Managing Tanium Data Service

Overview of sensor results collection

With Tanium Data Service, you can see the cached results that endpoints return for registered sensors. Tanium CloudThe Tanium Server automatically collects results from registered sensors by issuing questions to all managed endpoints. Tanium Data Service and Tanium solutions automatically register certain sensors (see Sensors that are registered by default) and you can manually register other sensors (see Register or unregister sensors for collection). By default, Tanium Data Service caches the results from each endpoint for 30 days after the last successful collection (see Configure removal of expired results). You can view the cached results for both online and offline endpoints in:

Interact Question Results: On the Question Results page, select the Cached option. See Display results for online and offline endpoints.
Explore Data page: See Tanium Reporting User Guide: Explore Data.
Reports: See Tanium Reporting User Guide: Reports.
Dashboards: You can view dashboards in Tanium Console, Reporting, and other Tanium solutions. See Tanium Reporting User Guide: Dashboards.

For the user role permissions required to manage sensor results collection, see Tanium Data Service permissions.

Sensor registration and results collection process

The following figure illustrates the process of sensor registration, results collection, and viewing results.

	Tanium Data Service automatically registers multiple sensors for collection when you deploy Tanium Cloudafter you install Tanium Interact. Other Tanium solutions also automatically register sensors upon installation. Tanium Data Service stores additional data from sources other than the sensors that run on endpoints (see Endpoint data sources that are not on endpoints).
	You can manually register additional sensors through the Console workbench.
	Tanium Cloud The Tanium Server periodically issues questions to collect results for registered sensors. Tanium Data Service caches the results.
	Access Console, Reporting, or other solutions through Tanium Console to view question results, reports, or dashboards.
	Tanium solutions retrieve and show the latest data from Tanium Data Service. The service provides current data for online endpoints and cached data for offline endpoints.

Sensor results caching and updates

Tanium Cloud The Tanium Server reissues the questions for registered sensors every 30 minutes to update the results in the Tanium Data Service cache. The questions remain open (not expired) on endpoints for the entire 30-minute reissue interval. However, the Tanium Client updates its own results cache at intervals that might differ from the question interval. The freshness of the result that the client returns for any particular sensor depends on the Max Sensor Age setting in the sensor configuration. The setting determines the maximum time for which the client returns a cached result when answering questions, instead of rerunning the sensor for a fresh result.

For example, the Max Sensor Age for the CPU Consumption sensor is 10 minutes. When Tanium Cloudthe Tanium Server issues a question with that sensor to collect results for Tanium Data Service, the client runs the sensor, stores the result in its cache, and returns the result to Tanium Cloudthe server. If the client receives any other question with the CPU Consumption sensor in the next 10 minutes, the client returns its cached result. When 10 minutes pass, the client reruns the sensor because the original question is still open. The client then updates its cache and returns the fresh result to Tanium Cloudthe server, which updates the Tanium Data Service cache. This update cycle ensures that the Tanium Data Service results for the CPU Consumption sensor are never more than 10 minutes old for online endpoints. Conversely, the client returns a fresh result for the AD Domain sensor only once every 24 hours because that sensor has a Max Sensor Age of 1 day. If an endpoint is currently offline, the age of its results in the Tanium Data Service cache reflect the last time the endpoint was online and returned a result.

For details about the Max Sensor Age setting and how to configure it, see Tanium Console User Guide: Max Sensor Age.

The expiration interval is 10 minutes instead of 30 for questions that are not associated with results collection for Tanium Data Service. For details, see Question expiration.

Endpoint data sources that are not on endpoints

Tanium solutions can send endpoint data directly to Tanium Data Service without the need for a sensor that runs on endpoints. For example, if you add the Risk Score column to reports, Reporting calculates its values without using a source on endpoints. Another example is a virtual sensor, such as EID Last Seen, that extrapolates endpoint data from known data and other sensors.

View sensor registration details

Display the registration status and other details of each sensor:

Go to the Interact Overview page and click Settings

In the Registration and Collection tab, the Status column contains a status for all sensors. Status icons include the following:

Status	Description
	The sensor is registered and enabled for collection.
	The sensor is registered but collection is disabled.
	The sensor is blocked due to high cardinality and cannot be registered.
(no icon)	The sensor is not registered.

You can hover the mouse cursor over any icon to see additional information.

In the far right column, the Actions drop-down contains the available operations for each sensor: register (Add), unregister (Release), pause collection (Disable), resume collection (Enable), and purge results (Purge). Note that you cannot unregister, pause collection, or purge results for the sensors listed under Sensors that are registered by default.

By default, the sensor grid is filtered to exclude hidden sensors. For details about hidden sensors, see the Hide this sensor from sensor lists and parse results setting in Tanium Console User Guide: Sensor configuration guidelines.

