ServiceNow Discovery

Types of Horizontal Discovery

Network Discovery: Finds network devices in the organization, which can be found by IP ranges.

CI Discovery: This type of discovery finds computers and applications in the organization.

Cloud Discovery: This type of discovery finds resources on AWS or Azure in your organization.

Serverless Discovery: This type of discovery finds applications on different machines without discovering the host.

Phases of Discovery

Scanning: Scans for different devices

Classification: Classifies the devices that are found.

Identification: Determines if a CI for the device already exists in the CMDB or not.

Exploration: Looks for additional information about the same discovered device.

ECC Queue:

Stores Input and Output Messages.

Input messages are processed in the instance to perform actions on the instance only.

Output messages are processed by the MID Server to perform some action, such as actions carried out by third-party applications.

Probes, Sensors and Patterns

Probes collect information, and sensors process that information. A pattern performs the same function as a probe: it identifies and explores a target CI. Discovery uses patterns only during the last two phases of discovery: Identification and Exploration.

To view probes and their descriptions, navigate to Discovery Definition > Probes.

MID Servers query the probes to run on target machines to collect information. The MID Server is subscribed to the AMB (Asynchronous Message Bus). It is always available to send and receive messages in the ServiceNow instance, and it also notifies the MID Server if there is any pending job to process in the ECC queue. If a job exists in the ECC queue for the specific MID Server, the MID Server informs the instance that it will be processing the task in the ECC queue. The MID Server then processes the task as specified by the probe and reports the results back to the ECC queue. The information that was collected is then processed by sensors.

List of Discovery Probes:

CIM probe: The CIM probe uses WBEM protocols to query a particular CIM server, the CIM Object Manager, for a set of data objects and properties.

DNS probe: DNS probes determine the DNS names for configuration items (CI).

Horizontal Pattern probe: Discovery uses the Horizontal Pattern probe to launch patterns for horizontal discovery.

PowerShell probe: The PowerShell Probe executes PowerShell V2 scripts on the MID Server host.

SCPRelay probe: The SCP Relay Probe copies a single file or the contents of a directory from one host to another, using the MID Server as a relay.

SNMP probes: The SNMP probes use the SNMP protocol to query a particular device for a list of OIDs, which are then traversed and the results passed back to the sensors.

SSHCommand probe: A probe using the ECC queue topic name SSHCommand executes a shell command on the target host, and returns the resulting output to the sensor.

vCenter probes and probe parameters: vCenter probes scan virtual machines using VMware’s vSphere product suite. Each probe scans for different kinds of data, such as networks, NICs, and tags. The VMware – vCenter probe that discovered all vCenter objects in previous releases is deprecated in the Istanbul release and replaced by multiple probes.

Windows probes and permissions: Discovery accesses devices and software by executing commands as a specific user on Windows computers.

WMIRunner probe: WMI Runner is a probe type that fetches data from Windows operating systems via the Windows Management Instrumentation (WMI) interface.

Port probes: Port probes are used in Discovery by the Shazzam probe to detect protocol activity on open ports on devices it encounters.

Every probe in Discovery must have a corresponding sensor to process the data returned. For example, if the incoming data is the result of a WMI probe, then the WMI sensor is triggered to process the payload. To view the sensors, navigate to Discovery > Discovery Definition > Sensors.

ECC queue process flow

A message is created in the ECC queue and is checked to see whether it is an INPUT or OUTPUT message. If it is an output message, the state becomes “ready”, meaning the job is ready to be sent to the MID Server. The MID Server receives the job and the state changes to “processing”. When the job is completed by the MID Server, the state changes to “Processed”. This is how an OUTPUT message is processed in ServiceNow.

Then, in the ServiceNow instance, the MID Server creates a new message in the ECC queue as an INPUT message with the results collected by probes, and the state becomes “Ready”. The sensor picks up the message to process, which changes the state to “processing”. Once the message is processed, its state becomes “Processed”. This is how “INPUT” messages in the ECC queue are processed.
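
The output and input flow described above can be traced with a small in-memory model. This is an added example, not ServiceNow code: the field names (queue, agent, topic, state), the MID Server names mid-a and mid-b, and the sample payload are assumptions, and state names are written in lowercase.

```javascript
// Added illustration, not ServiceNow code: an in-memory model of the ECC queue flow.
// Field names and sample values are assumptions; every new message starts in "ready".
const NEXT = { ready: "processing", processing: "processed" };
class EccQueue {
  constructor() { this.rows = []; this.log = []; }
  insert(queue, agent, topic, payload, responseTo = null) {
    const row = { id: this.rows.length + 1, queue, agent, topic, payload, responseTo, state: "ready" };
    this.rows.push(row);
    this.log.push(`${queue}#${row.id}:ready`);
    return row;
  }
  // Move a message one step forward; skipped or repeated steps are rejected.
  advance(row, to) {
    if (NEXT[row.state] !== to) throw new Error(`illegal ${row.state} -> ${to} on #${row.id}`);
    row.state = to;
    this.log.push(`${row.queue}#${row.id}:${to}`);
  }
  // Ready messages in one queue that belong to one MID Server.
  pending(queue, agent) {
    return this.rows.filter(r => r.queue === queue && r.agent === agent && r.state === "ready");
  }
}

// MID Server side: claim own output jobs, run the probe, post the result as input.
function midServerPoll(ecc, agent, runProbe) {
  for (const job of ecc.pending("output", agent)) {
    ecc.advance(job, "processing");
    const result = runProbe(job.topic, job.payload);
    ecc.advance(job, "processed");
    ecc.insert("input", agent, job.topic, result, job.id);
  }
}

// Instance side: the sensor consumes input messages and returns the results.
function sensorProcess(ecc, agent) {
  return ecc.pending("input", agent).map(msg => {
    ecc.advance(msg, "processing");
    ecc.advance(msg, "processed");
    return { topic: msg.topic, data: msg.payload, responseTo: msg.responseTo };
  });
}

// Constructed run: two jobs for different MID Servers, only mid-a polls.
function demo() {
  const ecc = new EccQueue();
  ecc.insert("output", "mid-a", "SSHCommand", "hostname");
  ecc.insert("output", "mid-b", "SSHCommand", "hostname");
  midServerPoll(ecc, "mid-a", (topic, cmd) => `${topic} result for ${cmd}`);
  return { ecc, results: sensorProcess(ecc, "mid-a") };
}
```

The log returned by demo() lists each state change in order, and the job addressed to mid-b stays in "ready" because only the MID Server it was created for picks it up.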

References:

SAASWithServiceNow (2020). #2 MID Server and ECC Queue in ServiceNow: https://youtu.be/W_ZdvzY_fI4