Managing interfaces

Organize interfaces by applying locations or labels. Locations are a user-defined hierarchy of networks and physical locations. Labels are attributes that are added to the interface based on a set of conditions, and you can set actions to ignore, purge, mark unmanageable, or send notifications on the interfaces that match the conditions of the label.

Locations

You can group discovered interfaces by mapping subnets to geographic or physical locations. After you map the network address and network address translation (NAT) address (CIDR, IP, or IP range) to your own hierarchy of locations, you can see information about how many devices are at a location on the Interfaces pages. You can also assign access to network interface information to Tanium user groups.

To develop the location hierarchy, work with your network team. Typically, the network team has location information in an IP Address Management (IPAM) database.

Create location spreadsheet

Import locations by creating a comma-separated values (CSV) file. This file must be UTF-8 encoded.

CSV header

The first row of the CSV file must contain at least three headers: Network, NAT, and at least one location column. You can have multiple headers for location to create a hierarchy of location information. The naming of the headers does not need to follow a certain pattern, but the first two columns must contain Network and NAT values.

CSV values

CSV values can contain alphanumerics, white space, parenthesis ( ( ) ), number signs (#), or hyphens (-).

  • Network column: Values in the network column can contain a mix of CIDR and IP ranges.
  • NAT column: Values in the NAT column can contain a mix of CIDR and IP ranges. This column must exist in the CSV file, but the values can be left blank by using "" as the value.
  • Locations columns: Headers and values for the locations are user-defined and generally go from largest geographical location (country, region) to smallest (city, office). Use a maximum of 5 columns for location (for example: Country, State, City, Building, Floor).

Confirm that each row ends in a unique location in the hierarchy specified in the file. For more information, see Problem: Error with locations CSV file.

CSV example

"Network","NAT","Country","State","Site","Building","Floor"
"10.0.0.0/24","","United States","New York","NYC","300 Madison","33"
"10.1.5.100-10.1.5.250","","United States","New York","NYC","300 Madison","30"
"10.2.1.0/24","10.2.2.200-10.2.2.205","United States","North Carolina","RTP","Pinnacle 3005","5"

Import locations

Each time you upload a CSV file that contains locations, any existing locations in Discover are removed and replaced with the hierarchy in the new file.

  1. From the Discover menu, click Locations.
  2. Click Import Locations and upload the CSV file you created.
  3. A list of locations is displayed on the Locations tab. You can search the locations as needed. To export a filtered CSV file based on the search results, click Export.
  4. The location values are evaluated and applied to the interfaces list during the next scheduled Discover import process.

Assign location permissions

You can assign user group access to data in Discover based on location. When a user group is granted permission to a location, the users in that group can see only interfaces that are in the specified locations.

Before any locations are assigned permissions, all users can see all locations. After any permissions are assigned for locations, a user must be assigned location permissions to see interfaces. Tanium Administrator and Discover Administrator users can see all interfaces. If location permissions are defined, users with Discover User role can no longer create labels.

  1. Create a user group that has access to the Discover module. See Tanium Console User Guide: Managing User Groups.
  2. From the Discover menu, click Locations > Permissions > Create Permissions.
  3. Select user groups and associated locations. If a location has child locations, all the children are selected. Click Save.


Location results

Locations are evaluated and applied to interfaces during the import process of a discovery scan. You can use location data in the following places in Discover: 

  • Interfaces > Summary page: 
    • Filter by location.
    • The All Interfaces totals show for all users, but interfaces in grid show only what is permitted for the user based on their assigned permissions.
  • Interfaces pages: You can add Locations as a column to the grid.
  • Create Profile page: When you are configuring a profile, you can set scan inclusions and exclusions based on locations. See Configure profile for distributed scan.

Labels

Create labels to group interfaces by various attributes, such as organization or team, manufacturer. You can also mark devices that are not managed by Tanium, including printers, IP phones, and networking devices such as routers and switches.

Discover label gallery

Browse the Discover label gallery to see commonly defined labels in Discover. You can use the gallery to create automatic labels to mark interfaces for maintenance, common device types, or common server configurations. Not all labels are relevant to every environment, so review the list carefully to determine what to import. To import a label from the label gallery, see Manage labels .

Import the Collection of labels for New Deployment or POC label collection as a starting point, and customize to fit your environment. This collection includes labels for commonly unmanaged devices based on the manufacturer name, and a label that purges interfaces that have not been seen in 30 days. While this collection is a good starting point, you must customize labels for your specific environment. Define a label for targeting installation of Tanium Client on unmanaged interfaces.

Label interfaces manually

You can define multiple labels for a single interface. Label information is stored with the inventory in Discover and is preserved from one scan to the next.

Create labels

  • You can label interfaces in several of the Interfaces pages. Select the interfaces that you want to label and then click Label. Create a label or apply an existing label to the selected interfaces.
  • To create a label from the Labels page, go to the Discover menu and click Labels, then click Create Label.

You cannot manually add an automatic label to an interface. Automatic labels are only applied to interfaces based on the label conditions. See Automatically label interfaces.

Manage labels

Manage labels in the Labels view. Labels in Discover are JSON files that are imported or exported.

  • To import or export your label definitions, click Import Labels or Export Labels.
  • Click a label to view the label details. You can see which interfaces are connected to the label, export, edit, or delete the label. If you delete a label, the label is removed from all the related interfaces.

Ignore interfaces

When you ignore an interface, it is removed from the list of interfaces, and is added to the list on the Interfaces > Ignored page. An ignored interface is not included in views or counts.

