Commands executed by Assets Discovery
Discovery uses the following commands to collect data. More about command types and patterns
Windows
| Command | Type | Pattern |
|---|---|---|
SELECT * FROM Win32_Product | WMIQuery | Windows_Application_Product.pat |
| Get-WmiObject Win32_Product | PowerShellExecute | Windows_Application_Product_PS.pat |
| SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ | WMIRegValueList | Windows_Application_Reg32.pat |
Get-ChildItem -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\' | Select-Object PSChildName for each software key: Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{software}' | PowerShellExecute | Windows_Application_Reg32_PS.pat |
| SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ | WMIRegValueList | Windows_Application_Reg64.pat |
Get-ChildItem -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\' | Select-Object PSChildName for each software key: Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{software}' | PowerShellExecute | Windows_Application_Reg64_PS.pat |
SELECT * FROM Win32_SoftwareFeature | WMIQuery | Windows_Application_SoftwareFeature.pat |
| Get-WmiObject Win32_SoftwareFeature | PowerShellExecute | Windows_Application_SoftwareFeature_PS.pat |
| SELECT * FROM Win32_Service | WMIQuery | Windows_ApplicationServices.pat |
| Get-WmiObject Win32_Service | PowerShellExecute | Windows_ApplicationServices_PS.pat |
| SELECT * FROM Win32_Processor | WMIQuery | Windows_CPUs.pat |
| Get-WmiObject Win32_Processor | PowerShellExecute | Windows_CPUs_PS.pat |
docker ps -a --format "{{.ID}}" for each container: docker inspect -f ""Name:{{println .Name}}" + docker stats --no-stream --format ""{{.MemUsage}}"" + $containerId | WMIQuery | Windows_Docker_Container.pat |
docker ps -a --format "{{.ID}}" for each container: docker inspect -f ""Name:{{println .Name}}" + docker stats --no-stream --format ""{{.MemUsage}}"" + $containerId | PowerShellExecute | Windows_Docker_Container_PS.pat |
SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3 or DriveType = 4 SELECT * FROM Win32_LogicalDiskToPartition SELECT * FROM Win32_DiskDriveToDiskPartition for all FileSystems: SELECT * FROM Win32_DiskDrive WHERE DeviceID LIKE "%{deviceId}" | WMIQuery | Windows_FileSystem.pat |
Get-WmiObject Win32_LogicalDisk | Where-Object {$_.DriveType -eq '3' -or $_.DriveType -eq '4'} Get-WmiObject Win32_LogicalDiskToPartition Get-WmiObject Win32_DiskDriveToDiskPartition for all FileSystems: Get-WmiObject Win32_DiskDrive | Where-Object {$_.DeviceID -match '{deviceId}'} | PowerShellExecute | Windows_FileSystem_PS.pat |
| SELECT * FROM Win32_ComputerSystem | WMIQuery | Windows_Hostinfo_Hostname_Model.pat |
| Get-WmiObject Win32_ComputerSystem | PowerShellExecute | Windows_Hostinfo_Hostname_Model_PS.pat |
| SELECT * FROM Win32_PhysicalMemory | WMIQuery | Windows_Hostinfo_RAM.pat |
| Get-WmiObject Win32_PhysicalMemory | PowerShellExecute | Windows_Hostinfo_RAM_PS.pat |
| SELECT StandardName FROM Win32_TimeZone | WMIQuery | Windows_Hostinfo_Timezone.pat |
| Get-WmiObject Win32_TimeZone | SELECT StandardName | Format-List | PowerShellExecute | Windows_Hostinfo_Timezone_PS.pat |
