Discovering unmanaged interfaces

Discovery scans are performed by endpoints that are running the Tanium Client and have Discover tools installed. After identifying unmanaged interfaces, you can install the Tanium Client to bring the interfaces under management by the Tanium Server.

Profiles

Use profiles to define properties for scanning the network, including network inclusions and exclusions, discovery methods, and a scan schedule. You can create multiple profiles.

Discovery method impact

Before you configure a profile, you must understand the impact of the different discovery methods. Passive discovery methods use existing information on the endpoints to find interfaces. Active discovery methods perform network scanning.

You can use four levels of discovery. Lower levels are passive and have less network impact, but return a limited set of information. Higher levels actively scan the network, but return more information about unmanaged interfaces, such as host name and operating system.

Profile configuration

You can create multiple profiles that include passive and active discovery methods. Each profile is scoped by different network inclusions, exclusions, and schedules. With an active discovery method, you might choose to scope the discovery to run on a specific subnet a few times a day. Because passive discovery methods have less network impact, you might choose to scope the discovery to scan a broader part of the network every hour.

Work with your Technical Account Manager (TAM) to ensure that you fully understand the impact before you deploy a profile.

Level 1 (ARP cache and interface connections)

Level 1 discovery is a passive discovery method that combines ARP cache and interface connections discovery. No endpoints are scanned with level 1 discovery because the results are returned from the local ARP cache on each endpoint.

All IPs in the ARP cache are included in the scan results, limited to the locally configured subnet mask and capped at a /22 range (1024 IP addresses). Discover caps scan ranges at /22. Subnets that are larger than a /22 (that is, a shorter prefix, such as a /16, which can span up to 65,536 IP addresses) do not get all results returned because of the high number of IP addresses.

The interface connections method sends actions to the endpoints to trigger the collection of all current IP connections that are on each managed endpoint. Then, the related MAC address is resolved by looking up the interfaces in the local Address Resolution Protocol (ARP) cache.

Value on Interfaces pages: arp, connected
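The following Python script is an added example, not Tanium's Discover package, that shows what a level 1 collector does with the local ARP cache and what the import step then adds: parse the cache entries, drop broadcast and multicast addresses, keep only addresses inside the local subnet capped at /22, mark each interface as managed or unmanaged against a list of known client addresses, and derive the Manufacturer from the MAC address. The arp -a output, the OUI table, and the managed-address list are all constructed for this example.

```python
import ipaddress
import re

# Constructed sample of Windows "arp -a" output (not real hosts).
SAMPLE_ARP_OUTPUT = """\
Interface: 10.20.4.15 --- 0x6
  Internet Address      Physical Address      Type
  10.20.4.1             00-50-56-a1-b2-c3     dynamic
  10.20.4.22            00-0c-29-11-22-33     dynamic
  10.20.5.200           00-1b-21-44-55-66     dynamic
  10.20.9.9             00-50-56-77-88-99     dynamic
  10.20.7.255           ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed mini OUI table (first three octets -> vendor). A real import uses the full IEEE table.
OUI_TABLE = {
    "00:50:56": "VMware, Inc.",
    "00:0c:29": "VMware, Inc.",
    "00:1b:21": "Intel Corporate",
}

MAX_PREFIXLEN_CAP = 22  # Discover caps the ARP scan range at a /22

ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)"
)


def normalize_mac(mac):
    """Lower-case, colon-separated form so Windows (dash) and Unix (colon) output compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_cache(text):
    """Return (ip, mac) tuples for unicast entries; broadcast and multicast rows are not interfaces."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue  # "Interface:" banner and column headers
        ip, mac = m.group(1), normalize_mac(m.group(2))
        if mac == "ff:ff:ff:ff:ff:ff" or ipaddress.ip_address(ip).is_multicast:
            continue
        entries.append((ip, mac))
    return entries


def effective_scan_network(local_ip, prefixlen):
    """The local subnet, but never wider than /22: a /16 interface is clamped to its /22."""
    capped = max(prefixlen, MAX_PREFIXLEN_CAP)
    return ipaddress.ip_network(f"{local_ip}/{capped}", strict=False)


def manufacturer(mac):
    """OUI lookup on the first three octets (the import step's Manufacturer column)."""
    return OUI_TABLE.get(mac[:8], "Unknown")


def level1_results(arp_text, local_ip, prefixlen, managed_ips):
    """Level 1 result rows: ARP entries within the capped local range, tagged managed/unmanaged."""
    net = effective_scan_network(local_ip, prefixlen)
    rows = []
    for ip, mac in parse_arp_cache(arp_text):
        if ipaddress.ip_address(ip) not in net:
            continue
        rows.append({
            "ip": ip,
            "mac": mac,
            "manufacturer": manufacturer(mac),
            "managed": ip in managed_ips,
            "method": "arp",  # value shown on the Interfaces pages for this method
        })
    return rows


if __name__ == "__main__":
    for row in level1_results(SAMPLE_ARP_OUTPUT, "10.20.4.15", 16, {"10.20.4.22"}):
        print(row)
```

With the sample above, the interface is configured as a /16, so the effective range is clamped to 10.20.4.0/22: the 10.20.9.9 entry is outside the cap and is dropped, which is exactly the "not all results returned" behaviour the text warns about on large subnets.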

Level 2 (Simple ping script)

The level 2 discovery method uses a simple ping script to find unmanaged interfaces.

When level 2 discovery is initiated on a managed endpoint, the scan range is calculated based on its peers in the linear chain. See Scan range calculation for more information.

After the range is calculated, the scanning package pings the targeted IP addresses with an Internet Control Message Protocol (ICMP) ping. Each ping that gets no response times out after 3 seconds; pings that get a response complete much faster. After the scanning package finds interfaces, the simple ping script resolves host names.

Isolated endpoints are not scanned by default. Isolated endpoints are endpoints that are on an isolated subnet, or appear to be on an isolated subnet because the endpoint has no peers. For more information about isolated subnets, see Tanium Client Deployment Guide: Configure "isolated subnets". To enable scanning of isolated endpoints, deselect the Isolated Subnets/Systems option when you configure the discovery method.

When the results are imported, the Discover service checks to see if the interface is managed or unmanaged. The MAC address and Manufacturer are also resolved as a part of the import process.

The simple ping script discovery causes a small amount of network traffic over time. You might choose to run it on a smaller part of the network or at a longer schedule interval.

When you configure level 2 discovery on a sparsely populated network, set the schedule Frequency setting to an hour or more to prevent scans from overlapping. If scans overlap, data is never gathered for the upper end of the scan range.

Value on Interfaces pages: script

Level 3 (Nmap scan with host discovery)

The level 3 discovery method uses the Network Mapper (Nmap) utility on each endpoint to find information about network interfaces.

When level 3 discovery is initiated on an endpoint, the scan range is calculated based on its peers in the linear chain. See Scan range calculation for more information.

Nmap scan host discovery finds unmanaged interfaces by automatically distributing a scanning package to the Tanium managed endpoints. This package consists of drivers, libraries, and executable files. Nmap then runs an ARP broadcast scan only. If the target answers the ARP request, the interface is listed as available. No operating system or open port information is returned about the interfaces. Because level 3 discovery performs an ARP broadcast, you might see a spike in network activity at the beginning of the scan.

Endpoint files: The Nmap discovery method installs the following files on the endpoint. For more information about exclusions that might need to be enabled for Nmap, see Discover requirements.

  • nmap.exe: Runs scanning operations from the <Tanium Client>\Tools\Discover\nmap directory.
  • npcap-0.99-r6-oem.exe and vcredist_x86.exe: Run on the endpoint and add libraries and drivers that Nmap requires. These executable files run out of the <Tanium Client>\Downloads\Action_<action_id> directory. Npcap is loaded on demand and is available to only admin users on the endpoint. On Windows endpoints, Npcap files are installed in the C:\Program Files\Npcap directory.

Nmap is not supported on Windows 2003 Server, Windows XP, AIX, and Solaris. If level 3 scanning is configured for endpoints on these platforms, the endpoints perform level 2 scans.

Value on Interfaces pages: nmap

Level 4 (Nmap scan with host discovery and OS fingerprinting)

Like the level 3 discovery method, level 4 uses Nmap to find unmanaged interfaces. Level 4 adds OS fingerprinting, which scans the 1000 most commonly used TCP ports on each target. In the profile settings, you can configure a preferred source port from which the scan runs on endpoints, and the target ports to scan. The OS Generation value is a "best guess" from Nmap and is not displayed for managed interfaces.

Endpoint files: Level 4 installs the same Nmap files as level 3 (nmap.exe, npcap-0.99-r6-oem.exe, and vcredist_x86.exe) in the same locations. See Level 3 (Nmap scan with host discovery) for the file details, and Discover requirements for exclusions that might need to be enabled for Nmap.

Nmap is not supported on Windows 2003 Server, Windows XP, AIX, and Solaris. If level 4 scanning is configured for endpoints on these platforms, the endpoints perform level 2 scans.

Value on Interfaces pages: nmap
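Nmap command construction and result parsing for levels 3 and 4, as an added Python example that is not the Discover scanning package. The flags are this example's own choice of the Nmap options that match what the text describes: -PR (ARP ping) with -sn for level 3 host discovery only; -O with --osscan-guess, --top-ports 1000 or an explicit -p list, and -g for the preferred source port for level 4. The XML results embedded below are constructed, and the parser maps Nmap's highest-accuracy osclass to the OS Platform and OS Generation "best guess" columns.

```python
import subprocess
import xml.etree.ElementTree as ET

NMAP_TOP_PORTS = 1000  # level 4 scans the 1000 most common TCP ports unless a list is configured


def nmap_argv(targets, level, source_port=None, target_ports=None,
              resolve_hostnames=False, nmap_path="nmap"):
    """Build the Nmap argv for a Discover-style level 3 or level 4 scan (flag choice is this
    example's assumption, not Tanium's packaged invocation). Output is XML on stdout."""
    argv = [nmap_path, "-PR", "-oX", "-"]
    if not resolve_hostnames:
        argv.append("-n")  # "include host name lookup" unchecked: no reverse DNS traffic
    if level == 3:
        argv.append("-sn")  # host discovery only: no port scan, no OS detection
    elif level == 4:
        argv += ["-O", "--osscan-guess"]  # OS fingerprinting, report the best guess
        if target_ports:
            argv += ["-p", ",".join(str(p) for p in target_ports)]
        else:
            argv += ["--top-ports", str(NMAP_TOP_PORTS)]
        if source_port:
            argv += ["-g", str(source_port)]  # preferred source port from the profile
    else:
        raise ValueError("level must be 3 or 4")
    return argv + list(targets)


# Constructed Nmap XML output for a level 4 scan: one host up (ARP reply), one down.
SAMPLE_LEVEL4_XML = """<nmaprun scanner="nmap">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.1.12" addrtype="ipv4"/>
    <address addr="00:0C:29:AA:BB:CC" addrtype="mac" vendor="VMware"/>
    <hostnames><hostname name="printer-12.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
    </ports>
    <os>
      <osmatch name="Linux 3.2 - 4.9" accuracy="90">
        <osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="3.X" accuracy="90"/>
      </osmatch>
      <osmatch name="Linux 4.15 - 5.6" accuracy="95">
        <osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="4.X" accuracy="95"/>
      </osmatch>
    </os>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.168.1.13" addrtype="ipv4"/>
  </host>
</nmaprun>"""

# Constructed level 3 output: ARP reply only, so no ports and no OS data.
SAMPLE_LEVEL3_XML = """<nmaprun scanner="nmap">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.1.12" addrtype="ipv4"/>
    <address addr="00:0C:29:AA:BB:CC" addrtype="mac" vendor="VMware"/>
  </host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Turn Nmap XML into interface records with the columns the Interfaces pages show."""
    records = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # no ARP reply: not an available interface
        rec = {"ip": None, "mac": None, "manufacturer": None, "hostname": None,
               "open_ports": [], "os_platform": None, "os_generation": None, "method": "nmap"}
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                rec["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                rec["mac"] = addr.get("addr").lower()
                rec["manufacturer"] = addr.get("vendor")  # Nmap's own OUI lookup
        hn = host.find("hostnames/hostname")
        if hn is not None:
            rec["hostname"] = hn.get("name")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                rec["open_ports"].append(int(port.get("portid")))
        # Nmap may list several matches; take the highest accuracy as the "best guess".
        best = max(host.findall("os/osmatch"), default=None,
                   key=lambda m: int(m.get("accuracy", "0")))
        osclass = best.find("osclass") if best is not None else None
        if osclass is not None:
            rec["os_platform"] = osclass.get("osfamily")
            rec["os_generation"] = osclass.get("osgen")
        records.append(rec)
    return records


def run_discovery(targets, level, **kwargs):
    """Run Nmap for real (needs nmap and raw-packet privileges; Npcap on Windows) and parse it."""
    proc = subprocess.run(nmap_argv(targets, level, **kwargs),
                          capture_output=True, text=True, check=True)
    return parse_nmap_xml(proc.stdout)
```

ARP ping and -O both need raw-packet privileges, which is why the text notes that Npcap is available only to admin users on the endpoint. A level 3 record comes back with an empty open_ports list and no OS fields, matching the statement that level 3 returns no operating system or open port information.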

Scan range calculation

With level 2-4 discovery methods, scans run only in the gaps between the managed interfaces. Scanning only in the gaps eliminates many of the common issues with network scanners that generate significant network traffic and trigger alarms in intrusion prevention systems (IPS) and firewalls.

Typically, endpoints perform forward scans to avoid overlaps in scanning from other endpoints. Review the following scenarios to fully understand how scan ranges are calculated.

Scenario: Endpoint has forward and backward peers

A managed endpoint at address 192.168.1.10 has a forward peer at address 192.168.1.20 and a backward peer at address 192.168.1.5.

A forward scan occurs from 192.168.1.11 to 192.168.1.19. Because the endpoint has a backward peer, a backward scan is not performed.

Scenario: Endpoint has forward peer but no backward peer

A managed endpoint at address 192.168.1.10 has a forward peer at address 192.168.1.20, but no backward peer.

A forward scan occurs from 192.168.1.11 to 192.168.1.19. Because the endpoint has no backward peer, a backward scan from 192.168.1.1 to 192.168.1.9 is performed.

In total, the endpoint scans from 192.168.1.1 to 192.168.1.19, excluding its own address, 192.168.1.10.
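Both scenarios above, together with the level 2 overlap check from the scheduling guidance, as an added Python example that is not Tanium's code. Two details the page does not state are assumptions here and are marked in comments: the backward scan starts at the first host address of the endpoint's subnet (the /24 example starts at .1), and when an endpoint has a backward peer but no forward peer, the forward scan runs to the last host of the subnet. An endpoint with no peers at all is treated as isolated and returns an empty range unless scan_isolated is set, mirroring the Isolated Subnets/Systems option.

```python
import ipaddress

UNANSWERED_PING_SECONDS = 3  # level 2: a ping with no response takes 3 seconds


def ip_range(start, end):
    """Yield every address from start to end inclusive (empty when start > end)."""
    cur = start
    while cur <= end:
        yield cur
        cur += 1


def scan_range(endpoint, subnet, managed_peers, scan_isolated=False):
    """Addresses this endpoint scans under the gap rules: forward up to the next managed
    peer, and backward to the start of the subnet only when there is no backward peer."""
    net = ipaddress.ip_network(subnet, strict=False)
    me = ipaddress.ip_address(endpoint)
    peers = sorted({ipaddress.ip_address(p) for p in managed_peers} - {me})
    peers = [p for p in peers if p in net]
    if not peers and not scan_isolated:
        return []  # isolated endpoint: skipped unless Isolated Subnets/Systems is deselected
    forward = [p for p in peers if p > me]
    backward = [p for p in peers if p < me]
    first_host = net.network_address + 1      # assumption: backward scans start at the first host
    last_host = net.broadcast_address - 1     # assumption: used only when no forward peer exists
    forward_end = forward[0] - 1 if forward else last_host
    targets = list(ip_range(me + 1, forward_end))
    if not backward:
        targets = list(ip_range(first_host, me - 1)) + targets
    return [str(ip) for ip in targets]


def worst_case_scan_seconds(targets):
    """Level 2 upper bound: every address unanswered, 3 s each (responders finish sooner)."""
    return len(targets) * UNANSWERED_PING_SECONDS


def schedule_overlaps(targets, frequency_seconds):
    """True when the next scheduled scan could start before this one finishes, which is the
    condition under which the upper end of the range is never gathered."""
    return worst_case_scan_seconds(targets) > frequency_seconds


if __name__ == "__main__":
    print(scan_range("192.168.1.10", "192.168.1.0/24", ["192.168.1.5", "192.168.1.20"]))
    print(scan_range("192.168.1.10", "192.168.1.0/24", ["192.168.1.20"]))
    sparse = scan_range("10.0.0.10", "10.0.0.0/22", ["10.0.3.200"])
    print(len(sparse), worst_case_scan_seconds(sparse), schedule_overlaps(sparse, 30 * 60))
```

The sparse /22 case is the one the schedule guidance is about: one endpoint with a single far-away peer owns 966 addresses, which at 3 seconds per unanswered ping is about 48 minutes worst case, so a 30-minute Frequency overlaps while an hourly one does not.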

Configure profiles

Discover profiles enable scans for unmanaged interfaces to occur on a defined schedule.

Before you begin

  • To scan portions of the network, you must know the IP ranges or the networks that you want to scan. Verify that the Discover service account has access to the networks that are configured as inclusions in the profile.
  • (Optional) Create a locations file to map physical locations to discovered interfaces. Assign users to specific locations to limit access to interface data to specific user groups. You can configure locations at any time because the locations are evaluated every time a discover scan completes. Configure locations as inclusions or exclusions in scans. For more information, see Locations.

Create profile

  1. Add a profile. From the Discover menu, click Profiles. Click Create Profile.
  2. Configure targeting. Targeting specifies the networks to include and exclude from the scan.
    1. Scan Inclusions: Specify networks that you want to scan.
      Typically, choose All Networks to include the broadest results. The All Networks option scans all networks that are accessible to the endpoints that are configured for the Discover action group. For the best results, configure the Discover action group to include all computers. For more information, see Add computer groups to Discover action group.
      To run scans only on endpoints in certain networks, select Specific Networks and add the networks to scan. With this selection, results outside the scope of the selected networks are not included in the final report.
    2. Scan Exclusions: Specify networks that you want to exclude from scans. Endpoints on these networks do not perform scans, and no results are returned from endpoints on these networks.
    3. Discovery Method Select a discovery method (level 1-4) and whether you want to include host name lookup. Host name resolution consumes some network resources, even with lower impact discovery methods.
  3. Configure the scan schedule and scan window.
    1. Schedule: The schedule defines how often to run the scan and how long to take to distribute the scan tools to endpoints. If you are using level 2 discovery, set the Frequency to an hour or more to ensure that the next scan does not begin before the current scan completes.
    2. Scan Window (Windows, Mac, and Linux endpoints only): Configure specific times to run the discovery process on your endpoints. If a scan is scheduled to run outside the scan window, nothing is run as a part of the scan.
      The time can either be the local endpoint time of the Tanium Client, or the local time of the Tanium user that is configuring the profile. For example, you can choose Local Endpoint Time and create a scan configuration to scan your endpoints daily, but restrict the scans to run during non-business hours, such as from 6:30 PM to 11:30 PM. If some of your endpoints are offline during the scan window, you can choose the Override option to scan any endpoints that have a scan age older than a specified amount of time, in hours or days.
      The Duration of the scan window must be greater than or equal to the Frequency plus Distribute Over settings in the schedule section. If the value is set to less than the sum of these values, some endpoints never scan.
  4. Click Create.

Discovery process

After you save a profile, the following actions occur: 

  1. Scheduled actions are created for the profile: Discover Content - Execute Scan [profile_name] and Discover Content - Execute Scan for non-Windows [profile_name].
  2. Scans run according to the defined schedule.
  3. Results of discovery scans are imported into Discover at the Import Frequency that you defined.

Scan results

After you discover interfaces, the Interfaces pages list the interfaces with the following icons: 

  • Managed: Interfaces that have the Tanium Client installed.
  • Unmanaged: Interfaces that do not have the Tanium Client installed, but might be candidates for a Tanium Client installation.
  • Unmanageable: Interfaces on devices that cannot run the Tanium Client. By default, unmanageable interfaces have an OS Platform that is not supported by the Tanium Client, defined by the Unmanageable OS Platforms predefined automatic label. Unmanageable interfaces are not included in the managed and unmanaged interface statistics.

Force import of scan results

Instead of waiting for the Import Frequency time to pass, you can force an import of the most recent scan results.

  1. Go to the Discover Home page.
  2. In the Required Configuration section, click Create Profiles then Reimport Scan Results. When you click this button:
      • Level 1 profile scan results are collected and imported.
      • Level 2, 3, and 4 results are collected. If these methods are not active on the endpoints, no results are collected.

      Clicking Reimport Scan Results does not force the execution of a level 2, 3, or 4 scan. The results for those methods are gathered if they are already distributed and active on the endpoints.

What to do next

Reference: Data by discovery method

Table 1: Information returned on interface pages for each discovery method

Columns: Level 1 | Level 2 | Level 3 | Level 4 | Returned for managed interfaces. The per-level marks are not reproduced here; where the page states which methods return an attribute, that is noted beside the attribute.

  • Computer ID
  • Discovery Method
  • First Seen
  • Hostname
  • IP Address
  • Labels: Labels are applied to interfaces after they are imported by a discovery method, so they are not returned by any discovery method (n/a for all levels and for managed interfaces).
  • Last Discovered: The last time the interface was found with the simple ping script, interface connections, or Nmap scan discovery methods. This attribute is not applied to managed interfaces or to interfaces found with ARP cache discovery (at level 1, connected results only). This attribute is used to determine when an interface is flagged as Lost.
  • Last Managed: The last time that the interface was returned as a managed interface. This attribute is used to determine when an interface is flagged as Lost.
  • Last Seen: The last time the interface was found with any discovery method. All discovery methods return this value. This attribute is not used to determine when an interface is flagged as Lost.
  • MAC Address
  • Manufacturer: The network card manufacturer, derived from the MAC address.
  • NAT IP Address
  • Open Ports: The 1000 most common ports that Nmap scans, or the list of ports provided in the discovery method configuration (level 4 only; level 3 returns no port information).
  • OS Generation: (Nmap only) A "best guess" of the OS version from OS fingerprinting. Consider carefully before you choose OS Generation as a label condition. OS Generation is not displayed for managed interfaces.
  • OS Platform: The operating system.
  • Unmanageable: Unmanageable interfaces are on devices that cannot run the Tanium Client. By default, unmanageable interfaces have an OS Platform that is not supported by the Tanium Client, defined by the Unmanageable OS Platforms predefined automatic label.
Last updated: 10/15/2019 1:57 PM