Tenable Integeration for Vulnerability Response does not honor 'CI Classes to Ignore' correctly - Support and Troubleshooting

Tenable Integeration for Vulnerability Response does not honor 'CI Classes to Ignore' correctly Issue  Symptoms Tenable.io for Vulnerability Response is a store app developed by Tenable. In the general settings for this integration, there is an option 'CI Classes to ignore' which is a list of CI classes to be ignored when matching vulnerable items to CIs.

This 'CI classes to ignore' feature does not work and causes newly created Vulnerable items to be associated to CIs which are listed in 'CI classes to Ignore'.

Release Applicable to all ServiceNow releases.

Environment Tenable.io for Vulnerability Response store app.

Cause The CI to match is found by running 'CI matching rules' that can be seen in 'Tenable - SecurityCenter > CMDB > CI Matching Rules' from the filter navigator.

These rules run queries against different CMDB tables excluding the CI classes to ignore. If there is a match, they check if the CI has a non-empty cmdb_ci field value and if there is one, that CI is directly matched to the vulnerable item without checking the CI's class name.

If the CI matched has a non-empty cmdb_ci field value, the script does not check if this CI belongs to one of the classes listed in CI Classes to Ignore or not.

Resolution Since these CI matching rules are part of the store app developed by Tenable, you would need to contact Tenable support to provide a fix for this.