Managing Tanium solutions

Tanium solutions include modules (such as Interact) and content packs (such as Incident Response). The top section of the Tanium Solutions page displays a tile for each module that you can export, import, re-import, or upgrade. Below the module tiles, the Tanium Content section lists the content packs that you can import, re-import, or upgrade. The page header indicates whether Tanium Console UI updates are available to import.

To perform all actions for Tanium solution modules, content packs, and console UI updates, users require the Administrator reserved role. Any user who has the Import Signed Content micro admin permission can import these content types.

Manage Tanium modules

Each Tanium module includes content and a workbench, which is the user interface that you use to perform module operations. You use the content and workbenches to manage, monitor, and protect the endpoints in your network. To see a list of modules and a brief description of the purpose for each one, go to https://docs.tanium.com. To import, re-import, export, or upgrade modules, go to the Tanium Solutions page. The tile for each module shows the currently Installed version, if any. The following table describes the buttons and links in each tile that enable you to perform actions on the module based on its status. In a high availability (HA) deployment, you must perform the actions on each Tanium Server (see Module synchronization in an HA deployment).

If the Tanium Solutions page does not display tiles for certain modules, contact your Technical Account Manager (TAM).

Table 1: Tanium module actions and status
Action/Status | Description
Export | Export a URL for the module version that is currently installed on the Tanium Server. You can then log into the Tanium Console of another Tanium Server and import that version from the URL. For details, see Export and import a specific module version.
Import <version> | If you purchased a module but did not yet import it, the module tile displays an Import <version> button that shows the latest version you can import. After you initiate an import, the operation must complete before you can import another module. You can import a module version other than the latest if you previously exported the URL for that version: see Export and import a specific module version.
Reimport | The latest version of the module is installed. You can re-import the module if necessary: see Import, re-import, or upgrade to the latest versions of specific modules.
Upgrade to <version> | A new version of the module is available to which you can upgrade: see Import, re-import, or upgrade to the latest versions of specific modules. If you want the page to display tiles only for the modules that you can upgrade, click View Available Upgrades above the module tiles.
Available to Purchase | Contact your TAM to purchase this module.
Documentation | Click this link to see the user guide for the module.
Uninstall | Click this link to uninstall the module: see Uninstall modules.

When you initially set up your Tanium deployment, you can import all your licensed modules in a single operation or import a few (or one) at a time. For the initial setup, the best practice is to import all the modules in a single operation because some cannot function unless you import dependent modules. For example, the Reveal module requires that you first import the Direct Connect service. The Tanium Server automatically imports one module at a time in order based on the dependencies. When you select the option to import all modules in a single operation, the Tanium Server also automatically imports several content packs that are useful for many modules.

When you import modules, you can select to automatically configure all, some, or none with default settings. If you forego automatic configuration, you must manually configure the settings.

Module-specific dependencies and default settings

To see a list of the dependencies and default settings for a Tanium module or shared service, go to the user guide for that product:

Table 2: Module-specific settings and dependencies
Product | Dependencies | Default Settings
Asset | Tanium dependencies | Import and configure Asset with default settings
Client Management | Tanium dependencies | Import and configure Client Management with default settings
Comply | Tanium dependencies | Import and configure Comply with default settings
Connect | Tanium dependencies | Import and configure Connect with default settings
Deploy | Tanium dependencies | Import and configure Deploy with default settings
Direct Connect | Tanium dependencies | Import and configure Direct Connect with default settings
Discover | Tanium dependencies | Import and configure Discover with default settings
End-User Notifications | Tanium dependencies | Import and configure End-User Notifications with default settings
Health Check | Tanium dependencies | Import and configure Health Check with default settings
Integrity Monitor | Tanium dependencies | Import and configure Integrity Monitor with default settings
Interact | n/a | n/a
Map | Tanium dependencies | Import and configure Map with default settings
Network Quarantine | Tanium dependencies | Import and configure Network Quarantine with default settings
Patch | Tanium dependencies | Import and configure Patch with default settings
Performance | Tanium dependencies | Import and configure Performance with default settings
Protect | Tanium dependencies | Import and configure Protect with default settings
Reputation | Tanium dependencies | Import and configure Reputation with default settings
Reveal | Tanium dependencies | Import and configure Reveal with default settings
Threat Response | Tanium dependencies | Import and configure Threat Response with default settings
Trends | Tanium dependencies | Import and configure Trends with default settings

Import and (optionally) configure the latest versions of all modules

After you install the Tanium Server, the Tanium Solutions page initially displays an Install with Recommended Configurations button, in addition to a tile for each module. To initiate the workflow for importing, and optionally configuring, all your licensed modules in a single operation, you must click that button instead of using the tiles. Automatically configuring default settings is the best practice. However, if your deployment requires configurations that differ from the recommended default settings, you can manually configure some or all modules after installing them.

During the module import process, the Tanium Server also imports the following content packs:

  • Client Maintenance
  • Core Content
  • Core MSSQL Content
  • Initial Content - Python

After you complete the workflow, the Tanium Solutions page stops displaying the Install with Recommended Configurations button. To re-import or upgrade modules thereafter, see Import, re-import, or upgrade to the latest versions of specific modules.

After you read the release notes for your licensed modules, import and configure them as follows. In an HA deployment, you must import the modules on both Tanium Servers but configure the modules on just one (the servers synchronize configurations). This means that on one server you perform the Install with Recommended Configurations workflow and on the other server perform the workflow described under Import, re-import, or upgrade to the latest versions of specific modules. For the latter workflow, be sure to select all modules except Interact, which the Tanium Server imported automatically when you installed the server.

  1. Go to Tanium Solutions and click Install with Recommended Configurations. Perform this step regardless of whether you want to automatically configure default settings for all, some, or none of the modules.
  2. (Optional) Review the default settings for any module by clicking Expand beside the module name.
  3. (Optional) Clear the Apply Tanium recommended configurations check box for any modules that you want to configure manually instead of using the default settings:
    • Manually configure all the listed modules: Clear the check box above the list of modules.
    • Manually configure specific modules: For each module that you want to configure manually, click Expand beside the module name and clear the check box above its list of settings.

    The Configuration Setting column displays Manual Configuration for the specified modules.

  4. Click Begin Import.

    The Tanium Server imports and configures one module at a time. Based on the number of licensed modules to import, this might take several hours. A dialog displays the progress of the import and configuration processes.

  5. Click Close when the progress dialog indicates that the import and configuration succeeded.

Import, re-import, or upgrade to the latest versions of specific modules

After you read the release notes for the modules that you will import, re-import, or upgrade, perform the following steps to proceed with the operation. Note that you can combine imports, re-imports, and upgrades in a single operation.

  1. Go to Tanium Solutions, select the check box at the top right of the tile for each module that requires the action, and click the action button above the tiles (such as Import Selected or Upgrade Selected).

    To perform the action on a single module, you can also click the Import, Reimport, or Upgrade button within the module tile.

  2. (Optional) Review the default settings for any module by clicking Expand beside the module name.
  3. (Optional) For any module that you want to configure manually instead of using the default settings, click Expand beside the module name and clear the Apply Tanium recommended configurations check box.
  4. (Multiple modules only) Select or clear Automatically import modules & overwrite content:
    • Clear the check box (default): After you start the import, re-import, or upgrade, the Tanium Server prompts you to review the content and select conflict resolution options for one module at a time.
    • Select the check box: After you start the import, re-import, or upgrade, the Tanium Server performs the operation without prompting you to review module content or to select options for resolving conflicts with existing content. The server automatically overwrites or merges any existing content with the imported content, but does not overwrite existing content set assignments.
  5. Click Begin Import.
  6. If you cleared the Automatically import modules & overwrite content check box, perform the following tasks:
    • Review the content to import and select resolutions for any conflicts with existing content (see Resolve conflicts when importing updates or configurations).
    • If you want to overwrite existing content set assignments for all imported objects with the default Tanium-defined assignments, select Include content set overwrite. By default, the Include content set overwrite check box is cleared and the Tanium Server preserves the existing content set assignments.
  7. Click Import, Reimport, or Upgrade.

    The Tanium Server performs the operation for one module at a time. Based on the number of modules that you selected for the operation, this might take several minutes or several hours. A dialog displays the progress of the import and configuration processes.

  8. Click Close when the progress dialog indicates that the import, re-import, or upgrade succeeded.

Export and import a specific module version

For each module, you can export a URL for the module version that is currently installed on the Tanium Server. You can then log into the Tanium Console of another Tanium Server and import that version from the URL. This option is useful for migrating a module version other than the latest between Tanium Servers. For example, after testing a specific module version in your lab environment, you can export the URL for that version and then import the module from that URL into your production deployment.

  1. Log into the Tanium Console of the Tanium Server that already has the desired module version.
  2. Go to Tanium Solutions and click Export in the module tile.
  3. Click Copy to add the URL to your clipboard, and click Close.

    If you do not want to import the module immediately, paste the URL to a text file to store it for later.

  4. Log into the Tanium Console of the Tanium Server to which you want to migrate the module version.
  5. Click Import From URL at the top right of the page, paste the URL in the Import URL field, and click Import.

    The module tile turns green and its Upgrade to <version> button indicates the version that you imported.

  6. Upgrade to the imported version. The steps are the same as those described under Import, re-import, or upgrade to the latest versions of specific modules.

Uninstall modules

To uninstall a single module, click Uninstall at the bottom right of the module tile.

To uninstall multiple modules:

  1. Go to Tanium Solutions.
  2. Select the check box at the top right of the tile for each module that you want to uninstall, or click Select All above the tiles.
  3. Click Uninstall above the tiles.
  4. Click Close when the progress dialog indicates that the uninstallation succeeded.

Module synchronization in an HA deployment

The import, re-import, and upgrade process for each module writes its workbench configuration to files on the Tanium Server host and adds an entry in the shared database logs. In an HA deployment, you must perform the process for each module on both Tanium Servers for the workbench to be available in the Tanium Console of each server. When module versions differ between HA servers, or one server does not have the module, a message indicates the discrepancies when you access the Tanium Solutions page (Figure 1). Note that the message appears only in the Tanium Console of the server that has discrepancies based on the database log entries. For example, you might install Tanium™ Asset on Tanium Server ts1.example.com but not on Tanium Server ts2.example.com. In this case, the database logs will have an entry only for ts1.example.com and the Tanium Console for ts2.example.com will display a discrepancy message. To resolve the discrepancies, upgrade or downgrade the modules to the same version on each Tanium Server.

Consult your TAM for the procedure to downgrade modules.

Figure 1: Mismatched module versions

Manage Tanium content packs

Tanium content is a set of configuration objects that Tanium develops and distributes for a particular purpose through content packs. For example, the Default Content pack includes the key configuration objects found on the Interact pages (categories, dashboards, and saved questions) and on the Sensors, Packages, Saved Questions, and Scheduled Actions pages.

The Tanium Server downloads a manifest of available Tanium content packs from content.tanium.com and displays them in the Tanium Content section of the Tanium Solutions page. The page displays separate grids for the two classes of content:

  • Supported Solutions: This is production content that includes the essential set of objects for querying endpoints and deploying actions.
  • Labs: This is an experimental set of configuration objects. Labs content is available only if you specified a Tanium™ lab license when installing the Tanium Server. The best practice is to test the objects in a lab environment before importing them into a production environment.

If the grids show that the Imported Version lags the latest Available Version for a content pack, you can upgrade it.

When you access the Tanium Console for the first time after installing the Tanium Server, the server automatically imports the Default Content and Interact content packs. If you clicked the Install with Recommended Configurations button to import modules, the server automatically imports several other basic content packs.

Tanium Servers write content to the shared Tanium database. Therefore, after you import content on any single Tanium Server in an HA deployment, the content is available in all Tanium Console instances.

Perform the following steps to manage Tanium content packs:

  1. Go to Tanium Solutions.
  2. Scroll to the Tanium Content section.
  3. Select the content packs for the action you want to perform or click Select All.

    To filter the grid so that it includes only content packs for which upgrades are available, click View Available Upgrades.

  4. Click the button above the grid for the action you want to perform: import, re-import, upgrade, uninstall, or copy (copies the grid information to the clipboard).

    For imports or upgrades, the Tanium Console prompts you to resolve any conflicts before proceeding. For details, see Resolve conflicts when importing updates or configurations.

Import Tanium Console UI updates

Tanium might provide periodic updates to the Tanium Console User Interface (UI) module. The Tanium Console checks content.tanium.com for updates and, if one is available, displays a message under the Tanium Console header that indicates Upgrade Available: Common UI Components. The message also indicates the currently Installed UI version. Click the adjacent Upgrade button, which displays the update version, to install the update. Restarting the Tanium Server or your browser session is not necessary to initialize updates. As a best practice, always accept the updates.

Resolve conflicts when importing updates or configurations

When you import updates to Tanium solution modules and content packs, or import a file that contains content (such as sensors or packages), conflicts might occur with existing content. After you review the Best practices for resolving import conflicts, perform the following steps:

  1. Start the import, re-import, or upgrade workflow for one of the following:

    A dialog itemizes any conflicts.

  2. Select an Import Option to resolve each conflict:
    • Overwrite: Replaces existing content with the imported content.
    • Skip: Skips the import for that item.
    • (Categories only) Merge: Unites objects included in the categories. As a best practice, select Merge and then go to categories to review the resulting configuration.
    • (Saved actions only) Overwrite and Disable Action: This option is useful if you want the new action disabled by default. You can go to the Actions > Scheduled Actions page, review the action, and enable it when you are prepared to test it.

    The solution or content file might include content set definitions. When you first establish your content sets, selecting Include content set overwrite is a best practice to ensure that content is assigned to the content sets that the content pack designer intended. After you implement your own role-based access control (RBAC) plan and move content to the content sets that you plan to use, do not select this option; otherwise, the assignments defined in the imported file will overwrite your content set assignment.

  3. Click Import to proceed after selecting all the conflict resolution options.
  4. Click Close when the dialog indicates the Import completed successfully.

Best practices for resolving import conflicts

The following tips can inform your decisions regarding conflicts when you import content.

Tip 1: Read the release notes

Always read the release notes for every version that was released since your last update. The release notes alert you to the scope of changes and may include notes that can help you avoid issues.

Release notes also indicate the release date, which is important if you plan to import multiple content packs. Different content packs might include updates to the same basic sensors or packages. In this case, it is best to install the older content packs before the newer ones.

Tip 2: Confirm you have good restore points

Before you update a Tanium solution module or content pack, confirm you have recent restore points you can use in case something goes wrong.

The configuration objects for content are stored in the tanium database. You should schedule regular database backups.

The Tanium Server and Tanium Module Server installation directories include important files, such as encryption keys, a license file, string files, and other data files. You should schedule regular file system backups.

Before you import content, make sure you have backups you can use.

Tip 3: Update your lab deployment first

Always update your lab servers first and evaluate the impact changes might have on endpoints before updating your production servers.

During your lab phase:

  • Assess the impact on network utilization when the content gets distributed to endpoints. Depending on the type of content, an update can result in additional network traffic. In most cases, this is negligible.
  • Test the functionality. If the content update includes sensors, saved questions, dashboards, or categories, test by issuing questions and reviewing results. If it includes packages, deploy them. If it includes saved actions, be sure to edit the configuration to assign them to a proper action group.

After you have qualified the update, import the updates on the production server and spot-test the behavior of new or changed content.

Tip 4: Limit customizations to Tanium content

When you import Tanium updates, the configuration specified in the import overwrites the current configuration. In almost every case, overwriting is preferable to maintaining the current configuration because the updates include important changes that optimize performance, avoid issues, and make the tools more useful.

Limit customizations to Tanium content so that updates are minimally disruptive. Maintain notes of any changes you make. For example, keep a log of any changes to a sensor Max Age setting, a package timeout, or a saved question reissue interval. Keep a log of the Tanium objects that you clone as a source for your custom objects (see Clone a sensor and Clone a package). When a content pack update becomes available, the best practice is to import it and then redo the customizations that the import overwrote.

Tip 5: Re-create saved questions and scheduled actions that are based on parameterized objects

When an import overwrites a parameterized sensor or parameterized package, it does not affect previously created saved questions or scheduled actions that reference them.

When you save a question that has a parameterized sensor, the sensor definition, including the substituted values, is saved in an object called a temp sensor. On the endpoint, the Tanium Client runs the temp sensor when it computes answers to a saved question that calls it. A saved question that is reissued according to a schedule continues to use the temp sensor even if the sensor from which it was based is updated. Therefore, if a sensor is updated, and you want the saved question to use the updated code, you must re-create the saved question.

Likewise, when a scheduled action is based on a parameterized package, the package definition, including the substituted values, is saved in an object called a temp package. On the endpoint, the Tanium Client runs the temp package when it has a directive to run the scheduled action that calls it. A scheduled action continues to use the temp package even if the package from which it was based is updated. Therefore, if a package is updated, and you want the scheduled action to use the updated code, you must re-create the scheduled action.
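
One way to find the saved questions and scheduled actions that this tip says you must re-create, as an added example that is not Tanium code: re-render each updated source definition with the saved parameter values and compare the result with the stored temp definition. The record layout, the ||key|| placeholder syntax, and all sample values are assumptions constructed for illustration.

```python
import re

# Assumed placeholder convention for this example: ||parameter_key||
PLACEHOLDER = re.compile(r"\|\|([A-Za-z0-9_]+)\|\|")

# Constructed sample: source definitions as they exist AFTER the import.
# This is a hypothetical record layout, not a Tanium export schema.
CURRENT_SOURCES = {
    "Folder Contents": 'ls -1A "||folder||"',
    "Registry Value": 'reg query "||key||" /v "||value||"',
    "Distribute Tools": "install-tools --version ||version|| --channel ||channel||",
}

# Constructed sample: temp sensors/packages captured when the saved question
# or scheduled action was created, with parameter values already substituted.
TEMP_OBJECTS = [
    {"used_by": "saved question: Temp folder listing", "source": "Folder Contents",
     "params": {"folder": "/tmp"}, "definition": 'ls "/tmp"'},
    {"used_by": "saved question: Run key value", "source": "Registry Value",
     "params": {"key": "HKLM\\Software\\Example", "value": "Version"},
     "definition": 'reg query "HKLM\\Software\\Example" /v "Version"'},
    {"used_by": "scheduled action: Push tools", "source": "Distribute Tools",
     "params": {"version": "2.1"}, "definition": "install-tools --version 2.1"},
    {"used_by": "saved question: Legacy check", "source": "Legacy Sensor",
     "params": {}, "definition": "legacy-check"},
]


def render(template, params):
    """Substitute placeholders; return (text, keys that had no saved value)."""
    missing = []

    def substitute(match):
        key = match.group(1)
        if key not in params:
            missing.append(key)
            return match.group(0)  # leave the unresolved placeholder visible
        return params[key]

    return PLACEHOLDER.sub(substitute, template), missing


def audit(temp_objects, sources):
    """Classify each temp object against the current source definition."""
    findings = []
    for obj in temp_objects:
        template = sources.get(obj["source"])
        if template is None:
            status = "source-missing"          # source was removed or renamed
        else:
            rendered, missing = render(template, obj["params"])
            if missing:
                status = "stale-new-parameter"  # update added a parameter
            elif rendered != obj["definition"]:
                status = "stale"                # temp object runs old code
            else:
                status = "current"
        findings.append((obj["used_by"], status))
    return findings


def needs_recreate(findings):
    """Names of saved questions and scheduled actions to re-create or review."""
    return [name for name, status in findings if status != "current"]


if __name__ == "__main__":
    for name, status in audit(TEMP_OBJECTS, CURRENT_SOURCES):
        print(f"{status:20} {name}")
```
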

Tip 6: Avoid bulk overwrites to Tanium content

Do not simply export the current configuration and then re-import it after the content upgrade is finished. This practice overwrites the sensor code with old versions and often has unexpected consequences. For example, a Tanium content pack includes a scheduled action to distribute patch tools when the patch tools version, reported by the Has Patch Tools sensor, does not match a particular value. If the package that provides the patch tools and updates the version uses a different version than expected by the Has Patch Tools sensor, the patch tools will continuously be distributed until the Has Patch Tools sensor is using the correct version.