Discovering unmanaged interfaces

When you configure discovery methods, the managed interfaces in your environment are used to find unmanaged interfaces.

After identifying the unmanaged interfaces, you can bring these interfaces under the management of your Tanium Server by installing the Tanium Client with the Tanium Client Deployment service in Discover.

Discovery methods overview

To define a discovery method, you must specify a computer group to scope where the discovery method runs. For example, you might create a computer group that includes endpoints only when they are on the secure network.

Network impact per discovery method

The different discovery methods have varying impact on the network. Passive discovery methods use sensors to get information with a small amount of network impact. Active discovery methods distribute packages to endpoints and use those packages to scan the network for interfaces.

For active discovery methods, such as simple ping script discovery, you might choose to scope the discovery to computer groups in a specific subnet and run discovery a few times a day. For passive discovery methods, you might choose to scope the discovery to a computer group and run discovery every hour.

Each discovery method has its own set of benefits and drawbacks. A typical configuration usually contains a combination of passive and active discovery methods that are scoped by different computer groups and schedules. Work with your Technical Account Manager (TAM) to ensure that you fully understand the impact before you deploy a discovery method.

  ARP Cache Interface Connections Simple Ping Script Nmap scan
Method type Passive Passive Active Active
Network Impact Nearly no impact Nearly no impact Moderate Depends on configuration

Supported platforms per discovery method

  ARP Cache Interface Connections Simple Ping Script Nmap scan
Windows
(Windows XP is not supported)
Linux
(Discover 2.6 and later)

(Red Hat Enterprise Linux 5 is not supported)
Mac OS

(Discover 2.6 and later)

Solaris
AIX

ARP cache discovery

The Address Resolution Protocol (ARP) cache discovery method accesses ARP cache tables that are on all managed endpoints. These ARP cache tables provide data about the interfaces in the immediate network vicinity of each managed endpoint. When you enable ARP cache discovery, Discover uses a sensor to collect the ARP cache from each managed interface.

The ARP cache can include interfaces that are not a part of the network. When ARP cache discovery runs on a managed interface, it filters out the interfaces that are not in the immediate network vicinity by removing any interfaces that do not match the first three octets of any of the IP addresses. For example, the managed interface has one or more IP addresses assigned, such as 10.0.0.2 and 192.168.0.2. Only ARP interfaces that match the first three octets (either 10.0.0. or 192.168.0) are reported.

Value on Interfaces pages: arp

Interface connections discovery

The interface connections discovery method uses a sensor to collect all current IP connections that are made to each managed endpoint. Then, this discovery method looks up the interfaces in the local ARP cache to resolve the related MAC address.

This discovery method improves on the ARP cache discovery because of the IP connection data.

When connections discovery runs on an endpoint that has the Tanium Client, it filters out the interfaces that do not reside in the subnet of the endpoint.

Value on Interfaces pages: connected

Simple ping script discovery

The simple ping script discovery method finds unmanaged interfaces by automatically distributing a scanning package to the Tanium managed endpoints, then scanning only in the gaps between the managed interfaces. Scanning only in the gaps eliminates many of the common issues with network scanners that generate a lot of network traffic and trigger alarms in intrusion prevention systems (IPS) and firewalls.

Managed endpoints are connected to each other in a linear chain architecture. On a single managed endpoint, the scanning package calculates a range of IP addresses to scan by looking at its peers in the linear chain. This range is from the backward peer in the linear chain to either the forward peer or the end of the subnet.

After the range is calculated, the scanning package pings the targeted IP addresses with a ping -a command. After the scanning package finds interfaces, the simple ping script resolves host names. Isolated endpoints are not scanned by default. Isolated endpoints are endpoints that are on an isolated subnet, or appear to be on an isolated subnet because the endpoint has no peers. For more information about isolated subnets, see Tanium Client Deployment Guide: Configure "isolated subnets". To override this behavior, select the Enable Scanning on Isolated Endpoints option when you configure the discovery method.

When the results are imported, the Discover service checks to see if the interface is managed or unmanaged. The MAC and Device Type are also resolved as a part of the import process.

The simple ping script discovery causes a bit more network impact, therefore you might choose to run it on a smaller computer group or at a longer interval.

Limitations: The automatic scanning package distribution and configuration must be completed before discovery can begin. The maximum Distribute Over Time value is four hours, which means that package distribution must happen within that time. The package distribution takes about one and a half times the configured reissue setting (with a maximum up to four hours). For example, if you have the simple ping method set to run every hour, unmanaged interfaces start to display in Discover after 1.5 hours. This distribution cost is only for creation or update of the ping discovery method.

Value on Interfaces pages: script

Nmap scan discovery

The Npcap library replaced the WinPcap library in Discover 2.5. See Review changes to the Nmap discovery method after upgrading to Discover 2.5.

Nmap scan discovery finds unmanaged interfaces by automatically distributing a scanning package to the Tanium managed endpoints, then using the Network Mapper (Nmap) utility for network discovery and security auditing to do host discovery. Nmap can find information about network interfaces beyond what can be acquired with the other discovery methods, including OS fingerprinting.

The Nmap scan discovery method calculates a range of IP addresses to scan by looking at its peers in the linear chain, similar to the simple ping script discovery method. Isolated endpoints are not scanned by default. Isolated endpoints are endpoints that are on an isolated subnet, or appear to be on an isolated subnet because the endpoint has no peers. For more information about isolated subnets, see Tanium Client Deployment Guide: Configure "isolated subnets". To override this behavior, select the Enable Scanning on Isolated Endpoints option when you configure the discovery method.

