Interact overview

Use Tanium Interact to issue questions to managed endpoints, analyze their answers, and deploy actions to the endpoints based on the answers. Although it is licensed as part of the Tanium Core Platform, Interact is a Tanium module, so you can update it separately from Tanium Console and the Tanium Server.

What is a question?

A Tanium question is a query that you issue from Tanium Cloud or the Tanium Server to managed endpoints. The endpoints return answers that you can see on the Question Results page. A dynamic question is one that you create and issue through the Ask a Question or Question Builder features in Interact. A saved question is a configuration object that enables you to reissue a question without recreating it through those features.

The Ask a Question feature is built on a natural language parser that enables you to get started with natural questions rather than a specialized query language. You do not need to enter questions as complete sentences or strictly well-formed inquiries. Word forms are not case sensitive and can even include misspellings. The parser interprets your input and suggests a number of valid queries that you can use to formalize the question that is sent to Tanium Clients. Interact provides the Ask a Question feature as a field at the top of the Interact Overview page, the Tanium Home page, and the Quick Search bar in the Console header.

The following figure shows an example of how Interact uses the natural language parser to propose valid queries based on user input. After the user types the fragment last logged, Interact returns a list of queries cast in valid syntax.

Figure 1: Natural language parser

Questions have a get clause that specifies the information to retrieve and a from clause that specifies the target endpoints. Basic questions include the following:

  • One or more sensor names (such as Last Logged In User) in the get clause
  • From all machines (all endpoints that host the Tanium Client) in the from clause

Advanced questions include reserved words or characters (such as match or $), regular expressions, filters, or advanced options.

For the steps to issue questions, see Asking questions and searching endpoints. For example questions and details about question syntax, see Reference: Example questions and Reference: Advanced question syntax.

What is a sensor?

A sensor is a script that runs on an endpoint to compute an answer to a Tanium question. Tanium Cloud or the Tanium Server distributes sensors to endpoints during Tanium Client registration. Sensors enable you to ask questions that collect information such as the following:

  • Hardware and software inventory and configuration
  • Running applications and processes
  • Files and directories
  • Network connections

After all the sensors in a question compute answers, Tanium Clients return the answers to Tanium Cloud or the Tanium Server. Interact then shows the answers, called results, in grid format on the Question Results page. Each sensor result provides one or more rows and columns of information that the grid aggregates according to whether you issued a counting or non-counting question (see Counting and non-counting questions).

Operating System is an example of a sensor that returns a single row and column for each unique result from endpoints. An additional Count column indicates how many endpoints returned each result.

The Count column does not appear if its value is 1 for every result.

Operating System sensor

IP Address is an example of a sensor that can return multiple rows for one endpoint if the endpoint has multiple interfaces and a mix of IPv4 and IPv6 addresses.

IP Address sensor

Installed Applications is an example of a sensor that returns multiple rows and columns for each endpoint: one row for each application on the endpoint and two columns to indicate the application name and version.

Installed Applications sensor

If the question has multiple sensors, the Question Results grid shows their results in separate columns. If one of the sensors provides multiple columns, the column headings show the sensor name above the column names. In the following example, the Installed Applications sensor provides the application Name and Version columns. For more information about multi-sensor questions, see Questions with multiple sensors.

To filter multi-column sensors by the values in a particular column, see Use sensor column filters.

Multi-sensor question

Tanium Cloud provides, and the Tanium Server automatically imports, initial content that includes sensors for a wide range of common questions (see Tanium Console User Guide: Content-only solutions). Other Tanium solutions that you import might provide more sensors. If you cannot find a sensor that you need within Tanium-provided content, you can create custom sensors.

To view, create, or edit sensor configurations, see Tanium Console User Guide: Managing sensors.

For details on manipulating and analyzing sensor results, see Managing question results.

Counting and non-counting questions

The Interact Question Results grid aggregates results differently based on whether you issued a counting or non-counting question. For a counting question, the Count column shows how many endpoints returned the same unique value in a result that has one or more values for a single sensor. For a non-counting question, the Count shows how many endpoints returned all the same values in all the results of one or more sensors. Results aggregation describes this Count distinction in detail.

The Question Results page automatically shows a Count column if its value exceeds 1 for any row and hides the column otherwise. To manually show or hide the column, click Customize Columns in the Question Results toolbar and select (show) or clear (hide) the Count check box.

A question with multiple sensors in its get clause is always a non-counting question. A question with one sensor in its get clause is a counting question by default but you can convert it to a non-counting question (see Convert counting questions to non-counting questions). Before you issue a single-sensor question, consider the following ramifications of counting and non-counting questions.

Results aggregation

The Question Results grid presents results the same way for a counting or non-counting question if each endpoint provides only one value for the result of a single sensor. Each grid row shows one unique value and the Count of endpoints that returned the value. Operating System is an example of a single-value sensor.

Operating System sensor

The Installed Applications sensor is an example of a sensor that includes multiple sets of values from each endpoint. Each set is the name and version of an application and the result includes as many sets as the endpoint has applications. The Question Results grid presents the results of a multi-value sensor differently for non-counting and counting questions:

  • Non-counting question

    Each grid row shows the Count of endpoints that return all the same value sets in a result. In the following example, a non-counting question is useful if you want to know how many endpoints have all the same application versions.

  • Counting question

    Each grid row shows the Count of endpoints that return the same unique value set. In the following example, a counting question is useful if you want to know how many endpoints have a particular application version, regardless of whether any endpoints share all the same application versions. The grid shows how many endpoints have Microsoft Remote Desktop version 10.6.1 and how many have Microsoft Silverlight 5.1.5.0918.0, but the grid does not show how many endpoints have both.

    Installed Applications sensor
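The two aggregation modes described above, simulated over constructed Installed Applications rows. This is an added example, not Tanium code: the Computer IDs, the application rows, and the assumption that row order inside a result does not matter are made up for the simulation.

```python
from collections import Counter
from typing import Dict, List, Tuple

AppRow = Tuple[str, str]  # (application name, version): one row per installed application

# Constructed sample: Installed Applications rows per endpoint, keyed by a
# made-up Computer ID. Endpoints 1001 and 1002 return the same application set.
SAMPLE_RESULTS: Dict[int, List[AppRow]] = {
    1001: [("Microsoft Remote Desktop", "10.6.1"), ("Microsoft Silverlight", "5.1.5.0918.0")],
    1002: [("Microsoft Silverlight", "5.1.5.0918.0"), ("Microsoft Remote Desktop", "10.6.1")],
    1003: [("Microsoft Remote Desktop", "10.6.1")],
    1004: [("Microsoft Silverlight", "5.1.5.0918.0"), ("Microsoft Remote Desktop", "10.5.0")],
}


def counting_grid(results: Dict[int, List[AppRow]]) -> Dict[AppRow, int]:
    """Counting question: one grid row per unique value set (name, version).
    Count is the number of endpoints whose result contains that set, so the
    grid answers "how many endpoints have this application version" but not
    how many endpoints share the rest of their application list."""
    counts: Counter = Counter()
    for rows in results.values():
        for row in set(rows):  # an endpoint is counted once per unique row it returns
            counts[row] += 1
    return dict(counts)


def non_counting_grid(results: Dict[int, List[AppRow]]) -> Dict[Tuple[AppRow, ...], int]:
    """Non-counting question: one grid row per distinct complete result.
    Count is the number of endpoints that returned all the same value sets.
    Assumption for this simulation: the order of rows inside a result is ignored."""
    counts: Counter = Counter()
    for rows in results.values():
        counts[tuple(sorted(set(rows)))] += 1
    return dict(counts)


def count_column_visible(grid: Dict[object, int]) -> bool:
    """The Question Results page shows the Count column only when some row has a
    Count above 1; if every row has a Count of 1 the column is hidden."""
    return any(count > 1 for count in grid.values())


if __name__ == "__main__":
    for label, grid in (("counting", counting_grid(SAMPLE_RESULTS)),
                        ("non-counting", non_counting_grid(SAMPLE_RESULTS))):
        print(f"{label}: {len(grid)} rows, Count column shown={count_column_visible(grid)}")
        for key, count in sorted(grid.items(), key=lambda kv: -kv[1]):
            print(f"  {count:>3}  {key}")
```

The counting grid reports 3 endpoints with Microsoft Remote Desktop 10.6.1 and 3 with Microsoft Silverlight 5.1.5.0918.0, while only the non-counting grid reveals that exactly 2 endpoints have both and nothing else.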

Results readability and network traffic

The Question Results grid might show more rows than you can effectively review for a non-counting question. For example, if your network has five operating systems (OSs) across 10,000 endpoints, the grid would show 10,000 rows for the non-counting question Get?forceComputerIdFlag=1 Operating System from all machines because each result includes the Computer ID along with the Operating System of each endpoint. In this case, if the only important information is the count of endpoints that run each OS, you could issue the counting question Get Operating System from all machines and the grid would be more readable with only five rows to review. In this example, the counting question would also generate much less network traffic for Tanium Cloud or the Tanium Server to process because the endpoints return only five result strings.

Merge questions

You can select only a non-counting question for a merge operation on question results. See Merge questions.

Recent results

Tanium Cloud or the Tanium Server stores question results as recent results only for non-counting saved questions. The Question Results page shows recent results when live results are unavailable, such as when the answering endpoints are offline. For details, see Display results for online and offline endpoints.

[too many results] message

The Question Results page shows [too many results] to indicate that more results are available but Tanium Clients will not return the additional results. If a counting question returns this message, converting it to a non-counting question might resolve the issue. See Too many results.

Convert counting questions to non-counting questions

Specify the Force Computer ID option to issue a single-sensor question as a non-counting question. This option compels endpoints to return results for the Computer ID sensor along with the results for the sensor that you specify in the question. Tanium Cloud or the Tanium Server stores the Computer ID results but the Question Results page shows only the results for the sensor that you specify in the question. Specify the Force Computer ID option through one of the following methods:

Questions with multiple sensors

When you construct a question, use the AND operator in the get clause to specify multiple sensors. The Question Results page groups results by the first sensor, then by the next sensor, and so on, as the following example illustrates. For details about how the Question Results page shows sensor results across multiple columns, see What is a sensor?.

Figure 2: Question with multiple sensors

Questions with parameterized sensors

A parameterized sensor uses a value that you specify when entering the question in the Ask a Question field or Question Builder. The following example shows the Registry Value Data sensor. Tanium Interact prompts you to specify a registry path and value.

Figure 3: Parameterized sensor

Another example is the High CPU Processes sensor. You can specify a parameter that is the number of CPU processes to return from each machine. For example, you might want to get the 5 processes with the highest CPU utilization. The question has the following syntax:

Get High CPU Process[5] from all machines

For sensors with multiple parameters, you can specify an ordered list of comma-separated parameters. For example, to see the first 10 lines from the action log for the action with ID 1, specify a parameter list as follows:

Get Tanium Action Log[1,10] from all machines

For more details, see Tanium Console User Guide: Example: Parameterized sensors.

Questions with target filters

You can use a filter in the from clause of a question to target fewer endpoints than the default all machines. For example, the following question targets only endpoints where CPU consumption exceeds 80%.

Figure 4: Question target filter

Filter in from clause

To filter the get clause of a question, see Use question filters.

Filters in the from clause are the first part of a question that an endpoint processes. If the endpoint data does not match the filter, the endpoint does not process the question any further. If the question has multiple filters, the endpoint evaluates each filter. The filter expression must evaluate to a Boolean true or false. For example, the expression from all machines with CPU Consumption > 80% evaluates to true if CPU consumption exceeds 80% on the endpoint and evaluates to false otherwise. If a filter evaluates to true, the endpoint runs the sensors in the get clause of the question and returns the results.

A parameterized sensor like File Exists[] returns the result File Exists: <file name> or File does not exist, so be careful how you enter the sensor in a filter expression. The filter expression from all machines with File Exists["C:\Program Files\PuTTY\putty.exe"] contains "Exists" evaluates to true when the result is File Exists: C:\Program Files\PuTTY\putty.exe and false when the result is File does not exist, so you can use it to filter the set of responses.

Figure 5: Example: Filter with parameterized sensor

Filter expressions can match strings or regular expressions. For details on the supported filter operators and examples of complex filter expressions, see Reference: Advanced question syntax.
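An added simulation (not Tanium Client code) of the evaluation order described in this section: from-clause filters are evaluated first, and the get-clause sensors run only on endpoints whose filters all evaluate to true. The endpoint names, the sensor values, and the case-insensitive contains operator are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PUTTY_SENSOR = 'File Exists["C:\\Program Files\\PuTTY\\putty.exe"]'

# Constructed endpoint data: what each sensor would return on that endpoint.
# Real sensors are scripts the Tanium Client runs; these values are fabricated.
ENDPOINTS: Dict[str, Dict[str, str]] = {
    "host-a": {"CPU Consumption": "92%", "Operating System": "Windows 10",
               PUTTY_SENSOR: "File Exists: C:\\Program Files\\PuTTY\\putty.exe"},
    "host-b": {"CPU Consumption": "35%", "Operating System": "Windows 11",
               PUTTY_SENSOR: "File does not exist"},
    "host-c": {"CPU Consumption": "85%", "Operating System": "Ubuntu 22.04",
               PUTTY_SENSOR: "File does not exist"},
}


@dataclass(frozen=True)
class Filter:
    sensor: str   # sensor whose result is tested
    op: str       # ">", "contains" or "matches"
    value: str


def evaluate(result: str, flt: Filter) -> bool:
    """Every filter expression must reduce to a Boolean true or false."""
    if flt.op == ">":
        return float(result.rstrip("%")) > float(flt.value.rstrip("%"))
    if flt.op == "contains":
        return flt.value.lower() in result.lower()  # assumed case-insensitive
    if flt.op == "matches":
        return re.search(flt.value, result) is not None
    raise ValueError(f"unsupported operator {flt.op!r}")


def answer_question(get_sensors: List[str], filters: List[Filter],
                    endpoint: Dict[str, str]) -> Tuple[Optional[Dict[str, str]], List[str]]:
    """Process one question on one endpoint. Returns (results, sensors_run):
    results is None when a from-clause filter is false, in which case none of
    the get-clause sensors run and the endpoint returns nothing."""
    sensors_run: List[str] = []
    for flt in filters:
        sensors_run.append(flt.sensor)  # the filter's own sensor must run to be evaluated
        if not evaluate(endpoint[flt.sensor], flt):
            return None, sensors_run
    results: Dict[str, str] = {}
    for sensor in get_sensors:
        sensors_run.append(sensor)
        results[sensor] = endpoint[sensor]
    return results, sensors_run


def ask(get_sensors: List[str], filters: List[Filter],
        endpoints: Dict[str, Dict[str, str]] = ENDPOINTS) -> Dict[str, Dict[str, str]]:
    """Issue the question to every endpoint; only endpoints passing all filters answer."""
    answers = {}
    for name, data in endpoints.items():
        results, _ = answer_question(get_sensors, filters, data)
        if results is not None:
            answers[name] = results
    return answers


if __name__ == "__main__":
    # Get Operating System from all machines with CPU Consumption > 80%
    print(ask(["Operating System"], [Filter("CPU Consumption", ">", "80%")]))
    # ... with File Exists["..."] contains "Exists": "File does not exist" never matches
    print(ask(["Operating System"], [Filter(PUTTY_SENSOR, "contains", "Exists")]))
```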

Question expiration

When Tanium Cloud or the Tanium Server issues a dynamic or saved question, it remains open (not expired) for 10 minutes on the targeted endpoints. Upon receiving a question, the Tanium Client on each endpoint runs the sensors in the question, stores the results in its client cache, and returns the results to the server. If the client reruns a sensor from the question during the 10-minute expiration interval, the client returns the fresh result of that sensor to the server. The frequency at which the client reruns any particular sensor depends on the Max Sensor Age setting in the sensor configuration. The setting determines the maximum time for which the client returns a cached result when answering questions, instead of rerunning the sensor for a fresh result.

For example, if the Max Sensor Age is 8 minutes, the client runs the sensor twice: first upon receiving the question and then again after 8 minutes. If the client receives another question between those two instances, the client returns a cached result instead of rerunning the sensor. If the Max Sensor Age exceeds 10 minutes, the client runs the sensor only once before the question expires.

For details about the Max Sensor Age setting and how to configure it, see Tanium Console User Guide: Max Sensor Age.

The expiration interval is 30 minutes instead of 10 for questions that Tanium Cloud or the Tanium Server issues to collect results for sensors that are registered with Tanium™ Data Service. See Sensor results caching and updates.
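An added simulation (not Tanium Client code) of the Max Sensor Age behaviour in the example above, run against both the default 10-minute window and the 30-minute window used for sensors registered with Tanium Data Service. Whole-minute timing and treating the question as open for minutes 0 through 9 are assumptions of the model.

```python
from typing import List, Optional, Tuple

QUESTION_OPEN_MINUTES = 10       # default expiration interval for a question
DATA_SERVICE_OPEN_MINUTES = 30   # interval for sensors registered with Tanium Data Service


class SimulatedClient:
    """One sensor's cache on a simulated Tanium Client. Time is in whole minutes."""

    def __init__(self, max_sensor_age: int) -> None:
        self.max_sensor_age = max_sensor_age
        self.last_run: Optional[int] = None
        self.runs: List[int] = []

    def cache_age(self, now: int) -> Optional[int]:
        return None if self.last_run is None else now - self.last_run

    def answer(self, now: int) -> str:
        """Answer a question at minute `now`: rerun the sensor if the cached
        result is at least Max Sensor Age old, otherwise serve the cache."""
        age = self.cache_age(now)
        if age is None or age >= self.max_sensor_age:
            self.last_run = now
            self.runs.append(now)
            return "fresh"
        return "cached"


def simulate(max_sensor_age: int, extra_question_at: Optional[int] = None,
             open_minutes: int = QUESTION_OPEN_MINUTES) -> Tuple[List[int], Optional[str]]:
    """Issue one question at minute 0 that stays open for `open_minutes`.
    While it is open, the client reruns the sensor whenever the cache reaches
    Max Sensor Age and returns the fresh result. A second question can arrive
    at `extra_question_at`; the returned string says whether it was answered
    from cache. Assumption: the window covers minutes 0..open_minutes-1."""
    client = SimulatedClient(max_sensor_age)
    extra_answer = None
    for minute in range(open_minutes):
        age = client.cache_age(minute)
        if age is None or age >= max_sensor_age:
            client.answer(minute)            # (re)run and return a fresh result
        if minute == extra_question_at:
            extra_answer = client.answer(minute)
    return client.runs, extra_answer


if __name__ == "__main__":
    print(simulate(8))                        # ([0, 8], None): runs twice before expiry
    print(simulate(8, extra_question_at=5))   # ([0, 8], 'cached'): second question served from cache
    print(simulate(12))                       # ([0], None): Max Sensor Age > 10, sensor runs once
    print(simulate(8, open_minutes=DATA_SERVICE_OPEN_MINUTES))  # ([0, 8, 16, 24], None)
```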

For each question, Tanium Cloud or the Tanium Server assigns an identifier (ID) that appears in the URL field of your browser when the Question Results page opens. For example, in the URL https://10.20.30.40/#/interact/q/376, the question ID is 376. The question and its ID expire 10 minutes after the question is issued, at which point the URL becomes invalid. This means you can refresh the page or share a link to its URL only within that 10-minute period. If you navigate to the URL after 10 minutes, Interact displays a Question Expired message and Copy Question button. Clicking the button reissues the question.

Saved questions

Saved questions are questions that you can reissue without reconstructing them in the Interact Ask a Question field or Question Builder. They are configuration objects for which you can define reissue intervals, access permissions, associated packages, and other settings. You can issue saved questions manually or based on a schedule. You can issue saved questions through Tanium solutions or through custom applications that use the Tanium XML API. For example, you can use Tanium™ Connect to periodically issue a saved question and send the results to an external server.

Tanium solutions that you import provide predefined saved questions. You can also create a saved question by issuing a dynamic question through the Ask a Question field or Question Builder and then saving the question. To view, create, edit, issue, or delete saved questions, see Managing saved questions. To control which saved questions appear as favorites on the Tanium Home page, see Tanium Console User Guide: Work with favorite Interact categories, dashboards, and saved questions.

Each saved question is assigned to one content set. You control access to saved questions by assigning content set permissions to user roles. For details about the roles and permissions required to manage saved questions, see Tanium Console User Guide: Manage saved questions. For details about content sets, see Tanium Console User Guide: Managing content sets.

Tanium Reporting provides the following advantages over saved questions, and Interact dashboards of saved questions, for viewing results from sensors that are registered with Tanium Data Service:

  • Fresh results: For online endpoints, results that you see in Reporting are never stale because Tanium Data Service reissues questions every 30 minutes and the questions remain open for that entire interval. By contrast, results from saved questions become stale if the associated values on endpoints change after the 10-minute question expiration interval but before the next reissue interval. See Question expiration.

  • Offline endpoint data: For offline endpoints, you can see results in Reporting for up to 30 days (the storage duration for registered sensors), whereas Tanium Cloud or the Tanium Server stores the results of saved questions for only 7 days. See Display results for online and offline endpoints.

Reporting shows results in reports and on the Explore Data page. See Tanium Reporting User Guide: Working with reports.

You must register sensors with Tanium Data Service before their results appear in Reporting. See Register or unregister sensors for collection.

Interact dashboards and categories

Interact uses dashboards and categories to organize saved questions.

  • Dashboard

    A dashboard is a group of saved questions that are related with respect to the information that they retrieve from endpoints. For example, the predefined Hardware Inventory dashboard contains questions that retrieve CPU, disk, memory, and BIOS information. You can issue all the questions in a dashboard simultaneously. See Issue a dashboard of saved questions.

    Interact dashboards differ from Tanium Reporting dashboards. See Tanium Reporting User Guide: Dashboards.

  • Category

    A category is a group of related dashboards. It serves as an umbrella term for questions that you use for a particular purpose. For example, the Security category includes multiple dashboards that contain security-related questions.

Interact provides predefined dashboards and categories, and you can create your own. To create, edit, reassign, export, or delete dashboards and categories, see Manage categories and dashboards.

Each dashboard and category is assigned to one content set. You control access to dashboards and categories by assigning content set permissions to user roles. For details and related tasks, see Tanium Console User Guide: Managing content sets.

Question results

After you issue a question, the Question Results page opens and displays a grid with the answers (results) from endpoints. The page facilitates analyzing the results by providing display options such as live updates, filters, and charts. For details and related procedures, see Managing question results.

Tanium Cloud or the Tanium Server issues questions automatically at intervals to collect results for sensors that are registered with Tanium Data Service. For details, see Managing Tanium Data Service.

Actions

After you use Interact to issue a question, analyze the question results, and determine which endpoints require administrative action, you can deploy a package to those endpoints so that the Tanium Client can run the associated action. For the procedure, see Deploying actions. For details about packages, see Tanium Console User Guide: Managing packages.

Interoperability with other Tanium products

API Gateway and Tanium Data Service

Interact includes Tanium Data Service, which is a service that enables you to see stored sensor results for endpoints that are offline at the moment you issue a question. You can use Tanium™ API Gateway to access data from the Tanium Data Service API. For information about what features are available through API Gateway, refer to the API Gateway schema reference.

Reporting

Interact provides access to the Endpoint Details page in Tanium™ Reporting, where you can view comprehensive information about a single endpoint and manage the endpoint. To access the page, see Search endpoints. For more information about endpoint details, see Tanium Reporting User Guide: Viewing and managing a single endpoint.