Discovery Query

Privileged Access Management includes an option to run a discovery query across your environment to locate and report on found endpoints and their configurations.

This scan can be configured to run automatically at scheduled intervals, and the resulting report can be used to create new records that can immediately be placed under management. In addition, the optional Auto-Import setting will create Records for newly discovered hosts.

Discovery queries can be constructed for several scenarios:

Active Directory Query

This query creates a scan across the entire network and uses the supplied Active Directory account(s) to attempt to communicate with all found endpoints.

This option requires that the system be integrated with your Active Directory.

IP-Range Query

This query creates a scan across a specific range of IP addresses (From – To) and attempts to communicate with the found endpoints using PowerShell (Windows) or SSH (Unix/Linux) in combination with the supplied account(s).

CSV-Based Query

This query creates a scan based on the endpoints that are supplied using an external CSV file.

If a list of endpoints is already available to you, then this option will use that for the input of the scan and attempt communication using PowerShell or SSH in combination with the supplied account(s).

Amazon EC2 Query

This query creates a scan based on accessible EC2 instances running in your Amazon AWS environments.

AWS keys, regions, credentials and other information are required in order to successfully complete this query.

Creating a New Query

To create a new Discovery query:

  1. Navigate to Administration > Discovery and click the Add Query button to select your query type.

  2. When the new Discovery query page opens, configure the query as required. 

  3. When finished, click the Save button.

Newly created queries that are enabled will be queued for processing immediately.

For information about each available option, please click the option’s Help button for a brief description or read our online article Privileged Discovery Queries.

Managing Existing Queries

To manage your existing queries, navigate to the Administration > Discovery page and click on the desired button as described below.

Edit

Use the Edit button to make changes to the selected query’s configuration.

View

Use the View button to view the results of the executed query.

Enable

Use the Enable button to enable a currently disabled query (supports multiple selections).

Disable

Use the Disable button to disable a currently enabled query (supports multiple selections).

Delete

Use the Delete button to delete the currently selected queries (supports multiple selections).

Refresh

Use the Refresh button to refresh the list of queries to display the latest configuration and status.

Viewing a Query Report

To review the results of a Discovery Query after it has completed at least one run, click its View button. 

The Discovery results report will list all hosts that were found during the previous run(s).

The default view is filtered to the Connected state, but you may switch between the available options: All, Open Port and Connected.

All

Displays all the endpoints that were found regardless of the response.

Open Port

Displays the endpoints that were found with an open port (PowerShell or SSH) regardless of the response.

Connected

Displays all the endpoints that were found and with which communication was successfully established using one of the accounts provided in the query.
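The following is an added example, not code from the product or its documentation. It models the two target-list sources described above (an IP-range From – To query and a CSV-based query) and the three report views (All, Open Port, Connected), and additionally lists hosts that answered on a transport port but could not be reached with any supplied account, which is the set a defender typically reviews first. The port numbers, the CSV column name, and all probe results are constructed assumptions; no network access is performed.

```python
"""Added example: model a Discovery Query's target list and its report views.

Assumptions (not from the product documentation):
  - WinRM over HTTP (TCP 5985) stands in for the PowerShell transport, TCP 22 for SSH.
  - A CSV-based query supplies endpoints in a column named 'host'.
  - Probe results are constructed inline; nothing is actually scanned.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed transport ports for the two communication methods named on the page.
TRANSPORT_PORTS = {"powershell": 5985, "ssh": 22}


def hosts_from_ip_range(start: str, end: str) -> List[str]:
    """Expand an inclusive From-To IPv4 range into individual host addresses."""
    first = ipaddress.ip_address(start)
    last = ipaddress.ip_address(end)
    if last < first:
        raise ValueError("range end precedes range start")
    # summarize_address_range yields the minimal networks covering [first, last];
    # iterating each network yields every address in it, including first and last.
    return [str(ip) for net in ipaddress.summarize_address_range(first, last) for ip in net]


def hosts_from_csv(text: str) -> List[str]:
    """Read endpoints from a CSV with a 'host' column, dropping blanks and duplicates."""
    hosts: List[str] = []
    for row in csv.DictReader(io.StringIO(text)):
        host = (row.get("host") or "").strip()
        if host and host not in hosts:
            hosts.append(host)
    return hosts


@dataclass
class ProbeResult:
    """Outcome of contacting one endpoint with the query's accounts (constructed data)."""
    host: str
    open_port: Optional[int]  # None when neither transport port answered
    connected: bool           # True when one supplied account authenticated

    def __post_init__(self) -> None:
        # A host cannot be Connected without a transport port having answered.
        if self.connected and self.open_port is None:
            raise ValueError(f"{self.host}: connected without an open port")


def report_view(results: List[ProbeResult], view: str) -> List[str]:
    """Return the hosts shown by the All, Open Port or Connected report filter."""
    if view == "All":
        return [r.host for r in results]
    if view == "Open Port":
        return [r.host for r in results if r.open_port is not None]
    if view == "Connected":
        return [r.host for r in results if r.connected]
    raise ValueError(f"unknown view {view!r}")


def open_but_not_connected(results: List[ProbeResult]) -> List[str]:
    """Hosts that answered on a transport port but rejected every supplied account."""
    return [r.host for r in results if r.open_port is not None and not r.connected]


# Constructed sample input: a CSV with a duplicate, a blank line and an empty notes field.
CONSTRUCTED_CSV = (
    "host,notes\n"
    "file01.example.test,primary\n"
    "\n"
    "file01.example.test,duplicate\n"
    "db02.example.test,\n"
)

# Constructed probe results for a small From-To range.
CONSTRUCTED_RESULTS = [
    ProbeResult("10.0.0.1", TRANSPORT_PORTS["powershell"], True),
    ProbeResult("10.0.0.2", None, False),
    ProbeResult("10.0.0.3", TRANSPORT_PORTS["ssh"], False),
    ProbeResult("10.0.0.4", TRANSPORT_PORTS["ssh"], True),
]

if __name__ == "__main__":
    print("IP-range targets:", hosts_from_ip_range("10.0.0.1", "10.0.0.4"))
    print("CSV targets:", hosts_from_csv(CONSTRUCTED_CSV))
    for view in ("All", "Open Port", "Connected"):
        print(f"{view}: {report_view(CONSTRUCTED_RESULTS, view)}")
    print("Open port but no account worked:", open_but_not_connected(CONSTRUCTED_RESULTS))
```

The three views nest: every Connected host is also in Open Port, and every Open Port host is in All. The difference between the Open Port and Connected views is therefore the list of endpoints the query could reach but not authenticate to, which usually means the supplied accounts are not valid on those hosts and they are not yet under management.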


Other options available within the Discovery Query report include:

Remove Hosts

Use this option to remove all discovered hosts from the report.

Copy

Use this option to copy the selected host(s) so that they can then be pasted into a container in a Record List as new records.

Deleting Queries

To delete an existing query, navigate to the Administration > Discovery page.

Select the query that you wish to delete and click the Delete button to remove it.

The delete operation can support both single and multiple selections.

Delete will remove both the query and all its previous results. 

Use the Disable option instead if you want to stop the query from executing and retain the previous results.

Scheduling Queries

Discovery Queries are configured to be queued every 120 minutes.

New queries will be added to the job queue when saved; however, existing queries that are edited will not be re-added to the queue.

To change this default 120-minute schedule:

  1. Navigate to the Administration > Settings > Application Nodes tab.

  2. In the list of Application Nodes, locate the node that is labeled as the Worker and click its Edit button.

  3. Enter your desired interval in the Discovery Idle Time setting (defined in minutes between scans) and click the Save button when finished.