Managing Tanium solutions

Tanium as a Service (TaaS) automatically manages installations and updates for Tanium solutions, which include modules, shared services, and content packs. TaaS also performs initial configuration for all the modules and services that your Tanium license specifies.

Tanium solutions overview

Tanium solutions include modules (such as Interact), shared services (such as Direct Connect), and content packs (such as Default Content). When you first sign in to the Tanium Console after Tanium Server installation, the Administration > Configuration > Solutions page opens. The Modules section displays a tile for each module and the Content section displays a row for each shared service or content pack. Table 1 describes the page buttons that you use to manage the solutions. Note that the Install, Re-install, Update, and Uninstall buttons appear in multiple places, and where you click a button determines the scope of its operation:

  • Solutions page footer: Performs the operation for all the selected modules, services, and content packs.
  • Modules section header: Performs the operation only for the selected modules.
  • Modules section tiles: Performs the operation only for a single module.
  • Content section header: Performs the operation only for the selected services and content packs.
 Table 1: Solutions page action buttons
Button Operation
Tanium Recommended Installation Initiates the workflow to import and automatically configure, in a single operation, all the modules and shared services that your Tanium license enables: see Import all modules and services. After you import any modules or services, the page stops displaying the Tanium Recommended Installation button.

Automatic configuration is not available for update or re-import operations.

When you initially set up your Tanium deployment, the best practice is to import all modules and shared services in a single operation because some cannot function unless you import dependent modules and shared services. For example, the Reveal module requires that you first import the Direct Connect service. For details about the dependencies see Dependencies, default settings, and tools deployment. The Tanium Server also automatically imports several content packs that are useful for many modules.

Update Initiates the workflow to update a solution to the latest version. The page uses bold orange text to indicate that an update is available for a solution. See Import, re-import, or update specific solutions.
Install Initiates the workflow to install a solution for which no version is currently installed. The workflow includes an option to configure modules and shared services with the recommended default settings. See Import, re-import, or update specific solutions.
Re-install Initiates the workflow to re-install the currently installed version. See Import, re-import, or update specific solutions.
Uninstall Initiates the workflow to uninstall a solution. See Uninstall solutions.
View documentation Accesses the user guides for modules and shared services and the release notes for content packs. See View solution documentation.
Copy URL Copies the URL of the source file for the currently installed version of a solution. See Export and import specific versions.

To perform all management tasks for Tanium solutions, users require the Administrator reserved role. Any user who has a role with the Import Signed Content permission can import solutions.

Tanium modules

Each Tanium module comprises content and a workbench. A workbench is the user interface that you use to perform module operations. Use the content and workbenches to manage, monitor, and protect the endpoints in your network. To see a list of modules, and a brief description of the purpose for each one, go to https://docs.tanium.com. The Tanium Console User Interface (UI) is also a module that you can update when a new version is available (see Import Console UI updates).

In the Solutions page, the Modules section displays a tile for each module. The tiles indicate the currently installed module version and whether updates are available.

Contact Tanium Support if the Solutions page does not display tiles for certain modules or if a tile indicates the module is available for purchase and you want to add it to your Tanium license.

Tanium shared services and content packs

Each Tanium shared service includes content and a workbench that you use to manage, monitor, and protect the endpoints in your network. To see a list of services, and a brief description of the purpose for each one, go to https://docs.tanium.com and scroll to the Tanium™ Shared Services section.

Tanium content is a set of configuration objects that Tanium develops and distributes for a particular purpose through content packs. For example, the Default Content pack includes the key configuration objects found on the Interact Overview page (categories, dashboards, and saved questions), Administration > Content pages (sensors, packages, saved questions), and Administration > Actions pages (scheduled actions).

The Tanium Server downloads a manifest of available Tanium content packs and shared services from content.tanium.com and displays them in the Content section of the Solutions page. If you specified a Tanium™ lab license when installing the Tanium Server, you can filter the Content grid by Source:

  • Manifest: This is production content that includes the essential set of objects for querying endpoints and deploying actions. It also lists the shared services that you can manage.
  • Labs: This is an experimental set of configuration objects. Labs content is available only if you specified a Tanium lab license.
  • All: Both Manifest and Labs content.

