Managing sensors

Sensors overview

A sensor is a script that runs on an endpoint to compute a response to a Tanium question. Tanium as a Service (TaaS) The Tanium Server distributes sensors to endpoints during Tanium Client registration. Sensors enable you to ask questions that collect information such as the following:

  • Hardware and software inventory and configuration
  • Running applications and processes
  • Files and directories
  • Network connections

TaaS provides The installation process for the Tanium Server automatically imports the Tanium™ Default Content and Tanium™ Interact content packs that include sensors for a wide range of common questions. Other Tanium solutions that you import might provide more sensors, depending on which Tanium content packs or Tanium solution modules you import. If you cannot find a sensor that you need within Tanium-provided content, you can create custom sensors.

A sensor configuration includes settings, script content, and script parameters. Sensors use industry-standard scripting languages rather than proprietary coding syntax. The best practice is for sensors to use the scripting engine available on the largest number of managed endpoints. On Windows endpoints, VBScript typically provides the most comprehensive out-of-the-box coverage because it is installed by default in every desktop release of Microsoft Windows since Windows 98 and in every Windows Server release since Windows NT 4.0 Option Pack. On macOS and Linux endpoints, shell script generally provides the most comprehensive out-of-the-box coverage. Of course, you can develop sensors using any other scripting language that the operating system supports (such as PowerShell on Windows), as long as the associated scripting engine already exists on the endpoint, or you can deploy and configure the engine on the endpoints that do not have it installed. You cannot edit the configurations of Tanium reserved sensors, which are core system sensors that include Computer Name, Action Statuses, Computer ID, and Download Statuses.

For the role permissions required to manage sensors, see Content management permissions.

View sensor configurations and runtime metrics

To see sensor configuration settings and runtime metrics:

  1. From the Main menu, select Administration > Content > Sensors.

    To help you assess the impact that sensors have on endpoint resources, the top of the page displays Sensor Runtime Metrics. For each runtime threshold, the metrics indicate the number of sensors that exceeded it, the average runtime for those sensors, and the maximum runtime for any of those sensors. The Overall metrics indicate the average and fastest runtimes among all the sensors. For details and tasks related to runtime thresholds and indicators, see Managing question and sensor thresholds.

    Below the runtime metrics, the grid shows the configuration settings of each sensor.

  2. (Optional) Use the text field above the grid to filter by sensor name or use the Filter Results options to filter by Runtime thresholds, Content Set, Category (such as module, tags, or SQL), and user (Modified by). You can also click the Sensor Runtime Metrics to filter the grid based on sensors that exceeded the High, Medium, or Low runtime thresholds.

Edit a sensor

As a best practice, do not edit predefined sensors that are provided through content packs imported from Tanium. For details, see Tip 4: Limit customizations to Tanium content. Consult your Technical Account Manager (TAM) if editing the Tanium-provided sensors is necessary. Alternatively, you can clone Tanium-provided sensors (see Clone a sensor) and edit the copies. You can also edit custom sensors that you created from scratch. To edit a sensor:

  1. From the Main menu, select Administration > Content > Sensors.
  2. Use the search and column sorting features to find the sensor that you want to edit.
  3. Select the sensor row, click Edit, and configure the settings described in Table 1.
  4. Save your changes.

Move sensors between content sets

You can move sensors between content sets as necessary to accommodate changes to the role-based access control (RBAC) configuration of your Tanium deployment. For example, you might want to move certain sensors to a content set that only highly privileged users can access.

  1. From the Main menu, select Administration > Content > Sensors.
  2. Use the search and column sorting features to find the sensor that you want to move.
  3. Select the sensor row and select Move to Content Set > <content_set_name>.

Clone a sensor

Cloning is useful when you need to:

  • Create a modified version of a predefined sensor from a Tanium content pack. As a best practice, do not modify the original Tanium sensor.
  • Create a new sensor with settings that differ only slightly from an existing sensor; this is often easier than creating a new sensor from scratch.

Perform the following steps to clone a sensor:

  1. From the Main menu, select Administration > Content > Sensors.
  2. Use the search and column sorting features to find the sensor that you want to clone.
  3. Select the sensor row, click Clone, and configure the settings as described in Table 1.
  4. Save your changes.

