Manage Discovery Processes

This topic describes how to set up, view, and manage Discovery processes.

Overview

The Discovery process scans predefined machines for new and modified accounts and their dependencies. After the scan, you can see which accounts should be onboarded into the Vault where they can be managed automatically and securely, according to your enterprise compliance policies.

In the Discovery Management page, you can perform the following actions:

  • Create new discovery processes and view their statuses

  • View details of an existing discovery process in the Preview pane

  • Refresh the Discovery list to get a real-time update of the status of the discovery processes that are currently running in the system

The following information appears in the Discovery Setup area.

Column Displays

Discovery name

The name of the defined discovery.

Type

The type of discovery process.

Possible values:

  • Onetime

  • Recurring

State

The current state of the discovery process.

Possible values:

  • Running

  • Pending

  • The next run date and time (for recurring discoveries)

For more information, refer to Manage Discovery Processes.

Last run time

The time, on the scanner machine, at which this discovery last started. For a recurring discovery, this is the start time of the most recent run.

Last run status

The status of the discovery the last time it was run.

View discovery details

The details shown in the Preview pane depend on whether the selected discovery targets Windows or Unix machines.

Create discovery processes

Before creating discovery processes, make sure that the user who performs the discovery has the required permissions on the target machines, as listed in Supported target machines.

In organizations where privileged accounts are not permitted to log on to remote Unix machines directly, a logon account whose only permission is to log on remotely is required to establish the session. After this logon account has authenticated to the remote machine, the privileged user can run discoveries.

In these environments, before creating discoveries, associate a logon account with the account that will be used to run discoveries on remote Unix machines. For more information about creating and associating logon accounts, see Create linked accounts.

Delete discovery processes

When discovery processes are no longer required, delete them so that only the scheduled processes you still need are listed.

A discovery process cannot be deleted while it is running; stop it first, or wait for it to complete.

Discover accounts and SSH keys

The Accounts Feed discovers local and domain accounts, as well as SSH keys. In Windows discoveries, each account is classified so that you know whether it is a local or domain account, and whether it is privileged. In Unix discoveries, each item is classified so that you know whether it is a local account or an SSH key, and whether it is privileged. Additional information helps you understand the type of each discovered account and assess the risk associated with it.

In addition, Windows discoveries find the Windows Services and Windows Scheduled Tasks that use the detected privileged accounts. Unix discoveries do not find dependencies of local accounts on Unix machines, although they do find SSH key trusts.

Accounts that already exist in the Vault will not be rediscovered. This refers to accounts that were added in the PVWA, onboarded using the Accounts Feed, or provisioned using the AddAccount web service.

Accounts that are displayed in the Pending Accounts list may have changed since they were initially discovered. In order to make sure that the Pending Accounts list reflects the current status, you can perform a new discovery process in which the same accounts are rediscovered and their details are updated.

Note the following scope and scheduling limits:

  • When you configure the discovery to scan a company domain, sub-domains are not scanned automatically. For example, scanning the mycompany.com domain does not scan the sub.mycompany.com domain.

  • When scanning accounts and groups in a trusted domain, perform a separate scan for each domain.

  • The Scanner executes only one discovery process at a time. If you define multiple discoveries that use the same CPM scanner, they wait in the queue as Pending and run one after another.
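Because each domain, including every sub-domain and trusted domain, needs its own discovery process, it helps to enumerate them before defining discoveries in the Discovery Management page. The following PowerShell script is an added example and is not CyberArk's own code. It assumes the ActiveDirectory RSAT module is installed on a domain-joined machine and that the caller can read forest and trust objects; the function name Get-DiscoveryDomainTargets is this example's own.

```powershell
# Added example, not CyberArk's own code. Builds the list of domains that each
# need their own discovery process: the Discovery does not descend into
# sub-domains, and trusted domains should be scanned separately.
# Assumes the ActiveDirectory RSAT module is installed and the caller can read
# forest and trust objects (any domain user normally can).
Import-Module ActiveDirectory

function Get-DiscoveryDomainTargets {
    $forest  = Get-ADForest
    $targets = [System.Collections.Generic.List[object]]::new()

    # Every domain in the forest, root and child alike, is a separate scan.
    foreach ($domain in $forest.Domains) {
        if ($domain -eq $forest.RootDomain) {
            $reason = 'Forest root domain'
        } else {
            $reason = 'Child/tree domain (not scanned with its parent)'
        }
        $targets.Add([pscustomobject]@{
            Domain    = $domain
            Reason    = $reason
            Direction = 'n/a'
            TrustType = 'n/a'
        })
    }

    # Trusts of the current domain. Direction and TrustType are reported so you
    # can judge whether the scanner's user can authenticate to that domain
    # before defining a discovery for it.
    foreach ($trust in Get-ADTrust -Filter *) {
        if ($targets.Domain -notcontains $trust.Target) {
            $targets.Add([pscustomobject]@{
                Domain    = $trust.Target
                Reason    = 'Trusted domain (scan separately)'
                Direction = $trust.Direction
                TrustType = $trust.TrustType
            })
        }
    }
    return $targets
}

# One row per discovery process you need to define in the Discovery Management page.
Get-DiscoveryDomainTargets | Sort-Object Domain | Format-Table -AutoSize
```

Get-ADTrust only returns the trusts of the domain the machine is joined to, and for a forest trust it lists the remote forest's root domain only; run the script in the remote forest as well to enumerate its child domains. The list tells you which discoveries to define, not that the scanner's user already has the permissions listed in Supported target machines in each of them.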

Stop discoveries

Discoveries can be stopped manually when running. When a discovery is stopped, a list of pending accounts is created which includes accounts that were already discovered. As the discovery is not completed, some account dependencies may not be included.

After a discovery has been stopped, a discovery log is written that contains details about the user who stopped it and the time when it was stopped. This discovery log can be accessed by a link in the Discovery Preview pane. These details are also written in the central CACPMScanner.log file in the PasswordManager\Logs folder.

View the status of the discovery process

Once you have defined a Discovery process, and while it is running, you can check its status in the Discovery Management page. The following statuses are displayed:

Status

Description

Running

The discovery is currently running and scanning for accounts.

Stopping

The discovery is in the process of being stopped. After the discovery has been stopped, its status changes to ‘Stopped’.

Pending

The discovery is still waiting to be run and has not yet started.

Completed successfully

The discovery was completed successfully and no errors were encountered during the scan.

Completed with errors

The discovery was completed but errors occurred. You can view the errors that occurred during this discovery in the specific discovery log.

For details, see View discovery error logs.

Failed

The discovery failed to run, for example because the connection to Active Directory failed or the user has insufficient privileges. The discovery stops immediately and its status changes to Failed.

For details, see View discovery error logs.

View discovery error logs

When a discovery scan is not completed successfully, an error log is created that contains the errors that occurred during the scan. After you fix the errors, you can rerun the discovery.

A log is created for discoveries that end in the following ways:

  • Discoveries that end with a failure

  • Discoveries that complete with errors

  • Discoveries that are stopped manually

The discovery errors are also in the CACPMScanner.log file, located in the PasswordManager\Logs folder.

When a discovery is deleted, its log files are deleted with it. The log of a recurring discovery is overwritten each time the discovery starts running again, so copy a log you need to keep before the next scheduled run.

To view the discovery error log:

  1. On the Discovery Management page, select the discovery whose last run failed, completed with errors, or was stopped.

  2. In the Discovery Preview pane, click the link for the error log file.

     If the discovery completed successfully, no error log is created and there is no link for that discovery scan in the Preview pane.

Timeout error

The log may include an error indicating that a machine reached its timeout limit. This means that an issue on that machine caused the scan to stop and wait for a resolution. If the issue is not resolved before the timeout limit is reached, the discovery process skips that machine and moves on to the next one.

You can define the timeout parameter limit. For more information about setting the timeout parameter, see Accounts Feed.