(Optional) To show only specific sensors, click to expand Filters and select from the following options:
- Category: Show only the sensors that are used in questions that are assigned to dashboards contained in a specific category.
- Registered: Show only the sensors that are registered and enabled for collection (True), or are not registered (False) for collection.
- Show Hidden Sensors: Show only the sensors that are hidden (True) or are not hidden (False).
- Has Parameters: Show only parameterized sensors (True) or non-parameterized sensors (False).
- Status: Show only sensors that match the corresponding status.
To clear a filter, select Any in the corresponding field.
(Optional) Enter a text string in the Filter Items field above the grid to filter it by sensor Name or Category.

Register or unregister sensors for collection

Resource consumption for registered sensors

When you decide which sensors to register with Tanium Data Service, consider that results collection consumes resources such as network bandwidth, processing on endpoints, and resources on Tanium Clouddisk space on the Tanium Server. Resource consumption increases with the cardinality of sensors. For example, the IP Address sensor produces a unique result string for each endpoint, whereas the Operating System (OS) sensor produces the same string for all endpoints that have the same OS. In this case, the high cardinality IP Address sensor requires more bandwidth, CPU usage, and storage than the Operating System sensor.

To optimize resource consumption, configure collection only for low cardinality sensors that produce frequently accessed results, such as for daily reports. For example, you might generate reports based on the results of the Applicable Patches sensor to assess the hygiene or security posture of both online and offline endpoints. Conversely, the results of the High CPU Processes sensor fluctuate too much to be reliable for gauging activity on offline endpoints.

For details on monitoring the resource consumption associated with results collection, see Monitor resource usage for sensor results collection.

Manage sensor registration

After you register or unregister sensors for collection, Tanium Data Service automatically applies the changes for the next collection, when it issues questions to update the sensor results. Additionally, after you register a sensor for collection, Tanium Cloudthe Tanium Server immediately starts collecting results for the sensor. Registration changes also apply if you manually start collection.

You cannot unregister sensors that are registered by default. See Sensors that are registered by default.

After you unregister a sensor, Tanium Data Service purges results for the sensor after 30 days by default. To purge results sooner, see Purge results for specific sensors and Configure removal of expired results.

Certain sensors are intentionally unavailable in Reporting even if you register them in Tanium Data Service. For a list of these sensors, see Tanium Reporting User Guide: Unavailable sensors in Reporting.

Go to the Interact Overview page and click Settings .
(Optional) Filter the Registration and Collection tab to find specific sensors. See View sensor registration details.
Perform one of the following actions on the Registration and Collection tab:
- Register sensors: Select Actions > Add to register a sensor.
  The Sensor Preview page opens with a preview of the results while Tanium Data Service checks the cardinality (uniqueness) of the sensor results. For example, a sensor would have high cardinality if it returns an event date/time that typically varies on each endpoint. The Online sensor has low cardinality because it returns only one possible value (True) from all responding endpoints. After the service checks the cardinality, a message indicates if you can register the sensor or if the service blocks registration due to high cardinality. If you can register the sensor, click Confirm and then click Yes to confirm the registration.
  For each parameterized sensor, you can register multiple instances. For each instance, specify the parameters and click Apply.
  Tanium recommends that you do not disable the cardinality check because high cardinality sensors can negatively impact Tanium Server performance. Contact Tanium Support for guidance if you want to disable the cardinality check. See Contact Tanium Support.
- Unregister sensors: Select Actions > Release to unregister a sensor.

Pause or resume collection

When Tanium Cloudthe Tanium Server issues questions to update sensor results, it excludes any paused sensors. You can pause or resume collection for individual sensors without unregistering or re-registering them. When you pause a sensor, the Question Results page, reports, and dashboards continue showing the last results (if any) that Tanium Cloudthe server collected for that sensor before you paused it. You cannot pause sensors that are registered by default.

Go to the Interact Overview page and click Settings .
(Optional) Filter the Registration and Collection tab to find specific sensors. See View sensor registration details.
Select Actions > Disable to pause collection or Actions > Enable to resume collection for a sensor.

After you resume collection for a sensor, Tanium Cloudthe Tanium Server immediately starts collecting the sensor results.

Manually start collection

To keep sensor results up-to-date, Tanium Cloudthe Tanium Server automatically reissues questions to all endpoints and retrieves results continuously. Tanium CloudThe Tanium Server also collects results immediately for sensors that you register or for which you resume collection.

Go to the Interact Overview page and click Settings .
In the Registration and Collection tab, click Collect Now above the grid.

Purge results for specific sensors

You can purge the results of selected sensors from storage so that the Question Results page, reports, and dashboards do not display them.

To purge sensor results that Tanium Data Service collects from specific endpoints, see Tanium Reporting User Guide: Purge endpoint data.

You cannot purge the results of sensors that are registered by default. See Sensors that are registered by default.

Tanium Data Service automatically removes results for endpoints that do not answer questions within the Max Endpoint Age interval. To configure this garbage collection process, see Configure removal of expired results.

