Managing interfaces

Organize interfaces by applying locations or labels. Locations are a user-defined hierarchy of networks and physical locations. Labels are attributes that are added to the interface based on a set of conditions, and you can set actions to ignore, purge, mark unmanageable, or send notifications on the interfaces that match the conditions of the label.

Locations

You can group discovered interfaces by mapping subnets to geographic or physical locations. After you map the network address and network address translation (NAT) address (CIDR, IP, or IP range) to your own hierarchy of locations, you can see information about how many devices are at a location on the Interfaces page. You can also assign access to network interface information to Tanium user groups.

For location permissions to work with personas, user groups that are assigned to a location must be added to the default persona for a user, not to an alternative persona. For more information about personas and user groups, see Tanium Console User Guide: Managing personas and Tanium Console User Guide: Managing user groups.

To develop the location hierarchy, work with your network team. Typically, the network team has location information in an IP Address Management (IPAM) database.

You can support disjointed subnets by adding two separate lines to the same location. For example 10.10.10.0/24 and 10.10.100.0/24.

Create location spreadsheet

Import locations by creating a comma-separated values (CSV) file. This file must be UTF-8 encoded.

CSV header

The first row of the CSV file must contain at least three headers: Network, NAT, and at least one location column. You can have multiple headers for location to create a hierarchy of location information. The naming of the headers does not need to follow a certain pattern, but the first two columns must contain Network and NAT values.

CSV values

CSV values can contain alphanumerics, white space, parenthesis ( ( ) ), number signs (#), or hyphens (-).

  • Network column: Values in the network column can contain a mix of CIDR and IP ranges.
  • NAT column: Values in the NAT column can contain a mix of CIDR and IP ranges. This column must exist in the CSV file, but the values can be left blank by using "" as the value.
  • Locations columns: Headers and values for the locations are user-defined and generally go from largest geographical location (country, region) to smallest (city, office). Use a maximum of 5 columns for location (for example: Country, State, City, Building, Floor).

Confirm that each row ends in a unique location in the hierarchy specified in the file. For more information, see Problem: Error with locations CSV file.

CSV example

"Network","NAT","Country","State","Site","Building","Floor"
"10.0.0.0/24","","United States","New York","NYC","300 Madison","33"
"10.1.5.100-10.1.5.250","","United States","New York","NYC","300 Madison","30"
"10.2.1.0/24","10.2.2.200-10.2.2.205","United States","North Carolina","RTP","Pinnacle 3005","5"

Import locations

Each time you upload a CSV file that contains locations, any existing locations in Discover are removed and replaced with the hierarchy in the new file.

  1. From the Discover menu, click Locations.
  2. Click Import Locations and upload the CSV file you created. The location values are evaluated and applied to the interfaces list.
  3. A list of locations is displayed on the Locations tab. You can search the locations as needed. To export a filtered CSV file based on the search results, click Export Locations.

Assign location permissions

You can assign user group access to data in Discover based on location. When a user group is granted permission to a location, the users in that group can see only interfaces that are in the specified locations.

Before any locations are assigned permissions, all users can see all locations. After any permissions are assigned for locations, a user must be assigned location permissions to see interfaces. Tanium Administrator, Discover Administrator, and Discover Operator users can see all interfaces.Discover Operator users can see all interfaces. If location permissions are defined, users with Discover User role can no longer create labels.

  1. Create a user group that has access to the Discover module. See Tanium Console User Guide: Managing User Groups.
  2. From the Discover menu, click Locations > Permissions > Create Permissions.
  3. Select user groups and associated locations. If a location has child locations, all the children are selected. Click Save.


Location results

Locations are evaluated and applied to interfaces during the import process of a discovery scan. You can filter by location in the Interfaces > Locations chart.

The chart shows all interfaces regardless of assigned permissions, but the interfaces in the grid below show only what is permitted for the user based on their assigned permissions.

Labels

Create labels to group interfaces by various attributes, such as organization or team, manufacturer. You can also mark devices that are not managed by Tanium, including printers, IP phones, and networking devices such as routers and switches.

Discover label gallery

Browse the Discover label gallery to see commonly defined labels in Discover. (The label gallery is also available from the Discover Overview > Help page.) You can use the gallery to create automatic labels to mark interfaces for maintenance, common device types, or common server configurations. Not all labels are relevant to every environment, so review the list carefully to determine what to import. To import a label from the label gallery, see Manage labels .