If you specified a Tanium production license, only Manifest content is available.

If the grid indicates that the Imported Version lags the latest Available Version for a content pack or shared service, you can update it.

When you sign in to the Tanium Console for the first time after installing the Tanium Server, the server automatically imports the Default Content and Default Computer Groups content packs. If you perform the Tanium Recommended Installation, the server automatically imports several other basic content packs but you must manually import any other content packs.

View solution documentation

The Solutions page provides links to user guides for modules and shared services and to release notes for some content packs:

  • Module user guides: Scroll to the Modules section and click View Documentation View documentation in a module tile.
  • Shared service user guides or content pack release notes: Scroll to the Content section and click View Documentation View documentation in the row of a service or content pack.

Dependencies, default settings, and tools deployment

If you later decide to add Tanium solutions to your Tanium license, note that some Some Tanium solutions cannot function unless you import dependent solutions. To see a list of the dependencies for a solution, click a link in Table 2 to go to the corresponding user guide. The user guides also list the default settings that are configured if you use the Tanium Recommended Installation button to import solutions.

During default configuration, solutions that employ tools on managed endpoints create their own action groups and automatically deploy the tools to those groups. By default, those action groups target the All Computers filter group. However, you can set the No Computers filter group as the target by enabling the restricted targeting option. This option enables you to control tools deployment by preventing automatic deployment. For example, you might want to test Tanium™ Comply tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset: see Managing action groups. To enable or disable restricted targeting:

  1. Sign in to the Tanium Console as a user who is assigned a role with the Global Settings write permission.
  2. From the Main menu, go to Administration > Configuration > Platform Settings.
  3. In the Name column, click restricted_targeting_recommended_configs.
  4. Set the Value to 1 to enable or 0 to disable restricted targeting and click Save.

After you enable or disable restricted targeting, the updated setting applies only to solutions that are subsequently installed, not to solutions that are already installed. Because TaaS imports and configures solutions automatically, you must configure restricted targeting before adding solutions to your license if you want the updated setting to apply to those solutions.

 Table 2: Solution-specific settings and dependencies
Solution Dependencies Default Settings
Asset Tanium dependencies Import and configure Asset with default settings
Client Management Tanium Client Management dependencies Import and configure Client Management with default settings
Comply Tanium dependencies Import and configure Comply with default settings
Connect Tanium dependencies Import and configure Connect with default settings
Deploy Tanium dependencies Import and configure Deploy with default settings
Direct Connect Tanium dependencies Import and configure Direct Connect with default settings
Discover Tanium dependencies Import and configure Discover with default settings
Endpoint Configuration Tanium dependencies Import and configure Endpoint Configuration with default settings
End-User Notifications Tanium dependencies Import and configure End-User Notifications with default settings
Enforce Tanium dependencies Import and configure Enforce with default settings
Health Check Tanium dependencies Import and configure Health Check with default settings
Impact Tanium dependencies Import and configure Impact with default settings
Integrity Monitor Tanium dependencies Import and configure Integrity Monitor with default settings
Interact Tanium dependencies Import and configure Interact with default settings
Map Tanium dependencies Import and configure Map with default settings
Network Quarantine Tanium dependencies Import and configure Network Quarantine with default settings
Patch Tanium dependencies Import and configure Patch with default settings
Performance Tanium dependencies Import and configure Performance with default settings
Reputation Tanium dependencies Import and configure Reputation with default settings
Reveal Tanium dependencies Import and configure Reveal with default settings
Threat Response Tanium dependencies Import and configure Threat Response with default settings
Trends Tanium dependencies Import and configure Trends with default settings

Import all modules and services

After you install the Tanium Server and sign in to the Tanium Console for the first time, the Solutions page opens and displays a Tanium Recommended Installation button. To initiate the workflow for importing and configuring all your licensed modules and shared services in a single operation, you must click that button instead of selecting tiles in the Modules section or rows in the Contents grid.

During the Tanium Recommended Installation workflow, the Tanium Server performs the following operations:

  1. Imports the following content packs:
    • Client Maintenance
    • Core Content
    • Core MSSQL Content
    • Initial Content - Python
  2. Imports the modules and shared services, and configures them with default settings. See Dependencies, default settings, and tools deployment.

