Exporting Discover data

You can export interface and event information from Discover to Tanium™ Connect. You can also block interfaces by configuring Tanium™ Network Quarantine or a blocking connection in Tanium Connect.

The preferred method for exporting data is to use the Discover data source in Connect. For more information, see Export interface data to a Connect destination.

Export to a CSV file

To export the current data grid of interfaces to a CSV file, click Export Data. The export includes the data as it is currently displayed in the data grid.

Export interface data to a Connect destination

To create reports of the interfaces in Discover to Connect destinations such as Email, File, HTTP, Socket Receiver, Splunk, and SQL Server, create a connection. You must have Connect 4.10 or later.

You can export interfaces with the following reports:

  • Exports all interfaces in Discover.
  • Exports interfaces marked as ignored. This list is also on the Ignored Interfaces page.
  • Exports all interfaces that have a label applied, including configured automatic labels.
  • Exports interfaces that have the Tanium Client installed.
  • Exports interfaces that do not have any labels applied.
  • Exports interfaces that were marked as unmanageable.
  • Exports interfaces that do not have the Tanium Client installed.

Connections to create

Create the following connections to track possible network issues, Tanium Client installations, and hard-to-inventory devices.


Table 1: Connections to create for Discover in Tanium Connect

| Purpose | Source Type | Select | Destination |
| --- | --- | --- | --- |
| Alert on clients that are no longer reporting to Tanium, which might identify network issues | Event > Discover notifications | Lost Interface | SIEM, helpdesk or email alerting |
| Generate executive rollup of interface status for multiple Tanium installations | Tanium Discover | Managed, Unmanaged | Reporting tool |
| Classify hard-to-inventory devices (IP Telephony, printers, security cameras, Internet of Things devices) | Tanium Discover | Unmanageable | Reporting tool |

Create connection to export interfaces

  1. Create the connection.
    1. From the Main menu, open Tanium Connect. Click Create Connection.
    2. Name the connection.
      In General Information, confirm that Enable is selected.
  2. In the Source section, select the Tanium Discover source. Select the report that you want to use.
  3. Select a destination.
  4. Apply filters. You might want to apply a filter if you are trying to export a specific label. For example, if you want to export all interfaces that are tagged with Lost Interface, apply a regular expression filter and type Lost Interface as the text to match on the tags target column.
  5. Choose format settings and schedule.
  6. Click Create Connection.

Create connection for event notifications

You can send data notifications about Discover events to destinations such as email, SIEM, or Splunk. To configure notifications, create a connection with Connect. The following Discover event groups are available for configuring notifications: 

  • Discover Label Notifications
    • Configure a notification based on a selected set of automatic notify labels. You can choose to create notifications for a single label, or a group of labels. You must have custom notify labels defined to use this option.
  • Discover Notifications

    • All labels: Create notifications for all configured automatic notify labels.
    • New unmanaged interface: Discover found a new unmanaged interface in your environment. This behavior is controlled by the pre-configured New Unmanaged Interface label.
    • New managed interface: Discover found a new managed endpoint in your environment. This behavior is controlled by the pre-configured New Managed Interface label.
    • Lost interface: Discover found an unmanaged interface that was formerly managed. For an interface to be marked as lost, it must:
      • Not show up in the Managed Interfaces page for one day
      • Have a value in the Last Discovered column
      • Show up as an unmanaged interface as a result of active discovery methods in the last 4 hours (Nmap scan, connections, or simple ping script)

      This behavior is controlled by the pre-configured Lost Interface label. To update the conditions that determine a lost interface, change the default settings for the Lost Interface label.
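
The three lost-interface conditions above, written as a check over constructed records so you can see which condition keeps an interface from being flagged. This is an added example, not Tanium code; the field names (last_managed, last_discovered, last_unmanaged_seen, method) and the method identifiers are hypothetical and are not the Discover export schema.

```python
from datetime import datetime, timedelta

# Windows from the conditions above (defaults of the Lost Interface label).
MANAGED_ABSENCE = timedelta(days=1)
ACTIVE_WINDOW = timedelta(hours=4)
ACTIVE_METHODS = {"nmap", "connections", "ping"}  # hypothetical identifiers

def unmet_lost_conditions(iface, now):
    """Return the conditions that stop `iface` counting as lost ([] = lost)."""
    unmet = []
    managed = iface.get("last_managed")
    if managed is None:
        unmet.append("never managed")
    elif now - managed < MANAGED_ABSENCE:
        unmet.append("managed within the last day")
    if iface.get("last_discovered") is None:
        unmet.append("no Last Discovered value")
    seen = iface.get("last_unmanaged_seen")
    if (seen is None or now - seen > ACTIVE_WINDOW
            or iface.get("method") not in ACTIVE_METHODS):
        unmet.append("no active-discovery sighting in the last 4 hours")
    return unmet

def lost_interfaces(records, now):
    """MAC addresses of the records that satisfy every condition."""
    return [r["mac"] for r in records if not unmet_lost_conditions(r, now)]

# Constructed sample data; MACs are from the RFC 7042 documentation range.
NOW = datetime(2024, 1, 10, 12, 0)

def _rec(mac, managed_ago, seen_ago, method="nmap"):
    seen = NOW - seen_ago
    managed = None if managed_ago is None else NOW - managed_ago
    return {"mac": mac, "last_managed": managed, "last_discovered": seen,
            "last_unmanaged_seen": seen, "method": method}

SAMPLE = [
    _rec("00:00:5E:00:53:01", timedelta(days=3), timedelta(hours=1)),   # lost
    _rec("00:00:5E:00:53:02", timedelta(hours=2), timedelta(hours=1)),  # managed today
    _rec("00:00:5E:00:53:03", timedelta(days=3), timedelta(days=2), "ping"),  # stale
    _rec("00:00:5E:00:53:04", None, timedelta(minutes=30)),             # never managed
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["mac"], unmet_lost_conditions(rec, NOW) or "LOST")
```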


Configure notifications in Connect

  1. Create the connection.
    1. From the Main menu, open Tanium Connect. Click Create Connection.
    2. Name the connection.
      In General Information, confirm that Enable is selected.

  2. Configure the data source.
    1. In Source, select the Event source.
    2. Choose the event group that you want to use.
      • For the Discover Label Notifications event group, select the labels for which you want to send notifications.
        Label notifications are available for labels that you add, not for the predefined labels. If you do not have user-defined labels, you do not see the Discover Label Notifications event group.
      • For the Discover Notifications event group, select one or more Discover events for which to send notifications.

  3. (Optional) Filter the data.
    You can optionally filter for new items, regular expressions, numeric operators, or unique values from data columns.
  4. Configure the connection destination.
    Select any of the connection destinations that are listed in the Select Destination menu. Common choices for notifications include Email, SIEM, and Splunk. However, you can use any of the available destinations. For more information, see Tanium Connect User Guide. Complete the required fields and click Create Connection.

Block network access with Network Quarantine

With the Network Quarantine shared service, you can set up a network access control (NAC) solution to block and unblock interfaces based on MAC or IP address.

Configure a NAC

For information about setting up either a Palo Alto Networks Layer 3 firewall or Cisco Identity Services Engine (ISE) to quarantine endpoints, see Tanium Network Quarantine User Guide.

Quarantine or unquarantine interfaces

After you configure a NAC in Network Quarantine, you can quarantine or unquarantine an IP or MAC address from Discover.

You must have the Network Quarantine User role to perform the quarantine or unquarantine action. For more information about configuring user roles, see Tanium Core Platform User Guide: Assign roles to a user.

  1. From the Discover menu, click Interfaces. Select one or more interfaces.
  2. Click Quarantine or Unquarantine. The menu displays the available NACs that were configured in Network Quarantine.
  3. After the IP or MAC address is quarantined, the row is highlighted on the Interfaces page.

Deploy Download Tanium Client

After you define labels to apply on unmanaged interfaces, you can select the label to use for deployment targeting in Tanium Client Management. See Tanium Client Management User Guide: Configure a deployment.

Download and install the Tanium Client. See Tanium Client User Guide.