You can find vulnerabilities on unmanaged endpoints in your environment by creating a remote vulnerability assessment.
You must have the Discover module.
Discover currently scans only for IPv4 addresses.
For Comply 2.7 or later, you must use Discover 4.0 or later.
Remote vulnerability reports are not supported with the CIS-CAT scan engine.
The scan method displayed for remote vulnerability assessments is remote unauthenticated.
- From the Comply menu, select Assessments.
- Click the Create Assessment button and select Remote Vulnerability.
- On the Create Remote Vulnerability Assessment page, in the Summary section, enter a Name for the assessment. You can also provide Labels.
- In the Scan Frequency section, specify how often you want the scan to run.
- In the Port Specification section, select one of the following:
  - Target Ports: Specify the TCP ports that you want to scan: Top 1000 Ports, Top 1000 Ports plus specified ports, or Only Specified Ports. By default, the Network Mapper utility (Nmap) scans the top 1000 most commonly used TCP ports. If needed, you can customize the ports that are scanned during the discovery process and the source ports from which clients run scans.
  - Excluded Ports: Specify a list of TCP ports to exclude from the ports scanned. These ports are excluded from all types of scans.
  - Source Port: Specify a source port from which Nmap on clients attempts to run scans.
- In the Scan Inclusions section, specify networks to scan as part of this assessment. You can make only one selection. For best results, choose All Networks.
  - All Networks: It is recommended that you include all networks in the scan.
  - Specific Networks: Enter the IP addresses for specific networks to include in the scan. Tanium clients within those networks will perform the scan.
  - Computer Groups: Select specific computer groups to include in the scan. These are the computers from which the results will be pulled.
- In the Scan Exclusions section, specify networks to exclude from the assessment. You can select multiple options.
  - Isolated Subnets/Systems: Select this check box to prevent devices that have no peers from performing scans.
  - Specific Networks: Enter IP addresses to be excluded from scans. These can be single addresses, address ranges, or comma-separated CIDRs.
  - VPN Networks: Enter VPN networks to be excluded from scans. This prevents computers that are not on the network from being scanned. These can be single addresses, address ranges, or comma-separated CIDRs.
  - Zone Servers: Enter zone servers to be excluded from scans, using the IP addresses or host names of the DMZ-facing servers. This prevents computers that are not on the network from being scanned. These can be IP addresses or host names separated by commas.
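Because Discover scans only IPv4 and the exclusion fields accept single addresses, address ranges, or comma-separated CIDRs, it is worth validating an exclusion list and confirming that the VPN pool and zone-server addresses you care about actually fall inside it before deploying. The following is an added example, not Tanium's code; it assumes a dash-separated form for address ranges (the page does not specify the range syntax) and uses constructed sample values.

```python
import ipaddress

class IPv4Range:
    """Inclusive first-last range such as 172.16.5.10-172.16.5.40 (the page does
    not give the range syntax; the dash form is an assumption)."""
    def __init__(self, first: str, last: str):
        self.first = ipaddress.IPv4Address(first)
        self.last = ipaddress.IPv4Address(last)
        if self.last < self.first:
            raise ValueError(f"range end precedes start: {first}-{last}")
    def __contains__(self, addr: ipaddress.IPv4Address) -> bool:
        return self.first <= addr <= self.last

def parse_exclusions(spec: str) -> list:
    """Parse a comma-separated Scan Exclusions value (single addresses, ranges,
    CIDRs). Only IPv4 is accepted because Discover scans IPv4 only."""
    entries = []
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            continue  # tolerate a trailing comma
        if "-" in item:
            first, last = (p.strip() for p in item.split("-", 1))
            entries.append(IPv4Range(first, last))
            continue
        try:
            # strict=False lets 10.1.2.3/24 stand for the containing /24
            net = ipaddress.ip_network(item, strict=False)
        except ValueError as exc:
            raise ValueError(f"invalid exclusion entry {item!r}") from exc
        if net.version != 4:
            raise ValueError(f"IPv6 entry not supported by Discover: {item}")
        entries.append(net)
    return entries

def is_excluded(addr: str, entries) -> bool:
    ip = ipaddress.IPv4Address(addr)
    return any(ip in e for e in entries)

def uncovered(addrs, entries) -> list:
    """Addresses the exclusion list would NOT cover; check this before deploying
    so VPN pools and DMZ zone servers are really excluded."""
    return [a for a in addrs if not is_excluded(a, entries)]

# Constructed sample values, not taken from the page
VPN_EXCLUSIONS = "10.200.0.0/16, 172.16.5.10-172.16.5.40, 192.0.2.7"
CHECK_ADDRS = ["10.200.3.9", "172.16.5.41", "192.0.2.7"]

if __name__ == "__main__":
    print("not excluded:", uncovered(CHECK_ADDRS, parse_exclusions(VPN_EXCLUSIONS)))
```

Any address reported as not excluded will be scanned by the assessment; add it to the relevant exclusion field if that is not intended.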
To work with the results of the assessment, do one of the following:
- Create a report. See Create a remote vulnerability report.
- Export the results using Tanium Connect. See Exporting vulnerability assessments.
- Use the Comply NMAP Scan results sensor ("Get Comply - NMap Scan Results from all machines").
- From the Comply menu, select Reports.
- Select the Remote tab.
- Click the Create Report button and select Remote Vulnerability.
- Enter a Name.
- Select a Label.
- Under Targeting, select Computer Groups. Use the pulldown list to select a group. Add additional groups using the same pulldown and use the And/Or buttons to build upon or narrow your selection. Use the Row button to add a new row to the group. Use the Grouping button to build another And/Or combination for targeting. Click Apply for each selection.
The Tanium Comply action group is created automatically by Comply and will be automatically populated in the Action Group field. All saved actions created by Comply will be created under this action group.
View the status of an assessment in the Status column on the list page. Hover over the icon to see one of the following statuses:
- No statistics have been received from the Comply service for the assessment.
- At least one endpoint in the assessment has not yet run the scan, but there are no scan errors.
- The assessment has at least one successful run with no errors and no scans not run.
- The assessment has at least one endpoint that produced an error during the scan.
- Any issue that does not fall into the other status categories.
You must reload the page to update the status column.
On the Assessments page, select an assessment and click Deploy Now to run it again.
The following instructions are for exporting one assessment at a time. To export findings using Tanium Connect, see Exporting findings and assessments for instructions.
- On the Assessments page, select an assessment and click the Export icon. You can export only one assessment at a time. If you have more than one assessment selected, the Export icon is not displayed.
- In the Export Assessment window, provide the following for each assessment type:
- When the export report is complete, select the export and click the Download icon to download the report in the format you selected.
Go to the Reports > Exports page to view the progress of any report export jobs currently running. The last column in the results table indicates the status of the report export job.
- On the Assessments page, select the assessment you want to edit and click the Edit icon.
- Edit the Name if needed.
- Add labels in the Labels field. Click the X next to a label to remove it.
- Change the Engine if needed.
- Change the Comply Process Priority if needed.
- Select Start at and End at and complete the date and time values to limit the assessment to run only during a specific time period. The date and time displayed by default is the local browser time. For details on how this time is used to deploy the scheduled action, see Tanium Console User Guide: Deploying actions.
- Select Distribute over and enter values to run the assessment over a period of minutes or hours.
- Select None, Interval, or Use assessment age for the Repeat field.
  - If you choose None, the report will run once if the Start At field is specified for a date and time in the future. Otherwise, the report will not run again.
  - If you choose Interval, the Reissue every field appears, and you can specify how often the assessment is run. The default value for this field is 1 Days and, if you do not specify a value for Start at, the assessment runs immediately. If you choose Interval and do not enter a value for End At, the assessment runs at the specified interval forever.
  - If you choose Use assessment age, the Run when results are older than field appears, and you can specify how old the results must be before the assessment is run again. The default value for this field is 1 Days and, if you do not specify a value for Start at, the assessment runs immediately. If a targeted endpoint that has never run the assessment comes online, the assessment runs as soon as the next age check occurs. The age of results is checked either every hour or every 3 hours: if you specify an age of less than 3 hours, the age of results is checked every hour. If you do not enter a value for End At, the assessment continues to run forever.
Remote vulnerability assessments are updated automatically.
You cannot delete a standard, custom check, or custom ID mapping if it is associated with an assessment.
Last updated: 9/20/2022 2:57 PM