Troubleshooting CI Lookup - IBM/ServiceNow-Guardium-Vulnerability-Assessment GitHub Wiki

Introduction

  • Matching a Guardium data source to a ServiceNow CI asset is a critical part of vulnerability management. You should strive to match every Guardium data source to its corresponding entry in the ServiceNow CMDB.

  • Do not use Discovered Item > Reapply CI lookup rules. This ServiceNow action only works on hardware CIs such as Linux or Windows servers. If no match is found, ServiceNow creates an "Unclassed Hardware" entry, which is not appropriate for a database instance.

  • Instead, use Guardium > Data sources > Reapply CI lookup rules. This uses the ServiceNow framework to run the CI lookup rules. If a match is found, the Guardium and ServiceNow code converts all referenced Vulnerable Items, Vulnerability Detections, and Configuration Compliance Test Results to link to the newly matched CI.

  • You must have access to ServiceNow > Application Logs (App Scope = Security Support Common) to see the output from any CI Lookup Rule.

Guardium CI Lookup Rules

  • IBM Guardium - Correlation ID

    • Simple field matching
      • cmdb_ci.correlation_id == Guardium-Data-Source.name
  • IBM Guardium - Relationship Table Lookup

    • Complex lookup
      1. Match the Guardium Host with the CI fully qualified domain name, cmdb_ci.fqdn; or, if the host is an IP address, match it with the IP address, cmdb_ci.ip_address
      2. If a network adapter is found, get its parent server record
      3. Determine the database instances running on the parent server through the RunsOn::Runs relationship
      4. Filter the list to those where the Guardium Port equals the database instance port, cmdb_ci_db_instance.tcp_port
      5. Match the Guardium Service Name property (if not empty) to the database instance service property (e.g. sid for Oracle), if supported
      6. Match the Guardium Database Name property (if not empty) to a referenced database catalog, or to a database catalog linked through the Contains::ContainedBy relationship
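The six lookup steps above, run over a small constructed in-memory CMDB as an added example (this is not the IBM app's own rule code, which queries these tables with GlideRecord). The table and field names follow the page; the sample records, the `lookupCI` function, and the choice to report no match when more than one instance survives the filters are assumptions of this example.

```javascript
// Added example, not the app's own code: the "IBM Guardium - Relationship Table
// Lookup" steps applied to a constructed CMDB. Field names follow the wiki page.
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

const cmdb = {                                                   // constructed sample data
  cmdb_ci_server: [{ sys_id: "srv1", fqdn: "db01.example.com", ip_address: "10.0.0.5" }],
  cmdb_ci_network_adapter: [{ sys_id: "nic1", ip_address: "10.0.0.6", cmdb_ci: "srv1" }],
  cmdb_ci_db_instance: [
    { sys_id: "ora1", tcp_port: "1521", sid: "ORCL" },           // Oracle: service name is the sid
    { sys_id: "pg1",  tcp_port: "5432", sid: "" },
    { sys_id: "pg2",  tcp_port: "5432", sid: "", database: "cat2" }, // referenced catalog
  ],
  cmdb_ci_database: [{ sys_id: "cat1", name: "SALES" }, { sys_id: "cat2", name: "HR" }],
  runsOn:   [["srv1", "ora1"], ["srv1", "pg1"], ["srv1", "pg2"]], // RunsOn::Runs (server -> instance)
  contains: [["pg1", "cat1"]],                                    // Contains::ContainedBy (instance -> catalog)
};

// ds = { host, port, serviceName, databaseName } taken from the Guardium data source.
// Returns the sys_id of the single matching cmdb_ci_db_instance, or null.
function lookupCI(ds, db = cmdb) {
  // Step 1: host -> server by fqdn, or by ip_address when the host is an IP
  const isIp = IPV4.test(ds.host);
  let server = db.cmdb_ci_server.find(s => (isIp ? s.ip_address === ds.host : s.fqdn === ds.host));
  // Step 2: an IP may instead match a network adapter; take its parent server
  if (!server && isIp) {
    const nic = db.cmdb_ci_network_adapter.find(n => n.ip_address === ds.host);
    if (nic) server = db.cmdb_ci_server.find(s => s.sys_id === nic.cmdb_ci);
  }
  if (!server) return null;
  // Step 3: database instances running on the server (RunsOn::Runs)
  let candidates = db.runsOn.filter(([p]) => p === server.sys_id)
    .map(([, c]) => db.cmdb_ci_db_instance.find(i => i.sys_id === c)).filter(Boolean);
  // Step 4: port must match
  candidates = candidates.filter(i => i.tcp_port === String(ds.port));
  // Step 5: service name, only when Guardium supplies one
  if (ds.serviceName) candidates = candidates.filter(i => i.sid === ds.serviceName);
  // Step 6: database name via a referenced catalog or Contains::ContainedBy
  if (ds.databaseName) {
    const catIds = db.cmdb_ci_database.filter(c => c.name === ds.databaseName).map(c => c.sys_id);
    candidates = candidates.filter(i => catIds.includes(i.database) ||
      db.contains.some(([p, c]) => p === i.sys_id && catIds.includes(c)));
  }
  // Assumption of this example: an ambiguous result (several instances) is treated as no match
  return candidates.length === 1 ? candidates[0].sys_id : null;
}
```

Running it with a data source that has the port but no service or database name shows why the two optional properties matter: two PostgreSQL instances on the same host and port cannot be told apart without them.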


Troubleshooting CI Lookup Rules

Enable debug mode in Guardium settings

If running Guardium app v1.3.30

  • Open Guardium > Settings
  • Go to tab: Database Import
  • Log level: verbose

If running Guardium app v1.3.28

  • Open ServiceNow > Lookup Rules
  • Open "IBM Guardium - Relationship Table Lookup"
  • This line of code (near the top) must be set to "info":
    var GS_LOG_LEVEL = "info"; // change to "debug" to suppress output

Request access to Application Logs in ServiceNow

  • You do not need access to all Application Log entries. Request access to App Scope = Security Support Common.
  • Example output when the Guardium "verbose" setting is enabled:

Run CI Lookup from Guardium Data Sources view

  • Select data sources where State == Unmatched
  • Select the view action: Reapply CI Lookup Rules
  • Monitor Guardium Application Log for overall task start and end
  • Monitor ServiceNow Application Logs for detailed information

What to do with the App Log information

  • In the example above, there is no entry in the cmdb_ci list whose fully qualified domain name matches the one in the Guardium data source entry. To fix this, a matching ServiceNow CI must exist. Either:
    • Use the ServiceNow Discovery tool to find the database (it inserts new records into the cmdb_ci table)
    • Add the cmdb_ci_db_instance record manually

The five properties used to match a Guardium data source with a ServiceNow CMDB CI asset


Manually changing the matched ServiceNow CMDB CI asset

  • If there is an entry that you believe matches the Guardium data source, examine the five properties of the Guardium data source. Only when you are absolutely certain, change the Configuration Item as shown below.
  • A script runs in the background to change all associated Vulnerable Items, Vulnerability Detections, and Configuration Compliance Test Results.