Create a sensor

  1. From the Main menu, select Administration > Content > Sensors.
  2. Click New Sensor and complete the configuration as described in Table 1.
  3. Save the configuration.
Table 1:   Sensor configuration guidelines
Settings Guidelines
Name Specify a configuration name. The name appears in sensors lists on the Tanium Console. Observe the existing naming scheme so that you and other administrators can find it easily. Do not use an underscore character (_), which is a delimiter for sensor sub-columns. If the sensor name has an underscore, sensor-sourced packages cannot use the sensor as a sensor variable.

Important: If you change the sensor name, be sure to reconfigure content that references it. For example, you must update the sensor name in any saved questions that are configured with the previous name.

Description Enter a description. Include examples of formatted results. The description appears in the Sensors page and in the Browse Sensors dialog of the Question Builder.
Content Set Assign to a content set. The list is populated with all content sets for which you have Write Sensor permission.
Category Specify one of the categories that appears on the Sensors page and in the Browse Sensors dialog of the Question Builder.
Result Type The Question Results grid treats values that the sensor returns as the type of data you specify:
  • Date/Time (RFC822)
  • Date/Time (WMI)
  • File Size
  • Integer
  • IP Address
  • Numeric
  • Text
  • Time Duration
  • Version
Max Sensor Age Enter the maximum time for which the Tanium Client can use a cached result for this sensor when answering questions that use the sensor. For example, the maximum data age for the File Size sensor is 15 minutes by default. When a Tanium Client receives a question that executes the File Size sensor, it caches the result. Over the next 15 minutes, if the Tanium Client receives a question that includes the File Size sensor, it responds with the cached answer. After 15 minutes, if the Tanium Client receives a question that includes the File Size sensor, it executes the sensor script again to compute a fresh answer.

Use shorter ages for sensors that return values that change frequently, such as status and utilization sensors. Use longer ages for values that typically change infrequently, such as the chassis type or Active Directory domain membership.

The Max Sensor Age affects only the results cache on the Tanium Client, not the results cache that the Tanium™ Data Service stores on the Tanium Server (see Manage sensor results collection).

Set Max String Age If you want to reduce the impact that question results have on Tanium Server disk space, select Enable and specify the maximum age that answer strings can reach before the server removes them. The default is one week. The string age is based on the number of minutes since the Tanium Server last used the string or received it from Tanium Clients. For details, see Manage sensor string growth.

The Max String Age does not apply to the results cache that the Tanium Data Service stores on the Tanium Server (see Manage sensor results collection).

Set Max Strings If you want to reduce the impact that question results have on Tanium Server disk space, select Enable and enter the maximum number of answer strings that the server stores for this sensor before removing the oldest strings. The server includes the string count for temporary sensors when calculating the string count for their source sensors. The default is 0, which specifies no limit. The string age is based on when the Tanium Server last used the string or received it from Tanium Clients.

Important: When limiting string growth, the best practice is to set the Max Strings Age instead of the Max Strings (see Manage sensor string growth). In extreme cases that might require a string count limit for individual sensors, consult your TAM before setting the Max Strings.

The Max Strings does not apply to the results cache that the Tanium Data Service stores on the Tanium Server (see Manage sensor results collection).

Ignore case in result values Group and count result values regardless of differences in upper-case and lower-case characters.
Hide this sensor from sensor lists and parse results Select this option if you want sensor lists throughout the user interface to exclude the object.
Split into multiple columns using delimiter (Multi-column sensors only) If the sensor script returns multiple results, display them in multiple columns on the Question Results grid. Specify the delimiter character used to separate result values in the script. Enter column names and corresponding result types, and arrange them in the order you want them displayed in the results grid. Select the Hide option to hide the column from the default view of the results grid. The following figure shows the settings for the Running Applications sensor.

Multi-column sensor settings

Note: When creating questions that filter multi-column sensors, single-column filtering works only if the sensor definition specifies column delimiters with a single character (such as |), not multiple characters (such as |:).

