Horizontal Discovery Patterns

- Phase 1 - Scanning
Shazzam probe scans common ports
Discovery determines which ports responded and identifies the type of machine
- Phase 2 - Classification
Classification probe is sent based on port probe response
Probe retrieves additional information, such as version of the OS, then classifies
the device
- Phase 3 - Identification
Patterns unify the Identification and Exploration Phases
The Classifier specifies the Horizontal Pattern probe
The Horizontal Pattern probe specifies which pattern to launch
Horizontal Pattern probe also contain a sensor used for updating the CMDB
- Phase 4 - Exploration
Patterns unify the Identification and Exploration Phases
The Classifier specifies the Horizontal Pattern probe
The Horizontal Pattern probe specifies which pattern to launch
Horizontal Pattern probe also contain a sensor used for updating the CMDB

Pattern
Series of operation that tell Discovery:
-Which CI to find on your network
-What credentials to use
-What tables to populate in CMDB

Patterns perform same functions as a probe:

-Identifies a target CI
-Explores a CI for details, such as RAM, CPU, OS, version, etc

Differences between Patern and Probes

-Patterns run during Identification and Exploration phases, Probes run during all
phases
-Probes create many ECC queue records, patterns only creates one additional record
-Patterns have a faster performance during Discovery than probes

Discovery Patterns 2 types:

- Infrastructure, identify hardware or hosts, such as servers, load balancers, etc
- Application, identify by a running process on a host, such as IIS, Apache, MSSQL

Pattern Sections,
- Identification: identify a CI through a series of steps and is part of the
baseline pattern record
- Extension: extends the Identification section, without changnig the baseline
pattern and is saved as a shared library

Steps are the basis for Discovery

- Once a step is created an Operation is selected, which determines how information
is gathered, modified, verified within each step
- THe order of the steps is inportant as each step is evaluated in sequence
- Each step must be succesful during discovery or the pattern will fail

Shared Libraries
- Steps can be saved in Shared Libraries and
- Shared patterns are saved in the Discovery
- Can only be modified from the pattern they
Linux . MEmory modules shared library can be
pattern
reused between patterns
Patterns [sa_pattern] table
reference
modified by accessing the Linux Server

Operation Choices
-- Structure
- Library Reference
- Match

-- Parse
- Parse Command Output
- Parse File
- Parse Variable

-- Others
- Change User
- Find Matching URL
- Parse URL
- Put File
- Set Parameter Value
- Unchange User

-- Query
- Get Process
- Get Registry Key
- LDAP Query
- SNMP Query
- WMI Method Invocation
- WMI Query

-- Table Operations
- Create Relation/Reference
- Filter Table
- Merge Table
- Transform Table
- Union Tables

-- Populate Variables
-- Debug
Debug Mode without a Discovery Schedule

-- Set Parameter Value

- Used to set a value of a variable or field
- Ideal for constant or static values
- VALUE field is what will be returned
- NAME field is the name of the variable
- Variable names must match the Column name of a field, not the label, in order for
it populate in a table

Parse Command Output

- Used to extract information from the command output
- Define Parsing determines the strategy used to extract information, such as
Delimited text, RegEx, etc
- Delimiters and Positions are used to define what specific information will be
captured from the Output

Merge Table
- Operation to merge content from two source tables into a target table
- Great final step if variable names match CI attributes
- Target Table should match CI Type for final step

Transform Table
- Add one or more computed columns to an existing table and place the results in a
target table
- Use this operation to unify information from different sources

WMI Query
- Get variable information from the target using OS tool
- Break down the query with UI for fields and contdition

SNMP Query
- Get variable information from the target
- Uses OID for SNMP query
- Populates multiple variables into a pattern table

Query for variables NOT HARD CODE

Parse Variable
- Use variables from query to populate pattern tables
- Multiple parsing strategies
- Drag and drop capabilities

Pattern Payload Properties

mid.discovery.max_pattern_payload_size
- Whit so many Shared Patterns being accessed when using Horizontal patterns, the
default payload size may be exceeded
- Default pattern payload size is 300000 bytes
- If the patter payload size is too low, errors may occur when running Debug or
Discovery
- Modify MID Server>Properties to increase the
mid.discovery.max_pattern_payload_size
- Leaving the MID Server field blank will apply the modified value to all MID
Servers