Creating a Discovery Source

Introduction

A discovery source is a named collective, ordered system that conducts discovery. There are six broad types:

  • Active Directory

  • Unix

  • VMware ESX\ESXi

  • AWS (Amazon Web Services)

  • GCP (Google Cloud Platform)

  • Entra ID

Configuring discovery is defining the parameters of the discovery source. Each discovery source is a configurable definition of how to scan for computer assets in a given environment. A subcomponent of a discovery source, called a scanner, details how to perform those scans.

This is also an "empty," which creates a new discovery source that does not contain any scanners. This is useful for extensible discovery as you can add any custom scanners.

Procedure

  1. Click the Discovery button on the main menu and on the Discovery page select the Sources tab:

  2. Click the Create dropdown list button and select the type of source you desire.

    For all sources except for Active Directory you are prompted for a name, site, type, and secret. Active directory has a specific dialog which allows for some advanced validation and customization.

  3. For Active Directory:

    Active Directory discovery scans Active Directory (AD) machines, Active Directory user accounts, local Windows accounts, and their dependencies within an AD domain. The discovery process begins by identifying machines within your domain, followed by scanning each machine for local Windows accounts and associated dependencies. By default, the scan includes local accounts, domain accounts, scheduled tasks, Windows services, and IIS application pools. To further enhance the discovery process, you have the option to create PowerShell scanners, which allow for the identification of additional accounts and dependencies. PowerShell scanners are an advanced topic covered in detail within the Extensible Discovery section.

    1. A Discovery Source popup appears:

      If you upgraded from an earlier Secret Server version and have created an AD domain within Secret Server, a corresponding discovery source is displayed on this page. If discovery was not enabled on that domain, the discovery source Active column is not checked for that discovery source.

    2. Type the parameters for the Discovery Source Name, Fully Qualified Domain Name, and Friendly Name. The parameters with asterisks are required.

    3. Ensure the State check box is set to Enabled. This activates this discovery Source for scanning. Enabled discovery sources are scanned at the defined discovery interval defined. If you have multiple discovery sources, the discovery source with the most un-scanned computers is scanned first.

    4. Next, you select a secret that is used as the credentials for discovery scanning and AD synchronization. These credentials must have the proper rights to scan the remote machines. Click the No Secret Selected link. The Select Secret popup page appears.

    5. Either search for and click the secret you want to use for the account credentials during the scan. The popup page closes. The name of the secret you chose replaces the No Secret Selected link.

      Or create a new secret for the credentials:

      1. Click the Create NewSecret link. The Create New Secret page appears.

      2. Click the Generic Discovery Credentials secret template. Another Create New Secret page appears:

      3. Type or select the parameters needed for the discovery operation. Parameters with asterisks are required.

      4. Click the Create Secret button.

    6. Click the Discovery Site dropdown list to select the desired site for the discovery source. If distributed engines are setup, the list shows all active sites. If no distributed engines are setup, the list defaults to local, and you cannot change it.

    7. Click the Discover Specific OU check box to limit your discovery to an OU. See Enabling Specific OU Domain Discovery to define the scanned OU. When you select this option, a Domain Scope tab appears on the Discovery Source page for the created AD discovery source.

    8. Leave the Machine Resolution Type dropdown list set to Use Machine and Fully Qualified Name unless you have a specific reason to change it.

    9. Check the Use LDAPS check box to if you want this server connect to the LDAP server using SSL.

    10. Click the Create button. Secret Server attempts to access the domain with your specified credentials to ensure the configuration is correct. Thus, Secret Server must have access to the domain provided, and the account credentials must work.

  4. For Other Source Types:

    For Unix, the default command sets efficiently discover machines and accounts in a wide range of Unix environments. By default, the "Find Non-Daemon Users (Basic Unix)" command set is used for discovery. However, if you wish to include the built-in account in the discovery process, you will need to update the discovery source to use the "Find All Users (Basic Unix)" command set. For further customization, you can create new command sets by accessing the "Configure Command Sets" option on the Discovery Sources list page. Additionally, you can modify the secrets employed during the discovery by accessing the scanner settings.