Scripts For each target platform:
  1. Click + to add a target platform.
  2. Set the Query Type to the desired scripting engine.
  3. Paste in script text.
Parameter Inputs (Parameterized sensors only) Click + and then Add Parameter to configure a parameter. Options include:
  • Checkbox—User enables a setting by checking a box. 0 or 1 is entered into the variable. Returns 1 if checked and 0 if not checked.
  • Date, Date Time, Date Time Range—User selects a date and time or a range. The date time format is epoch with milliseconds. For a range, the user specifies two date times separated by a pipe.
  • Drop Down List—User selects only one option from a list.
  • List—User selects one or more values. Multiple values are separated by a pipe.
  • Numeric—User enters a number. The input can be controlled with minimum and maximums. You can specify a Step Size to require that the input be divisible by the specified value. Snap Interval is the amount that a number is increased or decreased by pressing the up or down button respectively. The value for Step Size should be a multiple of the value for Snap Interval unless Snap Interval is 0. The user-selected number is entered into the variable.
  • Numeric Interval—User selects a number and an item from a list. The list item has a numeric value. The value entered into the variable is the result of the multiplication. For example, if a user selects 2 and selects High (with high having a value of 3), the value is 6 in the variable.
  • Plugin—Not intended for use by most users. Contact your TAM for additional information about its use.
  • Separator—A separator is a graphical way to separate sections in the user input form.
  • Text Area—User enters a large amount of text. The text is entered into the variable.
  • Text Input—User enters text input. Allowed entries can be controlled with regular expressions. The user input is entered into the variable.
  • Time—User selects a time from a drop-down list. The input can be subject to restrictions.
Sensor Preview Select a computer group or click Add to build one and then click Preview to see test results for the sensor.

Export or import a sensor configuration

As a best practice, develop and test content in your lab environment before distributing it to your production servers. The Tanium Console import and export features support this practice.

Export specific sensors

  1. From the Main menu, select Administration > Content > Sensors.
  2. Select one or more sensors and click Export in the toolbar above the table header.
  3. Enter a File Name or accept the default, and then click OK. TaaS The Tanium Server exports the content file to the Downloads folder on the system you use to access the Tanium Console.

Export the complete sensors configuration

  1. From the Main menu, select Administration > Content > Sensors.
  2. Click Export All in the table header.

    Alternatively, or if you want to export other configuration objects in addition to sensors, go to any Administration > Content or Administration > Permissions page, click Export Content in the top right of the Tanium Console, select Sensors and any other object types, select the Export Format (JSON or XML), and click Export.

  3. Enter a File Name or accept the default, and then click OK. TaaS The Tanium Server exports the content file to the Downloads folder on the system you use to access the Tanium Console.

Import a sensors configuration

You can import files that are in JSON or XML format.

  1. Digitally sign the content file and ensure a public key is in place to validate the signature, as described under Authenticating content files.
  2. From the Main menu, select any Administration > Content or Administration > Permissions page and click Import Content at the top right of the page.
  3. Click Choose File, find and select the configuration file, and click Open.
  4. Click Import. If object names in the file are the same as for existing objects, the Tanium Console itemizes the conflicts and provides resolution options for each one.
  5. Select resolutions for any conflicts. For guidance, see Conflicts and Best practices, or consult your TAM.
  6. Click Import again, and click Close when the import finishes.

Manage sensor quarantines

Overview of sensor quarantines

Tanium Client 7.2 or later supports sensor quarantines which, when enforced, prevent a sensor from running for the current question or action if that sensor exceeded the runtime timeout during a previous question or action. Enforcing quarantines is useful for limiting the impact on endpoint resources, such as CPU utilization, when questions and actions use excessively long-running sensors. The non-configurable timeout is set to one minute. By default, quarantines are not enforced: after a sensor exceeds the timeout and stops running, the sensor will have quarantined status but will still run for future questions or actions until it completes or times out. In this case, the Tanium Client uses the quarantined status just to record that the sensor timed out. Regardless of whether you enable enforcement, the Tanium Client stops any sensor at the moment it exceeds the timeout. You can enable or disable quarantine enforcement for all clients through a global setting. However, each client quarantines sensors and enforces the quarantines independently, so a sensor might be quarantined on some endpoints and not on others.