  • To ignore interfaces, select interfaces and click Ignore, or create an automatic label to ignore interfaces.
  • To start tracking an interface again, update the interface on the Interfaces > Ignored page.

If you ignore an interface with an automatic label, you cannot override the ignore with a manual setting on the interface. If you have manually ignored an interface, locate the interface under Ignored in the Discover menu and click Unignore.

Mark interfaces as unmanageable

By default, the Unmanageable OS Platforms predefined automatic label defines which interfaces are marked as unmanageable, and show up on the Interfaces > Unmanageable page.

  • To manually mark an interface as unmanageable from an Interfaces page, select interfaces from the list and click Mark Unmanageable. This action applies the label: Manually Marked Unmanageable.
  • To automatically mark interfaces as unmanageable with custom criteria, use the Mark Unmanageable label activity. See Automatically label interfaces.
  • To later mark a manually marked interface as manageable, you can update the interface on the Interfaces > Unmanageable page.

If you mark an interface as manageable, but the interface is considered to be unmanaged by the Unmanageable OS Platforms automatic label criteria, the interface stays manageable.

Automatically label interfaces

When you have many interfaces to label, you might want to consider setting up automatic labeling on your interfaces. Automatic labels are applied to interfaces each time the discover unmanaged interfaces operation runs. In addition to applying a label, you can set actions to ignore, purge, mark unmanageable, or send notifications on the interfaces that match the conditions of the label.

  1. Set up automatic labeling with one of the following methods:
    • When you create the label, change the type to Automatic Label.
    • To make an existing label automatic, open the label in the Labels view, then click Edit. Change the type to Automatic Label.

  2. Add conditions on which to apply the label. For a list of these conditions and which discovery methods return information, see Reference: Data returned by profile type.

    Multi-value Conditions

    The IP Address, Hostname, and Labels conditions support matching on patterns and ranges. Each of these conditions has a corresponding negative version. Regular expressions are not supported.

    • Has a <value> that equals: An exact match, such as 192.168.1.195

    • Has an address in the range: For IP Address, a range (CIDR included), such as 192.168.1.195-192.168.1.197 or 192.168.1.0/24

    • Has a <value> that matches pattern: A glob match that supports * (multiple characters) and ? (single character), such as 192.168.1.??? matches IP that have three digits in the last octet

      The pattern must match the entire value.

    • Has a <value> that contains: A partial match for a value

    • Has <value>: A match for at least one value


  3. Set an activity that runs when the conditions in the label are matched.
    • Label: Apply a label to the interface
    • Ignore: Add the interface to the list of Ignored Interfaces
    • Mark Unmanageable: Mark interface as unmanageable (cannot run Tanium Client)
    • Notify: Send a notification about the interface
    • Purge: Remove interfaces that match the criteria from the Discover database

    Labeling is applied to interfaces each time the results from the discovery methods are imported.

    Example: Automatically ignore or purge interfaces based on last discovered date

    Purge interfaces after they have not been seen for 30 days.

    To handle situations with ephemeral devices that go quickly on and off of the network, you can set up an automatic label that either moves the interface to the Ignored Interfaces page or removes the interface from Discover.

    For example, you might want to ignore any interfaces that have not been seen in the last 30 days. To set up this label, select: Last Seen, Older Than, 30 days as the conditions, and choose Ignore as the label activity.

    To remove an interface, choose Purge as the label activity. Purging an interface completely removes all historical information about that interface from Discover and the Discover database. If you want to maintain some historical information about the interface, consider using the Ignore label activity.

    Example: Automatically label interfaces by using a wildcard character

    You can use an underscore (_) character as a wildcard in your automatic labels.

    For example, you might want to filter the labeling on your interfaces by MAC address. You might have the following MAC addresses:

    02-0F-B5-61-AB-01
    02-0F-B5-38-1F-39
    02-0F-B5-98-5B-69
    02-0F-B5-55-0C-21
    02-0F-B5-32-FA-E1

    You can set up an automatic label: Mac Address contains B5-3_-

    that matches the following interfaces:

    02-0F-B5-38-1F-39
    02-0F-B5-32-FA-E1

View interface data

On the Interfaces pages, you can view interfaces by several different categories. You can customize and filter these results, and export the results to a CSV file.

In addition to the Summary page, use the Unmanaged, Unmanageable, and Managed pages.

View charts

You can view bar charts that represent the device types and locations of managed and unmanaged interfaces.

  1. From the Discover menu, click Interfaces > Summary. You can view a graph by Manufacturer or Location.
  2. To filter the content of the chart, click Filter By . You can customize the interface type (managed, unmanaged, unmanageable), ignored interfaces, or labels.
  3. To change the column data that is displayed in the chart, click Select Columns . When you change the column data, the data in the data grid is also filtered.
    • On the Manufacturer tab, select the manufacturers that are displayed for each bar in the chart.
    • On the Location tab, select any combination of your location hierarchy to display as bars in the chart.

Add columns to data grid

From any of the data grids on the Interfaces pages, you can customize the columns in the data grid. Click the menu on a column. Then, sort the results on that column, add columns to the data grid, and filter the results.

Export data

To export the current data grid of interfaces to a CSV file, click Export Data . The export includes the data as it is currently displayed in the data grid.

The Unmanageable column in the CSV file indicates if the endpoint can be managed by the Tanium Client. The following table explains the numbers in the Unmanageable column.

Number Label
0 Managed or Manageable (automatic)
1 Unmanageable (automatic)
2 Manually Marked Manageable
3 Manually Marked Unmanageable

 

View data in Tanium Trends

After you have well-defined labels, use the Discover - Labels board in Tanium Trends to view the current label count and the label count over time.