# Discovery using the Vault

### Overview

**Keeper Discovery** provides DevOps, IT Security, and development teams with centralized visibility into privileged accounts and IT assets across local, AWS, and Azure environments. Integrated through the Keeper Gateway, it helps organizations identify unmanaged accounts, misconfigurations, and security risks. By automating asset discovery and delivering actionable insights, Keeper Discovery strengthens security, streamlines operations, and supports compliance across complex infrastructure setups.

### Prerequisites 

Prior to using Discovery, make sure to review the [Discovery Basics](https://docs.keeper.io/en/keeperpam/privileged-access-manager/discovery/discovery-basics) documentation.

### Discovery

To create a Discovery Job, navigate to the **Discovery** tab and click **Create Discovery Job**. Then, select an active **Keeper Gateway** to perform the scan. The Gateway is linked to a **PAM Configuration**, which defines the environment type being scanned.

If the PAM Configuration is missing required details, such as CIDR ranges or cloud credentials, you’ll be prompted to provide that information before the job can proceed.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FBcfPvjJKaSNe72Ms6N59%2FScreenshot%202025-07-15%20at%204.08.35%E2%80%AFPM.png?alt=media&#x26;token=4a0c8567-9aa4-47f6-8022-cccedb3be1da" alt=""><figcaption></figcaption></figure>

### Job Queue

Discovery jobs can be run in parallel across Keeper Gateways, but a single gateway can only run a single job at a time. If a job on a particular gateway is still running, you will receive an error message and you are giving the opportunity to cancel the job.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FpfN0rlCfIdJ0zPFSbzz3%2FCurrent%20Job%20being%20processed.png?alt=media&#x26;token=0bcaeea5-8ec5-42aa-b2c2-4bbaea5039ad" alt=""><figcaption><p>Job is Currently Running</p></figcaption></figure>

Once a Discovery Job reaches the **Completed** state, clicking on the job allows you to review and process the findings interactively. You can select multiple items or go through them individually, adding findings to a queue before finalizing the results.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2F4kXE4NnZTlzLyBh6Lbcw%2FScreenshot%202025-07-15%20at%204.19.51%E2%80%AFPM.png?alt=media&#x26;token=17801847-84b0-48a1-9327-328d224bb8d3" alt=""><figcaption></figcaption></figure>

While reviewing discovery results, you can choose the Vault location where each resource will be stored and assign the appropriate Admin Credentials. These credentials serve several key functions:

* **User Account Discovery**: Used in future discovery jobs to remotely access the resource and identify local user accounts.
* **Password Rotation**: Enables on-demand and scheduled password rotations for discovered accounts.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FwnILhTv9uMDZMgZdq5YC%2FScreenshot%202025-07-15%20at%204.20.20%E2%80%AFPM.png?alt=media&#x26;token=d2cc4647-73cb-4e3e-8be4-1c802a02a86b" alt=""><figcaption></figcaption></figure>

Additionally, PAM Users identified during discovery can be configured for **automatic password rotation**.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2F6awIjKl57UNbI9E7isdz%2FScreenshot%202025-07-15%20at%204.23.10%E2%80%AFPM.png?alt=media&#x26;token=316b5011-5f85-4412-bd83-07589dd6bb08" alt=""><figcaption></figcaption></figure>

In the Discovery Job panel, you can view all previously run jobs along with their status, such as Completed, Running, or Failed.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FD2X7MQ1RRvjLADEqyEp7%2FScreenshot%202025-07-15%20at%204.20.58%E2%80%AFPM.png?alt=media&#x26;token=c9631055-caed-4b77-b75a-19699151b9d0" alt=""><figcaption></figcaption></figure>

### Next Steps

Now that the Discovery is complete, additional resources can be found by running another job against the same Gateway and PAM Configuration. If Admin Credentials have been linked to KeeperPAM Resources, these credentials will be used to discover local user accounts within each resource.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.keeper.io/en/keeperpam/privileged-access-manager/discovery/discovery-using-the-vault.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.