CI lookup rules for identifying configuration items from Vulnerability Response third-party vulnerability integrations
Summary of CI lookup rules for identifying configuration items from Vulnerability Response third-party vulnerability integrations
ServiceNow Vulnerability Response automatically identifies configuration items (CIs) in the Configuration Management Database (CMDB) when importing vulnerability data from third-party integrations. This is achieved through CI Lookup Rules, which use host data to find matching CIs and link them to vulnerable item records to support remediation efforts.
Starting with version 19.0, you can manage these lookup rules under Security Operations > CMDB > Lookup Rules in your instance.
How CI Lookup Rules Work
- Imported assets are first matched against the Discovered Items list using third-party host IDs.
- If a host ID match exists, it is used directly for the vulnerable item’s Configuration item field.
- If no host ID match exists or the field is empty, other host information is used to find a CI match.
- If no matches are found, a placeholder called an Unmatched CI is created and tracked in the system.
- CI lookup rules are source-specific, domain separated, and shared across all deployments of that vulnerability integration.
- Matching attempts start with an exact vendor ID lookup; if no match, rules are evaluated in order by ascending priority.
- Only the first CI match returned by a rule is used; if the match is a low-level networking element, its parent CI is used instead to avoid irrelevant matches.
Key Features
- Source-specific CI lookup rules: Each vulnerability data source such as Qualys, Rapid7, Tenable.io, and Tenable.sc has its own predefined lookup rules based on common identifiers like FQDN, IP, MacAddress, HostName, and NetBIOS.
- Rule order and priority: Lookup rules process from the lowest order number to the highest, stopping on the first unique CI match.
- System property for excluding CI classes: You can configure which CI classes to ignore during matching to refine results.
- Tracking matching rules: The rule used to find a CI is recorded in the Discovered Item record for traceability.
- Reapplying rules: When rules are changed, you can reapply them to discovered items to update CI assignments and related vulnerable item records.
- Deactivation instead of deletion: Deactivate rules rather than deleting to preserve history and prevent loss of configurations.
Performance and Best Practices
- CI lookup processing can be resource-intensive; poorly constructed or overly broad rules may cause performance degradation.
- Test custom or modified CI lookup rules thoroughly before deployment to avoid duplicate or orphaned records.
- Follow recommended steps for maintaining clean and accurate CMDB data after running lookup rules, including removing duplicates and cleaning data.
Unmatched CIs and Unclassed Hardware
When no CMDB match is found for an imported asset, the system creates an Unmatched CI, which is listed under Security Operations > CMDB > Discovered Items. These represent unclassed hardware and enable tracking of assets that require further classification or remediation.
Practical Benefits for ServiceNow Customers
- Automates linking of vulnerability data to accurate CMDB configuration items, improving remediation accuracy and efficiency.
- Provides transparency and control over how imported vulnerabilities map to your asset data.
- Enables ongoing maintenance of CI matching as your CMDB and vulnerability data evolve.
- Helps maintain CMDB data integrity by managing unmatched assets and preventing incorrect CI associations.
- Supports multiple vulnerability sources with tailored lookup rules to handle diverse data formats and identifiers.
When data is imported from a third-party integration, Vulnerability Response automatically uses host data to search for matches in the Configuration Management Database (CMDB). It does this using CI Lookup Rules. These rules are used to identify configuration items (CIs) and add them to the vulnerable item record to aid in remediation.
Starting with version 19.0, navigate to Security Operations > CMDB > Lookup Rules to locate the list in your instance.
As assets are imported, a lookup is performed first on the Discovered Items list using third-party host IDs to find matches to configuration items (CIs) from prior imports. When a host ID match is found, it is used as the Configuration item field in the vulnerable item record.
You can see how imported assets are mapped to CIs using the Discovered Items list. If a match is not found, or the host ID field is empty, the rules use the other host information to attempt to correctly identify the CI. If a match is still not found, a placeholder CI is created and is designated as an Unmatched CI. See Unmatched CIs for more information on how those CIs are handled.
Only the first CI that a rule returns is used. If that CI belongs to one of the low-level networking classes dscy_switchport, cmdb_ci_network_adapter, cmdb_ci_nic, or cmdb_ci_ip_address, the parent CI is returned instead, so that a switch port or NIC does not end up as the vulnerable item's CI. A system property to exclude CI classes from matching is available. This property is not available automatically after an upgrade; see Ignore CI classes for upgrade information and instructions on setting the property.
To make it easier to troubleshoot matching issues, when a match is found, the CI lookup rule used to find it is added to the Discovered Item record in the CI matching rule field. Lookup rules are evaluated by lowest Order value first.
The CI lookup rules are shipped with their corresponding integration plugins. The predefined rules for each source (Qualys, Rapid7, Tenable.io, and Tenable.sc) match on identifiers such as the following, listed per source in the order of the original table:
- QUALYS HOST ID
- FQDN
- NetBIOS
- DNS
- IP
- MacAddress
- FQDN
- HostName
- IP
- FQDN
- NETBIOS
- HOSTNAME
- MacAddress
- DNS
- MacAddress
- FQDN
- NETBIOS
Importing vulnerability data can be taxing on an instance, and performance issues can occur if rules are not carefully constructed. The logic used to iterate through the CMDB and perform matching can result in lengthy processing times. To avoid resource degradation or performance complications, test any custom-written CI Lookup Rules or modifications to pre-defined CI Lookup Rules before deploying them. See Steps to help prevent duplicate or orphaned records after running Vulnerability Response CI lookup rules for more information on preventing duplicate or orphaned records, deleting data, and cleaning up data.
Reapplying updated CI lookup rules
After you change CI lookup rules, you can reapply them to existing discovered items. Reapplying updates the configuration item on the discovered items, and on their related vulnerable item records, that:
- Were matched by the updated rules
- Are not matched by any rule
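The following JavaScript is an added example, not ServiceNow's implementation or any code from this page. It models the lookup order described in the sections above (exact third-party host ID lookup first, then active rules by ascending Order, first CI a rule returns, parent substitution for the low-level networking classes, an excluded-class set, and an Unmatched placeholder) together with the reapply behaviour of this section, which re-evaluates only items matched by an updated rule or matched by no rule. The in-memory CMDB and Discovered Items map, the field names, the rule bodies, and all sample hosts and CIs are constructed assumptions for illustration.

```javascript
// Added example, not ServiceNow code: an in-memory model of the CI lookup order
// described on this page. Table layout, field names, rule bodies and all sample
// data are constructed for illustration.

// CI classes the page names as low-level networking elements; when a rule
// matches one of these, its parent CI is used instead.
const PARENT_REDIRECT_CLASSES = new Set([
  "dscy_switchport", "cmdb_ci_network_adapter", "cmdb_ci_nic", "cmdb_ci_ip_address",
]);

// Constructed CMDB sample. The VMware instance is listed first so that an FQDN
// match returns it unless its class is excluded; `parent` links a NIC to its server.
const CMDB = [
  { sys_id: "vm01", sys_class_name: "cmdb_ci_vmware_instance", fqdn: "web01.example.test" },
  { sys_id: "srv01", sys_class_name: "cmdb_ci_linux_server", fqdn: "web01.example.test",
    ip_address: "10.0.0.5", host_name: "web01" },
  { sys_id: "nic01", sys_class_name: "cmdb_ci_nic", mac_address: "00:11:22:33:44:55", parent: "srv01" },
  { sys_id: "srv02", sys_class_name: "cmdb_ci_win_server", fqdn: "db01.example.test",
    ip_address: "10.0.0.9", host_name: "db01" },
];

const norm = (v) => (v == null ? "" : String(v).trim().toLowerCase());
// Builds a rule predicate: the host field must be present and equal the CI field.
const fieldEquals = (hostField, ciField) => (host, ci) =>
  norm(host[hostField]) !== "" && norm(host[hostField]) === norm(ci[ciField]);

// Constructed rules for one source, evaluated by ascending Order. The HostName
// rule is deactivated rather than deleted, so it stays on file but is skipped.
const RULES = [
  { name: "FQDN", order: 100, active: true, matches: fieldEquals("fqdn", "fqdn") },
  { name: "MacAddress", order: 200, active: true, matches: fieldEquals("mac", "mac_address") },
  { name: "IP", order: 300, active: true, matches: fieldEquals("ip", "ip_address") },
  { name: "HostName", order: 400, active: false, matches: fieldEquals("hostname", "host_name") },
];

// Discovered Items keyed by source and third-party host ID. Each entry records
// the CI and the rule that found it, like the page's "CI matching rule" field.
const DISCOVERED = new Map();

function lookupCi(host, source, rules = RULES, cmdb = CMDB, ignoreClasses = new Set()) {
  // Step 1: exact third-party host ID lookup against items from prior imports.
  const prior = host.hostId ? DISCOVERED.get(`${source}:${host.hostId}`) : undefined;
  if (prior && prior.ci) return { ci: prior.ci, rule: prior.rule, via: "host_id" };

  // Step 2: other host data, active rules in ascending Order, first CI a rule returns.
  const candidates = cmdb.filter((ci) => !ignoreClasses.has(ci.sys_class_name));
  const ordered = rules.filter((r) => r.active).sort((a, b) => a.order - b.order);
  for (const rule of ordered) {
    let ci = candidates.find((c) => rule.matches(host, c));
    if (!ci) continue;
    if (PARENT_REDIRECT_CLASSES.has(ci.sys_class_name) && ci.parent) {
      ci = cmdb.find((c) => c.sys_id === ci.parent) || ci;
    }
    return { ci: ci.sys_id, rule: rule.name, via: "rule" };
  }

  // Step 3: no match; the item is tracked as an Unmatched CI placeholder.
  return { ci: null, rule: null, via: "unmatched" };
}

// Import one host from a source and record the outcome as a Discovered Item.
function importHost(host, source, opts = {}) {
  const result = lookupCi(host, source, opts.rules, opts.cmdb, opts.ignoreClasses);
  const item = { key: `${source}:${host.hostId}`, host, ...result };
  DISCOVERED.set(item.key, item);
  return item;
}

// Reapply after a rule change. Only items that an updated rule matched, or that
// no rule matched, are re-evaluated; everything else keeps its CI. The host ID
// shortcut is bypassed here, otherwise the stale CI would simply be returned.
function reapplyRules(source, updatedRuleNames, opts = {}) {
  const changed = [];
  for (const item of DISCOVERED.values()) {
    if (!item.key.startsWith(`${source}:`)) continue;
    if (item.ci !== null && !updatedRuleNames.has(item.rule)) continue;
    const fresh = lookupCi({ ...item.host, hostId: undefined }, source,
      opts.rules, opts.cmdb, opts.ignoreClasses);
    if (fresh.ci !== item.ci || fresh.rule !== item.rule) {
      Object.assign(item, fresh);
      changed.push(item.key);
    }
  }
  return changed;
}
```

Importing a host whose only usable attribute is its MAC address shows the parent substitution: the MacAddress rule matches the NIC, and the server it belongs to is recorded as the CI. Importing the same host ID a second time returns that CI through the host ID shortcut without consulting the rules at all, which is why `reapplyRules` strips the host ID before re-evaluating. Passing `{ ignoreClasses: new Set(["cmdb_ci_vmware_instance"]) }` reproduces the effect of the exclusion property: the FQDN rule then skips the virtual machine record and returns the server.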