Reporting overview

Use Tanium™ Reporting to explore real-time visualizations of your endpoint data, create custom reports and charts from the data, and export data to share with key stakeholders. Tanium Reporting includes the following features:

  • Explore data across Tanium solutions (modules, shared services, and content-only solutions)
  • Create custom reports with data that you select
  • Build dashboards of charts from reports to quickly visualize the data
  • Filter data directly in the reports and dashboards
  • Revisit reports and dashboards to see updated data
  • Share reports and dashboards with others
  • Deploy actions and operating system (OS) patches to endpoints that provide report data
  • View comprehensive details for a single endpoint
  • Manage and explore a single endpoint through advanced operations such as deploying actions and opening Screen Sharing sessions

Explore data

Tanium Reporting provides an Explore Data page that you use to view endpoint data in a grid format and add charts to help visualize the data. You can then save the view as a custom report. You construct the report by adding data sources (see Data sources) and optionally configuring filters to limit the data. After you save the report, you can view it later with the latest data from endpoints. For details, see Explore data and create reports.

Explore Data

Data sources

Data sources provide data that you can use to build reports and then build dashboards based on the reports. Reporting uses data that is stored in Tanium Data Service, which is included with Tanium™ Interact 2.1 and later. To use sensor-provided data in Reporting, you register sensors from other Tanium solutions in Tanium Data Service.

1 After installation completes, Tanium Data Service automatically registers multiple sensors for collection.
2 Users and other Tanium solutions can register sensors with Tanium Data Service.
3 A user opens a report in Reporting.
4 Reporting retrieves the latest report data from Tanium Data Service.

Tanium Data Service

Tanium Data Service stores sensor results for endpoints when you issue a question. After you register sensors for collection, the service queries all managed endpoints to collect the results of those sensors and stores the data. To keep the results current, Tanium Data Service periodically reissues questions that contain the registered sensors.

Data is added to Tanium Data Service through the following methods:

  • Preregistered sensors

    Tanium Data Service automatically registers certain sensors for collection. For example, the service automatically registers sensors that identify endpoints or define membership in computer management groups.

  • Sensors that Tanium solutions register

    Tanium solutions, including Reporting, register sensors with Tanium Data Service.

  • User-registered sensors

    Users can register sensors to use in reports. When you choose sensors to register, consider that results collection consumes resources such as network bandwidth, Tanium Server disk space, and processing on endpoints.

  • Virtual sensors

    Tanium solutions can send endpoint data directly to Tanium Data Service without the need for a sensor. The data is then available to use through Tanium Data Service and Reporting. This concept is called virtual sensors; a virtual sensor extrapolates endpoint data from known data and other sensors. Examples in Reporting include the data sources Tanium > EID Last Seen and Miscellaneous > Risk Vectors > Asset Criticality.

Certain sensors, such as sensors that provide duplicate data, are intentionally unavailable in Reporting, even if you register the sensors in Tanium Data Service. For a list of unavailable sensors, see Unable to view or select content.

Reports

You can use Reporting to create and view reports with data that Tanium Data Service collects. Select the data that you want to include in the reports, and then add filters to limit the data in the report to endpoints in specific management groups or endpoints with specific operating systems.

Tanium-managed reports

Reporting provides predefined Tanium Managed reports that you can use in your environment but cannot edit or delete. However, you can assign reports to a different content set to limit access, and you can clone a report and edit the clone.

To view Tanium-managed reports in the Tanium™ Console, go to Data > Reports and select one or more Tanium Managed options for the Author filter. To view Tanium-managed reports that other Tanium solutions provide, set the Author to Tanium Managed - <Solution>. For example, to see the reports that Tanium™ Patch provides, select the Tanium Managed - Patch author. When you open a Tanium-managed report, its header shows the label Tanium Managed Tanium Managed.

To access all content in Tanium Managed reports, you must install all feature-specific solution dependencies. For information, see Solution dependencies.

Flattened data

Reporting flattens grid data that appears in reports and on the Explore Data page. Flattening dedicates one row for each result that a data source provides. For example, consider a report that contains a column for Installed Applications - Name and a column for Computer Name. The Installed Applications - Name source can return multiple applications for each endpoint. If you flatten the report by Computer Name, each row contains the computer name of the endpoint with all its installed applications.

You select the column (data source) to use for flattening when you Explore data and create reports. You can select only one column for flattening. If you select a source that is a multi-column sensor, flattening applies to the data for all the columns in that sensor. By default, flattening applies to the first column that you add, but you can change the flattened column.

You must edit an existing report to change its flattened column (see Edit reports). If you remove the source for a flattened column from a report, the first column in the report becomes the flattened column. If a report provides chart data to any dashboards, you cannot change the flattened column in that report. If any dashboards use the report, you cannot save the report after you change the flattened column.

