Configuring lookup rules

  • Release version: Australia
  • Updated March 12, 2026
  • 7 minutes to read

    • By configuring lookup rules, you can map security exposure data to the correct configuration items (CIs) in the CMDB. This mapping is a critical function because associating exposure findings with the right assets is essential for proper risk assessment, assignment, and remediation workflows.

    Create lookup rule

    Create lookup rules to automatically and accurately associate incoming exposure findings data with the correct configuration items (CIs) in the Configuration Management Database (CMDB) This is essential for enabling the rest of the vulnerability management process to function correctly.

    Before you begin

    Role required: sn_vul.vulnerability_admin

    About this task

    Creating lookup rules requires advanced ServiceNow and Unified Security Exposure Management (USEM) expertise. Rather than modifying one of the existing lookup rules, consider copying it and modifying the copy. When you are satisfied that the new rule does what you want, deactivate the original.
    Note:
    Rules, once removed, cannot be recovered. Rather than removing existing rules, deactivate them when creating new ones.

    Procedure

    1. Navigate to Workspaces > Security Exposure Management Workspace.
    2. Select Administration [gear icon] in the navigation pane.
    3. Select Review on the Look-up rules tile.
    4. On the Rules page, select Look-up in the navigation pane.
    5. Select New.
    6. On the form, fill in the fields.
      Table 1. Look-up rule form
      Field Description
      Details
      Name Name of the rule.
      Lookup method Method used for matching. Choices are:
      • Script: Pre-built (IP address, DNS name, and so on) or custom script.
      • Field matching: Search on table or field in the CMDB.
      Type Type used with the Script Lookup method.
      Order Order of precedence for the rule. Rules with the lowest order are evaluated first.
      Active Check box for whether the rule is active or disabled.
      Source Source used as input to this rule.
      Source field Source field used as input to this rule. Select any field, but it is treated as a string value.
      Description Description of the new look-up rule.
      Lookup target Lookup approach you want to follow. Select from:
      • Configuration item
      • Product model
      Applies to

      This field has no value by default.

      For third-party and ServiceNow® integrations that support both Application Vulnerability Response (AVR) and Vulnerability Response (VR) like the Vulnerability Response Integration with Wiz, for example, select one as it applies to each rule:
      • Discovered Item - for Vulnerability Response lookup rules.
      • Discovered Application - for Application Vulnerability Response lookup rules.
      Note:
      If you leave this field empty for lookup rules that support both VR and AVR integrations, background jobs for both applications apply changes on the same set of lookup rules. This state might cause a conflict and set the reapply flag incorrectly.

      With this distinction set, after the respective background jobs for AVR and VR are completed, the system resets the flag only for the lookup rules for the background job that was run.
      If condition is met
      Condition Condition based on which the lookup rule is applied. This condition depends on the attribute from the third-party scanner.
      Note:
      The asset attribute is a part of the payload. It is received from the third-party scanner. See the Discovered Items table for payload examples.
      Then set this value
      Lookup method Method used for matching. Choices are:
      • Script: Pre-built (IP address, DNS name, and so on) or custom script.
      • Field matching: Search on table or field in the CMDB.
      Search on CI table Table to search within the CMDB. Used with field matching Lookup Method.
      Search on product table If you choose the Product model Lookup target, the default value is Application Model.
      Search on CI field Field that contains information that can be used to locate a CI. Used with the field matching Lookup method. This field may be on the CI record, or on a related record, such as a network adapter.
      Search on product model field If you choose the Product model Lookup target, the default value is Name.
      Type Type used with the Script Lookup method.
      Script Editable sample script, based on the Type, is shown. Implement the custom script following the comments included in the template of the default function.
      Note:

      The process function has three parameters: rule, sourceValue, and sourcePayload
    7. Select Save.

      For more implementation information for lookup rules see, Steps to help prevent duplicate or orphaned records after running Vulnerability Response CI lookup rules.

    Ignore CI classes

    To ignore some configuration item (CI) classes, for example Load Balancer [cmdb_ci_lb], when running lookup rules, set the ignoreCIClass [sn_sec_cmn.ignoreCIClass] system property.

    Before you begin

    Role required: admin
    Note:

    The ignoreCIClass system property is available starting with Vulnerability Response v9.0. However, the property functionality is not available upon upgrade from any previous version.

    If you have upgraded from any Security Operations application, prior to version 9.0, see KB0788209 for instructions on how to enable this functionality.

