Creating assessments

You can create a new assessment on the Assessments page or create one using an existing standard on the Standards page. You must have the Comply Report Administrator role to create assessments. For more information about Comply roles, see User role requirements.

Run a configuration compliance assessment to check the security configuration compliance state of a group of machines on a set schedule. This will execute data collection using Security Content Automation Protocol (SCAP) Extensible Configuration Checklist Description Format (XCCDF) standards. Run a vulnerability assessment to execute Open Vulnerability and Assessment Language (OVAL) checks against your endpoints to check for the presence of identified vulnerabilities.

The results of assessments are listed in the Findings page. From the Comply menu, click Findings.

Run general assessments that address all known configuration compliance issues and vulnerabilities once a month or bi-monthly. In addition to that large, general assessment, configure a small lightweight assessment that uses only targeted compliance standards or high and critical severity vulnerability definitions from the current year so that you can run it frequently without negative performance impact. For example, you might run the lighter assessment weekly or every 3 days.

Create a configuration compliance assessment

Configuration compliance assessments are supported for all endpoint operating systems that are supported by Comply: Windows, macOS, Linux, AIX, and Solaris.

Create a configuration compliance assessment from the Assessments page

  1. Select Assessments from the Comply menu.
  2. Select Compliance from the Create Assessment drop-down button.
  3. On the Create Configuration Compliance Assessment page, in the Summary section, enter a Name. You can also provide Labels.
  4. In the Targeting section:
    • Select Computer Groups. Use the pulldown list to select a group. Add additional groups using the same pulldown, and use the And/Or buttons to build upon or narrow your selection. Use the Row button to add a new row to the group. Use the Grouping button to build another And/Or combination for targeting. When finished, click Apply for each selection.
    • Be sure to select the appropriate platform (AIX, Linux, Mac, or Windows) and Computer Groups containing endpoints that align with the Platform for Comply to work correctly.

  5. The Tanium Comply action group is created automatically by Comply and will be automatically populated in the Action Group field. All saved actions created by Comply will be created under this action group.
  6. Select a Platform.
  7. Select the Engine. The Engine field displays only when more than one engine is installed.

  8. Select either Low or Normal from the Comply Process Priority drop-down list.

    If you select Low, the Comply scan process yields processor utilization to other processes running on the endpoint. If you select Normal, the scan process runs with the same priority as other processes on the endpoint.

    Selecting Low might increase the duration of the scan processes on endpoints with high processor utilization.

  9. Optionally, when the Tanium Scan Engine is selected, you can enable the Include network drives in scan check box. Network drives are not included in scans by default. Scanning them can be time-consuming and resource-intensive.
  10. In the Standards section:
    • Select the Standard from the drop-down list. Click Add Standard to include more than one.
    • In the Profile drop-down list, select an existing profile for the selected standard.

      When standards are imported with an engine, such as CIS-CAT or SCC, they are automatically assigned the applicable category. By default, new standards are assigned the Imported category.

    • In the Advanced Settings section, optionally select a Custom ID. Custom ID mappings allow you to create a custom column on results that associates a specific tag with a CVE. Create Custom IDs from the Setup > Vulnerability page in the Custom ID tab. See Customizing compliance results for more information.
    • Custom checks should take less than a minute to run. They can write anything to standard output as long as the last line is a valid rule result string, such as pass, fail, or error.

  11. (Optional) In the Schedule section:
    • Select Start on and End on and complete the date and time values to limit the report to run only during a specific time period.

      The date and time displayed by default is the local browser time. For details on how this time is used to deploy the scheduled action, see Tanium Console User Guide: Deploying actions.

    • (Optional) Select the Distribute Over option and enter values to run the report over minutes or hours. This value cannot be over four hours. For more information on deploying actions, see Tanium Console User Guide: Deploying actions (Step 5).
    • In the Repeat field, select Interval, Using report age, or Never.
      • If you choose Interval, the Reissue every field displays, and you can specify how often the report runs.
      • If you choose Using assessments age, then the Run when results are older than field displays, and you can specify how old you want the results to be before the report runs again. If a targeted endpoint comes online that has never run the report, the report runs as soon as the next age-check occurs. The age of results is checked every 3 hours unless you specify an age less than 3 hours. In this case, the age of results is checked every hour.
      • As a best practice, use the Using assessments age option and set it to 7 days.

  12. Click Create & Deploy and enter your credentials. Action results will display on the Findings page.
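The custom-check output contract described in the Standards step above (diagnostics may precede the result, but the last line of standard output must be a rule result string), shown as an added example that is not Tanium's code. The sshd_config rule, the sample file content and the parser are constructed for illustration; only the pass/fail/error last-line convention comes from this page.

```python
"""Added example (not Tanium's code): a minimal Comply-style custom check.

Assumed contract, taken from the page: the check may print anything to
standard output, but its LAST line must be one of the rule result strings
"pass", "fail" or "error". The setting checked, the sample config and the
output parser are hypothetical and constructed for illustration.
"""
import sys

RULE_RESULTS = {"pass", "fail", "error"}

# Constructed sample sshd_config content standing in for a real file.
SAMPLE_SSHD_CONFIG = """\
# constructed sample
Port 22
PermitRootLogin no
PasswordAuthentication yes
"""


def check_permit_root_login(config_text):
    """Evaluate the hypothetical rule 'PermitRootLogin must be no'.

    Returns (result, diagnostic): result is a rule result string, the
    diagnostic is free text that may precede it on stdout.
    """
    value = None
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "permitrootlogin":
            value = parts[1].strip() if len(parts) > 1 else ""
    if value is None:
        # Directive absent: undecidable, so report error, not a silent pass.
        return "error", "PermitRootLogin directive not found"
    if value.lower() == "no":
        return "pass", "PermitRootLogin is 'no'"
    return "fail", "PermitRootLogin is %r, expected 'no'" % value


def rule_result_from_output(stdout_text):
    """Parse a check's stdout the way the page describes: only the last
    non-empty line carries the result. Returns None when that line is not
    a valid rule result string, so a malformed check is not misread."""
    lines = [l.strip() for l in stdout_text.splitlines() if l.strip()]
    if not lines:
        return None
    last = lines[-1].lower()
    return last if last in RULE_RESULTS else None


def main():
    result, diag = check_permit_root_login(SAMPLE_SSHD_CONFIG)
    print(diag)    # diagnostics first ...
    print(result)  # ... the result string must be the last line
    return 0


if __name__ == "__main__":
    sys.exit(main())
```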

Create a configuration compliance assessment from the Standards page

On the Standards Compliance tab, click Create next to a profile to create an assessment for that profile.

Create a vulnerability assessment

Create a vulnerability assessment from the Assessments page.

  1. Select Assessments from the Comply menu.
  2. Select Vulnerability from the Create Assessment drop-down button.
  3. On the Create Vulnerability Assessment page, in the Summary section, enter a Name for the assessment. You can also provide Labels.
  4. In the Targeting section:
    • Select Computer Groups. Use the pulldown list to select a group. Add additional groups using the same pulldown, and use the And/Or buttons to build upon or narrow your selection. Use the Row button to add a new row to the group. Use the Grouping button to build another And/Or combination for targeting. When finished, click Apply for each selection.
    • Be sure to select the appropriate platform and Computer Groups containing endpoints that align with the Platform.

  5. The Tanium Comply action group is created automatically by Comply and will be automatically populated in the Action Group field. All saved actions created by Comply will be created under this action group.
  6. Select a Platform.
  7. Select the Engine. The Engine field displays only when more than one engine is installed.
  8. Select either Low or Normal from the Comply Process Priority drop-down list.

    If you select Low, the Comply scan process yields processor utilization to other processes running on the machine. If you select Normal, the scan process runs with the same priority as other processes on the machine.

    Selecting Low might increase the duration of the scan processes on endpoints with high processor utilization.

  9. Optionally, when the Tanium Scan Engine is selected, you can enable the Include network drives in scan check box. Network drives are not included in scans by default. Scanning them can be time-consuming and resource-intensive.
  10. Select the Source from the drop-down list in the Vulnerability Content section.
  11. Select an Operating System.
  12. Specify the Range of CVEs. The Preview section on the right will show the number of CVEs and Definitions that will be included in the report.

    You can specify now in the Range of CVEs field as the end of a range. For example, entering 2016-now will run the report against all Common Vulnerabilities and Exposures (CVEs) from 2016 to the current date. By using this format, you can easily define a range that is always current.
    As a best practice, scan more frequently for recently released high and critical vulnerabilities (for example, 2018-now high and critical on a weekly basis), and conduct scans against all vulnerabilities less frequently (for example, monthly or quarterly).

  13. Check the scores you want to see in CVSS Score.
  14. List specific CVEs in the List of Individual CVEs field.

    If you specify a List of Individual CVEs, they will always be included in the report regardless of the values specified for Range of CVEs or CVSS Score. To search by year and score, you must provide values for both fields for the search to be valid. If you specify Range of CVEs, you must select at least one score in CVSS Score. If you select a score in CVSS Score, you must specify Range of CVEs. If you list specific CVEs, you can choose to leave the Range of CVEs field blank and select no CVSS Score.

    If you have previously saved a report with values for List of Individual CVEs, Range of CVEs, or CVSS Score, these values will remain the same for the next vulnerability report you create. You can edit these values as needed.

  15. Specify the Batch Size.

    Batch Size defines the number of checks that will run at a time. In order to run a manageable number of checks on your endpoints, the default value for this field is 500 for CIS-CAT and SCC, and the default is 2000 for Tanium Scan Engine (powered by JovalCM).
    This setting does not typically need to be adjusted from the default value.

  16. Select Start on and End on and complete the date and time values to limit the report to run only during a specific time period.

    The date and time displayed by default is the local browser time. For details on how this time is used to deploy the scheduled action, see Tanium Console User Guide: Deploying actions (Step 5).

  17. Select the Distribute Over option and enter values to run the report over minutes, hours, or days. For more information on deploying actions, see Tanium Console User Guide: Deploying actions (Step 5).
  18. Select Interval, Using report age, or Never for the Repeat field.
    • If you choose Interval, the Reissue every field displays, and you can specify how often the report is run.
    • If you choose Using assessment age, then the Run when results are older than field displays, and you can specify how old you want the results to be before the assessment is run. If a targeted endpoint comes online that has never run the assessment, the assessment will be run as soon as the next age-check occurs. The age of results is checked either every hour or every 3 hours. If you specify an age less than 3 hours, the age of results will be checked every hour.

      As a best practice, use the Using assessment age option and set it to 7 days.

  19. Click Create & Deploy and enter your credentials. Action results will display on the Findings page.
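The Range of CVEs, CVSS Score and List of Individual CVEs rules from steps 12 to 14 above, applied to a constructed set of CVE records, as an added example that is not Tanium's code. The record format, the score-to-severity bands and the function names are assumptions; only the combination rules and the 2016-now range format come from this page.

```python
"""Added example (not Tanium's code): the selection rules the page gives for
Range of CVEs, CVSS Score and List of Individual CVEs, run over constructed
CVE records. Record format, severity bands and names are assumptions.
"""
import datetime

# Constructed sample vulnerability content: (CVE id, CVSS base score).
SAMPLE_CVES = [
    ("CVE-2015-0001", 9.8),
    ("CVE-2016-0002", 7.5),
    ("CVE-2018-0003", 5.0),
    ("CVE-2019-0004", 9.1),
    ("CVE-2020-0005", 3.1),
]

# Assumed CVSS v3 severity bands; the page only names "high and critical".
SEVERITY_BANDS = {
    "low": (0.1, 3.9),
    "medium": (4.0, 6.9),
    "high": (7.0, 8.9),
    "critical": (9.0, 10.0),
}


def parse_cve_range(text, current_year=None):
    """Parse 'YYYY-YYYY' or 'YYYY-now' into an inclusive (start, end) tuple.
    'now' resolves to the current year, so the range stays current."""
    current_year = current_year or datetime.date.today().year
    start_s, sep, end_s = text.strip().partition("-")
    if not sep:
        raise ValueError("range must look like 2016-2019 or 2016-now")
    start = int(start_s)
    end = current_year if end_s.strip().lower() == "now" else int(end_s)
    if start > end:
        raise ValueError("range start is after range end")
    return start, end


def validate_selection(cve_range, scores, individual):
    """Enforce the page's rules: a Range requires at least one score, a score
    requires a Range, and an individual list on its own is acceptable.
    Rejecting a fully empty selection is an assumption."""
    if cve_range and not scores:
        raise ValueError("Range of CVEs requires at least one CVSS Score")
    if scores and not cve_range:
        raise ValueError("CVSS Score requires a Range of CVEs")
    if not cve_range and not scores and not individual:
        raise ValueError("nothing selected")


def select_cves(cves, cve_range=None, scores=(), individual=(), current_year=None):
    """Return the sorted CVE ids an assessment with these settings includes."""
    validate_selection(cve_range, scores, individual)
    chosen = set(individual)  # listed CVEs are always included
    if cve_range:
        start, end = parse_cve_range(cve_range, current_year)
        bands = [SEVERITY_BANDS[s] for s in scores]
        for cve_id, score in cves:
            year = int(cve_id.split("-")[1])
            if start <= year <= end and any(lo <= score <= hi for lo, hi in bands):
                chosen.add(cve_id)
    return sorted(chosen)
```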

Create a vulnerability assessment from the Standards page

Select Standards from the main menu, select the Vulnerability tab, and click Create next to the vulnerability standard for which you want to create an assessment.

Create a remote vulnerability assessment

You can find vulnerabilities on unmanaged endpoints in your environment by creating a remote vulnerability assessment. To create remote vulnerability assessments in Comply, you must use the Discover module. Confirm that the Discover configuration is complete. For more information, see Discover User Guide: Installing Discover.

You must have the Discover module installed and configured to use this feature. You must also have the following privileges: Discover Profile Read to view a remote vulnerability assessment and Discover Profile Write to create a remote vulnerability assessment. There is background information and detailed instructions for this section in the Tanium Discover User Guide.

Discover currently scans only for IPv4 addresses.

For Comply 2.7 or later, you must use Discover 4.0 or later.

Remote vulnerability reports are not supported with the CIS-CAT scan engine.

  1. From the Comply menu, select Assessments.
  2. Click the Create Assessment button and select Remote Vulnerability.
  3. On the Create Remote Vulnerability Assessment page, in the Summary section, enter a Name for the assessment. You can also provide Labels.
  4. In the Scan Frequency section, specify how often you want the scan to run.
  5. In the Port Specification section, select one of the following:

      By default, the Network Mapper utility (Nmap) scans the top 1000 most commonly used TCP ports. If needed, you can customize the ports that are scanned during the discovery process and the source ports from which clients run scans.

    • Target Ports: Specify the TCP ports that you want to scan: Top 1000 Ports, Top 1000 Ports plus specified ports, or Only Specified Ports.

    • Excluded Ports: Specify a list of TCP ports to exclude from the ports scanned. These ports are excluded from all types of scans.

    • Source Port: Specify a source port from which Nmap on clients attempts to run scans.

  6. In the Scan Inclusions section, specify networks to scan as part of this assessment. You can only make one selection.

    For best results, choose All Networks.

    • All Networks: It is recommended you include all networks in the scan.

    • Specific Networks: Enter the IP addresses for specific networks to include in the scan. Tanium clients within those networks will perform the scan.

    • Computer groups: Select specific computer groups to include in the scan.

    These are the computers from which the results will be pulled.

  7. In the Scan Exclusions section, specify networks to exclude from the assessment. You can select multiple options.
    • Isolated Subnets/Systems: Select this check box to prevent devices that have no peers from performing scans.

    • Specific Networks: Enter IP addresses to be excluded from scans. These can be single addresses, address ranges, or comma-separated CIDRs.

    • VPN Networks: Enter VPN networks to be excluded from scans. This prevents computers that are not on the network from being scanned. These can be single addresses, address ranges, or comma-separated CIDRs.

    • Zone Servers: Enter zone servers to be excluded from scans. This prevents computers that are not on the network from being scanned by using IP addresses or host names of DMZ facing servers. These can be IP addresses or host names separated by commas.

  8. Click Create and enter your credentials. Action results will display on the Findings page.

Run an assessment again

On the Assessments page, select an assessment and click Deploy Now to run it again.

Export assessments

The following instructions are for exporting one assessment at a time. To export all compliance findings or all vulnerability findings using Tanium Connect, see Exporting findings and assessments for instructions.

  1. On the Assessments page, select an assessment and click the Export icon. You can only export one assessment at a time. If you have more than one assessment selected, the Export icon is not displayed.
  2. In the Export Assessment window, provide the following for each assessment type:
    • Compliance
      1. Enter an Assessment Name.
      2. Optionally, enter a Description.
      3. Enter a File Name.
      4. Select a Format: HTML or CSV. If you select CSV, no further information is required.
      5. Select one or more Results Types for the export.
      6. Select which Group Details to export: Description, Endpoint list, Summary.
      7. Select one or more Finding Attributes to export.
      8. Click Export.
    • Vulnerability
      1. Enter an Assessment Name.
      2. Optionally, enter a Description.
      3. Enter a File Name.
      4. Select a Format: HTML or CSV. If you select CSV, no further information is required.
      5. Select one or more Results Display types for the export: Details, Endpoint List, Open Ports (if applicable), and Vulnerability Test Criteria.
      6. Click Export.
    • Remote Vulnerability
      1. Select a Report from the pulldown list.
      2. Enter an Assessment Name.
      3. Optionally, enter a Description.
      4. Enter a File Name.
      5. Select a Format: HTML or CSV
      6. Click Export.
  3. Go to the Reports > Exports page to view the progress of any report export jobs currently running. The last column in the results table indicates the status of the report export job.

  4. When the export report is complete, select the export and click the Download icon to download the report in the format you selected.

Update vulnerability assessments

When vulnerability sources are updated and contain new definitions that match an assessment's vulnerability content, the assessment will get the updated feed the next time it is deployed. That process occurs automatically if it is deployed by a set schedule. If the vulnerability assessment does not have a recurring schedule, you must manually deploy it to receive the new vulnerability feed.

This update workflow does not apply to configuration compliance assessments, which require a new assessment to use updated configuration compliance standards.

Edit an assessment

  1. On the Assessments page, select the assessment you want to edit and click the Edit icon.
  2. Edit the Name if needed.
  3. Add labels in the Labels field. Click the X next to a label to remove it.
  4. Change the Engine if needed.
  5. Change the Comply Process Priority if needed.
  6. Select Start at and End at and complete the date and time values to limit the assessment to run only during a specific time period. The date and time displayed by default is the local browser time. For details on how this time is used to deploy the scheduled action, see Tanium Console User Guide: Deploying actions.
  7. Select the Distribute over option and enter values to run the assessment over minutes or hours. This value cannot be over four hours.
  8. Select None, Interval, or Use assessment age for the Repeat field.
    • If you choose None, the report will run once if the Start At field is specified for a date and time in the future. Otherwise, the report will not run again.
    • If you choose Interval, the Reissue every field will appear, and you can specify how often the assessment is run. The default value for this field is 1 Days and, if you do not specify a value for Start at, the assessment will run immediately. If you choose Interval and do not enter a value for End At, the assessment will run at the specified interval forever.
    • If you choose Use assessment age, then the Run when results are older than field will appear, and you can specify how old you want the results to be before the assessment is run. The default value for this field is 1 Days and, if you do not specify a value for Start at, the assessment will run immediately. If a targeted endpoint comes online that has never run the assessment, the assessment will be run as soon as the next age-check occurs. The age of results is checked either every hour or every 3 hours. If you specify an age less than 3 hours, the age of results will be checked every hour. If you do not enter a value for End At, the assessment will continue to run forever.
  9. Click Save.

Delete an assessment

When an updated version of a new configuration compliance standard is released, you must delete the configuration compliance assessment that uses the old standard and create a new assessment with the updated standard.

  • This workflow does not apply to vulnerability assessments, which are updated automatically if a service account is configured. See Update vulnerability assessments.
  • You cannot delete a standard, custom check, or custom ID mapping if they are associated with an assessment.

On the Assessments page, select an assessment and click the Delete icon to delete it.

Delete stale assessments from endpoints

If you delete an assessment using the procedure described in Delete an assessment, that assessment is removed from the console but it remains on the endpoint. To delete stale assessments from endpoints, do the following.

  1. From the Comply main page, click Help.
  2. On the Troubleshooting tab, click Manage Assessments.
  3. On the Stale Assessments page, select one or more and click Schedule Deletion.
  4. Select and edit the following fields to schedule the removal action:
    • Select Start On and End On and complete the date and time values to limit the removal to occur only during a specific time period. The date and time displayed by default is the local browser time. For details on how this time is used to deploy the scheduled action, see Tanium Console User Guide: Deploying actions.

    • Select the Distribute Over and enter values to run the removal over minutes, hours, or days.

    • Click Schedule Deletion.