Product documentation Docs
    • English
    • Deutsch
    • 日本語
    • 한국어
    • Français
  • More Sites
    • Now Community
    • Developer Site
    • Knowledge Base
    • Product Information
    • ServiceNow.com
    • Training
    • Customer Success Center
    • ServiceNow Support Videos
  • Log in

Product documentation

  • Home
How search works:
  • Punctuation and capital letters are ignored
  • Special characters like underscores (_) are removed
  • Known synonyms are applied
  • The most relevant topics (based on weighting and matching to search terms) are listed first in search results
Topics are ranked in search results by how closely they match your search terms
  • A match on the entire phrase you typed
  • A match on part of the phrase you typed
  • A match on ALL of the terms in the phrase you typed
  • A match on ANY of the terms in the phrase you typed

Note: Matches in titles are always highly ranked.

  • Release version
    Table of Contents
    • Security Operations
Table of Contents
Choose your release version
    Home Orlando Security Incident Management Security Operations Vulnerability Response Understanding the Vulnerability Response application CI Lookup rules for identifying configuration items from Vulnerability Response third-party vulnerability integrations

    CI Lookup rules for identifying configuration items from Vulnerability Response third-party vulnerability integrations

    • Save as PDF Selected topic Topic & subtopics All topics in contents
    • Unsubscribe Log in to subscribe to topics and get notified when content changes.
    • Share this page

    CI Lookup rules for identifying configuration items from Vulnerability Response third-party vulnerability integrations

    When data is imported from a third-party integration, Vulnerability Response automatically uses host data to search for matches in the Configuration Management Database (CMDB). It does this using CI Lookup Rules. These rules are used to identify configuration items (CIs) and add them to the vulnerable item record to aid in remediation.

    As assets are imported, a lookup is performed first on the Discovered Items list using third-party IDs to find matches to configuration item (CIs) from prior imports. When a host ID match is found, it is used as the Configuration item field in the vulnerable item record.

    You can see how imported assets are mapped to CIs using the Discovered Items list. If a match is not found, or the host ID field is empty, the rules use the other host information to attempt to correctly identify the CI. If a match is still not found, a placeholder CI is created and is designated as an Unmatched CI. See Unmatched CIs for more information on how those CIs are handled.

    Note: CI lookup rules are available only for the Qualys and Rapid7 vulnerability integrations.
    CI lookup rules can be domain separated and are source-specific. Each source can have multiple deployments. For example, the Rapid7 Vulnerability Integration, can have both Data Warehouse and InsightVM deployments. Qualys can have multiple deployments of the Qualys Vulnerability Integration. Each deployment has its own set of CI Lookup Rules.
    Note: CI lookup rules are shared by all deployments of the vulnerability integration. If a rule is deleted or modified, the deletion or changes affect all deployments of the vulnerability integration.
    When attempting a match, the first step is a vendor ID lookup for an exact match across source, source_instance, and vendor ID. Then, lookup rules are run in order, from lowest to highest and stop when a rule returns just a single CI as a match. If a rule is created in such a way that it returns more than one CI, only the first match is used.
    Note: To avoid matching on low-level networking elements, if a matched CI is one of dscy_switchport, cmdb_ci_network_adapter, cmdb_ci_nic, or cmdb_ci_ip_address, the parent CI is returned.

    A system property to exclude CI classes is available. This property is not available with upgrade. See Ignore CI classes for upgrade information and instructions on setting the property.

    To make it easier to find matching issues, when a match is found, the CI lookup rule used to find it is added to the Discovered Item record in the CI matching rule field. Lookup rules are evaluated by lowest Order value first.

    These Qualys CI lookup rules are shipped with the base system.
    • QUALYS HOST ID
    • FQDN
    • NetBIOS
    • DNS
    • IP
    These Rapid7 CI lookup rules are shipped with the base system.
    • MacAddress
    • FQDN
    • HostName
    • IP
    Note: Rules, once removed, cannot be recovered. Rather than removing existing rules, deactivate them when creating new ones.

