The CI Lookup Rules module contains rules that are used to find the matching record for host information received during third-party vulnerability integration imports. The host information is matched with the discovered items, unmatched configuration item classes, and the Configuration Management Database (CMDB).

Before you begin

Persona and granular roles are available to help you manage what users and groups can see and do in the Vulnerability Response application. For an initial assignment of the persona roles in Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant. For more information about managing granular roles, see Manage persona and granular roles for Vulnerability Response.

Role required: sn_vul.vulnerability_admin

About this task

Creating CI lookup rules requires advanced ServiceNow and Vulnerability Response expertise. Rather than modifying one of the existing lookup rules, consider copying it and modifying the copy. When you are satisfied that the new rule does what you want, deactivate the original.
Note: Rules, once removed, cannot be recovered. Rather than removing existing rules, deactivate them when creating new ones.

Procedure

  1. Navigate to All > Security Operations > CMDB > CI Lookup Rules.
  2. Click New.
  3. On the form, fill in the fields.
    Table 1. CI lookup rule form
    FieldDescription
    Name Name of the rule.
    Lookup method Method used for matching. Choices are:
    • Script: Pre-built (IP address, DNS name, and so on) or custom script.
    • Field matching: Search on table or field in the CMDB.
    Type Type used with the Script Lookup method.
    Order Order of precedence for the rule. Rules with the lowest order are evaluated first.
    Active Check box for whether the rule is active or disabled.
    Source Source used as input to this rule.
    Source field Source field used as input to this rule. Select any field, but it is treated as a string value.
    Condition Condition based on which the CI lookup rule is applied. This condition depends on the attribute from the third-party scanner.
    Note: The asset attribute is a part of the payload. It is received from the third-party scanner. See the Discovered Items table for payload examples.
    Script Editable sample script, based on the Type, is shown. Implement the custom script following the comments included in the template of the default function.
    Note:

    The process function has three parameters: rule, sourceValue, and sourcePayload
    Search on table Table to search within the CMDB. Used with field matching Lookup Method.
    Search on field Field that contains information that can be used to locate a CI. Used with the field matching Lookup method. This field may be on the CI record, or on a related record, such as a network adapter.
  4. Click Submit.

    For more information implementation information for CI Lookup Rules see, Steps to help prevent duplicate or orphaned records after running Vulnerability Response CI lookup rules.

    Figure 1. Example of a CI lookup rule using a condition builder for V12.0
    CI lookup rule using a condition builder for version 12.0.
    Figure 2. Example of a CI lookup rule using a script prior to V12.0
    CI lookup rule using a script