Managing computer groups

Computer groups overview

A computer group defines a set of endpoints that you want to manage as a group with respect to operations that Tanium users, modules, and shared services perform. For example, you can define a computer group that includes all endpoints that are in a data center, and assign the group only to users who will issue questions and deploy actions to data center endpoints. Computer groups are also the building blocks of action groups, which filter the target endpoints for actions (see Managing action groups). Furthermore, you can use computer groups to filter various lists in the Tanium Console, such as on the Administration > Permissions > Users page.

Based on the permissions that you want users to have when querying sets of endpoints, you can create the following types of computer groups:

Computer management group:

A Tanium user can view question results from, and deploy actions to, only those endpoints that belong to a computer management group that is assigned to the user persona selected for the current session. Roles do not control access to computer management groups, but roles do control which content is available to the user for questions and actions. For example, you might want a user to see the processes running on endpoints in a data center. You must assign that user a role with Read Sensor permissions on the content set containing the Running Processes sensor, and also assign the user a computer management group that contains the data center endpoints. The following figure illustrates the relationship between computer management groups and other Tanium role-based access control (RBAC) components.

Figure 1: Computer management group
Computer filter group:

Tanium users use computer filter groups as filters in questions (see Use filter groups) and question results (see Filter question results). Users acquire permissions for a filter group when you assign it to a content set, grant filter group permissions to that content set in custom roles, and assign the role to the personas of users or user groups. The following figure shows an example of a custom role that grants Read Filter Group and Write Filter Group permissions to the Default Filter Groups content set:

Figure 2: Computer filter group

Users cannot receive question results from endpoints in a filter group unless those endpoints also belong to a computer management group and you assign that management group to users or user groups.

You can configure computer groups to function as both management groups and filter groups. The reserved computer groups All Computers and No Computers function as both types. These reserved groups are in the Reserved content set, and you cannot edit them. When you first sign in to the Tanium Console after a fresh installation of the Tanium Server, the server automatically importsTanium Cloud provides additional predefined computer groups that function as both filter groups and management groups. See Default computer groups.

Use the Administration > Permissions > Computer Groups page to manage computer groups that function as both management groups and filter groups or that function exclusively as management groups. To manage computer groups that function exclusively as filter groups, use the Administration > Permissions > Filter Groups page (see Managing filter groups). After creating a computer group of either type, you cannot change its membership definition.

For the role permissions required to manage computer groups, see RBAC management permissions.

In Tanium Core Platform 7.3, all computer groups bestow both management and filtering permissions. After you upgrade to version 7.4 or later, the Tanium Server automatically creates a management group and filter group for each computer group that existed on the pre-upgrade server. However, this automatic duplication does not occur for computer groups of either type that you add after the upgrade.

Review computer groups on a quarterly basis and delete any that are no longer useful. See Tanium Maintenance User Guide: Delete unnecessary computer groups.

Computer groups in questions

To understand the interaction between computer management groups and filter groups, and how best to use them, it is important to understand how Tanium Clients process questions. Figure 3 illustrates an example of how computer group and role assignments control what question results a user can receive and filter. In this example, the user persona is assigned computer management groups that contain branch office endpoints, and therefore the user can issue a question that determines which of those endpoints has PowerShell version 2.0 installed. However, for security reasons, the management groups exclude headquarters endpoints because the user is not authorized to see information from those endpoints. The user issues the question Get Computer Name and PowerShell Version equals 2.0 from all machines with Country Code equals 44. All Tanium Clients that are online receive the question and process its components in the following order:

