Working with saved questions
The saved question configuration includes question syntax and settings. A saved question can be issued manually or scheduled to be reissued periodically.
In Tanium™ Interact, the Saved Questions page includes the objects imported with Tanium™ Initial Content and other content packs, as well as questions saved by Tanium administrators.
The visibility of the page and the rows visible on the page are determined by Read Saved Question content set permissions. To issue a saved question, you must also have the Read Sensor permission for the sensors specified in the saved question. To use Drill Down, you must have the Ask Dynamic Questions global permission (assigned in any advanced role). Users assigned the Administrator or Content Administrator reserved roles have these permissions.
Issue and manage saved questions
From the Interact > Saved Questions page, you can take the following actions:
- Click the hyperlinked name of the question to issue it.
- Select the question and copy it to the Question Bar or Question Builder.
- Edit or delete the configuration.
Current / Recent zoom
In addition to all of the features of the results grid for dynamic questions, the results grid for saved questions includes a "zoom" option: Current or Recent. Current data includes responses from machines that are currently online. Recent data may include responses from offline machines. The Tanium Server caches client responses for 7 days by default. If a client is not online when a question is issued, but the Tanium Server has a cached value for it, the "recent" cached result can be passed to the results grid.
You can save questions as configuration objects so that you can use a complex question that you created in the same way you use the predefined saved questions.
You must be assigned a role with the Write Saved Question permission to create, modify, or delete saved question configurations. The sensors available are determined by Read Sensor content set permissions.
You must have Write Action and Write Package permissions to add an "associated action" to a new saved question configuration. You must have owner permissions to modify or delete the associated action.
Users assigned the Administrator or Content Administrator reserved roles have these permissions.
Create a saved question
- Use the Question bar to ask a dynamic question.
- Click Save this question directly under the Question bar.
- Complete the settings described in the following table.
- According to RBAC. Users must have the Read Saved Question permission for the content set to which the saved question belongs to see the saved question.
- Only the Owner and Admins. Only the object owner and users with the Administrator reserved role can see the saved question.
- Click Preview to preview the results you will get when you use the saved question.
- Click Create Saved Question.
|Name||Specify a configuration name. The name appears in saved question lists that are incorporated into Tanium Console workflows. Observe the existing naming scheme so that you and other administrators can find it easily.|
|Content Set||Assign to a content set. The list is populated with all content sets for which you have Write Saved Question permission.|
|Reissue this question every||The saved question is first issued immediately upon saving the configuration. Clients that are online at that time respond with their answers.|
You can use the "reissue" option to account for machines that are not currently online but are routinely online within predictable cycles (and even unpredictable times). For example, employee laptops might be offline the moment you save the saved question configuration, but you think you are likely to find them online at least once if you were to check every 8 hours.
When reissue is selected, the saved question is reissued in the background at the interval you specify. For example, if you save the saved question configuration at 9:00 a.m. local time and specify a reissue interval of every 8 hours, the Tanium Server reissues the saved question at 5:00 p.m., 1:00 a.m., 9:00 a.m., and so on. The results are archived. This improves the data quality of "recent" responses displayed in the results grid for machines that are not online when you use Interact to issue the question.
You can use the Question History to verify that the saved questions are sent according to the reissue interval you have configured.
Specify a number and unit for the reissue interval: Minutes, Hours, Days.
Note: If you specify a reissue interval of 8 hours, the system reissues the saved question exactly every 8 hours, regardless of time changes due to daylight savings time.
|Make this question available for drilldown||Include in the Select Drilldown Question dialog box Saved Questions tab.|
|Make this question available for merging||Include in the Select Merge Questions dialog box Saved Questions tab.|
|Enable recent view on this counting question||If a counting question has exactly one sensor, you can select this option to enable reporting in the recent results view of the results grid.|
|Default Tab||Specify a default tab: Question, Grid, Pie.
The Default Tab setting is saved as a user preference unless the Use these as the default for all users setting is selected.
|Default Grid Chart Zoom||
Specify a data period: Current or Recent.
Current data includes responses from machines that are currently online.
Recent data may include responses from offline machines. The Tanium Server caches client responses for 7 days by default. If a client is not online when a question is issued, but the Tanium Server has a cached value for it, the "recent" cached result can be passed to the results grid.
(You can change the default limit for recent with the global setting max_most_recent_age.)
The Default Grid Chart Zoom setting is saved as a user preference unless the Use these as the default for all users setting is selected.
|Use these as the default preferences for all users||Select this option to make the Default Tab and Default Grid Chart Zoom settings apply to all users who issue this saved question.|
|Associated Actions||Optional. Click Add Package and select a package you want to be the default when a user clicks the Deploy Action button from the results grid.|
Your question will be issued and results displayed in the results grid. Depending on the settings you configured, the saved question may appear in saved question lists that are incorporated into Tanium Console workflows.
If you create a saved question based on a parameterized sensor, and then modify the sensor, the saved question will behave as originally designed until the saved question is modified. Then it will behave as expected with the new sensor definition.
Last updated: 2/9/2018 2:03 PM | Feedback