Interact overview

Use Tanium Interact to issue questions to managed endpoints, analyze their answers, and deploy actions to the endpoints based on the answers. Although it is licensed as part of the Tanium Core Platform, Interact is a Tanium module, so you can update it separately from the Tanium Console and the Tanium Server.

What is a question?

A Tanium question is a query that you issue from Tanium Cloudthe Tanium Server to managed endpoints. A dynamic question is one that you create and issue through the Ask a Question or Question Builder features in Interact. A saved question is a configuration object that enables you to reissue a question without reconstructing it through those features.

The Ask a Question feature is built on a natural language parser that enables you to get started with natural questions rather than a specialized query language. You do not need to enter questions as complete sentences or particularly well-formed inquiries. Word forms are not case sensitive and can even include misspellings. The parser interprets your input and suggests a number of valid queries that you can use to formalize the question that is sent to Tanium Clients. Interact provides the Ask a Question feature as a field at the top of the Interact Overview page and the Tanium Home page. For details, see Issue a question through the Ask a Question field.

The following figure shows an example of how Interact uses the natural language parser to propose valid queries based on user input. First, the user enters the fragment last loggedlast logged in user and clicks Search. In response, Interact returns a list of queries cast in valid syntax.

Figure  1:  Natural language parser

Questions have a get clause that specifies the information to retrieve and a from clause that specifies the target endpoints. Basic questions include the following:

  • One or more sensor names (such as Last Logged In User) in the get clause
  • From all machines (all endpoints that host the Tanium Client) in the from clause

Advanced questions include reserved words or characters (such as match or $), regular expressions, filter clauses, the in operator, or advanced options.

For the steps to issue questions and view question history, see Asking questions and searching endpoints. For more information about question syntax, see Reference: Example questions and Reference: Advanced question syntax.

What is a sensor?

A sensor is a script that runs on an endpoint to compute a response to a Tanium question.Tanium Cloud The Tanium Server distributes sensors to endpoints during Tanium Client registration. Sensors enable you to ask questions that collect information such as the following:

  • Hardware and software inventory and configuration
  • Running applications and processes
  • Files and directories
  • Network connections

Tanium Cloud provides The Tanium Server automatically imports initial content that includes sensors for a wide range of common questions (see Tanium Console User Guide: Initial content). Other Tanium solutions that you import might provide more sensors. If you cannot find a sensor that you need within Tanium-provided content, you can create custom sensors.

For more information, see Tanium Console User Guide: Managing sensors.

Counting questions and non-counting questions

A counting question returns results in which it is possible for any particular answer string to be the same for multiple endpoints. The Question Results grid displays a Count column that indicates how many endpoints provided each common answer. A counting question can have only one sensor. Get Operating System from all machines is an example of a counting question, with a sensor that returns the operating system of managed endpoints. When an endpoint adds its answer to the answer message, it increments the tally of the answer that its value matches. Tanium CloudThe Tanium Server maintains a table of answer strings. In many cases, such as the operating system, many endpoints provide just a few common answers, so the question has a relatively small footprint on Tanium Cloudthe Tanium Server.

Figure  2:  Counting question

A non-counting question has sensors that return a unique answer string from each endpoint. For example, Get Computer ID from all machines returns unique answers. For a non-counting question, the Tanium Client adds a new string to the answer message instead of incrementing the tally for an existing string. Therefore, the data footprint for a non-counting question can be large on Tanium Cloudthe Tanium Server.

Figure  3:  Non-counting question

If the Count column does not appear in the Question Results grid, click Customize Columns Customize Columns in the grid toolbar and select the Count check box to show the column. For more information on managing the Question Results grid, see Manage row sorting, column visibility, and text wrapping for question results.

When using the Question Builder to construct a single-sensor question, you have the option to convert a counting question to a non-counting question for cases where a counting question returns the [too many results] answer. For details about that answer, see Tanium Console User Guide: Troubleshoot question results issues.

Questions with multiple sensors

When you construct a question, use the AND operator in the get clause to specify multiple sensors. The Question Results page groups results by the first sensor, then by the next sensor, and so on, as the following example illustrates.

