Performing monthly maintenance

Monthly maintenance includes reviewing health and performance information for the Tanium Core Platform, Tanium Clients, and Tanium solutions.

For all tasks that provide the option to issue a question in Tanium™ Interact, you can perform additional investigation or remediation on the Question Results page by issuing drill-down questions, opening single endpoint views, or deploying actions. See Tanium Console User Guide: Managing question results.

For tasks that involve viewing reports, you can perform additional investigation or remediation in the Tanium™ Reporting workbench. See Tanium Reporting User Guide: Working with reports.

For tasks that involve viewing Tanium™ Trends boards, you can perform additional investigation in the Trends workbench. See Tanium Trends User Guide: Viewing chart results.

Review Tanium security advisories

Review the security advisories that Tanium publishes to identify and remediate vulnerabilities in Tanium solutions. A Tanium™ Community account is required to perform this task.

  1. In your browser, go to the Tanium Technical Support home page and click Tanium Vulnerabilities.

    For each advisory, the page provides a brief description that indicates the affected solution and provides a link to a page with full details about the associated vulnerability, such as its severity level.

  2. Click each link for vulnerabilities that apply to your licensed solutions and review the vulnerability details.
  3. Apply any Workarounds and Mitigations for the vulnerabilities if solution updates are not available. If updates are available, Tanium Cloud imports them automatically. Perform one of the following tasks:

Review all TPAN findings

  1. Copy the latest Tanium Platform Analyzer (TPAN) report to wherever you store Tanium files for diagnostics. See Tanium Health Check User Guide: Download a TPAN report.
  2. Open the report and select the Findings page.
  3. Review any Critical, High, Medium, or Low findings to decide whether they require:
    • Resolution: Resolve all Critical and High findings. For example, if the report indicates that the Tanium™ Module Server is not connected, you must resolve the issue immediately because numerous Tanium operations depend on that server. Resolve the Medium and Low findings only if appropriate. For example, if the Medium findings indicate that some actions target the Default action group, which includes only the No Computers computer group, those actions do not deploy to endpoints. Reconfiguring the actions to target another action group is required only if deploying them to endpoints is appropriate.
    • Investigation: You might have to see more information about findings before deciding if they require resolution or no action. For example, if the Low findings indicate that the Tanium Server is using a self-signed certificate for securing user access to the Tanium™ Console, you might have to consult your network security team before deciding whether to replace that certificate with one that a certificate authority (CA) has signed.
    • No action: Some findings might be known conditions that you regard as acceptable. For example, if the Low findings indicate that isolated subnets are not defined but you already know that your network does not require isolated subnets, no action is required.
  4. Troubleshoot the findings. See Tanium Core Platform Deployment Reference Guide: Troubleshoot issues during server deployment or solution operations.
  5. Contact Tanium Support for help troubleshooting the findings if necessary.

Review Appliance health

Perform the following tasks if your Tanium deployment uses Appliance infrastructure. If these tasks reveal issues that require resolution, see Tanium Appliance Deployment Guide: Troubleshooting.

Review the Health Check report

The Health Check report provides information on the health of the Appliance operating system, hardware, users, network, services, applications, database replication, RAID security, Postgres SSL, and virtual machine (if applicable).

  1. Run the report. See Tanium Appliance Deployment Guide: Run the Health Check.
  2. Review the output for actionable items, which are summarized at the end of the output.

    For example, the output might indicate that the End User License Agreement (EULA) is not accepted.

Monitor Appliance performance (optional)

See the following tasks in the Tanium Appliance Deployment Guide for the steps to run commands for viewing Appliance performance information:

  • Run a sar command to view statistical information such as CPU load, memory paging, memory utilization, swap usage, and network input/output (I/O).
  • Run the iotop command to view I/O utilization by process.
  • Run the perf-top command to view CPU usage by function.
  • Run the htop command to view detailed information about each running process, such as memory and CPU consumption. The output provides an interface whereby you can navigate among values and tabs by keyboard and mouse.

Review and update global bandwidth throttles

Global throttles limit the bandwidth and the number of concurrent connections that Tanium Cloud, or the Tanium Server or Zone Server, uses to send data to all Tanium Client subnets. Disruptions to Tanium Cloud or server functions might occur if they consume too much bandwidth or do not have enough bandwidth to perform operations at a reasonable speed. Review the global throttles and, if necessary, update them.

For details about global throttles, see Tanium Console User Guide: Bandwidth throttling overview.

  1. Check the delays for global throttles to evaluate the current risk of disruptions to Tanium functions. See Tanium Console User Guide: Verify throttle delays.
  2. Update the global throttles if necessary. See Tanium Console User Guide: Configure global throttles.

Review and update site bandwidth throttles during quarterly maintenance.

Review and import solution updates

Determine whether updates are available for Tanium solutions (modules, shared services, and content-only solutions), and import the updates if appropriate. The best practice is to import solution updates as soon as they become available. However, in certain cases, you might need to delay updates for some solutions while importing others immediately. For example, your organization might have a policy that mandates testing each update in a lab environment before importing it into a production environment.

To review and import solution updates, see Tanium Console User Guide: Import or update specific solutions.

Review and remediate Tanium™ API Gateway issues

  1. Verify that API tokens have not expired. See Tanium Console User Guide: View API token details.
  2. Verify whether any API tokens are due for rotation based on the policy of your organization. See Tanium Console User Guide: Rotate an API token.
  3. Revoke any API tokens that are no longer needed. See Tanium Console User Guide: Revoke API tokens.
  4. Check for deprecated fields and, if necessary, update the integration scripts that use them. See Tanium API Gateway User Guide: Reference: Deprecated fields.
  5. To investigate and remediate API Gateway issues, see Tanium API Gateway User Guide: Troubleshooting API Gateway.

Review and remediate Tanium™ Asset issues

Review Tanium source imports

  1. From the Main menu, go to Modules > Asset > Overview.

  2. Scroll to the Health dashboard to see load time metrics for source data that Asset imports.
  3. To investigate load time issues, click Load Time to view the import schedules.
  4. For any jobs with failed runs (Error), click Edit, set the Log Level to Trace, and click Update.
  5. To troubleshoot source imports, see Tanium Asset User Guide: Troubleshoot asset data exports and imports.

Review the status of import and export jobs

  1. From the Main menu, go to Modules > Asset > Overview and scroll to the Activity dashboard.

    The dashboard shows the status of import and export jobs.

  2. Select each of the Recent & Upcoming Jobs and check the status of finished jobs for both Yesterday and Today. If all the jobs have the Success status, no troubleshooting is necessary.
  3. From the Asset menu, go to Inventory Management > Schedules to see more information about the last completed run for each job in the Import Schedules and Export Schedules tabs.
  4. For any jobs with failed runs (Error), click Edit, set the Log Level to Trace, and click Update.
  5. To troubleshoot failed jobs, see Tanium Asset User Guide: Troubleshoot asset data exports and imports.

Review reports

  1. From the Asset menu, go to Reports and check the Status of the reports.

    If all the reports are enabled (Success), no troubleshooting is necessary.

  2. For any custom reports that have disabled or missing attributes (columns), indicated by the Disabled status, click Edit, correct the report configuration as necessary, and click Submit.

If you see a report timeout error message when viewing a report, see Tanium Asset User Guide: Troubleshoot reports.

Review views

  1. From the Asset menu, go to Views and check the Status of the views.

    If all the views are enabled (Success), no troubleshooting is necessary.

  2. For any custom views that have disabled or missing attributes (columns), indicated by the Disabled status, click Edit, correct the view configuration as necessary, and click Submit.

Review and remediate Tanium™ Benchmark issues

  1. From the Main menu, go to Modules > Benchmark > Risk > Risk Health.

  2. Review the Risk Coverage and Risk Vector Calculation Issues panels.

  3. If the panels indicate endpoints need attention, see Tanium Benchmark User Guide: Monitor and troubleshoot Risk health.

Review and remediate Tanium™ Certificate Manager issues

  1. From the Main menu, go to Modules > Certificate Manager > Overview.
  2. In the Overview section, review the Certificate Manager Coverage panel for endpoints with the Needs Attention status.
  3. To investigate issues, see Tanium Certificate Manager User Guide: Monitor and troubleshoot Certificate Manager Coverage.
  4. To troubleshoot other Certificate Manager issues, see Tanium Certificate Manager User Guide: Troubleshooting Certificate Manager.

Review and remediate Tanium Client issues

Perform the following tasks to review the state of the Tanium Clients running on endpoints, as well as client communication and registration with Tanium Cloud or with Tanium Servers and Zone Servers. If you observe client issues that require resolution, see Tanium Client Management User Guide: Troubleshooting Tanium Clients and Client Management.

Review and remediate Tanium Client health and client extension issues

  1. From the Main menu, go to Administration > Shared Services > Client Management.

  2. From the Client Management menu, select Client Health and click the Deployment tab to review the Health Failures panel. This panel shows failures associated with Tanium™ Client Extensions. Perform the remaining steps if you need to troubleshoot client extension issues.
  3. Click Interact in the Health Failures panel to display the question results that provide the panel data.

  4. Retrieve any additional details from endpoints that you need to diagnose client extension issues. See Tanium Console User Guide: Managing question results.
  5. To resolve client extension failures, see the following sections:

Review and adjust the distribution of Tanium Client registration traffic

Tanium Clients must register with a Tanium™ Cloud Client Edge, or with a Tanium Server or Zone Server, for the client hosts to function as managed endpoints. As clients and client subnets are added to or removed from your network, you might have to update connections to Client Edge URLs or client-server connections to optimize registration traffic.

Each Tanium Client connects to only one Tanium Cloud Client Edge, or one Tanium Server or Zone Server, at a time. However, to avoid a single point of failure, you can configure the ServerNameList setting with a list of Client Edge URLs or servers to which the client can attempt a connection. The Client Edge URLs are available in the Tanium™ Cloud Management Portal (CMP). For more information, see Tanium Cloud Deployment Guide: Getting started with Tanium Cloud.

For details about Client Edge URLs or client-server connections, see Tanium Client Management User Guide: Configuring connections to the Tanium Core Platform.

To determine which Client Edges or servers are processing client registrations and, if necessary, to rebalance registration traffic among them:

  1. From the Main menu, go to Administration > Shared Services > Client Management.
  2. From the Client Management menu, select Client Health and click the Settings tab.
  3. Scroll to the ServerNameList setting to determine whether clients are connecting to the correct Client Edges or servers and that the list is the same for all clients.
  4. Review the ServerName setting to verify that client connections are balanced among Client Edges or Zone Servers.
  5. Deploy actions with packages that reset the ServerNameList settings if necessary to ensure that all clients target the same, correct list of Client Edge URLs, or to connect clients to different servers. See Tanium Client Management User Guide: Content for configuring connections to Tanium Cloud. To verify that clients can connect to Client Edges, see Tanium Cloud Deployment Guide: Step 5: Deploy Tanium Client.
  6. Add Zone Servers if necessary to rebalance client registration traffic and then repeat step 5 to connect clients to those servers. See the procedure for your Tanium infrastructure:

Review and update Tanium Client logging levels

Tanium Clients generate logs that can help you troubleshoot issues. Higher logging levels record more details about events on clients but also consume more client resources. The default logging level is 1. Review client logging levels and adjust them if necessary to ensure new endpoints that join your network have optimal logging levels.

Set the logging level to 0 (logging disabled) for clients that run on sensitive endpoints, endpoints with limited resources, or virtual desktop infrastructure (VDI) endpoints.

For details about logging levels, see Tanium Core Platform Deployment Reference Guide: Logging levels.

For Tanium™ Client Containers, the default logging level is 10 and you cannot change it through actions. Contact Tanium Support to change the logging level on Client Containers.

For details about logs on Tanium Clients, see Tanium Client Management User Guide: Troubleshooting Tanium Clients and Client Management.

  1. From the Client Management menu, go to Client Health and click the Settings tab.

    If the logging level is set to a value other than the default 1 on any clients, the LogVerbosityLevel setting displays the Count of clients for each value. If all clients have the default value, the page does not display the setting.

    To verify that the logging level is set to the best practice value 0 for clients on VDI endpoints, select All Virtual Machines in the Computer Group drop-down.

  2. To update the logging level on clients, see Tanium Client Management User Guide: Managing client settings and configurations in Client Management.

Review and update Tanium Client settings

  1. From the Client Management menu, go to Client Health and click the Settings tab.
  2. Verify that the setting values are correct and that the Count column indicates they apply to the expected number of clients.
  3. To update settings, see Tanium Client Management User Guide: Managing client settings and configurations in Client Management.

Review and upgrade Tanium Client versions

The best practice is to run the latest Tanium Client version on all endpoints. However, in certain cases, temporarily running earlier client versions might be acceptable for some endpoints. For example, if you are rolling out client upgrades in phases, one group of endpoints at a time, you might want to finish testing the upgrade for the first phase before upgrading more endpoints in the next phase. Endpoints might also run an earlier client version if the upgrade process failed.

For details about client versions, see Tanium Client Management User Guide: Client version and host system requirements.

Determine which endpoints are running a client that is not at the latest version and decide whether to accept the earlier versions or upgrade the clients:

  1. From the Main menu, go to Administration > Client Management.

  2. Scroll to the Health dashboard to see the Client Version panel.
  3. If any endpoints are running an earlier client version, click the Client Version title and then click Interact in the Client Version panel to display the question results that provide the panel data.

  4. Retrieve any details from endpoints that you need to determine whether the versions are appropriate, upgrades are required, or upgrades failed.

    For example, select a Filter by Computer Group option (such as All Windows) or issue a drill-down question. For the steps to retrieve additional details, see Tanium Console User Guide: Managing question results.

  5. Upgrade the client on any endpoints that require the latest version. See Tanium Client Management User Guide: Upgrading Tanium Clients.
  6. Troubleshoot client upgrade issues if necessary. See Tanium Client Management User Guide: Troubleshooting Tanium Clients and Client Management.

Review and update Tanium Client subnets

Separated subnets, intentional subnets, and isolated subnets provide methods for modifying the default peering behavior of Tanium Clients. Default peering settings define the boundaries of client subnets in the Tanium linear chain architecture. As subnets are added to or removed from your network, you might have to update the client subnet configurations. For example, add isolated subnets for any new virtual private networks (VPNs).

For details about client peering and subnets, see Tanium Client Management User Guide: Configuring Tanium Client peering.

Review and update isolated subnets

Configure isolated subnets for Tanium Clients that are in VPNs. VPN clients have local IP addresses in a special VPN address block, but their host endpoints are actually not close to each other. If VPN clients are not isolated, they use WAN links for peering and latency is significantly greater than for client-to-server connections.

  1. Go to Administration > Configuration > Subnets and review the Isolated Subnets. If necessary, consult your networking team to determine if the configurations require updates.
  2. Update isolated subnet configurations if necessary. See Tanium Client Management User Guide: Configure isolated subnets.

Review and update separated subnets

Configure separated subnet configurations to apply more granular subnet boundaries for Tanium linear chains than the default boundaries.

  1. Go to Administration > Configuration > Subnets and review the Separated Subnets. If necessary, consult your networking team to determine if the configurations require updates.
  2. Update separated subnet configurations if necessary. See Tanium Client Management User Guide: Configure separated subnets.

Review and update intentional subnets

In a network configuration that uses network address translation (NAT), you might have to configure intentional subnets to ensure that clients in the same subnet can peer with each other.

  1. From the Main menu, go to Administration > Configuration > Client Status.

    The Network Location (from client) values indicate which clients are in the same subnet based on the AddressMask setting. See Tanium Client Management User Guide: AddressMask.

    The Network Location (from server) column indicates the NAT IP addresses of clients.

  2. Select the endpoints that are in the same subnet but are not peering because their NAT IP addresses differ.

  3. Click Export, set the Format to List of Clients - CSV, and click Export.
  4. Go to Administration > Configuration > Subnets and compare the Intentional Subnets configurations to the exported list of clients.
  5. Update the intentional subnet configurations if necessary to enable peering among clients in the same subnets. See Tanium Client Management User Guide: Configure intentional subnets.
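
The comparison in steps 2 to 5 can be run over the exported client list, as in this added example (not from the Tanium documentation). The export layout, the Computer Name column, the /24 mask, the CIDR form of the Intentional Subnets entries, and the rule that an entry covers a group when it contains the group's client-reported network are assumptions; all sample data is constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample of a "List of Clients - CSV" export. The two Network
# Location column names come from the Client Status page; the exact export
# layout and the Computer Name column are assumptions for this example.
SAMPLE_EXPORT = """\
Computer Name,Network Location (from client),Network Location (from server)
branch-a-01,10.20.30.11,198.51.100.7
branch-a-02,10.20.30.12,203.0.113.9
branch-a-03,10.20.30.13,198.51.100.7
hq-01,10.1.1.21,10.1.1.21
hq-02,10.1.1.22,10.1.1.22
lab-01,172.16.5.10,192.0.2.40
lab-02,172.16.5.11,203.0.113.77
store-01,10.50.0.5,198.51.100.80
"""

# Constructed stand-in for the Intentional Subnets configuration, assumed to
# hold one CIDR range per entry.
SAMPLE_INTENTIONAL_SUBNETS = ["172.16.5.0/24"]

# Assumed AddressMask expressed as an IPv4 prefix length; substitute the
# value that your clients actually use.
ADDRESS_MASK_PREFIX = 24


def network_of(address, prefix):
    """Return the network that contains address under the given prefix length."""
    return ipaddress.ip_network(f"{address.strip()}/{prefix}", strict=False)


def find_split_subnets(export_text, prefix=ADDRESS_MASK_PREFIX):
    """Find client-reported subnets whose members appear split to the server.

    Clients are grouped by the network of their client-reported address.
    A group is reported when its server-side (NAT) addresses fall into more
    than one network under the same mask, which this example treats as
    "NAT IP addresses differ".
    Returns {client_subnet_cidr: [computer names]}.
    """
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        local_net = network_of(row["Network Location (from client)"], prefix)
        nat_net = network_of(row["Network Location (from server)"], prefix)
        groups[local_net].append((row["Computer Name"], nat_net))

    split = {}
    for local_net, members in groups.items():
        nat_nets = {nat for _, nat in members}
        if len(nat_nets) > 1:
            split[str(local_net)] = sorted(name for name, _ in members)
    return split


def uncovered(split, intentional_subnets):
    """Return the split subnets that no configured intentional subnet contains."""
    configured = [
        ipaddress.ip_network(entry.strip(), strict=False)
        for entry in intentional_subnets
    ]
    result = {}
    for cidr, names in split.items():
        net = ipaddress.ip_network(cidr)
        covered = any(
            net.version == c.version and net.subnet_of(c) for c in configured
        )
        if not covered:
            result[cidr] = names
    return result


if __name__ == "__main__":
    split = find_split_subnets(SAMPLE_EXPORT)
    for cidr, names in uncovered(split, SAMPLE_INTENTIONAL_SUBNETS).items():
        print(f"{cidr}: no intentional subnet covers {', '.join(names)}")
```

Subnets that the script reports are candidates to raise with your networking team before you change the Intentional Subnets configuration.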

Review and remediate Tanium™ Comply issues

  1. From the Main menu, go to Modules > Comply > Overview.

  2. Scroll to the Health dashboard to review any Comply health check errors on endpoints.

    The Comply Health Checks panel shows a bar for each type of error, such as outdated tools, scan failures, or insufficient disk space. The number above each bar indicates how many endpoints are affected.

  3. To investigate a health check error, click the number above the error bar. Tanium Cloud or the Tanium Server issues a question that returns the computer name, operating system, IP address, coverage status, and client extensions status for the affected endpoints.
  4. To troubleshoot health check errors, see Tanium Comply User Guide: Reference: Common errors.

Review and update Comply assessments and configurations during quarterly maintenance.

Review and remediate Tanium Connect issues

Review and remediate connection issues

  1. Check for connection failures:
    • If you configured a failed connections report with automatic delivery, access the report at the specified destination. See Configure a failed connections report.

      If you do not have the authority to delete or disable connections that are no longer required, also configure delivery of the report to a team in your organization that has the authority.

    • To manually review connection failures, see Tanium Connect User Guide: View connection status.

      If the list of connections is long, click the Failed toggle to show only failed connections.

  2. Review connection throughput metrics to check for issues. See Tanium Connect User Guide: View connection metrics.
  3. Troubleshoot connection issues if necessary. See Tanium Connect User Guide: Troubleshooting.
  4. Edit connections if necessary to resolve failures. See Tanium Connect User Guide: Edit connections.
  5. Delete or disable connections that are no longer required if you have the authority to perform those actions:
    1. From the Main menu, go to Modules > Connect > Connections.
    2. Select the connections that require an action and select Actions > Disable or Actions > Delete.

Review and remediate connection schedules

  1. From the Connect menu, go to Connections.

    Perform the remaining steps for each connection.

  2. Click the connection Name to show all its details.
  3. Verify that the Schedule and Next Run show the expected values.
  4. If you must change the schedule, click Edit, update the Schedule settings, and click Save or Save and Run.

Review and update connection owners

  1. From the Connect menu, go to Connections.

    Perform the remaining steps for each connection.

  2. Click the connection Name to show all its details.
  3. Verify that the connection Owner (user account) and persona (Run as Persona) are still valid.

    When you delete a user or persona, connections that the user or persona owns stop running. If this occurs, perform one of the following tasks:
    1. Verify that the user account is active. See Tanium Console User Guide: View user settings.
    2. If an alternative persona runs the connection, verify that the persona still exists. See Tanium Console User Guide: View persona details.
    3. Verify that the owner has the role permissions that are required to run the connection:
  4. Verify that the user password is compliant with the password rotation policy of your organization.

Review and remediate destination issues

  1. From the Connect menu, go to Connections.

    Perform the remaining steps for each connection.

  2. Click the connection Name to show all its details.
  3. Verify that the Destination settings are correct.
  4. If you must change the settings, click Edit, update the settings, and click Save or Save and Run.
  5. Verify that the destination (such as a server) is available and running without issues.
  6. Verify that the destination certificates are still valid.

Review and remediate Tanium™ Criticality issues

To monitor and troubleshoot Criticality health issues, see Tanium Criticality User Guide: Troubleshooting Criticality.

Review and remediate Tanium Deploy issues

Review and remediate Deploy coverage

  1. From the Main menu, go to Modules > Deploy > Overview.

  2. Scroll to the Health dashboard to verify that the Deploy process is running on all endpoints.

  3. To investigate endpoints that are not running the process, click the number above False in the Running Deploy panel. Tanium Cloud or the Tanium Server opens the Deploy - Endpoint Deployment Process Running report for the affected endpoints.

  4. To investigate Deploy coverage issues, scroll up to the Summary dashboard and click the number above Needs Attention in the Deploy Coverage panel. Tanium Cloud or the Tanium Server opens the Deploy - Coverage Status Details report for the affected endpoints.

  5. To troubleshoot issues related to the Deploy process or coverage, see Tanium Deploy User Guide: Troubleshoot Deploy Process Not Running.

Remove unused Deploy software packages

  1. Go to Modules > Deploy > Software.

  2. Review the Software Packages and delete unused packages.

    For example, delete software packages that are not the latest version or software that you are no longer using. For more information, see Tanium Deploy User Guide: Managing software.

Stop unneeded ongoing deployments

  1. Go to Modules > Deploy > Deployments > Active.

  2. Review the deployments and stop any deployments that are no longer needed.

Review and remediate Tanium™ Direct Connect issues

To troubleshoot connection or screen sharing issues for Direct Connect, see Tanium Direct Connect User Guide: Troubleshooting Direct Connect.

Review and remediate Tanium™ Directory Query issues

  1. From the Main menu, go to Administration > Shared Services > Directory Query.
  2. Review the Domains grid for errors. Hover over an Error icon to display a popup with the error message.
  3. To troubleshoot errors, see Tanium Directory Query User Guide: Troubleshooting satellite configuration.

Review and remediate Tanium Discover issues

  1. From the Main menu, go to Modules > Trends > Boards.

  2. Click the Discover - Module Health board and review the panels for resource usage issues.
  3. To troubleshoot resource usage issues, see Tanium Discover User Guide: Troubleshooting Discover.

Review and remediate Tanium™ Endpoint Configuration issues

Review and remediate tools deployment

  1. From the Main menu, go to Administration > Shared Services > Endpoint Configuration.

  2. Review the deployment status of tools:
  3. To troubleshoot deployment issues for tools, see Tanium Endpoint Configuration User Guide: Identify and resolve issues with endpoint tools or client extensions.

Verify whether endpoints have the latest manifest

Verify that endpoints have the latest Endpoint Configuration manifest, which is a file that determines the versions of solution tools to install on endpoints. If endpoints do not have the latest manifest because of action locks or some other issue, the endpoints do not install the latest tools versions.

  1. From the Endpoint Configuration menu, go to the Overview page, and note the Manifest Revision (version) in the Summary section.
  2. Go to the Tanium Home page and ask the following question:

    Get Endpoint Configuration - Manifest Metadata?maxAge=60 and Action Lock Status from all machines

    The manifest changes whenever a configuration or tool change occurs. Therefore, use the maxAge=60 option for the Manifest Metadata sensor to ensure that you retrieve the latest data from endpoints.

    Sort the Question Results grid by Revision to list the versions in descending numerical order, which makes it easier to identify endpoints with an earlier manifest version.

  3. If the Question Results indicate Action Lock Status is on for some endpoints that do not have the latest manifest:

    1. Consult whoever turned on the action locks to verify that it is now safe to run actions on those endpoints.

    2. Disable action locks on the endpoints that require an updated manifest. See Tanium Console User Guide: Turn off action locks. Perform one of the following tasks:
  4. Update the manifest on any endpoints that require an updated version.

Update the manifest

Windows and non-Windows endpoints require separate packages to update the manifest. Therefore, perform the following steps for each type of endpoint:

  1. Go to the Tanium Home page and ask the following question:

    Get Endpoint Configuration - Manifest Metadata?maxAge=60 from all machines

  2. Select the endpoints that have an outdated manifest and click Deploy Action.

  3. Select the Deployment Package that matches the target endpoints:
    • Windows endpoints: Endpoint Configuration - Manifest [Windows] (v. <latest_manifest_version>)
    • Non-Windows endpoints: Endpoint Configuration - Manifest [Non-Windows] (v. <latest_manifest_version>)
  4. Configure the remaining action settings and deploy the action. See Tanium Console User Guide: Deploying actions.

If the manifest update fails, investigate environmental factors, such as security exclusions, file locks, CPU usage, RAM usage, and disk failures. Contact Tanium Support for additional help.

Review and remediate Tanium™ End-User Notifications coverage

  1. From the Main menu, go to Administration > Shared Services > End-User Notifications.

  2. Scroll to the Health dashboard to verify whether the latest End-User Notifications tools are installed and active on all endpoints.
  3. To investigate endpoints that do not have the latest tools installed, click the number above No or Unsupported. Tanium Cloud or the Tanium Server issues a question that returns the computer name, operating system, IP address, tools installation status, and installed tools version.

  4. To troubleshoot installation issues for End-User Notifications tools, see Tanium End-User Notifications User Guide: Problem: End user notifications are not displayed.

Review and remediate Tanium™ Enforce coverage

  1. From the Main menu, go to Modules > Enforce > Overview.

  2. Scroll to the Health dashboard to verify whether Enforce tools are installed and active on all endpoints.
  3. To investigate endpoints that do not have Enforce tools installed, click the number above Not Installed. Tanium Cloud or the Tanium Server issues the following question:

    Get?forceComputerIdFlag=1 Endpoint Configuration - Tools Status?ignoreCase=0&maxAge=600 contains Enforce from all machines

  4. To troubleshoot installation issues for Enforce tools, see Tanium Enforce User Guide: Monitor and troubleshoot Enforce coverage status (% of total).

Review and remediate Tanium™ Feed issues

To monitor and troubleshoot Feed health issues, see Tanium Feed User Guide: Troubleshooting Feed.

Review and remediate Tanium Health Check issues

To monitor and troubleshoot Health Check issues, see Tanium Health Check User Guide: Troubleshooting Health Check.

Review and remediate Tanium™ Impact coverage

  1. From the Main menu, go to Modules > Trends > Boards.
  2. Click the Impact board and review the Impact Coverage Status panel for endpoints with the following status:
    • Needs Attention: Python tools that are required for Impact sensors are not installed.
    • Unsupported: Impact does not support the operating system.
  3. To investigate endpoints that need attention, click the Needs Attention bar in the chart and select View Current Endpoint Details filtered by Needs Attention. Tanium Cloud or the Tanium Server issues the following question:

    Get Computer Name and Operating System and IP Address and Impact - Coverage Status equals Needs Attention from all machines with Impact - Coverage Status equals Needs Attention

  4. To investigate endpoints that do not support Impact, click the Unsupported bar in the chart and select View Current Endpoint Details filtered by Unsupported. Tanium Cloud or the Tanium Server issues the following question:

    Get Computer Name and Operating System and IP Address and Impact - Coverage Status equals Unsupported from all machines with Impact - Coverage Status equals Unsupported

  5. To troubleshoot Impact coverage, see Tanium Impact User Guide: Monitor and troubleshoot Impact Coverage.

Review and remediate Tanium Interact issues

To troubleshoot Interact issues, see Tanium Interact User Guide: Troubleshooting Interact.

Review and remediate Tanium™ Patch issues

Review Patch coverage, scan configurations, deployments, and maintenance windows. Update the configurations if necessary.

Review and remediate Patch coverage

  1. From the Main menu, go to Modules > Patch > Overview.

  2. Scroll to the Health dashboard to verify that the Patch process is running on all endpoints.
  3. To investigate endpoints that are not running the process, click the number above No or Error in the Running Patch panel. Tanium Cloud or the Tanium Server issues a question that returns the computer name, operating system, IP address, and Patch process status for the affected endpoints.

  4. To investigate Patch coverage issues, click the number above Needs Attention in the Patch Coverage panel. Tanium Cloud or the Tanium Server issues a question that returns the computer name, operating system, IP address, and Patch coverage status details for the affected endpoints.

    You can also see this information in the predefined Patch Coverage Status report, which is available in the Tanium Reporting workbench.

  5. To troubleshoot issues related to the Patch process or coverage, see Tanium Patch User Guide: Monitor and troubleshoot Patch coverage.

Review and update scan configurations

  1. From the Patch menu, go to Scan Management.

  2. Review the Scan Configurations for each operating system (OS) to verify that they conform to the practices of your organization.
  3. Select the Tanium Scan for Windows tab and click Edit.
  4. Review the Products to Include in Scan, add any products that you want to include, and click Submit.
  5. From the Main menu, go to Modules > Trends > Boards and click the Patch board.

  6. Review the Days Since Last Patch Scan and Scan Errors - Last 7 Days panels for any errors. Click a panel name to see more details.
  7. Troubleshoot scan errors if necessary. See Tanium Patch User Guide: Troubleshooting Patch.
  8. Edit scan configurations if necessary to resolve errors. See Tanium Patch User Guide: Edit a scan configuration.
  9. Delete scan configurations if any are no longer useful. See Tanium Patch User Guide: Delete a scan configuration.

Review and update deployments

  1. From the Patch menu, go to Deployments.
  2. Review the deployments to determine if any are misconfigured, no longer useful, or do not comply with the practices of your organization.

    For example, if the number of targeted endpoints is low relative to the number of deployments, you might be able to make the patching process more efficient by configuring fewer deployments to target more endpoints.

  3. Check the deployment summaries for error messages. See Tanium Patch User Guide: Review deployment summary.
  4. From the Main menu, go to Modules > Trends > Boards and click the Patch board.

  5. Review the panels in the Summary, Missing Patches, and SLA Based Compliance Reporting sections for any errors. Click a panel name to see more details.
  6. Troubleshoot deployments if necessary. See Tanium Patch User Guide: Troubleshooting.
  7. Add targets to the deployments if necessary to resolve errors. See Tanium Patch User Guide: Add targets to an existing deployment.

    For an existing deployment, you cannot perform edits other than adding targets.

  8. Stop any deployments that are no longer useful. See Tanium Patch User Guide: Stop a deployment.

Review and update maintenance windows

  1. From the Patch menu, go to Deployments.
  2. Review the maintenance windows to determine if any are misconfigured or no longer useful.

    For example, maintenance windows that have end dates in the past are useful only as blocking maintenance windows. See Tanium Patch User Guide: Setting maintenance windows.

    Deployments can run anytime if no maintenance windows are configured. If you imported Patch with default settings, it provides predefined maintenance windows that are not enforced on any computer groups. See Tanium Patch User Guide: Configuring Patch.

  3. From the Main menu, go to Modules > Trends > Boards and click the Patch board.

  4. If the Endpoints Missing Critical or Important Patches Released Over 30 Days Ago panel shows a higher than expected number, check whether maintenance windows are a contributing factor. See Tanium Patch User Guide: Monitor and troubleshoot mean time to patch.
  5. Edit maintenance windows if necessary to resolve issues. See Tanium Patch User Guide: Edit a maintenance window.
  6. Remove any maintenance windows that are no longer useful. See Tanium Patch User Guide: Delete a maintenance window.

Review and remediate Tanium™ Performance coverage

  1. From the Main menu, go to Modules > Performance > Overview.

  2. Scroll to the Health dashboard to verify that Performance tools are installed on all endpoints and to review which profiles are applied to endpoints.
  3. To investigate endpoints that do not have Performance tools installed, click the number above Needs Attention or Unsupported in the Performance Coverage panel. Tanium Cloud or the Tanium Server issues a question that returns the computer name, operating system, IP address, and Performance coverage status for the affected endpoints.

    You can also issue the question Get Performance - Configured from all machines through the Ask a Question field in Interact and then drill down on results to investigate endpoints that have issues with Performance tools or configuration. See Managing question results.

  4. To review the status, priority, and endpoint targeting of all profiles, click Active Profiles. See Tanium Performance User Guide: Managing profiles.
  5. To review the entire configuration of a specific profile, click its name in the Active Profiles panel.
  6. To troubleshoot installation issues related to Performance tools or profiles, see Tanium Performance User Guide: Monitor and troubleshoot Performance coverage.

Review and remediate Tanium™ Provision coverage

  1. From the Main menu, go to Modules > Provision > Overview.
  2. Scroll to the Health dashboard to verify that the Provision service is running as expected (Healthy) on Provision endpoints.
  3. If the Health dashboard indicates that the Provision service is not running on Provision endpoints:
    1. Click Provision Endpoints to see details about the service status and versions for all Provision endpoints.
    2. To see additional details about a particular endpoint, click Additional Data beside that endpoint.
  4. To investigate deployment issues, see Tanium Provision User Guide: Monitor a deployment.
  5. To troubleshoot other Provision issues, see Tanium Provision User Guide: Troubleshooting Provision.

Review and remediate Tanium™ Reporting issues

To monitor and troubleshoot Reporting health issues, see Tanium Reporting User Guide: Troubleshooting Reporting.

Review and remediate Tanium™ Reputation issues

  1. From the Main menu, go to Modules > Trends > Boards.
  2. Click the Reputation board and review the panels for issues that need attention.
  3. If the Failed Outbound API Requests panel displays failures, verify that the reputation sources are configured correctly. See Tanium Reputation User Guide: Configuring reputation sources.
  4. If data shows up faster in the Inbound Items panel than in the Outbound Items panel and the Outbound Processing Queue panel is consistently high, configure the reputation sources to send fewer hashes by lowering the Maximum Hashes Processed Per Day value.
  5. To troubleshoot other Reputation issues or collect logs for a support package, see Tanium Reputation User Guide: Troubleshooting Reputation.

Review and remediate Tanium™ Reveal issues

  1. From the Main menu, go to Modules > Reveal > Overview.

  2. Scroll to the Health dashboard to review:

    • Reveal Coverage: To investigate endpoints that do not have Reveal tools installed, click the number above Needs Attention. Tanium Cloud or the Tanium Server issues a question that returns the computer name, operating system, IP address, and Reveal coverage (installation) status for the affected endpoints. See Tanium Reveal User Guide: Monitor and troubleshoot Reveal coverage.

    • Endpoint Status: To investigate endpoints that have issues related to Reveal operations, click Attention Needed. Tanium Cloud or the Tanium Server issues a question that returns the computer name, operating system, IP address, and Reveal tools status for the affected endpoints. See Tanium Reveal User Guide: Remediating "Needs Attention" messages from Reveal Status.

    • Scan Failure: To investigate endpoints that have Reveal scan errors in the last 30 days, click Scan Failure to issue a question that returns the scan status for the affected endpoints. To investigate endpoints that have errors within another interval, click the interval (such as <1 hour) in the Scan Failure panel to issue a question that returns the computer name, operating system, IP address, and scan status for endpoints within that interval.

    • Data Size: To review the storage that Reveal consumes on endpoints, click Data Size to issue a question that returns data size values. To review endpoints on which Reveal consumes storage within a specific range, click that range (such as 100-500 MB) in the Data Size panel to issue a question that returns the computer name, operating system, and IP address for the matching endpoints.

    • Undersized Reveal Databases: To investigate endpoints on which Reveal tools have dropped files, click True to issue a question that returns the computer name, operating system, and IP address for the affected endpoints. See Tanium Reveal User Guide: Remediating "Needs Attention" messages from Reveal Status.

Review and remediate Tanium™ Threat Response issues

  1. From the Main menu, go to Administration > Shared Services > Client Management.

  2. From the Client Management menu, select Client Health and click the Deployment tab.
  3. Review the Health Failures panel for issues that relate to Threat Response domains:
    • dec (Direct Connect)
    • index (Tanium Index)
    • recorder (Tanium Recorder)
    • stream (Tanium™ Stream)
    • threatresponse (Tanium™ Threat Response Client Extension)
  4. Investigate health failures and review the status and configurations of endpoint tools for Threat Response, including:
    • Non-default configuration settings on clients
    • Tools versions
    • Client extension versions
    • (Windows only) Tanium™ Driver status and version
    • Berkeley Packet Filter (BPF) support

    For the specific steps, see Tanium Threat Response User Guide: Get Threat Response endpoint tools status and configurations.

  5. From the Main menu, go to Modules > Threat Response > Overview.

  6. Scroll to the Metrics panel and check the Threat Response Coverage.
  7. If the Coverage is lower than expected, investigate and remediate coverage as described under Tanium Threat Response User Guide: Monitor and troubleshoot Threat Response coverage. If coverage issues might result from missing or misconfigured Threat Response profiles, click the Coverage value to open the Profiles page and review profile configurations. For details about profile issues, see Tanium Threat Response User Guide: My device has no profile or the wrong profile.
  8. To investigate and remediate other Threat Response issues, see the following sections in the Tanium Threat Response User Guide:

Review and remediate Tanium™ Trends issues

To troubleshoot Trends issues, see Tanium Trends User Guide: Troubleshooting Trends.