Go to the Interact Overview page and click Settings .
(Optional) Filter the Registration and Collection tab to find specific sensors. See View sensor registration details.
Unregister or pause collection for the sensors that you want to purge:
- Pause collection: Select Actions > Disable.
- Unregister: Select Actions > Release.
For each sensor that you want to purge, select Actions > Purge and click Confirm.

Configure advanced collection settings

To collect results for registered sensors, Tanium Data Service issues questions that contain the sensors. The service issues one batch of questions at a time, downloads the results from Tanium Cloudthe Tanium Server, and writes the results to the Tanium database. The default collection settings prevent the questions from consuming too much network bandwidth and endpoint processing. The default settings also prevent the service from consuming too much Tanium Server memory when downloading and writing results. You can edit the settings as necessary based on the number of sensors that you registered for collection and on the resource limits of your network, Tanium Server, and endpoints.

Contact Tanium Support before modifying the collection settings. Only users with the Administrator reserved role can modify the settings. See Contact Tanium Support.

Go to the Interact Overview page and click Settings .

Select the Service Configuration > Collection tab and configure the following settings:

Table 0: Sensor collection process settings
Setting	Description
Max Sensors Per Question	Specify the maximum number of single-column sensors in each question that Tanium Data Service issues to collect results. A single-column sensor returns an answer that the Question Results page and reports display in a single column. The default is 30 sensors per question. The service applies a non-configurable limit of one multi-column sensor per question.

Configure removal of expired results

When Tanium Data Service stores results, it maps them to each endpoint and evaluates their expiration age relative to when the endpoint last returned updates. This means that if multiple endpoints returned the same results but at different times, the garbage collection process removes only the results for endpoints that did not return updates within the expiration interval (Max Endpoint Age). You can edit garbage collection settings as necessary based on the growth rate for result strings and the available resources (storage space and memory) in your deployment. To monitor string growth and determine which sensors are generating the most strings, see Monitor resource usage for sensor results collection.

Contact Tanium Support before modifying garbage collection settings. Only users with the Administrator reserved role can modify the settings. See Contact Tanium Support.

Go to the Interact Overview page and click Settings .

Select the Service Configuration > Garbage Collection tab and configure the following settings:

Table 1: Garbage collection settings for sensor results
Setting	Description
Garbage Collection Interval	Specify how frequently Tanium Data Service checks which results have expired and removes them. The units are minutes and the default is 15.
Garbage Collection Timeout	Specify how long the garbage collection process runs before timing out. The units are minutes and the default is 30. While the process is running, Tanium Data Service delays any pending updates to the stored results. Be sure to specify enough time to remove all the expired results without delaying updates to a degree that significantly affects users who need to see the latest results. If the garbage collection process times out before removing all the expired results, it resumes the removal at the next Garbage Collection Interval.
Max Endpoint Age	Specify the expiration age of the collected results. For each endpoint, Tanium Data Service evaluates the age of its results based on when the endpoint last returned updates for any sensors. The units are days and the default is 30. The garbage collection process removes the entries for any endpoints and their associated results from storage if those endpoints have not answered sensor collection questions within the Max Endpoint Age interval.
Computer Group Max Endpoint Age	For each computer group, you can specify the expiration age of the collected results. Use this option to set lower expiration ages than the default value of 30 daysvalue specified in Max Endpoint Age. Note that any values that you set in Computer Group Max Endpoint Age do not override the default value set in Max Endpoint Age; whichever value is lower triggers the garbage collection process. The units are hours. Click Add Group and Select Computer Group. Select a computer group and click Save. Enter the Max Endpoint Age and click Save.

Troubleshoot sensor collection

To determine whether sensor collection is consuming too much network bandwidth, processing on endpoints, or Tanium CloudTanium Server resources, see Monitor resource usage for sensor results collection.

To troubleshoot other sensor collection issues, see:

Tanium Core Platform Deployment Reference Guide: Logs and troubleshooting: The Tanium Data Service logs indicate when the Tanium Server issued each question to collect results, the question ID, and information about each sensor in the question.
Tanium Console User Guide: Question history: In the Administration > Content > Question History page, use the question ID (Harvesting qid) from the Tanium Data Service logs to find specific questions that the Tanium Server issued to collect sensor results.

Sensors that are registered by default

Certain Tanium Core Platform sensors are registered for collection by default, including the following examples. After you deploy Tanium Cloudinstall Interact, Tanium Data Service immediately begins collecting and storing results for the registered sensors. You cannot unregister, pause collection, or purge results for these sensors.

Endpoint identifier (EID) sensors:
- Computer ID
- Computer Name
- Computer Serial Number
Sensors that define membership in computer management groups:
- Chassis Type
- Computer Name
- Is AIX
- Is Linux
- Is Mac
- Is Solaris
- Is Virtual
- Is Windows
- Operating System
- Operating System Generation
- Windows OS Release ID
- Windows OS Type

Certain Tanium modules include additional sensors that are registered by default when you import the modules.

If some sensors that define computer group membership are not yet available in your deployment, you can import them through the content-only solution Default Computer Groups. See Tanium Console User Guide: Content-only solutions.