Managing computer groups

Computer groups overview

A computer group defines a set of endpoints that you want to manage as a group with respect to operations that Tanium users, modules, and shared services perform. For example, you can define a computer group that includes all endpoints that are in a data center, and assign the group only to users who will issue questions and deploy actions to data center endpoints. Computer groups are also the building blocks of action groups, which filter the target endpoints for actions (see Managing action groups). Furthermore, you can use computer groups to filter various lists in the Tanium Console, such as on the Administration > Permissions > Users page.

Based on the permissions that you want users to have when querying sets of endpoints, you can create the following types of computer groups:

Computer management group

A Tanium user can view question results from, and deploy actions to, only those endpoints that belong to a computer management group that is assigned to the user persona selected for the current session. Roles do not control access to computer management groups, but roles do control which content is available to the user for questions and actions. For example, you might want a user to see the processes running on endpoints in a data center. You must assign that user a role with Read Sensor permissions on the content set containing the Running Processes sensor, and also assign the user a computer management group that contains the data center endpoints. The following figure illustrates the relationship between computer management groups and other Tanium role-based access control (RBAC) components.

Figure: Computer management groups

Computer filter group

Tanium users use computer filter groups as filters in questions (see Use filter groups) and question results (see Filter question results). Users acquire permissions for a filter group when you assign it to a content set, grant filter group permissions to that content set in custom roles, and assign the role to the personas of users or user groups. The following figure shows an example of a custom role that grants Read Filter Group and Write Filter Group permissions to the Default Filter Groups content set:

Figure: Computer filter groups

Users cannot receive question results from endpoints in a filter group unless those endpoints also belong to a computer management group and you assign that management group to users or user groups.

You can configure computer groups to function as both management groups and filter groups. The reserved computer groups All Computers and No Computers function as both types. These reserved groups are in the Reserved content set, and you cannot edit them. When you first sign in to the Tanium Console after a fresh installation of the Tanium Server, the server automatically imports additional predefined computer groups that function as both filter groups and management groups. Tanium Cloud provides these additional predefined groups as well. See Default computer groups.

Use the Administration > Permissions > Computer Groups page to manage computer groups that function as both management groups and filter groups or that function exclusively as management groups. To manage computer groups that function exclusively as filter groups, use the Administration > Permissions > Filter Groups page (see Managing filter groups). After creating a computer group of either type, you cannot change its membership definition.

For the role permissions required to manage computer groups, see RBAC management permissions.

In Tanium Core Platform 7.3, all computer groups bestow both management and filtering permissions. After you upgrade to version 7.4 or later, the Tanium Server automatically creates a management group and filter group for each computer group that existed on the pre-upgrade server. However, this automatic duplication does not occur for computer groups of either type that you add after the upgrade.

To understand the interaction between computer management groups and filter groups, and how best to use them, it is important to understand how Tanium Clients process questions. Figure 1 illustrates an example of how computer group and role assignments control what question results a user can receive and filter. In this example, the user persona is assigned computer management groups that contain branch office endpoints, and therefore the user can issue a question that determines which of those endpoints has PowerShell version 2.0 installed. However, for security reasons, the management groups exclude headquarters endpoints because the user is not authorized to see information from those endpoints. The user issues the question Get Computer Name and PowerShell Version equals 2.0 from all machines with Country Code equals 44. All Tanium Clients that are online receive the question and process its components in the following order:

  1. Computer group management permissions

    Each Tanium Client first evaluates whether it belongs to a computer management group that is assigned to the user (persona) who issues the question. If not, the client does not process the question further, and does not add its answer to the answer message.

    In the example, only the clients in the UK and France management groups (UK_1 to UK_4 and FRA_1 to FRA_4) continue processing the question. Note that because All Windows and All Mac are filter groups, they are assigned to a content set (Default). Even though the user has a role (euro_admin) that provides access to that content set, filter groups bestow only filtering permissions, not the permission to receive answers from clients. Therefore, Windows and macOS clients HQ_1 to HQ_4 do not continue processing the question. The other Windows and macOS clients continue to process the question, but only because they are also members of the UK and France management groups.

  2. Target filter (from) clause

    The from clause specifies whether question results are required from all Tanium Clients (from all machines) or only from clients that evaluate the filtering sensor to true. Optionally, you can use the Is <computer_group> sensor to base the filter on a filter group.

    In the example, only the UK clients match the target filter clause from all machines with Country Code equals 44 and continue to process the question.

  3. Select statement (get) clause

    The get clause specifies the sensors that Tanium Clients run to answer the question. If the select statement has a filter, clients do not process it; only Tanium Cloud or the Tanium Server processes select statement filters after receiving the answers. The Tanium Console then displays the answers in the Question Results grid.

    In the example, the UK clients run the select statement sensors Computer Name and PowerShell Version, and add their output to the answer message. Because equals 2.0 is a filter for the select statement PowerShell Version, the Tanium Server processes that filter after receiving the answers from all the UK clients. The Tanium Console then displays results only for UK clients that have PowerShell version 2.0 installed.

In the example, the user then decides to display results only for endpoints that run Windows, and therefore selects the All Windows filter group in the Filter by Computer Group dropdown list. Tanium Cloud or the Tanium Server reissues the question using both Country Code equals 44 and Is Windows in the target filter clause. Only Tanium Clients UK_1 and UK_3 match both filters, and so the Tanium Console then displays results only for those clients.

Figure 1: Computer management groups and filter groups
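The processing order described above, modelled in Python as an added example (it is not Tanium code and not part of the original page). Group and endpoint names follow the page's example; the sensor values, the site attribute, the France country code 33, and giving the HQ endpoints country code 44 (so that they would match the from clause if they ever reached it) are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    name: str
    site: str           # constructed attribute used to define management groups
    country_code: int   # stands in for the Country Code sensor
    is_windows: bool    # stands in for the Is Windows sensor
    powershell: str     # stands in for the PowerShell Version sensor


def build_inventory():
    """Constructed inventory: odd-numbered hosts are Windows, even are macOS."""
    sites = {"UK": 44, "FRA": 33, "HQ": 44}  # HQ deliberately shares code 44
    return [
        Endpoint(f"{site}_{n}", site, code, n % 2 == 1,
                 "2.0" if n % 2 == 1 else "7.4")
        for site, code in sites.items() for n in range(1, 5)
    ]


# Groups are membership predicates, as with sensor-based (dynamic) groups.
MANAGEMENT_GROUPS = {
    "UK": lambda e: e.site == "UK",
    "France": lambda e: e.site == "FRA",
}
FILTER_GROUPS = {
    "All Windows": lambda e: e.is_windows,
    "All Mac": lambda e: not e.is_windows,
}


def ask(inventory, persona_mgmt_groups, from_filters, get_sensors,
        select_filter=None):
    """Return the client names that survive each stage, in the page's order."""
    # 1. Management permissions: a client outside every assigned management
    #    group stops here. Filter groups are never consulted at this stage.
    managed = [e for e in inventory
               if any(MANAGEMENT_GROUPS[g](e) for g in persona_mgmt_groups)]
    # 2. Target filter (from clause), evaluated on the client.
    targeted = [e for e in managed if all(f(e) for f in from_filters)]
    # 3. Select statement (get clause): clients run the sensors and answer.
    answers = {e.name: {s: getattr(e, s) for s in get_sensors}
               for e in targeted}
    # Select-statement filters are applied server-side, after answers arrive.
    displayed = {n: a for n, a in answers.items()
                 if select_filter is None or select_filter(a)}
    return {
        "managed": [e.name for e in managed],
        "targeted": [e.name for e in targeted],
        "answered": sorted(answers),
        "displayed": sorted(displayed),
    }


def run_example():
    inv = build_inventory()
    country_44 = lambda e: e.country_code == 44
    ps2 = lambda answer: answer["powershell"] == "2.0"
    sensors = ["name", "powershell"]
    first = ask(inv, ["UK", "France"], [country_44], sensors, ps2)
    # Selecting the All Windows filter group adds a second from-clause filter.
    windows = ask(inv, ["UK", "France"],
                  [country_44, FILTER_GROUPS["All Windows"]], sensors, ps2)
    # Filter-group access without any management group yields no answers.
    no_mgmt = ask(inv, [], [FILTER_GROUPS["All Windows"]], ["name"])
    return first, windows, no_mgmt


if __name__ == "__main__":
    for label, trace in zip(("first", "windows", "no_mgmt"), run_example()):
        print(label, trace)
```

In the trace, the HQ endpoints never appear in "managed" even though they match Country Code equals 44 and belong to the All Windows or All Mac filter groups, which is the access-control property the section describes.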

Computer group membership

Before you create a computer management group or filter group, be sure to understand the following options for defining which endpoints are members. After creating a group, you cannot change its membership definition.

  • Dynamic membership:

    Membership is based on the results of a sensor filter expression, such as is Windows equals true. Tanium Clients process the expression to determine whether their endpoints belong to the group.

    If you base the sensor filter on a custom tag, you can change tag assignments on endpoints to adjust the membership of a computer group. See Manage custom tags for computer groups.

  • Manually defined membership:

    Membership is based on a manually entered list of computer names, IP addresses, or fully qualified domain names (FQDNs). The Tanium Client obtains configuration information for the computer groups when registering with the Tanium Server.

Whenever possible, define computer group membership based on sensors. Only groups based on a sensor dynamically adjust their membership as endpoints join or leave your network. For example, you might create a manual group called Critical Servers for three special servers. If you later add a fourth server to the cluster, you cannot change the Critical Servers membership. Instead, you would have to: create a new manual computer group; assign it to users; and re-create pertinent action groups and saved questions that you want to target the new computer group. A better approach is to define the computer group based on a sensor that identifies which servers qualify as critical, so that the fourth server automatically becomes a member.

Default computer groups

Tanium Cloud provides predefined computer groups. When you first sign in to the Tanium Console after a fresh installation of the Tanium Server, the server automatically imports the Default Computer Groups content pack, which includes these predefined computer groups. They all function as both management groups and filter groups, and are assigned to the Default Filter Groups content set. To list the default groups on the Computer Groups page, filter the grid by Content Set. See View computer group details.

The Tanium Server does not import these default computer groups when you upgrade.


View computer group details

  1. From the Main menu, go to Administration > Permissions > Computer Groups.

    The Computer Groups grid displays the following attributes for each computer group:

    Table 2: Computer group attributes

    Setting: Description
    Name: The name that identifies the computer group.
    Type: Indicates how membership is defined for the group:
      • Standard: Dynamic membership
      • Manual: Manually defined membership
      For details, see Computer group membership.
    Management: Indicates whether you can (true) or cannot (false) use the group as a computer management group.
    Content Set: (Filter groups only) The content set to which the group is assigned.
    Expression: The filter used to define membership in the computer group. The value is [Manual List] for groups with manually defined membership.
    Modified By (Persona): The name of the user (persona) who last modified the computer group.
    Last Modification: The date-time when a user (persona) last modified the computer group.

  2. (Optional) Use the filters to find specific computer groups:
    • Filter by text: To filter the grid by computer group Name or membership Expression, enter a text string in the Filter items field.
    • Filter by attribute: Filter the grid by one or more attributes, such as the Content Set assignment. Expand the Filters section, click Add, select an attribute and operator, enter a text string that contains all or part of the attribute value, and click Apply. If you add multiple attribute filters, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  3. To see a list of endpoints that are members of a group, click the group Name and scroll to the Members section.

Create a computer group

Before you create a computer group, be sure to understand the difference between dynamic membership and manually defined membership (see Computer group membership). Perform the following steps to create a group that functions exclusively as a management group or that functions as both a management group and filter group.

To create a computer group that functions exclusively as a filter group, see Create a filter group.

  1. From the Main menu, go to Administration > Permissions > Computer Groups and click New Computer Group.
  2. Enter a Name to identify the group.
  3. Under Additional Options, select whether users can (Enable) or cannot (Disable) use this group as a filter group. If you enable the filter group function, select a content set. To use the filter group, users require a role that specifies permissions for that content set.
  4. Define which endpoints are Members of the computer group.

    You cannot change the Members definition after you save the computer group. However, if you configure dynamic membership and base it on a custom tag, you can change tag assignments on endpoints to adjust the group membership. See Manage custom tags for computer groups.

    • Dynamic membership (best practice): Select a method for defining the membership filter:
    • Manually defined membership: Select Manual Group and enter a list of endpoint identifiers, which can be one of the following:
      • Computer names that match the results of the Computer Name sensor. Short forms or alternative names do not work.
      • Fully qualified domain names (FQDNs).
      • IP addresses that match the entries in the Administration > Configuration > Client Status page, Network Location (from server) column.
  5. Review the list of endpoints that are members of the group and click Save.

To provide computer group management rights to users, assign the computer groups to user accounts, user groups, and personas:

Edit a computer group

You can change the name and filtering settings of computer groups. However, changing the name does not change the object ID of a computer group. Also, you cannot change the group membership definition.

  1. From the Main menu, go to Administration > Permissions > Computer Groups.
  2. Click the computer group Name and click Edit Mode.
  3. (Optional) Enter a new Name.
  4. Under Additional Options, select whether users can (Enable) or cannot (Disable) use this group as a filter group. If you Enable the filter group function, select a content set. To use the group as a filter, users require a role that specifies permissions for that content set.
  5. Click Save.

To change computer group assignments, edit the configurations of users, user groups, and personas:

Manage custom tags for computer groups

If you configure a computer group with dynamic membership that is based on a custom tag, you can change which endpoints are members by changing tag assignments, even though you cannot change the Members setting in the group configuration. For example, you can configure a computer group with Members set to the filter Custom Tags contains "Lab". Then you can add or remove the tag Lab on endpoints that move in or out of the environment to change the group membership.

Review custom tags

To see which custom tags are assigned to endpoints, ask a question using the Custom Tags sensor, such as:

Get Custom Tags from all machines

To see which endpoints have a specific custom tag, ask a question using the Custom Tag Exists parameterized sensor, such as:

Get Tanium Client Version from all machines with Custom Tag Exists[lab,1] equals true

For details on asking questions, see Asking questions.

Add custom tags

  1. Ask a question to target the endpoints that require custom tags. Because different packages add tags for Windows or non-Windows endpoints, ask a question that specifies the distinction, such as:

    Get Tanium Client Version from all machines with Is Windows equals true

  2. Select the endpoints to target and click Deploy Action.

    You can drill down or merge questions to refine the results before selecting endpoints.

  3. Select one of the following packages as the Deployment Package:
    • Custom Tagging - Add Tags for Windows endpoints
    • Custom Tagging - Add Tags (Non-Windows)
  4. Enter a list of tag names with spaces as delimiters.

    (Windows only) To include any tag names with spaces, use the character sequence #|# as a delimiter. To apply a single tag that includes spaces, enter the character sequence #|# after the tag name.

  5. Configure the remaining action settings.
  6. Click Show Preview To Continue, review the list of targeted endpoints, and click Deploy Action.

Remove custom tags

  1. Ask a question to target the endpoints from which to remove custom tags. Because different packages remove tags for Windows or non-Windows endpoints, ask a question that specifies the distinction, such as:

    Get Custom Tags from all machines with ( Is Windows equals true and Computer Name contains ABC )

  2. Select the Question Results rows for the tags that you want to remove and click Deploy Action.

    You can drill down or merge questions to refine the results before selecting endpoints.

  3. Select one of the following packages as the Deployment Package:
    • Custom Tagging - Remove Tags for Windows endpoints
    • Custom Tagging - Remove Tags (Non-Windows)
  4. Configure the remaining action settings.
  5. Click Show Preview To Continue, review the list of targeted endpoints, and click Deploy Action.

Clone a computer group

Cloning is useful when you need a new computer group with a membership filter that differs only slightly from an existing group.

  1. From the Main menu, go to Administration > Permissions > Computer Groups.
  2. Select the computer group that you want to duplicate, and then click Clone.
  3. Enter a Name to identify the new computer group.
  4. Under Additional Options, select whether users can (Enable) or cannot (Disable) use this group as a filter group. If you Enable the filter group function, select a content set. To use the group as a filter, users require a role that specifies permissions for that content set.
  5. Define which endpoints are Members of the computer group:
    • Dynamic membership (best practice): Select a method for defining the membership filter:
    • Manually defined membership: Select Manual Group and enter a list of endpoint identifiers, which can be one of the following:
      • Computer names that match the results of the Computer Name sensor. Short forms or alternative names do not work.
      • Fully qualified domain names (FQDNs).
      • IP addresses that match the entries in the Administration > Configuration > Client Status page, Network Location (from server) column.
  6. Review the list of endpoints that are members of the group and click Save.

Export or import computer groups

The following procedures describe how to export and import specific computer groups or all computer groups.

Develop and test content in your lab environment before importing that content into your production environment.

Export computer groups

Export computer groups as a file in one of the following formats:

  • CSV: When you open the file in an application that supports CSV format, it lists the computer groups with the same attributes (columns) as the Computer Groups page displays.

  • JSON: If you are assigned a role with the Export Content permission, you can export computer group configurations as a JSON file to import them into another Tanium Server. The Administrator reserved role has that permission.

Perform the following steps to export computer groups:

  1. From the Main menu, go to Administration > Permissions > Computer Groups.
  2. (Optional, CSV exports only) To add or remove attributes (columns) for the CSV file, click Customize Columns in the grid and select the attributes.
  3. Select rows in the grid to export only specific computer groups. If you want to export all computer groups, skip this step.
  4. Click Export.
  5. (Optional) Edit the default export File Name.

    The file suffix (.csv or .json) changes automatically based on the Format selection.

  6. Select an Export Data option: All computer groups in the grid or just the Selected computer groups.
  7. Select the file Format:

    • List of Computer Groups - CSV
    • Computer Group Definitions - JSON (Administrator reserved role only)

  8. Click Export.

    Tanium Cloud or the Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.

Import computer groups

Users who are assigned a role with Import Signed Content permission can import content files that are in JSON or XML format. The Administrator reserved role has this permission.

  1. (Non-Tanium-provided content only) Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.

    You do not have to generate keys or signatures for Tanium-provided solutions, such as the Default Computer Groups content pack. Tanium signs this content before making it available, and the associated public key is distributed to the Tanium Server key store during the server installation process.

  2. From the Main menu, go to any of the following Administration pages:
    • Configuration > Solutions
    • Permissions > Filter Groups
    • Under Content, select Sensors, Packages, or Saved Questions
    • Under Actions, select Scheduled Actions, All Pending Approvals, or Actions I Can Approve
  3. Select an Import option based on the source of the content:
    • Import > Import Files: Perform one of the following steps to select one or more files:
      • Drag and drop files from your file explorer.
      • Click Browse for File, select the files, and click Open.
    • Import > Import URL: Enter the URL in the Import URL field, and click Import.
  4. For each file, expand the File name, review the content to import, and select resolutions for any conflicts with existing content (see Resolve conflicts when importing updates).
  5. If you want to overwrite existing content set assignments for all imported objects with the default Tanium-defined assignments, select Include content set overwrite. By default, the Include content set overwrite check box is deselected and the Tanium Server preserves the existing content set assignments.
  6. Click Begin Install.

Copy computer group configuration details

Copy information from the Computer Groups page to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Permissions > Computer Groups.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy.
    • Copy cell information: Hover over the cell, click Options, and click Copy.

Delete computer groups

Deleting a computer group involves the following tasks and considerations:

  • Account for user and user group configurations that might reference the computer management group through personas. Be prepared to modify those configurations as needed.
  • Account for other configurations that might have referenced the computer group, such as action groups, scheduled actions, and saved questions. The scheduled actions and saved questions that are configured to target the computer group continue to do so because they do not depend on the computer group ID, just the information that the computer group provided at the time it was created.
  • Endpoints continue to match targeting questions as long as they match the sensor filter expression or manual group ID. The manual group ID obtained during registration is never erased from the Tanium Client configuration, so targeting questions based on a manual group ID continue to match as well.
  • If you intend to stop the scheduled activities (such as scheduled actions and saved questions) that target those computers, you must disable, edit, or delete the corresponding configurations.
  • Deleting a computer management group through the Administration > Permissions > Computer Groups page removes all instances of the group from the Tanium Server even if the group also functions as a filter group. However, if you use the Content > Filter Groups page to delete a filter group that also functions as a management group, the group remains on the server as a management group with filtering disabled.

To delete a filter group, see Delete filter groups.

When you are ready to delete the computer management group, perform the following steps.

  1. From the Main menu, go to Administration > Permissions > Computer Groups.
  2. Select the computer group, click Delete Selected, and click Confirm.