Succeeding with Discover

Follow these best practices to achieve maximum value and success with Tanium Discover. These steps align with the key benchmark metrics: increasing the percentage of managed endpoints and reducing the amount of time it takes to bring endpoints under management by Tanium.

Step 1: Gain organizational effectiveness

Complete the key organizational governance steps to maximize Discover value. For more information about each task, see Gaining organizational effectiveness.

Develop a dedicated change management process.

Define distinct roles and responsibilities in a RACI chart.

Validate cross-functional organizational alignment.

Develop a deployment plan.

Track operational metrics.

Step 2: Install Tanium modules

Install Tanium Discover. See Installing Discover.

Configure service account. See Configure service account.

Configure default action group computers. See Configure Discover action group.

Install Tanium Connect. See Tanium Connect User Guide: Installing Connect.

Install Tanium Trends. See Tanium Trends User Guide: Installing Trends.

Install Tanium Network Quarantine. See Tanium Network Quarantine User Guide: Installing Network Quarantine.

Install Tanium Client Management, which provides Tanium Endpoint Configuration. See Tanium Client Management User Guide: Installing Client Management.

When you import Discover with the Tanium Recommended Installation workflow, the following default settings are configured:

  • The Discover service account is set to the account that you used to import the module.
  • The Discover action group is set to the computer group All Computers.

    (Tanium Core Platform 7.4.5 or later only) You can set the module action group to target the No Computers filter group by enabling restricted targeting before importing the module. This option enables you to control tools deployment through the scheduled actions that are created during the import and that target the module action group. For example, you might want to test the tools on a subset of endpoints before deploying them to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only that subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

  • A Level 2 (ping) distributed profile is created and deployed to all Tanium Clients. For more information about this type of profile, see Level 2 (ping).

Step 3: Define labels

Start with the Discover Label Gallery. Import the Collection of labels for New Deployment or POC. This collection includes labels for commonly unmanaged devices based on the manufacturer name, and a label that purges interfaces that have not been seen in 30 days.

In addition to these sample labels, customize labels for your specific environment. Define a label that targets unmanaged interfaces for Tanium Client installation.

See Labels.

Step 4: Run distributed Discover scans

If you already have the Tanium Client installed on a few endpoints in a subnet, you can use distributed scans. Distributed scans run on managed endpoints to identify unmanaged interfaces in targeted networks.

Based on the deployment plan you developed in Step 1, build a Discover profile.

If you are using a by-subnet deployment policy, test the profile and continue to add subnets to it until you are confident that all required networks are covered.

See Running distributed scans.

Step 5: Run centralized Discover scans

Centralized scans are run from the Tanium Module Server and can scan environments where no managed endpoints are available, such as Amazon Web Services (AWS) or an unmanaged subnet.

If you have an AWS environment with EC2 instances you would like to scan, you can create a centralized Amazon Web Services EC2 Cloud API scan. This scan uses the AWS API to get information about your EC2 instances.

If you have subnets that contain no Tanium Clients, run a centralized Nmap scan on the subnet targets.

See Running centralized scans.

Step 6: Assign locations

Populating the location information you already have about your network before running Discover scans enriches the data that the scans return. After you run scans, you might find networks that you did not originally know about. You can update the location information to further populate locations in subsequent scans.

Determine a source for all network locations that exist in the enterprise. Typically the network team has this information in an IP Address Management (IPAM) database.

Create a CSV file of locations to import into Discover. The resulting location hierarchy helps with regional identification of interfaces.

See Locations.

Step 7: Quarantine interfaces

Set up certificate-based or password-based authentication to the network access control (NAC) solution.

Use Discover to send devices (managed or unmanaged) to be quarantined. See Block network access with Network Quarantine. Cisco Identity Services Engine (ISE) is the NAC device that Network Quarantine supports.

Step 8: Deploy Tanium Client

Download and install the Tanium Client (see Tanium Client Management User Guide). Use Discover labels to target the installation of Tanium Client on unmanaged interfaces. See Tanium Client Management User Guide: Configure a deployment.

Step 9: Monitor Discover metrics

From the Trends menu, click Boards and then click IT Operations Metrics to view the Interfaces Managed and Mean Time to Managed panels in the Discover section.

Customize Trends boards based on your requirements. For example, you might build a panel of unmanaged devices in New York City based on criteria in Discover and watch how it changes over time.

Monitor and troubleshoot endpoints managed.

Monitor and troubleshoot mean time to manage.