Figure  4:  Question with multiple sensors

Questions with parameterized sensors

A parameterized sensor uses a value that you specify when entering the question in the Ask a Question field or Question Builder. The following example shows the Registry Value Data sensor. The Tanium Console prompts you to specify a registry path and value.

Figure  5:  Parameterized sensor

Another example is the High CPU Processes sensor. You can specify a parameter that is the number of CPU processes to return from each machine. For example, you might want to get the top 5 highest CPU utilizing processes. The question has the following syntax:

Get High CPU Process[5] from all machines

For sensors with multiple parameters, you can specify an ordered list of comma-separated parameters. For example, to see the first 10 lines from the action log for the action with ID 1, specify a parameter list as follows:

Get Tanium Action Log[1,10] from all machines

For more details, see Tanium Console User Guide: Example: Parameterized sensors.

Questions with filters

You can use filters to create questions that target fewer endpoints than the default all machines. For example, the following advanced question targets only endpoints that have a specific process name or value.

Figure  6:  Question filter

The left side (get clause) is a complete and valid query; the right side contains a filter: the from all machines with expression. Filters in the from clause are the first part of a question that an endpoint processes. If the endpoint data does not match the filter, the endpoint does not process the question any further. If the question has multiple filters, the endpoint evaluates each filter. The filter expression must evaluate to a Boolean true or false. For example, the expression from all machines with Running Processes contains explore evaluates to true if the specified string matches the result string, or false if it does not. If a filter evaluates to true, the endpoint runs the sensors on the left side of the question and returns the results.

A parameterized sensor like File Exists[] returns the result File Exists: Filename or File does not exist, so be careful how you enter the sensor in a filter expression.

Figure  7:  Example: Question with parameterized sensor

The filter expression from all machines with File Exists["C:\Program Files\PuTTY\putty.exe"] contains "Exists" evaluates to true when the result is File Exists: C:\Program Files\PuTTY\putty.exe and false when the result is File does not exist, so you can use it to filter the set of responses.

Figure  8:  Example: Filter with parameterized sensor

Filter expressions can match strings or regular expressions. The following table describes the supported filter operators as they appear when you use the Question Builder. The table also describes how some operators are normalized after you load them from the Question Builder or enter the expressions in the Ask a Question field.

 Table 1: Filter operators
Filter operator Usage
contains Sensor value contains the specified string.

Example: running processes contains "explore"

does not contain Sensor value does not contain the specified string.
starts with Sensor value starts with the specified string.

Example: starts with "explore"

When you load the question, the expression is translated to a regular expression using the matches operator.

does not start with Sensor value does not start with the specified string.
ends with Sensor value ends with the specified string.

Example: ends with "explore.exe"

When you load the question, the expression is translated to a regular expression using the matches operator.

does not end with Sensor value does not end with the specified string.
matches Sensor value matches the specified regular expression (in Boost syntax).
does not match Sensor value does not match the specified regular expression.
in Sensor value matches one of the specified strings. Use commas without spaces to separate the strings. When you load the question, the expression shown in the question field uses equals and or operators in place of in.

Example: The filter in "10.10.10.10,10.10.10.11" in the Question Builder becomes IP Address equals 10.10.10.10 or IP Address equals 10.10.10.11 when you load the question.

is equal to Sensor value is equal to the specified value or string. When you load the question, the expression shown in the question field uses equals in place of is equal to.
is not equal to Sensor value is not equal to the specified value or string. When you load the question, the expression shown in the question field uses not equals in place of is not equal to.
is less than Sensor value is less than the specified value. When you load the question, the expression shown in the question field uses a symbol (<) in place of the operator words.

Example: installed application version[chrome] < 12

is less than or equal to Sensor value is less than or equal to the specified string. When you load the question, the expression shown in the question field uses symbols (<=) in place of the operator words.

Example: installed application version[chrome] <= 12

is greater than Sensor value is greater than the specified value. When you load the question, the expression shown in the question field uses a symbol (>) in place of the operator words.