Import the Collection of labels for New Deployment or POC label collection as a starting point, and customize to fit your environment. This collection includes labels for commonly unmanaged devices based on the manufacturer name, and a label that purges interfaces that have not been seen in 30 days. While this collection is a good starting point, you must customize labels for your specific environment. Define a label for targeting installation of Tanium Client on unmanaged interfaces.

Label interfaces manually

You can define multiple labels for a single interface. Label information is stored with the inventory in Discover and is preserved from one scan to the next.

Create labels

  • You can label interfaces in the Interfaces page. Select the interfaces that you want to label and then click Add Label. Apply an existing label to the selected interfaces.
  • To create a label from the Labels page, go to the Discover menu and click Labels, then click Create Label.

You cannot manually add an automatic label to an interface. Automatic labels are only applied to interfaces based on the label conditions. See Automatically label interfaces.

Manage labels

Manage labels in the Labels view. Labels can be imported or exported as JSON files.

  • To import or export your label definitions, click Import Labels or Export All. You can also select labels and click Export.
  • Click a label to view the label details. You can see which interfaces are connected to the label, export, edit, or delete the label. If you delete a label, the label is removed from all the related interfaces.

Ignore interfaces

When you ignore an interface, it is removed from the list of interfaces, and is added to the list on the Interfaces > Ignored page. An ignored interface is not included in views or counts.

  • To ignore interfaces, select interfaces and click Ignore, or create an automatic label to ignore interfaces.
  • To start tracking an interface again, update the interface on the Interfaces > Ignored page.

If you ignore an interface with an automatic label, you cannot override the ignore with a manual setting on the interface. If you have manually ignored an interface, locate the interface under Ignored in the Discover menu and click Unignore.

Mark interfaces as unmanageable

By default, the Unmanageable OS Platforms predefined automatic label defines which interfaces are marked as unmanageable, and show up on the Interfaces > Unmanageable page.

  • You can manually mark an interface as unmanageable from the Interfaces page.
    1. From the top of the page, select Unmanaged.
    2. From the Details table, select an unmanaged interface.
    3. Click Mark Unmanageable to apply the Manually Marked Unmanageable label.
  • You can use the Mark Unmanageable label activity to automatically mark interfaces as unmanageable with custom criteria. See Automatically label interfaces.
  • You can mark an interface as manageable that was manually marked as unmanageable from the Interfaces page.
    1. From the top of the page, select Unmanageable.
    2. Select an interface from the Details table.
    3. Click Mark Manageable.

If you mark an interface as manageable, but the interface is considered to be unmanaged by the Unmanageable OS Platforms automatic label criteria, the interface stays manageable.

Automatically label interfaces

When you have many interfaces to label, you might want to consider setting up automatic labeling on your interfaces. Automatic labels are applied to interfaces each time the Discover unmanaged interfaces operation runs. In addition to applying a label, you can set activities to perform on interfaces that match the conditions of the label.

  1. Set up automatic labeling with one of the following methods:
    • When you create the label, change the type to Automatic.
    • To make an existing label automatic, open the label in the Labels view, then click Edit. Change the type to Automatic.

  2. Select activities to apply to interfaces that match criteria you set in Conditions
    • Retain: Retain matching interfaces in the Discover database. You must select at least one Retain Activity and add at least one condition.
      • Labeling
        • Label: Apply the label to the interface.
        • Mark Unmanageable: Mark interface as unmanageable (cannot run Tanium Client).
      • Notifications and promotion
        • Notify: Send notification about the interface using Tanium Connect.
        • Promote: Promote unmanaged interface data to Tanium Data Service for use in other modules. Only unmanaged interfaces can be promoted. If found during a network scan, the interface must also have a MAC address.

          Conditions are automatically applied when you select Promote. Additional conditions are not required.
          For more information about Tanium Data Service, see Tanium Interact User Guide: Managing Tanium Data Service.

    • Ignore: Add the interface to the list of Ignored Interfaces.
    • Purge: Remove interfaces that match the criteria from the Discover database.
  3. Add conditions on which to apply the activity. For a list of these conditions and which discovery methods return information, see Reference: Data returned by profile type.

