Running centralized scans

This feature is not available in Tanium Cloud deployments.

Use centralized scans to scan from the Tanium Module server to unmanaged environments, such as Amazon EC2 or an unmanaged subnet.

Scan unmanaged subnets with a centralized Nmap scan

Use centralized Nmap scans to find interfaces in unmanaged subnets. The Network Mapper (Nmap) utility finds information about network interfaces by running host discovery and OS fingerprinting from the Module Server on a target network.

The centralized Nmap scan is an equivalent of a level 4 distributed scan.

Value on Interfaces pages: centralized nmap

By default, Discover scans 1000 commonly used TCP ports to calculate the OS Generation field. (For more information, see Top 1,000 TCP and UDP ports (nmap default).) In the profile settings you can configure different ports to scan and can change the source port from which the scan originates. The value of the OS Generation field is a “best guess” from Nmap, and is not displayed for managed interfaces.

The accuracy of OS fingerprinting and host name resolution depends on how remote the network is that you choose to scan. The more network hops away you search, the harder it is for Nmap to identify the operating system.

Remote network scans might not return MAC addresses for discovered interfaces. If an interface does not have a MAC address, the IP address is used as the unique identifier.

The Nmap utility is installed on the Module Server after you create a centralized Nmap profile. If you remove all of the centralized Nmap profiles, the Nmap utility gets removed.

Configure profile for centralized Nmap scan

Configure a profile for the centralized Nmap scan by defining which networks to scan, the discovery method, and the scan schedule.

For information about the data provided by each profile type, see Reference: Data returned by profile type.

Before you begin

  • Ensure that you have the target network information, which is a comma-separated list of CIDR addresses of up to 4096 IP addresses (or the equivalent of a /20 network).

  • (Optional) Create a locations file to map physical locations to discovered interfaces. Assign users to specific locations to limit access to interface data to specific user groups. You can configure locations at any time because the locations are evaluated every time a Discover scan completes. For more information, see Locations.

    For the most complete results from the scan, import locations before configuring a profile. You can update locations later as you find more information about your networks.

  1. Add a profile. From the Discover menu, click Profiles. Click Create Profile.
  2. Give the profile a name and select the Centralized profile type.
  3. For the Discovery Method, choose Nmap Scan with Host Discovery and OS Fingerprinting.
  4. Specify the ports to scan.
  5. When you define scan inclusions, indicate the set of CIDR addresses for the Tanium Module Server to target with the scan. Add exclusions (such as individual IP addresses or subnets) to limit the scan within the specified inclusion range. For example, if you specify the Target Network is 192.168.0.0/20, you might specify to exclude 192.168.1.0/24 and 192.168.0.1.
  6. Configure the scan schedule and scan window.

    1. Schedule: The schedule defines how often to run the scan.
      Recommended scanning frequency is once an hour in most environments.
    2. Scan Window: Configure specific times to run the discovery process.
      If a scan is scheduled to run outside the scan window, nothing is run as a part of the scan. For example, you can create a scan configuration to scan daily, but restrict the scans to run during non-business hours, such as from 6:30 PM to 11:30 PM.
      The Duration of the scan window must be greater than or equal to the Reissue every setting in the schedule section or the scan might not run.

  7. Click Create.
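The inclusion, exclusion and scan-window rules from the steps above can be checked before you save the profile. The following is an added example (not Tanium code) that applies them to the page's own sample targets; the IPv4-only handling, the minute units and the function names are assumptions for illustration.

```python
"""Sanity-check a centralized Nmap profile (added example, not Tanium code)."""
import ipaddress

MAX_TARGET_ADDRESSES = 4096  # documented limit, the equivalent of a /20


def parse_cidrs(spec):
    """Parse the comma-separated CIDR list as entered in the profile."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in spec.split(",") if p.strip()]


def total_addresses(networks):
    return sum(n.num_addresses for n in networks)


def effective_targets(inclusions, exclusions):
    """Return the collapsed networks left after exclusions are carved out (IPv4 assumed)."""
    remaining = list(inclusions)
    for excl in exclusions:
        kept = []
        for net in remaining:
            if net.subnet_of(excl):       # the whole inclusion is excluded
                continue
            if excl.subnet_of(net):       # carve the exclusion out of this inclusion
                kept.extend(net.address_exclude(excl))
            else:                         # exclusion lies outside this inclusion
                kept.append(net)
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


def is_targeted(networks, ip_text):
    """True if the address would be probed by the scan."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in n for n in networks)


def validate_profile(target_spec, exclude_spec, reissue_every_min, window_duration_min):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    inclusions = parse_cidrs(target_spec)
    if total_addresses(inclusions) > MAX_TARGET_ADDRESSES:
        problems.append("target network exceeds 4096 addresses")
    if not effective_targets(inclusions, parse_cidrs(exclude_spec)):
        problems.append("exclusions remove every target address")
    if window_duration_min < reissue_every_min:   # Duration must be >= Reissue every
        problems.append("scan window Duration is shorter than Reissue every")
    return problems
```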

Discovery process

  1. On the first run of a centralized Nmap profile, Discover installs the Nmap utility on the Module Server. The scan runs at the scheduled interval.
  2. Perform an Nmap scan on the targeted network, as defined in the profile settings.
  3. Import results into Discover at the Import Frequency interval that you defined. For more information, see Configure import frequency.

If you have enabled Endpoint Configuration approval, configuration changes must be approved in Endpoint Configuration before they deploy to endpoints.

Scan Amazon EC2 environments

Discover unmanaged interfaces in an Amazon EC2 environment from the Tanium Module Server.

Discover does not support creating a profile for an AWS organization that allows access to AWS accounts within that organizational hierarchy. You must create a centralized AWS profile in Discover for each account that might contain an EC2 instance.

Value on Interfaces pages: aws api

Before you begin

  • Configure your network to allow access from the Tanium Module Server to ec2.*.amazonaws.com, sts.*.amazonaws.com, and ssm.*.amazonaws.com on port 443.

  • If you have a proxy server configured for your Tanium Module Server, confirm that it is the Basic server type. Amazon EC2 does not support the NTLM server type. For more information, see Tanium Core Platform Deployment Reference Guide: Types of proxy servers.
  • (Optional) Create a locations file to map physical locations to discovered interfaces. Assign users to specific locations to limit access to interface data to specific user groups. You can configure locations at any time because the locations are evaluated every time a Discover scan completes. For more information, see Locations.

    For the most complete results from the scan, import locations before configuring a profile. You can update locations later as you find more information about your networks.

Configure API user

To access the EC2 environment, you must have a user that has API access and the required permissions.

  1. Create a user in Amazon Web Services (AWS) with programmatic access. This user must have an access key ID and secret access key. For more information, see AWS docs: Creating an IAM user in your AWS account.
  2. Attach the following policy to the user you created in AWS. This policy limits the access of the user to the minimum requirements for Discover. For more information, see AWS docs: Create and Attach Your First Customer Managed Policy.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeImages",
                    "ec2:DescribeInstances",
                    "ssm:DescribeInstanceInformation"
                ],
                "Resource": "*"
            }
        ]
    }
  3. Optionally, you can provide a role that the user must assume in AWS. If you provide this role, the user must have the appropriate IAM permissions to assume the role, and that role must have access to the appropriate policy to perform the scan. If you decide not to require the user to assume this role, leave the Assume IAM Role field in Discover empty.
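Because the policy above is meant to be the minimum, it is worth auditing the policy document you actually attach before the scanning user is created. The following is an added example (not Tanium code): it flags wildcard actions and anything beyond the three documented actions; the sts:AssumeRole allowance for the optional Assume IAM Role setup and the sample policies are assumptions constructed for illustration.

```python
"""Audit an IAM policy against the Discover minimum (added example, not Tanium code)."""
import json

# The three actions the documentation lists as the minimum for the scan.
REQUIRED_ACTIONS = {"ec2:DescribeImages", "ec2:DescribeInstances",
                    "ssm:DescribeInstanceInformation"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Collect every action granted by an Allow statement."""
    actions = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action", [])))
    return actions


def audit_policy(policy_json, allow_assume_role=False):
    """Return findings; an empty list means the policy matches the documented minimum.

    allow_assume_role is an assumption for the optional Assume IAM Role setup,
    where the user additionally needs sts:AssumeRole on that role.
    """
    policy = json.loads(policy_json)
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    for stmt in _as_list(policy.get("Statement", [])):
        if "NotAction" in stmt:
            findings.append("NotAction grants everything not listed; use Action")
    permitted = REQUIRED_ACTIONS | ({"sts:AssumeRole"} if allow_assume_role else set())
    granted = allowed_actions(policy)
    for action in sorted(granted):
        if "*" in action:
            findings.append(f"wildcard action: {action}")
        elif action not in permitted:
            findings.append(f"action beyond Discover minimum: {action}")
    for action in sorted(REQUIRED_ACTIONS - granted):
        findings.append(f"missing required action: {action}")
    return findings


# Constructed samples: the documented policy, and an over-broad variant of it.
DOCUMENTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:DescribeImages", "ec2:DescribeInstances",
               "ssm:DescribeInstanceInformation"]}]})
OVERBROAD_POLICY = DOCUMENTED_POLICY.replace(
    '"ec2:DescribeImages"', '"ec2:*", "s3:GetObject", "ec2:DescribeImages"')
```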

Configure profile for Amazon EC2 centralized scan

Configure a profile for the centralized scan by defining the credentials for AWS and a scan schedule.

For information about the data provided by each profile type, see Reference: Data returned by profile type.

  1. Add a profile. From the Discover menu, click Profiles. Click Create Profile.
  2. Give the profile a name and select the Centralized profile type.
  3. For the Discovery Method, choose Amazon Web Services EC2 Cloud API.
  4. Enter details for the discovery method to connect the Tanium Module Server to the Amazon EC2 environment.

    The secret access key persists after you save the profile. You do not need to enter the key if you edit the profile later.

  5. Test the connection to AWS. Click Test Credentials. The credentials are tested against all selected regions. Edit the Regions setting to include only regions to which the ID and key have access.
  6. Configure the scan schedule, which defines how often to query AWS.
  7. Click Create.

Discovery process

After you save an Amazon EC2 centralized scanning profile, the following actions occur:

  1. On the scheduled interval, the Tanium Module Server uses the AWS API to query your EC2 environment.
  2. All information is obtained from the AWS API; Tanium does not contact the individual EC2 instances.
  3. Import results into Discover at the Import Frequency interval that you defined. For more information, see Configure import frequency.

An EC2 instance with multiple NICs results in multiple interfaces in Discover, one for each NIC.

If you have enabled Endpoint Configuration approval, configuration changes must be approved in Endpoint Configuration before they deploy to endpoints.

Centralized scan results

Scan results

After you discover interfaces, the Interfaces pages list the interfaces with the following icons:

  • Managed interfaces that have Tanium Client installed.
  • Unmanaged interfaces that do not have Tanium Client installed, but might be a candidate for a Tanium Client installation.
  • Unmanageable interfaces are on devices that cannot run the Tanium Client. By default, unmanageable interfaces have an OS Platform that is not supported by the Tanium Client, defined by the Unmanageable OS Platforms predefined automatic label. Unmanageable interfaces are not included in the managed and unmanaged interface statistics.

The profile type and discovery method that were used to find the interface return varying columns on the Interfaces pages. For more information, see Reference: Data returned by profile type.

Force import of scan results

Instead of waiting for the Reissue every time to pass, you can force an import of the most recent scan results.

  1. Go to the Discover Profiles page.
  2. Click Reimport Scan Results. When you click this button:
      • Distributed scan results are collected. If these methods are not active on the endpoints, no results are collected.
      • Satellite profile scan results are collected from the satellite.
      • Centralized profile scan results are collected from the Tanium Module Server.

      Clicking Reimport Scan Results does not force the execution of distributed, satellite, or centralized scans. The results for distributed scans are gathered if they are already distributed and active on the endpoints. For satellite scans, the results from the latest scan are collected from the associated satellite. For centralized scans, the results from the last scan are collected from the Tanium Module Server.

What to do next