VaranAwesomenow
07-16-2022
10:05 AM
Keypoints
*********
The rollback window is 10 days by default. You can customize this window by modifying the glide.rollback.expiration_days property.
ServiceNow can restore an instance to any point in time, regardless of when a backup is completed. Customer Service and Support provides support 24 hours a day, 7 days a week for assistance with critical post-upgrade issues.
ITOM Visibility
San Diego
The ServiceNow® ITOM Visibility product consists of ServiceNow® Discovery, ServiceNow® Service Mapping, Certificate Inventory and Management, Service Graph Connectors, Multisource CMDB, and Firewall Audits and Reporting. Discovery and Service Mapping give you a unified, connected view of your entire IT network and the services that it supports.
Who uses ITOM Visibility?
ITOM Visibility enables the IT departments of enterprises and cloud companies providing platform as a service to discover their IT resources.
ServiceNow® Configuration Management Database (CMDB) is not just an operational tool, it is a strategic necessity in today’s IT landscape. Maintaining an accurate and complete CMDB provides the foundation for maintaining critical services and drives multiple outcomes important to IT departments.
ITOM Visibility discovers many things which are stored in the CMDB.
Data collected by ITOM Visibility provides a foundation for operation of the following business units and products of Now Platform:
ITOM Health
Use ITOM Health to track and maintain the health of services in your organization. ITOM Health gathers alerts from infrastructure events captured by third-party monitoring tools. It then uses IT-related information gathered by Discovery to map alerts to configuration items. Based on the collected information, ITOM Health provides dashboards showing a consolidated view of all service-impact events. You can also use ITOM Health to proactively analyze your IT infrastructure to spot issues and prevent service outages. Using advanced machine learning to analyze information about your IT infrastructure, the application automatically determines dynamic thresholds and identifies anomalies that may indicate potential service outages.
ITOM Optimization
ITOM Optimization gives you tools to provision private and public cloud infrastructure and services and to achieve consistent management and cost visibility. The Cloud Insights application, available in the ServiceNow Store, helps you to analyze the full range of costs associated with cloud assets so you can identify and take action on opportunities to save money and optimize operations.
Software Asset Management
Understand the software running in your IT environment. Software Asset Management works together with the CMDB powered up by ITOM Visibility. Use Software Asset Management to track configurations that impact software license consumption across your IT environments and datacenter.
Customer Service Management
Efficiently diagnose and resolve issues related to the IT infrastructure by using near real-time data supplied by ITOM Visibility.
IT Service Management
Rely on the IT infrastructure discovered by ITOM Visibility to manage and deliver services to your users. See changes and incidents created and managed by IT Service Management applications in ITOM Visibility service maps.
Strategic Portfolio Management
Use data collected by ITOM Visibility to gain a comprehensive understanding of the applications used in your organization.
Security Operations
View security incidents in the context of ITOM Visibility to find out which application services are at risk. Use this information to prioritize and resolve threats based on the impact they pose to your organization.
How do you use ITOM Visibility?
The Discovery feature offers a replicable and reliable method of identifying the enterprise IT infrastructure. Discovery can find computers, servers, software, printers, routers, and switches. It can also find IP-enabled devices and applications that run on them, resources from various cloud providers, and TLS certificates. This method is referred to as horizontal discovery. Connections between the devices and applications are not included in horizontal discovery.
The Service Mapping feature maps dependencies, based on a connection between devices and applications. This method is referred to as top-down mapping. The top-down mapping helps you immediately see the impact of a problematic object on the rest of the application service operation. Application service maps show infrastructure objects and connections between them. Service Mapping regenerates application service maps regularly, to keep them updated and relevant. Any faulty objects are shown along with the devices and applications they affect, providing a visual clue of the state of the application service.
Comparison of horizontal discovery and top-down mapping results
Diagram showing results of horizontal discovery and top-down mapping results
How does ITOM Visibility work?
Discovery can use scripts to collect and process data on a host and then update the CMDB. Scripts that explore or investigate CIs on your network are called probes. Sensors are the scripts that parse the data returned from the probes. In addition, Discovery uses discovery patterns. A pattern is a sequence of operations whose purpose is to detect attributes of devices and applications and, when used by Service Mapping, their outbound connections.
Service Mapping can deploy different methods for creating application services. Discovery patterns are the main method used by Service Mapping. However, you can also map application services using tags, and traffic connections between devices and applications. For more information, see Choose the right method for mapping application services.
What to know before you begin
ITOM Visibility is available with activation of the Discovery (com.snc.discovery) plugin and the Service Mapping (com.snc.service-mapping) plugin, which require the ITOM Visibility subscription. For details, see Request Discovery and Request Service Mapping. For full ITOM Visibility functionality, install the latest ITOM Visibility out-of-band applications from the ServiceNow Store. Visit the ServiceNow Store release notes to view all the ITOM Visibility applications and features available on the store. For cumulative release note information for all released apps, see the ServiceNow Store version history release notes.
Define users and configure credentials to enable ITOM Visibility access to applications and devices inside your organization network. For details, see Prerequisites for performing top-down discovery using Service Mapping.
San Diego
The ServiceNow® ITOM Visibility application provides a unified, connected view of your entire IT network and the services that it supports. ITOM Visibility was enhanced and updated in the San Diego release.
ITOM Visibility highlights for the San Diego release
Benefit from the augmented connection suggestions that show connections for load balancer members.
Broaden the range of applications and devices that ITOM Visibility can discover using the latest discovery patterns.
Important: Some modules and features of ITOM Visibility are available in the ServiceNow Store. For details, see the "Activation information" section of these release notes.
New in the San Diego release
Discovering devices and applications using the new patterns
Use ITOM Visibility patterns that were previously available only on the ServiceNow Store. ITOM Visibility now includes the following new patterns in ServiceNow® Discovery and Service Mapping Patterns, version 1.0.85 and later:
Citrix Xen Hyper-V: Discovers the Citrix Xen Hyper-V components and their respective attributes. Discover information regarding the Hyper-V Server, Associated Pools, VMs, Network and Storage and their relationships with new and existing CIs.
Cloudian Storage: Finds the Cloudian servers and related disks.
Infinibox: Finds and maps InfiniBox instances.
gMSA configuration for Discovery
Group managed service accounts (gMSAs) are managed domain accounts that you use to help secure services. gMSAs can now be used for credential-less Discovery.
Quick start tests for Service Mapping
After upgrades and deployments of new applications or integrations, run quick start tests to verify that Service Mapping still works. If you customized Service Mapping, copy the quick start tests and configure them for your customizations.
Changed in this release
Agent Client Collector for Visibility
Updated Agent Client Collector for Visibility (ACC-V), which now includes the following features:
Support for Oracle Linux, Amazon Linux 2, and macOS (x86_64 architecture only).
Support for exclusion list for IPs and Network Interface Controllers (NICs).
Changing the Discovery Source for ACC-V to "ACC-Visibility."
Support for SAM total usage metrics.
Enhancement for the patterns
ITOM Visibility now includes the following new patterns in ServiceNow® Discovery and Service Mapping Patterns, version 1.0.85 and later:
Kubernetes: Offers improved pattern execution. It collects information for products and components such as Ingress, ReplicaSets, and ReplicationController. It also adds relations between existing elements to newly added components.
Docker virtualization: Collects additional information for container repositories.
Amazon AWS Relational Database Service: Collects additional information and relations.
Microsoft Azure Cloud component: Collects the tag information for websites and databases.
Microsoft SQL cluster: Discovers Microsoft SQL cluster and nodes and their relation to the SQL instance.
Microsoft SQL server: Collects the Microsoft SQL components and services information and creates the CI relation to Microsoft SQL Instance.
NetApp SolidFire storage system: Discovers the information about the chassis that contains the storage server.
Oracle Listener HD: Discovers Oracle components such as the listener process, managed Oracle instances, databases, application clusters, and nodes.
Augmented connection suggestions
Use the information about load balancers when deciding whether to add or remove connections based on connection suggestions. Connection suggestions indicate whether a target host resides behind a load balancer.
SNMPv3 authentication protocols
SNMPv3 authentication protocols have been updated to include an additional four protocols: SHA-224, SHA-256, SHA-384, and SHA-512. The SHA protocol was renamed SHA-1.
Activation information
ITOM Visibility is available with activation of the Discovery (com.snc.discovery) plugin and the Service Mapping (com.snc.service-mapping) plugin, which require the ITOM Visibility subscription. For details, see Request Discovery and Request Service Mapping. For full ITOM Visibility functionality, install the latest ITOM Visibility out-of-band applications from the ServiceNow Store. Visit the ServiceNow Store release notes to view all the ITOM Visibility applications and features available on the store. For cumulative release note information for all released apps, see the ServiceNow Store version history release notes.
Related ServiceNow applications and features
ITOM Health
The ServiceNow® ITOM Health product includes the ServiceNow® Event Management and ServiceNow® Health Log Analytics applications, which help you track and maintain the health of services in your organization. ITOM Health was enhanced and updated in the San Diego release. You can purchase ITOM Health, or a more comprehensive package, ITOM Predictive AIOps, which includes ITOM Health and Health Log Analytics.
Event Management gathers alerts from infrastructure events that both third-party monitoring tools and the ServiceNow® internal agent capture. Event Management uses IT-related information that ServiceNow® Discovery gathers so it can map alerts to configuration items. Based on the collected information, Event Management then provides dashboards that show a consolidated view of all service-impact events.
The Agent Client Collector application enables you to do the following:
Monitor your service availability.
Examine the health and performance of your environment.
Ensure that your infrastructure and its applications are running properly.
Agent Client Collector collects events and metrics. It runs in either a Windows or Linux environment.
ITOM Optimization
provides automation for the cloud workflows used to manage the cloud resources throughout their life cycle. It enables certified and enterprise-compliant cloud deployment, cost visibility, and other cloud management processes.
ITOM Governance
Agent Client Collector for Visibility
San Diego
Agent Client Collector for Visibility (ACC-V) is a ServiceNow Agent installed on your Windows, Linux, or macOS servers to collect host data. ACC-V deploys Ruby scripts that execute OS Query commands and OS-specific commands to gather the information. You can discover data from various file systems and storage devices, TCP connections, running processes, and other information about target hosts.
Note: Currently, ACC-V does not support multi-languages. If values returned are not in English, the returned data cannot be parsed properly and the discovery will fail.
The following modules are supported:
Basic Inventory
Serial Numbers
Storage Devices
File Systems
Network Adapters
TCP Connections
Running Processes
Installed Software
Local User
Intel vPro® platform
Note: PowerShell is not used in any of the ACC-V modules on Microsoft Windows operating systems.
You can register and manage your target systems in the ServiceNow Configuration Management Database (CMDB) using the ACC-V pushed-based model. There is no need to provide credentials, configure schedules, or scan IP ranges.
ACC-V is an additional mechanism to perform discovery. It is an alternative to horizontal IP-based Discovery for OS-related attributes including system information, network interfaces, running processes, and so on. ACC-V is suitable for on-prem servers and cloud instances. ACC-V requires installation of ServiceNow Agent Client Collector (ACC) on the target host. ACC is a derivative of Sensu-Go, which is open-source software.
ACC-V version 1.0.3 collects the system attributes and related lists normally collected by the OS pattern. Further capabilities are planned for future releases. ACC-V currently supports the following operating systems on x86_64 architecture:
Linux
Red Hat Enterprise Linux (RHEL) and Oracle Linux (OL) 7, 8
CentOS 7
SLES 12, 15
Ubuntu 18, 20
Amazon Linux 2 (starting in ACC-V version 1.3.0)
Microsoft Windows
Windows Server 2012, 2012r2, 2016, 2019
Windows 10 Enterprise Edition
Windows 11 Enterprise and Professional Editions
macOS (starting in ACC-V version 1.3.0)
10.15 - Catalina
11 - Big Sur
Starting in Quebec patch 3, the discovery_source, ACC-Visibility, was introduced to specifically denote that the CI was discovered by ACC-V.
Request apps on the Store
Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.
Benefits
The Agent initiates the communication and stays connected to the ServiceNow instance via the MID Server.
The Agent(s) installed with ACC are self-aware, package the discovery data, and send this data back to the ServiceNow instance via the MID Server on a pre-determined schedule, as set by the ACC-V policy.
If an interesting event occurs on the target host (such as coming back online after a prolonged shutdown), Discovery is triggered. The application is already tracking specific targets that have installed ACC and communicate with the MID Server.
IPv6 agents can be discovered by ACC-V.
Requirements
Discovery plugin (com.snc.discovery) must be installed and activated.
Agent Client Collector Framework (ACC-F) must be installed on the ServiceNow instance.
Agent must be installed on the target host.
Make sure you have upgraded to Quebec patch 3 or later.
An ITOM-Discovery or ITOM-Visibility SKU (SU-based licensing) is required.
You can then download and install the Agent Client Collector for Visibility (ACC-V) application from the ServiceNow Store or from the instance [sn_acc_visibility]. Follow the instructions on the instance by navigating to Agent Client Collector > Installation Instructions. You can also see Agent Client Collector Installation for details.
Note: The ServiceNow Store regularly releases new applications and updates to applications that are created by the ServiceNow Store. If you already have the application, you can download the latest version to enhance your existing experience. Since different features are available or enhanced each time an application is released in the Store, the content and features available are indicated by version number in this document.
How ACC-V works
At a high level, ACC-V works in coordination with the following components:
ServiceNow Instance
ServiceNow MID Server
Target host machines
ServiceNow Agent Client Collector which runs on said Target host machines
ACC-V architecture
This block diagram shows the components that work together
ACC-V applies Checks and Policies to schedule and collect host data which is triggered during the following cases:
Periodic scheduling: A policy-based approach where Discovery is triggered on a periodic basis
On CI delete: When the computer or server CI record is deleted
MID Server cycle: When the MID Server goes down and comes back up
Target host cycle: When the target host goes down and comes back up
Network break: When there is a break in the network link to the target
Note: Discovery is triggered for those agents whose hosts are already present. For the agents whose hosts are not present, it will be discovered through ACC-F.
The ACC-V assets are stored as Agent plugins with the main entry point [acc_visibility_main] and other modules for OS families. There is one main system Discovery Check definition, called Enhanced Discovery, which is used by the Enhanced Discovery Policy. This ACC-V policy runs off a schedule, which is defaulted to 24 hours (86,400 seconds). This policy configuration is synced to all agents as defined in the ACC-V policy.
When the payload is returned from the MID Server to the instance, the ACC-V Check Type, EnhancedDiscovery, delegates to the EnhancedDiscoveryHandler script include provided by ACC-V. The script contains logic to process the data from the check and handles tasks like:
Data transformation into an identification and reconciliation engine (IRE) compatible payload
Non-CI data reconciliation (cmdb_running_processes, cmdb_tcp_connections, and so on)
The ACC-V Check Definition, Enhanced Discovery, is initiated by the ServiceNow Instance. Then an ECC Queue record with topic, MonitoringProbe, is created on the output queue with relevant Check information. The MID Server then processes the check, by sending a message to ACC via WebSocket over TLS.
During this time, the MID Server also serves any relevant Assets or Plugins that the ACC requests, making sure it is relevant to the particular Operating System, platform, OS version, and architecture on which the ACC is running.
You can edit and modify all parts of the ACC-V application including check type, policy, and check definition. See Checks and policies for more information.
Virtual machines and cloud instances
ACC-V associates a target, discovered via Discovery, with pre-existing virtual machine (VM) Instance CIs. ACC-V associates the discovered CI record with any pre-existing VM Instance record or Cloud Server Instance record using the appropriate CMDB relationships.
The following variants of virtualization and cloud server vendors are supported for ACC-V:
vCenter
Amazon AWS Cloud
Google (GCP)
Microsoft Azure
Exclusion lists for IPs and NICs
ACC-V version 1.3.0 now supports exclusion lists for IPs and Network Interface Controllers (NICs), a flexible mechanism for filtering out IP and/or NIC values when creating or updating the host CI and related items. The property [sn_acc_visibility.network_adapter_exclusion_list] contains the list of regular expressions for the names and IP addresses that are excluded from the Network Adapter and IP Address tables. The value of this property is a set of comma-separated regular expressions. Make sure that no regex contains a comma, and put nic and ip_addr on separate lines.
The value should follow this sample format:
nic = nameRegex1, nameRegex2, nameRegex3
ip_addr = IPRegex1, IPRegex2
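The format rules above can be checked before a value is saved, along with a preview of what it would hide from the CMDB. This is an added example, not ServiceNow code: it parses the nic/ip_addr value, flags the comma and same-line mistakes the text warns about, and reports which adapters of an inventory would be excluded. It assumes unanchored matching and Python's regex dialect; the function names, sample value and inventory are constructed for illustration.

```python
import re

KEYS = ("nic", "ip_addr")  # the two keys shown in the sample format

# Constructed property value and host inventory, for illustration only.
SAMPLE_VALUE = r"""nic = ^lo$, ^docker\d+$, ^veth
ip_addr = ^127\., ^169\.254\."""
SAMPLE_ADAPTERS = [
    {"name": "lo", "ip": "127.0.0.1"},
    {"name": "eth0", "ip": "10.20.30.40"},
    {"name": "eth1", "ip": "169.254.10.2"},
    {"name": "docker0", "ip": "172.17.0.1"},
    {"name": "veth3a1f", "ip": "172.17.0.2"},
]


def parse_exclusion_list(value):
    """Return (rules, problems); rules maps each key to compiled regexes."""
    rules = {key: [] for key in KEYS}
    problems = []
    for lineno, raw in enumerate(value.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        key, sep, rest = line.partition("=")
        key = key.strip()
        if not sep or key not in KEYS:
            problems.append(f"line {lineno}: expected 'nic = ...' or 'ip_addr = ...'")
            continue
        # Both keys on one line would fold the IP patterns into the NIC list.
        if re.search(r"\b(?:nic|ip_addr)\s*=", rest):
            problems.append(f"line {lineno}: nic and ip_addr must be on separate lines")
            continue
        parts = [p.strip() for p in rest.split(",")]
        for i, pattern in enumerate(parts):
            if not pattern:
                continue
            following = parts[i + 1] if i + 1 < len(parts) else ""
            # A quantifier such as {1,2} contains a comma, so the split above
            # silently turns one regex into two different ones.
            if re.search(r"\{\d*$", pattern) and re.match(r"\d*\}", following):
                problems.append(
                    f"line {lineno}: comma inside a regex near '{pattern},{following}'"
                )
            try:
                rules[key].append(re.compile(pattern))
            except re.error as exc:
                problems.append(f"line {lineno}: '{pattern}' does not compile: {exc}")
    return rules, problems


def apply_exclusions(rules, adapters):
    """Split adapters into (kept, excluded); assumes unanchored matching."""
    kept, excluded = [], []
    for adapter in adapters:
        reasons = [f"nic:{r.pattern}" for r in rules["nic"] if r.search(adapter["name"])]
        reasons += [
            f"ip_addr:{r.pattern}" for r in rules["ip_addr"] if r.search(adapter["ip"])
        ]
        if reasons:
            excluded.append((adapter["name"], reasons))
        else:
            kept.append(adapter["name"])
    return kept, excluded


def broad_patterns(rules, adapters):
    """Patterns that match every inventory value and would hide all of it."""
    fields = {"nic": "name", "ip_addr": "ip"}
    return [
        f"{key}:{r.pattern}"
        for key in KEYS
        for r in rules[key]
        if adapters and all(r.search(a[fields[key]]) for a in adapters)
    ]


if __name__ == "__main__":
    parsed, issues = parse_exclusion_list(SAMPLE_VALUE)
    kept_names, dropped = apply_exclusions(parsed, SAMPLE_ADAPTERS)
    print("problems:", issues)
    print("kept:", kept_names)
    for name, why in dropped:
        print("excluded:", name, why)
```

Running the preview against a real adapter inventory before changing the property shows whether a pattern would remove more interfaces from the CMDB than intended.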
Agent Client Collector installation
San Diego
You install the Agent Client Collector on any supported host machine. The Agent Client Collector connects to a MID Server. A single MID Server may support several agents, while a single agent works with one MID Server at a time and switches to a different MID Server when necessary to provide failover protection.
When an agent's IP address changes, it selects a MID Server to connect to based on the agent's MID Server list.
The maximum number of agents that can be connected to a single MID Server is configurable in the sn_agent.mid.max_allowed_agents MID Server property. The default value is 4,000.
For ACC-V, a default 1 GB MID Server can support 700 agents concurrently. An 8 GB configuration for MID Server can support 8000 agents concurrently. You can also scale out: for example, 5 MID Servers can handle 40k agents.
If you install multiple agents on a single host server, only the first installed agent is functional (has policies, checks, and CIs associated with it). Select duplicate agents on the Agent Client Collectors page (Agent Client Collector > Agents) and do one of the following:
Change the agent's Status to Down to disable the agent.
Click the Delete button to delete the agent.
Agents whose Status = Down which have not been deleted are deleted automatically after 30 days. You can modify this setting on the Autoflush form page (see Autoflush form).
When uninstalling and then reinstalling a later version of an agent, both versions of the agent appear on the Agent Client Collector list in your instance.
Before installing the Agent Client Collector, you must do the following:
Ensure that one or more MID Servers are properly registered and validated with your instance, to be available for an agent connection request. For details, see Configuring MID Servers. In a staging environment, you can have only one MID Server. However, in a production environment, you should configure at least two MID Servers to support zero-touch configuration and ensure that a MID Server is always available if one fails.
Ensure that there is a validated connection from the designated server where you are installing the agent to the MID Server.
Ensure that the following plugins are installed on your instance.
For ACC-M:
Agent Client Collector Framework
Agent Client Collector Monitoring
Event Management and Service Mapping Core
Metric Intelligence - WS Scoped App
For ACC-V:
Agent Client Collector Framework
Discovery [com.snc.discovery] plugin
For ACC-L:
Agent Client Collector Log Analytics
Health Log Analytics
You can verify that these are installed on the System Definitions > Plugins page.
All plugins that come with the base system are signed with the ServiceNow certificate. Optionally, you can create a self-signed certificate, as described in Enable an OpenSSL secure signing mechanism for plugins.
Ensure that you are installing Agent Client Collector on one of the supported operating systems:
ACC-L and ACC-M are supported only on server operating systems.
ACC-F and ACC-V are supported by both servers and end user devices.
All supported operating systems work with the x86-64 CPU architecture type.
When installing on macOS, ensure that you are working with Catalina or Big Sur.
When working with Windows servers, the firewall must have an outbound rule allowing the Agent Client Collector websocket port.
The Agent Client Collector base system comes with the servicenow user, which does not have permissions to read logs in some configured log paths. Make sure that the servicenow user has read access to enable Agent Client Collector to view all the configured log paths. For example, if the Agent Client Collector application is installed with the servicenow user, it does not have permissions to view the path to /var/log/ in Linux and the path to C:\Windows\System32 in Windows.
Agent Client Collector supports domain separation. The domain of the agent and the CIs it creates is determined by the domain of the MID Server that the agent is connected to. The user's domain must be the lowest domain level (known as a leaf domain) to enable creating a WebSocket endpoint extension for the MID Server.
Configure the websocket server on the MID Server
Configure the websocket server on MID Servers to enable connections from agents to the MID server. You can configure only one websocket server per MID server.
Configure a websocket endpoint
You can configure a new websocket endpoint for the Agent Client Collector.
Automatic MID Server selection
Automatic selection of MID Servers ensures that each agent uses the most efficient available MID Server.
Secure the connection between the MID Server and the agent
To secure communication between the MID Server and the agent, use the MID Server's unified key store.
Configure the frequency of updating the agent MID Server list
By default, the list of MID servers connected to agents is updated once daily. If you have a dynamic environment that adds MID servers frequently, you may want to schedule updates more often, or execute the job on demand.
Verify MID Server installation
After installing the MID Server, verify that installation is complete and accurate.
Optimize distribution of agents to MID Servers
Optimize the distribution of agents by allowing redistribution from one MID Server to another. Agents will always be connected to the MID Server with the fastest response time.
Incorporating the Agent Client Collector into a custom base image for mass deployment
Deploy the Agent Client Collector on a virtual machine during mass deployment using the machine's base image. Mass deployment uses silent installation, which hides installation status.
Agent Client Collector installation on a Linux OS system
Install Agent Client Collector on a system that uses a Linux OS either using a single-line command script or following a manual installation procedure if the single-line script is not connected to the instance or you want to use enhanced customization options.
Install the Agent Client Collector on a Windows machine
When installing the Agent Client Collector on a machine that uses a Windows operating system, either download an installation file and use a wizard to install the agent, or use Silent installation to disable installation reports. Silent installation is useful if you are installing many agents at once and you don't want to receive reports for each one.
Agent Client Collector installation on macOS system
Install Agent Client Collector on a system that uses macOS. You can either use a single-line command script or follow a manual installation procedure if the agent is not connected to the instance or you want enhanced customization options.
Enable the Agent Client Collector load balancer
Enable a load balancer to distribute resources over multiple MID Servers.
Restart an agent manually
If you are experiencing performance issues with the Agent Client Collector, you can manually restart the agent. You can perform manual restart only on agents installed in a Windows environment and for Linux-based agents that use systemd.
Verify agent connection
Run a self-test on the agent's host when the agent does not appear on an instance. The self-test verifies whether the agent is configured correctly on the instance.
Visibility default checks and policies
San Diego
Agent Client Collector for Visibility provides various checks and policies as well as a business rule.
Policy
There are four policies for ACC-V: Enhanced Discovery, Windows SAM Discovery, Windows SAM background, and Software installed.
Enhanced Discovery Policy
This policy runs off a schedule, which is defaulted to 24 hours (86400 seconds). The policy interval can be adjusted, for example to run every 4 hours (set the interval to 14400). The ACC-V policy configuration is synced to all agents based on the policy filter defined by ACC-V. Update the following ACC-F system properties if needed:
[sn_agent.disco_minimum_threshold_for_rediscovery_minutes]: to avoid discovering the system too frequently.
[sn_agent.disco_disable_ci_clobber_of_agentless_disco]: to avoid Discovery conflicts.
[sn_agent.disco_ci_clobber_of_agentless_disco_threshold_days]: to avoid Discovery conflicts.
Windows SAM Discovery policy
This policy is responsible for capturing software usage metrics for Windows endpoint devices.
Windows SAM background policy
This policy enables a background job for processing the Osqueryd logs for SAM on Windows endpoint devices.
Software installed policy
This policy is responsible for capturing the installed software data from all devices except Windows endpoint devices. The data collected is stored in the [cmdb_sam_sw_install] table. The software installed policy is scheduled to run every 24 hours.
Note: Windows endpoint devices include devices that have a Windows operating system and belong to class computer.
See System properties for more details. For more detail on policies, see Checks and policies.
Check type
ACC-V has three Check Types: EnhancedDiscovery, SAM Advanced Discovery, and Installed Software.
EnhancedDiscovery
This check type is responsible for invoking the EnhancedDiscoveryHandler script include that processes the payload produced by endpoint_discovery.rb as executed by ACC.
SAM Advanced Discovery
This check type is for the Windows SAM Discovery policy that invokes the EnhancedDiscoveryHandler script include for processing the SAM data produced by the sam_advanced.rb file.
Installed Software
This check type is for the Software installed policy and invokes the EnhancedDiscoveryHandler script include for processing the installed software data produced by the installed_software.rb file.
Check definition
There are four Check definitions which are used by the four ACC-V Policies.
Enhanced Discovery
This policy configuration is synced to all agents based on the policy filter defined by ACC-V. The Check definition is configured to run with certain assets and determines what gets synced between the Agent and the MID Server. For more detail on policies, see Checks and policies.
Note:
In order for the Agent to retrieve the OS serial numbers and TCP connections along with associated running processes, sudo access for “dmidecode” and “ss” is required on Linux systems. For example, this content could be added to /etc/sudoers or to an individual file in /etc/sudoers.d/:
Cmnd_Alias AGENT_ACC_V = /usr/sbin/dmidecode,/usr/sbin/ss
servicenow ALL=(root) NOPASSWD:AGENT_ACC_V
This content could be added to /etc/sudoers for macOS systems to fetch running processes, tcp connections, and installed software:
_servicenow ALL= SETENV: /Library/Caches/servicenow/agent-client-collector/osquery/bin/osqueryi *, /usr/sbin/lsof, /usr/sbin/system_profiler
Defaults:_servicenow !requiretty
Defaults exempt_group += _servicenow
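To record what the two sudoers entries above grant, the following added example (not ServiceNow code) parses them and lists each command with its run-as user, tags and argument restriction, which is the information a least-privilege review needs. The parser handles only the constructs used in these fragments, and the function names are illustrative.

```python
import re

# The two fragments from the note above, one statement per line.
LINUX_FRAGMENT = """\
Cmnd_Alias AGENT_ACC_V = /usr/sbin/dmidecode,/usr/sbin/ss
servicenow ALL=(root) NOPASSWD:AGENT_ACC_V
"""
MACOS_FRAGMENT = """\
_servicenow ALL= SETENV: /Library/Caches/servicenow/agent-client-collector/osquery/bin/osqueryi *, /usr/sbin/lsof, /usr/sbin/system_profiler
Defaults:_servicenow !requiretty
Defaults exempt_group += _servicenow
"""

USER_SPEC = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
TAG = re.compile(r"^([A-Z_]+):\s*")


def classify_args(args):
    """Describe how tightly a sudoers command entry constrains arguments."""
    if args == "":
        return "any"       # a bare path permits any arguments
    if args == '""':
        return "none"      # "" permits the command only without arguments
    if any(ch in args for ch in "*?["):
        return "wildcard"  # shell-style wildcards in the argument list
    return "fixed"


def summarize_sudoers(text):
    """Return (grants, notes) for a small sudoers fragment."""
    aliases, grants, notes = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Cmnd_Alias"):
            name, _, cmds = line[len("Cmnd_Alias"):].partition("=")
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        if line.startswith("Defaults"):
            if "exempt_group" in line:
                notes.append("exempt_group: members skip password and PATH requirements")
            continue
        match = USER_SPEC.match(line)
        if not match:
            notes.append(f"unparsed: {line}")
            continue
        user, _host, runas, rest = match.groups()
        tags = []  # tags carry forward to later commands in the same list
        for item in rest.split(","):
            item = item.strip()
            while (tag := TAG.match(item)):
                tags.append(tag.group(1))
                item = item[tag.end():]
            for cmd in aliases.get(item, [item]):
                path, _, args = cmd.partition(" ")
                grants.append({
                    "user": user,
                    "runas": runas or "root",  # sudo's default run-as user
                    "tags": tuple(tags),
                    "command": path,
                    "args": classify_args(args.strip()),
                })
    return grants, notes


def review_points(grants):
    """List the properties of each grant that a privilege review records."""
    points = []
    for grant in grants:
        flags = [t for t in grant["tags"] if t in ("NOPASSWD", "SETENV")]
        if grant["args"] in ("any", "wildcard"):
            flags.append("arguments unrestricted")
        if flags:
            points.append(f'{grant["user"]} -> {grant["command"]}: {", ".join(flags)}')
    return points


if __name__ == "__main__":
    for fragment in (LINUX_FRAGMENT, MACOS_FRAGMENT):
        found, remarks = summarize_sudoers(fragment)
        for point in review_points(found):
            print(point)
        for remark in remarks:
            print("note:", remark)
```

Check the syntax of the actual file with visudo -cf before relying on it.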
Windows – SAM background log check
The check definition log runs every 8 minutes and performs inline aggregation of data generated from Osqueryd logs. After collecting the data, it writes all the intermediate data results into a temporary marker file which is reused in the next run. This reuse limits the number of log files and disk space needed on target systems.
Note: You may notice a spike in system resource consumption as the background aggregation check runs every interval.
Windows – Software installations and usage metrics
This check definition collects the data every 24 hours.
Installed software
This check definition fetches installed software data for all devices other than Windows endpoint devices.
Business rule
The Enhanced Discovery – On CI Delete business rule triggers the Endpoint Discovery Check when the CI associated with a given CI is deleted from sn_agent_cmdb_ci_agent.