Configuring Discover notifications
You can send data notifications about Discover events to destinations such as email, SIEM, or Splunk. To configure notifications, create a connection with Tanium™ Connect. The following Discover event groups are available for configuring notifications:
- Discover Label Notifications
- Configure a notification based on a selected set automatic notify labels. You can choose to create notifications for a single label, or a group of labels.
- All labels: Create notifications for all configured automatic notify labels.
- New unmanaged interface: Discover found a new unmanaged interface in your environment. This behavior is controlled by the pre-configured New Unmanaged Interface label.
- New managed interface: Discover found a new managed endpoint in your environment. This behavior is controlled by the pre-configured New Managed Interface label.
- Lost interface: Discover found an unmanaged interface that was formerly managed. For an interface to be marked as lost, the interface must not show up in the Managed Interfaces page for one day, but show up as a result of active discovery methods in the last 4 hours (Nmap scan, connections, or simple ping script). This behavior is controlled by the pre-configured Lost Interface label. To update the conditions that determine a lost interface, change the default settings for the Lost Interface label.
- You must have Connect installed. For more information, see Installing Tanium Connect.
- Verify that the automatic labels that you want to use for the notifications are configured to generate a notify activity and provide the correct data. For more information about automatic labels, see Automatically label interfaces .
- Create the connection.
- Configure the data source.
- In Source, select the Event source.
- Choose the event group that you want to use.
- For the Discover Label Notifications event group, select the labels for which you want to send notifications.
- For the Discover Notifications event group, select one or more Discover events for which to send notifications.If you configured notifications before installing Discover 2.5, you might also see the following options in the Discover Notifications event group in Connect. These options are from the previous versions of Discover and provide fewer columns in the notification data.
- Rules Notification (subset of All Labels)
- New Unmanaged Asset (subset of New Unmanaged Interface)
- New Managed Asset (subset of New Managed Interface)
- Lost Asset (subset of Lost Interface)
- (Optional) Filter the data.
You can optionally filter for new items, regular expressions, numeric operators, or unique values from data columns.
- Configure the connection destination.
Select any of the connection destinations that are listed in the Select Destination menu. Common choices for notifications include Email, SIEM, and Splunk. However, you can use any of the available destinations. For more information, see Tanium Connect User Guide. Complete the required fields and click Create Connection.
Last updated: 7/17/2018 4:28 PM | Feedback