Computer group management permissions
Each Tanium Client first evaluates whether it belongs to a computer management group that is assigned to the user (persona) who issues the question. If no, the client does not process the question further, and does not add its answer to the answer message.
In the example, only the clients in the UK and France management groups (UK_1 to UK_4 and FRA_1 to FRA_4) continue processing the question. Note that because All Windows and All Mac are filter groups, they are assigned to a content set (Default). Even though the user has a role (euro_admin) that provides access to that content set, filter groups bestow only filtering permissions, not the permission to receive answers from clients. Therefore, Windows and macOS clients HQ_1 to HQ4 do not continue processing the question. The other Windows and macOS clients continue to process the question, but only because they are also members of the UK and France management groups.
Target filter (from) clause
The from clause specifies whether question results are required from all Tanium Clients (from all machines) or only from clients that evaluate the filtering sensor to true. Optionally, you can use the Is <computer_group> sensor to base the filter on a filter group.
In the example, only the UK clients match the target filter clause from all machines with Country Code equals 44 and continue to process the question.
Select statement (get) clause
The get clause specifies the sensors that Tanium Clients run to answer the question. If the select statement has a filter, clients do not process it; only Tanium Cloudthe Tanium Server processes select statement filters after receiving the answers. The Tanium Console then displays the answers in the Question Results grid.
In the example, the UK clients run the select statement sensors Computer Name and PowerShell Version, and add their output to the answer message. Because equals 2.0 is a filter for the select statement PowerShell Version, the Tanium Server processes that filter after receiving the answers from all the UK clients. The Tanium Console then displays results only for UK clients that have PowerShell version 2.0 installed.

In the example, the user then decides to display results only for endpoints that run Windows, and therefore selects the All Windows filter group in the Filter by Computer Group dropdown list. Tanium CloudThe Tanium Server reissues the question using both Country Code equals 44 and Is Windows in the target filter clause. Only Tanium Clients UK_1 and UK_3 match both filters, and so the Tanium Console then displays results only for those clients.

Figure 3: Computer management groups and filter groups

Computer group membership

Before you create a computer management group or filter group, be sure to understand the following options for defining which endpoints are members. After creating a group, you cannot change its membership definition.

Dynamic membership:

Membership is based on the results of a sensor filter expression, such as is Windows equals true. Tanium Clients process the expression to determine whether their endpoints belong to the group.

If you base the sensor filter on a custom tag, you can change tag assignments on endpoints to adjust the membership of a computer group. See Manage custom tags for computer groups.
Manually defined membership:

Membership is based on a manually entered list of computer names, IP addresses, or fully qualified domain names (FQDNs). The Tanium Client obtains configuration information for the computer groups when registering with the Tanium Server.

Whenever possible, define computer group membership based on sensors. Only groups based on a sensor dynamically adjust their membership as endpoints join or leave your network. For example, you might create a manual group called Critical Servers for three special servers. If you later add a fourth server to the cluster, you cannot change the Critical Servers membership. Instead, you would have to: create a new manual computer group; assign it to users; and re-create pertinent action groups and saved questions that you want to target the new computer group. A better approach is to define the computer group based on a sensor that identifies which servers qualify as critical, so that the fourth server automatically becomes a member.

Default computer groups

Tanium Cloud When you first sign in to the Tanium Console after a fresh installation of the Tanium Server, the server automatically imports the content-only solution Default Computer Groups, which includes predefined computer groups. They all function as both management groups and filter groups, and are assigned to the Default Filter Groups content set. To list the defaults groups on the Computer Groups page, filter the grid by Content Set. See View computer group details.

Tanium Cloud provides The Tanium Server creates additional default computer groups as part of Initial content during installation.

The Tanium Server does not import default computer groups when you upgrade the server.

