A computer group is a configuration that defines a set of endpoints having a sensor result in common—for example, all endpoints that have a particular operating system or all endpoints that have a particular tag.
The computer group configuration is used throughout the platform.
A user is assigned "management rights" for computer groups directly in the user configuration, and a user can inherit them through a user group assignment.
When a user asks a question, the Tanium Server forms a question message that gets distributed through the Tanium Client linear chains, and all Tanium Clients that are online see the message. The question message has three components:
- The user's computer group management rights.
- The target filter clause.
- The select statement.
When the endpoint processes the question message, it first evaluates whether the user has management rights for the computer group to which it belongs. If not, the endpoint does not process the question further, and it does not add its answer to the answer message. If so, the endpoint then evaluates all of the sensors in the target filter clause. If the target filter expression evaluates to true, the endpoint evaluates the select statement sensor(s) and adds its results to the answer message. Note that the endpoint does not process select statement filters (if any). All results from select statement sensors are included in the answer messages, and results filtering is handled by the Tanium Server.
In the following example, the user has management rights for computer groups Windows, West branch, and Manual 12. The question is distributed to all endpoints, and Tanium Client A, B, and C receive the question message. The user does not have management rights for any of the groups to which Tanium Client B belongs, so Tanium Client B does not process the question further. The user does have management rights for groups to which Tanium Client A and Tanium Client C belong, so these two endpoints do evaluate the question, beginning with the target filter clause. Tanium Client A is deployed on a Windows host, so the target filter clause evaluates to true, and the endpoint then evaluates the Operating System sensor. The endpoint does not process the "contains 2008" filter because select statement filters are handled by the Tanium Server. Tanium Client C is deployed on a Solaris host, so the target filter clause evaluates to false, and the endpoint does not evaluate the Operating System sensor.
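The evaluation order described above can be traced with a small model. This is an added illustration, not Tanium code: the class and function names are hypothetical, the group memberships of Tanium Client B and the operating system strings are constructed, and the target filter is assumed to be "Is Windows equals true".

```python
from dataclasses import dataclass

@dataclass
class Endpoint:
    name: str
    groups: set    # computer groups the endpoint belongs to
    sensors: dict  # sensor name -> current result on this endpoint

@dataclass
class Question:
    rights: set         # asking user's computer group management rights
    target: tuple       # (sensor, expected value): the target filter clause
    select: str         # sensor named in the select statement
    select_filter: str  # "contains" filter on the select sensor (server-side)

def endpoint_process(ep, q):
    """Model of the client side: return the answer contribution or None."""
    if not (ep.groups & q.rights):
        return None                  # no management rights: stop, no answer
    sensor, expected = q.target
    if ep.sensors.get(sensor) != expected:
        return None                  # target filter false: select not evaluated
    return ep.sensors[q.select]      # select result is sent unfiltered

def server_collect(endpoints, q):
    """Model of the server side: gather answers, then apply the select filter."""
    answers = {}
    for ep in endpoints:
        result = endpoint_process(ep, q)
        if result is not None:
            answers[ep.name] = result
    displayed = {n: r for n, r in answers.items() if q.select_filter in r}
    return answers, displayed

# Constructed sample data following the example in the text.
RIGHTS = {"Windows", "West branch", "Manual 12"}
ENDPOINTS = [
    Endpoint("A", {"Windows"},
             {"Is Windows": True, "Operating System": "Windows Server 2012 R2"}),
    Endpoint("B", {"East branch"},  # no group the user has rights for
             {"Is Windows": True, "Operating System": "Windows Server 2008 R2"}),
    Endpoint("C", {"West branch"},
             {"Is Windows": False, "Operating System": "Solaris 11"}),
]
QUESTION = Question(RIGHTS, ("Is Windows", True), "Operating System", "2008")

if __name__ == "__main__":
    answers, displayed = server_collect(ENDPOINTS, QUESTION)
    print("answer message:", answers)
    print("after server-side filter:", displayed)
```

In this constructed data, Tanium Client B runs a 2008 release but never appears in the results because the management rights check comes first, while Tanium Client A contributes an answer that only the server-side "contains 2008" filter removes.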
Computer groups are also the building blocks of the action groups that are used to target scheduled actions and one-time actions.
You can also use computer groups to filter results:
You must be assigned a role with the Write Computer Group (Micro Admin) permission to create, modify, or delete computer group configurations. To create a configuration, you also need the Read Sensor permission on the Reserved content set. The Reserved content set includes content used to ask preview questions. Users that are assigned the Administrator or Content Administrator reserved roles have these permissions.
You can define groups in two ways:
Filter-based computer groups
Recommended. Based on results of a sensor filter expression, such as is Windows equals true. The Tanium Client processes the specified sensor filter expression to determine whether the endpoint belongs to the group.
Manual groups
Not recommended. Based on a specified list of computer names or IP addresses. The Tanium Client obtains manual group configuration information during client registration.
Use sensor filter expressions to define computer groups whenever possible. Computer groups are building blocks for the management rights assigned to users and for the action groups and targeting questions used throughout the system. By design, the configuration of a computer group cannot be modified. Filter-based computer groups dynamically keep up with changes as computers are added or removed from your network. Manual groups do not. For example, let's say you use a manual group called Critical Servers for three special servers. Then you add a fourth server to the cluster. To update your Tanium computer groups, you will have to create a new manual group and then update the management rights configurations and re-create pertinent action groups and saved questions that you want to target the new computer group. Save yourself the work. Use filter-based computer groups.
Create a filter-based computer group
- Go to Administration > Computer Groups.
- Click New Group.
- Specify a configuration name and add a sensor filter.
- Save the configuration.
Create a manual group
- Go to Administration > Computer Groups.
- Click New Manual Group.
- Specify a configuration name and a list of computer names or IP addresses. If you specify a computer name, the name must match the form of the name in results returned by the Computer Name sensor. Short forms or alternate names do not work.
- Save the configuration.
You can edit only the display name of a computer group, not the definition. Note that editing the name does not change the object ID.
When you delete a computer group:
- Take account of the user and user group configurations that might reference it to assign management rights to users. Be prepared to make changes to those configurations as needed.
- Take account of other configurations that might have referenced it, like action groups, scheduled actions, and saved questions. The scheduled actions and saved questions that are configured to target the computer group continue to do so because they do not depend on the computer group ID, just the information provided by the computer group at the time it was created.
- Endpoints continue to match targeting questions as long as they match the sensor filter expression or manual group ID. The manual group ID obtained during registration is never erased from the client configuration, so targeting questions based on manual group ID continue to match as well.
- If you intend to stop the scheduled activities that target those computers, you must disable, edit, or delete those configurations.
Historically, customers have used manual groups for computers that require special handling, like critical servers or executive laptops. However, manual groups are not recommended because they cannot be modified to add or remove members. You can meet "special handling" and similar objectives with filter-based computer groups and a custom tag, such as Critical_Servers. You can manage the presence of the tags in the client configuration to manage membership in the group.
Here is the basic workflow:
- Use Interact to target the computers you want to tag.
- From the results grid, deploy an action. Select the Custom Tagging - Add Tags package. In this example, the tag Critical_Servers is applied.
- Use Interact to ask a question and confirm the tag has been applied.
- Create a filter-based computer group based on the tag.
You can use actions to add or remove the tags from the endpoints, effectively changing group membership.
Last updated: 7/31/2018 5:04 PM