    1. A discovery source popup appears:

    2. Type the name of the AWS discovery source in the Name text box.

    3. Click the Site dropdown list to select the domain.

    4. Click the Source Type. Your choices are:

      • AWS: Scan Amazon Web Services for keys, users, windows and non-windows machines. You will be prompted after saving to select which items.

      • Empty: An empty discovery source does not have any scanners in it and after it is created you will need to add scanners to it before it can be activated. Creating an empty source is for when you have specific scanners in mind or want to build it from scratch.

      • Entra ID: Scan an Entra ID tenant for Roles and Role Members.

      • GCP: Scan Google Cloud Platform for users, windows and non-windows machines. You will be prompted after saving to select which items.

      • Unix: Scan IP address ranges to find Unix machines and then discover local accounts on those machines.

      • VMware ESX/ESXi: Scan IP address ranges to find VMware ESX/ESXi hosts and discover local accounts.

    5. Next, you select a secret that is used as the credentials for discovery scanning and AD synchronization. These credentials must have the proper rights to scan the remote machines. Click the No Secret Selected link. The Select Secret popup page appears.

    6. Either search for and click the secret you want to use for the account credentials during the scan. The popup page closes. The name of the secret you chose replaces the No Secret Selected link.

      Or create a new secret for the credentials:

      1. Click the Create new secret link. The Create new secret page appears.

      2. Click the Generic Discovery Credentials secret template. Another Create New Secret page appears:

      3. Type or select the parameters needed for the discovery operation. Parameters with asterisks are required.

      4. Click the Create Secret button.

    7. Click the Save button.

  5. Click the new discovery source and then the Scanners tab to make any adjustments to the source scanner flow. Click a block to see its setting in a panel on the right. Click the Edit Scanner link to make any changes.

Your discovery source may not be ready to run yet and may require additional properties to be configured for your network. Some scanners will have required properties such as an IP address range and will indicate this by a red "Invalid" tag on the discovery flow on the Scanners tag. Some settings may be specific to your network and require customization. We recommend that you review each scanner and each setting to see which settings apply to you.

Discovery Account Details

To view the Discovery Account Details, click the Discovery button on the main menu and on the Discovery page, and select the Network view tab. In the Item Type dropdown next to the search box, select Directory Accounts, then select the related account from the list and click on it. The Account details will expand to the right.

Here you can view and copy the Discovery Account details like Type, Full Name, Created date and time, Active Directory Account, Delta Sync Account, Discovery Source Name, Managed, Password expiration status. Click View details to proceed to the Directory Account details.

Here the following details are displayed:

  • Secret - refers to the secret associated with the directory account.

  • Created - the timestamp thatindicates when the account was created. It is important for tracking the account's lifecycle and understanding its history within the system.

  • Scanned name - the name of the account as identified during the discovery scan.

  • Discovery Source - the origin or the source from which the discovery process is initiated. See Discovery Source for more details.

  • Distinguished name - the unique identifier for the account within a directory service like Active Directory. It provides the full path to the account within the directory hierarchy, which is essential for locating and managing the account.

  • OU name - refers to the Organizational Unit (OU) within which the account resides. OUs are used to organize accounts and resources within a directory service, making it easier to apply policies and manage permissions.

  • Scan item template - defines the criteria and properties used during the discovery scan to identify and categorize the account.

  • Password expiration status - indicates whether the account's password is set to expire and when.

  • Password last set - the timestamp that shows when the password for the account was last changed.

  • Added manually - indicates whether the account was manually added to the system, as opposed to being discovered automatically through a scan. Manually added accounts might require additional verification to ensure they are correctly configured.

  • Excluded - shows whether the account has been excluded from certain processes or scans. Exclusion might be used to prevent specific accounts from being managed or altered by automated systems, often for security or operational reasons.