Managing saved questions

Saved questions are questions that you can store on the Tanium Server as configuration objects and reissue without entering them in the Interact Ask a Question field or Question Builder. For an overview of saved questions and related concepts, see Saved questions.

Use the Interact Overview page to perform the following actions:

  • View, issue, create, and edit saved questions.
  • Move questions between content sets.
  • Define categories and dashboards, and assign saved questions to them.
  • View and select favorite categories, dashboards, and saved questions.

For details about the user roles and permissions required to manage saved questions, see User role requirements.

User-specific saved questions

When multiple users work with the same saved question, the following factors control which users can see the question, and which question settings and results the users can see:

  • User role permissions: To view and edit a saved question, a user must have the required role permissions for the content set to which the question is assigned (see Manage saved questions). Additionally, the Visibility setting in the question determines whether the question is visible only to the owner (question creator) or to any user who has the required role permissions.
  • User-specific configuration changes: When a user saves changes to the question configuration, Tanium Cloud the Tanium Server saves a copy of the question. When users sign in to Tanium Cloudthe server, the users see only the copy with their own changes.
  • Computer group management rights: The computer groups assigned to users, user groups, and personas determine the visibility of the saved question Reissue interval and recent question results.

For details, see Tanium Console User Guide: User-specific saved questions.

Create a saved question

  1. Use the Interact Ask a Question field or Question Builder to ask a dynamic question.

    The Question Results page shows the results.

  2. Click Save above the question field and configure the following settings:
    3.  Table 1: Saved question settings
    Settings Guidelines
    Name Enter a name to identify the saved question in lists that appear in Tanium Console workflows.
    Content Set Assign the question to a content set. The list is populated with all content sets for which you have Saved Question write permission.
    Tags To add tags for filtering lists of saved questions in the Tanium Console, click Add tags, enter a Name to identify the tag, and enter the tag Value. Add Add a Name-Value pair for each additional tag.

    In the Sensors page, the Tags column is hidden by default. To show the column, click Customize Columns Customize Columns and select Tags.
    Visibility
    • According to RBAC. Users must have the Saved Question read permission for the content set to which the saved question belongs to see the saved question.
    • Only the Owner and Admins can see this object. Only the question owner and users with the Administrator reserved role can see the saved question. By default, the user who creates the question is the owner.

      If the user account of the initial owner is deleted, ownership of the question might transfer to another user. See Delete, undelete, or lock out a user.
    Reissue If you want to periodically reissue the question, select Reissue this question every and specify a number and unit for the reissue interval: Minutes, Hours, Days. Tanium CloudThe Tanium Server first issues the saved question immediately after you save the configuration. Tanium Clients that are online at that time respond with their answers. You can use the reissue option to account for clients that are currently offline but will be online later. For example, employee laptops that are offline at the moment you save the saved question configuration might be online at least once during an eight-hour reissue interval.

    If you configure reissuing, Tanium Cloudthe Tanium Server reissues the saved question in the background at the specified interval. For example, if you save the saved question configuration at 9:00 a.m. local time and specify a reissue interval of every eight hours, the Tanium Cloudthe server reissues the saved question at 5:00 p.m., 1:00 a.m., 9:00 a.m., and so on. By default, Tanium Cloudthe server caches responses for seven days, and displays the cached responses in the Question Results grid for endpoints that are offline when the server issues the question. You can use the Question History to verify that Tanium Cloudthe server issues the saved questions based on the specified reissue interval.

    If you specify an eight-hour reissue interval, Tanium Cloudthe Tanium Server reissues the question exactly every eight hours, regardless of time changes due to daylight savings time.

    Which users can see the reissue interval for a saved question depends on the computer groups assigned to those users. For details, see Tanium Console User Guide: User-specific saved questions.
    Show this question in the list of questions that are available for drilling down Enable this option to include the question in the list that users see when selecting a question for a drill-down operation on question results. For details, see Drill down into results.
    Show this question in the list of questions that are available to merge Enable this option to include the question in the list that users see when selecting a question for a merge operation on question results. Only non-counting questions provide this option. For details, see Merge questions.
    You cannot change this setting after you save a new saved question configuration.

    Enabling this option automatically enables the Yes, turn into non-counting question option.
    Do not turn into non-counting question

     

    Yes, turn into non-counting question

    		 The option to convert the question to a non-counting question is available only if the question has one sensor in the get clause. Converting to a non-counting question enables Tanium Cloudthe Tanium Server to store the answers as recent data, which Tanium Cloudthe server uses when live data is unavailable, such as when the answering endpoints are offline. For details, see Display current or recent question results.
    You cannot change this setting after you save a new saved question configuration.

