Configuring Risk
If you did not install Risk with the Apply All Tanium recommended configurations option, you must enable and configure certain features.
When you import Risk with automatic configuration, the following default setting is configured:
The following default setting is configured:
Setting | Default value |
---|---|
Action group |
|
Install and configure
Configure Tanium Endpoint Configuration
Manage solution configurations with Tanium Endpoint Configuration
Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.
Endpoint Configuration is installed as a part of Tanium Client Management. For more information, see the Tanium Client Management User Guide: Installing Client Management.
Additionally you can use Endpoint Configuration to manage configuration approval. For example, configuration changes are not deployed to endpoints until a user with approval permission approves the configuration changes in Endpoint Configuration. For more information about the roles and permissions that are required to approve configuration changes for Risk, see User role requirements.
To use Endpoint Configuration to manage approvals, you must enable configuration approvals.
- From the Main menu, go to Administration > Shared Services > Endpoint Configuration to open the Endpoint Configuration Overview page.
-
Click Settings
and click the Global tab.
- Select Enable configuration approvals, and click Save.
For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.
Configure Risk
(Optional) Configure the Risk action group
Importing the Risk module automatically creates an action group to target specific endpoints. If you did not use automatic configuration or you enabled restricted targeting when you imported Risk, the action group targets No Computers.
If you used automatic configuration and restricted targeting was disabled when you imported Risk, configuring the Risk action group is optional.
Select the computer groups to include in the Risk action group.
- From the Main menu, go to Administration > Actions > Action Groups.
- Click Tanium Risk.
- Select the computer groups that you want to include in the action group and click Save.
If you select multiple computer groups, choose an operator (AND or OR) to combine the groups.
(Optional) Assign asset criticality
Asset criticality is a rating on individual endpoints that is used to assess an endpoint’s impact to the overall risk score. Higher criticality ratings for a particular endpoint increase the risk score if vulnerabilities are found. Possible values are critical, high, medium, and low. By default, all endpoints are assigned a medium criticality.
The score for a particular endpoint is adjusted based on the criticality:
- Low: no adjustment to the score for the endpoint
- Medium: (default) multiplies the score for the endpoint by 1.33
- High: multiplies the score for the endpoint by 1.67
- Critical: multiplies the score for the endpoint by 2
For example, if an endpoint has a score of 200, but the endpoint is flagged as critical, the score reported for that endpoint is 400.
You can upload a CSV file to adjust the criticality values for endpoints.
- Create a CSV file, with endpointname and criticality header fields, that contains the endpoints for which you want to assign a criticality value other than medium.
In the CSV file, list the endpoints as the Computer Name (exactly as it is returned by the Computer Name sensor) followed by the criticality rating for that endpoint, similar to the following example:
endpointname,criticality
computername1.domain.com,critical
computername2.domain.com,high - On the Risk Overview page, click Settings
and then click Asset Criticality.
- Click Import and browse to the CSV file.
The criticality ratings update for endpoints specified in the CSV file. Click Download to download the CSV ratings file that is currently in use.
(Optional) Configure computer groups
By default, Risk uses the All Computers computer group. If needed, you can change this default computer group. You can also configure the computer groups that are available to select when you analyze risk scores. These computer groups are available in the Computer Groups dropdown list on all Risk pages.
- On the Risk Overview page, click Settings
, then click Computer Groups.
- If you want to change the default computer group to use as the default for all pages, select that computer group in the Default column.
- If you want to add computer groups, click Select Computer Groups and select additional computer groups. Click Save.
- If you want to remove computer groups from the list, click Remove
.
(Optional) Configure data collection frequency
Risk collects data from endpoints every two hours by default. If needed, you can modify this frequency.
- On the Risk Overview page, click Settings
, then click Data Collection.
- Specify a time period and select Minutes or Hours.
The time period must be over 15 minutes and under 24 hours.
Set up Risk users
You can use the following set of predefined user roles to set up Risk users.
To review specific permissions for each role, see User role requirements.
For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.
Risk Administrator
Assign the Risk Administrator role to users who manage the configuration and deployment of Risk functionality to endpoints.
This role can perform the following tasks:
- Configure Risk service settings
- View and modify Risk asset criticality configurations
Risk Operator
Assign the Risk Operator role to users who manage the configuration and deployment of Risk functionality to endpoints.
This role can perform the following tasks:
- Configure Risk service settings
- View and modify Risk asset criticality configurations
Risk User
Assign the Risk User role to users who need visibility into Risk data.
This role can view Risk.
Risk Endpoint Configuration Approver
Assign the Risk Endpoint Configuration Approver role to a user who approves or rejects Risk configuration items in Tanium Endpoint Configuration.
This role approves, rejects, or dismisses changes that target endpoints where Risk is installed.
Sensors that are registered by default
- Sensors used to gather information about compensating controls:
- CredGuard Status
- Data Execution Prevention Enabled
- DeviceGuard Status
- Enforce - Host Firewall Enabled
- Enforce - TPM Status
- Storage Encryption Status
- Tanium PowerShell Execution Policy
- USB Write Protected
- Windows Credential Security Settings
- Windows Security Center Registered Antivirus Software
- Sensors used to gather information about health status:
- Comply - Coverage Status
- Impact - Coverage Status
- Reveal - Coverage Status
- SSL Server Audit Tools Required
- Sensors used to gather information for reports and calculations:
- Comply - Compliance Findings
- Comply - CVE Findings
- SSL Server Certificate CA Short Name
- SSL Server Certificate Details
- Risk Endpoint Criticality
- Sensors used to gather information about vectors:
- Reveal - Background Scan Results
- SSL Server Cipher Suite
- SSL Server Certificate Expiry
- Risk - Vector Base Score
- Impact Rating
To manage which sensors are registered in the Tanium Data Service, see Tanium Console User Guide: Manage sensor results collection.
Do not modify the default collection settings for these sensors.
Last updated: 5/17/2022 3:15 PM | Feedback