
Server Scanning Reference

This document provides a comprehensive reference for Windows and Linux server discovery in Tripl-i. Server scanning uses WMI (for Windows) and SSH (for Linux/Unix) to collect deep system information, software inventory, network connections, and hardware details — building a complete Configuration Item (CI) record for each discovered device.

Overview

Server scanning is the core discovery capability. When the Nopesight Scanner agent detects open management ports during a network scan, it automatically connects using the appropriate protocol and collects comprehensive system data that flows into your CMDB.

Protocol | Target Systems | Trigger Port | Authentication
WMI | Windows Server, Windows Workstation | TCP 135, 445 | Domain or local credentials
SSH | Linux, Unix, AIX, macOS | TCP 22 | Username/password or SSH key

Key Benefits

  • Complete Hardware Inventory — Automatically discover CPU, memory, disk, network adapters, monitors, and peripherals
  • Software Inventory — Every installed application, version, and vendor captured with CPE matching for vulnerability tracking
  • Network Dependency Mapping — Active network connections mapped to identify service dependencies
  • User Account Audit — Local and domain user accounts discovered for access reviews
  • Patch Compliance — Windows hotfixes and Linux packages tracked with KB-to-CVE mapping
  • Database Discovery — SQL Server instances automatically detected during Windows scans
  • Monitor & Peripheral Tracking — External displays and USB devices tracked by serial number

How It Works

Discovery Flow

Network Port Scan
|
|--- Port 135/445 open ---> WMI Scanner (Windows)
|--- Port 22 open --------> SSH Scanner (Linux/Unix)
|
v
Credential Lookup (per IP)
|
v
System Data Collection
|
v
Backend Processing Pipeline
|
+--> CI Creation/Update (Server or Workstation)
+--> Sub-Collection Population (disks, network, software, etc.)
+--> Relationship Building (software, database, network connections)
+--> AI Enrichment (dependency analysis, risk scoring)

Device Type Classification

The system automatically classifies discovered devices:

Classification | Detection Criteria
Server | Server OS edition, server hardware model, domain controller role
Workstation | Desktop OS (Windows 10/11, macOS), consumer hardware model

Classification happens during backend processing based on OS name, hardware model keywords, and domain role indicators.
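The rule above can be read as an ordered set of checks. The following is an added illustration, not Tripl-i's own classifier: the keyword lists, the tie-break order (domain controller role first, then OS name, then hardware model) and the default of treating an unrecognised OS as a Server are all assumptions made here. The DomainRole values 4 and 5 are the Win32_ComputerSystem convention for backup and primary domain controllers; whether the scanner uses that field is not stated on this page.

```python
# Added example of OS-name / model-keyword / domain-role classification.
# Keyword lists and precedence are assumptions, not Tripl-i's implementation.
SERVER_OS_KEYWORDS = ("windows server", "red hat enterprise", "rhel",
                      "centos", "ubuntu server", "aix", "esxi")
DESKTOP_OS_KEYWORDS = ("windows 10", "windows 11", "macos", "mac os x")
SERVER_MODEL_KEYWORDS = ("poweredge", "proliant", "thinksystem", "system x")
DESKTOP_MODEL_KEYWORDS = ("optiplex", "latitude", "elitebook", "thinkpad",
                          "thinkcentre", "macbook", "imac")

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary
# domain controller. A DC is always a Server regardless of what else we see.
DOMAIN_CONTROLLER_ROLES = {4, 5}


def classify_device(os_name, model="", domain_role=None):
    """Return 'Server' or 'Workstation' for one discovered device."""
    os_l = (os_name or "").lower()
    model_l = (model or "").lower()
    if domain_role in DOMAIN_CONTROLLER_ROLES:
        return "Server"
    # Desktop OS names are checked before server ones so that e.g.
    # "Windows 11" on a Precision tower is not misread by its model string.
    if any(k in os_l for k in DESKTOP_OS_KEYWORDS):
        return "Workstation"
    if any(k in os_l for k in SERVER_OS_KEYWORDS):
        return "Server"
    if any(k in model_l for k in DESKTOP_MODEL_KEYWORDS):
        return "Workstation"
    if any(k in model_l for k in SERVER_MODEL_KEYWORDS):
        return "Server"
    # Assumption: anything unrecognised (a generic Linux distro on a VM,
    # for instance) is treated as a Server.
    return "Server"


if __name__ == "__main__":
    print(classify_device("Microsoft Windows Server 2022 Standard", "PowerEdge R750", 3))
    print(classify_device("Microsoft Windows 11 Pro", "OptiPlex 7090", 1))
```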


WMI Scanning (Windows)

Network Requirements

Port | Protocol | Purpose
135 | TCP | RPC Endpoint Mapper (required)
445 | TCP | SMB/CIFS for remote administration
49152-65535 | TCP | Dynamic RPC ports
5985/5986 | TCP | WinRM (PowerShell Remoting, optional)

Credential Requirements

  • Domain Account — Recommended for scanning multiple Windows devices with a single credential
  • Local Administrator — Required for full hardware and software collection
  • Minimum Permission — Remote WMI access, remote registry read, remote service query

For localhost scanning, no credentials are required — the scanner uses the current user context.

What WMI Discovers

System Information

Data Point | Description | CI Field
Computer name | NetBIOS hostname | name
Domain | Active Directory domain | customFields.domain
Manufacturer | Hardware vendor (Dell, HP, Lenovo) | manufacturer
Model | Hardware model name | model
Serial number | Service tag / serial | serialNumber
Currently logged-on user | Active user session | customFields.current_user

Operating System

Data Point | Description | CI Field
OS name | Full OS caption (e.g., "Microsoft Windows Server 2022 Standard") | operatingSystem
Version | OS version number | customFields.os_version
Build number | Windows build | customFields.os_build
Architecture | 32-bit or 64-bit | customFields.os_architecture
Service pack | Service pack level | customFields.service_pack
Install date | OS installation date | customFields.os_install_date
Last boot time | Last system restart | customFields.last_boot_time

Processor

Data Point | Description | CI Field
CPU model | Processor name (e.g., "Intel Xeon E5-2680 v4") | customFields.cpu_model
Core count | Physical cores | customFields.cpu_cores
Thread count | Logical processors | customFields.cpu_threads
Clock speed | Max frequency (MHz) | customFields.cpu_speed
Socket count | Number of CPU sockets | customFields.processor_count

Memory

Data Point | Description | CI Field
Total memory | Total RAM in GB | customFields.total_memory_gb
DIMM details | Per-slot: capacity, speed, manufacturer, part number | Stored in raw scan data

Disk Drives

Disk information is stored in the ServerDisk sub-collection linked to the CI:

Data Point | Description
Drive letter | Volume mount point (C:, D:, etc.)
Volume name | Friendly volume label
Total size (GB) | Volume capacity
Free space (GB) | Available space
File system | NTFS, ReFS, FAT32

Physical disk details (model, interface type, media type) are stored in the ServerPhysicalDisk sub-collection.

Network Adapters

Stored in the ServerNetworkAdapter sub-collection:

Data Point | Description
Adapter name | Connection name (e.g., "Ethernet 0")
MAC address | Hardware address
IP addresses | IPv4 and IPv6 addresses with subnet masks
Speed | Link speed in Mbps
DHCP enabled | Static or dynamic configuration
DNS servers | Configured DNS servers
Default gateway | Configured gateway

Installed Software

Stored in the ServerAppsInstalled sub-collection:

Data Point | Description
Application name | Software title
Vendor | Publisher name
Version | Installed version
Install date | When it was installed

Each application is also processed through the Software Instance pipeline, which:

  1. Creates a Software Instance CI linked to the server
  2. Matches to the Software Catalog for normalization
  3. Generates CPE identifiers for vulnerability matching
  4. Links to Software Family classifications via AI analysis

Windows Hotfixes

Stored in the ServerHotfix sub-collection:

Data Point | Description
KB article | Microsoft Knowledge Base ID (e.g., KB5034441)
Description | Hotfix type (Security Update, Update, etc.)
Install date | When the hotfix was applied

Hotfixes are cross-referenced with the KB-CVE mapping database to determine which vulnerabilities are patched.

Network Connections

Stored in the ServerNetworkConnection sub-collection:

Data Point | Description
Remote IP | Destination IP address
Remote port | Destination port
Local port | Source port
Protocol | TCP or UDP
State | ESTABLISHED, LISTEN, TIME_WAIT, etc.
Process name | Application making the connection
Process ID | OS process identifier

Network connections are the foundation for dependency mapping — the AI analyzes connection patterns to identify service relationships, authentication flows, and data transfer paths between systems.

User Accounts

Stored in the ServerUserAccount sub-collection:

Data Point | Description
Username | Account name
Full name | Display name
Account type | Local or Domain
Enabled | Active or disabled

Monitors (Workstations)

External displays discovered via WMI are stored as Monitor CIs:

Data Point | Description
Manufacturer | Display manufacturer
Model | Monitor model name
Serial number | Unique serial for tracking

Monitors are linked to the workstation via a "Uses" relationship. Serial number tracking enables monitoring of display reuse across workstations over time.

Peripheral Devices (Workstations)

USB devices and docking stations are stored as Peripheral CIs:

Data Point | Description
Device type | Keyboard, mouse, docking station, etc.
Manufacturer | Hardware vendor
Model | Device model

SQL Server Detection

If SQL Server is detected on a Windows server, the WMI scan automatically triggers database discovery. See SQL Server Database Discovery for details on what additional data is collected.


SSH Scanning (Linux/Unix)

Network Requirements

Port | Protocol | Purpose
22 | TCP | SSH (Secure Shell) — required

Credential Requirements

  • Username + Password — Standard authentication
  • SSH Key File — Key-based authentication (more secure, recommended for production)
  • Sudo Access — Optional but recommended for complete hardware discovery

Scanning Modes

Mode | Access Level | What It Collects
Basic Mode | Regular user | OS info, hostname, network config, processes, packages, user accounts, network connections
Enhanced Mode | Root or sudo | All basic data plus BIOS/DMI info, disk health (SMART), hardware serial numbers, PCI devices, virtualization details, LVM volumes

What SSH Discovers

System Information

Data Point | Description | CI Field
Hostname | System hostname | name
OS name | Distribution and version (e.g., "Ubuntu 22.04.3 LTS") | operatingSystem
Kernel version | Linux kernel version | customFields.kernel_version
Architecture | CPU architecture (x86_64, aarch64) | customFields.os_architecture
Manufacturer | Hardware vendor (from DMI data) | manufacturer
Model | Hardware model (from DMI data) | model
Serial number | System serial number | serialNumber

Serial Number Discovery

The SSH scanner uses a multi-source approach with confidence scoring:

Source | Priority | Confidence | Method
DMI/SMBIOS (root) | 1 | High | dmidecode with sudo
Sysfs | 2 | High | /sys/class/dmi/id/product_serial
Device tree | 3 | Medium | /proc/device-tree/serial-number
CPU info | 4 | Medium | /proc/cpuinfo serial field
Hostname fallback | 5 | Low | Uses hostname as serial (last resort)

The confidence level is stored alongside the serial number to help assess data quality.
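The priority walk in the table maps directly onto code. The block below is an added example, not the Tripl-i scanner's own implementation; the function names, the in-memory filesystem used in place of real reads, and the placeholder-serial filter are assumptions. The filter matters for data quality: hypervisors and some OEM firmware leave values such as "To Be Filled By O.E.M." or "Not Specified" in the DMI serial field, and accepting them would cause unrelated hosts to collide later during serial-number CI matching. Device-tree strings are NUL-terminated, which the cleaner also handles.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Values commonly left in the DMI serial field by firmware vendors and hypervisors.
# They carry no identity and must not be used as a CI matching key.
PLACEHOLDER_SERIALS = {
    "", "0", "none", "unknown", "not specified", "default string",
    "system serial number", "to be filled by o.e.m.",
}


@dataclass(frozen=True)
class SerialResult:
    serial: str
    source: str
    confidence: str  # "high", "medium" or "low", mirroring the table above


def _clean(raw: Optional[str]) -> Optional[str]:
    """Strip whitespace and NUL terminators; reject known placeholder values."""
    if raw is None:
        return None
    value = raw.replace("\x00", "").strip()
    return None if value.lower() in PLACEHOLDER_SERIALS else value


def _cpuinfo_serial(text: Optional[str]) -> Optional[str]:
    """Pick the 'Serial : ...' line some ARM boards expose in /proc/cpuinfo."""
    for line in (text or "").splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "serial":
            return value
    return None


def discover_serial(read_file: Callable[[str], str],
                    run_dmidecode: Callable[[], Optional[str]],
                    hostname: str) -> SerialResult:
    """Try each source in the table's priority order; fall back to the hostname."""
    sources = (
        ("dmidecode", "high", run_dmidecode),
        ("sysfs", "high", lambda: read_file("/sys/class/dmi/id/product_serial")),
        ("device_tree", "medium", lambda: read_file("/proc/device-tree/serial-number")),
        ("cpuinfo", "medium", lambda: _cpuinfo_serial(read_file("/proc/cpuinfo"))),
    )
    for name, confidence, reader in sources:
        try:
            value = _clean(reader())
        except OSError:  # file absent/unreadable, or sudo refused (PermissionError is an OSError)
            continue
        if value:
            return SerialResult(value, name, confidence)
    return SerialResult(hostname, "hostname_fallback", "low")


def make_readers(files: Dict[str, str], dmidecode_serial: Optional[str] = None,
                 sudo_allowed: bool = False):
    """Reader callables over a constructed in-memory filesystem (assumption: offline stand-in)."""
    def read_file(path: str) -> str:
        if path not in files:
            raise FileNotFoundError(path)
        return files[path]

    def run_dmidecode() -> Optional[str]:
        if not sudo_allowed:
            raise PermissionError("sudo: a password is required")
        return dmidecode_serial
    return read_file, run_dmidecode


def demo() -> SerialResult:
    """Constructed sample: cloud VM scanned in basic mode (no sudo) with a blanked BIOS serial."""
    read_file, run_dmidecode = make_readers({
        "/sys/class/dmi/id/product_serial": "To Be Filled By O.E.M.\n",
        "/proc/cpuinfo": "processor\t: 0\nmodel name\t: Intel(R) Xeon(R) Platinum\n",
    })
    return discover_serial(read_file, run_dmidecode, "web-01")


if __name__ == "__main__":
    print(demo())
```

In the constructed sample every real source is either denied or a placeholder, so the result is the hostname with low confidence; a record carrying that confidence should not be trusted as a deduplication key on its own.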

Virtualization Detection

The scanner automatically detects the virtualization platform:

Platform | Detection Method
VMware | DMI data, /sys/class/dmi/id/sys_vendor
KVM/QEMU | DMI data, /proc/cpuinfo hypervisor flags
Hyper-V | DMI data, kernel modules
AWS EC2 | Instance metadata, DMI product name
Azure | Instance metadata, DMI product name
Google Cloud | Instance metadata, DMI product name
Xen | /sys/hypervisor/type
Docker/Container | /.dockerenv, cgroup detection

Processor

Data Point | Description
CPU model | Processor name from /proc/cpuinfo
Core count | Physical CPU cores
Thread count | Logical processors
Cache sizes | L2/L3 cache sizes

Memory & Disk

Data Point | Source
Total memory (GB) | /proc/meminfo
Disk space (total, used, free) | df command output
Filesystem types | Mount point details
LVM volumes | lvs (if available)

Network Interfaces

Stored in the ServerNetworkAdapter sub-collection:

Data Point | Description
Interface name | eth0, ens192, bond0, etc.
MAC address | Hardware address
IP addresses | IPv4 and IPv6 with CIDR notation
Interface status | Up or down

Installed Packages

Stored in the ServerAppsInstalled sub-collection:

Data Point | Source
Package name | dpkg (Debian/Ubuntu), rpm (RHEL/CentOS), lslpp (AIX)
Version | Package version string

Running Processes

Data Point | Description
Process ID | OS process ID
Process name | Executable name
Full command | Complete command line
User | Process owner
Executable path | Full path to binary (via /proc/PID/exe)

Network Connections

Stored in the ServerNetworkConnection sub-collection:

Data Point | Source
Remote IP, remote port | netstat or ss output
Local port | Listening and established connections
Protocol | TCP/UDP
State | Connection state
Associated process | lsof output with PID and executable

System Services (Linux)

Data Point | Description
Service name | Systemd unit name
Status | Active, inactive, failed
Enabled | Starts at boot

AIX-Specific Discovery

For IBM AIX systems, the SSH scanner collects additional data:

Data Point | Source Command
LPAR information | lparstat — Logical Partition details
Device attributes | lsattr — Hardware device configuration
System configuration | lsconf, prtconf
Installed filesets | lslpp — AIX package manager

What Gets Created in Tripl-i

Configuration Items

CI Type | Created When | Key Fields
Server | Server OS detected (Windows Server, Linux server) | hostname, IP, OS, manufacturer, model, serial, CPU, memory
Workstation | Desktop OS detected (Windows 10/11, macOS) | Same as Server
Software Instance | For each installed application | name, vendor, version, linked to server
Monitor | External display detected (workstations) | manufacturer, model, serial
Peripheral | USB device detected (workstations) | type, manufacturer, model
DatabaseInstance | SQL Server detected on Windows | instance name, version, edition, port

Sub-Collections

Collection | Description | Linked Via
ServerDisk | Logical disk volumes | ci_id
ServerPhysicalDisk | Physical disk drives | ci_id
ServerNetworkAdapter | Network interfaces | ci_id
ServerNetworkConnection | Active network connections | ci_id
ServerAppsInstalled | Installed software | ci_id
ServerHotfix | Windows KB hotfixes | ci_id
ServerUserAccount | Local/domain user accounts | ci_id
ServerMonitor | Connected monitors | ci_id
ServerPeripheral | Connected USB devices | ci_id

Relationships Created

Relationship | Source | Target | Description
Connected To | Server | Server | Network connections between systems
Installed On | Software Instance | Server/Workstation | Software installation
Instance Of | Software Instance | Software Product | Software normalization
Member Of | Software Product | Software Family | Software classification
Hosts Database | Server | DatabaseInstance | SQL Server hosting
Uses | Workstation | Monitor/Peripheral | Hardware attachment

CI Matching and Deduplication

When a device is scanned multiple times (or discovered via multiple protocols), Tripl-i matches it to existing CIs using this priority:

  1. Serial Number — Exact match on hardware serial
  2. MAC Address — Primary network adapter MAC
  3. Hostname + Tenant — Case-insensitive name match within the same tenant
  4. IP Address — Fallback matching by IP

If a match is found, the existing CI is updated with the latest scan data. No duplicate CIs are created.

Cross-Protocol Enrichment

A device can be discovered via multiple methods over time:

  • First discovered via vCenter as a VM (gets basic VM metadata)
  • Later scanned via WMI (enriches with OS details, software, network connections)
  • Database discovery adds SQL Server instance data
  • AI analysis adds relationship classifications and business impact scores

Each scan enriches the same CI without overwriting previously collected data.
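The matching priority and the enrichment behaviour of the two sections above can be exercised together. The block below is an added example, not Tripl-i's backend code; the record layout (flat dicts with a customFields sub-dict), the MAC normalisation (WMI reports dash-separated upper-case MACs, Linux colon-separated lower-case), the tenant scoping of the hostname and IP fallbacks, and the merge rule are assumptions. The merge rule reconciles "updated with the latest scan data" with "without overwriting previously collected data" as: a non-empty value from the newest scan wins, and any field the newest scan does not carry is kept from earlier scans.

```python
from typing import Any, Dict, List, Optional, Tuple

CI = Dict[str, Any]


def _norm_mac(mac: Optional[str]) -> Optional[str]:
    """Compare MACs case- and separator-insensitively."""
    return mac.lower().replace("-", ":") if mac else None


def _present(value: Any) -> bool:
    return value not in (None, "")


def find_matching_ci(existing: List[CI], scan: CI) -> Tuple[Optional[CI], Optional[str]]:
    """Return (ci, matched_on) using the priority list above, or (None, None)."""
    serial = scan.get("serialNumber")
    if _present(serial):                                   # 1. serial number
        for ci in existing:
            if ci.get("serialNumber") == serial:
                return ci, "serial"
    mac = _norm_mac(scan.get("mac"))
    if mac:                                                # 2. primary adapter MAC
        for ci in existing:
            if _norm_mac(ci.get("mac")) == mac:
                return ci, "mac"
    name = (scan.get("name") or "").lower()
    if name:                                               # 3. hostname within tenant
        for ci in existing:
            if ci.get("tenant") == scan.get("tenant") and (ci.get("name") or "").lower() == name:
                return ci, "hostname"
    ip = scan.get("ip")
    if _present(ip):                                       # 4. IP fallback (assumed tenant-scoped)
        for ci in existing:
            if ci.get("tenant") == scan.get("tenant") and ci.get("ip") == ip:
                return ci, "ip"
    return None, None


def enrich(ci: CI, scan: CI) -> CI:
    """Merge scan into ci: non-empty scan values win, fields the scan lacks are preserved."""
    for key, value in scan.items():
        if key == "customFields":
            target = ci.setdefault("customFields", {})
            target.update({k: v for k, v in value.items() if _present(v)})
        elif _present(value):
            ci[key] = value
    return ci


def upsert(existing: List[CI], scan: CI) -> Tuple[CI, str]:
    """Update the matching CI or create one; never produces a duplicate."""
    ci, matched_on = find_matching_ci(existing, scan)
    if ci is None:
        ci = {"tenant": scan.get("tenant")}
        existing.append(ci)
        matched_on = "created"
    enrich(ci, scan)
    return ci, matched_on


def demo() -> Tuple[List[CI], List[str]]:
    """Constructed walk-through of the vCenter -> WMI -> re-scan enrichment sequence."""
    existing: List[CI] = []
    history: List[str] = []
    scans = [
        # 1. vCenter discovery: VM metadata only, no serial known yet
        {"name": "SQL01", "tenant": "acme", "mac": "00-50-56-AA-BB-CC", "ip": "10.0.0.5",
         "customFields": {"vcenter_vm_id": "vm-123"}},
        # 2. WMI scan: OS details arrive, serial learned; must match on MAC
        {"name": "sql01", "tenant": "acme", "mac": "00:50:56:aa:bb:cc", "ip": "10.0.0.5",
         "serialNumber": "VMware-42 1a 2b 3c",
         "operatingSystem": "Microsoft Windows Server 2022 Standard",
         "customFields": {"os_build": "20348", "domain": "corp.example"}},
        # 3. Re-scan after a NIC swap: MAC and IP changed, so only the serial matches
        {"name": "sql01", "tenant": "acme", "mac": "00:50:56:dd:ee:ff", "ip": "10.0.0.6",
         "serialNumber": "VMware-42 1a 2b 3c",
         "customFields": {"os_build": "20348", "last_boot_time": "2024-05-01T06:10:00Z"}},
    ]
    for scan in scans:
        _, how = upsert(existing, scan)
        history.append(how)
    return existing, history


if __name__ == "__main__":
    print(demo())
```

After the three constructed scans there is still exactly one CI: the vCenter VM id from the first pass survives the later WMI scans, and the third scan is matched by serial even though both the MAC and the IP it reports are new.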


Stale Connection Detection

Network connections include stale detection: if a previously seen connection no longer appears in the latest scan, it is marked as stale rather than deleted. This prevents data loss from temporary network interruptions and provides historical connection visibility.
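The reconciliation step described above, as an added example rather than the product's own code: the record layout, the timestamps, and the choice of connection identity are assumptions. One practical point the example encodes is that the ephemeral local port changes on every reconnect, so it is kept as a field but excluded from the key; keying on it would make each reconnect look like a brand-new connection and mark the previous one stale. Listening sockets, which have no remote endpoint, would need a separate key and are left out here.

```python
from typing import Any, Dict, Iterable, List, Tuple

Conn = Dict[str, Any]
ConnKey = Tuple[str, str, int, str]   # (protocol, remote_ip, remote_port, process_name)


def _key(conn: Conn) -> ConnKey:
    # Identity of an established connection for stale detection. The local (ephemeral)
    # port, state and PID change legitimately between scans, so they are updated, not keyed.
    return (conn["protocol"], conn["remote_ip"], conn["remote_port"], conn["process_name"])


def reconcile_connections(previous: Dict[ConnKey, Conn], observed: Iterable[Conn],
                          scan_time: str) -> Dict[ConnKey, Conn]:
    """Merge the latest scan into stored records: refresh seen ones, flag missing ones stale."""
    result: Dict[ConnKey, Conn] = {}
    for conn in observed:
        k = _key(conn)
        record = dict(previous.get(k, {"first_seen": scan_time}))
        record.update(conn)
        record["last_seen"] = scan_time
        record["stale"] = False            # seen again, even if flagged stale last time
        result[k] = record
    for k, record in previous.items():
        if k not in result:
            stale = dict(record)
            stale["stale"] = True          # retained for history; last_seen is left untouched
            result[k] = stale
    return result


def stale_connections(stored: Dict[ConnKey, Conn]) -> List[ConnKey]:
    return [k for k, r in stored.items() if r["stale"]]


def demo() -> Dict[ConnKey, Conn]:
    """Constructed three-scan sequence: one dependency drops out of a scan, then comes back."""
    to_sql = {"protocol": "TCP", "local_port": 51234, "remote_ip": "10.0.0.5", "remote_port": 1433,
              "state": "ESTABLISHED", "process_name": "w3wp.exe", "pid": 4120}
    to_api = {"protocol": "TCP", "local_port": 51240, "remote_ip": "10.0.0.9", "remote_port": 443,
              "state": "ESTABLISHED", "process_name": "w3wp.exe", "pid": 4120}
    to_api_again = dict(to_api, local_port=51301)   # same dependency, new ephemeral port
    stored: Dict[ConnKey, Conn] = {}
    stored = reconcile_connections(stored, [to_sql, to_api], "2024-05-01T10:00:00Z")
    stored = reconcile_connections(stored, [to_sql], "2024-05-01T11:00:00Z")      # api link absent
    stored = reconcile_connections(stored, [to_sql, to_api_again], "2024-05-01T12:00:00Z")
    return stored


if __name__ == "__main__":
    for key, rec in demo().items():
        print(key, rec["first_seen"], rec["last_seen"], "stale" if rec["stale"] else "active")
```

In the constructed sequence the connection to 10.0.0.9:443 is flagged stale after the second scan and becomes active again after the third, with its original first_seen preserved; nothing is deleted at any point, which is what gives the historical view.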


Performance Considerations

Factor | Typical Value
WMI scan duration per host | 30-90 seconds
SSH scan duration per host | 15-45 seconds
Software inventory (large servers) | May add 15-30 seconds
Network connections collection | 5-15 seconds

Scan duration depends on the number of installed applications, active network connections, and network latency to the target.

Security Considerations

  • Credentials encrypted at rest in the scanner agent's credential store
  • WMI uses Kerberos or NTLM authentication (domain credentials preferred)
  • SSH supports key-based auth — no password stored when using keys
  • All data transmitted over encrypted channels (HTTPS to backend)
  • Read-only operations — scanning never modifies target systems
  • Credential rotation — supports credential management integration (CyberArk, Delinea, BeyondTrust)

Next Steps