
Extensible Discovery Overview

Question & Answer


Question

Extensible Discovery Overview

Answer


A description of the Scriptable Discovery feature available in Secret Server version 10.0 and above.
Starting with Secret Server 10.0, Discovery scanners can run custom PowerShell scripts in addition to the built-in scanners for Active Directory, UNIX, and VMware ESXi. You can use one or more built-in or custom scanners at each step of the discovery process: host range discovery, machine discovery, local account discovery, and dependency discovery. As a result of this change, you can also determine which dependencies are scanned for each Active Directory domain rather than globally on the Discovery Configuration page. You do this by selecting which dependency scanners you want to run within the scanner configuration for each domain.

Extensible Discovery added the concept of Discovery Scanners. Previously, all scanners were built into the discovery process based on the type of discovery source (Active Directory, UNIX, or ESXi). You can now create your own scanners using PowerShell scripts. SSH Scripts are also still supported using the existing Command Sets. If you have any discovery sources using Command Sets, they will be converted to SSH discovery scanners when you upgrade Secret Server.

When creating rules for importing local accounts as Secrets you can now import non-local account secrets discovered through scripted discovery to secret templates based on the type of account returned by each account scanner. You can also create dependency rules to automatically import any type of dependency scanned through scripted discovery, including remote files and dependencies that need to be changed through PowerShell, SSH, and SQL scripts. The correct scripts will be applied to the dependencies automatically based on a new feature called Dependency Templates. Dependency Templates allow you to define how the dependencies found by scripted dependency scanners will be processed when their associated secret changes.

Extensible Discovery added the following components that need to be configured:
· Scan Templates
· Discovery Scanners
· Dependency Changers
· Dependency Templates
In addition, changes were made to the following features:
· Scripts
· Discovery Sources
· Password Types
· Secret Dependencies View
· Local Account Rules
· Dependency Rules
Scan Templates
Scan templates define the types of objects that can be retrieved by discovery scanners. Each of these items -- host ranges, machines, accounts, and dependencies -- is defined by a scan template. Each scan template contains a set of fields which are the properties that will be returned by the built-in scanner or script for each discovered item. These fields can then be used by later scanners.


Discovery Scanners
Discovery item scanners define how a specific item -- host range, machine, account, or dependency -- is discovered. Scanners can use either built-in methods or PowerShell scripts. The two central parts of a scanner are its Input Template and Output Template, both of which are scan templates. Each scanner uses the output of a previous step as its input, performs its scan on that input, and returns a list of results as its output. The Input Template defines what to use as the input data for this scanner. The Output Template defines what is returned from this scan. When a scanner runs, it gets the results of the scanner that ran during the previous step and had an Output Template matching the current scanner's Input Template. At the next step, one of the scanners defined there should have an Input Template matching the current scanner's Output Template in order to do further discovery on the results of this scan.


Discovery Sources
Discovery Sources create the workflow or series of workflows that a specific discovery scan will execute. Here you select which discovery scanners will be run at each step of the discovery process. By selecting scanners that chain the output template from a scanner at one step to the input template of one or more scanners at the next step you establish how the results are processed. The end result of any discovery scan is a list of accounts and dependencies that can be brought under management in Secret Server as secrets and dependencies on those secrets.
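The chaining rule from the Discovery Scanners and Discovery Sources sections above, modelled as an added PowerShell example (not Secret Server's own code or script API): scan templates are field lists, each scanner names an Input and Output template, and two checks verify that every step is fed by a matching Output template from the previous step and that each scanner's results carry every field its Output template promises. All template names, field names, scanner names and the sample host range are constructed for the example.

```powershell
# Added illustration (not Secret Server code): models the scan-template chaining rule.
# Template/field/scanner names and the way scripts receive input are assumptions.

# Scan templates: the fields a scanner receives (Input) or returns (Output).
$ScanTemplates = @{
    'HostRange' = @('HostRangeName', 'StartIp', 'EndIp')
    'Machine'   = @('MachineName', 'IpAddress', 'OperatingSystem')
    'Account'   = @('MachineName', 'UserName', 'Enabled')
}

# Each scanner declares its step, Input and Output templates; Script stands in for
# the custom PowerShell script and returns one object per discovered item.
$Scanners = @(
    [pscustomobject]@{ Name = 'IpRangeToHosts'; Step = 2; Input = 'HostRange'; Output = 'Machine'
        Script = { param($in) $in | ForEach-Object {
            [pscustomobject]@{ MachineName = $_.HostRangeName + '-01'; IpAddress = $_.StartIp; OperatingSystem = 'Windows' } } } }
    [pscustomobject]@{ Name = 'LocalAdmins'; Step = 3; Input = 'Machine'; Output = 'Account'
        Script = { param($in) $in | ForEach-Object {
            [pscustomobject]@{ MachineName = $_.MachineName; UserName = 'Administrator'; Enabled = $true } } } }
)

# Rule from the article: a scanner at step N needs a step N-1 scanner whose Output
# template matches its Input template, otherwise it receives no data.
function Test-ScannerChain {
    param([array]$Scanners)
    foreach ($s in $Scanners | Where-Object { $_.Step -gt 1 }) {
        $feeders = $Scanners | Where-Object { $_.Step -eq ($s.Step - 1) -and $_.Output -eq $s.Input }
        if (-not $feeders) { "$($s.Name) (step $($s.Step)) has no step-$($s.Step - 1) scanner producing '$($s.Input)'" }
    }
}

# Check that a scanner's results actually carry every field of its Output template,
# since later scanners and import rules rely on those fields being present.
function Test-ScannerOutput {
    param($Scanner, $Results)
    $required = $ScanTemplates[$Scanner.Output]
    foreach ($r in $Results) {
        $missing = $required | Where-Object { -not $r.PSObject.Properties[$_] }
        if ($missing) { "$($Scanner.Name) result is missing field(s): $($missing -join ', ')" }
    }
}

$issues = Test-ScannerChain $Scanners
if ($issues) { $issues | Write-Warning } else { Write-Host 'Scanner chain is consistent.' }

# Run the chain on a constructed host range and validate each step's output.
$data = @([pscustomobject]@{ HostRangeName = 'CorpLan'; StartIp = '10.0.0.1'; EndIp = '10.0.0.254' })
foreach ($s in $Scanners | Sort-Object Step) {
    $data = @(& $s.Script $data)
    Test-ScannerOutput $s $data | Write-Warning
    Write-Host "$($s.Name): $($data.Count) result(s)"
}
```

Renaming a scanner's Output to a template no following step consumes, or dropping a property from a returned object, makes the corresponding check report the break before a real discovery run would silently return nothing.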


Dependency Changers and Dependency Templates
Dependency Changers are the new way to define both a type of dependency and how to act on that dependency when the dependency secret's password changes. Like scanners, dependency changers are associated with scan templates. This determines the fields that are available to be set on manually-created dependencies. It also determines which Dependency Changer to assign to discovered Dependencies that are added to secrets through Dependency Rules and how to set the information on that dependency.

Dependency Templates are the way the rest of the system interacts with Dependency Changers. In order to be used, a Dependency Changer must have a corresponding Dependency Template.


Secret Dependencies View
The Secret Dependencies View page has been changed to base all dependencies on dependency templates instead of dependency types. Any existing dependencies except for PowerShell, SSH, and SQL dependencies will be automatically converted to the new format when you upgrade. PowerShell, SSH, and SQL dependencies cannot be automatically converted and will remain as "legacy" dependencies. Legacy dependencies are still fully functional. If you want to replace a legacy dependency with one based on a Dependency Template, you will need to delete the legacy dependency and create a new dependency.


Password Types
Password Types now have the option to have a Local Account Scan Template associated with them. These associations determine which Secret Types are valid when creating a Local Account Rule based on the Scan Template. If a Secret Template allows remote password changing, it is associated with a password type. When you create a Local Account Rule and select the Scan Template to process by that rule, you will be able to assign all secrets created by that rule to one of the Secret Types that use any password type associated with that Scan Template.


Local Account Rules
In the second step of the New Rule wizard you are now prompted to select a Scan Template. This is one of the valid Local Account Scan Templates. The selections for Secret Type in the third step are set based on the selected Scan Template. The list of available secret types is based on the assignments of Scan Templates to password types.


Dependency Rules
After selecting a Domain or Organizational Unit you are now prompted to select a Scan Template from the list of Dependency Scan Templates associated with that Discovery Source. After that, select a Dependency Template from the list of Dependency Templates associated with the selected Scan Template. This is the Dependency Template that will be used on all dependencies created by this rule.


Additional Resources
For more information about these features and integrating extensible discovery into your discovery process see our Discovery Guide: https://thycotic.force.com/support/s/article/Account-Discovery
For step-by-step instructions on setting up extensible discovery, including sample PowerShell scripts, see our Extensible Discovery Tutorial:
Part 1: https://thycotic.force.com/support/s/article/Scriptable-Discovery-Tutorial-Creating-a-Complete-Discovery-Source-Using-PowerShell-Scripts-Part-1
Part 2: https://thycotic.force.com/support/s/article/Scriptable-Discovery-Tutorial-Creating-a-Complete-Discovery-Source-Using-PowerShell-Scripts-Part-2


Document Information

Modified date:
22 June 2018

UID

swg22016928