Discovery Flashcards

1
Q

What are the two types of discovery?

A
  • Horizontal discovery
    • Horizontal discovery is a technique that Discovery uses to scan your network, find computers and devices, and then populate the CMDB with the CIs it finds. Horizontal discovery does create direct relationships between CIs, such as a runs on relationship between an application CI and the actual computer CI that it runs on. Horizontal discovery is not aware of business services and does not create relationships between CIs based on the business service they are in.
  • Top-down discovery
    • Top-down discovery is a technique that Service Mapping uses to find and map CIs that are part of business services, such as an email service. For example, top-down discovery can map a website business service by showing the relationships between an Apache Tomcat web server service, a Windows server, and the MSSQL database that stores the data for the business service.

Typically, Service Mapping and Discovery work together to run horizontal discovery first to find CIs, and then top-down discovery to establish the relationships between business services that you need to know.

2
Q

What are probes and sensors?

A
  • These are scripts that collect and process data on a host and then update the CMDB.
  • Probes explore or investigate CIs on your network
  • Sensors parse the data returned from the probes
  • There are several of each provided by default but they can be customized or created.
  • Written in JavaScript
3
Q

What are patterns?

A

These are a series of operations that also collect data on a host, process it, and update the CMDB.

Patterns differ from probes and sensors in that they are written in Neebula Discovery Language (NDL) rather than JavaScript, and they are called into action in the later stages of the horizontal discovery process.

Default patterns are provided, but you can also customize or create patterns using the Pattern Designer.

4
Q

What are the phases of horizontal discovery?

A
  • Scanning
    • Discovery sends a probe called Shazzam to the network to see if commonly used ports are open and if these ports can respond to queries. For example, if Shazzam finds a device that responds on port 135, Discovery knows that it is a Windows server.
  • Classification
    • If Discovery finds devices or computers, it sends additional probes to find the type of device or the operating system on the device. For example, Discovery sends the WMI probe to a Windows machine to detect the Windows 2012 operating system. Then Discovery uses records called classifiers, which specify the trigger probe or probes that run during the next two phases. If you are using patterns, the classifier specifies a trigger probe that in turn launches a pattern.
  • Identification
    • Discovery tries to gather more information about the device and then tries to determine if a CI for the device exists in the CMDB. Discovery then uses additional probes, sensors, and identifiers to update existing CIs in the CMDB or create new ones. Identifiers, also known as identification rules, specify the attributes that the probes look at when reconciling data with the CIs in the CMDB. If you are using patterns, Discovery uses the appropriate identification rule for the CI type specified in the pattern.
  • Exploration
    • The identifier launches additional probes configured in the classifier. These probes are especially designed as exploration probes to gather additional information about the device, like the applications running on it, and additional attributes, such as memory, network cards, and drivers. Discovery then creates relationships between applications and devices and between applications. If you are using patterns, the operations in the pattern perform the exploration of the CI.
5
Q

What happens in the following phase of discovery:

Scanning

A

Discovery sends a probe called Shazzam to the network to see if commonly used ports are open and if these ports can respond to queries. For example, if Shazzam finds a device that responds on port 135, Discovery knows that it is a Windows server.

6
Q

What happens in the following phase of discovery:

Classification

A

If Discovery finds devices or computers, it sends additional probes to find the type of device or the operating system on the device. For example, Discovery sends the WMI probe to a Windows machine to detect the Windows 2012 operating system. Then Discovery uses records called classifiers, which specify the trigger probe or probes that run during the next two phases. If you are using patterns, the classifier specifies a trigger probe that in turn launches a pattern.

7
Q

What happens in the following phase of discovery:

Identification

A

Discovery tries to gather more information about the device and then tries to determine if a CI for the device exists in the CMDB. Discovery then uses additional probes, sensors, and identifiers to update existing CIs in the CMDB or create new ones. Identifiers, also known as identification rules, specify the attributes that the probes look at when reconciling data with the CIs in the CMDB. If you are using patterns, Discovery uses the appropriate identification rule for the CI type specified in the pattern.

8
Q

What happens in the following phase of discovery:

Exploration

A

The identifier launches additional probes configured in the classifier. These probes are especially designed as exploration probes to gather additional information about the device, like the applications running on it, and additional attributes, such as memory, network cards, and drivers. Discovery then creates relationships between applications and devices and between applications. If you are using patterns, the operations in the pattern perform the exploration of the CI.

9
Q

What is a MID Server's role in Discovery?

A
  • Constantly queries the instance for probes to run and executes the instructions in the probe or in the pattern that the probe specifies.
  • The MID Server then returns the results to the instance, where sensors process them.
  • The MID Server uses several techniques to probe devices without using agents.
  • The MID Server uses SSH to connect to a Unix or Linux computer, and then it can run a standard command, as specified in the probe, to gather information.
  • Similarly, it uses the Simple Network Management Protocol (SNMP) to gather information from a network switch or a printer.
10
Q

What are the types of horizontal discovery?