    Because Tanium Servers write content to the shared Tanium database, services and content packs that you import on one server are automatically available to the other server in an active-active deployment. When you import a module on one Tanium Server, the peer automatically performs the same operation. For details, see Module synchronization.

  3. Sets the Default - All Computers action group as the target for all scheduled actions that previously targeted the Default action group. Default - All Computers specifies the All Computers computer group, whereas Default specifies the No Computers computer group. Five minutes after re-targeting the actions, the Tanium Server deploys them to Default - All Computers as a one-time event. The server bases future deployments of the actions on their configured reissue interval: see Manage scheduled actions. If automatically deploying actions to the Default - All Computers action group is not appropriate for your deployment, enable restricted targeting before importing solutions: see Dependencies, default settings, and tools deployment.

After you finish the workflow, the Solutions page stops displaying the Tanium Recommended Installation button. To re-import or update modules thereafter, see Import, re-import, or update specific solutions.

Before importing modules in an active-active deployment, replace the self-signed certificates on the Tanium Servers with certificates that a certificate authority (CA) has signed. For details, see Module synchronization.

After you read the release notes for your licensed modules and shared services, import and configure them as follows:

  1. Access the Tanium Console by entering the fully qualified domain name (FQDN) of the Tanium Server in the browser URL field (https://ts1.example.com, for example).

    In an active-active deployment, Tanium Servers automatically synchronize module operations only if you specify the FQDN, not the IP address, and use the default port. In a Windows deployment, the default port is 443. In a Tanium Appliance deployment, the default port is 8443 but you can also use 443.

  2. (Optional) To avoid automatically deploying solution-specific tools to the All Computers filter group during automatic configuration, see Dependencies, default settings, and tools deployment.
  3. From the Main menu, go to Administration > Configuration > Solutions.
  4. Click Tanium Recommended Installation and click Yes to proceed.

    The Tanium Console displays the progress of the import and configuration. Based on the number of licensed solutions to import and configure, the process might take up to 30 minutes.

  5. Click Close when the console indicates that the import and configuration succeeded.

    After you finish the operation, the Main menu displays the imported modules and services under Modules and Administration > Shared Services.

Import, re-import, or update specific solutions

Before you import, re-import, or update solutions, read the corresponding release notes. You can combine imports, re-imports, and updates in a single operation. After you initiate an operation, it must finish before you can start another operation.

Downgrading solutions is not recommended and might cause unexpected behavior on the Tanium Server or managed endpoints. Downgrade only if Tanium Support explicitly directs you: see Contact Tanium Support.

In an active-active deployment, shared services and content packs that you import, re-import, or update on any single Tanium Server are available in the peer because the servers write content to the shared Tanium database. When you import, re-import, or update a module on one Tanium Server, the peer automatically performs the same operation. For details, see Module synchronization.

Before performing these steps in an HA deployment, replace the self-signed certificates on the Tanium Servers with CA certificates. For details, see Module synchronization.

Finish installing or updating Tanium Interact, Tanium Trends, and Tanium Client Management, in that order, before installing or updating any other module.

  1. (Updates or re-imports only) Notify Tanium users not to use the modules or services that you are updating or re-importing until the update or re-import process finishes. Otherwise, users might lose work in progress.
  2. Access the Tanium Console by entering the fully qualified domain name (FQDN) of the Tanium Server in the browser URL field (https://ts1.example.com, for example).

    In an active-active deployment, Tanium Servers automatically synchronize module operations only if you specify the FQDN, not the IP address, and use the default port. In a Windows deployment, the default port is 443. In an Appliance deployment, the default port is 8443 but you can also use 443.

  3. (Optional) To avoid automatically deploying solution-specific tools to the All Computers filter group during automatic configuration, see Dependencies, default settings, and tools deployment.
  4. From the Main menu, go to Administration > Configuration > Solutions.
  5. In the Modules section, select the check box in the tile of each module that you want to include in the operation.

    To display only modules for which updates are available, set the Show option to Available Updates.

  6. In the Content section, select the services and content packs that you want to include in the operation.

    To display only services and content packs for which updates are available, set the Show option to Available Updates. If you have a Tanium lab license, you can also filter by Source to list only production (Manifest) or Labs content.