| netstat -n | WMIExecute | Windows_Hostinfo_ReferencedHosts.pat Windows_Hostinfo_ReferencedHosts_PS.pat |
| SELECT * FROM Win32_BIOS | WMIQuery | Windows_Hostinfo_SerialNr.pat |
| Get-WmiObject Win32_BIOS | PowerShellExecute | Windows_Hostinfo_SerialNr_PS.pat |
| SELECT * FROM Win32_ComputerSystemProduct | WMIQuery | Windows_Hostinfo_Vendor_UUID.pat |
| Get-WmiObject Win32_ComputerSystemProduct | PowerShellExecute | Windows_Hostinfo_Vendor_UUID_PS.pat |
SELECT * FROM Msvm_ComputerSystem SELECT * FROM Msvm_SummaryInformation WHERE Name = '{0}' | WMIQuery | Windows_HyperV_VMs.pat |
Get-WmiObject -Namespace root\virtualization\v2 Msvm_ComputerSystem Get-WmiObject -Namespace root\virtualization\v2 Msvm_SummaryInformation | Where-Object {$_.Name -eq 'vmID'} | PowerShellExecute | Windows_HyperV_VMs_PS.pat |
SELECT * FROM Win32_NetworkAdapterConfiguration Where IPEnabled=true | WMIQuery | Windows_NetworkInterfaces.pat |
| Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object {$_.IPEnabled -eq 'true'} | PowerShellExecute | Windows_NetworkInterfaces_PS.pat |
SELECT * FROM Win32_OperatingSystem | WMIQuery | Windows_OS.pat Windows_Hostinfo_SystemUpTime.pat |
| Get-WmiObject Win32_OperatingSystem | PowerShellExecute | Windows_OS_PS.pat Windows_Hostinfo_SystemUpTime_PS.pat |
SELECT * FROM Win32_QuickFixEngineering | WMIQuery | Windows_Patches.pat |
| Get-WmiObject Win32_QuickFixEngineering | PowerShellExecute | Windows_Patches_PS.pat |
SELECT * FROM Win32_DesktopMonitor | WMIQuery | Windows_Peripherie_Monitor.pat |
| Get-WmiObject Win32_DesktopMonitor | PowerShellExecute | Windows_Peripherie_Monitor_PS.pat |
SELECT * FROM Win32_Printer | WMIQuery | Windows_Peripherie_Printer.pat |
| Get-WmiObject Win32_Printer | PowerShellExecute | Windows_Peripherie_Printer_PS.pat |
SELECT * FROM Win32_DiskDrive Where InterfaceType = "USB" | WMIQuery | Windows_Peripherie_USB_Storage.pat |
| Get-WmiObject Win32_DiskDrive | Where-Object {$_.InterfaceType -eq 'USB'} | PowerShellExecute | Windows_Peripherie_USB_Storage_PS.pat |
| SELECT * FROM Win32_VideoController | WMIQuery | Windows_Peripherie_VideoController.pat |
| Get-WmiObject Win32_VideoController | PowerShellExecute | Windows_Peripherie_VideoController_PS.pat |
| SOFTWARE\Microsoft\Windows NT\CurrentVersion | WMIRegValue | Windows_ProductKey.pat |
| Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion' | Select-Object DigitalProductId | PowerShellExecute | Windows_ProductKey_PS.pat |
| SELECT * FROM Win32_DiskDrive | WMIQuery | Windows_StorageDevice.pat |
| Get-WmiObject Win32_DiskDrive | PowerShellExecute | Windows_StorageDevice_PS.pat |
SELECT * FROM Win32_ComputerSystem fallback command: SELECT * from Win32_NetworkLoginProfile WHERE LastLogOn IS NOT NULL | WMIQuery | Windows_Hostinfo_Username.pat |
Get-WmiObject Win32_ComputerSystem fallback command: Get-WmiObject Win32_NetworkLoginProfile | Where-Object {$_.LastLogon -ne $null} | PowerShellExecute | Windows_Hostinfo_Username_PS.pat |
wmic logicaldisk where drivetype=3 get caption | findstr ":" for all drives: dir {drive}\tomcat*.exe /s/b for all found tomcat.exe files: {tomcat.exe}version.bat | findstr "server number" fallback command: type {tomcat-path}RELEASE-NOTES | findstr /i /c:"tomcat version" | WMIExecute | Windows_Application_Tomcat.pat |
