Managing filter groups

Filter groups are a type of computer group that you use as filters in questions (see Use filter groups) and question results (see Filter question results). Users acquire permissions for a filter group when you assign it to a content set that is associated with an advanced role or module role, assign the role to personas, and assign the personas to users or user groups. The following figure shows an example of an advanced role that grants Read Filter Group and Write Filter Group permissions to the Default Filter Groups content set:

Figure 1: Filter group assignment

Note that users cannot receive question results from endpoints in a filter group unless those endpoints also belong to a computer management group that is assigned to the persona that the user used to issue the question. For details about the interaction between computer management groups and filter groups, and how best to use them, see Computer groups overview.

Use the Content > Filter Groups page to view, create, clone, edit, and delete filter groups, as described in the following procedures. After creating a filter group, you cannot change its membership definition.

To manage computer groups that are both filter groups and management groups, use the Administration > Computer Groups page (see Managing computer groups). The reserved computer groups All Computers and No Computers function as both types. These reserved groups are in the Reserved content set, and you cannot edit them. When you first log into the Tanium Console after a fresh installation of the Tanium Server, the server automatically imports default computer groups that are both filter groups and management groups. Tanium as a Service (TaaS) also provides these default computer groups. See Default computer groups.

For the role permissions required to manage filter groups, see Content management permissions.

In Tanium Core Platform 7.3 or earlier, all computer groups bestow both management and filtering permissions. After you upgrade to version 7.4 or later, the Tanium Server automatically creates a management group and filter group for each computer group that existed on the pre-upgrade server. However, this automatic duplication does not occur for computer groups of either type that you add after the upgrade.

Create filter groups

Before you create a filter group, be sure to understand the difference between dynamic membership and manually defined membership (see Computer group membership).

  1. From the Main menu, select Administration > Content > Filter Groups and click New Group.
  2. Enter a Name to identify the group.
  3. Assign the group to a Content Set.
  4. Define which endpoints are Members of the filter group:
    • Dynamic membership (best practice): Select a method for defining the membership filter:
    • Manually defined membership: Enter a list of computer names or IP addresses. Computer names must match the results that the Computer Name sensor returns. Short forms or alternative names do not work.
  5. Click Save and confirm the operation when prompted.
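
Because the membership definition cannot be changed after the group is saved, it helps to check a manually defined member list before entering it. The following added example (not Tanium code) classifies each entry against a list of Computer Name sensor results; the sample names, the function names, and the status labels are assumptions made for illustration, and whether letter case matters is not stated here, so case-only differences are flagged for review rather than accepted.

```python
import ipaddress

# Constructed sample: values as the Computer Name sensor might return them.
SENSOR_NAMES = {
    "web01.corp.example.com",
    "db01.corp.example.com",
    "LAB-WS-07",
}


def classify_member(entry, sensor_names):
    """Return (status, suggestions) for one manually entered member."""
    entry = entry.strip()
    if not entry:
        return ("empty", [])
    # IP addresses are accepted as members; they cannot be checked
    # against computer names, so only their syntax is validated.
    try:
        ipaddress.ip_address(entry)
        return ("ip", [])
    except ValueError:
        pass
    if entry in sensor_names:
        return ("match", [])
    lowered = entry.lower()
    # Short form: the entry is only the first label of a longer name
    # that the sensor returns. Short forms do not work as members.
    short = sorted(
        n for n in sensor_names
        if n.lower() != lowered and n.lower().split(".", 1)[0] == lowered
    )
    if short:
        return ("short_form", short)
    # Same name, different letter case: flag for review (assumption).
    case = sorted(n for n in sensor_names if n.lower() == lowered)
    if case:
        return ("case_differs", case)
    return ("no_match", [])


def review_members(entries, sensor_names=SENSOR_NAMES):
    """Classify every entry of a proposed manual membership list."""
    return {e: classify_member(e, sensor_names) for e in entries}
```

Entries reported as short_form or no_match should be corrected to the exact sensor value before the group is saved; a malformed address such as 10.0.0.300 falls through to no_match.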

Clone filter groups

Cloning is useful when you need a new filter group with membership conditions that differ only slightly from an existing group.

  1. From the Main menu, select Administration > Content > Filter Groups.
  2. Select the filter group and click Clone.
  3. Enter a Name to identify the group.
  4. Assign the group to a Content Set.
  5. Define which endpoints are Members of the group. For details, see Create filter groups.
  6. Click Save and confirm the operation when prompted.

Edit filter groups

You can edit the display name and content set assignment of a filter group. However, changing the display name does not change the object ID of a filter group. Also, you cannot change the group membership definition.

  1. From the Main menu, select Administration > Content > Filter Groups.
  2. Select the filter group and click View.
  3. (Optional) Enter a new Name.
  4. (Optional) Change the Content Set assignment.
  5. Click Save and confirm the operation when prompted.

Export or import filter groups

You can export and import filter groups to copy them between Tanium Servers. As a best practice, develop and test content in your lab environment before distributing it to your production servers. The Tanium Console import and export feature supports this practice.

Export filter groups

Perform the following steps to export filter groups and computer management groups (you cannot export each type of group separately):

  1. Go to any Administration > Content or Permissions page.
  2. Click Export Content at the top right of the Tanium Console.
  3. Select Computer Groups, select the Export Format (JSON or XML), and click Export.
  4. Enter a File Name or accept the default, and then click OK. The Tanium Server exports the content file to the Downloads folder on the system you use to access the Tanium Console.

Import computer groups

You can import files that are in JSON or XML format.

  1. Digitally sign the content file and ensure a public key is in place to validate the signature, as described under Authenticating content files.
  2. From the Main menu, select any Administration > Content or Administration > Permissions page and click Import Content at the top right of the page.
  3. Click Choose File, find and select the configuration file, and click Open.
  4. Click Import. If object names in the file are the same as for existing objects, the Tanium Console itemizes the conflicts and provides resolution options for each one.
  5. Select resolutions for any conflicts. For guidance, see Conflicts and Best practices, or consult your TAM.
  6. Click Import again, and click Close when the import finishes.

Delete filter groups

Before you delete filter groups, be sure to understand the consequences for scheduled actions and questions: see Delete computer groups. If you delete a filter group that also functions as a management group, it remains on the Tanium Server as a management group with filtering disabled; the Administration > Computer Groups page continues displaying the group but the Content > Filter Groups page does not.

  1. From the Main menu, select Administration > Content > Filter Groups.
  2. Select the filter group and click Delete Selected.
  3. Click OK and confirm the operation when prompted.