Configuring Risk

If you did not install Risk with the Apply All Tanium recommended configurations option, you must enable and configure certain features.

(Tanium Core Platform 7.4.5 or later only) You can set the Risk action group to target the No Computers filter group by enabling restricted targeting before adding Risk to your Tanium licenseimporting Risk. This option enables you to control tools deployment through scheduled actions that are created during the import and that target the Tanium Risk action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

When you import Risk with automatic configuration, the following default setting is configured:

The following default setting is configured:

Setting Default value
Action group
  • Restricted targeting disabled (default): All Computers computer group
  • Restricted targeting enabled: No Computers computer group

Install and configure Configure Tanium Endpoint Configuration

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

Endpoint Configuration is installed as a part of Tanium Client Management. For more information, see the Tanium Client Management User Guide: Installing Client Management.

Additionally you can use Endpoint Configuration to manage configuration approval. For example, configuration changes are not deployed to endpoints until a user with approval permission approves the configuration changes in Endpoint Configuration. For more information about the roles and permissions that are required to approve configuration changes for Risk, see User role requirements.

To use Endpoint Configuration to manage approvals, you must enable configuration approvals.

  1. From the Main menu, go to Administration > Shared Services > Endpoint Configuration to open the Endpoint Configuration Overview page.
  2. Click Settings and click the Global tab.
  3. Select Enable configuration approvals, and click Save.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

Configure Risk

(Optional) Configure the Risk action group

Importing the Risk module automatically creates an action group to target specific endpoints. If you did not use automatic configuration or you enabled restricted targeting when you imported Risk, the action group targets No Computers.

If you used automatic configuration and restricted targeting was disabled when you imported Risk, configuring the Risk action group is optional.

Select the computer groups to include in the Risk action group.

Clear the selection for No Computers and make Make sure that all operating systems that are supported by Risk are included in the Risk action group.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Click Tanium Risk.
  3. Select the computer groups that you want to include in the action group and click Save.
    If you select multiple computer groups, choose an operator (AND or OR) to combine the groups.

(Optional) Assign asset criticality

Asset criticality is a rating on individual endpoints that is used to assess an endpoint’s impact to the overall risk score. Higher criticality ratings for a particular endpoint increase the risk score if vulnerabilities are found. Possible values are critical, high, medium, and low. By default, all endpoints are assigned a medium criticality.

The score for a particular endpoint is adjusted based on the criticality:

  • Low: no adjustment to the score for the endpoint
  • Medium: (default) multiplies the score for the endpoint by 1.33
  • High: multiplies the score for the endpoint by 1.67
  • Critical: multiplies the score for the endpoint by 2

For example, if an endpoint has a score of 200, but the endpoint is flagged as critical, the score reported for that endpoint is 400.

You can upload a CSV file to adjust the criticality values for endpoints.

  1. Create a CSV file, with endpointname and criticality header fields, that contains the endpoints for which you want to assign a criticality value other than medium.

    In the CSV file, list the endpoints as the Computer Name (exactly as it is returned by the Computer Name sensor) followed by the criticality rating for that endpoint, similar to the following example:

    endpointname,criticality
    computername1.domain.com,critical
    computername2.domain.com,high

  2. On the Risk Overview page, click Settings and then click Asset Criticality.
  3. Click Import and browse to the CSV file.

The criticality ratings update for endpoints specified in the CSV file. Click Download to download the CSV ratings file that is currently in use.

(Optional) Configure computer groups

By default, Risk uses the All Computers computer group. If needed, you can change this default computer group. You can also configure the computer groups that are available to select when you analyze risk scores. These computer groups are available in the Computer Groups dropdown list on all Risk pages.

  1. On the Risk Overview page, click Settings , then click Computer Groups.
  2. If you want to change the default computer group to use as the default for all pages, select that computer group in the Default column.
  3. If you want to add computer groups, click Select Computer Groups and select additional computer groups. Click Save.
  4. If you want to remove computer groups from the list, click Remove .

(Optional) Configure data collection frequency

Risk collects data from endpoints every two hours by default. If needed, you can modify this frequency.

  1. On the Risk Overview page, click Settings , then click Data Collection.
  2. Specify a time period and select Minutes or Hours.

    The time period must be over 15 minutes and under 24 hours.

Set up Risk users

You can use the following set of predefined user roles to set up Risk users.

To review specific permissions for each role, see User role requirements.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Risk Administrator

Assign the Risk Administrator role to users who manage the configuration and deployment of Risk functionality to endpoints.
This role can perform the following tasks:

  • Configure Risk service settings
  • View and modify Risk asset criticality configurations

Risk Operator

Assign the Risk Operator role to users who manage the configuration and deployment of Risk functionality to endpoints.
This role can perform the following tasks:

  • Configure Risk service settings
  • View and modify Risk asset criticality configurations

Risk User

Assign the Risk User role to users who need visibility into Risk data.
This role can view Risk.

Risk Endpoint Configuration Approver

Assign the Risk Endpoint Configuration Approver role to a user who approves or rejects Risk configuration items in Tanium Endpoint Configuration.
This role approves, rejects, or dismisses changes that target endpoints where Risk is installed.

Sensors that are registered by default

When you install Risk, the The following sensors are registered for collection by default. The Tanium Data Service immediately begins collecting and storing results for the registered sensors.

  • Sensors used to gather information about compensating controls:
    • CredGuard Status
    • Data Execution Prevention Enabled
    • DeviceGuard Status
    • Enforce - Host Firewall Enabled
    • Enforce - TPM Status
    • Storage Encryption Status
    • Tanium PowerShell Execution Policy
    • USB Write Protected
    • Windows Credential Security Settings
    • Windows Security Center Registered Antivirus Software
  • Sensors used to gather information about health status:
    • Comply - Coverage Status
    • Impact - Coverage Status
    • Reveal - Coverage Status
    • SSL Server Audit Tools Required
  • Sensors used to gather information for reports and calculations:
    • Comply - Compliance Findings
    • Comply - CVE Findings
    • SSL Server Certificate CA Short Name
    • SSL Server Certificate Details
    • Risk Endpoint Criticality
  • Sensors used to gather information about vectors:
    • Reveal - Background Scan Results
    • SSL Server Cipher Suite
    • SSL Server Certificate Expiry
    • Risk - Vector Base Score
    • Impact Rating

To manage which sensors are registered in the Tanium Data Service, see Tanium Console User Guide: Manage sensor results collection.

Do not modify the default collection settings for these sensors.