Asking questions

Using Tanium Interact to ask questions enables you to retrieve information from endpoints. For example, you can ask a question that determines whether any endpoints are missing critical security patches. Based on the question results that the endpoints return, you can then deploy actions, such as installing security patches. For an overview of questions and related concepts, see Tanium Interact overview. For the user roles and permissions required to ask questions, see User role requirements.

Issue a question through the Question Bar

The Interact Question Bar provides a text-entry field that you can use to quickly construct dynamic questions. The Question Bar is particularly useful when you want to issue simple questions, or when you understand Tanium question syntax sufficiently to manually enter advanced questions that involve filters, regular expressions, or operators.

If you want guidance while creating questions, see Issue a question through the Question Builder. For details on question syntax, see Reference: Example questions and Reference: Advanced question syntax. For details and tasks relating to question results, see Managing question results.

  1. Go to the Tanium Console home page, Interact Home page, or Interact Content page.
  2. (Interact Content page only) Open the collapsed Question Bar to display the Ask a Question field.
  3. Enter your question in the Ask a Question field at the top of the page.

    Interact uses a natural language parser to interpret your entry. The question text can be in natural English and does not require complete sentences, case sensitivity, or strictly correct spelling.

    Unless you specify a from clause in the question, Interact uses the default from all machines. This default value specifies that all managed endpoints for which you have computer group management rights will answer the question.

  4. Click Search.

    Interact displays a set of proposed questions in valid syntax, listed from top to bottom in the order of how closely they approximate your question text. For example, if you entered last logged in user, the top-most question might be Get Last Logged In User from all machines.

    If your question text includes a parameterized sensor, Interact indicates the number of parameters for each proposed question.

  5. Click a proposed question to issue it. If the question has a parameterized sensor, click Expand, enter the parameter value, and click Go to issue the question.

    The Question Results page opens to display the answers from endpoints.

Issue a question through the Question Builder

The Question Builder provides a guided method for creating a dynamic question. It has form fields to help you complete the get statement and the from clause, including any filters.

Figure 1: Question Builder

  1. Open the Question Builder page:
    • To create a new question, click Question Builder at the top right of the Ask a Question box.
    • To refine a question that you already issued, click Copy to Question Builder below the Question field.
  2. Click + beside Get the following data to create the get statement. A row appears with a text field for entering a sensor name.
  3. Start typing in the sensor name field, use the typeaheads to select a sensor, and click Apply.

    Alternatively, click Browse all Sensors below the sensor name field to open the Browse Sensors dialog and select sensors. When you use the dialog, you can review sensor descriptions.

  4. For a sensor that produces data across multiple Question Results columns, you can add filters based on column data matches. In the Question Builder, click Add Filter below the sensor field to configure a filter. By default, filter matching applies to a single column, which you select in the first drop-down list below the sensor name. Note that single-column filtering works only if the sensor definition specifies column delimiters with a single character (such as "|"), not multiple characters (such as "|:"). To apply matching to all the columns for a sensor, enable Row filter.

    You can select matching operators and specify regular expressions to match strings. To match on substrings, select the Substring box and specify a starting position (where 0 is the first position) and number of characters.

  5. (Optional) If you add a filter in the Get the following data or from computers with sections, you can click Advanced Sensor Options below the filter to configure the following settings:
    Table 1: Advanced Sensor Options

    Case Sensitivity
    Group strings:
    • Ignore case: Group and count result values regardless of differences in upper-case and lower-case characters.
    • Match case: Group and count result values with strict attention to lettercase.

    Matching
    This option is valid in the from computers with clause.

    For some sensors, a Tanium Client might compute multiple results. When the sensor is used as a filter in the from clause, specify whether any or all of the results must match the filter:

    • Match Any Value: At least one value in the answer must match the value specified in the question.
    • Match All Values: All values in the answer must match the value specified in the question.

    For example, in response to the IP Address sensor, a Tanium Client can return both an IPv4 address and an IPv6 address. A question that filters the IP Address sensor on 192.168 could match the IPv4 address but not the IPv6 address. In this case, you probably want Match Any Value.

    Treat Data As
    Sensor values are treated as the type of data you specify:
    • Date/Time (BES)
    • Date/Time (WMI)
    • File Size
    • Integer
    • IP Address
    • Numeric
    • Text
    • Time Duration
    • Version

    Maximum Data Age
    Maximum amount of time that the Tanium Client can use a cached result to answer a question. For example, the maximum data age for the File Size sensor is 15 minutes by default. When a Tanium Client is asked a question that executes the File Size sensor, it caches the result. Over the next 15 minutes, if the Tanium Client is asked a question that includes the File Size sensor, it responds with the cached answer. After 15 minutes, if the Tanium Client is asked a question that includes the File Size sensor, it executes the sensor script again to compute a fresh answer.

    Use shorter ages for sensors that return values subject to change frequently, such as status and utilization sensors. Use longer ages for values that typically change infrequently, such as the chassis type or Active Directory Domain membership.

  6. Beside from computers with, click +, select one of the following options to create the from clause, and click Apply:
    • Add Row: Add one or more conditions that endpoints must match. You can base the matching (Filter Type) on a Sensor or Computer Group (management group or filter group).
    • Add Group: Select this option to nest a Boolean operator and then use Add Row to build the nested expression.

    You can configure multiple filters, including nested filters. For example, to investigate the web browsers installed on computers, you can use Boolean ANDs and ORs in the from clause to target modern browsers.

  7. (Optional) Click Advanced Question Options and enable Force Computer ID if you want to convert a counting question into a non-counting question by forcing Tanium Clients to include the computer ID in their answers. Converting to a non-counting question is a workaround that resolves cases where a counting question returns the too many results answer. For details, see the KB article Troubleshooting Errors / Informational Messages (too many results message).

    For a non-counting question, the Tanium Console aggregates the results for each reporting Tanium Client.

    For a counting question, the Tanium Console displays a row for each unique result.

  8. Click Ask Question to issue the question.

    The Question Results page opens to display the answers from endpoints.

For details and tasks relating to question results, see Managing question results.
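The following added example (not Tanium code or the product's own logic) models the Advanced Sensor Options from step 5: a Match Any Value versus Match All Values filter over a multi-value IP Address result, and Ignore case versus Match case grouping of counting-question rows. The endpoint names and sensor values are constructed for illustration.

```python
from collections import Counter

# Constructed sample data, not taken from a real Tanium deployment.
# IP Address sensor: a Tanium Client can return both an IPv4 and an IPv6 address.
IP_ADDRESS = {
    "host-a": ["192.168.1.10", "fe80::1c2a:3b4c:5d6e:7f80"],
    "host-b": ["10.0.0.5", "fe80::abcd:1234:5678:9abc"],
    "host-c": ["192.168.7.22"],
}
# Last Logged In User sensor: one value per endpoint, with inconsistent lettercase.
LAST_USER = {"host-a": "CORP\\alice", "host-b": "corp\\alice", "host-c": "CORP\\bob"}


def row_matches(values, needle, match_all=False, ignore_case=True):
    """Evaluate a 'contains' filter against a multi-value sensor result.

    match_all=False models Match Any Value (at least one value must match);
    match_all=True models Match All Values (every value must match).
    """
    if ignore_case:
        needle, values = needle.lower(), [v.lower() for v in values]
    hits = [needle in v for v in values]
    return all(hits) if match_all else any(hits)


def from_clause(sensor_results, needle, match_all=False):
    """Endpoints selected by 'from computers with <sensor> contains <needle>'."""
    return sorted(host for host, vals in sensor_results.items()
                  if row_matches(vals, needle, match_all))


def counting_rows(sensor_results, ignore_case=True):
    """Counting question: one row per unique result value with its count.

    Ignore case folds 'CORP\\alice' and 'corp\\alice' into one row;
    Match case keeps them as separate rows.
    """
    key = (lambda v: v.lower()) if ignore_case else (lambda v: v)
    return dict(Counter(key(v) for v in sensor_results.values()))


if __name__ == "__main__":
    print(from_clause(IP_ADDRESS, "192.168"))                  # Match Any Value
    print(from_clause(IP_ADDRESS, "192.168", match_all=True))  # Match All Values
    print(counting_rows(LAST_USER))                            # Ignore case
    print(counting_rows(LAST_USER, ignore_case=False))         # Match case
```

With Match All Values, host-a drops out because its IPv6 address does not contain 192.168, which is why the page recommends Match Any Value for this sensor.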

View question history

Use the Administration > Question History page to perform the following tasks.

Users require a role with the Read Question History (micro admin) permission to see the Question History page. However, this permission does not enable loading a question from the Question History page. Users who have the Administrator reserved role can see the Question History page and load a question from it.

  • Review a chronology of issued questions, as well as their syntax and other details (such as issuer and expiration timestamp). By default, the Tanium Server maintains an entry for a question in the chronology for seven days.

    The Persona column indicates only the alternative personas that users used when issuing questions; the column is blank for default personas.

  • Copy an issued question to the Question Bar to reissue it: select the question and click Load.
  • Copy the selected chronology entries to your clipboard.