  7. Click an action button (Import, Re-import, or Update) based on which solution types to include in the operation:
    • All solution types: To perform the operation for all the modules, services, and service packs that you selected, click the action button in the Solutions page footer.
    • Modules: To perform the operation only for selected modules, click the action button in the header of the Modules section. To perform the operation only for a single module, you can also click the action button in the module tile.
    • Services and content packs: To perform the operation only for selected services and content packs, click the action button in the header of the Content section.
  8. (Fresh installations only) Optionally, deselect the Apply All Tanium recommended configurations check box for any modules or services that you want to configure manually instead of using the default settings:
    • Manually configure all the listed solutions: Deselect the check box above the list of solutions.
    • Manually configure specific solutions: Expand Expand the solution entry and deselect the check box below its list of content.
  9. Expand Expand each solution, review the content to import, and select resolutions for any conflicts with existing content (see Resolve import conflicts).
  10. (Optional) For each solution for which you want to overwrite existing content set assignments for all imported objects with the default Tanium-defined assignments, expand Expand the solution entry and select Include content set overwrite. By default, the Include content set overwrite check box is deselected and the Tanium Server preserves the existing content set assignments.
  11. Click Begin Install.

    Based on the number of solutions that you selected for the operation, the Tanium Server might take up to 30 minutes to complete it. The Tanium Console displays the progress of the operation.

    If you selected Apply All Tanium recommended configurations for any imports, click Close when the console indicates that the operation succeeded. Otherwise, the page automatically refreshes when the operation finishes. The Main menu then displays imported modules in the Modules menu and imported services in the Administration > Shared Services menu.

  12. (Updates only) If the release notes for the updated solutions list changes to the Tanium™ Trends data, panels, or sources, perform the steps under Tanium Trends User Guide: Importing the initial gallery to re-import them.

Import Console UI updates

In the Main menu, the Console: <version> field displays the current version of the Tanium Console UI module. Tanium periodically provides updates to the module and the Tanium Server checks content.tanium.com for the updates. To check for updates:

  1. From the Main menu, go to Administration > Configuration > Solutions.
  2. Examine the Modules section to see if a Console tile appears. If an update is available, the Console tile appears with an option to update. Configure End-User Notifications action group
  3. Click Update to <version> to install the update.

Restarting the Tanium Server or your browser session is not necessary to initialize updates.

Update the Tanium Console UI whenever a new version is available.

Export and import specific versions

For each solution, you can export a URL for the version that is currently installed on the Tanium Server. You can then sign in to the Tanium Console of another Tanium Server and import that version from the URL. This option is useful for migrating a version other than the latest between Tanium Servers. For example, after testing a specific module version in your lab environment, you can export the URL for that version and then import the module from that URL into your production deployment.

In an active-active deployment, shared services and content packs that you import on any single Tanium Server are available in the peer because the servers write content to the shared Tanium database. When you import a module on one Tanium Server, the peer automatically performs the same operation. For details, see Module synchronization.

Before importing solutions in an active-active deployment, replace the self-signed certificates on the Tanium Servers with CA certificates. For details, see Module synchronization.

After you read the release notes for the solution versions, export and import them as follows:

  1. Sign in to the Tanium Console of the Tanium Server that already has the desired solution version.
  2. From the Main menu, go to Administration > Configuration > Solutions.
  3. In the Modules or Content section, click Copy URL Copy URL in the tile or row of the solution that you want to export.

    If you do not want to import the solution immediately, paste the URL into a text file to store it for later.

  4. If you will replace an existing version of a module or service with another version, notify Tanium users not to use that module or service until the import process finishes. Otherwise, users might lose work in progress.
  5. Sign in to the Tanium Console of the Tanium Server to which you want to migrate the solution version. When you access the console, enter the FQDN of the Tanium Server in the browser URL field (https://ts1.example.com, for example).

    In an active-active deployment, Tanium Servers automatically synchronize module operations only if you specify the FQDN, not the IP address, and use the default port. In a Windows deployment, the default port is 443. In an Appliance deployment, the default port is 8443 but you can also use 443.

