<h2>Discovery basics</h2><br/><div style="overflow-x:auto"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><meta content="text/html; charset=UTF-8" /><meta name="copyright" content="(C) Copyright 2024" /><meta name="DC.rights.owner" content="(C) Copyright 2024" /><meta name="generator" content="DITA-OT" /><meta name="DC.type" content="concept" /><meta name="DC.title" content="Discovery basics" /><meta name="abstract" content="Discovery finds computers, servers, printers, a variety of IP-enabled devices, and the applications that run on them. It can then update the CIs in your CMDB with the data it collects." /><meta name="description" content="Discovery finds computers, servers, printers, a variety of IP-enabled devices, and the applications that run on them. It can then update the CIs in your CMDB with the data it collects." /><meta name="DC.subject" content="Discovery, probe types" /><meta name="keywords" content="Discovery, probe types" /><meta name="DC.relation" scheme="URI" content="../../../product/discovery/reference/r-discovery.html" /><meta name="DC.relation" scheme="URI" content="../../../product/it-operations-management/reference/r_ITOMApplications.html" /><meta name="DC.relation" scheme="URI" content="../../../product/it-operations-management/reference/itom-visibility-landing-page.html" /><meta name="DC.relation" scheme="URI" content="../../../product/discovery/concept/c_DiscoProcessFlows.html" /><meta name="DC.relation" scheme="URI" content="../../../product/discovery/concept/disco-process-flow-patterns.html" /><meta name="DC.relation" scheme="URI" content="discovery-setup.html" /><meta name="DC.relation" scheme="URI" content="c_DiscoveryTroubleshooting.html" /><meta name="DC.creator" content="ServiceNow" /><meta name="DC.date.created" content="2023-02-02" /><meta name="DC.date.modified" content="2023-02-02" /><meta name="mini-toc" content="yes" /><meta name="DC.format" content="XHTML" /><meta name="DC.identifier" content="c_GetStartedWithDiscovery" /><link rel="stylesheet" type="text/css" href="../../../CSS/commonltr.css" /><title>Discovery basics</title></head><body id="c_GetStartedWithDiscovery"> <div class="breadcrumb"><a class="link" href="../../../product/it-operations-management/reference/r_ITOMApplications.html" title="Get better visibility into your infrastructure and services, prevent service outages, and expand your organization's operational agility with ServiceNow IT Operations Management.">IT Operations Management</a> > <a class="link" href="../../../product/it-operations-management/reference/itom-visibility-landing-page.html" title="The ServiceNow ITOM Visibility product consists of ServiceNow Discovery, ServiceNow Service Mapping, Certificate Inventory and Management, Service Graph Connectors, CMDB 360, and Firewall Audits and Reporting. Discovery and Service Mapping give you a unified, connected view of your entire IT network and the services that it supports.">ITOM Visibility</a> > </div> <h1 class="title topictitle1" id="ariaid-title1"><span class="ph">Discovery</span> basics</h1> <div class="body conbody"><p class="shortdesc"><span class="ph"> <span class="ph">Discovery</span> finds computers, servers, printers, a variety of IP-enabled devices, and the applications that run on them. It can then update the CIs in your CMDB with the data it collects.</span></p> <div class="section" id="c_GetStartedWithDiscovery__section_bfk_n1g_ycb"><h2 class="title sectiontitle">Horizontal discovery and top-down discovery</h2> <div class="p">There are two types of discovery: <dl class="dl"><dt class="dt dlterm">Horizontal discovery</dt><dd class="dd"><p class="p">Horizontal discovery is a technique that <span class="ph">Discovery</span> uses to scan your network, find computers and devices, and then populate the CMDB with the CIs it finds. Horizontal discovery creates direct relationships between CIs, such as a <code class="ph codeph">runs on</code> relationship between an application CI and the actual computer CI that it runs on. Horizontal discovery is not aware of business services and does not create relationships between CIs based on the business service they are in.</p> </dd><dt class="dt dlterm">Top-down discovery</dt><dd class="dd"><p class="p">Top-down discovery is a technique that Service Mapping uses to find and maps CIs that are part of business services, such as an email service. For example, top-down discovery can map a website business service by showing the relationships between an Apache Tomcat web server service, a Windows server, and the MSSQL database that stores the data for the business service.</p> <p class="p">Typically, <span class="ph">Service Mapping</span> and <span class="ph">Discovery</span> work together to run horizontal discovery first to find CIs, and then top-down discovery to establish the relationships between business services that you need to know.</p> </dd></dl> </div> </div> <div class="section" id="c_GetStartedWithDiscovery__section_xqk_wlt_jkb"><h2 class="title sectiontitle">Probes, sensors, and patterns</h2> <div class="p"><span class="ph">Discovery</span> uses these components to find CIs:<dl class="dl"><dt class="dt dlterm"><a class="xref" href="c_DiscoProcessFlows.html" title="The horizontal discovery process passes through the four phases of discovery using probes, which gather information on the target machine, and then sensors, which help Discovery determine what to do with that information.">Probes and sensors</a></dt><dd class="dd">Probes and sensors are scripts that collect and process data on a host and then update the CMDB. More specifically, probes explore or investigate CIs on your network, and sensors parse the data returned from the probes. Several probes and sensors are provided by default, but you can customize them to find different information, or you can create ones. You can also configure several parameters to control the behavior of a particular probe every time it is triggered.