Importing Tanium Solutions

The Tanium Solutions page has two sections: Tanium Modules and Tanium Content.

You must be assigned the Administrator reserved role to import a Tanium™ solution module or content pack.

Import Tanium modules

Tanium modules include content and workbenches that facilitate many operational and security use cases.

To display the Tanium Solutions page, click the navigation menu icon and then select Tanium Solutions.

The following figure shows the Tanium Modules section.

Figure  1:  Tanium solutions page

The box for each module shows the current version installed along with its status.

Status | Description
Import | You have purchased this module; you need to install it.
Reimport | Module is installed, but you can reimport it if necessary.
Upgrade to x.x.x.x | A new version of this module is available, and you can upgrade.
Available for Purchase | Contact your Tanium technical account manager (TAM) to purchase this module.

When you import a module, it is added to the Tanium Console navigation menu. The following figure shows Tanium Connect added to the navigation menu.

Figure  2:  Navigating to Modules

When you install a solution module, the solution workbench configuration is written to files that reside on the host computer. In an HA deployment, you must import the solution on both nodes for the solution workbench to be available in both Tanium Console instances. Solution content, such as saved questions and packages, however, is written to the shared database, so it is available to both instances at once.

Import Tanium content packs

In Tanium, content is a set of configuration objects that have been developed and distributed for a particular purpose. For example, Tanium Initial Content includes the key configuration objects found on the Categories, Dashboards, Saved Questions, Sensors, Packages, and Scheduled Actions pages.

Tanium Content is authored by Tanium. Tanium publishes two classes of content:

Production Content

The essential set of configuration objects you use to query endpoints and take actions.

Labs Content

An experimental set of configuration objects that you should test and qualify for your deployment in a lab environment before importing it into production.

The Tanium Console downloads a manifest of available Tanium Content packs from content.tanium.com. This manifest populates the Tanium Content table on the Tanium Solutions page. If a lab license was specified during installation, an additional table appears, listing Labs Content.

The content packs named Initial Content - Base and Client Maintenance are imported automatically when the Tanium Console is started for the first time after the Tanium Server installation. Compare the data in the Imported Version and Available Version columns. If the imported version lags the available version, you can make the necessary update.

To import Tanium Content:

  1. Click the navigation menu icon and then select Tanium Solutions.
  2. Scroll down past the Tanium Modules section to the Tanium Content section.
  3. Select the row for the content you want to import.
  4. Click Import Solution.

Import UI updates

The console UI module may be updated periodically. The Tanium Console checks content.tanium.com for updates and prompts you to install them. It is not necessary to restart Tanium Server or to restart your browser session to initialize updates. We recommend you always accept them.

Figure  3:  UI updates

Conflicts

When you import updates to Tanium solution modules or content packs, or import an XML file that contains content, the Tanium Console shows any conflicts.

In general, select Overwrite. You can select Skip if you have made customizations you want to preserve.

Figure  4:  Overwrite

The solution or content XML file might include content set definitions. When you are first setting up your 7.1 content sets, we recommend you select the Include content set overwrite option so that content is assigned to the content sets developed by the content pack designer. After you have implemented your own RBAC plan and have moved content to the content sets you plan to use, do not select this option; otherwise, your content set assignments are overwritten by the assignments defined in the XML file being imported.

Figure  5:  Include content set overwrite

For categories only, the dialog box includes a Merge option. The result is the union of objects included in the categories. We recommend that you select Merge and then go to categories to review the resulting configuration.

Figure  6:  Merge

For saved actions only, the dialog box includes an Overwrite and Disable Action option. This option is useful if you want the new action disabled by default. You can go to the Scheduled Action page, review the action, and enable it when you are prepared to test it.

Figure  7:  Overwrite and Disable Action

Best practices

The following tips can inform your decisions regarding conflicts when you import content.

Tip 1: Read the release notes

Always read the release notes for every version that was released since your last update. The release notes alert you to the scope of changes and may include notes that can help you avoid issues.

Release notes also indicate the release date, which is important if you plan to import multiple content packs. Different content packs might include updates to the same basic sensors or packages. In this case, it is best to install the older content packs before the newer ones.
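The following sketch is an added example, not Tanium code: it turns the Imported Version and Available Version comparison and the oldest-first rule above into an import order. The dictionary keys, the two "Example Pack" names, and all versions and dates are constructed for illustration and are assumed to be copied by hand from the Tanium Content table and the release notes.

```python
from datetime import date

def parse_version(text):
    """Turn a dotted version such as '7.1.10.0' into a tuple of ints.

    Comparing the raw strings is wrong: '7.1.10.0' sorts before '7.1.9.0'.
    """
    return tuple(int(part) for part in text.strip().split("."))

def import_plan(packs):
    """Return the names of packs whose imported version lags the available
    version, ordered so that the oldest release is imported first."""
    pending = []
    for pack in packs:
        available = parse_version(pack["available"])
        # A pack that was never imported has no version; () sorts lowest.
        imported = parse_version(pack["imported"]) if pack["imported"] else ()
        if imported < available:
            pending.append(pack)
    # Older release dates first; the name breaks ties deterministically.
    pending.sort(key=lambda p: (p["released"], p["name"]))
    return [p["name"] for p in pending]

# Constructed sample data (hypothetical versions and release dates).
SAMPLE_PACKS = [
    {"name": "Initial Content - Base", "imported": "7.1.9.0",
     "available": "7.1.10.0", "released": date(2018, 4, 2)},
    {"name": "Client Maintenance", "imported": "7.1.3.0",
     "available": "7.1.3.0", "released": date(2018, 2, 1)},
    {"name": "Example Pack A", "imported": None,
     "available": "1.0.2.0", "released": date(2018, 3, 5)},
    {"name": "Example Pack B", "imported": "2.4.0.1",
     "available": "2.4.1.0", "released": date(2018, 4, 20)},
]

if __name__ == "__main__":
    for step, name in enumerate(import_plan(SAMPLE_PACKS), start=1):
        print(f"{step}. {name}")
```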

Tip 2: Confirm you have good restore points

Before you update a Tanium solution module or content pack, confirm you have recent restore points you can use in case something goes wrong.

The configuration objects for content are stored in the tanium database. You should schedule regular database backups.

The Tanium Server and Tanium Module Server installation directories include important files, such as encryption keys, a license file, string files, and other data files. You should schedule regular file system backups.

Before you import content, make sure you have backups you can use.

Tip 3: Update your lab deployment first

Always update your lab servers first and evaluate the impact changes might have on endpoints before updating your production servers.

During your lab phase:

  • Assess the impact on network utilization when the content gets distributed to endpoints. Depending on the type of content, an update can result in additional network traffic. In most cases, this is negligible.
  • Test the functionality. If the content update includes sensors, saved questions, dashboards, or categories, test by issuing questions and reviewing results. If it includes packages, deploy them. If it includes saved actions, be sure to edit the configuration to assign them to a proper action group.

After you have qualified the update, import the updates on the production server and spot-test the behavior of new or changed content.

Tip 4: Limit customizations to Tanium content

When you import Tanium updates, the configuration specified in the import overwrites the current configuration. In almost every case, you want to overwrite. Updates from Tanium include important changes that are designed to optimize performance, avoid issues, and make the tools more useful.

Limit customizations to Tanium content so that updates are minimally disruptive.

Maintain notes of any changes you make. For example, keep a log of any changes to a sensor Max Age setting, a package timeout, or a saved question reissue interval. Keep a log of the Tanium objects you "clone" as a source for your custom objects.

When a content pack update is available, Tanium recommends you import it, overwriting your customizations with the import; then redo your customizations.

Tip 5: Re-create saved questions and scheduled actions that are based on parameterized objects

When an import overwrites a parameterized sensor or parameterized package, it does not affect previously created saved questions or scheduled actions that reference them.

When you save a question that has a parameterized sensor, the sensor definition, including the substituted values, is saved in an object called a temp sensor. On the endpoint, the Tanium Client runs the temp sensor when it computes answers to a saved question that calls it. A saved question that is reissued according to a schedule continues to use the temp sensor even if the sensor from which it was based is updated. Therefore, if a sensor is updated, and you want the saved question to use the updated code, you must re-create the saved question.

Likewise, when a scheduled action is based on a parameterized package, the package definition, including the substituted values, is saved in an object called a temp package. On the endpoint, the Tanium Client runs the temp package when it has a directive to run the scheduled action that calls it. A scheduled action continues to use the temp package even if the package from which it was based is updated. Therefore, if a package is updated, and you want the scheduled action to use the updated code, you must re-create the scheduled action.
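The following sketch is an added example, not Tanium code: it uses a change log of the kind recommended in Tip 4 to find saved questions and scheduled actions whose temp sensor or temp package was created from a definition that an import has since replaced. The log format, object names, and definition strings are hypothetical and constructed; the log is assumed to record a SHA-256 fingerprint of the source definition at the time each object was created.

```python
import hashlib

def fingerprint(definition):
    """SHA-256 of a sensor or package definition, as recorded in the log."""
    return hashlib.sha256(definition.encode("utf-8")).hexdigest()

def needs_recreation(current_defs, log_entries):
    """Return (kind, name, reason) for every logged object whose source
    sensor or package no longer matches the definition it was created from."""
    stale = []
    for entry in log_entries:
        current = current_defs.get(entry["source"])
        if current is None:
            reason = "source object no longer present"
        elif fingerprint(current) != entry["source_fingerprint"]:
            reason = "source updated since creation"
        else:
            continue  # temp object still matches the current definition
        stale.append((entry["kind"], entry["name"], reason))
    return stale

# Constructed sample: definitions before and after a content import.
SENSOR_V1 = "example sensor script, version 1 (constructed)"
SENSOR_V2 = "example sensor script, version 2 (constructed)"
PACKAGE_V1 = "example package command line, version 1 (constructed)"

# State after the import: the sensor was overwritten, the package was not.
CURRENT_DEFS = {
    "Example Parameterized Sensor": SENSOR_V2,
    "Example Parameterized Package": PACKAGE_V1,
}

# Hypothetical change log written when each object was created.
CHANGE_LOG = [
    {"kind": "saved question", "name": "Example Saved Question",
     "source": "Example Parameterized Sensor",
     "source_fingerprint": fingerprint(SENSOR_V1)},
    {"kind": "scheduled action", "name": "Example Scheduled Action",
     "source": "Example Parameterized Package",
     "source_fingerprint": fingerprint(PACKAGE_V1)},
]

if __name__ == "__main__":
    for kind, name, reason in needs_recreation(CURRENT_DEFS, CHANGE_LOG):
        print(f"Re-create {kind} '{name}': {reason}")
```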

Tip 6: Do not do bulk overwrites to Tanium content

Do not simply export the current configuration and then re-import it after the content upgrade is finished. This practice overwrites the sensor code with old versions and often has unexpected consequences. For example, a Tanium content pack includes a scheduled action to distribute patch tools when the patch tools version, reported by the Has Patch Tools sensor, does not match a particular value. If the package that provides the patch tools and updates the version uses a different version than expected by the Has Patch Tools sensor, the patch tools will continuously be distributed until the Has Patch Tools sensor is using the correct version.

Last updated: 5/16/2018 1:11 PM