In a Tanium™ deployment, asking questions is a fundamental interaction with endpoints.
Tanium questions help you get key pieces of information from managed enterprise endpoints.
The Ask a Question feature is built on a natural language parser that enables you to get started with natural questions rather than a specialized query language. You do not need to enter questions as complete sentences or particularly well formed inquiries. Word forms are not case sensitive and can even include misspellings. The parser interprets your input and suggests a number of valid queries that you can use to formalize the question that is sent to Tanium™ Clients.
The following figure shows an example of how natural language input is parsed into proposed queries. First, the user enters the fragment last logged in user and clicks Search. In response, Interact returns a list of queries cast in valid syntax.
Basic questions include:
- one or more sensor names in the get clause.
- all machines (in other words, all Tanium Client host computers) in the from clause.
Advanced questions include filter clauses and parameterized sensors.
In essence, a sensor is a script that is executed on an endpoint to compute a response to a Tanium question. Sensors are distributed to clients during registration. Sensors enable you to ask questions about:
- Hardware/software inventory and configuration
- Running applications and processes
- Files and directories
- Network connections
The Initial Content that is imported during the Tanium Server installation includes sensors to support a wide range of common questions. Additional sensors may be added when you import additional Tanium content packs and Tanium solution modules. If you cannot find a sensor you need within Tanium-provided content, you can create user-defined sensors.
For more information, see Sensors.
A counting question is designed to return results that can be meaningfully counted. A counting question can have only one sensor. For example, Get Tanium Client Logging Level from all machines is a counting question. The sensor returns the value of the LogVerbosityLevel setting. When a managed endpoint is prompted to add its answer to the answer message, it increments the tally of the answer that its value matches. The Tanium Server maintains a table of answer strings. In many cases, like logging level, there are just a few common answers, so the question has a relatively small footprint.
A non-counting question has sensors that return unique strings. For example, Get Tanium Client IP Address from all machines returns IP addresses, which are unique. When a Tanium Client is prompted to add its answer to the answer message, it adds a new string. On the Tanium Server, the data footprint for a non-counting question can be quite large.
When using the Question Builder to construct a question, you have the option to convert a counting question to a non-counting question for cases where a counting question returns the too many results answer.
Use the AND operator in the get clause to specify multiple sensors. Results are grouped by the first sensor, then by the next sensor, and so on. The following example shows a question that uses multiple sensors.
A parameterized sensor accepts a value specified at the time the question is asked. The following example shows the File Exists sensor. The parser prompts you to specify a file path and file name.
Another example is the High CPU Processes sensor. You can specify a parameter that is the number of CPU processes to return from each machine. Let's say you want to get the top 5 highest CPU utilizing processes. The question has the following syntax:
Get High CPU Process from all machines
For sensors with multiple parameters, you can pass an ordered list separated by a comma. For example, if you want to get the results of Tanium Action Log number 1 and get 10 lines of results, specify a parameter list as shown in the following example:
Get Tanium Action Log[1,10] from all machines
You can use filters to craft questions that target fewer computers than "all machines". You often want to work with a set of computers that have a specific process name or value.
This is an example of an advanced question. The left side is a complete and valid query; the right side contains a filter—the "from all machines with" expression.
Filters in the from clause are the first part of a question that gets processed by the endpoint. If the endpoint data does not match the filter, then the endpoint does not process the question any further. If there are multiple filters, each filter is processed and evaluated. If the evaluation is true, then the sensors on the left side of the question are also executed and returned.
The filter expression on the right side must evaluate to a Boolean true or false. For example, the expression with Running Processes contains explore evaluates to true if the specified string matches the result string, or false if it does not.
A parameterized sensor like File Exists returns a string "File Exists: Filename" or "File does not exist", so you must be careful how you cast it in a filter expression.
The filter expression with File Exists[c:\a.txt] containing "Exists" evaluates to true when the result is "File Exists: c:\a.txt" and false when the result is "File does not exist", so it can be used to filter the set of responses.
Filter expressions can match strings or regular expressions. The following table describes the supported filter operators as they appear when you use the Question Builder. The table also describes how some operators are normalized after you load them from the Question Builder or enter the expressions in the question bar.
Sensor value contains the specified string.
Example: running processes contains "explore"
|does not contain||Sensor value does not contain the specified string.|
|starts with||Sensor value starts with the specified string.
Example: starts with "explore"
|does not start with||Sensor value does not start with the specified string.|
Sensor value ends with the specified string.
