Configuring Impact

If you did not install Impact with the Apply All Tanium recommended configurations option, you must enable and configure certain features.

(Tanium Core Platform 7.4.5 or later only) You can set the Impact action group to target the No Computers filter group by enabling restricted targeting before adding Impact to your Tanium licenseimporting Impact. This option enables you to control tools deployment through scheduled actions that are created during the import and that target the Impact action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

When you import Impact with automatic configuration, the following default settings are configured:

The following default setting is configured:

Setting Default value
Action group
  • Restricted targeting disabled (default): All Computers computer group

    Because Impact is currently supported only on Windows endpoints, the Targeting Criteria for the action to distribute the Impact tools filters the group to Windows endpoints.

  • Restricted targeting enabled: No Computers computer group

Install and configure Configure Tanium Endpoint Configuration

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

Endpoint Configuration is installed as a part of Tanium Client Management. For more information, see the Tanium Client Management User Guide: Installing Client Management.

Optionally, you can use Endpoint Configuration to require approval of configuration changes. When configuration approvals are enabled, Endpoint Configuration does not deploy a configuration change to endpoints until a user with approval permission approves the change. For information about the roles and permissions that are required to approve configuration changes for Impact, see User role requirements. For more information about enabling and using configuration approvals in Endpoint Configuration, see Tanium Endpoint Configuration User Guide: Managing approvals.

For solutions to Solutions cannot perform configuration changes or tool deployment through Endpoint Configuration on endpoints with action locks turned on, you must enable the Manifest Package Ignore Action Lock and Deploy Client Configuration and Support Package Ignore Action Lock settings. To access these settings, from the Endpoint Configuration Overview page, click Settings and select Global. on. As a best practice, do not turn on action locks. For more information about action locks, see Tanium Console User Guide: Managing action locks.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

Impact requires Python tools on endpoints. If the Initial Content - Python content pack is not already installed by another solution on the endpoints, Impact uses Endpoint Configuration to install the Impact Tools content pack, which also includes Python tools.

Configure Impact

(Optional) Configure the Impact action group

Importing the Impact module automatically creates an action group to target specific endpoints. If you did not use automatic configuration or you enabled restricted targeting when you imported Impact, the action group targets No Computers.

If you used automatic configuration and restricted targeting was disabled when you imported Impact, configuring the Impact action group is optional.

Select the computer groups to include in the Impact action group.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Click Tanium Impact.
  3. Select the computer groups that you want to include in the action group and click Save.

    If you select multiple computer groups, choose an operator (AND or OR) to combine the groups.

    Because Impact is currently supported only on Windows endpoints, the Targeting Criteria for the action to distribute the Impact tools filters the group to Windows endpoints.

Configure synchronization settings

Configure how Impact synchronizes data between the Active Directory server and Impact.

  1. From the Main menu, go to Modules > Impact to open the Impact Overview page.
  2. Click Settings and open the Sync Settings tab.
  3. Select the schedule type:
    • Basic: Select the schedule, options, and time zone.
    • Cron: Select the time zone and enter a cron expression of five values representing minutes, hours, day of the month, month, and day of the week. For example, enter 0 2 * * 1,2,3,4,5 to set the schedule to run at 02:00 AM only on Monday, Tuesday, Wednesday, Thursday, and Friday.
  4. Review the Summary and then click Submit.
To ensure that Criticality synchronizations are complete before Impact starts to sync, configure Impact synchronizations as follows:
  • Start at least one hour after Criticality synchronizations start.
  • Choose the same frequency or sync less frequently than Criticality.

Configure connections to domains

To configure connections to the Active Directory domains that you want to analyze with Impact, see Tanium Directory Query User Guide: Add a domain.

After you save the domain connection, data collection and analysis begins automatically at the next scheduled synchronization. For more information, see Collect and analyze data.

Collect and analyze data

Data is automatically synchronized between endpoints, users, groups, all configured domains, and Impact according to the schedule in Sync Settings. To view the last time that data was collected and analyzed , and the next scheduled collection and analysis , go to the Data Collection & Sync tab in Impact Settings .

To initiate data collection and analysis manually, click Collect & Analyze.

Data collection and analysis is a long-running process. Do not initiate this process frequently. If a request is already in progress, the requested operation does not run.

Set up Impact users

You can use the following set of predefined user roles to set up Impact users.

To review specific permissions for each role, see User role requirements.

On installation, Impact creates a Impact user to automatically manage the Impact service account. Do not edit or delete the Impact user.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Impact Administrator

Assign the Impact Administrator role to users who manage the configuration and deployment of Impact functionality to endpoints.
This role can perform the following tasks:

  • Configure Impact service settings, including creating and editing domain connections
  • Manually start a domain synchronization and check the status
  • View all ratings, details, and graphs for endpoints, users, and groups
  • Generate and view the Impact support bundle

Impact Operator

Assign the Impact Operator role to users who manage the configuration and deployment of Impact functionality to endpoints.
This role can perform the following tasks:

  • Configure Impact service settings, including creating and editing domain connections
  • Manually start a domain synchronization and check the status
  • View all ratings, details, and graphs for endpoints, users, and groups

Impact User

Assign the Impact User role to users who perform analysis of Impact ratings.
This role can perform the following tasks:

  • View the domain synchronization status
  • View all ratings, details, and graphs for endpoints, users, and groups

Impact Endpoint Configuration Approver

Assign the Impact Endpoint Configuration Approver role to a user who approves or rejects Impact configuration items in Endpoint Configuration.
This role approves, rejects, or dismisses changes that target endpoints where Impact is installed.

Do not assign the Impact Service Account role to users. This role is for internal purposes only.