Discover overview
With Discover, you can find and maintain an inventory of interfaces. By installing the Tanium™ Client on your endpoints, you can actively scan and monitor the local subnet or other defined network segments, detecting unmanaged interfaces.
Interfaces are unique media access control (MAC) addresses. An endpoint with multiple network interface controllers (NICs) displays as multiple interfaces in Discover.
Managed interfaces are on endpoints that have the Tanium Client running and are managed by Tanium. Unmanaged interfaces are on the network but do not have the Tanium Client running.
Discover gives you real-time information about unmanaged interfaces on your network.
Scan types
Scan types define which endpoints run Discover scans.
Distributed scans
Configure distributed scans to use managed endpoints to scan for or detect unmanaged interfaces at configurable intervals. Discover queries endpoints for updated detection data periodically. New information is immediately available. The detection process provides continuous scanning without impact to network operations.
Satellite scans
Configure satellite scans to use a satellite endpoint to scan for or detect unmanaged interfaces that cannot be reached directly from the Tanium Module Server, such as subnets that have only a bridged connection to the main network.
Satellites are specific Tanium Clients that you designate to run certain targeted, secure workloads on behalf of the Module Server. Because the server might need to send sensitive, encrypted data (such as credentials) to a satellite when running a workload, you must verify each endpoint that you designate as a satellite to prevent spoofing attacks. Any such sensitive data is never sent using the linear chain, nor is it stored on disk on the satellite.
For more information about managing satellites, see Tanium Direct Connect User Guide: Managing satellites.
Centralized scans
Configure centralized scans to use the Tanium Module Server to detect unmanaged interfaces beyond your local network, such as in cloud-hosted environments or targeted subnets where no Tanium Clients exist.
Profiles for unmanaged interface discovery
Create profiles to detect interfaces that are on the network but not under Tanium management. Each profile consists of a set of network inclusions and exclusions, a discovery method, and schedule information. You can configure multiple profiles to cover different types of scans and to scan different parts of the network. For more information, see
Discovery method impact
Before you configure a profile, you must understand the impact of the different discovery methods. Passive discovery methods use existing information on the endpoints to find interfaces, generating no network activity. Active discovery methods perform network scanning.
You can use four levels of distributed discovery.
| Discovery Method | Approximate Bytes per IP Found (DNS Lookup Disabled) | Approximate Bytes per IP Found (DNS Lookup Enabled) |
|---|---|---|
| Distributed level 1 (ARP cache and interface connections) | 0 | 512 |
| Distributed level 2 (ping) | 74 | 586 |
| Distributed level 3 (Nmap scan with host discovery) | 56 | 586 |
| Distributed level 4 (Nmap scan with host discovery and OS fingerprinting, 1000 port default) | n/a | 122000 |
| Centralized Nmap | n/a | 244000 |
| Centralized Amazon EC2 environments | n/a | n/a |
| Satellite | n/a | 244000 |
| All values are estimates and are calculated based on standard network equipment. Actual values can vary widely depending on your network configuration. | ||
Profile configuration
Each profile is scoped by different network inclusions, exclusions, and schedules. With an active discovery method, you might choose to scope the discovery to run on a specific subnet a few times a day. Because passive discovery methods have less network impact, you might choose to scope the discovery to scan a broader part of the network every hour.
Overall, the best data is provided by satellite
Level 3 and level 1 scans provide the least information. Level 3 is a quick scan without port probing, but finds all IP addresses using active ARP probing. The level 1 scan is passive and looks at connections or ARP cache to determine what the endpoint knows about without any network probing.
Centralized Amazon EC2 environment profiles provide data only for AWS EC2 instances.
For more information about the data provided by each profile type, see Reference: Data returned by profile type.
Interface management
Organize interfaces by applying locations or labels. View statistics about interfaces over time.
Locations
Assign interfaces to geographic, physical, or logical locations. Define a hierarchy of network addresses, network address translation (NAT) addresses, and locations. Addresses can consist of an IP, IP range, or classless inter-domain routing (CIDR) address. The location hierarchy goes from a larger to smaller location, such as country, state, city or Site, building, floor. After the hierarchy is defined, locations are matched with the interfaces during the import process of a discovery scan. For more information, see Locations.
Labels
Labels include descriptive information or metadata that you can use to identify and group interfaces. Then, you can classify or search for interfaces based on the labels. You can also automatically apply labels or ignore interfaces based on a specifically defined set of conditions. To get started with labels, a gallery of commonly-defined labels is available. For more information about labels, see Labels.
Notifications
Discover records the following events:
- Found an unmanaged interface
- Found a new managed endpoint
- Lost an interface
With a connection in Tanium™ Connect, Discover can send these events to a destination, such as security information and event management (SIEM) system, email, or file. For example, use the Found an unmanaged interface event as an alert to the operations team, so they install Tanium on unmanaged interfaces.
For more information about configuring the Discover notifications connection, see Create connection for event notifications.
Integration with other Tanium products
Trends
Discover features Trends boards that provide data visualization of Discover concepts.
Discover - Interfaces
Displays information about the interfaces that Discover has found in the environment. The following panels are in the Discover - Interfaces board:
- Interfaces managed
- Mean time to managed
- Lost interfaces
- All interfaces
- Managed interfaces
- Unmanaged interfaces
- Unmanageable interfaces
Discover - Labels
Displays information about the labels that have been applied to interfaces. The following panels are in the Discover - Labels board:
- Discover label counts - latest
- Discover labels over time
Discover - Module Health
Displays information about the resource usage of the Discover service on the Module Server. The following panels are in the Discover - Module Health board:
- Discover module average CPU usage
- Discover module average heap memory used
For more information about how to import the Trends boards that are provided by Discover, see Tanium Trends User Guide: Importing the initial gallery.
Last updated: 5/17/2022 9:10 AM | Feedback