Managing computer groups

Computer groups overview

A computer group defines a set of endpoints that you want to manage as a group with respect to operations that Tanium users and modules perform. For example, you can define a computer group that includes all endpoints that are in a data center, and assign the group only to users who will issue questions and deploy actions to data center endpoints. Computer groups are also the building blocks of action groups, which filter the target endpoints for actions (see Managing action groups). Furthermore, you can use computer groups to filter various lists in the Tanium Console, such as on the Administration > Users page. Based on the permissions that you want users to have when querying sets of endpoints, you can create the following types of computer groups:

Computer management group

A Tanium user can view question results from, and deploy actions to, only those endpoints that belong to a computer management group that is assigned to the user persona selected for the current session. Roles do not control access to computer management groups, but roles do control which content is available to the user for questions and actions. For example, you might want a user to see the processes running on endpoints in a data center. You must assign that user a role with Read Sensor permissions on the content set containing the Running Processes sensor, and also assign the user a computer management group that contains the data center endpoints. The following figure illustrates the relationship between computer management groups and other Tanium RBAC components.

[Figure: computer management groups]

Computer filter group

Tanium users use computer filter groups as filters in questions (see Use filter groups) and question results (see Filter question results). Users acquire permissions for a filter group when you assign it to a content set, grant filter group permissions to that content set in an advanced role or module role, and assign the role to the personas of users or user groups. The following figure shows an example of an advanced role that grants Read Filter Group and Write Filter Group permissions to the Default Filter Groups content set:

[Figure: computer filter groups]

Users cannot receive question results from endpoints in a filter group unless those endpoints also belong to a computer management group and you assign that management group to users or user groups.

You can configure computer groups to function as both management groups and filter groups. The reserved computer groups All Computers and No Computers function as both types. These reserved groups are in the Reserved content set, and you cannot edit them. When you first log into the Tanium Console after a fresh installation of the Tanium Server, the server automatically imports additional predefined computer groups that function as both filter groups and management groups; Tanium as a Service (TaaS) also provides these predefined groups. See Default computer groups.

Use the Administration > Computer Groups page to view, create, clone, edit, and delete both management groups and filter groups. To manage only filter groups, you can also use the Content > Filter Groups page (see Managing filter groups). After creating a computer group of either type, you cannot change its membership definition.

For the role permissions required to manage computer groups, see RBAC management permissions.

In Tanium Core Platform 7.3 or earlier, all computer groups bestow both management and filtering permissions. After you upgrade to version 7.4 or later, the Tanium Server automatically creates a management group and filter group for each computer group that existed on the pre-upgrade server. However, this automatic duplication does not occur for computer groups of either type that you add after the upgrade.

To understand the interaction between computer management groups and filter groups, and how best to use them, it is important to understand how Tanium Clients process questions. Figure 1 illustrates an example of how computer group and role assignments control what question results a user can receive and filter. In this example, the user persona is assigned computer management groups that contain branch office endpoints, and therefore the user can ask a question that determines which of those endpoints require Windows security patches. However, for security reasons, the management groups exclude headquarters endpoints because the user is not authorized to see information from those endpoints. The user issues the question Get Computer Name and Security Patches Needed Above Threshold equals yes from all machines with Country Code equals 44. All Tanium Clients that are online receive the question and process its components in the following order:

  1. Computer group management permissions

    Each Tanium Client first evaluates whether it belongs to a computer management group that is assigned to the persona used to issue the question. If no, the client does not process the question further, and does not add its answer to the answer message.

    In the example, only the clients in the UK and France management groups (UK_1 to UK_4 and FRA_1 to FRA_4) continue processing the question. Note that because Windows and macOS are filter groups, they are assigned to a content set (Default). Even though the user persona has a role (euro_admin) that provides access to that content set, filter groups bestow only filtering permissions, not the permission to receive answers from clients. Therefore, Windows and macOS clients HQ_1 to HQ_4 do not continue processing the question. The other Windows and macOS clients continue to process the question, but only because they are also members of the UK and France management groups.

  2. Target filter (from) clause

    The from clause specifies whether question results are required from all Tanium Clients (from all machines) or only from clients that evaluate the filtering sensor to true. Optionally, you can use the Is <computer_group> sensor to base the filter on a filter group.

    In the example, only the UK clients match the target filter clause from all machines with Country Code equals 44 and continue to process the question.

  3. Select statement (get) clause

    The get clause specifies the sensors that Tanium Clients run to answer the question. If the select statement has a filter, clients do not process it; only the Tanium Server processes select statement filters after receiving the answers. The Tanium Console then displays the answers in the Question Results grid.

    In the example, the UK clients run the select statement sensors Computer Name and Security Patches Needed Above Threshold, and add their output to the answer message. Because equals yes is a filter for the select statement Security Patches Needed Above Threshold, the Tanium Server processes that filter after receiving the answers from all the UK clients. The Tanium Console then displays results only for UK clients that need more than the threshold number of security patches.

In the example, the user then decides to display results only for endpoints that run Windows, and therefore selects the Windows filter group in the Computer Group drop-down list. The Tanium Server reissues the question using both Country Code equals 44 and Is Windows in the target filter clause. Only Tanium Clients UK_1 and UK_3 match both filters, and so the Tanium Console then displays results only for those clients.

Figure 1: Computer management groups and filter groups
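
The processing order described above, modeled as an added Python example (this is not Tanium code or a Tanium API). The endpoint attributes, the patch values, the reduced endpoint list, and the choice to give HQ_1 and HQ_2 Country Code 44 are constructed, to show that the management group check, not the target filter, is what keeps headquarters answers out of the results.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Endpoint:
    name: str
    site: str     # UK, FRA or HQ
    country: str  # Country Code sensor output
    os: str
    patches: str  # Security Patches Needed Above Threshold output

# Constructed sample data. HQ_1 and HQ_2 deliberately match Country Code 44.
ENDPOINTS = [
    Endpoint("UK_1", "UK", "44", "Windows", "yes"),
    Endpoint("UK_2", "UK", "44", "macOS", "no"),
    Endpoint("UK_3", "UK", "44", "Windows", "yes"),
    Endpoint("UK_4", "UK", "44", "macOS", "yes"),
    Endpoint("FRA_1", "FRA", "33", "Windows", "yes"),
    Endpoint("FRA_2", "FRA", "33", "macOS", "no"),
    Endpoint("HQ_1", "HQ", "44", "Windows", "yes"),
    Endpoint("HQ_2", "HQ", "44", "macOS", "yes"),
]
# Groups modeled as dynamic membership: a predicate each client evaluates.
MANAGEMENT_GROUPS = {"UK": lambda e: e.site == "UK", "France": lambda e: e.site == "FRA"}
FILTER_GROUPS = {"Windows": lambda e: e.os == "Windows", "macOS": lambda e: e.os == "macOS"}
SENSORS = {
    "Computer Name": lambda e: e.name,
    "Country Code": lambda e: e.country,
    "Security Patches Needed Above Threshold": lambda e: e.patches,
}

def client_answer(ep, persona_groups, target_filters, get_sensors):
    """Return this client's answer row, or None when the client stays silent."""
    # 1. Management permissions: not in any assigned management group -> stop.
    if not any(MANAGEMENT_GROUPS[g](ep) for g in persona_groups):
        return None
    # 2. Target filter (from clause): every filter must evaluate to true.
    if not all(f(ep) for f in target_filters):
        return None
    # 3. Select statement (get clause): run sensors; select filters are not applied here.
    return {s: SENSORS[s](ep) for s in get_sensors}

def ask(persona_groups, target_filters, get_sensors, select_filter):
    """Return (clients that answered, clients shown after the server-side filter)."""
    rows = [client_answer(ep, persona_groups, target_filters, get_sensors) for ep in ENDPOINTS]
    rows = [r for r in rows if r is not None]
    shown = [r for r in rows if select_filter(r)]  # the server applies the select filter
    names = lambda rs: sorted(r["Computer Name"] for r in rs)
    return names(rows), names(shown)

GET = ["Computer Name", "Security Patches Needed Above Threshold"]
uk_only = lambda e: SENSORS["Country Code"](e) == "44"
needs_patches = lambda r: r["Security Patches Needed Above Threshold"] == "yes"

if __name__ == "__main__":
    print(ask(["UK", "France"], [uk_only], GET, needs_patches))
    print(ask(["UK", "France"], [uk_only, FILTER_GROUPS["Windows"]], GET, needs_patches))
```

In this model, a persona with no management groups gets no answers at all, whatever filter groups its roles allow.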

Computer group membership

Before you create a computer management group or filter group, be sure to understand the following options for defining which endpoints are members. After creating a group, you cannot change its membership definition.

Dynamic membership

Membership is based on the results of a sensor filter expression, such as is Windows equals true. Tanium Clients process the expression to determine whether their endpoints belong to the group.

Manually defined membership

Membership is based on a manually entered list of computer names or IP addresses. The Tanium Client obtains configuration information for the computer groups when registering with the Tanium Server.

Whenever possible, define computer group membership based on sensors. Only groups based on a sensor dynamically adjust their membership as endpoints join or leave your network. For example, you might create a manual group called Critical Servers for three special servers. If you later add a fourth server to the cluster, you cannot change the Critical Servers membership. Instead, you would have to: create a new manual computer group; assign it to personas; and re-create pertinent action groups and saved questions that you want to target the new computer group. A better approach is to define the computer group based on a sensor that identifies which servers qualify as critical, so that the fourth server automatically becomes a member.

Default computer groups

When you first log into the Tanium Console after a fresh installation of the Tanium Server, the server automatically imports the following computer groups; TaaS also provides them. They all function as both management groups and filter groups, and are assigned to the Default Filter Groups content set.

The Tanium Server does not import these default computer groups when you upgrade.

Table 1: Default computer groups
Platform | Computer Group Name
AIX
  • All AIX
Linux
  • All Linux
  • All CentOS
  • All CentOS 8
  • All CentOS 7
  • All CentOS 6
  • All Red Hat
  • All Red Hat 8
  • All Red Hat 7
  • All Red Hat 6
  • All Ubuntu 19
  • All Ubuntu 18
macOS
  • All Mac
  • All macOS 10.15
  • All macOS 10.14
  • All macOS 10.13
Solaris
  • All Solaris
Windows
  • All Windows
  • All Windows Servers
  • All Windows Server 2019
  • All Windows Server 2016
  • All Windows Server 2012 R2
  • All Windows Server 2012
  • All Windows Server 2008 R2
  • All Windows Server 2008
  • All Windows Server 2003
  • All Windows Servers - x86
  • All Windows Servers - x64
  • All Windows Servers - Virtual
  • All Windows Servers - Physical
  • All Windows Workstations
  • All Windows Workstations - x86
  • All Windows Workstations - x64
  • All Windows Workstations - Physical
  • All Windows Workstations - Virtual
  • All Windows 10
  • All Windows 10 release 1909
  • All Windows 10 release 1903
  • All Windows 10 release 1809
  • All Windows 10 release 1803
  • All Windows 10 release 1709
  • All Windows 10 release 1703
  • All Windows 10 release 1607
  • All Windows 10 release 1511
  • All Windows 8.1
  • All Windows 8
  • All Windows 7
  • All Windows XP
Other
  • All Workstations
  • All Servers
  • All Laptops
  • All Virtual Machines
  • All Physical Machines

View computer group configurations

From the Main menu, select Console > Administration > Computer Groups to see the following computer group settings:

Table 2: Computer group settings
Setting | Description
Name | The computer group name. To filter the grid by name, enter a string in the Show Content Name Containing field above the grid.
Type | Indicates how membership is defined for the group:
  • Standard: Dynamic membership
  • Manual: Manually defined membership
  For details, see Computer group membership.
Filter | Indicates whether you can (true) or cannot (false) use the group as a filter group.
Management | Indicates whether you can (true) or cannot (false) use the group as a management group.
Content Set | (Filter groups only) The content set to which the group is assigned.
Expression | The filter used to define membership in the computer group. The value is [Manual List] for groups with manually defined membership.

Create computer groups

Before you create a computer group, be sure to understand the difference between dynamic membership and manually defined membership (see Computer group membership). Perform the following steps to create a group that functions exclusively as a management group or that functions as both a management group and filter group.

To create a computer group that functions exclusively as a filter group, see Create filter groups.

  1. From the Main menu, select Console > Administration > Computer Groups and click New Group.
  2. Enter a Name to identify the group.
  3. Under Additional Options, select whether users can (Enable) or cannot (Disable) use this group as a filter group. If you Enable the filter group function, select a content set. To use the filter group, users require a role that specifies permissions for that content set.
  4. Define which endpoints are Members of the computer group:
    • Dynamic membership (best practice): Select a method for defining the membership filter:
    • Manually defined membership: Enter a list of computer names or IP addresses. Computer names must match the results that the Computer Name sensor returns. Short forms or alternative names do not work.
  5. Save the configuration.

Edit computer groups

You can change the name and filter settings of computer groups. However, changing the display name does not change the object ID of a computer group. Also, you cannot change the group membership definition.

  1. From the Main menu, select Console > Administration > Computer Groups.
  2. Select the computer group and click Edit.
  3. (Optional) Enter a new Name.
  4. (Management groups only) Under Additional Options, select whether users can (Enable) or cannot (Disable) use this group as a filter group. If you Enable the filter group function, select a content set. To use the group as a filter, users require a role that specifies permissions for that content set.
  5. Save the configuration.

Clone computer groups

Cloning is useful when you need a new computer group with a membership filter that differs only slightly from an existing group.

  1. From the Main menu, select Console > Administration > Computer Groups.
  2. Select the computer group you want to copy, and then click Clone.
  3. Enter a Name to identify the new computer group.
  4. Under Additional Options, select whether users can (Enable) or cannot (Disable) use this group as a filter group. If you Enable the filter group function, select a content set. To use the group as a filter, users require a role that specifies permissions for that content set.
  5. Define which endpoints are Members of the group. For details, see Create computer groups.
  6. Review the Preview list of members, and then save the configuration.

Export or import computer groups

You can export and import computer management groups and filter groups to copy them between Tanium Servers. As a best practice, develop and test content in your lab environment before distributing it to your production servers. The Tanium Console import-export feature supports this practice.

Export computer groups

Perform the following steps to export filter groups and computer management groups (you cannot export each type of group separately):

  1. Go to any Console > Content or Permissions page.
  2. Click Export Content at the top right of the Tanium Console.
  3. Select Computer Groups, select the Export Format (JSON or XML), and click Export.
  4. Enter a File Name or accept the default, and then click OK. The Tanium Server exports the content file to the Downloads folder on the system you use to access the Tanium Console.

Import computer groups

You can import files that are in JSON or XML format.

  1. Digitally sign the content file and ensure a public key is in place to validate the signature, as described under Authenticating content files.
  2. From the Main menu, select any Console > Content or Console > Permissions page and click Import Content at the top right of the page.
  3. Click Choose File, find and select the configuration file, and click Open.
  4. Click Import. If object names in the file are the same as for existing objects, the Tanium Console itemizes the conflicts and provides resolution options for each one.
  5. Select resolutions for any conflicts. For guidance, see Conflicts and Best practices, or consult your TAM.
  6. Click Import again, and click Close when the import finishes.

Delete computer groups

Deleting a computer management group or filter group involves the following tasks and considerations:

  • Account for user and user group configurations that might reference the computer management group through personas. Be prepared to modify those configurations as needed.
  • Account for other configurations that might have referenced the computer group, such as action groups, scheduled actions, and saved questions. The scheduled actions and saved questions that are configured to target the computer group continue to do so because they do not depend on the computer group ID, just the information that the computer group provided at the time it was created.
  • Endpoints continue to match targeting questions as long as they match the sensor filter expression or manual group ID. The manual group ID obtained during registration is never erased from the Tanium Client configuration, so targeting questions based on a manual group ID continue to match as well.
  • If you intend to stop the scheduled activities (such as scheduled actions and saved questions) that target those computers, you must disable, edit, or delete the corresponding configurations.
  • Deleting a computer management group through the Administration > Computer Groups page removes all instances of the group from the Tanium Server even if the group also functions as a filter group. However, if you use the Content > Filter Groups page to delete a filter group that also functions as a management group, the group remains on the server as a management group with filtering disabled.

When you are ready to delete the computer management group, perform the following steps. To delete a filter group, see Delete filter groups.

  1. From the Main menu, select Console > Administration > Computer Groups.
  2. Select the computer group and click Delete Selected.
  3. Confirm the operation when prompted, then click OK.