sevco.io

Unified Asset Inventory

A conceptual overview of our Unified Asset Inventory

The Unified Inventory is a list of all identified devices from all configured sources as long as the device has been active in at least one source in the last 30 days.

This page describes the what and how; if you're interested in the why, refer to our introductory blog post on the Sevco website: Introducing Sevco Unified Inventory.

📘

Italicized terms are important definitions of key system concepts.

Inventory Processing

Inventory processing has four stages:

Stage 1. Source Configuration and Device Inventory Fetch

Sources are technology you own and use to manage your devices, like your endpoint agents or directory services. A configured Sevco Source communicates with your sources to fetch its currently known source devices and send them through the Sevco Inventory Processing Pipeline. In general, we fetch inventory from all sources every hour. See Manage Sevco Integrations for more information.

Stage 2. Source Device Preprocessing

Source devices require three pre-processing steps: normalization, identification, and stale filtering:

  • Normalization is the process of making attribute names consistent, so that (for example) attributes named ipaddr, ip_address, and ip can be referred to the same way.
  • Identification is an initial filter to ensure there is at least one identifiable attribute that can be used to correlate with other sources.
  • Stale Filtering removes any device whose last activity time is more than 30 days in the past.

Stage 3. Telemetry Generation

Every normalized, identified, and active source device is sent to the Asset Telemetry pipeline. See Asset Telemetry Overview for more information.

Stage 4. Correlation

In parallel, every normalized, identified, and active source device is sent to the Correlation Engine to be correlated to devices from other sources using the available identifiable attributes. Post-correlation, it becomes an aggregate device.

📘

Important Definitions

  • A source device is a device reported by a source.
  • An active, identified source device is a source device that has at least one identifiable attribute and has had activity within the last 30 days.
  • An aggregate device is the representation of one or more source devices with matching identifiable attributes.

Source Categories

Each source has particular nuances, not only in its configuration, but also in the data available. Per-source details are documented in Sevco Integrations.

There are two considerations that impact inventory processing and that apply to all sources: source category and last activity time.

Categories

There are two categories of sources:

  • Direct: These are imported from the actively managed sources in the IT Asset Lifecycle, such as Active Directory or an endpoint agent. These systems report the direct inventory of systems.
  • Inferred: These are systems that log device activity or device observations that imply the existence of a device but are an indirect measure. Examples include DHCP, ARP caches, or network scanners.

Activity Times

As described above, during source preprocessing, we remove stale devices from inventory sources. This ensures that the source totals, and thus the overall device totals, are an accurate representation of active devices in the enterprise.

The last activity time varies by source category. For direct sources, it is the time of last communication: these sources are client/server models where software on an endpoint "checks in" to a server. The "time of last checkin" is a commonly available device attribute. For inferred sources, it is the time of the most recent activity observation. For a network scanner, it is the time the scan was run. For an ARP cache, it's the time the entry was observed in the cache.

Unified Inventory

The Unified Inventory page is a list of all aggregate devices. For each aggregate device, it presents the sources in which the aggregate was observed and the last activity time per source. The aggregate's last activity is the most recent source activity time. The aggregate and all previously observed sources remain in the inventory as long as at least one source is active.
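
The following Python sketch is an added example, not Sevco's implementation: it runs the Stage 2 preprocessing steps and Stage 4 correlation over constructed records and derives each aggregate's last activity as described under Unified Inventory. The record field names (source, last_activity), the mac and hostname aliases, and the choice of identifiable attributes are assumptions; it is a single stateless pass, so it does not model keeping previously observed sources on an aggregate.

```python
from datetime import datetime, timedelta

# Assumptions, not from the page: the mac/hostname aliases and the choice of
# identifiable attributes. Only the ipaddr/ip_address/ip example is the page's.
ALIASES = {"ipaddr": "ip", "ip_address": "ip", "macaddr": "mac", "host": "hostname"}
IDENTIFIABLE = ("mac", "hostname")
MAX_AGE = timedelta(days=30)

def preprocess(records, now):
    """Stage 2: normalization, identification, stale filtering."""
    kept = []
    for rec in records:
        dev = {ALIASES.get(k.lower(), k.lower()): v for k, v in rec.items()}
        ids = {(k, str(dev[k]).strip().lower()) for k in IDENTIFIABLE if dev.get(k)}
        if ids and now - dev["last_activity"] <= MAX_AGE:  # identified and active
            kept.append({**dev, "ids": ids})
    return kept

def correlate(devices):
    """Stage 4: source devices sharing any identifiable value form one aggregate."""
    parent = list(range(len(devices)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i
    owner = {}
    for i, dev in enumerate(devices):
        for ident in dev["ids"]:
            parent[find(i)] = find(owner.setdefault(ident, i))
    groups = {}
    for i, dev in enumerate(devices):
        per_source = groups.setdefault(find(i), {})
        seen = per_source.get(dev["source"], dev["last_activity"])
        per_source[dev["source"]] = max(seen, dev["last_activity"])
    # The aggregate's last activity is its most recent source activity time.
    return [{"sources": s, "last_activity": max(s.values())} for s in groups.values()]

NOW = datetime(2024, 6, 30)  # constructed sample data below
SAMPLE = [
    {"source": "edr", "host": "WS-01", "macaddr": "AA:BB:CC:00:00:01", "last_activity": NOW - timedelta(hours=2)},
    {"source": "directory", "hostname": "ws-01", "last_activity": NOW - timedelta(days=3)},
    {"source": "dhcp", "mac": "aa:bb:cc:00:00:01", "ip_address": "10.0.0.5", "last_activity": NOW - timedelta(days=1)},
    {"source": "directory", "hostname": "old-srv", "last_activity": NOW - timedelta(days=45)},
    {"source": "scanner", "ipaddr": "10.0.0.9", "last_activity": NOW - timedelta(hours=1)},
]
INVENTORY = correlate(preprocess(SAMPLE, NOW))
```

In the sample, the 45-day-old directory record is dropped as stale and the scanner record is dropped as unidentified, because under the assumed attribute set an IP address alone is not identifiable.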