    Non-counting questions consume more disk storage because the Tanium Server maintains the answer strings for each endpoint (based on computer ID).
    Save these settings for myself and other users with no prior settings saved

     

    Save these settings for my view only

    		 Select whether the User Settings values that you configured are visible to other users who might view the saved question configuration. This visibility option is useful when you want a question to initially have the same User Settings values for everyone until individual users specify their own values.
    • Save these settings for myself and other users with no prior settings saved: The User Settings that you configured appear to all users who view the question configuration. If a user subsequently edits the settings, only that user will thereafter see the values that the user configured instead of the values that you initially configured.
    • Save these settings for my view only: When users other than yourself view the question configuration, the User Settings have no values until individual users specify values.
    Associated Packages Optionally, select the packages that you want to appear at the top of the Deployment Package dropdown list in the Action Deployment page when users deploy an action based on the question. By default, the Deployment Package selection is set to the first package that you add to the Associated Packages. As an example, for a question that returns the logging level of Tanium Clients on Windows endpoints, you might want to add Set Windows Tanium Client Logging Level as an Associated Package. For details, see Deploying actions and Example: Saved questions with associated packages.
  3. Expand the Preview section to preview the results of the saved question, and then click Save.

The question appears in the Administration > Content > Saved Questions page.

When you save a question that has a parameterized sensor, the sensor definition, including the substituted values, is saved in an object called a temporary sensor. On the endpoint, the Tanium™ Client runs the temporary sensor when it computes answers to a saved question that calls it. A saved question that is reissued according to a schedule continues to use the temporary sensor even if the sensor from which it was based is updated. Therefore, if a sensor is updated, and you want the saved question to use the updated code, you must re-create the saved question.

Edit a saved question

As a best practice, do not edit saved questions that are provided through Tanium content packs (for details, see Tanium Console User Guide: Best practices for resolving import conflicts (Tip 4)). If you need to edit Tanium-provided questions, review User-specific saved questions and contact Tanium Support. For more information, see Contact Tanium Support.

Alternatively, you can create copies of Tanium-provided questions and edit the copies. You can also edit custom saved questions that you created from scratch. To edit a saved question:

  1. From the Interact Overview page, find the question in the Saved Questions panel, mouse over the question, click Options , and select Edit Properties.
  2. Configure the settings described in Create a saved question and save your changes.

If you create a saved question based on a parameterized sensor and then modify the sensor, the saved question behavior reflects the original sensor definition. Only after you modify the saved question will it behave as expected with the new sensor definition. For details on parameterized sensors, see Questions with parameterized sensors.

Filter saved questions

The number of saved questions tends to increase as your team uses the Tanium system more. To find specific questions when the Interact Overview page has too many to scan quickly, you can filter by text strings, categories, dashboards, and favorites.

Filter by categories and dashboards

In the Interact Overview page, you can select check boxes in the panels so that only items belonging to the selected categories or dashboards appear. You can apply multiple filters. Click Deselect in a panel header to deselect all its filters.

Figure  1:  Interact content filters

Filter by text strings

In the Interact Overview page, use text filters in the panels to find items that match a specified string. Click the x in the text search box to deselect the filter.

Figure  2:  Text filters

Filter by favorites

A favorite is a category, dashboard, or saved question that you want to appear on the Interact Overview page. You can also use favorites as an optional filter on the Interact Overview page. Tanium CloudThe Tanium Server saves favorites as a user-specific setting; your favorites selections do not apply to other users.

Items that you select as favorites before upgrading to Interact 2.0 or later remain favorites after upgrading. If you did not have favorites before an upgrade or before you install a new Tanium Server, all categories and dashboards for which you have read permission are set as favorites anyway.

To configure the display of favorite content, perform the following steps:

  1. From the Main menu, go to Modules > Interact.

    On the Tanium Home page, click the Favorites icon for an item to deselect it as a favorite and remove it from the page. However, the Tanium Home page does not provide the option to show items that are not favorites, so you cannot restore favorite status to items on that page.

  2. Click the Favorites icon next to the name of a category, dashboard, or saved question to select or deselect that item as a favorite.

    To reduce clicks, click Favorite All or Unfavorite All in a panel header and then toggle on or off individual items in that panel.

  3. To view only favorite categories, dashboards, and saved questions, click Favorites in the upper right of the Content section.

    The button changes to a dark background to indicate that the panels display only favorites. Click Favorites again to toggle off the filter.

    After you find and select your favorite Categories or Dashboards, you might want to toggle off the Favorites filter so that the Saved Questions panel displays both favorite and non-favorite questions.

Reissue a saved question

After you save a question, you can manually reissue it anytime by performing one of the following steps:

  • From the Interact Overview page, click the question name in the Saved Questions panel.
  • If the question is selected as a favorite, go to the Tanium Home page, scroll to the Favorite Interact Categories, expand the corresponding category and dashboard, and click the question name.

The Tanium Console displays the results in the saved question results page. This page provides the option to see recent results from offline endpoints if those results still reside on the Tanium Server after the last time the question was issued. The server stores the results of saved questions for seven days by default. For details, see Display results for online and offline endpoints.

If you want the Tanium Server to automatically reissue a saved question, edit the question configuration and set the Reissue interval: see Edit a saved question.

If you want to simultaneously issue all the questions in a dashboard, see Issue a dashboard of saved questions.

