Managing Tanium solutions

Tanium as a Service automatically manages installations and upgrades for Tanium modules, shared services, and content packs.

Tanium solutions include modules (such as Interact), shared services (such as Direct Connect), and content packs (such as Default Content). Each Tanium module and shared service includes content and a workbench. A workbench is the user interface that you use to perform module or service operations. Use the content and workbenches to manage, monitor, and protect the endpoints in your network. To see a list of modules and services, and a brief description of the purpose for each one, go to https://docs.tanium.com. The Tanium Console User Interface (UI) is also a module that you can upgrade when an updated version is available.

To perform all management tasks for Tanium modules, shared services, content packs, and console UI updates, users require the Administrator reserved role. Any user who has the Import Signed Content micro admin permission can import these content types.

Manage Tanium modules

To import, re-import, export, upgrade, or uninstall modules, go to the Main menu and click Solutions to open the Tanium Solutions page. When you first log into the Tanium Console after Tanium Server installation, this page opens by default. Clicking the Install with Recommended Configurations button at the top initiates the workflow to import and (optionally) configure, in a single operation, all the modules and shared services that you are licensed to use. You can also use the tiles below the button to import only specific modules. After you import any modules, the page stops displaying the Install with Recommended Configurations button. For the procedure, see Import and (optionally) configure the latest versions of all modules. Automatic configuration is not available for upgrade or re-import operations.

When you initially set up your Tanium deployment, the best practice is to import all the modules in a single operation because some cannot function unless you import dependent modules and shared services. For example, the Reveal module requires that you first import the Direct Connect service. For details about the dependencies see Module- and service-specific dependencies and default settings. The Tanium Server automatically imports one module at a time in order based on the dependencies and imports several content packs that are useful for many modules.

On the Tanium Solutions page, the tile for each module shows the currently Installed version, if any. The following table describes the buttons and links in each tile that enable you to perform actions on the module based on its status.

For Tanium Servers in a high availability (HA) deployment, you need to import, re-import, upgrade, or uninstall modules on only one server. The HA peer automatically attempts to perform the same operation. For details, see Module synchronization in an HA deployment.

To manage the Tanium Console UI module, see Import Tanium Console UI updates.

If the Tanium Solutions page does not display tiles for certain modules, contact your Technical Account Manager (TAM).

Table 1:   Tanium module actions and status
Action/Status Description
Export Export Export a URL for the module version that is currently installed on the Tanium Server. You can then log into the Tanium Console of another Tanium Server and import that version from the URL. For details, see Export and import a specific module version.
Import <version> If you purchased a module but did not yet import it, the module tile displays an Import <version> button that shows the latest version you can import. After you initiate an import, the operation must complete before you can import another module.

You can import a module version other than the latest if you previously exported the URL for that version: see Export and import a specific module version.

Re-import The latest version of the module is installed. You can re-import the module if necessary: see Import, re-import, or upgrade to the latest versions of specific modules.
Upgrade to <version> A new version of the module is available to which you can upgrade: see Import, re-import, or upgrade to the latest versions of specific modules. If you want the page to display tiles only for the modules that you can upgrade, click View Available Upgrades above the module tiles.
Available to Purchase Contact your TAM to purchase this module.
Documentation Click this link to see the user guide for the module.
Uninstall Click this link to uninstall the module: see Uninstall modules.

Module- and service-specific dependencies and default settings

Some Tanium modules and shared services cannot function unless you import dependent modules and services. To see a list of the dependencies for a module or service, go to the user guide for that solution. The user guides also list the default settings that are configured if you use the Install with Recommended Configurations button to import modules and services.

