Managing computer groups

Using computer groups

A computer group is a configuration that defines a set of endpoints having a sensor result in common—for example, all endpoints that have a particular operating system or all endpoints that have a particular tag. Computer groups are used throughout the Tanium Core Platform.

Computer group management rights

You assign computer group management rights to a user directly in the user configuration. A user can inherit the rights through a user group assignment. When a user asks a question, the Tanium Server distributes a question message to the Tanium Clients, and all the clients that are online see the message. The message has three components:

  1. The computer group management rights of the user
  2. The target filter clause
  3. The select statement

When processing a question message, the Tanium Client first evaluates whether the user has management rights for the computer group to which the client belongs. If no, the client does not process the question further, and does not add its answer to the answer message. If yes, the client then evaluates all of the sensors in the target filter clause. If the target filter expression evaluates to true, the client evaluates the select statement sensors and adds the results to the answer message. Note that the client does not process any select statement filters. The answer messages include all results from select statement sensors, and the Tanium Server handles results filtering.

In the following example, the user has management rights for computer groups Windows, West branch, and Manual 12. The user asks the question Get Operating System contains 2008 from all machines with Is Windows contains true. The Tanium Server distributes the question message, and Tanium Clients A, B, and C are online to receive it. The user does not have management rights for any of the groups to which Tanium Client B belongs, so Tanium Client B does not process the question further. The user does have management rights for groups to which Tanium Client A and Tanium Client C belong, so these two clients do evaluate the question, starting with the target filter clause. Tanium Client A runs on a Windows endpoint, so the target filter clause evaluates to true, and the client then evaluates the Operating System sensor. The client does not process the contains 2008 filter because the Tanium Server handles select statement filters. Tanium Client C runs on a Solaris endpoint, so the target filter clause evaluates to false, and the client does not evaluate the Operating System sensor.

Figure 1: Computer group management rights
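The three-stage evaluation described above, as an added example that is not Tanium code: it simulates a client checking management rights, then the target filter clause, then evaluating the select sensors, with the select-statement filter applied only on the server. It reproduces clients A, B, and C from the example and adds a fourth constructed client, D (a Windows Server 2012 endpoint in the Windows group), to show that the client answers even though the server later drops its row. All sensor values, group names, and endpoint names are constructed.

```python
"""Simulation of how a Tanium Client and the Tanium Server process a question message.

Added example (not Tanium code). Stages: management rights -> target filter ->
select sensors on the client; select-statement filters on the server only.
"""
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    """A simulated Tanium Client: its sensor results and the groups it belongs to."""
    name: str
    sensors: dict      # sensor name -> result string, e.g. {"Is Windows": "true"}
    groups: set        # computer groups this client is a member of


@dataclass
class Question:
    """The three components of a question message, plus the server-side select filter."""
    management_rights: set               # groups the asking user has management rights for
    target_filter: dict                  # sensor -> substring its result must contain
    select_sensors: list                 # sensors whose results are returned
    select_filters: dict = field(default_factory=dict)  # applied by the server, not the client


def client_process(endpoint, question):
    """Client side. Returns the answer dict, or None if the client stays silent."""
    # 1. Management rights: the user must manage at least one group the client is in.
    if not (endpoint.groups & question.management_rights):
        return None
    # 2. Target filter clause: every condition must evaluate to true.
    for sensor, needle in question.target_filter.items():
        if needle not in endpoint.sensors.get(sensor, ""):
            return None
    # 3. Select statement: evaluate the sensors. Select filters are NOT applied here.
    return {s: endpoint.sensors.get(s, "") for s in question.select_sensors}


def server_filter(answers, question):
    """Server side: apply the select-statement filters to the collected answers."""
    return {
        name: answer
        for name, answer in answers.items()
        if all(needle in answer.get(sensor, "")
               for sensor, needle in question.select_filters.items())
    }


def ask(question, endpoints):
    """Distribute the question, gather client answers, then filter on the server."""
    answers = {}
    for ep in endpoints:
        result = client_process(ep, question)
        if result is not None:
            answers[ep.name] = result
    return answers, server_filter(answers, question)


# Constructed endpoints: A, B, C as in the example above, plus D (added here).
ENDPOINTS = [
    Endpoint("A", {"Is Windows": "true", "Operating System": "Windows Server 2008 R2"}, {"Windows"}),
    Endpoint("B", {"Is Windows": "true", "Operating System": "Windows Server 2012"}, {"East branch"}),
    Endpoint("C", {"Is Windows": "false", "Operating System": "Solaris 11"}, {"West branch"}),
    Endpoint("D", {"Is Windows": "true", "Operating System": "Windows Server 2012"}, {"Windows"}),
]

# "Get Operating System contains 2008 from all machines with Is Windows contains true"
QUESTION = Question(
    management_rights={"Windows", "West branch", "Manual 12"},
    target_filter={"Is Windows": "true"},
    select_sensors=["Operating System"],
    select_filters={"Operating System": "2008"},
)

if __name__ == "__main__":
    raw, filtered = ask(QUESTION, ENDPOINTS)
    print("answers received by the server:", raw)
    print("after server-side select filter:", filtered)
```

Client B never answers (no management rights), client C never answers (target filter is false), and clients A and D both return their Operating System result; the server then keeps only A's row because only it contains "2008".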

Action groups

Computer groups are also the building blocks of the action groups that are used to target scheduled actions and one-time actions.

Result filters

You can also use computer groups to filter results.

User role requirements

You must be assigned a role with the Write Computer Group (Micro Admin) permission to create, modify, or delete computer group configurations. To create a configuration, you also need the Read Sensor permission on the Reserved content set. The Reserved content set includes content used to ask preview questions. Users that are assigned the Administrator or Content Administrator reserved roles have these permissions.

Create computer groups

You can define groups in two ways:

Filter-based computer groups

Recommended. Based on results of a sensor filter expression, such as Is Windows equals true. The Tanium Client processes the specified sensor filter expression to determine whether the endpoint belongs to the group.

Manual computer groups

Not recommended. Based on a specified list of computer names or IP addresses. The Tanium Client obtains manual group configuration information during client registration.

If you need to create a new computer group with filtering conditions that differ only slightly from an existing group, cloning the existing group is often easier than creating a new group from scratch. For details, see Clone computer groups.

Use sensor filter expressions to define computer groups whenever possible. Computer groups are building blocks for the management rights assigned to users and for the action groups and targeting questions used throughout the system. By design, the configuration of a computer group cannot be modified. Filter-based computer groups dynamically keep up with changes as computers are added or removed from your network. Manual groups do not. For example, let's say you use a manual group called Critical Servers for three special servers. Then you add a fourth server to the cluster. To update your Tanium computer groups, you will have to create a new manual group and then update the management rights configurations and re-create pertinent action groups and saved questions that you want to target the new computer group. Save yourself the work. Use filter-based computer groups.

Create a filter-based computer group

  1. Go to Administration > Computer Groups.
  2. Click New Group and enter a Name to identify the group.
  3. Add a sensor filter. The Filter Bar takes input similar to the from clause in the Interact Ask a Question field. The Filter Builder takes input similar to the from computers with fields of the Interact Question Builder. For details, see Asking questions.
  4. Save the configuration.

Create a manual computer group

  1. Go to Administration > Computer Groups.
  2. Click New Manual Group and enter a Name to identify the group.
  3. Enter a list of computer names or IP addresses. Computer names must match the results that the Computer Name sensor returns. Short forms or alternate names do not work.
  4. Save the configuration.

Edit computer groups

You can edit only the display name of a computer group, not the definition. Editing the name does not change the object ID.

  1. Go to Administration > Computer Groups.
  2. Select the computer group and click Edit.
  3. Enter a new Name and save the configuration.

Clone computer groups

Cloning is useful when you need to create a new computer group with filtering conditions that differ only slightly from an existing group.

  1. Go to Administration > Computer Groups.
  2. Select the computer group you want to copy, and then click Clone.
  3. Enter a Name to identify the new computer group.
  4. Enter the filtering conditions that determine which endpoints are Members of the group. For details, see Create computer groups.
  5. Review the Preview list of members, and then save the configuration.

Delete computer groups

Deleting a computer group involves the following tasks and considerations:

  • Account for user and user group configurations that might reference the computer group to assign management rights to users. Be prepared to make changes to those configurations as needed.
  • Account for other configurations that might have referenced the computer group, such as action groups, scheduled actions, and saved questions. The scheduled actions and saved questions that are configured to target the computer group continue to do so because they do not depend on the computer group ID, just the information that the computer group provided at the time it was created.
  • Endpoints continue to match targeting questions as long as they match the sensor filter expression or manual group ID. The manual group ID obtained during registration is never erased from the Tanium Client configuration, so targeting questions based on a manual group ID continue to match as well.
  • If you intend to stop the scheduled activities that target those computers, you must disable, edit, or delete those configurations.

When you are ready to delete a computer group:

  1. Go to Administration > Computer Groups.
  2. Select the computer group, click Delete Selected, and click OK at the confirmation prompt.

Example: Create a computer group based on custom tags

Historically, customers have used manual groups for computers that require special handling, like critical servers or executive laptops. However, manual groups are not recommended because they cannot be modified to add or remove members. You can meet "special handling" and similar objectives with filter-based computer groups and a custom tag, such as Critical_Servers. You can manage the presence of the tags in the client configuration to manage membership in the group.

Here is the basic workflow:

  1. Use Interact to target the computers you want to tag.
  2. From the Question Results grid, deploy an action. Select the Custom Tagging - Add Tags package. In this example, the tag Critical_Servers is applied.
  3. Use Interact to ask a question and confirm the tag has been applied.
  4. Create a filter-based computer group based on the tag.

You can use actions to add or remove the tags from the endpoints, effectively changing group membership.
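The tag-driven workflow above, together with the earlier point that manual groups do not keep up with changes, as an added example that is not Tanium code: it models a per-endpoint set of custom tags (standing in for the Custom Tags sensor), tag add/remove actions, a filter-based group defined as "Custom Tags contains Critical_Servers", and a manual group defined by a fixed list of three server names. Endpoint names are constructed; the steps (tag three servers, add a fourth, untag one) are hypothetical.

```python
"""Filter-based group on a custom tag versus a manual group.

Added example (not Tanium code). Endpoints hold a set of custom tags; actions
add or remove tags; the filter-based group is re-evaluated from current tags,
the manual group is a fixed name list captured when it was created.
"""

TAG = "Critical_Servers"


def add_tags(endpoints, targets, tag):
    """Stand-in for deploying the 'Custom Tagging - Add Tags' package to targets."""
    for name in targets:
        endpoints[name].add(tag)


def remove_tags(endpoints, targets, tag):
    """Stand-in for a remove-tags action on targets."""
    for name in targets:
        endpoints[name].discard(tag)


def custom_tags_sensor(endpoints, name):
    """Simulated 'Custom Tags' sensor result for one endpoint (tags joined by ';')."""
    return ";".join(sorted(endpoints[name]))


def filter_members(endpoints, tag):
    """Filter-based group 'Custom Tags contains <tag>', evaluated on current sensor results."""
    return sorted(n for n in endpoints if tag in custom_tags_sensor(endpoints, n).split(";"))


def manual_members(endpoints, fixed_names):
    """Manual group: the list fixed at creation time, regardless of later changes."""
    return sorted(n for n in fixed_names if n in endpoints)


def workflow():
    """Run the workflow and return both groups' membership after each step."""
    # Constructed fleet: three servers and an unrelated laptop, no tags yet.
    endpoints = {"srv01": set(), "srv02": set(), "srv03": set(), "laptop07": set()}
    manual_group = ["srv01", "srv02", "srv03"]   # manual group created for the three servers
    history = {}

    # Steps 1-2: target the three servers in Interact and deploy the Add Tags action.
    add_tags(endpoints, ["srv01", "srv02", "srv03"], TAG)
    # Step 3: confirm the tag via the sensor; step 4: the filter-based group uses it.
    assert all(TAG in custom_tags_sensor(endpoints, n) for n in manual_group)
    history["after tagging"] = (filter_members(endpoints, TAG),
                                manual_members(endpoints, manual_group))

    # A fourth server joins the cluster and is tagged by the same action.
    endpoints["srv04"] = set()
    add_tags(endpoints, ["srv04"], TAG)
    history["after srv04 tagged"] = (filter_members(endpoints, TAG),
                                     manual_members(endpoints, manual_group))

    # One server no longer needs special handling: remove its tag.
    remove_tags(endpoints, ["srv02"], TAG)
    history["after srv02 untagged"] = (filter_members(endpoints, TAG),
                                       manual_members(endpoints, manual_group))
    return history


if __name__ == "__main__":
    for step, (by_filter, by_manual) in workflow().items():
        print(f"{step:>22}: filter-based={by_filter}  manual={by_manual}")
```

After each action the filter-based group reflects the current tags, while the manual group still lists the original three servers; changing it would mean creating a new manual group and re-pointing every management rights assignment, action group, and saved question that targets it.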

Last updated: 6/4/2019 4:33 PM