View default computer groups

Table 1: Default computer groups
Platform	Computer Group Name
AIX	All AIX All AIX 7.2 All AIX 7.1
Linux	All Amazon All Amazon Linux 2 All Linux All CentOS All CentOS 9 All CentOS 8 All CentOS 7 All CentOS 6 All Debian All Debian 12 All Debian 11 All Debian 10 All Debian 9 All Debian 8 All Debian 7 All Debian 6 All Oracle All Oracle 8 All Oracle 7 All Oracle 6 All Red Hat All Red Hat 9 All Red Hat 8 All Red Hat 7 All Red Hat 6 All Red Hat 5 All SUSE All SLES 15 All SLES 12 All SLES 11 All Ubuntu All Ubuntu 22 All Ubuntu 21 All Ubuntu 20 All Ubuntu 19 All Ubuntu 18 All Ubuntu 16 All Ubuntu 14
macOS	All Mac All Mac Laptops All MacOS 13 All macOS 12.5 All macOS 12.4 All macOS 12.3 All macOS 12.2 All macOS 12.1 All macOS 12.0 All macOS 12 All macOS 11 All macOS 11.6 All macOS 11.5 All macOS 11.4 All macOS 11.3 All macOS 11.2 All macOS 11.1 All macOS 11.0 All macOS 10.15 All macOS 10.14 All macOS 10.13
Solaris	All Solaris All Solaris 11 All Solaris 10
Windows	All Windows All Windows Laptops All Windows Servers All Windows Server 2022 All Windows Server 2019 All Windows Server 2016 All Windows Server 2012 R2 All Windows Server 2012 All Windows Server 2008 R2 All Windows Server 2008 All Windows Server 2003 All Windows Servers - x86 All Windows Servers - x64 All Windows Servers - Virtual All Windows Servers - Physical All Windows Workstations All Windows Workstations - x86 All Windows Workstations - x64 All Windows Workstations - Physical All Windows Workstations - Virtual All Windows 11 All Windows 11 release 22H2 All Windows 11 release 21H2 All Windows 10 All Windows 10 release 21H2 All Windows 10 release 21H1 All Windows 10 release 20H2 All Windows 10 release 2009 All Windows 10 release 2004 All Windows 10 release 1909 All Windows 10 release 1903 All Windows 10 release 1809 All Windows 10 release 1803 All Windows 10 release 1709 All Windows 10 release 1703 All Windows 10 release 1607 All Windows 10 release 1511 All Windows 8.1 All Windows 8 All Windows 7 All Windows XP
Other	All Workstations All Servers All Laptops All Virtual Machines All Physical Machines

View computer group details

From the Main menu, go to Administration > Permissions > Computer Groups.

The Computer Groups grid displays the following attributes for each computer group:

Table 2: Computer group attributes
Setting	Description
Name	The name that identifies the computer group.
Type	Indicates how membership is defined for the group: Standard: Dynamic membership Manual: Manually defined membership For details, see Computer group membership.
Management	Indicates whether you can (true) or cannot (false) use the group as a computer management group.
Content Set	(Filter groups only) The content set to which the group is assigned.
Expression	The filter used to define membership in the computer group. The value is [Manual List] for groups with manually defined membership.
Modified By (Persona)	The name of the user (persona) who last modified the computer group.
Last Modification	The date-time when a user (persona) last modified the computer group.

(Optional) Use the filters to find specific computer groups:
- Filter by text: To filter the grid by computer group Name or membership Expression, enter a text string in the Filter items field.
- Filter by attribute: Filter the grid by one or more attributes, such as the Content Set assignment. Expand the Filters section, click Add, select an attribute and operator, enter a text string that contains all or part of the attribute value, and click Apply. If you add multiple attribute filters, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
To see a list of endpoints that are members of a group, click the group Name and scroll to the Members section.

Create a computer group

Before you create a computer group, be sure to understand the difference between dynamic membership and manually defined membership (see Computer group membership). Perform the following steps to create a group that functions exclusively as a management group or that functions as both a management group and filter group.

To create a computer group that functions exclusively as a filter group, see Create a filter group.

From the Main menu, go to Administration > Permissions > Computer Groups and click New Computer Group.
Enter a Name to identify the group.
Under Additional Options, select whether users can (Enable) or cannot (Disable) use this group as a filter group. If you enable the filter group function, select a content set. To use the filter group, users require a role that specifies permissions for that content set.
Define which endpoints are Members of the computer group.

You cannot change the Members definition after you save the computer group. However, if you configure dynamic membership and base it on a custom tag, you can change tag assignments on endpoints to adjust the group membership. See Manage custom tags for computer groups.
- Dynamic membership (best practice): Select a method for defining the membership filter:
  - Select Filter Bar if you want to define a filter using the same syntax as in the from clause of the Interact Ask a Question field. For details, see Issue a question through the Ask a Question field.
  - Select Filter Builder if you want to define a filter using the same from computers with fields as in the Interact Question Builder. For details, see Issue a question through the Question Builder.
- Manually defined membership: Select Manual Group and enter a list of endpoint identifiers, which can be one of the following:
  - Computer names that match the results of the Computer Name sensor. Short forms or alternative names do not work.
  - Fully qualified domain names (FQDNs).
  - IP addresses that match the entries in the Administration > Configuration > Client Status page, Network Location (from server) column.
Review the list of endpoints that are members of the group and click Save.

