Creating CIs for Vulnerability Response using the Identification and Reconciliation engine
Summary of Creating CIs for Vulnerability Response using the Identification and Reconciliation engine
This content explains how ServiceNow customers can create Configuration Items (CIs) in the Configuration Management Database (CMDB) using the Identification and Reconciliation engine (IRE) API within Vulnerability Response. Using IRE helps prevent duplicate CIs and ensures only authoritative data sources update CI attributes, improving CMDB accuracy and reliability.
Using IRE for CI Creation
Before Vulnerability Response version 12.2, unmatched hosts from scanners were created as CIs in the Unmatched CI class (sn_sec_cmn_unmatched_ci). From version 12.2 through 18.0, unmatched assets are sent to IRE and placed into the Unclassed Hardware or Incomplete IP Identified Device classes. From version 18.0, a new Cloud Resource class was also introduced for unmatched cloud assets.
Starting with version 24.0.6, if IRE encounters exceptions preventing CI creation, detailed exception information is recorded in the Additional Information field to help diagnose and resolve issues.
CMDB CI Classes
To leverage the new CI classes, customers must activate the CMDB CI Class Models plugin. Otherwise, unmatched CIs default to the Unmatched CI class.
- Incomplete IP Identified Device (cmdb_ci_incomplete_ip): Used when only an IP address is available from scanner data.
- Unclassed Hardware (cmdb_ci_unclassed_hardware): Used when host information includes hostname, IP address, DNS, NETBIOS, or MAC address. If a MAC address is present, a related network adapter CI is created. If both IP and MAC addresses are available, an IP address CI is also created and linked.
- Cloud Resource (cmdb_ci_cmp_resource): Used when a Cloud Resource ID is present. Note that if the scanner integration asset type is Hybrid and the system property sn_sec_cmn.unmatched_cloud_resource_enabled is false, CIs for cloud resources are created only in Unclassed Hardware instead of Cloud Resource.
Additional Considerations
- If the Identification and Reconciliation engine (IRE) is active, manual reclassification of discovered items is not supported; the system handles classification automatically.
- The system uses the Unmatched CI class automatically if the CMDB CI Class plugin is not activated or if IRE raises exceptions during CI creation.
What This Enables You to Do
By using the IRE API for CI creation in Vulnerability Response, you can maintain an accurate and deduplicated CMDB, properly classify unmatched assets, and gain detailed diagnostics when creation issues arise. Activating the CMDB CI Class Models plugin allows for more granular CI classification, including cloud resources, enhancing your asset management and vulnerability response workflows.
You can create configuration items (CIs) in the Configuration Management Database (CMDB) using the Identification and Reconciliation engine (IRE) API. By using the IRE API to create CIs, you can prevent duplicate CIs from being created and you can reconcile CI attributes by allowing only authoritative data sources to write to CMDB.
A CI class (table) is the original table name in the instance database. CMDB contains base system classes that store data about CIs.
Using IRE for CI creation
Prior to Vulnerability Response v12.2, if a matched CI isn’t found either in the Discovered Items list or CMDB, a CI is created in the Unmatched CI class (sn_sec_cmn_unmatched_ci). For more information, see Unmatched CIs.
Starting with v24.0.6 of Vulnerability Response, if IRE encounters exceptions that prevent the creation of CIs, the specifics of these exceptions are recorded in the Additional Information field. By examining the details in this field, you can determine the root cause and implement the necessary corrections to ensure the CI is successfully created.
From Vulnerability Response v12.2 through v18.0, if no match is found when the CI lookup rules are applied, the asset information is sent to IRE and a CI is created in either the Unclassed Hardware or the Incomplete IP Identified Device class. Starting from Vulnerability Response v18.0, a new class, Cloud Resource, is also included. For more information on how to configure the categorization of unmatched cloud resources into your preferred CI class, see Updating CI class for unmatched cloud assets.
CMDB CI classes
| CMDB CI Class | Description |
|---|---|
| Incomplete IP Identified Device (cmdb_ci_incomplete_ip) | CI is created in this table if only the IP address is available in the host information that is received from the scanner. |
| Unclassed Hardware (cmdb_ci_unclassed_hardware) | CI is created in this table if any of the following information is available in the host information that is received from the scanner: hostname, IP address, DNS, NETBIOS, or MAC address. Note: If the MAC address is available, the network adapter entry is created and related to the unclassed hardware CI. If both the IP and MAC addresses are available, the IP address CI is also created and related to the unclassed hardware CI. |
| Cloud Resource (cmdb_ci_cmp_resource) | CI is created in this table if the Cloud Resource ID is available in the host information that is received from the scanner. Note: If the Asset Type of a scanner integration is Hybrid and the sn_sec_cmn.unmatched_cloud_resource_enabled system property is false, the CIs are created in the Unclassed Hardware class and not in the Cloud Resource class. |
Note: If the Identification and Reconciliation engine (IRE) is activated, the reclassify option from discovered items is not supported.
The CI is created in the Unmatched CI class if either of the following is true:
- The CMDB CI Class plugin is not activated.
- IRE raises an exception while creating a CI.
For more information, see Unmatched CIs.
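The class-selection rules in the table and the fallback to the Unmatched CI class, worked through as an added example (not ServiceNow's own code): a pure function picks the target class from the host fields a scanner supplied, and a second function builds an IRE-style payload (items with className/values plus relations) including the network adapter and IP address CIs the table mentions. The host field names, the option names, the attribute names and the relationship type strings are assumptions for illustration.

```javascript
// Class names are the ones the page documents.
const CLASS_UNMATCHED = 'sn_sec_cmn_unmatched_ci';
const CLASS_INCOMPLETE_IP = 'cmdb_ci_incomplete_ip';
const CLASS_UNCLASSED_HW = 'cmdb_ci_unclassed_hardware';
const CLASS_CLOUD = 'cmdb_ci_cmp_resource';

// host: {hostname, ip, dns, netbios, mac, cloudResourceId} (assumed field names)
// opts: {classModelsPluginActive, ireException, assetType,
//        unmatchedCloudResourceEnabled} (assumed option names)
function selectCiClass(host, opts) {
  // Plugin inactive or IRE exception -> Unmatched CI class.
  if (!opts.classModelsPluginActive || opts.ireException) return CLASS_UNMATCHED;
  // Cloud Resource ID present -> Cloud Resource, except Hybrid integrations
  // with sn_sec_cmn.unmatched_cloud_resource_enabled = false -> Unclassed Hardware.
  if (host.cloudResourceId) {
    const hybridOptOut = opts.assetType === 'Hybrid' && !opts.unmatchedCloudResourceEnabled;
    return hybridOptOut ? CLASS_UNCLASSED_HW : CLASS_CLOUD;
  }
  // Anything beyond a bare IP (hostname, DNS, NETBIOS, MAC) -> Unclassed Hardware.
  if (host.hostname || host.dns || host.netbios || host.mac) return CLASS_UNCLASSED_HW;
  // Only an IP address -> Incomplete IP Identified Device.
  if (host.ip) return CLASS_INCOMPLETE_IP;
  return CLASS_UNMATCHED;
}

// Builds an IRE payload; item indexes are used as parent/child references.
function buildIrePayload(host, opts) {
  const className = selectCiClass(host, opts);
  const hw = { className: className, values: {} };
  if (host.hostname) hw.values.name = host.hostname;
  if (host.ip) hw.values.ip_address = host.ip;
  if (host.mac) hw.values.mac_address = host.mac;
  const payload = { items: [hw], relations: [] };
  if (className === CLASS_UNCLASSED_HW && host.mac) {
    // MAC available -> network adapter CI related to the hardware CI.
    payload.items.push({ className: 'cmdb_ci_network_adapter',
                         values: { mac_address: host.mac, name: 'eth0' } });
    payload.relations.push({ parent: 0, child: 1, type: 'Owns::Owned by' });
    if (host.ip) {
      // MAC and IP available -> IP address CI related as well.
      payload.items.push({ className: 'cmdb_ci_ip_address', values: { ip_address: host.ip } });
      payload.relations.push({ parent: 1, child: 2, type: 'Owns::Owned by' });
    }
  }
  return payload;
}

// Constructed sample host: IP and MAC only, plugin active.
const samplePayload = buildIrePayload({ ip: '10.0.0.5', mac: '00:11:22:33:44:55' },
                                      { classModelsPluginActive: true });
```

In an instance the payload object would be serialized and handed to the IRE API; here it is only built so the class choice and relation structure can be inspected.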