DeepSurface: Tanium Deploy


Using Tanium Deploy to Deploy DeepSurface Scans

Tanium Deploy is a software management module that you can use to rapidly install, update, and remove software across large organizations with minimal infrastructure requirements. You can create deployments to run during a maintenance window that is convenient for your IT operations.

You can deploy applications or a group of applications to a flexible set of targets, including computer groups, user groups, departments, locations, individual computers, and individual users. You can also update existing software installations to the latest available versions, and create custom packages to install, update, and remove applications.

Deploying DeepSurface agents or user managed scans can be done easily with Tanium, and all that's needed is a few simple steps.

Prerequisites

Obtain the Relevant Script

The first step to installing a DeepSurface Agent or running a User-Managed Scan with RiskAnalyzer is to configure the associated endpoints, and then obtain the script related to the specific deployment method.

DeepSurface Agent

  1. In the RiskAnalyzer console, navigate to: Scanning > Agents > Edit Agent Configuration

  2. Ensure the endpoint configuration and blackout settings are correct. For more information on these settings, refer to the embedded product manual. Once finished, save this configuration.

  3. Upon returning from the Edit Agent Configuration screen, you will be presented with instructions on how to download and run the installation script. Download this script. Finally, copy the command and arguments presented on the page for later use.

User-Managed

  1. In the RiskAnalyzer console, navigate to: Scanning > User Managed > Edit User Managed Configuration

  2. Ensure the endpoint configuration settings are correct. For more information on these settings, refer to the embedded product manual. Once finished, save this configuration.

  3. Upon returning from the Edit User Managed Configuration screen, you will be presented with instructions on how to download and run the installation script. Download this script.

  4. Finally, copy the command and arguments presented on the page for later use.

The command and arguments presented on the page should resemble this:

[Screenshot: User Managed Configuration]

NOTE: The name of the script varies depending on deployment method and will be referred to as “<deployment-script>” throughout the rest of this document.

Configure Tanium Deploy

  1. Start this process by compressing the downloaded <deployment-script> into a .zip file.

  2. On the Deploy Overview page, browse the Quick Links section and click on "New Software Package":

[Screenshot: Tanium Deploy]

  3. Configure your software package as shown in the image below, uploading the .zip file you created in step 1 and filling out the Product Vendor, Product Name, Product Version, OS Platform, and optionally the Self Service Display Name.

[Screenshot: Create Software Package]

  4. Package details should be configured as shown below, with the product version and product name reflecting the appropriate DeepSurface script type: the 'ephemeral' script for User Managed Scans or the installation script for the Agent.

[Screenshot: Package Details]

  5. Proceed to Deployment Operations and click the checkbox next to Install. Click Add Command > File/Folder. The Action will be Extract File/Folder, the File Type will be zip, and the Source should be the same as the name of the file you uploaded at the beginning of the package creation process.

[Screenshot: Create Package]

  6. Click Add Command > Run Command and configure the settings as shown below. In the 'Run Command' text box, enter the command copied from your DeepSurface console (the command and arguments presented when you configured your agent or user managed scan).

[Screenshot: Create Package]

  7. For Installation Verification, add the registry path check HKEY_LOCAL_MACHINE/Software/DeepSurface as shown.

[Screenshot: Create Package]

  8. Confirm your installation by clicking Yes on the pop-up that appears. When initialization is complete, your package is ready to deploy to the hosts you wish to scan, following Tanium's documentation.
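The following PowerShell is an added example, not code shipped by DeepSurface or Tanium. It covers the two points in the steps above that an administrator will usually want to check by hand before a wide rollout: packaging the downloaded <deployment-script> into the .zip that step 1 asks for, while recording its SHA-256 so the copy extracted on endpoints can be compared with what was downloaded from the console, and reproducing the Installation Verification check from step 7 on a pilot host. It assumes the deployment script is the PowerShell file downloaded from the console and that the registry key is the one the steps name, HKEY_LOCAL_MACHINE\Software\DeepSurface (written here in PowerShell's HKLM: provider form); the file names in the usage lines are hypothetical.

```powershell
# Added example: not DeepSurface's or Tanium's own code.
# Assumes <deployment-script> is the PowerShell file downloaded from the
# RiskAnalyzer console and that Tanium's Installation Verification key is
# HKEY_LOCAL_MACHINE\Software\DeepSurface, as given in the steps above.

function New-DeepSurfacePackageZip {
    param(
        [Parameter(Mandatory)] [string] $ScriptPath,   # path to the downloaded <deployment-script>
        [Parameter(Mandatory)] [string] $ZipPath       # .zip to upload as the Tanium software package
    )
    if (-not (Test-Path -LiteralPath $ScriptPath)) {
        throw "Deployment script not found: $ScriptPath"
    }

    # Hash the script before it is zipped; keep this value with the package so the
    # file Tanium extracts on an endpoint can be verified against what was downloaded.
    $scriptHash = (Get-FileHash -LiteralPath $ScriptPath -Algorithm SHA256).Hash

    Compress-Archive -LiteralPath $ScriptPath -DestinationPath $ZipPath -Force

    [pscustomobject]@{
        Zip          = (Resolve-Path -LiteralPath $ZipPath).Path
        # The file name is what you enter as Source in the Extract File/Folder command (step 5).
        ScriptName   = [System.IO.Path]::GetFileName($ScriptPath)
        ScriptSHA256 = $scriptHash
    }
}

function Test-DeepSurfaceScriptIntegrity {
    # Run on a pilot endpoint after the package extracted: compares the extracted
    # script against the hash recorded when the package was built.
    param(
        [Parameter(Mandatory)] [string] $ExtractedScriptPath,
        [Parameter(Mandatory)] [string] $ExpectedSHA256
    )
    if (-not (Test-Path -LiteralPath $ExtractedScriptPath)) { return $false }
    $actual = (Get-FileHash -LiteralPath $ExtractedScriptPath -Algorithm SHA256).Hash
    return ($actual -ieq $ExpectedSHA256)
}

function Test-DeepSurfaceInstalled {
    # Mirrors the Installation Verification registry check configured in step 7,
    # so a pilot host can be checked before the package is deployed widely.
    param([string] $RegistryKey = 'HKLM:\Software\DeepSurface')
    return (Test-Path -LiteralPath $RegistryKey)
}

# Usage (hypothetical file names):
# $pkg = New-DeepSurfacePackageZip -ScriptPath '.\<deployment-script>' -ZipPath '.\deepsurface-deploy.zip'
# $pkg | Format-List
# On a pilot host after deployment:
# Test-DeepSurfaceScriptIntegrity -ExtractedScriptPath 'C:\path\to\<deployment-script>' -ExpectedSHA256 $pkg.ScriptSHA256
# Test-DeepSurfaceInstalled    # $true once the Run Command from step 6 has completed
```

Keep the returned ScriptSHA256 alongside the package record in Tanium; if Test-DeepSurfaceInstalled returns $true on the pilot host but Test-DeepSurfaceScriptIntegrity does not, the wrong script (or a modified one) was packaged and the deployment should be held until the package is rebuilt.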