Configuring Investigate

If you did not install Investigate with the Apply All Tanium recommended configurations option, you must enable and configure certain features.

(Tanium Core Platform 7.4.5 or later only) You can set the Investigate action group to target the No Computers filter group by enabling restricted targeting before adding Investigate to your Tanium licenseimporting Investigate. This option enables you to control tools deployment through scheduled actions that are created during the import and that target the Tanium Investigate action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

When you import Investigations with automatic configuration, the following default settings are configured:

The following default settings are configured:

Setting Default value
Action group
  • Restricted targeting disabled (default): All Computers computer group
  • Restricted targeting enabled: No Computers computer group

Install and configure Configure Tanium Endpoint Configuration

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

For information about installing Endpoint Configuration, see Tanium Endpoint Configuration User Guide: Installing Endpoint Configuration.

Optionally, you can use Endpoint Configuration to require approval of configuration changes. When configuration approvals are enabled, Endpoint Configuration does not deploy a configuration change to endpoints until a user with approval permission approves the change. For information about the roles and permissions that are required to approve configuration changes for Investigate, see User role requirements. For more information about enabling and using configuration approvals in Endpoint Configuration, see Tanium Endpoint Configuration User Guide: Managing approvals.

For solutions to Solutions cannot perform configuration changes or tool deployment through Endpoint Configuration on endpoints with action locks turned on, you must enable the Manifest Package Ignore Action Lock and Deploy Client Configuration and Support Package Ignore Action Lock settings. To access these settings, from the Endpoint Configuration Overview page, click Settings and select Global. on. As a best practice, do not turn on action locks. For more information about action locks, see Tanium Console User Guide: Managing action locks.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

Configure Investigate

 

(Optional) Configure the Investigations action group

Importing the Investigate module automatically creates an action group to target specific endpoints. If you did not use automatic configuration or you enabled restricted targeting when you imported Investigate, the action group targets No Computers.

If you used automatic configuration and restricted targeting was disabled when you imported Investigate, configuring the Investigate action group is optional.

Select the computer groups to include in the Investigate action group.

Clear the selection for No Computers and make Make sure that all operating systems that are supported by Investigate are included in the Investigate action group.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Click Tanium Investigate.
  3. Select the computer groups that you want to include in the action group and click Save.
    If you select multiple computer groups, choose an operator (AND or OR) to combine the groups.

(Optional) Configure Investigate for ServiceNow

Investigate provides the ability to integrate activities from ServiceNow.

  1. From the Investigate Overview page, click Settings .

  2. In the ServiceNow Configuration section provide the Host URL, Username, and Password for the ServiceNow environment from which you want to add activities.
  3. Click Submit.

Set up Investigate users

You can use the following set of predefined user roles to set up Investigate users.

To review specific permissions for each role, see User role requirements.

On installation, Investigate creates a Investigate user to automatically manage the Investigate service account. Do not edit or delete the Investigate user.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Investigate Administrator

Assign the Investigate Administrator role to users who manage the configuration and deployment of Investigate functionality to endpoints.
This role can perform the following tasks:

  • View and modify Investigate investigations.
  • Dismiss or reject approvals for Investigate tasks in Tanium Endpoint Configuration.

Investigate Operator

Assign the Investigate Operator role to users who manage the configuration and deployment of Investigate functionality to endpoints.
This role can perform the following tasks:

  • View and modify Investigate investigations.
  • Dismiss or reject approvals for Investigate tasks in Tanium Endpoint Configuration.

Investigate User

Assign the Investigate User role to users who manage the configuration and deployment of Investigate functionality to endpoints but do not need to administer or configure settings for Investigate. This role can perform the following tasks:

  • View connections to remote endpoints.
  • View and modify Investigate investigations.

Investigate Read Only User

Assign the Investigate Read Only User role to users who need visibility into Investigate data.
This role can perform the following tasks:

  • View connections to remote endpoints.
  • View investigations.

Do not assign the Investigate Service Account and Investigate Service Account - All Content Sets roles to users. These roles are for internal purposes only.