Reference: Advanced question syntax

Use regular expressions

The question parser supports regular expression matching (Boost syntax).

The following example matches computer names that begin with the letter c in the test.local domain.

Figure  1:  Matching a regular expression

The Detect Primary Alerts sensor uses a regular expression to collect results that match any digit 0-9. Because Detect alerts have numeric IDs, this expression excludes empty results.

Figure  2:  Regular expression to exclude empty results

You can also combine negation with a regular expression to build filter expressions. For example, the built-in computer group No Computers uses a question with the not matches expression and the regular expression (.*), which matches every string, including an empty one. Because Computer Name always returns a string, the negated filter can never match, so the group is always empty. That makes it a convenient way to turn off a scheduled action: the Default action group includes only No Computers, so to prevent the Tanium Server from deploying certain actions to any endpoints, modify those actions to target the Default action group.

Figure  3:  Regular expression to not match anything
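The three regular-expression filters above, evaluated in Python against constructed sample answers. This is an added example, not code from the page or from Tanium; it assumes that matches is an unanchored search (so a pattern that must anchor to the start of the name says so with ^), and that Boost and Python regular expressions agree on patterns this simple, which they do.

```python
import re

# Constructed sample answers (not real Tanium data). An empty string stands
# for an endpoint whose sensor returned nothing.
COMPUTER_NAMES = ["client01.test.local", "cdc-02.test.local",
                  "srv01.test.local", "client03.corp.example", ""]
ALERT_IDS = ["1042", "", "7", ""]


def matches(value, pattern, negate=False):
    """Emulate a Tanium 'matches' / 'not matches' filter.

    Assumption: 'matches' is an unanchored search, so anchoring must be
    written into the pattern (^, $) where it is wanted.
    """
    hit = re.search(pattern, value) is not None
    return (not hit) if negate else hit


def apply_filter(values, pattern, negate=False):
    return [v for v in values if matches(v, pattern, negate)]


def names_starting_with_c_in_test_local(names):
    # Figure 1: names beginning with the letter c in the test.local domain
    return apply_filter(names, r"^c.*\.test\.local$")


def nonempty_alert_ids(ids):
    # Figure 2: [0-9] needs at least one digit, so empty answers drop out
    return apply_filter(ids, r"[0-9]")


def no_computers(names):
    # Figure 3: .* matches every string, including "", so 'not matches .*'
    # matches nothing at all
    return apply_filter(names, r".*", negate=True)
```

The last function is the whole trick behind the No Computers group: a negated pattern that matches every possible answer leaves an empty result set no matter what the endpoints return.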

Use computer group filters

You can issue questions that specify a computer group in the from clause. The computer group can be a management group or a filter group (for details about these types, see Managing computer groups).

For computer groups with filter-defined membership, the question parser converts the specified computer group name into the question that determines membership. In the following example, the computer group named Windows is parsed into its definition: is Windows contains true.

Figure  4:  From clause with computer group that has filter-defined membership

Use sensor column filters

Multi-column sensors are designed to collect multiple pieces of related information in a single answer.

Figure  5:  Results from a multi-column sensor

Using an operator such as starts with, ends with, contains, or matches (regular expression) to filter results for a multi-column sensor, such as Installed Applications, can be tricky because the result string for a multi-column sensor is actually a single string with column delimiters. If you are not careful, you might match a string in an unexpected column, or in a hidden column that you did not know existed. To avoid this, specify which column to match. The syntax is get sensor having sensor:column contains value. The column name is case sensitive. Note that single-column filtering works only if the sensor definition specifies a single-character column delimiter (such as |), not a multi-character delimiter (such as |:). To match results from all the columns, the syntax is get sensor contains value.

The following example uses a sensor column filter in the get clause.

Figure  6:  Sensor column filter in the get clause

The following example uses a sensor column filter in both the get clause and the from clause.

Figure  7:  Sensor column filter in the get clause and the from clause

Use $substring() filters

You can use $substring() filters to match result string patterns. The $substring() function takes the following arguments: sensor name, starting position (where 0 is the first position), number of characters.

The following example matches results from the Computer Name sensor where the first two characters match the string ts.

Figure  8:  $substring() filter

The following example matches results from the MAC Address column of the Network Adapter Details sensor where the fourth and fifth characters match the string e8.

Figure  9:  $substring() filter on specified sensor column
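The sensor column filter (Figures 6 and 7) and the $substring() filter on a column (Figure 9) both depend on the same thing: splitting a delimited answer string into columns before matching. The following added example, not code from the page or from Tanium, models that in Python. The sensor rows, column names and delimiter are constructed for illustration; the Installed Applications and Network Adapter Details column layouts shown here are assumptions, not the sensors' real definitions.

```python
# Constructed answers from a hypothetical "Installed Applications" sensor.
APP_COLUMNS = ["Name", "Version", "Silent Uninstall String"]
APP_ROWS = [
    "Tanium Client|7.4.7.1179|MsiExec.exe /x {product-code} /qn",
    "Python 3.11|3.11.4|C:\\Python311\\unins000.exe /S",
    "Some Tool|1.0|C:\\Tools\\python\\uninstall.exe /S",
]

# Constructed answers from a hypothetical "Network Adapter Details" sensor.
NIC_COLUMNS = ["Name", "MAC Address", "IP Address"]
NIC_ROWS = [
    "Ethernet|00:e8:4c:12:34:56|10.0.0.5",
    "Wi-Fi|00:0c:29:ab:cd:ef|10.0.0.6",
]


def column_value(row, columns, column, delim="|"):
    """Return one column of a delimited answer string.

    Column names are case-sensitive, as in Tanium, and per-column filtering
    is only possible when the sensor's delimiter is a single character.
    """
    if len(delim) != 1:
        raise ValueError("per-column filtering needs a single-character delimiter")
    if column not in columns:
        raise KeyError(f"unknown column {column!r} (column names are case-sensitive)")
    return row.split(delim)[columns.index(column)]


def contains_filter(rows, value, columns, column=None, delim="|", ignore_case=True):
    """'get sensor contains value' when column is None (the whole delimited
    string is searched) versus 'get sensor having sensor:column contains value'."""
    def hit(row):
        hay = row if column is None else column_value(row, columns, column, delim)
        return (value.lower() in hay.lower()) if ignore_case else (value in hay)
    return [r for r in rows if hit(r)]


def substring_filter(rows, columns, column, start, length, value, delim="|"):
    """$substring(sensor:column, start, length) = value, with 0-based start."""
    return [r for r in rows
            if column_value(r, columns, column, delim)[start:start + length] == value]


def demo():
    # Whole-row match also hits the uninstall path in the third column
    whole_row = contains_filter(APP_ROWS, "python", APP_COLUMNS)
    # Column match hits only the Name column
    by_name = contains_filter(APP_ROWS, "python", APP_COLUMNS, column="Name")
    # Fourth and fifth characters of the MAC Address column equal e8 (Figure 9)
    macs = substring_filter(NIC_ROWS, NIC_COLUMNS, "MAC Address", 3, 2, "e8")
    return whole_row, by_name, macs
```

The whole-row filter returns two applications for "python" because the uninstall string of an unrelated tool happens to live in a python directory; the column filter returns only the one whose Name column matches. That is exactly the unexpected-column problem the text warns about.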

Use the in operator

You can use the in operator to specify a collection of matching sensor results. The operator takes a comma-separated list of arguments that is parsed into a Boolean OR.

The following example uses the in operator to match a sensor filter in the from clause with results containing Virtual or Physical.

Figure  10:  in operator in the from clause

The following example uses the in operator to match a sensor column filter in the from clause.

Figure  11:  in operator with a sensor column filter

Use nested filters

In the from clause of a question, you can configure multiple filters, including nested filters.

The following example shows nested filters in the Question Builder. The example combines one matching expression with either one of two nested expressions.

Figure  12:  Nested filters in the Question Builder

You can also specify nested filters in the Explore Data field.

Figure  13:  Nested filters in the Explore Data field

The following example shows different Boolean logic: match both of these OR this one.

Figure  14:  Nested filters in the Explore Data field

Specify advanced sensor settings

Tanium Client answers must conform to any advanced sensor settings that you specify in a question. You can configure advanced sensor settings in the Question Builder (see the following figure) or in the Explore Data field.

Figure  15:  Question Builder: Advanced sensor settings

The following table describes the advanced sensor settings.

Table 1: Advanced sensor settings

Case Sensitivity
Controls how result strings are grouped:
  • Ignore case: Group and count result values regardless of differences in upper-case and lower-case characters.
  • Match case: Group and count result values with strict attention to letter case.

Matching
This option is available only in the from computers with section.

For some sensors, a Tanium Client might compute multiple results. When the sensor is used as a filter in the from clause, specify whether any or all of the results must match the filter:

  • Match Any Value: At least one value in the answer must match the value specified in the question.
  • Match All Values: Every value in the answer must match the value specified in the question.

For example, in response to the IP Address sensor, a Tanium Client can return both an IPv4 address and an IPv6 address. A question based on the IP Address sensor containing 192.168 could match the IPv4 address but not the IPv6 address. In this case, you probably want the Match Any Value option.

Treat Data As
Interact treats sensor values as the type of data that you specify:
  • Date/Time (BES)
  • Date/Time (WMI)
  • File Size
  • Integer
  • IP Address
  • Numeric
  • Text
  • Time Duration
  • Version

Maximum Data Age
Maximum amount of time that the Tanium Client can use a cached result to answer a question. For example, the maximum data age for the File Size sensor is 15 minutes by default. When a Tanium Client is asked a question that executes the File Size sensor, it caches the result. Over the next 15 minutes, if the Tanium Client is asked a question that includes the File Size sensor, it responds with the cached answer. After 15 minutes, if the Tanium Client is asked a question that includes the File Size sensor, it executes the sensor script again to compute a fresh answer.

Use shorter ages for sensors that return values that change frequently, such as status and utilization sensors. Use longer ages for values that typically change infrequently, such as the chassis type or Active Directory domain membership.

The following example specifies the Treat Data as <type> option. The syntax is sensor?type=value.

Figure  16:  Advanced sensor settings - Treat Data as type

Only use the Treat Data as type option with comparison operators, such as Free Memory greater than 300, as shown in the example.

The following example specifies the Max Age option. The syntax is sensor?maxAge=value. When specifying maxAge in the Explore Data field, specify a number of seconds.

Figure  17:  Advanced sensor settings - maxAge

The following example specifies the Ignore Case option. The syntax is sensor?ignoreCase=value. 0 means match case and 1 means ignore case.

Figure  18:  Advanced sensor settings - ignoreCase

The following example specifies the Matches all option. A machine might have multiple interfaces and multiple IP addresses for those interfaces. In this example, the Matches all option is used to filter results for only computers with all IP addresses matching the specified string. You can specify this option only in the from clause. The syntax is with all sensor contains value.

Figure  19:  Advanced sensor settings - matching all

The following example shows how to specify multiple advanced sensor options.

Figure  20:  Advanced sensor settings - multiple settings
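The following added example, not code from the page or from Tanium, shows in Python why the Treat Data As, Matching and Case Sensitivity settings change which endpoints a question selects. The endpoint answers are constructed; the type names follow Table 1, but only a subset of the types is modelled, and the comparison operators shown are the plain greater than / less than / equals forms used elsewhere on this page.

```python
import operator
from collections import Counter
from ipaddress import ip_address


def coerce(value, kind):
    """Interpret an answer string as one of the Treat Data As types.
    Only a few of the types from Table 1 are modelled here."""
    if kind == "Text":
        return value
    if kind == "Integer":
        return int(value)
    if kind == "Numeric":
        return float(value)
    if kind == "Version":
        return tuple(int(part) for part in value.split("."))
    if kind == "IP Address":
        return ip_address(value)
    raise ValueError(f"type {kind!r} is not modelled in this example")


OPERATORS = {
    "greater than": operator.gt,
    "less than": operator.lt,
    "equals": operator.eq,
}


def compare(answer, op, target, kind="Text"):
    """A comparison such as 'Free Memory greater than 300' under a given
    Treat Data As type. With the default Text type the comparison is
    lexicographic, which is rarely what a numeric question means."""
    return OPERATORS[op](coerce(answer, kind), coerce(target, kind))


def endpoint_matches(values, predicate, match_all=False):
    """Matching: Match Any Value (default) versus Match All Values for a
    multi-valued answer, such as IP Address returning IPv4 and IPv6."""
    hits = [predicate(v) for v in values]
    return all(hits) if match_all else any(hits)


def select_endpoints(answers, predicate, match_all=False):
    """Return the names of endpoints whose answers pass the filter."""
    return [name for name, values in answers.items()
            if endpoint_matches(values, predicate, match_all)]


def group_results(values, ignore_case=True):
    """Case Sensitivity: how result strings are grouped and counted."""
    keys = [v.lower() for v in values] if ignore_case else list(values)
    return Counter(keys)


# Constructed IP Address answers per endpoint (not real data).
IP_ANSWERS = {
    "ws01": ["192.168.1.10", "fe80::1"],
    "ws02": ["10.0.0.5"],
    "ws03": ["192.168.2.3", "192.168.2.4"],
}

# Constructed Operating System answers from several endpoints.
OS_ANSWERS = ["Windows", "windows", "WINDOWS", "Linux"]
```

Two points worth noticing: a Text comparison says "1000" is not greater than "300" and "1.10" is not greater than "1.9", which is why the Treat Data As option belongs on any question that uses a comparison operator; and with Match Any Value an endpoint holding both a 192.168 address and an fe80:: address is still selected by with IP Address contains 192.168, whereas Match All Values drops it.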

Specify advanced question settings

Enable the Force Computer ID setting to convert a single-sensor, counting question into a non-counting question by forcing Tanium Clients to include the computer ID in their answers. Note that the Question Results page does not include the computer ID results when you select this option. Converting to a non-counting question is a workaround that resolves cases where a counting question returns the too many results answer. For details, see the KB article Troubleshooting Errors / Informational Messages (too many results message). You can enable the setting in the Explore Data field by using the Get?forceComputerIdFlag=1 statement. You can also enable the setting in the Question Builder, under Advanced Question Options.