Agent Client Collector for Visibility reference

  • Release version: Xanadu
  • Updated August 1, 2024
  • 3 minutes to read
  • Review this information for details on OS query scripts, data collected, and definition of terms.

    OS module scripts for ACC-V

These platform-specific plugins invoke platform-specific module scripts. Each script emits a standard JSON payload regardless of the platform.

    Operating System family / plugin    |    Name of module script

    Linux: acc-f-modules
      basic_inventory.rb (Starting with ACC-F version 2.10.1, this script is no longer used.)
      data_collection.rb
      running_processes.rb
      tcp_connections.rb

    Windows: acc-f-modules
      basic_inventory.rb (Starting with ACC-F version 2.10.1, this script is no longer used.)
      data_collection.rb
      running_processes.rb
      tcp_connections.rb

    macOS: acc-f-modules
      basic_inventory.rb (Starting with ACC-F version 2.10.1, this script is no longer used.)
      running_processes.rb
      tcp_connections.rb

    Linux: acc-visibility-modules
      installed_software.rb
      file_systems.rb
      storages_devices.rb (supports physical disks and their corresponding disk partitions only)
      network_adapters.rb
      local_users.rb
      enhanced_inventory.rb
      cloud.rb

    Windows: acc-visibility-modules
      installed_software.rb
      file_systems.rb
      storages_devices.rb (supports physical disks and their corresponding disk partitions only)
      network_adapters.rb
      local_users.rb
      enhanced_inventory.rb
      cloud.rb
      sam_advanced.rb
      sam_processor.rb
      intel_ema.rb

    macOS: acc-visibility-modules
      installed_software.rb
      file_systems.rb
      storages_devices.rb (supports physical disks and their corresponding disk partitions only)
      network_adapters.rb
      local_users.rb
      enhanced_inventory.rb
      cloud.rb
    Note:

running_processes.rb and tcp_connections.rb are interdependent. For an efficient Discovery, deploy tcp_connections.rb and running_processes.rb together; both files are needed to produce complete data. If one is missing, the data of the other is not populated.

    To collect information about all running processes on macOS, you must grant osquery sudo access. Without this, running_processes.rb only returns processes owned by the _servicenow user. For tcp_connections.rb, you must add an entry permitting 'sudo lsof' to the sudoers file. Without this, tcp_connections.rb only returns connections owned by the _servicenow user.
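    The sudoers entries this note asks for on macOS, shown as an added example (not ServiceNow's own configuration and not taken from the page), with the over-broad form beside the scoped one. The binary paths are assumptions: /usr/sbin/lsof is the stock macOS location, and /usr/local/bin/osqueryi is where a standard osquery package installs; replace both with the binaries ACC actually invokes on the host.

```sudoers
# Added example, not ServiceNow's configuration. Install as /etc/sudoers.d/servicenow
# (mode 0440) and validate it with `visudo -cf /etc/sudoers.d/servicenow` before
# relying on it; confirm /etc/sudoers on the host has an includedir for sudoers.d.

# Over-broad: turns the agent account into an unrestricted root. Avoid.
# _servicenow ALL=(ALL) NOPASSWD: ALL

# Scoped: only the two commands the macOS modules need, run as root, without a
# password prompt (the agent runs non-interactively, so NOPASSWD is required).
# Paths are assumptions; adjust to the binaries ACC invokes on your hosts.
Cmnd_Alias ACC_VIS = /usr/sbin/lsof, /usr/local/bin/osqueryi
_servicenow ALL=(root) NOPASSWD: ACC_VIS
```

    A command listed without arguments permits any arguments, so the scoped rule limits which binaries run as root, not what they are asked to do. If the argument list the modules use is fixed, append it after the path (for example `/usr/sbin/lsof -i -n -P`) and sudo will match only that exact invocation. Either way, protect the _servicenow account and the module scripts it runs: whatever can write to them can run these commands as root.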

    Data collected

ACC-V uses the same classification criteria as IP-based Discovery for classifying a host as a computer or a server. The subset of collected data includes the following categories:
    • Basic inventory – Starting with ACC-F version 2.10.1, this is no longer used.
    • Data collection – Collects the data needed to classify and identify a host CI. This includes host name, serial numbers, and OS information.
    • Installed Software – cmdb_sam_sw_install (when SAM is enabled) or cmdb_software_instance (when SAM is not enabled)
    • File Systems – cmdb_ci_file_system
    • Storage Devices – cmdb_ci_disk and cmdb_ci_storage_device
    • Serial Numbers – cmdb_serial_number
    • Network Adapters – cmdb_ci_network_adapter and cmdb_ci_ip_address
    • TCP Connections – cmdb_tcp
    • Running Processes – cmdb_running_process (ACC-V also classifies the running processes and, where possible, creates application CIs in cmdb_ci_appl)
    • Local User – cmdb_os_user (Populates the local users for all operating systems that ACC-V supports, via the local_users module)
    • Enhanced inventory – Collects enhanced data (such as CPU info, start_date, and object_id) that is not needed to identify a unique host.
    Figure 1. Relationships between host computer, file systems, and storage devices
    [Diagram: layout of, and relationships among, the host computer CI, its file systems, and its storage devices]

    Agent Client Collector terms

    Agent Client Collector (ACC)
    The software component installed on target hosts that communicates with the MID Server. Sometimes referred to as Agent. This component is a ServiceNow derivative of Sensu-Go.
    Agent Client Collector Framework (ACC-F)
    A ServiceNow base scoped application that leverages ACC and provides core capabilities (including Check Types, Check Definitions, Policies, and so on) enabling other ACC scoped applications, including ACC-M and ACC-V.
    Agent Client Collector for Monitoring (ACC-M)
    A ServiceNow scoped application enabling monitoring use cases.
    Agent Client Collector for Visibility (ACC-V)
    A ServiceNow scoped application that implements push-based Discovery leveraging ACC and ACC-F.
    Horizontal IP-based Discovery
    Traditional Discovery available to customers prior to ACC-V. It discovers data via Probes and Patterns through the MID Server, requiring the Discovery Plugin.
    Modules
A subset of discovered data that is populated as part of Discovery. Examples of Modules include: Data Collection, Installed Software, Serial Numbers, File Systems, Storage Devices, Network Adapters, Running Processes, and TCP Connections.
    Push-based Discovery
Discovers data via ACC, ACC-F, ACC-V, and the MID Server, with the target host pushing its data directly. It does not require configuring IP ranges on a Discovery Schedule or providing Discovery Credentials for the target host.
    Sensu-Go agent
The free and open source project from which ACC is derived.
    Virtual Machine Instance
A virtual target host running inside a hypervisor, either on-premises or within a cloud service provider such as AWS, GCP, or Microsoft Azure.
    Virtual Machine Image
    A snapshot of a live virtual machine instance persisted to a file system or cloud storage.