Required only when you want to create or update vault information
Boolean
Set login_type=vault to add vault information. By default, the parameter is set to basic.
vault_id={value}
Required only when action=create and login_type=vault
Integer
For Windows, vault_id and password parameters are mutually exclusive and cannot be specified in the same request.
For Unix, vault_id and password, cleartext_password parameters are mutually exclusive and cannot be specified in the same request.
vault_type={value}
Required only when action=create and login_type=vault
Boolean
Choose one vault type:
Arcon PAM | Azure Key | BeyondTrust PBPS | CA Access Control | CA PAM | CyberArk AIM | CyberArk PIM Suite | HashiCorp | Hitachi ID PAM (no parameters specific to this vault type) | Lieberman ERPM | Quest Vault | Thycotic Secret Server | Wallix AdminBastion (WAB)
ARCON PAM
vault_service_type={value}
Required if vault type is ARCON PAM
String
Specify a vault service type for authenticating to the vault and launching the scan on the host. This value is validated against the predefined list of service types.
Azure Key
ak_secret_name={value}
Required if vault type is Azure Key
String
The secret name assigned to the secret stored in the vault.
BeyondTrust PBPS
system_name={value}
Optional if vault type is BeyondTrust PBPS
String
The managed system name (also known as asset name). When not specified, we’ll attempt to auto-discover the system name for you at scan time.
account_name={value}
Optional if vault type is BeyondTrust PBPS
String
The account name. When not specified, we’ll try the username specified in the authentication record.
CA Access Control
end_point_name={value}
Required if vault type is CA Access Control
String
The End-Point name identifies a managed system, either a target for local accounts or a domain controller for domain accounts. An End-Point name is a user-defined value within your installation of CA Access Control Enterprise Management. The End-Point name entered in this record must match a pre-defined name exactly.
end_point_type={value}
Required if vault type is CA Access Control
Boolean
The End-Point type represents the method of access to the End-Point system. CA Access Control Enterprise Management uses pre-defined values for various methods and the End-Point type value must match a pre-defined value exactly. Examples: "Windows Agentless" (for Windows accounts) and "SSH Device" (for Unix via SSH).
end_point_container={value}
Required if vault type is CA Access Control
String
The End-Point container stores configuration values. CA Access Control Enterprise Management uses pre-defined values for various methods and the End-Point container value must match a pre-defined value exactly. Examples: "Accounts" (for Windows accounts) and "SSH Accounts" (for Unix via SSH).
CA PAM
vault_app_name={value}
Required
String
Application name as defined in the vault configuration for accessing a specific device.
vault_device_name={value}
Required
String
Specify the target device name defined in the vault configuration for which you want to retrieve the credentials.
You can use one or more variables when defining the device name in order to match several targets that use the same naming convention.
${ip} // The IP address of the target, i.e. 10.20.30.40.
${ip_dash} // The IP address of the target with dashes instead of dots, i.e. 10-20-30-40.
${dnshost} // The DNS host name of the target, i.e. host.domain.
${host} // The host name of the target, i.e. host before .domain.
${nbhost} // (Windows only) The NetBIOS host name of the target in upper-case, i.e. HOST_ABC.
Example, device-unix-${ip} will match these 3 devices: device-unix-10.50.60.70, device-unix-10.50.60.88 and device-unix-10.30.10.12.
Note
You must specify “vault_device_name” or “vault_device_host”, but not both.
vault_device_host={value}
Optional
String
Specify the target device address defined in the vault configuration for which you want to retrieve the credentials.
Use one or more variables in the target name to match several targets that use the same naming convention.
${ip} - The IP address of the target, i.e. 10.20.30.40.
${ip_dash} - The IP with dashes, i.e. 10-20-30-40.
${dnshost} - DNS hostname of the target, i.e. host.domain.
${host} - Hostname of the target, i.e. host before .domain.
${nbhost} - (Windows only) The NetBIOS name of the target in upper-case, i.e. HOST_ABC.
Example, ${host}-${ip_dash} will match these 3 hosts: host40-10-20-30-40, host80-10-50-60-70 and host12-10-30-10-12.
Note
You must specify “vault_device_name” or “vault_device_host”, but not both.
CyberArk AIM
folder={value}
Required if vault type is CyberArk AIM
String
Specify the name of the folder in the secure digital safe where the password to be used for authentication should be stored.
The folder name can contain a maximum of 169 characters. Entering a trailing /, as in folder/, is optional (when specified, the service removes the trailing / and does not save it in the folder name). The maximum length of a folder name with a file name is 170 characters (the leading and/or trailing space in the input value will be removed). These special characters cannot be included in a folder name: / : * ? " < > | <tab>
You can use one or more variables when defining the folder name in order to match several targets that use the same naming convention.
${ip} - The IP address of the target, i.e. 10.20.30.40.
${ip_dash} - The IP with dashes, i.e. 10-20-30-40.
${dnshost} - DNS hostname of the target, i.e. host.domain.
${host} - Hostname of the target, i.e. host before .domain.
${nbhost} - (Windows only) The NetBIOS name of the target in upper-case, i.e. HOST_ABC.
For example, ${host}-${ip_dash} will match these 3 targets: host40-10-20-30-40, host80-10-50-60-70 and host12-10-30-10-12.
file={value}
Required if vault type is CyberArk AIM
String
Specify the name of the file in the secure digital safe where the password to be used for authentication should be stored.
The file name can contain a maximum of 165 characters. The maximum length of a folder name plus a file name is 170 characters (the leading and/or trailing space in the input value will be removed). These special characters cannot be included in a file name: \ / : * ? " < > | <tab>
You can use one or more variables when defining the file name in order to match several targets that use the same naming convention.
${ip} - The IP address of the target, i.e. 10.20.30.40.
${ip_dash} - The IP with dashes, i.e. 10-20-30-40.
${dnshost} - DNS hostname of the target, i.e. host.domain.
${host} - Hostname of the target, i.e. host before .domain.
${nbhost} - (Windows only) The NetBIOS name of the target in upper-case, i.e. HOST_ABC.
For example, ${host}-${ip_dash} will match these 3 targets: host40-10-20-30-40, host80-10-50-60-70 and host12-10-30-10-12.
HashiCorp
secret_kv_path={value}
Optional if vault type is HashiCorp
String
The path of the secret engine. The default is “secret/data”. For a custom path, provide the path in the format "path/to/secret/data".
Note that we only support Key-Value Secret Engine version 2 to retrieve secrets from the HashiCorp Vault.
secret_kv_name={value}
Required if vault type is HashiCorp
String
The secret name which stores key-value pairs.
secret_kv_key={value}
Required if vault type is HashiCorp
Integer
The key name for identifying a specific key-value pair.
Note: This field does not appear while using Database Secrets Engine or Active Directory (AD) Secrets Engine while creating or updating HashiCorp authentication records (Oracle, Windows, HTTP, MS SQL, Network SSH, and Unix records).
CyberArk PIM Suite
folder={value}
Required if vault type is CyberArk PIM Suite
String
Specify the name of the folder in the secure digital safe where the password to be used for authentication should be stored.
The folder name can contain a maximum of 169 characters. Entering a trailing /, as in folder/, is optional (when specified, the service removes the trailing / and does not save it in the folder name). The maximum length of a folder name with a file name is 170 characters (the leading and/or trailing space in the input value will be removed). These special characters cannot be included in a folder name: / : * ? " < > | <tab>
file={value}
Required if vault type is CyberArk PIM Suite
String
Specify the name of the file in the secure digital safe where the password to be used for authentication should be stored.
The file name can contain a maximum of 165 characters. The maximum length of a folder name plus a file name is 170 characters (the leading and/or trailing space in the input value will be removed). These special characters cannot be included in a file name: \ / : * ? " < > | <tab>
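A pre-flight check for the CyberArk AIM and CyberArk PIM Suite folder and file rules stated above, written as an added example and not taken from the service's own code. It assumes the 170-character combined limit is the sum of the two trimmed lengths with no separator counted; the function names are hypothetical.

```python
# Characters the page lists as not allowed (the folder list has no backslash).
FOLDER_FORBIDDEN = set('/:*?"<>|\t')
FILE_FORBIDDEN = set('\\/:*?"<>|\t')
MAX_FOLDER, MAX_FILE, MAX_COMBINED = 169, 165, 170

def normalize(folder, file):
    """Apply the trimming the page describes before any check is made."""
    folder = folder.strip(" ")
    if folder.endswith("/"):  # a trailing / is accepted but not saved
        folder = folder[:-1]
    return folder, file.strip(" ")

def check_safe_location(folder, file):
    """Return (folder, file, errors) for the folder= and file= parameters."""
    folder, file = normalize(folder, file)
    errors = []
    for label, value, limit, forbidden in (
        ("folder", folder, MAX_FOLDER, FOLDER_FORBIDDEN),
        ("file", file, MAX_FILE, FILE_FORBIDDEN),
    ):
        if not value:
            errors.append(f"{label} is required")
        if len(value) > limit:
            errors.append(f"{label} is {len(value)} characters, limit is {limit}")
        bad = sorted(set(value) & forbidden)
        if bad:
            errors.append(f"{label} contains forbidden characters: {bad!r}")
    # Assumption: combined limit counts only the two names, no separator.
    if len(folder) + len(file) > MAX_COMBINED:
        errors.append(f"combined length {len(folder) + len(file)} exceeds {MAX_COMBINED}")
    return folder, file, errors

if __name__ == "__main__":
    # Constructed inputs: each name is within its own limit, the pair is not.
    for folder, file in [(" Root\\Unix/ ", "host40.pwd"), ("f" * 169, "pw")]:
        print(check_safe_location(folder, file)[2] or "ok")
```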
Lieberman ERPM
auto_discover_system_name={0|1}
Required if vault type is Lieberman ERPM
Integer
Specify 1 to enable auto discovery of the system name and 0 to disable auto discovery.
Each system in your ERPM environment has a system name and this is needed in order to retrieve the password for authentication. Use auto discovery to allow the service to find the system name for you at scan time. The service uses information known about each host (like the IP address and FQDN) to query ERPM for the system name. Auto discovery is the only option available when your record includes multiple IPs.
system_name_single_host={value}
Required if vault type is Lieberman ERPM
String
Specify the system name that is needed to retrieve the password for authentication.
To specify system_name_single_host, ensure that auto discovery of system name is disabled (auto_discover_system_name=0). If auto discovery of system name is enabled (auto_discover_system_name=1), specifying system_name_single_host is invalid.
system_type={value}
Required if vault type is Lieberman ERPM
Boolean
A valid value is one of the following system types: auto, windows, unix, oracle, mssq, ldap, cisco, custom
custom_system_type={value}
Required if vault type is Lieberman ERPM
String
Specify the custom system type name.
custom_system_type is valid only when system_type=custom.
Quest Vault
system_name={value}
Required if vault type is Quest Vault
String
Specify the system name. During a scan we'll perform a search for the system name and then retrieve the password. A single exact match of the system name must be found in order for authentication to be successful.
Thycotic Secret Server
secret_name={value}
Required if vault type is Thycotic Secret Server
String
Specify the secret name that contains the password to be used for authentication. The scanning engine will perform a search for the secret name and then get the password from the secret returned by the search. A single exact match of the secret name must be found in order for authentication to be successful. The secret name may contain a maximum of 256 characters, and must not contain multibyte characters.
Wallix AdminBastion (WAB)
authorization_name={value}
Required when vault_type=Wallix AdminBastion (WAB)
String
The name of the authorization that enables secret retrieval from a group of targets.
target_name={value}
Required when vault_type=Wallix AdminBastion (WAB)
String
Specify the name of the target device using one of these formats:
user@global_WABdomain
user@local_WABdomain@device
where user is the user with access to the target, global_WABdomain is a domain name in a domain controller, local_WABdomain is a local domain, device is the device you want to scan
Use one or more variables in the target name to match several targets that use the same naming convention.
${ip} - The IP address of the target, i.e. 10.20.30.40.
${ip_dash} - The IP with dashes, i.e. 10-20-30-40.
${dnshost} - DNS hostname of the target, i.e. host.domain.
${host} - Hostname of the target, i.e. host before .domain.
${nbhost} - (Windows only) The NetBIOS name of the target in upper-case, i.e. HOST_ABC.
For example, the target name user@local_WABdomain@${ip} will match these 3 devices: 10.50.60.70, 10.50.60.88 and 10.30.10.12.
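The ${ip}, ${ip_dash}, ${dnshost}, ${host} and ${nbhost} variables used by the CA PAM, CyberArk AIM and Wallix parameters can be expanded locally to see which vault entries a record will ask for before a scan runs. This is an added example, not the service's own code; the function names, the example.com hosts and the vault inventory are constructed, and it assumes names are matched as exact strings.

```python
import re

_VAR = re.compile(r"\$\{(\w+)\}")

def target_vars(ip, dnshost, nbhost=None):
    """Substitution values for one scan target, per the variable list above."""
    values = {
        "ip": ip,
        "ip_dash": ip.replace(".", "-"),
        "dnshost": dnshost,
        "host": dnshost.split(".", 1)[0],  # host before .domain
    }
    if nbhost is not None:  # Windows only; always upper-case
        values["nbhost"] = nbhost.upper()
    return values

def expand(template, values):
    """Replace each ${var}; fail loudly on a variable the target cannot supply."""
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise ValueError(f"${{{name}}} is not available for {values['ip']}")
        return values[name]
    return _VAR.sub(substitute, template)

def missing_entries(template, targets, vault_entries):
    """Return {ip: expanded name} for targets with no matching vault entry."""
    resolved = {t["ip"]: expand(template, t) for t in targets}
    return {ip: name for ip, name in resolved.items() if name not in vault_entries}

# Constructed sample data, reusing the host names from the page's examples.
TARGETS = [
    target_vars("10.20.30.40", "host40.example.com"),
    target_vars("10.50.60.70", "host80.example.com"),
    target_vars("10.30.10.12", "host12.example.com"),
]
VAULT_ENTRIES = {"host40-10-20-30-40", "host80-10-50-60-70"}  # one entry absent

if __name__ == "__main__":
    gaps = missing_entries("${host}-${ip_dash}", TARGETS, VAULT_ENTRIES)
    for ip, name in gaps.items():
        print(f"{ip}: vault has no entry named {name}")
```

A target that shows up in the result would be scanned without a credential, so the gap is worth closing in the vault or in the template before the record is created.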
Hitachi ID PAM
resource_id
Optional
Integer
Specify resource id for a Hitachi ID PAM authentication record.