wmic logicaldisk where drivetype=3 get caption | findstr ":" for all drives: dir -path {drive}\ -r -filter tomcat*.exe -ErrorAction SilentlyContinue | % fullname for all found tomcat.exe files: & '{tomcat.exe}version.bat' | findstr "server number" fallback command: type {tomcat-path}RELEASE-NOTES | findstr /i /c:"tomcat version" | PowerShellExecute | Windows_Application_Tomcat_PS.pat |
SOFTWARE\Microsoft\Office SOFTWARE\Wow6432Node\Microsoft\Office for each key → sub value: \Registration\DigitalProductID | WMIRegValueList | Windows_Application_Office_ProductKey.pat |
Get-ChildItem -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\' | Select-Object PSChildName Get-ChildItem -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\' | Select-Object PSChildName for each key → sub value: \Registration\DigitalProductID | PowerShellExecute | Windows_Application_Office_ProductKey_PS.pat |
wmic logicaldisk where drivetype=3 get caption | findstr ":" for all drives: dir {drive}\mysql.exe /s/b for all found mysql.exe files: {mysql.exe} -u $$login$$ -p$$password$$ -e"SELECT table_schema AS "Database name", Round(Sum(data_length + index_length) / 1024 / 1024, 0) AS "Size (MB)" FROM information_schema.TABLES GROUP BY table_schema;" | WMIExecute | Windows_Application_mySQL-DBs.pat |
wmic logicaldisk where drivetype=3 get caption | findstr ":" for all drives: dir -path {drive}\ -r -filter mysql.exe -ErrorAction SilentlyContinue | % fullname for all found mysql.exe files: & '{mysql.exe}' -u $$login$$ -p$$password$$ -e'SELECT table_schema AS \""Database name\"", Round(Sum(data_length + index_length) / 1024 / 1024, 0) AS \""Size (MB)\"" FROM information_schema.TABLES GROUP BY table_schema;' | PowerShellExecute | Windows_Application_mySQL-DBs_PS.pat |
| sqlcmd -Q "SELECT DB.name, SUM(CASE WHEN type = 0 THEN MF.size * 8 / 1024 ELSE 0 END) AS DataFileSizeMB, SUM(CASE WHEN type = 1 THEN MF.size * 8 / 1024 ELSE 0 END) AS LogFileSizeMB FROM sys.master_files MF JOIN sys.databases DB ON DB.database_id = MF.database_id GROUP BY DB.name" | WMIExecute PowerShellExecute | Windows_Application_MSSQL-DBs.pat Windows_Application_MSSQL-DBs_PS.pat |
wmic logicaldisk where drivetype=3 get caption | findstr ":" for all drives: dir {drive}\psql.exe /s/b for all found psql.exe files: [set "PGPASSWORD=$$password$$"]"{psql.exe}" -h localhost --username=$$login$$ -c "\l+" | WMIExecute | Windows_Application_PostgrSQL-DBs.pat |
wmic logicaldisk where drivetype=3 get caption | findstr ":" for all drives: dir -path {drive}\ -r -filter psql.exe -ErrorAction SilentlyContinue | % fullname for all found psql.exe files: $env:PGPASSWORD='$$password$$'; &'{psql.exe}' -h localhost --username=postgres -c "\l+";$env:PGPASSWORD='' | PowerShellExecute | Windows_Application_PostgrSQL-DBs_PS.pat |
wmic logicaldisk where drivetype=3 get caption | findstr ":" for all drives: dir {drive}\pom.xml /s /b | findstr "atlassian.*-web" for all found pom.xml files: type "{pom.xml}" | findstr "parent version" | WMIExecute | Windows_Application_Atlassian-JIRA.pat Windows_Application_Atlassian-Confluence.pat Windows_Application_Atlassian-Bamboo.pat |
