Discovery Overview
Tripl-i Discovery automatically finds and maps your entire IT infrastructure, creating a real-time, accurate view of all hardware, software, and their relationships. Using multiple discovery methods and AI-powered analysis, it eliminates manual inventory processes and ensures your CMDB stays current.
What is Discovery?
Discovery is the automated process of:
- Finding devices and applications on your network
- Collecting detailed configuration and state information
- Mapping relationships and dependencies
- Analyzing patterns and anomalies with AI
- Updating the CMDB with current data
Discovery Architecture
Discovery Methods
Agent-Based Discovery
Advantages:
- Deep system information
- Real-time updates
- Behind firewall access
- Minimal network impact
Supported Platforms:
- Windows (PowerShell agent)
- Linux (Python agent)
- Unix (Shell agent)
- Container environments
Agentless Discovery
Network Scanning:
- SNMP v1/v2c/v3
- WMI (Windows)
- SSH (Linux/Unix)
- ICMP ping sweep
API-Based:
- VMware vSphere
- AWS EC2
- Azure Resource Manager
- Google Cloud Platform
- Kubernetes API
Hybrid Discovery
Combines agent and agentless methods for:
- Complete coverage
- Minimal blind spots
- Optimized performance
- Flexible deployment
Discovery Process
1. Initial discovery
Discovery proceeds in three phases:
Phase 1 -- Network Sweep
- IP range scanning
- Port identification
- Basic device classification
- Initial inventory
Phase 2 -- Deep Discovery
- Credential-based access
- Detailed configuration collection
- Software inventory
- Process analysis
Phase 3 -- Relationship Mapping
- Network connections
- Application dependencies
- Service mapping
- Data flow analysis
2. Continuous discovery
After the initial scan, agents report changes on a recurring basis. The Discovery Engine forwards those changes to the AI Engine for classification and then updates the CMDB -- keeping your configuration data fresh without any manual effort.
AI-Powered Discovery Features
Intelligent device classification
When a new device is discovered, the AI Engine automatically classifies it based on the information collected during scanning. For example, a device with open web and database ports and an Apache banner may be classified as follows:
| Attribute | Value |
|---|---|
| Type | Web Server |
| Operating System | Ubuntu Linux |
| Role | Application Server |
| Detected Services | Apache Web Server, MySQL Database |
| Confidence | 94% |
This automatic classification removes the need for manual categorization and ensures every asset in the CMDB has accurate metadata from the moment it is discovered.
Pattern recognition
- Identifies standard deployment patterns
- Detects application stacks
- Recognizes clustering configurations
- Maps load-balanced services
Anomaly detection
Tripl-i flags unexpected discoveries so you can investigate quickly. A typical anomaly alert includes:
| Detail | Example |
|---|---|
| Type | New Device |
| IP Address | 10.1.5.200 |
| Classification | Unknown Web Server |
| Risk Level | Medium |
| Recommendations | Verify authorization, check security compliance, update firewall rules |
Discovery Credentials
Credential management
Tripl-i stores discovery credentials in a secure vault. You can configure different credential types scoped to specific parts of your network:
| Credential Type | Scope Example | Privileges |
|---|---|---|
| Active Directory | *.corp.local | Read-only |
| SSH Key | Production Subnet | Limited sudo for discovery commands |
| SNMP v3 | Network Infrastructure | authPriv security level |
Security best practices
- Use read-only credentials wherever possible
- Implement credential rotation on a regular schedule
- Limit the scope of each credential to the minimum required IP range
- Monitor credential usage for unauthorized access
- Encrypt credentials at rest
Discovery Scheduling
Schedule types
Full Discovery
- Complete infrastructure scan
- All attributes collected
- Relationship rebuild
- Recommended schedule: Weekly
Incremental Discovery
- Changes only
- New and modified devices
- Quick updates
- Recommended schedule: Every 4 hours
Real-time Discovery
- Agent-based changes
- Immediate updates
- Critical systems only
- Runs continuously
Smart scheduling
Smart Scheduling lets you assign the right discovery method and frequency for each asset category. The table below shows a typical configuration:
| Asset Category | Discovery Method | Frequency |
|---|---|---|
| Production Servers | Agent | Real-time |
| Development Servers | Agentless | Daily |
| Network Devices | SNMP | Every 4 hours |
| Workstations | Agent | On login |
Tailoring the schedule by asset category ensures critical infrastructure is always up to date while minimizing load on less critical systems.