  6. Scroll to the Content section, select Import > Import URL, paste the URL in the Import URL field, and click Import.
  7. Expand Expand the File name, review the content to import, and select resolutions for any conflicts with existing content (see Resolve import conflicts).
  8. If you want to overwrite existing content set assignments for all imported objects with the default Tanium-defined assignments, select Include content set overwrite. By default, the Include content set overwrite check box is deselected and the Tanium Server preserves the existing content set assignments.
  9. Click Begin Install to proceed with the import.

Uninstall solutions

Before performing these steps in an active-active deployment, replace the self-signed certificates on the Tanium Servers with CA certificates. For details, see Module synchronization.

  1. Access the Tanium Console by entering the FQDN of the Tanium Server in the browser URL field (https://ts1.example.com, for example).

    In an active-active deployment, Tanium Servers automatically synchronize module operations only if you specify the FQDN, not the IP address, and use the default port. In a Windows deployment, the default port is 443. In an Appliance deployment, the default port is 8443 but you can also use 443.

  2. From the Main menu, go to Administration > Configuration > Solutions.
  3. In the Modules section, select the check box in the tile of each module that you want to uninstall, or click Select All above the tiles.
  4. In the Content section, select the services and content packs that you want to uninstall.
  5. Click an Uninstall button based on which solution types to include in the operation:
    • All solution types: To uninstall all the modules, services, and service packs that you selected, click Uninstall in the Solutions page footer.
    • Modules: To uninstall only the selected modules, click Uninstall in the header of the Modules section.
    • Services and content packs: To uninstall only the selected services and content packs, click Uninstall in the header of the Content section.

Module synchronization

The import, re-import, or update operation for each module writes a workbench configuration to files on the Tanium Server host and adds an entry in the shared Tanium database logs. When you perform the operation on one Tanium Server in an active-active deployment, its peer automatically attempts the same operation. This duplication also applies to uninstalling modules.

In an active-active deployment, Tanium Servers automatically synchronize module operations only if you specify the FQDN (not the IP address) and use the default port when accessing the Tanium Console. In a Windows deployment, the default port is 443. In an Appliance deployment, the default port is 8443 but you can also use 443.

Manage certificates for module synchronization

During module synchronization, the browser on each Tanium Server must trust and access the peer server. The servers use their SOAPServer.crt certificates to establish that trust. If the certificates are CA signed, the servers establish trust automatically. If the servers use the self-signed certificates that they generated by default during installation, you must manually enable trust to avoid synchronization errors

To facilitate synchronization, replace the self-signed certificates with CA certificates before importing modules. For the steps to replace certificates, see Tanium Core Platform Deployment Reference Guide: Securing Tanium Console, API, and Module Server access.

To prevent module synchronization errors on Tanium Servers that use self-signed certificates:

  1. Access the Tanium Console of each Tanium Server and, when the browser displays a certificate validation error, select the option to ignore the error and proceed to the server URL.

    This action enables the servers to trust each other for the duration of the current browser session.

  2. Complete the module operations (imports, updates, or uninstallations) within the current browser session.

    If the session times out during an operation, automatic synchronization fails and you must repeat the first step to re-enable trust.

Resolve module synchronization errors

Module operations might succeed on one Tanium Server but fail to synchronize on the peer server due to network or certificate issues. For example, in air-gapped deployments, deployments where the console is accessed through a CNAME alias, or deployments with unexpected certificate names, the browser on each Tanium Server might be unable to access the peer for Cross-Origin Resource Sharing (CORS). When such issues cause discrepancies in the module versions on the servers, a message indicates the discrepancies when you access the Solutions page. The message appears only in the Tanium Console of the server that has discrepancies based on the database log entries. For example, updating Tanium™ Patch might succeed on Tanium Server ts1.example.com but not on Tanium Server ts2.example.com. In this case, the database logs will have an updated entry for ts1.example.com and the Tanium Console for ts2.example.com will display a discrepancy message.

Figure  1:  Mismatched module versions
Mismatched solutions

Perform the following steps to resolve module discrepancies between Tanium Servers:

  1. In the browser that you are using to access the Tanium Console, verify that the URL field specifies the Tanium Server FQDN, not the server IP address.
  2. Verify that the Tanium Server uses the default port for Tanium Console access. If you specify a custom port, module operations are not automatically synchronized and you must repeat the operations on each active-active server. The steps to view and edit the port (ServerSOAPPort setting) depend on your infrastructure:
  3. Ensure that the browser on each Tanium Server trusts the SOAPServer.crt certificate of the peer server: see Manage certificates for module synchronization.
  4. Configure the access_control_origin_servers platform setting to ensure that the Tanium Servers support CORS.

