Device Classification with Tanium for Windows

The Netskope and Tanium integration lets joint customers use Tanium's high-fidelity endpoint data and natural-language Questions to decide whether an endpoint's overall posture counts as compliant, safe, or managed. These posture dispositions, evaluated once or on a recurring schedule, drive Netskope to treat that endpoint differently from a non-compliant, risky, or unmanaged device. With adaptive policy controls, the user of a non-compliant device can be blocked from downloading or uploading files while the device is in a risky posture, yet can still perform basic functions such as browsing the web or sending email.

Once Tanium finds the device to be compliant again, it flags the endpoint so that Netskope picks up the new state, matches the compliant policy, and, in this example, lets the user move files again, with the assurance that the user is making those decisions rather than a potentially compromised host.

Of course, users can’t benefit from Netskope’s protection capabilities if it isn’t deployed or up-to-date. Leveraging Tanium’s software management and configuration management capabilities, you can ensure that the latest Netskope steering client is deployed, installed, and active on managed hosts.

Here’s an illustration of how Netskope and Tanium work together.

(Figure: Tanium-Netskope-Integration.png)


Integrate Tanium with Netskope for Windows

  1. Create the following Saved Questions:

    Saved Question Name              Tanium Question
    Netskope Installed Windows       Get Computer Name from all machines with Installed Applications contains Netskope Client
    Netskope Not Installed Windows   Get Computer Name from all machines with ( Is Windows contains true and all Installed Applications not contains Netskope Client )
    Netskope Managed Windows         Get Computer Name from all machines with Registry Value Data[HKEY_LOCAL_MACHINE\SOFTWARE\Netskope\Provisioning,Managed] contains 1
    Netskope Unmanaged Windows       Get Computer Name from all machines with Registry Value Data[HKEY_LOCAL_MACHINE\SOFTWARE\Netskope\Provisioning,Managed] contains 0
    Netskope Running Windows         Get Computer Name from all machines with Running Service contains Netskope Client Service
    Netskope Stopped Windows         Get Computer Name from all machines with Stopped Service contains Netskope Client Service

    Note

    These Saved Questions can be organized under a Dashboard and Category for browsing in Interact or Home.

  2. Create the following Packages:

    Package Name                  Package Command
    Netskope Health – Managed     cmd /c …\TPython\TPython netskope_tanium_3_0_0.py -ns -s enable
    Netskope Health – Unmanaged   cmd /c …\TPython\TPython netskope_tanium_3_0_0.py -ns -s disable -v 0
    Netskope Installer Windows    cmd /c msiexec /I NSClient_addon-<tenant-URL>_###_.msi

    Note

    Contact your Netskope or Tanium Account Manager for the client installer and the Python script package files. Tanium actions run non-interactively, so for an unattended install add msiexec's /qn (quiet, no UI) switch to the installer command; the rest of the command stays as shown.

  3. Create Scheduled Actions for the Managed and Unmanaged policies:
    1. In Interact, run a targeting Question whose results are the managed, compliant, or safe endpoints, select Deploy Action, and pick the package Netskope Health – Managed.
    2. In Interact, run a targeting Question whose results are the unmanaged, non-compliant, or risky endpoints, select Deploy Action, and pick the package Netskope Health – Unmanaged.

    Note

    See the following for an example targeting Question based on Tanium Patch compliance: https://community.tanium.com/s/article/Use-Tanium-Patch-data-to-determine-if-systems-are-out-of-compliance-with-SLAs

  4. Optional: In Interact, run a targeting Question for hosts that need the Netskope client installed (for example, the Netskope Not Installed Windows Saved Question). Select Deploy Action and pick the Netskope Installer Windows package created in step 2.
  5. This data can also be visualized in Tanium Trends. Please contact your Technical Account Manager (TAM) for details.
  6. In the Netskope tenant go to Settings > Manage > Device Classification, click New Device Classification Rule, and then select Windows.

    Enter these parameters:

    • Enter a Rule Name.
    • Under Classification Criteria, select Registry.
    • Select HKEY_LOCAL_MACHINE, enter SOFTWARE\Netskope\Provisioning for Key, and enter Managed for Value (the same value name the Managed and Unmanaged Saved Questions read).
    • Select REG_SZ and enter 1 for Data. The data type must match what the Netskope Health – Managed package writes; a numeric (REG_DWORD) 1 does not satisfy a REG_SZ rule.
  7. Click Save. A match on that registry value classifies the device as managed; a device whose value is 0 or absent does not match the rule and is treated as unmanaged, which is the state the Netskope Health – Unmanaged package produces.
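The following PowerShell script is an added example, not Netskope or Tanium code, for checking on a single Windows host the same facts the Saved Questions in step 1 and the classification rule in step 6 depend on: whether the client is installed, whether its service is running, and whether the Managed registry value has exactly the form the rule matches. It assumes the backslash-separated key path HKLM\SOFTWARE\Netskope\Provisioning, the value name Managed, and that "Netskope Client Service" is the service display name; the page gives these strings but not the service's internal name.

```powershell
# Added example (not Netskope or Tanium code): local posture check that mirrors
# the Tanium Saved Questions and the Netskope registry classification rule.
# Assumptions: key path HKLM\SOFTWARE\Netskope\Provisioning, value name Managed,
# and "Netskope Client Service" as the service display name.

$ProvisioningKey = 'HKLM:\SOFTWARE\Netskope\Provisioning'
$ValueName       = 'Managed'

function Get-NetskopePosture {
    # 1. Installed? Mirrors "Installed Applications contains Netskope Client".
    #    Read the Uninstall keys (64- and 32-bit views) rather than Win32_Product,
    #    which is slow and triggers MSI self-repair on every query.
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $app = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like '*Netskope Client*' } |
           Select-Object -First 1

    # 2. Running or stopped? Mirrors the Running Service / Stopped Service questions.
    $svc = Get-Service -DisplayName 'Netskope Client Service*' -ErrorAction SilentlyContinue |
           Select-Object -First 1

    # 3. Managed flag: read the data AND the value kind. The Netskope rule is
    #    defined as REG_SZ with data "1", so a REG_DWORD 1 written by another tool
    #    looks right in regedit but never matches the rule.
    $data = $null
    $kind = $null
    if (Test-Path -Path $ProvisioningKey) {
        $key = Get-Item -Path $ProvisioningKey
        if ($key.GetValueNames() -contains $ValueName) {
            $data = $key.GetValue($ValueName)
            $kind = $key.GetValueKind($ValueName)   # String, DWord, ...
        }
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Installed          = [bool]$app
        ClientVersion      = if ($app) { $app.DisplayVersion } else { $null }
        ServiceStatus      = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }
        ManagedData        = $data
        ManagedKind        = $kind
        # Exactly the condition the step 6 rule evaluates: REG_SZ and data "1".
        MatchesManagedRule = ($kind -eq 'String' -and "$data" -eq '1')
    }
}

$posture = Get-NetskopePosture
$posture | Format-List

# Surface the two mismatches that otherwise get chased through tenant logs.
if ($posture.Installed -and $posture.ServiceStatus -ne 'Running') {
    Write-Warning 'Client is installed but its service is not running; the Netskope Stopped Windows question will list this host.'
}
if ($null -ne $posture.ManagedData -and -not $posture.MatchesManagedRule) {
    $msg = 'Managed value is present (data {0}, kind {1}) but the rule expects REG_SZ "1"; the tenant will classify this device as unmanaged.' -f $posture.ManagedData, $posture.ManagedKind
    Write-Warning $msg
}
```

Run it in an elevated PowerShell session on a host that Tanium has already targeted with one of the Netskope Health packages and compare the output with what the Saved Questions report for the same computer name. One caveat the script makes visible: the managed/unmanaged decision rests on a plain string under HKLM, so anything that can write that key (a local administrator, or malware running as one) can flip the device to managed without Tanium's knowledge. Keep the recurring Scheduled Actions from step 3 in place so Tanium periodically rewrites the value from its own posture data, and restrict write access to the Provisioning key to SYSTEM and Administrators.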