Table 2:   Module- and service-specific settings and dependencies
Product Dependencies Default Settings
Asset Tanium dependencies Import and configure Asset with default settings
Client Management Tanium dependencies Import and configure Client Management with default settings
Comply Tanium dependencies Import and configure Comply with default settings
Connect Tanium dependencies Import and configure Connect with default settings
Deploy Tanium dependencies Import and configure Deploy with default settings
Direct Connect Tanium dependencies Import and configure Direct Connect with default settings
Discover Tanium dependencies Import and configure Discover with default settings
End-User Notifications Tanium dependencies Import and configure End-User Notifications with default settings
Health Check Tanium dependencies Import and configure Health Check with default settings
Integrity Monitor Tanium dependencies Import and configure Integrity Monitor with default settings
Interact Tanium dependencies Import and configure Interact with default settings
Map Tanium dependencies Import and configure Map with default settings
Network Quarantine Tanium dependencies Import and configure Network Quarantine with default settings
Patch Tanium dependencies Import and configure Patch with default settings
Performance Tanium dependencies Import and configure Performance with default settings
Protect Tanium dependencies Import and configure Protect with default settings
Reputation Tanium dependencies Import and configure Reputation with default settings
Reveal Tanium dependencies Import and configure Reveal with default settings
Threat Response Tanium dependencies Import and configure Threat Response with default settings
Trends Tanium dependencies Import and configure Trends with default settings

Import and (optionally) configure the latest versions of all modules

After you install the Tanium Server and log into the Tanium Console for the first time, the Tanium Solutions page opens and initially displays an Install with Recommended Configurations button. To initiate the workflow for importing, and optionally configuring, all your licensed modules and shared services in a single operation, you must click that button instead of using the module tiles.

Automatically configuring default settings is the best practice. However, if your deployment requires configurations that differ from the recommended default settings, you can manually configure some or all modules and services after installing them.

During the Install with Recommended Configurations workflow, the Tanium Server performs the following operations:

  1. Imports the following content packs:
    • Client Maintenance
    • Core Content
    • Core MSSQL Content
    • Initial Content - Python
  2. Imports and configures the modules and shared services.
  3. Creates a Default - All Computers action group and makes it the target for all scheduled actions that previously targeted the Default action group. The new action group specifies the All Computers computer group. Five minutes after re-targeting the actions, the Tanium Server deploys them as a one-time event. The server bases future deployments of the actions on their configured reissue interval: for details, see Manage scheduled actions.

After you complete the workflow, the Tanium Solutions page stops displaying the Install with Recommended Configurations button. To re-import or upgrade modules thereafter, see Import, re-import, or upgrade to the latest versions of specific modules. To re-import or upgrade shared services, see Manage Tanium shared services and content packs.

After you read the release notes for your licensed modules, import and (optionally) configure them as follows:

  1. Access the Tanium Console by entering the fully qualified domain name (FQDN) of the Tanium Server in the browser URL field (https://ts1.example.com, for example).

    In HA deployments, automatic synchronization of the import operation between the HA peers works only if you specify the FQDN, not the IP address.

  2. From the Main menu, click Solutions.
  3. Click Install with Recommended Configurations. Perform this step regardless of whether you want to automatically configure default settings for all, some, or none of the solutions.
  4. (Optional) To review the default settings for any solution, click Expand Expand beside its name.
  5. (Optional) Deselect the Apply Tanium recommended configurations check box for any solutions that you want to configure manually instead of using the default settings:
    • Manually configure all the listed solutions: Deselect the check box above the list of solutions.
    • Manually configure specific solutions: For each solution that you want to configure manually, click Expand Expand beside its name and deselect the check box above its list of settings.

    The Configuration Setting column displays Manual Configuration for the specified solutions.

  6. Click Begin Import.

    The Tanium Server imports and configures one solution at a time. Based on the number of licensed solutions to import, this might take several hours. A dialog displays the progress of the import and configuration processes.

  7. Click Close when the progress dialog indicates that the import and configuration succeeded.

    After you finish the operation, the Main menu displays the imported solutions under Modules and Shared Services.

Import, re-import, or upgrade to the latest versions of specific modules

After you read the release notes for the modules that you will import, re-import, or upgrade, perform the following steps to proceed with the operation. You can combine imports, re-imports, and upgrades in a single operation.

