Running satellite scans

Use satellite scans to scan from an endpoint configured as a satellite to remote subnets.

Scan unmanaged subnets with a satellite scan

Use satellite scans to find interfaces in unmanaged subnets. The Network Mapper (Nmap) utility finds information about network interfaces by running host discovery and OS fingerprinting from the satellite on a target network. The satellite that returned the data about an interface is listed in the Satellite ID column of the Details table on the Interfaces page.

The satellite scan is equivalent to a level 4 distributed scan.

Value on Interfaces pages: satellite nmap

By default, Discover scans 1000 commonly used TCP ports to calculate the OS Generation field. (For more information, see Top 1,000 TCP and UDP ports (nmap default).) In the profile settings you can configure different ports to scan and can change the source port from which the scan originates. The value of the OS Generation field is a “best guess” from Nmap, and is not displayed for managed interfaces.

The accuracy of OS fingerprinting and host name resolution depends on how remote the network is that you choose to scan. The more network hops away you search, the harder it is for Nmap to identify the operating system.

Remote network scans might not return a MAC address for discovered interfaces. If an interface does not have a MAC address, the IP address is used as the unique identifier.

The Nmap utility is installed on the satellite after you create a satellite profile. If you remove all of the satellite profiles, the Nmap utility gets removed.

Configure profile for satellite scan

Configure a profile for the satellite scan by selecting the satellite to use, defining which networks to scan, and setting a scan schedule.

Create profiles according to your deployment plan. See Develop a deployment plan.

Before you begin

  • To scan portions of the network, you must know the IP ranges or the networks that you want to scan. Enter a network address or IP ranges for up to 4096 IP addresses (or the equivalent of a /20 network).

  • You must have configured satellites in Tanium Direct Connect. Satellite configuration is available in Direct Connect version 2.1 and later. For more information about configuring satellites, see Tanium Direct Connect User Guide: Managing satellites.

  • (Optional) Create a locations file to map physical locations to discovered interfaces. Assign users to specific locations to limit access to interface data to specific user groups. You can configure locations at any time because the locations are evaluated every time a Discover scan completes. For more information, see Locations.

    For the most complete results from the scan, import locations before configuring a profile. You can update locations later as you find more information about your networks.

  1. Add a profile. From the Discover menu, click Profiles. Click Create Profile.
  2. Give the profile a name and select the Satellite profile type.
  3. Select how Tanium manages the Npcap driver on Windows endpoints.

    • To use the existing Npcap version on the endpoint and not update to a newer version, select Use existing Npcap version. Tanium installs Npcap on the endpoint if it is not already installed. This is the default setting.

      If you update to the latest Discover version to Discover 4.1.240 or later from an older version, be aware that the default Npcap management behavior changed to no longer automatically update Npcap. To have Tanium continue to update Npcap on endpoints, select the Update Tanium version of Npcap option.

      Select this option if you plan to manually update Npcap versions.

    • To use the Npcap version included with Discover, select Update Tanium version of Npcap. Tanium updates Npcap if it is not on the endpoint or if Npcap was previously installed by Tanium. If Npcap was installed outside of Tanium, Tanium does not update Npcap. This is the recommended setting.

  4. Specify the ports to scan.
  5. Configure scan inclusions and exclusions to specify the networks that are scanned by the satellite.
    1. Scan Inclusions: Specify networks that you want included in the scan. Select a network from the Included Networks list or click to add a network to scan. The satellite scans only the selected network.
    2. Scan Exclusions: To exclude a portion of the Included Networks from the scan, select Specific Networks and select a network from the list, or click to add a subnet or IP address to exclude from the scan. The IPs you exclude are not contacted during the scan process. For example, if you specify 192.168.0.0/20 in Included Networks, you might specify to exclude 192.168.1.0/24 and 192.168.0.1.
  6. Configure the scan schedule and scan window.

    1. Schedule: The schedule defines how often to run the scan.
      Recommended scanning frequency is once an hour in most environments.
    2. Scan Window (Windows, Mac, and Linux endpoints only): Configure specific times to run the discovery process on your endpoints. If a scan is scheduled to run outside the scan window, nothing is run as a part of the scan.
      The time can either be the local endpoint time of the Tanium Client (distributed scans) or satellite (satellite scans), or the local time of the Tanium user that is configuring the profile. For example, you can choose Local Endpoint Time and create a scan configuration to scan your endpoints daily, but restrict the scans to run during non-business hours, such as from 6:30 PM to 11:30 PM. If some of your endpoints are offline during the scan window, you can choose the Override option to scan any endpoints that have a scan age older than a specified amount of time, in hours or days.
      The Duration of the scan window must be greater than or equal to the Reissue every plus Distribute over settings in the schedule section. If the value is set to less than the sum of these values, some endpoints never scan.

  7. Click Create.

Discovery process

  1. On the first run of a satellite profile, Discover installs the Nmap utility on the satellite. The scan runs at the scheduled interval.
  2. Perform a satellite scan on the targeted network, as defined in the profile settings.

    To check the status of a satellite scan, from the Discover menu, click Profiles. Hover over the icon in the Status column to view the status message, or click Expand to expand the profile and view more detailed status and troubleshooting information.

  3. Import results into Discover at the Reissue every interval that you defined.

Satellite scan results

Scan results

After you discover interfaces, the Interfaces pages list the interfaces with the following icons:

  • : Managed interfaces that have Tanium Client installed.
  • : Unmanaged interfaces that do not have Tanium Client installed, but might be a candidate for a Tanium Client installation.
  • : Unmanageable interfaces are on devices that cannot run the Tanium Client. By default, unmanageable interfaces have an OS Platform that is not supported by the Tanium Client, defined by the Unmanageable OS Platforms predefined automatic label. Unmanageable interfaces are not included in the managed and unmanaged interface statistics.

The profile type and discovery method that were used to find the interface return varying columns on the Interfaces pages. For more information, see Reference: Data returned by profile type.

Unmanaged interfaces discovered by a satellite scan include the ID of the satellite that discovered them. This ID is displayed in the Satellite ID column of the Details table on the Interfaces page.

Force import of scan results

Instead of waiting for the Reissue every time to pass, you can force an import of the most recent scan results.

  1. Go to the Discover Profiles page.
  2. Click Reimport Scan Results. When you click this button:
      • Level 1 profile scan results are collected and imported.
      • Level 2, 3, and 4 scan results are collected. If these methods are not active on the endpoints, no results are collected.
      • Satellite profile scan results are collected from the satellite.
      • Centralized profile scan results are collected from the Tanium Module Server.

      Clicking Reimport Scan Results does not force the execution of a level 2, 3, or 4 distributed scans, satellite, or any centralized scans. The results for level 2, 3, or 4 distributed scans are gathered if they are already distributed and active on the endpoints. For satellite scans, the results from the latest scan are collected from the associated satellite. For centralized scans, the results from the last scan are collected from the Tanium Module Server.

What to do next