Configuring Reveal

If you did not install Reveal with the Apply All Tanium recommended configurations option, you must enable and configure certain features.

(Tanium Core Platform 7.4.5 or later only) You can set the Reveal action group to target the No Computers filter group by enabling restricted targeting before importing Reveal. This option enables you to control tools deployment through scheduled actions that are created during the import and that target the Tanium Reveal action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

When you import Reveal with automatic configuration, the following default settings are configured:

Setting | Default value
--- | ---
Action group | Restricted targeting disabled (default): All Computers computer group. Restricted targeting enabled: No Computers computer group.
Service account | The service account is set to the account that you used to import the module.

Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization. See Configure service account.

Install and configure Tanium Endpoint Configuration

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

Endpoint Configuration is installed as a part of Tanium Client Management. For more information, see the Tanium Client Management User Guide: Installing Client Management.

Additionally, you can use Endpoint Configuration to manage configuration approval. For example, configuration changes are not deployed to endpoints until a user with approval permission approves the configuration changes in Endpoint Configuration. For more information about the roles and permissions that are required to approve configuration changes for Reveal, see User role requirements.

To use Endpoint Configuration to manage approvals, you must enable configuration approvals.

  1. From the Main menu, go to Administration > Shared Services > Endpoint Configuration to open the Endpoint Configuration Overview page.
  2. Click Settings and click the Global tab.
  3. Select Enable configuration approvals, and click Save.

For solutions to perform configuration changes or tool deployment through Endpoint Configuration on endpoints with action locks turned on, you must enable the Manifest Package Ignore Action Lock and Deploy Client Configuration and Support Package Ignore Action Lock settings. To access these settings, from the Endpoint Configuration Overview page, click Settings and select Global. As a best practice, do not turn on action locks. For more information about action locks, see Tanium Console User Guide: Managing action locks.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

If you enabled configuration approvals, the following configuration changes must be approved in Endpoint Configuration before they deploy to endpoints:

  • Deploying profiles
  • Deleting profiles

Configure Reveal

Configure service account

The service account is a user that performs the following tasks for Reveal:

  • Creates scheduled actions for automatic tools deployment and indexing
  • Schedules automatic rules deployment
  • Gathers stats and results

After deploying the tools for the first time, endpoints can take some time to display status, depending on throttling configuration.

This user requires the following roles and access:

For more information about Reveal permissions, see User role requirements.

If you imported Reveal with default settings, the service account is set to the account that you used to perform the import. Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization.

  1. On the Reveal Overview page, click Settings and then click Service Account if needed.
  2. Provide a user name and password, and then click Save.

(Optional) Configure the Reveal action group

Importing the Reveal module automatically creates an action group to target specific endpoints to which the Reveal packages are deployed. If you did not use automatic configuration or you enabled restricted targeting when you imported Reveal, the action group targets No Computers. You can set the action group to All Computers or any computer groups that you have defined.

If you used automatic configuration and restricted targeting was disabled when you imported Reveal, configuring the Reveal action group is optional.

Select the computer groups to include in the Reveal action group.

Clear the selection for No Computers and make sure that all operating systems that are supported by Reveal are included in the Reveal action group.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. In the list of action groups, click Tanium Reveal.
  3. Select the computer groups that you want to include in the action group and click Save.
    If you select multiple computer groups, choose an operator (AND or OR) to combine the groups.

Set up Reveal users

You can use the following set of predefined user roles to set up Reveal users.

To review specific permissions for each role, see User role requirements.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Reveal Administrator

Assign the Reveal Administrator role to users who manage the configuration and deployment of Reveal functionality to endpoints.
This role can perform the following tasks:

  • Administrative functions for Reveal, including viewing, editing, and listing Reveal settings
  • Configure the service account user
  • Perform Reveal operations using the API
  • View snippets of affected files
  • View affected files
  • View, edit, and deploy profiles
  • View and edit patterns
  • Perform a quick search
  • View, list, edit, and deploy rules
  • View, list, and edit rule sets
  • View, list, edit, and deploy validations
  • View the status of validation deployments
  • View the status of rules deployments

Reveal Operator

Assign the Reveal Operator role to users who manage the configuration and deployment of Reveal functionality to endpoints.
This role can perform the following tasks:

  • View, edit, and list Reveal settings
  • Perform Reveal operations using the API
  • View snippets of affected files
  • View affected files
  • View, edit, and deploy profiles
  • View and edit patterns
  • Perform a quick search
  • View, list, edit, and deploy rules
  • View, list, and edit rule sets
  • View, list, edit, and deploy validations
  • View the status of validation deployments
  • View the status of rules deployments

Reveal User

Assign the Reveal User role to users who manage the configuration and deployment of Reveal functionality to endpoints but do not need to administer or configure settings for Reveal.
This role can perform the following tasks:

  • Perform Reveal operations using the API
  • View snippets of affected files
  • View affected files
  • View, edit, and deploy profiles
  • View and edit patterns
  • Perform a quick search
  • View, list, edit, and deploy rules
  • View, list, and edit rule sets
  • View, list, edit, and deploy validations
  • View the status of validation deployments
  • View the status of rules deployments

Reveal Read Only User

Assign the Reveal Read Only User role to users who need visibility into Reveal configurations but do not need rights to update them.
This role can perform the following tasks:

  • Perform Reveal operations using the API
  • View rules and rule sets
  • View profiles
  • View patterns
  • View the status of validation deployments
  • View the status of rules deployments

Reveal Endpoint Configuration Approver

Assign the Reveal Endpoint Configuration Approver role to a user who approves or rejects Reveal configuration items in Tanium Endpoint Configuration.
This role can perform the following tasks: approve, reject, or dismiss changes that target endpoints where Reveal is installed.

Reveal Service Account

Assign the Reveal Service Account role to the account that configures system settings for Reveal.
This role can perform several background processes for Reveal.
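The task lists for the four interactive roles above nest: each role grants everything the one below it does, so choosing a role means accepting every extra permission that comes with it. The following Python sketch is an added example, not Tanium code; it transcribes those lists and returns the smallest role that covers a set of required tasks, together with what that role over-grants. The `object:verb` encoding, and treating the Administrator's "administrative functions" as the same settings permissions as the Operator plus service account configuration, are assumptions of this example. The Endpoint Configuration Approver and Service Account roles are not modelled.

```python
# Added example: pick the least-privileged Reveal role for a set of tasks.
# Task lists are transcribed from this page; the "object:verb" encoding is
# an assumption of this example, not a Tanium permission format.

def perms(spec):
    """Expand 'profiles:view,edit; patterns:view' into a set of object:verb pairs."""
    out = set()
    for item in spec.split(";"):
        obj, verbs = item.split(":")
        out |= {f"{obj.strip()}:{v.strip()}" for v in verbs.split(",")}
    return frozenset(out)

READ_ONLY = perms("api:use; rules:view; rule sets:view; profiles:view; patterns:view; "
                  "validation status:view; rules status:view")
USER = READ_ONLY | perms("snippets:view; affected files:view; quick search:perform; "
                         "profiles:edit,deploy; patterns:edit; rules:list,edit,deploy; "
                         "rule sets:list,edit; validations:view,list,edit,deploy")
OPERATOR = USER | perms("settings:view,edit,list")
ADMINISTRATOR = OPERATOR | perms("service account:configure")

ROLES = {
    "Reveal Read Only User": READ_ONLY,
    "Reveal User": USER,
    "Reveal Operator": OPERATOR,
    "Reveal Administrator": ADMINISTRATOR,
}

def least_privileged_role(required):
    """Return (role, excess): the smallest covering role and what it over-grants."""
    required = frozenset(required)
    unknown = required - ADMINISTRATOR
    if unknown:
        raise ValueError(f"tasks not listed for any role on this page: {sorted(unknown)}")
    name, granted = min(
        ((n, p) for n, p in ROLES.items() if required <= p),
        key=lambda pair: len(pair[1]),
    )
    return name, sorted(granted - required)

if __name__ == "__main__":
    # Constructed requests: an auditor, a file reviewer, a settings tuner.
    for need in (["rules:view", "profiles:view"],
                 ["snippets:view"],
                 ["settings:edit", "rules:deploy"]):
        role, excess = least_privileged_role(need)
        print(f"{need} -> {role} (+{len(excess)} extra permissions)")
        deployable = [p for p in excess if p.endswith(":deploy")]
        if deployable:
            print("   review: role also grants", ", ".join(deployable))
```

In this model, a reviewer who only needs to view snippets still receives the deploy permissions for profiles, rules, and validations, because Reveal User is the lowest role that lists snippet access.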

(Optional) Deploy scans

Reveal scans files that are indexed by Tanium Client Index Extension. The Index endpoint settings determine the frequency of the index scans. For more information on these settings, see Tanium Client Index Extension User Guide: Indexing file systems.

If you have an urgent need to scan endpoints or a specific directory on endpoints outside of the distributed scan time periods, you can deploy a package to force a scan.

  1. On the Reveal Overview page, click Settings, and then click Deploy Scans.
  2. Select an operating system in the Scan Specific Path (Reveal) section to deploy the Reveal - Index Path package to force Reveal to scan a specific path for the selected operating system, and then click Deploy.

    The Action Deployment page opens. Specify the required parameters and click Deploy Action. For more information on the parameters on this page, see Tanium Console User Guide: Deploying actions.

    CAUTION: This operation is resource intensive, especially if you specify NFS mounts or broad directories, such as /mnt or /home. Do not deploy this action unless you completely understand its scope, impact on individual endpoints, and impact on the environment given the number of targeted endpoints.

  3. Select an operating system in the Scan Full Disk (Index) section to deploy the Index - Force Start Scans package to force start all Client Index Extension scans for the selected operating system, and then click Deploy.

    The Action Deployment page opens. Specify the required parameters and click Deploy Action. For more information on the parameters on this page, see Tanium Console User Guide: Deploying actions.

(Optional) Configure Reveal service settings

Configure settings to tune the Reveal service for your environment.

Use profiles to configure Tanium Index subscription and Reveal settings for endpoints. For more information, see Creating profiles.

  1. On the Reveal Overview page, click Settings and then click Settings.
  2. Update the settings as needed:

    Setting | Default value | Description
    --- | --- | ---
    Enable Rule Sets and Tools Automatic Deployment | selected | Select to automatically deploy rule sets and upgrade Reveal tools to the latest available versions when Reveal is installed or upgraded.
    Rule Publication Interval | 12 hours | The time interval to automatically deploy rule and rule sets assignments to endpoints.
    Rule Publication On Modify | 30 minutes | The time to automatically deploy rule and rule sets assignments to endpoints after a rule or rule set has been modified.
    Validation Publication Interval | 30 minutes | The time interval to automatically deploy pending validations.
    Rule Results Scan Interval | 600 seconds | The frequency to gather rule results metrics from endpoints.
    Status Scan Interval | 600 seconds | The frequency to query the Reveal status from endpoints.
    Content Feed Update Interval Hours | 24 hours | The frequency to poll and automatically update the Reveal content feed. Set the value to 0 to manually upload content.
    Live Connection Max Files | 1000 files | The maximum number of files retrieved from an endpoint.
    Live Connection Max Snippets | 500 snippets | The maximum number of snippets retrieved from a file from an endpoint.
    Live Connection Page Expiration | 60 minutes | The security setting to expire URLs after the specified period.
    Live Connection URL Scope | session | The security setting to share connection URLs across users, scope them to the user, or to the user's current session.
    Package File Cache Timeout | 300 seconds | The total amount of time to wait for the Tanium Server to cache files for packages. Package and action creation fail if this timeout is exceeded.
    Package Download Timeout | 1800 seconds | The amount of time to allow for Reveal packages to download before timing out.
    Time Sync Frequency | 60 minutes | The frequency to send out a time sync package.
    Time Sync Distribute Over Time | 600 seconds | The time period to distribute the time sync to target endpoints.
    Vocabulary Sampling Interval | 600 seconds | The time period between when vocabulary sampling questions are sent out.
    Decimation Schedule Automatic Deployment Interval | 48 hours | How frequently the decimation schedule gets recreated.
    Decimation Schedule Expiration Period | 7 days | How long a decimation schedule is valid.
    Global Vocabulary Decimation Threshold | 50 percent | Global completion percentage to reach before decimating the global vocabulary.
    Decimation Scheduler Horizon | 21 days | How far into the future the decimation scheduler will attempt to predict.
    Decimation Scheduler Growth Factor Gain | 1 percent | Determines how much effect each sampling status has on the growth factor.
    Decimation Scheduler Deploy Frequency | 24 hours | The maximum amount of time allowed to pass before a new decimation schedule is deployed.

  3. Click Save.