What is Keeper Discovery?

Keeper Discovery empowers DevOps, IT Security, and software development teams with complete visibility into all privileged accounts and IT assets within your organization. Through the Keeper Gateway, Keeper Discovery can identify assets across your infrastructure in the following target configurations:

• Local Environment

• AWS

• Azure

• Google Cloud

Why use Keeper Discovery?

Organizations often struggle with maintaining visibility over privileged accounts and IT assets across increasingly complex infrastructures, including on-premises environments and multi-cloud setups. This lack of visibility can lead to unmanaged accounts, misconfigurations, and potential security vulnerabilities.

Keeper Discovery solves these challenges by:

• Providing Centralized Visibility: Automatically discovering and cataloging privileged accounts and IT assets across local environments, AWS, Azure, and Google Cloud.

• Strengthening Security Posture: Identifying unmanaged accounts, misconfigurations, and security risks to proactively address vulnerabilities.

• Streamlining Discovery: Simplifying the process of asset discovery using the Keeper Gateway, enabling seamless integration into your infrastructure.

Encryption and Security Model

Keeper Discovery operates on a zero-knowledge model, ensuring that neither Keeper's infrastructure nor its employees can view, access, or decrypt any discovered assets. All discovery tasks are executed by the Keeper Gateway within the customer's environment. The gateway encrypts findings and securely exchanges data with the Keeper Vault and privileged users via the Keeper Secrets Manager APIs.

• For more information, see the section

Features of Keeper Discovery

Keeper Discovery is part of the Zero-Trust KeeperPAM Platform. Keeper Discovery has the following features:

• Create a discovery job to scan assets through any Keeper Gateway

• View the status of running discovery jobs

• Kill discovery jobs

Methodology

Keeper's Discovery system first performs a scan of resources, based on the Keeper Gateway capabilities and the defined PAM Configuration.

After locating resources, a rules engine converts the findings into Keeper records and adds those resources to Shared Folders. The types of Keeper Records that can be created are:

Once resources are discovered, the interactive discovery process enables users to link administrative credentials, such as username/password combinations or SSH keys, to the identified resources. After the initial discovery and credential association, users can initiate a deeper discovery to identify local users and services within each target resource.

Keeper's encrypted data storage model organizes these associations—environments, Gateways, Resources, Accounts, and Services—into a Graph structure. This PAM Graph represents the environment as a hierarchical set of parent-child relationships, allowing KeeperPAM to map and visualize the environment effectively.

How to use Discovery

Discovery can be managed through the Keeper Commander CLI and the Vault UI.

The next section covers the basics on performing discovery with KeeperPAM.

Overview

In this guide, you will learn how to discover resources within your target infrastructure using Discovery with the Keeper Vault and Desktop App.

Prerequisites

Prior to using Discovery, make sure to review the documentation.

Discovery

From the Keeper Vault, click on the Discovery section. Click on "Create Discovery Job" to start a discovery process.

When discovery jobs are either running, failed, or completed states, the jobs will display on the Discovery screen.

Create a Discovery Job

To create a discovery job, select the Keeper Gateway which will perform the discovery. The Gateway is associated to a PAM Configuration, which tells the gateway what type of environment is being scanned.

If the PAM Configuration is lacking details about the environment such as CIDR or cloud secrets, the user is prompted to enter this information.

Discovery Rules

If prior discovery jobs have created discovery rules, the rules can be viewed and managed. A Discovery Rule saves time in the discovery process by ignoring certain findings. For example, if you want to ignore a certain resource.

Job Queue

Discovery jobs can be run in parallel across Keeper Gateways, but a single gateway can only run a single job at a time. If a job on a particular gateway is still running, you will receive an error message and you are giving the opportunity to cancel the job.

Process Results

After a discovery job is in a "Completed" state, clicking the Job will allow you to process the findings interactively. You can multi-select or iterate through the findings, and add the findings to a queue before it is finalized.

When iterating through the discovery results, you can either Ignore, Skip or Queue the result to the final batch of results.

