Discover overview

With Discover, you can find and maintain an inventory of interfaces. By installing the Tanium™ Client on your endpoints, you can actively scan and monitor the local subnet or other defined network segments, detecting unmanaged interfaces.

Interfaces are unique media access control (MAC) addresses. An endpoint with multiple network interface controllers (NICs) displays as multiple interfaces in Discover.

Managed interfaces are on endpoints that have the Tanium Client running and are managed by Tanium. Unmanaged interfaces are on the network but do not have the Tanium Client running.

Discover gives you real-time information about unmanaged interfaces on your network.

Scan types

Scan types define which endpoints run Discover scans. For the most complete view of all unmanaged interfaces, use a combination of distributed, satellite, and centralized scans.

Distributed scans

Configure distributed scans to use managed endpoints to scan for or detect unmanaged interfaces at configurable intervals. Discover queries endpoints for updated detection data periodically. New information is immediately available. The detection process provides continuous scanning without impact to network operations.

Distributed scan diagram for on premise environments

Distributed scan diagram for Tanium Cloud environments

Satellite scans

Configure satellite scans to use a satellite endpoint to scan for or detect unmanaged interfaces that cannot be reached directly from the Tanium Module Server, such as subnets that have only a bridged connection to the main network.

Satellites are specific Tanium Clients that you designate to run certain targeted, secure workloads on behalf of the Module Server. Because the server might need to send sensitive, encrypted data (such as credentials) to a satellite when running a workload, you must verify each endpoint that you designate as a satellite to prevent spoofing attacks. Any such sensitive data is never sent using the linear chain, nor is it stored on disk on the satellite.

For more information about managing satellites, see Tanium Direct Connect User Guide: Managing satellites.

Satellite scan diagram

Centralized scans

Configure centralized scans to use the Tanium Module Server to detect unmanaged interfaces beyond your local network, such as in cloud-hosted environments or targeted subnets where no Tanium Clients exist.

Centralized scan diagram

Profiles for unmanaged interface discovery

Create profiles to detect interfaces that are on the network but not under Tanium management. Each profile consists of a set of network inclusions and exclusions, a discovery method, and schedule information. You can configure multiple profiles to cover different types of scans and to scan different parts of the network. For more information, see Running distributed scans, Running satellite scans, and Running centralized scans.

If you selected the Automatic configuration with default settings option during installation, a Level 2 ping distributed profile is created by default. You can use or edit this profile or create a new one. For more information about this type of profile, see Level 2 (ping).

Discovery method impact

Before you configure a profile, you must understand the impact of the different discovery methods. Passive discovery methods use existing information on the endpoints to find interfaces, generating no network activity. Active discovery methods perform network scanning.

You can use four levels of distributed discovery. Satellite and centralized Nmap scans are equivalent to level 4 distributed scans. Lower levels of discovery are more passive and have less network impact, but provide a limited set of information. Higher levels perform active scans on the network, but provide more information about unmanaged interfaces, such as host name and operating system.

Discovery method network impact
| Discovery Method | Approximate Bytes per IP Found (DNS Lookup Disabled) | Approximate Bytes per IP Found (DNS Lookup Enabled) |
| --- | --- | --- |
| Distributed level 1 (ARP cache and interface connections) | 0 | 512 |
| Distributed level 2 (ping) | 74 | 586 |
| Distributed level 3 (Nmap scan with host discovery) | 56 | 586 |
| Distributed level 4 (Nmap scan with host discovery and OS fingerprinting, 1000 port default) | n/a | 122000 |
| Centralized Nmap | n/a | 244000 |
| Centralized Amazon EC2 environments | n/a | n/a |
| Satellite | n/a | 244000 |

All values are estimates and are calculated based on standard network equipment. Actual values can vary widely depending on your network configuration.

Profile configuration

Each profile is scoped by different network inclusions, exclusions, and schedules. With an active discovery method, you might choose to scope the discovery to run on a specific subnet a few times a day. Because passive discovery methods have less network impact, you might choose to scope the discovery to scan a broader part of the network every hour.
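
Added example (not part of the Tanium documentation or product code): a Python sketch that computes the address space a profile covers from its inclusions and exclusions, then estimates daily scan traffic from the DNS-enabled column of the table above. The function names, method keys, sample networks, IPv4-only handling, and the found_ratio parameter (the fraction of in-scope addresses assumed to respond) are assumptions made for illustration.

```python
import ipaddress

# Approximate bytes per IP found with DNS lookup enabled, copied from the
# "Discovery method network impact" table. The dictionary keys are labels
# chosen for this example, not Tanium identifiers.
BYTES_PER_IP_FOUND = {
    "distributed_level_1": 512,
    "distributed_level_2": 586,
    "distributed_level_3": 586,
    "distributed_level_4": 122000,
    "centralized_nmap": 244000,
    "satellite": 244000,
}


def effective_scope(inclusions, exclusions):
    """Return the IPv4 networks left after removing exclusions from inclusions."""
    scope = list(ipaddress.collapse_addresses(
        ipaddress.IPv4Network(cidr) for cidr in inclusions))
    for excluded in (ipaddress.IPv4Network(cidr) for cidr in exclusions):
        remaining = []
        for net in scope:
            if not excluded.overlaps(net):
                remaining.append(net)              # untouched by this exclusion
            elif excluded.subnet_of(net):
                remaining.extend(net.address_exclude(excluded))  # carve it out
            # otherwise the exclusion covers the whole network: drop it
        scope = remaining
    return list(ipaddress.collapse_addresses(scope))


def estimate_daily_bytes(inclusions, exclusions, method, runs_per_day,
                         found_ratio=1.0):
    """Estimate (addresses in scope, bytes per day) for one profile.

    found_ratio is an assumed fraction of in-scope addresses that respond;
    1.0 gives the worst case where every address is found.
    """
    scope = effective_scope(inclusions, exclusions)
    addresses = sum(net.num_addresses for net in scope)
    found = int(addresses * found_ratio)
    return addresses, found * BYTES_PER_IP_FOUND[method] * runs_per_day


if __name__ == "__main__":
    # Constructed sample profile: one /22 with two excluded ranges.
    inc, exc = ["10.20.0.0/22"], ["10.20.1.0/24", "10.20.3.128/25"]
    for method, runs in (("distributed_level_4", 3), ("distributed_level_2", 24)):
        total, daily = estimate_daily_bytes(inc, exc, method, runs, 0.25)
        print(f"{method}: {total} addresses, ~{daily:,} bytes/day")
```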

Overall, the best data is provided by satellite, centralized Nmap, or distributed level 4 (Nmap scan with host discovery and OS fingerprinting) profiles. These profile types provide data that includes open ports, and attempt to identify the OS platform and OS Generation. If Nmap is not allowed in your environment, the level 2 (ping) scan generates some OS Platform information.

Level 3 and level 1 scans provide the least information. Level 3 is a quick scan without port probing, but finds all IP addresses using active ARP probing. The level 1 scan is passive and looks at connections or ARP cache to determine what the endpoint knows about without any network probing.

Centralized Amazon EC2 environment profiles provide data only for AWS EC2 instances.


For more information about the data provided by each profile type, see Reference: Data returned by profile type.

Interface management

Organize interfaces by applying locations or labels. View statistics about interfaces over time.

Locations

Assign interfaces to geographic, physical, or logical locations. Define a hierarchy of network addresses, network address translation (NAT) addresses, and locations. Addresses can consist of an IP, IP range, or classless inter-domain routing (CIDR) address. The location hierarchy goes from a larger to smaller location, such as country, state, city or Site, building, floor. After the hierarchy is defined, locations are matched with the interfaces during the import process of a discovery scan. For more information, see Locations.

Labels

Labels include descriptive information or metadata that you can use to identify and group interfaces. Then, you can classify or search for interfaces based on the labels. You can also automatically apply labels or ignore interfaces based on a specifically defined set of conditions. To get started with labels, a gallery of commonly-defined labels is available. For more information about labels, see Labels.

Notifications

Discover records the following events:

  • Found an unmanaged interface
  • Found a new managed endpoint
  • Lost an interface

With a connection in Tanium™ Connect, Discover can send these events to a destination, such as a security information and event management (SIEM) system, email, or file. For example, use the Found an unmanaged interface event as an alert to the operations team, so that they install Tanium on unmanaged interfaces.

For more information about configuring the Discover notifications connection, see Create connection for event notifications.

Interoperability with other Tanium products

Discover integrates with other Tanium products to provide additional features and reporting.

Tanium Client Management

You can apply labels to unmanaged interfaces to target endpoints in Client Management deployments.

Trends

Discover features Trends boards that provide data visualization of Discover concepts.

Discover - Interfaces

Displays information about the interfaces that Discover has found in the environment. The following panels are in the Discover - Interfaces board:

  • Interfaces managed
  • Mean time to managed
  • Lost interfaces
  • All interfaces
  • Managed interfaces
  • Unmanaged interfaces
  • Unmanageable interfaces

Discover - Labels

Displays information about the labels that have been applied to interfaces. The following panels are in the Discover - Labels board:

  • Discover label counts - latest
  • Discover labels over time

Discover - Module Health

Displays information about the resource usage of the Discover service on the Module Server. The following panels are in the Discover - Module Health board:

  • Discover module average CPU usage
  • Discover module average heap memory used

For more information about how to import the Trends boards that are provided by Discover, see Tanium Trends User Guide: Importing the initial gallery.