Exporting Discover data

You can export interface and event information from Discover to Tanium™ Connect. You can also block interfaces by configuring Tanium™ Network Quarantine or a blocking connection in Tanium Connect.

The preferred method for exporting data is to use the Discover data source in Connect. For more information, see Export interface data to a Connect destination.

Export to a CSV file

To export the current data grid of interfaces to a CSV file, click Export Data . The export includes the data as it is currently displayed in the data grid.

Export interface data to a Connect destination

To create reports of the interfaces in Discover to Connect destinations such as Email, File, HTTP, Socket Receiver, Splunk, and SQL Server, create a connection. You must have Connect 4.10 or later.

You can export interfaces with the following reports: 

All

Exports all interfaces in Discover.

Ignored

Exports interfaces marked as ignored. This list is also on the Ignored Interfaces page.

Labeled

Exports all interfaces that have a label applied, including configured automatic labels.

Managed

Exports interfaces that have the Tanium Client installed.

Unlabeled

Exports interfaces that do not have any labels applied.

Unmanageable

Exports interfaces that were marked as unmanageable.

Unmanaged

Exports interfaces that do not have the Tanium Client installed.

Create connection to export interfaces

  1. Create the connection.
    1. From the Main menu, open Tanium Connect. Click Create Connection.
    2. Name the connection.
      In General Information, confirm that Enable is selected.
  2. In the Source section, select the Tanium Discover source. Select the report that you want to use.
  3. Select a destination.
  4. Apply filters. You might want to apply a filter if you are trying to export a specific label. For example, if you want to export all interfaces that are tagged with Lost Interface, apply a regular expression filter and type Lost Interface as the text to match on the tags target column.
  5. Choose format settings and schedule.
  6. Click Create Connection.

Configure event notifications

You can send data notifications about Discover events to destinations such as email, SIEM, or Splunk. To configure notifications, create a connection with Connect. The following Discover event groups are available for configuring notifications: 

  • Discover Label Notifications
    • Configure a notification based on a selected set of automatic notify labels. You can choose to create notifications for a single label, or a group of labels.
  • Discover Notifications

    • All labels: Create notifications for all configured automatic notify labels.
    • New unmanaged interface: Discover found a new unmanaged interface in your environment. This behavior is controlled by the pre-configured New Unmanaged Interface label.
    • New managed interface: Discover found a new managed endpoint in your environment. This behavior is controlled by the pre-configured New Managed Interface label.
    • Lost interface: Discover found an unmanaged interface that was formerly managed. For an interface to be marked as lost, it must:
      • Not show up in the Managed Interfaces page for one day
      • Have a value in the Last Discovered column
      • Show up as an unmanaged interface as a result of active discovery methods in the last 4 hours (Nmap scan, connections, or simple ping script)

      This behavior is controlled by the pre-configured Lost Interface label. To update the conditions that determine a lost interface, change the default settings for the Lost Interface label.

Prerequisites

Configure notifications in Connect

  1. Create the connection.
    1. From the Main menu, open Tanium Connect. Click Create Connection.
    2. Name the connection.
      In General Information, confirm that Enable is selected.

  2. Configure the data source.
    1. In Source, select the Event source.
    2. Choose the event group that you want to use.
      • For the Discover Label Notifications event group, select the labels for which you want to send notifications.
      • For the Discover Notifications event group, select one or more Discover events for which to send notifications.





  3. (Optional) Filter the data.
    You can optionally filter for new items, regular expressions, numeric operators, or unique values from data columns.
  4. Configure the connection destination.
    Select any of the connection destinations that are listed in the Select Destination menu. Common choices for notifications include Email, SIEM, and Splunk. However, you can use any of the available destinations. For more information, see Tanium Connect User Guide. Complete the required fields and click Create Connection.

Block network access with Network Quarantine

With the Network Quarantine shared service, you can set up a network access control (NAC) solution to block and unblock interfaces based on MAC or IP address.

Configure a NAC

For information about setting up either a Palo Alto Networks Layer 3 firewall or Cisco Identity Services Engine (ISE) to quarantine endpoints, see Tanium Network Quarantine User Guide.

Quarantine or unquarantine interfaces

After you configure a NAC in Network Quarantine, you can quarantine or unquarantine an IP or MAC address from Discover.

You must have Network Quarantine User role to perform the quarantine or unquarantine action. For more information about configuring user roles, see Tanium Core Platform User Guide: Assign roles to a user.

  1. From the Discover menu, click Interfaces. Select one or more interfaces.
  2. Click Quarantine or Unquarantine. The menu displays the available NACs that were configured in Network Quarantine.
  3. After the IP or MAC address is quarantined, the row is highlighted on the Interfaces page.

Last updated: 10/15/2019 1:57 PM | Feedback