  1. Access the Tanium Console by entering the fully qualified domain name (FQDN) of the Tanium Server in the browser URL field (https://ts1.example.com, for example).

    In HA deployments, automatic synchronization of the import, re-import, or upgrade operations between the HA peers works only if you specify the FQDN, not the IP address.

  2. From the Main menu, click Solutions.
  3. Select the check box at the top right of the tile for each module that requires the action, and click the action button above the tiles (such as Import Selected or Upgrade Selected).

    To perform the action on a single module, you can also click the Import, Reimport, or Upgrade button within the module tile.

  4. (Fresh imports only, optional) Deselect the Apply Tanium recommended configurations check box for any modules that you want to configure manually instead of using the default settings:
    • Manually configure all the listed modules: Deselect the check box above the list of modules.
    • Manually configure specific modules: For each module that you want to configure manually, click Expand Expand beside the module name and deselect the check box above its list of settings.

    The Configuration Setting column displays Manual Configuration for the specified modules.

  5. (Multiple modules only) Select or deselect Automatically import modules & overwrite content:
    • Select the check box (default): After you start the import, re-import, or upgrade, the Tanium Server performs the operation without prompting you to review module content or to select options for resolving conflicts with existing content. The server automatically overwrites or merges any existing content with the imported content.
    • Deselect the check box: After you start the import, re-import, or upgrade, the Tanium Server prompts you to review the content and select conflict resolution options for one module at a time.
  6. Click Begin Import.
  7. If you deselected the Automatically import modules & overwrite content check box, perform the following tasks:
    1. Review the content to import and select resolutions for any conflicts with existing content (see Resolve conflicts when importing updates or configurations).
    2. If you want to overwrite existing content set assignments for all imported objects with the default Tanium-defined assignments, select Include content set overwrite. By default, the Include content set overwrite check box is deselected and the Tanium Server preserves the existing content set assignments.
  8. Click Import, Reimport, or Upgrade.

    The Tanium Server performs the operation for one module at a time. Based on the number of modules that you selected for the operation, this might take several minutes or several hours. A dialog displays the progress of the operation.

  9. Click Close when the progress dialog indicates that the import, re-import, or upgrade succeeded.

    Any imported modules appear under Modules in the Main menu.

  10. (Upgrades only) If the release notes for the upgraded modules list changes to the Tanium™ Trends boards, panels, or sources, perform the steps under Tanium Trends User Guide: Importing the initial gallery to re-import them.

Export and import a specific module version

For each module, you can export a URL for the module version that is currently installed on the Tanium Server. You can then log into the Tanium Console of another Tanium Server and import that version from the URL. This option is useful for migrating a module version other than the latest between Tanium Servers. For example, after testing a specific module version in your lab environment, you can export the URL for that version and then import the module from that URL into your production deployment.

  1. Log into the Tanium Console of the Tanium Server that already has the desired module version.
  2. From the Main menu, click Solutions.
  3. Click Export Export in the module tile.
  4. Click Copy to add the URL to your clipboard, and click Close.

    If you do not want to import the module immediately, paste the URL to a text file to store it for later.

  5. Log into the Tanium Console of the Tanium Server to which you want to migrate the module version.
  6. Click Import From URL at the top right of the page, paste the URL in the Import URL field, and click Import.

    The module tile turns green and its Upgrade to <version> button indicates the version that you imported.

  7. Upgrade to the imported version. The steps are the same as those described under Import, re-import, or upgrade to the latest versions of specific modules.

Uninstall modules

To uninstall a single module:

  1. Access the Tanium Console by entering the FQDN of the Tanium Server in the browser URL field (https://ts1.example.com, for example).

    In HA deployments, automatic synchronization of the uninstallation operation between the HA peers works only if you specify the FQDN, not the IP address.

  2. From the Main menu, click Solutions.
  3. Click Uninstall at the bottom right of the module tile.

To uninstall multiple modules:

  1. Access the Tanium Console by entering the FQDN of the Tanium Server in the browser URL field (https://ts1.example.com, for example).
  2. From the Main menu, click Solutions.
  3. Select the check box at the top right of the tile for each module that you want to uninstall, or click Select All above the tiles.
  4. Click Uninstall above the tiles.
  5. Click Close when the progress dialog indicates that the uninstallation succeeded.

