Scan for accounts using Account Discovery

This topic presents the account discovery capability which scans your domain machines to discover privileged accounts and their dependencies in your organization. Discovered accounts are displayed for analysis in the Privilege Cloud Portal or by running dedicated REST APIs. You then decide which accounts should be securely managed by Privilege Cloud and add them to the system - this process is called onboarding.

This topic explains how to configure Account Discovery scans, review discovered accounts, and onboard them.

What accounts can you discover?

Account Discovery discovers the following types of accounts:

Windows domain and local accounts
Unix local accounts and SSH Keys
MacOS accounts from within the Administrators/root groups

These accounts are grouped into two categories:

Pending accounts. Pending accounts are privileged accounts in your organization, which you may want to secure by applying a privileged access policy based on password or key. Scan mechanisms provide a list of potential pending accounts, allowing you to review and analyze them, and then decide whether to onboard them to Privilege Cloud, or discard them from the list.
Learn more about pending accounts
- Discovered accounts for Windows and Unix machines are displayed in the Pending Accounts list for analysis.
- Discovered accounts of loosely connected devices are identified and managed by using dedicated REST APIs.
After analyzing an account, you can decide whether to onboard it to the system or delete it from the list.
Privilege Cloud employs two complementary tools to scan the organization's domain for pending accounts:

The CPM Scanner scans the domain according to your Active Directory (for Windows machines) or a CSV file (for Unix machines).

The Discovered Accounts service uses Endpoint Privilege Manager (EPM) to discover accounts of loosely connected devices.
Learn more in How Accounts Discovery works .

Account dependencies. Account dependencies provide additional information related to the discovered accounts and indicate additional locations where an account's secrets should be changed, for example, a Windows service, or a Windows scheduled task. Account dependencies should be taken into consideration and handled when onboarding new accounts.
Learn more about account dependencies
Account dependencies can be discovered for:
- Pending accounts. These are reflected in the Pending Accounts list by updating the counter of the account dependencies.
- Existing accounts, which are already defined in Privilege Cloud. When account discovery identifies new dependencies associated with an existing domain account, Privilege Cloud automatically adds them to the account. Due to risk of malicious dependencies, they are added by default in disabled mode. Admins must review and verify each newly discovered dependency, and only then approve it for for CPM secret management.

How Accounts Discovery works

Accounts are discovered using the following complementary mechanisms:

Windows and Unix machines (using CPM Scanner)

The CPM Scanner service scans Windows and Unix machines for new and modified accounts and their dependencies. The discovered accounts are displayed in the Pending Accounts feed for review. You can then decide to onboard, disregard, or delete each discovered account.

Scanned machines. The account scan runs according to a defined source such as your organization's Active Directory or a CSV file.

Supported machines. The CPM Scanner service supports Windows and Unix machines, see Supported target machines.

Default component. The CPM Scanner service is installed automatically, as part of the Connector installation.
Required permissions. See Permissions required for running an Account Discovery scan.
Setup and configuration. To set up and configure the CPM Scanner - see Configure the CPM Scanner.
Perform account discovery and onboarding. See Discover accounts of Windows and Unix machines

Account Discovery of local Windows, macOS, and Linux accounts (using EPM Endpoint agent data collection)

The Account Discovery service scans network endpoints to discover unmanaged local Windows, macOS and Linux accounts. Discovered accounts are displayed in the Discovered Accounts feed for review. You can then decide to onboard a discovered account, delete it, or disregard it.

Supported machines. The Account Discovery service supports Windows, macOS, and Linux machines, and does not currently support Unix machines.

CyberArk EPM is required. The Account discovery service requires CyberArk EPM, which automatically collects discovered local accounts from endpoints, including loosely connected devices. If you do not have CyberArk EPM or want to learn more, contact your account manager or CyberArk Support.
Setup and configuration. See Set up the Account Discovery service.
Discover and manage local accounts on Windows, macOS, and Linux endpoints.
- The account discovery process for local Windows, macOS, and Linux accounts accounts. See Discover local accounts on Windows, macOS, and Linux endpoints.
- Use REST APIs to discover, onboard, or delete accounts. See New discovered accounts.

The Accounts Discovery process

Onboarding accounts is a continuous process, where each account goes through three steps:

Step 1: Run Discovery

Scan your environment to discover accounts that require privileged access.

The following scan options apply to the CPM Scanner mechanism only. The Accounts Discovery service, based on CyberArk's EPM, scans the local endpoints automatically.

Manual vs. scheduled scans. You can run scans once or schedule recurring scans. Recurring scans update pending accounts and the account dependencies.
Automatic update of dependencies. When a new dependency is discovered, it is added to the pending account dependencies. If the account is already onboarded, newly detected dependencies are automatically onboarded as well.
Running account discovery on remote Unix machines. Some organizations block privileged access to remote Unix machines. In this case, a dedicated logon account with permission to logon remotely is required to log on to the remote machine. After this logon account has authenticated to the remote machine, the privileged user can run discoveries. In these environments, before creating discoveries, associate a logon account to the account that will be used to run discoveries on remote Unix machines. For more information about creating and associating logon accounts, see Create linked accounts.

Step 2: Analyze

The results of the scan are placed in a queue in the Pending Accounts list. Review the Pending Accounts list, assess the risk of each account, and select which accounts to onboard, and which are no longer needed and can be deleted.

Step 3: Onboard

Onboard accounts and assign them to a Safe and platform. You can also use onboarding rules to automatically assign accounts to Safes as soon as they are discovered.

In this section: