Exporting Discover data

You can export interface and event information from Discover to Tanium™ Connect.

The preferred method for exporting data is to use the Discover data source in Connect. For more information, see Export interface data to a Connect destination.

Export to a CSV file

To export the current data grid of interfaces to a CSV file, click Export Data . The export includes the data as it is currently displayed in the data grid.

The Unmanageable column in the CSV file indicates if the endpoint can be managed by the Tanium Client. The following table explains the numbers in the Unmanageable column.

Number Label
0 Managed or Manageable (automatic)
1 Unmanageable (automatic)
2 Manually Marked Manageable
3 Manually Marked Unmanageable

Export interface data to a Connect destination

To create reports of the interfaces in Discover to Connect destinations such as Email, File, HTTP, Socket Receiver, Splunk, and SQL Server, create a connection. You must have Connect 4.10 or later.

You can export interfaces with the following reports:

All

Exports all interfaces in Discover.

Ignored

Exports interfaces marked as ignored. This list is also on the Ignored Interfaces page.

Labeled

Exports all interfaces that have a label applied, including configured automatic labels.

Managed

Exports interfaces that have the Tanium Client installed.

Unlabeled

Exports interfaces that do not have any labels applied.

Unmanageable

Exports interfaces that were marked as unmanageable.

Unmanaged

Exports interfaces that do not have the Tanium Client installed.

Connections to create

Create the following connections to track possible network issues, Tanium Client installations, and hard to inventory devices.

Connections to create for Discover in Tanium Connect
Purpose Source Type Select Destination
Alert on clients that are no longer reporting to Tanium, which might identify network issues Event > Discover notifications Lost Interface SIEM, helpdesk or email alerting
Generate executive rollup of interface status for multiple Tanium installations Tanium Discover Managed, Unmanaged Reporting tool
Classify hard to inventory devices (IP Telephony, printers, security cameras, Internet of Things devices ) Tanium Discover Unmanageable Reporting tool

Create connection to export interfaces

  1. Create the connection.
    1. From the Main menu, open Tanium Connect. Click Create Connection.
    2. Name the connection.
  2. In the Source section, select the Tanium Discover source. Select the report that you want to use.
  3. Select a destination.
  4. Apply filters. You might want to apply a filter if you are trying to export a specific label. For example, if you want to export all interfaces that are tagged with Lost Interface, apply a regular expression filter and type Lost Interface as the text to match on the Labels target column.
  5. Choose format settings and schedule.
  6. Click Save.

Create connection for event notifications

You can send data notifications about Discover events to destinations such as email, SIEM, or Splunk. To configure notifications, create a connection with Connect. The following Discover event groups are available for configuring notifications:

  • Discover Label Notifications
    • Configure a notification based on a selected set of automatic notify labels. You can choose to create notifications for a single label or a group of labels. You must have custom notify labels defined to use this option.

  • Discover Notifications

    • All labels: Create notifications for all configured automatic notify labels.
    • New unmanaged interface: Discover found a new unmanaged interface in your environment. This behavior is controlled by the pre-configured New Unmanaged Interface label.
    • New managed interface: Discover found a new managed endpoint in your environment. This behavior is controlled by the pre-configured New Managed Interface label.
    • Lost interface: Discover found an unmanaged interface that was formerly managed. For an interface to be marked as lost, it must:
      • Not show up in the Managed Interfaces page for one day
      • Have a value in the Last Discovered column
      • Show up as an unmanaged interface as a result of active discovery methods in the last 4 hours (Nmap scan, connections, or simple ping script)

      This behavior is controlled by the pre-configured Lost Interface label. To update the conditions that determine a lost interface, change the default settings for the Lost Interface label.

Prerequisites

Configure notifications in Connect

  1. Create the connection.
    1. From the Main menu, open Tanium Connect. Click Create Connection.
    2. Name the connection.

  2. Configure the data source.
    1. In Source, select the Event source.
    2. Select Discover Notifications and choose the event group that you want to use.
      • For the Discover Label Notifications event group, select the labels for which you want to send notifications.
        Label notifications are available for labels that you add, not for the predefined labels. If you do not have user-defined labels, you do not see the Discover Label Notification event group.
      • For the Discover Notifications event group, select one or more Discover events for which to send notifications.





  3. (Optional) Filter the data.
    You can optionally filter for new items, regular expressions, numeric operators, or unique values from data columns.
  4. Configure the connection destination.
    Select any of the connection destinations that are listed in the Select Destination menu. Common choices for notifications include Email, SIEM, and Splunk. However, you can use any of the available destinations. For more information, see Tanium Connect User Guide. Complete the required fields and click Create Connection.