CI Matching and Reconciliation
Overview
The CI matching and reconciliation mechanism prevents duplicate Configuration Items during discovery. It uses a hierarchical lookup strategy to find existing CIs before creating new ones, ensuring data integrity and avoiding duplication.
Matching hierarchy
The system uses a priority-based matching approach to identify existing CIs. Identifiers are checked in the following order, from highest to lowest confidence:
| Priority | Identifier | Confidence | Notes |
|---|---|---|---|
| 1 | Serial Number + MAC Address | Highest | Unique hardware combination |
| 2 | Serial Number only | High | Usually unique per device |
| 3 | MAC Address only | Medium | Can change if NIC is replaced |
| 4 | Hostname | Low | Can be duplicated across environments |
| 5 | IP Address | Lowest | Dynamic and reusable |
Tenant isolation
All CI lookups include tenant filtering to ensure proper data isolation. This means that two different tenants can each have devices with the same IP address or hostname without causing conflicts. Tenant filtering is enforced at every step of the matching process.
Matching algorithm
How matching works in practice
Hardware identifier priority. When hardware identifiers (serial number or MAC address) are available, the system skips IP-based matching entirely. This prevents overwriting a different physical device that happens to share the same IP address.
Conflict detection. If a lookup finds an existing CI at the same IP address but with different hardware identifiers (different serial number or MAC address), the system recognizes this as a different physical device and creates a new CI rather than overwriting the existing one.
Virtual machine handling. Virtual machines require special handling because cloned VMs may share serial numbers and MAC addresses can be regenerated. The system detects VM-specific serial number formats (such as those starting with "VMware-") and shifts to MAC address or VM UUID as the primary identifier.
Common matching scenarios
Scenario 1: Hardware Refresh A new physical device replaces an old one and is assigned the same IP address. Because the serial number and MAC address are different, the system creates a new CI. The old CI remains in the CMDB as a historical record.
Scenario 2: Network Change A server is moved to a different subnet and receives a new IP address. Because the serial number and MAC address have not changed, the system updates the existing CI with the new IP information.
Scenario 3: NIC Replacement A network interface card is replaced, changing the MAC address. Because the serial number still matches, the system updates the existing CI with the new MAC address.
Duplicate prevention
Duplicates can occur in the following situations:
- Missing tenant filter -- Lookups that do not include the tenant field may match CIs belonging to another organization
- Timing issues -- Concurrent scans of the same device before the first scan completes
- Identifier changes -- Hardware changes between consecutive scans
- Data quality -- Missing or invalid identifiers in scan data
Prevention strategies:
- Tenant filtering is enforced on every CI lookup
- Atomic operations ensure that concurrent scans do not create duplicates
- Retry logic handles transient conflicts gracefully
Troubleshooting duplicates
If you suspect duplicate CIs exist in your CMDB, follow these steps:
- Identify -- Use the CMDB search to look for devices with the same serial number, MAC address, or hostname
- Compare -- Check the "Last Scanned" timestamp on each CI to determine which record is most recent
- Merge -- Transfer any unique custom fields and relationships from the older CI to the newer one
- Update references -- Ensure that any related CIs, events, or reports point to the correct (surviving) CI
- Delete -- Remove the older duplicate CI
- Verify -- Confirm that no orphaned relationships remain
Best practices for CI matching
- Always include tenant context -- Every CI lookup must respect tenant boundaries
- Prioritize hardware identifiers -- Serial numbers and MAC addresses are more reliable than IP addresses
- Handle conflicts proactively -- Log and investigate identifier mismatches rather than ignoring them
- Monitor for duplicates -- Run regular audits to catch duplicates early
- Test edge cases -- Verify matching logic with scenarios like VM cloning, NIC replacement, and IP reuse
Discovery Data Processing
Data flow pipeline
Data quality controls
Validation Rules:
- Required field checks