When a Tanium Client quarantines a sensor, the Tanium Console displays the following message in the Question Results grid: TSE-Error: Sensor evaluation timed out. When you issue a question that uses a sensor that is already quarantined and enforcement is enabled, the Question Results grid displays TSE-Error: The sensor is quarantined. The Tanium Client adds entries to the client logs and sensor history logs when it quarantines a sensor or prevents an already quarantined sensor from running.

If temporary sensors exceed the one-minute timeout, the Tanium Client quarantines the original sensor as well as all current and future temporary sensors that are based on the original sensor.

When enforcement is enabled, quarantined sensors do not run when you use them for targeting endpoints, even if the sensors are members of computer groups. However, quarantined sensors might skew the targeting of a question that has a vague from clause, such as from all machines with Is Windows not equals true. In this case, Windows endpoints on which the Is Windows sensor is quarantined would match the condition not equals true because their response would be TSE-Error: The sensor is quarantined rather than true. As a best practice to avoid such outcomes, make the target clause as specific as possible and do not use negative matching conditions such as not equals true.

View quarantined sensors

From the Main menu, select Administration > Content > Sensors > Quarantined Sensors to see details about the sensors that have quarantined status. The page displays the same Sensor Runtime Metrics and filtering options as the Sensor Management page (see View sensor configurations and runtime metrics).

Add a sensor to quarantine

You can manually quarantine a sensor on an endpoint if you anticipate that running the sensor will negatively affect the endpoint.

Quarantining a sensor does not automatically enable quarantine enforcement; only the EnableSensorQuarantine global setting controls enforcement.

  1. In the URL field of the browser that you use to access the Tanium Console, enter https://<Tanium_Server>/hash/<sensor>. For the <Tanium_Server>, enter the FQDN or IP address of the Tanium Server. The <sensor> must match the sensor name that the Tanium Console displays with respect to capitalization and spaces.

    The browser displays the hash value associated with the sensor.

  2. Access the operating system CLI on the endpoint and change directory (cd) to the Tanium Client installation folder.
  3. Enter the following command.

    TaniumClient quarantine add <sensor_hash>

Remove sensors from quarantine

You can use the Tanium Console to unquarantine a sensor on some or all endpoints if you imported Default Content (previously Initial Content - Base) version 7.1.10.0000 or later (see Manage Tanium shared services and content packs). After you unquarantine a sensor, the Tanium Client allows it to run for subsequent questions and actions, but will stop and quarantine the sensor again if it exceeds the timeout.

If you modify a sensor, Tanium Clients that receive its new definition will automatically unquarantine that sensor.

TaaS The Tanium Server cannot unquarantine sensors on endpoints that are offline. If you know that some endpoints might come online only at a later time, consider scheduling an action that uses the Un-Quarantine Sensor or Un-Quarantine Sensor (Non-Windows) package (see Deploying actions).

  1. From the Main menu, select Administration > Content > Sensors > Quarantined Sensors.
  2. Select the sensors and click Unquarantine.
  3. Select the Action Group that includes the endpoints where you want to unquarantine the sensors.
  4. Preview the affected endpoints and then click Unquarantine.

Enable or disable enforcement of quarantined sensors

After you enable quarantine enforcement, Tanium Clients do not answer questions that use quarantined sensors and those sensors do not run for actions. After you disable enforcement, clients still quarantine sensors and log quarantine events, but do not prevent those sensors from running.

Your user account must have a role with the Write Global Settings (micro admin) permission to enable or disable quarantine enforcement. Users with the Administrator reserved role have this permission.

The first time you enable enforcement, you must add the EnableSensorQuarantine setting to the global settings on the Tanium Server as follows. By default, enforcement is disabled and the setting does not appear in the Tanium Console. After you add the setting, the Tanium Server applies it to all Tanium Clients.

