One-to-One Rules
The one-to-one rules create a separate incident for each FIM incident. You must set the one-to-one detection event rules to create an incident.
Perform the following steps to create one-to-one rules:
- Navigate to Qualys FIM > Detection Event Rules to view the detection rule that is available by default. You can update an existing rule or create a new rule.
  You can use the Copy this Rule option to clone the detection rule, modify the required field, and save the rule with a new name.
- Review the existing values in the fields and modify as required:
  - Source table - Select the source table from which the FIM incidents are retrieved, which is the FIM incidents table.
  - Destination table - Select Incident from the list of tables. This is a ServiceNow table used for Qualys FIM incidents.
  - Description - Enter the description for the detection event rule.
- The Trigger Criteria tab defines when this detection event rule runs.
  - Order - Provide the number that indicates the order of priority for running this detection event rule. The value in the Order field is a relative value and the detection event rules are executed in ascending order, that is, lowest to highest. The order assigned to a rule helps decide the priority when multiple rules exist for the same table.
  - Stop processing - Select this check box to stop processing the rules ordered after this rule once the detection conditions are met.
  - Trigger when - Define criteria on FIM incidents that should trigger this detection event rule and create a record in the destination table. You can use single or multiple attributes and filters.
- The Assignment tab defines how the FIM incidents are assigned once this detection event rule is triggered.
  - If the Assignment group based on ServiceNow Assignment Rules is selected, the incidents are assigned based on the rules set in the Reprocess the detection event rules.
  - If the Assignment based on the Detection Event Rule is selected, you can select a value in the Assignment Group field. This assignment group applies only to this rule.
- Click Submit to create the detection event rule.
Detection Event Field Maps
Once the detection event rule is created, add field mappings.
Perform the following steps for adding field mappings:
- Click the detection event rule that you created, and go to Detection event field maps.
- You must add the following field mappings.
You can add any additional field mappings as per your requirement.
We recommend setting the Coalesce field as mentioned in the example to avoid creating duplicate entries.
Reprocess Detection Event Rules
To import new FIM incidents, you need to process one-to-one detection rules manually and then process them again.
To manually reprocess one-to-one rules, click Reprocess Detection Event in the detection event rule.
The Reprocess Detection Event option is available only if you have the required privileges. If you cannot view this option, contact your ServiceNow administrator.