Module synchronization in an HA deployment

The import, re-import, or upgrade operation for each module writes a workbench configuration to files on the Tanium Server host and adds an entry in the shared database logs. When you perform an operation involving a workbench on one Tanium Server in an HA deployment, its HA peer automatically attempts to perform the same operation. This automatic duplication on the HA peer also applies to uninstalling modules.

Automatic synchronization of the operations between the HA peers works only if you specify the FQDN, not the IP address, when accessing the Tanium Console to perform the operations. Furthermore, you must use the default port (443) when accessing the console, not a custom port.

If a network issue occurred during any of these processes such that module versions differ between HA servers, or one server does not have the module, a message indicates the discrepancies when you access the Tanium Solutions page (Figure  1). Note that the message appears only in the Tanium Console of the server that has discrepancies based on the database log entries. For example, importing Tanium™ Asset might succeed on Tanium Server ts1.example.com but not on Tanium Server ts2.example.com. In this case, the database logs will have an entry only for ts1.example.com and the Tanium Console for ts2.example.com will display a discrepancy message. To resolve the discrepancies, repeat the import, upgrade, downgrade, or uninstallation process on the Tanium Server that has the discrepancies.

Consult your TAM for the procedure to downgrade modules.

Figure  1:  Mismatched module versions

Manage Tanium shared services and content packs

In the Tanium Solutions page, the Tanium Content section lists the content packs and shared services that you can import, re-import, upgrade, or uninstall. Tanium content is a set of configuration objects that Tanium develops and distributes for a particular purpose through content packs. For example, the Default Content pack includes the key configuration objects found on the Interact pages (categories, dashboards, and saved questions), Console > Content pages (sensors, packages, saved questions, and filter groups), and Console > Actions > Scheduled Actions page.

The Tanium Server downloads a manifest of available Tanium content packs and shared services from content.tanium.com and displays them in the Tanium Content section. The section displays separate grids for two classes of content:

  • Supported Solutions: This is production content that includes the essential set of objects for querying endpoints and deploying actions. It also lists the shared services that you can manage.
  • Labs: This is an experimental set of configuration objects. Labs content is available only if you specified a Tanium™ lab license when installing the Tanium Server.

    The best practice is to test configuration objects in a lab environment before importing them into a production environment.

If the grids show that the Imported Version lags the latest Available Version for a content pack or shared service, you can upgrade it.

Tanium Servers write content to the shared Tanium database. Therefore, after you import content on any single Tanium Server in an HA deployment, the content is available in the HA peer.

When you log into the Tanium Console for the first time after installing the Tanium Server, the server automatically imports the Default Content and Default Computer Groups content packs. During this initial login session, you can import and (optionally) configure the latest versions of all shared services in a single operation by clicking Install with Recommended Configurations. This operation imports several basic content packs but you must import any other content packs separately.

During the Install with Recommended Configurations workflow, the best practice is to select the option to automatically configure shared services with default settings. However, if your deployment requires configurations that differ from the recommended default settings, you can manually configure some or all services after installing them. For a list of the default settings for each service, see Module- and service-specific dependencies and default settings.

For the procedure to Install with Recommended Configurations, see Import and (optionally) configure the latest versions of all modules.

You also have the option to import only a few shared services, or just one, at a time.

Import, re-import, or upgrade to the latest versions of specific shared services and content packs

  1. From the Main menu, click Solutions and scroll to the Tanium Content section.
  2. Select the content packs or services for the action you want to perform or click Select All.

    To filter the grid so that it includes only content packs and services for which upgrades are available, click View Available Upgrades.

  3. Click the button above the grid for the action you want to perform: import, re-import, upgrade, uninstall , or copy Copy (copies the grid information to the clipboard).