  1. Access the Tanium Console.
  2. From the Main menu, select Administration > Management > Global Settings, and click New Setting.
  3. Enter the following values and click Save.
    • Setting Name = EnableSensorQuarantine
    • Setting Value = 1
    • Affects = Client
    • Value Type = Numeric

Perform the following steps if you want to change the enforcement setting after adding it to the global settings:

  1. From the Main menu, select Administration > Management > Global Settings.
  2. Select EnableSensorQuarantine, click Edit, set the value to 1 to enable enforcement or 0 to disable enforcement, and click Save.

If you want to change the enforcement setting in specific Tanium Clients instead of all clients, add or edit the EnableSensorQuarantine setting in the local configuration of those clients (see Tanium Client User Guide: Tanium Client settings).

Manage sensor results collection

The Tanium Data Service enables you to see stored sensor results for endpoints that are offline at the moment you issue a question. After you register sensors for collection, the service queries all managed endpoints to collect the results of those sensors and store them in the Tanium database. To keep the results current, the service periodically reissues questions that contain the registered sensors. The Interact Question Results grid displays only the latest collected results. For details on displaying the results, see Display results for online and offline endpoints.

When you decide which sensors to register, consider that results collection consumes resources such as network bandwidth, processing on endpoints, and disk space on the Tanium Server. Resource consumption increases with the cardinality of sensors. For example, the IP Address sensor produces a unique result string for each endpoint, whereas the Operating System (OS) sensor produces the same string for all endpoints that have the same OS. In this case, the high cardinality IP Address sensor requires more bandwidth, CPU usage, and storage than the Operating System sensor.

To optimize resource consumption, configure collection only for low cardinality sensors that produce frequently accessed results, such as for daily reports. For example, you might generate reports based on the results of the Applicable Patches sensor to assess the hygiene or security posture of both online and offline endpoints. Conversely, the results of the High CPU Processes sensor fluctuate too much to be reliable for gauging activity on offline endpoints.

For details on monitoring the resource consumption associated with results collection, see Monitor resource usage for sensor results collection.

The Tanium Server automatically registers certain sensors for collection. For example, the server automatically registers sensors that identify endpoints or define membership in computer management groups. For the full list, see Sensors that are registered by default.

For the user role permissions required to manage sensor collection, see Tanium Data Service permissions.

To modify the service account that the Tanium Data Service uses to collect sensor results, see Tanium Interact User Guide: Configure the service account.

The Max Sensor Age, Max String Age, and Max Strings settings in sensor configurations do not apply to the sensor results that the Tanium Data Service collects and stores. For details about these settings, see Table 1.

Display sensor collection registration details

Display the registration status and other details of each sensor:

  1. Go to the Interact Home page and click Settings Settings.

    In the Registration & Collection tab, the Registered column displays True for sensors that are registered and enabled for collection. The column displays False for sensors that are not registered or that are registered but disabled (collection is paused).

    In the far right column, the Actions drop-down displays the available operations for each sensor: register (Add), unregister (Release), pause collection (Disable), resume collection (Enable), and purge results (Purge). Note that you cannot unregister, pause collection, or purge results for the sensors listed under Sensors that are registered by default.

    By default, the sensor grid is filtered to exclude hidden sensors. For details about hidden sensors, see the Hide this sensor from sensor lists and parse results setting in Table 1.

    Click the Name of a sensor to edit its configuration.

  2. (Optional) To display only specific sensors, click Advanced Filters and select from the following options:
    • Category: Display only the sensors that are used in questions that are assigned to dashboards contained in a specific category.
    • Registered: Display only the sensors that are registered and enabled for collection (True), or are not registered (False) for collection.
    • Hidden: Display only the sensors that are hidden (True) or are not hidden (False).
    • Has Parameters: Display only parameterized sensors (True) or non-parameterized sensors (False).
  3. (Optional) Enter a text string in the Filter Items field above the grid to filter it by sensor Name or Category.

Register or unregister sensors for collection

After you register or unregister sensors for collection, the Tanium Data Service automatically applies the changes for the next Collection Interval (see Configure advanced settings for sensor collection), when it issues questions to update the sensor results. The changes also apply if you Manually start collection. You cannot unregister sensors that are registered by default.

Unregistering a sensor does not remove its existing results from the Tanium Data Service storage. To purge results from storage so that the Question Results page does not display them, see Purge results for specific sensors.

