Reference: Advanced question syntax

Use reserved words or characters

The Tanium™ parser uses certain words and characters to interpret the question text that you enter as valid query syntax. For example, the parser uses the bracket characters [ and ] to enclose the values of parameterized sensors and uses variations of the word match to support regular expressions. You must enclose these reserved words and characters in quotation marks when you use them as string literals in questions. For example, to see all endpoints that have computer names containing the letter combination in, issue the question Get Computer Name from all machines with Computer Name contains "in".

The following characters require quotation marks when you use them as string literals in questions:

"

Use double quotation marks as an escape-character sequence for each instance of quotation marks in a text string. For example, to see which endpoints have a computer name that contains the string "test", issue the question:
Get Computer Name from all machines with Computer Name contains """test"""
.
,
:
?
$
White spaces

For example, to see which endpoints have a computer name that has a blank space before and after the string DBserver, issue the question:

Get Computer Name from all machines with Computer Name contains " DBserver "

The following words require quotation marks when you use them as string literals in questions:

all
and
any
contain
containing
contains
does match
does not match
ending
ends
equals
get
having
in
matches
matching
not
or
with
starting
starts

Use regular expressions

The question parser supports regular expression matching (Boost syntax).

The following example matches computer names that begin with the letter c in the test.local domain.

The Detect Primary Alerts sensor uses a regular expression to collect results that match any digit 0-9. Because Detect alerts have numeric IDs, this expression excludes empty results.

Figure 2: Regular expression to exclude empty results

You can also use a combination of negation and regular expressions to build filter expressions. For example, the built-in computer group No Computers uses a question with the not matches expression and a regular expression (.*) to match empty results. The author knows that Computer Name always returns a string, so it is a clever way to turn off a scheduled action. The Default action group includes only No Computers. To prevent TaaSthe Tanium Server from deploying certain actions to any endpoints, modify those actions to target the Default action group.

Figure 3: Regular expression to not match anything

Use computer group filters

You can issue questions that specify a computer group in the from clause. The computer group can be a management group or filter group (for details about these types, see Managing computer groups.)

For computer groups with filter-defined membership, the question parser converts the specified computer group name into the question that determines membership. In the following example, the computer group named Windows is parsed into its definition: is Windows contains true.

Figure 4: From clause with computer group that has filter-defined membership

Use sensor column filters

Multi-column sensors are designed to collect multiple pieces of related information in a single answer.

Figure 5: Results from a multi-column sensor

Using the regular expression starts with, ends with, or contains to filter results for a multi-column sensor, such as Installed Applications, can be tricky because the result string for a multi-column sensor is actually a single string with column delimiters. If you are not careful, you might match a string in an unexpected column or unknowingly match a string in a hidden column that you were not even aware of. You can specify which column to match results from multi-column sensors. The syntax is get sensor having sensor:column contains value. The column name is case sensitive. Note that single-column filtering works only if the sensor definition specifies column delimiters with a single character (such as |), not multiple characters (such as |:). To match results from all the columns, the syntax is get sensor contains value.

The following example uses a sensor column filter in the get clause.

Figure 6: Sensor column filter in the get clause

The following example uses a sensor column filter in both the get clause and the from clause.

Figure 7: Sensor column filter in the get clause and the from clause

Use $substring() filters

You can use $substring() filters to match result string patterns. The $substring() function takes the following arguments: sensor name, starting position (where 0 is the first position), number of characters.

The following example matches results from the Installed Applications sensor where the first two characters match the string Go.

The $substring() filter is not supported with multicolumn sensors.

Use the in operator

You can use the in operator to specify a collection of matching sensor results. The operator takes a comma-separated list of arguments that is parsed into a Boolean OR.

The following example uses the in operator to match a sensor filter in the from clause with results containing Virtual or Physical.

Figure 9: in operator in the from clause

The following example uses the in operator to match a sensor column filter in the from clause.

Figure 10: in operator with a sensor column filter

Use nested filters

In the from clause of a question, you can configure multiple filters, including nested filters.

The following example shows nested filters in the Question Builder. The example combines one matching expression with either one of the nested expressions.

Figure 11: Nested filters in the Question Builder

You can also specify nested filters in the Explore Data field.

Figure 12: Nested filters in the Explore Data field

The following example shows different Boolean logic: match both of these OR this one.

Figure 13: Nested filters in the Explore Data field

Target random endpoints

Use the Online Random Sample sensor to identify a random subset of online endpoints from all targeted endpoints. You might want to target random endpoints when you test a new package or configuration on a random subset of endpoints, or to check a random set of endpoints to ensure they have proper configurations prior to an audit. The Online Random Sample sensor is included in the Default Content pack.

