Managing filter groups

Filter groups are a type of computer group that you use as filters in questions (see Use filter groups) and question results (see Filter question results). Users acquire permissions for a filter group when you assign it to a content set that is associated with a custom role, assign the role to personas, and assign the personas to users or user groups. The following figure shows an example of a custom role that grants Read Filter Group and Write Filter group permissions to the Default Filter Groups content set:

Figure  1:  Filter group assignment

computer filter groups

Users cannot receive question results from endpoints in a filter group unless those endpoints also belong to a computer management group that is assigned to the persona that the user used to issue the question. For details about the interaction between computer management groups and filter groups, and how best to use them, see Computer groups overview.

Use the Administration > Permissions > Filter Groups page to view, create, clone, edit, and delete filter groups, as described in the following procedures. After creating a filter group, you cannot change its membership definition.

To manage computer groups that are both filter groups and management groups, use the Administration > Permissions > Computer Groups page (see Managing computer groups). The reserved computer groups All Computers and No Computers function as both types. These reserved groups are in the Reserved content set, and you cannot edit them. When you first sign in to the Tanium Console after a fresh installation of the Tanium Server, the server automatically imports Tanium as a Service (TaaS) provides default computer groups that are both filter groups and management groups: see Default computer groups.

For the role permissions required to manage filter groups, see Content management permissions.

In Tanium Core Platform 7.3 or earlier, all computer groups bestow both management and filtering permissions. After you upgrade to version 7.4 or later, the Tanium Server automatically creates a management group and filter group for each computer group that existed on the pre-upgrade server. However, this automatic duplication does not occur for computer groups of either type that you add after the upgrade.

View filter group details

  1. From the Main menu, go to Administration > Permissions > Filter Groups.

    The Filter Groups grid displays the following attributes for each filter group:

     Table 1: Filter group attributes
    NameThe name that identifies the filter group.
    TypeIndicates how membership is defined for the group:
    • Standard: Dynamic membership based on a sensor filter
    • Manual: Manually defined membership

    For details, see Computer group membership.

    Content SetThe content set to which the group is assigned.
    ExpressionFor standard filter groups, the expression is a sensor-based filter that defines group membership. For manual filter groups, the value is [Manual List].
  2. (Optional) Use the filters to find specific filter groups:
    • Filter by text: To filter the grid by filter group Name or membership Expression, enter a text string in the Filter items field.
    • Filter by attribute: Filter the grid by one or more attributes, such as the Content Set assignment. Expand the ExpandFilters section, click Add Add, select an attribute and operator, enter a text string that contains all or part of the attribute value, and click Apply. If you add multiple attribute filters, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  3. To see the members of a particular filter group, click the group Name and scroll to the Members section.

Create a filter group

Before you create a filter group, be sure to understand the difference between dynamic membership and manually defined membership (see Computer group membership).

  1. From the Main menu, go to Administration > Permissions > Filter Groups and click New Group.
  2. Enter a Name to identify the group.
  3. Assign the group to a Content Set.
  4. Define which endpoints are Members of the filter group:
    • Dynamic membership (best practice): Select a method for defining the membership filter:
    • Manually defined membership: Select Manual Group and enter a list of computer names or IP addresses. Computer names must match the results that the Computer Name sensor returns. Short forms or alternative names do not work.
  5. Review the list of endpoints that are members of the group and click Save.

Clone a filter group

Cloning is useful when you need a new filter group with membership conditions that differ only slightly from an existing group.

  1. From the Main menu, go to Administration > Permissions > Filter Groups.
  2. Select the filter group and click Clone.
  3. Enter a Name to identify the group.
  4. Assign the group to a Content Set.
  5. Define which endpoints are Members of the group. For details, see Create a filter group.
  6. Review the list of endpoints that are members of the group and click Save.

Edit a filter group

You can edit the display name and content set assignment of a filter group. However, changing the display name does not change the object ID of a filter group. Also, you cannot change the group membership definition.

  1. From the Main menu, go to Administration > Permissions > Filter Groups.
  2. Click the filter group Name and click Edit Mode.
  3. (Optional) Enter a new Name.
  4. (Optional) Change the Content Set assignment.
  5. Review the list of endpoints that are members of the group and click Save.

Export or import filter groups

The following procedures describe how to export and import the configurations of specific filter groups or all filter groups.

Develop and test content in your lab environment before importing that content into your production environment.

Export filter groups

Export filter groups as a CSV file to view their settings in an application that supports that format. If your user account has a role with the Export Content permission, you can also export filter groups as a JSON file to import them into another Tanium Server. The Administrator reserved role has that permission.

  1. From the Main menu, go to Administration > Permissions > Filter Groups.
  2. Select rows in the grid to export only specific filter groups. If you want to export all filter groups, skip this step.
  3. Click Export Export.
  4. (Optional) Edit the default export File Name.

    The file suffix (.csv or .json) changes automatically based on the Format selection.

  5. Select an Export Data option: All filter groups in the grid or just the Selected filter groups.
  6. Select the file Format: JSON or CSV.
  7. Click Export.

    TaaSThe Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.

Import filter groups

You can import content files that are in JSON or XML format.

  1. (Non-Tanium-provided content only) Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.

    You do not have to generate keys or signatures for Tanium-provided solutions, such as the Default Computer Groups content pack. Tanium signs this content before making it available, and the associated public key is distributed to the Tanium Server key store during the server installation process.

  2. From the Main menu, go to any of the following Administration pages:
    • Configuration > Solutions
    • Permissions > Filter Groups
    • Under Content, select Sensors, Packages, or Saved Questions
    • Under Actions, select Scheduled Actions, All Pending Approvals, or Actions I Can Approve
  3. Select an Import option based on the source of the content:
    • Import > Import Files: Perform one of the following steps to select one or more files:
      • Drag and drop files from your file explorer.
      • Click Browse for File, select the files, and click Open.
    • Import > Import URL: Enter the URL in the Import URL field, and click Import.
  4. For each file, expand Expand the File name, review the content to import, and select resolutions for any conflicts with existing content (see Resolve conflicts when importing updates).
  5. If you want to overwrite existing content set assignments for all imported objects with the default Tanium-defined assignments, select Include content set overwrite. By default, the Include content set overwrite check box is deselected and the Tanium Server preserves the existing content set assignments.
  6. Click Begin Install.

Copy filter group configuration details

Copy information from the Filter Groups page to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Permissions > Filter Groups.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy Copy.
    • Copy cell information: Hover over the cell, click Options Options, and click Copy Copy.

Delete filter groups

Before you delete filter groups, be sure to understand the consequences for scheduled actions and questions: see Delete computer groups. If you delete a filter group that also functions as a management group, it remains on the Tanium Server as a management group with filtering disabled; the Administration > Permissions > Computer Groups page continues displaying the group but the Administration > Permissions > Filter Groups page does not.

  1. From the Main menu, go to Administration > Permissions > Filter Groups.
  2. Select the filter group, click Delete Selected , and click Confirm.