</dd><dt class="dt dlterm"><a class="xref" href="disco-process-flow-patterns.html" title="Horizontal discovery with patterns has four phases, just as horizontal discovery with probes does. However, for the last two phases, Discovery triggers operations from a pattern, rather than additional sets of probes.">Patterns</a></dt><dd class="dd">Patterns, like probes and sensors, are a series of operations that also collect data on a host, process it, and update the CMDB. Patterns differ from probes and sensors in that they are written in Neebula Discovery Language (NDL) rather than JavaScript, and they are called into action in the later stages of the horizontal discovery process. Default patterns are provided, but you can also customize or create patterns using the Pattern Designer.</dd></dl> </div> </div> <div class="section" id="c_GetStartedWithDiscovery__discovery-phases"><h2 class="title sectiontitle">Horizontal discovery phases</h2> <p class="p">The phases of horizontal discovery are:</p> <div class="p"><span class="ph">Discovery</span> follows these phases:<dl class="dl"><dt class="dt dlterm">Scanning</dt><dd class="dd"><span class="ph">Discovery</span> sends a probe called Shazzam to the network to see if commonly used ports are open and if these ports can respond to queries. For example, if Shazzam finds a device that responds on port 135, <span class="ph">Discovery</span> knows that it is a Windows server.</dd><dt class="dt dlterm">Classification</dt><dd class="dd">If <span class="ph">Discovery</span> finds devices or computers, it sends additional probes to find the type of device or the operating system on the device. For example, <span class="ph">Discovery</span> sends the WMI probe to a Windows machine to detect the Windows 2012 operating system. Then <span class="ph">Discovery</span> uses records called classifiers, which specify the trigger probe or probes that run during the next two phases. If you are using patterns, the classifier specifies a trigger probe that in turn launches a pattern.</dd><dt class="dt dlterm">Identification</dt><dd class="dd"><span class="ph">Discovery</span> tries to gather more information about the device and then tries to determine if a CI for the device exists in the CMDB. <span class="ph">Discovery</span> then uses additional probes, sensors, and identifiers to update existing CIs in the CMDB or create new ones. Identifiers, also known as identification rules, specify the attributes that the probes look at when reconciling data with the CIs in the CMDB. If you are using patterns, <span class="ph">Discovery</span> uses the appropriate identification rule for the CI type specified in the pattern.</dd><dt class="dt dlterm">Exploration</dt><dd class="dd">The identifier launches additional probes configured in the classifier. These probes are especially designed as exploration probes to gather additional information about the device, like the applications running it, and additional attributes, such as memory, network cards, and drivers. <span class="ph">Discovery</span> then creates relationships between applications and devices and between applications. If you are using patterns, the operations in the pattern perform the exploration of the CI.</dd></dl> </div> </div> <div class="section" id="c_GetStartedWithDiscovery__section_lb1_fdl_f2b"><h2 class="title sectiontitle">Discovery communication through MID Servers</h2> <p class="p">A <a class="xref" href="../product/mid-server/concept/mid-server-landing.dita/mid-server-landing.html" target="_blank" rel="noopener noreferrer">MID Server</a>, which constantly queries the instance for probes to run, executes the instructions in the probe or in the pattern that the probe specifies. The MID Server then returns the results to the instance, where sensors process it. The MID Server does not retain any discovery information.</p> <p class="p">The MID Server starts all communications, using SOAP on HTTPS, which means that all communications are secure, and all communications are initiated inside the enterprise's firewall. No special firewall rules or VPNs are required.</p> <p class="p">Because Discovery is agentless, meaning that it does not require any permanent software to be installed on any computer or device to be discovered, the MID Server uses several techniques to probe devices without using agents. For example, the MID Server uses SSH to connect to a Unix or Linux computer, and then it can run a standard command, as specified in the probe, to gather information. Similarly, it uses the Simple Network Management Protocol (SNMP) to gather information from a network switch or a printer.