Asking questions and searching endpoints

Use Tanium Interact to ask questions and retrieve information from endpoints. For example, you can ask a question that determines if any endpoints are missing critical security patches. Based on the question results that the endpoints return, you can then deploy actions, such as installing security patches. You can also use the Interact Search Endpoints feature to quickly retrieve comprehensive information about a single endpoint instead of constructing a long question with many sensors.

For an overview of questions and related concepts, see Interact overview. For the user roles and permissions required to ask questions, see User role requirements.

Issue a question through the Ask a Question field

Use the Interact Ask a Question field to quickly construct dynamic questions. The field is particularly useful when you want to issue simple questions, or when you understand Tanium question syntax sufficiently to manually enter advanced questions that involve filters, regular expressions, or operators.

If you want guidance while creating questions, see Issue a question through the Question Builder. For details on question syntax, including how to handle reserved words and characters in question text or sensor names, see Reference: Advanced question syntax.

  1. Go to the Tanium Home page or Interact Overview page.
  2. In the Ask a Question field, enter your question and press Enter, or just move your cursor to the field to open a dropdown list from which to select a recently asked question. Note the following options and behaviors for the field:
    • Interact uses a natural language parser to interpret your entry. The question text can be in natural English and does not require complete sentences, case sensitivity, or strictly correct spelling.
    • Unless you specify a from clause in the question, Interact uses the default from all machines. This default value specifies that all managed endpoints that are members of computer groups assigned to your user account answer the question.
    • For new users, the dropdown list contains a list of common questions. When you return to the Ask a Question field for subsequent questions, the dropdown list shows your most recent questions.
    • Expand a question in the dropdown list to show details for that question, including the average runtime on endpoints and which sensors are used.
    • When you enter a question, the dropdown list displays a set of proposed questions in valid syntax, listed in the order of how closely they approximate your question text. If the proposed questions do not match your entry, add quotation marks around the sensor names (see Use reserved words or characters). Alternatively, click More ways to explore data in the dropdown list to open the Question Builder, which shows how to properly format question text.
    • If your question does not appear in the dropdown list, select the Use enhanced search for option. The natural language parser then examines the question text and shows additional questions.
    • If your question text includes a parameterized sensor, Interact prompts you for the parameters.
  3. After you press Enter or select a question in the dropdown list, the Question Results page opens to show answers from endpoints.

For examples of questions that you can enter in the Ask a Question field, see Reference: Example questions.

For details and tasks relating to question results, see Managing question results.

Issue a question through the Question Builder

The Question Builder provides a guided method for creating a dynamic question. It has form fields to help you complete the get statement and the from clause, including any filters.

Figure 1: Question Builder

  1. Open the Question Builder page:
    • To create a new question, click Build Question beside the Ask a Question field on the Tanium Home page.
    • To refine a question that you already issued, click Copy to Question Builder next to the question field on the Question Results page.
    • You can also access the Question Builder page from the Interact menu, and through the More ways to explore data option in the Ask a Question field.
  2. Click + Add below Get the following data to create the get statement. A row appears with a text field for entering a sensor name.
  3. Start typing in the sensor name field, use the typeaheads to select a sensor, and click Apply.

    Alternatively, click Browse All Sensors below the sensor name field to open the Browse Sensors dialog and select a sensor. The bottom of the dialog displays the Sensor Description.

  4. For a sensor that produces data across multiple Question Results columns, you can add filters based on column data matches. In the Question Builder, click Add filter below the sensor field to configure a filter. By default, filter matching applies to a single column, which you select in the first dropdown list below the sensor name. Note that single-column filtering works only if the sensor definition specifies column delimiters with a single character (such as "|"), not multiple characters (such as "|:"). To apply matching to all the columns for a sensor, select Row Filter.

    You can select matching operators and specify regular expressions to match strings. To match on substrings, select the Substring box and specify a Start position (where 0 is the first position) and number of characters (Length).

  5. (Optional) If you add a filter in the Get the following data or from computers with sections, you can click Advanced Sensor Options below the filter to configure additional settings. See Reference: Advanced sensor options.
  6. To create the from clause, click one of the following buttons below from computers with and then click Apply:
    • + Add: Add one or more conditions that endpoints must match. You can base the matching (Select Attribute) on a Sensor or Computer Group (management group or filter group).
    • + Grouping: Select this option to nest a Boolean operator and then use + Add to build the nested expression.

    You can configure multiple filters, including nested filters. For example, to investigate the web browsers installed on computers, you can select the Boolean AND or OR in the from clause to target modern browsers.

  7. (Optional) Click Advanced Question Options and enable Force Computer Id if you want to convert a single-sensor, counting question into a non-counting question by forcing Tanium Clients to include the computer ID in their answers. Note that the Question Results page does not include the computer ID results when you select this option. Converting to a non-counting question is a workaround that resolves cases where a counting question returns the too many results answer. For details, see Enable or disable live updates.
  8. Click Ask Question to issue the question.

    The Question Results page opens to show the answers from endpoints.

For details and tasks relating to question results, see Managing question results.

Search endpoints

Use the Interact Search Endpoints field to view comprehensive information about a single endpoint as an alternative to issuing a long, complex question. Interact quickly retrieves and displays information for the Search Endpoints feature, even for endpoints that are currently offline, because most of the sensors that collect the information are registered by default with the Tanium Data Service.

The permissions that are required to use the Search Endpoints field are available to the Administrator reserved role, Interact Power User role, and Interact Basic User role.

The Search Endpoints field requires Interact 2.13 or later and Reporting 1.9 or later.

The Search Endpoints field provides two levels of information:

  • Basic information: This includes the results of the following sensors: Computer Name, Tanium Client IP Address, OS Platform, Last Logged in User, and Online status (online or offline).

  • Detailed information: You can open a page that shows a single endpoint view with comprehensive details from dozens of sensors. In addition to the basic information, the detailed information includes data about the endpoint operating system, hardware, primary user, Tanium Client version, processors, installed applications, logical disks, network adapters, and physical disks. If the endpoint is online, you can deploy an action to it from the endpoint view page.

You can also access this information through the Question Results page. See View details for a single endpoint.

  1. Go to the Tanium Home page and click Search Endpoints.
  2. Display basic information about an endpoint by typing its computer name, Tanium Client IP address, or last logged-in user name without pressing Enter.

    Type a partial string to see basic information about multiple endpoints. For example, if you type 10.20.21, a dropdown list shows information about all the endpoints with an IP address that contains those digits.

  3. Click the Computer Name to open the Endpoint Details page, which contains detailed information and provides additional options for exploring or managing the endpoint.

    For information about using the Endpoint Details page, see Tanium Reporting User Guide: Viewing and managing a single endpoint.

View question history

Use the Question History page to manually reissue questions or view a chronology of issued questions, as well as their syntax and other details (such as issuer and expiration time stamp). By default, the Question History page shows questions that were issued in the past 24 hours. You can change the date range to show more entries, or apply filters to limit the entries that appear.

By default, question Expiration date-times are based on the Local Time of the system that you use to access the Tanium Console, but you can switch to Coordinated Universal Time (UTC).

Users require a role with the Question History read permission to see the Question History page. For the permissions that are required to load questions from the page, see Question history.

Reissue a question

To reissue a question, select the question in the grid and click Load. The Tanium Console displays the results in the Question Results page.

Export question history

Export information from the Question History grid as a CSV file to view the information in an application that supports that format. If you have the Administrator reserved role, you can also export the information as a JSON file.

  1. From the Main menu, go to Administration > Content > Question History.
  2. Select rows in the grid to export information only for specific questions. If you want to export information for all questions, skip this step.
  3. Click Export.
  4. (Optional) Edit the default export File Name.

    The file suffix (.csv or .json) changes automatically based on the Format selection.

  5. Select an Export Data option: export information for All questions in the grid or just for the Selected questions.
  6. Select the file Format: CSV (default) or JSON (Administrator reserved role only).
  7. Click Export.

    Tanium Cloud or the Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.
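
An exported Question History CSV can be reviewed offline to see who issued questions and how broadly they were scoped. The following is an added example, not Tanium code: the column headers Issuer and Question Text, the sample rows, and the issuer names are assumptions, so match them to the headers in your own export. It counts questions per issuer and flags those with no from clause (which Interact treats as from all machines) or an unfiltered from all machines.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample of a Question History CSV export. The header names
# (Issuer, Question Text, Expiration) are assumptions; match them to your file.
SAMPLE_EXPORT = """Issuer,Question Text,Expiration
alice,Get Computer Name from all machines,2024-05-01T10:10:00Z
alice,"Get Installed Applications from all machines with OS Platform contains Windows",2024-05-01T10:20:00Z
svc-report,Get Computer Name and OS Platform,2024-05-01T11:00:00Z
bob,Get Last Logged In User from all machines,2024-05-01T23:45:00Z
"""

FROM_CLAUSE = re.compile(r"\bfrom\s+(.+)$", re.IGNORECASE)

def is_fleet_wide(question_text):
    """True when the question targets every endpoint the issuer can reach:
    no from clause (Interact defaults to "from all machines") or an
    unfiltered "from all machines"."""
    match = FROM_CLAUSE.search(question_text.strip())
    if match is None:
        return True
    return match.group(1).strip().lower() == "all machines"

def summarize(csv_text, expected_issuers):
    """Return {issuer: {"total", "fleet_wide", "expected"}} for a CSV export."""
    summary = defaultdict(lambda: {"total": 0, "fleet_wide": 0, "expected": False})
    for row in csv.DictReader(io.StringIO(csv_text)):
        issuer = (row.get("Issuer") or "").strip()
        entry = summary[issuer]
        entry["expected"] = issuer in expected_issuers
        entry["total"] += 1
        if is_fleet_wide(row.get("Question Text") or ""):
            entry["fleet_wide"] += 1
    return dict(summary)

def review_list(summary):
    """Issuers to look at first: not on the expected list and fleet-wide scope."""
    return sorted(i for i, s in summary.items() if not s["expected"] and s["fleet_wide"])

if __name__ == "__main__":
    report = summarize(SAMPLE_EXPORT, expected_issuers={"alice", "svc-report"})
    for issuer, stats in sorted(report.items()):
        print(issuer, stats)
    print("review:", review_list(report))
```
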

Copy question history details

Copy question history details to your clipboard to paste them into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Content > Question History.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy.
    • Copy cell information: Hover over the cell, click Options, and click Copy.