Managing question results

Question results overview

After you use Tanium Interact to issue a dynamic question, the Question Results page opens and displays a grid with the answers (results) from endpoints. The page facilitates analyzing the results by providing display options such as live updates, cached results, and filters. You can also use the page to retrieve additional information from endpoints by merging questions and by drilling down into the results.

Each row in the results grid is an aggregation of the endpoints that reported the same answer. For counting questions, the Count column shows the number of Tanium Clients with that answer, as shown in Figure 1 (for details, see Counting and non-counting questions).

When you issue a saved question or a dashboard of questions, the Tanium Console opens the saved question results page or dashboard results page respectively. These pages resemble the Question Results page but have additional options. See Issue a saved question and Issue a dashboard of saved questions.

If Tanium Clients do not answer questions, see Tanium Console User Guide: Troubleshoot question results issues.

Figure 1: Question Results grid

Selecting rows

After you manipulate the grid to show the results that you want, you can deploy actions to the associated endpoints by selecting some or all of the result rows and clicking Deploy Action. For the full procedure, see Deploying actions.

  • You can select up to 100 rows in the grid.
  • To quickly select multiple consecutive result rows for drilling down, copying, exporting, or deploying actions, click the check box in the first row to include, hold down the Shift key, and then click the check box in the last row to include.
  • Click the check box next to the header row to select 100 rows, starting with the first row that displays on the screen. If you already have rows selected, Interact only selects rows to reach the 100 limit. Click the check box again to clear any selected rows.

Enable or disable live updates

The top left of the Question Results grid toolbar shows the percentage of Tanium Clients that reported results. The live updates feature is enabled by default, which means the Tanium Console updates the grid as more Tanium Clients report results.

Click Pause to stop the grid from updating and click Play to resume updating.

Even after 100% of Tanium Clients have reported, some answer rows might indicate incomplete results. To investigate incomplete results, see Troubleshoot question results issues.

Display results for online and offline endpoints

When the Question Results page opens, it initially displays only current results, which are answers from endpoints that were online at the moment you issued the question. However, you can also display recent or cached results that Tanium Cloud or the Tanium Server stored when it queried endpoints that were previously online but are currently offline.

Figure 2: Current, recent, and cached results

The option to display stored results enables you to have a more complete view of your managed endpoints. For example, to evaluate the security state of both online and offline endpoints, you can display both current and stored results for questions about which endpoints have a critical patch applied or a particular third-party application installed. Click the button for the type of results that you want to display:

  • Current: By default, the grid displays results only from endpoints that are currently online.
  • Recent (saved questions only): In addition to results from online endpoints, this option includes results from offline endpoints if those results still reside on Tanium Cloud or the Tanium Server after the last time the server issued that question. The server stores the results of saved questions for seven days by default. Note that the server associates recent results with specific saved questions, not with sensors. This means that even if multiple saved questions share the same sensor, the results grid might show different recent results for that sensor based on which question you issue and your computer management group permissions. Only users who have the permissions to create saved questions can view recent results.
  • Cached: The grid displays results that Tanium Cloud or the Tanium Server collects by periodically querying all managed endpoints for specific sensors. The option appears only for questions in which all the sensors are registered for collection. The server stores the results for 30 days by default. Because the server saves the results on a per-sensor basis, the grid displays the same results for a particular sensor when you issue any dynamic or saved question that uses that sensor. The grid displays only the most recent collected results. Only users with the Data Collection Registration write permission can register sensors. For details, see Manage sensor results collection.

For offline endpoints, view Cached results instead of Recent results. For cached results, Tanium Cloud or the Tanium Server more accurately identifies the responding endpoints, allows all users to view the results, and returns results for both dynamic and saved questions.

Filter question results

Use the filter controls in the header of the Question Results grid to display only results that match the criteria you specify.

Figure 3: Question Results grid filters

The Question Results grid includes multiple grid filters. Tanium Cloud or the Tanium Server combines the filters with a Boolean AND. For example, if you select a computer group filter and also configure an advanced filter, the server combines the logic of both filters.

Use a text filter

Use the Filter By Text field to filter the Question Results grid based on values in pertinent grid columns. The Tanium Server filters the grid without reissuing the question. Select the Contains or Does not contain operator, enter a search string, and click Search.

For most questions, the text filter shows matching results in any grid column. If you filter on certain cached results, values in the Count column are ignored by the text filter.

Use a computer group filter

After you select an entry in the Filter by Computer Group drop-down, Tanium Cloud or the Tanium Server issues a new question with the added filter. Select All Computers, No Computers, or a user-configured computer group. If the list of computer groups is long, you can use the text filter within the Computer Group drop-down to filter by group name. If you save the question, the question text includes the Computer Group filter but not the text filter within the drop-down.

The Filter by Computer Group drop-down displays only the groups that are available to your user account through assignment or inheritance (management groups) or that are assigned to a content set for which your account has role permissions (filter groups). For details, see Managing computer groups.

Use an advanced filter

Use advanced filters to filter question results based on match conditions, including column values.

  1. In the header of the Question Results grid, click Filters.
  2. Click one of the following buttons to add filter conditions:
    • + Row: Add one or more conditions and click Apply.
    • + Grouping: Select this option to nest a Boolean operator. Use + Row or + Grouping to build the nested expression and then click Apply.

    After you click Apply All, the grid refreshes.
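The sections above describe three grid filters that the server combines with a Boolean AND: a text filter (Contains or Does not contain, matched against any grid column), a computer group filter, and an advanced filter built from condition rows and nested groupings. The following added example, which is not Tanium code and not part of this guide, models the text filter and the advanced filter over constructed result rows so you can see how the nesting and the AND combination behave. The representation of a condition as a `(column, operator, value)` tuple, the grouping as a dict with `op` and `items`, and the `equals` operator are assumptions made for the example; the computer group filter is left out because the page states that it reissues the question on the server rather than filtering the grid.

```python
# Added example: evaluate Question Results grid filters (text filter + nested advanced filter)
# over constructed rows. Not Tanium code; the filter representation is an assumption.

# Constructed sample rows, shaped like an aggregated Question Results grid.
SAMPLE_ROWS = [
    {"Computer Name": "web-01", "Operating System": "Windows Server 2019", "Count": 1},
    {"Computer Name": "db-01", "Operating System": "Ubuntu 22.04", "Count": 1},
    {"Computer Name": "lap-07", "Operating System": "Windows 11", "Count": 3},
]

# Assumed advanced-filter representation: a condition is (column, operator, value);
# a grouping is {"op": "and" | "or", "items": [conditions or nested groupings]}.
ADVANCED = {
    "op": "or",
    "items": [
        ("Operating System", "contains", "Windows"),
        {"op": "and", "items": [("Computer Name", "contains", "db"),
                                ("Count", "equals", 1)]},
    ],
}


def matches_condition(row, condition):
    """Evaluate one condition row against one grid row (case-insensitive)."""
    column, operator, value = condition
    cell = str(row.get(column, "")).lower()
    value = str(value).lower()
    if operator == "contains":
        return value in cell
    if operator == "does not contain":
        return value not in cell
    if operator == "equals":          # assumed operator, not named on the page
        return cell == value
    raise ValueError(f"unknown operator {operator!r}")


def matches_expression(row, expression):
    """Evaluate a condition or a (possibly nested) grouping against one row."""
    if isinstance(expression, tuple):
        return matches_condition(row, expression)
    results = [matches_expression(row, item) for item in expression["items"]]
    return all(results) if expression["op"] == "and" else any(results)


def text_filter_hit(row, text):
    """The text filter looks for the string in any grid column."""
    needle = text.lower()
    return any(needle in str(value).lower() for value in row.values())


def apply_filters(rows, text=None, text_op="contains", advanced=None):
    """Combine the text filter and the advanced filter with a Boolean AND."""
    kept = []
    for row in rows:
        if text is not None:
            found = text_filter_hit(row, text)
            # Contains keeps rows that match; Does not contain keeps rows that do not.
            if (text_op == "contains") != found:
                continue
        if advanced is not None and not matches_expression(row, advanced):
            continue
        kept.append(row)
    return kept


def computer_names(rows):
    """Convenience: the Computer Name values of a filtered row set."""
    return [row["Computer Name"] for row in rows]


if __name__ == "__main__":
    print(computer_names(apply_filters(SAMPLE_ROWS, text="server")))
    print(computer_names(apply_filters(SAMPLE_ROWS, advanced=ADVANCED)))
    print(computer_names(apply_filters(SAMPLE_ROWS, text="server", advanced=ADVANCED)))
```

Because the text filter and the advanced filter are ANDed, a row survives only if it satisfies both; the nested grouping is evaluated recursively, so an `and` group inside an `or` group works the way the + Grouping button describes.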

Manage row sorting, column visibility, and text wrapping for question results

To sort rows alphabetically or numerically in the Question Results grid based on the values in a specific column, click the column header. To perform a secondary sort, press the Shift key and click another column header.

To change which columns are visible in the grid, click Customize Columns in the grid toolbar and select (show) or deselect (hide) the column check boxes.

To toggle text wrapping, click Wrap Text or Unwrap Text in the grid toolbar.

Figure 4: Question Results grid sorting, column visibility, and text wrapping controls

Export and copy question results

The Question Results page provides several options for copying and exporting the results grid contents. To export all results, click Export on the right side of the grid toolbar. You can also select specific results and click Copy or Export above the grid.

Figure 5: Copy or export question results

Copy question results to the clipboard

You can copy question results to the clipboard in text format. To include sensor names (displayed in the grid as column headers) in the copied text, see Set Tanium Console user preferences.

  • To copy specific results, select the corresponding check boxes and click Copy.
  • To copy the contents of a grid cell, hover over the cell, click Options, and click Copy Cell Value.
  • To copy the contents of a grid cell, press the Alt key (Windows) or Option key (macOS) and click in the grid cell. The Tanium Console then displays a message indicating that the clipboard has a copy of the cell contents. This operation works for most grids in the Tanium Console.

Export question results

You can export question results to a CSV file.

  1. Select one of the following export options:
    • To export specific results, select the corresponding check boxes and click Export.
    • To export the complete results, click Export in the header of the grid.
  2. Enter a File Name for the CSV file.
  3. To include sensor names (grid column headers) in the .csv file, select Include headers in export.

    If you selected only a subset of the results to export, click Export and skip the remaining steps, which describe options that are available only if you are exporting the complete results.

  4. Select how the CSV file displays results for questions where one sensor generates multiple results for each responding endpoint. As an example, for the question Get Computer Name and High CPU Processes[5] from all machines, the High CPU Processes sensor returns five processes for each endpoint. By default, the file displays one row for all the results that the sensor generated for an endpoint. For the example question, this would mean each row lists all the top five processes for each endpoint (identified by Computer Name).

    To display a row for each result that a sensor generates, select Flatten rows. For the example question, a flattened export results in five rows per endpoint: one row for each process that the High CPU Processes sensor returned. Note that this option works only if just one sensor in the question has multiple results.

    If you select Flatten rows, the Fail on errors check box appears. Selecting Fail on errors causes the export to fail for all results if any result includes multiple columns (sensors) with more than one value. In the example, it would be an error if a single endpoint returned multiple results for both Computer Name and High CPU Processes. By default, Fail on errors is disabled, which means the export proceeds despite such errors. However, the output includes errors without flattening the affected results; the output does not use separate lines to account for multiple columns with multiple values.

  5. Click Export.
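Steps 4 and 5 describe how the CSV export treats a sensor that returns several values per endpoint: by default one row per endpoint with all values kept together, with Flatten rows one row per value, and with Fail on errors the whole export fails when a row has more than one multi-valued column (otherwise such rows are written unflattened). The following added example is not Tanium code and not part of this guide; it reproduces that behaviour over constructed results for the page's example question, so you can check how a given export setting will shape the file. The `|` separator used to keep several values in one cell is an assumption, since the page does not state how the default export renders them.

```python
# Added example: CSV export with the Flatten rows / Fail on errors semantics described above.
# Not Tanium code; the multi-value separator is an assumption.
import csv
import io

# Constructed sample results for "Get Computer Name and High CPU Processes[5] from all machines".
# Each row maps a column (sensor) name to the list of values that sensor returned for the endpoint.
SAMPLE_RESULTS = [
    {"Computer Name": ["host-a"],
     "High CPU Processes": ["proc1", "proc2", "proc3", "proc4", "proc5"]},
    {"Computer Name": ["host-b"],
     "High CPU Processes": ["svc1", "svc2", "svc3", "svc4", "svc5"]},
]

# Assumed delimiter for several values kept in one cell; the page does not state the real one.
MULTI_VALUE_SEPARATOR = "|"


class FlattenError(ValueError):
    """Raised when Fail on errors is selected and a row has more than one multi-valued column."""


def multi_valued_columns(row):
    """Names of the columns in a row that hold more than one value."""
    return [col for col, vals in row.items() if len(vals) > 1]


def unflatten_row(row):
    """Default export: one row per endpoint, all of a sensor's values kept in one cell."""
    return {col: MULTI_VALUE_SEPARATOR.join(vals) for col, vals in row.items()}


def flatten_rows(results, fail_on_errors=False):
    """Expand each result so that a multi-valued column yields one output row per value.

    A row with more than one multi-valued column cannot be flattened: with
    fail_on_errors the whole export fails (FlattenError); otherwise that row is
    written unflattened and the remaining rows are still expanded.
    """
    out = []
    for row in results:
        multi = multi_valued_columns(row)
        if len(multi) > 1:
            if fail_on_errors:
                raise FlattenError(f"columns {multi} all have multiple values")
            out.append(unflatten_row(row))
        elif not multi:
            out.append(unflatten_row(row))  # single values join to themselves
        else:
            col = multi[0]
            for value in row[col]:
                expanded = unflatten_row(row)
                expanded[col] = value
                out.append(expanded)
    return out


def export_csv(results, flatten=False, fail_on_errors=False, include_headers=True):
    """Render results as CSV text, mirroring the export dialog's options."""
    if flatten:
        rows = flatten_rows(results, fail_on_errors)
    else:
        rows = [unflatten_row(row) for row in results]
    columns = list(results[0].keys()) if results else []
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, lineterminator="\n")
    if include_headers:
        writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(export_csv(SAMPLE_RESULTS))
    print(export_csv(SAMPLE_RESULTS, flatten=True))
```

With the sample input the default export produces two rows, one per endpoint, and the flattened export produces ten rows, five per endpoint; a constructed row in which both Computer Name and High CPU Processes carry several values is the case that Fail on errors turns into a failed export.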

Merge questions

Question results often lead to additional questions. For example, the results of a question that returns computer names and running processes might indicate that some endpoints are running a suspicious process. You can merge the initial question with another question to learn more information, such as the last logged-in user. Tanium Cloud or the Tanium Server issues the merge question in the background, and the Tanium Console re-displays the Question Results grid with one or more additional columns containing results for the sensors that the merge question specified.

Merge operations automatically apply to all results. You do not need to select grid rows before merging.

  1. Click Merge on the right side of the Question Results grid toolbar to open the Select Merge Questions dialog.
  2. Use one of the following tabs to add questions and then click Merge:
    • Saved Questions: Lists saved questions that are assigned to content sets for which you have Saved Question read permission. The questions must also have the Display this question in the list of questions that are available to merge setting enabled.

      To filter the list so that it includes only saved questions whose Visibility is set to Only the Owner and Admins can see this object, select Hide public questions.

    • Create a Question: Enter a question using the same syntax as in the Interact Ask a Question field (see Issue a question through the Ask a Question field).
    • Build a Question: Construct a question using the same fields as in the Interact Question Builder (see Issue a question through the Question Builder).

      Notice that you add sensors to the get clause but you do not add filters to the from clause. The from clause is automatically based on the rows that you selected in the Question Results grid when you clicked Merge.

    After you click Merge, the Question Results grid displays the updated results. You can use the Merge Edit button in the grid header to modify the merge settings.

Drill down

In the Question Results grid, you can drill down into selected results to retrieve more information from the associated endpoints. Adding a drill-down question effectively means using its sensors to filter the selected results. A typical use case is targeting a smaller group of endpoints for an action. For example, you might initially issue a question that returns a list of chassis types and operating systems for all endpoints. To see the identities of endpoints that return specific results, you can drill down into those results with the Computer Name sensor.

  1. In the Question Results grid, select the results for which you want more information and then click Drill Down.
  2. Use one of the following tabs to specify a drill-down question and then click Drill Down.

    If the selected Question Results include the value of a parameterized sensor and your drill-down question uses a sensor with a matching parameter, the Select Drill-down Question dialog automatically populates that parameter with the value from the selected results.

    • Saved Questions: Lists saved questions that are assigned to content sets for which you have Saved Question read permission. By default, the list includes only questions that have the Display this question in the list of questions that are available for drilling down setting enabled. To include questions that do not have the setting enabled, select Show all questions.

      To filter the list so that it includes only saved questions whose Visibility is set to Only the Owner and Admins can see this object, select Hide public questions.

    • Create a Question: Enter a question using the same syntax as in the Interact Ask a Question field (see Issue a question in natural language).

    • Build a Question: Construct a question using the same fields as in the Interact Question Builder (see Issue a question through the Question Builder).

    After you click Drill Down, Interact shows the progression of results, including a new Question Results grid for the drill-down question. You can then drill down further, deploy an action, save the question, or click Copy to Question Builder for further refinement.

View details for a single endpoint

When you analyze question results from endpoints, you might want to explore additional information about a particular endpoint. For example, if an endpoint returns 100% for a question with the CPU Consumption sensor, you might want to see details about the processors on that endpoint. Interact provides a single endpoint view feature that quickly retrieves and displays the information, even for endpoints that are currently offline, because most of the sensors that collect the information are registered by default with the Tanium Data Service.

Endpoint details are available for viewing through Tanium Reporting or Tanium Asset, depending on which solution is licensed. If both solutions are licensed, endpoint details are available only through Reporting, not Asset. The endpoint details that are available for viewing depend on the installed Tanium solution versions:

If Interact, Reporting, and Asset are all at the required versions, the endpoint details are available only through Reporting, not Asset.

View endpoint details through Reporting

From the Question Results page, you can access two levels of information about an endpoint:

  • Basic information: This includes the results of the following sensors: Computer Name, Tanium Client IP Address, OS Platform, Last Logged in User, and Online status (Online or Offline).

  • Detailed information: You can open a page that shows a single endpoint view with comprehensive details from dozens of sensors. In addition to the basic information, the detailed information includes data about the endpoint operating system, hardware, primary user, Tanium Client version, processors, installed applications, logical disks, network adapters, and physical disks. If the endpoint is online, you can deploy an action to it from the endpoint view page.

The permissions that are required to view endpoint details through Reporting are available to the Administrator reserved role, Interact Power User role, and Interact Basic User role.

To access this information without issuing a question, use the Search Endpoints field on the Tanium Home page. See Search endpoints.

  1. Issue a question that includes the Computer Name, Computer ID, or Tanium Client IP Address sensor.
  2. In the Question Results, click the Endpoint icon to see the details for that endpoint.
    An Endpoint Details dialog opens to display the basic information. If multiple endpoints have the same Computer Name, Tanium Client IP Address, or Last Logged in User, click Previous or Next in the Multiple Results Found banner to find the details for a specific endpoint.
  3. Click View Details to open the Endpoint Details page, which contains detailed information and provides additional options for exploring or managing the endpoint.

    For information about using the Endpoint Details page, see Tanium Reporting User Guide: Viewing and managing a single endpoint.

View endpoint details through Asset

Tanium™ Asset stores numerous details about each endpoint that might be useful for your operational or monitoring activities. For example, you might want to see CPU and storage details about an endpoint before deploying an action to it. If you installed Asset version 1.7 or later and you sign in to the Tanium Console as a user with the Asset Report read permission, you can see those details through the Question Results grid without issuing additional questions that consume more bandwidth and processor resources.

  1. Issue a question that includes any of the following sensors:
    • Computer Name
    • Computer ID
    • Tanium Client IP Address
    • Asset Computer Serial Number
    • Asset Primary User Details
  2. Click the Asset icon for an endpoint in the Question Results.

    An Asset Details dialog opens to display a summary of the Asset details for that endpoint. If the Asset database has multiple entries for the same endpoint, click Previous or Next in the Multiple Results Found banner to find the details for a specific endpoint.

  3. Click View Details in Asset to see all the Asset details for an endpoint. Asset then opens the Computer Asset report for the endpoint.