    In most deployments, Tanium Servers automatically enable CORS. However, if module synchronization fails, manually configure access_control_origin_servers with the FQDNs or IP addresses that you use to access the Tanium Console on each Tanium Server.

    1. From the Main menu, go to Administration > Configuration > Platform Settings and click Create Setting.
    2. For the Setting Type, select Server.
    3. For the Name, enter access_control_origin_servers.
    4. Set the Value Type to Text.
    5. For the Value, enter the Tanium Server FQDNs or IP addresses with a comma to separate each, such as ts1.example.com,ts2.example.com or 192.0.2.1,192.0.2.2.
    6. Click Save.
  5. If no access_control_origin_servers value can enable CORS to work in your deployment, disable module synchronization:

    1. From the Main menu, go to Administration > Configuration > Platform Settings and click Create Setting.
    2. For the Setting Type, select Server.
    3. For the Name, enter console_disable_ha_workbench_install.
    4. Set the Value Type to Numeric.
    5. For the Value, enter 1.
    6. Click Save.

    After disabling module synchronization, you must perform all future module operations on both Tanium Servers in an active-active cluster.

  6. Repeat the import, update, downgrade, or uninstallation operation on the Tanium Server where the module operation initially failed.

    Downgrading solutions is not recommended and might cause unexpected behavior on the Tanium Server or managed endpoints. Downgrade only if Tanium Support explicitly directs you: see Contact Tanium Support.

Import content files

Import content (such as solutions or sensor configurations) from a JSON or XML file that you exported from another Tanium Server.

Develop and test content in your lab environment before importing that content into your production environment .

  1. (Non-Tanium-provided content only) Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.

    You do not have to generate keys or signatures for Tanium-provided solutions, such as the Default Computer Groups content pack. Tanium signs this content before making it available, and the associated public key is distributed to the Tanium Server key store during the server installation process.

  2. From the Main menu, go to any of the following Administration pages:
    • Configuration > Solutions
    • Permissions > Filter Groups
    • Under Content, select Sensors, Packages, or Saved Questions
    • Under Actions, select Scheduled Actions, All Pending Approvals, or Actions I Can Approve
  3. Select an Import option based on the source of the content:
    • Import > Import Files: Perform one of the following steps to select one or more files:
      • Drag and drop files from your file explorer.
      • Click Browse for File, select the files, and click Open.
    • Import > Import URL: Enter the URL in the Import URL field, and click Import.
  4. For each file, expand Expand the File name, review the content to import, and select resolutions for any conflicts with existing content (see Resolve import conflicts).
  5. If you want to overwrite existing content set assignments for all imported objects with the default Tanium-defined assignments, select Include content set overwrite. By default, the Include content set overwrite check box is deselected and the Tanium Server preserves the existing content set assignments.
  6. Click Begin Install.

Resolve import conflicts

When you import solution updates, or import a file that contains content (such as sensors), conflicts might occur with existing content. After you review the Best practices for resolving import conflicts, perform the following steps:

  1. Perform the import workflow up to the point where the Tanium Console lists the New Items and Existing Items to import:Content conflict resolution
  2. Expand Expand the items that you are importing and select a resolution for each conflict:
    • Overwrite: Replaces existing content with the imported content.
    • Skip: Skips the import for that item.
    • (Categories only) Merge: Unites objects that are included in the categories.

      Select Merge and, after finishing the import, review the resulting configuration in the Categories panel on the Interact Home page.

    • (Actions only) Overwrite and Disable Action: This option is useful if you want the new action to be disabled by default. Later, when are ready to test the action, re-enable it: from the Main menu, go to Administration > Actions > Scheduled Actions, select the action, and select More > Enable Action(s).

    The solution or content file might include content set definitions. When you first establish your content sets, selecting Include content set overwrite ensures that content is assigned to the content sets that the content pack designer intended. After you implement your own role-based access control (RBAC) plan and move content to the content sets that you plan to use, do not select this option; otherwise, the assignments defined in the imported file will overwrite your content set assignment.

