Managing Tanium solutions

The top section of the Tanium Solutions page displays the Tanium modules that you can import, reimport, or upgrade. Below the modules, the Tanium Content section lists the content packs that you can import or upgrade. The page header indicates whether Tanium Console UI updates are available.

Users require the Administrator reserved role to import a Tanium solution module or content pack.

Import or upgrade Tanium modules

Tanium modules include content and workbenches that facilitate many operational and security use cases. To see a list of the modules and a brief description of the purpose for each one, go to https://docs.tanium.com.

To import or upgrade modules, go to the Tanium Solutions page. The tile for each module shows the currently Installed version, if any, and an action button that varies by module status.

Action/Status: Description

  • Import: You have purchased this module, but have not yet installed it. The Import button displays the latest version you can import.
  • Reimport: The latest version of the module is installed, but you can reimport it if necessary.
  • Upgrade to <version>: A new version of the module is available, and you can upgrade.
  • Available for Purchase: Contact your Tanium Technical Account Manager (TAM) to purchase this module.

When you click Import, Reimport, or Upgrade to <version>, the Tanium Console prompts you to resolve any conflicts before proceeding. For details, see Resolve conflicts when importing updates or configurations. After you import a module, the Tanium Console displays it in the Main menu.

Module synchronization in an HA deployment

The installation process for each module writes its workbench configuration to files on the Tanium Server host. In a high availability (HA) deployment, you must import the module on all Tanium Servers in the HA cluster for the workbench to be available in all Tanium Console instances. When module versions differ among the servers in an HA cluster, a message indicates the discrepancies when you access the Tanium Solutions page. Note that the message appears only in the Tanium Console of the server that has the discrepancies. To resolve the discrepancies, upgrade or downgrade the modules to the same version on each Tanium Server.

Manage Tanium content packs

Tanium content is a set of configuration objects that Tanium develops and distributes for a particular purpose. For example, Tanium Initial Content includes the key configuration objects found on the Categories, Dashboards, Saved Questions, Sensors, Packages, and Scheduled Actions pages. Tanium publishes two classes of content:

Production Content

The essential set of configuration objects you use to query endpoints and take actions. The Tanium Server downloads a manifest of available Tanium content packs from content.tanium.com. This manifest populates the Supported Solutions grid on the Tanium Solutions page.

Labs Content

An experimental set of configuration objects that, as a best practice, you test and qualify for your deployment in a lab environment before importing into production. If you specified a lab license when installing the Tanium Server, the Tanium Solutions page displays a Labs grid that lists the labs content packs. The manifest that the Tanium Server downloads from content.tanium.com populates this grid.

The Tanium Server automatically imports the Initial Content - Base and Client Maintenance content packs when you start the Tanium Console for the first time after installing the Tanium Server. If the Imported Version lags the latest Available Version for a content pack, you can upgrade. Because content is written to the shared database, it is available to all Tanium Console instances in an HA deployment after you import the content on any single Tanium Server.

To perform actions related to Tanium content packs:

  1. Go to Tanium Solutions.
  2. Scroll down to the Tanium Content section.
  3. Select a content pack for the action you want to perform.
  4. Click the button above the grid for the action you want to perform: import, reimport, upgrade, uninstall, or copy (copies the grid information to the clipboard).

    For imports or upgrades, the Tanium Console prompts you to resolve any conflicts before proceeding. For details, see Resolve conflicts when importing updates or configurations.

Import Tanium Console UI updates

Tanium might provide periodic updates to the Tanium Console User Interface (UI) module. The Tanium Console checks content.tanium.com for updates and, if one is available, displays a message under the Tanium Console header that indicates Upgrade Available: Common UI Components. The message also indicates the currently Installed UI version. Click the adjacent Upgrade button, which displays the update version, to install the update. You do not need to restart the Tanium Server or your browser session to initialize updates. As a best practice, always accept the updates.

Resolve conflicts when importing updates or configurations

When you import updates to Tanium solution modules and content packs, or import an XML file that contains content, conflicts might occur with existing content. After you review the Best practices for resolving import conflicts, perform the following steps:

  1. Start the import, reimport, or upgrade workflow for one of the following:

    A dialog box itemizes any conflicts.

  2. Select an Import Option to resolve each conflict:
    • Overwrite: Replaces existing content with the imported content.
    • Skip: Skips the import for that item.
    • (Categories only) Merge: Unites objects included in the categories. As a best practice, select Merge and then go to categories to review the resulting configuration.
    • (Saved actions only) Overwrite and Disable Action: This option is useful if you want the new action disabled by default. You can go to the Actions > Scheduled Actions page, review the action, and enable it when you are prepared to test it.

    The solution or content XML file might include content set definitions. When you first establish your content sets, selecting Include content set overwrite is a best practice to ensure that content is assigned to the content sets that the content pack designer intended. After you implement your own role-based access control (RBAC) plan and move content to the content sets that you plan to use, do not select this option; otherwise, the assignments defined in the imported XML file will overwrite your content set assignment.

  3. Click Import to proceed after selecting all the conflict resolution options.
  4. Click Close when the dialog box indicates the Import completed successfully.

Best practices for resolving import conflicts

The following tips can inform your decisions regarding conflicts when you import content.

Tip 1: Read the release notes

Always read the release notes for every version that was released since your last update. The release notes alert you to the scope of changes and may include notes that can help you avoid issues.

Release notes also indicate the release date, which is important if you plan to import multiple content packs. Different content packs might include updates to the same basic sensors or packages. In this case, it is best to install the older content packs before the newer ones.

Tip 2: Confirm you have good restore points

Before you update a Tanium solution module or content pack, confirm you have recent restore points you can use in case something goes wrong.

The configuration objects for content are stored in the tanium database. You should schedule regular database backups.

The Tanium Server and Tanium Module Server installation directories include important files, such as encryption keys, a license file, string files, and other data files. You should schedule regular file system backups.

Before you import content, make sure you have backups you can use.

Tip 3: Update your lab deployment first

Always update your lab servers first and evaluate the impact changes might have on endpoints before updating your production servers.

During your lab phase:

  • Assess the impact on network utilization when the content gets distributed to endpoints. Depending on the type of content, an update can result in additional network traffic. In most cases, this is negligible.
  • Test the functionality. If the content update includes sensors, saved questions, dashboards, or categories, test by issuing questions and reviewing results. If it includes packages, deploy them. If it includes saved actions, be sure to edit the configuration to assign them to a proper action group.

After you have qualified the update, import the updates on the production server and spot-test the behavior of new or changed content.

Tip 4: Limit customizations to Tanium content

When you import Tanium updates, the configuration specified in the import overwrites the current configuration. In almost every case, overwriting is preferable to maintaining the current configuration because the updates include important changes that optimize performance, avoid issues, and make the tools more useful.

Limit customizations to Tanium content so that updates are minimally disruptive. Maintain notes of any changes you make. For example, keep a log of any changes to a sensor Max Age setting, a package timeout, or a saved question reissue interval. Keep a log of the Tanium objects that you clone as a source for your custom objects (see Clone a sensor and Clone a package). When a content pack update becomes available, the best practice is to import it and then redo the customizations that the import overwrote.

Tip 5: Re-create saved questions and scheduled actions that are based on parameterized objects

When an import overwrites a parameterized sensor or parameterized package, it does not affect previously created saved questions or scheduled actions that reference them.

When you save a question that has a parameterized sensor, the sensor definition, including the substituted values, is saved in an object called a temp sensor. On the endpoint, the Tanium Client runs the temp sensor when it computes answers to a saved question that calls it. A saved question that is reissued according to a schedule continues to use the temp sensor even if the sensor from which it was based is updated. Therefore, if a sensor is updated, and you want the saved question to use the updated code, you must re-create the saved question.

Likewise, when a scheduled action is based on a parameterized package, the package definition, including the substituted values, is saved in an object called a temp package. On the endpoint, the Tanium Client runs the temp package when it has a directive to run the scheduled action that calls it. A scheduled action continues to use the temp package even if the package from which it was based is updated. Therefore, if a package is updated, and you want the scheduled action to use the updated code, you must re-create the scheduled action.
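The snapshot behavior described in this tip, modeled as an added example (not Tanium code, API, or data format): the classes, the `%%param%%` placeholder syntax, and the sample sensor are all constructed for illustration. It shows that an overwrite leaves the temp sensor untouched, and that comparing fingerprints identifies the saved questions to re-create; the same comparison applies to scheduled actions and temp packages.

```python
import hashlib
from dataclasses import dataclass

def digest(code: str) -> str:
    """Fingerprint a sensor script so versions can be compared."""
    return hashlib.sha256(code.encode()).hexdigest()[:12]

@dataclass
class Sensor:
    name: str
    code: str            # script template with %%param%% placeholders (model syntax)

@dataclass(frozen=True)
class TempSensor:
    source: str          # name of the sensor it was created from
    source_digest: str   # fingerprint of the source template at save time
    code: str            # template with the parameter values substituted

@dataclass
class SavedQuestion:
    name: str
    temp: TempSensor

def save_question(name, sensor, params):
    """Saving freezes the sensor definition plus the substituted values."""
    code = sensor.code
    for key, value in params.items():
        code = code.replace(f"%%{key}%%", value)
    return SavedQuestion(name, TempSensor(sensor.name, digest(sensor.code), code))

def import_overwrite(catalog, updated):
    """Model of the Overwrite option: replaces the sensor and nothing else."""
    catalog[updated.name] = updated

def stale_questions(catalog, questions):
    """Names of saved questions whose snapshot predates the current sensor code."""
    return [q.name for q in questions
            if digest(catalog[q.temp.source].code) != q.temp.source_digest]

# Constructed sample data: one hypothetical parameterized sensor and one saved question.
catalog = {"Example File Check": Sensor("Example File Check", "test -e %%path%% && echo yes")}
questions = [save_question("hosts file present", catalog["Example File Check"],
                           {"path": "/etc/hosts"})]
before = stale_questions(catalog, questions)   # nothing is stale yet
import_overwrite(catalog, Sensor("Example File Check",
                                 "[ -e %%path%% ] && echo yes || echo no"))
after = stale_questions(catalog, questions)    # the saved question still runs old code
```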

Tip 6: Avoid bulk overwrites to Tanium content

Do not simply export the current configuration and then re-import it after the content upgrade is finished. This practice overwrites the sensor code with old versions and often has unexpected consequences. For example, a Tanium content pack includes a scheduled action to distribute patch tools when the patch tools version, reported by the Has Patch Tools sensor, does not match a particular value. If the package that provides the patch tools and updates the version uses a different version than expected by the Has Patch Tools sensor, the patch tools will continuously be distributed until the Has Patch Tools sensor is using the correct version.

Last updated: 11/12/2019 3:19 PM