Issue a dashboard of saved questions

In some cases, it is useful to issue several saved questions that are related based on the kind of information they retrieve from endpoints. In such cases, you can group the questions in a single dashboard and issue them simultaneously. For example, the predefined Hardware Inventory dashboard contains questions that retrieve chassis type, operating system, monitor, CPU, disk, memory, and BIOS information.

To issue all the questions in a dashboard:

  1. From the Main menu, go to Modules > Interact.
  2. In the Dashboards panel, click the dashboard name.

    The dashboard results page appears, which shows a results grid for each saved question in the dashboard.

Figure  3:  Dashboard results page

For each question, the dashboard results page provides all the features that are available in the saved question results page, such as viewing Current, Recent, or Cached results (see Managing question results). The dashboard results page also has the following features (matching the numbers in Figure  3):

1 Use the dashboards dropdown list to issue a different dashboard.
2 Use the Filter All Questions Displayed drop-down to filter all the results grids by computer group.
3 The page shows the dashboard name, favorite status ( for favorite, for non-favorite), and number of saved questions in the dashboard. Click the favorite icon / to toggle the favorite status of the dashboard.
4 For each results grid, the page shows the question name and favorite status. Click the favorite icon / to toggle the favorite status of the question. Click the question name to reissue the question. Click Edit to change the question settings (see Edit a saved question).
5 Filter by computer group or text.
6 Apply additional filters to a specific results grid.

Dashboard results filters

Manage categories and dashboards

Tanium solutions that you import provide predefined dashboards as containers for organizing saved questions. The solutions also provide predefined categories as containers for dashboards. You can create custom categories and dashboards, and assign saved questions to them based on how you set up role-based access control (RBAC) for your Tanium deployment. You perform all the following tasks on the Interact Overview page.

Create a category

  1. In the Categories panel heading, click Options and select New Category.
  2. Specify a Name, Content Set, Icon, and Visibility option, and click Save.

Create a dashboard

  1. In the Dashboards panel heading, click Options and select New Dashboard.
  2. Specify a Name, Filter Group, Content Set, and Visibility option, and click Save.

Assign dashboards to a category

  1. In the Categories panel, mouse over the category, click Options , and select Add/Remove Dashboards.
  2. In the Dashboards panel, select the dashboards to include in this category and click Apply.

Assign saved questions to a dashboard

  1. In the Dashboards panel, mouse over the category, click Options , and select Add/Remove Saved Questions.
  2. In the Saved Questions panel, select the saved questions to include in this dashboard and click Apply.

Edit category or dashboard settings

  1. In the Categories or Dashboards panel, mouse over the category or dashboard, click Options , and select Edit Category Information or Edit Dashboard Information.
  2. Edit the settings and save the configuration.

To edit saved questions settings, see Edit a saved question.

Delete a category or dashboard configuration

When you delete a category, Tanium Cloudthe Tanium Server does not assign its dashboards to any other category. When you delete a dashboard, Tanium Cloudthe server does not assign its saved questions to any other dashboard.

  1. In the Categories or Dashboards panel, mouse over the category or dashboard and click Delete .
  2. Confirm that you want to delete the configuration.

You cannot delete a saved question configuration from the Interact Overview page, only from the Administration > Content > Saved Questions page.

Export or import categories, dashboards, or questions

The following procedures describe how to export and import the configurations of categories, dashboards, or saved questions.

Develop and test content in your lab environment before importing that content into your production environment.

Export categories, dashboards, or questions

If you want to export multiple content types in a single operation, see Manage Tanium shared services and content.

  1. Click Options Options in the panel header and select the export option.
  2. Select items to export or Select all.
  3. Click Export, optionally modify the File Name, and click Export again.

The JSON file is saved to the downloads folder on the computer that you use to access the Tanium Console.

Import categories, dashboards, or questions

Users who are assigned a role with Import Signed Content permission can import content files that are in JSON or XML format. The Administrator reserved role has this permission.

  1. (Non-Tanium-provided content only) Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.

    You do not have to generate keys or signatures for Tanium-provided solutions. Tanium signs this content before making it available, and the associated public key is distributed to the Tanium Server key store during the server installation process.

  2. From the Main menu, go to any of the following Administration pages:
    • Configuration > Solutions
    • Permissions > Filter Groups
    • Under Content, select Sensors, Packages, or Saved Questions
    • Under Actions, select Scheduled Actions, All Pending Approvals, or Actions I Can Approve
  3. Select an Import option based on the source of the content:
    • Import > Import Files: Perform one of the following steps to select one or more files:
      • Drag and drop files from your file explorer.
      • Click Browse for File, select the files, and click Open.
    • Import > Import URL: Enter the URL in the Import URL field, and click Import.
  4. For each file, expand Expand the File name, review the content to import, and select resolutions for any conflicts with existing content (see Resolve conflicts when importing updates).
  5. If you want to overwrite existing content set assignments for all imported objects with the default Tanium-defined assignments, select Include content set overwrite. By default, the Include content set overwrite check box is deselected and the Tanium Server preserves the existing content set assignments.
  6. Click Begin Install.