Discovery Flashcards
What are the two types of discovery?
- Horizontal discovery
- Horizontal discovery is a technique that Discovery uses to scan your network, find computers and devices, and then populate the CMDB with the CIs it finds. Horizontal discovery does create direct relationships between CIs, such as a "Runs on" relationship between an application CI and the computer CI it actually runs on. Horizontal discovery is not aware of business services and does not create relationships between CIs based on the business service they belong to.
- Top-down discovery
- Top-down discovery is a technique that Service Mapping uses to find and map CIs that are part of business services, such as an email service. For example, top-down discovery can map a website business service by showing the relationships between an Apache Tomcat web server, a Windows server, and the MSSQL database that stores the data for the business service.
Typically, Service Mapping and Discovery work together: horizontal discovery runs first to find the CIs, and top-down discovery then establishes the relationships among those CIs that make up each business service.
What are probes and sensors?
- These are scripts that collect and process data on a host and then update the CMDB.
- Probes explore or investigate CIs on your network
- Sensors parse the data returned from the probes
- Several of each are provided by default, but they can be customized, and new ones can be created.
- Written in JavaScript
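The parsing step a sensor performs, as an added example that is not ServiceNow's own code: a probe has run `uname -sr` and `ps -eo pid,user,comm` over SSH, and the sensor turns the raw text into a host CI, application CIs, and "Runs on" relationships. A real sensor runs on the instance and writes through its server-side API, which this plain Node.js code does not use; the command output, the process-to-class table (`KNOWN_APPS`) and the class names are all constructed for the example.

```javascript
// Added example (not ServiceNow code): sensor-style parsing of probe output.
// Runs under plain Node.js; nothing here touches the CMDB.

// Constructed probe output for one host, as the MID Server would return it.
const PROBE_OUTPUT = {
  host: "10.0.0.5",
  "uname -sr": "Linux 5.15.0-91-generic\n",
  "ps -eo pid,user,comm": [
    "  PID USER     COMMAND",
    "    1 root     systemd",
    "  842 root     sshd",
    " 1203 postgres postgres",
    " 1777 www-data nginx",
    " 1778 www-data nginx",
  ].join("\n"),
};

// Process names the sensor promotes to application CIs (assumed mapping;
// class labels are illustrative, not ServiceNow table names).
const KNOWN_APPS = {
  postgres: "PostgreSQL Instance",
  nginx: "Web Server",
};

// "Linux 5.15.0-91-generic" -> { os: "Linux", kernel: "5.15.0-91-generic" }
function parseUname(text) {
  const [os, kernel] = text.trim().split(/\s+/);
  return { os, kernel };
}

// Drop the header line, then split each row into pid/user/comm.
function parsePs(text) {
  return text
    .split("\n")
    .slice(1)
    .filter(line => line.trim())
    .map(line => {
      const [pid, user, comm] = line.trim().split(/\s+/);
      return { pid: Number(pid), user, comm };
    });
}

// Sensor logic: one host CI, one application CI per recognised process name
// (worker processes collapse into a single CI), and a "Runs on" relationship
// from each application (parent) to the host (child).
function sensor(output) {
  const { os, kernel } = parseUname(output["uname -sr"]);
  const host = {
    class: os === "Linux" ? "Linux Server" : "Unix Server",
    ip_address: output.host,
    os,
    kernel,
  };

  const apps = new Map();
  for (const proc of parsePs(output["ps -eo pid,user,comm"])) {
    const cls = KNOWN_APPS[proc.comm];
    if (!cls || apps.has(proc.comm)) continue;
    apps.set(proc.comm, { class: cls, name: proc.comm, run_as: proc.user });
  }

  const applications = [...apps.values()];
  const relationships = applications.map(app => ({
    parent: app.name,
    type: "Runs on",
    child: host.ip_address,
  }));
  return { host, applications, relationships };
}

console.log(JSON.stringify(sensor(PROBE_OUTPUT), null, 2));
```

The dedupe on process name matters in practice: a web server with twenty worker processes is still one application CI, and a sensor that does not collapse them creates twenty duplicate CIs and twenty relationships on every run.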
What are patterns
These are a series of operations that also collect data on a host, process it, and update the CMDB.
Patterns differ from probes and sensors in that they are written in Neebula Discovery Language (NDL) rather than JavaScript, and they are called into action in the later stages of the horizontal discovery process.
Default patterns are provided, but you can also customize or create patterns using the Pattern Designer.
What are the phases of horizontal discovery?
- Scanning
- Discovery sends a probe called Shazzam to the network to see whether commonly used ports are open and whether they respond to queries. For example, if Shazzam finds a device that responds on port 135 (the Windows RPC endpoint mapper), Discovery treats it as a Windows server; the classification phase then confirms the operating system.
- Classification
- If Discovery finds devices or computers, it sends additional probes to find the type of device or the operating system on the device. For example, Discovery sends the WMI probe to a Windows machine to detect the Windows 2012 operating system. Then Discovery uses records called classifiers, which specify the trigger probe or probes that run during the next two phases. If you are using patterns, the classifier specifies a trigger probe that in turn launches a pattern.
- Identification
- Discovery tries to gather more information about the device and then tries to determine if a CI for the device exists in the CMDB. Discovery then uses additional probes, sensors, and identifiers to update existing CIs in the CMDB or create new ones. Identifiers, also known as identification rules, specify the attributes that the probes look at when reconciling data with the CIs in the CMDB. If you are using patterns, Discovery uses the appropriate identification rule for the CI type specified in the pattern.
- Exploration
- The identifier launches additional probes configured in the classifier. These probes are specifically designed as exploration probes to gather additional information about the device, such as the applications running on it and further attributes such as memory, network cards, and drivers. Discovery then creates relationships between applications and devices and between applications. If you are using patterns, the operations in the pattern perform the exploration of the CI.
What happens in the following phase of discovery:
Scanning
Discovery sends a probe called Shazzam to the network to see whether commonly used ports are open and whether they respond to queries. For example, if Shazzam finds a device that responds on port 135 (the Windows RPC endpoint mapper), Discovery treats it as a Windows server; the classification phase then confirms the operating system.
What happens in the following phase of discovery:
Classification
If Discovery finds devices or computers, it sends additional probes to find the type of device or the operating system on the device. For example, Discovery sends the WMI probe to a Windows machine to detect the Windows 2012 operating system. Then Discovery uses records called classifiers, which specify the trigger probe or probes that run during the next two phases. If you are using patterns, the classifier specifies a trigger probe that in turn launches a pattern.
What happens in the following phase of discovery:
Identification
Discovery tries to gather more information about the device and then tries to determine if a CI for the device exists in the CMDB. Discovery then uses additional probes, sensors, and identifiers to update existing CIs in the CMDB or create new ones. Identifiers, also known as identification rules, specify the attributes that the probes look at when reconciling data with the CIs in the CMDB. If you are using patterns, Discovery uses the appropriate identification rule for the CI type specified in the pattern.
What happens in the following phase of discovery:
Exploration
The identifier launches additional probes configured in the classifier. These probes are specifically designed as exploration probes to gather additional information about the device, such as the applications running on it and further attributes such as memory, network cards, and drivers. Discovery then creates relationships between applications and devices and between applications. If you are using patterns, the operations in the pattern perform the exploration of the CI.
What is the MID Server's role in discovery?
- Constantly queries the instance for probes to run, and executes the instructions in the probe or in the pattern that the probe specifies.
- The MID Server then returns the results to the instance, where sensors process it.
- The MID Server uses several techniques to probe devices without using agents. Because discovery is agentless, the MID Server must hold the SSH, WMI and SNMP credentials for every target it probes, so treat it as a privileged host and give those credentials only the rights the probes actually need.
- The MID Server uses SSH to connect to a Unix or Linux computer, and then it can run a standard command, as specified in the probe, to gather information.
- Similarly, it uses the Simple Network Management Protocol (SNMP) to gather information from a network switch or a printer.
What are the types of horizontal discovery?
- Network discovery
- Run this type of discovery to find the internal IP networks within your organization. If you already know the IP address ranges in your network, it is not necessary to run network discovery.
- CI discovery
- Run this type of discovery to find the devices, computers, and applications on your network. This is essentially the standard type of discovery that you run most often.
- Cloud discovery
- Run this type of discovery to find AWS and Azure resources in your organization’s cloud.
- Serverless discovery
- Run this type of discovery to find applications on host machines without the need to discover the host first. Serverless discovery relies on patterns to explore CIs on a host.
What is IP service affinity?
IP service affinity records the IP service (protocol) that successfully discovered a device, associated with the device's IP address, in the IP Service Affinity table [ip_service_affinity]. On subsequent runs Discovery uses this record to target the device with the protocol that worked last time instead of retrying the default order.
For example: A network device has both an SSH port and an SNMP port open. By its agentless design, Discovery tries SSH first. However, network devices should be discovered through SNMP. Discovery tries the SSH probe and it fails. This triggers the SNMP probe, which succeeds. With the association between the IP address and the IP service, subsequent discovery runs that target this IP address use SNMP first, because that is the probe that succeeded.
What are the steps of the horizontal discovery process flow with probes and sensors?
- Kicking off Discovery
- Scanning phase
- Classification phase
- Identification phase
- Exploration phase
What happens in the Scanning phase
- Discovery first takes the Shazzam probe (and then port probes) and places it in a request in the External Communication Channel (ECC) queue.
- The MID Server checks the ECC queue, retrieves the discovery request, and runs the probes against the host and discovers open ports.
- The port probes scan common ports using several protocols, such as WMI, HTTP, SSH, and SNMP.
- If one or more ports respond, the Shazzam probe sends information about the port back to the ECC queue through the MID Server.
- Discovery checks the ECC queue to find out which ports responded, which suggests the type of machine. For example, if Shazzam detects that the machine is listening on port 22, Discovery treats the machine as a UNIX or Linux machine until the classification probe confirms it.
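The scanning-phase port checks above and the IP service affinity example (SSH tried first, failing, then SNMP succeeding and being remembered) as one added simulation in Node.js. This is not ServiceNow code: the network table, the port-to-service mapping and the in-memory `affinity` map (standing in for the [ip_service_affinity] table) are all constructed for the example, and "probe success" is just a flag per host rather than a real connection.

```javascript
// Added example (not ServiceNow code): Shazzam-style port probing plus
// IP service affinity across two Discovery runs. Plain Node.js, offline.

// Port probes: the IP service a response on each port implies, and the
// device class Discovery provisionally assumes from it.
const PORT_PROBES = {
  22:  { service: "ssh",  candidate: "unix"    },
  135: { service: "wmi",  candidate: "windows" },
  161: { service: "snmp", candidate: "network" },
};

// Constructed network: which ports answer Shazzam, and which classification
// probe actually succeeds. 10.0.0.5 is the page's example: a network device
// with SSH and SNMP open where only SNMP works.
const NETWORK = {
  "10.0.0.5": { openPorts: [22, 161], probeSucceeds: { ssh: false, snmp: true } },
  "10.0.0.9": { openPorts: [135],     probeSucceeds: { wmi: true } },
};

// Stand-in for the ip_service_affinity table: IP -> service that last succeeded.
const affinity = new Map();

// Scanning phase: port probe results for one IP, in scan (port) order.
function shazzam(ip) {
  const host = NETWORK[ip];
  if (!host) return [];
  return host.openPorts
    .filter(port => PORT_PROBES[port])
    .map(port => ({ port, ...PORT_PROBES[port] }));
}

// Order the classification probes for an IP: default is scan order (SSH
// before SNMP here); a remembered service moves to the front.
function probeOrder(ip, results) {
  const services = results.map(r => r.service);
  const remembered = affinity.get(ip);
  if (!remembered || !services.includes(remembered)) return services;
  return [remembered, ...services.filter(s => s !== remembered)];
}

// Classification attempt: try probes in order, record the first success in
// the affinity table, and report the candidate class and what was tried.
function classify(ip) {
  const results = shazzam(ip);
  const attempts = [];
  for (const service of probeOrder(ip, results)) {
    attempts.push(service);
    if (NETWORK[ip].probeSucceeds[service]) {
      affinity.set(ip, service);
      const hit = results.find(r => r.service === service);
      return { ip, service, candidate: hit.candidate, attempts };
    }
  }
  return { ip, service: null, candidate: null, attempts };
}

// Two runs against the example device: the first tries SSH, then SNMP;
// the second goes straight to SNMP because of the recorded affinity.
console.log(classify("10.0.0.5").attempts); // [ 'ssh', 'snmp' ]
console.log(classify("10.0.0.5").attempts); // [ 'snmp' ]
```

The affinity entry only reorders the probes that the current scan actually offers; if the remembered port stops answering, the code falls back to the default order rather than trying a protocol the device no longer exposes.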
What happens in the Classification phase?
- The Discovery application determines which classification probe to send to the newly discovered device by using information in the record of the port probe that successfully responded.
- Discovery puts the classification probe into the ECC queue.
- The MID Server checks the ECC queue, retrieves the discovery request, and runs the classification probe.
- The classification probe retrieves additional information, such as which version of the operating system is running on a machine. This information determines the class of the CI that Discovery found. There is only one classification probe per discovered device.
- The classification probe sends information back to the instance ECC queue through the MID Server.
What happens in the Identification phase?
- Discovery determines which classifier to use based on the class of the CI and the criteria specified in all CI classifier records. The classifier specifies which probes to use for the next two phases.
- Discovery puts the identification trigger probe for the CI classifier into the ECC queue. For example, a Unix machine running HP-UX requires the HP-UX classifier, which specifies the Multi Probe HP-UX Identity identification trigger probe. These probes use identification rules to determine whether to insert or update a CI in the CMDB.
- Note: The trigger probe could also be the Horizontal Pattern probe, which tells Discovery to follow the operations in the specified pattern, rather than sending out additional probes. The operations in the pattern cover both the identification and exploration phases. Discovery knows which identification rules to use based on the CI type, and Discovery makes inserts or updates to the CMDB based on these rules. Probes and sensors are not used.
- The MID Server checks the ECC queue, retrieves the discovery request, and runs the identification trigger probe.
- The identification probe accumulates identification data for each device and sends that data back to the instance via the MID Server.
- Discovery uses sensors for the identifier probe to process the information.
- Discovery performs the analysis on the CMDB using CI identifiers. Discovery can update existing CIs in the CMDB or create new ones.
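The reconciliation step of the identification phase, as an added example rather than ServiceNow's identification engine: an identification rule is a list of identifier entries in priority order, each naming the attributes that must match an existing CI of the same class. The in-memory CMDB, the rule (`LINUX_SERVER_RULE`) and the payloads are constructed for the example, and the fall-through behaviour (an entry that applies but finds nothing moves on to the next entry) is an assumption of this simulation.

```javascript
// Added example (not ServiceNow code): identification-rule reconciliation
// against an in-memory CMDB. Plain Node.js, offline.

// Identifier entries in priority order. An entry applies only when the
// payload carries a non-empty value for every attribute it names.
const LINUX_SERVER_RULE = [
  { attributes: ["serial_number"] },
  { attributes: ["name", "ip_address"] },
];

// Constructed CMDB content. db-01 has no serial number on record.
function seedCmdb() {
  return [
    { sys_id: "a1", class: "Linux Server", name: "web-01", ip_address: "10.0.0.5",
      serial_number: "SN-1001", os_version: "5.4" },
    { sys_id: "a2", class: "Linux Server", name: "db-01", ip_address: "10.0.0.6",
      serial_number: "" },
  ];
}

// Copy discovered values onto a CI without blanking attributes a probe
// happened not to return this time.
function applyPayload(ci, payload) {
  for (const [key, value] of Object.entries(payload)) {
    if (value !== undefined && value !== "") ci[key] = value;
  }
  return ci;
}

// Returns { action: "update" | "insert", matchedBy, ci }.
function identify(cmdbRecords, payload, rule) {
  for (const entry of rule) {
    // An empty serial number must never act as an identifier, or every
    // serial-less host would collapse into one CI.
    const usable = entry.attributes.every(
      attr => payload[attr] !== undefined && payload[attr] !== "");
    if (!usable) continue;

    const match = cmdbRecords.find(ci =>
      ci.class === payload.class &&
      entry.attributes.every(attr => ci[attr] === payload[attr]));
    if (match) {
      return { action: "update", matchedBy: entry.attributes, ci: applyPayload(match, payload) };
    }
    // Assumption: no match on this entry falls through to the next one.
  }
  const ci = applyPayload({ sys_id: "new-" + cmdbRecords.length }, payload);
  cmdbRecords.push(ci);
  return { action: "insert", matchedBy: null, ci };
}

// Demo: a re-addressed host is still matched by serial number, a host with
// no serial falls back to name + IP, and an unknown host is inserted.
const cmdb = seedCmdb();
for (const payload of [
  { class: "Linux Server", name: "web-01", ip_address: "10.0.0.50", serial_number: "SN-1001", os_version: "5.15" },
  { class: "Linux Server", name: "db-01", ip_address: "10.0.0.6", serial_number: "" },
  { class: "Linux Server", name: "app-02", ip_address: "10.0.0.7" },
]) {
  const r = identify(cmdb, payload, LINUX_SERVER_RULE);
  console.log(r.action, r.ci.sys_id, r.matchedBy);
}
```

The two guards (skip an entry whose attributes are blank in the payload; never overwrite a stored value with a blank) are where real-world identification goes wrong: a probe that returns an empty serial on a fleet of VMs will otherwise merge them into a single CI, and a partial probe result will otherwise wipe attributes an earlier run collected.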