A
  • Network discovery
    • Run this type of discovery to find the internal IP networks within your organization. If you already know the IP address ranges in your network, it is not necessary to run network discovery.
  • CI discovery
    • Run this type of discovery to find the devices, computers, and applications on your network. This is essentially the standard type of discovery that you run most often.
  • Cloud discovery
    • Run this type of discovery to find AWS and Azure resources in your organization’s cloud.
  • Serverless discovery
    • Run this type of discovery to find applications on host machines without the need to discover the host first. Serverless discovery relies on patterns to explore CIs on a host.
11
Q

What is IP service affinity?

A

IP Service affinity saves the IP service information that is used to successfully find a device and associates it with the IP address of the device. Using this information, Discovery can target the device in subsequent runs with the accurate protocol. Discovery records the IP Service along with the IP address. Discovery can store the successful IP service information in the IP Service Affinity table [ip_service_affinity].

For example: A network device has both an SSH port and an SNMP port open. By its agentless design, Discovery tries SSH first. However, network devices should be discovered through SNMP. Discovery tries the SSH probe and it fails. This triggers the SNMP probe, which succeeds. With the association between the IP address and the IP service, subsequent discovery runs that target this IP address use SNMP first, because that is the probe that succeeded.

12
Q

What are the steps of the horizontal discovery process flow with probes and sensors?

A
  • Kicking off Discovery
  • Scanning phase
  • Classification phase
  • Identification phase
  • Exploration phase
13
Q

What happens in the Scanning phase?

A
  1. Discovery first takes the Shazzam probe (and then port probes) and places it in a request in the External Communication Channel (ECC) queue.
  2. The MID Server checks the ECC queue, retrieves the discovery request, and runs the probes against the host and discovers open ports.
  3. The port probes scan common ports using several protocols, such as WMI, HTTP, SSH, and SNMP.
  4. If one or more ports respond, the Shazzam probe sends information about the port back to the ECC queue through the MID Server.
  5. Discovery checks the ECC queue to find out which ports responded, which identifies the type of machine. For example, if Shazzam detects that the machine is listening on port 22, Discovery treats the machine as a UNIX or Linux machine.
14
Q

What happens in the Classification phase?

A
  1. The Discovery application determines which classification probe to send to the newly discovered device by using information in the record of the port probe that successfully responded.
  2. Discovery puts the classification probe into the ECC queue.
  3. The MID Server checks the ECC queue, retrieves the discovery request, and runs the classification probe.
  4. The classification probe retrieves additional information, such as which version of the operating system is running on a machine. This information determines the class of the CI that Discovery found. There is only one classification probe per discovered device.
  5. The classification probe sends information back to the instance ECC queue through the MID Server.
15
Q

What happens in the Identification phase?

A
  1. Discovery determines which classifier to use based on the class of the CI and the criteria specified in all CI classifier records. The classifier specifies which probes to use for the next two phases.
  2. Discovery puts the identification trigger probe for the CI classifier into the ECC queue. For example, a Unix machine running HP-UX would require the HP-UX classifier, which specifies the Multi Probe-HP-UX Identity identification trigger probe. These probes use identification rules to determine whether or not to insert or update a CI in the CMDB.
    • Note: The trigger probe could also be the Horizontal Pattern probe, which tells Discovery to follow the operations in the specified pattern, rather than sending out additional probes. The operations in the pattern cover both the identification and exploration phases. Discovery knows which identification rules to use based on the CI type, and Discovery makes inserts or updates to the CMDB based on these rules. Probes and sensors are not used.
  3. The MID Server checks the ECC queue, retrieves the discovery request, and runs the identification trigger probe.
  4. The identification probe accumulates identification data for each device and sends that data back to the instance via the MID Server.
  5. Discovery uses sensors for the identifier probe to process the information.
  6. Discovery performs the analysis on the CMDB using CI identifiers. Discovery can update existing CIs in the CMDB or create new ones.
16
Q

What happens in the Exploration phase?

A
  1. Discovery looks at the Triggers Probes related list in the classifier to find exploration probes to run.
  2. Discovery puts the exploration trigger probe into the ECC queue.
  3. The MID Server checks the ECC queue, retrieves the discovery request, and runs the exploration trigger probes.
  4. The probes send data back to the instance via the MID Server and sensors make updates to the CMDB, just as in the identification phase.
17
Q

What are the base classifications for the following:

Windows

A
  • Windows Server 2008*
  • Windows Server 2008 R2*
  • Windows Server 2012*
  • Windows Server 2012 R2*
  • Windows Server 2016*
  • Hyper-V Server*
  • Windows Cluster Virtual IPs
18
Q

What are the base classifications for the following:

UNIX

A
  • AIX*
  • ESX
  • HP-UX*
  • Mac OS X
  • Solaris*
  • Linux*, including:
    • Red Hat
    • Fedora
    • Debian
    • SUSE
    • CentOS
    • Ubuntu
19
Q

What are the base classifications for the following:

Other OS classifications

A

z/OS*

20
Q

What are the base classifications for the following:

Network device classifications

A
  • Load balancers (A10*, ACE*, Alteon*, F5 BIG-IP*, F5 BIG-IP via REST*, NetScaler*, Radware - AppDirector*, Cisco GSS, Cisco CSS, HAProxy, Apache mod_jk and mod_proxy)
  • DataPower servers*
  • Dell Remote Access Controller
  • Firewalls
  • Netware servers
  • Network printers
  • Network router*
  • Network switch*
  • Power distribution units
  • IP phones
  • Wireless access points
  • Uninterruptible Power Supplies (UPS)
21
Q

What are the base classifications for the following Application:

Web servers

A
  • Apache Tomcat, Apache mod_jk module, and Apache mod_proxy module*
  • Microsoft IIS*
  • Oracle (Sun) iPlanet*
  • JBoss*
22
Q

What are the base classifications for the following Application:

Email and messaging services

A
  • IMAP
  • Exchange Client Access Server*, Exchange Hub*, Exchange MailBox*
  • Tibco Enterprise Message Service*
23
Q

What are the base classifications for the following Application:

Cloud-based technology

A

Amazon Web Services*

Microsoft Azure*

24
Q

What are the base classifications for the following Application:

Clusters

A
  • Oracle clusters*
  • Unix clusters*
  • Red Hat clusters*
25
Q

What are the base classifications for the following Application:

Databases

A
  • MySQL*
  • DB2
  • Microsoft SQL
  • MongoDB
  • HBase
  • Oracle
  • PostgreSQL*
  • SAP HANA*
  • Sybase*
26
Q

What are the base classifications for the following Application:

Storage servers

A
  • SMI- Storage Server
  • SMI- Storage Switch
  • SMI- WBEM
  • NetApp Storage Server (7-mode and cluster mode)*
27
Q

What are the base classifications for the following Application:

Virtualization

A
  • Docker*
  • Kernel-based Virtual Machine
  • Solaris Zones
  • vCenter
28
Q

What are the base classifications for the following Application:

Others

A
  • Cisco Unified Computing System (UCS)*
  • Citrix License Server and Delivery Controller*
  • HP Service Manager application server*
  • HP Operations Manager*
  • Oracle JavaSpaces
  • GlassFish
  • Jrun*
  • LDAP service
  • MongoDB Shard (MongoS)*
  • NGINX
  • Puppet
  • SAP ASCS*, SAP Business Objects CMS Server*, SAP CI*, SAP DI*, SAP ERS*, SAP SCS*
  • Microsoft Sharepoint*
  • Microsoft SQL Server Analysis Services*
  • Oracle Tuxedo*
  • Oracle WebLogic*
  • IBM WebSphere*, WebSphere Message Broker*, IBM WebSphere MQ*
  • Tibco ActiveMatrix BusinessWorks*
29
Q

What do the asterisks relate to in the classifications listed?

A

Discovery uses patterns to find CIs noted with an asterisk *.

30
Q

What does the following scan type do:

Configuration items

A

Configuration item scans use discovery identifiers to match devices with CIs in the CMDB and update the CMDB appropriately. You can perform a simple discovery by selecting a specific MID Server to scan for all protocols (SSH, WMI, and SNMP), or perform more advanced discoveries with discovery behaviors. When you select a behavior, the MID Server field is not available.

31
Q

What does the following scan type do:

IP addresses

A

The IP addresses scan type scans devices without the use of credentials. These scans discover all the active IP addresses in the specified range and create device history records, but do not update the CMDB. IP address scans also show multiple IP addresses that are running on a single device. Devices are identified by class and in some cases by type, such as Windows computers and Cisco network gear. The Max range size Shazzam probe property determines the maximum number of IP addresses Shazzam scans. See Configure the Shazzam probe for details.

32
Q

What does the following scan type do:

Networks

A

Network scans discover IP networks (routers and switches). Results from this search are used to populate the IP Network [cmdb_ci_ip_network] table in Discovery > IP Networks with a list of IP addresses and network masks. Network scans update routers and layer 3 switches in the CMDB.

33
Q

What does the following scan type do:

Web Service

A

Starting in Fuji, this scan discovers resources on Amazon Web Services. Results from this search are used to populate the AWS Resource table [cmdb_ci_aws_resource]. For EC2 instances, the information may appear as a reference in the AWS Resource table.

34
Q

What is the purpose of selecting a behavior for scans?

A
  • Select a behavior configured for the MID Servers in your network. When you select a behavior, the MID Server field is no longer visible. Use a behavior when a single schedule requires the use of multiple MID Servers to perform any of the following:
    • Scans requiring multiple Windows credentials.
    • A schedule that must execute two or more particular protocols (SNMP, SSH, or WMI) using more than one MID Server.
    • Load balancing for large discoveries where a single MID Server would be inadequate.
    • Scanning multiple domains.
  • This field is available only if Discover is set to Configuration items.