Configuring Risk
If you did not install Risk with the Apply All Tanium recommended configurations option, you must enable and configure certain features.
When you import Risk with automatic configuration, the following default setting is configured:
The following default setting is configured:
Setting | Default value |
---|---|
Action group |
|
Install and configure
Configure Tanium Endpoint Configuration
Manage solution configurations with Tanium Endpoint Configuration
Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.
Endpoint Configuration is installed as a part of Tanium Client Management. For more information, see the Tanium Client Management User Guide: Installing Client Management.
Optionally, you can use Endpoint Configuration to require approval of configuration changes. When configuration approvals are enabled, Endpoint Configuration does not deploy a configuration change to endpoints until a user with approval permission approves the change. For information about the roles and permissions that are required to approve configuration changes for Risk, see User role requirements. For more information about enabling and using configuration approvals in Endpoint Configuration, see Tanium Endpoint Configuration User Guide: Managing approvals.
and select Global.
For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.
Configure Risk
(Optional) Configure the Risk action group
Importing the Risk module automatically creates an action group to target specific endpoints. If you did not use automatic configuration or you enabled restricted targeting when you imported Risk, the action group targets No Computers.
If you used automatic configuration and restricted targeting was disabled when you imported Risk, configuring the Risk action group is optional.
Select the computer groups to include in the Risk action group.
- From the Main menu, go to Administration > Actions > Action Groups.
- Click Tanium Risk.
- Select the computer groups that you want to include in the action group and click Save.
If you select multiple computer groups, choose an operator (AND or OR) to combine the groups.
(Optional) Configure computer groups
By default, Risk uses the All Computers computer group. If needed, you can change this default computer group. You can also configure the computer groups that are available to select when you analyze risk scores. These computer groups are available in the Computer Groups dropdown list on all Risk pages.
- On the Risk Overview page, click Settings
, then click Computer Groups.
- If you want to change the default computer group to use as the default for all pages, select that computer group in the Default column.
- If you want to add computer groups, click Select Computer Groups and select additional computer groups. Click Save.
- If you want to remove computer groups from the list, click Remove
.
(Optional) Assign endpoint criticality
Endpoint criticality is a level on an individual endpoint that is used to add context about the endpoint in the organization. A higher criticality for a particular endpoint multiples the risk score.
Risk uses Tanium Criticality to manage criticality levels for endpoints. Risk receives the levels from Criticality and factors the criticality into the risk scores for endpoints. For more information, see Tanium Criticality User Guide: Criticality overview.
If you previously uploaded a CSV file to assign endpoint criticality in the Asset Criticality tab, the endpoint criticality data has been migrated to Tanium Criticality. For more information, see Tanium Criticality User Guide: Create rules to assign criticality to specific endpoints.
(Optional) Configure data collection frequency
Risk collects data from endpoints every two hours by default. If needed, you can modify this frequency.
If you make changes to endpoint criticality rules, be aware that Tanium Criticality uses a different update frequency than Risk. Criticality updates each hour, whereas Risk can update from every 15 minutes or once a day, depending on your configuration. If it is 10:00, for example, and you modify the Risk data collection time period to be 15 minutes, Risk does not receive updated criticality levels until 11:00, even though Risk collects data at 10:15, 10:30, and 10:45.
- On the Risk Overview page, click Settings
, then click Data Collection.
- Specify a time period and select Minutes or Hours.
The time period must be over 15 minutes and under 24 hours.
Set up Risk users
You can use the following set of predefined user roles to set up Risk users.
To review specific permissions for each role, see User role requirements.
On installation, Risk creates a Risk user to automatically manage the Risk service account. Do not edit or delete the Risk user.
For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.
Do not assign the Risk Service Account and Risk Service Account - All Content Sets roles to users. These roles are for internal purposes only.
Risk Administrator
Assign the Risk Administrator role to users who manage the configuration and deployment of Risk functionality to endpoints.
This role can perform the following tasks:
- Configure Risk service settings
- View and modify Risk endpoint criticality configurations
Risk Operator
Assign the Risk Operator role to users who manage the configuration and deployment of Risk functionality to endpoints.
This role can perform the following tasks:
- Configure Risk service settings
- View and modify Risk endpoint criticality configurations
Risk User
Assign the Risk User role to users who need visibility into Risk data.
This role can view Risk.
Risk Endpoint Configuration Approver
Assign the Risk Endpoint Configuration Approver role to a user who approves or rejects Risk configuration items in Tanium Endpoint Configuration.
This role approves, rejects, or dismisses changes that target endpoints where Risk is installed.
Sensors that are registered by default
- Sensors used to gather information about compensating controls:
- CredGuard Status
- Data Execution Prevention Enabled
- DeviceGuard Status
- Enforce - Host Firewall Enabled
- Enforce - TPM Status
- Storage Encryption Status
- Tanium PowerShell Execution Policy
- USB Write Protected
- Windows Credential Security Settings
- Windows Security Center Registered Antivirus Software
- Sensors used to gather information about health status:
- Comply - Coverage Status
- Impact - Coverage Status
- Reveal - Coverage Status
- SSL Server Audit Tools Required
- Sensors used to gather information for reports and calculations:
- Comply - Compliance Findings
- Comply - CVE Findings
- SSL Server Certificate CA Short Name
- SSL Server Certificate Details
- Endpoint Criticality
- Sensors used to gather information about vectors:
- Reveal - Background Scan Results
- SSL Server Cipher Suite
- SSL Server Certificate Expiry
- Risk - Vector Base Score
- Impact Rating
To manage which sensors are registered in the Tanium Data Service, see Tanium Console User Guide: Manage sensor results collection.
Do not modify the default collection settings for these sensors.
Last updated: 2/3/2023 3:18 PM | Feedback