# Discovery Basics

### Overview

In this guide, you will learn how to discover resources within your target infrastructure using Discovery.

### Prerequisites

Prior to using Discovery, make sure to have the following:

* An active license of KeeperPAM
* Activate [Enforcement Policies](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/enforcement-policies) on the Admin Console to enable discovery
* Deploy a [Keeper Gateway](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/gateways) using the latest version

### Discovery Enforcement Policies

On the Admin Console, the following Enforcement Policies affect the user's ability to run Discovery jobs.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FpIEvx3uoWPQt4DOxWMXR%2FScreenshot%202025-03-17%20at%208.00.04%E2%80%AFPM.png?alt=media&#x26;token=216d6d74-3f07-4395-a9ad-cf1e0a76c43b" alt=""><figcaption><p>Enable Discovery Policy</p></figcaption></figure>

<table><thead><tr><th width="196">Enforcement Policy</th><th width="250">Policy Key</th><th>Definition</th></tr></thead><tbody><tr><td>Can run discovery</td><td><code>ALLOW_PAM_DISCOVERY</code></td><td>Allow users to run discovery jobs</td></tr></tbody></table>

Discovery can also be enabled on the [Keeper Commander CLI](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/secrets-manager-commands#overview) using the `enterprise-role` command:

```
enterprise-role "My Role" --enforcement "ALLOW_PAM_DISCOVERY":true
```

### Installing the Keeper Gateway

The [Keeper Gateway](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/gateways) is a service that is installed on the customer's network to enable zero-trust access to target infrastructure. This service is installed in a Docker, Linux or Windows environment in each of the networks under management.

### Populating PAM User records

Before running a Discovery job, it is recommended to create [PAM User](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/pam-resources/pam-user) records for any administrative credentials you expect to use. Save these credentials as **PAM User** record types within the Shared Folder that is associated with your Application and Keeper Gateway.

### PAM Configuration

To get started with Discovery, you need a [PAM Configuration](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/pam-configuration) set up for your target infrastructure. The PAM Configuration directs the discovery process where to locate resources.

### Network Discovery

Local network discovery uses a CIDR range for scanning. In order for discovery to locate a resource, the resource must be listening on the required port. Below is the PAM Configuration data required for a successful discovery.

| Field        | Description                                                                                | Notes                                                                                                                                       |
| ------------ | ------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------- |
| Network ID   | Unique ID for the network                                                                  | <p>This is for the user's reference</p><p>Ex: <code>My Network</code></p>                                                                   |
| Network CIDR | Subnet of the IP address                                                                   | <p>Ex: <code>192.168.0.15/24</code><br><a href="https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing">learn more</a> about CIDR</p> |
| Port Mapping | If non-standard ports are being used, this ensures that discovery will find the resources. | <p>Example:<br><br>ssh=2222<br>rdp=3390</p>                                                                                                 |

### AWS Discovery

AWS discovery makes use of whatever AWS Role Policies have been granted to the Keeper Gateway in order to discover resources. The PAM Configuration filters against the provided region names to limit the findings.

In order for the Keeper Gateway to discover an AWS resource, it must be able to communicate with the target over the standard ports (e.g. port 22 for SSH, 3389 for RDP). If a non-standard port is being used, it must be specified in the PAM Configuration. Discovery will only add a resource to the Keeper vault if it can successfully communicate over that port. Adjust your security groups as necessary to allow this.

Below is the PAM Configuration data required for a successful discovery.

| Field             | Description                                                                                      | Notes                                                             |
| ----------------- | ------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------- |
| AWS ID            | Identifier selected by user                                                                      | This is just used for reference.                                  |
| Access Key ID     | Access Key only when required                                                                    | If instance role is applied to the Gateway, this is not required. |
| Secret Access Key | Secret Key only when required                                                                    | If instance role is applied to the Gateway, this is not required. |
| Region Names      | A list of AWS region names separated by newlines. Discovery will only find resources that match. | <p>Example:<br><br>us-west-1<br>us-east-2</p>                     |
| Port Mapping      | If non-standard ports are being used, this ensures that discovery will find the resources.       | <p>Example:<br><br>ssh=2222<br>rdp=3390</p>                       |

### Azure Discovery

Azure discovery makes use of whatever permissions have been granted to the role assigned to the Keeper Gateway in order to discover resources. The PAM Configuration filters against the provided region names to limit the findings.

In order for the Keeper Gateway to discover an Azure resource, it must be able to communicate with the target over the standard ports (e.g. port 22 for SSH, 3389 for RDP). If a non-standard port is being used, it must be specified in the PAM Configuration. Discovery will only add a resource to the Keeper vault if it can successfully communicate over that port. Adjust your Network Security Groups as necessary to allow this.

Below is the PAM Configuration data required for a successful discovery.

| Field           | Description                                                                                                                                 | Notes                                                                    |
| --------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------ |
| Azure ID        | A unique ID for your instance of Azure                                                                                                      | <p>Required. This is for the user's reference</p><p>Ex: <code>Azure-1</code></p> |
| Client ID       | The application/client ID (UUID) of the Azure application                                                                                   | Required                                                                 |
| Client Secret   | The client credentials secret for the Azure application                                                                                     | Required                                                                 |
| Subscription ID | The UUID of the subscription (i.e. Pay-As-You-Go)                                                                                           | Required                                                                 |
| Tenant ID       | The UUID of the Azure Active Directory                                                                                                      | Required                                                                 |
| Resource Groups | A list of resource groups to be checked. If left blank, all resource groups will be checked. Newlines should separate each resource group.  |                                                                          |
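The Network, AWS and Azure tables above each describe free-text fields (a CIDR, a newline-separated port mapping or region list, a set of UUIDs) that Discovery consumes as-is, so a typo shows up only as an empty result set or a job that silently probes the wrong range. The script below is an added example, not Keeper code: it validates a PAM Configuration for each of the three types before a job is launched and reports what the job would actually reach. The field names (`network_cidr`, `port_mapping`, `region_names`, and so on), the default ports of 22 and 3389, and the AWS region-name pattern are assumptions made for this example; the requirement that a region list be non-empty is likewise this example's choice, following the note that Discovery only finds resources that match.

```python
"""Pre-flight checks for the PAM Configuration fields Discovery relies on.

Added example (not Keeper's code). Field names and defaults are assumptions.
"""
import ipaddress
import re
import uuid

# Standard ports named in the docs; overridden by the port mapping field.
DEFAULT_PORTS = {"ssh": 22, "rdp": 3389}

# Loose shape of an AWS region name such as us-west-1 or eu-central-2
# (assumption for this example, not an authoritative list).
AWS_REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")


def parse_port_mapping(text):
    """Parse newline-separated 'name=port' lines (e.g. 'ssh=2222') into a dict.

    Defaults are merged in so the result lists every port the Gateway must
    be able to reach. Malformed lines raise ValueError rather than being
    ignored, since a dropped override means the resource is never found.
    """
    ports = dict(DEFAULT_PORTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"port mapping line must be name=port: {line!r}")
        name, value = (part.strip() for part in line.split("=", 1))
        if not value.isdigit() or not 1 <= int(value) <= 65535:
            raise ValueError(f"invalid port for {name!r}: {value!r}")
        ports[name.lower()] = int(value)
    return ports


def parse_newline_list(text):
    """Split a newline-separated field (regions, resource groups) into a list."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def validate_network(config):
    """Check a Network PAM Configuration and return the resulting scan plan."""
    # strict=False accepts a host address with a prefix, as in the docs'
    # example 192.168.0.15/24, and normalises it to the network 192.168.0.0/24.
    network = ipaddress.ip_network(config["network_cidr"], strict=False)
    ports = parse_port_mapping(config.get("port_mapping", ""))
    if network.version == 4 and network.prefixlen < 31:
        host_count = network.num_addresses - 2  # drop network + broadcast
    else:
        host_count = network.num_addresses
    return {
        "network_id": config["network_id"],
        "network": str(network),
        "host_count": host_count,
        "ports": ports,
        "probe_count": host_count * len(ports),  # TCP connects the job implies
    }


def validate_aws(config):
    """Check an AWS PAM Configuration (static keys are optional, but paired)."""
    key, secret = config.get("access_key_id"), config.get("secret_access_key")
    if bool(key) != bool(secret):
        raise ValueError("access key id and secret access key must be given together")
    regions = parse_newline_list(config.get("region_names", ""))
    if not regions:  # assumption: an empty filter would match nothing
        raise ValueError("at least one region name is required")
    bad = [r for r in regions if not AWS_REGION_RE.match(r)]
    if bad:
        raise ValueError(f"values do not look like AWS region names: {bad}")
    return {
        "aws_id": config["aws_id"],
        "auth": "static keys" if key else "instance role",
        "regions": regions,
        "ports": parse_port_mapping(config.get("port_mapping", "")),
    }


def validate_azure(config):
    """Check an Azure PAM Configuration; the three IDs must be UUIDs."""
    for field in ("client_id", "subscription_id", "tenant_id"):
        try:
            uuid.UUID(str(config[field]))
        except (KeyError, ValueError):
            raise ValueError(f"{field} must be present and a UUID") from None
    if not config.get("client_secret"):
        raise ValueError("client secret is required")
    groups = parse_newline_list(config.get("resource_groups", ""))
    return {"azure_id": config["azure_id"], "resource_groups": groups or "all"}


if __name__ == "__main__":
    # Constructed sample configurations using the docs' example values.
    print(validate_network({"network_id": "My Network",
                            "network_cidr": "192.168.0.15/24",
                            "port_mapping": "ssh=2222\nrdp=3390"}))
    print(validate_aws({"aws_id": "AWS-1", "region_names": "us-west-1\nus-east-2"}))
    print(validate_azure({"azure_id": "Azure-1", "client_secret": "<placeholder>",
                          "client_id": "11111111-2222-3333-4444-555555555555",
                          "subscription_id": "11111111-2222-3333-4444-666666666666",
                          "tenant_id": "11111111-2222-3333-4444-777777777777"}))
```

The `probe_count` figure is the useful output for a network job: a /24 with two protocols implies 508 TCP connection attempts from the Gateway, which is what a firewall or NSG change has to allow, and what a network IDS will see when the job runs.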

### Discovery Workflow

The basic workflow for running Discovery jobs is the following:

* Set up a Keeper Gateway with associated Shared Folders
* Populate the shared folders with any administrative credentials as PAM User record types
* Run a discovery job on the target infrastructure
* Process the results to create PAM Machine, PAM Database and PAM Directory resources
* Run additional discovery jobs to locate user accounts within each found resource, utilizing credentials provided to the job.

### Discovery Types

Keeper will discover resources, and the user accounts associated with them, for the following resource types:

#### Databases

* PostgreSQL
* MySQL
* MariaDB
* Microsoft SQL Server
* Oracle
* MongoDB

#### Machines

* Linux
* Windows

#### Directories

* Active Directory
* LDAP
* Local users
* Domain users

#### AWS Cloud

* Virtual Machines
* Directories and directory users
* IAM users
* Databases
* Database users

#### Azure Cloud

* Virtual Machines
* Directories and directory users
* IAM users
* Databases
* Database users

### Services and Scheduled Tasks

When discovery is performed on a Windows machine, Keeper will automatically determine if a PAM User should be directly associated with any running services or scheduled tasks. When rotation is performed on any user accounts, Keeper will then update the Windows service account "log on as" credentials for any Windows services running as the PAM User, and restart the service. Keeper will also update the credential of any scheduled task running as that user on the target machine.

To learn more and set up this capability, see the [Service Management](https://docs.keeper.io/en/keeperpam/privileged-access-manager/password-rotation/service-management) page.

### Activating PAM Features

After a Discovery process has been completed, you can edit the vault records to activate advanced features such as [**Rotation**](https://docs.keeper.io/en/keeperpam/secrets-manager/password-rotation), [**Connections**](https://docs.keeper.io/en/keeperpam/privileged-access-manager/connections), and [**Tunnels**](https://docs.keeper.io/en/keeperpam/privileged-access-manager/tunnels).

### Next Steps

* [Discovery using Commander](https://docs.keeper.io/en/keeperpam/privileged-access-manager/discovery/discovery-using-commander)
* [Discovery using the Vault](https://docs.keeper.io/en/keeperpam/privileged-access-manager/discovery/discovery-using-the-vault)
