# DISCOVER Quick Start Guide

## Overview

GuardWare DISCOVER is a cross-platform data discovery, investigation, and remediation system that locates, analyses, and manages sensitive data across endpoint devices, file servers, email systems, and cloud storage.

DISCOVER follows a simple operating flow:

* **Scan** finds sensitive data across selected targets.
* **Investigation** lets you flag files of interest and securely download and review them.
* **Remediation** lets you move, delete, copy, and classify the sensitive data detected across scanned systems and send emails regarding the results to end users or data owners.

See [Introduction to DISCOVER](/discover/about/introduction-to-discover.md) for the platform overview.

DISCOVER has three core components:

* **Management Console:** The central web application. Stores configuration and results. Schedules scan jobs. Displays scan status, reports, investigations, and remediation options.
* **Scanning Server:** A Windows service where the scanning agent is installed. It performs scans on target devices and shows the scan results in the Management Console.
* **Targets:** The systems being scanned. Can include endpoints, SMB file shares, Exchange Online, and SharePoint Online.

#### Architecture: Local vs Agentless scanning

1. **Local scan**: A local scan is performed when the agent is installed on a target device, and the device scans itself for sensitive data.
2. **Agentless scan (Remote scan)**: An agentless scan is performed using a scanning server where the agent is installed. The scanning server connects remotely, using protocols such as WinRM, SSH, or SMB (for file servers), to target devices that do not have the agent installed and performs the scan on those devices.

{% hint style="info" %}
We recommend using remote scanning for centralised coverage across devices and services.
{% endhint %}

#### Classifications, data types, and data owners

DISCOVER uses a simple governance model:

* **Classifications** define sensitivity levels.
* **Data Types** define what DISCOVER detects.
* **Data Owners** define who is notified.

The relationship is direct:

* A data type belongs to a classification.
* One or more data owners can be assigned to a data type.
* A file inherits the highest sensitivity classification from matched data types.

See [DATA GOVERNANCE](https://docs.guardware.com/data-governance/) for the full governance model.

#### What this guide covers

* Console access
* Scanning Server configuration
* Connecting Microsoft 365
* Target discovery, scanning, and review
* Investigation and remediation

This guide introduces the essential steps for quickly initiating scan jobs and getting visibility into your sensitive data landscape.

{% hint style="warning" %}
Before getting started, make sure you have installed the GuardWare Server and can access the GuardWare Management Console.
{% endhint %}

{% stepper %}
{% step %}

### Log in to the Console

1. Open the GuardWare Management Console URL.
2. Sign in with your admin or organisation account.
3. Complete 2FA, EULA acceptance, and password setup if prompted.

If Microsoft sign-in is enabled, you can also use your Microsoft account.
{% endstep %}

{% step %}

### Whitelist DISCOVER

Add the following directories and executables to your security solution's exclusion or trusted applications list.

1. `C:\Program Files\Guardware\GuardWare DISCOVER`
2. `C:\Program Files\Guardware\GuardWare DISCOVER\MIPLabelHandler`
3. `GuardWareDiscoverAgent.exe`
4. `GWActiveMon.exe`
{% endstep %}

{% step %}

### Download the Agent <a href="#download-the-agent" id="download-the-agent"></a>

1. Navigate to **ORGANISATION** > **Agent Download** > **DISCOVER Agent**.
2. Set the **Location** and click **Update**.
3. Click **Submit**. The Download link only appears after the configuration is complete.

Once the installation settings are complete, the **Download Installer** link becomes available. Click it to download the agent with the configured settings.
{% endstep %}

{% step %}

### Configure the Scanning Server

1. For **local scan**, install the downloaded agent on a target device.
2. For **agentless/remote scan**, install the downloaded agent on a Windows host. The Windows host becomes the Scanning Server and scans multiple remote systems across the network.
3. Complete the setup wizard.
4. Confirm the Scanning Server appears as **Online** in the Console.

For remote scan, each target device must be configured to accept connections from the Scanning Server host using the appropriate protocol. GuardWare provides PowerShell scripts that enable the required services, set permissions, and configure firewall rules.

For Microsoft 365 targets, no script is required on target devices. The Scanning Server host needs outbound HTTPS access and valid Microsoft Entra ID credentials.

See [Scanning Server Deployment Guide](/setup-and-deploy/install-agent/install-discover-agent.md) for remote access configuration.
{% endstep %}

{% step %}

### Connect Microsoft 365

Connect your Microsoft 365 environment to enable scanning of Exchange Online and SharePoint Online. Ensure you have the **Global Administrator** account's credentials ready.

1. Navigate to **ORGANISATION** > **Integrations**.
2. Click **Connect Microsoft 365**.
3. Sign in with a **Global Administrator** account.
4. Review the requested permissions.
5. Select **Consent on behalf of your organisation**.
6. Click **Accept**.
{% endstep %}

{% step %}

### Define classifications and data types

Set up classifications and data types before you run scans. This makes results easier to review and act on.

1. Navigate to **DATA GOVERNANCE** > **Data Classification**.
2. Create classifications manually with **+Add Classification**, or click **Sync** to import published Microsoft Purview Information Protection sensitivity labels.
3. Run **Sync** again after labels are added or changed in Microsoft Purview.
4. Go to **DATA GOVERNANCE** > **Data Type**.
5. Click **+Data Type** and enter the data type name and description.
6. Choose the identifier type:
   * **Sensitive Words**
   * **Regular Expressions**
   * **Filename Expressions**
7. Assign a classification and data owner.
8. Click **Save**.

See [DATA GOVERNANCE](/data-governance/data-governance/data-classification.md) for more details.
{% endstep %}

{% step %}

### Discover target devices and services

Before you can scan, DISCOVER must know what to scan. Targets are the systems and services DISCOVER scans to detect sensitive data. Properly defining targets ensures scans reach the correct data sources and provide comprehensive visibility across your environment.

Start with your highest-priority systems that are most likely to contain sensitive data and expand gradually based on your requirements.

**Devices**

Device targets include workstations, laptops, and file servers where sensitive data may reside.

1. Go to **DISCOVER** > **Target Discovery** > **Devices** and click **+New Target Discovery**.

   <div align="left"><img src="/files/e8dd6d47bc315f5d9a83506f2accdc58152ea0cc" alt="" width="563"></div>
2. Enter a **Job Name** for the discovery job, and specify the **Target IP range** to define the network segment in which DISCOVER should search for devices.
3. Set the **Location** to filter the list of scanning servers by their assigned location.
4. Select the appropriate **Protocol** (WinRM, SSH, or FILE SERVER) to connect to the devices and provide **Authentication** credentials.
   * **SSH** for non-Windows devices.
   * **WinRM** for Windows devices.
   * **File Server (SMB)** for shared storage and file servers.
5. Set the **Connection Attempt Interval** to define how frequently DISCOVER will try to connect to a target.
6. Set **Give-up Trying After** to specify the maximum duration DISCOVER will continue attempting the connection before abandoning it.
7. Click **Save**.

**Services**

Cloud services extend DISCOVER's reach to data stored in external platforms, ensuring complete coverage of your digital assets regardless of location.

1. Go to **DISCOVER** > **Target Discovery** > **Services** and click **+New Target Discovery**.

<div align="left"><img src="/files/b8d32eda84bd28d6c6a788f5a6683537af71c960" alt="" width="563"></div>

2. Enter the **Discovery Job** name, then select the **Cloud Connector** for the service type (Microsoft Exchange or SharePoint).
3. Specify the **Organisation** (for SharePoint) and provide the **Client ID** and **Tenant ID** for authentication.
4. Set the **Location** to filter the list of scanning servers by their assigned location.
5. Select either **Client Exchange Secret** or **Certificate** as an authentication method.
6. Set the **Connection Attempt Interval** to define how frequently DISCOVER will try to connect to a target.
7. Set **Give-up Trying After** to specify the maximum duration DISCOVER will continue attempting the connection before abandoning it.
8. Click **Save**.

Discovered devices and services then appear in **Devices/Services Found** and can be selected in scans.

{% hint style="info" %}
After a target discovery job completes, you can use **Rediscover** from **DISCOVER** > **Target Discovery** to run that same job again. Rediscover uses the same settings and target discovery parameters as the original job. You cannot change them during the rerun. Use it when devices in the discovery range were temporarily unavailable or unreachable.
{% endhint %}

For more details, see [Target Discovery](/discover/scan/target-discovery.md).
{% endstep %}

{% step %}

### Create and run a scan

After target devices are found, create your first scan. During a scan, DISCOVER examines the selected devices and services by checking the specified directories (or all directories, if configured) and the specified file types for sensitive data.

It then searches within those files, identifying and reporting any sensitive data it detects. You can run a [**One-Time Scan**](/discover/scan/scans.md#one-time-scan) for testing or targeted scans, or an [**Ongoing Scan**](/discover/scan/scans.md#ongoing-scan) for routine monitoring.

{% tabs %}
{% tab title="Configure and Run a One-Time Scan" %}
A **One-Time Scan** checks new or changed files on the selected targets against your configured data types and classifications. Use it to validate a new rule, perform a targeted check, or test new scan configurations.

1. Navigate to **DISCOVER** > **Scans** and click **+New Scan**.

<div align="left"><img src="/files/edb69802e6170b8c8dc103b934ecde63715ba0d8" alt="" width="563"></div>

2. Select **One-Time Scan** and click **Proceed**.

<div align="left"><img src="/files/6edf5278d4e40059cc6f92706e50b070c7a6830b" alt="" width="563"></div>

3. Enter a **Scan Name** and give a **Description** (optional), then click **Next**.
4. Select the data types you want to search for and click **Next**.
5. Select the targets and services to scan, then click **Next**.
6. Configure the **File Handling Options**, specify the files and folders you want to include or exclude from the scan, and then click **Next**.
7. Review the scan configurations and click **Save Scan**. The scan will begin automatically.
{% endtab %}

{% tab title="Configure and Run an Ongoing Scan" %}
An Ongoing Scan performs a full scan of selected targets and services on a recurring schedule. Use it for routine checks, to validate compliance with data-handling policies, and to maintain continuous visibility into sensitive information across your environment.

Each scan contributes to a historical record that DISCOVER uses to generate trends, enabling you to monitor changes over time, identify emerging risks, and track remedial actions. Ongoing Scans are resource-intensive, so schedule them during off-peak hours to minimise impact on business operations.

1. Go to **DISCOVER** > **Scans** and click **+New Scan**.
2. Select **Ongoing Scan** and click **Proceed**.

<div align="left"><img src="/files/c61755ae8c41c653026dc9bd7f86aa7c269a0c0e" alt="" width="563"></div>

3. Select data types you want to search for and click **Next**.
4. Select the Targets/Services to scan, then click **Next**.
5. Configure File Handling Options and filters, then click **Next**.
6. Schedule the scan time and click **Next**.

<div align="left"><img src="/files/b853486e9aa1048ec866d22c9c3e53d8baa78419" alt="" width="563"></div>

7. Review the scan configurations and click **Save Scan**. The scan will begin automatically.
{% endtab %}
{% endtabs %}

During execution, track progress in **DISCOVER** > **Scans**.

When the scan completes, open **View Result** or go to **DISCOVER** > **Results**.
{% endstep %}

{% step %}

### Check results

From **DISCOVER > Results**, you can filter findings and move selected items into an investigation. After a scan completes, you can view details such as what sensitive data was found, which device or service it was found on, how many instances were detected, and any remediation actions that have been applied.

By default, you'll see results from all completed scans. Use the filter options at the top of the page to narrow results by scan job, date range, data type, classification, or target name.
{% endstep %}

{% step %}

### Analyse discovered data

Use the dashboard for trends and the results view for details.

1. Go to **DISCOVER** > **Dashboard** > **Dashboard** for high-level metrics.
2. Review widgets such as **Potential Sensitive Data**, **Potential Data by Target**, and remediation status.
3. Go to **DISCOVER** > **Dashboard** > **Summary Report** to review files and targets by data type for a specific scan.
4. Go to **DISCOVER** > **Results** to inspect individual findings and refine filters by scan, target, data type, and classification.

Use this review to confirm risk, prioritise targets, and decide what needs investigation or remediation first.

See [DISCOVER Dashboard](/discover/dashboard/discover-dashboard.md) for more details.
{% endstep %}

{% step %}

### Classify discovered information

DISCOVER classifies files based on the matched data types. The highest matched classification is applied to the result.

1. Confirm that the relevant data types already have classifications assigned.
2. Review findings in **DISCOVER** > **Results**.
3. If a file needs a different label, use **Remediate** > **Classify**.
4. If you need to update the default mapping, go to **DATA GOVERNANCE** > **Data Type** and assign the correct classification to the data type.

This keeps discovered information aligned with your handling policy.
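
The classification rule from the governance model and this step (a file takes the highest classification among its matched data types), as an added Python illustration that is not GuardWare's code or DISCOVER's matching engine. The classification names and their ranking, the sample data types and owner addresses, treating filename expressions as regular expressions, and notifying the owners of every matched data type are assumptions.

```python
import re
from dataclasses import dataclass

# Assumed classification labels, ordered least to most sensitive (not from the page).
RANK = {"Public": 0, "Internal": 1, "Confidential": 2, "Restricted": 3}

@dataclass(frozen=True)
class DataType:
    name: str
    kind: str              # "words", "regex" or "filename"
    patterns: tuple
    classification: str
    owners: tuple

    def matches(self, filename, text):
        if self.kind == "words":       # whole-word, case-insensitive match on content
            return any(re.search(rf"\b{re.escape(w)}\b", text, re.I) for w in self.patterns)
        if self.kind == "regex":       # regular expression on content
            return any(re.search(p, text) for p in self.patterns)
        if self.kind == "filename":    # assumed: regular expression on the file name
            return any(re.search(p, filename, re.I) for p in self.patterns)
        raise ValueError(f"unknown identifier kind: {self.kind}")

def classify(filename, text, data_types):
    """Return (classification, matched data type names, data owners to notify)."""
    matched = [dt for dt in data_types if dt.matches(filename, text)]
    if not matched:
        return None, [], []
    # The file inherits the highest-ranked classification among its matches.
    top = max(matched, key=lambda dt: RANK[dt.classification])
    owners = sorted({o for dt in matched for o in dt.owners})
    return top.classification, [dt.name for dt in matched], owners

# Constructed sample data types and files.
DATA_TYPES = [
    DataType("Payment Card", "regex", (r"\b4\d{3}(?:[ -]?\d{4}){3}\b",),
             "Restricted", ("finance-owner@example.com",)),
    DataType("Project Codename", "words", ("Project Falcon",),
             "Confidential", ("rnd-owner@example.com",)),
    DataType("Payroll Export", "filename", (r"payroll.*\.(csv|xlsx)$",),
             "Internal", ("hr-owner@example.com",)),
]
SAMPLES = [
    ("payroll_2024.csv", "Employee list for Q1"),
    ("notes.txt", "Project Falcon invoice paid with 4111 1111 1111 1111"),
    ("readme.md", "Build instructions"),
]

if __name__ == "__main__":
    for name, text in SAMPLES:
        print(name, classify(name, text, DATA_TYPES))
```
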
{% endstep %}

{% step %}

### Create an investigation

Use the Investigation feature when you need to review discovered files more closely.

Before you investigate files, configure the secure location and investigation password first.

#### Set up a secure location and an investigation password

When DISCOVER identifies sensitive files during a scan, you may need to investigate or remediate them. A **secure location** is a designated storage area where these files are copied or moved, keeping them in a controlled environment separate from their original location.

The **investigation password** is the password you need to access the files downloaded using DISCOVER's Investigate function. Set the investigation password before conducting any investigations, and store it securely. If it is lost, previously downloaded files cannot be opened.

Set them in **ORGANISATION** > **Set Up Secure Location**.

<figure><img src="/files/xTqxo02EfpSMUv86jHjH" alt=""><figcaption></figcaption></figure>

See [Secure Location](/discover/investigate-and-remediate/set-up-secure-location.md) and [Investigation Password](/discover/investigate-and-remediate/set-investigation-password.md) for more details.

#### Create a new investigation

1. Navigate to **DISCOVER** > **Investigation**.
2. Click **+ New Investigation**.
3. Enter a name and a short purpose.
4. Click **Create**.

#### Move items into the investigation

1. Navigate to **DISCOVER** > **Results**.
2. Select one or more findings.
3. Click **Investigate**.
4. Select an existing investigation from the drop-down or create a new one by entering a new name.
5. Add an optional comment, and click **Investigate**. Investigation results are made available as password-protected ZIP downloads.
6. Click the download icon to download the file. The files inside the ZIP are password-protected. Use the password you set up while setting up the secure location.

See [Investigation](/discover/investigate-and-remediate/investigation.md) for more details.
{% endstep %}

{% step %}

### Remediate sensitive information

Use **Remediate** to reduce risk after you confirm a finding. You can move, copy, delete, classify, or notify the right owner.

1. Go to **DISCOVER** > **Results** > **Remediate** or **DISCOVER** > **Investigation** > **Remediate**.
2. Select one or more files and click **Remediate**.
3. Choose a remediation action from the drop-down.

<table><thead><tr><th width="257">Action</th><th>Function</th></tr></thead><tbody><tr><td>Move</td><td>Relocates the file to a secure location.</td></tr><tr><td>Copy</td><td>Creates a copy of the file in a secure or alternate location.</td></tr><tr><td>Delete</td><td>Permanently removes the file.</td></tr><tr><td>Classify</td><td>Classifies the file according to the selected classification.</td></tr><tr><td>Send Email to Data Owner</td><td>Notifies the assigned data owner by email.</td></tr><tr><td>Send Email to Device Owner</td><td>Notifies the file owner or user who has the device in their possession.</td></tr></tbody></table>

4. Add a comment (optional) to provide context or notes for the task.
5. Click **Remediate** to execute the selected action.

Use **DISCOVER** > **Remediation** to track what action was taken, by whom, and when.

See [Remediation](/discover/investigate-and-remediate/remediation.md) for more details.
{% endstep %}
{% endstepper %}

