Asking questions

Using Tanium Interact to ask questions enables you to retrieve information from endpoints. For example, you can ask a question that determines whether any endpoints are missing critical security patches. Based on the question results that the endpoints return, you can then deploy actions, such as installing security patches.

For details on manipulating and analyzing question results, see Managing question results.

For details on deploying actions, see Deploying actions.

For the user roles and permissions required to ask questions, see Tanium Interact permissions.

What is a question?

A Tanium question is a query that you issue from the Tanium Server to managed endpoints. A dynamic question is one that you create and issue through the Ask a Question or Question Builder features in Interact. A saved question is a configuration object that enables you to reissue a question without reconstructing it through those features.

The Ask a Question feature is built on a natural language parser that enables you to get started with natural questions rather than a specialized query language. You do not need to enter questions as complete sentences or particularly well-formed inquiries. Word forms are not case sensitive and can even include misspellings. The parser interprets your input and suggests a number of valid queries that you can use to formalize the question that is sent to Tanium Clients. Interact provides the Ask a Question feature as a text-entry field at the top of the Interact Home page and Tanium Console home page.

The following figure shows an example of how Interact uses the natural language parser to propose valid queries based on user input. First, the user enters the fragment last logged in user and clicks Search. In response, Interact returns a list of queries cast in valid syntax.

Figure  1:  Natural language parser

Questions have a get clause that specifies the information to retrieve and a from clause that specifies the target endpoints. Basic questions include the following:

  • One or more sensor names (such as Last Logged In User) in the get clause
  • From all machines (all endpoints that host the Tanium Client) in the from clause

Advanced questions include filter clauses and parameterized sensors.

For more information about question syntax, see Reference: Example questions and Reference: Advanced question syntax.

What is a sensor?

A sensor is a script that runs on an endpoint to compute a response to a Tanium question. The Tanium Server distributes sensors to endpoints during Tanium Client registration. Sensors enable you to ask questions that collect information such as the following:

  • Hardware and software inventory and configuration
  • Running applications and processes
  • Files and directories
  • Network connections

The installation process for the Tanium Server automatically imports the Tanium™ Default Content and Tanium™ Interact content packs that include sensors for a wide range of common questions. Other Tanium solutions that you import might add more sensors, depending on which Tanium content packs or Tanium solution modules you import. If you cannot find a sensor you need within Tanium-provided content, you can create custom sensors.

For more information, see Managing sensors.

Counting and non-counting questions

A counting question returns results in which it is possible for any particular answer string to be the same for multiple endpoints. The Question Results grid displays a Count column that indicates how many endpoints provided each common answer. A counting question can have only one sensor. Get Operating System from all machines is an example of a counting question, with a sensor that returns the operating system of managed endpoints. When an endpoint adds its answer to the answer message, it increments the tally of the answer that its value matches. The Tanium Server maintains a table of answer strings. In many cases, such as the operating system, many endpoints provide just a few common answers, so the question has a relatively small footprint on the Tanium Server.

Figure  2:  Counting question

A non-counting question has sensors that return a unique answer string from each endpoint. For example, Get IP Address from all machines returns IP addresses, which are unique. For a non-counting question, the Tanium Client adds a new string to the answer message instead of incrementing the tally for an existing string. Therefore, the data footprint for a non-counting question can be large on the Tanium Server.

Figure  3:  Non-counting question

When using the Question Builder to construct a single-sensor question, you have the option to convert a counting question to a non-counting question for cases where a counting question returns the too many results answer.

Questions with multiple sensors

When you construct a question, use the AND operator in the get clause to specify multiple sensors. The Question Results page groups results by the first sensor, then by the next sensor, and so on, as the following example illustrates.

Figure  4:  Question with multiple sensors

Questions with parameterized sensors

A parameterized sensor uses a value that you specify when entering the question in the Ask a Question field or Question Builder. The following example shows the Registry Value Data sensor. The Tanium Console prompts you to specify a file path and file name.

Figure  5:  File Exists parameterized sensor

Another example is the High CPU Processes sensor. You can specify a parameter that is the number of CPU processes to return from each machine. For example, you might want to get the top 5 highest CPU utilizing processes. The question has the following syntax:

Get High CPU Process[5] from all machines

For sensors with multiple parameters, you can specify an ordered list of comma-separated parameters. For example, to see the first 10 lines from the action log for the action with ID 1, specify a parameter list as follows:

Get Tanium Action Log[1,10] from all machines

Questions with filters

You can use filters to create questions that target fewer endpoints than the default all machines. For example, the following advanced question targets only endpoints that have a specific process name or value.

Figure  6:  Question filter

The left side (get clause) is a complete and valid query; the right side contains a filter: the from all machines with expression. Filters in the from clause are the first part of a question that an endpoint processes. If the endpoint data does not match the filter, the endpoint does not process the question any further. If the question has multiple filters, the endpoint evaluates each filter. The filter expression must evaluate to a Boolean true or false. For example, the expression from all machines with Running Processes contains explore evaluates to true if the specified string matches the result string, or false if it does not. If a filter evaluates to true, the endpoint runs the sensors on the left side of the question and returns the results.

