Troubleshooting Benchmark

Tanium Cloud is a self-monitored service, designed to detect failures before the failures surface to users. For more information, see Tanium Cloud Deployment Guide: Troubleshooting Tanium Cloud.

To collect and send information to Tanium for troubleshooting, collect logs and other relevant information.

Collect logs

The information is saved as ZIP files that you can download with your browser.

To download logs:

  1. From the Benchmark Overview page, click Help.
  2. From the Troubleshooting tab, select the solutions for which to gather troubleshooting packages and click Create Packages.
    By default, all solutions are selected.
  3. When the packages are ready, click Download Packages.
    ZIP files of all the selected packages download to the local download directory.

    Some browsers might block multiple downloads by default. Make sure to configure your browser to permit multiple downloads from the Tanium Console.

  4. Contact Tanium Support to determine the best option to send the ZIP files. For information, see Contact Tanium Support.

Tanium Benchmark maintains logging information in the Benchmark.log file in the \Program Files\Tanium\Tanium Module Server\services\Benchmark directory.

  1. From the Main menu, go to Modules > Benchmark > Risk > Risk Health.

  2. Review the Risk Coverage and Risk Vector Calculation Issues panels.

  3. If the panels indicate endpoints need attention, see Monitor and troubleshoot Risk health.

Monitor and troubleshoot Benchmark metric health

Use the Health page to monitor and improve the data for each Benchmark metric.

Endpoints Sending Metric Data

The Endpoints Sending Metric Data chart shows an overview of how many endpoints are returning data for one or more of the available metrics.

Endpoints Sending Data for All Supported Metrics

The Endpoints Sending Data for All Supported Metrics chart shows how many endpoints are returning data for all of the available metrics.

Metric Health for Supported Endpoints

The Metric Health for Supported Endpoints chart shows how many supported endpoints are not sending data for a particular metric. Unsupported endpoints (for example, endpoints that use an operating system that the metric does not support) are not included in this count. Ideally, the values in this chart are as close to zero as possible. You can click a bar in the chart to view details about the status of that metric.

Some metrics do not return data that can be displayed in this chart. For example, the metric might be calculated across all endpoints, not calculated per endpoint. Some Threat Response data is sent only when an endpoint has data; if an endpoint does not have data (for example, no alerts), no status is reported.

Metric Health

The Metric Health section includes detailed information about endpoints, whether they are supported for the metric and whether they are returning data.

Improve Metric Health

Improve your Benchmark data by regularly reviewing the metric health and making improvements to enable endpoints to return data.

  1. From the Benchmark menu, go to Health.
  2. Review detailed data for a metric. You can either click a bar in the Metric Health for Supported Endpoints chart, or select a metric in the Filters section.

  3. Identify and resolve problems. In the Metric Health section, you can filter the results, or sort by columns in the table to group like results together.
    • Sending Data: If the value for this column is No, the endpoint is not returning results for this metric. Review the other columns for this endpoint to determine the potential issue. If the value is Yes, the endpoint is returning data and no further analysis is required.
    • Solution Supported: If the value for this column is No, the endpoint cannot return results for this metric. For example, the endpoint could be running a Linux operating system and the metric is supported only for Windows. No further analysis is required for this endpoint.

    • In Action Group: If the value for this column is No, the endpoint is not in the Benchmark action group. For more information, see (Optional) Configure the Benchmark action group.
    • Health Status: If the status is anything other than Optimal, the solution on the endpoint that is providing the metric data has a problem. Note the value for the Tanium Solution column, and then investigate the health status of the endpoint in the related solution. For example, if a Patch metric has a health problem, you can investigate further by going to the Patch solution and looking at the Patch Coverage section of the home page.
  4. Review individual endpoint details. In the Metric Health section, click Endpoint Details, then View Details.

Monitor and troubleshoot Risk health

The Risk Health page includes two charts to monitor the health of the module: Risk Coverage and Risk Vector Calculation Issues.

Risk Coverage

The Risk Coverage chart shows the coverage status of all endpoints on which risk vector scores were calculated in the last 30 days. The coverage metrics might report endpoints as Optimal, Needs Attention or Initializing. The Optimal status indicates that all necessary tools, configurations, and scans are installed and complete for an endpoint. The Initializing status is a transient status that returns when an endpoint is downloading required tools, configuring, or waiting on completion of an initial scan. No action is needed for Optimal or Initializing states.

Risk Vector Calculation Issues

The Risk Vector Calculation Issues chart breaks out the data from the Risk Coverage chart by vector. Use this chart to determine the vectors for which endpoints are unable to allow calculations.

Click the Risk Vector Calculation Issues chart title to open the Risk Health page, which includes a table that lists specific endpoints that are unable to allow risk vector calculations.

The following table lists factors that contribute to why the coverage metric for a vector might report endpoints as Needs Attention, and corrective actions you can take.

Vector: All vectors

  Contributing factor: Endpoints do not have the latest Risk tools installed

  Corrective action: Ask this question in Interact to determine whether endpoints have the necessary tools installed:
    Get Endpoint Configuration - Tools Status Details contains Risk from all machines

  Check for endpoints where the Status column lists Not Installed or Error. Reinstall the tools on the endpoint. For more information, see Endpoint Configuration User Guide: Reinstall one or more tools installed by Endpoint Configuration.

