One-to-One Rules
Perform the following steps to create one-to-one rules:
- Go to Configuration > Detection Event Rules to view the detection rule that is available by default. You can update an existing rule or create a new rule.
- Review the existing values in the fields and modify them as required:
- Source table - Select the source table from where the detections are retrieved, that is, the host detection table.
- Destination table - Select Incident from the list of tables. This is the ServiceNow table used for Qualys Policy Compliance/Policy Audit incidents.
- For change request creation, select Change Request in the Destination table.
- Description - Enter a description for the detection event rule.
- The Trigger Criteria tab defines when this detection event rule runs.
- Order - Provide the number that indicates the order of priority for running this detection event rule. The value in the Order field is a relative value and the detection event rules are executed in ascending order, that is, lowest to highest. The order assigned to a rule helps decide the priority when multiple rules exist for the same table.
- Stop processing - Select this check box to stop processing the rules ordered after this rule once the detection conditions are met.
- Trigger when - Define criteria on the posture record that should trigger this detection event rule and create a record in the destination table. You can use single or multiple attributes and filters.
For change request creation, the Trigger Criteria can be set as displayed in the following image:
The Assignment tab defines how the posture incidents are assigned once this detection event rule is triggered.
- If the Assignment group based on ServiceNow Assignment Rules is selected, the incidents are assigned based on the rules set in the Reprocess the detection event rules.
- If the Assignment based on the Detection Event Rule is selected, you can select a value in the Assignment Group field. This assignment group applies only to this rule.
- If the Assignment based on Group by field is selected, you can select a value in the Assignment Group field. This assignment group applies only to this rule.
- Click Submit to create the detection event rule.
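The following added example is a simplified model of how the Order and Stop processing fields interact, written from the field descriptions above; it is not Qualys or ServiceNow code. The record fields, rule names and sample records are hypothetical and constructed for illustration. It shows a broad rule with a low Order and Stop processing selected preventing a more specific rule from ever creating its record.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Rule:
    name: str
    order: int                            # "Order" field: lowest runs first
    stop_processing: bool                 # "Stop processing" check box
    trigger_when: Callable[[dict], bool]  # "Trigger when" criteria
    destination: str                      # "Destination table"

def evaluate(rules, record):
    """Return the rules that fire for one posture record, in execution order."""
    fired = []
    for rule in sorted(rules, key=lambda r: r.order):  # ascending Order
        if rule.trigger_when(record):
            fired.append(rule)
            if rule.stop_processing:  # rules ordered after this one are skipped
                break
    return fired

def shadowed_rules(rules, records):
    """Names of rules whose criteria match a sample record but that never fire."""
    matched, fired = set(), set()
    for rec in records:
        matched |= {r.name for r in rules if r.trigger_when(rec)}
        fired |= {r.name for r in evaluate(rules, rec)}
    return sorted(matched - fired)

# Constructed posture records; the field names are hypothetical.
RECORDS = [
    {"control": "1045", "status": "Failed", "criticality": "CRITICAL"},
    {"control": "2210", "status": "Failed", "criticality": "MEDIUM"},
    {"control": "3307", "status": "Passed", "criticality": "CRITICAL"},
]
def failed(rec): return rec["status"] == "Failed"
def critical_failed(rec): return failed(rec) and rec["criticality"] == "CRITICAL"

# Broad rule runs first and stops processing, so the specific rule never fires.
MISORDERED = [
    Rule("all-failed", 100, True, failed, "Incident"),
    Rule("critical-failed", 200, False, critical_failed, "Change Request"),
]
# Specific rule first, without Stop processing: both destinations get a record.
REORDERED = [
    Rule("critical-failed", 100, False, critical_failed, "Change Request"),
    Rule("all-failed", 200, True, failed, "Incident"),
]
if __name__ == "__main__":
    print(shadowed_rules(MISORDERED, RECORDS), shadowed_rules(REORDERED, RECORDS))
```

Running the same check against an export of your own rules and a sample of posture records highlights rules that need a different Order value or a cleared Stop processing check box.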
Detection Event Field Maps
Once the detection event rule is created, add field mappings.
Perform the following steps for adding field mappings:
- Click the detection event rule that you created, and go to Detection Event Field Maps.
- You must add the following field mappings.
You can add any additional field mappings as per your requirement.
We recommend setting the Coalesce field as mentioned in the example to avoid creating duplicate entries.