</p> <div class="p"><div class="fig fignone" id="c_GetStartedWithDiscovery__fig_xwz_4wy_ky"> <img class="image" id="c_GetStartedWithDiscovery__image_hnw_swy_ky" src="../image/DiscoveryCommunicationsDiagram.png" alt="Discovery communications" /> </div> </div> </div> <div class="section" id="c_GetStartedWithDiscovery__section_lvj_5gl_f2b"><h2 class="title sectiontitle">Types of discovery</h2> <p class="p">The types of horizontal discovery that the <span class="ph">Discovery</span> application can perform are explained in the following table:</p> <div class="p"> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="c_GetStartedWithDiscovery__table_b2w_1hl_f2b" class="table" frame="border" border="1" rules="all"><colgroup><col style="width:30.959752321981426%" /><col style="width:69.04024767801857%" /></colgroup><thead class="thead" style="text-align:left;"><tr class="row"><th class="entry cellrowborder" style="vertical-align:top;" id="d200235e287">Type</th><th class="entry cellrowborder" style="vertical-align:top;" id="d200235e290">Description</th></tr></thead><tbody class="tbody"><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d200235e287 "><p class="p">Network discovery</p> </td><td class="entry cellrowborder" style="vertical-align:top;" headers="d200235e290 ">Run this type of discovery to find the internal IP networks within your organization. If you already know the IP address ranges in your network, it is not necessary to run network discovery.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d200235e287 "><p class="p">CI discovery</p> </td><td class="entry cellrowborder" style="vertical-align:top;" headers="d200235e290 ">Run this type of discovery to find the devices, computers, and applications on your network. This is essentially the standard type of discovery that you run most often.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d200235e287 "><p class="p">Cloud discovery</p> </td><td class="entry cellrowborder" style="vertical-align:top;" headers="d200235e290 ">Run this type of discovery to find AWS and Azure resources in your organization's cloud.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d200235e287 "><p class="p">Serverless discovery</p> </td><td class="entry cellrowborder" style="vertical-align:top;" headers="d200235e290 ">Run this type of discovery to find applications on host machines without the need to discover the host first. Serverless discovery relies on patterns to explore CIs on a host.</td></tr></tbody></table> </div> </div> </div> <div class="section" id="c_GetStartedWithDiscovery__section_rwp_y3v_5bb"><h2 class="title sectiontitle">IP service affinity</h2> <p class="p">IP Service affinity saves the IP service information that is used to successfully find a device and associates it with the IP address of the device. Using this information, <span class="ph">Discovery</span> can target the device in subsequent runs with the accurate protocol. <span class="ph">Discovery</span> records the IP Service along with the IP address. <span class="ph">Discovery</span> can store the successful IP service information in the IP Service Affinity table [ip_service_affinity].</p> <p class="p">For example: A network device has both an SSH port and an SNMP port open. By its agentless design, <span class="ph">Discovery</span> tries SSH first. However, network devices should be discovered through SNMP. <span class="ph">Discovery</span> tries the SSH probe and it fails. This triggers the SNMP probe, which succeeds. With the association between the IP address and the IP service, subsequent discovery runs that target this IP address use SNMP first, because that is the probe that succeeded.</p> </div> </div> <div class="related-links"> <ul class="ullinks"><li class="link ulchildlink"><strong><a href="../../../product/discovery/concept/c_DiscoProcessFlows.html">Horizontal discovery process flow with probes and sensors</a></strong><br /> The horizontal discovery process passes through the four phases of discovery using probes, which gather information on the target machine, and then sensors, which help Discovery determine what to do with that information.</li><li class="link ulchildlink"><strong><a href="../../../product/discovery/concept/disco-process-flow-patterns.html">Horizontal discovery process flow with patterns</a></strong><br /> Horizontal discovery with patterns has four phases, just as horizontal discovery with probes does. However, for the last two phases, Discovery triggers operations from a pattern, rather than additional sets of probes.</li></ul> <div class="familylinks"> <div class="parentlink"><strong>Parent Topic:</strong> <a class="link" href="../../../product/discovery/reference/r-discovery.html" title="ServiceNow Cloud Discovery finds applications and devices on your network, and then updates the CMDB 360 with the information it finds.">Discovery</a></div> </div> <div class="linklist relinfo relconcepts"><strong>Related concepts</strong><br /> <ul class="linklist"><li class="linklist"><a class="link" href="discovery-setup.html" title="After you activate the Discovery application, you have several ways to get started.">Discovery setup</a></li><li class="linklist"><a class="link" href="c_DiscoveryTroubleshooting.html" title="Learn how to monitor the progress of your discoveries and how to configure the system to aggregate performance metrics that are important to you. Find descriptions of the error messages you see, as well as possible steps you can take to solve problems. The Knowledge Base on Hi contains several articles to help you troubleshoot discovery issues.">Discovery monitoring and issue resolution</a></li></ul></div> </div> </body></html></div>