    Multi-value Conditions

    The IP Address, Hostname, and Labels conditions support matching on patterns and ranges. Each of these conditions has a corresponding negative version. Regular expressions are not supported.

    A label can contain up to 900 condition clauses.

    • Has a <value> that equals: An exact match, such as 192.168.1.195

    • Has an address in the range: For IP Address, a range (CIDR included), such as 192.168.1.195-192.168.1.197 or 192.168.1.0/24

    • Has a <value> that matches pattern: A glob match that supports * (multiple characters) and ? (single character), such as 192.168.1.??? matches IP that have three digits in the last octet.

      The pattern must match the entire value.

    • Has a <value> that contains: A partial match for a value

    • Has <value>: A match for at least one value

  4. Apply the conditions and verify the Matching Interfaces.
  5. Create the label.


    Labeling is applied to interfaces each time the results from the discovery methods are imported.

    Example: Automatically ignore or purge interfaces based on last discovered date

    Purge interfaces after they have not been seen for 30 days.

    To handle situations with ephemeral devices that go quickly on and off of the network, you can set up an automatic label that either moves the interface to the Ignored Interfaces page or removes the interface from Discover.

    For example, you might want to ignore any interfaces that have not been seen in the last 30 days. To set up this label, select: Last Seen, Older Than, 30 days as the conditions, and choose Ignore as the label activity.

    To remove an interface, choose Purge as the label activity. Purging an interface completely removes all historical information about that interface from Discover and the Discover database. If you want to maintain some historical information about the interface, consider using the Ignore label activity.

    Depending on your deployment, you might also If you installed Discover for the first time with version 4.4 and used the Tanium Recommended Installation workflow, you also have the more aggressive Purge Stale Interface label. This label is configured to purge cloud interfaces that have not been seen in 24 hours and all other interfaces that have not been seen in seven days. You can modify these settings from the Labels page.

    Example: Automatically label interfaces by using a wildcard character

    You can use an underscore (_) character as a wildcard in your automatic labels.

    For example, you might want to filter the labeling on your interfaces by MAC address. You might have the following MAC addresses:

    02-0F-B5-61-AB-01
    02-0F-B5-38-1F-39
    02-0F-B5-98-5B-69
    02-0F-B5-55-0C-21
    02-0F-B5-32-FA-E1

    You can set up an automatic label: Mac Address contains B5-3_-

    that matches the following interfaces:

    02-0F-B5-38-1F-39
    02-0F-B5-32-FA-E1

View interface data

On the Interfaces pages, you can view interfaces by several different categories. You can customize and filter these results, and export the results to a CSV file.

In addition to the Summary page, use the Unmanaged, Unmanageable, and Managed pages.

View charts

You can view bar charts that represent the device types, locations, and labels of interfaces.

  1. From the Discover menu, click Interfaces. You can view a graph by Manufacturers, Locations, or Labels. You can filter the chart based on interface type by clicking the applicable button, for example, Managed or Unmanaged.
  2. To add additional filters, under Filters, click +Add and specify the filter details.

Determine data source that found an interface

The Discovery Method value in the Details table on the Interfaces page corresponds to the data source that discovered the interface.

Discovery Method Data Source

arp

 Distributed level 1 scan
connected Distributed level 1 scan
ping Distributed level 2 scan
nmap Distributed level 3 or level 4 scan
aws api Centralized Amazon EC2 environment scan
centralized nmap Centralized nmap scan
satellite nmap Satellite scan
managed Discover - Managed Interfaces saved question

Add columns to data grid

From any of the data grids on the Interfaces pages, you can customize the columns in the data grid. Click Customize Columns . Then, sort the results on that column, add columns to the data grid, and filter the results.

Export data

To export the current data grid of interfaces to a CSV file, click Export Data . The export includes the data as it is currently displayed in the data grid.

The Unmanageable column in the CSV file indicates if the endpoint can be managed by the Tanium Client. The following table explains the numbers in the Unmanageable column.

Number Label
0 Managed or Manageable (automatic)
1 Unmanageable (automatic)
2 Manually Marked Manageable
3 Manually Marked Unmanageable

View data in Tanium Trends

After you have well-defined labels, use the Discover - Labels board in Tanium Trends to view the current label count and the label count over time.