wmic logicaldisk where drivetype=3 get caption | findstr ":" for all drives: dir -path {drive}\ -r -filter pom.xml -ErrorAction SilentlyContinue | % fullname for all found pom.xml files: type '{pom.xml}' | findstr "parent version" | PowerShellExecute | Windows_Application_Atlassian-JIRA_PS.pat Windows_Application_Atlassian-Confluence_PS.pat Windows_Application_Atlassian-Bamboo_PS.pat |
wmic logicaldisk where drivetype=3 get caption | findstr ":" for all drives: dir {drive}\MANIFEST.MF /i | findstr "bitbucket" for all found MANIFEST.MF files: type "{MANIFEST.MF}" | findstr /I "implementation-version" | WMIExecute | Windows_Application_Atlassian-BitBucket.pat |
wmic logicaldisk where drivetype=3 get caption | findstr ":" for all drives: dir -path {drive}\ -r -filter MANIFEST.MF -ErrorAction SilentlyContinue | % fullname | findstr /i ""bitbucket" for all found MANIFEST.MF files: type '{MANIFEST.MF}' | findstr "implementation-version" | PowerShellExecute | Windows_Application_Atlassian-BitBucket_PS.pat |
For the Atlassian Products reading the used database configuration: dir {drive}\dbconfig.xml /s /b | findstr /i "<productName>" for all found dbconfig.xml files: type "{dbconfig}" | findstr "jdbc:" | WMIExecute | Windows_Application_Atlassian-JIRA.pat Windows_Application_Atlassian-Confluence.pat Windows_Application_Atlassian-Bamboo.pat Windows_Application_Atlassian-BitBucket.pat |
For the Atlassian Products reading the used database configuration: dir -path {drive}\ -r -filter dbconfig.xml -ErrorAction SilentlyContinue | % fullname | findstr /i "<productName>" for all found dbconfig.xml files: type "{dbconfig}" | findstr "jdbc:" | PowerShellExecute | Windows_Application_Atlassian-JIRA_PS.pat Windows_Application_Atlassian-Confluence_PS.pat Windows_Application_Atlassian-Bamboo_PS.pat Windows_Application_Atlassian-BitBucket_PS.pat |
Linux
Discovery automatically adds | col -b to all executed commands to disable colored outputs.
| Command | Type | Pattern |
|---|---|---|
last | egrep 'tty|pts' | SSHExecute | Linux_Hostinfo_Username.pat |
| COLUMNS=256 dpkg -l | SSHExecute | Linux_Application_DPK.pat |
| rpm -qa --queryformat 'begin\nname:%{NAME}\nversion:%{VERSION}\nrelease:%{RELEASE}\nvendor:%{VENDOR}\ndescription:%{SUMMARY}\n' | SSHExecute | Linux_Application_RPM.pat |
| sudo qlist -IUCv | SSHExecute | Linux_Application_QLIST.pat |
| egrep '^(model name|cpu MHz|[pP]rocessor|physical id|cpu cores)' /proc/cpuinfo | SSHExecute | Linux_CPUs.pat |
docker ps -a --no-trunc --format "{{.ID}} {{.Status}}" for each container: docker inspect -f ""Name:{{println .Name}}" + docker stats --no-stream --format ""{{.MemUsage}}"" + $containerId | SSHExecute | Linux_Docker_Container.pat |
| df -BMB | grep "^/dev" | SSHExecute | Linux_FileSystem.pat |
| rm ~/.bash_history -f && history -c | SSHExecute | Linux_Host_Clear_Command_History.pat |
hostname OS check command: uname -o -r -i -m && cat /etc/*release && lsb_release -a For Solaris-Systems: check-hostname | awk '{ print $NF }' all other Linux-Systems: hostname --fqdn | SSHExecute | Linux_Hostinfo_Hostname.pat |
