Managing computer groups

Computer groups overview

A computer group defines a set of endpoints that you want to manage as a group with respect to operations that Tanium users and modules perform. For example, you can define a computer group that includes all endpoints that are in a data center, and assign the group only to users who will issue questions and deploy actions to data center endpoints. Computer groups are also the building blocks of action groups, which filter the target endpoints for actions (see Managing action groups). Furthermore, you can use computer groups to filter various lists in the Tanium Console, such as on the Administration > Users page. Based on the permissions that you want users to have when querying sets of endpoints, you can create the following types of computer groups:

Computer management group

A Tanium user can view question results from, and deploy actions to, only those endpoints that belong to a computer management group that is assigned to the user persona selected for the current session. Roles do not control access to computer management groups, but roles do control which content is available to the user for questions and actions. For example, you might want a user to see the processes running on endpoints in a data center. You must assign that user a role with Read Sensor permissions on the content set containing the Running Processes sensor, and also assign the user a computer management group that contains the data center endpoints. The following figure illustrates the relationship between computer management groups and other Tanium RBAC components.

Computer filter group

Tanium users use computer filter groups as filters in questions (see Use filter groups) and question results (see Filter question results). Users acquire permissions for a filter group when you assign it to a content set, grant filter group permissions to that content set in an advanced role or module role, and assign the role to the personas of users or user groups. The following figure shows an example of an advanced role that grants Read Filter Group and Write Filter Group permissions to the Default Filter Groups content set:


Users cannot receive question results from endpoints in a filter group unless those endpoints also belong to a computer management group and you assign that management group to users or user groups.

You can configure computer groups to function as both management groups and filter groups. The reserved computer groups All Computers and No Computers function as both types. These reserved groups are in the Reserved content set, and you cannot edit them. When you first sign into the Tanium Console after a fresh installation of the Tanium Server, the server automatically imports additional predefined computer groups that function as both filter groups and management groups. Tanium as a Service (TaaS) also provides these predefined groups. See Default computer groups.

Use the Administration > Computer Groups page to view, create, clone, edit, and delete both management groups and filter groups. To manage only filter groups, you can also use the Content > Filter Groups page (see Managing filter groups). After creating a computer group of either type, you cannot change its membership definition.

For the role permissions required to manage computer groups, see RBAC management permissions.

In Tanium Core Platform 7.3 or earlier, all computer groups bestow both management and filtering permissions. After you upgrade to version 7.4 or later, the Tanium Server automatically creates a management group and filter group for each computer group that existed on the pre-upgrade server. However, this automatic duplication does not occur for computer groups of either type that you add after the upgrade.

To understand the interaction between computer management groups and filter groups, and how best to use them, it is important to understand how Tanium Clients process questions. Figure 1 illustrates an example of how computer group and role assignments control what question results a user can receive and filter. In this example, the user persona is assigned computer management groups that contain branch office endpoints, and therefore the user can issue a question that determines which of those endpoints has PowerShell version 2.0 installed. However, for security reasons, the management groups exclude headquarters endpoints because the user is not authorized to see information from those endpoints. The user issues the question Get Computer Name and PowerShell Version equals 2.0 from all machines with Country Code equals 44. All Tanium Clients that are online receive the question and process its components in the following order:

  1. Computer group management permissions

    Each Tanium Client first evaluates whether it belongs to a computer management group that is assigned to the user (persona) who issues the question. If no, the client does not process the question further, and does not add its answer to the answer message.

    In the example, only the clients in the UK and France management groups (UK_1 to UK_4 and FRA_1 to FRA_4) continue processing the question. Note that because Windows and macOS are filter groups, they are assigned to a content set (Default). Even though the user has a role (euro_admin) that provides access to that content set, filter groups bestow only filtering permissions, not the permission to receive answers from clients. Therefore, Windows and macOS clients HQ_1 to HQ_4 do not continue processing the question. The other Windows and macOS clients continue to process the question, but only because they are also members of the UK and France management groups.

  2. Target filter (from) clause

    The from clause specifies whether question results are required from all Tanium Clients (from all machines) or only from clients that evaluate the filtering sensor to true. Optionally, you can use the Is <computer_group> sensor to base the filter on a filter group.

    In the example, only the UK clients match the target filter clause from all machines with Country Code equals 44 and continue to process the question.

  3. Select statement (get) clause

    The get clause specifies the sensors that Tanium Clients run to answer the question. If the select statement has a filter, clients do not process it; only the Tanium Server processes select statement filters after receiving the answers. The Tanium Console then displays the answers in the Question Results grid.

    In the example, the UK clients run the select statement sensors Computer Name and PowerShell Version, and add their output to the answer message. Because equals 2.0 is a filter for the select statement PowerShell Version, the Tanium Server processes that filter after receiving the answers from all the UK clients. The Tanium Console then displays results only for UK clients that have PowerShell version 2.0 installed.

In the example, the user then decides to display results only for endpoints that run Windows, and therefore selects the Windows filter group in the Computer Group drop-down list. The Tanium Server reissues the question using both Country Code equals 44 and Is Windows in the target filter clause. Only Tanium Clients UK_1 and UK_3 match both filters, and so the Tanium Console then displays results only for those clients.

Figure 1: Computer management groups and filter groups
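The processing order described above, as an added example that is not Tanium code or part of the original page: a toy Python model of the three client-side steps and the server-side select filter. Endpoint names follow the page's example; the sensor values (including HQ endpoints that share country code 44) and the helper names `ask`, `country_is`, `is_windows` and `ps_equals_2` are assumptions.

```python
"""Toy model of the question-processing order (illustration only, not Tanium code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    name: str
    mgmt_group: str    # computer management group the endpoint belongs to
    country_code: int  # constructed sensor value
    os: str            # drives the "Is Windows" filter-group sensor
    powershell: str    # constructed sensor value


# Constructed inventory. Names follow the page's example; every sensor value is
# an assumption, including the HQ endpoints sharing country code 44 with the UK.
ENDPOINTS = [
    Endpoint(f"{site}_{i}", group, cc,
             "Windows" if i % 2 else "macOS", "2.0" if i % 2 else "none")
    for site, group, cc in (("UK", "UK", 44), ("FRA", "France", 33), ("HQ", "HQ", 44))
    for i in range(1, 5)
]


def is_windows(e):
    """Stands in for the Is Windows filter-group sensor."""
    return e.os == "Windows"


def country_is(code):
    """Build a from-clause filter on the constructed Country Code value."""
    return lambda e: e.country_code == code


def ps_equals_2(answer):
    """Select-statement filter: PowerShell Version equals 2.0."""
    return answer["PowerShell Version"] == "2.0"


def ask(persona_mgmt_groups, from_filters, select_filter):
    """Return the endpoint names that survive each stage, in processing order."""
    # 1. Client side: stop unless the endpoint is in a management group
    #    assigned to the persona. Filter groups play no part in this check.
    permitted = [e for e in ENDPOINTS if e.mgmt_group in persona_mgmt_groups]
    # 2. Client side: the from clause, including any filter-group sensor.
    targeted = [e for e in permitted if all(f(e) for f in from_filters)]
    # 3. Client side: run the get-clause sensors and add them to the answer.
    answers = [{"Computer Name": e.name, "PowerShell Version": e.powershell}
               for e in targeted]
    # Server side: the select-statement filter runs on the received answers.
    displayed = [a["Computer Name"] for a in answers if select_filter(a)]
    return {"permitted": [e.name for e in permitted],
            "targeted": [e.name for e in targeted],
            "displayed": displayed}


if __name__ == "__main__":
    euro = {"UK", "France"}  # management groups assigned to the persona
    print(ask(euro, [country_is(44)], ps_equals_2))
    print(ask(euro, [country_is(44), is_windows], ps_equals_2))
    print(ask(set(), [is_windows], ps_equals_2))  # filter-group access alone
```

The HQ endpoints match Country Code equals 44 in this constructed data yet never appear in any stage, because the management group check runs first. A persona with no management group receives nothing even when it can use the Windows filter group.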

Computer group membership

Before you create a computer management group or filter group, be sure to understand the following options for defining which endpoints are members. After creating a group, you cannot change its membership definition.

Dynamic membership

Membership is based on the results of a sensor filter expression, such as is Windows equals true. Tanium Clients process the expression to determine whether their endpoints belong to the group.

Manually defined membership

Membership is based on a manually entered list of computer names or IP addresses. The Tanium Client obtains configuration information for the computer groups when registering with the Tanium Server.

Whenever possible, define computer group membership based on sensors. Only groups based on a sensor dynamically adjust their membership as endpoints join or leave your network. For example, you might create a manual group called Critical Servers for three special servers. If you later add a fourth server to the cluster, you cannot change the Critical Servers membership. Instead, you would have to: create a new manual computer group; assign it to personas; and re-create pertinent action groups and saved questions that you want to target the new computer group. A better approach is to define the computer group based on a sensor that identifies which servers qualify as critical, so that the fourth server automatically becomes a member.

Default computer groups

When you first sign into the Tanium Console after a fresh installation of the Tanium Server, the server automatically imports the following computer groups. They all function as both management groups and filter groups, and are assigned to the Default Filter Groups content set.

The Tanium Server does not import these default computer groups when you upgrade.

Table 1: Default computer groups
Platform: Computer Group Name
AIX
  • All AIX
Linux
  • All Amazon
  • All Amazon Linux 2
  • All Linux
  • All CentOS
  • All CentOS 8
  • All CentOS 7
  • All CentOS 6
  • All Oracle
  • All Oracle 8
  • All Oracle 7
  • All Oracle 6
  • All Red Hat
  • All Red Hat 8
  • All Red Hat 7
  • All Red Hat 6
  • All Ubuntu 20
  • All Ubuntu 19
  • All Ubuntu 18
  • All Ubuntu 16
  • All Ubuntu 14
macOS
  • All Mac
  • All macOS 10.15
  • All macOS 10.14
  • All macOS 10.13
Solaris
  • All Solaris
Windows
  • All Windows
  • All Windows Servers
  • All Windows Server 2019
  • All Windows Server 2016
  • All Windows Server 2012 R2
  • All Windows Server 2012
  • All Windows Server 2008 R2
  • All Windows Server 2008
  • All Windows Server 2003
  • All Windows Servers - x86
  • All Windows Servers - x64
  • All Windows Servers - Virtual
  • All Windows Servers - Physical
  • All Windows Workstations
  • All Windows Workstations - x86
  • All Windows Workstations - x64
  • All Windows Workstations - Physical
  • All Windows Workstations - Virtual
  • All Windows 10
  • All Windows 10 release 1909
  • All Windows 10 release 1903
  • All Windows 10 release 1809
  • All Windows 10 release 1803
  • All Windows 10 release 1709
  • All Windows 10 release 1703
  • All Windows 10 release 1607
  • All Windows 10 release 1511
  • All Windows 8.1
  • All Windows 8
  • All Windows 7
  • All Windows XP
Other
  • All Workstations
  • All Servers
  • All Laptops
  • All Virtual Machines
  • All Physical Machines

View computer group configurations

  1. From the Main menu, go to Administration > Management > Computer Groups.

    The Computer Groups grid displays the following attributes for each computer group:

    Table 2: Computer group attributes
    Setting: Description
    Name: The name that identifies the computer group.
    Type: Indicates how membership is defined for the group:
    • Standard: Dynamic membership
    • Manual: Manually defined membership

    For details, see Computer group membership.

    Filter: Indicates whether you can (true) or cannot (false) use the group as a filter group.
    Management: Indicates whether you can (true) or cannot (false) use the group as a computer management group.
    Content Set: (Filter groups only) The content set to which the group is assigned.
    Expression: The filter used to define membership in the computer group. The value is [Manual List] for groups with manually defined membership.

    To see which specific endpoints are members of a computer group, you must display its configuration.

  2. (Optional) Use the filters to find specific computer groups:
    • Filter by text: To filter the grid by computer group Name or membership Expression, enter a text string in the Filter items field.
    • Filter by attribute: Filter the grid by one or more attributes, such as the Content Set assignment. Expand the Filters section, click Add, select an attribute and operator, enter a text string that contains all or part of the attribute value, and click Apply. If you add multiple attribute filters, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  3. (Optional) To see the computer group attributes that are described in Table 2, as well as a list of endpoints that are members of a group, select the computer group and click View.

Create computer groups

Before you create a computer group, be sure to understand the difference between dynamic membership and manually defined membership (see Computer group membership). Perform the following steps to create a group that functions exclusively as a management group or that functions as both a management group and filter group.

To create a computer group that functions exclusively as a filter group, see Create filter groups.

  1. From the Main menu, go to Administration > Management > Computer Groups and click New Computer Group.
  2. Enter a Name to identify the group.
  3. Under Additional Options, select whether users can (Enable) or cannot (Disable) use this group as a filter group. If you Enable the filter group function, select a content set. To use the filter group, users require a role that specifies permissions for that content set.
  4. Define which endpoints are Members of the computer group:
    • Dynamic membership (best practice): Select a method for defining the membership filter:
    • Manually defined membership: Enter a list of computer names or IP addresses. Computer names must match the results that the Computer Name sensor returns. Short forms or alternative names do not work.
  5. Click Save.

Edit computer groups

You can change the name and filter settings of computer groups. However, changing the display name does not change the object ID of a computer group. Also, you cannot change the group membership definition.

  1. From the Main menu, go to Administration > Management > Computer Groups.
  2. Select the computer group and click View Computer Group.
  3. (Optional) Enter a new Name.
  4. (Management groups only) Under Additional Options, select whether users can (Enable) or cannot (Disable) use this group as a filter group. If you Enable the filter group function, select a content set. To use the group as a filter, users require a role that specifies permissions for that content set.
  5. Click Save.

Clone computer groups

Cloning is useful when you need a new computer group with a membership filter that differs only slightly from an existing group.

  1. From the Main menu, go to Administration > Management > Computer Groups.
  2. Select the computer group you want to copy, and then click Clone.
  3. Enter a Name to identify the new computer group.
  4. Under Additional Options, select whether users can (Enable) or cannot (Disable) use this group as a filter group. If you Enable the filter group function, select a content set. To use the group as a filter, users require a role that specifies permissions for that content set.
  5. Define which endpoints are Members of the group. For details, see Create computer groups.
  6. Review the Preview list of members and click Save.

Export or import computer groups

The following procedures describe how to export and import the configurations of specific computer groups or all computer groups.

Develop and test content in your lab environment before importing that content into your production environment.

Export computer groups

Export computer groups as a CSV file to view their settings in an application that supports that format. If you have the Administrator reserved role, you can also export computer groups as a JSON file to import them into another Tanium Server.

If you want to export or import other types of content in addition to computer groups, see Manage Tanium shared services and content.

  1. From the Main menu, go to Administration > Management > Computer Groups.
  2. Select rows in the grid to export only specific computer groups. If you want to export all computer groups, skip this step.
  3. Click Export.
  4. (Optional) Edit the default export File Name.

    The file suffix (.csv or .json) changes automatically based on the Format selection.

  5. Select an Export Data option: All computer groups in the grid or just the Selected computer groups.
  6. Select the file Format: JSON (Administrator reserved role only) or CSV.
  7. Click Export.

    The Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.

Import computer groups

You can import content files that are in JSON or XML format.

  1. Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.
  2. From the Main menu, go to Administration > Configuration > Solutions.
  3. Scroll to the Content section and click Import Content.
  4. Click Choose File, select the content file, and click Open.
  5. Click Import.

    If object names in the file are the same as for existing objects, the Tanium Console itemizes the conflicts and provides resolution options for each one.

  6. Select resolutions for any conflicts. For guidance, see Conflicts and Best practices.
  7. Click Import again, and click Close when the import finishes.

Copy computer group configuration details

Copy information from the Computer Groups page to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Management > Computer Groups.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy.
    • Copy cell information: Hover over the cell, click Options, and click Copy.

Delete computer groups

Deleting a computer management group or filter group involves the following tasks and considerations:

  • Account for user and user group configurations that might reference the computer management group through personas. Be prepared to modify those configurations as needed.
  • Account for other configurations that might have referenced the computer group, such as action groups, scheduled actions, and saved questions. The scheduled actions and saved questions that are configured to target the computer group continue to do so because they do not depend on the computer group ID, just the information that the computer group provided at the time it was created.
  • Endpoints continue to match targeting questions as long as they match the sensor filter expression or manual group ID. The manual group ID obtained during registration is never erased from the Tanium Client configuration, so targeting questions based on a manual group ID continue to match as well.
  • If you intend to stop the scheduled activities (such as scheduled actions and saved questions) that target those computers, you must disable, edit, or delete the corresponding configurations.
  • Deleting a computer management group through the Administration > Computer Groups page removes all instances of the group from the Tanium Server even if the group also functions as a filter group. However, if you use the Content > Filter Groups page to delete a filter group that also functions as a management group, the group remains on the server as a management group with filtering disabled.

When you are ready to delete the computer management group, perform the following steps. To delete a filter group, see Delete filter groups.

  1. From the Main menu, go to Administration > Management > Computer Groups.
  2. Select the computer group and click Delete Selected.
  3. Confirm the operation when prompted, then click OK.