Use one of the following options for configuring Nmap scan discovery: 

Host

Run Nmap scan discovery on the local subnet with default settings. If an ARP reply to the target is found, the endpoint is listed as available. No operating system or open port information is returned about the interfaces.

Host Discovery and OS fingerprint

Run Nmap scan discovery with default settings, same as the Host Discovery setting. By default, OS fingerprinting scans about 1000 commonly used TCP ports on each endpoint. You can specify your own list of TCP ports to scan and exclude with advanced settings on the discovery method. The value of the OS Generation field is a “best guess” from Nmap.

Endpoint files: The Nmap discovery method installs the following files on the endpoint. For more information about exclusions that might need to be enabled for Nmap, see Host and network security requirements.

  • nmap.exe: Runs scanning operations from the <Tanium Client>\Tools\Discover\nmap directory.
  • npcap-0.99-r4-oem.exe and vcredist_x86.exe: Run on the endpoint and add libraries that Nmap requires. These executable files run out of the <Tanium Client>\Downloads\Action_<action_id> directory. Npcap is loaded on demand and is available to only admin users on the endpoint. On Windows endpoints, Npcap files are installed in the C:\Program Files\Npcap directory.

Limitations: The automatic scanning package distribution and configuration must be completed before discovery can begin. The maximum Distribute Over Time value is four hours, which means that package distribution must happen within that time. The package distribution takes about one and a half times the configured reissue setting (with a maximum up to four hours). For example, if you have the Nmap scan discovery method set to reissue every hour, unmanaged interfaces start to display in Discover after 1.5 hours. This distribution cost is only for creation and update of the Nmap discovery method.

Value on Interfaces pages: nmap

Managed interfaces

In addition to the discovery methods for unmanaged interfaces, interfaces that respond to the Managed Assets saved question are created with a Computer ID value only.

Value on Interfaces pages: managed

Configure scan exclusions

To exclude a group of IPs from Nmap and simple ping script scans, configure scan exclusions.

  1. From the Discover home page, click Settings , then go to Scan Exclusions. Click Add Scan Exclusions.
  2. Specify a name and comma-separated list of IP addresses to exclude. Click Save.
  3. Associate the exclusions with one or more discovery methods. You can specify the Scan Exclusions to use when you create or edit a simple ping script or Nmap scan discovery method.

Configure discovery methods

After you decide which discovery methods meet the requirements of your environment, you can create discovery methods.

Prerequisites

You must have computer groups defined to specify a scope in which to run your discovery method. To configure computer groups, click the Main Menu, then Administration > Computer Groups.

Procedure

  1. (Optional) Configure the background process frequency. From the Discover home page, click Settings and edit the Background Processes Frequency setting. This setting determines how often the results from running discovery methods are imported to the Interfaces pages.
  2. Add discovery methods. From the Discover home page, click Settings and click the Discovery Methods tab. Click Add Discovery Method. The settings vary depending on the discovery method that you select.

    Your Discover service account must have access to the computer groups that you configure for the discovery method. For more information about assigning computer groups to a user, see Tanium Core Platform User Guide: Assign computer groups to a user.


    If you are configuring simple ping script or Nmap scan discovery, you can specify whether isolated endpoints should be scanned and the sets of scan exclusions to use. To configure exclusions, see Configure scan exclusions.
  3. The results of discovery methods are imported on the reissue interval that you defined. The results are imported on the interval that you defined for background process frequency.
    To force an import of the results, go to the Discover home page. In the How to Use Discover section, click Configure Discover Settings then Discover Unmanaged Interfaces. When you click this button: 
    • ARP cache and interface connections results are collected and imported.
    • Simple ping script and Nmap discovery active results are collected. If these methods are not active on the endpoints, no results are collected.

    Clicking Discover Unmanaged Interfaces does not force the execution of the simple ping script or the Nmap discovery methods. The results for those methods are gathered if they are already distributed and active on the endpoints.

What to do next

Reference: Data by discovery method

  ARP Cache Interface Connections Simple Ping Script Nmap scan (Host) Nmap Scan (Host + OS Fingerprint) Managed Interfaces

Computer ID

Device Type

Discovery Method

First Seen

Hostname

IP Address

Labels

Labels are applied to interfaces after they are imported by a discovery method. For more information, see Labels.

n/a n/a n/a n/a n/a n/a

Last Discovered

The last time the interface was found with simple ping script, interface connections or Nmap scan discovery methods. This attribute does not get applied to managed interfaces or interfaces found with ARP cache discovery. This attribute is used to determine when an interface is flagged as Lost.

Last Managed

The last time that the interface was returned as a managed interface. This attribute is used to determine when an interface is flagged as Lost.

Last Seen

The last time the interface was found with any discovery method. All discovery methods return this value. This attribute is not used to determine when an interface is flagged as Lost.

Mac Address

NAT IP Address

Open Ports

The most common 1000 ports that get scanned by Nmap, or from a list of ports provided in the discovery method configuration.

OS Generation

(Nmap only) A "best guess" of OS version from OS fingerprinting. Consider carefully if you choose OS Generation as a label condition.

OS Platform

The operating system.

Unmanageable

Unmanageable interfaces are on devices that cannot run the Tanium Client. By default, unmanageable interfaces have an OS Platform that is not supported by the Tanium Client, defined by the Unmanageable OS Platforms predefined automatic label.

Last updated: 9/18/2018 2:04 PM | Feedback