Managing rules

Use rules to determine which endpoints to target and what information to send to your IAM provider.

View rules

Users with the Zero Trust Microsoft Entra ID Rules Read permission can view all rules in Zero Trust.

  1. From the Main menu, go to Administration > Shared Services > Zero Trust.
  2. From the Zero Trust menu, go to Rules.
  3. (Optional) Use the following filter options to find specific rules if the list is long. The list shows only the rules that match all the filters that you specify.
    Rule filter options
    Select mode: Use the Mode buttons to toggle between showing All rules, Audit rules, and Enforce rules.
    Select action: Use the Action buttons to toggle between All rules, rules that Apply an extension attribute, and rules that Remove an extension attribute.
    Select extension attribute number: Select a value for Extension Attribute # to show only rules that remove or apply a value to that extension attribute.
    Select extension attribute: Select a value for Extension Attribute to show only rules that remove or apply that extension attribute.
    Filter items: Enter an alphanumeric string to match text in any column.
    Filter by field: Expand Filters and specify any additional filters. You can filter by Name, Creator, and Owner.
    Sort by column: Click any column header to sort the list of rules by that column.
  4. (Optional) Take action on a rule. The following actions are available:
    Available actions for the rule list
    Create rule: Click Create Rule.
    Edit rule: Select the checkbox next to the rule that you want to edit and then click Edit.
    Prioritize rules: An event can trigger more than one rule for an endpoint, but only one rule for each extension attribute. When an endpoint matches multiple rules that affect the same extension attribute, the rule with the highest priority determines which result is sent to the zero trust service. Rule priority is in descending order, with 1 the highest priority. To prioritize rules, click Prioritize, drag the rules into the desired order of evaluation, and then click Save. For information, see Prioritize rules.
    Refresh list: Click Refresh.
    Export rules: To retrieve a list of the rules, apply any filters and then click Export. You have the following options:
    • Select Export to CSV to download the list of rules as a CSV file.
    • Select Copy to clipboard to copy the list of rules in CSV format to your clipboard.
    The exported list contains only the rules that match the filters you set.
    Take ownership: Rules run against the endpoints allowed by the computer management group permissions for the owner of the rule. To change ownership of a rule to yourself, select the checkbox next to the rule, select Actions > Take Ownership, and then click Save.
    Clone rule: Select the checkbox next to the rule and then select Actions > Clone. The Create Microsoft Entra ID Rule page opens with fields populated from the original rule. Edit any fields and click Save. For information on available fields, see Create a rule.
    Delete rule: Select the checkbox next to the rule, select Delete, and then click Delete.
  5. Click a rule to view details for the rule. The following actions are available when you view an individual rule:
    Available actions for individual rules
    Edit rule: Select Actions > Edit.
    Clone rule: Select Actions > Clone. The Create Microsoft Entra ID Rule page opens with fields populated from the original rule. Edit any fields and click Save. For information on available fields, see Create a rule.
    Take ownership: Rules run against the endpoints allowed by the computer management group permissions for the owner of the rule. To change ownership of a rule to yourself, select Actions > Take Ownership, and then click Save.
    Delete rule: Select Actions > Delete and then click Delete.

Create a rule

To create a rule, you must have a role with the Zero Trust Microsoft Entra ID Config Write permission.

  1. From the Zero Trust menu, go to Rules, and then click Create Rule.
  2. Enter a name for the rule, and optionally add a description.
  3. Select a Mode.
    • Select Enforcement if you want Zero Trust to send data to your IAM provider when events occur.
    • Select Audit if you want Zero Trust to log events but not send data to your IAM provider.
  4. Click Add Targeting, use the targeting builder to create a dynamic filter that defines which endpoints to target, and then click Add. For each rule, you can configure multiple filters, including nested filters.

    For Entra ID rules, Zero Trust adds a filter to target only the following endpoints:

    • Endpoints that do not have a tenant ID
    • Endpoints whose tenant ID matches a configured tenant ID in Entra ID

    The filter appears when you view the targeting for the rule and cannot be removed. For steps to find your tenant ID in Entra ID, see Microsoft Azure documentation: How to find your Azure Active Directory tenant ID.

    Targeting filter options
    Add a filter:
    1. Click Add and select Add Row. A row appears with a text field to enter a sensor name.
    2. Start typing in the Filter by Name field and then use the typeahead suggestions to select a sensor.

      Alternatively, click Browse All Sensors to open the Browse Sensors dialog and select a sensor. The bottom of the dialog contains the Sensor Description.

      The sensors that appear in the Filter by Name field are sourced by Tanium Data Service. To view registered sensors, or to register sensors for collection with Tanium Data Service, see Tanium Interact User Guide: Managing Tanium Data Service.

    3. Select an operator and specify a value to match. To match on substrings, select the Substring box and specify a Start position (where 0 is the first position) and number of characters (Length).
    4. (Optional) Click Advanced Question Options and enable Force Computer Id if you want to convert a single-sensor, counting question into a non-counting question by forcing Tanium Clients to include the computer ID in their answers. Converting to a non-counting question is a workaround that resolves cases where a counting question returns the too many results answer. For information about counting questions, see Tanium Console User Guide: Counting and non-counting questions.
    5. To create the filter, click Add below from computers with and then click Apply:
      • Click Add and select Add Row: Add one or more conditions that endpoints must match. You can base the matching (Select Attribute) on a Sensor.
      • Click Add and select Add Group: Select this option to nest a Boolean operator and then use Add Row to build the nested expression.
    6. When finished, click Apply.
    7. Repeat as necessary to add additional filters.
    Nesting filters: Click Add and select Add Group. A nested filter appears with the Boolean operator set to AND. Enter the filter definition and click Apply.
    • To add another filter to the nested filter, click Add below the filter and select Add Row. Use the toggle on the subsequent filters in a nested group to switch the Boolean operator for all filters in the group between AND and OR.
    • To toggle the Boolean operator for the entire nested group, click AND above the group and select Switch to OR.

      If you switch to the OR operator, the title of the dropdown menu also changes from AND to OR.

    • To add a nested group inside the existing nested group, click Add below the filter and select Add Group.
    • To remove a nested group, click AND above the group and select Delete Group. Any child nested groups are also deleted.
  5. (Optional) Click Preview Targeted Endpoints to view the endpoints that the rule targets, and then adjust your targeting criteria if necessary.

    Be aware that rules are subject to the computer management group permissions of the default persona of the user who owns the rule. If you change ownership of the rule, the rule might target different endpoints.

  6. Specify the Microsoft Entra ID Device Attribute.
    • Action: To apply an extension attribute when an event occurs, select Apply. To remove an extension attribute when an event occurs, select Remove.
    • Extension Attribute: Select the attribute to apply or remove a string when an event occurs. Each extension attribute can only contain one extension attribute string.
    • Extension Attribute String: Enter the string to assign to, or remove from, the extension attribute. If you set Action to Apply, this string is applied to the selected Extension Attribute. If you set Action to Remove, the rule only removes the string if it matches the value that you set in this field.
    • If you select Apply as the Action type, you can select Automatically remove attribute if target conditions are no longer met to remove the attribute when an endpoint no longer meets the target conditions. If you do not select Automatically remove attribute if target conditions are no longer met, the extension attribute string remains until another rule applies or removes the string.
  7. Click Save.

    Zero Trust creates and activates the rule.

Prioritize rules

An event might cause an endpoint to match more than one rule, but only one rule can trigger for each extension attribute on each endpoint.

For example, consider an event that matches three rules: Rule 1, Rule 2, and Rule 3. Rule 1 assigns a string to extension attribute 1, Rule 2 assigns a string to extension attribute 3, and Rule 3 removes a string from extension attribute 3. The rules are prioritized in order: Rule 1 is priority 1, Rule 2 is priority 2, and Rule 3 is priority 3. When the event occurs, Rule 1 always triggers for the endpoint, because that rule has no conflicts with other rules (and it is also the highest priority rule). However, Rule 2 and Rule 3 affect the same extension attribute, and thus only Rule 2 triggers due to the order of priority.
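The conflict resolution described above, as an added Python example that is not part of the Tanium documentation. The rule names, priorities, attribute numbers and strings are constructed to mirror the example; the Remove semantics (clear only when the stored string matches) follow the Extension Attribute String field described under Create a rule.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # 1 is the highest priority
    action: str      # "Apply" or "Remove"
    attribute: int   # extension attribute number
    value: str       # extension attribute string


def select_triggered_rules(matched: List[Rule]) -> Dict[int, Rule]:
    """For one endpoint and one event, pick the single rule that triggers per
    extension attribute. Rules targeting different attributes never conflict;
    among rules on the same attribute the lowest priority number wins."""
    winners: Dict[int, Rule] = {}
    for rule in sorted(matched, key=lambda r: r.priority):
        winners.setdefault(rule.attribute, rule)   # first seen = highest priority
    return winners


def apply_rules(current: Dict[int, Optional[str]], matched: List[Rule]) -> Dict[int, Optional[str]]:
    """Compute the endpoint's new extension-attribute state. Apply overwrites the
    attribute's single string; Remove clears it only if the stored string equals
    the rule's string, otherwise the attribute is left untouched."""
    state = dict(current)
    for attr, rule in select_triggered_rules(matched).items():
        if rule.action == "Apply":
            state[attr] = rule.value
        elif rule.action == "Remove" and state.get(attr) == rule.value:
            state[attr] = None
    return state


# Constructed sample: the three rules from the example, all matched by one event.
SAMPLE_RULES = [
    Rule("Rule 1", 1, "Apply", 1, "tanium-managed"),
    Rule("Rule 2", 2, "Apply", 3, "tanium-compliant"),
    Rule("Rule 3", 3, "Remove", 3, "tanium-compliant"),
]

if __name__ == "__main__":
    for attr, rule in sorted(select_triggered_rules(SAMPLE_RULES).items()):
        print(f"extensionAttribute{attr}: {rule.name} triggers")
    print(apply_rules({}, SAMPLE_RULES))
```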

  1. From the Zero Trust menu, go to Rules.
  2. Click Prioritize.
  3. Drag the rules in the order that you prefer. Rule priority is in descending order, with 1 the highest priority.
  4. When finished, click Save.

Take ownership of a rule

A rule is subject to the computer management group permissions of the user who creates the rule. If a rule does not trigger for an endpoint, you can expand the computer management group permissions for the user, or you can transfer ownership of the rule to a user with the desired permissions.

To change computer management group permissions for a user, see Tanium Console User Guide: Manage computer group assignments for a user.

Rules use the computer management group permissions for the default persona of the user.

  1. From the Zero Trust menu, go to Rules.
  2. Select the checkbox next to the rule and then select Actions > Take Ownership.
  3. Click Save.

The rule immediately uses the management rights of the new owner.

Edit rule

You can edit the name and description of an existing rule.

After you create a rule, you can only edit the name and description of the rule. If you want to edit any other fields, clone the rule, modify any fields, and then save the new rule. For example, if you create a rule in audit mode and want to change the rule to enforcement mode, clone the rule, edit the mode, and then save the new rule. See Clone rule.

  1. From the Zero Trust menu, go to Rules.
  2. Select the checkbox next to the rule and click Edit.

    Alternatively, you can click the name of the rule to view the rule. From the page that opens, select Actions > Edit.

  3. Edit the name or description of the rule.
  4. Click Save.

Clone rule

To quickly create a rule that is similar to an existing rule, you can clone the rule.

  1. From the Zero Trust menu, go to Rules.
  2. Select the checkbox next to the rule that you want to clone and select Actions > Clone.

    The Create Microsoft Entra ID Rule page opens with fields populated from the original rule.

  3. Edit any fields and click Save. For information about available fields, see Create a rule.
  4. (Optional) Change the priority of the rule. See Prioritize rules.

Delete rule

When you delete a rule, you have the option to remove the extension attribute string from endpoints that were targeted by the rule. To ensure you remove the extension attribute string from all possible endpoints that might have been affected by the rule, change the ownership of the rule to a user who has computer management group permissions to all endpoints that have been targeted by the rule, and then have that user delete the rule. You can also have a user with unrestricted management rights create a temporary rule to remove an extension attribute string from all managed endpoints.

  1. From the Zero Trust menu, go to Rules.
  2. Select the checkbox next to the rule that you want to delete and click Delete.
  3. If the rule set an extension attribute on any endpoints, a prompt appears to determine how to handle those endpoints. You can choose to remove the extension attribute and string for the endpoints or keep the existing extension attribute and string for the endpoints.
  4. Click Delete.