Other versions

Managing computer groups

Using computer groups

A computer group is a configuration that defines a set of endpoints having a sensor result in common—for example, all endpoints that have a particular operating system or all endpoints that have a particular tag. Computer groups are used throughout the Tanium Core Platform.

Computer group management rights

You assign computer group management rights to a user directly in the user configuration. A user can inherit the rights through a user group assignment. When a user asks a question, the Tanium Server distributes a question message to the Tanium Clients, and all the clients that are online see the message. The message has three components:

  1. The computer group management rights of the user
  2. The target filter clause
  3. The select statement

When processing a question message, the Tanium Client first evaluates whether the user has management rights for the computer group to which the client belongs. If no, the client does not process the question further, and does not add its answer to the answer message. If yes, the client then evaluates all of the sensors in the target filter clause. If the target filter expression evaluates to true, the client evaluates the select statement sensors and adds the results to the answer message. Note that the client does not any process select statement filters. The answer messages include all results from select statement sensors, and the Tanium Server handles results filtering.

In the following example, the user has management rights for computer groups Windows, West branch, and Manual 12. The user asks the question Get Operating System contains 2008 from all machines with Is Windows contains true. The Tanium Server distributes the question message, and Tanium Clients A, B, and C are online to receive it. The user does not have management rights for any of the groups to which Tanium Client B belongs, so Tanium Client B does not process the question further. The user does have management rights for groups to which Tanium Client A and Tanium Client C belong, so these two clients do evaluate the question, starting with the target filter clause. Tanium Client A runs on a Windows endpoint, so the target filter clause evaluates to true, and the client then evaluates the Operating System sensor. The client does not process the contains 2008 filter because the Tanium Server handles select statement filters. Tanium Client C runs on a Solaris endpoint, so the target filter clause evaluates to false, and the client does not evaluate the Operating System sensor.

Figure  1:  Computer group management rights

Action groups

Computer groups are also the building blocks of the action groups that are used to target scheduled actions and one-time actions.

Result filters

You can also use computer groups to filter results:

Role requirements

You must be assigned a role with the Write Computer Group (Micro Admin) permission to create, modify, or delete computer group configurations. To create a configuration, you also need the Read Sensor permission on the Reserved content set. The Reserved content set includes content used to ask preview questions. Users that are assigned the Administrator or Content Administrator reserved roles have these permissions.

Create computer groups

You can define groups in two ways:

Filter-based computer groups

Recommended. Based on results of a sensor filter expression, such as is Windows equals true. The Tanium Client processes the specified sensor filter expression to determine whether the endpoint belongs to the group.

Manual computer groups

Not recommended. Based on a specified list of computer names or IP addresses. The Tanium Client obtains manual group configuration information during client registration.

Use sensor filter expressions to define computer groups whenever possible. Computer groups are building blocks for the management rights assigned to users and for the action groups and targeting questions used throughout the system. By design, the configuration of a computer group cannot be modified. Filter-based computer groups dynamically keep up with changes as computers are added or removed from your network. Manual groups do not. For example, let's say you use a manual group called Critical Servers for three special servers. Then you add a fourth server to the cluster. To update your Tanium computer groups, you will have to create a new manual group and then update the management rights configurations and re-create pertinent action groups and saved questions that you want to target the new computer group. Save yourself the work. Use filter-based computer groups.

Create a filter-based computer group

  1. Go to Administration > Computer Groups.
  2. Click New Group.
  3. Specify a configuration name and add a sensor filter.
  4. Save the configuration.

Create a manual computer group

  1. Go to Administration > Computer Groups.
  2. Click New Manual Group.
  3. Specify a configuration name and list of computer names or IP addresses. If you specify computer name, the name must match the form of the name in results returned by the Computer Name sensor. Short forms or alternate names do not work.
  4. Save the configuration.

Edit computer groups

You can edit only the display name of a computer group, not the definition. Note that editing the name does not change the object ID. In effect, the only aspect of the configuration that can be edited is the display name.

Delete computer groups

When you delete a computer group:

  • Take account of the user and user group configurations that might reference it to assign management rights to users. Be prepared to make changes to those configurations as needed.
  • Take account of other configurations that might have referenced it, like action groups, scheduled actions, and saved questions. The scheduled actions and saved questions that are configured to target the computer group continue to do so because they do not depend on the computer group ID, just the information provided by the computer group at the time it was created.
  • Endpoints continue to match targeting questions as long as they match the sensor filter expression or manual group ID. The manual group ID obtained during registration is never erased from the client configuration, so targeting questions based on manual group ID continue to match as well.
  • If you intend to stop the scheduled activities that target those computers, you must disable, edit, or delete those configurations.

Example: Create a computer group based on custom tags

Historically, customers have used manual groups for computers that require special handling, like critical servers or executive laptops. However, manual groups are not recommended because they cannot be modified to add or remove members. You can meet "special handling" and similar objectives with filter-based computer groups and a custom tag, such as Critical_Servers. You can manage the presence of the tags in the client configuration to manage membership in the group.

Here is the basic workflow:

  1. Use Interact to target the computers you want to tag.
  2. From the results grid, deploy an action. Select the Custom Tagging - Add Tags package. In this example, the tag Critical_Servers is applied.
  3. Use Interact to ask a question and confirm the tag has been applied.
  4. Create a filter-based computer group based on the tag.

You can use actions to add or remove the tags from the endpoints, effectively changing group membership.

Last updated: 11/28/2018 10:20 AM | Feedback