Creating Discovery Rules

Introduction

Verify Privilege Vault discovery rules play a pivotal role in automating the process of finding, importing, and managing passwords, API keys, and other credentials throughout an IT environment.

Discovery rules offer several advantages:

  • Automated Discovery: Discovery rules simplify identifying potential secrets across various platforms and environments, ensuring that no sensitive credentials remain unmanaged or unprotected.

  • Policy Enforcement and Risk Reduction: Discovery rules help enforce consistent security policies across an IT environment. This consistency is crucial for minimizing security breaches and ensuring compliance with regulatory standards.

  • Efficient Secret Management: Discovery rules reduce the administrative burden on IT teams by automating secret candidate discovery and importation.

  • Dynamic Adaptation: Discovery rules help to flexibly adapt to IT environments, which are constantly changing with the addition of devices and applications.

Verify Privilege Vault also lets you preview which accounts a rule would match before the rule creates anything. This is part of the discovery process, in which discovery rules automate the identification and management of credentials across platforms. Here's how it works:

  • Discovery Account Rules: These rules are search queries against the accounts found by discovery. When these rules are created and run, accounts that match the rules can be automatically imported as secrets. This means you can define criteria for accounts, and the system will identify which accounts match these criteria.

  • Viewing Discovery Results: After running a discovery scan, you can view the results in the Discovery Network View. This view allows you to see which accounts have been discovered and whether they match any existing rules. You can filter and search through these results to identify specific accounts that meet the criteria set by your discovery rules.

Creating Local Account Rules

Discovery account rules are search queries against the accounts found by discovery, visible in the Discovery Network View. When these rules are created and run, accounts that match the rules can be automatically imported as secrets. When matches are found, email notifications can also be sent out.

The rule order determines the rule application order. Drag rules to reorder them. Rules can specify a combination of the domain or OU, the computer name and the account name.

To create a rule:

  1. Select Discovery. The Discovery Analysis tab of the Discovery page appears.

  2. Select the Network View tab.

  3. Click the Create Rule button. The Create Rule popup appears:

  4. From the Rule Type dropdown list, select Accounts.

  5. (Optional) Type in text strings for the following if you want to limit the scope of the rule:

    • Computer Name Contains

    • Account Name Contains

    • Operating System Contains

    For this example, Del, Admin, and Windows have been entered.

    Discovery rules automatically create secrets or send emails when local accounts or public keys that match the rule criteria are discovered.

  6. Select the Manage Accounts checkbox if you want secrets to be created and the service and accounts to be managed by Verify Privilege Vault.

  7. Click the Create Rule button. The Discovery account rule page appears with the values you typed:

  8. Type the name of the new rule in the Rule Name textbox if you want to change the suggested name.

  9. Click the None Selected link in the Filter section to choose a discovery source. The Pick OU popup appears.

  10. Navigate to and select the OU of your choice; it appears as your source. Additional controls also appear, which differ with each source. For this example the following source was used:

  11. Select the Include Children checkbox if you want to include any child OUs in the scan.

  12. From the Scan Template dropdown list, select an output template. The Secret and Alerts sections appear below the Filter section.

  13. From the Matching Condition dropdown list, pick which of the filtering parameters must match.

    The completion checklist updates to show that you completed the Filter section.

  14. Scroll to the Secret section:

  15. The Create Secrets checkbox is selected by default.

  16. From the Secret Template dropdown list, select the secret template the new secret will originate from if a default is not available automatically.

  17. Click the Folder link to select a folder for the new secret to belong to.

    You cannot use personal folders for this purpose.

  18. Type the naming convention for the new secret in the Secret Name text box.

    A naming convention is automatically suggested based on the hostname and username, such as $DOMAIN\$USERNAME.

  19. From the New Secret Permissions dropdown list, select whether you want secrets to copy (standalone) or inherit (change with the folder) the permissions from the folder.

  20. From the Site dropdown list, select the Verify Privilege Vault local installation or a distributed engine to run the rule from. The Password Section appears.

    The completion checklist updates to show that you completed the Secret section.

  21. Scroll to the Password section:

    Remote password changing must be enabled to change the password.

  22. Select the I know the current password… option if you do not want Verify Privilege Vault to change the account password when the secret is created.

    Complete the following:

    1. In the Current Password text box, type the password.

    2. Leave the Password Changing dropdown list set to Use privileged account.

    3. Click the No Secret Selected link to choose a secret for the privileged account for ongoing use.

  23. Select the Assign a new specific password to all accounts option if you want all the new secrets to have the same password, which you can later change.

    This option will change the password on the remote machine for any newly discovered accounts.

    Complete the following:

    1. (Optional) Type a value in the Takeover Threshold text box.

      If the number of accounts that will be taken over exceeds the maximum threshold, the import is canceled and the subscribed users are notified by email.

    2. Type the new password in the New Password text box.

    3. From the Password Type dropdown list, select the desired type.

    4. For Initial Takeover Secrets, click the No Secret Selected link and choose a secret for the privileged account used for the initial takeover.
      If you would rather have a set of secrets that are tried in turn until one works, click the (Switch to Multiple Reset Secrets) link, then click Add Secret and choose a secret. The name of the secret appears. Repeat as needed.

    5. Leave the Password Changing dropdown list set to Use privileged account.

    6. For Password Changing Privileged Account, click the Add Secret button to choose a secret or secrets for the privileged account for ongoing use.

  24. Select the Generate a random password for each account option if you want to have Verify Privilege Vault create a strong password for the secret.

    This option will change the password on the remote machine for any newly discovered accounts.

    1. (Optional) Type a value in the Takeover Threshold text box.

      If the number of accounts that will be taken over exceeds the maximum threshold, the import is canceled and the subscribed users are notified by email.

    2. From the Password Type dropdown list, select the desired type.

    3. For the Initial Takeover Secrets, click the Add Secret button to choose a secret or secrets for the privileged account.

    4. Leave the Password Changing dropdown list set to Use privileged account.

    5. For Password Changing Privileged Account, click the Add Secret button to choose a secret or secrets for the privileged account for ongoing use.

      Note that the completion checklist updates with a check mark to show that you completed the Password section.

  25. Scroll to the Alerts section:

  26. Select the Send email alert for newly discovered accounts checkbox to enable the Subscribed Users dropdown list.

  27. From the Subscribed Users dropdown list, select one of the following:

    • Discovery Administrators, if you only want to notify admins.

    • Specific Users, if you want to define a list of people to notify.

  28. If you chose Specific Users, new controls appear:

  29. In the Add section, select or search for users and groups. As you click each one, they appear in the Items text box.

    The completion checklist updates to show that you completed the Alerts section.

  30. Select Save at the bottom of the page to keep your changes.
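The filters in step 5, the Matching Condition in step 13, the Secret Name convention in step 18 and the Takeover Threshold in steps 23 and 24 together decide which discovered accounts become secrets. The following Python model is an added illustration of that decision logic, not code from Verify Privilege Vault or its documentation. It assumes that "Contains" is a case-insensitive substring test, that a blank filter is ignored, and that rules are applied in order with the first matching rule claiming an account; the hostnames, user names and the CORP domain in the sample are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of what a discovery scan might list in the Network View.
# Hostnames, user names and the CORP domain are made up for this illustration.
DISCOVERED = [
    {"domain": "CORP", "computer": "DELL-WS01",  "username": "Administrator", "os": "Windows 10"},
    {"domain": "CORP", "computer": "DELL-SRV02", "username": "svc_backup",    "os": "Windows Server 2019"},
    {"domain": "CORP", "computer": "HP-WS03",    "username": "Administrator", "os": "Windows 11"},
    {"domain": "CORP", "computer": "DELL-LNX01", "username": "admin",         "os": "Ubuntu 22.04"},
]


@dataclass
class AccountRule:
    """One discovery account rule: the three 'Contains' filters (step 5), the
    Matching Condition (step 13), the Secret Name convention (step 18) and the
    Takeover Threshold (steps 23 and 24)."""
    name: str
    computer_contains: str = ""
    account_contains: str = ""
    os_contains: str = ""
    match_all: bool = True                 # True: every filled-in filter must match; False: any one
    takeover_threshold: Optional[int] = None
    secret_name: str = "$DOMAIN\\$USERNAME"

    def matches(self, acct: Dict[str, str]) -> bool:
        # Assumption of this model: 'Contains' is a case-insensitive substring
        # test, and a filter left blank is simply not evaluated.
        pairs = [
            (self.computer_contains, acct["computer"]),
            (self.account_contains, acct["username"]),
            (self.os_contains, acct["os"]),
        ]
        results = [needle.lower() in hay.lower() for needle, hay in pairs if needle]
        if not results:
            return True                    # no filters at all: every account in the source matches
        return all(results) if self.match_all else any(results)

    def render_secret_name(self, acct: Dict[str, str]) -> str:
        """Expand the $DOMAIN\\$USERNAME naming convention for one account."""
        return (self.secret_name
                .replace("$DOMAIN", acct["domain"])
                .replace("$USERNAME", acct["username"]))


def apply_rules(rules: List[AccountRule],
                accounts: List[Dict[str, str]]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Evaluate ordered rules against discovered accounts.

    Assumption of this model: rules are tried in list order and the first
    rule that matches an account claims it. Returns the secret names each
    rule would create, plus the alert texts a canceled import would mail to
    subscribed users.
    """
    claimed: Dict[str, List[str]] = {rule.name: [] for rule in rules}
    for acct in accounts:
        for rule in rules:
            if rule.matches(acct):
                claimed[rule.name].append(rule.render_secret_name(acct))
                break

    imports: Dict[str, List[str]] = {}
    alerts: List[str] = []
    for rule in rules:
        names = claimed[rule.name]
        if rule.takeover_threshold is not None and len(names) > rule.takeover_threshold:
            # Threshold exceeded: nothing is taken over for this rule; subscribers are told why.
            alerts.append(f"{rule.name}: {len(names)} accounts would be taken over, "
                          f"threshold is {rule.takeover_threshold}; import canceled")
            imports[rule.name] = []
        else:
            imports[rule.name] = names
    return imports, alerts


def demo() -> Tuple[Dict[str, List[str]], List[str]]:
    """The page's example rule (Del / Admin / Windows, all must match) followed by a
    broader catch-all rule whose takeover threshold is set low enough to trip."""
    rules = [
        AccountRule("Dell Windows admins", "Del", "Admin", "Windows", match_all=True),
        AccountRule("Other Windows accounts", os_contains="Windows", takeover_threshold=1),
    ]
    return apply_rules(rules, DISCOVERED)


if __name__ == "__main__":
    imports, alerts = demo()
    for rule_name, names in imports.items():
        print(f"{rule_name}: {names}")
    for alert in alerts:
        print("ALERT:", alert)
```

Running `demo()` shows why the threshold matters: the narrow first rule creates a single secret, while the catch-all rule would take over two accounts, exceeds its threshold of 1, and is canceled with an alert instead of rotating passwords on machines nobody reviewed. Switching the first rule to the "any filter" condition makes it claim all four sample accounts, which is the kind of over-broad match worth checking in the Network View before enabling Manage Accounts.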

Creating Dependency Rules

Dependency rules automatically add dependencies (Windows services, scheduled tasks, application pools) to existing secrets. You can receive email notifications of linkages by adding an event subscription on the Event Subscriptions page. Rules can specify a combination of the domain or OU.

The rule order determines the order in which the rules are applied. Drag rules to reorder them.

You must have a discovery scanner and dependency template configured to apply a dependency rule.

If you run discovery against Windows Server 2016 or 2019, scheduled tasks are not discovered unless your instance or engine is on the same domain as the target server. On Windows Server 2016 and up, scheduled task discovery only gets a security identifier (SID) for the user that runs the task. Verify Privilege Vault has code to convert the SID to a username, but this only works if the code is being executed on the same domain as the scheduled task. If the SID cannot be translated, the scheduled task will not be saved with discovery.

To create a rule:

  1. Access Discovery. The Discovery Analysis tab appears.

  2. Select the Network View tab.

  3. Click the Create Rule button. The Create Rule popup appears.

  4. From the Rule Type dropdown list, select Dependencies.

  5. Click the Create Rule button. The New Rule page appears.

  6. Type the name of the new rule in the Rule Name text box.

  7. Click the None Selected link to choose a discovery source. The Pick OU popup appears.

  8. Select the OU of your choice; it appears as the source. The Scan Template dropdown list appears.

  9. From the Scan Template dropdown list, select an output template. For this example, the Windows Service template was chosen.

  10. From the Dependency Template dropdown list, select a dependency template. Once again, we chose Windows Service.

  11. From the Site dropdown list, select the local installation of Verify Privilege Vault or a distributed engine to run the rule from.

  12. For Privileged Account, click the No Secret Selected link to choose a secret for the scanning account. The chosen secret appears as a link.

  13. Select the Windows Services: Restart on Change checkbox if you want the services restarted after discovery.

  14. Select Save to keep your changes. The page for your new rule appears: