Managing saved questions

Saved questions are questions that you can store on the Tanium Server as configuration objects and reissue without entering them in the Interact Ask a Question field or Question Builder. For an overview of saved questions and related concepts, see Saved questions.

Use the Interact Overview page to perform the following actions:

View, issue, create, and edit saved questions.
Move questions between content sets.
Define categories and dashboards, and assign saved questions to them.
View and select favorite categories, dashboards, and saved questions.

For details about the user roles and permissions required to manage saved questions, see User role requirements.

User-specific saved questions

When multiple users work with the same saved question, the following factors control which users can see the question, and which question settings and results the users can see:

User role permissions: To view and edit a saved question, a user must have the required role permissions for the content set to which the question is assigned (see Manage saved questions). Additionally, the Visibility setting in the question determines whether the question is visible only to the owner (question creator) or to any user who has the required role permissions.
User-specific configuration changes: When a user saves changes to the question configuration, Tanium Cloud the Tanium Server saves a copy of the question. When users sign in to Tanium Cloudthe server, the users see only the copy with their own changes.
Computer group management rights: The computer groups assigned to users, user groups, and personas determine the visibility of the saved question Reissue interval and recent question results.

For details, see Tanium Console User Guide: User-specific saved questions.

Create a saved question

Use the Interact Ask a Question field or Question Builder to ask a dynamic question.
The Question Results page shows the results.
Click Save above the question field and configure the following settings:

Table 1: Saved question settings
Settings	Guidelines
Name	Enter a name to identify the saved question in lists that appear in Tanium Interact workflows.
Content Set	Assign the question to a content set. The list is populated with all content sets for which you have Saved Question write permission.
Tags	To add tags for filtering lists of saved questions in Interact, click Add tags, enter a Name to identify the tag, and enter the tag Value. Add a Name-Value pair for each additional tag. In the Sensors page, the Tags column is hidden by default. To show the column, click Customize Columns and select Tags.
Visibility	According to RBAC. Users must have the Saved Question read permission for the content set to which the saved question belongs to see the saved question. Only the Owner and Admins can see this object. Only the question owner and users with the Administrator reserved role can see the saved question. By default, the user who creates the question is the owner. If the user account of the initial owner is deleted, ownership of the question might transfer to another user. See Delete, undelete, or lock out a user.
Reissue	If you want to periodically reissue the question, select Reissue this question every and specify a number and unit for the reissue interval: Minutes, Hours, Days. Tanium CloudThe Tanium Server first issues the saved question immediately after you save the configuration. Tanium Clients that are online at that time respond with their answers. You can use the reissue option to account for clients that are currently offline but will be online later. For example, employee laptops that are offline at the moment you save the saved question configuration might be online at least once during an eight-hour reissue interval. If you configure reissuing, Tanium Cloudthe Tanium Server reissues the saved question in the background at the specified interval. For example, if you save the saved question configuration at 9:00 a.m. local time and specify a reissue interval of every eight hours, the Tanium Cloudthe server reissues the saved question at 5:00 p.m., 1:00 a.m., 9:00 a.m., and so on. By default, Tanium Cloudthe server caches responses for seven days, and displays the cached responses in the Question Results grid for endpoints that are offline when the server issues the question. You can use the Question History to verify that Tanium Cloudthe server issues the saved questions based on the specified reissue interval. If you specify an eight-hour reissue interval, Tanium Cloudthe Tanium Server reissues the question exactly every eight hours, regardless of time changes due to daylight savings time. Which users can see the reissue interval for a saved question depends on the computer groups assigned to those users. For details, see Tanium Console User Guide: User-specific saved questions.
Show this question in the list of questions that are available for drilling down	Enable this option to include the question in the list that users see when selecting a question for a drill-down operation on question results. For details, see Drill down into results.
Show this question in the list of questions that are available to merge	Enable this option to include the question in the list that users see when selecting a question for a merge operation on question results. Only non-counting questions provide this option. For details, see Merge questions. You cannot change this setting after you save a new saved question configuration. Enabling this option automatically enables the Yes, turn into non-counting question option.
Do not turn into non-counting question Yes, turn into non-counting question	The option to convert the question to a non-counting question is available only if the question has one sensor in the get clause. A single-sensor question is a counting question by default. Converting to a non-counting question is required for users to include the question in merge operations. However, converting has other ramifications to consider before you select that option. See Counting and non-counting questions. You cannot change this setting after you save a new saved question configuration.
Save these settings for myself and other users with no prior settings saved Save these settings for my view only	Select whether the User Settings values that you configured are visible to other users who might view the saved question configuration. This visibility option is useful when you want a question to initially have the same User Settings values for everyone until individual users specify their own values. Save these settings for myself and other users with no prior settings saved: The User Settings that you configured appear to all users who view the question configuration. If a user subsequently edits the settings, only that user will thereafter see the values that the user configured instead of the values that you initially configured. Save these settings for my view only: When users other than yourself view the question configuration, the User Settings have no values until individual users specify values.
Associated Packages	Optionally, select the packages that you want to appear at the top of the Deployment Package dropdown list in the Action Deployment page when users deploy an action based on the question. By default, the Deployment Package selection is set to the first package that you add to the Associated Packages. As an example, for a question that returns the logging level of Tanium Clients on Windows endpoints, you might want to add Set Windows Tanium Client Logging Level as an Associated Package. For details, see Deploying actions and Example: Saved questions with associated packages.