  3. Click Begin Install. When the operation finishes, click Close.
  4. (Updates only) If the release notes for the updated solutions list changes to the Tanium Trends data, panels, or sources, perform the steps under Tanium Trends User Guide: Importing the initial gallery to reimport them.

Best practices for resolving import conflicts

The following tips can inform your decisions regarding conflicts when you import content.

Tip 1: Read the release notes

Always read the release notes for every solution version that was released since your last update. The release notes alert you to the scope of changes and might include notes that can help you avoid issues. Release notes also indicate the release date, which is important if you plan to import multiple content packs. Different content packs might include updates to the same basic sensors or packages. In this case, it is best to install the older content packs before the newer ones.

Tip 2: Confirm you have good restore points

Before you update a Tanium solution, confirm that you have recent restore points and backups in case something goes wrong. The Tanium database stores content configuration objects. The installation folders for the Tanium Server and Tanium Module Server include important files, such as encryption keys, a license file, string files, and other data files.

Schedule regular file system and database backups.

To schedule backups for a Tanium Appliance deployment, see Tanium Appliance Deployment Guide: Backup overview.

To back up a Windows deployment, see Tanium Core Platform Deployment Guide for Windows: Back up Tanium Core Platform servers and databases.

Tip 3: Update your lab deployment first

Always update Tanium Core Platform servers in your lab first and evaluate the impact that changes might have on endpoints before updating your production servers. Perform the following tasks when updating your lab deployment:

  • Assess the impact on network utilization when the Tanium Server distributes content to endpoints. For certain content types, an update might result in additional network traffic. Usually, this additional traffic is negligible.
  • Test the functionality. If the content update includes sensors, saved questions, dashboards, or categories, test them by issuing questions and reviewing results. If it includes packages, deploy them. If the update includes saved actions, edit their configurations to assign them to the correct action groups.

After you qualify the updates on lab servers, import the updates on production servers and spot test the behavior of new or changed content.

Tip 4: Limit customizations to Tanium content

When you import Tanium updates, the configuration specified in the import overwrites the current configuration. In almost every case, overwriting is preferable to maintaining the current configuration because the updates include important changes that optimize performance, avoid issues, and make the associated tools more useful.

Limit customizations to Tanium content so that updates are minimally disruptive. Maintain notes of any changes you make. For example, keep a log of any changes to the Max Sensor Age setting, a package timeout, or a saved question reissue interval. Keep a log of the Tanium objects that you clone as a source for your custom objects.

When a content pack update becomes available, import it and redo the customizations that the import overwrote.

Tip 5: Re-create content that uses parameterized objects

When an import overwrites a parameterized sensor or parameterized package, it does not affect previously created saved questions or scheduled actions that reference them.

When you save a question that has a parameterized sensor, the sensor definition, including the substituted values, is saved in an object called a temporary sensor. On the endpoint, the Tanium Client runs the temporary sensor when it computes answers to a saved question that calls it. A saved question that the Tanium Server reissues based on a schedule continues to use the temporary sensor even if the sensor on which it was based is updated. Therefore, if a sensor is updated, and you want the saved question to use the updated code, you must re-create the saved question.

Likewise, when a scheduled action is based on a parameterized package, the package definition, including the substituted values, is saved in an object called a temporary package. On the endpoint, the Tanium Client runs the temporary package when it has a directive to run the scheduled action that calls the package. A scheduled action continues to use the temporary package even if the package on which it was based is updated. Therefore, if a package is updated, and you want the scheduled action to use the updated code, you must re-create the scheduled action.

Tip 6: Avoid bulk overwrites to Tanium content

Do not simply export the current configuration and then reimport it after the content update finishes. This practice overwrites the sensor code with old versions and often has unexpected consequences. For example, a Tanium content pack includes a scheduled action to distribute patch tools when the patch tools version, which the Has Patch Tools sensor reports, does not match a particular value. If the package that provides the patch tools and updates the version uses a different version than the Has Patch Tools sensor expects, the Tanium Server continuously distributes the patch tools until the Has Patch Tools sensor uses the correct version.