The Online Random Sample sensor retrieves True and False results from all targeted endpoints. The sensor accepts a Sample % parameter from 0-100 to determine the rough percentage of endpoints that answer with True. For example, if you pass 25 as a parameter and target from all machines, approximately 25% of endpoints in the environment will return a True response. Because each endpoint evaluates the sensor and generates a random True or False answer according to the percentage that you specify, the number of endpoints that return True can vary. The default value for Sample % is 5.

Specify advanced sensor settings

Tanium Client answers must conform with any advanced sensor settings that you specify in a question message. You can configure advanced sensor settings in the Question Builder (see the following figure) or in the Explore Data field.

Figure 15: Question Builder: Advanced sensor settings

The following table describes the advanced sensor settings.

Table 1: Advanced sensor settings

Settings

Guidelines

Case Sensitivity

Group strings:

Ignore case: Group and count result values regardless of differences in upper-case and lower-case characters.
Match case: Group and count result values with strict attention to letter case.

Matching

This option is available only in the from computers with section.

For some sensors, a Tanium Client might compute multiple results. When the sensor is used as a filter in the from clause, specify whether any or all of the results must match the filter:

Match Any Value: Any value in the answer must match the value specified in the question.
Match All Values: All values in the answer must match the value specified in the question.

For example, in response to the IP Address sensor, it is possible for a Tanium Client to return both an IPv4 address and an IPv6 address. A question based on the IP Address sensor containing 192.168 for example could possibly match the IPv4 address but not the IPv6 address. In this case, you probably want the match Match Any Value option.

Treat Data As

Interact treats sensor values as the type of data that you specify:

Type	Examples
Date/Time (BES)	Fri, 29 Jan 2021 13:14:39 -0500
Date/Time (WMI)	20210129131439.999999-500
File Size	8192 KB 1-100 MB 125 MB 34 GB
Integer	-100 0 64428 100000000
IP Address	10.70.144.52 fe80::8c22:fed6:7720:3c96
Numeric	-100.77 0,25 1 3.1415926534 10.20.30.40 512:17472:192.168.2.187_512:0:98.30.236.25 1.0e-10
Text	(can be any valid string)
Time Duration	42 minutes 8 hours Less than 1 day 2 weeks 36 days 2 years, 3 months, 18 days, 4 hours, 22 minutes, and 3.67 seconds
Version	7.4.4.1250

Maximum Data Age

Maximum amount of time that the Tanium Client can use a cached result to answer a question. For example, the maximum data age for the File Size sensor is 15 minutes by default. When a Tanium Client is asked a question that executes the File Size sensor, it caches the result. Over the next 15 minutes, if the Tanium Client is asked a question that includes the File Size sensor, it responds with the cached answer. After 15 minutes, if the Tanium Client is asked a question that includes the File Size sensor, it executes the sensor script again to compute a fresh answer.

Use shorter ages for sensors that return values subject to change frequently, such as status and utilization sensors. Use longer ages for values that typically change infrequently, such as the chassis type or Active Directory Domain membership.

The following example specifies the Treat Data as <type> option. The syntax is sensor?type=value.

Figure 16: Advanced sensor settings - Treat Data as type

Only use the Treat Data as type option with comparison operators, such as Free Memory greater than 300, as shown in the example.

The following example specifies the Max Age option. The syntax is sensor?maxAge=value. When specifying maxAge in the Explore Data field, specify a number of seconds.

Figure 17: Advanced sensor settings - maxAge

The following example specifies the Ignore Case option. The syntax is sensor?ignoreCase=value. 0 means match case and 1 means ignore case.

Figure 18: Advanced sensor settings - ignoreCase

The following example specifies the Matches all option. A machine might have multiple interfaces and multiple IP addresses for those interfaces. In this example, the Matches all option is used to filter results for only computers with all IP addresses matching the specified string. You can specify this option only in the from clause. The syntax is with all sensor contains value.

Figure 19: Advanced sensor settings - matching all

The following example shows how to specify multiple advanced sensor options.

Figure 20: Advanced sensor settings - multiple settings

Specify advanced question settings

Enable the Force Computer ID setting to convert a single-sensor, counting question into a non-counting question by forcing Tanium Clients to include the computer ID in their answers. Note that the Question Results page does not include the computer ID results when you select this option. Converting to a non-counting question is a workaround that resolves cases where a counting question returns the too many results answer. For details, see the KB article Troubleshooting Errors / Informational Messages (too many results message). You can enable the setting in the Explore Data field by using the Get?forceComputerIdFlag=1 statement. You can also enable the setting in the Question Builder, under Advanced Question Options.