Managing sensors

Sensors overview

A sensor is a script that runs on an endpoint to compute a response to a Tanium question. Tanium Cloud or the Tanium Server distributes sensors to endpoints during Tanium Client registration. Sensors enable you to ask questions that collect information such as the following:

  • Hardware and software inventory and configuration
  • Running applications and processes
  • Files and directories
  • Network connections

Tanium Cloud provides, and the Tanium Server automatically imports, initial content that includes sensors for a wide range of common questions (see Tanium Console User Guide: Initial content). Other Tanium solutions that you import might provide more sensors. If you cannot find a sensor that you need within Tanium-provided content, you can create custom sensors.

A sensor configuration includes settings, script content, and script parameters. Sensors use industry-standard scripting languages rather than proprietary coding syntax. The best practice is for sensors to use the scripting engine available on the largest number of managed endpoints. On Windows endpoints, VBScript typically provides the most comprehensive out-of-the-box coverage because it is installed by default in every desktop release of Microsoft Windows since Windows 98 and in every Windows Server release since Windows NT 4.0 Option Pack. On macOS and Linux endpoints, shell script generally provides the most comprehensive out-of-the-box coverage. Of course, you can develop sensors using any other scripting language that the operating system (OS) supports (such as PowerShell on Windows), as long as the associated scripting engine already exists on the endpoint, or you can deploy and configure the engine on the endpoints that do not have it installed.

Some Tanium sensors and packages require Windows Management Instrumentation (WMI) queries, VBScript execution in Windows Script Host (WSH), and PowerShell. If you disable any of these features on Windows endpoints, Tanium functionality is limited.

For Windows endpoints running Tanium Client version 7.2.314.3584 or later, PowerShell-based sensors require PowerShell 3.0 or later. You must update the default PowerShell on Windows Server 2008 or Windows Server 2008 R2 for PowerShell-based sensors to work on those endpoints.

For the role permissions required to manage sensors, see Content management permissions.

View sensor details

To see sensor configuration attributes and runtime metrics:

  1. From the Main menu, go to Administration > Content > Sensors.

    The Sensors grid displays columns for most of the sensor attributes that are described in Table 1.

  2. (Optional) To display attributes that the grid hides by default, click Customize Columns and select the attributes.
  3. (Optional) For the Runtime option, click Show to display sensor runtime metrics or Hide (default) to conceal them.

    For each sensor, the Runtime column displays an icon that indicates whether the sensor has exceeded a runtime threshold. You can hover over the icon to display a tooltip with the runtime average in milliseconds. For details about the icons and the steps to configure runtime thresholds, see Managing sensor runtime thresholds.

    Set the Show Hidden option to Yes to display hidden sensors and a Hidden State column, which indicates which sensors are configured as Visible or Hidden. For details on hidden sensors, see Hide this sensor from sensor lists and parse results.

  4. (Optional) Use the filters to find specific sensors:
    • Filter by text: To filter the grid by sensor Name, Category, or Description, enter a text string in the Filter items field.
    • Filter by attribute: Filter the grid by one or more attributes, such as the Content Set assignment. Expand the Filters section, click Add, select an attribute, select an operator, enter a text string that contains all or part of the attribute value, and click Apply. If you add multiple attribute filters, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  5. (Optional) To see all the attributes that are described in Table 1, click a sensor Name.

    Contact Tanium Support if you want to change the attribute values.

Edit a sensor

You can edit all the settings of all sensors except Tanium reserved sensors, which are core system sensors that include Computer Name, Action Statuses, Computer ID, and Download Statuses. For reserved sensors, you can edit only the Max String Age and Max Strings settings.

As a best practice, do not edit predefined sensors that are provided through content-only solutions imported from Tanium. For details, see Tip 4: Limit customizations to Tanium content. Contact Tanium Support if editing the Tanium-provided sensors is necessary. Alternatively, you can clone Tanium-provided sensors (see Clone a sensor) and edit the copies. You can also edit custom sensors that you created from scratch.

To change the content set assignment for multiple sensors that must belong to the same set, see Move sensors between content sets.

To edit a sensor:

  1. From the Main menu, go to Administration > Content > Sensors.
  2. (Optional) Use the search and column sorting features to find the sensor that you want to edit.
  3. Click the sensor Name.
  4. Click Edit Mode, configure the settings described in Table 1, and click Save.

Move sensors between content sets

You can move sensors between content sets as necessary to accommodate changes to the role-based access control (RBAC) configuration of your Tanium deployment. For example, you might want to move certain sensors to a content set that only highly privileged users can access.

  1. From the Main menu, go to Administration > Content > Sensors.
  2. Select the sensor and click Move to Content Set.
  3. Select a content set and click Confirm.

Clone a sensor

Cloning is useful when you need to:

  • Create a modified version of a predefined sensor from a Tanium content-only solution.

    Do not modify the original Tanium sensor.

  • Create a new sensor with settings that differ only slightly from an existing sensor; this is often easier than creating a new sensor from scratch.

Perform the following steps to clone a sensor:

  1. From the Main menu, go to Administration > Content > Sensors.
  2. Use the search and column sorting features to find the sensor that you want to clone.
  3. Select the sensor and click Clone.
  4. Configure the settings as described in Table 1 and click Save.

Create a sensor

  1. From the Main menu, go to Administration > Content > Sensors.
  2. Click New Sensor, configure the following settings, and click Save.
Table 1: Sensor configuration guidelines
Settings: Guidelines
Name: Specify a name of up to 256 characters to identify the sensor wherever the Tanium Console displays sensor lists. The name cannot have certain special characters and the best practice is to avoid reserved words. See the lists of Special characters and reserved words. Note that certain Tanium-defined sensors use reserved words in their names. For instructions on how to enter such sensors in the Interact Ask a Question field, see Reserved words in sensor names.

If you change the sensor name, reconfigure content that references it. For example, update the sensor name in any saved questions that are configured with the previous name.

Description: Enter a description to help other users understand the purpose of the sensor. It might help to include examples of formatted results. The description appears in the Sensors page and in the Browse Sensors dialog of the Question Builder.
Content Set: Assign the sensor to a content set. The list is populated with all content sets for which you have Write Sensor permission.
Category: Select the sensor category, which you can use to filter the list of sensors on the Sensors page and in the Browse Sensors dialog of the Question Builder.
Result Type: Select the data type for the values that the sensor returns. Choosing the correct type is required for the Tanium Server to properly evaluate results and sort them in results grids. For example, if you issue the question Get Uptime > "10 days", the server evaluates the greater than (>) operation based on the Time Duration type of the Uptime sensor. This ensures that the server returns results only for endpoints that rebooted more than 10 days ago. If that sensor used the Text result type instead, the server would evaluate the operation alphabetically and return results such as 2 days.
For a multi-column sensor, set the Result Type to Text and then select a specific result type for each column. For example, the Tanium Client Dump Files sensor returns both Date/Time (WMI) and Integer result types. See Split into multiple columns.

Different sensors can return values in different units even if the sensors use the same result type. For example, the Tanium Client CPU sensor returns a percentage value while the CPU Speed Mhz sensor returns a megahertz value, even though both sensors use the Numeric result type.

The result types are:

  • Text: An alphanumeric text string. For example, the Computer Name sensor returns a string such as workstation-1.company.com.

  • File Size: The size of the result, including both the number and units. For example, the Page File Details sensor returns size values for the page files on a Windows endpoint, such as 11264 MB for the Size On Disk.

    To return size values without the associated units, select Integer as the result type. For instance, a sensor that returns file sizes and uses Integer as the result type displays only the number of bytes: 1048576 instead of 1 MB, as an example.

  • IP Address: One or more IPv4 and/or IPv6 addresses. For example, the Tanium Client IP Address sensor returns the IP address (such as 192.168.1.1) that a Tanium Client is using to communicate with the Tanium Server or Tanium Zone Server.

  • Version: The version of an operating system, file, application, or other component on an endpoint. For example, the NET Version sensor returns the full version numbers of all .NET installations, such as version 4.5.51641.
  • Numeric: A number that can have decimals and a positive or negative value. For example, the Tanium Client CPU sensor returns the percentage of CPU utilization that the Tanium Client process currently uses on an endpoint, such as 1.4.

    For sensors that return unsigned whole numbers, select the Integer result type instead.

  • Date/Time (RFC822): A date-time string in RFC-822 format. For example, the OS Boot Time sensor returns the date and time when an endpoint operating system last booted, such as Mon, 05 Jan 2015 15:17:59 +0000.
  • Date/Time (WMI): A date-time string in Windows Management Instrumentation (WMI) format. For example, the Tanium Client Dump Files sensor returns the date and time when a Tanium Client dump file was created on an endpoint, such as 2017-09-13T18:29:22.412Z.
  • Time Duration: A time range. For example, the Uptime sensor returns the number of days since the last reboot of an endpoint, such as 48 days or Less than 1 day. Results can include units other than days (such as 42 minutes or 8 hours) and can include multiple units (such as 2 years, 3 months, 18 days, 4 hours, 22 minutes and 3.67 seconds).
  • Integer: An unsigned whole number, which excludes decimal values and negative values. For example, the RAM Slots Unused sensor returns the number of empty, unused RAM slots, such as 2.
Max Sensor Age: Enter the maximum time for which the Tanium Client can use a cached result for this sensor, instead of reexecuting it for a fresh result, when answering questions. For example, the Max Sensor Age for the File Size sensor is 15 minutes by default. When a client receives a question that executes the File Size sensor, it caches the result. Within the next 15 minutes, if the client receives another question with the File Size sensor, it returns the cached result. After 15 minutes, if the client receives a question with the File Size sensor, it reexecutes the sensor script to return a fresh result.

To improve the accuracy of results, use shorter ages for sensors with values that change frequently, such as status and utilization sensors. To reduce unnecessary CPU usage on endpoints, use longer ages for sensors with values that typically do not change frequently, such as the chassis type or Active Directory domain membership.

By default, the Max Sensor Age applies to all questions that use the sensor. To set a different age for the sensor in a specific question, see Maximum Data Age.

A lower Max Sensor Age increases CPU usage on endpoints. Therefore, lower ages are more appropriate for sensors that you use in dynamic questions than for sensors in saved questions or in the endpoint membership questions of computer management groups and filter groups.

Max String Age: If you want to reduce the impact that question results have on Tanium Server disk space, select Enable and specify the maximum age that answer strings can reach before the server removes them. The default is one week. The string age is based on the number of minutes since the Tanium Server last used the string or received it from Tanium Clients. For details, see Reference: Manage sensor string growth.

The Max String Age does not apply to the results cache that the Tanium Data Service stores on the Tanium Server (see Manage sensor results collection).

Max Strings: If you want to reduce the impact that question results have on Tanium Server disk space, select Enable and enter the maximum number of answer strings that the server stores for this sensor before removing the oldest strings. The server includes the string count for temporary sensors when calculating the string count for their source sensors. The default is 0, which specifies no limit. The string age is based on when the Tanium Server last used the string or received it from Tanium Clients.

When limiting string growth, set the Max String Age instead of the Max Strings (see Reference: Manage sensor string growth). Contact Tanium Support before setting the Max Strings in extreme cases that might require a string count limit for individual sensors.

The Max Strings does not apply to the results cache that the Tanium Data Service stores on the Tanium Server (see Manage sensor results collection).

Ignore case in result values: Group and count result values regardless of differences in upper-case and lower-case characters.
Hide this sensor from sensor lists and parse results: Select this option if you want sensor lists throughout the Tanium Console to exclude the sensor.
Split into multiple columns: (Multi-column sensors only) If the sensor returns multiple results from each endpoint, display the results in multiple columns on the Question Results grid. In the Use delimiter field, specify a character to separate result values in the sensor script. Enter column names and corresponding result types, and arrange them in the order you want the results grid to display them. Select the Hide option if you want to hide the column from the default view of the results grid. The following figure shows the settings for the Running Applications sensor.

Figure: Multi-column sensor settings

When creating questions that filter multi-column sensors, single-column filtering works only if the sensor definition specifies column delimiters with a single character (such as |), not multiple characters (such as |:).

Parameter Inputs: (Parameterized sensors only) In the Parameters section, perform the following steps for each parameter. For details on the parameter types and their settings, see Parameter input settings.
  1. Select Add Parameter > <Type>.
  2. Select a time standard for any date- or time-based parameter:
    • Local Time (default) is local to the system that you use to access the Tanium Console
    • UTC is Coordinated Universal Time
  3. Configure the settings for the selected parameter type.
Scripts: Perform the following steps for each target operating system (OS):
  1. Select the OS type and select Enable sensor for <OS> platform.

  2. Set the Query Type to the desired scripting engine.

  3. Enter the script text.

    For details about scripts for parameterized sensors, see Sensor script.

Sensor Preview: Previewing sensor results on a small number of non-critical endpoints enables you to test the sensor before making it available for questions or sensor harvesting. Previewing is a useful precaution in case the sensor script has flaws that might adversely affect endpoints.
  1. Click Select Groups to Preview and perform one of the following steps:
    • Select an existing computer group.
    • Click Create Ad Hoc Group, perform one of the following steps to define group membership, and click Create Group. Note that the computer group will exist only for the sensor preview and will not appear elsewhere in the Tanium Console.
      • Dynamic membership: Select a method to define the membership filter:
      • Manually defined membership: Select Manual Group and enter a list of computer names or IP addresses. Computer names must match the results that the Computer Name sensor returns. Short forms or alternative names do not work.
  2. Click Preview Sensor Results and review the results.
Table 1: Sensor settings
Settings: Guidelines
Name: A name that identifies the sensor wherever the Tanium Console displays lists of sensors.

For instructions on how to enter sensor names that contain reserved words when you issue questions through the Interact Ask a Question field, see Reserved words in sensor names.

Description: The description is intended to help other users understand the purpose of the sensor. The description appears in the Sensors page and in the Browse Sensors dialog of the Question Builder.
Content Set: The content set to which the sensor is assigned.
Category: You can use the sensor category to filter the list of sensors on the Sensors page and in the Browse Sensors dialog of the Question Builder.
Result Type: The data type for the values that the sensor returns. Tanium Cloud evaluates results and sorts them in results grids based on the type. For example, in the question Get Uptime > "10 days", Tanium Cloud evaluates the greater than (>) operation based on the Time Duration type of the Uptime sensor. This ensures that Tanium Cloud returns results only for endpoints that rebooted more than 10 days ago. If that sensor used the Text result type instead, Tanium Cloud would evaluate the operation alphabetically and return results such as 2 days.
The Result Type is always Text for a multi-column sensor but each column can have a unique result type. For example, the Tanium Client Dump Files sensor returns both Date/Time (WMI) and Integer result types. See Split into multiple columns.

Different sensors can return values in different units even if the sensors use the same result type. For example, the Tanium Client CPU sensor returns a percentage value while the CPU Speed Mhz sensor returns a megahertz value, even though both sensors use the Numeric result type.

The result types are:

  • Text: An alphanumeric text string. For example, the Computer Name sensor returns a string such as workstation-1.company.com.

  • File Size: The size of the result, including both the number and units. For example, the Page File Details sensor returns size values for the page files on a Windows endpoint, such as 11264 MB for the Size On Disk.

  • IP Address: One or more IPv4 and/or IPv6 addresses. For example, the Tanium Client IP Address sensor returns the IP address (such as 192.168.1.1) that a Tanium Client is using to communicate with Tanium Cloud.

  • Version: The version of an operating system, file, application, or other component on an endpoint. For example, the NET Version sensor returns the full version numbers of all .NET installations, such as version 4.5.51641.
  • Numeric: A number that can have decimals and a positive or negative value. For example, the Tanium Client CPU sensor returns the percentage of CPU utilization that the Tanium Client process currently uses on an endpoint, such as 1.4.
  • Date/Time (RFC822): A date-time string in RFC-822 format. For example, the OS Boot Time sensor returns the date and time when an endpoint operating system last booted, such as Mon, 05 Jan 2015 15:17:59 +0000.
  • Date/Time (WMI): A date-time string in Windows Management Instrumentation (WMI) format. For example, the Tanium Client Dump Files sensor returns the date and time when a Tanium Client dump file was created on an endpoint, such as 2017-09-13T18:29:22.412Z.
  • Time Duration: A time range. For example, the Uptime sensor returns the number of days since the last reboot of an endpoint, such as 48 days or Less than 1 day. Results can include units other than days (such as 42 minutes or 8 hours) and can include multiple units (such as 2 years, 3 months, 18 days, 4 hours, 22 minutes and 3.67 seconds).
  • Integer: An unsigned whole number, which excludes decimal values and negative values. For example, the RAM Slots Unused sensor returns the number of empty, unused RAM slots, such as 2. The Integer result type returns values without the associated units. For instance, a sensor that returns file sizes and uses Integer as the result type displays only the number of bytes: 1048576 instead of 1 MB, as an example.
Max Sensor Age: The maximum time for which the Tanium Client can use a cached result for this sensor, instead of reexecuting it for a fresh result, when answering questions. For example, the Max Sensor Age for the File Size sensor is 15 minutes by default. When a client receives a question that executes the File Size sensor, it caches the result. Within the next 15 minutes, if the client receives another question with the File Size sensor, it returns the cached result. After 15 minutes, if the client receives a question with the File Size sensor, it reexecutes the sensor script to return a fresh result.

Sensors with values that change frequently, such as status and utilization sensors, typically have shorter ages. Sensors with values that typically do not change frequently, such as the chassis type or Active Directory domain membership, usually have longer ages.

When you issue a question, you can override the Max Sensor Age for individual sensors by specifying the Maximum Data Age option in the Question Builder or by appending the ?maxAge=<value> option in the Ask a Question or Explore Data field. For details, see Maximum Data Age.
Max String Age: To reduce the impact that question results have on Tanium Cloud resources, some sensors have a maximum age that answer strings can reach before Tanium Cloud removes those strings. The default is one week. The string age is based on the number of minutes since Tanium Cloud last used the string or received it from Tanium Clients. For details, see Reference: Manage sensor string growth.

The Max String Age does not apply to the results cache that the Tanium Data Service stores on Tanium Cloud (see Manage sensor results collection).

Max Strings: To reduce the impact that question results have on Tanium Cloud resources, some sensors have a maximum number of answer strings that Tanium Cloud stores for the sensors before removing the oldest strings. Tanium Cloud includes the string count for temporary sensors when calculating the string count for their source sensors. The default is 0, which specifies no limit. The string age is based on when Tanium Cloud last used the string or received it from Tanium Clients.

The Max Strings does not apply to the results cache that the Tanium Data Service stores on Tanium Cloud (see Manage sensor results collection).

Ignore case in result values: Group and count result values regardless of differences in upper-case and lower-case characters.
Hide this sensor from sensor lists and parse results: This option specifies that sensor lists throughout the Tanium Console exclude the sensor.
Split into multiple columns: (Multi-column sensors only) If the sensor returns multiple results from each endpoint, this option causes the results to appear in multiple columns on the Question Results grid. The Use delimiter field specifies the character that separates result values in the sensor script. The grid below these fields indicates the column names and corresponding result types, as well as the order in which the results grid displays them. The Hide option specifies that the column is hidden from the default view of the results grid. The following figure shows the settings for the Running Applications sensor.

Figure: Multi-column sensor settings

When creating questions that filter multi-column sensors, single-column filtering works only if the sensor definition specifies column delimiters with a single character (such as |), not multiple characters (such as |:).

Parameter Inputs: (Parameterized sensors only) For details on the parameter types and their settings, see Parameter input settings.
Scripts: For details about scripts for parameterized sensors, see Sensor script.
Sensor Preview: Previewing sensor results on a small number of non-critical endpoints enables you to test the sensor before making it available for questions or sensor harvesting. Previewing is a useful precaution in case the sensor script has flaws that might adversely affect endpoints.
  1. Click Select Groups to Preview and perform one of the following steps:
    • Select an existing computer group.
    • Click Create Ad Hoc Group, perform one of the following steps to define group membership, and click Create Group. Note that the computer group will exist only for the sensor preview and will not appear elsewhere in the Tanium Console.
      • Dynamic membership: Select a method to define the membership filter:
      • Manually defined membership: Select Manual Group and enter a list of computer names or IP addresses. Computer names must match the results that the Computer Name sensor returns. Short forms or alternative names do not work.
  2. Click Preview Sensor Results and review the results.
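
A shell sensor script for the Split into multiple columns setting in Table 1, as an added example that is not Tanium-provided content: it emits Name|UID|Description|Shell rows from passwd-format input and keeps a value that itself contains the delimiter from shifting the columns. It assumes the sensor engine takes one result row per line of standard output; the function names, column layout, and sample accounts are constructed for illustration.

```sh
#!/bin/sh
# Added example, not Tanium-provided content.
# Assumption: each line written to standard output is one result row.

DELIM='|'          # one character, so single-column filtering keeps working
EXPECTED_COLS=4    # must equal the number of columns defined for the sensor

# clean_field VALUE
# Make VALUE safe for a single column: the delimiter becomes "/" and CR, LF
# and TAB become spaces, so a value cannot create extra columns or rows.
clean_field() {
    printf '%s' "$1" | tr "${DELIM}"'\r\n\t' '/   '
}

# emit_row FIELD...
# Print one delimited row. Fails (status 1) when the field count differs from
# EXPECTED_COLS, so a malformed record never reaches the results grid.
emit_row() {
    if [ "$#" -ne "$EXPECTED_COLS" ]; then
        return 1
    fi
    row=''
    first=1
    for f in "$@"; do
        c=$(clean_field "$f")
        if [ "$first" -eq 1 ]; then
            row=$c
            first=0
        else
            row="${row}${DELIM}${c}"
        fi
    done
    printf '%s\n' "$row"
}

# accounts_rows FILE
# Read passwd(5)-format lines and emit Name|UID|Description|Shell rows.
# The description (GECOS) field is free text, so it is the column most likely
# to contain the delimiter.
accounts_rows() {
    while IFS=: read -r name _pw uid _gid gecos _home shell; do
        case "$name" in
            ''|'#'*) continue ;;   # skip blank and comment lines
        esac
        emit_row "$name" "$uid" "$gecos" "$shell" || return 1
    done < "$1"
}

# Constructed sample input (not real account data). A deployed sensor would
# read the endpoint's own account database instead.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
ci:x:1001:1001:CI|CD runner:/home/ci:/bin/sh
svc:x:998:998::/var/lib/svc:/usr/sbin/nologin
EOF

accounts_rows "$sample"
```

In the sensor definition, the Use delimiter field would be set to | and the four columns defined in the same order, with Integer as the result type for the UID column.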

Export or import sensors

The following procedures describe how to export and import specific sensors or all sensors.

Develop and test custom content in your lab environment before importing that content into your production environment.

Export sensors

Export sensors as a file in one of the following formats:

  • CSV: When you open the file in an application that supports CSV format, it lists the sensors with the same attributes (columns) as the Sensors page displays.

  • JSON: If you are assigned a role with the Export Content permission, you can export sensor configurations as a JSON file to import them into another Tanium Server. The Administrator reserved role has that permission.

Perform the following steps to export sensors:

  1. From the Main menu, go to Administration > Content > Sensors.
  2. (Optional, CSV exports only) To add or remove attributes (columns) for the CSV file, click Customize Columns in the grid and select the attributes.
  3. Select rows in the grid to export only specific sensors. If you want to export all sensors, skip this step.
  4. Click Export.
  5. (Optional) Edit the default export File Name.

    The file suffix (.csv or .json) changes automatically based on the Format selection.

  6. Select an Export Data option: All sensors in the grid or just the Selected sensors.
  7. Select the file Format:

    • List of Sensors - CSV
    • Sensor Definitions - JSON (Administrator reserved role only)

  8. Click Export.

    Tanium Cloud or the Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.

Import sensors

Users who are assigned a role with Import Signed Content permission can import content files (such as for Tanium solutions or sensor configurations) that are in JSON format. The Administrator reserved role has this permission.

  1. (Non-Tanium-provided content only) Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.
    You do not have to generate keys or signatures for Tanium-provided solutions. Tanium signs this content before making it available, and the associated public key is distributed to the Tanium Server key store during the server installation process.

    If you plan to import a file that another user signed, you can first perform an integrity check on the file. See Verify content file signatures.

  2. From the Main menu, go to any of the following Administration pages:
    • Configuration > Solutions
    • Permissions > Filter Groups
    • Under Content, select Sensors, Packages, or Saved Questions
    • Under Actions, select Scheduled Actions, All Pending Approvals, or Actions I Can Approve
  3. Select an Import option based on the source of the content:
    • Import > Import Files: Perform one of the following steps to select one or more files:
      • Drag and drop files from your file explorer.
      • Click Browse for File, select the files, and click Open.
    • Import > Import URL: Enter the URL in the Import URL field, and click Import.
  4. For each file, expand the File name, review the content to import, and select resolutions for any conflicts with existing content (see Resolve import conflicts).
  5. If you want to overwrite existing content set assignments for all imported objects with the default Tanium-defined assignments, select Include content set overwrite. By default, the Include content set overwrite check box is deselected and the Tanium Server preserves the existing content set assignments.
  6. Click Begin Install.

Copy sensor configuration details

Copy information from the Sensors page to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Content > Sensors.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy.
    • Copy cell information: Hover over the cell, click Options, and click Copy.

Manage sensor quarantines

Overview of sensor quarantines

Enforcing sensor quarantines prevents sensors from running on an endpoint for the current question or action if those sensors exceeded the runtime timeout during a previous question or action. Quarantines are useful for limiting the impact on endpoint resources, such as CPU utilization, when questions and actions use excessively long-running sensors. The non-configurable timeout is set to one minute.

By default, quarantines are not enforced: after a sensor exceeds the timeout and stops running, the sensor has quarantined status but still runs for future questions or actions until it completes or times out. In this case, the Tanium Client uses the quarantined status just to record that the sensor timed out.

Regardless of whether you enable enforcement, the Tanium Client stops any sensor at the moment it exceeds the timeout. Each client quarantines sensors and enforces the quarantines independently. Consequently, a sensor might be quarantined on some endpoints and not on others.

When a Tanium Client quarantines a sensor, the Tanium Console displays the following message in the Question Results grid: TSE-Error: Sensor evaluation timed out. When you issue a question that uses a sensor that is already quarantined and enforcement is enabled, the Question Results grid displays TSE-Error: The sensor is quarantined. The Tanium Client adds entries to the client logs and sensor history logs when it quarantines a sensor or prevents an already quarantined sensor from running.

If temporary sensors exceed the one-minute timeout, the Tanium Client quarantines the original sensor as well as all current and future temporary sensors that are based on the original sensor.

When enforcement is enabled, quarantined sensors do not run when you use them for targeting endpoints, even if the sensors are members of computer groups. However, quarantined sensors might skew the targeting of a question that has a vague from clause, such as from all machines with Is Windows not equals true. In this case, Windows endpoints on which the Is Windows sensor is quarantined would match the condition not equals true because their response would be TSE-Error: The sensor is quarantined rather than true. To avoid such outcomes, make the target clause as specific as possible and do not use negative matching conditions such as not equals true.
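The targeting skew described above, modeled as an added example (not Tanium code and not part of the original guide). The endpoint names, sample answers, and helper functions are constructed for illustration, and the model assumes that a filter compares the answer string case-insensitively; only the two TSE-Error strings come from this page.

```python
"""Model of how a quarantined sensor skews question targeting.

Added illustration, not Tanium code. Endpoint names, answers and helper
names are constructed; only the two TSE-Error strings come from the page.
Assumption: a filter compares the answer string case-insensitively.
"""

QUARANTINED = "TSE-Error: The sensor is quarantined"
TIMED_OUT = "TSE-Error: Sensor evaluation timed out"

# Constructed sample: the answer each endpoint returns for two sensors.
ENDPOINTS = [
    {"name": "win-01", "Is Windows": "True", "Is Linux": "False"},
    {"name": "win-02", "Is Windows": QUARANTINED, "Is Linux": "False"},
    {"name": "lnx-01", "Is Windows": "False", "Is Linux": "True"},
    {"name": "lnx-02", "Is Windows": "False", "Is Linux": TIMED_OUT},
]


def is_error(answer):
    """True when the answer is a sensor error string rather than a value."""
    return answer.startswith("TSE-Error:")


def matches(answer, operator, expected):
    """Evaluate one filter condition against one endpoint's answer."""
    same = answer.casefold() == expected.casefold()
    if operator == "equals":
        return same
    if operator == "not equals":
        return not same
    raise ValueError(f"unsupported operator: {operator}")


def audit_clause(endpoints, sensor, operator, expected):
    """Split endpoints into those the clause targets, those it targets only
    because the sensor returned an error, and those whose error answer kept
    them out of the target set."""
    result = {"targeted": [], "skewed": [], "excluded_errors": []}
    for ep in endpoints:
        answer = ep[sensor]
        hit = matches(answer, operator, expected)
        if hit:
            result["targeted"].append(ep["name"])
        if is_error(answer):
            result["skewed" if hit else "excluded_errors"].append(ep["name"])
    return result


if __name__ == "__main__":
    clauses = [
        ("Is Windows", "not equals", "true"),  # negative match: error strings pass
        ("Is Linux", "equals", "true"),        # positive match: error strings drop out
    ]
    for clause in clauses:
        print(clause, audit_clause(ENDPOINTS, *clause))
```

In this model the negative clause pulls the Windows endpoint win-02 into the target set, while the positive clause leaves the endpoint with the error answer out instead of including it by mistake.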

View quarantined sensors

To see the attributes of quarantined sensors:

  1. From the Main menu, go to Administration > Content > Quarantined Sensors.

    The Quarantined Sensors grid displays many of the sensor attributes that are described in Table 1.

  2. (Optional) To display attributes that the grid hides by default, click Customize Columns and select the attributes.
  3. (Optional) Use the filters to find specific sensors:
    • Filter by text: To filter the grid by sensor Name or Description, enter a text string in the Filter By Text field.
    • Filter by attribute: Filter the grid by one or more attributes, such as the Content Set assignment. Expand the Filters section, click Add Row or Add Grouping (to group by Boolean operators), click Add, select an attribute and operator, enter a text string that contains all or part of the attribute value, and click Apply. After you finish specifying attributes, click Apply All to filter the grid.
  4. (Optional) To see all the attributes that are described in Table 1, click a sensor Name.

Add a sensor to quarantine

You can manually quarantine a sensor on an endpoint if you anticipate that running the sensor will negatively affect the endpoint.

Quarantining a sensor does not automatically enable quarantine enforcement.

  1. In the URL field of the browser that you use to access the Tanium Console, enter https://<Tanium Cloud Client Edge URL or Tanium Server>/hash/<sensor>. For the <Tanium Server>, enter the Tanium Server FQDN or IP address. The <sensor> must match the sensor name that the Tanium Console displays with respect to capitalization and spaces.

    The browser displays the hash value associated with the sensor.

  2. Access the operating system CLI on the endpoint and change directory (cd) to the Tanium Client installation directory.
  3. Enter the following command.

    • Windows: TaniumClient quarantine add <sensor_hash>
    • Non-Windows: ./TaniumClient quarantine add <sensor_hash>

Remove sensors from quarantine

You can use the Tanium Console to unquarantine a sensor on some or all endpoints if you imported Default Content (previously Initial Content - Base) version 7.1.10.0000 or later (see Managing Tanium solutions). After you unquarantine a sensor, the Tanium Client allows it to run for subsequent questions and actions, but will stop and quarantine the sensor again if it exceeds the timeout.

If you modify a sensor, Tanium Clients that receive its new definition will automatically unquarantine that sensor.

Tanium Cloud or the Tanium Server cannot unquarantine sensors on endpoints that are offline. If you know that some endpoints might come online only at a later time, consider scheduling an action that uses the Un-Quarantine Sensor or Un-Quarantine Sensor (Non-Windows) package (see Deploying actions).

  1. From the Main menu, go to Administration > Content > Quarantined Sensors.
  2. Select the sensors and click Unquarantine.
  3. Select the Action Group that includes the endpoints where you want to unquarantine the sensors.
  4. Preview the affected endpoints and then click Unquarantine.

Enable or disable enforcement of quarantined sensors

After you enable quarantine enforcement, Tanium Clients do not answer questions that use quarantined sensors and those sensors do not run for actions. After you disable enforcement, clients still quarantine sensors and log quarantine events, but do not prevent those sensors from running.

Configure the EnableSensorQuarantine setting on clients to enable (1) or disable (0) the enforcement of quarantined sensors. See Tanium Client Management User Guide: Modify client settings.

Your user account must have a role with the Global Settings write permission to enable or disable quarantine enforcement. Users with the Administrator reserved role have this permission.

The first time you enable enforcement, you must add the EnableSensorQuarantine setting to the platform settings on the Tanium Server as follows. By default, enforcement is disabled and the setting does not appear in the Tanium Console. After you add the setting, the Tanium Server applies it to all Tanium Clients.

  1. Access the Tanium Console.
  2. From the Main menu, go to Administration > Configuration > Settings > Advanced Settings, and click Add Setting.
  3. Enter the following values and click Save.
    • Setting Type = Server
    • Platform Setting Name = EnableSensorQuarantine
    • Value Type = Numeric
    • Value = 1

Perform the following steps if you want to change the enforcement setting after adding it to the platform settings:

  1. From the Main menu, go to Administration > Configuration > Settings > Advanced Settings.
  2. In the Name column, click EnableSensorQuarantine, set the value to 1 to enable enforcement or 0 to disable enforcement, and click Save.

If you want to change the enforcement setting in specific Tanium Clients instead of all clients, add or edit the EnableSensorQuarantine setting in the local configuration of those clients (see Tanium Client Management User Guide: Tanium Client CLI and client settings).

Export quarantined sensor details

Export information about quarantined sensors as a CSV file to view in an application that supports that format. The file lists the sensors with the same attributes (columns) as the Quarantined Sensors page displays.

You can export the details of specific quarantined sensors if you are assigned a role with Write Sensor permission on the content sets for those sensors. Users with the Administrator or Content Administrator reserved role can export the details of all quarantined sensors.

  1. From the Main menu, go to Administration > Content > Quarantined Sensors.
  2. (Optional) To add or remove attributes (columns) for the CSV file, click Customize Columns in the grid and select the attributes.
  3. Select rows in the grid to export only specific sensors. If you want to export all sensors, skip this step.
  4. Click Export.
  5. (Optional) Edit the default export File Name.
  6. To include grid column headers in the CSV file, select Include headers in export.

    Skip the Flatten rows option. It does not apply to quarantined sensors.

  7. Click Export.

    Tanium Cloud or the Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.

Copy quarantined sensor details

Copy information from the Quarantined Sensors page to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Content > Quarantined Sensors.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy.
    • Copy cell information: Hover over the cell, click Options, and click Copy.

Manage sensor results collection

The Tanium Data Service enables you to see stored sensor results for endpoints when you issue a question. After you register sensors for collection, the service issues questions with those sensors to all managed endpoints and caches the results. To keep the results current, the service reissues the questions every 30 minutes. The Interact Question Results grid displays only the latest collected results. For details on displaying the results, see Display results for online and offline endpoints.

When the Tanium Data Service issues questions, they remain open (not expired) on endpoints for the entire 30-minute reissue interval. Therefore, Tanium Clients return updated results to the Tanium Data Service whenever values change for registered sensors. For example, if a client initially returns 50% for the CPU Consumption sensor and consumption subsequently increases to 75%, the client then returns 75%.

When you decide which sensors to register, consider that results collection consumes resources such as network bandwidth, processing on endpoints, and resources on Tanium Cloud or disk space on the Tanium Server. Resource consumption increases with the cardinality of sensors. For example, the IP Address sensor produces a unique result string for each endpoint, whereas the Operating System (OS) sensor produces the same string for all endpoints that have the same OS. In this case, the high cardinality IP Address sensor requires more bandwidth, CPU usage, and storage than the Operating System sensor.

To optimize resource consumption, configure collection only for low cardinality sensors that produce frequently accessed results, such as for daily reports. For example, you might generate reports based on the results of the Applicable Patches sensor to assess the hygiene or security posture of both online and offline endpoints. Conversely, the results of the High CPU Processes sensor fluctuate too much to be reliable for gauging activity on offline endpoints.

For details on monitoring the resource consumption associated with results collection, see Monitor resource usage for sensor results collection.

Tanium Cloud or the Tanium Server automatically registers certain sensors for collection. For example, it automatically registers sensors that identify endpoints or define membership in computer management groups. For the full list, see Sensors that are registered by default.

For the user role permissions required to manage sensor collection, see Tanium Data Service permissions.

To modify the service account that the Tanium Data Service uses to collect sensor results, see Tanium Interact User Guide: Configure the service account.

Display sensor collection registration details

Display the registration status and other details of each sensor:

  1. Go to the Interact Overview page and click Settings.

    In the Registration & Collection tab, the Status column contains a status for all sensors. Status icons include the following:

    Status | Description
    (icon) | The sensor is registered and enabled for collection.
    (icon) | The sensor is registered but collection is disabled.
    (icon) | The sensor is blocked due to high cardinality and cannot be registered.
    (no icon) | The sensor is not registered.

    You can hover the mouse cursor over any icon to see additional information.

    In the far right column, the Actions drop-down contains the available operations for each sensor: register (Add), unregister (Release), pause collection (Disable), resume collection (Enable), and purge results (Purge). Note that you cannot unregister, pause collection, or purge results for the sensors listed under Sensors that are registered by default.

    By default, the sensor grid is filtered to exclude hidden sensors. For details about hidden sensors, see the Hide this sensor from sensor lists and parse results setting in Table 1.

  2. (Optional) To show only specific sensors, click to expand Filters and select from the following options:
    • Category: Show only the sensors that are used in questions that are assigned to dashboards contained in a specific category.
    • Registered: Show only the sensors that are registered and enabled for collection (True), or are not registered (False) for collection.
    • Show Hidden Sensors: Show only the sensors that are hidden (True) or are not hidden (False).
    • Has Parameters: Show only parameterized sensors (True) or non-parameterized sensors (False).
    • Status: Show only sensors that match the corresponding status.

    To clear a filter, select Any in the corresponding field.

  3. (Optional) Enter a text string in the Filter Items field above the grid to filter it by sensor Name or Category.

Register or unregister sensors for collection

After you register or unregister sensors for collection, the Tanium Data Service automatically applies the changes for the next collection, when it issues questions to update the sensor results. Additionally, after you register a sensor for collection, Tanium Cloud or the Tanium Server immediately begins collecting results for the sensor. Registration changes also apply if you manually start collection (see Manually start collection). You cannot unregister sensors that are registered by default.

After you unregister a sensor, the Tanium Data Service purges results for the sensor 30 days later. To purge results sooner so that the Question Results page does not display them, see Purge results for specific sensors.

  1. Go to the Interact Overview page and click Settings.
  2. (Optional) Filter the Registration & Collection tab to find specific sensors. See Display sensor collection registration details.
  3. Perform one of the following actions:
    • Register sensors: Select Actions > Add to register a sensor.

      The Sensor Preview page opens with a preview of the results while the Tanium Data Service checks the cardinality (uniqueness) of the sensor results. For example, a sensor would have high cardinality if it returns an event date/time that typically varies on each endpoint. The Online sensor has low cardinality because it returns only one possible value (True) from all responding endpoints. After the service checks the cardinality, a message indicates if you can register the sensor or if the service blocks registration due to high cardinality. If you can register the sensor, click Confirm and then click Yes to confirm the registration.

      For each parameterized sensor, you can register multiple instances. For each instance, specify the parameters and click Apply.

      Tanium recommends that you do not disable the cardinality check because high cardinality sensors can negatively impact Tanium Server performance. Contact Tanium Support for guidance if you want to disable the cardinality check.
    • Unregister sensors: Select Actions > Release to unregister a sensor.

Pause or resume collection for sensors

When Tanium Cloud or the Tanium Server issues questions to update sensor results, it excludes any paused sensors. You can pause or resume collection for individual sensors without unregistering or re-registering them. When you pause a sensor, the Interact Question Results page continues displaying the last results (if any) that Tanium Cloud or the server collected for that sensor before you paused it. You cannot pause sensors that are registered by default.

  1. Go to the Interact Overview page and click Settings.
  2. (Optional) Filter the Registration & Collection tab to find specific sensors. See Display sensor collection registration details.
  3. Select Actions > Disable to pause collection or Actions > Enable to resume collection for a sensor.

After you resume collection for a sensor, Tanium Cloud or the server immediately begins collecting results for the sensor.

Manually start collection

To keep sensor results up-to-date, Tanium Cloud or the Tanium Server automatically reissues questions to all endpoints and retrieves results continuously. Tanium Cloud or the Tanium Server also collects results immediately for sensors that you register or for which you resume collection.

  1. Go to the Interact Overview page and click Settings.
  2. In the Registration & Collection tab, click Collect Now above the grid.

Purge results for specific sensors

You can purge the results of selected sensors from storage so that the Question Results page does not display them.

You cannot purge the results of sensors that are registered by default.

The Tanium Data Service automatically removes results for endpoints that do not answer questions within the Max Endpoint Age interval. To configure this garbage collection process, see Configure removal of expired sensor results.

  1. Go to the Interact Overview page and click Settings.
  2. (Optional) Filter the Registration & Collection tab to find specific sensors. See Display sensor collection registration details.
  3. Unregister or pause collection for the sensors that you want to purge:
    • Pause collection: Select Actions > Disable.
    • Unregister: Select Actions > Release.
  4. For each sensor that you want to purge, select Actions > Purge and click Confirm.

Configure advanced settings for sensor collection

To collect results for registered sensors, the Tanium Data Service issues questions that contain the sensors. The service issues one batch of questions at a time, downloads the results from the Tanium Server, and writes the results to the Tanium database. The default collection settings prevent the questions from consuming too much network bandwidth and endpoint processing. The default settings also prevent the service from consuming too much Tanium Server memory when downloading and writing results. You can edit the settings as necessary based on the number of sensors that you registered for collection and on the resource limits of your network, endpoints, and Tanium Server.

Contact Tanium Support before modifying the collection settings. Only users with the Administrator reserved role can modify the settings.

To monitor or troubleshoot the sensor collection process, go to the Interact Overview page, click Info, and view the Data Collection metrics in the Data Service Status chart.

  1. Go to the Interact Overview page and click Settings.
  2. Select Service Configuration and configure the following setting in the Collection tab:
     Table 2: Sensor collection process setting
    Setting | Description
    Max Sensors Per Question | Specify the maximum number of single-column sensors in each question that the Tanium Data Service issues to collect results. A single-column sensor returns an answer that the Question Results grid displays in a single column. The default is 30 sensors per question.

    The service applies a non-configurable limit of one multi-column sensor per question.

Configure removal of expired sensor results

When the Tanium Data Service stores results, it maps them to each endpoint and evaluates their expiration age relative to when the endpoint last returned updates. This means that if multiple endpoints returned the same results but at different times, the garbage collection process removes only the results for endpoints that did not return updates within the expiration interval (Max Endpoint Age). You can edit garbage collection settings as necessary based on the growth rate for result strings and the available resources (storage space and memory) in your deployment. To monitor string growth and determine which sensors are generating the most strings, see Monitor resource usage for sensor results collection.

Contact Tanium Support before modifying garbage collection settings. Only users with the Administrator reserved role can modify the settings.

To monitor or troubleshoot the garbage collection process, go to the Interact Overview page, click Info, and view the Garbage Collection metrics in the Data Service Status chart. For example, the chart displays an error for the process if it times out before removing all the expired results.

  1. Go to the Interact Overview page and click Settings.
  2. Select Service Configuration > Garbage Collection and configure the following settings:
     Table 3: Garbage collection settings for sensor results
    Setting | Description
    Garbage Collection Interval | Specify how frequently the Tanium Data Service checks which results have expired and removes them. The units are minutes and the default is 15.
    Garbage Collection Timeout | Specify how long the garbage collection process runs before timing out. The units are minutes and the default is 30. While the process is running, the Tanium Data Service delays any pending updates to the stored results. Be sure to specify enough time to remove all the expired results without delaying updates to a degree that significantly affects users who need to see the latest results. If the garbage collection process times out before removing all the expired results, it resumes the removal at the next Garbage Collection Interval.
    Max Endpoint Age | Specify the expiration age of the collected results. For each endpoint, the Tanium Data Service evaluates the age of its results based on when the endpoint last returned updates for any sensors. The units are days and the default is 30. The garbage collection process removes the entries for any endpoints and their associated results from storage if those endpoints have not answered sensor collection questions within the Max Endpoint Age interval.
    Reference Sensor Name | Specify the sensor that the Tanium Data Service uses to identify endpoints when evaluating which results have expired based on the Max Endpoint Age. The default sensor is Computer ID. The best practice is to use one of the following endpoint identification (EID) sensors because they are updated most frequently: Computer ID, Computer Name, or Endpoint Fingerprint.
    Computer Group Max Endpoint Age | For each computer group, you can specify the expiration age of the collected results. Use this option to set lower expiration ages than the value specified in Max Endpoint Age. Note that any values that you set in Computer Group Max Endpoint Age do not override the value set in Max Endpoint Age; whichever value is lower triggers the garbage collection process. The units are hours.

Troubleshoot sensor collection

To determine whether sensor collection is consuming too much network bandwidth, processing on endpoints, or Tanium Cloud or Tanium Server resources, see Monitor resource usage for sensor results collection.

To troubleshoot other sensor collection issues, see:

  • Tanium Core Platform Deployment Reference Guide: Tanium Data Service logs: The logs indicate when the Tanium Server issued each question to collect results, the question ID, and information about each sensor in the question.
  • Question history: In the Administration > Content > Question History page, use the question ID (Harvesting qid) from the Tanium Data Service logs to find specific questions that the Tanium Server issued to collect sensor results.

Sensors that are registered by default

There are certain Tanium Core Platform sensors that are registered for collection by default, including the following examples. After you install Interact, the Tanium Data Service immediately begins collecting and storing results for the registered sensors. You cannot unregister, pause collection, or purge results for these sensors.

  • Endpoint identifier (EID) sensors:
    • Computer ID
    • Computer Name
    • Computer Serial Number
  • Sensors that define membership in computer management groups:
    • Chassis Type
    • Computer Name
    • Is AIX
    • Is Linux
    • Is Mac
    • Is Solaris
    • Is Virtual
    • Is Windows
    • Operating System
    • Operating System Generation
    • Windows OS Release ID
    • Windows OS Type

Certain Tanium modules include additional sensors that are registered by default when you import the modules.

If some sensors that define computer group membership are not yet available in your deployment, you can import them through the content-only solution Default Computer Groups. See Managing Tanium solutions.