Steps to help prevent duplicate or orphaned records after running Vulnerability Response CI lookup rules
Summarize
Summary of Steps to Help Prevent Duplicate or Orphaned Records After Running Vulnerability Response CI Lookup Rules
This guide outlines essential steps to prevent duplicate or orphaned records when importing vulnerability data into the CMDB. Proper configuration of CI Lookup Rules is critical to avoid performance issues and lengthy processing times.
Show less
Key Features
- Testing with Subsets: Utilize small data subsets specific to the CI Lookup Rule being tested while setting other rules to Inactive.
- Analyzing Matched CIs: Regularly check the count of matched versus unmatched CIs, ensuring the percentages are acceptable. A manual search can identify naming or field inconsistencies.
- Reviewing Unmatched CIs: Examine unmatched CIs by class to determine misclassifications or whether certain classes should be excluded or elevated.
- Data Cleanup: Once expected CI matching behavior is confirmed, delete test data and manually rerun CI Matching rules to ensure accuracy.
Key Outcomes
By following these steps, ServiceNow customers can effectively manage their vulnerability imports, ensuring that records are accurately matched and reducing the likelihood of duplicates or orphaned entries. Proper data management practices enhance system performance and reliability.
Take steps to help prevent duplicate or orphan records resulting from matching (configuration items (CIs) within the CMDB.
Importing vulnerability data can be taxing on an instance and performance issues with resources can occur if rules are not carefully constructed. The logic used to iterate through and perform matching within the CMDB can result in lengthy processing times. Thorough testing and debugging of processing scripts in the rules helps alleviate the potential of issues later in the process.
Preventing duplicate or orphaned records
- Use small subsets of data that are specific to the CI Lookup Rule being tested.
- Set all CI Lookup Rules, other than the one being tested, to Inactive.
- Analyze the imported CIs to ensure that you are observing the expected behavior and matching is occurring properly.
- Review Matched CIs
- Examine the count of matched vs unmatched CIs. Ensure that the percentage is acceptable. Don’t just look at the first page, that is likely the first one inserted.
- Manually search for some CIs.
- Check to see if there are any naming or field problems (such as searching for a
specific domain).
If it seems appropriate, add additional matching rules.
- Review Unmatched CIs
- Navigate to the Unmatched CIs table.
- Group by Configuration Item class.
- Review any classes that don’t look right (certificates, network cards, images).
- Figure out why didn’t they match the correct CI?
- Should the class be excluded?
- Should the class be elevated to a related class?
- Review CI states such as Retired.
- Remove Test Data
- Once you begin to observe the correct or expected behavior in CI matching, start over.
- Start over by: Deleting the data used for testing: (see the Deleting
data from tables section)
- Discovered Items
- Vulnerable Items
- Remediation tasks
- Manually rerunning all the CI Matching rules.
For more information on CI Lookup Rules and Qualys, see the KB0750656 article.
For more information on CI Lookup Rules and Rapid7, see the KB0818096.
Deleting data from tables
- Using Delete All Records on Table Configuration.
- Configure the Table Cleaner by navigating to Auto Flushes (sys_auto_flush.list) and creating a new Auto-flush record.
- Truncate the gs.truncateTable using a background script.
Using truncateTable requires turning off the record for rollback check box in the background scripts. Otherwise, a copy of the table and related cascade tables are created, take too long, and most likely fail.
Note:Never use truncateTable in a production environment. Consult you Support representative before executing large deletions in production or shared environments.