Discovery: How to

Understanding the Asset Report

The Assets page (located under Consume Intelligence >>> Assets) of the platform is your working page for reviewing the discovery results and taking further action. It lists the devices discovered within the customer environment. Use it iteratively for scope setting and discovery of the customer's environment (i.e. as a working document across multiple scans, to troubleshoot and discover further areas of the customer's environment until the target scope is achieved).

Please review the "How We Collect" page to gain a more in-depth understanding of the discovery process and what the appliance is doing.

The Asset Report is generated after the RN150 has completed the inventory phase. The appliance/assessment always works in this manner:

The Asset Report lists all devices that responded to an ICMP ping. Additionally, if we were able to connect to them using the provided credentials and categorize them, they are further classified into device types (e.g. Windows Server, Windows Workstation, etc.). Each category in the Asset Report aligns to a specific credential input into the appliance (i.e. devices under the Windows Server link indicate we have WMI access to that box, the Linux/Unix link shows SNMP or SSH accessible devices, a device in the Virtual Machine link means we have vCenter access, etc.). Clicking each link will filter the table below to show just those devices.

Key Takeaways

  • The report is additive. With each successive rescan of the environment, the newly discovered data is added to that of the previous scan. Data is never removed, even if credentials or subnets are removed or deselected for scanning in the appliance.
  • There is often overlap between the links. Since each link corresponds to a credential, a Windows VM can be in both the Windows link and the VM link because it responded to both sets of credentials (Windows Admin and vCenter). Additionally, it can be in the inaccessible devices link if one credential worked but another did not (e.g. vCenter passed, but Windows failed). Please note that the RISC Networks platform will resolve the duplicate devices when doing subsequent reporting (you will only see one device for the VM and Windows Server), but the asset report is purposefully left as-is so that virtual teams and Windows teams can both confirm the expected asset list.

Troubleshooting

As you work with the customer on scope setting, you will undoubtedly spend time reviewing inaccessible devices. Devices end up in this category because at least one set of applicable credentials was attempted and was unable to gain access to the device(s). During the inventory phase we look to see what ports are open on a specific host. If we see ports for WMI or SNMP open, we will attempt to use the corresponding credential.

Generally, it is best to focus on those devices whose MAC manufacturer is a common server or VM manufacturer (VMware, HP, Dell, etc.). We will uncover any device in the environment that responds to ICMP ping, so there can be many devices in this tab that are not in scope or useful to your objective.
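
The overlap between links and the inaccessible-device triage described above can be worked through offline. The following is an added example, not part of the platform or its documentation; the row layout, link labels and sample devices are constructed assumptions, not the platform's export format.

```python
from collections import defaultdict

# Constructed sample rows: (ip, mac_manufacturer, report_link).
# Layout and link labels are assumptions for illustration only.
ROWS = [
    ("10.0.1.10", "VMware", "Virtual Machine"),
    ("10.0.1.10", "VMware", "Windows Server"),
    ("10.0.1.11", "VMware", "Virtual Machine"),
    ("10.0.1.11", "VMware", "Inaccessible"),
    ("10.0.2.20", "Dell", "Inaccessible"),
    ("10.0.2.21", "HP", "Linux/Unix"),
    ("10.0.3.30", "Brother", "Inaccessible"),
]

# Manufacturers the page names as common server or VM vendors.
PRIORITY_VENDORS = {"vmware", "hp", "dell"}
INACCESSIBLE = "Inaccessible"


def merge_by_device(rows):
    """Collapse per-link rows into one record per IP with its set of links."""
    devices = defaultdict(lambda: {"vendor": None, "links": set()})
    for ip, vendor, link in rows:
        devices[ip]["vendor"] = vendor
        devices[ip]["links"].add(link)
    return dict(devices)


def triage(rows):
    """Sort inaccessible devices into review buckets, most useful first."""
    buckets = {"partial_access": [], "priority": [], "low_priority": []}
    for ip, dev in sorted(merge_by_device(rows).items()):
        if INACCESSIBLE not in dev["links"]:
            continue  # every attempted credential worked
        if len(dev["links"]) > 1:
            # One credential worked and another failed (e.g. vCenter
            # passed, Windows failed): fix the failing credential.
            buckets["partial_access"].append(ip)
        elif dev["vendor"].lower() in PRIORITY_VENDORS:
            buckets["priority"].append(ip)
        else:
            # Answers ping, but the vendor suggests it may be out of scope.
            buckets["low_priority"].append(ip)
    return buckets


if __name__ == "__main__":
    for name, ips in triage(ROWS).items():
        print(f"{name}: {', '.join(ips) or '-'}")
```
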

Lastly, in many cases customers may not be sure the scope is correct. That's okay: this is an iterative process, designed so that we can always come back and rescan. Once you have collected performance data on the scope and started working on grouping applications, you may find traffic going to IPs that are out of scope. This is covered in our Application Grouping Workflow document, but know that discovery can be an iterative process. You will get further data to help you disposition the environment as you continue in the assessment process. Think of it as illuminating a dark room; it is not possible to fully light the room without understanding how big it is. Start with what you have so you can use it to illuminate other dark corners of a customer's environment.


For detailed troubleshooting instructions and error messages please refer to the Troubleshooting subsections of the following collection modules:

Windows Collection Module

SSH Collection Module