dmesg | grep -i 'hypervisor detected' fallback command(s): systemd-detect-virt hostnamectl | grep -i 'virtualization' sudo virt-what | SSHExecute | Linux_Hostinfo_Hypervisor.pat |
| sudo dmidecode -t system | grep 'Product' | SSHExecute | Linux_Hostinfo_Model.pat |
| egrep '^MemTotal' /proc/meminfo | SSHExecute | Linux_Hostinfo_RAM.pat |
netstat -tun fallback command: netstat -an | SSHExecute | Linux_Hostinfo_ReferencedHosts.pat |
sudo dmidecode -t system | grep 'Serial Number' | SSHExecute | Linux_Hostinfo_SerialNr.pat |
uptime | sed -E 's/^[^,]*up *//; s/, *[[:digit:]]* users.*//; s/min/minutes/; s/([[:digit:]]+):0?([[:digit:]]+)/\1 hours, \2 minutes/' fallback command: cat /proc/uptime | SSHExecute | Linux_Hostinfo_SystemUpTime.pat |
| sudo dmidecode -t system | grep 'UUID' | SSHExecute | Linux_Hostinfo_UUID.pat |
sudo dmidecode -t system | grep 'Manufacturer' fallback command: cat /sys/class/dmi/id/sys_vendor | SSHExecute | Linux_Hostinfo_Vendor.pat |
timedatectl | grep 'Time zone' fallback command: date '+%Z %z' | SSHExecute | Linux_Hostinfo_Timezone.pat |
ifconfig -a fallback command: sudo ip addr show | SSHExecute | Linux_NetworkInterfaces.pat |
| sudo ip route show | grep 'default' | SSHExecute | Linux_NetworkInterfaces.pat Linux_NetworkInterfaces_IA.pat |
| ip addr | SSHExecute | Linux_NetworkInterfaces_IA.pat |
| uname -o -r -i -m && cat /etc/*release && lsb_release -a | SSHExecute | Linux_OS.pat |
| lpstat -t | SSHExecute | Linux_Peripherie_Printer.pat |
| lsusb | SSHExecute | Linux_Peripherie_USB_Storage.pat |
| lsusb -D /dev/bus/usb/{0}/{1} | grep -E 'evice:|id|Class' | SSHExecute | Linux_Peripherie_USB_Storage.pat |
| lsblk -e 11,1 -dbP --output NAME,MAJ:MIN,VENDOR,MODEL,SERIAL,LABEL,UUID,SIZE,REV,TYPE,STATE | SSHExecute | Linux_StorageDevice.pat |
VBoxManage list vms for each vm: VBoxManage showvminfo {0} --machinereadable | SSHExecute | Linux_VBox_VMs.pat |
xe vm-list params=uuid is-control-domain=false is-a-snapshot=false --minimal for each vm: xe vm-list params=name-label uuid={1} --minimal xe vm-list params=name-description uuid={1} --minimal xe vm-list params=power-state uuid={1} --minimal xe vm-list params=memory-static-maxe uuid={1} --minimal xe vm-list params=networks uuid={1} --minimal xe vm-list params=VCPUs-number uuid={1} --minimal | SSHExecute | Linux_Xen_VMs.pat |
sudo service --status-all sudo rc-status --all | grep -F '['' sudo systemctl list-unit-files --type=service | egrep 'enabled|disabled' | SSHExecute | Linux_ApplicationServices.pat |
| sudo mysql -u $$login$$ -p$$password$$ -e "SELECT table_schema AS \"Database name\", Round(Sum(data_length + index_length) / 1024 / 1024, 0) AS \"Size (MB)\" FROM information_schema.TABLES GROUP BY table_schema;" | SSHExecute | Linux_Application_mySQL-DBs.pat |
echo $$password$$ | sudo -S -u $$login$$ psql -c "\l+" fallback command: echo $$password$$ | sudo -S -u $$login$$ psql -h localhost -c "\l+" | SSHExecute | Linux_Application_PostgreSQL-DBs.pat |
sudo find / -iname "pom.xml" | grep 'atlassian.*-web' for all found pom.xml files: sed -n '/<parent>/,/<\/parent>/H; /<parent>/h; /\/parent/{x;s/<parent>\(.*[^\n]\)\n*<\/parent>/\1/p;}' {pom.xml} | SSHExecute | Linux_Application_Atlassian-JIRA.pat Linux_Application_Atlassian-Confluence.pat Linux_Application_Atlassian-Bamboo.pat |
