Criticality overview

With Criticality, you can define levels for each endpoint, user, or group that are available to other Tanium solutions, such as Tanium™ Impact and Tanium™ Risk, to add context about the endpoint.

Criticality scale

Possible criticality levels include the following values:

  • Critical
  • High
  • Medium
  • Low

By default, the criticality level is Medium. You can modify the default criticality level. For more information, see Assign default endpoint criticality and Assign default user and group criticality.

All endpoints, users, and groups are assigned to the default level, unless they are assigned to rules. For more information on how rules work, see Criticality rules.

Criticality rules

Rules override default criticality for specific endpoints, users, or groups.

Create rules to override the default criticality based on attributes of the endpoints, for example, computer group or operating system. For example, you might create a rule to set all Windows endpoints in a specific domain to High criticality. If an endpoint is assigned to more than one unprioritized rule, the rule with a higher criticality level takes precedence. For example, if one rule sets all Windows endpoints to Medium and another rule sets all servers are set to High, a Windows server is always set to High.

You can prioritize rules to specify which rule takes precedence if an endpoint, user, or group is assigned to more than one rule. The priority of the rule overrides the criticality level of the rule. For example, if one rule is prioritized to 2 and sets all Windows endpoints to Medium and another rule is prioritized to 1 and sets Windows endpoints within a specific domain to Low, then Windows endpoints within the specified domain are set to Low.

When a rule is deleted, the endpoint criticality is set to the next highest applicable rule based on prioritization or criticality level (if no prioritized rules apply to the endpoint, user, or group). If no rule exists, Criticality assigns the default level to the endpoint, user, or group.

If you import Criticality with the Tanium Recommended Installation, Criticality contains the following default rules. You can edit or delete the default endpoint rules, but you cannot edit or delete the default group rule. To override the default group rule, you can create a prioritized group rule.

Default rule Rule type Criticality level
Domain Controllers Endpoint Critical
Servers Endpoint High
Workstations Endpoint Medium
Default Critical Active Directory Groups Group Critical

For more information, see Create rules to assign criticality to specific endpoints and Create rules to assign criticality to specific users or groups.

Schedule for criticality updates

Criticality updates endpoints and reports with different frequencies, depending on if you update the default criticality level or criticality rules.

Update to default endpoint criticality

If you modify the default endpoint criticality, the following events happen:

  • Criticality immediately updates the Configuration > Endpoints > View Endpoints table. Criticality updates the endpoints each hour. For more information, see View status of endpoint updates.

  • Within one minute, Risk updates scores and reports for the endpoints.

Update to endpoint rules

If you modify endpoint criticality rules, Criticality updates endpoints and reports each hour.

Risk uses a different update frequency than Criticality. Depending on your configuration, Risk can update from every 15 minutes or once a day, whereas Criticality updates each hour. If it is 10:00, for example, and you modify the Risk data collection time period to be 15 minutes, Risk does not receive updated criticality levels until 11:00, even though Risk collects data at 10:15, 10:30, and 10:45.

Update to default user and group criticality

If you modify the default user and group criticality, Criticality immediately updates the Configuration > Users and Groups > Results table.

Update to user and group rules

If you modify user or group criticality rules, Criticality updates and reports according to the schedule that you configured in the User/Group Settings tab in the Criticality Settings . You can also manually request a sync from the User/Group Schedule tab in the Criticality Settings . For more information, see View status of user and group updates.

Interoperability with other Tanium products

Criticality works with Tanium™ Benchmark, Tanium™ Impact, and Tanium™ Reporting.

Benchmark

Benchmark uses the endpoint criticality levels when calculating endpoint risk scores. For more information, see Tanium Benchmark User Guide: Configuring Benchmark.

Impact

Impact includes criticality levels for users, groups, and endpoints. For more information, see Tanium Impact User Guide: Identifying high impact users, endpoints, and groups.

Reporting

Create and view reports in Reporting that include criticality levels. For more information, see Tanium Reporting User Guide: Working with reports.