    Procedure

    1. Enter sys_properties.list in the left navigation bar.
    2. Select Enter.
    3. In the Search menu, under Name enter sn_sec_cmn.ignoreCIClass.
    4. In the Value text box, enter the CI classes to exclude in a comma-separated list.
    5. Select Update.
      This list is used by CI Lookup Rules during the next import. Vulnerable items created during import are not associated to a CI of any type listed in the Value field of the sn_sec_cmn.ignoreCIClass system property.

    Reapply lookup rules

    Reapply lookup rules to ensure updated or existing rules are applied to relevant items. This helps maintain accurate data mapping and consistency after rule changes or additions.

    Before you begin

    Role required: sn_vul.vulnerability_admin, sn_vul_cmn.usem_admin, sn_vul.app_sec_manager, sn_vul_container.admin, sn_vulc.admin

    About this task

    Reapplying lookup rules is useful when:
    • Look-up rules are updated or newly created.
    • Findings were previously unassigned or incorrectly assigned.
    • You must reassign ownership based on updated business logic or CI ownership changes.
    Note:

    For Vulnerability Response (VR) lookup rules, two background jobs are simultaneously initiated after you select Reapply: one for Vulnerability Response (VR) rules and one for Application Vulnerability Response (AVR) rules.

    To keep these jobs distinct and to prevent conflicts, the AVR and VR lookup rules have the Applies to field on lookup rule records, which by default is not populated.

    If you're creating lookup rules for third-party and ServiceNow® integrations that support both Application Vulnerability Response (AVR) and Vulnerability Response (VR) like the Vulnerability Response Integration with Wiz, for example, you might want to create two separate rules, one for VR and one for AVR and choose one in the Applies to field:
    • Discovered Item - for Vulnerability Response lookup rules.
    • Discovered Application - for Application Vulnerability Response lookup rules.

    With this distinction set, after the respective background jobs for AVR and VR are completed, the system resets the flag only for the lookup rules for the background job that was run.

    Procedure

    1. Navigate to Workspaces > Security Exposure Management Workspace.
    2. Select Administration [gear icon] in the navigation pane.
    3. Select Review on the Look-up rules tile.
    4. On the Rules page, select Look-up rules in the navigation pane.
    5. Select Reapply.
      All the rules are reapplied regardless of any filters.
    6. Alternatively, you can navigate to the Lookup Rules [sn_sec_cmn_ci_lookup_rule] table, select individual rules, edit the records, and update them.
    7. Select Apply Changes to apply your recent changes to existing discovered items.
      Note:
      Depending on your number of discovered items, evaluating them with your updated rules might take some time.

    Reapply lookup rules on selected discovered items

    Reapply the lookup rules on selected discovered items from the discovered item list view select actions. If the configuration item (CI) changes after you reapply the rules, the discovered items are updated with the new CI and impacted detections. Vulnerable items are also updated.

    Before you begin

    Roles required: admin

    About this task

    For more information, see CI changes for discovered items.

    For more information on the concepts of CI matching and the CMDB, discovered item lookup, rule-based identification, see the CI matching in Vulnerability Response [KB0998706] article in the HI Knowledge Base.

    Procedure

    1. Navigate to All > Security operations > CMDB > Discovered Items.
    2. Select the required discovered items and select Actions on selected rows....
    3. From the list, select Reapply CI lookup rules.
      Note:
      You can skip the reapplication of lookup rules on discovered items with the substate ‘CI Decommissioned’ by enabling the system property sn_sec_cmn.skipItemsWithCIDecommissioned.

      The rules are reapplied on these discovered items.

    4. Select View status in the message.

      The status displays on the background job form.

      Note:
      In the Notes field, the Discovered items could not be process due to exception attribute with a non-zero value indicates that there’s an error or exception while reapplying a look-up rule. Check the system logs for more details.
    5. Reapply only applies to items scanned within the last 90 days based on the last_scan_date, last_comp_scan_date, non_infra_last_scan_date, non_infra_last_comp_scan_date column.

      Added ci_lifecycle_status_source (scope = sn_sec_cmn) system property for configuring CI lifecycle status columns (for example, Install Status, Operational Status). You can configure additional columns for retiring CIs.

      Columns are added to the background job list view:
      • Elapsed Time(ms): The time required for processing the background job.
      • Items Processed: The number of items processed until now.
      • Total Items to be Processed: The total number of items remaining to be processed.
      • Time Until Completion(ms): The time remaining until the background job is processed. These columns provide visibility into job progress. These columns are available for each form view for you to add according to requirement.