Discovery Overview

Discovery is the process where Verify Privilege Vault scans an environment to find accounts and associated resources called dependencies. Once accounts are found, they can be used to create new secrets in Verify Privilege Vault. Users with the "administer discovery" role permission can either manually import accounts or can create an automated process to do so. Using discovery does not stop users from manually creating their own secrets.

Some typical accounts that discovery can find include Windows local admin, Windows domain, and Unix non-daemon. Some typical dependencies discovery can scan for include scheduled tasks running as a domain user, application pools running as a domain user, and services running as a domain user.

Account and dependency types not supported out-of-the-box in Verify Privilege Vault can still be discovered by writing PowerShell scripts that you can run as custom scanners. See Extensible Discovery.

In a Hurry?

We suggest reading (in order):

Discovery Benefits

Importation of Network Credentials

By using discovery, your Verify Privilege Vault offsets the burden of keeping track of computers and accounts on your network. This can be especially beneficial when getting started for discovering and importing accounts in bulk, as well as having Verify Privilege Vault find accounts and create secrets whenever a new machine or account is provisioned.

Protection Against Backdoor Accounts

When Verify Privilege Vault is configured to discover new accounts, it provides added protection by regularly running discovery on your network to identify those accounts. Verify Privilege Vault adds the new accounts to its records and resets the accounts password to values that meet your security policy. Consequentially, if someone is setting up backdoor admin accounts on the network, they cannot use those accounts very long before they are imported into Verify Privilege Vault and their passwords are changed with Remote Password Changing (RPC).

Discovery Types

Active Directory Discovery

Verify Privilege Vault AD discovery scans for AD machines, AD user accounts, local Windows accounts, and dependencies on an AD domain. First, SS discovers machines from your domain. Next, SS scans each machine for local Windows accounts and dependencies that depend on domain accounts. By default, SS scans for local accounts, domain accounts, scheduled tasks, Windows services, and IIS application pools. You can discover additional accounts and dependencies by creating PowerShell scanners. PowerShell scanners are an advanced topic described in the Extensible Discovery section.

ESX/ESXi Discovery

Verify Privilege Vault provides a wizard to help configure ESX/ESXi discovery. You name the discovery Source, define the host ranges of the desired IP addresses, and choose a secret to use as credentials when scanning.

Verify Privilege Vault provides a "Generic Discovery—Only Credentials" secret type that stores a simple username and password pair for Unix or ESX/ESXi discovery. It is intended only for discovery and is incapable of RPC.

AWS Discovery

Verify Privilege Vault can scan Amazon Web Services (AWS) for accounts that can access the cloud resource. Two types of secrets can be discovered and managed through Verify Privilege Vault:

  • AWS Access Key: Keys used for programmatic integration with AWS.

  • AWS Console Account: User login accounts for AWS.

Google Cloud Platform Discovery

Verify Privilege Vault can manage Google Cloud Platform (GCP) service accounts and VM instances. This feature allows users to run discovery to pull and manage VM Instances, as well as import and manage GCP service accounts.

Unix Discovery

Verify Privilege Vault provides a wizard to help configure Unix discovery. You name the discovery Source, define the host ranges of the desired IP addresses, and choose a secret to use as credentials when scanning. The default command sets that Verify Privilege Vault ships with discovers machines and accounts in most Unix environments.

By default, the "Find Non-Daemon Users (Basic Unix)" command set is used first. If a built-in account is discovered, you must modify the discovery source to use the "Find All Users (Basic Unix)" command set. You can create new command sets by clicking the Configure tab on the Discovery Sources page.

Extensible Discovery

You can customize discovery by changing parts of it to use PowerShell. The information a discovery scanner outputs is defined by its scanner template. For standard templates, the input and output information types are fixed. Extensible discovery allows you to customize or replace the unmanaged account, IP address and OU, account, and dependency discovery steps above. Extensible discovery does still have limitations on what information is passed between discovery scanners. For more information, see Extensible Discovery.

Discovery Performance

Please see our Discovery Best Practices to learn about optimizing discovery performance.

Example Discovery Process

A typical automated discovery process for Active Directory domains, running on an interval, looks like this:

The majority of current discovery processes are for AD discovery source type. The others types differ by input and output but follow a similar process.
Even though automatic discoveries run on a set interval, you cannot schedule when those occur. The interval is from whenever the discovery last ran.
  1. Discovery matching runs. The discovery matcher creates a link between existing active secrets and any existing secrets in Verify Privilege Vault based on their machine names, accounts and dependencies. The matcher is automatic. When matches are found, the corresponding existing discovery results appear as "managed" in the discovery network view with a link to the existing secret or dependency.

  2. Discovery rules run and attempt to match any unmanaged discovery results to the rule's parameters. If a rule matches the results, discovery automatically imports the results using the settings in the discovery rule. Once finished, discovery begins.

  3. The Find Host Ranges scanner (using the Windows Discovery base scanner) runs with an Active Directory Domain input template. The scanner determines which OUs are to be scanned and populates its Organizational Unit output template with a list of those OUs. The output template will be used by the following Find Machine scanner and also by the Find Local Accounts scanner, which does not require machine information.

  4. The Find Machine scanner (using the Windows Discovery base scanner) examines OUs from its Organizational Unit input template via LDAP and creates a list of machines with which it populates its Windows Computer output template. This is the list of computers to run a dependency scan on. The Find Dependencies scanner uses this instance of the output template as its input template.

  5. The Find Local Accounts scanner (using the File Load Discovery base scanner) examines OUs from its Organizational Unit input template via LDAP and creates a list of all AD admin accounts with which it populates its Active Directory Account output template. This is the list of discovered admin accounts.

  6. The Find Dependencies scanner (using the Windows Discovery base scanner) examines a list of machines from its Windows computer input template using various technologies. For example, application pools use Microsoft Web Administration (WMA) or, failing that, Windows Management Instrumentation (WMI). Services use WMI, and scheduled tasks use Windows' task scheduler interfaces. The Find Dependencies scanner can return any number of output templates as desired. These include: Com+ Application, Computer Dependency (Basic), PS Dependency, Remote File, SQL Dependency (Basic), SSH Dependency (Basic), SSH Key Rotation Dependency, Windows Application Pool, Windows Scheduled Task, and Windows Service.

The discovered dependencies for local accounts are displayed at Admin > Discovery > Discovery Network View > Local Accounts. Returned accounts for AD users are displayed at Admin > Discovery > Discovery Network View > Domain > Cloud Accounts.

Any dependencies that were discovered in prior discovery runs that are no longer present are removed from the discovery results, and their secret dependencies are deactivated.

Manual Discovery

You can also run discovery manually by going to Admin > Discovery and clicking the Run Now button and selecting Discovery Scan. We recommend waiting for any automatic discovery to idle before starting a manual discovery run. A discovery scan runs the first four of the automated steps above. When you click the "Run Now" button on the Scan Computers tab, the last two are run. These steps are the most time intensive steps because many machines may be scanned.