Unclassed hardware

  • Release version: Xanadu
  • Updated August 1, 2024
  • If an asset does not find a match in the Configuration Management Database (CMDB) by CI lookup rules, the asset is termed as an unclassed hardware.

    When data is imported from ServiceNow-built integrations, Vulnerability Response automatically uses host data to search for matches in the CMDB. The CI lookup rules identify configuration items (CIs) and add them to the vulnerable item record to aid in remediation. If an asset is not found in the CMDB, the Identification and Reconciliation engine (IRE) runs the identification rules defined on the hardware class and all its children, and creates a CI under the Unclassed Hardware class. When Discovery finds this asset, it creates a new CI instead of reclassifying the existing unclassed hardware CI, because the identification rule relies on the name of the hardware CI.

    If the Identification and Reconciliation engine (IRE) is activated, the reclassify option from discovered items is not supported.

    The following extracts show the IRE payloads for creating a CI in Unclassed Hardware via Vulnerability Response and Discovery, respectively.

    Payload from Vulnerability Response:

    {
        "className": "cmdb_ci_unclassed_hardware",
        "values": {
            "name": "asset01.company.com", // from NetBIOS
            "mac_address": "1a:5e:2c:0e:42:f3",
            "fqdn": "asset01.company.com",
            "ip_address": "133.10.3.123"
        },
        "settings": {
            "updateWithoutSwitch": true
        }
    }

    Payload from Discovery:

    {
        "className": "cmdb_ci_win_server",
        "values": {
            "name": "asset01",
            "mac_address": "1a:5e:2c:0e:42:f3",
            "fqdn": "asset01.company.com",
            "ip_address": "133.10.3.123",
            "os_domain": "company"
        },
        "settings": {
            "updateWithoutSwitch": false
        }
    }

    In this case, the existing Unclassed Hardware CI is not reclassified as a Windows server; instead, a new CI is created under Windows server, because the identification rule relies on the name of the hardware CI. Comparing the two payloads, the name in the payload from Vulnerability Response is the same as the FQDN or NetBIOS name, whereas the name in the payload from Discovery is just the host name.
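
The following added example (not ServiceNow code and not the IRE's implementation) models the name mismatch described above and flags unclassed/classified CI pairs that are probably the same host, so that vulnerable items are not tracked against a stale duplicate. The records are constructed samples shaped like the payload values on this page; the function names and the matching threshold (MAC address plus one other attribute) are assumptions.

```javascript
// Added example: simplified model, not ServiceNow's IRE implementation.
// Constructed sample records, shaped like the payload "values" on this page.
const sampleCis = [
  { sys_class_name: "cmdb_ci_unclassed_hardware", name: "asset01.company.com",
    mac_address: "1a:5e:2c:0e:42:f3", fqdn: "asset01.company.com", ip_address: "133.10.3.123" },
  { sys_class_name: "cmdb_ci_win_server", name: "asset01",
    mac_address: "1A:5E:2C:0E:42:F3", fqdn: "asset01.company.com", ip_address: "133.10.3.123" },
  { sys_class_name: "cmdb_ci_unclassed_hardware", name: "asset02.company.com",
    mac_address: "1a:5e:2c:0e:42:f4", fqdn: "asset02.company.com", ip_address: "133.10.3.124" },
];

// Normalize case and whitespace so "1A:5E..." and "1a:5e..." compare equal.
const norm = (v) => String(v || "").trim().toLowerCase();

// Name-only comparison, standing in for the name-based identification rule.
function namesMatch(a, b) {
  return norm(a.name) !== "" && norm(a.name) === norm(b.name);
}

// Attributes on which two records agree despite having different names.
function sharedAttributes(a, b) {
  return ["mac_address", "fqdn", "ip_address"].filter(
    (f) => norm(a[f]) !== "" && norm(a[f]) === norm(b[f])
  );
}

// Return unclassed/classified pairs that the name comparison misses but that
// agree on MAC address plus at least one other attribute (assumed threshold).
function findLikelyDuplicates(cis) {
  const isUnclassed = (c) => c.sys_class_name === "cmdb_ci_unclassed_hardware";
  const unclassed = cis.filter(isUnclassed);
  const classified = cis.filter((c) => !isUnclassed(c));
  const pairs = [];
  for (const u of unclassed) {
    for (const c of classified) {
      if (namesMatch(u, c)) continue; // a name-based rule would match these
      const shared = sharedAttributes(u, c);
      if (shared.includes("mac_address") && shared.length >= 2) {
        pairs.push({ unclassed: u.name, classified: c.name,
                     classifiedClass: c.sys_class_name, shared });
      }
    }
  }
  return pairs;
}

console.log(JSON.stringify(findLikelyDuplicates(sampleCis), null, 2));
```

Pairs returned by `findLikelyDuplicates` are candidates for manual review and merge; the unclassed record for asset02 is not flagged because no classified CI shares its attributes.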