Criticality overview

With Criticality, you can define a criticality level for each endpoint. These levels are available to other Tanium solutions, such as Tanium™ Risk, to add context about the endpoint.

Criticality scale

Possible criticality levels include the following values:

  • Critical
  • High
  • Medium
  • Low

By default, the criticality level is Medium. You can modify the default criticality level. For more information, see Assign default endpoint criticality.

All endpoints are assigned to the default level, unless they are assigned to rules. For more information on how rules work, see Criticality rules.

Criticality rules

Rules override default criticality for specific endpoints.

Create rules to override the default criticality based on attributes of the endpoints, such as computer group or operating system. For example, you might create a rule to set all Windows endpoints in a specific domain to High criticality. If an endpoint is assigned to more than one unprioritized rule, the rule with a higher criticality level takes precedence. For example, if one rule sets all Windows endpoints to Medium and another rule sets all servers to High, a Windows server is always set to High.

You can prioritize rules to specify which rule takes precedence if an endpoint is assigned to more than one rule. The priority of the rule overrides the criticality level of the rule. For example, if one rule is prioritized to 2 and sets all Windows endpoints to Medium and another rule is prioritized to 1 and sets Windows endpoints within a specific domain to Low, then Windows endpoints within the specified domain are set to Low.

When a rule is deleted, the endpoint criticality is set to the next highest applicable rule based on prioritization or criticality level (if no prioritized rules apply to the endpoint). If no rule exists, Criticality assigns the default level to the endpoint.
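The precedence described above can be modeled in a few lines to check how a rule set resolves before you rely on it, for example to confirm that a prioritized rule does not unintentionally downgrade servers. This is an added example, not Tanium code: the Rule class, the resolve and without functions, and the sample endpoints are hypothetical, and it assumes that priority numbers are unique and that priority 1 takes precedence over priority 2, as in the example above.

```python
from dataclasses import dataclass
from typing import Callable, Optional

LEVELS = ["Low", "Medium", "High", "Critical"]  # ascending criticality

@dataclass
class Rule:  # hypothetical model of a Criticality rule
    name: str
    level: str
    matches: Callable[[dict], bool]   # predicate over endpoint attributes
    priority: Optional[int] = None    # None = unprioritized; 1 beats 2 (assumed)

def resolve(endpoint: dict, rules: list, default: str = "Medium") -> str:
    """Return the level the documented precedence would assign to an endpoint."""
    hits = [r for r in rules if r.matches(endpoint)]
    if not hits:
        return default  # no rule applies: default level
    prioritized = [r for r in hits if r.priority is not None]
    if prioritized:
        # Priority overrides level: the lowest number wins even if its level is lower.
        return min(prioritized, key=lambda r: r.priority).level
    # Only unprioritized rules apply: the highest criticality level wins.
    return max(hits, key=lambda r: LEVELS.index(r.level)).level

def without(rules: list, name: str) -> list:
    """Model deleting a rule; the next applicable rule (or the default) takes over."""
    return [r for r in rules if r.name != name]

# Constructed sample endpoints and rule sets mirroring the examples in the text.
WIN_SERVER = {"os": "Windows", "role": "server", "domain": "corp.example"}
WIN_LAPTOP = {"os": "Windows", "role": "workstation", "domain": "lab.example"}
LINUX_HOST = {"os": "Linux", "role": "workstation", "domain": "lab.example"}

UNPRIORITIZED = [
    Rule("Windows", "Medium", lambda e: e["os"] == "Windows"),
    Rule("Servers", "High", lambda e: e["role"] == "server"),
]
PRIORITIZED = [
    Rule("Windows", "Medium", lambda e: e["os"] == "Windows", priority=2),
    Rule("Windows in domain", "Low",
         lambda e: e["os"] == "Windows" and e["domain"] == "corp.example",
         priority=1),
]

if __name__ == "__main__":
    for ep in (WIN_SERVER, WIN_LAPTOP, LINUX_HOST):
        print(ep["os"], ep["role"],
              resolve(ep, UNPRIORITIZED), resolve(ep, PRIORITIZED))
```

In this model, the Windows server resolves to High under the unprioritized set but to Low once the priority 1 domain rule applies, so review prioritized rules that carry a lower level than the rules they outrank.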

If you import Criticality with the Tanium Recommended Installation, Criticality contains the following default rules. You can edit or delete the defaults.

Default rule          Criticality level
Domain Controllers    Critical
Servers               High
Workstations          Medium

For more information, see Create rules to assign criticality to specific endpoints.

Schedule for criticality updates

Criticality updates endpoints and reports at different frequencies, depending on whether you update the default criticality level or criticality rules.

Update to default criticality

If you modify the default criticality, the following events happen:

  • Criticality immediately updates the View Endpoints table on the Overview page. Criticality updates the endpoints each hour. For more information, see Criticality overview.

  • Within one minute, Risk updates scores and reports for the endpoints.

Update to rules

If you modify endpoint criticality rules, Criticality updates endpoints and reports each hour.

Risk uses a different update frequency than Criticality. Depending on your configuration, Risk can update from every 15 minutes or once a day, whereas Criticality updates each hour. If it is 10:00, for example, and you modify the Risk data collection time period to be 15 minutes, Risk does not receive updated criticality levels until 11:00, even though Risk collects data at 10:15, 10:30, and 10:45.

Integration with other Tanium products

Criticality has built-in integration with Tanium™ Reporting and Tanium™ Risk.

Reporting

Create and view reports in Reporting that include criticality levels. For more information, see Tanium Reporting User Guide: Working with reports.

Risk

Risk uses the criticality levels when calculating endpoint scores. For more information, see Tanium Risk User Guide: Configure Risk.