Creating a Discovery Source
Introduction
A discovery source is a named collective, ordered system that conducts discovery. There are five broad types:
-
Active Directory
-
Amazon Web Services
-
Entra ID
-
Unix
-
VMware ESX\ESXi
-
Google Cloud Platform
Configuring discovery is defining the parameters of the discovery source. Each discovery source is a configurable definition of how to scan for computer assets in a given environment. A subcomponent of a discovery source, called a scanner, details how to perform those scans.
Procedure
-
Click the Administration button on the main menu. The All Settings page appears.
-
Click the Discovery link in the Core Actions section. The Discovery page appears on the Discovery Sources tab:
-
Click the Create dropdown list button and select the type of source you desire.
For all sources except for Active Directory you are prompted for a name, site, type, and secret. Active directory has a specific dialog which allows for some advanced validation and customization. -
For Active Directory:
Active Directory discovery scans Active Directory (AD) machines, Active Directory user accounts, local Windows accounts, and their dependencies within an AD domain. The discovery process begins by identifying machines within your domain, followed by scanning each machine for local Windows accounts and associated dependencies. By default, the scan includes local accounts, domain accounts, scheduled tasks, Windows services, and IIS application pools. To further enhance the discovery process, you have the option to create PowerShell scanners, which allow for the identification of additional accounts and dependencies. PowerShell scanners are an advanced topic covered in detail within the Extensible Discovery section.-
A Discovery Source popup appears:
If you upgraded from an earlier Verify Privilege Vault version and have created an AD domain within Verify Privilege Vault, a corresponding discovery source is displayed on this page. If discovery was not enabled on that domain, the discovery source Active column is not checked for that discovery source. -
Type the parameters for the discovery source name, FQDN, and friendly name. The parameters with asterisks are required.
-
Ensure the Active check box is selected. This activates this discovery Source for scanning. Active discovery sources are scanned at the defined discovery interval defined. If you have multiple discovery sources, the discovery source with the most un-scanned computers is scanned first.
-
Next, you select a secret that is used as the credentials for discovery scanning and AD synchronization. These credentials must have the proper rights to scan the remote machines. Click the No Secret Selected link. The Select Secret popup page appears.
-
Either search for and click the secret you want to use for the account credentials during the scan. The popup page closes. The name of the secret you chose replaces the No Secret Selected link.
Or create a new secret for the credentials:
-
Click the Create NewSecret link. The Create New Secret page appears.
-
Click the Generic Discovery Credentials secret template. Another Create New Secret page appears:
-
Type or select the parameters needed for the discovery operation. Parameters with asterisks are required.
-
Click the Create Secret button.
-
-
Click the Discovery Site dropdown list to select the desired site for the discovery source. If distributed engines are setup, the list shows all active sites. If no distributed engines are setup, the list defaults to local, and you cannot change it.
-
Click the Discover Specific OU check box to limit your discovery to an OU. See Enabling Specific OU Domain Discovery to define the scanned OU. When you select this option, a Domain Scope tab appears on the Discovery Source page for the created AD discovery source.
-
Leave the Machine Resolution Type dropdown list set to Use Machine and Fully Qualified Name unless you have a specific reason to change it.
-
Click the Create button. Verify Privilege Vault attempts to access the domain with your specified credentials to ensure the configuration is correct. Thus, Verify Privilege Vault must have access to the domain provided, and the account credentials must work.
-
-
For Other Source Types:
For Unix, The default command sets efficiently discover machines and accounts in a wide range of Unix environments. By default, the "Find Non-Daemon Users (Basic Unix)" command set is used for discovery. However, if you wish to include the built-in account in the discovery process, you will need to update the discovery source to use the "Find All Users (Basic Unix)" command set. For further customization, you can create new command sets by accessing the "Configure Command Sets" option on the Discovery Sources list page. Additionally, you can modify the secrets employed during the discovery by accessing the scanner settings.-
A discovery source popup appears:
-
Type the name of the AWS discovery source in the Name text box.
-
Click the Site dropdown list to select the domain.
-
Click the Source Type. Your choices are:
-
AWS: Scan Amazon Web Services for keys, users, windows and non-windows machines. You will be prompted after saving to select which items.
-
Empty: An empty discovery source does not have any scanners in it and after it is created you will need to add scanners to it before it can be activated. Creating an empty source is for when you have specific scanners in mind or want to build it from scratch.
-
Entra ID: Scan an Entra ID tenant for Roles and Role Members.
-
GCP: Scan Google Cloud Platform for users, windows and non-windows machines. You will be prompted after saving to select which items.
-
Unix: Scan IP address ranges to find Unix machines and then discover local accounts on those machines.
-
VMware ESX/ESXi: Scan IP address ranges to find VMware ESX/ESXi hosts and discover local accounts.
-
-
Next, you select a secret that is used as the credentials for discovery scanning and AD synchronization. These credentials must have the proper rights to scan the remote machines. Click the No Secret Selected link. The Select Secret popup page appears.
-
Either search for and click the secret you want to use for the account credentials during the scan. The popup page closes. The name of the secret you chose replaces the No Secret Selected link.
Or create a new secret for the credentials:
-
Click the Create NewSecret link. The Create New Secret page appears.
-
Click the Generic Discovery Credentials secret template. Another Create New Secret page appears:
-
Type or select the parameters needed for the discovery operation. Parameters with asterisks are required.
-
Click the Create Secret button.
-
-
Click the Save button.
-
-
Click the new discovery source and then the Scanners tab to make any adjustments to the source scanner flow. Click a block to see its setting in a panel on the right. Click the Edit Scanner link to make any changes.