A parameterized sensor like File Exists[] returns the result File Exists: Filename or File does not exist, so be careful how you enter the sensor in a filter expression.

Figure  7:  Example: Question with parameterized sensor

The filter expression from all machines with File Exists["C:\Program Files\PuTTY\putty.exe"] containing "Exists" evaluates to true when the result is File Exists: C:\Program Files\PuTTY\putty.exe and false when the result is File does not exist, so you can use it to filter the set of responses.

Figure  8:  Example: Filter with parameterized sensor

Filter expressions can match strings or regular expressions. The following table describes the supported filter operators as they appear when you use the Question Builder. The table also describes how some operators are normalized after you load them from the Question Builder or enter the expressions in the Ask a Question field.

Table 1:   Filter operators
Filter operator Usage
contains Sensor value contains the specified string.

Example: running processes contains "explore"

does not contain Sensor value does not contain the specified string.
starts with Sensor value starts with the specified string.

Example: starts with "explore"

does not start with Sensor value does not start with the specified string.
ends with Sensor value ends with the specified string.

Example: ends with "explore.exe"

does not end with Sensor value does not end with the specified string.
matches Sensor value matches the specified regular expression (in Boost syntax).
does not match Sensor value does not match the specified regular expression.
in Sensor value matches one of the specified strings. Use commas without spaces to separate the strings. When you load the question, the expression shown in the question field uses equals and or operators in place of in.

Example: The filter in "10.10.10.10,10.10.10.11" in the Question Builder becomes IP Address equals 10.10.10.10 or IP Address equals 10.10.10.11 when you load the question.

is equal to Sensor value is equal to the specified value or string. When you load the question, the expression shown in the question field uses equals in place of is equal to.
is not equal to Sensor value is not equal to the specified value or string. When you load the question, the expression shown in the question field uses not equals in place of is not equal to.
is less than Sensor value is less than the specified value. When you load the question, the expression shown in the question field uses a symbol (<) in place of the operator words.

Example: installed application version[chrome] < 12

is less than or equal to Sensor value is less than or equal to the specified string. When you load the question, the expression shown in the question field uses symbols (<=) in place of the operator words.

Example: installed application version[chrome] <= 12

is greater than Sensor value is greater than the specified value. When you load the question, the expression shown in the question field uses a symbol (>) in place of the operator words.

Example: installed application version[chrome] > 12

is greater than or equal to Sensor value is greater than or equal to the specified string. When you load the question, the expression shown in the question field uses symbols (>=) in place of the operator words.

Example: installed application version[chrome] >= 12

See Reference: Advanced question syntax for examples of complex filter expressions, including questions with multi-column sensors.

Issue a question through the Ask a Question field

The Interact Ask a Question field is a text-entry field that you can use to quickly construct dynamic questions. The field is particularly useful when you want to issue simple questions, or when you understand Tanium question syntax sufficiently to manually enter advanced questions that involve filters, regular expressions, or operators.

If you want guidance while creating questions, see Issue a question through the Question Builder. For details on question syntax, see Reference: Example questions and Reference: Advanced question syntax.

  1. Go to the Tanium Console home page or Interact Home page.
  2. Enter your question in the Ask a Question field at the top of the page.

    Interact uses a natural language parser to interpret your entry. The question text can be in natural English and does not require complete sentences, case sensitivity, or strictly correct spelling.

    Unless you specify a from clause in the question, Interact uses the default from all machines. This default value specifies that all managed endpoints for which you have computer group management rights answer the question.

  3. Click Search Search.

    Interact displays a set of proposed questions in valid syntax, listed from top to bottom in the order of how closely they approximate your question text. For example, if you entered last logged in user, the top-most question might be Get Last Logged In User from all machines.



    If your question text includes a parameterized sensor, Interact indicates the number of parameters for each proposed question.

  4. Click a proposed question to issue it. If the question has parameterized sensors, click Expand Expand, enter the parameter values, and click Go to issue the question.

    The Question Results page opens to display the answers from endpoints.

For details and tasks relating to question results, see Managing question results.

Issue a question through the Question Builder

The Question Builder provides a guided method for creating a dynamic question. It has form fields to help you complete the get statement and the from clause, including any filters.

Figure  9:  Question Builder

  1. Open the Question Builder page:
    • To create a new question, click Question Builder above the Ask a Question field in the Tanium Console home page.
    • To refine a question that you already issued, click Copy to Question Builder below the question field.
  2. Click + Add below Get the following data to create the get statement. A row appears with a text field for entering a sensor name.
  3. Start typing in the sensor name field, use the typeaheads to select a sensor, and click Save check mark.



    Alternatively, click Browse All Sensors below the sensor name field to open the Browse Sensors dialog and select a sensor. The bottom of the dialog displays the Sensor Description.

