Managing computer groups

You can use computer groups:

Role requirements

You must be assigned a role with the Write Computer Group (Micro Admin) permission to create, modify, or delete computer group configurations. To create a configuration, you also need the Read Sensor permission on the Reserved content set. The Reserved content set includes content used to ask preview questions. Users that are assigned the Administrator or Content Administrator reserved roles have these permissions.

Create computer groups

You can define groups in two ways:

Filter-based groups

Recommended. Based on results of a sensor filter expression, such as is Windows equals true. The Tanium Client processes the specified sensor filter expression to determine whether the endpoint belongs to the group.

Manual groups

Not recommended. Based on a specified list of computer names or IP addresses. The Tanium Client obtains manual group configuration information during client registration.

Use sensor filter expressions to define computer groups whenever possible. Computer groups are building blocks for the management rights assigned to users and for the action groups and targeting questions used throughout the system. By design, the configuration of a computer group cannot be modified. Filter-based groups dynamically keep up with changes as computers are added or removed from your network. Manual groups do not.

For example, let's say you use a manual group called Critical Servers for three special servers. Then you add a fourth server to the cluster. To update your Tanium computer groups, you will have to create a new manual group and then update the management rights configurations and re-create pertinent action groups and saved questions that you want to target the new computer group. Save yourself the work. Use filter-based groups.

Create a filter group

  1. Go to Administration > Computer Groups.
  2. Click New Group.
  3. Specify a configuration name and add a sensor filter.
  4. Save the configuration.

Create a manual group

  1. Go to Administration > Computer Groups.
  2. Click New Manual Group.
  3. Specify a configuration name and a list of computer names or IP addresses. If you specify a computer name, the name must match the form of the name in results returned by the Computer Name sensor. Short forms or alternate names do not work.
  4. Save the configuration.

Edit computer groups

You can edit only the display name of a computer group. Editing the name does not change the object ID.

Delete computer groups

When you delete a computer group:

  • Take account of the user and user group configurations that might reference it to assign management rights to users. Be prepared to make changes to those configurations as needed.
  • Take account of other configurations that might have referenced it, like action groups, scheduled actions, and saved questions. The scheduled actions and saved questions that are configured to target the computer group continue to do so because they do not depend on the computer group ID, just the information provided by the computer group at the time it was created.
  • Endpoints continue to match targeting questions as long as they match the sensor filter expression or manual group ID. The manual group ID obtained during registration is never erased from the client configuration, so targeting questions based on manual group ID continue to match as well.
  • If you intend to stop the scheduled activities that target those computers, you must disable, edit, or delete those configurations.

Example: Create a computer group based on Custom Tags

Historically, customers have used manual groups for computers that require special handling, like critical servers or executive laptops. However, manual groups are not recommended because they cannot be modified to add or remove members. You can meet "special handling" and similar objectives with filter-based computer groups and a custom tag, such as Critical_Servers. You can manage the presence of the tags in the client configuration to manage membership in the group.

Here is the basic workflow:

  1. Use Interact to target the computers you want to tag.
  2. From the results grid, deploy an action. Select the Custom Tagging - Add Tags package. In this example, the tag Critical_Servers is applied.
  3. Use Interact to ask a question and confirm the tag has been applied.
  4. Create a filter-based computer group based on the tag.

You can use actions to add or remove the tags from the endpoints, effectively changing group membership.

Last updated: 5/16/2018 1:13 PM