Expand the Preview section to preview the results of the saved question, and then click Save.

The question appears in the Administration > Content > Saved Questions page.

When you save a question that has a parameterized sensor, the sensor definition, including the substituted values, is saved in an object called a temporary sensor. On the endpoint, the Tanium™ Client runs the temporary sensor when it computes answers to a saved question that calls it. A saved question that is reissued according to a schedule continues to use the temporary sensor even if the sensor from which it was based is updated. Therefore, if a sensor is updated, and you want the saved question to use the updated code, you must re-create the saved question.

Edit a saved question

As a best practice, do not edit saved questions that are provided through Tanium content packs (for details, see Tanium Console User Guide: Best practices for resolving import conflicts (Tip 4)). If you need to edit Tanium-provided questions, review User-specific saved questions and contact Tanium Support. For more information, see Contact Tanium Support.

Alternatively, you can create copies of Tanium-provided questions and edit the copies. You can also edit custom saved questions that you created from scratch. To edit a saved question:

From the Interact Overview page, find the question in the Saved Questions panel, mouse over the question, click Options , and select Edit Properties.
Configure the settings described in Create a saved question and save your changes.

If you create a saved question based on a parameterized sensor and then modify the sensor, the saved question behavior reflects the original sensor definition. Only after you modify the saved question will it behave as expected with the new sensor definition. For details on parameterized sensors, see Questions with parameterized sensors.

Filter saved questions

The number of saved questions tends to increase as your team uses the Tanium system more. To find specific questions when the Interact Overview page has too many to scan quickly, you can filter by text strings, categories, dashboards, and favorites.

Filter by categories and dashboards

In the Interact Overview page, you can select check boxes in the panels so that only items belonging to the selected categories or dashboards appear. You can apply multiple filters. Click Deselect in a panel header to deselect all its filters.

Filter by text strings

In the Interact Overview page, use text filters in the panels to find items that match a specified string. Click the x in the text search box to deselect the filter.

Filter by favorites

A favorite is a category, dashboard, or saved question that you want to use as an optional filter on the Interact Overview page. Tanium CloudThe Tanium Server saves favorites as a user-specific setting; your favorites selections do not apply to other users.

Favorites also appear on the Tanium Home page. See Tanium Console User Guide: Work with favorite Interact categories, dashboards, and saved questions.

Items that you select as favorites before upgrading to Interact 2.0 or later remain favorites after upgrading. If you did not have favorites before an upgrade or before you install a new Tanium Server, all categories and dashboards for which you have read permission are set as favorites anyway.

To configure the display of favorite content, perform the following steps:

From the Main menu, go to Modules > Interact.
On the Tanium Home page, click the Favorites icon for an item to deselect it as a favorite and remove it from the page. However, the Tanium Home page does not provide the option to show items that are not favorites, so you cannot restore favorite status to items on that page.
Click the Favorites icon next to the name of a category, dashboard, or saved question to select or deselect that item as a favorite.
To reduce clicks, click Favorite All or Unfavorite All in a panel header and then toggle on or off individual items in that panel.
To view only favorite categories, dashboards, and saved questions, click Favorites in the upper right of the Content section.
The button changes to a dark background to indicate that the panels display only favorites. Click Favorites again to toggle off the filter.
After you find and select your favorite Categories or Dashboards, you might want to toggle off the Favorites filter so that the Saved Questions panel displays both favorite and non-favorite questions.

Issue a saved question

After you save a question, you can reissue it through the following methods:

Interact Overview page: Scroll to the Saved Questions panel and click the question name.
Tanium Home page: If the question has favorite status, scroll to the Favorite Interact Questions section and click the question name. If the Favorite Interact Questions section is not visible, see Tanium Console User Guide: Work with favorite Interact categories, dashboards, and saved questions.
Saved Questions page: From the Main menu, go to Administration > Content > Saved Questions, select a question, and click Load.
Question configuration: To automatically reissue a saved question at intervals, edit the question configuration and set the Reissue interval. See Tanium Console User Guide: Edit a saved question.

