When data is imported from a third-party integration, Vulnerability Response automatically uses host data to search for matches in the Configuration Management Database (CMDB). It does this using CI Lookup Rules. These rules are used to identify configuration items (CIs) and add them to the vulnerable item record to aid in remediation.

As assets are imported, a lookup is performed first on the Discovered Items list using third-party IDs to find matches to configuration items (CIs) from prior imports. When a host ID match is found, it is used as the Configuration item field in the vulnerable item record.

You can see how imported assets are mapped to CIs using the Discovered Items list. If a match is not found, or the host ID field is empty, the rules use the other host information to attempt to correctly identify the CI. If a match is still not found, a placeholder CI is created and is designated as an Unmatched CI. See Unmatched CIs for more information on how those CIs are handled.
Note: CI lookup rules are available only for the Qualys and Rapid7 vulnerability integrations.

CI lookup rules can be domain separated and are source-specific. Each source can have multiple deployments. For example, the Rapid7 Vulnerability Integration can have both Data Warehouse and InsightVM deployments. Qualys can have multiple deployments of the Qualys Vulnerability Integration. Each deployment has its own set of CI Lookup Rules.

Note: CI lookup rules are shared by all deployments of the vulnerability integration. If a rule is deleted or modified, the deletion or changes affect all deployments of the vulnerability integration.
When attempting a match, the first step is a vendor ID lookup for an exact match across source, source_instance, and vendor ID. Then, lookup rules are run in order, from the lowest to the highest Order value, and stop when a rule returns a single CI as a match. If a rule is created in such a way that it returns more than one CI, only the first match is used.

Note: To avoid matching on low-level networking elements, if a matched CI is one of dscy_switchport, cmdb_ci_network_adapter, cmdb_ci_nic, or cmdb_ci_ip_address, the parent CI is returned.

A system property to exclude CI classes is available. This property is not available with upgrade. See Ignore CI classes for upgrade information and instructions on setting the property.

To make it easier to find matching issues, when a match is found, the CI lookup rule used to find it is added to the Discovered Item record in the CI matching rule field. Lookup rules are evaluated by lowest Order value first.
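To make the matching sequence concrete, the following is an added Python model of the order described above; it is not ServiceNow code and not part of the original page. The CI class names are the ones listed above, while the host fields, rule predicates and sample CMDB rows are constructed assumptions.

```python
# Added model of the CI Lookup Rule matching order: vendor-ID lookup first,
# then active rules by ascending Order, with low-level network classes
# resolved to their parent CI. Stand-alone simulation, not ServiceNow code;
# class names come from the page, sample rows and predicates are constructed.
from dataclasses import dataclass
from typing import Callable, Optional

# Low-level networking classes: a hit on one of these returns the parent CI.
LOW_LEVEL_CLASSES = {"dscy_switchport", "cmdb_ci_network_adapter",
                     "cmdb_ci_nic", "cmdb_ci_ip_address"}

@dataclass
class CI:
    sys_id: str
    sys_class_name: str
    attrs: dict
    parent: Optional["CI"] = None

@dataclass
class Rule:
    name: str
    order: int
    active: bool
    match: Callable[[dict, CI], bool]  # (host, ci) -> bool (assumed shape)

def resolve_ci(host, cis, rules, discovered):
    """Return (ci, rule_name); ci is None when an Unmatched CI placeholder is needed."""
    # Step 1: exact vendor-ID lookup across source, source_instance and vendor ID.
    key = (host["source"], host["source_instance"], host.get("vendor_id"))
    if key[2] and key in discovered:
        return discovered[key], "VENDOR_ID"
    # Step 2: active rules by ascending Order; the first rule with a hit wins.
    for rule in sorted((r for r in rules if r.active), key=lambda r: r.order):
        hits = [ci for ci in cis if rule.match(host, ci)]
        if not hits:
            continue
        ci = hits[0]  # a rule returning several CIs: only the first is used
        while ci.sys_class_name in LOW_LEVEL_CLASSES and ci.parent is not None:
            ci = ci.parent  # climb to the parent CI
        return ci, rule.name
    return None, None  # no rule matched: caller creates an Unmatched CI

# Constructed sample CMDB: a server with one NIC as its child CI.
SERVER = CI("srv1", "cmdb_ci_server", {"fqdn": "web01.example.test"})
NIC = CI("nic1", "cmdb_ci_nic", {"ip_address": "10.0.0.5"}, parent=SERVER)
CMDB = [SERVER, NIC]
RULES = [
    Rule("FQDN", 100, True, lambda h, c: bool(h.get("fqdn")) and h["fqdn"] == c.attrs.get("fqdn")),
    Rule("IP", 200, True, lambda h, c: bool(h.get("ip")) and h["ip"] == c.attrs.get("ip_address")),
]
DISCOVERED = {("qualys", "prod", "Q-42"): SERVER}  # prior import, keyed by vendor ID
```

A host that only carries an IP address hits the NIC record, and the model returns its parent server, which is the behaviour the note above describes.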
These Qualys CI lookup rules are shipped with the base system.
- QUALYS HOST ID
- FQDN
- NetBIOS
- DNS
- IP
These Rapid7 CI lookup rules are shipped with the base system.
- MacAddress
- FQDN
- HostName
- IP
Note: Rules, once removed, cannot be recovered. Rather than removing existing rules, deactivate them when creating new ones.

Importing vulnerability data can be taxing on an instance, and performance issues with resources can occur if rules are not carefully constructed. The logic used to iterate through and perform matching within the CMDB can result in lengthy processing times. To avoid any potential degradation of resources or performance complications, test any custom-written CI Lookup Rules or modifications to pre-defined CI Lookup Rules. See Prevent duplicate or orphaned records after running Vulnerability Response CI lookup rules for more information on preventing duplicate or orphaned records, deleting data, and cleaning up data.