  1. Go to the Interact Home page and click Settings Settings.
  2. (Optional) Filter the Registration & Collection tab to find specific sensors: see Display sensor collection registration details.
  3. Perform one of the following actions:
    • Register sensors: Select Actions > Add to register a sensor.

      For each parameterized sensor, you can register multiple instances. For each instance, specify the parameters and click Apply.

    • Unregister sensors: Select Actions > Release to unregister a sensor.

Pause or resume collection for sensors

When the Tanium Server issues questions to update sensor results, it excludes any paused sensors. You can pause or resume collection for individual sensors without unregistering or re-registering them. When you pause a sensor, the Interact Question Results page continues displaying the last results (if any) that the server collected for that sensor before you paused it. You cannot pause sensors that are registered by default.

  1. Go to the Interact Home page and click Settings Settings.
  2. (Optional) Filter the Registration & Collection tab to find specific sensors: see Display sensor collection registration details.
  3. Select Actions > Disable to pause collection or Actions > Enable to resume collection for a sensor.

Manually start collection

To keep sensor results up-to-date, the Tanium Server automatically reissues questions to all endpoints at every Collection Interval (hourly by default). However, you might want to manually start the collection process for sensors that you recently registered before the next interval. Note that manual collections do not affect the Collection Interval schedule (see Configure advanced settings for sensor collection).

  1. Go to the Interact Home page and click Settings Settings.
  2. In the Registration & Collection tab, click Collect Now above the grid.

Purge results for specific sensors

You can purge the results of selected sensors from storage so that the Question Results page does not display them.

You cannot purge the results of sensors that are registered by default.

The Tanium Data Service automatically removes results for endpoints that do not answer questions within the Max Endpoint Age interval. To configure this garbage collection process, see Configure removal of expired sensor results.

  1. Go to the Interact Home page and click Settings Settings.
  2. (Optional) Filter the Registration & Collection tab to find specific sensors: see Display sensor collection registration details.
  3. Unregister or pause collection for the sensors that you want to purge:
    • Pause collection: Select Actions > Disable.
    • Unregister: Select Actions > Release.
  4. For each sensor that you want to purge, select Actions > Purge and click Confirm.

Configure advanced settings for sensor collection

To collect results for registered sensors, the Tanium Data Service issues questions that contain the sensors. The service issues one batch of questions at a time, downloads the results from the Tanium Server, and writes the results to the Tanium database. The default collection settings prevent the questions from consuming too much network bandwidth and endpoint processing. The default settings also prevent the service from consuming too much Tanium Server memory when downloading and writing results. You can edit the settings as necessary based on the number of sensors that you registered for collection and on the resource limits of your network, endpoints, and Tanium Server.

Do not modify the collection settings without first consulting your TAM. Only users with the Administrator reserved role can modify the settings.

To monitor or troubleshoot the sensor collection process, select Interact > Info and view the Data Collection metrics in the Data Service Status chart.

  1. Go to the Interact Home page and click Settings Settings.
  2. Select Service Configuration and configure the following settings in the Collection tab:
    Table 2:   Sensor collection process settings
    SettingDescription
    Collection IntervalSpecify how frequently the Tanium Data Service runs the process to collect results for registered sensors. The units are minutes and the default is 60 (one hour).
    Poll IntervalSpecify how frequently the Tanium Data Service checks for results for each issued question. The units are seconds and the default is 30.
    Poll TimeoutSpecify the amount of time that must pass, starting from when the Tanium Data Service last received new results for questions, before it stops checking for new results. The units are seconds and the default is 60 (1 minute).
    Max Sensors per QuestionSpecify the maximum number of single-column sensors in each question that the Tanium Data Service issues to collect results. A single-column sensor returns an answer that the Question Results grid displays in a single column. The default is 30 sensors per question. When you configure this setting, consider how it combines with the Max Concurrent Questions to affect resource consumption during collection.

    The service applies a non-configurable limit of one multi-column sensor per question.