  4. For a sensor that produces data across multiple Question Results columns, you can add filters based on column data matches. In the Question Builder, click Add filter below the sensor field to configure a filter. By default, filter matching applies to a single column, which you select in the first drop-down list below the sensor name. Note that single-column filtering works only if the sensor definition specifies column delimiters with a single character (such as "|"), not multiple characters (such as "|:"). To apply matching to all the columns for a sensor, select Row Filter.



    You can select matching operators and specify regular expressions to match strings. To match on substrings, select the Substring box and specify a Start position (where 0 is the first position) and number of characters (Length).

  5. (Optional) If you add a filter in the Get the following data or from computers with sections, you can click Advanced Sensor Options below the filter to configure the following settings:
    Table 2:   Advanced Sensor Options
    SettingsGuidelines
    Case SensitivityGroup strings:
    • Ignore case: Group and count result values regardless of differences in upper-case and lower-case characters.
    • Match case: Group and count result values with strict attention to lettercase.
    MatchingThis option is available only in the from computers with section.

    For some sensors, a Tanium Client might compute multiple results. When the sensor is used as a filter in the from clause, specify whether any or all of the results must match the filter:

    • Match Any Value: Any value in the answer must match the value specified in the question.
    • Match All Values: All values in the answer must match the value specified in the question.

    For example, in response to the IP Address sensor, it is possible for a Tanium Client to return both an IPv4 address and an IPv6 address. A question based on the IP Address sensor containing 192.168 for example could possibly match the IPv4 address but not the IPv6 address. In this case, you probably want the match Match Any Value option.

    Treat Data AsInteract treats sensor values as the type of data that you specify:
    • Date/Time (BES)
    • Date/Time (WMI)
    • File Size
    • Integer
    • IP Address
    • Numeric
    • Text
    • Time Duration
    • Version
    Maximum Data Age Maximum amount of time that the Tanium Client can use a cached result to answer a question. For example, the maximum data age for the File Size sensor is 15 minutes by default. When a Tanium Client is asked a question that executes the File Size sensor, it caches the result. Over the next 15 minutes, if the Tanium Client is asked a question that includes the File Size sensor, it responds with the cached answer. After 15 minutes, if the Tanium Client is asked a question that includes the File Size sensor, it executes the sensor script again to compute a fresh answer.

    Use shorter ages for sensors that return values subject to change frequently, such as status and utilization sensors. Use longer ages for values that typically change infrequently, such as the chassis type or Active Directory Domain membership.

  6. To create the from clause, click one of the following buttons below from computers with and then click Save check mark:
    • + Add: Add one or more conditions that endpoints must match. You can base the matching (Select Attribute) on a Sensor or Computer Group (management group or filter group).
    • + (Group): Select this option to nest a Boolean operator and then use + Add to build the nested expression.

    You can configure multiple filters, including nested filters. For example, to investigate the web browsers installed on computers, you can select the Boolean AND or OR in the from clause to target modern browsers.

  7. (Optional) Click Advanced Question Options and enable Force Computer ID if you want to convert a single-sensor, counting question into a non-counting question by forcing Tanium Clients to include the computer ID in their answers. Note that the Question Results page does not include the computer ID results when you select this option. Converting to a non-counting question is a workaround that resolves cases where a counting question returns the too many results answer. For details, see the KB article Troubleshooting Errors / Informational Messages (too many results message).

  8. Click Ask Question to issue the question.

    The Question Results page opens to display the answers from endpoints.

For details and tasks relating to question results, see Managing question results.

Question expiration

Upon issuing a dynamic or saved question, the Tanium Server assigns a question ID to the question. The question ID appears in the URL field of your web browser. After 10 minutes, the question ID expires and its URL becomes invalid. This means you can refresh the page or share the link only within that 10-minute period.

Figure  10:  Question ID

If you navigate to the URL after 10 minutes, Interact displays a Question Expired message and provides the option to copy the question text to the question field so that you can reissue it.

Figure  11:  Question Expired message

Question history

Use the Administration > Question History page to perform the following tasks.

Users require a role with the Read Question History (micro admin) permission to see the Question History page. However, this permission does not enable loading a question from the Question History page. Users who have the Administrator reserved role can see the Question History page and load a question from it.

  • Review a chronology of issued questions, as well as their syntax and other details (such as issuer and expiration time stamp). By default, the Tanium Server maintains an entry for a question in the chronology for seven days.

    The Persona column indicates only the alternative personas that users used when issuing questions; the column is blank for default personas.

  • Copy an issued question to the Ask a Question field to reissue it: select the question and click Load.
  • Copy Copy the selected chronology entries to your clipboard.

Saved questions

After issuing a dynamic question, you can click Save above the question field to save the question syntax as a configuration object with associated settings . You can then reissue the question without reconstructing it in the Ask a Question field or Question Builder. Tanium content packs that you import provide predefined saved questions. You can issue saved questions manually or based on a configurable schedule. You can also issue saved questions through Tanium modules or custom applications that use the Tanium XML API. For details, see Managing saved questions.