    Importing vulnerability data can be taxing on an instance and performance issues with resources can occur if rules are not carefully constructed. The logic used to iterate through and perform matching within the CMDB can result in lengthy processing times. To avoid any potential degradation of resources or performance complications, test any custom-written CI Lookup Rules or modifications to pre-defined CI Lookup Rules. See Prevent duplicate or orphaned records after running Vulnerability Response CI lookup rules for more information on preventing duplicate orphan records, deleting data, and cleaning up data.

    • Prevent duplicate or orphaned records after running Vulnerability Response CI lookup rules

      Take steps to prevent duplicate or orphan records resulting from matching (configuration items (CIs) within the CMDB.

    Related concepts
    • Vulnerability Response personas and granular roles
    • Vulnerability Response assignment rules overview
    • Vulnerability Response groups and group rules overview
    • Vulnerability groups and group rules overview (Prior to v10.0)
    • Machine Learning solutions for Vulnerability Response
    • Creating CIs for Vulnerability Response using the Identification and Reconciliation engine
    • Discovered Items overview
    • Vulnerability Response group and vulnerable item states
    • Vulnerability Response calculators and vulnerability calculator rules
    • Vulnerability Response vulnerable item detections from third-party integrations
    • Vulnerability Response remediation target rules
    • Vulnerability Solution Management
    • Exception Management overview
    • Exception rules overview
    • False Positive overview
    • Change management for Vulnerability Response
    • Software exposure assessment using ITAM Software Asset Management (SAM)
    • Domain separation and Vulnerability Response

    Tags:

    Feedback
    On this page

    Previous topic

    Next topic

    • Contact Us
    • Careers
    • Terms of Use
    • Privacy Statement
    • Sitemap
    • © ServiceNow. All rights reserved.

    Release version
    Choose your release version

      CI Lookup rules for identifying configuration items from Vulnerability Response third-party vulnerability integrations

      • Save as PDF Selected topic Topic & subtopics All topics in contents
      • Unsubscribe Log in to subscribe to topics and get notified when content changes.
      • Share this page

      CI Lookup rules for identifying configuration items from Vulnerability Response third-party vulnerability integrations

      When data is imported from a third-party integration, Vulnerability Response automatically uses host data to search for matches in the Configuration Management Database (CMDB). It does this using CI Lookup Rules. These rules are used to identify configuration items (CIs) and add them to the vulnerable item record to aid in remediation.

      As assets are imported, a lookup is performed first on the Discovered Items list using third-party IDs to find matches to configuration item (CIs) from prior imports. When a host ID match is found, it is used as the Configuration item field in the vulnerable item record.

      You can see how imported assets are mapped to CIs using the Discovered Items list. If a match is not found, or the host ID field is empty, the rules use the other host information to attempt to correctly identify the CI. If a match is still not found, a placeholder CI is created and is designated as an Unmatched CI. See Unmatched CIs for more information on how those CIs are handled.

      Note: CI lookup rules are available only for the Qualys and Rapid7 vulnerability integrations.
      CI lookup rules can be domain separated and are source-specific. Each source can have multiple deployments. For example, the Rapid7 Vulnerability Integration, can have both Data Warehouse and InsightVM deployments. Qualys can have multiple deployments of the Qualys Vulnerability Integration. Each deployment has its own set of CI Lookup Rules.
      Note: CI lookup rules are shared by all deployments of the vulnerability integration. If a rule is deleted or modified, the deletion or changes affect all deployments of the vulnerability integration.
      When attempting a match, the first step is a vendor ID lookup for an exact match across source, source_instance, and vendor ID. Then, lookup rules are run in order, from lowest to highest and stop when a rule returns just a single CI as a match. If a rule is created in such a way that it returns more than one CI, only the first match is used.
      Note: To avoid matching on low-level networking elements, if a matched CI is one of dscy_switchport, cmdb_ci_network_adapter, cmdb_ci_nic, or cmdb_ci_ip_address, the parent CI is returned.

