Discovery using the Vault

Running Discovery using the Keeper Vault user interface

Overview

Keeper Discovery provides DevOps, IT Security, and development teams with centralized visibility into privileged accounts and IT assets across local, AWS, and Azure environments. Integrated through the Keeper Gateway, it helps organizations identify unmanaged accounts, misconfigurations, and security risks. By automating asset discovery and delivering actionable insights, Keeper Discovery strengthens security, streamlines operations, and supports compliance across complex infrastructure setups.

Prerequisites

Prior to using Discovery, make sure to review the Discovery Basics documentation.

Discovery

To create a Discovery Job, navigate to the Discovery tab and click Create Discovery Job. Then, select an active Keeper Gateway to perform the scan. The Gateway is linked to a PAM Configuration, which defines the environment type being scanned.

If the PAM Configuration is missing required details, such as CIDR ranges or cloud credentials, you’ll be prompted to provide that information before the job can proceed.

Job Queue

Discovery jobs can be run in parallel across Keeper Gateways, but a single gateway can only run one job at a time. If a job on a particular gateway is still running, you will receive an error message and be given the opportunity to cancel the job.

Job is Currently Running

Once a Discovery Job reaches the Completed state, clicking on the job allows you to review and process the findings interactively. You can select multiple items or go through them individually, adding findings to a queue before finalizing the results.

While reviewing discovery results, you can choose the Vault location where each resource will be stored and assign the appropriate Admin Credentials. These credentials serve several key functions:

  • User Account Discovery: Used in future discovery jobs to remotely access the resource and identify local user accounts.

  • Password Rotation: Enables on-demand and scheduled password rotations for discovered accounts.

Additionally, PAM Users identified during discovery can be configured for automatic password rotation.

In the Discovery Job panel, you can view all previously run jobs along with their status, such as Completed, Running, or Failed.

Next Steps

Now that the Discovery is complete, additional resources can be found by running another job against the same Gateway and PAM Configuration. If Admin Credentials have been linked to KeeperPAM Resources, these credentials will be used to discover local user accounts within each resource.