• Ignore: Skip the resource now and for future jobs, creating a Rule for this resource

• Skip: Only skips the resource during this session, but will be found again in subsequent scans

• Queue to Folder: Add the resource to the queue, and finalize all findings at the end

When iterating through the results, you can select the location in the vault where the resource will be stored, and you can immediately assign the Admin Credentials associated to the resource. The Admin Credentials which are linked to the resource server several purposes:

• Finding user accounts: Subsequent discovery jobs will be able to use the Admin Credentials to remotely access the target resource and discover local user accounts.

• Password Rotation: The Admin Credential is used for performing on-demand and scheduled password rotations on any found accounts.

• Just-In-Time Access: Keeper JIT enables role and group elevation for the duration of privileged sessions.

PAM Resources can have Connections and Tunneling activated to simplify the process of establishing access to the targets. PAM Users found during discovery can be enabled for automatic rotation.

Publish Found Resources

After processing through the findings, the queued resources can be published to the vault in the specified Shared Folder locations.

Next Steps

Now that the Discovery is complete, additional resources can be found by running another job against the same Gateway and PAM Configuration. If Admin Credentials have been linked to KeeperPAM Resources, these credentials will be used to discover local user accounts within each resource.

Overview

In this guide, you will learn how to discover resources within your target infrastructure using Discovery with Keeper Commander.

Prerequisites

Prior to using Discovery on Commander, make sure to review the documentation.

Starting Commander

Login to Keeper Commander CLI using the keeper shell command.

List the Gateways

Run the command pam gateway list or pam g l command to list all gateways

The Gateway UID is required to start the discovery process.

Start Discovery Job

Run the pam action discover start command to start a discovery job. The Gateway UID must be provided with the -g option.

View Status of Discovery Job

View the status of the active discovery job by with pam action discover status

After a discovery job is complete, the detailes status information can be viewed by running:

Proceed to the next step once the Discovery job's status is COMPLETE. Depending on how big your environment is, this may take a few minutes.

Process the Discovery Results

Once the discovery job is completed, you can process the findings with the provided Job ID.

An interactive CLI session will start where you will be shown information on discovered assets and will be able to provision them as PAM Record types in your vault.

During the Discovery process, you may be prompted to provide a PAM User record or create one on the fly to associate administrative credentials with the target resource.

Once the initial process is complete and administrative credentials have been supplied, you can run another Discovery job. This subsequent job leverages the provided credentials to delve deeper into the target resources, identifying local user accounts, services, and scheduled tasks.

Exploring Commander Capabilities

Keeper Commander provides many advanced capabilities for managing gateways, configurations, rotations and discovery. See the for a list of all available options.

The Discovery Rules Engine allows users with Discovery Enforcement permissions to create and manage ordered rule sets for a specific PAM Configuration on a Gateway, controlling how Discovery jobs identify resources and how discovered results are handled and stored. This enables automatic, batch processing at scale, so instead of manually reviewing and processing hundreds or thousands of discovered resources, admins can use rules to automatically add, ignore, or prompt based on defined criteria. Rules are evaluated in order, and the first rule that matches a discovered resource determines what happens next (“first match wins”).

Creating or Managing rules

Rules are managed from the Discovery section of the Vault under the Rules tab, where you can:

• Create new rules for a given PAM configuration

Assigning a rule set when creating a Discovery job

• Click Create a Discovery job and select a Gateway.

• If that Gateway is linked to multiple PAM Configurations, choose the PAM Configuration you want to use.

• The rules associated with that PAM Configuration will be applied when the job runs on the selected Gateway.

• If the selected PAM Configuration has no rules, you’ll be able to create them during setup.

Ordering and priority

Rules run in a defined order:

• By default, rules follow creation order

• You can manually reorder rules

• First match wins (only one rule applies per Discovery Job)

Rule actions

Each rule can apply one of the following actions:

• Add – Automatically applies the rule logic to the given resource and adds it to the vault.