      A system property to exclude CI classes is available. This property is not available with upgrade. See Ignore CI classes for upgrade information and instructions on setting the property.

      To make it easier to find matching issues, when a match is found, the CI lookup rule used to find it is added to the Discovered Item record in the CI matching rule field. Lookup rules are evaluated by lowest Order value first.

      These Qualys CI lookup rules are shipped with the base system.
      • QUALYS HOST ID
      • FQDN
      • NetBIOS
      • DNS
      • IP
      These Rapid7 CI lookup rules are shipped with the base system.
      • MacAddress
      • FQDN
      • HostName
      • IP
      Note: Rules, once removed, cannot be recovered. Rather than removing existing rules, deactivate them when creating new ones.

      Importing vulnerability data can be taxing on an instance and performance issues with resources can occur if rules are not carefully constructed. The logic used to iterate through and perform matching within the CMDB can result in lengthy processing times. To avoid any potential degradation of resources or performance complications, test any custom-written CI Lookup Rules or modifications to pre-defined CI Lookup Rules. See Prevent duplicate or orphaned records after running Vulnerability Response CI lookup rules for more information on preventing duplicate orphan records, deleting data, and cleaning up data.

      • Prevent duplicate or orphaned records after running Vulnerability Response CI lookup rules

        Take steps to prevent duplicate or orphan records resulting from matching (configuration items (CIs) within the CMDB.

      Related concepts
      • Vulnerability Response personas and granular roles
      • Vulnerability Response assignment rules overview
      • Vulnerability Response groups and group rules overview
      • Vulnerability groups and group rules overview (Prior to v10.0)
      • Machine Learning solutions for Vulnerability Response
      • Creating CIs for Vulnerability Response using the Identification and Reconciliation engine
      • Discovered Items overview
      • Vulnerability Response group and vulnerable item states
      • Vulnerability Response calculators and vulnerability calculator rules
      • Vulnerability Response vulnerable item detections from third-party integrations
      • Vulnerability Response remediation target rules
      • Vulnerability Solution Management
      • Exception Management overview
      • Exception rules overview
      • False Positive overview
      • Change management for Vulnerability Response
      • Software exposure assessment using ITAM Software Asset Management (SAM)
      • Domain separation and Vulnerability Response

      Tags:

      Feedback

          Share this page

          Got it! Feel free to add a comment
          To share your product suggestions, visit the Idea Portal.
          Please let us know how to improve this content

          Check any that apply

          To share your product suggestions, visit the Idea Portal.
          Confirm

          We were unable to find "Coaching" in Jakarta. Would you like to search instead?

          No Yes
          • Contact Us
          • Careers
          • Terms of Use
          • Privacy Statement
          • Sitemap
          • © ServiceNow. All rights reserved.

          Subscribe Subscribed Unsubscribe Last updated: Tags: January February March April May June July August September October November December No Results Found Versions Search preferences successfully updated My release version successfully updated My release version successfully deleted An error has occurred. Please try again later. You have been unsubscribed from all topics. You are now subscribed to and will receive notifications if any changes are made to this page. You have been unsubscribed from this content Thank you for your feedback. Form temporarily unavailable. Please try again or contact  docfeedback@servicenow.com  to submit your comments. The topic you requested does not exist in the release. You were redirected to a related topic instead. The available release versions for this topic are listed There is no specific version for this documentation. Explore products Click to go to the page. Release notes and upgrades Click to open the dropdown menu. Delete Remove No selected version Reset This field is required You are already subscribed to this topic Attach screenshot The file you uploaded exceeds the allowed file size of 20MB. Please try again with a smaller file. Please complete the reCAPTCHA step to attach a screenshot
          Log in to personalize your search results and subscribe to topics
          No, thanks Login