Troubleshooting Risk

Tanium as a Service is a self-monitored service, designed to detect failures before the failures surface to users. For more information, see Tanium as a Service Deployment Guide: Troubleshooting Tanium as a Service.

To send information to Tanium for troubleshooting, collect logs and other relevant information.

Collect logs

The information is saved as a ZIP file that you can download with your browser.

  1. From the Risk Overview page, click Help, then the Troubleshooting tab.
  2. Click Create Package.
  3. When the package is ready, click Download Package.
    A tanium-risk-support.[timestamp].zip file downloads to the local download directory.
  4. Contact Tanium Support to determine the best option to send the ZIP file. For more information, see Contact Tanium Support.

Monitor and troubleshoot Risk health

The Health section of the Risk Overview page includes two charts to monitor the health of the module: Risk Coverage and Risk Vector Calculation Issues.

Risk Coverage

The Risk Coverage chart shows the coverage status of all endpoints on which risk vector scores were calculated in the last 30 days. The coverage metrics might report endpoints as Optimal, Needs Attention, or Initializing. The Optimal status indicates that all necessary tools, configurations, and scans are installed and complete for an endpoint. The Initializing status is a transient status that returns when an endpoint is downloading required tools, configuring, or waiting on completion of an initial scan. No action is needed for Optimal or Initializing states.

Risk Vector Calculation Issues

The Risk Vector Calculation Issues chart breaks out the data from the Risk Coverage chart by vector. Use this chart to determine the vectors for which endpoints are unable to allow calculations.

Click the Risk Vector Calculation Issues chart title to open the Risk Health page, which includes a table that lists specific endpoints that are unable to allow risk vector calculations.

The following table lists contributing factors that might cause the coverage metric for a vector to report endpoints as Needs Attention, and corrective actions you can take.

Vector: All vectors

Contributing factor: Endpoints do not have the latest Risk tools installed

Corrective action: Ask this question in Interact to determine whether endpoints have the necessary tools installed: Get Endpoint Configuration - Tools Status Details having Endpoint Configuration - Tools Status Details:Tool Name contains Risk from all machines.

Check for endpoints where the Status column lists as Not Installed or Error. Reinstall the tools on the endpoint. For more information, see Endpoint Configuration User Guide: Reinstall one or more tools installed by Endpoint Configuration.

Vector: All vectors

Contributing factor: Endpoints do not have the latest tools for a required solution installed

Corrective action: Ask this question in Interact to determine whether endpoints have the necessary tools installed: Get Endpoint Configuration - Tools Status Details having Endpoint Configuration - Tools Status Details:Tool Name contains <Solution associated with the vector> from all machines. Substitute the following solution names for the vector that you are troubleshooting:

  • System Vulnerability: Comply
  • System Compliance: Comply
  • Administrative Access: Impact
  • Password Identification: Reveal
  • Expired Certificates: SSL Server Audit
  • Insecure SSL / TLS: SSL Server Audit

Check for endpoints where the Status column lists as Not Installed or Error. Reinstall the tools on the endpoint. For more information, see Endpoint Configuration User Guide: Reinstall one or more tools installed by Endpoint Configuration.

Vector: System Vulnerability

Contributing factors:

  • Endpoints do not have the latest scan engine installed
  • Specific endpoints missing Comply tools, scan engines, or JREs
  • Issue with a specific endpoint that might prevent Comply from running successfully

Corrective action: If endpoints return the status Needs Attention for the System Vulnerability vector, use these steps to troubleshoot further: Comply User Guide: Monitor and troubleshoot Comply coverage.

Vector: System Compliance

Contributing factors:

  • Endpoints do not have the latest scan engine installed
  • Specific endpoints missing Comply tools, scan engines, or JREs
  • Issue with a specific endpoint that might prevent Comply from running successfully

Corrective action: If endpoints return the status Needs Attention for the System Compliance vector, use these steps to troubleshoot further: Comply User Guide: Monitor and troubleshoot Comply coverage.

Vector: Administrative Access

Contributing factor: Python tools are not installed

Corrective action: If endpoints return the status Needs Attention for the Administrative Access vector, use these steps to troubleshoot further: Impact User Guide: Monitor and troubleshoot Impact coverage.

Vector: Password Identification

Contributing factor: Index Health and Configuration

Corrective action: If endpoints return the status Needs Attention, use these steps to troubleshoot further: Reveal User Guide: Monitor and troubleshoot Reveal coverage.

Vectors: Expired Certificates, Insecure SSL/TLS

Contributing factor: SSL Server Audit Tools are not installed

Corrective action: Ask this question in Interact to determine whether endpoints are missing the tools: Get SSL Server Audit Tools Required from all machines.

If endpoints return the status Not Installed or Missing: <package name>, reinstall the SSL Server Audit tools on the endpoint.
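The following is an added example, not part of the Tanium documentation: a small triage script that takes the results of the Tools Status Details question and reports, per endpoint, which risk vectors are affected by tools in the Not Installed or Error state, using the solution-to-vector mapping listed above. The CSV layout (columns Computer Name, Tool Name, Status) and the sample rows are assumptions constructed for illustration; adjust the column names to match your own export.

```python
import csv
import io
from collections import defaultdict

# Solution -> vectors, taken from the mapping in the table above.
SOLUTION_VECTORS = {
    "Comply": ["System Vulnerability", "System Compliance"],
    "Impact": ["Administrative Access"],
    "Reveal": ["Password Identification"],
    "SSL Server Audit": ["Expired Certificates", "Insecure SSL / TLS"],
}
# Missing Risk tools affect every vector ("All vectors" rows).
ALL_VECTORS = sorted({v for vs in SOLUTION_VECTORS.values() for v in vs})
BAD_STATUSES = {"not installed", "error"}

# Constructed sample export; the column layout is an assumption.
SAMPLE_CSV = """Computer Name,Tool Name,Status
ws-001,Risk,Installed
ws-001,Comply,Not Installed
ws-002,Risk,Error
srv-010,SSL Server Audit,Error
srv-010,Reveal,Installed
srv-011,Impact,Not Installed
"""

def affected_vectors(csv_text):
    """Return {endpoint: sorted vectors whose tools are Not Installed or Error}."""
    result = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Status"].strip().lower() not in BAD_STATUSES:
            continue
        tool = row["Tool Name"].strip().lower()
        host = row["Computer Name"].strip()
        # Mirror the "Tool Name contains ..." filter used in the Interact question.
        if "risk" in tool:
            result[host].update(ALL_VECTORS)
        for solution, vectors in SOLUTION_VECTORS.items():
            if solution.lower() in tool:
                result[host].update(vectors)
    return {host: sorted(v) for host, v in sorted(result.items())}

if __name__ == "__main__":
    for host, vectors in affected_vectors(SAMPLE_CSV).items():
        print(f"{host}: reinstall tools; affected vectors: {', '.join(vectors)}")
```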

Remove Risk tools from endpoints

You can deploy an action to remove Risk tools from an endpoint or computer group. Separate actions are available for Windows and non-Windows endpoints.

  1. In Interact, target the computers from which you want to remove the tools. For example, ask a question that targets a specific operating system:
    Get Endpoint Configuration - Tools Status from all machines with Is <OS> equals True, for example:
    Get Endpoint Configuration - Tools Status from all machines with Is Windows equals True
  2. In the results, select the row for Risk, drill down as necessary, and select the targets from which you want to remove Risk tools. For more information, see Tanium Interact User Guide: Drill Down.
  3. Click Deploy Action.
  4. On the Deploy Action page, enter Endpoint Configuration - Uninstall in the Enter package name here box, and select Endpoint Configuration - Uninstall Tool [Windows] or Endpoint Configuration - Uninstall Tool [Non-Windows], depending on the endpoints you are targeting.
  5. For Tool Name, select Risk.

  6. (Optional) By default, after the tools are removed they cannot be reinstalled. To allow tools to be automatically reinstalled, clear the selection for Block reinstallation. Reinstallation occurs almost immediately.

    If reinstallation is blocked, you must unblock it manually:

    • To allow Risk to reinstall tools, deploy the Endpoint Configuration - Unblock Tool [Windows] or Endpoint Configuration - Unblock Tool [Non-Windows] package (depending on the targeted endpoints).

    • If you reinstall tools manually, select Unblock Tool when you deploy the Endpoint Configuration - Reinstall Tool [Windows] or Endpoint Configuration - Reinstall Tool [Non-Windows] package.

  7. (Optional) To remove all Risk databases and logs from the endpoints, clear the selection for Soft uninstall.

  8. (Optional) To also remove any tools that were dependencies of the Risk tools that are not dependencies for tools from other solutions, select Remove unreferenced dependencies.

  9. Click Show preview to continue.
  10. A results grid displays at the bottom of the page showing you the targeted endpoints for your action. If you are satisfied with the results, click Deploy Action.

If you have enabled Endpoint Configuration, tool removal must be approved in Endpoint Configuration before tools are removed from endpoints.

Uninstall Risk

  1. From the Main menu, click Administration > Configuration > Solutions.
  2. Select Risk, and click Uninstall.
  3. Review the content that will be removed and click Uninstall.
  4. Depending on your configuration, enter your password or click Yes to start the uninstall process.
  5. Return to the Solutions page and verify that the Import button is available for Risk.

Contact Tanium Support

To contact Tanium Support for help, sign in to https://support.tanium.com.