Example: ends with "explore.exe"
|does not end with||Sensor value does not end with the specified string.|
|matches||Sensor value matches the specified regular expression (in Boost syntax).|
|does not match||Sensor value does not match the specified regular expression.|
|in||Sensor value matches one of the specified strings. Use commas without spaces to separate the strings. When you load the question, the expression shown in the question bar uses equals and or operators in place of in.
Example: The filter in "10.10.10.10,10.10.10.11" in the Question Builder becomes IP Address equals 10.10.10.10 or IP Address equals 10.10.10.11 when you load the question.
|is equal to||Sensor value is equal to the specified value or string. When you load the question, the expression shown in the question bar uses equals in place of is equal to.|
|is not equal to||Sensor value is not equal to the specified value or string. When you load the question, the expression shown in the question bar uses not equals in place of is not equal to.|
|is less than||
Sensor value is less than the specified value. When you load the question, the expression shown in the question bar uses a symbol (<) in place of the operator words.
Example: installed application version[chrome] < 12
|is less than or equal to||
Sensor value is less than or equal to the specified string.
When you load the question, the expression shown in the question bar uses symbols (<=) in place of the operator words.
Example: installed application version[chrome] <= 12
|is greater than||
Sensor value is greater than the specified value.
When you load the question, the expression shown in the question bar uses a symbol (>) in place of the operator words.
Example: installed application version[chrome] > 12
|is greater than or equal to||
Sensor value is greater than or equal to the specified string. When you load the question, the expression shown in the question bar uses symbols (>=) in place of the operator words.
Example: installed application version[chrome] >= 12
See Reference: Advanced question syntax for examples of complex filter expressions.
The Question Builder is another way to create a question. It has form fields to help you complete the get statement and the from clause, including any filters.
You can launch the Question Builder in either of the following ways:
- In the Ask a Question box, click Question Builder in the top-right corner.
- After you ask a question and want to refine it, click Copy to Question Builder.
The following figure shows the Question Builder.
The first text box is for sensor names. Start typing and then use the typeaheads to select sensors.
Alternatively, you can click Browse all Sensors to open the Browse Sensors dialog box and select sensors. When you use the dialog box, you can review sensor descriptions.
For a sensor that produces data across multiple Question Results columns, you can add filters based on column data matches. In the Question Builder, click Add Filter below the sensor field to configure a filter.
You can select matching operators and specify regular expressions to match strings. To match on substrings, select the Substring box and specify a starting position (where 0 is the first position) and number of characters.
If you add a filter in either the get statement and from clause, you can specify advanced options.
In the from clause, you can configure multiple filters, including nested filters. For example, suppose you wanted to investigate the web browsers installed on computers. You can use Boolean ANDs and ORs in the from clause to target "modern" browsers.
Click + and use the controls to add filter conditions:
- Add Row
Add one or more conditions.
- Add Group
Select this option to nest a Boolean operator and then use Add Row to build the nested expression.
Advanced Question Options
Tanium Server 7.3.314.3639 and later provides Advanced Question Options in the Question Builder.
Enabling Force Computer ID converts a counting question into a non-counting question by forcing Tanium Clients to include the computer ID in their answers. Converting to a non-counting question is a workaround that resolves cases where a counting question returns the too many results answer. For details, see the KB article Troubleshooting Errors / Informational Messages (too many results message). The following figure shows the results for a question converted to a non-counting question.
The following figure shows the results for the same question issued as a counting question.
When a dynamic or saved question is issued, the question is assigned a question ID. In your web browser, you will notice the question ID in the URL.
The question ID "expires" after 10 minutes, and its corresponding URL becomes invalid. This means that for up to 10 minutes, you can refresh the page or share the link. After 10 minutes, if you navigate to the link, Interact displays a message indicating the question has expired, and it gives you the option to copy the question text to the Question Bar so you can reissue it.
Go to Administration > Question History to review a chronology of questions that have been issued. By default, an entry for a question is maintained in the chronology for 7 days. You can change the default limit with the global setting SOAPQuestionHistoryLimitInDays.
You can use the Question History to review question syntax and the question expiration timestamps. You can also copy the question to the Question Bar or Question Builder.
You must be assigned a role with the Read Question History (Micro Admin) permission to see the Question History page. However, a user with only the microadmin permission cannot load a question from the Question History page. Users assigned the Administrator reserved role can see the Question History page and load a question from the page.
You must be assigned the Show Interact module permission to see the Ask a Question bar and the Question Builder. You must also have the Ask Dynamic Questions permission (can be assigned in any advanced role). The sensors available for questions are determined by Read Sensor content set permissions.
The Administrator reserved role has all of these permissions. The Content Administrator role has all except the Show Interact module permission. Be sure to explicitly assign the Interact permission.
Last updated: 2/22/2019 1:21 PM | Feedback