    Max Concurrent QuestionsSpecify the maximum number of questions that the Tanium Data Service issues simultaneously in each batch to collect results. The default is 10 questions. When you configure this setting, consider how it combines with the Max Sensors per Question to affect resource consumption during collection.
    Results Download Page SizeSpecify the maximum number of endpoints for which the Tanium Data Service downloads results from the Tanium Server during collection. The default is 10,000. The purpose of this setting is to optimize memory usage for the service and server by preventing them from processing too large a data set for any single download.

Configure removal of expired sensor results

When the Tanium Data Service stores results, it maps them to each endpoint and evaluates their expiration age relative to when the endpoint last returned updates. This means that if multiple endpoints returned the same results but at different times, the garbage collection process removes only the results for endpoints that did not return updates within the expiration interval (Max Endpoint Age). You can edit garbage collection settings as necessary based on the growth rate for result strings and the available resources (storage space and memory) in your deployment. To monitor string growth and determine which sensors are generating the most strings, see Monitor resource usage for sensor results collection.

Do not modify garbage collection settings without first consulting your TAM. Only users with the Administrator reserved role can modify the settings.

To monitor or troubleshoot the garbage collection process, select Interact > Info and view the Garbage Collection metrics in the Data Service Status chart. For example, the chart displays an error Error for the process if it times out before removing all the expired results.

  1. Go to the Interact Home page and click Settings Settings.
  2. Select Service Configuration > Garbage Collection and configure the following settings:
    Table 3:   Garbage collection settings for sensor results
    SettingDescription
    Garbage Collection IntervalSpecify how frequently the Tanium Data Service checks which results have expired and removes them. The units are minutes and the default is 15.
    Garbage Collection TimeoutSpecify how long the garbage collection process runs before timing out. The units are minutes and the default is 5. While the process is running, the Tanium Data Service delays any pending updates to the stored results. Be sure to specify enough time to remove all the expired results without delaying updates to a degree that significantly affects users who need to see the latest results.

    If the garbage collection process times out before removing all the expired results, it resumes the removal at the next Garbage Collection Interval.

    Max Endpoint AgeSpecify the expiration age of the collected results. For each endpoint, the Tanium Data Service evaluates the age of its results based on when the endpoint last returned updates for any sensors. The units are days and the default is 30. The garbage collection process removes the entries for any endpoints and their associated results from storage if those endpoints have not answered sensor collection questions within the Max Endpoint Age interval.
    Reference Sensor NameSpecify the sensor that the Tanium Data Service uses to identify endpoints when evaluating which results have expired based on the Max Endpoint Age. The default sensor is Computer ID. The best practice is to use one of the following endpoint identification (EID) sensors because they are updated most frequently: Computer ID, Computer Name, or Computer Serial Number.

Troubleshoot sensor collection

To determine whether sensor collection is consuming too much network bandwidth, processing on endpoints, or Tanium Server resources, see Monitor resource usage for sensor results collection.

To troubleshoot other sensor collection issues, see:

  • Tanium Core Platform Deployment Reference Guide: Tanium Data Service logs: The logs indicate when the Tanium Server issued each question to collect results, the question ID, and information about each sensor in the question.
  • Question history: In the Administration > Question History page, use the question ID (Harvesting qid) from the Tanium Data Service logs to find specific questions that the Tanium Server issued to collect sensor results.

Sensors that are registered by default

The following Tanium Core Platform sensors are registered for collection by default. After you install Interact, the Tanium Data Server immediately begins collecting and storing results for the registered sensors. You cannot unregister, pause collection, or purge results for these sensors.

Certain Tanium modules include additional sensors that are registered by default when you import the modules.

If some sensors that define computer group membership are not yet available in your deployment, you can import them through the Default Computer Groups content pack: see Manage Tanium shared services and content packs.

  • Endpoint identifier (EID) sensors:
    • Computer ID
    • Computer Name
    • Computer Serial Number
  • Sensors that define membership in computer management groups:
    • Chassis Type
    • Computer Name
    • Is AIX
    • Is Linux
    • Is Mac
    • Is Solaris
    • Is Virtual
    • Is Windows
    • Operating System
    • Operating System Generation
    • Windows OS Release ID
    • Windows OS Type