Vector: All vectors

  Contributing factor: Endpoints do not have the latest tools for a required solution installed

  Corrective action: Ask this question in Interact to determine whether endpoints have the necessary tools installed:
    Get Endpoint Configuration - Tools Status Details having Endpoint Configuration - Tools Status Details:Tool Name contains <Solution associated with the vector> from all machines

  Substitute the following solution names for the vector that you are troubleshooting:

  • System vulnerability: Comply
  • System compliance: Comply
  • Administrative access: Impact
  • Password identification: Reveal
  • Expired certificates: SSL Server Audit
  • Insecure SSL / TLS: SSL Server Audit

  Check for endpoints where the Status column lists Not Installed or Error. Reinstall the tools on the endpoint. For more information, see Endpoint Configuration User Guide: Reinstall one or more tools installed by Endpoint Configuration.

Vector: System Vulnerability

  Contributing factors:

  • Endpoints do not have the latest scan engine installed
  • Specific endpoints missing Comply tools, scan engines, or JREs
  • Issue with a specific endpoint that might prevent Comply from running successfully

  Corrective action: If endpoints return the status Needs Attention for the System Vulnerability vector, use these steps to troubleshoot further: Comply User Guide: Monitor and troubleshoot Comply coverage.

Vector: System Compliance

  Contributing factors:

  • Endpoints do not have the latest scan engine installed
  • Specific endpoints missing Comply tools, scan engines, or JREs
  • Issue with a specific endpoint that might prevent Comply from running successfully

  Corrective action: If endpoints return the status Needs Attention for the System Compliance vector, use these steps to troubleshoot further: Comply User Guide: Monitor and troubleshoot Comply coverage.

Vector: Administrative Access

  Contributing factor: Python tools are not installed

  Corrective action: If endpoints return the status Needs Attention for the Administrative Access vector, use these steps to troubleshoot further: Impact User Guide: Monitor and troubleshoot Impact coverage.

  A 0 score is returned for Linux endpoints, macOS endpoints and Windows endpoints that are not joined to a domain. Tanium Impact is used to measure this vector and is supported only on domain-joined Windows endpoints, so this vector applies only to domain-joined Windows endpoints with the Impact tools.

Vector: Password Identification

  Contributing factor: Index Health and Configuration

  Corrective action: If endpoints return the status Needs Attention, use these steps to troubleshoot further: Reveal User Guide: Monitor and troubleshoot Reveal coverage.

Vectors: Expired Certificates and Insecure SSL/TLS

  Contributing factor: SSL Server Audit Tools are not installed

  Corrective action: Ask this question in Interact to determine whether endpoints are missing the tools:
    Get SSL Server Audit Tools Required from all machines

  If endpoints return the status Not Installed or Missing: <package name>, reinstall the SSL Server Audit tools on the endpoint.

Remove Benchmark tools from endpoints

You can deploy an action to remove Benchmark tools from an endpoint or computer group. Separate actions are available for Windows and non-Windows endpoints.

  1. In Interact, target the endpoints from which you want to remove the tools. For example, ask a question that targets a specific operating system:
    Get Endpoint Configuration - Tools Status from all machines with Is Windows equals true
  2. In the results, select the row for Benchmark, drill down as necessary, and select the targets from which you want to remove Benchmark tools. For more information, see Tanium Interact User Guide: Drill Down.
  3. Click Deploy Action.
  4. For the Deployment Package, select Endpoint Configuration - Uninstall Tool [Windows] or Endpoint Configuration - Uninstall Tool [Non-Windows], depending on the endpoints you are targeting.
  5. For Tool Name, select Benchmark.

  6. (Optional) By default, after the tools are removed they cannot be reinstalled. To allow tools to be automatically reinstalled, clear the selection for Block reinstallation. Reinstallation occurs almost immediately.

    If reinstallation is blocked, you must unblock it manually:

    • To allow Benchmark to reinstall tools, deploy the Endpoint Configuration - Unblock Tool [Windows] or Endpoint Configuration - Unblock Tool [Non-Windows] package (depending on the targeted endpoints).

    • If you reinstall tools manually, select Unblock Tool when you deploy the Endpoint Configuration - Reinstall Tool [Windows] or Endpoint Configuration - Reinstall Tool [Non-Windows] package.

  7. (Optional) To remove all Benchmark databases and logs from the endpoints, clear the selection for Soft uninstall.

    When you perform a hard uninstallation of some tools, the uninstallation also removes data that is associated with the tool from the endpoint. This data might include important historical or environmental data. If data that you want to keep is associated with the tool, make sure you perform only a soft uninstallation of the tool.

  8. (Optional) To also remove any tools that were dependencies of the Benchmark tools that are not dependencies for tools from other solutions, select Remove unreferenced dependencies.

  9. (Optional) In the Deployment Schedule section, configure a schedule for the action.

    If some target endpoints might be offline when you initially deploy the action, select Recurring Deployment and set a reissue interval.

  10. Click Show preview to continue.
  11. A results grid appears at the bottom of the page showing you the targeted endpoints for your action. If you are satisfied with the results, click Deploy Action.

If you have enabled Endpoint Configuration approval, tool removal must be approved in Endpoint Configuration before tools are removed from endpoints.

Uninstall Benchmark

  1. From the Main menu, click Administration > Configuration > Solutions.
  2. Select Benchmark, and click Uninstall.
  3. Review the content that will be removed and click Uninstall.
  4. Depending on your configuration, enter your password or click Yes to start the uninstall process.
  5. Return to the Solutions page and verify that the Import button is available for Benchmark.

Contact Tanium Support

To contact Tanium Support for help, sign in to https://support.tanium.com.