Assign computer groups

To provide computer group management rights to users, assign the computer groups to user accounts, user groups, and personas:

To target computer groups for action deployment, assign them to action groups: Create an action group.

Edit a computer group

You can change the name and filtering settings of computer groups. However, changing the name does not change the object ID of a computer group. Also, you cannot change the group membership definition.

From the Main menu, go to Administration > Permissions > Computer Groups.
Click the computer group Name and click Edit Mode.
(Optional) Enter a new Name.
Under Additional Options, select whether users can (Enable) or cannot (Disable) use this group as a filter group. If you Enable the filter group function, select a content set. To use the group as a filter, users require a role that specifies permissions for that content set.
Click Save.

To change computer group assignments, edit the configurations of users, user groups, and personas:

Manage custom tags for computer groups

If you configure a computer group with dynamic membership that is based on a custom tag, you can change which endpoints are members by changing tag assignments, even though you cannot change the Members setting in the group configuration. For example, you can configure a computer group with Members set to the filter Custom Tags contains "Lab". Then you can add or remove the tag Lab on endpoints that move in or out of the environment to change the group membership.

To configure computer groups based on enhanced tags, sign in to the Tanium KB and view the Enhanced Tags Documentation.

Review custom tags

To see which custom tags are assigned to endpoints, ask a question using the Custom Tags sensor, such as:

Get Custom Tags from all machines

To see which endpoints have a specific custom tag, ask a question using the Custom Tag Exists parameterized sensor, such as:

Get Tanium Client Version from all machines with Custom Tag Exists[lab,1] equals true

For details on asking questions, see Asking questions and searching endpoints.

Add custom tags

Ask a question to target the endpoints that require custom tags. Because different packages add tags for Windows or non-Windows endpoints, ask a question that specifies the distinction, such as:

Get Tanium Client Version from all machines with Is Windows equals true
Select the endpoints to target and click Deploy Action.

You can drill-down or merge questions to refine the results before selecting endpoints.
Select one of the following packages as the Deployment Package:
- Custom Tagging - Add Tags for Windows endpoints
- Custom Tagging - Add Tags (Non-Windows)
Enter a list of tag names with spaces as delimiters.

(Windows only) To include any tag names with spaces, use the character sequence #|# as a delimiter. To apply a single tag that includes spaces, enter the character sequence #|# after the tag name.
Configure the remaining action settings.
Click Show Preview To Continue, review the list of targeted endpoints, and click Deploy Action.

Remove custom tags

Ask a question to target the endpoints from which to remove custom tags. Because different packages remove tags for Windows or non-Windows endpoints, ask a question that specifies the distinction, such as:

Get Custom Tags from all machines with ( Is Windows equals true and Computer Name contains ABC )
Select the Question Results rows for the tags that you want to remove and click Deploy Action.

You can drill-down or merge questions to refine the results before selecting endpoints.
Select one of the following packages as the Deployment Package:
- Custom Tagging - Remove Tags for Windows endpoints
- Custom Tagging - Remove Tags (Non-Windows)
Configure the remaining action settings.
Click Show Preview To Continue, review the list of targeted endpoints, and click Deploy Action.

Clone a computer group

Cloning is useful when you need a new computer group with a membership filter that differs only slightly from an existing group.

From the Main menu, go to Administration > Permissions > Computer Groups.
Select the computer group that you want to duplicate, and then click Clone.
Enter a Name to identify the new computer group.
Under Additional Options, select whether users can (Enable) or cannot (Disable) use this group as a filter group. If you Enable the filter group function, select a content set. To use the group as a filter, users require a role that specifies permissions for that content set.
Define which endpoints are Members of the computer group:
- Dynamic membership (best practice): Select a method for defining the membership filter:
  - Select Filter Bar if you want to define a filter using the same syntax as in the from clause of the Interact Ask a Question field. For details, see Issue a question through the Ask a Question field.
  - Select Filter Builder if you want to define a filter using the same from computers with fields as in the Interact Question Builder. For details, see Issue a question through the Question Builder.
- Manually defined membership: Select Manual Group and enter a list of endpoint identifiers, which can be one of the following:
  - Computer names that match the results of the Computer Name sensor. Short forms or alternative names do not work.
  - Fully qualified domain names (FQDNs).
  - IP addresses that match the entries in the Administration > Configuration > Client Status page, Network Location (from server) column.
Review the list of endpoints that are members of the group and click Save.

