This documentation includes content for releases that might not be available on-premises. For the latest on-premises Interact documentation, see the PDF version of Tanium™ Interact User Guide version 2.15.133.
Use Tanium Interact to issue questions to managed endpoints, analyze their answers, and deploy actions to the endpoints based on the answers.
A Tanium question is a query that you issue from
The Ask a Question feature is built on a natural language parser that enables you to get started with natural questions rather than a specialized query language. You do not need to enter questions as complete sentences or strictly well-formed inquiries. Word forms are not case sensitive and can even include misspellings. The parser interprets your input and suggests a number of valid queries that you can use to formalize the question that is sent to Tanium Clients. Interact provides the Ask a Question feature as a field at the top of the Interact Overview page, the Tanium Home page, and the Quick Search bar in the Console header.
The following figure shows an example of how Interact uses the natural language parser to propose valid queries based on user input. After the user types the fragment last logged, Interact returns a list of queries cast in valid syntax.
Questions have a get clause that specifies the information to retrieve and a from clause that specifies the target endpoints. Basic questions include the following:
- One or more sensor names (such as Last Logged In User) in the get clause
- From all machines (all endpoints that host the Tanium Client) in the from clause
Advanced questions include reserved words or characters (such as match or $), regular expressions, filters, or advanced options.
For the steps to issue questions, see Asking questions and searching endpoints. For example questions and details about question syntax, see Reference: Example questions and Reference: Advanced question syntax.
A sensor is a script that runs on an endpoint to compute an answer to a Tanium question.
- Hardware and software inventory and configuration
- Running applications and processes
- Files and directories
- Network connections
After all the sensors in a question compute answers, Tanium Clients return the answers to Tanium Cloud
Operating System is an example of a sensor that returns a single row and column for each unique result from endpoints. An additional Count column indicates how many endpoints returned each result.
The Count column does not appear if its value is 1 for every result.
IP Address is an example of a sensor that can return multiple rows for one endpoint if the endpoint has multiple interfaces and a mix of IPv4 and IPv6 addresses.
Installed Applications is an example of a sensor that returns multiple rows and columns for each endpoint: one row for each application on the endpoint and two columns to indicate the application name and version.
If the question has multiple sensors, the Question Results grid shows their results in separate columns. If one of the sensors provides multiple columns, the column headings show the sensor name above the column names. In the following example, the Installed Applications sensor provides the application Name and Version columns. For more information about multi-sensor questions, see Questions with multiple sensors.
To filter multi-column sensors by the values in a particular column, see Use sensor column filters.
For details on manipulating and analyzing sensor results, see Managing question results.
The Interact Question Results grid aggregates results differently based on whether you issued a counting or non-counting question. For a counting question, the Count column shows how many endpoints returned the same unique value in a result that has one or more values for a single sensor. For a non-counting question, the Count shows how many endpoints returned all the same values in all the results of one or more sensors. Results aggregation describes this Count distinction in detail.
The Question Results page automatically shows a Count column if its value exceeds 1 for any row and hides the column otherwise. To manually show or hide the column, click Customize Columns in the Question Results toolbar and select (show) or clear (hide) the Count check box.
A question with multiple sensors in its get clause is always a non-counting question. A question with one sensor in its get clause is a counting question by default, but you can convert it to a non-counting question (see Convert counting questions to non-counting questions). Before you issue a single-sensor question, consider the following ramifications of counting and non-counting questions.
The Question Results grid presents results the same way for a counting or non-counting question if each endpoint provides only one value for the result of a single sensor. Each grid row shows one unique value and the Count of endpoints that returned the value. Operating System is an example of a single-value sensor.
The Installed Applications sensor is an example of a sensor that includes multiple sets of values from each endpoint. Each set is the name and version of an application and the result includes as many sets as the endpoint has applications. The Question Results grid presents the results of a multi-value sensor differently for non-counting and counting questions:
Each grid row shows the Count of endpoints that return all the same value sets in a result. In the following example, a non-counting question is useful if you want to know how many endpoints have all the same application versions.
Each grid row shows the Count of endpoints that return the same unique value set. In the following example, a counting question is useful if you want to know how many endpoints have a particular application version, regardless of whether any endpoints share all the same application versions. The grid shows how many endpoints have Microsoft Remote Desktop version 10.6.1 and how many have Microsoft Silverlight 5.1.5.0918.0, but the grid does not show how many endpoints have both.
The Question Results grid might show more rows than you can effectively review for a non-counting question. For example, if your network has five operating systems (OSs) across 10,000 endpoints, the grid would show 10,000 rows for the non-counting question Get?forceComputerIdFlag=1 Operating System from all machines because each result includes the Computer ID along with the Operating System of each endpoint. In this case, if the only important information is the count of endpoints that run each OS, you could issue the counting question Get Operating System from all machines and the grid would be more readable with only five rows to review. In this example, the counting question would also generate much less network traffic for Tanium Cloud
You can select only a non-counting question for a merge operation on question results. See Merge questions.
The Question Results page shows [too many results] to indicate that more results are available but Tanium Clients will not return the additional results. If a counting question returns this message, converting it to a non-counting question might resolve the issue. See Too many results.
Specify the Force Computer ID option to issue a single-sensor question as a non-counting question. This option compels endpoints to return results for the Computer ID sensor along with the results for the sensor that you specify in the question. Tanium Cloud
- Ask a Question field: Use the Get?forceComputerIdFlag=1 statement instead of Get. See Issue a question through the Ask a Question field.
- Question Builder: Specify the Force Computer ID option in the Advanced Question Options. See Issue a question through the Question Builder.
- Saved question configuration: Select the option Yes, turn into non-counting question. See Create a saved question.
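The following added example (not Tanium code) models how the Question Results grid derives the Count column for the Installed Applications results described above: a counting question counts endpoints per unique value set, a non-counting question counts endpoints whose complete result is identical, and the Force Computer ID option folds the Computer ID into each result so every endpoint lands in its own row. The endpoint names, application rows and the order-insensitive grouping are constructed assumptions.

```python
from collections import Counter

# Constructed sample results (not taken from the Tanium documentation): each
# endpoint returns one (name, version) row per installed application.
INSTALLED_APPS = {
    "WS-001": [("Microsoft Remote Desktop", "10.6.1"), ("Microsoft Silverlight", "5.1.5.0918.0")],
    "WS-002": [("Microsoft Silverlight", "5.1.5.0918.0"), ("Microsoft Remote Desktop", "10.6.1")],
    "WS-003": [("Microsoft Remote Desktop", "10.6.1")],
    "WS-004": [("Microsoft Remote Desktop", "10.5.0"), ("Microsoft Silverlight", "5.1.5.0918.0")],
}

def counting_aggregate(results):
    """Counting question: one grid row per unique value set (here a name/version
    pair); Count is the number of endpoints that returned that value set."""
    counts = Counter()
    for rows in results.values():
        for value_set in set(rows):   # an endpoint is counted once per distinct value set
            counts[value_set] += 1
    return dict(counts)

def non_counting_aggregate(results, force_computer_id=False):
    """Non-counting question: Count is the number of endpoints whose complete result
    (all value sets) is identical. With force_computer_id the Computer ID is part of
    the result, so each endpoint becomes its own row (modelled as an assumption)."""
    counts = Counter()
    for endpoint, rows in results.items():
        key = tuple(sorted(set(rows)))      # assumption: row order does not matter
        if force_computer_id:
            key = (endpoint,) + key
        counts[key] += 1
    return dict(counts)

def show_count_column(grid):
    """The grid shows the Count column only if some row's Count exceeds 1."""
    return any(count > 1 for count in grid.values())

if __name__ == "__main__":
    for label, grid in (("counting", counting_aggregate(INSTALLED_APPS)),
                        ("non-counting", non_counting_aggregate(INSTALLED_APPS)),
                        ("non-counting, forced", non_counting_aggregate(INSTALLED_APPS, True))):
        print(f"{label}: {len(grid)} rows, Count column shown: {show_count_column(grid)}")
        for key, count in sorted(grid.items()):
            print(f"  {count:>3}  {key}")
```

The counting grid answers "how many endpoints have Remote Desktop 10.6.1" (3) without saying how many also have Silverlight; the non-counting grid answers that second question (2).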
When you construct a question, use the AND operator in the get clause to specify multiple sensors. The Question Results page groups results by the first sensor, then by the next sensor, and so on, as the following example illustrates. For details about how the Question Results page shows sensor results across multiple columns, see What is a sensor?.
A parameterized sensor uses a value that you specify when entering the question in the Ask a Question field or Question Builder. The following example shows the Registry Value Data sensor. Tanium Interact prompts you to specify a registry path and value.
Another example is the High CPU Processes sensor. You can specify a parameter that is the number of CPU processes to return from each machine. For example, you might want to get the top 5 highest CPU utilizing processes. The question has the following syntax:
Get High CPU Process from all machines
For sensors with multiple parameters, you can specify an ordered list of comma-separated parameters. For example, to see the first 10 lines from the action log for the action with ID 1, specify a parameter list as follows:
Get Tanium Action Log[1,10] from all machines
For more details, see Tanium Console User Guide: Example: Parameterized sensors.
You can use a filter in the from clause of a question to target fewer endpoints than the default all machines. For example, the following question targets only endpoints where CPU consumption exceeds 80%.
To filter the get clause of a question, see Use question filters.
Filters in the from clause are the first part of a question that an endpoint processes. If the endpoint data does not match the filter, the endpoint does not process the question any further. If the question has multiple filters, the endpoint evaluates each filter. The filter expression must evaluate to a Boolean true or false. For example, the expression from all machines with CPU Consumption > 80% evaluates to true if CPU consumption exceeds 80% on the endpoint and evaluates to false otherwise. If a filter evaluates to true, the endpoint runs the sensors in the get clause of the question and returns the results.
A parameterized sensor like File Exists returns the result File Exists: <file name> or File does not exist, so be careful how you enter the sensor in a filter expression. The filter expression from all machines with File Exists["C:\Program Files\PuTTY\putty.exe"] contains "Exists" evaluates to true when the result is File Exists: C:\Program Files\PuTTY\putty.exe and false when the result is File does not exist, so you can use it to filter the set of responses.
Filter expressions can match strings or regular expressions. For details on the supported filter operators and examples of complex filter expressions, see Reference: Advanced question syntax.
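As an added illustration (not Tanium Client code) of the from-clause processing order and the File Exists filter caveat above, the following model evaluates already-parsed filters against constructed endpoint records and runs the get-clause sensor only when every filter is true. The sensor stand-ins, endpoint records, and the simplified `>` and `contains` semantics are assumptions.

```python
# Constructed sensor stand-ins: each reads a fake endpoint record, never the host.
SENSORS = {
    "CPU Consumption": lambda params, ep: f"{ep['cpu']}%",
    "File Exists": lambda params, ep: (f"File Exists: {params[0]}" if params[0] in ep["files"]
                                       else "File does not exist"),
    "Computer Name": lambda params, ep: ep["name"],
}

# Filters modelled as already-parsed (sensor, parameters, operator, operand) tuples,
# i.e. "from all machines with CPU Consumption > 80% and File Exists[...] contains Exists".
FILTERS = [
    ("CPU Consumption", [], ">", "80%"),
    ("File Exists", [r"C:\Program Files\PuTTY\putty.exe"], "contains", "Exists"),
]
GET_CLAUSE = [("Computer Name", [])]

# Constructed endpoints: only WS-001 should pass both filters.
WS_001 = {"name": "WS-001", "cpu": 85, "files": {r"C:\Program Files\PuTTY\putty.exe"}}
WS_002 = {"name": "WS-002", "cpu": 35, "files": {r"C:\Program Files\PuTTY\putty.exe"}}
WS_003 = {"name": "WS-003", "cpu": 90, "files": set()}

def evaluate_filter(result, operator, operand):
    """Reduce a filter to True/False. '>' compares numerically after stripping a
    trailing '%'; 'contains' is a plain substring test (semantics simplified)."""
    if operator == ">":
        return float(result.rstrip("%")) > float(operand.rstrip("%"))
    if operator == "contains":
        return operand in result
    raise ValueError(f"unsupported operator {operator!r}")

def process_question(get_clause, filters, endpoint):
    """from-clause filters are evaluated first; get-clause sensors run only when
    every filter is true. Returns (answers or None, sensors that actually ran)."""
    ran, matched = [], True
    for sensor, params, operator, operand in filters:
        ran.append(sensor)
        matched &= evaluate_filter(SENSORS[sensor](params, endpoint), operator, operand)
    if not matched:
        return None, ran               # endpoint does not process the question further
    answers = {}
    for sensor, params in get_clause:
        ran.append(sensor)
        answers[sensor] = SENSORS[sensor](params, endpoint)
    return answers, ran

if __name__ == "__main__":
    for ep in (WS_001, WS_002, WS_003):
        print(ep["name"], process_question(GET_CLAUSE, FILTERS, ep))
```

Note that a filter such as File Exists[...] contains "File" would match both possible results, which is why the documentation's expression tests for "Exists".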
For example, if the Max Sensor Age is 8 minutes, the client runs the sensor twice: first upon receiving the question and then again after 8 minutes. If the client receives another question between those two instances, the client returns a cached result instead of rerunning the sensor. If the Max Sensor Age exceeds 10 minutes, the client runs the sensor only once before the question expires.
For details about the Max Sensor Age setting
For each question,
Saved questions are questions that you can reissue without reconstructing them in the Interact Ask a Question field or Question Builder. They are configuration objects for which you can define reissue intervals, access permissions, associated packages, and other settings. You can issue saved questions manually or based on a schedule. You can issue saved questions through Tanium solutions or through custom applications that use the Tanium XML API. For example, you can use Tanium™ Connect to periodically issue a saved question and send the results to an external server.
Each saved question is assigned to one content set. You control access to saved questions by assigning content set permissions to user roles. For details about the roles and permissions required to manage saved questions, see Tanium Console User Guide: Manage saved questions. For details about content sets, see Tanium Console User Guide: Managing content sets.
- Fresh results: For online endpoints, results that you see in Reporting are never stale because Tanium Data Service reissues questions every 30 minutes and the questions remain open for that entire interval. By contrast, results from saved questions become stale if the associated values on endpoints change after the 10-minute question expiration interval but before the next reissue interval. See Question expiration.
- Offline endpoint data: For offline endpoints, you can see results in Reporting for up to 30 days (the storage duration for registered sensors), whereas Tanium Cloud or the Tanium Server stores the results of saved questions for only 7 days. See Display results for online and offline endpoints.
Reporting shows results in reports and on the Explore Data page. See Tanium Reporting User Guide: Working with reports.
You must register sensors with Tanium Data Service before their results appear in Reporting. See Register or unregister sensors for collection.
Interact uses dashboards and categories to organize saved questions.
A dashboard is a group of saved questions that are related with respect to the information that they retrieve from endpoints. For example, the predefined Hardware Inventory dashboard contains questions that retrieve CPU, disk, memory, and BIOS information. You can issue all the questions in a dashboard simultaneously. See Issue a dashboard of saved questions.
Interact dashboards differ from Tanium Reporting dashboards. See Tanium Reporting User Guide: Dashboards.
A category is a group of related dashboards. It serves as an umbrella term for questions that you use for a particular purpose. For example, the Security category includes multiple dashboards that contain security-related questions.
Interact provides predefined dashboards and categories, and you can create your own. To create, edit, reassign, export, or delete dashboards and categories, see Manage categories and dashboards.
Each dashboard and category is assigned to one content set. You control access to dashboards and categories by assigning content set permissions to user roles. For details and related tasks, see Tanium Console User Guide: Managing content sets.
After you issue a question, the Question Results page opens and displays a grid with the answers (results) from endpoints. The page facilitates analyzing the results by providing display options such as live updates, filters, and charts. For details and related procedures, see Managing question results.
After you use Interact to issue a question, analyze the question results, and determine which endpoints require administrative action, you can deploy a package to those endpoints so that the Tanium Client can run the associated action. For the procedure, see Deploying actions. For details about packages, see Tanium Console User Guide: Managing packages.
API Gateway and Tanium Data Service
Interact includes Tanium Data Service, which is a service that enables you to see stored sensor results for endpoints that are offline at the moment you issue a question. You can use Tanium™ API Gateway to access data from the Tanium Data Service API. For information about what features are available through API Gateway, refer to the API Gateway schema reference.
- For information about how to access the schema reference, see Tanium API Gateway User Guide: Schema reference.
- For information about Tanium Data Service, see Managing Tanium Data Service.
Interact provides access to the Endpoint Details page in Tanium™ Reporting, where you can view comprehensive information about a single endpoint and manage the endpoint. To access the page, see Search endpoints. For more information about endpoint details, see Tanium Reporting User Guide: Viewing and managing a single endpoint.
Last updated: 9/26/2023 2:46 PM