Discovery Rules Engine


The Discovery Rules Engine allows users with Discovery Enforcement permissions to create and manage ordered rule sets for a specific PAM Configuration on a Gateway, controlling how Discovery jobs identify resources and how discovered results are handled and stored. This enables automatic, batch processing at scale, so instead of manually reviewing and processing hundreds or thousands of discovered resources, admins can use rules to automatically add, ignore, or prompt based on defined criteria. Rules are evaluated in order, and the first rule that matches a discovered resource determines what happens next (“first match wins”).

Creating or managing rules

Rules are managed from the Discovery section of the Vault under the Rules tab, where you can:

Assigning a rule set when creating a Discovery job

  • Click Create a Discovery job and select a Gateway.

  • If that Gateway is linked to multiple PAM Configurations, choose the PAM Configuration you want to use.

  • The rules associated with that PAM Configuration will be applied when the job runs on the selected Gateway.

  • If the selected PAM Configuration has no rules, you’ll be able to create them during setup.

Ordering and priority

Rules run in a defined order:

  • By default, rules follow creation order

  • You can manually reorder rules

  • First match wins (only one rule applies to each discovered resource; later rules are not evaluated for that resource)

Rule actions

Each rule can apply one of the following actions:

  • Add – Automatically applies the rule logic to the given resource and adds it to the vault.

  • Ignore – Excludes matching resources to reduce noise and false positives

  • Prompt – Flags the resource for users to review when more input is needed

Fields supported by the Rules Engine

  • recordType - The PAM record type.

  • recordTitle - The autogenerated record title.

  • recordNotes - The record notes produced by the post-discovery process, before the rules engine runs. These can be internationalized.

  • recordDesc - The description of the object. These can be internationalized.

  • parentUid - The UID of the parent record. This is used mainly on PAM User records where you need to match the user to a resource.

  • parentRecordType - The record type of the parent record. This can be used to group the users on a resource with the resource record.

  • login - The login field on PAM User, Machine, Database, and Directory objects. This may be set in Discovery based on the provider and resource type. Most of the time it will be blank.

  • password - The password field on PAM User, Machine, Database, and Directory objects. Discovery normally will not populate this.

  • privatePEMKey - The private key field on PAM User, Machine, Database, and Directory objects. Discovery normally will not populate this.

  • distinguishedName - The Distinguished Name on the PAM User and PAM Directory object.

  • connectDatabase - The database to use for connection on the PAM User and PAM Database object.

  • managed - Flag to indicate if the user is managed by another process. For AWS, this would be IAM users in RDS. Other providers may offer the same services.

  • hostName - The hostname or IP of a resource. This matches on either the hostname or the IP value: when the rule engine evaluates this field, it expands the comparison to include ip. For example, hostName == '127.0.0.1' is expanded to (hostName == '127.0.0.1' or ip == '127.0.0.1'), and hostName != '127.0.0.1' to (hostName != '127.0.0.1' and ip != '127.0.0.1').

  • port - The connection port. This is handled as a number, not a string. This allows Arithmetic-Comparison Operators.

  • operatingSystem - The operating system discovered for a PAM Machine object. This is populated for providers like AWS and Azure; Local Network discovery cannot detect the operating system from outside the machine.

  • instanceId - For a PAM Machine object, the value depends on the provider. For AWS this is the EC2 Instance ID, for Azure the VM name, otherwise the IP/hostname. This value is intended to be unique among the gateway's PAM Machines.

  • instanceName - For a PAM Machine object, the value depends on the provider. For AWS this is the EC2 Instance name or ID, for Azure the VM name, otherwise the IP/hostname.

  • providerGroup - A general name for cloud provider groups. This is the resource group in Azure. This is not used in AWS.

  • providerRegion - A general name for cloud provider regions. This is the Region Name in AWS and the Location in Azure.

  • databaseId - For a PAM Database object, the value depends on the provider. For AWS this is the RDS Database Instance ID, for Azure it is the database name. Otherwise, it is the IP/hostname:port. This value is intended to be unique among the gateway's PAM Databases.

  • databaseType - The enumeration for the type of database.

  • useSSL - A boolean indicating whether the connection requires SSL.

  • domainName - The domain name of a directory service. This is not a distinguished name.

  • directoryId - For a PAM Directory object, the value depends on the provider. For AWS this is the Directory ID, for Azure it is the domain name. Otherwise, it is the IP/hostname:port. This value is intended to be unique among the gateway's PAM Directories.

  • directoryType - The enumeration for the type of directory.


port supports the arithmetic-comparison operators >, >=, < and <=; in the rule statement the value must not be quoted (for example port > 1024). These operators also accept strings, in which case the comparison is lexicographic: hostName > "C" is true if hostName starts with "D" and false if it starts with "B".

managed and useSSL are booleans; in the rule statement the value must not be quoted.

Operators

Operator  Description                                     Regex?  Data types
--------  ----------------------------------------------  ------  ----------
==        Equal                                           No      All data types
!=        Not equal                                       No      All data types
>         Greater than                                    No      All data types
<         Less than                                       No      All data types
>=        Greater than or equal                           No      All data types
<=        Less than or equal                              No      All data types
=^        Starts with                                     No      String
=*        Contains                                        No      String
=$        Ends with                                       No      String
!^        Does not start with                             No      String
!*        Does not contain                                No      String
!$        Does not end with                               No      String
=~~       Regex search; true if the pattern is found      Yes     String
          anywhere in the string value
!~~       Regex search; false if the pattern is found     Yes     String
          anywhere in the string value
=~        Regex match; true if the pattern matches at     Yes     String
          the beginning of the string value
!~        Regex match; false if the pattern matches at    Yes     String
          the beginning of the string value
in        Value is in the set; the set is a JSON array,   No      [String|Float|Int, …]
          e.g. [ "One", "Two", "Three" ]

Match (=~, !~) is anchored only at the beginning of the value, so hostName =~ 'db' also matches 'db-prod-01'; search (=~~, !~~) finds the pattern anywhere in the value. To require an exact value, use == rather than a regular expression.
