What does Duplicate Items field in the Vulnerability Integration Run indicate?Issue <!-- div.margin { padding: 10px 40px 40px 30px; } table.tocTable { border: 1px solid; border-color: #e0e0e0; background-color: #fff; } .title { color: #d1232b; font-weight: normal; font-size: 28px; } h1 { color: #d1232b; font-weight: normal; font-size: 21px; margin-bottom: 5px; border-bottom-width: 2px; border-bottom-style: solid; border-bottom-color: #cccccc; } h2 { color: #646464; font-weight: bold; font-size: 18px; } h3 { color: #000000; font-weight: bold; font-size: 16px; } h4 { color: #666666; font-weight: bold; font-size: 15px; } h5 { color: #000000; font-weight: bold; font-size: 13px; } h6 { color: #000000; font-weight: bold; font-size:14px; } ul, ol { margin-left: 0; list-style-position: outside; } --> Overview This article explains what the value in the Duplicate Items field in a Vulnerability integration run indicates. Duplicate Items in Vulnerability Integration Run There is a hover over hint for the 'Duplicate Items' field that yields: "Number of imported records that were identical to existing vulnerable item records" Keeping that in mind, when the count is greater than 0, it doesn't mean that the system created additional duplicate Vulnerable Item records. Instead, the system routed these identified duplicate detections to a matching/existing Vulnerable Item record. The term "Duplicate Items" here is used in the context of 'Number of detections from the Host Detection payload', that were identified as matching up to an existing Vulnerable Item. The system recognized the count here as duplicates, but treated them accordingly with the "de-duplication" process. Meaning, the system did not create additional duplicate Vulnerable Item records, instead it associated these identified duplicate detections to an existing Vulnerable Item record. Example Consider an example of Qualys Host Detection import, in the report "Last 30days Qualys Duplicates" on the 'Integration Run Status' page, if you see a large count for duplicates, it illustrates that duplicate detections were identified/handled. If you navigate to the table [sn_vul_vi_ip_address], you can actually see IP address and port pairs, that are associated to Vulnerable Items, as part of the "de-duplication" process. If you choose a Vulnerable Item record, and scroll down to the Related Lists on the record, you will see a Related List called "Associated IP Addresses". You can infer here, how detections are "de-duplicated" into a single VIT record.