Manage scan jobs

From the Scans page, you can perform the following:

  • View active, completed, and scheduled scans
  • Locate specific scans by using the date, status, agent name, workgroup, scan name, start time, and end time filters
  • Use the row actions available from the vertical ellipsis menu for a scan to perform the following:
    • Open the discovery report for a completed scan
    • Stop active scans that are currently running
    • View and edit details for scheduled scans
    • Run completed and scheduled scans now
    • Deactivate scheduled scans
    • Reactivate inactive scans

ℹ️

Note

You can view inactive scans by selecting Inactive from the Status filter above the grid. You can still run inactive scheduled scans and completed scans that are linked to inactive scheduled scans by clicking the vertical ellipsis for the scan and selecting Run Scan Now. You can also reactivate inactive scans from the vertical ellipsis menu if desired.

Run discovery scans

Run a discovery scan to locate network assets, such as workstations, routers, laptops, and printers. A discovery scan also determines if an IP address is active. You can periodically repeat discovery scans to verify the status of devices, programs, and the delta between the current and previous scans.

ℹ️

Note

Discovered assets do not count toward your license.

  • The TCP discovery ports are 22, 80, 110, 139, 389, 443, 445, 1025, 1433, 1521, 3306, 3389, 5000, 5432, and 27017.
  • Use more than one scanner to distribute the coverage across the network.

Use the scan wizard to create a discovery scan

  1. From the left menu, click Run a New Discovery Scan.
  2. Select Scan Type: There are three types of scans to choose from. Select one and click Next.
    • Discover Local Accounts: This scan requires credentials and deploys a local scan service to the scan targets. This scan discovers systems as well as the local user accounts located on them.
    • Detailed Discovery Scan: This scan requires credentials and it deploys a local scan agent to the scan targets, which can be disabled if required. Besides systems, this scan provides associated information on services, scheduled tasks, users, and databases. This scan is customizable. Click Customized Detailed Discovery to select the type of data to collect.

ℹ️

Note

Selecting Software to enumerate and collect the software from scanned assets may result in longer scan times and should be used only when necessary. Data collected as part of software enumeration does not contain any identity information which can be used for account management.

  • IP Discovery: This scan does not use credentials for the scanning process and does not deploy any services to the scan targets. This scan discovers only the IP addresses for detected systems.

ℹ️

Note

Any assets discovered using the IP Discovery scan, if subsequently rescanned with another scan type, are listed in BeyondInsight as duplicates. This type of scan can only identify assets by IP address, while credentialed scans rely on a mix of hostname, DNS name, and workgroup to identify assets.

  3. Select Scan Targets: Enter scan targets in the field provided. You can enter single IP addresses, IP ranges, addresses in CIDR notation, or named hosts. Items must be separated by commas.
  4. Choose Scan Agent: Select which agents are used to execute the scan. If more than one agent is selected, the scan targets are split between the selected agents. If you have a large number of agents, you can use the filter dropdown to specify filter criteria. Click Next to continue.

ℹ️

Note

A warning banner appears at the top of the screen if your installation includes any Discovery Agents earlier than version 20.1. These must be updated by the end of 2021. You can identify outdated agents by referring to the grid of agents on this screen, which includes the version of each agent.

Click Dismiss to hide the warning banner until your next login. Dismissing the warning banner here does not hide it on the dashboard, and dismissing the warning banner on the dashboard does not hide it on this screen.

  5. Enter Credentials: If the type of scan you select requires credentials, you can select a credential from the Credential List, and/or use the Custom Credential section to provide a credential to use for this scan.
  • If you enter a Custom Credential, click Test Credential to verify its functionality.

ℹ️

Note

Clicking Test Credential tests only AD domain user accounts. It is not for use with local or SSH user accounts.

  • If using the Credential List, select one or more credentials from a list of available credentials.
  • If keys are required for discovery credentials in your environment, either provide a key for each credential or enable the Use the same key for all selected credentials option to provide a Universal Configuration Key used for all selected credentials.

ℹ️

Note

Configuration keys are not used or validated for Password Safe credentials.

ℹ️

Note

Use the Search Credentials box to filter the list of available credentials.

ℹ️

Note

If you require a credential that isn't listed, click the Create New Credential link at the top of the list of credentials to open the Create New Credential form and create a new credential. The new credential is added to the list of existing credentials.

  6. Once credentials have been selected for the scan, click Next.
  7. Name the Scan: Provide a unique name for this scan. The scan name cannot be longer than 58 characters and cannot contain any of the following characters: [ ] ' $ & < + ? > * | " : ; \ /. You can also set the following options:
    • Apply job restrictions that allow you to abort the scan if it runs longer than a set number of minutes (max 48 hours).
    • Set a schedule, which can be Immediate, One Time, or Recurring.
  8. Click Finish to complete the Scan Wizard.

Run scans from a list of assets

If you want to run a scan but would prefer to select targets from a list of assets rather than type them, click Assets from the left menu.

From the Assets grid, select the assets you want to scan, and then click Scan Selected Assets.

The Scan Wizard screen appears. Here you can select the type of scan to run. The difference is that when you click Next and go to the Select Scan Targets page, you will find the targets already selected. The next steps in the Scan Wizard are the same as those outlined above.

Use Smart Rules as targets for scans

You can also run a scan on Smart Rules. From the Smart Rules grid, select a rule, click the vertical ellipsis for the rule, and then select Scan. You are taken to the Scan Wizard, for which the targets are preselected, and if the Smart Rule is configured to use specific scanners, the scan agents are also preselected. The next steps in the Scan Wizard are the same as those outlined above.

Check completed and scheduled scans

To check information on scans, click Active/Completed Scans or Scheduled Scans from the left menu in the console. From the Scans page you can see active, completed, and scheduled scans, and you can delete a scan. You can also see the scan status for each active or completed scan. For each active and completed scan you can click the vertical ellipsis for the scan, and then select Run Scan Now or Delete scan. For each scheduled scan you can click the vertical ellipsis for the scan, and then select View Scan Details, Run Scan Now, or Delete scan.

When viewing the Scan Data, you can:

  • Change the name of the scan.
  • Change the scanner agent associated with a scheduled scan job.
  • Apply job restrictions that allow you to abort the scan if it runs longer than a set number of minutes (max 48 hours).
  • Change the scan details, such as the accounts, services, databases, and software selected for discovery.
  • View the scan targets and modify the target Smart Rule if one is selected.
  • Change the schedule type and frequency for the job.
  • Change the credentials used to run the scan.
  • View the history of the scan, if any exists.

Discover assets using a Smart Group

When the Smart Group filter is an address group, Active Directory query, or cloud connector, you can discover assets. When the Use to discover new box is checked, any assets online since the Smart Group was last processed are detected. The scan results on the Assets page reflect the number of assets found.

ℹ️

Note

If you create an address group that includes the /19 CIDR block, the range possesses 8190 potential assets. The Discovery Scan always tries to discover those assets. Keep this in mind when you are reviewing scan results.
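As an added example (not BeyondTrust code), the following Python script estimates how many potential assets a comma-separated scan-target list covers before it is entered in the wizard, using the target formats listed under Select Scan Targets and the /19 figure from the note above. The start-end range syntax and the sample targets are assumptions constructed for illustration.

```python
"""Estimate how many potential assets a discovery scan target list covers."""
import ipaddress
import re

# Assumption: IP ranges are written "start-end" with a full IPv4 address on each side.
RANGE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})$")
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")


def classify_target(entry):
    """Return (kind, potential_assets) for one entry; raise ValueError if malformed."""
    entry = entry.strip()
    if "/" in entry:  # CIDR notation
        net = ipaddress.IPv4Network(entry, strict=False)
        # Network and broadcast addresses are not hosts, except in /31 and /32.
        usable = net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2
        return "cidr", usable
    match = RANGE.match(entry)
    if match:
        start, end = (ipaddress.IPv4Address(a) for a in match.groups())
        if end < start:
            raise ValueError(f"range end precedes start: {entry}")
        return "range", int(end) - int(start) + 1
    if re.fullmatch(r"[\d.]+", entry):
        ipaddress.IPv4Address(entry)  # raises ValueError on e.g. 10.0.0.300
        return "ip", 1
    if len(entry) <= 253 and HOSTNAME.match(entry):
        return "host", 1
    raise ValueError(f"unrecognised target: {entry!r}")


def estimate_scope(target_field):
    """Split the comma-separated field and total the potential assets."""
    rows, errors, total = [], [], 0
    for raw in target_field.split(","):
        item = raw.strip()
        if not item:
            continue
        try:
            kind, count = classify_target(item)
        except ValueError as exc:
            errors.append((item, str(exc)))
            continue
        rows.append((item, kind, count))
        total += count
    return {"rows": rows, "total": total, "errors": errors}


# Constructed sample input: one /19 block, a range, a single IP, a named host,
# and one malformed address that should be rejected.
SAMPLE = ("10.20.0.0/19, 192.168.1.10-192.168.1.20, 172.16.5.4, "
          "fileserver01.example.test, 10.0.0.300")

if __name__ == "__main__":
    report = estimate_scope(SAMPLE)
    for target, kind, count in report["rows"]:
        print(f"{target:<32} {kind:<6} {count:>6}")
    print("total potential assets:", report["total"])
    for target, reason in report["errors"]:
        print("rejected:", target, "-", reason)
```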

Key steps

To create a Smart Group, go to Configuration > General > Smart Rules > Create Smart Rule.

  • Create an address group or Active Directory query that includes the IP address range or domain.
  • Create a Smart Group that includes the address group or query as the filter. Enable the Use to discover new assets during scans option.
  • You can also configure the Smart Rule to use specific scanners by selecting the Set Scanner Properties action, and then selecting specific scan agents from the list.

ℹ️

Note

We recommend you run a discovery scan at a regular interval. You can discover assets manually by entering a host name, IP address, or address range.

Add Credentials for Use in Scans

You can create the following credential types that can be used for scans:

  • Microsoft SQL Server
  • MySQL
  • Oracle
  • SNMPv2
  • SSH
  • Windows

To create a credential:

  1. Select Configuration > Discovery Management > Credentials.
  2. Click Create New Credential.
  3. Enter a Credential Name.
  4. Select a credential type from the Type list.

ℹ️

Note

The fields of information you need to enter change based on the type selection.

  5. Enter the user account information appropriate for the type of credential you are creating:

     Type: Information
       • MS SQL Server: Authentication Type, Domain (Optional), Username, Password, Confirm password, Description, Port numbers, Key, Confirm key
       • MySQL: Username, Password, Confirm password, Description, Port numbers, Key, Confirm key
       • Oracle: Username, Password, Confirm password, Description, Access level, Connect to, Protocol, Port numbers, Key, Confirm key
       • MongoDB: Username, Password, Confirm password, Description, Database, Host, Port numbers, Key, Confirm key
       • PostgreSQL: Username, Password, Confirm password, Description, Database, Host, Port numbers, Key, Confirm key
       • Sybase: Username, Password, Confirm password, Description, Host, Port numbers, Key, Confirm key
       • Teradata: Username, Password, Confirm password, Description, Host, Port numbers, Key, Confirm key
       • SNMPv2: Description, Key, Confirm key, Community string
       • SSH: Authentication Type, Username, Password, Confirm password, Description, Port numbers, Key, Confirm key, Elevation
       • Windows: Domain (Optional), Username, Password, Confirm password, Description, Key, Confirm key

ℹ️

Note

All credentials are stored in the database encrypted with the AES-256 block cipher, using RijndaelManaged.

ℹ️

Note

This feature propagates credentials stored in BeyondInsight to Discovery Scanner servers and allows end users and API calls to leverage credentials locally on the network scanner. This eliminates the need to provide credentials separately for those scanners.

If the credential name matches an existing credential in the BeyondTrust Discovery Scanner, the credential is overwritten with the value from BeyondInsight.

  6. Click Create New Credential.

To edit a credential, browse or Search for it in the list of Credentials, then click it. Enter the updated information and click Update Credential. Some credential information cannot be edited once the credential has been created.

Create Oracle credentials

If you are scanning Oracle databases, you can create Oracle credentials. The tnsnames.ora file is updated automatically after you create an Oracle credential.

  1. Navigate to Configuration > Discovery Management > Credentials.
  2. Click Create New Credential +.
  3. Enter a Credential Name.
  4. From the Type list, select Oracle.
  5. Provide a username and password, and confirm it.
  6. Select an Access level from the list: Standard, SYSDBA, or SYSOPER.
  7. Select additional connection options:
    • Connect To: Select Database SID or Named Service.
    • Enter the database SID or name of the service, depending on which option you had selected.
    • Protocol: Select TCP, TCPS, or NMP.
    • Host: Enter the host name where the Oracle database resides. If this credential is used for multiple Oracle hosts, separate each host name by a comma.
    • Port: The default port is 1521. Use the + and - buttons to change this if necessary.

ℹ️

Note

IPv4 addresses, IP address ranges, CIDR notation, and named hosts are supported formats. Multiple SIDs, named services, TCP ports, and pipe names are not supported.

  8. Enter a key and confirm it if those fields are available.

ℹ️

Note

The Key and Confirm Key fields display only when your administrator has enabled the global site setting to require access keys for discovery credentials: Configuration > System > Site Options > Global Discovery Credential.

Create SNMP credentials

If scanning devices are managed by an SNMP community, you can add your community strings.

  1. Navigate to Configuration > Discovery Management > Credentials.
  2. Click Create New Credential +.
  3. Enter a Credential Name.
  4. From the Type list, select SNMPv2.
  5. Enter a key and confirm it if those fields are available.

ℹ️

Note

The Key and Confirm Key fields display only when your administrator has enabled the global site setting to require access keys for discovery credentials: Configuration > System > Site Options > Global Discovery Credential.

  6. Enter the Community String.
  7. Click Create Credential.

Create SSH credentials

You can create Public Key Encryption credentials to connect to SSH-configured targets. You can select a credential that contains a public and private key pair used for SSH connections.

ℹ️

Note

DSA and RSA key formats are supported.

Optionally, when configuring SSH, you can select to elevate the credential. Using sudo, you can access scan targets that are not configured to allow root accounts to log on remotely. You can log on as a normal user and use sudo to connect with a more privileged account. Additionally, you can use sudo to elevate the same account to get more permissions. Using pbrun, you can elevate the credential when working with Privilege Management for Unix & Linux target assets.

  1. Navigate to Configuration > Discovery Management > Credentials.
  2. Click Create New Credential +.
  3. Enter a Credential Name.
  4. From the Type list, select SSH.
  5. Enter a Username.
  6. Select an Authentication Type:
    • Password: Enter a password and confirm it.
    • SSH Key: Upload a private key file. Enter a key and confirm it if those fields are available.

ℹ️

Note

The Key and Confirm Key fields display only when your administrator has enabled the global site setting to require access keys for discovery credentials: Configuration > System > Site Options > Global Discovery Credential.

  7. Enter a port number, or multiple port numbers separated by commas.
  8. Elevating credentials is optional. To elevate credentials, select one of the following from the Elevation list:
    • sudo: The optional sudo username should be blank in most cases. When blank, commands run with the effective privileges of the root account. If an optional username is entered, sudo runs in the security context of that user.
    • Enable: Enter the credentials for Cisco devices. If you are auditing Cisco devices, you can elevate the credentials to privileged for more thorough scans.
    • pbrun: Enter the pbrunuser username.
  9. Click Create Credential.

Run Scans on Cloud Platforms in BeyondInsight

You can run scans on the following cloud types: Amazon EC2, Rackspace, IBM SmartCloud, Microsoft Azure, Microsoft Hyper-V, and Google Cloud.

Before you create a cloud connector, ensure the following requirements are in place.

Amazon EC2 requirements

To use the Amazon EC2 connector, you must adhere to the following recommendation from Amazon:

  • User accounts must have minimal permissions assigned (for example, describe instances).

The following minimum permissions are required to successfully enumerate a list of targets and run a scan:

  • elasticloadbalancing:DescribeLoadBalancers
  • ec2:DescribeInstances
  • ec2:DescribeInstanceTypes
  • ec2:DescribeInstanceTypeOfferings
  • ec2:DescribeRegions
  • ec2:DescribeInstanceStatus
  • ec2:DescribeImages

Azure requirements

The Azure connector extracts virtual machines and load balancers from Resource Manager. You must create an Entra ID application.

You can either use the premade Reader role, or set up a new Virtual Machine Contributor role to the Azure Resource Group. You must choose where in the Azure hierarchy you are giving access — either as high as the subscription, or for a specific Resource Group. If you choose to set up a new role, the minimum permissions that must be granted are:

  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Compute/virtualMachines/read
  • Microsoft.Compute/virtualMachines/instanceView/read
  • Microsoft.Network/loadBalancers/read
  • Microsoft.Network/loadBalancers/frontendIPConfigurations/read
  • Microsoft.Network/networkInterfaces/read
  • Microsoft.Network/networkInterfaces/loadBalancers/read
  • Microsoft.Network/publicIPAddresses/read

ℹ️

Note

For detailed instructions, please see Create an Entra ID Application.

Google cloud requirements

  • Key file: You must download a key file from the Google cloud instance. The key file is uploaded when you create the connector in BeyondInsight.

ℹ️

Note

The key file is not required if your BeyondInsight server is hosted on your Google cloud instance.

  • Compute Engine Network Viewer Role: The BeyondInsight service account that you create in the Google cloud instance requires the Compute Engine Network Viewer role.

ℹ️

Note

For more information, please see Compute Engine IAM Roles.

Hyper-V requirements

ℹ️

Note

The steps required for successful authentication vary depending on your environment. These instructions are to connect a Hyper-V virtual machine on the CIMV2 namespace off root (not connecting to a Hyper-V server).

Set firewall

  1. Open Windows Firewall (Start > Control Panel > Security > Windows Firewall).
  2. Select Allow a program or feature through Windows Firewall.
  3. Check the Windows Management Instrumentation (WMI) box, and then check the Public box.
  4. At this point you can send requests but receive unauthorized exceptions, whereas previously the host would not be found.

Add WMI user to COM Security

  1. Start Component Services (using the Run command, enter dcomcnfg.exe).
  2. Expand Component Services > Computers.
  3. Right-click My Computer, and then select Properties.
  4. Select the COM Security tab, and then in Access Permissions, click Edit Limits.
  5. Add the username you are using for WMI, and then select Local Access and Remote Access.
  6. Click OK.
  7. In Launch and Activation Permissions, click Edit Limits.
  8. Add the WMI user, and then select Remote Launch and Remote Activation.

Change WMI permissions

  1. Start the Computer Management snap-in by using the Run command, and entering compmgmt.msc.
  2. Expand Services and Applications.
  3. Right-click WMI Control, and then select Properties.
  4. Click the Security tab.
  5. Select Root\CIMV2, and then click Security.
  6. Add the user, and then click Advanced.
  7. Double-click the user, and then check the following boxes: Enable Account, Remote Enable, and Read Security.
  8. From the Apply to list, select This namespace and subnamespaces.
  9. Restart the WMI service.

Test connection

Use WBEMTest on the local machine (not your Hyper-V server) to test your connection.

  1. Run wbemtest.exe from the command prompt.
  2. Click Connect.
  3. Enter the namespace in the format \\HOST\root\CIMV2, where HOST is a computer name on a domain or an IP address.
  4. Enter a username and password.
  5. Click Connect.

Configure a cloud connector

  1. In the BeyondInsight console, go to Configuration > General > Connectors.

  2. In the Connectors pane, click Create New Connector.

  3. Provide a name for the connector, and then select a Connector Type from the list:

    • AWS Scan Target Collector
    • Azure Scan Target Collector
    • Google Cloud Scan Target Collector
    • Hyper-V Scan Target Collector
    • Rackspace Scan Target Collector
  4. Click Create Connector.

  5. Enter the connector information in the right pane:

    • For AWS cloud connections, required fields are: Region, Access Key ID, and Secret Access Key ID.

      Instances associated with the region are displayed in the Connection Test Results section.

    • For Azure, required fields are: Region, Client ID, Client Server, Tenant ID, Subscription ID, and Azure Scope.

    • For Google Cloud, required fields are Server (the region), Project Name (the project ID), and the Key File. Upload the key that you downloaded from the Google Cloud.

    • For Hyper-V server, required fields are: Server (IP address), Username, and Password.

    • For Rackspace, required fields are Account Type, Username, and API Key.

  6. After you configure the connector, click Test Connector to ensure the connector works.

  7. Click Create Connector.

After you create a cloud connector, you can run a scan and review the results to determine what cloud assets were discovered.

Cloud connector Smart Groups

You can create Smart Groups based on the cloud connectors that you are using.

  1. From the left menu, click Smart Rules.
  2. Click Create Smart Rule.
  3. Select a category, and then enter a name and description.
  4. Under Selection Criteria, select Cloud Assets, and then select the cloud connector type to filter on (AWS, Azure, Hyper-V).
  5. For AWS, click Select AWS Instance Types to pick specific instance types.
  6. For AWS, Azure, and Google, check the Use Private IP Address box to scan internal IP addresses.
  7. Under Actions, select Show asset as Smart Group.
  8. Click Create Smart Rule.
  9. Run a discovery scan on the smart group to see the cloud assets in reports.
  10. On the Assets page, select the cloud connector, and then click the vertical ellipsis button to review the details.

Configure BeyondInsight AWS connector

This section provides information on setting up an Amazon AWS connector, including details on the AWS configuration.

Set up a policy

  1. Log in to the AWS Management Console.
  2. Select Identity & Access Management.
  3. Select Policies from the Details menu.
  4. Select Create Policy.
  5. Select Create Your Own Policy.
  6. Enter a policy name and description.
  7. Paste the following JSON into Policy Document:
{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "elasticloadbalancing:DescribeLoadBalancers",
            "ec2:DescribeInstances",
            "ec2:DescribeRegions",
            "ec2:DescribeInstanceStatus",
            "ec2:DescribeImages"
        ],
        "Resource": "*"
    }
]
}

ℹ️

Note

For "Resource": "*", you must determine what JSON is required for your current needs. You may also need a condition with this, such as if you want only the dev group to have access to certain instances.
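As an added example (not BeyondTrust or AWS code), the following Python script compares a policy document with the minimum-permission list under Amazon EC2 requirements and reports actions that are not granted, grants that go beyond the list, and Allow statements that use "Resource": "*" without a Condition. The function and constant names are hypothetical, and the embedded policy is the document from this page.

```python
"""Compare an IAM policy document with the connector's minimum-permission list."""
import json
from fnmatch import fnmatchcase

# Minimum permissions from "Amazon EC2 requirements" on this page
# (instance-types action spelled as the AWS API spells it: DescribeInstanceTypes).
REQUIRED_ACTIONS = (
    "elasticloadbalancing:DescribeLoadBalancers",
    "ec2:DescribeInstances",
    "ec2:DescribeInstanceTypes",
    "ec2:DescribeInstanceTypeOfferings",
    "ec2:DescribeRegions",
    "ec2:DescribeInstanceStatus",
    "ec2:DescribeImages",
)

# The policy document from "Set up a policy", copied from this page.
PAGE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:DescribeLoadBalancers",
        "ec2:DescribeInstances",
        "ec2:DescribeRegions",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeImages"
      ],
      "Resource": "*"
    }
  ]
}
"""


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_policy(policy_json, required=REQUIRED_ACTIONS):
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    granted, findings = set(), []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(f"statement {index}: NotAction allows everything not listed")
        # IAM action names are case-insensitive, so compare in lower case.
        granted.update(a.lower() for a in _as_list(stmt.get("Action")))
        if "*" in _as_list(stmt.get("Resource")) and "Condition" not in stmt:
            findings.append(f'statement {index}: Resource "*" without a Condition')
    wanted = {a.lower(): a for a in required}
    # A required action counts as granted if any pattern (including wildcards) covers it.
    missing = sorted(name for low, name in wanted.items()
                     if not any(fnmatchcase(low, pat) for pat in granted))
    # Anything that is not exactly one of the required actions is broader than needed.
    excess = sorted(pat for pat in granted if pat not in wanted)
    return {"missing": missing, "excess": excess, "findings": findings}


if __name__ == "__main__":
    print(json.dumps(audit_policy(PAGE_POLICY), indent=2))
```

Run on the policy document above, it reports ec2:DescribeInstanceTypes and ec2:DescribeInstanceTypeOfferings from the requirements list as not granted.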

Grant access to a third party (optional)

ℹ️

Note

The ARN and External Name fields are for granting access to a third party. For more information, please see How to Use an External ID When Granting Access to Your AWS Resources to a Third Party.

After you configure the AWS settings, you can create the AWS Scan Target Collector connector and Smart Group in the BeyondInsight console.

ℹ️

Note

When creating, editing, or viewing the connector, the Cloud Scan Targets grid only shows results immediately after a test is completed. The targets are not automatically loaded into the BeyondInsight UI each time the connector is viewed or edited.


©2003-2025 BeyondTrust Corporation. All Rights Reserved.