DeepSurface: Tanium Deploy
Using Tanium Deploy to Deploy DeepSurface Scans
Tanium Deploy is a software management module that you can use to rapidly install, update, and remove software across large organizations with minimal infrastructure requirements. You can create deployments to run during a maintenance window that is convenient for your IT operations.
You can deploy applications or a group of applications to a flexible set of targets, including computer groups, user groups, departments, locations, individual computers, and individual users. You can also update existing software installations to the latest available versions, and create custom packages to install, update, and remove applications.
Deploying DeepSurface agents or user managed scans can be done easily with Tanium, and all that's needed is a few simple steps.
Prerequisites
- The DeepSurface appliance is installed and configured
- Hosts that will run the agent must be able to communicate with the DeepSurface console or subordinate console over TCP port 44305 using the configured endpoint address
- Your team has a license for Tanium Deploy
Obtain the Relevant Script
The first step to installing a DeepSurface Agent or running a User-Managed Scan with RiskAnalyzer is to configure the associated endpoints, and then obtain the script related to the specific deployment method.
DeepSurface Agent
In the RiskAnalyzer console, navigate to:
Scanning > Agents > Edit Agent Configuration
Ensure the endpoint configuration and blackout settings are correct. For more information on these settings, refer to the embedded product manual. Once finished, save this configuration.
Upon returning from the Edit Agent Configuration screen, you will be presented with instructions on how to download and run the installation script. Download this script.
Finally, copy the command and arguments presented on the page for later use.
User-Managed
In the RiskAnalyzer console, navigate to:
Scanning > User Managed > Edit User Managed Configuration
Ensure the endpoint configuration settings are correct. For more information on these settings, refer to the embedded product manual. Once finished, save this configuration.
Upon returning from the Edit User Managed Configuration screen, you will be presented with instructions on how to download and run the installation script. Download this script.
Finally, copy the command and arguments presented on the page for later use.
The command and arguments presented on the page should resemble this:
NOTE: The name of the script varies depending on deployment method and will be referred to as “<deployment-script>” throughout the rest of this document.
Configure Tanium Deploy
Start this process by compressing the downloaded <deployment-script> (for example, the DeepSurface PowerShell script for User Managed scanning) into a .zip file.
On the Deploy Overview page browse the Quick Links section and click on "New Software Package":
Configure your software package as shown in the image below, uploading the .zip file you created in step 1, and filling out the Product Vendor, Product Name, Product Version, OS Platform, and optionally the Self Service Display name.
- Package details should be configured as shown below, with the product version and product name reflecting the appropriate DeepSurface script type: the 'ephemeral' script for User Managed Scans or the installation script.
- Proceed to Deployment Operations, and click the checkbox next to Install. Click Add Command > File/Folder. The Action will be to Extract File/Folder, File Type will be zip, and the Source should be the same as the name of the file you uploaded at the beginning of the package creation process.
- Click Add Command > Run Command and configure the settings as shown below. In the 'Run Command' text box, enter the command you copied from your DeepSurface console when you configured your agent.
- For Installation Verification, add the registry path check HKEY_LOCAL_MACHINE/Software/DeepSurface as shown.
- Confirm your installation by clicking Yes on the pop-up that appears. When initialization is complete, your package is ready to deploy to the hosts you wish to scan, following Tanium's documentation.
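
A packaging and pilot-host check for the procedure above, as an added PowerShell example that is not part of DeepSurface's or Tanium's own tooling. It zips the downloaded script and records SHA-256 hashes so the uploaded package can be matched to the download, then checks TCP 44305 reachability and the Installation Verification registry key. The script filename and console address are placeholders.

```powershell
# Added example. The file name and console address below are placeholders (assumptions).
param(
    [string]$ScriptPath  = '.\deployment-script.ps1',       # placeholder for <deployment-script>
    [string]$ConsoleHost = 'deepsurface.example.internal',  # hypothetical configured endpoint address
    [int]   $ConsolePort = 44305                            # port listed under Prerequisites
)

function New-DeploymentZip {
    # Admin workstation: zip the downloaded script and return SHA-256 hashes of
    # both files, so the package uploaded to Tanium can be traced to the download.
    param([Parameter(Mandatory)][string]$Path)
    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $zip  = Join-Path $file.DirectoryName ($file.BaseName + '.zip')
    Compress-Archive -LiteralPath $file.FullName -DestinationPath $zip -Force
    [pscustomobject]@{
        Script       = $file.FullName
        ScriptSha256 = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        Zip          = $zip
        ZipSha256    = (Get-FileHash -LiteralPath $zip -Algorithm SHA256).Hash
    }
}

function Test-DeepSurfaceEndpoint {
    # Pilot host: checks the network prerequisite and the registry key that the
    # Tanium package uses for Installation Verification
    # (HKEY_LOCAL_MACHINE/Software/DeepSurface on the page).
    param([Parameter(Mandatory)][string]$HostName, [Parameter(Mandatory)][int]$Port)
    $net = Test-NetConnection -ComputerName $HostName -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        ConsoleReachable = [bool]$net.TcpTestSucceeded
        RegistryKeyFound = Test-Path -LiteralPath 'HKLM:\Software\DeepSurface'
    }
}

# Package only if the script is present in the working directory.
if (Test-Path -LiteralPath $ScriptPath) {
    New-DeploymentZip -Path $ScriptPath | Format-List
}

$result = Test-DeepSurfaceEndpoint -HostName $ConsoleHost -Port $ConsolePort
$result | Format-List

# A non-zero exit code lets a wrapper or deployment tool flag hosts that cannot reach the console.
if (-not $result.ConsoleReachable) { exit 1 }
```

Before deployment, `RegistryKeyFound` is expected to be False on a clean host; after the Tanium package runs, it should match what Installation Verification reports.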