    To export Export a URL for downloading content, see Export and import a specific version of a shared service or content pack.

    For imports or upgrades, the Tanium Console prompts you to resolve any conflicts before proceeding: see Resolve conflicts when importing updates or configurations.

  4. (Shared service upgrades only) If the release notes for the upgraded services list changes to the Tanium Trends boards, panels, or sources, perform the steps under Tanium Trends User Guide: Importing the initial gallery to re-import them.

Export and import a specific version of a shared service or content pack

For each shared service or content pack, you can export a URL for the version that is currently installed on the Tanium Server. You can then log into the Tanium Console of a Tanium Server in another environment and import that version from the URL. This option is useful for migrating a version other than the latest between Tanium environments. For example, after testing a specific service version in your lab environment, you can export the URL for that version and then import the service from that URL into your production deployment. You can export and import only one service or content pack at a time.

  1. Log into the Tanium Console of the Tanium Server that already has the desired service or content pack version.
  2. From the Main menu, click Solutions.
  3. Scroll to the Tanium Content section and select the Supported Solutions tab or (if you have a Tanium lab license) Labs tab.
  4. Select the service or content pack in the grid and click Export Export in the grid toolbar.
  5. Click Copy Copy to add the URL to your clipboard, and click Close.

    If you do not want to import the service or content pack immediately, paste the URL to a text file to store it for later.

  6. Log into the Tanium Console in the environment to which you want to migrate the service or content pack version.
  7. Click Import From URL at the top right of the Tanium Solutions page, paste the URL in the Import URL field, and click Import.

    The Tanium Console prompts you to resolve any conflicts before proceeding: see Resolve conflicts when importing updates or configurations.

  8. (Shared service upgrades only) If the release notes for the upgraded services list changes to the Tanium Trends boards, panels, or sources, perform the steps under Tanium Trends User Guide: Importing the initial gallery to re-import them.

Import Tanium Console UI updates

In the Main menu, the Console: <version> field displays the current version of the Tanium Console UI module. Tanium periodically provides updates to the module and the Tanium Server checks content.tanium.com for the updates. If an update is available, the Tanium Console displays a message under the Main menu, Upgrade Available: Common UI Components, and the adjacent Upgrade button displays the update version. Click Upgrade to install the update. Restarting the Tanium Server or your browser session is not necessary to initialize updates.

As a best practice, always accept console UI updates.

Resolve conflicts when importing updates or configurations

When you import updates to Tanium modules, shared services, or content packs, or import a file that contains content (such as sensors or packages), conflicts might occur with existing content. After you review the Best practices for resolving import conflicts, perform the following steps:

  1. Start the import, re-import, or upgrade workflow for one of the following:
    • Modules: You must deselect the Automatically import modules & overwrite content check box to review and manually resolve conflicts. Otherwise, the Tanium Server automatically overwrites or merges any existing content with the imported content. For details, see Manage Tanium modules.
    • Content packs: See Manage Tanium shared services and content packs.
    • JSON/XML content file: First, use KeyUtility.exe to sign the file before you import it, and copy the associated public key to the correct folder (see Authenticating content files). Then go to any Console > Content or Console > Permissions page and click Import Content at the top right of the Tanium Console.

    A dialog itemizes any conflicts.

  2. Select an Import Option to resolve each conflict:
    • Overwrite: Replaces existing content with the imported content.
    • Skip: Skips the import for that item.
    • (Categories only) Merge: Unites objects included in the categories. As a best practice, select Merge and then go to categories to review the resulting configuration.
    • (Saved actions only) Overwrite and Disable Action: This option is useful if you want the new action disabled by default. Later, when are ready to test the action, go to the Main menu, select Console > Actions > Scheduled Actions, review the action, and enable it.

    The solution or content file might include content set definitions. When you first establish your content sets, selecting Include content set overwrite is a best practice to ensure that content is assigned to the content sets that the content pack designer intended. After you implement your own role-based access control (RBAC) plan and move content to the content sets that you plan to use, do not select this option; otherwise, the assignments defined in the imported file will overwrite your content set assignment.

