sevco.io

Sevco Data Model

Sevco Data Flow Diagram

Collection: Sevco data collection begins with Integration Sources. See Integrations for more detail. Inventory is collected from every configured source routinely - typically once per hour.

Aggregation: At each collection, every User or Device (hereafter an asset) reported by an inventory source is compared to all the other assets reported by all the other sources to build the Aggregated Inventory. While any single source (such as Office 365 or Sophos) has asset attributes unique to that source, there are also attributes in common to most/all sources. These become the aggregated attributes tracked as part of the Sevco Aggregated Inventory.

State Tracking: Assets and their attributes change over time. In addition to the simple aggregation, we also track the changes in aggregated attributes over time.

Aggregated Attributes

Aggregated devices currently have the following attributes:

  • Hostnames
  • Operating System
  • Operating System Version
  • IP Addresses
  • MAC Addresses
  • FQDN
  • Sources (Sevco Data Sources)

Some fields have multiple forms - e.g., hostnames are across three actual fields: hostname, fqdn and distinguished_name. Fields are multi-valued: if sources report multiple values, all are included. This is expected with some fields like MAC Address or IP addresses for devices with multiple NICs, less obvious but expected for fields like Operating System when sources may report different granularity (e.g., Windows vs. Windows 10.3.281).

Events

Events currently have five primary fields:

  • change time
  • change type
  • asset id
  • source & source id
  • attribute changed & the new value

There are currently two event types reported: create and update. The first time an asset is reported by a source it will generate a create event for that asset. Anytime an attribute is updated for that source, it will generate an update event for that attribute on that asset and include the new attribute's value.