Export or import computer groups

The following procedures describe how to export and import specific computer groups or all computer groups.

Develop and test custom content in your lab environment before importing that content into your production environment.

Export computer groups

Export computer groups as a file in one of the following formats:

CSV: When you open the file in an application that supports CSV format, it lists the computer groups with the same attributes (columns) as the Computer Groups page displays.
JSON: If you are assigned a role with the Export Content permission, you can export computer group configurations as a JSON file to import them into another Tanium Server. The Administrator reserved role has that permission.

Perform the following steps to export computer groups:

From the Main menu, go to Administration > Permissions > Computer Groups.
(Optional, CSV exports only) To add or remove attributes (columns) for the CSV file, click Customize Columns in the grid and select the attributes.
Select rows in the grid to export only specific computer groups. If you want to export all computer groups, skip this step.
Click Export .
(Optional) Edit the default export File Name.
The file suffix (.csv or .json) changes automatically based on the Format selection.
Select an Export Data option: All computer groups in the grid or just the Selected computer groups.
Select the file Format:
- List of Computer Groups - CSV
- Computer Group Definitions - JSON (Administrator reserved role only)
Click Export.
Tanium CloudThe Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.

Import computer groups

Users who are assigned a role with Import Signed Content permission can import content files (such as for Tanium solutions or sensor configurations) that are in JSON format. The Administrator reserved role has this permission.

(Non-Tanium-provided content only) Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.
You do not have to generate keys or signatures for Tanium-provided solutions. Tanium signs this content before making it available, and the associated public key is distributed to the Tanium Server key store during the server installation process.
If you plan to import a file that another user signed, you can first perform an integrity check on the file. See Verify content file signatures.
From the Main menu, go to any of the following Administration pages:
- Configuration > Solutions
- Permissions > Filter Groups
- Under Content, select Sensors, Packages, or Saved Questions
- Under Actions, select Scheduled Actions, All Pending Approvals, or Actions I Can Approve
Select an Import option based on the source of the content:
- Import > Import Files: Perform one of the following steps to select one or more files:
  - Drag and drop files from your file explorer.
  - Click Browse for File, select the files, and click Open.
- Import > Import URL: Enter the URL in the Import URL field, and click Import.
For each file, expand the File name, review the content to import, and select resolutions for any conflicts with existing content (see Resolve import conflicts).
If you want to overwrite existing content set assignments for all imported objects with the default Tanium-defined assignments, select Include content set overwrite. By default, the Include content set overwrite check box is deselected and the Tanium Server preserves the existing content set assignments.
Click Begin Install.

Copy computer group configuration details

Copy information from the Computer Groups page to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

From the Main menu, go to Administration > Permissions > Computer Groups.
Perform one of the following steps:
- Copy row information: Select one or more rows and click Copy .
- Copy cell information: Hover over the cell, click Options , and click Copy .

Delete computer groups

Deleting a computer group involves the following tasks and considerations:

Account for user and user group configurations that might reference the computer management group through personas. Be prepared to modify those configurations as needed.
Account for other configurations that might have referenced the computer group, such as action groups, scheduled actions, and saved questions. The scheduled actions and saved questions that are configured to target the computer group continue to do so because they do not depend on the computer group ID, just the information that the computer group provided at the time it was created.
Endpoints continue to match targeting questions as long as they match the sensor filter expression or manual group ID. The manual group ID obtained during registration is never erased from the Tanium Client configuration, so targeting questions based on a manual group ID continue to match as well.
If you intend to stop the scheduled activities (such as scheduled actions and saved questions) that target those computers, you must disable, edit, or delete the corresponding configurations.
Deleting a computer management group through the Administration > Permissions > Computer Groups page removes all instances of the group from the Tanium Server even if the group also functions as a filter group. However, if you use the Content > Filter Groups page to delete a filter group that also functions as a management group, the group remains on the server as a management group with filtering disabled.

To delete a filter group, see Delete filter groups.

When you are ready to delete the computer management group, perform the following steps.

From the Main menu, go to Administration > Permissions > Computer Groups.
Select the computer group, click Delete Selected , and click Confirm.