I don't believe the accepted answer is correct - looking at the documentation, Discovery uses Nmap for this, which would be part of the Port Scan.

See documentation:

https://docs.servicenow.com/csh?topicname=c_ShazzamResultAPI.html&version=latest

https://docs.servicenow.com/csh?topicname=credential-less-host-discovery.html&version=latest

From the Shazzam Result API documentation, which defines "Active" and "Alive" as pertaining to whether any port is open or responding. There is no mention of ICMP/Ping in these definitions.

From the Credential-less Host Discovery Page:

ServiceNow Discovery uses the Ping method to determine if a host IP address is "alive" or reachable on the network. This is typically the initial check before proceeding to more intensive scanning phases.

• Mechanism: It works by sending an ICMP (Internet Control Message Protocol) Echo Request packet to the target IP address.
• Response: If the target host responds with an ICMP Echo Reply, it is considered alive and available for further scanning.
• Role in Discovery: While the Shazzam probe (the first phase of horizontal discovery) scans ports to see if they are active, a basic "alive" check often relies on Ping to quickly filter out unreachable addresses with low network overhead.

The Shazzam Probe (Port Scanning)

In ServiceNow Discovery, the very first active step of the discovery lifecycle is the Port Scan phase. This is executed by a specific probe called the Shazzam probe.

• How it works: Instead of just checking if the machine is on the network, the MID Server sends out targeted requests to specific TCP and UDP ports (such as Port 22 for SSH, Port 135 for WMI, or Port 161 for SNMP) across your configured IP ranges.

• Determining "Alive": If a target device responds to any of these port requests—either by accepting the connection (meaning the port is open) or actively refusing the connection (meaning the machine is there, but that specific port is closed)—ServiceNow flags that IP address as "active" or "alive."

Why not Ping (ICMP)?

While a standard ping is the universal IT tool to check if a host is reachable, ServiceNow Discovery specifically relies on Port Scanning instead because of network security configurations.

• The Firewall Problem: In modern enterprise networks, servers and endpoints are almost always placed behind strict firewalls that are intentionally configured to drop ICMP echo requests (Pings). This is a standard security practice to prevent unauthorized network mapping.

• False Negatives: If Discovery relied on Ping, it would encounter hundreds of servers that are perfectly healthy and running, but are simply configured to ignore Pings. Discovery would incorrectly assume these IP addresses are "dead" and skip discovering them entirely.

• The Port Scan Solution: Even if a server blocks a Ping, it must leave its operational ports open to function on the network. For example, a Linux server will ignore a Ping but must leave Port 22 open so administrators can log in. Shazzam bypasses the ICMP block by knocking directly on these required operational "doors."

Summary Comparison

• Ping (ICMP): Simply asks the network, "Are you there?" (Highly unreliable because it is frequently blocked by default).

• Port Scan (Shazzam): Specifically asks, "Is your SSH, WMI, or HTTP service listening?" (Highly reliable because these ports must be open for the server to serve its purpose).

Therefore, Port Scanning is the definitive method Discovery uses to determine if a host IP is alive and ready to be classified.

If you found this breakdown helpful, please mark this response as Helpful or Correct!