Exporting Discover data
You can export interface and event information from Discover to Tanium™ Connect. You can also block interfaces by configuring Tanium™ Network Quarantine or a blocking connection in Tanium Connect.
The preferred method for exporting data is to use the Discover data source in Connect. For more information, see Export interface data to a Connect destination.
To export the current data grid of interfaces to a CSV file, click Export Data . The export includes the data as it is currently displayed in the data grid.
To create reports of the interfaces in Discover to Connect destinations such as Email, File, HTTP, Socket Receiver, Splunk, and SQL Server, create a connection. You must have Connect 4.10 or later.
You can export interfaces with the following reports:
Exports all interfaces in Discover.
Exports interfaces marked as ignored. This list is also on the Ignored Interfaces page.
Exports all interfaces that have a label applied, including configured automatic labels.
Exports interfaces that have the Tanium Client installed.
Exports interfaces that do not have any labels applied.
Exports interfaces that were marked as unmanageable.
Exports interfaces that do not have the Tanium Client installed.
Create connection to export interfaces
- Create the connection.
- From the Main menu, open Tanium Connect. Click Create Connection.
- Name the connection.
In General Information, confirm that Enable is selected.
- In the Source section, select the Tanium Discover source. Select the report that you want to use.
- Select a destination.
- Apply filters. You might want to apply a filter if you are trying to export a specific label. For example, if you want to export all interfaces that are tagged with Lost Interface, apply a regular expression filter and type Lost Interface as the text to match on the tags target column.
- Choose format settings and schedule.
- Click Create Connection.
You can send data notifications about Discover events to destinations such as email, SIEM, or Splunk. To configure notifications, create a connection with Connect. The following Discover event groups are available for configuring notifications:
- Discover Label Notifications
- Configure a notification based on a selected set of automatic notify labels. You can choose to create notifications for a single label, or a group of labels.
- All labels: Create notifications for all configured automatic notify labels.
- New unmanaged interface: Discover found a new unmanaged interface in your environment. This behavior is controlled by the pre-configured New Unmanaged Interface label.
- New managed interface: Discover found a new managed endpoint in your environment. This behavior is controlled by the pre-configured New Managed Interface label.
- Lost interface: Discover found an unmanaged interface that was formerly managed. For an interface to be marked as lost, it must:
- Not show up in the Managed Interfaces page for one day
- Have a value in the Last Discovered column
- Show up as an unmanaged interface as a result of active discovery methods in the last 4 hours (Nmap scan, connections, or simple ping script)
This behavior is controlled by the pre-configured Lost Interface label. To update the conditions that determine a lost interface, change the default settings for the Lost Interface label.
- You must have Connect installed. For more information, see Tanium Connect User Guide: Installing Tanium Connect.
- You must have the Connect User role to create a connection. For more information about configuring user roles, see Tanium Core Platform User Guide: Assign roles to a user.
- Verify that the automatic labels that you want to use for the notifications are configured to generate a notify activity and provide the correct data. For more information about automatic labels, see About Us.
- Create the connection.
- Configure the data source.
- In Source, select the Event source.
- Choose the event group that you want to use.
- (Optional) Filter the data.
You can optionally filter for new items, regular expressions, numeric operators, or unique values from data columns.
- Configure the connection destination.
Select any of the connection destinations that are listed in the Select Destination menu. Common choices for notifications include Email, SIEM, and Splunk. However, you can use any of the available destinations. For more information, see Tanium Connect User Guide. Complete the required fields and click Create Connection.
With the Network Quarantine shared service, you can set up a network access control (NAC) solution to block and unblock interfaces based on MAC or IP address.
Configure a NAC
For information about setting up either a Palo Alto Networks Layer 3 firewall or Cisco Identity Services Engine (ISE) to quarantine endpoints, see Tanium Network Quarantine User Guide.
Quarantine or unquarantine interfaces
After you configure a NAC in Network Quarantine, you can quarantine or unquarantine an IP or MAC address from Discover.
You must have Network Quarantine User role to perform the quarantine or unquarantine action. For more information about configuring user roles, see Tanium Core Platform User Guide: Assign roles to a user.
- From the Discover menu, click Interfaces. Select one or more interfaces.
- Click Quarantine or Unquarantine. The menu displays the available NACs that were configured in Network Quarantine.
- After the IP or MAC address is quarantined, the row is highlighted on the Interfaces page.
Last updated: 10/15/2019 1:57 PM | Feedback