Reference: Example questions

Review the following examples to learn about the kinds of questions that Tanium Interact enables you to issue to endpoints.

Example starter questions

The following examples show common questions.

How can I get a list of running services on all endpoints or a specific endpoint?

Get Running Service from all machines

Get Service Details from all machines

Get Running Service from all machines with Computer Name containing "<hostname>"

How can I get a list of running processes on all endpoints or a specific endpoint?

Get Running Processes from all machines

Get Running Processes from machines where Computer Name contains "<hostname>"

Get Running Processes and Computer Name contains "<hostname>" from all machines

How can I display Windows Registry keys and values?

Get Registry Value Data[registry key path, value-name] from all machines

Get Registry Value Data[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion, CommonFilesDir] from all machines

Get Registry Key Value Exists[registry key path, value-name] from all machines

Get Registry Key Exists[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion, CommonFilesDir] from all machines

How can I get a list of open ports?

Get Computer Name and Open Port from all machines

Get Open Port from machines where Computer Name contains "<hostname>"

Get Open Port from all machines with Computer Name containing "<hostname>"

How can I get user authentication information?

Get Logged In Users contains "<user name>" from all machines

Get Logged In Users containing "BABOON08D9ANGUI\Administrator" from all machines

Get Logged In Users and Computer Name from all machines

Get Local User Login Dates from all machines

Get Logged In Users and Client Date from all machines

Get Last Logged In User and Client Date from all machines

Get Local Administrators from all machines

How can I see the currently logged-on user?

Get User Sessions from all machines

How can I see when users last logged in?

Get Local User Login Dates from all machines

How can I get the Service Account logins?

Get Service Login Names from all machines

How can I get certificate information?

Get Machine Certificates[authroot] from all machines

Get Machine Certificates[disallowed] from all machines

Get Machine Certificates[root] from all machines

For Intermediate Certs:

Get Machine Certificates[CA] from all machines

How can I detect all running Oracle instances within a Linux environment?

Get computer name and running processes that contains "ora_pmon" from machines with running processes contains "ora_pmon"

How can I get asset information?

Get Cpu and Cpu Details and Chassis and Architecture and Serial Number and Computer Name and Bios and IP Address and Mac Address from all machines

Example dashboard questions

Reviewing the list of predefined saved questions in dashboards and categories is a good way to learn how to use questions to get meaningful results. The following examples illustrate a few such predefined questions that are organized by <category> > <dashboard>.

Security > Data Leakage

Get Computer Name and Non-Approved Established Connections from all machines with Non-Approved Established Connections containing ":"

Security > Wireless Network Security

Get Wireless Networks Visible from all machines

Get Hosted Wireless Ad-Hoc Networks from all machines with Hosted Wireless Ad-Hoc Networks containing "started"

Get Unencrypted Wireless Networks from all machines with Unencrypted Wireless Networks containing "open"

Get Wireless Networks Using WEP from all machines with Wireless Networks Using WEP containing "wep"

Security > Proactive Security

Get Firewall Status containing "disabled" from all machines with Firewall Status containing "disabled"

Get Computer Name and Open Share Details from all machines with Open Share Details not containing "No shares"

Security > Workstation USB Write Protection

Get USB device details from all machines

Get Computer Name and Username from all machines with ( Operating System not containing "server" and USB Write Protected containing "False" )

Get Computer Name and Username from all machines with ( Operating System not containing "server" and USB Write Protected containing "True" )