sudo find / -iname "MANIFEST.MF" | grep 'bitbucket' for all found MANIFEST.MF files: cat {MANIFEST.MF} | grep -i "implementation-version" | SSHExecute | Linux_Application_Atlassian-BitBucket.pat |
For the Atlassian Products reading the used database configuration: sudo find / -iname ""dbconfig.xml"" | grep '<productName>' for all found dbconfig.xml files: cat {dbconfig} | grep '<url>jdbc:' | SSHExecute | Linux_Application_Atlassian-JIRA.pat Linux_Application_Atlassian-Confluence.pat Linux_Application_Atlassian-Bamboo.pat Linux_Application_Atlassian-BitBucket.pat |
MacOS
| Command | Type | Pattern |
|---|---|---|
| system_profiler SPApplicationsDataType | SSHExecute | MacOSX_Application_ApplicationsData.pat |
| system_profiler SPExtensionsDataType | SSHExecute | MacOSX_Application_ExtensionsData.pat |
| system_profiler SPFrameworksDataType | SSHExecute | MacOSX_Application_FrameworksData.pat |
| system_profiler SPPrefPaneDataType | SSHExecute | MacOSX_Application_PrefPaneData.pat |
| launchctl list | SSHExecute | MacOSX_ApplicationServices.pat |
| (sysctl -n machdep.cpu.brand_string) & (system_profiler | grep -e 'Processor ' -e Cores -e 'Number of Processors') | SSHExecute | MacOSX_CPUs.pat |
| df -lk | grep "^/dev" | SSHExecute | MacOSX_FileSystem.pat |
| host "$(hostname -s)" | SSHExecute | MacOSX_Hostinfo_FQDN.pat |
| sysctl hw.memsize | SSHExecute | MacOSX_Hostinfo_RAM.pat |
| system_profiler | grep -e 'Model Name: ' -e 'Model Identifier: ' -e 'Memory: ' -e 'Serial Number (system): ' -e 'Hardware UUID: ' | SSHExecute | MacOSX_Hostinfo.pat |
| sudo systemsetup -gettimezone | SSHExecute | MacOSX_Hostinfo_Timezone.pat |
| sw_vers | SSHExecute | MacOSX_OS.pat |
| system_profiler -xml SPUSBDataType | SSHExecute | MacOSX_Peripherie_USB_Storage.pat |
| uptime | SSHExecute | MacOSX_UpTime.pat |
SNMP
| Command | Type | Pattern |
|---|---|---|
| 1.3.6.1.2.1.1.3.0;1.3.6.1.2.1.1.4.0;1.3.6.1.2.1.1.5.0;1.3.6.1.2.1.1.6.0;1.3.6.1.4.1.2021.4.5.0 | SNMP_GET | SNMP_Deviceinfo_Default.pat |
| 1.3.6.1.4.1.2021.4.5.0;1.3.6.1.4.1.2021.4.6.0;1.3.6.1.4.1.2021.4.11.0 | SNMP_GET | SNMP_Deviceinfo_ExtExampleRAM.pat |
| 1.3.6.1.2.1.2.2.1.2;1.3.6.1.2.1.4.20.1.2 | SNMP_WALK | SNMP_Deviceinfo_Network.pat |
Other
| Command | Type | Pattern |
|---|---|---|
| HostSystem | SSHExecute | ESXi_HostSystem.pat |
| VirtualMachine | SSHExecute | ESXi_VirtualMachines.pat |
| show memory | SSHExecute | IBM_DataPower_Hostinfo_ShowMemory.pat |
| show version | SSHExecute | IBM_DataPower_Hostinfo_ShowNetwork-Interface.pat IBM_DataPower_Hostinfo_ShowVersion.pat |
| show system | SSHExecute | IBM_DataPower_Hostinfo_ShowSystem.pat |
| pkginfo -l | SSHExecute | Solaris_Application.pat |
| psrinfo -pv | SSHExecute | Solaris_CPUs.pat |
| prtconf | grep Memory | SSHExecute | Solaris_Hostinfo_RAM.pat |
| smbios -t SMB_TYPE_SYSTEM | SSHExecute | Solaris_Hostinfo_System.pat |
| kstat -p unix:0:system_misc:boot_time | nawk '{printf "%d\n", srand()-$2}' | SSHExecute | Solaris_Hostinfo_SystemUpTime.pat |
| nlsadm get-timezone | SSHExecute | Solaris_Hostinfo_Timezone.pat |