Example: installed application version[chrome] > 12

is greater than or equal to Sensor value is greater than or equal to the specified string. When you load the question, the expression shown in the question field uses symbols (>=) in place of the operator words.

Example: installed application version[chrome] >= 12

See Reference: Advanced question syntax for examples of complex filter expressions, including questions with multi-column sensors.

Question expiration

When Tanium Cloudthe Tanium Server issues a dynamic or saved question, it remains open (not expired) for 10 minutes on the targeted Tanium Clients. After a client returns values for the sensors in the question, if the values change while the question is open, that client returns the updated values. For example, if a client initially returns 50% for a question with the CPU Consumption sensor and consumption subsequently increases to 75% within the 10-minute interval, the client then returns 75%. Clients check every 10 seconds to determine whether sensor values have changed.

While a question is open, Tanium Clients evaluate the age of the results for each sensor to determine whether to return cached results or to reexecute the sensors for fresh results when answering subsequent questions that use the same sensors. See Maximum Data Age.

The expiration interval is 30 minutes for questions that the Tanium™ Data Service issues to collect data for registered sensors. See Tanium Console User Guide: Manage sensor results collection.

For each question, Tanium Cloudthe Tanium Server assigns an identifier (ID) that appears in the URL field of your browser when the Question Results page opens. For example, in the URL https://10.20.30.40/#/interact/q/376, the question ID is 376. The question and its ID expire 10 minutes after the question is issued, at which point the URL becomes invalid. This means you can refresh the page or share a link to its URL only within that 10-minute period. If you navigate to the URL after 10 minutes, Interact displays a Question Expired message and Copy Question button. Clicking the button reissues the question.

Saved questions

Saved questions are questions that you can reissue without reconstructing them in the Interact Ask a Question field. They are configuration objects for which you can define reissue intervals, access permissions, associated packages, and other settings. You can issue saved questions manually or based on a schedule. You can also issue saved questions through Tanium modules or through custom applications that use the Tanium XML API. For example, you can use Tanium™ Connect to periodically issue a saved question and send the results to an external server. You create saved questions by issuing a dynamic question through the Ask a Question field and saving it. Tanium solutions that you import also provide predefined saved questions. The Interact module organizes saved questions under dashboards and organizes dashboards under categories. Each category, dashboard, and saved question is assigned to one content set.

Dashboard

A dashboard is a group of saved questions that are related with respect to the information that they retrieve from endpoints. For example, the predefined Hardware Inventory dashboard contains questions that retrieve CPU, disk, memory, and BIOS information. You can issue all the questions in a dashboard simultaneously.

Category

A category is a group of dashboards. It serves as an umbrella term for questions that you use for a particular purpose. For example, the Security category includes multiple dashboards that contain security-related questions.

Content set

A content set is a group of saved questions, dashboards, categories, and other content to which you apply user role permissions to control access. Tanium solutions provide several predefined content sets. You can also create custom content sets. For details and related tasks, see Managing content sets.

Questions results

After you issue a dynamic question, the Question Results page opens and displays a grid with the answers (results) from endpoints. The page facilitates analyzing the results by providing display options such as live updates, filters, and charts. For details and related procedures, see Managing question results.

Actions

After you use Tanium Interact to issue a question, analyze the question results, and determine which endpoints require administrative action, you can deploy a package to those endpoints so that the Tanium Client can run the associated action. For the procedure, see Deploying actions.

Interoperability with other Tanium products

API Gateway

Interact includes the Tanium Data Service, which is a service that enables you to see stored sensor results for endpoints that are offline at the moment you issue a question. You can use Tanium™ API Gateway to access data from the Tanium Data Service API. For information about what features are available through API Gateway, refer to the API Gateway schema reference.

Reporting

Interact provides access to the Endpoint Details page in Tanium™ Reporting, where you can view comprehensive information about a single endpoint and manage the endpoint. To access the page, see Search endpoints. For more information about endpoint details, see Tanium Reporting User Guide: Viewing and managing a single endpoint.