ClosedFlattening examples

Consider a table that contains columns from two data sources: Computer Name and Installed Applications - Name. The following table shows the data for three endpoints, where the data is flattened by the Computer Name:

Example of data flattened by Computer Name
Computer Name Installed Applications - Name Count
BOB-PC Microsoft Edge
Google Chrome
Mail
1
MARY-LAPTOP Microsoft Edge
Google Chrome
VMWare Tools
1
TEST-PC Microsoft Edge
VMWare Tools
Mail
1

The following table shows the same data flattened by Installed Applications - Name. Because the Installed Applications source contains multiple columns, each result appears in a dedicated row. Note that each unique combination of Computer Name and Installed Application - Name now appears in a dedicated row as a result.

Example of data flattened by Installed Application - Name
Computer Name Installed Applications - Name Count
BOB-PC Microsoft Edge 1
MARY-LAPTOP Microsoft Edge 1
TEST-PCMicrosoft Edge1
BOB-PC Google Chrome 1
MARY-LAPTOPGoogle Chrome1
MARY-LAPTOPVMWare Tools1
TEST-PCVMWare Tools1
BOB-PCMail1
TEST-PCMail1

The following shows the same data in a table with just the Installed Applications - Name source, with a filter added to show only Installed Applications - Name results that match “Google Chrome”.

Example of data flattened by Installed Application - Name with "Installed Applications Name contains Google Chrome" filter
Installed Applications - Name Count
Google Chrome 2

Charts

In Reporting, you can add a chart (visualization) to each report and add multiple charts to dashboards. Charts are built on report data. You can customize the chart type, date range, color scheme, and more.

On dashboards, charts are contained in panels. The panels on Tanium™ Trends boards are similar to the chart panels on dashboards in Reporting.

Dashboards

In Reporting, a dashboard organizes a collection of panels. A panel can contain a chart or text. A dashboard can have one or more collapsible sections to organize related panels. For example, a section labeled Comply can contain all the panels with charts that are based on reports that Tanium Comply provides.

For related tasks and more information about dashboards, see Working with dashboards.

Tanium-managed dashboards

Reporting contains predefined Tanium-managed dashboards that you can use in your environment but cannot edit or delete. However, you can assign dashboards to a different content set to limit access, and you can clone a dashboard and edit the clone.

To list Tanium-managed dashboards in the Tanium™ Console, go to Data > Dashboards and select Tanium Managed for the Author filter. When you open a Tanium-managed dashboard, its header shows the label Tanium Managed Tanium Managed.

Tanium-managed dashboards use data that Tanium solutions provide. To access all content in Tanium-managed dashboards, you must install all feature-specific solution dependencies. For information, see Solution dependencies.

Emerging issue dashboards

An emerging issue dashboard contains details for a specific vulnerability, including the latest information about the threat and customized information about the potential exposure based on real-time telemetry of your environment. Emerging issue dashboards contain the following sections:

  • Overview and Contributing Factors: Highlights of the latest industry information and Tanium insights on the vulnerability.
  • Status: Current and temporal view of endpoints that are vulnerable, not vulnerable, or not applicable to the emerging issue.
  • Tanium/Related Content and References: Consolidated research and packages from reputable sources for reference and assessment.
  • Deploy Action: If applicable mitigation or remediation steps are available, you can pivot directly to deploying packages that Tanium has developed to help you lower your risk profile through targeted actions against vulnerable endpoints.

Tanium-managed dashboards include several emerging issue dashboards that you can access through Reporting (see View dashboards) and through Tanium™ Feed notifications (see Tanium Feed User Guide: View notifications). For details about these dashboards, see Tanium Community article: Introducing Tanium Alerts and Recommendations for Critical Vulnerabilities (registration is required).

To create a custom emerging issue dashboard, create a dashboard (see Create dashboards) that includes the following panel types:

  • Text panel: Add text, links, and metrics that contain the overview, Tanium/related content, and references. See Add text panels.

  • Action panel: Add the count of affected endpoints and corrective actions. See Add action panels.

The following example of an emerging issue dashboard addresses the HiveNightmare vulnerability:

Emerging issue dashboard

Interoperability with other Tanium products

Reporting works with other Tanium solutions for additional reporting of related data.

API Gateway

You can use Tanium™ API Gateway to:

  • Filter reports: You can filter reports based on their name, description, author (creator), content set, creation date/time, labels, and associated Tanium solution. See Reporting query filter syntax.

  • Retrieve, export, or import reports: See Reporting examples.

For additional information about features that are available through API Gateway, see Tanium API Gateway User Guide: Schema reference.

Connect

Configure a Tanium™ Connect destination to export reports outside of Tanium. For more information, see Export reports through Tanium Connect.

Interact

Reporting uses data that is stored in the Tanium Data Service, which is included with Tanium Interact. For information, see Data sources.