- Format validation
- Range verification
- Consistency checks
Deduplication Logic:
- Serial number matching
- MAC address correlation
- Hostname resolution
- UUID comparison
Performance and Scalability
Discovery metrics
| Metric | Target |
|---|---|
| Devices per Hour | 10,000 |
| Concurrent Scans | 500 |
| Data Processing | 1M attributes/min |
| CMDB Updates | 50,000/min |
Scaling strategies
Horizontal Scaling:
- Multiple discovery engines
- Distributed processing
- Load balancing
- Regional collectors
Optimization Techniques:
- Parallel scanning
- Batch processing
- Caching mechanisms
- Smart scheduling
Discovery Reporting
Discovery dashboard
The Discovery Dashboard gives you a real-time summary of your discovery activity, including:
| Metric | Description |
|---|---|
| Total Devices | Total number of discovered assets in your CMDB |
| Discovered Today | New or updated devices found in the current day |
| Failed Discoveries | Devices that could not be scanned (with reasons) |
| Success Rate | Percentage of successful scans |
| Coverage by Category | Breakdown of coverage for servers, workstations, network devices, and cloud resources |
Key reports
-
Discovery Coverage
- Discovered versus expected device counts
- Blind spots analysis
- Credential failures
- Network unreachable summaries
-
Discovery Performance
- Scan duration trends
- Success and failure rates
- Resource utilization
- Queue statistics
-
New Device Report
- Newly discovered items
- Unauthorized devices
- Shadow IT detection
- Compliance gaps
Troubleshooting
Duplicate CIs created
| Detail | Information |
|---|---|
| Symptom | Multiple CIs appear for the same physical device |
| Common Causes | Missing tenant filter in lookups, concurrent scan processing, changed hardware identifiers, IP address reuse |
| Resolution | Run a duplicate detection search, merge duplicate CIs carefully, verify tenant filtering |
| Prevention | Always include tenant in queries, use hardware IDs for matching, monitor for duplicates regularly |
Discovery failures
| Detail | Information |
|---|---|
| Symptom | Expected devices are not discovered |
| Common Causes | Network connectivity issues, firewall blocking required ports, invalid credentials, discovery service disabled on target |
| Resolution | Verify port access from the discovery engine, check and rotate credentials, review firewall logs, enable required services on targets |
Performance issues
| Detail | Information |
|---|---|
| Symptom | Discovery scans run slowly or time out |
| Common Causes | Network congestion, overloaded target devices, excessively large scan ranges, insufficient discovery engine resources |
| Resolution | Adjust scheduling to off-peak hours, limit concurrent scan count, increase engine resources, break large ranges into smaller segments |
CI matching failures
| Detail | Information |
|---|---|
| Symptom | Existing CIs are not updated; new CIs are created instead |
| Common Causes | Missing serial numbers in scan data, changed MAC addresses, dynamic IP assignment, tenant mismatch |
| Resolution | Verify that hardware identifiers are present in scan results, check tenant assignment, review the matching hierarchy, investigate identifier changes |
Best Practices
1. Planning
- Map your network topology before starting discovery
- Identify critical systems that need real-time monitoring
- Plan discovery in phases -- start small and expand
- Set realistic schedules based on network size and complexity
2. Implementation
- Begin with a small pilot covering one subnet or department
- Validate discovered data against known inventories
- Tune discovery patterns based on initial results
- Monitor performance and adjust concurrency limits
3. Optimization
- Review schedules regularly and adjust as your environment changes
- Maintain credentials and rotate them on a defined cadence
- Tune scan parameters for optimal performance
- Analyze coverage reports to identify and close gaps
4. Governance
- Establish a discovery approval process for new scan ranges
- Set up change notifications so stakeholders are informed of new discoveries
- Validate compliance requirements are met by discovered data
- Conduct regular audits of CMDB accuracy against discovery results
Next Steps
- Network Scanning -- Detailed network discovery configuration
- Agent Deployment -- Installing and managing discovery agents
- Credential Management -- Securing and rotating discovery credentials
- Discovery Patterns -- Creating custom discovery patterns