• Ignore – Excludes matching resources to reduce noise and false positives

• Prompt – Flags the resource for users to review when more input is needed

Fields supported by the Rules Engine

• recordType - The PAM record type.

• recordTitle - The autogenerated record title.

• recordNotes - The notes, pre-rule engine, from the post discovery process. These can be internationalized.

Operators

Overview

In this guide, you will learn how to discover resources within your target infrastructure using Discovery.

Prerequisites

Prior to using Discovery, make sure to have the following:

• An active license of KeeperPAM

• Activate on the Admin Console to enable discovery

• Deploy a using the latest version

Discovery Enforcement Policies

On the Admin Console, the following Enforcement Policies affect the user's ability to run Discovery jobs.

Discovery can also be enabled on the using the enterprise-role command:

Installing the Keeper Gateway

The is a service that is installed on the customer's network to enabled zero-trust access to target infrastructure. This service is installed on a Docker, Linux or Windows environment in each of the networks under management.

Populating PAM User records

Before running a Discovery job, it is recommended to create records for any administrative credentials you expect to use. Save these credentials as PAM User record types within the Shared Folder that is associated with your Application and Keeper Gateway.

PAM Configuration

To get started with Discovery, you need a set up for your target infrastructure. The PAM Configuration directs the discovery process where to locate resources.

Network Discovery

Local network discovery utilize a CIDR for scanning. In order for discovery to locate a resource, it must be listening on the required port. Below is the PAM Configuration data required for a successful discovery.

AWS Discovery

AWS discovery makes use of whatever AWS Role Policies have been granted to the Keeper Gateway in order to discover resources. The PAM Configuration filters against the provided region names to limit the findings.

In order for the Keeper Gateway to discover an AWS resource, it must be able to communicate to the target over standard ports (e.g. port 22 for SSH, 3389 for RDP, etc). If a non-standard port is being used, this needs to be specified in the PAM Configuration. Discovery will only add the resources to the Keeper vault if it can successfully communicate over the port. Adjust your security groups as necessary to allow this.

Below is the PAM Configuration data required for a successful discovery.

Azure Discovery

Azure discovery makes use of whatever permissions have been granted to the role assigned to the Keeper Gateway in order to discover resources. The PAM Configuration filters against the provided region names to limit the findings.

In order for the Keeper Gateway to discover an Azure resource, it must be able to communicate to the target over standard ports (e.g. port 22 for SSH, 3389 for RDP, etc). If a non-standard port is being used, this needs to be specified in the PAM Configuration. Discovery will only add the resources to the Keeper vault if it can successfully communicate over the port. Adjust your Network Security Groups as necessary to allow this.

Below is the PAM Configuration data required for a successful discovery.

Discovery Workflow

The basic workflow for running Discovery jobs is the following:

• Set up a Keeper Gateway with associated Shared Folders

• Populate the shared folders with any administrative credentials as PAM User record types

• Run a discovery job on the target infrastructure

Discovery Types

Keeper will discover Resources and associated user accounts in the following resources:

Databases

• PostgreSQL

• MySQL

• MariaDB

• Microsoft SQL Server

Machines

• Linux

• Windows

Directories

• Active Directory

• LDAP

• Local users

• Domain users

AWS Cloud

• Virtual Machines

• Directories and directory users

• IAM users

• Databases

Azure Cloud

• Virtual Machines

• Directories and directory users

• IAM users

• Databases

Services and Scheduled Tasks

When discovery is performed on a Windows machine, Keeper will automatically determine if a PAM User should be directly associated with any running services or scheduled tasks. When rotation is performed on any user accounts, Keeper will then update the Windows service account "log on as" credentials for any Windows services running as the PAM User, and restart the service. Keeper will also update the credential of any scheduled task running as that user on the target machine.

To learn more and set up this capability, see the page.

Activating PAM Features

After a Discovery process has been completed, you can edit the vault records to activate advanced features such as , , and .

Next Steps: