Discovery & Network

Agentless Discovery

Network scanning dispatched through managed agents to find unmanaged hosts, classify them, and promote them into your managed inventory. All scanning runs inside the customer network — the SaaS backend never reaches into your infrastructure directly.

Technical Manual
Status: Available

Prerequisites

  • User role with discovery.view (read) or discovery.manage (write/execute)
  • At least one managed host with a running agent in the target network to serve as a probe host
  • For SSH discovery: a PAM Identity credential with SSH access to targets
  • For WinRM discovery: a PAM Identity credential with WinRM access to targets
  • For network scans: no credentials required (TCP port scan only)

Understanding Discovery

Discovery scans run inside the customer network, not from the SaaS backend. You designate a managed host as a probe, and the platform dispatches a scan job to that host. The agent performs the scan from inside the network and reports results back.

This architecture means the backend never needs direct network access to customer infrastructure. The probe host does all the work.

Discovery Types

Type | What It Does | Credential | Default Port
ssh | SSH connection to targets, collects system info (hostname, OS, etc.) | Required (PAM Identity) | 22
winrm | WinRM connection to Windows targets, collects system info | Required (PAM Identity) | 5985
network_scan | TCP port scan — no authentication, finds open ports only | None | N/A

Default Scan Ports. Network scans check these ports by default: 22, 80, 135, 443, 3389, 5985, 5986, 8080, 8443.

Discovery Host Statuses

discovered: Newly found by a scan. Awaiting operator review.
managed: Promoted into managed inventory. Linked to a Host record.
ignored: Dismissed by an operator. Hidden from default views but still in the database.

Configuring Discovery Scans

Create a discovery job that defines the target ranges, protocol, probe host, and optional schedule.

Create a Discovery Job

  1. Navigate to Discovery > Create Job.
  2. Provide the required fields:
     Organization: The organization this job belongs to.
     Name: Unique name within the organization (e.g., "Office LAN Scan").
     Discovery Type: ssh, winrm, or network_scan.
     Target Ranges: List of CIDRs, IP ranges, or hostnames. Example: 192.168.1.0/24, 10.0.0.1-10.0.0.50
     Probe Host: An existing managed host in the same org with a running agent. This host will execute the scan.
     Credential: Required for SSH/WinRM. A PAM Identity credential for authentication.
     Port: Optional port override. Defaults: SSH=22, WinRM=5985.
     Schedule: Optional cron expression for recurring scans (e.g., 0 2 * * * for daily at 2 AM). If omitted, job runs on demand only.

The job is created in pending status. If a schedule is provided, the next run time is computed automatically.

Update or Delete a Job

  • Open the job detail page to edit the name, targets, schedule, credential, or other settings.
  • Use the Delete button to remove the job definition.
  • Neither operation is allowed while the job is currently running.

Running Discovery Scans

Manual Execution

  1. Open the discovery job and click Run Now.
  2. The platform verifies the probe host is configured and not already running a scan.
  3. A scan job is dispatched to the probe host.
  4. The agent scans target ranges from inside the customer network.
  5. Results arrive asynchronously. Refresh the job detail page to check status.

Scheduled Execution

Enabled jobs with a cron schedule are picked up by the scheduler every 5 minutes. When the next scheduled run time has passed and the job is not already running, the scheduler dispatches it automatically. After completion, the next run time advances to the next cron interval.

Job State Machine

pending --> running --> completed
                   \--> failed

Running jobs are locked. You cannot update, delete, or re-run a job while it is in running status. Wait for it to complete or fail.
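
A pre-dispatch check for a job definition, combining the field rules, the probe-host requirement and the running-job lock described above. This is an added example, not the platform's code: the `Host` and `Job` models, `effective_port` and `dispatch_errors` are hypothetical names, and treating an unneeded credential on a network_scan job as an error is a choice made for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Values taken from the Discovery Types table on this page.
DEFAULT_PORTS = {"ssh": 22, "winrm": 5985}
CREDENTIALED = {"ssh", "winrm"}
TYPES = CREDENTIALED | {"network_scan"}

@dataclass
class Host:  # hypothetical model of a managed host
    org: str
    agent_running: bool

@dataclass
class Job:  # hypothetical model of a discovery job definition
    org: str
    discovery_type: str
    target_ranges: list
    probe_host: str
    credential: Optional[str] = None
    port: Optional[int] = None
    status: str = "pending"

def effective_port(job: Job) -> Optional[int]:
    """Port override if set, else the type default (None for network_scan)."""
    return job.port if job.port is not None else DEFAULT_PORTS.get(job.discovery_type)

def dispatch_errors(job: Job, hosts: dict) -> list:
    """Return the reasons a job cannot be dispatched; an empty list means ready."""
    errors = []
    if job.discovery_type not in TYPES:
        errors.append("unknown discovery type")
    if job.status == "running":
        errors.append("job is running (locked)")
    if not job.target_ranges:
        errors.append("no target ranges")
    if job.discovery_type in CREDENTIALED and not job.credential:
        errors.append("credential required")
    # Example-only lint: network scans need no credential, so do not attach one.
    if job.discovery_type == "network_scan" and job.credential:
        errors.append("credential not needed for network_scan")
    probe = hosts.get(job.probe_host)
    if probe is None or probe.org != job.org:
        errors.append("probe host not found in job organization")
    elif not probe.agent_running:
        errors.append("probe host agent not running")
    return errors
```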

Reviewing Discovered Devices

  1. Navigate to Discovery > Discovered Hosts to view all discovered hosts.
  2. Filter results by discovery job, status (discovered/managed/ignored), OS type, or search by IP/hostname/FQDN.
  3. Each record includes: IP address, hostname, FQDN, OS type/version, MAC address, open ports, system info, and last seen time.
  4. Click a host row for full detail on a single discovered device.

When a discovery scan re-runs, existing hosts (matched by job and IP address) are updated in place rather than duplicated. New IPs create new records in "discovered" status.

Promoting to Managed Hosts

Promotion moves a discovered host into your managed inventory so it can receive policies, monitoring, and agent installation.

  1. Select a discovered host and click Promote. Optionally choose a target location.
  2. If the hostname matches an existing managed host in the same org, the discovered host is linked to it (no duplicate created).
  3. Otherwise, a new managed host record is created in offline status (no agent yet).
  4. The discovered host's status changes to "managed", and the discovered host is linked to the host record.
  5. To make the promoted host fully managed, install an agent on it.

Duplicate prevention. Promotion checks the hostname against existing managed hosts. If a match is found, the discovered host is linked to the existing record rather than a duplicate being created.

Ignore, Unignore & Delete

Action | How | Effect
Ignore | Click Ignore on a discovered host | Status set to "ignored". Hidden from default views. Cannot ignore a managed host.
Unignore | Click Unignore on an ignored host | Status reverted to "discovered". Only works from ignored state.
Delete | Click Delete on a discovered host | Permanently removes the discovery record.

IP Range Management

Target ranges are specified per discovery job and support multiple formats:

  • CIDR notation: 192.168.1.0/24 (scans 254 addresses)
  • IP ranges: 10.0.0.1-10.0.0.50 (scans 50 addresses)
  • Single hosts: 10.0.0.1 or fileserver.corp.local
  • Mixed: combine any of the above in the target_ranges array

Keep ranges focused on specific subnets or VLANs. Scanning large /16 or /8 ranges will generate enormous job payloads and long runtimes.
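
A sizing check for a target_ranges list, run before a job is created, as an added example that is not the platform's own parser. The function names and the 4096-address budget are assumptions for illustration; the page sets no numeric limit.

```python
import ipaddress

MAX_ADDRESSES = 4096  # assumed budget for this example; the page gives no numeric limit

def count_targets(entry: str) -> int:
    """Number of addresses one target_ranges entry expands to."""
    entry = entry.strip()
    if not entry:
        raise ValueError("empty target entry")
    if "/" in entry:  # CIDR notation
        net = ipaddress.ip_network(entry, strict=False)
        # Match the page's count (a /24 is 254): skip network and broadcast addresses.
        if net.version == 4 and net.prefixlen < 31:
            return net.num_addresses - 2
        return net.num_addresses
    first, dash, last = entry.partition("-")
    if dash:
        try:
            lo = ipaddress.ip_address(first.strip())
        except ValueError:
            return 1  # hostname that contains a hyphen, e.g. file-server.corp.local
        hi = ipaddress.ip_address(last.strip())  # ValueError on a malformed range end
        if lo.version != hi.version or hi < lo:
            raise ValueError(f"invalid range: {entry}")
        return int(hi) - int(lo) + 1
    return 1  # single IP address or hostname

def preflight(target_ranges, limit=MAX_ADDRESSES):
    """Size each entry and flag jobs that exceed the address budget."""
    sizes = {t: count_targets(t) for t in target_ranges}
    total = sum(sizes.values())  # overlapping entries are not de-duplicated
    return {
        "sizes": sizes,
        "total": total,
        "oversized": [t for t, n in sizes.items() if n > limit],
        "ok": total <= limit,
    }
```

A /16 entry expands to 65,534 addresses and a /8 to more than 16 million, which is why the check reports the offending entries instead of expanding them.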

Discovery Dashboard

The Discovery Dashboard provides a summary view of all discovery activity. Optionally filter by organization.

Total Jobs: Total discovery job definitions.
Active Scheduled: Jobs with an active cron schedule.
Total Hosts: Total discovered host records.
By Status: Breakdown: discovered / managed / ignored counts.
By OS Type: Breakdown by detected OS (Linux, Windows, etc.).
By Discovery Type: Breakdown by scan type (SSH, WinRM, network scan).
Recent: 10 most recently discovered hosts.

Permissions Reference

Permission | Grants
discovery.view | List/get discovery jobs, discovered hosts, dashboard.
discovery.manage | Create/update/delete jobs, run scans, promote/ignore/unignore/delete hosts.

Troubleshooting

Symptom | Cause | Fix
Scan stuck in "running" | Agent offline or probe host unreachable | Verify probe host is online and agent is heartbeating.
No hosts discovered | Target range empty or probe cannot reach targets | Verify network connectivity from probe host to target range.
SSH discovery returns no system info | Credential invalid or SSH port wrong | Verify PAM credential has SSH access. Check port setting.
WinRM discovery fails | WinRM not enabled on targets | Enable WinRM on Windows targets. Verify ports 5985/5986.
Probe host not found | Host not in same org as job | Ensure probe host belongs to the same organization as the discovery job.
Scheduled job not running | Job disabled or invalid cron | Verify the job is enabled and has a valid cron schedule expression.
Cannot promote host | Already in "managed" status | Host was previously promoted. Check the linked host in the detail view.
Cannot ignore host | Host already "managed" | Managed hosts cannot be ignored. Only discovered hosts can be ignored.
Job update returns 409 | Job is currently running | Wait for the running scan to complete or fail before modifying.