Rules for identifying and creating CIs

CI identifier rules are used to look up a CI in the CMDB with matching information from a third-party integration. These rules define what fields contain matching data, and the order of precedence in which they are evaluated. Matches with the lowest Order value are evaluated first.

The value of CI identifier rules lies in linking imported results to configuration items that already exist in the CMDB. CMDB records often carry augmented information about related services, owner, contents, support groups, and other vital information.

CI identifier rules are used by Vulnerability integrations to define how imported data locates the closest matching existing CI, where possible.

The CI identifier rules also define the order in which CI classes and fields on the CI table are compared to the imported data.

For example, a set of CI identifier rules could be defined to search all CIs for any matching Qualys Host IDs, as follows.
  • If no match is found, then it searches Computer CIs to check the fully qualified domain name.
  • If no match is found, then it searches the IP address on the CI.
  • Finally, if no match is found, it searches within all Hardware CIs for a match.
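
The evaluation order described above can be modelled in a few lines. This is an added example in plain JavaScript, not ServiceNow platform code or the SecOpsCILocation script include; the class hierarchy, the Order values, the field on the Hardware rule, the sample CMDB rows, and the `ambiguous` flag are assumptions made for illustration.

```javascript
// Added illustration: a plain JavaScript model of ordered CI identifier rules.
// Assumption: Computer is a kind of Hardware, which is a kind of Configuration Item.
const PARENT = { Computer: "Hardware", Hardware: "Configuration Item" };

// True when a CI of class ciClass falls under the rule's table.
function isA(ciClass, table) {
  for (let c = ciClass; c; c = PARENT[c]) if (c === table) return true;
  return false;
}

// Compare values case-insensitively and ignore surrounding whitespace.
const norm = (v) => String(v ?? "").trim().toLowerCase();

// Rules mirroring the example above, deliberately listed out of order.
// The Order values and the field on the Hardware rule are assumptions.
const RULES = [
  { order: 400, table: "Hardware", field: "name" },
  { order: 100, table: "Configuration Item", field: "sn_vul_qualys_host_id" },
  { order: 200, table: "Computer", field: "fqdn" },
  { order: 300, table: "Configuration Item", field: "ip_address" },
];

// Constructed CMDB rows; ci-2 and ci-3 share an IP address on purpose.
const CMDB = [
  { id: "ci-1", cls: "Computer", name: "web01", fqdn: "web01.example.com", ip_address: "10.0.0.5", sn_vul_qualys_host_id: "9001" },
  { id: "ci-2", cls: "Hardware", name: "printer7", fqdn: "", ip_address: "10.0.0.9", sn_vul_qualys_host_id: "" },
  { id: "ci-3", cls: "Computer", name: "db02", fqdn: "db02.example.com", ip_address: "10.0.0.9", sn_vul_qualys_host_id: "" },
];

// Evaluate rules from lowest Order upward and stop at the first rule that matches.
function locateCI(imported, rules = RULES, cmdb = CMDB) {
  const ordered = [...rules].sort((a, b) => a.order - b.order);
  for (const rule of ordered) {
    const wanted = norm(imported[rule.field]);
    if (!wanted) continue; // a blank imported value must never match blank CI fields
    const hits = cmdb.filter(
      (ci) => isA(ci.cls, rule.table) && norm(ci[rule.field]) === wanted
    );
    if (hits.length > 0) {
      // Flag results where more than one CI satisfied the same rule.
      return { ci: hits[0].id, rule: rule.order, ambiguous: hits.length > 1 };
    }
  }
  return null; // no rule matched; the platform then searches its other tables
}
```

In this model an import that carries only an IP address matches two CIs, while one that also carries a host ID or FQDN resolves to a single CI before the IP rule is reached.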

The business rule, Set Value For CI ID Field, as well as some integration transform maps for vulnerability import, use the CI identifier rules to determine how to fill in the configuration item field in a vulnerable item. This rule is triggered when the IP address and other information are provided, but the CI field is empty.

Several CI columns are supported in the default identifier rule shipped with the base system.
  • name
  • fqdn
  • mac_address
  • dns
  • ip_address

When the Qualys Cloud Platform integration is installed, the following rules are available:
  • sn_vul_qualys_host_id
  • sn_vul_qualys_id

Create CI Identifier rules

CI identifier rules define what fields to search in the CMDB for matching data.

Before you begin

Role required: sn_sec_cmn_admin

Procedure

  1. Navigate to Security Operations > CMDB > CI Identifier Rules.
  2. Click New.
  3. On the form, fill in the fields.
    Table 1. CI Identifier Rules form (field, then description)

    Table
      Name of the table in the CMDB. Choices are:
      • Computer
      • Configuration Item
      • Hardware
      • IP address
      • Network Adapter

    Field
      Field that contains information that can be used to locate a CI. This field may be on the CI record, or on a related record, such as a network adapter.

      Important: FQDN, IP Address, DNS name, MAC address, or Name are the only choices that can be used by default.

      To add any other field to your CI identifier rules, a script include change is required. The scripts must be edited to handle the additional fields as part of the input data to the locateCIByNetwork function in the SecOpsCILocation script include.

      Note: These modifications require coding or advanced ServiceNow expertise.

      The following are the script includes to edit:
      • VulnerabilityUtils.findCIByNetworkDetails
      • QualyUtil.findCIByNetworkDetails
      • SecOpsCILocation.locateCIByNetwork

    Order
      Order of precedence for the rule. Matches with the lowest order are evaluated first.

    If no match is found when evaluating the CI identifier rules, other tables are searched for a DNS or IP match. The search for a match is conducted, in order, as follows:
    • cmdb_ip_address_dns_name
    • cmdb_ci_network_adapter
    • cmdb_ci_ip_address
    • cmdb_ci (ip_address field)