ServiceNow Discovery is an application within the ServiceNow platform that helps in identifying the devices and applications on specific network.

It automates the process of populating the Configuration Management Database (CMDB) with accurate and up-to-date configuration item (CI) data.

The Discovery process is a structured methodology used to detect, identify, and document all Configuration Items (CIs) within an IT infrastructure.

1. Scanning Phase: The primary goal of this phase is to discover and categorize devices based on their initial network signatures such as servers, routers, switches, printers, or virtual machines.

The scanning phase initiates the discovery cycle by probing the network to identify active devices and endpoints. Using tools such as Shazzam probes or other network scanners, the system performs IP range sweeps and port scans to detect hosts and open network ports. These open ports serve as indicators of available services or protocols (e.g., SSH, WMI, SNMP) that can later be leveraged for deeper inspection.

2. Classification Phase: Once devices are detected, the classification phase determines the type and role of each device in the network. This involves analyzing response patterns, service banners, and protocol data obtained from the scan results.

3. Identification Phase: In the identification phase, the discovery tool cross-references the gathered information against existing CMDB records to determine whether the detected device already exists within the database. This comparison is typically based on unique identifiers such as IP address, MAC address, serial number, or host name. If a match is found, the existing CI record is updated; otherwise, a new CI entry is created. This step ensures that the CMDB remains consistent and prevents duplicate entries or redundant data.

4. Exploration Phase: The final exploration phase performs an in-depth interrogation of the identified devices to collect detailed attributes and relationships. Using predefined discovery patterns and credentials, the system retrieves granular configuration data such as installed software, running processes, hardware components, network interfaces, and dependency mappings.

Probes: It is lightweight scripts whose main role is to collect raw data about network devices, operating systems, software, and services by performing low-level network operations.

Sensors: It is server-side scripts that interpret and process the data collected by probes. Once a probe executes and returns its results, the sensor parses the raw data, extracts meaningful information, and then writes the relevant CI attributes to the CMDB tables. Patterns: Predefined sequences of probes and sensors executed together to discover a device completely. It automates the discovery of complex devices by defining discovery logic, order, and dependencies.

Horizontal Discovery: Discovers infrastructure and network devices such as servers, routers, switches, etc.

Vertical Discovery: Focuses on applications running on the infrastructure discovered in horizontal discovery, such as databases, web servers, etc.

Discovery uses Identification and Reconciliation Engine (IRE) rules along with key attributes such as IP address, host name, serial number, etc., to uniquely identify a CI and determine if it should be updated or a new one created.

The MID Server is the key component that enables Discovery to reach devices behind firewalls. A MID Server acts as a bridge between the ServiceNow cloud instance and the local network environment. It is installed within the customer’s internal network.

The ECC Queue table (ecc_queue) contains Inbound and Outbound messages:

1. Outbound Messages: Messages sent from the ServiceNow instance to the MID Server. These instruct the MID Server to perform specific actions. e.g. Discovery probe instructions (e.g., "Run Shazzam probe on IP range 10.0.0.0/24").

2. Inbound Messages: Messages sent from the MID Server back to the ServiceNow instance. These contain the results or responses from the executed probes. e.g. Probe results, status updates, or discovery data returned from target devices.

Here’s how Discovery securely communicates through firewalls:

- The MID Server continuously polls the ECC Queue for new Discovery instructions from the ServiceNow instance.

- When it receives a Discovery task, it executes the assigned probes or patterns to collect information from target devices (such as servers, network devices, or databases).

- It performs Discovery operations like scanning, classification, identification, and exploration within the network segment where it is installed.

- After completing the task, the MID Server sends the results back to the ServiceNow instance through the ECC Queue for further processing by sensors or patterns.

- The MID Server operates in a stateless manner — it does not store or retain any Discovery data locally, ensuring data security and compliance.

Horizontal is used for Discovery and Vertical/Top down is used for Service mapping.

Here’s how Discovery and Service Mapping differ in practical terms:

The main goal of a Behavior is to provide Discovery with flexibility and efficiency when determining how to access a device.

Since different devices may support multiple connection protocols (for example, SSH, SNMP, WMI, or PowerShell), Behaviors tell Discovery which protocol to try first and how to proceed if that attempt fails.

Here is how Behaviors Are Utilized in the Discovery Process:

1. The MID Server first identifies that a target IP or host is active and reachable within the network.

2. Discovery then consults the configured Behaviors to determine which protocol and credential combination should be used to connect to the target device.

3. If the first Behavior fails (for example, due to an incompatible protocol or invalid credentials), Discovery automatically proceeds to the next Behavior in the sequence.

4. This process continues until a successful connection is established, or all available Behaviors have been attempted without success.

ECC Queue: Check for communication errors between ServiceNow and the MID Server.

MID Server Logs: Analyze command execution and probe errors.

Discovery Logs: Review Discovery status, phase failures, and CI creation issues.

SSH: Port 22
WMI (Windows): Ports TCP 135, TCP 139, TCP 445, and dynamic ports (1024–65535).