Managing sensor runtime thresholds

Sensor runtime thresholds overview

The time that a Tanium Client takes to run a question varies widely, based on which sensors, and how many, the question invokes. To help you assess the impact that running Tanium questions has on endpoint resources, you can customize sensor runtime thresholds that trigger indicator icons in the Tanium Console displays indicator icons that are based on sensor runtime thresholds.

Figure  1:  Sensor runtime indicators

Your user account requires the Administrator reserved role to see and use the Administration > Content > Sensor Thresholds page.

The Tanium Client tracks the runtime for each sensor when a question runs it, calculates the average of all the past runtimes for that sensor, and sends the updated runtime information to the Tanium Server every three hours. The Tanium Server calculates the average runtime based on the latest updates from all the endpoints that reported runtimes for the sensor.

The following table describes the threshold icons and their default labels and values.

 Table 1: Sensor runtime threshold icons
Threshold icon Description
Not Run The Tanium Server has not yet received runtime information from any endpoints for this sensor.

This icon also displays for built-in sensors regardless of their runtimes. The Tanium Server does not record runtime statistics for built-in sensors, and does not account for those sensors when calculating runtimes for questions that use them. The built-in sensors are:

  • Action Statuses
  • Download Statuses
  • Computer Name
  • Computer ID
  • Manual Group Membership
  • IP Address
Check Below any threshold The runtime average for a sensor does not exceed any threshold.
Low The runtime average exceeds the Low threshold but does not exceed the Medium threshold. By default, the Low threshold is 100 ms. You can customize the threshold and the label.
Medium Runtime Medium The runtime average exceeds the Medium threshold but does not exceed the High threshold. By default, the Medium threshold is 500 ms. You can customize the threshold and the label.
High Runtime High The runtime average exceeds the High threshold, which by default is 1,000 ms. You can customize the threshold and the label.

When viewing threshold indicators, note the following caveats:

  • The Tanium Server does not use cached responses to questions when calculating runtime averages.
  • Sensors that require data sampling are more likely to exceed runtime thresholds. However, the longer runtimes required for sampling do not necessarily indicate high resource usage when endpoints run these sensors. Contact Tanium Support for details. The affected sensors include:
    • CPU by Process
    • CPU Consumption
    • Disk IOPS
    • High CPU Consumption
    • High CPU Processes
    • Network Throughput Inbound
    • Network Throughput Outbound
    • SQL Server CPU Consumption
    • Tanium Client CPU

Before you begin

Work with your Tanium Support (see Contact Tanium Support) to determine the runtime thresholds that you expect will influence administrator decisions about whether to run a question, how often to run it, and which sensors to include in the question. The goal is to plan questions in a way that does not interfere with other, more critical tasks that endpoints perform.

Set thresholds that reflect decisions Tanium users must make, based on the endpoint management policies of your organization. For example, policies might dictate that users must never run a question that exceeds 10 seconds during peak traffic times on endpoints that perform tasks with a higher priority than responding to questions.

Configure sensor thresholds

The Tanium Console displays threshold indicators by default. However, you can change the default thresholds as follows.

  1. From the Main menu, go to Administration > Content > Sensor Thresholds.
  2. Select whether you want the Tanium Console to Display thresholds to only those Tanium users with predefined administrative roles (Admin) or to all users who are allowed to see questions and sensors (Admin and Users).
  3. Set the average runtime (in milliseconds) for each threshold (High, Medium, and Low) or accept the defaults, and then click Save.

Verify sensor thresholds

Threshold indicator icons appear wherever you view and select sensors in the Tanium Console. After modifying threshold values, verify that the Tanium Server applied your changes.

The Administration > Content > Sensors page displays runtime statistics for all sensors.

  1. Go to the Tanium Home page or Interact Overview page.
  2. In the Ask a Question field, enter a question that uses a sensor expected to have a short runtime, such as Computer Name, and a sensor expected to have a long runtime, such as Running Processes of User. For example: Get Computer Name and Applicable Patches from all machines. Press Enter to display a list of suggested questions.
  3. Verify that the list of suggested questions displays the expected threshold icons. If you see unexpected indicators, review the icon descriptions and caveats described in Sensor runtime thresholds overview.
  4. Hover over the icon for the suggested question that you want, and verify that the popup displays the expected runtime (in milliseconds) and the expected threshold icons for each sensor.