CMDB Reconciliation & Maintenance
- Updated on 24 Mar 2022
Watch the “CMDB Reconciliation & Maintenance” video, or read below.
Security Challenges and CMDBs
For many companies, Configuration Management Databases (CMDBs) are used as a single source of truth for tracking and managing IT assets. However, CMDBs rarely provide a complete picture of all assets at any given time - especially with the rise of virtual machines and cloud computing, where devices are created and deprecated in short time periods.
For IT and security professionals who need to know everything about an asset in order to secure it, CMDBs often lack the data needed to truly understand assets from a security perspective. CMDBs are also prone to conflicting data: inputs into CMDBs vary widely in naming conventions, and even fields like OS Type, OS Version, Full OS String, Host Name, and others frequently differ.
How Axonius Helps to Reconcile Asset Gaps and Maintain An Accurate CMDB
Axonius aggregates and deconflicts asset data to provide a singular, credible view into any asset. Customers use Axonius to generate a comprehensive asset inventory with all unique devices, users, and cloud instances. Getting a complete asset inventory is attainable in hours.
Once all assets are seen in Axonius, you can find gaps and discrepancies present in CMDB platforms.
Common questions customers answer with the Axonius platform are:
- How many assets are missing from the CMDB?
- Are there devices that have been marked missing or disposed in the CMDB, but that are still seen in Axonius?
- Do device details in my CMDB match the latest data seen in Axonius?
Recommended Data Sources
The more adapters you have connected in Axonius, the more data you’ll receive about each asset.
We recommend any of the following adapter types in order to add new devices to a CMDB, or enrich existing devices with additional data:
- CMDB Platforms: connect the CMDB your organization uses, such as ServiceNow, Cherwell, Lansweeper, or Jira Asset Platform.
- Identity Access Management: Services such as Microsoft Active Directory are typically used to organize devices and users in the enterprise
- MDM/EMM: Similar to the above, device management solutions like Absolute, Citrix XenMobile, and Jamf are used to manage an organization’s devices
- Configuration Patch Management: similarly, configuration and patch management agents like Microsoft SCCM and Tanium provide rich device information and attributes
- Endpoint Protection: endpoint agents can provide rich information on devices, including running software, OS type and version, external IP, network interfaces, and more
- Networking: identifying new devices in your organization is often easiest to do by looking at network connections
- Vulnerability Assessment Tools: understand if the device has known vulnerabilities that may have been exploited as part of the incident
- Cloud and Virtualization: if your company accounts for cloud and virtual assets in its CMDB, connecting cloud IaaS and virtualization adapters is required
Example Queries
The baseline to find anything not listed in your CMDB is to use the NOT flag in the, and select the CMDB platform adapter connected in Axonius.
Devices in the Last 30 Days Not Seen in the CMDB
A simple and useful way to reconcile differences between Axonius and CMDB platforms is to compare what has been seen in Axonius within a given timeframe, but never seen by a CMDB adapter source.
This query shows devices seen in Axonius in the last 30 days, but that do not exist in ServiceNow.
Find Traditional Devices Not Listed in the CMDB
To find devices missing from CMDBs, it is helpful to compare CMDB adapter sources with Device Management and Identity Access Management platforms, such as Microsoft Active Directory or Jamf Pro.
Since cloud environments are highly dynamic, many organizations choose not to account for cloud assets in CMDBs, and instead only account for traditional devices, such as desktops, laptops, or servers.
This query shows devices listed in Active Directory and Jamf (excluding cloud assets in AWS), but not seen in ServiceNow.
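The comparisons described in this section, as an added Python example that is not Axonius code or Axonius query syntax: it runs the three reconciliation checks (missing from the CMDB, marked disposed but still seen, mismatched details) over constructed records. All field names, source labels, hostnames and the fixed date are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data; field names and values are assumptions.
NOW = datetime(2022, 3, 24)
CMDB = [
    {"name": "WEB-01.corp.example.com", "status": "installed", "os": "Windows Server 2019"},
    {"name": "fs-02", "status": "installed", "os": "Windows Server 2016"},
    {"name": "lt-042", "status": "disposed", "os": "macOS 12.2"},
    {"name": "db-07", "status": "installed", "os": "Ubuntu 18.04"},
]
SEEN = [  # observations from non-CMDB sources (directory, MDM, cloud)
    {"name": "web-01", "source": "active_directory", "age_days": 2, "os": "Windows Server 2022"},
    {"name": "FS-02.corp.example.com", "source": "active_directory", "age_days": 3, "os": "windows server 2016"},
    {"name": "LT-042", "source": "jamf", "age_days": 1, "os": "macOS 12.3"},
    {"name": "db-07", "source": "active_directory", "age_days": 90, "os": "Ubuntu 20.04"},
    {"name": "hr-kiosk-3", "source": "active_directory", "age_days": 5, "os": "Windows 10"},
    {"name": "i-0abc", "source": "aws", "age_days": 1, "os": "Amazon Linux 2"},
]

def norm_host(name):
    """Lower-cased short hostname so FQDN and bare names compare equal.
    Caveat: hosts sharing a short name across domains would collide."""
    return name.strip().lower().split(".")[0]

def reconcile(cmdb, seen, now, days=30, exclude_sources=("aws",)):
    """Compare recent observations against CMDB records."""
    cutoff = now - timedelta(days=days)
    by_host = {norm_host(r["name"]): r for r in cmdb}
    missing, disposed_seen, mismatch = set(), set(), set()
    for obs in seen:
        last_seen = now - timedelta(days=obs["age_days"])
        if obs["source"] in exclude_sources or last_seen < cutoff:
            continue  # out of scope, or too stale to count as "seen"
        host = norm_host(obs["name"])
        rec = by_host.get(host)
        if rec is None:
            missing.add(host)
        elif rec["status"] in ("missing", "disposed"):
            disposed_seen.add(host)
        elif rec["os"].lower() != obs["os"].lower():
            mismatch.add(host)
    return {"missing_from_cmdb": sorted(missing),
            "disposed_but_seen": sorted(disposed_seen),
            "detail_mismatch": sorted(mismatch)}

if __name__ == "__main__":
    for check, hosts in reconcile(CMDB, SEEN, NOW).items():
        print(check, hosts)
```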
Updating CMDBs With Axonius Data
Add Newly Identified Devices to CMDBs
When devices that should be added to your CMDB are found in Axonius, you can automatically add them using the Create CMDB Computer action under the Manage CMDB Computer category in the Axonius Security Policy Enforcement Center.
Any time a saved query provides new results, they can automatically be added to the CMDB using this enforcement. When additions are made to the CMDB, you can specify the CI table where they will be added, and specify additional fields to be added in JSON format.
Update CMDB Computer
To enrich CMDB entries with Axonius data, you can use the Update CMDB action.
Customers can choose how often to refresh device details in their CMDB by configuring a schedule for enforcement sets.