Description

Symptoms


Once the Qualys integration for the Vulnerability module is configured and the "Qualys Host Detection Integration" is executed, newly matched CIs are not consistently updated with the Qualys asset-specific data as expected. The values for Qualys ID, Qualys Host ID, Qualys Host tag and Fully Qualified Domain Name (if available) remain blank on the matched CI.

Cause


This is expected behaviour. CI information is supposed to be updated by the Discovery tool, not by Qualys.

Resolution


This is by design. All information related to a CI is stored in the associated Discovered Items record for that CI (sn_sec_cmn_src_ci).

The CI information in the CMDB can be updated in two ways. One approach is to update only the tags information of the CI in the CMDB; the other is to update the tags information along with other fields (Qualys Id, Qualys Host Id, fqdn, ip, os, netbios) of the CI in the CMDB. Both are discussed in detail in the following sections.

The table sn_sec_cmn_src_cmdb_map contains the mapping between the fields in the Qualys response and the columns of the CI in the CMDB.

1. Updating the tags information along with other fields (Qualys Id, Qualys Host Id, fqdn, ip, os, netbios) on the CI

a. Add the additional boolean parameter to the method call below, as shown:

File: QualysHostImportReportProcessor

                   var matchResult = new sn_vul.ImportHost().hostImport(sourceInstance, host, "ID", integrationRun, true);

b. Re-run the Qualys Host Detection Integration

  This will update the CI information in the CMDB.

2. Updating just the tags information of matched CIs in the CMDB

    This can be done by following the two steps below, in order:

a. Add a scheduled job that runs once and updates all the existing matched CIs in the CMDB with their host data present in sn_vul_qualys_m2m_ci_host_tag. The scheduled job (sysauto_script_66e4c7bf53320010a3b7ddeeff7b12a6.xml) is attached; it can be imported on the instance and run.

b. Add a business rule on the table sn_vul_qualys_m2m_ci_host_tag that runs on insert/update/delete and updates the tags data for every newly matched CI on imports. The business rule (sys_script_707072b253fe0010a3b7ddeeff7b12db.xml) is attached; it can be imported on the instance.

 

Ref. documentation pages related to Discovered Items:
https://docs.servicenow.com/bundle/london-release-notes/page/release-notes/security-operations/secops-vuln-resp-rn.html
https://docs.servicenow.com/bundle/london-release-notes/page/product/vulnerability-response/concept/cj-discovered-items.html#discovered-items

Article Information

Last Updated: 2020-02-18 22:03:42
Published: 2020-02-19