Managing filter groups

Filter groups are a type of computer group that you use as filters in questions (see Use filter groups) and question results (see Filter question results). Users acquire permissions for a filter group when you assign it to a content set that is associated with an advanced role or module role, assign the role to personas, and assign the personas to users or user groups. The following figure shows an example of an advanced role that grants Read Filter Group and Write Filter group permissions to the Default Filter Groups content set:

Figure  1:  Filter group assignment

computer filter groups

Users cannot receive question results from endpoints in a filter group unless those endpoints also belong to a computer management group that is assigned to the persona that the user used to issue the question. For details about the interaction between computer management groups and filter groups, and how best to use them, see Computer groups overview.

Use the Administration > Content > Filter Groups page to view, create, clone, edit, and delete filter groups, as described in the following procedures. After creating a filter group, you cannot change its membership definition.

To manage computer groups that are both filter groups and management groups, use the Administration > Management > Computer Groups page (see Managing computer groups). The reserved computer groups All Computers and No Computers function as both types. These reserved groups are in the Reserved content set, and you cannot edit them. When you first sign into the Tanium Console after a fresh installation of the Tanium Server, the server automatically imports Tanium as a Service (TaaS) provides default computer groups that are both filter groups and management groups: see Default computer groups.

For the role permissions required to manage filter groups, see Content management permissions.

In Tanium Core Platform 7.3 or earlier, all computer groups bestow both management and filtering permissions. After you upgrade to version 7.4 or later, the Tanium Server automatically creates a management group and filter group for each computer group that existed on the pre-upgrade server. However, this automatic duplication does not occur for computer groups of either type that you add after the upgrade.

View filter groups

  1. From the Main menu, go to Administration > Content > Filter Groups.

    The Filter Groups grid displays the following attributes for each filter group:

    Table 1:   Filter group attributes
    SettingDescription
    NameThe name that identifies the filter group.
    TypeIndicates how membership is defined for the group:
    • Standard: Dynamic membership based on a sensor filter
    • Manual: Manually defined membership

    For details, see Computer group membership.

    Content SetThe content set to which the group is assigned.
    ExpressionFor standard filter groups, the expression is a sensor-based filter that defines group membership. For manual filter groups, the value is [Manual List].

    To see which specific endpoints are members of a filter group, you must display its configuration.

  2. (Optional) Use the filters to find specific filter groups:
    • Filter by text: To filter the grid by filter group Name or membership Expression, enter a text string in the Filter items field.
    • Filter by attribute: Filter the grid by one or more attributes, such as the Content Set assignment. Expand the ExpandFilters section, click Add Add, select an attribute and operator, enter a text string that contains all or part of the attribute value, and click Apply. If you add multiple attribute filters, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  3. (Optional) To see the attributes that are described in Table 1, as well as a list of endpoints that are members of a filter group, select the group and click View.

Create filter groups

Before you create a filter group, be sure to understand the difference between dynamic membership and manually defined membership (see Computer group membership).

  1. From the Main menu, go to Administration > Content > Filter Groups and click New Group.
  2. Enter a Name to identify the group.
  3. Assign the group to a Content Set.
  4. Define which endpoints are Members of the filter group:
    • Dynamic membership (best practice): Select a method for defining the membership filter:
    • Manually defined membership: Enter a list of computer names or IP addresses. Computer names must match the results that the Computer Name sensor returns. Short forms or alternative names do not work.
  5. Click Save and confirm the operation when prompted.

Clone filter groups

Cloning is useful when you need a new filter group with membership conditions that differ only slightly from an existing group.

  1. From the Main menu, go to Administration > Content > Filter Groups.
  2. Select the filter group and click Clone.
  3. Enter a Name to identify the group.
  4. Assign the group to a Content Set.
  5. Define which endpoints are Members of the group. For details, see Create filter groups.
  6. Click Save and confirm the operation when prompted.

Edit filter groups

You can edit the display name and content set assignment of a filter group. However, changing the display name does not change the object ID of a filter group. Also, you cannot change the group membership definition.

  1. From the Main menu, go to Administration > Content > Filter Groups.
  2. Select the filter group and click View.
  3. (Optional) Enter a new Name.
  4. (Optional) Change the Content Set assignment and click Save.

Export or import filter groups

The following procedures describe how to export and import the configurations of specific filter groups or all filter groups.

Develop and test content in your lab environment before importing that content into your production environment.

Export filter groups

Export filter groups as a CSV file to view their settings in an application that supports that format. If you have the Administrator reserved role, you can also export filter groups as a JSON file to import them into another Tanium Server.

If you want to export other types of content in addition to filter groups, see Manage Tanium shared services and content.

  1. From the Main menu, go to Administration > Content > Filter Groups.
  2. Select rows in the grid to export only specific filter groups. If you want to export all filter groups, skip this step.
  3. Click Export Export.
  4. (Optional) Edit the default export File Name, which is in the format: export-filter_groups-<date>T<time>.csv<format>.

    The file suffix (.csv or .json) changes automatically based on the Format selection.

  5. Select an Export Data option: All filter groups in the grid or just the Selected filter groups.
  6. Select the file Format: JSON (Administrator reserved role only) or CSV.
  7. Click Export.

    TaaSThe Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.

Import filter groups

You can import content files that are in JSON or XML format.

  1. Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.
  2. From the Main menu, go to Administration > Configuration > Solutions.
  3. Scroll to the Content section and click Import Import Content.
  4. Click Choose File, select the content file, and click Open.
  5. Click Import.

    If object names in the file are the same as for existing objects, the Tanium Console itemizes the conflicts and provides resolution options for each one.

  6. Select resolutions for any conflicts. For guidance, see Conflicts and Best practices.
  7. Click Import again, and click Close when the import finishes.

Copy filter group configuration details

Copy information from the Filter Groups page to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Content > Filter Groups.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy Copy.
    • Copy cell information: Hover over the cell, click Options Options, and click Copy Copy.

Delete filter groups

Before you delete filter groups, be sure to understand the consequences for scheduled actions and questions: see Delete computer groups. If you delete a filter group that also functions as a management group, it remains on the Tanium Server as a management group with filtering disabled; the Administration > Computer Groups page continues displaying the group but the Content > Filter Groups page does not.

  1. From the Main menu, go to Administration > Content > Filter Groups.
  2. Select the filter group and click Delete Selected .
  3. Click OK and confirm the operation when prompted.