Managing computer groups

Computer groups overview

A computer group defines a set of endpoints that you want to manage as a group with respect to operations that Tanium users and modules perform. For example, you can define a computer group that includes all endpoints that are in a data center, and assign the group only to users who will issue questions and deploy actions to data center endpoints. Use computer groups for the following tasks:

Control endpoint management rights

A Tanium user can issue questions and deploy actions only to endpoints for which that user has computer group management rights. Roles do not control access to computer groups, but roles do control which content is available to the user for questions and actions. For example, if you want a user to see the processes running on endpoints in a data center, you must assign the user a role with Read Sensor permissions on the content set containing the Running Processes sensor, and also assign a computer group containing the data center endpoints. For details, see Computer group management rights.

Filter questions, results, lists, and action targets

You can use computer groups to filter question results (see Filter question results), filter which endpoints process a question (see Use computer group filters), and filter various lists in the Tanium Console (such as the Administration > Users page). Computer groups are also the building blocks of action groups, which you use to filter the target endpoints for actions. For details, see Managing action groups.

You must be assigned a role with the Write Computer Group (micro admin) permission to create, modify, or delete computer group configurations. To create a configuration, you also need the Read Sensor permission on the Reserved content set. The Reserved content set includes content used to ask preview questions. Users that are assigned the Administrator or Content Administrator reserved roles have these permissions.

Computer group management rights

You assign computer group management rights by assigning computer groups to user configurations. A user can also inherit the rights through a user group assignment. When a user asks a question, the Tanium Server distributes a question message to the Tanium Clients, and all the clients that are online see the message. The message has three components:

  1. The computer group management rights of the user
  2. The target filter clause
  3. The select statement

When processing a question message, the Tanium Client first evaluates whether the user has management rights for the computer group to which the client belongs. If the answer is no, the client does not process the question further, and does not add its answer to the answer message. If the answer is yes, the client then evaluates all of the sensors in the target filter clause. If the target filter expression evaluates to true, the client evaluates the select statement sensors and adds the results to the answer message. Note that the client does not process any select statement filters. The answer messages include all results from select statement sensors, and the Tanium Server handles results filtering.

In the following example, the user has management rights for the Windows, West branch, and Manual 12 computer groups. The user asks the question Get Operating System contains 2008 from all machines with Is Windows contains true. The Tanium Server distributes the question message, and Tanium Clients A, B, and C are online to receive it. The user does not have management rights for any of the groups to which Tanium Client B belongs, so Tanium Client B does not process the question further. The user does have management rights for groups to which Tanium Client A and Tanium Client C belong, so these two clients do evaluate the question, starting with the target filter clause. Tanium Client A runs on a Windows endpoint, so the target filter clause evaluates to true, and the client then evaluates the Operating System sensor. The client does not process the contains 2008 filter because the Tanium Server handles select statement filters. Tanium Client C runs on a Solaris endpoint, so the target filter clause evaluates to false, and the client does not evaluate the Operating System sensor.

Figure 1: Computer group management rights
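The evaluation order described above can be modeled in a few lines. The following Python sketch is an added illustration, not Tanium code: the class and function names, the group memberships of Clients A, B, and C, and the sensor values are all constructed assumptions. It shows that the management rights check gates everything else on the client, and that the contains 2008 filter is applied only by the server.

```python
from dataclasses import dataclass

@dataclass
class Client:
    name: str
    groups: frozenset   # computer groups the endpoint belongs to
    sensors: dict       # sensor name -> value the endpoint reports

@dataclass
class Question:
    user_groups: frozenset  # 1. management rights of the asking user
    target: tuple           # 2. target filter clause: (sensor, substring)
    select: str             # 3. select statement sensor
    select_filter: str      # select statement filter, applied by the server

def contains(value, needle):
    return needle.lower() in str(value).lower()

def client_process(client, q):
    """Client-side steps in order; returns (stage reached, answer or None)."""
    if not client.groups & q.user_groups:
        return "no-rights", None          # stops before any sensor runs
    sensor, needle = q.target
    if not contains(client.sensors.get(sensor, ""), needle):
        return "target-false", None       # select sensor is never evaluated
    return "answered", client.sensors.get(q.select)  # select filter not applied

def server_results(clients, q):
    """Returns (answer message contents, rows left after server-side filtering)."""
    raw = {}
    for c in clients:
        stage, value = client_process(c, q)
        if stage == "answered":
            raw[c.name] = value
    shown = {n: v for n, v in raw.items() if contains(v, q.select_filter)}
    return raw, shown

# Constructed data: group memberships and sensor values are assumptions.
CLIENTS = [
    Client("A", frozenset({"Windows", "West branch"}),
           {"Is Windows": True, "Operating System": "Windows Server 2012 R2"}),
    Client("B", frozenset({"Linux", "East branch"}),
           {"Is Windows": False, "Operating System": "Red Hat Enterprise Linux 7"}),
    Client("C", frozenset({"Manual 12"}),
           {"Is Windows": False, "Operating System": "Solaris 11"}),
]
QUESTION = Question(frozenset({"Windows", "West branch", "Manual 12"}),
                    ("Is Windows", "true"), "Operating System", "2008")

if __name__ == "__main__":
    print(server_results(CLIENTS, QUESTION))
```

With this sample data, Client A's Operating System value is present in the answer message even though it does not contain 2008; the server drops it when filtering results.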

Create computer groups

You can define groups in two ways:

Filter-based computer groups

These computer groups define membership based on the results of a sensor filter expression, such as Is Windows equals true. Tanium Clients process the expression to determine whether their endpoints belong to the group.

Whenever possible, define computer groups based on sensor filters instead of manual groups. Computer groups are building blocks for the management rights assigned to users and for the action groups and targeting questions used throughout the system. After creating a computer group, you cannot change how it defines membership. Unlike manual computer groups, filter-based groups dynamically adjust to changes as endpoints are added to or removed from your network. For example, say you use a manual group called Critical Servers for three special servers. Then you add a fourth server to the cluster. To update your computer groups, you will have to create a new manual group, update the management rights configurations, and re-create the pertinent action groups and saved questions that you want to target the new computer group. A better approach would be to define the computer group based on a sensor that identifies which servers qualify as critical.

Manual computer groups

These computer groups define membership based on a specified list of computer names or IP addresses. The Tanium Client obtains manual group configuration information when registering with the Tanium Server.

If you need to create a new computer group with membership that differs only slightly from an existing group, cloning the existing group is often easier than creating a new group from scratch. For details, see Clone computer groups.

Create a filter-based computer group

  1. Go to Administration > Computer Groups.
  2. Click New Group and enter a Name to identify the group.
  3. Add a sensor filter. The Filter Bar takes input similar to the from clause in the Interact Ask a Question field. The Filter Builder takes input similar to the from computers with fields of the Interact Question Builder. For details, see Asking questions.
  4. Save the configuration.

Create a manual computer group

  1. Go to Administration > Computer Groups.
  2. Click New Manual Group and enter a Name to identify the group.
  3. Enter a list of computer names or IP addresses. Computer names must match the results that the Computer Name sensor returns. Short forms or alternative names do not work.
  4. Save the configuration.

Edit computer groups

You can edit only the display name of a computer group, not the definition. Editing the name does not change the object ID.

  1. Go to Administration > Computer Groups.
  2. Select the computer group and click Edit.
  3. Enter a new Name and save the configuration.

Clone computer groups

Cloning is useful when you need to create a new computer group with filtering conditions that differ only slightly from an existing group.

  1. Go to Administration > Computer Groups.
  2. Select the computer group you want to copy, and then click Clone.
  3. Enter a Name to identify the new computer group.
  4. Enter the filtering conditions that determine which endpoints are Members of the group. For details, see Create computer groups.
  5. Review the Preview list of members, and then save the configuration.

Delete computer groups

Deleting a computer group involves the following tasks and considerations:

  • Account for user and user group configurations that might reference the computer group to assign management rights to users. Be prepared to make changes to those configurations as needed.
  • Account for other configurations that might have referenced the computer group, such as action groups, scheduled actions, and saved questions. The scheduled actions and saved questions that are configured to target the computer group continue to do so because they do not depend on the computer group ID, just the information that the computer group provided at the time it was created.
  • Endpoints continue to match targeting questions as long as they match the sensor filter expression or manual group ID. The manual group ID obtained during registration is never erased from the Tanium Client configuration, so targeting questions based on a manual group ID continue to match as well.
  • If you intend to stop the scheduled activities that target those computers, you must disable, edit, or delete those configurations.

When you are ready to delete a computer group:

  1. Go to Administration > Computer Groups.
  2. Select the computer group, click Delete Selected, and click OK at the confirmation prompt.

Last updated: 11/12/2019 3:19 PM