# Discovery Rules Engine

<figure><img src="/files/JY2b4pNuDP0ajW1eRjFN" alt=""><figcaption></figcaption></figure>

The Discovery Rules Engine allows users with **Discovery Enforcement** permissions to create and manage ordered rule sets for a specific **PAM Configuration** on a **Gateway**, controlling how Discovery jobs identify resources and how discovered results are handled and stored. This enables **automatic, batch processing at scale**, so instead of manually reviewing and processing hundreds or thousands of discovered resources, admins can use rules to **automatically add, ignore, or prompt** based on defined criteria. Rules are evaluated in order, and the first rule that matches a discovered resource determines what happens next (“first match wins”).

#### Creating or managing rules

Rules are managed from the **Discovery** section of the Vault under the **Rules** tab, where you can:

* Create new rules for a given PAM configuration
  * [Supported Action](#rule-actions)
  * [Supported Fields](#here-are-the-fields-supported-by-the-rules-engine)
  * [Supported Operators](#operators)
* Edit the existing rule set for a given PAM config
* Manage the order in which the rules are executed
* Enable or disable rules
* Delete rules

<figure><img src="/files/VdHgiYBJWov681K7cxCR" alt="" width="563"><figcaption></figcaption></figure>

### Assigning a rule set when creating a Discovery job

* Click **Create a Discovery job** and select a **Gateway.**

<figure><img src="/files/908nfcLgqpvN75L6TE3f" alt=""><figcaption></figcaption></figure>

* If that Gateway is linked to **multiple PAM Configurations**, choose the **PAM Configuration** you want to use.

<figure><img src="/files/9xXQf0zauwMbluJ225Lu" alt="" width="411"><figcaption></figcaption></figure>

* The **rules associated with that PAM Configuration** will be applied when the job runs on the selected Gateway.
* If the selected PAM Configuration has **no rules**, you’ll be able to create them **during setup.**

<figure><img src="/files/luCMbQ4a5YbGfEhWyTRV" alt="" width="563"><figcaption></figcaption></figure>

#### Ordering and priority

Rules run in a defined order:

* By default, rules follow **creation order**
* You can manually reorder rules
* **First match wins** (only one rule applies per Discovery Job)

#### Rule actions

Each rule can apply one of the following actions:

* **Add** – Automatically applies the rule logic to the given resource and adds it to the vault.
* **Ignore** – Excludes matching resources to reduce noise and false positives.
* **Prompt** – Flags the resource for users to review when more input is needed.

#### Fields supported by the Rules Engine

* `recordType` - The PAM record type.
* `recordTitle` - The autogenerated record title.
* `recordNotes` - The notes produced by the post-discovery process, before the rule engine runs. These can be internationalized.
* `recordDesc` - The description of the object. These can be internationalized.
* `parentUid` - The UID of the parent record. This is used mainly on PAM User records where you need to match the user to a resource.
* `parentRecordType` - The record type of the parent record. This can be used to group the users on a resource with the resource record.
* `login` - The login field on PAM User, Machine, Database, and Directory objects. This may be set in Discovery based on the provider and resource type. Most of the time it will be blank.
* `password` - The password field on PAM User, Machine, Database, and Directory objects. Discovery normally will not populate this.
* `privatePEMKey` - The private key field on PAM User, Machine, Database, and Directory objects. Discovery normally will not populate this.
* `distinguishedName` - The Distinguished Name on the PAM User and PAM Directory object.
* `connectDatabase` - The database to use for connection on the PAM User and PAM Database object.
* `managed` - Flag to indicate if the user is managed by another process. For AWS, this would be [IAM Users in RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html). Other providers may offer the same services.
* `hostName` - The hostname/IP of a resource. This will match on the hostname or IP value. When the rule engine evaluates this field, it will be expanded to include the IP. For example, `hostName == '127.0.0.1'` would be expanded to `(hostName == '127.0.0.1' or ip == '127.0.0.1')`, and `hostName != '127.0.0.1'` to `(hostName != '127.0.0.1' and ip != '127.0.0.1')`.
* `port` - The connection port. This is handled as a number, not a string. This allows Arithmetic-Comparison Operators.
* `operatingSystem` - The operating system discovered for a PAM Machine object. This will be populated for providers like AWS and Azure; however, Local Network discovery cannot detect the operating system from outside of the machine.
* `instanceId` - For a PAM Machine object, the value depends on the provider. For AWS, this will be an EC2 Instance ID; for Azure, the VM name; otherwise the IP/hostname. This value is intended to be unique for the gateway PAM Machines.
* `instanceName` - For a PAM Machine object, the value depends on the provider. For AWS, this will be an EC2 Instance name or ID; for Azure, the VM name; otherwise the IP/hostname.
* `providerGroup` - A general name for cloud provider groups. This is the resource group in Azure. This is not used in AWS.
* `providerRegion` - A general name for cloud provider regions. This is the **Region Name** in AWS. For Azure, this is the **Location**.
* `databaseId` - For a PAM Database object, the value depends on the provider. For AWS this is the RDS Database Instance ID, for Azure it’s the database name. Otherwise, it’s the IP/hostname:port. This value is intended to be unique for the gateway PAM Database.
* `databaseType` - The enumeration for the type of database.
* `useSSL` - A boolean to indicate if discovery requires SSL or not.
* `domainName` - The domain name of a directory service. This is not a distinguished name.
* `directoryId` - For a PAM Directory object, the value depends on the provider. For AWS this is the Directory ID, for Azure it’s the domain name. Otherwise, it’s the IP/hostname:port. This value is intended to be unique for the gateway PAM Directory.
* `directoryType` - The enumeration for the type of directory.

{% hint style="info" %}
`port` supports Arithmetic-Comparison Operators such as `>`, `>=`, `<` and `<=`. In the rule statement the value should not be quoted. Arithmetic-Comparison Operators can be used on strings. For example, `hostName > "C"` would be True if the hostName starts with a "D", and False if the hostName starts with a "B".

`managed` and `useSSL` are booleans. In the rule statement the value should not be quoted.
{% endhint %}

### Operators <a href="#operators" id="operators"></a>

| **Operator** | **Description**                                                                                     | **Regex?** | **Data Types**            |
| ------------ | --------------------------------------------------------------------------------------------------- | ---------- | ------------------------- |
| ==           | Equal                                                                                               | No         | Works for all data types. |
| !=           | Not Equal                                                                                           | No         | Works for all data types. |
| >            | Greater Than                                                                                        | No         | Works for all data types. |
| <            | Less Than                                                                                           | No         | Works for all data types. |
| >=           | Greater Than or Equal                                                                               | No         | Works for all data types. |
| <=           | Less Than or Equal                                                                                  | No         | Works for all data types. |
| =^           | Starts With                                                                                         | No         | String                    |
| =\*          | Contains                                                                                            | No         | String                    |
| =$           | Ends With                                                                                           | No         | String                    |
| !^           | Does not Start With                                                                                 | No         | String                    |
| !\*          | Does not Contain                                                                                    | No         | String                    |
| !$           | Does not End With                                                                                   | No         | String                    |
| =\~\~        | Regular Expression Search. Will search content of a string value. True if match found.              | Yes        | String                    |
| !\~\~        | Regular Expression Search. Will search content of a string value. False if match found.             | Yes        | String                    |
| =\~          | Regular Expression Match. Will search from the beginning of the string value. True if match found.  | Yes        | String                    |
| !\~          | Regular Expression Match. Will search from the beginning of the string value. False if match found. | Yes        | String                    |
| in           | Values in the set. Values is a JSON array. i.e., \[ "One", "Two", "Three" ]                         | No         | \[String\|Float\|Int, …]  |

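The following is an added example, not Keeper's own code, that models the behaviour documented in the Ordering and priority, Rule actions, Fields and Operators sections above as a small Python evaluator: rules run in list order, the first enabled rule whose conditions hold decides the action (Add, Ignore or Prompt), `port` is compared as a number, `managed` and `useSSL` as unquoted booleans, and a `hostName` condition is expanded to also test `ip` (or-joined for positive operators, and-joined for negated ones, as the page shows for `==` and `!=`). The rule and resource shapes, record-type names, hostnames, IPs and region values are constructed for the example; combining a rule's conditions with AND, treating an absent field as an empty string, and applying the hostName expansion to every operator rather than only `==`/`!=` are assumptions of this example.

```python
"""Toy first-match-wins evaluator for discovery rules.

Added example (not Keeper's code): models the documented semantics -- ordered
rules, first match wins, Add/Ignore/Prompt, the operator table, numeric
`port`, boolean `managed`/`useSSL`, and the hostName -> ip expansion.
Rule and resource shapes, field values and record-type names are constructed.
"""
import re
from typing import Any, Callable

# Negated operators: for hostName these must fail on BOTH hostName and ip.
NEGATED_OPS = {"!=", "!^", "!*", "!$", "!~~", "!~"}

# Operator table from the page, as predicates (resource value, rule value).
OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,            # numeric for port, lexicographic for strings
    "<": lambda a, b: a < b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "=^": lambda a, b: str(a).startswith(b),
    "=*": lambda a, b: b in str(a),
    "=$": lambda a, b: str(a).endswith(b),
    "!^": lambda a, b: not str(a).startswith(b),
    "!*": lambda a, b: b not in str(a),
    "!$": lambda a, b: not str(a).endswith(b),
    "=~~": lambda a, b: re.search(b, str(a)) is not None,  # anywhere in the string
    "!~~": lambda a, b: re.search(b, str(a)) is None,
    "=~": lambda a, b: re.match(b, str(a)) is not None,    # anchored at the start
    "!~": lambda a, b: re.match(b, str(a)) is None,
    "in": lambda a, b: a in b,                              # b is a JSON-style list
}


def field_matches(resource: dict, field: str, op: str, value: Any) -> bool:
    """Evaluate one `field <op> value` condition against a discovered resource."""
    pred = OPERATORS[op]

    def check(actual: Any) -> bool:
        try:
            return pred(actual, value)
        except TypeError:  # e.g. `port > 1024` on a record that has no port
            return False

    if field == "hostName":
        # Documented expansion: `hostName == X` -> (hostName == X or ip == X),
        # `hostName != X` -> (hostName != X and ip != X). Applying the same
        # or/and split to the other operators is this example's assumption.
        results = [check(resource.get("hostName", "")), check(resource.get("ip", ""))]
        return all(results) if op in NEGATED_OPS else any(results)
    return check(resource.get(field, ""))  # absent field treated as "" (assumption)


def first_match(rules: list[dict], resource: dict):
    """Return (rule name, action) of the first enabled rule whose conditions all hold.

    Rules are evaluated in list order; None means no rule matched. Combining a
    rule's conditions with AND is this example's assumption.
    """
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        if all(field_matches(resource, f, op, v) for f, op, v in rule["conditions"]):
            return rule["name"], rule["action"]
    return None


def process_batch(rules: list[dict], resources: list[dict]) -> dict[str, list[str]]:
    """Bucket a batch of discovered resources by the action the rule set chose."""
    summary: dict[str, list[str]] = {"add": [], "ignore": [], "prompt": [], "unmatched": []}
    for res in resources:
        hit = first_match(rules, res)
        summary[hit[1] if hit else "unmatched"].append(res["recordTitle"])
    return summary


# Constructed rule set, in evaluation order (conditions are (field, operator, value)).
RULES = [
    {"name": "ignore-loopback", "enabled": True, "action": "ignore",
     "conditions": [("hostName", "==", "127.0.0.1")]},
    {"name": "ignore-test-hosts", "enabled": False, "action": "ignore",   # disabled: skipped
     "conditions": [("recordTitle", "=~~", "test")]},
    {"name": "add-linux-in-approved-regions", "enabled": True, "action": "add",
     "conditions": [("providerRegion", "in", ["us-east-1", "us-west-2"]),
                    ("operatingSystem", "=^", "Linux")]},
    {"name": "prompt-unencrypted-db", "enabled": True, "action": "prompt",
     "conditions": [("recordType", "==", "pamDatabase"), ("useSSL", "==", False)]},
    {"name": "prompt-high-port", "enabled": True, "action": "prompt",
     "conditions": [("port", ">", 1024)]},                                  # unquoted number
    {"name": "ignore-externally-managed", "enabled": True, "action": "ignore",
     "conditions": [("managed", "==", True)]},                              # unquoted boolean
]

# Constructed discovery results (hostnames, IPs and record types are made up).
RESOURCES = [
    {"recordType": "pamMachine", "recordTitle": "localhost", "hostName": "localhost",
     "ip": "127.0.0.1", "port": 22},
    {"recordType": "pamMachine", "recordTitle": "web-01", "hostName": "web-01.example.internal",
     "ip": "10.0.1.5", "port": 22, "operatingSystem": "Linux/UNIX", "providerRegion": "us-east-1"},
    {"recordType": "pamDatabase", "recordTitle": "orders-db", "hostName": "orders-db.example.internal",
     "ip": "10.0.2.9", "port": 5432, "useSSL": False, "databaseType": "postgresql"},
    {"recordType": "pamMachine", "recordTitle": "win-test-01", "hostName": "win-test-01",
     "ip": "10.0.3.3", "port": 3389, "operatingSystem": "Windows", "providerRegion": "us-east-1"},
    {"recordType": "pamUser", "recordTitle": "rds_iam_user", "login": "rds_iam_user",
     "managed": True, "parentRecordType": "pamDatabase"},
    {"recordType": "pamDirectory", "recordTitle": "corp-ad", "hostName": "dc01.corp.example.internal",
     "ip": "10.0.4.1", "port": 636, "domainName": "corp.example.internal", "useSSL": True},
]

if __name__ == "__main__":
    for res in RESOURCES:
        print(f"{res['recordTitle']:<14} -> {first_match(RULES, res)}")
    print(process_batch(RULES, RESOURCES))
```

Running the block shows the ordering effects the page describes: `localhost` is ignored because the `hostName` condition is satisfied through its `ip`, `win-test-01` reaches the `port > 1024` rule only because the regex rule ahead of it is disabled (enable it and the same resource is ignored instead), and `corp-ad` matches nothing, which is the case a reviewer would want surfaced rather than silently dropped.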