Skip to page contentSkip to chat
ServiceNow support
    • Community
      Ask questions, give advice, and connect with fellow ServiceNow professionals.
      Developer
      Build, test, and deploy applications
      Documentation
      Find detailed information about ServiceNow products, apps, features, and releases.
      Impact
      Accelerate ROI and amplify your expertise.
      Learning
      Build skills with instructor-led and online training.
      Partner
      Grow your business with promotions, news, and marketing tools
      ServiceNow
      Learn about ServiceNow products & solutions.
      Store
      Download certified apps and integrations that complement ServiceNow.
      Support
      Manage your instances, access self-help, and get technical support.
Vulnerable Item's Configuration Item (CI) matching issue in Vulnerability Response application - Support and Troubleshooting
  • >
  • Knowledge Base
  • >
  • Support and Troubleshooting (Knowledge Base)
  • >
  • Vulnerable Item's Configuration Item (CI) matching issue in Vulnerability Response application
KB0780995

Vulnerable Item's Configuration Item (CI) matching issue in Vulnerability Response application


7754 Views Last updated : Apr 8, 2024 public Copy Permalink English (Original)
  • English (Original)
  • Japanese
KB Summary by Now Assist

Issue

This article aims to explain the CI matching process from Qualys Integration.

 

This article might answer some of these common questions:

1) When there are duplicate CI in the system, the VIT that is being created does not always select the best CI. How to improve it?

2) What is the difference between "Qualys CI" (sn_vul_qualys_ci) table and "UnMatched CI" (sn_sec_cmn_unmatched_ci) table and when are they used?

3) What is the difference between "CI Lookup Rules" (sn_sec_cmn_ci_lookup_rules) and "CI Identifier Rules"(sn_sec_cmn_ci_identifier_rule) ?

Release

London, Madrid

Resolution

To understand the CI matching process, the 'Discovered Item' should be understood at first

 

Prior to London, the Qualys integration used Qualys fields to match to CMDB records. If it didn’t find a record with the specified Qualys id, it will execute the lookup rules to find existing records without a Qualys ID. If it doesn’t find one, or the host already has a different Qualys ID, a new “Qualys CI” (sn_vul_qualys_ci) record will be inserted.

 

In London, CI matching method has been improved. Instead of using a field on the CI table, a new table called “Discovered Items” (sn_sec_cmn_src_ci) has been introduced. This allows multiple Qualys Ids to map to a single CI. It persists the Qualys ID in the “Source ID” field and the “Configuration Item” field references the CI.

 

The first step in the record matching process is that the system searches by Qualys ID in the "Discovered Items" table and if a record exists in the Discovered Items table, it will create a vulnerable item using that CI

 

If no “Discovered Items” record exists, it will execute the CI Lookup Rules in the table “CI Lookup Rules” (sn_sec_cmn_ci_lookup_rules). If it finds a match using any of these rules, it will create a new “Discovered Items” record. If it doesn’t find a match, it will create a new record in the “Unmatched CIs” table (sn_sec_cmn_unmatched_ci), which extends cmdb_ci table. After creating the 'Unmatched CI' record, a new 'Discovered Item' record is also created associating the unmatched CI with the Qualys ID so that the next time for the same Qualys ID, a match will be found in the first step, in the 'Discovered Items' table, and the CI lookup rules will not be executed.

 

For the issue related to the "best CI not being matched", this might be the cause. There might be a "Discovered Item" record created (which would have been a duplicate 'Unmatched CIs' record that was created due to improper CI lookup rules in the first place), that gets returned during the first step and the CI lookup rule is never being called.


So to avoid the issue, please remove the Duplicate CIs records that was already inserted, using the CMDB De-duplication wizard.
https://docs.servicenow.com/csh?topicname=de-duplication-tasks.html&version=latest

The one caveat to using that is before trying to de-dup vulnerability-related issues, two additional tables need to be added to the Related Items list: sn_sec_cmn_src_ci and sn_vul_vulnerable_item. That way when duplicates are removed or re-mapped, all their appropriate references in the VR records will get updated as well.

 

It should also be noted that the "CI Lookup Rules” (sn_sec_cmn_ci_lookup_rules) is used for CI matching starting from London. Previously, the other table "CI Identifier Rule" (sn_sec_cmn_ci_identifier_rule) was being used which is NOT used anymore.

 

This can be validated by following the code in the system:

During the import, the script include "QualysHostImportReportProcessor" calls another script include named "ImportHost" which would first check if there is a "Discovered Item" record and if NOT, then it would call another script include named "CIIdenitify" where we are querying the "CI Lookup Rules" (sn_sec_cmn_ci_lookup_rule) table to see if there are any CIs that matches the condition defined in the CI Lookup rules.


The world works with ServiceNow.

Sign in for more! There's more content available only to authenticated users Sign in for more!
Did this KB article help you?
Did this KB article help you?

How would you rate your Now Support digital experience?

*

Very unsatisfied

Unsatisfied

Neutral

Satisfied

Very satisfied

Very unsatisfied

Unsatisfied

Neutral

Satisfied

Very satisfied

What can we improve? Please select all that apply.

What are we doing well? Please select all that apply.

Tell us more

*

Do you expect a response from this feedback?

  • Terms and conditions
  • Privacy statement
  • GDPR
  • Cookie policy
  • © 2025 ServiceNow. All rights reserved.