Configuring Risk

If you did not install Risk with the Apply All Tanium recommended configurations option, you must enable and configure certain features.

(Tanium Core Platform 7.4.5 or later only) You can set the Risk action group to target the No Computers filter group by enabling restricted targeting before adding Risk to your Tanium licenseimporting Risk. This option enables you to control tools deployment through scheduled actions that are created during the import and that target the Tanium Risk action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

When you import Risk with automatic configuration, the following default setting is configured:

The following default setting is configured:

Setting Default value
Action group
  • Restricted targeting disabled (default): All Computers computer group
  • Restricted targeting enabled: No Computers computer group

Install and configure Configure Tanium Endpoint Configuration

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

Endpoint Configuration is installed as a part of Tanium Client Management. For more information, see the Tanium Client Management User Guide: Installing Client Management.

Optionally, you can use Endpoint Configuration to require approval of configuration changes. When configuration approvals are enabled, Endpoint Configuration does not deploy a configuration change to endpoints until a user with approval permission approves the change. For information about the roles and permissions that are required to approve configuration changes for Risk, see User role requirements. For more information about enabling and using configuration approvals in Endpoint Configuration, see Tanium Endpoint Configuration User Guide: Managing approvals.

For solutions to Solutions cannot perform configuration changes or tool deployment through Endpoint Configuration on endpoints with action locks turned on, you must enable the Manifest Package Ignore Action Lock and Deploy Client Configuration and Support Package Ignore Action Lock settings. To access these settings, from the Endpoint Configuration Overview page, click Settings and select Global. on. As a best practice, do not turn on action locks. For more information about action locks, see Tanium Console User Guide: Managing action locks.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

Configure Risk

(Optional) Configure the Risk action group

Importing the Risk module automatically creates an action group to target specific endpoints. If you did not use automatic configuration or you enabled restricted targeting when you imported Risk, the action group targets No Computers.

If you used automatic configuration and restricted targeting was disabled when you imported Risk, configuring the Risk action group is optional.

Select the computer groups to include in the Risk action group.

Clear the selection for No Computers and make Make sure that all operating systems that are supported by Risk are included in the Risk action group.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Click Tanium Risk.
  3. Select the computer groups that you want to include in the action group and click Save.
    If you select multiple computer groups, choose an operator (AND or OR) to combine the groups.

(Optional) Configure computer groups

By default, Risk uses the All Computers computer group. If needed, you can change this default computer group. You can also configure the computer groups that are available to select when you analyze risk scores. These computer groups are available in the Computer Groups dropdown list on all Risk pages.

  1. On the Risk Overview page, click Settings , then click Computer Groups.
  2. If you want to change the default computer group to use as the default for all pages, select that computer group in the Default column.
  3. If you want to add computer groups, click Select Computer Groups and select additional computer groups. Click Save.
  4. If you want to remove computer groups from the list, click Remove .

(Optional) Assign endpoint criticality

Endpoint criticality is a level on an individual endpoint that is used to add context about the endpoint in the organization. A higher criticality for a particular endpoint multiples the risk score.

Risk uses Tanium Criticality to manage criticality levels for endpoints. Risk receives the levels from Criticality and factors the criticality into the risk scores for endpoints. For more information, see Tanium Criticality User Guide: Criticality overview.

If you previously uploaded a CSV file to assign endpoint criticality in the Asset Criticality tab, the endpoint criticality data has been migrated to Tanium Criticality. For more information, see Tanium Criticality User Guide: Create rules to assign criticality to specific endpoints.

(Optional) Configure data collection frequency

Risk collects data from endpoints every two hours by default. If needed, you can modify this frequency.

If you make changes to endpoint criticality rules, be aware that Tanium Criticality uses a different update frequency than Risk. Criticality updates each hour, whereas Risk can update from every 15 minutes or once a day, depending on your configuration. If it is 10:00, for example, and you modify the Risk data collection time period to be 15 minutes, Risk does not receive updated criticality levels until 11:00, even though Risk collects data at 10:15, 10:30, and 10:45.

  1. On the Risk Overview page, click Settings , then click Data Collection.
  2. Specify a time period and select Minutes or Hours.

    The time period must be over 15 minutes and under 24 hours.

Set up Risk users

You can use the following set of predefined user roles to set up Risk users.

To review specific permissions for each role, see User role requirements.

On installation, Risk creates a Risk user to automatically manage the Risk service account. Do not edit or delete the Risk user.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Do not assign the Risk Service Account and Risk Service Account - All Content Sets roles to users. These roles are for internal purposes only.

Risk Administrator

Assign the Risk Administrator role to users who manage the configuration and deployment of Risk functionality to endpoints.
This role can perform the following tasks:

  • Configure Risk service settings
  • View and modify Risk endpoint criticality configurations

Risk Operator

Assign the Risk Operator role to users who manage the configuration and deployment of Risk functionality to endpoints.
This role can perform the following tasks:

  • Configure Risk service settings
  • View and modify Risk endpoint criticality configurations

Risk User

Assign the Risk User role to users who need visibility into Risk data.
This role can view Risk.

Risk Endpoint Configuration Approver

Assign the Risk Endpoint Configuration Approver role to a user who approves or rejects Risk configuration items in Tanium Endpoint Configuration.
This role approves, rejects, or dismisses changes that target endpoints where Risk is installed.

Sensors that are registered by default

When you install Risk, the The following sensors are registered for collection by default. The Tanium Data Service immediately begins collecting and storing results for the registered sensors.

  • Sensors used to gather information about compensating controls:
    • CredGuard Status
    • Data Execution Prevention Enabled
    • DeviceGuard Status
    • Enforce - Host Firewall Enabled
    • Enforce - TPM Status
    • Storage Encryption Status
    • Tanium PowerShell Execution Policy
    • USB Write Protected
    • Windows Credential Security Settings
    • Windows Security Center Registered Antivirus Software
  • Sensors used to gather information about health status:
    • Comply - Coverage Status
    • Impact - Coverage Status
    • Reveal - Coverage Status
    • SSL Server Audit Tools Required
  • Sensors used to gather information for reports and calculations:
    • Comply - Compliance Findings
    • Comply - CVE Findings
    • SSL Server Certificate CA Short Name
    • SSL Server Certificate Details
    • Endpoint Criticality
  • Sensors used to gather information about vectors:
    • Reveal - Background Scan Results
    • SSL Server Cipher Suite
    • SSL Server Certificate Expiry
    • Risk - Vector Base Score
    • Impact Rating

To manage which sensors are registered in the Tanium Data Service, see Tanium Console User Guide: Manage sensor results collection.

Do not modify the default collection settings for these sensors.