Configuring Reveal

If you did not install Reveal with the Apply All Tanium recommended configurations option, you must enable and configure certain features.

(Tanium Core Platform 7.4.5 or later only) You can set the Reveal action group to target the No Computers filter group by enabling restricted targeting before adding Reveal to your Tanium licenseimporting Reveal. This option enables you to control tools deployment through scheduled actions that are created during the import and that target the Tanium Reveal action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

When you import Reveal with automatic configuration, the following default settings are configured:

The following default setting is configured:

Setting	Default value
Action group	Restricted targeting disabled (default): All Computers computer group Restricted targeting enabled: No Computers computer group

Install and configure Configure Tanium Endpoint Configuration

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

For information about installing Endpoint Configuration, see Tanium Endpoint Configuration User Guide: Installing Endpoint Configuration.

Optionally, you can use Endpoint Configuration to require approval of configuration changes. When configuration approvals are enabled, Endpoint Configuration does not deploy a configuration change to endpoints until a user with approval permission approves the change. For information about the roles and permissions that are required to approve configuration changes for Reveal, see User role requirements. For more information about enabling and using configuration approvals in Endpoint Configuration, see Tanium Endpoint Configuration User Guide: Managing approvals.

For solutions to Solutions cannot perform configuration changes or tool deployment through Endpoint Configuration on endpoints with action locks turned on, you must enable the Manifest Package Ignore Action Lock and Deploy Client Configuration and Support Package Ignore Action Lock settings. To access these settings, from the Endpoint Configuration Overview page, click Settings and select Global. on. As a best practice, do not turn on action locks. For more information about action locks, see Tanium Console User Guide: Managing action locks.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

If you enabled configuration approvals, the following configuration changes must be approved in Endpoint Configuration before they deploy to endpoints:

Deploying profiles
Deleting profiles

Configure Reveal

(Optional) Configure the Reveal action group

Importing the Reveal module automatically creates an action group to target specific endpoints to which the Reveal packages are deployed. If you did not use automatic configuration or you enabled restricted targeting when you imported Reveal, the action group targets No Computers. You can set the action group to All Computers or any computer groups that you have defined.

If you used automatic configuration and restricted targeting was disabled when you imported Reveal, configuring the Reveal action group is optional.

Select the computer groups to include in the Reveal action group.

Clear the selection for No Computers and make Make sure that all operating systems that are supported by Reveal are included in the Reveal action group.

From the Main menu, go to Administration > Actions > Action Groups.
In the list of action groups, click Tanium Reveal.
Select the computer groups that you want to include in the action group and click Save.
If you select multiple computer groups, choose an operator (AND or OR) to combine the groups.

Set up Reveal users

You can use the following set of predefined user roles to set up Reveal users.

To review specific permissions for each role, see User role requirements.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Reveal Administrator

Assign the Reveal Administrator role to users who manage the configuration and deployment of Reveal functionality to endpoints.
This role can perform the following tasks:

Administrative functions for Reveal, including viewing, editing, and listing Reveal settings
Configure the service account user
Perform Reveal operations using the API
View snippets of affected files
View affected files
View, edit, and deploy profiles
View and edit patterns
Perform a quick search
View, list, edit, and deploy rules
View, list, and edit rule sets
View, list, edit, and deploy validations
View the status of validation deployments
View the status of rules deployments

Reveal Operator

Assign the Reveal Operator role to users who manage the configuration and deployment of Reveal functionality to endpoints.
This role can perform the following tasks:

View, edit, and list Reveal settings
Perform Reveal operations using the API
View snippets of affected files
View affected files
View, edit, and deploy profiles
View and edit patterns
Perform a quick search
View, list, edit, and deploy rules
View, list, and edit rule sets
View, list, edit, and deploy validations
View the status of validation deployments
View the status of rules deployments

Reveal User

Assign the Reveal User role to users who manage the configuration and deployment of Reveal functionality to endpoints but do not need to administer or configure settings for Reveal.
This role can perform the following tasks:

Perform Reveal operations using the API
View snippets of affected files
View affected files
View, edit, and deploy profiles
View and edit patterns
Perform a quick search
View, list, edit, and deploy rules
View, list, and edit rule sets
View, list, edit, and deploy validations
View the status of validation deployments
View the status of rules deployments

Reveal Read Only User

Assign the Reveal Read Only User role to users who need visibility into Reveal configurations but do not need rights to update them.
This role can perform the following tasks:

Perform Reveal operations using the API
View rules and rule sets
View profiles
View patterns
View the status of validation deployments
View the status of rules deployments

Reveal Endpoint Configuration Approver

Assign the Reveal Endpoint Configuration Approver role to a user who approves or rejects Reveal configuration items in Tanium Endpoint Configuration.
This role can perform the following tasks: approve, reject, or dismiss changes that target endpoints where Reveal is installed.

(Optional) Deploy scans

Reveal scans files that are indexed by Tanium Client Index Extension. The Index endpoint settings determine the frequency of the index scans. For more information on these settings, see Tanium Client Index Extension User Guide: Indexing file systems.

If you have an urgent need to scan endpoints or a specific directory on endpoints outside of the distributed scan time periods, you can deploy a package to force a scan.

On the Reveal Overview page, click Settings , and then click Deploy Scans.
Select an operating system in the Scan Specific Path (Reveal) section to deploy the Index - Request Immediate One-Time Scan to force Reveal to scan a specific path for the selected operating system, and then click Deploy.
The Action Deployment page opens. Specify the required parameters and click Deploy Action. For more information on the parameters on this page, see Tanium Console User Guide: Deploying actions.
CAUTION: This operation is resource intensive, especially if you specify NFS mounts or broad directories, such as /mnt or /home. Do not deploy this action unless you completely understand its scope, impact on individual endpoints, and impact on the environment given the number of targeted endpoints.
Select an operating system in the Scan Full Disk (Index) section to deploy the Index - Force Start Scans package to force start all Client Index Extension scans for the selected operating system, and then click Deploy.
The Action Deployment page opens. Specify the required parameters and click Deploy Action. For more information on the parameters on this page, see Tanium Console User Guide: Deploying actions.

(Optional) Configure Reveal service settings

Configure settings to tune the Reveal service for your environment.

Use profiles to configure Tanium Index subscription and Reveal settings for endpoints. For more information, see Creating profiles.

On the Reveal Overview page, click Settings and then click Settings.

Update the settings as needed:

Setting	Default value	Description
Log Level	info	The log level for Reveal.
Enable Sensitive Data Logging	false	Include search details and file paths in audit logs.
Enable Rule Sets and Tools Automatic Deployment	selected	Select to automatically deploy rule sets and upgrade Reveal tools to the latest available versions when Reveal is installed or upgraded.
Rule Publication Interval	12 hours	The time interval to automatically deploy rule and rule sets assignments to endpoints.
Rule Publication On Modify	30 minutes	The time to automatically deploy rule and rule sets assignments to endpoints after a rule or rule set has been modified.
Validation Publication Interval	30 minutes	The time interval to automatically deploy pending validations.
Content Feed Update Interval Hours	24 hours	The frequency to poll and automatically update the Reveal content feed. Set the value to 0 to manually upload content.
Live Connection Max Snippets	500 snippets	The maximum number of snippets retrieved from a file from an endpoint.
Live Connection Page Expiration	60 minutes	The security setting to expire URLs after the specified period.
Live Connection URL Scope	session	The security setting to share connection URLs across users, scope them to the user, or to the user's current session.

Click Save.