  3. Click Import, Reimport, or Upgrade.
  4. Click Close when the dialog indicates the Import completed successfully.
  5. (Upgrades only) If the release notes for the upgraded modules or shared services list changes to the Tanium Trends boards, panels, or sources, perform the steps under Tanium Trends User Guide: Importing the initial gallery to re-import them.

Best practices for resolving import conflicts

The following tips can inform your decisions regarding conflicts when you import content.

Tip 1: Read the release notes

Always read the release notes for every solution or content version that was released since your last update. The release notes alert you to the scope of changes and might include notes that can help you avoid issues. Release notes also indicate the release date, which is important if you plan to import multiple content packs. Different content packs might include updates to the same basic sensors or packages. In this case, it is best to install the older content packs before the newer ones.

Tip 2: Confirm you have good restore points

Before you update a Tanium module, shared service, or content pack, confirm that you have recent restore points and backups in case something goes wrong.

The Tanium database stores content configuration objects. As a best practice, schedule regular database backups.

The installation folders for the Tanium Server and Tanium Module Server include important files, such as encryption keys, a license file, string files, and other data files. As a best practice, schedule regular file system backups.

Tip 3: Update your lab deployment first

Always update your lab servers first and evaluate the impact that changes might have on endpoints before updating your production servers. Perform the following tasks when updating your lab deployment:

  • Assess the impact on network utilization when the Tanium Server distributes content to endpoints. For certain content types, an update might result in additional network traffic. Usually, this additional traffic is negligible.
  • Test the functionality. If the content update includes sensors, saved questions, dashboards, or categories, test them by issuing questions and reviewing results. If it includes packages, deploy them. If the update includes saved actions, edit their configurations to assign them to the correct action groups.

After you qualify the updates on lab servers, import the updates on production servers and spot test the behavior of new or changed content.

Tip 4: Limit customizations to Tanium content

When you import Tanium updates, the configuration specified in the import overwrites the current configuration. In almost every case, overwriting is preferable to maintaining the current configuration because the updates include important changes that optimize performance, avoid issues, and make the associated tools more useful.

Limit customizations to Tanium content so that updates are minimally disruptive. Maintain notes of any changes you make. For example, keep a log of any changes to the Max Sensor Age setting, a package timeout, or a saved question reissue interval. Keep a log of the Tanium objects that you clone as a source for your custom objects. When a content pack update becomes available, the best practice is to import it and then redo the customizations that the import overwrote.

Tip 5: Re-create content that uses parameterized objects

When an import overwrites a parameterized sensor or parameterized package, it does not affect previously created saved questions or scheduled actions that reference them.

When you save a question that has a parameterized sensor, the sensor definition, including the substituted values, is saved in an object called a temp sensor. On the endpoint, the Tanium Client runs the temp sensor when it computes answers to a saved question that calls it. A saved question that the Tanium Server reissues based on a schedule continues to use the temp sensor even if the sensor on which it was based is updated. Therefore, if a sensor is updated, and you want the saved question to use the updated code, you must re-create the saved question.

Likewise, when a scheduled action is based on a parameterized package, the package definition, including the substituted values, is saved in an object called a temp package. On the endpoint, the Tanium Client runs the temp package when it has a directive to run the scheduled action that calls it. A scheduled action continues to use the temp package even if the package on which it was based is updated. Therefore, if a package is updated, and you want the scheduled action to use the updated code, you must re-create the scheduled action.

Tip 6: Avoid bulk overwrites to Tanium content

Do not simply export the current configuration and then re-import it after the content upgrade finishes. This practice overwrites the sensor code with old versions and often has unexpected consequences. For example, a Tanium content pack includes a scheduled action to distribute patch tools when the patch tools version, which the Has Patch Tools sensor reports, does not match a particular value. If the package that provides the patch tools and updates the version uses a different version than the Has Patch Tools sensor expects, the Tanium Server continuously distributes the patch tools until the Has Patch Tools sensor uses the correct version.