Configuring profiles

Profiles define events for targeted computer groups. For each profile, configure event rules and select the target computer groups to which the event rules apply.

Profiles and the event rules that they contain do not determine what data is collected on endpoints. The same data is monitored on all endpoints that a profile targets. Profiles determine which conditions on the endpoint generate a negative performance event.

Minimize the total number of profiles in your environment. For example, you might want to have two profiles: one for standard workstations and one for high-profile workstations because you want to set stricter thresholds for the heuristics on high-profile workstations. As a best practice, do not create multiple profiles with the same event rules and thresholds as a way to organize the endpoints that you are monitoring. Instead, on the Events page, you can filter results by computer groups to analyze the data.

In Performance 1.3.0 and later, you can configure Retention Settings to specify the Database maximum size and Database maximum days. Profiles created in Performance 1.2.1 and earlier do not include this setting. After you upgrade to Performance 1.3.0 or later, you can add this setting to a profile that you created in an earlier version by editing the profile, specifying the Retention Settings, and saving the profile.

If you enabled configuration approvals in Endpoint Configuration, profile changes must be approved in Endpoint Configuration before they deploy to endpoints.

Create a profile

  1. From the Performance menu, go to Profiles > Create New Profile.
  2. In the Details section, specify the Profile Name and optional Description.
  3. In the Target section, select the computer groups to which the event rules in the profile apply.

    Ensure that the computer groups in your profiles cover all of your endpoints.

    Manual computer groups are not supported. For more information, see Tanium Core Platform User Guide: Managing computer groups.

  4. In the Retention Settings section, specify the Database maximum size and Database maximum days.

    These settings determine the maximum amount of space that the Performance database can use on the endpoint and the maximum number of days of historical data that can be stored on an endpoint.

    • The data storage on the endpoint is limited by size or by time, whichever is reached first.
    • The database maximum size setting limits only the size of the metrics time-series database. Due to the overhead of tools and other supporting files, the total storage used will be slightly higher than this value.
    • The minimum allowed value for the Database maximum size is 100 MB and the minimum allowed value for the Database maximum days is 1 day. The default values are 1000 MB and 15 days.
  5. In the Event Rules section, all event rules are selected by default: Application Crashes, Available Memory, CPU Critical, Disk Capacity, Disk Latency, and System Crashes. Clear the selection for any event rules that you do not want to monitor.
  6. Select and configure the heuristics for each event rule, and click Save.

    For more information, see Reference: Event Rules.

When you save a profile, the changes are sent to Endpoint Configuration to distribute the profile to endpoints. The profiles should be distributed within an hour, and metric monitoring and collection begins after the profile is placed on an endpoint. Any events that occur on the targeted endpoints based on the configured profile appear on the Events page. For more information, see Analyzing events.

Set the priority of profiles

All profiles are exclusive, meaning that only one profile can be in effect on an endpoint at a given time. If you target multiple profiles with the same event rules to a particular endpoint, Performance must resolve the conflict to decide which profile to apply.

If two or more profiles target an endpoint with the same event rules, only the highest priority profile is applied.

Set the prioritization of profiles to determine which profile is applied if a conflict exists. The Profiles page shows the current priority for each profile.

  1. From the Performance menu, go to Profiles > Prioritize Profiles.

    The Prioritize Profiles button appears only when you have two or more profiles configured.

  2. Drag and drop the profiles into the order that you want. The profile with the highest priority is at the top of the list. Click Save.

Modify a profile

  1. From the Performance menu, select Profiles.
  2. Click the name of the profile that you want to edit.
  3. Modify the profile.
    1. Edit existing event rules as needed.
    2. Clear the selection for an event rule to delete it from the profile.

      You cannot delete the Application Crashes or System Crashes rules.

    3. To add a previously deleted event rule to the profile, select the event rule.
  4. Click Save.

Delete a profile

  1. From the Performance menu, select Profiles.
  2. Select the profile that you want to delete. Click Delete.

Endpoint Configuration is notified and removes the profile from the endpoint. For more information about Endpoint Configuration, see Manage solution configurations with Tanium Endpoint Configuration.