Discover overview

With Discover, you can find and maintain an inventory of interfaces. By installing the Tanium™ Client on your endpoints, you can actively scan and monitor the local subnet or other defined network segments, detecting unmanaged interfaces.

Interfaces are unique media access control (MAC) addresses. An endpoint with multiple network interface controllers (NICs) displays as multiple interfaces in Discover.

Managed interfaces are on endpoints that have the Tanium Client running and are managed by Tanium. Unmanaged interfaces are on the network but do not have the Tanium Client running.

 With Discover, you can perform the following tasks:

  • Get real-time information about unmanaged interfaces on your network.
  • Block unmanaged interfaces from network access.

 

Scan types

Scan types define which endpoints run Discover scans. For the most complete view of all unmanaged interfaces, use a combination of distributed and centralized scans.

Scan types

 

Scan types

 

Distributed scans

Configure distributed scans to use managed endpoints to scan for or detect unmanaged interfaces at configurable intervals. Discover queries endpoints for updated detection data periodically. New information is immediately available. The detection process provides continuous scanning without impact to network operations.

Centralized scans

Configure centralized scans to use the Tanium Module Server to detect unmanaged interfaces beyond your local network, such as in cloud-hosted environments or targeted subnets where no Tanium Clients exist.

Unmanaged interface discovery

Create profiles to detect interfaces that are on the network but not under Tanium management. Each profile consists of a set of network inclusions and exclusions, a discovery method, and schedule information. You can configure multiple profiles to cover different parts of the network. For more information, see Running distributed scans.

Interface management

Organize interfaces by applying locations or labels. View statistics about interfaces over time.

Locations

Assign interfaces to geographic, physical, or logical locations. Define a hierarchy of network addresses, network address translation (NAT) addresses, and locations. Addresses can consist of an IP, IP range, or classless inter-domain routing (CIDR) address. The location hierarchy goes from a larger to smaller location, such as country, state, city or Site, building, floor. After the hierarchy is defined, locations are matched with the interfaces during the import process of a discovery scan. For more information, see Locations.

Labels

Labels include descriptive information or metadata that you can use to identify and group interfaces. Then, you can classify or search for interfaces based on the labels. You can also automatically apply labels or ignore interfaces based on a specifically defined set of conditions. To get started with labels, a gallery of commonly-defined labels is available. For more information about labels, see Labels.

Blocking

Use the Tanium™ Network Quarantine shared service to set up a network access control (NAC) that can block by IP or MAC address as a built-in action of Discover. Cisco Identity Services Engine (ISE) is the supported NAC device.

For more information, see Block network access with Network Quarantine.

Notifications

Discover records the following events:

  • Found an unmanaged interface
  • Found a new managed endpoint
  • Lost an interface

With a connection in Tanium™ Connect, Discover can send these events to a destination, such as security information and event management (SIEM) system, email, or file. For example, use the Found an unmanaged interface event as an alert to the operations team, so they install Tanium on unmanaged interfaces.

For more information about configuring the Discover notifications connection, see Create connection for event notifications.

Integration with other Tanium products

Trends

Discover features Trends boards that provide data visualization of Discover concepts.

Discover - Interfaces

Displays information about the interfaces that Discover has found in the environment. The following panels are in the Discover - Interfaces board:

  • Interfaces managed
  • Mean time to managed
  • Lost interfaces
  • All interfaces
  • Managed interfaces
  • Unmanaged interfaces
  • Unmanageable interfaces

Discover - Labels

Displays information about the labels that have been applied to interfaces. The following panels are in the Discover - Labels board:

  • Discover label counts - latest
  • Discover labels over time

Discover - Module Health

Displays information about the resource usage of the Discover service on the Module Server. The following panels are in the Discover - Module Health board:

  • Discover module average CPU usage
  • Discover module average heap memory used

For more information about how to import the Trends boards that are provided by Discover, see Tanium Trends User Guide: Importing the initial gallery.