Device Classification with Tanium for Windows
The Netskope and Tanium integration enables joint customers to leverage Tanium’s high-fidelity endpoint data and user-friendly natural language search capabilities to determine if an endpoint’s overall posture equates to compliant, safe, or managed. These endpoint posture dispositions, determined either one-time or on a recurring basis, would drive a decision to have Netskope treat that endpoint differently than a non-compliant, risky, or unmanaged device. Utilizing adaptive policy controls, the user of that non-compliant device may not be able to download or upload files while the device is in a risky posture, but can still perform basic functions, such as browsing the web, sending email, etc.
Once Tanium finds the device to be compliant again, it can flag the endpoint enabling Netskope to determine its new state, match against the compliant policy, and in this example, let the user again move files around, knowing that the user is making those decisions, not a potentially compromised host.
Of course, users can’t benefit from Netskope’s protection capabilities if it isn’t deployed or up-to-date. Leveraging Tanium’s software management and configuration management capabilities, you can ensure that the latest Netskope steering client is deployed, installed, and active on managed hosts.
Here’s an illustration of how Netskope and Tanium work together.
Integrate Tanium with Netskope for Windows
- Create the following Saved Questions:
| Saved Question Name | Tanium Question |
| --- | --- |
| Netskope Installed Windows | `Get Computer Name from all machines with Installed Applications contains Netskope Client` |
| Netskope Not Installed Windows | `Get Computer Name from all machines with ( Is Windows contains true and all Installed Applications not contains Netskope Client )` |
| Netskope Managed Windows | `Get Computer Name from all machines with Registry Value Data[HKEY_LOCAL_MACHINE\SOFTWARE\Netskope\Provisioning,Managed] contains 1` |
| Netskope Unmanaged Windows | `Get Computer Name from all machines with Registry Value Data[HKEY_LOCAL_MACHINE\SOFTWARE\Netskope\Provisioning,Managed] contains 0` |
| Netskope Running Windows | `Get Computer Name from all machines with Running Service contains Netskope Client Service` |
| Netskope Stopped Windows | `Get Computer Name from all machines with Stopped Service contains Netskope Client Service` |

Note
These Saved Questions can be organized under a Dashboard and Category for browsing in Interact or Home.
- Create the following Packages:
| Package Name | Package Command |
| --- | --- |
| Netskope Health – Managed | `cmd /c ..\..\TPython\TPython netskope_tanium_3_0_0.py -ns -s enable` |
| Netskope Health – Unmanaged | `cmd /c ..\..\TPython\TPython netskope_tanium_3_0_0.py -ns -s disable -v 0` |
| Netskope Installer Windows | `cmd /c msiexec /I NSClient_addon-<tenant-URL>_###_.msi` |

Note
Look in your Tanium Management Console for the client installation and Python script package files.
- Create Scheduled Actions for Managed and Unmanaged Policies:
- Using Interact and a targeting Question that results in managed, compliant, or safe, select Deploy Action and pick the package Netskope Health – Managed.
- Using Interact and a targeting Question that results in unmanaged, non-compliant, or risky, select Deploy Action and pick the package Netskope Health – Unmanaged.
Note
See the following for an example targeting Question based on Tanium Patch compliance: https://community.tanium.com/s/article/Use-Tanium-Patch-data-to-determine-if-systems-are-out-of-compliance-with-SLAs
- Optional: Using Interact, run a targeting Question for Netskope Agent installation. Select Deploy Action and pick the Netskope Installer package created in step #2.
- This data can also be visualized in Tanium Trends. Please contact your Technical Account Manager (TAM) for details.
- In the Netskope tenant go to Settings > Manage > Device Classification, click New Device Classification Rule, and then select Windows.
Enter these parameters:
- Enter a Rule Name.
- Under Classification Criteria, select Registry.
- Select HKEY_LOCAL_MACHINE, enter `SOFTWARE\Netskope\Provisioning` for Key, and enter `managed` for Value.
- Select Reg_SZ and enter `1` for Data.
- Click Save. A match on that registry value constitutes `managed`.
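To confirm on a single endpoint what the Saved Questions and the device classification rule above will see, the following added example (not part of the Netskope or Tanium packages) reads the same registry value, installed-application entry, and service state locally. The function name `Get-NetskopePostureState` and its output property names are hypothetical; the registry key, value name, and service display name are the ones used on this page.

```powershell
# Added example: report the local state that the Saved Questions and the
# Netskope device classification rule on this page evaluate.
# Function and property names are hypothetical; the registry path, value name
# and service display name are taken from the page.
function Get-NetskopePostureState {
    [CmdletBinding()]
    param(
        [string]$KeyPath   = 'HKLM:\SOFTWARE\Netskope\Provisioning',
        [string]$ValueName = 'Managed'
    )

    # Read the value and its registry type (String = REG_SZ, DWord = REG_DWORD).
    $data = $null; $kind = $null
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($key -and ($key.GetValueNames() -contains $ValueName)) {
        $data = $key.GetValue($ValueName)
        $kind = $key.GetValueKind($ValueName)
    }

    # Installed check: look in both the 64-bit and 32-bit uninstall hives.
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $installed = [bool](Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Netskope Client*' })

    $svc = Get-Service -DisplayName '*Netskope Client Service*' -ErrorAction SilentlyContinue |
        Select-Object -First 1

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Installed     = $installed
        ServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }
        ManagedData   = $data
        ManagedKind   = if ($null -ne $kind) { $kind.ToString() } else { 'Missing' }
        # The rule on this page is configured as Reg_SZ with data 1.
        MatchesRule   = ($kind -eq [Microsoft.Win32.RegistryValueKind]::String -and "$data" -eq '1')
    }
}

$state = Get-NetskopePostureState
$state | Format-List
if ($state.MatchesRule -and (-not $state.Installed -or $state.ServiceStatus -ne 'Running')) {
    Write-Warning 'Managed flag is set but the Netskope client is not installed or not running.'
}
```

Because the classification rule matches on the registry value alone, an endpoint that reports `MatchesRule` as true while the client is missing or stopped is worth a closer look.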