Managing sensors

Sensors overview

A sensor is a script that runs on an endpoint to compute a response to a Tanium question. Tanium as a Service (TaaS) or the Tanium Server distributes sensors to endpoints during Tanium Client registration. Sensors enable you to ask questions that collect information such as the following:

  • Hardware and software inventory and configuration
  • Running applications and processes
  • Files and directories
  • Network connections

TaaS provides, and the installation process for the Tanium Server automatically imports, the Tanium™ Default Content and Tanium™ Interact content packs, which include sensors for a wide range of common questions. Other Tanium solutions that you import might provide more sensors, depending on which Tanium content packs or Tanium solution modules you import. If you cannot find a sensor that you need within Tanium-provided content, you can create custom sensors.

A sensor configuration includes settings, script content, and script parameters. Sensors use industry-standard scripting languages rather than proprietary coding syntax. The best practice is for sensors to use the scripting engine available on the largest number of managed endpoints. On Windows endpoints, VBScript typically provides the most comprehensive out-of-the-box coverage because it is installed by default in every desktop release of Microsoft Windows since Windows 98 and in every Windows Server release since Windows NT 4.0 Option Pack. On macOS and Linux endpoints, shell script generally provides the most comprehensive out-of-the-box coverage. Of course, you can develop sensors using any other scripting language that the operating system supports (such as PowerShell on Windows), as long as the associated scripting engine already exists on the endpoint, or you can deploy and configure the engine on the endpoints that do not have it installed. You cannot edit the configurations of Tanium reserved sensors, which are core system sensors that include Computer Name, Action Statuses, Computer ID, and Download Statuses.

For the role permissions required to manage sensors, see Content management permissions.

View sensor configurations and runtime metrics

To see sensor configuration attributes and runtime metrics:

  1. From the Main menu, go to Administration > Content > Sensors.

    The Sensors grid displays most of the sensor attributes that are described in Table 1.

  2. (Optional) To display attributes that the grid hides by default, click Customize Columns and select the attributes.
  3. (Optional) For the Runtime option, click Show to display sensor runtime metrics or Hide (default) to conceal them.

    For each sensor, the Runtime column displays an icon that indicates whether the sensor has exceeded a runtime threshold and displays the runtime average in milliseconds. For details about the icons and the steps to configure runtime thresholds, see Managing sensor runtime thresholds.

  4. (Optional) Use the filters to find specific sensors:
    • Filter by text: To filter the grid by sensor Name, Category, or Description, enter a text string in the Filter items field.
    • Filter by attribute: Filter the grid by one or more attributes, such as the Content Set assignment. Expand the Filters section, click Add, select an attribute, select an operator, enter a text string that contains all or part of the attribute value, and click Apply. If you add multiple attribute filters, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  5. (Optional) To see all the attributes that are described in Table 1, select a sensor and click Edit.

Edit a sensor

As a best practice, do not edit predefined sensors that are provided through content packs imported from Tanium. For details, see Tip 4: Limit customizations to Tanium content. Contact Tanium Support if editing the Tanium-provided sensors is necessary. Alternatively, you can clone Tanium-provided sensors (see Clone a sensor) and edit the copies. You can also edit custom sensors that you created from scratch. To edit a sensor:

  1. From the Main menu, go to Administration > Content > Sensors.
  2. Use the search and column sorting features to find the sensor that you want to edit.
  3. Select the sensor row and click Edit.
  4. Configure the settings described in Table 1 and click Save.

Move sensors between content sets

You can move sensors between content sets as necessary to accommodate changes to the role-based access control (RBAC) configuration of your Tanium deployment. For example, you might want to move certain sensors to a content set that only highly privileged users can access.

  1. From the Main menu, go to Administration > Content > Sensors.
  2. Use the search and column sorting features to find the sensor that you want to move.
  3. Select the sensor row and select Move to Content Set > <content_set_name>.

Clone a sensor

Cloning is useful when you need to:

  • Create a modified version of a predefined sensor from a Tanium content pack. As a best practice, do not modify the original Tanium sensor.
  • Create a new sensor with settings that differ only slightly from an existing sensor; this is often easier than creating a new sensor from scratch.

Perform the following steps to clone a sensor:

  1. From the Main menu, go to Administration > Content > Sensors.
  2. Use the search and column sorting features to find the sensor that you want to clone.
  3. Select the sensor row and click Clone.
  4. Configure the settings as described in Table 1 and click Save.

Create a sensor

  1. From the Main menu, go to Administration > Content > Sensors.
  2. Click New Sensor, complete the configuration as described in Table 1, and click Save.

Table 1: Sensor configuration guidelines

Settings: Guidelines

Name: Specify a name to identify the sensor. The name appears in sensor lists on the Tanium Console. Observe the existing naming scheme so that you and other administrators can find it easily. Do not use an underscore character (_), which is a delimiter for sensor sub-columns. If the sensor name has an underscore, sensor-sourced packages cannot use the sensor as a sensor variable.

    Important: If you change the sensor name, be sure to reconfigure content that references it. For example, you must update the sensor name in any saved questions that are configured with the previous name.

Description: Enter a description. Include examples of formatted results. The description appears in the Sensors page and in the Browse Sensors dialog of the Question Builder.

Content Set: Assign to a content set. The list is populated with all content sets for which you have Write Sensor permission.

Category: Specify one of the categories that appears on the Sensors page and in the Browse Sensors dialog of the Question Builder.

Result Type: The Question Results grid treats values that the sensor returns as the type of data you specify:
  • Date/Time (RFC822)
  • Date/Time (WMI)
  • File Size
  • Integer
  • IP Address
  • Numeric
  • Text
  • Time Duration
  • Version

Max Sensor Age: Enter the maximum time for which the Tanium Client can use a cached result for this sensor when answering questions that use the sensor. For example, the maximum data age for the File Size sensor is 15 minutes by default. When a Tanium Client receives a question that executes the File Size sensor, it caches the result. Over the next 15 minutes, if the Tanium Client receives a question that includes the File Size sensor, it responds with the cached answer. After 15 minutes, if the Tanium Client receives a question that includes the File Size sensor, it executes the sensor script again to compute a fresh answer.

    Use shorter ages for sensors that return values that change frequently, such as status and utilization sensors. Use longer ages for values that typically change infrequently, such as the chassis type or Active Directory domain membership.

    The Max Sensor Age affects only the results cache on the Tanium Client, not the results cache that the Tanium™ Data Service stores on the Tanium Server (see Manage sensor results collection).

Set Max String Age: If you want to reduce the impact that question results have on Tanium Server disk space, select Enable and specify the maximum age that answer strings can reach before the server removes them. The default is one week. The string age is based on the number of minutes since the Tanium Server last used the string or received it from Tanium Clients. For details, see Manage sensor string growth.

    The Max String Age does not apply to the results cache that the Tanium Data Service stores on the Tanium Server (see Manage sensor results collection).

Set Max Strings: If you want to reduce the impact that question results have on Tanium Server disk space, select Enable and enter the maximum number of answer strings that the server stores for this sensor before removing the oldest strings. The server includes the string count for temporary sensors when calculating the string count for their source sensors. The default is 0, which specifies no limit. The string age is based on when the Tanium Server last used the string or received it from Tanium Clients.

    Important: When limiting string growth, the best practice is to set the Max String Age instead of the Max Strings (see Manage sensor string growth). Contact Tanium Support before setting the Max Strings in extreme cases that might require a string count limit for individual sensors.

    The Max Strings does not apply to the results cache that the Tanium Data Service stores on the Tanium Server (see Manage sensor results collection).

Ignore case in result values: Group and count result values regardless of differences in upper-case and lower-case characters.

Hide this sensor from sensor lists and parse results: Select this option if you want sensor lists throughout the user interface to exclude the object.

Split into multiple columns using delimiter: (Multi-column sensors only) If the sensor script returns multiple results, display them in multiple columns on the Question Results grid. Specify the delimiter character used to separate result values in the script. Enter column names and corresponding result types, and arrange them in the order you want them displayed in the results grid. Select the Hide option to hide the column from the default view of the results grid. The following figure shows the settings for the Running Applications sensor.

    [Figure: Multi-column sensor settings]

    Note: When creating questions that filter multi-column sensors, single-column filtering works only if the sensor definition specifies column delimiters with a single character (such as |), not multiple characters (such as |:).

Scripts: Perform the following steps for each target platform:
  1. Click + to add a target platform.
  2. Set the Query Type to the desired scripting engine.
  3. Enter the script text.

Parameter Inputs: (Parameterized sensors only) Click + and then Add Parameter to configure a parameter. Options include:
  • Checkbox: User enables a setting by checking a box. 0 or 1 is entered into the variable. Returns 1 if checked and 0 if not checked.
  • Date, Date Time, Date Time Range: User selects a date and time or a range. The date time format is epoch with milliseconds. For a range, the user specifies two date times separated by a pipe.
  • Drop Down List: User selects only one option from a list.
  • List: User selects one or more values. Multiple values are separated by a pipe.
  • Numeric: User enters a number. The input can be controlled with minimum and maximums. You can specify a Step Size to require that the input be divisible by the specified value. Snap Interval is the amount that a number is increased or decreased by pressing the up or down button respectively. The value for Step Size should be a multiple of the value for Snap Interval unless Snap Interval is 0. The user-selected number is entered into the variable.
  • Numeric Interval: User selects a number and an item from a list. The list item has a numeric value. The value entered into the variable is the result of the multiplication. For example, if a user selects 2 and selects High (with high having a value of 3), the value is 6 in the variable.
  • Plugin: Not intended for use by most users. Contact Tanium Support for details about its use.
  • Separator: A separator is a graphical way to separate sections in the user input form.
  • Text Area: User enters a large amount of text. The text is entered into the variable.
  • Text Input: User enters text input. Allowed entries can be controlled with regular expressions. The user input is entered into the variable.
  • Time: User selects a time from a drop-down list. The input can be subject to restrictions.

Sensor Preview: Select a computer group or click Add to build one and then click Preview to see test results for the sensor.
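
A shell sensor body for the multi-column settings in Table 1, written here as an added example (it is not Tanium-provided content). It emits one row per process with a single-character | delimiter and strips that character from field values so that a value cannot shift into the next column. The column order (Name, PID, Owner), the ? replacement character, and the 200-row cap are assumptions.

```shell
#!/bin/sh
# Added example: multi-column sensor script for Linux/macOS endpoints.
# Matches a sensor definition that splits on the single character "|"
# into the columns Name (Text), PID (Integer), Owner (Text).
# Column names, the row cap and the replacement character are assumptions.

DELIM='|'
MAX_ROWS=200   # cap the number of rows so one endpoint cannot return unbounded answer strings

# sanitize_field VALUE
# Drop control characters and replace the delimiter with "?" so that a
# process name such as "my|tool" cannot inject an extra column.
sanitize_field() {
    printf '%s' "$1" | tr -d '\001-\037\177' | tr "$DELIM" '?'
}

# format_rows
# Read "PID USER COMMAND..." lines on stdin and write "Name|PID|Owner" rows.
# COMMAND is read last so that it may contain spaces.
format_rows() {
    count=0
    while read -r pid user comm; do
        # Skip header or malformed lines: PID must be all digits.
        case "$pid" in
            ''|*[!0-9]*) continue ;;
        esac
        # Skip lines that have no command field.
        [ -n "$comm" ] || continue
        count=$((count + 1))
        if [ "$count" -gt "$MAX_ROWS" ]; then
            break
        fi
        printf '%s%s%s%s%s\n' \
            "$(sanitize_field "$comm")" "$DELIM" \
            "$pid" "$DELIM" \
            "$(sanitize_field "$user")"
    done
}

# Sensor entry point: list processes without a header line and format them.
# If ps is unavailable the sensor returns no rows.
if command -v ps >/dev/null 2>&1; then
    ps -eo pid=,user=,comm= 2>/dev/null | format_rows
fi
```
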

Export or import sensor configurations

The following procedures describe how to export and import the configurations of specific sensors or all sensors.

Develop and test content in your lab environment before importing that content into your production environment.

Users can export specific sensors for which they have Write Sensor permission on the associated content sets. Users require Import Signed Content and Read Sensor permissions to import sensors. Users with the Administrator or Content Administrator reserved role can export and import all sensors.

Export sensors

Export sensors as a CSV file to view their settings in an application that supports that format. If you have the Administrator reserved role, you can also export sensors as a JSON file to import them into another Tanium Server.

If you want to export other types of content in addition to sensors, see Manage Tanium shared services and content.

  1. From the Main menu, go to Administration > Content > Sensors.
  2. Select rows in the grid to export only specific sensors. If you want to export all sensors, skip this step.
  3. Click Export.
  4. (Optional) Edit the default export File Name, which is in the format: export-sensors-<date>T<time>.<format>.

    The file suffix (.csv or .json) changes automatically based on the Format selection.

  5. Select an Export Data option: All sensors in the grid or just the Selected sensors.
  6. Select the file Format: JSON (Administrator reserved role only) or CSV.
  7. Click Export.

    TaaS or the Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.

Import sensors

You can import content files that are in JSON or XML format.

  1. Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.
  2. From the Main menu, go to Administration > Configuration > Solutions.
  3. Scroll to the Content section and click Import Content.
  4. Click Choose File, select the content file, and click Open.
  5. Click Import.

    If object names in the file are the same as for existing objects, the Tanium Console itemizes the conflicts and provides resolution options for each one.

  6. Select resolutions for any conflicts. For guidance, see Conflicts and Best practices.
  7. Click Import again, and click Close when the import finishes.

Copy sensor configuration details

Copy information from the Sensors page to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Content > Sensors.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy.
    • Copy cell information: Hover over the cell, click Options, and click Copy.

Manage sensor quarantines

Overview of sensor quarantines

Enforcing sensor quarantines prevents sensors from running on an endpoint for the current question or action if those sensors exceeded the runtime timeout during a previous question or action. Quarantines are useful for limiting the impact on endpoint resources, such as CPU utilization, when questions and actions use excessively long-running sensors. The non-configurable timeout is set to one minute.

By default, quarantines are not enforced: after a sensor exceeds the timeout and stops running, the sensor has quarantined status but still runs for future questions or actions until it completes or times out. In this case, the Tanium Client uses the quarantined status just to record that the sensor timed out.

Regardless of whether you enable enforcement, the Tanium Client stops any sensor at the moment it exceeds the timeout. You can enable or disable quarantine enforcement for all clients through a global setting. Each client quarantines sensors and enforces the quarantines independently. Consequently, a sensor might be quarantined on some endpoints and not on others.

When a Tanium Client quarantines a sensor, the Tanium Console displays the following message in the Question Results grid: TSE-Error: Sensor evaluation timed out. When you issue a question that uses a sensor that is already quarantined and enforcement is enabled, the Question Results grid displays TSE-Error: The sensor is quarantined. The Tanium Client adds entries to the client logs and sensor history logs when it quarantines a sensor or prevents an already quarantined sensor from running.

If temporary sensors exceed the one-minute timeout, the Tanium Client quarantines the original sensor as well as all current and future temporary sensors that are based on the original sensor.

When enforcement is enabled, quarantined sensors do not run when you use them for targeting endpoints, even if the sensors are members of computer groups. However, quarantined sensors might skew the targeting of a question that has a vague from clause, such as from all machines with Is Windows not equals true. In this case, Windows endpoints on which the Is Windows sensor is quarantined would match the condition not equals true because their response would be TSE-Error: The sensor is quarantined rather than true. To avoid such outcomes, make the target clause as specific as possible and do not use negative matching conditions such as not equals true.
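
The skew described above, reproduced over constructed per-endpoint answers as an added example (not Tanium code): the negative clause selects the Windows endpoint whose sensor is quarantined, while a specific positive clause does not. The CSV layout, the endpoint names, and the false answer for non-Windows endpoints are assumptions.

```shell
#!/bin/sh
# Added example. Constructed answers to the Is Windows sensor, one line per
# endpoint: endpoint,actual platform,answer string.
# ws-03 and lx-02 have the sensor quarantined with enforcement enabled.
# The layout and the "false" answer value are assumptions for illustration.
sample_answers() {
    cat <<'EOF'
ws-01,Windows,true
ws-02,Windows,true
ws-03,Windows,TSE-Error: The sensor is quarantined
lx-01,Linux,false
mac-01,macOS,false
lx-02,Linux,TSE-Error: The sensor is quarantined
EOF
}

# Endpoints selected by the negative clause "Is Windows not equals true":
# any answer other than the string true matches, error strings included.
targets_not_equals_true() {
    awk -F, '$3 != "true" { print $1 }'
}

# Endpoints selected by a specific positive clause (answer equals false).
targets_equals_false() {
    awk -F, '$3 == "false" { print $1 }'
}

# Windows endpoints that the negative clause selects by mistake.
mistargeted_windows() {
    awk -F, '$2 == "Windows" && $3 != "true" { print $1 }'
}

# Endpoints that answered with an error string instead of a sensor value.
# The positive clause leaves these out, so they need a separate review
# (for example, unquarantining the sensor) before they can be targeted.
unanswered() {
    awk -F, '$3 ~ /^TSE-Error:/ { print $1 " (" $3 ")" }'
}

# Print the comparison for the constructed data set.
report() {
    echo "not equals true : $(sample_answers | targets_not_equals_true | tr '\n' ' ')"
    echo "equals false    : $(sample_answers | targets_equals_false | tr '\n' ' ')"
    echo "Windows hit by the negative clause: $(sample_answers | mistargeted_windows | tr '\n' ' ')"
    echo "Answered with an error string:"
    sample_answers | unanswered | sed 's/^/  /'
}

report
```
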

View quarantined sensors

To see the attributes of quarantined sensors:

  1. From the Main menu, go to Administration > Content > Quarantined Sensors.

    The Quarantined Sensors grid displays many of the sensor attributes that are described in Table 1.

  2. (Optional) To display attributes that the grid hides by default, click Customize Columns and select the attributes.
  3. (Optional) Use the filters to find specific sensors:
    • Filter by text: To filter the grid by sensor Name or Description, enter a text string in the Filter By Text field.
    • Filter by attribute: Filter the grid by one or more attributes, such as the Content Set assignment. Expand the Filters section, click Add Row or Add Grouping (to group by Boolean operators), click Add, select an attribute and operator, enter a text string that contains all or part of the attribute value, and click Apply. After you finish specifying attributes, click Apply All to filter the grid.
  4. (Optional) To see all the attributes that are described in Table 1, select a sensor and click Edit.

Add a sensor to quarantine

You can manually quarantine a sensor on an endpoint if you anticipate that running the sensor will negatively affect the endpoint.

Quarantining a sensor does not automatically enable quarantine enforcement. See Enable or disable enforcement of quarantined sensors.

  1. In the URL field of the browser that you use to access the Tanium Console, enter https://<Tanium_Server>/hash/<sensor>. For the <Tanium_Server>, enter the FQDN or IP address of the Tanium Server. The <sensor> must match the sensor name that the Tanium Console displays with respect to capitalization and spaces.

    The browser displays the hash value associated with the sensor.

  2. Access the operating system CLI on the endpoint and change directory (cd) to the Tanium Client installation folder.
  3. Enter the following command.

    TaniumClient quarantine add <sensor_hash>

Remove sensors from quarantine

You can use the Tanium Console to unquarantine a sensor on some or all endpoints if you imported Default Content (previously Initial Content - Base) version 7.1.10.0000 or later (see Manage Tanium shared services and content). After you unquarantine a sensor, the Tanium Client allows it to run for subsequent questions and actions, but will stop and quarantine the sensor again if it exceeds the timeout.

If you modify a sensor, Tanium Clients that receive its new definition will automatically unquarantine that sensor.

TaaS or the Tanium Server cannot unquarantine sensors on endpoints that are offline. If you know that some endpoints might come online only at a later time, consider scheduling an action that uses the Un-Quarantine Sensor or Un-Quarantine Sensor (Non-Windows) package (see Deploying actions).

  1. From the Main menu, go to Administration > Content > Quarantined Sensors.
  2. Select the sensors and click Unquarantine.
  3. Select the Action Group that includes the endpoints where you want to unquarantine the sensors.
  4. Preview the affected endpoints and then click Unquarantine.

Enable or disable enforcement of quarantined sensors

After you enable quarantine enforcement, Tanium Clients do not answer questions that use quarantined sensors and those sensors do not run for actions. After you disable enforcement, clients still quarantine sensors and log quarantine events, but do not prevent those sensors from running.

Your user account must have a role with the Write Global Settings (micro admin) permission to enable or disable quarantine enforcement. Users with the Administrator reserved role have this permission.

The first time you enable enforcement, you must add the EnableSensorQuarantine setting to the global settings on the Tanium Server as follows. By default, enforcement is disabled and the setting does not appear in the Tanium Console. After you add the setting, the Tanium Server applies it to all Tanium Clients.

  1. Access the Tanium Console.
  2. From the Main menu, go to Administration > Management > Global Settings, and click New Setting.
  3. Enter the following values and click Save.
    • Setting Name = EnableSensorQuarantine
    • Setting Value = 1
    • Affects = Client
    • Value Type = Numeric

Perform the following steps if you want to change the enforcement setting after adding it to the global settings:

  1. From the Main menu, go to Administration > Management > Global Settings.
  2. Select EnableSensorQuarantine, click Edit, set the value to 1 to enable enforcement or 0 to disable enforcement, and click Save.

If you want to change the enforcement setting in specific Tanium Clients instead of all clients, add or edit the EnableSensorQuarantine setting in the local configuration of those clients (see Tanium Client User Guide: Tanium Client settings).

Export quarantined sensor details

Export information about quarantined sensors as a CSV file to view in an application that supports that format.

Users can export the details of specific quarantined sensors if they have Write Sensor permission on the content sets for those sensors. Users with the Administrator or Content Administrator reserved role can export the details of all quarantined sensors.

  1. From the Main menu, go to Administration > Content > Quarantined Sensors.
  2. Select one of the following export options:
    • To export the details of specific quarantined sensors, select the corresponding check boxes and click Export.
    • To export the details of specific quarantined sensors, click Export.
  3. Enter a File Name for the CSV file.
  4. To include grid column headers in the CSV file, select Include headers in export.

    Skip the Flatten rows option. It does not apply to quarantined sensors.

  5. Click Export.

    TaaS or the Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.

Copy quarantined sensor details

Copy information from the Quarantined Sensors page to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Content > Quarantined Sensors.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy.
    • Copy cell information: Hover over the cell, click Options, and click Copy.

Manage sensor results collection

The Tanium Data Service enables you to see stored sensor results for endpoints that are offline at the moment you issue a question. After you register sensors for collection, the service queries all managed endpoints to collect the results of those sensors and store them in the Tanium database. To keep the results current, the service periodically reissues questions that contain the registered sensors. The Interact Question Results grid displays only the latest collected results. For details on displaying the results, see Display results for online and offline endpoints.

When you decide which sensors to register, consider that results collection consumes resources such as network bandwidth, processing on endpoints, and disk space on the Tanium Server. Resource consumption increases with the cardinality of sensors. For example, the IP Address sensor produces a unique result string for each endpoint, whereas the Operating System (OS) sensor produces the same string for all endpoints that have the same OS. In this case, the high cardinality IP Address sensor requires more bandwidth, CPU usage, and storage than the Operating System sensor.

To optimize resource consumption, configure collection only for low cardinality sensors that produce frequently accessed results, such as for daily reports. For example, you might generate reports based on the results of the Applicable Patches sensor to assess the hygiene or security posture of both online and offline endpoints. Conversely, the results of the High CPU Processes sensor fluctuate too much to be reliable for gauging activity on offline endpoints.

For details on monitoring the resource consumption associated with results collection, see Monitor resource usage for sensor results collection.

The Tanium Server automatically registers certain sensors for collection. For example, the server automatically registers sensors that identify endpoints or define membership in computer management groups. For the full list, see Sensors that are registered by default.

For the user role permissions required to manage sensor collection, see Tanium Data Service permissions.

To modify the service account that the Tanium Data Service uses to collect sensor results, see Tanium Interact User Guide: Configure the service account.

The Max Sensor Age, Max String Age, and Max Strings settings in sensor configurations do not apply to the sensor results that the Tanium Data Service collects and stores. For details about these settings, see Table 1.

Display sensor collection registration details

Display the registration status and other details of each sensor:

  1. Go to the Interact Home page and click Settings.

    In the Registration & Collection tab, the Registered column displays True for sensors that are registered and enabled for collection. The column displays False for sensors that are not registered or that are registered but disabled (collection is paused).

    In the far right column, the Actions drop-down displays the available operations for each sensor: register (Add), unregister (Release), pause collection (Disable), resume collection (Enable), and purge results (Purge). Note that you cannot unregister, pause collection, or purge results for the sensors listed under Sensors that are registered by default.

    By default, the sensor grid is filtered to exclude hidden sensors. For details about hidden sensors, see the Hide this sensor from sensor lists and parse results setting in Table 1.

    Click the Name of a sensor to edit its configuration.

  2. (Optional) To display only specific sensors, click Advanced Filters and select from the following options:
    • Category: Display only the sensors that are used in questions that are assigned to dashboards contained in a specific category.
    • Registered: Display only the sensors that are registered and enabled for collection (True), or are not registered (False) for collection.
    • Hidden: Display only the sensors that are hidden (True) or are not hidden (False).
    • Has Parameters: Display only parameterized sensors (True) or non-parameterized sensors (False).
  3. (Optional) Enter a text string in the Filter Items field above the grid to filter it by sensor Name or Category.

Register or unregister sensors for collection

After you register or unregister sensors for collection, the Tanium Data Service automatically applies the changes for the next Collection Interval (see Configure advanced settings for sensor collection), when it issues questions to update the sensor results. Additionally, after you register a sensor for collection, the server immediately begins collecting results for the sensor. Registration changes also apply if you Manually start collection. You cannot unregister sensors that are registered by default.

Unregistering a sensor does not remove its existing results from the Tanium Data Service storage. To purge results from storage so that the Question Results page does not display them, see Purge results for specific sensors.

  1. Go to the Interact Home page and click Settings.
  2. (Optional) Filter the Registration & Collection tab to find specific sensors: see Display sensor collection registration details.
  3. Perform one of the following actions:
    • Register sensors: Select Actions > Add to register a sensor.

      For each parameterized sensor, you can register multiple instances. For each instance, specify the parameters and click Apply.

    • Unregister sensors: Select Actions > Release to unregister a sensor.

Pause or resume collection for sensors

When the Tanium Server issues questions to update sensor results, it excludes any paused sensors. You can pause or resume collection for individual sensors without unregistering or re-registering them. When you pause a sensor, the Interact Question Results page continues displaying the last results (if any) that the server collected for that sensor before you paused it. You cannot pause sensors that are registered by default.

  1. Go to the Interact Home page and click Settings.
  2. (Optional) Filter the Registration & Collection tab to find specific sensors: see Display sensor collection registration details.
  3. Select Actions > Disable to pause collection or Actions > Enable to resume collection for a sensor.

After you resume collection for a sensor, the server immediately begins collecting results for the sensor.

Manually start collection

To keep sensor results up-to-date, the Tanium Server automatically reissues questions to all endpoints at every Collection Interval (hourly by default). The server also collects results immediately for sensors that you register or for which you resume collection. Note that manual collections do not affect the Collection Interval schedule (see Configure advanced settings for sensor collection).

  1. Go to the Interact Home page and click Settings.
  2. In the Registration & Collection tab, click Collect Now above the grid.

Purge results for specific sensors

You can purge the results of selected sensors from storage so that the Question Results page does not display them.

You cannot purge the results of sensors that are registered by default.

The Tanium Data Service automatically removes results for endpoints that do not answer questions within the Max Endpoint Age interval. To configure this garbage collection process, see Configure removal of expired sensor results.

  1. Go to the Interact Home page and click Settings.
  2. (Optional) Filter the Registration & Collection tab to find specific sensors: see Display sensor collection registration details.
  3. Unregister or pause collection for the sensors that you want to purge:
    • Pause collection: Select Actions > Disable.
    • Unregister: Select Actions > Release.
  4. For each sensor that you want to purge, select Actions > Purge and click Confirm.

Configure advanced settings for sensor collection

To collect results for registered sensors, the Tanium Data Service issues questions that contain the sensors. The service issues one batch of questions at a time, downloads the results from the Tanium Server, and writes the results to the Tanium database. The default collection settings prevent the questions from consuming too much network bandwidth and endpoint processing. The default settings also prevent the service from consuming too much Tanium Server memory when downloading and writing results. You can edit the settings as necessary based on the number of sensors that you registered for collection and on the resource limits of your network, endpoints, and Tanium Server.

Contact Tanium Support before modifying the collection settings. Only users with the Administrator reserved role can modify the settings.

To monitor or troubleshoot the sensor collection process, select Interact > Info and view the Data Collection metrics in the Data Service Status chart.

  1. Go to the Interact Home page and click Settings.
  2. Select Service Configuration and configure the following settings in the Collection tab:
    Table 2: Sensor collection process settings
    Setting: Description
    Collection Interval: Specify how frequently the Tanium Data Service runs the process to collect results for registered sensors. The units are minutes and the default is 60 (one hour).
    Poll Interval: Specify how frequently the Tanium Data Service checks for results for each issued question. The units are seconds and the default is 30.
    Poll Timeout: Specify the amount of time that must pass, starting from when the Tanium Data Service last received new results for questions, before it stops checking for new results. The units are seconds and the default is 60 (1 minute).
    Max Sensors per Question: Specify the maximum number of single-column sensors in each question that the Tanium Data Service issues to collect results. A single-column sensor returns an answer that the Question Results grid displays in a single column. The default is 30 sensors per question. When you configure this setting, consider how it combines with the Max Concurrent Questions to affect resource consumption during collection.

      The service applies a non-configurable limit of one multi-column sensor per question.

    Max Concurrent Questions: Specify the maximum number of questions that the Tanium Data Service issues simultaneously in each batch to collect results. The default is 10 questions. When you configure this setting, consider how it combines with the Max Sensors per Question to affect resource consumption during collection.
    Results Download Page Size: Specify the maximum number of endpoints for which the Tanium Data Service downloads results from the Tanium Server during collection. The default is 10,000. The purpose of this setting is to optimize memory usage for the service and server by preventing them from processing too large a data set for any single download.

Configure removal of expired sensor results

When the Tanium Data Service stores results, it maps them to each endpoint and evaluates their expiration age relative to when the endpoint last returned updates. This means that if multiple endpoints returned the same results but at different times, the garbage collection process removes only the results for endpoints that did not return updates within the expiration interval (Max Endpoint Age). You can edit garbage collection settings as necessary based on the growth rate for result strings and the available resources (storage space and memory) in your deployment. To monitor string growth and determine which sensors are generating the most strings, see Monitor resource usage for sensor results collection.

Contact Tanium Support before modifying garbage collection settings. Only users with the Administrator reserved role can modify the settings.

To monitor or troubleshoot the garbage collection process, select Interact > Info and view the Garbage Collection metrics in the Data Service Status chart. For example, the chart displays an error for the process if it times out before removing all the expired results.

  1. Go to the Interact Home page and click Settings.
  2. Select Service Configuration > Garbage Collection and configure the following settings:
    Table 3: Garbage collection settings for sensor results
    Setting: Description
    Garbage Collection Interval: Specify how frequently the Tanium Data Service checks which results have expired and removes them. The units are minutes and the default is 15.
    Garbage Collection Timeout: Specify how long the garbage collection process runs before timing out. The units are minutes and the default is 30. While the process is running, the Tanium Data Service delays any pending updates to the stored results. Be sure to specify enough time to remove all the expired results without delaying updates to a degree that significantly affects users who need to see the latest results.

      If the garbage collection process times out before removing all the expired results, it resumes the removal at the next Garbage Collection Interval.

    Max Endpoint Age: Specify the expiration age of the collected results. For each endpoint, the Tanium Data Service evaluates the age of its results based on when the endpoint last returned updates for any sensors. The units are days and the default is 30. The garbage collection process removes the entries for any endpoints and their associated results from storage if those endpoints have not answered sensor collection questions within the Max Endpoint Age interval.
    Reference Sensor Name: Specify the sensor that the Tanium Data Service uses to identify endpoints when evaluating which results have expired based on the Max Endpoint Age. The default sensor is Computer ID. The best practice is to use one of the following endpoint identification (EID) sensors because they are updated most frequently: Computer ID, Computer Name, or Computer Serial Number.
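
The per-endpoint expiry and the resume-after-timeout behavior described in this section can be modeled as follows. This Python example is an added illustration, not Tanium code: the ResultStore class, the endpoint names, the result values, and the max_removals parameter (a stand-in for Garbage Collection Timeout) are assumptions made for the example.

```python
from datetime import datetime, timedelta

MAX_ENDPOINT_AGE = timedelta(days=30)   # page default: 30 days

class ResultStore:
    """Hypothetical model: results are mapped to each endpoint and expire per endpoint."""

    def __init__(self):
        self.last_update = {}   # endpoint -> time it last returned updates
        self.results = {}       # endpoint -> {sensor name: result string}

    def record(self, endpoint, when, answers):
        self.last_update[endpoint] = when
        self.results.setdefault(endpoint, {}).update(answers)

    def strings(self):
        """Distinct result strings still mapped to at least one endpoint."""
        return {v for answers in self.results.values() for v in answers.values()}

    def collect_garbage(self, now, max_removals=None):
        """One garbage collection pass. max_removals (assumption) imitates a
        timeout: the pass stops early and the rest waits for the next pass.
        Returns (endpoints removed, expired endpoints still pending)."""
        expired = sorted(e for e, t in self.last_update.items()
                         if now - t > MAX_ENDPOINT_AGE)
        removed = expired if max_removals is None else expired[:max_removals]
        for endpoint in removed:
            del self.last_update[endpoint]
            del self.results[endpoint]
        return removed, len(expired) - len(removed)

def demo():
    now = datetime(2024, 6, 1)
    store = ResultStore()
    # Constructed sample data: three endpoints returned the same result string
    # at different times; only ep-a answered within Max Endpoint Age.
    same = "Windows Server 2019"
    store.record("ep-a", now - timedelta(days=2), {"Operating System": same})
    store.record("ep-b", now - timedelta(days=45), {"Operating System": same})
    store.record("ep-c", now - timedelta(days=90),
                 {"Operating System": same, "Chassis Type": "Rack Mount"})
    first = store.collect_garbage(now, max_removals=1)           # pass cut short
    second = store.collect_garbage(now + timedelta(minutes=15))  # next interval resumes
    return first, second, store

if __name__ == "__main__":
    first, second, store = demo()
    print(first, second, sorted(store.results), store.strings())
```

The shared string survives because ep-a still maps to it, while the string that only ep-c reported disappears with that endpoint's entry.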

Troubleshoot sensor collection

To determine whether sensor collection is consuming too much network bandwidth, processing on endpoints, or Tanium Server resources, see Monitor resource usage for sensor results collection.

To troubleshoot other sensor collection issues, see:

  • Tanium Core Platform Deployment Reference Guide: Tanium Data Service logs: The logs indicate when the Tanium Server issued each question to collect results, the question ID, and information about each sensor in the question.
  • Question history: In the Administration > Question History page, use the question ID (Harvesting qid) from the Tanium Data Service logs to find specific questions that the Tanium Server issued to collect sensor results.

Sensors that are registered by default

The following Tanium Core Platform sensors are registered for collection by default. After you install Interact, the Tanium Data Server immediately begins collecting and storing results for the registered sensors. You cannot unregister, pause collection, or purge results for these sensors.

Certain Tanium modules include additional sensors that are registered by default when you import the modules.

If some sensors that define computer group membership are not yet available in your deployment, you can import them through the Default Computer Groups content pack: see Manage Tanium shared services and content.

  • Endpoint identifier (EID) sensors:
    • Computer ID
    • Computer Name
    • Computer Serial Number
  • Sensors that define membership in computer management groups:
    • Chassis Type
    • Computer Name
    • Is AIX
    • Is Linux
    • Is Mac
    • Is Solaris
    • Is Virtual
    • Is Windows
    • Operating System
    • Operating System Generation
    • Windows OS Release ID
    • Windows OS Type