Scan for accounts using Account Discovery
This topic presents the account discovery capability which scans your domain machines to discover privileged accounts and their dependencies in your organization. Discovered accounts are displayed for analysis in the Privilege Cloud Portal or by running dedicated REST APIs. You then decide which accounts should be securely managed by Privilege Cloud and add them to the system - this process is called onboarding.
This topic explains how to configure Account Discovery scans, review discovered accounts, and onboard them.
What accounts can you discover?
Account Discovery discovers the following types of accounts:
- Windows domain and local accounts
- Unix local accounts and SSH Keys
- MacOS accounts from within the Administrators/root groups
These accounts are grouped into two categories:
- Pending accounts. Pending accounts are privileged accounts in your organization, which you may want to secure by applying a privileged access policy based on password or key. Scan mechanisms provide a list of potential pending accounts, allowing you to review and analyze them, and then decide whether to onboard them to Privilege Cloud, or discard them from the list.
  - Discovered accounts for Windows and Unix machines are displayed in the Pending Accounts list for analysis.
  - Discovered accounts of loosely connected devices are identified and managed by using dedicated REST APIs.
  After analyzing an account, you can decide whether to onboard it to the system or delete it from the list.
  Privilege Cloud employs two complementary tools to scan the organization's domain for pending accounts:
  - The CPM Scanner scans the domain according to your Active Directory (for Windows machines) or a CSV file (for Unix machines).
  - The Discovered Accounts service uses Endpoint Privilege Manager (EPM) to discover accounts of loosely connected devices.
  Learn more in How Accounts Discovery works.
- Account dependencies. Account dependencies provide additional information related to the discovered accounts and indicate additional locations where an account's secrets should be changed, for example, a Windows service, or a Windows scheduled task. Account dependencies should be taken into consideration and handled when onboarding new accounts.
  Account dependencies can be discovered for:
  - Pending accounts. These are reflected in the Pending Accounts list by updating the counter of the account dependencies.
  - Existing accounts, which are already defined in Privilege Cloud. When account discovery identifies new dependencies associated with an existing domain account, Privilege Cloud automatically adds them to the account. Due to the risk of malicious dependencies, they are added by default in disabled mode. Admins must review and verify each newly discovered dependency, and only then approve it for CPM secret management.
How Accounts Discovery works
Accounts are discovered using the following complementary mechanisms:
| Mechanism | Description |
| --- | --- |
| Windows and Unix machines (using CPM Scanner) | The CPM Scanner service scans Windows and Unix machines for new and modified accounts and their dependencies. The discovered accounts are displayed in the Pending Accounts feed for review. You can then decide to onboard, disregard, or delete each discovered account. |
| Account Discovery of local Windows, macOS, and Linux accounts (using EPM Endpoint agent data collection) | The Account Discovery service scans network endpoints to discover unmanaged local Windows, macOS and Linux accounts. Discovered accounts are displayed in the Discovered Accounts feed for review. You can then decide to onboard a discovered account, delete it, or disregard it. |
The Accounts Discovery process
Onboarding accounts is a continuous process, where each account goes through three steps:
1. Scan your environment to discover accounts that require privileged access.
   The following scan options apply to the CPM Scanner mechanism only. The Accounts Discovery service, based on CyberArk's EPM, scans the local endpoints automatically.
   - Manual vs. scheduled scans. You can run scans once or schedule recurring scans. Recurring scans update pending accounts and the account dependencies.
   - Automatic update of dependencies. When a new dependency is discovered, it is added to the pending account dependencies. If the account is already onboarded, newly detected dependencies are automatically onboarded as well.
   - Running account discovery on remote Unix machines. Some organizations block privileged access to remote Unix machines. In this case, a dedicated logon account with permission to log on remotely is required to log on to the remote machine. After this logon account has authenticated to the remote machine, the privileged user can run discoveries. In these environments, before creating discoveries, associate a logon account with the account that will be used to run discoveries on remote Unix machines. For more information about creating and associating logon accounts, see Create linked accounts.
2. Review the results. The results of the scan are placed in a queue in the Pending Accounts list. Review the Pending Accounts list, assess the risk of each account, and select which accounts to onboard, and which are no longer needed and can be deleted.
3. Onboard accounts and assign them to a Safe and platform. You can also use onboarding rules to automatically assign accounts to Safes as soon as they are discovered.
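The review-and-onboard steps above, and the rule that dependencies found for an already managed account are attached in disabled mode until an admin approves them, can be modelled in a few lines. The following is an added example, not CyberArk code and not the Privilege Cloud REST API: the account records, the onboarding-rule format, and the Safe and platform names (WinDomainAdmins, UnixRoot, WinDomain, UnixSSH) are all constructed for illustration. It sorts a constructed pending feed into onboard / pending / delete decisions using onboarding rules, and shows the dependency merge-then-approve flow for an existing account.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Dependency:
    """A place where the account's secret is also used (service, scheduled task)."""
    kind: str
    name: str
    # Newly discovered dependencies are attached disabled until an admin reviews them.
    enabled: bool = False


@dataclass
class DiscoveredAccount:
    username: str
    address: str
    platform_type: str                      # "Windows", "Unix" or "macOS"
    is_domain: bool
    privileged_groups: list = field(default_factory=list)
    dependencies: list = field(default_factory=list)


@dataclass
class OnboardingRule:
    """Assigns a matching discovered account to a Safe and a platform (hypothetical rule format)."""
    name: str
    platform_type: str
    is_domain: Optional[bool]               # None matches both domain and local accounts
    safe: str
    platform_id: str

    def matches(self, acct: DiscoveredAccount) -> bool:
        if acct.platform_type != self.platform_type:
            return False
        return self.is_domain is None or acct.is_domain == self.is_domain


# Constructed sample data; Safe and platform names are hypothetical.
RULES = [
    OnboardingRule("windows-domain", "Windows", True, "WinDomainAdmins", "WinDomain"),
    OnboardingRule("unix-local", "Unix", None, "UnixRoot", "UnixSSH"),
]

PENDING_FEED = [
    DiscoveredAccount("svc_backup", "corp.example", "Windows", True,
                      ["Domain Admins"],
                      [Dependency("WindowsService", "BackupAgent")]),
    DiscoveredAccount("root", "db01.example", "Unix", False, ["root"]),
    DiscoveredAccount("localadmin", "mac07.example", "macOS", False, ["admin"]),
]


def review_feed(feed, rules, discard=frozenset()):
    """Sort a pending feed into onboard / pending / delete decisions.

    Accounts whose username is in `discard` are deleted (a reviewer decision);
    accounts matching a rule are onboarded with that rule's Safe and platform;
    everything else stays pending for manual analysis.
    """
    decisions = {"onboard": [], "pending": [], "delete": []}
    for acct in feed:
        if acct.username in discard:
            decisions["delete"].append(acct.username)
            continue
        rule = next((r for r in rules if r.matches(acct)), None)
        if rule is None:
            decisions["pending"].append(acct.username)
        else:
            decisions["onboard"].append({
                "username": acct.username,
                "safe": rule.safe,
                "platform_id": rule.platform_id,
                # Dependencies of a pending account are onboarded together with it.
                "dependencies": [d.name for d in acct.dependencies],
            })
    return decisions


def merge_dependencies(existing: DiscoveredAccount, found: list) -> list:
    """Attach dependencies found for an already managed account in disabled mode.

    Duplicates are skipped; returns the names of the dependencies newly added.
    """
    known = {(d.kind, d.name) for d in existing.dependencies}
    added = []
    for dep in found:
        if (dep.kind, dep.name) in known:
            continue
        existing.dependencies.append(Dependency(dep.kind, dep.name, enabled=False))
        added.append(dep.name)
    return added


def approve_dependency(account: DiscoveredAccount, name: str) -> bool:
    """Enable a reviewed dependency for secret management; False if no such dependency."""
    for dep in account.dependencies:
        if dep.name == name:
            dep.enabled = True
            return True
    return False


if __name__ == "__main__":
    print(review_feed(PENDING_FEED, RULES, discard={"localadmin"}))
```

The macOS account has no matching rule, so without an explicit reviewer decision it stays in the pending list; with `discard={"localadmin"}` it is deleted instead. A dependency merged onto an existing account is only enabled after `approve_dependency` is called for it, mirroring the review step the text requires.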