Vault settings in auth record

Parameters for defining vaults in authentication records

The parameters used to define vault settings as part of authentication records are listed below. Settings differ per vault type.

View our latest Vault Support Matrix

Parameter

Description

login_type={basic|vault}

(Required only when you want to create or update vault information) Set login_type=vault to add vault information. By default, the parameter is set to basic.

vault_id={value}

(Required only when action=create and login_type=vault) A vault ID.

For Windows, vault_id and password parameters are mutually exclusive and cannot be specified in the same request.

For Unix, vault_id is mutually exclusive with the password and cleartext_password parameters; vault_id cannot be specified in the same request as either of them.

vault_type={value}

(Required only when action=create and login_type=vault) Choose one vault type:

Azure Key | BeyondTrust PBPS | CA Access Control | CyberArk AIM | CyberArk PIM Suite | HashiCorp | Hitachi ID PAM (no parameters specific to this vault type) | Lieberman ERPM | Quest Vault | Thycotic Secret Server | Wallix AdminBastion (WAB)

ARCON PAM

vault_service_type={value}

(Required if vault type is ARCON PAM) Specify a vault service type for authenticating to the vault and launching the scan on the host. This value is validated against the predefined list of service types.

Azure Key

ak_secret_name={value}

(Required if vault type is Azure Key) The secret name assigned to the secret stored in the vault.

BeyondTrust PBPS

system_name={value}

(Optional if vault type is BeyondTrust PBPS) The managed system name (also known as asset name). When not specified, we’ll attempt to auto-discover the system name for you at scan time.

account_name={value}

(Optional if vault type is BeyondTrust PBPS) The account name. When not specified, we’ll try the username specified in the authentication record.

CA Access Control

end_point_name={value}

(Required if vault type is CA Access Control) The End-Point name identifies a managed system, either a target for local accounts or a domain controller for domain accounts. An End-Point name is a user-defined value within your installation of CA Access Control Enterprise Management. The End-Point name entered in this record must match a pre-defined name exactly.

end_point_type={value}

(Required if vault type is CA Access Control) The End-Point type represents the method of access to the End-Point system. CA Access Control Enterprise Management uses pre-defined values for various methods and the End-Point type value must match a pre-defined value exactly. Examples: "Windows Agentless" (for Windows accounts) and "SSH Device" (for Unix via SSH).

end_point_container={value}

(Required if vault type is CA Access Control) The End-Point container stores configuration values. CA Access Control Enterprise Management uses pre-defined values for various methods and the End-Point container value must match a pre-defined value exactly. Examples: "Accounts" (for Windows accounts) and "SSH Accounts" (for Unix via SSH).

CA PAM

vault_app_name={value}

(Required if vault type is CA PAM) The application name as defined in the vault configuration for accessing a specific device.

vault_device_name={value}

(Required if vault type is CA PAM) Specify the target device name defined in the vault configuration for which you want to retrieve the credentials.

You can use one or more variables when defining the device name in order to match several targets that use the same naming convention.

${ip} // The IP address of the target, e.g. 10.20.30.40.

${ip_dash} // The IP address of the target with dashes instead of dots, e.g. 10-20-30-40.

${dnshost} // The DNS host name of the target, e.g. host.domain.

${host} // The host name of the target, i.e. the part of host.domain before .domain.

${nbhost} // (Windows only) The NetBIOS host name of the target in upper-case, e.g. HOST_ABC.

Example: device-unix-${ip} will match these 3 devices: device-unix-10.50.60.70, device-unix-10.50.60.88 and device-unix-10.30.10.12.

Note

You must specify “vault_device_name” or “vault_device_host”, but not both.

vault_device_host={value}

(Optional) Specify the target device address defined in the vault configuration for which you want to retrieve the credentials.

Use one or more variables in the target name to match several targets that use the same naming convention.

${ip} - The IP address of the target, e.g. 10.20.30.40.

${ip_dash} - The IP address with dashes instead of dots, e.g. 10-20-30-40.

${dnshost} - The DNS host name of the target, e.g. host.domain.

${host} - The host name of the target, i.e. the part of host.domain before .domain.

${nbhost} - (Windows only) The NetBIOS name of the target in upper-case, e.g. HOST_ABC.

Example: ${host}-${ip_dash} will match these 3 hosts: host40-10-20-30-40, host80-10-50-60-70 and host12-10-30-10-12.

Note

You must specify “vault_device_name” or “vault_device_host”, but not both.
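The variable expansion described for vault_device_name and vault_device_host, as an added illustration (not Qualys or CA PAM code): it substitutes the documented ${ip}, ${ip_dash}, ${dnshost}, ${host} and ${nbhost} variables for one target and shows how a single pattern resolves to several device names. The NetBIOS name is taken as a separate input because it need not equal the DNS short name, and a pattern that uses ${nbhost} on a target without one is rejected.

```python
import re

# Added illustration for the CA PAM vault_device_name / vault_device_host
# patterns; this is not Qualys or CA PAM code. The variable names and their
# meanings are the ones the page documents. The NetBIOS name is taken as an
# input because it need not equal the DNS short name.
_VAR = re.compile(r"\$\{([A-Za-z_]+)\}")


def target_variables(ip, dnshost, nbhost=None):
    """Values each documented variable takes for one scan target."""
    values = {
        "ip": ip,                          # 10.20.30.40
        "ip_dash": ip.replace(".", "-"),   # 10-20-30-40
        "dnshost": dnshost,                # host.domain
        "host": dnshost.split(".", 1)[0],  # host (before .domain)
    }
    if nbhost is not None:                 # Windows targets only
        values["nbhost"] = nbhost.upper()  # HOST_ABC
    return values


def expand_pattern(pattern, ip, dnshost, nbhost=None):
    """Expand a device name/host pattern for a single target.

    Raises ValueError for an unknown variable, or for ${nbhost} on a target
    that has no NetBIOS name (the page documents it as Windows only).
    """
    values = target_variables(ip, dnshost, nbhost)

    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise ValueError(f"${{{name}}} is not available for {ip}")
        return values[name]

    return _VAR.sub(substitute, pattern)


def expand_for_targets(pattern, targets, nbhost_by_ip=None):
    """Device names a pattern resolves to for a list of (ip, dnshost) targets,
    reproducing how one vault_device_name can match several devices."""
    nbhost_by_ip = nbhost_by_ip or {}
    return [expand_pattern(pattern, ip, dns, nbhost_by_ip.get(ip))
            for ip, dns in targets]
```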

CyberArk AIM

folder={value}

(Required if vault type is CyberArk AIM) Specify the name of the folder in the secure digital safe where the password to be used for authentication is stored.

The folder name can contain a maximum of 169 characters. Entering a trailing /, as in folder/, is optional (when specified, the service removes the trailing / and does not save it in the folder name). The maximum length of a folder name plus a file name is 170 characters (leading and/or trailing spaces in the input value are removed). These special characters cannot be included in a folder name: / : * ? " < > | <tab>

file={value}

(Required if vault type is CyberArk AIM) Specify the name of the file in the secure digital safe where the password to be used for authentication is stored.

The file name can contain a maximum of 165 characters. The maximum length of a folder name plus a file name is 170 characters (leading and/or trailing spaces in the input value are removed). These special characters cannot be included in a file name: \ / : * ? " < > | <tab>

HashiCorp

secret_kv_path={value}

(Optional if vault type is HashiCorp) The path of the secret engine. The default is "secret/data". For a custom path, provide the path in the format "path/to/secret/data".

Note that we only support Key-Value Secret Engine version 2 to retrieve secrets from the HashiCorp Vault.

secret_kv_name={value}

(Required if vault type is HashiCorp) The secret name which stores key-value pairs.

secret_kv_key={value}

(Required if vault type is HashiCorp) The key name for identifying a specific key-value pair.

CyberArk PIM Suite

folder={value}

(Required if vault type is CyberArk PIM Suite) Specify the name of the folder in the secure digital safe where the password to be used for authentication is stored.

The folder name can contain a maximum of 169 characters. Entering a trailing /, as in folder/, is optional (when specified, the service removes the trailing / and does not save it in the folder name). The maximum length of a folder name plus a file name is 170 characters (leading and/or trailing spaces in the input value are removed). These special characters cannot be included in a folder name: / : * ? " < > | <tab>

file={value}

(Required if vault type is CyberArk PIM Suite) Specify the name of the file in the secure digital safe where the password to be used for authentication is stored.

The file name can contain a maximum of 165 characters. The maximum length of a folder name plus a file name is 170 characters (leading and/or trailing spaces in the input value are removed). These special characters cannot be included in a file name: \ / : * ? " < > | <tab>
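The folder and file naming rules are the same for CyberArk AIM and CyberArk PIM Suite, so one added check serves both sections. This is illustration code written for this page, not Qualys or CyberArk code: it applies the documented normalisation (trim surrounding whitespace, drop one trailing /) and then reports every length or character rule the pair would break before the record is submitted.

```python
# Limits and character sets exactly as this page states them.
FOLDER_MAX = 169      # folder name alone
FILE_MAX = 165        # file name alone
COMBINED_MAX = 170    # folder name plus file name
# The folder list does not include "\" (it separates sub-folders); the file list does.
FOLDER_FORBIDDEN = set('/:*?"<>|\t')
FILE_FORBIDDEN = FOLDER_FORBIDDEN | {"\\"}


def normalize_folder(folder):
    """Documented server-side normalisation: trim leading/trailing
    whitespace, then drop the optional trailing '/' (as in 'folder/')."""
    folder = folder.strip()
    if folder.endswith("/"):
        folder = folder[:-1]
    return folder


def validate_cyberark_location(folder, file):
    """Return (folder, file) as the service would store them, or raise
    ValueError listing every documented rule the input breaks."""
    folder = normalize_folder(folder)
    file = file.strip()
    problems = []
    if not folder:
        problems.append("folder is required")
    if not file:
        problems.append("file is required")
    if len(folder) > FOLDER_MAX:
        problems.append(f"folder exceeds {FOLDER_MAX} characters")
    if len(file) > FILE_MAX:
        problems.append(f"file exceeds {FILE_MAX} characters")
    if len(folder) + len(file) > COMBINED_MAX:
        problems.append(f"folder plus file exceeds {COMBINED_MAX} characters")
    bad = sorted(set(folder) & FOLDER_FORBIDDEN)
    if bad:
        problems.append(f"folder contains forbidden characters: {bad}")
    bad = sorted(set(file) & FILE_FORBIDDEN)
    if bad:
        problems.append(f"file contains forbidden characters: {bad}")
    if problems:
        raise ValueError("; ".join(problems))
    return folder, file
```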

Lieberman ERPM

auto_discover_system_name={0|1}

(Required if vault type is Lieberman ERPM) Specify 1 to enable auto discovery of the system name and 0 to disable auto discovery.

Each system in your ERPM environment has a system name and this is needed in order to retrieve the password for authentication. Use auto discovery to allow the service to find the system name for you at scan time. The service uses information known about each host (like the IP address and FQDN) to query ERPM for the system name. Auto discovery is the only option available when your record includes multiple IPs.

system_name_single_host={value}

(Required if vault type is Lieberman ERPM) Specify the system name that is needed to retrieve the password for authentication.

To specify system_name_single_host, ensure that auto discovery of system name is disabled (auto_discover_system_name=0). If auto discovery of system name is enabled (auto_discover_system_name=1), specifying system_name_single_host is invalid.

system_type={value}

(Required if vault type is Lieberman ERPM) A valid value is one of the following system types: auto, windows, unix, oracle, mssq, ldap, cisco, custom

custom_system_type={value}

(Required if vault type is Lieberman ERPM) Specify the custom system type name.

custom_system_type is valid only when system_type=custom.
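Several of the rules on this page span more than one parameter: vault_id cannot be sent together with password (Windows) or with password or cleartext_password (Unix); CA PAM needs vault_device_name or vault_device_host but not both; and Lieberman ERPM ties system_name_single_host to auto_discover_system_name and custom_system_type to system_type. The following pre-flight check is an added illustration, not part of the Qualys API or any client, that applies those rules to a request's form parameters before it is sent; it assumes vault_type values are spelled as the vault headings on this page.

```python
# Added pre-flight check, not part of the Qualys API or any client library.
# It encodes the cross-parameter rules this page states for vault settings so a
# request can be rejected locally before it is sent. The vault_type strings are
# assumed to be spelled as the vault headings on this page.
LIEBERMAN_SYSTEM_TYPES = {"auto", "windows", "unix", "oracle", "mssq",
                          "ldap", "cisco", "custom"}  # as listed on the page


def check_vault_params(record_type, params):
    """Return the list of rule violations for one auth record request.

    record_type: "windows" or "unix", the kind of auth record being written.
    params:      form parameters about to be sent, as a dict of str -> str.
    An empty list means the vault parameters are consistent.
    """
    p, errors = params, []
    if p.get("login_type", "basic") != "vault":
        return errors  # a basic record carries no vault settings to check
    if p.get("action") == "create":
        for name in ("vault_id", "vault_type"):
            if not p.get(name):
                errors.append(f"{name} is required when action=create and login_type=vault")
    if "vault_id" in p:
        clash = {"password"} if record_type == "windows" else {"password", "cleartext_password"}
        for name in sorted(clash & p.keys()):
            errors.append(f"vault_id and {name} cannot be specified in the same request")
    vault_type = p.get("vault_type")
    if vault_type == "CA PAM":
        if ("vault_device_name" in p) == ("vault_device_host" in p):
            errors.append("specify vault_device_name or vault_device_host, but not both")
    if vault_type == "Lieberman ERPM":
        auto = p.get("auto_discover_system_name")
        if auto not in ("0", "1"):
            errors.append("auto_discover_system_name must be 0 or 1")
        if auto == "1" and "system_name_single_host" in p:
            errors.append("system_name_single_host is invalid when auto_discover_system_name=1")
        if auto == "0" and "system_name_single_host" not in p:
            errors.append("system_name_single_host is required when auto_discover_system_name=0")
        system_type = p.get("system_type")
        if system_type not in LIEBERMAN_SYSTEM_TYPES:
            errors.append("system_type must be one of " + ", ".join(sorted(LIEBERMAN_SYSTEM_TYPES)))
        if "custom_system_type" in p and system_type != "custom":
            errors.append("custom_system_type is valid only when system_type=custom")
        if system_type == "custom" and "custom_system_type" not in p:
            errors.append("custom_system_type is required when system_type=custom")
    return errors
```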

Quest Vault

system_name={value}

(Required if vault type is Quest Vault) Specify the system name. During a scan we'll perform a search for the system name and then retrieve the password. A single exact match of the system name must be found in order for authentication to be successful.

Thycotic Secret Server

secret_name={value}

(Required if vault type is Thycotic Secret Server) Specify the secret name that contains the password to be used for authentication. The scanning engine will perform a search for the secret name and then get the password from the secret returned by the search. A single exact match of the secret name must be found in order for authentication to be successful. The secret name may contain a maximum of 256 characters, and must not contain multibyte characters.

Wallix AdminBastion (WAB)

authorization_name={value}

(Required when vault_type=Wallix AdminBastion (WAB))

The name of the authorization that enables secret retrieval from a group of targets.

target_name={value}

(Required when vault_type=Wallix AdminBastion (WAB))

Specify the name of the target device using one of these formats:

user@global_WABdomain

user@local_WABdomain@device

where user is the user with access to the target, global_WABdomain is a domain name in a domain controller, local_WABdomain is a local domain, and device is the device you want to scan.

You can use one or more variables in the target name to match several targets that use the same naming convention.