Creating vulnerability assessments

You can create a new assessment on the Assessments page or create one using an existing standard on the Standards page. You must have the Comply Report Administrator role to create assessments that use client-based scanning. You must have the Comply RAS Assessment Create role to create assessments that use remote authenticated scanning. For more information about Comply roles, see User role requirements.

Configure a client-based scan assessment

  1. Select Assessments from the Comply menu.
  2. Select Vulnerability from the Create Assessment drop-down button.
  3. On the Create Vulnerability Assessment page, in the Summary section, enter a Name for the assessment. You can also provide Labels.
  4. Select a Scan Method (This field is only visible to users with the Comply RAS Assessment permission. All assessments are client-based scans unless otherwise specified.):
    • Client-Based: Client-based scanning uses Tanium Clients installed on endpoints. This is the recommended method of scanning. (The following instructions are for this scan method.)
    • Remote Authenticated: Remote authenticated scanning uses Tanium Clients as satellites to scan endpoints that do not have the Tanium Client installed. This scan type is useful for obtaining information from endpoints that do not support having the Tanium Client installed. See Configure a remote authenticated scan assessment for details.
  5. In the Targeting section:

    • Select Computer Groups. Use the pulldown list to select a group. Add additional groups using the same pulldown and use the And/Or buttons to build upon or narrow your selection. Use the Row button to add a new row to the group. Use the Grouping button to build another And/Or combination for targeting. When finished, click Apply for each selection.

    Be sure to select the appropriate Platform, and Computer Groups whose endpoints match that Platform.

  6. The Tanium Comply action group is created automatically by Comply and will be automatically populated in the Action Group field. All saved actions created by Comply will be created under this action group.
  7. Select a Platform.
  8. Select the Engine. The Engine field displays only when more than one engine is installed.
  9. Select either Low or Normal from the Comply Process Priority drop-down list.

    If you select Low, the Comply scan process yields processor utilization to other processes running on the machine. If you select Normal, the scan process runs with the same priority as other processes on the machine.

    Selecting Low might increase the duration of the scan processes on endpoints with high processor utilization.

  10. Optionally, when the Tanium Scan Engine is selected, you can enable the Include network drives in scan check box. Network drives are not included in scans by default. Scanning them can be time-consuming and resource intensive.
  11. Select the Source from the drop-down list in the Vulnerability Content section.
  12. Select an Operating System.
  13. Specify the Range of CVEs. The Preview section on the right will show the number of CVEs and Definitions that will be included in the report.

    You can specify now in the Range of CVEs field as the end of a range. For example, entering 2016-now will run the report against all Common Vulnerabilities and Exposures (CVEs) from 2016 to the current date. By using this format, you can easily define a range that is always current.
    As a best practice, scan more frequently for recently released high and critical vulnerabilities (for example, 2018-now high and critical on a weekly basis), and conduct scans against all vulnerabilities less frequently (for example, monthly or quarterly).

  14. Check the scores you want to see in CVSS Score.
  15. List specific CVEs in the List of Individual CVEs field.

    If you specify a List of Individual CVEs, they will always be included in the report regardless of the values specified for Range of CVEs or CVSS Score. To search by year and score, you must provide values for both fields for the search to be valid. If you specify Range of CVEs, you must select at least one score in CVSS Score. If you select a score in CVSS Score, you must specify Range of CVEs. If you list specific CVEs, you can choose to leave the Range of CVEs field blank and select no CVSS Score.

    If you have previously saved a report with values for List of Individual CVEs, Range of CVEs, or CVSS Score, these values will remain the same for the next vulnerability report you create. You can edit these values as needed.

  16. Specify the Batch Size.

    Batch Size defines the number of checks that will run at a time. In order to run a manageable number of checks on your endpoints, the default value for this field is 500 for CIS-CAT and SCC, and the default is 2000 for Tanium Scan Engine (powered by JovalCM).
    This setting does not typically need to be adjusted from the default value.

  17. Select Start on and End on and complete the date and time values to limit the report to run only during a specific time period.

    The date and time displayed by default is the local browser time.

  18. Select the Distribute Over option and enter values to run the report over minutes, hours, or days.
  19. Select Interval, Using report age, or Never for the Repeat field.
    • If you choose Interval, the Reissue every field displays, and you can specify how often the report is run.
    • If you choose Using assessment age, then the Run when results are older than field displays, and you can specify how old you want the results to be before the assessment is run. If a targeted endpoint comes online that has never run the assessment, the assessment will be run as soon as the next age-check occurs. The age of results is checked either every hour or every 3 hours. If you specify an age less than 3 hours, the age of results will be checked every hour.

      Use the Using assessment age option and set it to 7 days.

  20. Click Create & Deploy and enter your credentials. Results will display on the Findings page.

Configure a remote authenticated scan assessment

Remote authenticated scanning is useful for obtaining information from endpoints and subnets that do not support having the Tanium Client installed. For all other endpoints, you should use client-based scanning for performance reasons and to take advantage of the linear chain architecture.

Before you begin

To configure a remote authenticated scan assessment, do the following:

  1. Select Assessments from the Comply menu.
  2. Select Vulnerability from the Create Assessment drop-down button.
  3. On the Create Vulnerability Assessment page, in the Summary section, enter a Name for the assessment. You can also provide Labels.
  4. Select a Scan Method (This field is only visible to users with the Comply RAS Assessment permission. All assessments are client-based scans unless otherwise specified.):
    • Client-Based: Client-based scanning uses Tanium Clients installed on endpoints. This is the recommended method of scanning.
    • Remote Authenticated: Remote authenticated scanning uses Tanium Clients as satellites to scan endpoints that do not have the Tanium Client installed. This scan type is useful for obtaining information from endpoints that do not support having the Tanium Client installed. Note that remote authenticated scanning only supports using the Tanium Scan Engine. (The following instructions are for this scan method.)
    • The Discover scan cannot get the MAC address from endpoints that are not in the same subnet as the satellite. Therefore only endpoints in the same subnet as the satellite will be scanned.

  5. In the Satellite section, select a satellite to perform the scan.
  6. Optionally, in the Targeting section:
    • Select one of the following to filter the list of endpoints:

      Target           | Available Operators                                        | Value
      -----------------|------------------------------------------------------------|------------------------------------------------------------
      IP Address       | is equal to, is not equal to, contains, does not contain   | Enter a single IP address or multiple addresses, each separated by a comma. For example, 192.168.1.1, 192.168.1.3
      Discover Labels  | include one of, include all of                             | Select one or more labels configured in Tanium Discover. See Tanium Discover User Guide: Labels for more information.
      IP Range         | equals                                                     | Enter an IP address range. For example, 192.168.1.1 - 192.168.1.150
      CIDR             | equals                                                     | Enter an IP address range in CIDR format. For example, 192.168.1.0/24
      OS Platform      | contains, does not contain                                 | Enter text for targeting a specific OS.

      To select multiple items in the Value field, click within the field after adding an item, and you can select additional items.

      Use the And/Or buttons to build upon or narrow your selection. Use the Row button to add a new target to the group. Use the Grouping button to build another And/Or combination for targeting. Click Apply for each selection.

    • In the Preview section, click the Show Preview button to view the list of unmanaged endpoints you selected for targeting. You can use the information in the preview grid to expand or narrow your targeting. For example, you can target a satellite initially and then add an IP range to further filter your targets based on what you observed in the preview.
    • Select the Credential List for this assessment. You can only use one list per assessment. In order for satellites to perform secure scans of non-Tanium endpoints, the login credentials for those endpoints are required. See Configure credentials lists for remote-authenticated scans.
    • Make sure the credential list you select matches the targeting in the assessment. If too many incorrect credentials are attempted and fail, this could trigger security alerts and cause account lockouts.
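The targeting rows above (IP Address, IP Range, CIDR, OS Platform, Discover Labels) combined with the And/Or and Grouping buttons amount to a small boolean filter over the Discover inventory. The following is an added example, not Comply code, that models those operators and a Show Preview-style listing so you can see exactly which unmanaged endpoints a credential list would be tried against before deploying. The endpoint inventory, label names and the nested And/Or expression format are constructed for illustration.

```python
"""Model of remote authenticated scan targeting filters (added example,
not Comply code). Operators follow the documented targeting table;
the endpoint inventory below is constructed sample data."""
import ipaddress

# Constructed sample of unmanaged endpoints as a Discover scan might report them.
SAMPLE_ENDPOINTS = [
    {"ip": "192.168.1.1",   "os": "Cisco IOS",        "labels": {"network"}},
    {"ip": "192.168.1.3",   "os": "Linux 5.x",        "labels": {"lab"}},
    {"ip": "192.168.1.120", "os": "Windows Server",   "labels": {"lab", "windows"}},
    {"ip": "192.168.2.10",  "os": "Linux 4.x",        "labels": set()},
    {"ip": "10.0.0.5",      "os": "Printer firmware", "labels": {"iot"}},
]


def _ip_list(value):
    """Parse a comma-separated Value such as '192.168.1.1, 192.168.1.3'."""
    return [ipaddress.ip_address(v.strip()) for v in value.split(",") if v.strip()]


def match_rule(endpoint, target, operator, value):
    """Evaluate one targeting row (Target, Operator, Value) against one endpoint."""
    ip = ipaddress.ip_address(endpoint["ip"])
    if target == "IP Address":
        if operator == "is equal to":
            return ip in _ip_list(value)
        if operator == "is not equal to":
            return ip not in _ip_list(value)
        if operator == "contains":
            return value in endpoint["ip"]
        if operator == "does not contain":
            return value not in endpoint["ip"]
    elif target == "IP Range" and operator == "equals":
        # Value format: '192.168.1.1 - 192.168.1.150'
        lo, hi = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
        return lo <= ip <= hi
    elif target == "CIDR" and operator == "equals":
        return ip in ipaddress.ip_network(value, strict=False)
    elif target == "OS Platform":
        hit = value.lower() in endpoint["os"].lower()
        if operator == "contains":
            return hit
        if operator == "does not contain":
            return not hit
    elif target == "Discover Labels":
        wanted = {v.strip() for v in value.split(",") if v.strip()}
        if operator == "include one of":
            return bool(wanted & endpoint["labels"])
        if operator == "include all of":
            return wanted <= endpoint["labels"]
    raise ValueError(f"unsupported operator {operator!r} for target {target!r}")


def evaluate(endpoint, expr):
    """expr is a rule tuple (target, operator, value) added with Row, or a
    group {'op': 'And'|'Or', 'items': [...]} added with Grouping."""
    if isinstance(expr, tuple):
        return match_rule(endpoint, *expr)
    results = [evaluate(endpoint, item) for item in expr["items"]]
    return all(results) if expr["op"] == "And" else any(results)


def preview(endpoints, expr):
    """Show Preview equivalent: the IPs the satellite would attempt to log in to."""
    return [e["ip"] for e in endpoints if evaluate(e, expr)]


if __name__ == "__main__":
    # Scan the lab /24, but only Linux hosts or hosts labelled both lab and windows.
    expr = {"op": "And", "items": [
        ("CIDR", "equals", "192.168.1.0/24"),
        {"op": "Or", "items": [
            ("OS Platform", "contains", "linux"),
            ("Discover Labels", "include all of", "lab, windows"),
        ]},
    ]}
    print(preview(SAMPLE_ENDPOINTS, expr))
```

Reviewing the preview list against the credential list before clicking Create & Deploy is the practical check behind the note above: every endpoint in the list will receive login attempts with those credentials, so a filter that is broader than the credential list's scope produces failed logins (and possibly lockouts) on hosts the credentials were never meant for.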

  7. Optionally but not recommended, in the Subsequent Scan Configuration section, enable the Include newly discovered endpoints on recurring scans check box. By default, if scans are recurring, Comply only scans endpoints that were reachable during the initial scan. If new endpoints come online, they are not scanned unless you change the assessment's targeting or select this check box.
  8. If you enable the Include newly discovered endpoints on recurring scans check box and your network is compromised at any point after the initial scan, a honeypot could be installed in your environment that matches the scan configuration requirements. If that occurs, an unmanaged endpoint could capture the credentials being passed to it and use them with malicious intent.

  9. Select the Source from the drop-down list in the Vulnerability Content section.
  10. Select an Operating System.
  11. Specify the Range of CVEs. The Preview section on the right will show the number of CVEs and Definitions that will be included in the report.

    You can specify now in the Range of CVEs field as the end of a range. For example, entering 2016-now will run the report against all Common Vulnerabilities and Exposures (CVEs) from 2016 to the current date. By using this format, you can easily define a range that is always current.
    As a best practice, scan more frequently for recently released high and critical vulnerabilities (for example, 2019-now high and critical on a weekly basis), and conduct scans against all vulnerabilities less frequently (for example, monthly or quarterly).

  12. Check the scores you want to see in CVSS Score.
  13. List specific CVEs in the List of Individual CVEs field.

    If you specify a List of Individual CVEs, they will always be included in the report regardless of the values specified for Range of CVEs or CVSS Score. To search by year and score, you must provide values for both fields for the search to be valid. If you specify Range of CVEs, you must select at least one score in CVSS Score. If you select a score in CVSS Score, you must specify Range of CVEs. If you list specific CVEs, you can choose to leave the Range of CVEs field blank and select no CVSS Score.

    If you have previously saved a report with values for List of Individual CVEs, Range of CVEs, or CVSS Score, these values will remain the same for the next vulnerability report you create. You can edit these values as needed.
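The Range of CVEs, CVSS Score and List of Individual CVEs fields, in both the client-based and the remote authenticated procedures above, follow a small set of rules: a range such as 2016-now resolves to the current year, a range requires at least one score and vice versa, and individually listed CVEs are always included. The following is an added example, not Comply code, that implements those rules so the resulting selection can be checked against the Preview count. The CVE catalogue and severities are constructed sample data, and the function names are this example's own.

```python
"""Vulnerability-content selection rules as documented for the Range of CVEs,
CVSS Score and List of Individual CVEs fields (added example, not Comply code).
The catalogue below is constructed sample data."""
import re
from datetime import date

# Constructed sample catalogue: CVE id -> qualitative CVSS severity.
SAMPLE_CATALOG = {
    "CVE-2015-0001": "medium",
    "CVE-2016-0002": "high",
    "CVE-2018-0003": "critical",
    "CVE-2021-0004": "low",
    "CVE-2023-0005": "high",
}

CVE_ID = re.compile(r"^CVE-(\d{4})-\d{4,}$")
SEVERITIES = {"low", "medium", "high", "critical"}


def parse_range(text, current_year=None):
    """Parse 'YYYY-YYYY' or 'YYYY-now' into (start, end) years.
    'now' resolves to the current year, so the range stays current."""
    current_year = current_year or date.today().year
    m = re.fullmatch(r"\s*(\d{4})\s*-\s*(\d{4}|now)\s*", text)
    if not m:
        raise ValueError(f"bad Range of CVEs: {text!r}")
    start = int(m.group(1))
    end = current_year if m.group(2) == "now" else int(m.group(2))
    if end < start:
        raise ValueError("range end precedes range start")
    return start, end


def validate(cve_range, scores, individual):
    """Enforce the documented field rules: a range needs at least one score,
    a score needs a range, and a list of individual CVEs alone is enough."""
    if cve_range and not scores:
        raise ValueError("Range of CVEs requires at least one CVSS Score")
    if scores and not cve_range:
        raise ValueError("CVSS Score requires a Range of CVEs")
    if not (cve_range or individual):
        raise ValueError("specify a range with scores, or individual CVEs")
    unknown = set(scores) - SEVERITIES
    if unknown:
        raise ValueError(f"unknown CVSS score(s): {sorted(unknown)}")


def select_cves(catalog, cve_range="", scores=(), individual=(), current_year=None):
    """Return the sorted CVE ids an assessment with these field values includes."""
    validate(cve_range, scores, individual)
    selected = set()
    if cve_range:
        start, end = parse_range(cve_range, current_year)
        for cve, severity in catalog.items():
            year = int(CVE_ID.match(cve).group(1))
            if start <= year <= end and severity in scores:
                selected.add(cve)
    # Individually listed CVEs are always included, regardless of range or score.
    for cve in individual:
        if not CVE_ID.match(cve):
            raise ValueError(f"malformed CVE id: {cve!r}")
        selected.add(cve)
    return sorted(selected)


if __name__ == "__main__":
    # The weekly "recent high and critical" assessment from the best-practice note.
    print(select_cves(SAMPLE_CATALOG, "2016-now", ("high", "critical")))
    # An assessment that tracks a handful of specific CVEs only.
    print(select_cves(SAMPLE_CATALOG, individual=("CVE-2015-0001",)))
```

Because "now" is resolved at run time rather than saved as a fixed year, a recurring assessment picks up each new year's CVEs without being edited; the cost is that the Preview count for the same saved values grows over time, which is why the best-practice note pairs the frequent recent-high-and-critical scan with a less frequent full scan.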

  14. Specify the Batch Size.

    Batch Size defines the number of checks that will run at a time. In order to run a manageable number of checks on your endpoints, the default value for this field is 500 for CIS-CAT and SCC, and the default is 2000 for Tanium Scan Engine (powered by JovalCM).
    This setting does not typically need to be adjusted from the default value.

  15. Select Start on and End on and complete the date and time values to limit the report to run only during a specific time period.

    The date and time displayed by default is the local browser time.

  16. Select the Distribute Over option and enter values to run the report over minutes, hours, or days.
  17. Select Interval, Using report age, or Never for the Repeat field.
    • If you choose Interval, the Reissue every field displays, and you can specify how often the report is run.
    • If you choose Using assessment age, then the Run when results are older than field displays, and you can specify how old you want the results to be before the assessment is run. If a targeted endpoint comes online that has never run the assessment, the assessment will be run as soon as the next age-check occurs. The age of results is checked either every hour or every 3 hours. If you specify an age less than 3 hours, the age of results will be checked every hour.

      Use the Using assessment age option and set it to 7 days.

  18. Click Create & Deploy and enter your credentials. Results will display on the Findings page.

Remote authenticated scan workflow

When a remote authenticated scan begins, it asks the Comply service for its targets and credentials. The service uses the scan's criteria for IP inclusion to query for currently reachable targets for that satellite and sends that list to the client to execute the scan. Scheduled periodic RAS scans do not automatically include new targets as they are identified by the associated Tanium Discover scan. Recurring assessments will only include the unmanaged assets that were reachable at the time of the initial scan, unless you select the Include newly discovered endpoints on recurring scans check box, which is not recommended.

Create a vulnerability report from the Standards page

Select Standards from the main menu, select the Vulnerability tab, and click Create next to the vulnerability standard for which you want to create an assessment.

Status definitions

View the status of an assessment in the Status column on the list page. Hover over the icon to see one of the following statuses:

Loading

No statistics have been received from the Comply service for the assessment.

Pending

At least one endpoint in the assessment has not yet run the scan, but there are no scan errors.

Success

The assessment has at least one successful run with no errors and no scans not run.

Error

The assessment has at least one endpoint that produced an error during the scan.

Warning

Any issue that does not fall into the other status categories.

You must reload the page to update the status column.

Run an assessment again

On the Assessments page, select an assessment and click Deploy Now to run it again.

Run an on-demand scan

On-demand scans are only supported for client-based assessments.

An on-demand scan lets you run an assessment at the push of a button using existing targeting or with additional filters.

To run an on-demand scan:

  1. Select the check box for an assessment or click the arrow for the fly-out window to access the Run on-demand scan button.

  2. Click the Run on-demand scan button and optionally configure the following:
    • Configure additional filtering - Select Individual Endpoints and enter those endpoints into the edit field or select Computer Group and choose a group to filter by.
  3. Click the Run Scan button.

Export an assessment

The following instructions are for exporting one assessment at a time. To export findings using Tanium Connect, see Exporting findings and assessments for instructions.

  1. On the Assessments page, select an assessment and click the Export icon. You can only export one assessment at a time. If you have more than one assessment selected, the Export icon is not displayed.
  2. In the Export Assessment window, provide the following:
    • Vulnerability
      1. Enter an Assessment Name.
      2. Optionally, enter a Description.
      3. Enter a File Name.
      4. Select a Format: HTML or CSV. If you select CSV, no further information is required.
      5. Select one or more Results Display types for the export: Details, Endpoint List, Open Ports (if applicable), and Vulnerability Test Criteria.
      6. Click Export.
  3. Go to the Reports > Exports page to view the progress of any report export jobs currently running. The last column in the results table indicates the status of the report export job.

  4. When the export report is complete, select the export and click the Download icon to download the report in the format you selected.

Update vulnerability assessments

When vulnerability sources are updated and contain new definitions that match an assessment's vulnerability content, the assessment will get the updated feed the next time it is deployed. That process occurs automatically if it is deployed by a set schedule. If the vulnerability assessment does not have a recurring schedule, you must manually deploy it to receive the new vulnerability feed.

This does not apply to configuration compliance assessments, which require a new assessment to use updated configuration compliance standards.

Edit an assessment

  1. On the Assessments page, select the assessment you want to edit and click the Edit icon.
  2. Edit the Name if needed.
  3. Add labels in the Labels field. Click the X next to a label to remove it.
  4. Change the Engine if needed.
  5. Change the Comply Process Priority if needed.
  6. Select Start at and End at and complete the date and time values to limit the assessment to run only during a specific time period. The date and time displayed by default is the local browser time.
  7. Select the Distribute over and enter values to run the assessment over minutes or hours.
  8. Select None, Interval, or Use assessment age for the Repeat field.
    • If you choose None, the report will run once if the Start At field is specified for a date and time in the future. Otherwise, the report will not run again.
    • If you choose Interval, the Reissue every field will appear, and you can specify how often the assessment is run. The default value for this field is 1 Days and, if you do not specify a value for Start at, the assessment will run immediately. If you choose Interval and do not enter a value for End At, the assessment will run at the specified interval forever.
    • If you choose Use assessment age, then the Run when results are older than field will appear, and you can specify how old you want the results to be before the assessment is run. The default value for this field is 1 Days and, if you do not specify a value for Start at, the assessment will run immediately. If a targeted endpoint comes online that has never run the assessment, the assessment will be run as soon as the next age-check occurs. The age of results is checked either every hour or every 3 hours. If you specify an age less than 3 hours, the age of results will be checked every hour. If you do not enter a value for End At, the assessment will continue to run forever.
  9. Click Save.

Delete an assessment

Vulnerability assessments are updated automatically if a service account is configured.

You cannot delete a standard, custom check, or custom ID mapping if they are associated with an assessment.