Managing filter groups

Filter group overview

Filter groups are a type of computer group that you use as filters in questions (see Use filter groups) and question results (see Filter question results). Users acquire permissions for a filter group when you assign it to a content set that is associated with a custom role, assign the role to personas, and assign the personas to users or user groups. The following figure shows an example of a custom role that grants Read Filter Group and Write Filter group permissions to the Default Filter Groups content set:

Figure  1:  Filter group assignment
computer filter groups

Users cannot receive question results from endpoints in a filter group unless those endpoints also belong to a computer management group that is assigned to the persona that the user used to issue the question. For details about the interaction between computer management groups and filter groups, and how best to use them, see Computer groups overview.

Use the Administration > Permissions > Filter Groups page to view, create, clone, edit, and delete filter groups, as described in the following procedures. After creating a filter group, you cannot change its membership definition.

To manage computer groups that are both filter groups and management groups, use the Administration > Permissions > Computer Groups page (see Managing computer groups). The reserved computer groups All Computers and No Computers function as both types. These reserved groups are in the Reserved content set, and you cannot edit them. When you first sign in to Tanium Console after a fresh installation of the Tanium Server, the server automatically imports Tanium Cloud provides default computer groups that are both filter groups and management groups (see Default computer groups).

For the role permissions required to manage filter groups, see Content management permissions.

In Tanium Core Platform 7.3, all computer groups bestow both management and filtering permissions. After you upgrade to version 7.4 or later, the Tanium Server automatically creates a management group and filter group for each computer group that existed on the pre-upgrade server. However, this automatic duplication does not occur for computer groups of either type that you add after the upgrade.

View filter group details

  1. From the Main menu, go to Administration > Permissions > Filter Groups.

    The Filter Groups grid displays the following attributes for each filter group:

     Table 1: Filter group attributes
    NameThe name that identifies the filter group.
    TypeIndicates how membership is defined for the group:
    • Standard: Dynamic membership based on a sensor filter
    • Manual: Manually defined membership

    For details, see Computer group membership.

    Content SetThe content set to which the group is assigned.
    ExpressionFor standard filter groups, the expression is a sensor-based filter that defines group membership. For manual filter groups, the value is [Manual List].
    Modified By (Persona)The name of the user (persona) who last modified the filter group.
    Last ModificationThe date-time when a user (persona) last modified the filter group.
  2. (Optional) Use the filters to find specific filter groups:
    • Filter by text: To filter the grid by filter group Name or membership Expression, enter a text string in the Filter items field.
    • Filter by attribute: Filter the grid by one or more attributes, such as the Content Set assignment. Expand the ExpandFilters section, click Add Add, select an attribute and operator, enter a text string that contains all or part of the attribute value, and click Apply. If you add multiple attribute filters, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  3. To see the members of a particular filter group, click the group Name and scroll to the Members section.

Create a filter group

Before you create a filter group, be sure to understand the difference between dynamic membership and manually defined membership (see Computer group membership).

  1. From the Main menu, go to Administration > Permissions > Filter Groups and click New Group.
  2. Enter a Name to identify the group.
  3. Assign the group to a Content Set.
  4. Define which endpoints are Members of the filter group.

    You cannot change the Members definition after you save the filter group. However, if you configure dynamic membership and base it on a custom tag, you can change tag assignments on endpoints to adjust the group membership. See Manage custom tags for computer groups.

    • Dynamic membership (best practice): Select a method for defining the membership filter:
    • Manually defined membership: Select Manual Group and enter a list of endpoint identifiers, which can be one of the following:
      • Computer names that match the results of the Computer Name sensor. Short forms or alternative names do not work.
      • Fully qualified domain names (FQDNs).
      • IP addresses that match the entries in the Administration > Configuration > Client Status page, Network Location (from server) column.
  5. Review the list of endpoints that are members of the group and click Save.

Clone a filter group

Cloning is useful when you need a new filter group with membership conditions that differ only slightly from an existing group.