Tanium Console shows the results in the saved question results page. To filter or otherwise manipulate the results, see Managing question results.

Use Tanium Reporting instead of saved questions for viewing results from sensors that are registered with Tanium Data Service. Reporting shows results in reports and on the Explore Data page: see Tanium Reporting User Guide: Working with reports. For details on the advantages of viewing results in Reporting, see Saved questions.

Issue a dashboard of saved questions

In some cases, it is useful to issue several saved questions that are related based on the kind of information they retrieve from endpoints. In such cases, you can group the questions in a single dashboard and issue them simultaneously. For example, the predefined Hardware Inventory dashboard contains questions that retrieve chassis type, operating system, monitor, CPU, disk, memory, and BIOS information. For details on dashboards, see Interact dashboards and categories.

Use Tanium Reporting instead of Interact dashboards for viewing results from sensors that are registered with Tanium Data Service. Reporting shows results in reports and on the Explore Data page: see Tanium Reporting User Guide: Working with reports. For details on the advantages of viewing results in Reporting, see Saved questions.

To issue all the questions in a dashboard:

From the Main menu, go to Modules > Interact.
In the Dashboards panel, click the dashboard name.
The dashboard results page appears, which shows a results grid for each saved question in the dashboard.

For each question, the dashboard results page provides all the features that are available in the saved question results page, such as viewing Current, Recent, or Cached results (see Managing question results). The dashboard results page also has the following features (matching the numbers in Figure 3):

	The page shows the dashboard name, favorite status ( for favorite, for non-favorite), and number of saved questions in the dashboard. Click the favorite icon / to toggle the favorite status of the dashboard.
	Use the Filter All Questions Displayed drop-down to filter all the results grids by computer group.
	Use the dashboards dropdown list to issue a different dashboard.
	For each results grid, the page shows the question name and favorite status. Click the favorite icon / to toggle the favorite status of the question. Click the question name to reissue the question. Click Edit to change the question settings. See Edit a saved question.
	Filter by computer group or text string.
	Apply additional filters to a specific results grid.

Manage categories and dashboards

Interact provides predefined dashboards and categories for organizing saved questions. You can also create custom dashboards and categories. For details about dashboards and categories, see Interact dashboards and categories.

The following tasks describe how to create, edit, reassign, export, or delete dashboards and categories through the Interact Overview page.

Create a category

In the Categories panel heading, click Options and select New Category.
Specify a Name, Content Set, Icon, and Visibility option, and click Save.

Create a dashboard

In the Dashboards panel heading, click Options and select New Dashboard.
Specify a Name, Filter Group, Content Set, and Visibility option, and click Save.

Assign dashboards to a category

In the Categories panel, mouse over the category, click Options , and select Add/Remove Dashboards.
In the Dashboards panel, select the dashboards to include in this category and click Apply.

Assign saved questions to a dashboard

In the Dashboards panel, mouse over the category, click Options , and select Add/Remove Saved Questions.
In the Saved Questions panel, select the saved questions to include in this dashboard and click Apply.

Edit category or dashboard settings

In the Categories or Dashboards panel, mouse over the category or dashboard, click Options , and select Edit Category Information or Edit Dashboard Information.
Edit the settings and save the configuration.

To edit saved questions settings, see Edit a saved question.

Change the favorite status of categories or dashboards

You can control which categories and dashboards appear on the Interact Overview page and Tanium Home page by assigning favorite or non-favorite status to them. See Filter by favorites.

Export categories, dashboards, or questions

If you are assigned a role with the Export Content permission, you can export category, dashboard, and saved question configurations as a JSON file. The Administrator reserved role has that permission.

Click Options in the panel header and select the export option.
Select items to export or Select all.
Click Export, optionally modify the File Name, and click Export again.

The JSON file is saved to the downloads folder on the computer that you use to access Tanium Interact.

Delete a category or dashboard configuration

When you delete a category, Tanium Cloudthe Tanium Server does not assign its dashboards to any other category. When you delete a dashboard, Tanium Cloudthe server does not assign its saved questions to any other dashboard.

In the Categories or Dashboards panel, mouse over the category or dashboard and click Delete .
Confirm that you want to delete the configuration.

You cannot delete a saved question configuration from the Interact Overview page, only from the Administration > Content > Saved Questions page.