Reapply CI look up RuleIssue This article is intended to help understand the flow of Reapply Configuration Item look up rule. It presents different ways to correct a Configuration Item on the vulnerable items/test results Different methods to correct a configuration item Select discovered items from list view whose Configuration item is incorrect and Click on Reapply Configuration Item look up rule list action. This processes selected discovered items irrespective of the state.Reconcile Unmatched Discovered item Module. More DetailsRectify the Configuration Item look up rule which might have caused the incorrect Configuration Item to be associated with Vulnerable item/ test result and apply look up rule again.Trigger a scheduled job "Re-apply Configuration Item Lookup Rules on the Changed Discovered items". This reapplies the look up rule on discovered items whose source data changed in subsequent ingestions. Flow All the above mentioned methods re-apply Configuration Item look up rules on the discovered item source data to find the correct configuration Item If a Configuration Item is found after applying look up rule then update the Configuration Item and look up rule on the discovered item record. There is a business rule on Discovered item Handle Configuration Item Change which is responsible for updating the configuration item on detections and vulnerable item/test results.Business Rule update of all the open detections associated with the processed discovered item with new configuration item whose configuration item is not equal to the new configuration item.Process the vulnerable item Check if the vulnerable item has detections from other discovered items and if so mark the vulnerable item for a roll up.If there exists any existing VI with the new external_id generated based on the new Configuration Item Move all the detections of the processed discovered item to the existing vulnerable item and add the work note to current VI "Moved detections of Discovered item <number> from this VI to <new VI number>"Update the existing VI Reopen the existing vulnerable item if its in Closed-Fixed or Closed-Stale.Update last-found if the existing Vulnerable item's last found is before than the current vulnerable item's last found.Update first_found and last_opened in existing Vulnerable item if these values are after the current vulnerable item's values.Update times_found if the old vulnerable item's value is greater than then the new VI. If the current VI has detections from other discovered items then it requires roll up Update the current VI with earliest first-found detection data. If the current VI doesn't have detections from other discovered items then it doesn't require roll up Close the Vulnerable item with Close - Invalid Configuration Item with worknotes "Closed because the Configuration Items do not match."Remove Vulnerable from any existing group if the group is not in Close state.Remove Remediation status of current VI. If there is no existing VI based on the new external_id then Check for the flag "sn_sec_cmn.update_on_ci_change" if it's true then (true by default). If current VI has detection from other discovered items then Create a new Vulnerable item.Move all detections of the processed discovered item to newly created Vulnerable item.Update the work notes "Moved detections of Discovered item <number> from this VI to <new VI number>" to current Vulnerable item.Roll up the current VI with earliest first-found detection data which is not from the processed discovered item. If the current Vulnerable item doesn't have detections from other discovered items then update the new Configuration Item on current Vulnerable item.update external_id based on the new Configuration ItemUpdate hasImpactedService to pending and clear the assignment group on current VI. If the flag "sn_sec_cmn.update_on_ci_change" is set to false then Create a new Vulnerable item.Move all detections of the processed discovered item to newly created VI.Update the work notes "Moved detections of Discovered item <number> from this VI to <new VI number>" to current Vulnerable item.If current VI has detection from other discovered items then Roll up the current VI with earliest first-found detection data which is not from the processed discovered item. If current VI has no detections from any other discovered item then Close current VI with Close -Invalid Configuration Item with worknotes "Closed because the Configuration Items do not match."Remove Vulnerable from any existing group if the group is not in Close state.Remove Remediation status of current VI. If a Configuration Item is not found after applying look up rule and discovered item is in unmatched state then clear the look up rule entry in discovered item.If a Configuration Item is not found after applying look up rule and discovered item is in matched state then Create a new Configuration Item.update new Configuration Item and clear the look up rule entry on discovered item. Related LinksReapply CI lookup rules on selected discovered items