  1. From the Main menu, go to Administration > Permissions > Filter Groups.
  2. Select the filter group and click Clone.
  3. Enter a Name to identify the group.
  4. Assign the group to a Content Set.
  5. Define which endpoints are Members of the group. For details, see Create a filter group.
  6. Review the list of endpoints that are members of the group and click Save.

Edit a filter group

You can edit the display name and content set assignment of a filter group. However, changing the display name does not change the object ID of a filter group. Also, you cannot change the group membership definition.

  1. From the Main menu, go to Administration > Permissions > Filter Groups.
  2. Click the filter group Name and click Edit Mode.
  3. (Optional) Enter a new Name.
  4. (Optional) Change the Content Set assignment.
  5. Review the list of endpoints that are members of the group and click Save.

Export or import filter groups

The following procedures describe how to export and import specific filter groups or all filter groups.

Develop and test custom content in your lab environment before importing that content into your production environment.

Export filter groups

Export filter groups as a file in one of the following formats:

  • CSV: When you open the file in an application that supports CSV format, it lists the filter groups with the same attributes (columns) as the Filter Groups page displays.

  • JSON: If you are assigned a role with the Export Content permission, you can export filter group configurations as a JSON file. You can then import the file into another Tanium Server. The Administrator reserved role has the Export Content permission.

Perform the following steps to export filter groups:

  1. From the Main menu, go to Administration > Permissions > Filter Groups.
  2. (Optional, CSV exports only) To add or remove attributes (columns) for the CSV file, click Customize Columns Customize Columns in the grid and select ID.
  3. Select rows in the grid to export only specific filter groups. If you want to export all filter groups, skip this step.
  4. Click Export Export.
  5. (Optional) Edit the default export File Name.

    The file suffix (.csv or .json) changes automatically based on the Format selection.

  6. Select an Export Data option: All filter groups in the grid or just the Selected filter groups.
  7. Select the file Format:

    • List of Filter Groups - CSV
    • Filter Group Definitions - JSON (requires Export Content permission)

  8. Click Export.

    Tanium CloudThe Tanium Server exports the file to the downloads folder on the system that you used to access Tanium Console.

Import filter groups

Users who are assigned a role with Import Signed Content permission can import content files (such as for Tanium solutions or package configurations) that are in JSON or XML format. The Administrator reserved role has this permission.

  1. (Non-Tanium-provided content only) Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.
    You do not have to generate keys or signatures for Tanium-provided solutions. Tanium signs this content before making it available, and the associated public key is distributed to the Tanium Server key store during the server installation process.

    If you plan to import a file that another user signed, you can first perform an integrity check on the file. See Verify content file signatures.

  2. From the Main menu, go to any of the following Administration pages:
    • Configuration > Solutions
    • Permissions > Filter Groups
    • Under Content, select Sensors, Packages, or Saved Questions
    • Under Actions, select Scheduled Actions, All Pending Approvals, or Actions I Can Approve
  3. Select an Import option based on the source of the content:
    • Import > Import Files: Perform one of the following steps to select one or more files:
      • Drag and drop files from your file explorer.
      • Click Browse for File, select the files, and click Open.
    • Import > Import URL: Enter the URL in the Import URL field, and click Import.
  4. For each file, expand Expand the File name, review the content to import, and select resolutions for any conflicts with existing content. See Resolve import conflicts.
  5. If you want to overwrite existing content set assignments for all imported objects with the default Tanium-defined assignments, select Include content set overwrite. By default, the Include content set overwrite check box is cleared and the Tanium Server preserves the existing content set assignments.
  6. Click Begin Install.

Copy filter group configuration details

Copy information from the Filter Groups page to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Permissions > Filter Groups.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy Copy.
    • Copy cell information: Hover over the cell, click Options Options, and click Copy Copy.

Delete filter groups

Before you delete filter groups, be sure to understand the consequences for scheduled actions and questions (see Delete computer groups). If you delete a filter group that also functions as a management group, it remains on the Tanium Server as a management group with filtering disabled; the Administration > Permissions > Computer Groups page continues displaying the group but the Administration > Permissions > Filter Groups page does not.

  1. From the Main menu, go to Administration > Permissions > Filter Groups.
  2. Select the filter group, click Delete Selected , and click Confirm.