In the Tanium™ Console, when you click a saved question, the question is issued to Tanium Clients. Saving the question syntax as a configuration object enables it to be reissued later. The configuration object can also be used throughout the platform, both by Tanium™ solution modules and by user-developed applications that use the SOAP API. For example, you can use Tanium™ Connect to configure a saved question to be run on a schedule with results sent to an external server.
You must have a user role with the Write Saved Question permission to create, modify, or delete saved question configurations. The Read Sensor content set permissions determine the available sensors.
In addition to the Write Saved Question permission, you must have the Write Action and Write Package permissions to add associated actions to a new saved question configuration. In addition to these three permissions, you must also have owner permissions for the question if you later want to modify or delete the associated actions.
Users assigned the Administrator or Content Administrator reserved roles have these permissions.
- Use the Question bar to ask a dynamic question.
- Click Save this question directly under the Question bar.
- Complete the settings described in the following table.
- According to RBAC. Users must have the Read Saved Question permission for the content set to which the saved question belongs to see the saved question.
- Only the Owner and Admins. Only the object owner and users with the Administrator reserved role can see the saved question.
- Click Preview to preview the results you will get when you use the saved question.
- Click Create Saved Question.
|Name||Specify a configuration name. The name appears in saved question lists that are incorporated into Tanium Console workflows. Observe the existing naming scheme so that you and other administrators can find it easily.|
|Content Set||Assign to a content set. The list is populated with all content sets for which you have Write Saved Question permission.|
|Reissue this question every||If you want to periodically reissue the question, specify a number and unit for the reissue interval: Minutes, Hours, Days. The Tanium Server first issues the saved question immediately after you save the configuration. Tanium Clients that are online at that time respond with their answers. You can use the reissue option to account for machines that are not currently online but are routinely online within predictable cycles (and even unpredictable times). For example, employee laptops might be offline the moment you save the saved question configuration, but you think you are likely to find them online at least once if you were to check every eight hours.
If you configure reissuing, the Tanium Server reissues the saved question in the background at the interval you specify. For example, if you save the saved question configuration at 9:00 a.m. local time and specify a reissue interval of every eight hours, the Tanium Server reissues the saved question at 5:00 p.m., 1:00 a.m., 9:00 a.m., and so on. The results are archived. This improves the data quality of recent responses displayed in the Question Results grid for machines that are not online when you use Interact to issue the question. You can use the Question History to verify that the saved questions are sent according to the reissue interval you configured.
Note: If you specify a reissue interval of eight hours, the Tanium Server reissues the saved question exactly every eight hours, regardless of time changes due to daylight savings time.
This option appears only for users with the Administrator or Content Administrator roles. The purpose is to enable an advanced user to curate the configuration for other users. Defaults are commonly understood as good choices. When this option is selected, the administrator's choices populate the initial defaults shown for subsequent users.
The subsequent users are free to modify the settings. When non-administrator users modify the settings, their choices are preserved and will persist even when another administrator subsequently changes the default preferences.
Note: When an Administrator or Content Administrator makes changes, it does change the settings for all other Administrator or Content Administrator users. This design forces administrators to agree on the best default settings.
|Make this question available for drilldown||Include in the Select Drilldown Question dialog box, Saved Questions tab.|
|Non-Counting Question / Counting Question||Specify whether to turn the question into a non-counting question. Non-counting questions have a larger data footprint because the Tanium Server maintains data per computer ID. However, this enables storing recent data for the endpoint. Furthermore, the Allow for merging option is available only for non-counting questions.
The non-counting question option appears when the question is a counting question that has exactly one sensor in the select clause. You can configure the non-counting question option only in the New Saved Question form, not the Edit Saved Question form.
You can configure the Enable collection and reporting of recent data option only in the New Saved Question form, not the Edit Saved Question form.
|Default Tab||Specify a default tab: Question, Grid, or Pie.
The Default Tab setting is saved as a user preference unless you
|Default Grid Chart Zoom||Set the data period for the initial Question Results grid display: Current or Recent.|
|Associated Actions||Optional. Click Add Package and select the package that you want to be the default when a user clicks the Deploy Action button in the Question Results grid.|
The Tanium Server reissues your question and displays the results in the Question Results grid. Depending on the settings you configured, the saved question might appear in saved question lists that are incorporated into Tanium Console workflows.
When you save a question that has a parameterized sensor, the sensor definition, including the substituted values, is saved in an object called a temp sensor. On the endpoint, the Tanium™ Client runs the temp sensor when it computes answers to a saved question that calls it. A saved question that is reissued according to a schedule continues to use the temp sensor even if the sensor from which it was based is updated. Therefore, if a sensor is updated, and you want the saved question to use the updated code, you must re-create the saved question.
The Tanium Server maintains a copy of the saved question configuration for each user who has saved the configuration. For example:
- admin01 creates a saved question.
- user01 edits it and saves a copy.
- user02 edits it and saves a copy.
- user03 does not edit the saved question but has permission to read or edit it.
Tanium Server now has three copies—one for each user who has saved it. The per-user settings are saved in the system as metadata for the saved question configuration.
The different preferences user01 or user02 may have with respect to a saved question are applied when the user logs in. For example, if user01 settings allow the question to be included in merge operations and user02 settings do not, those differences are applied, and the users have different experiences. user03, not having saved the configuration, is subject to the admin01 settings.
When the reissue option is set, the question is issued at the interval specified by each user configuration. However, if multiple users have essentially the same management computer group rights, the Tanium Server throttles the redundant traffic. For example, if user01 and user02 both have access to the All Computers computer group and set a reissue interval every 4 hours, the Tanium Server will reissue the question only once every 4 hours, not once for each user. However, if user01 has access to only the computer group A, and user02 has access only to computer group B, the Tanium Server will reissue the question according to each user's requirements.
Last updated: 12/17/2018 3:11 PM | Feedback