Discovery behaviors
Summary of Discovery behaviors
Discovery behaviors in ServiceNow define which probes the Shazzam engine launches and from which MID Servers these probes run. Unlike a single MID Server scanning an IP range, behaviors can distribute scanning tasks across multiple MID Servers, even on different network segments, enabling more efficient and targeted discoveries. Behaviors are used in Discovery schedules to update Configuration Items (CIs) in the CMDB.
This capability is important for organizations with complex network environments, multiple domains, or specific access controls. It helps optimize resource use, avoid duplicate scans, and manage protocol-specific discovery effectively.
Key Features
- Load balancing: Distributes discovery workload across multiple MID Servers deployed in one or more domains to improve efficiency.
- Multi-domain and multi-protocol support: Assigns different MID Servers to scan specific protocols or domains, such as one MID Server scanning all protocols on one domain and another performing WMI scans on a second domain.
- Access Control List (ACL) compliance: Enables scanning of SNMP devices protected by ACLs by configuring MID Servers that have proper ACL access.
- Protocol selection per device: Controls discovery when devices run multiple protocols (e.g., SSH and SNMP simultaneously) by enabling exploration of only the designated protocol, preventing redundant scans.
- Supports complex environments: Facilitates discovery across multiple Windows domains and various UNIX and SNMP devices using multiple MID Servers, avoiding duplicate discovery efforts.
Functionality Definitions
When creating a behavior, you select a functionality definition that specifies which protocols Shazzam scans. Common options include:
- Windows only (WMI): Scans Windows devices via WMI; requires a Windows MID Server and domain criteria.
- Windows, DNS, and WINS: Scans Windows devices via WMI and resolves domains using DNS and WINS; requires a Windows MID Server.
- SNMP only: Scans only SNMP devices, useful for devices protected by ACLs restricting SNMP access; does not require additional criteria.
- All except SNMP: Scans all protocols except SNMP (includes WMI and SSH); often paired with SNMP-only behavior to separate scanning responsibilities.
- All except Windows (no WMI): Scans all protocols except WMI (includes SSH and SNMP); useful for non-Windows devices or multi-domain scenarios requiring different MID Servers.
Practical Applications for ServiceNow Customers
- Use Discovery behaviors to tailor discovery tasks across multiple MID Servers, improving scan efficiency and accuracy in large or segmented networks.
- Set up load balancing behaviors to automatically distribute discovery workloads when multiple MID Servers scan the same protocol.
- Leverage behaviors to manage access constraints like ACLs, ensuring MID Servers used have the necessary permissions for protected devices.
- Create behaviors that define protocol-specific discovery on devices running multiple protocols, preventing redundant or conflicting scans.
- Apply behaviors to efficiently discover devices across multiple Windows domains and other device types without duplicating efforts.
Next Steps
To implement Discovery behaviors, create behaviors in your Discovery schedules by selecting appropriate functionality definitions based on your network environment and protocols. Consider using PowerShell for Windows domain discoveries when possible, as it allows a single MID Server to authenticate across domains with stored credentials.
Configure load balancing behaviors if you have multiple MID Servers scanning the same protocols to optimize resource usage and reduce scanning time.
Discovery behaviors determine the probes that Shazzam launches, and from which MID Servers these probes are launched.
Unlike a scan performed by a single MID Server on a designated IP address range, a behavior can assign different tasks to multiple MID Servers on the same IP address segment or on different network segments. Behaviors are available in Discovery schedules for discoveries in which configuration items (CIs) are updated in the CMDB.
- Load balancing: A behavior enables load balancing in systems that use multiple MID Servers deployed across one or more domains.
- Multiple protocols in multiple domains: Configure one MID Server to scan for all protocols on one domain and another MID Server to perform a WMI scan on a second domain.
- Access Control Lists (ACL): Discovery can scan SNMP devices protected by an ACL if the MID Server host machine is granted access by that ACL. Use a behavior to configure a MID Server to scan devices protected by an ACL.
- Devices running two protocols: Some devices run two protocols at the same time, most commonly SSH and SNMP running concurrently on one device. A behavior can control which of the two protocols is explored for certain devices and prevents the other protocol from being explored.
Behaviors also enable the efficient Discovery of SSH and SNMP devices and WMI devices running on multiple Windows domains, using multiple MID Servers.
Available functionality definitions
| Functionality | Description |
|---|---|
| Windows only (WMI) | Scans for Windows devices using WMI protocol. Requires a Windows MID Server and functionality criteria to specify the domain. |
| Windows, DNS, and WINS | Scans for Windows devices using WMI protocol and resolves the domain using DNS and WINS. Requires a Windows MID Server and functionality criteria. |
| SNMP only | Scans for SNMP devices only. Use this when scanning devices protected by an ACL that restricts SNMP access to specific MID Server hosts. Does not require functionality criteria. |
| All except SNMP | Scans for all protocols except SNMP, including WMI and SSH. Use this in combination with SNMP only functionality when you need separate MID Servers for SNMP and other protocols. |
| All except Windows (no WMI) | Scans for all protocols except WMI, including SSH and SNMP. Use this in combination with Windows only functionality when scanning multiple domains or when non-Windows devices require a different MID Server. |
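
A check one might run over a planned behavior before saving it, written as an added example (not ServiceNow code and using no ServiceNow API): it maps each functionality definition in the table above to the protocols it scans, then reports duplicate scans, SNMP scans from MID Servers a device ACL would not admit, and protocols nobody scans. The row shape, the `snmpAclHosts` and `loadBalance` options and the MID Server names are assumptions for illustration, and only WMI, SSH and SNMP are modelled.

```javascript
// Added example: protocol sets per functionality, taken from the table above.
// Only the three protocols the page names (WMI, SSH, SNMP) are modelled.
const FUNCTIONALITY_PROTOCOLS = {
  'Windows only (WMI)': ['WMI'],
  'Windows, DNS, and WINS': ['WMI'],
  'SNMP only': ['SNMP'],
  'All except SNMP': ['WMI', 'SSH'],
  'All except Windows (no WMI)': ['SSH', 'SNMP'],
};
const NEEDS_CRITERIA = new Set(['Windows only (WMI)', 'Windows, DNS, and WINS']);

// rows: [{ functionality, midServers: [names], domain? }] (hypothetical shape).
// opts.snmpAclHosts: MID Servers the device ACL admits; opts.loadBalance: sharing is intended.
function reviewBehavior(rows, opts = {}) {
  const findings = [];
  const owners = new Map(); // scan key -> Set of MID Server names
  for (const row of rows) {
    const protocols = FUNCTIONALITY_PROTOCOLS[row.functionality];
    if (!protocols) { findings.push(`unknown functionality: ${row.functionality}`); continue; }
    if (NEEDS_CRITERIA.has(row.functionality) && !row.domain) {
      findings.push(`${row.functionality}: missing domain criteria`);
    }
    for (const protocol of protocols) {
      // WMI is keyed per domain so that two Windows domains are not flagged as overlap.
      const key = protocol === 'WMI' && row.domain ? `WMI/${row.domain}` : protocol;
      if (!owners.has(key)) owners.set(key, new Set());
      row.midServers.forEach((mid) => owners.get(key).add(mid));
    }
  }
  for (const [key, mids] of owners) {
    if (mids.size > 1 && !opts.loadBalance) {
      findings.push(`${key}: duplicate scan from ${[...mids].sort().join(', ')}`);
    }
    if (key === 'SNMP' && opts.snmpAclHosts) {
      for (const mid of mids) {
        if (!opts.snmpAclHosts.includes(mid)) findings.push(`SNMP: ${mid} is not admitted by the device ACL`);
      }
    }
  }
  for (const p of ['WMI', 'SSH', 'SNMP']) {
    const covered = [...owners.keys()].some((k) => k === p || k.startsWith(`${p}/`));
    if (!covered) findings.push(`${p}: no MID Server assigned`);
  }
  return findings;
}

// Constructed plan: both rows include SSH, and the SNMP scanner is not on the ACL.
const SAMPLE_PLAN = [
  { functionality: 'All except SNMP', midServers: ['mid-a'] },
  { functionality: 'All except Windows (no WMI)', midServers: ['mid-b'] },
];
console.log(reviewBehavior(SAMPLE_PLAN, { snmpAclHosts: ['mid-c'] }));
```

Replacing the second row with `SNMP only` on an ACL-admitted MID Server clears both findings, which is the pairing the table recommends for ACL-protected devices.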