Asking questions and searching endpoints

Use Tanium Interact to ask questions and retrieve information from endpoints. For example, you can ask a question that determines if any endpoints are missing critical security patches. Based on the question results that the endpoints return, you can then deploy actions, such as installing security patches. You can also use the Interact Search Endpoints feature to quickly retrieve a lot of information about a single endpoint instead of constructing a long question with many sensors.

For details on manipulating and analyzing question results, see Managing question results.

For details on deploying actions, see Deploying actions.

For the user roles and permissions required to ask questions, see Tanium Interact permissions.

What is a question?

A Tanium question is a query that you issue from Tanium Cloudthe Tanium Server to managed endpoints. A dynamic question is one that you create and issue through the Ask a Question or Question Builder features in Interact. A saved question is a configuration object that enables you to reissue a question without reconstructing it through those features.

The Ask a Question feature is built on a natural language parser that enables you to get started with natural questions rather than a specialized query language. You do not need to enter questions as complete sentences or particularly well-formed inquiries. Word forms are not case sensitive and can even include misspellings. The parser interprets your input and suggests a number of valid queries that you can use to formalize the question that is sent to Tanium Clients. Interact provides the Ask a Question feature as a field at the top of the Interact Overview page and the Tanium Home page. For details, see Issue a question through the Ask a Question field.

The following figure shows an example of how Interact uses the natural language parser to propose valid queries based on user input. First, the user enters the fragment last loggedlast logged in user and clicks Search. In response, Interact returns a list of queries cast in valid syntax.

Questions have a get clause that specifies the information to retrieve and a from clause that specifies the target endpoints. Basic questions include the following:

One or more sensor names (such as Last Logged In User) in the get clause
From all machines (all endpoints that host the Tanium Client) in the from clause

Advanced questions include reserved words or characters (such as match or $), regular expressions, filter clauses, the in operator, or advanced options.

For more information about question syntax, see Reference: Advanced question syntax.

What is a sensor?

A sensor is a script that runs on an endpoint to compute a response to a Tanium question.Tanium Cloud The Tanium Server distributes sensors to endpoints during Tanium Client registration. Sensors enable you to ask questions that collect information such as the following:

Hardware and software inventory and configuration
Running applications and processes
Files and directories
Network connections

Tanium Cloud provides The Tanium Server automatically imports initial content that includes sensors for a wide range of common questions (see Tanium Console User Guide: Initial content). Other Tanium solutions that you import might provide more sensors. If you cannot find a sensor that you need within Tanium-provided content, you can create custom sensors.

For more information, see Managing sensors.

Counting and non-counting questions

A counting question returns results in which it is possible for any particular answer string to be the same for multiple endpoints. The Question Results grid displays a Count column that indicates how many endpoints provided each common answer. A counting question can have only one sensor. Get Operating System from all machines is an example of a counting question, with a sensor that returns the operating system of managed endpoints. When an endpoint adds its answer to the answer message, it increments the tally of the answer that its value matches. Tanium CloudThe Tanium Server maintains a table of answer strings. In many cases, such as the operating system, many endpoints provide just a few common answers, so the question has a relatively small footprint on Tanium Cloudthe Tanium Server.

A non-counting question has sensors that return a unique answer string from each endpoint. For example, Get Computer ID from all machines returns unique answers. For a non-counting question, the Tanium Client adds a new string to the answer message instead of incrementing the tally for an existing string. Therefore, the data footprint for a non-counting question can be large on Tanium Cloudthe Tanium Server.

If the Count column does not appear in the Question Results grid, click Customize Columns in the grid toolbar and select the Count check box to show the column. For more information on managing the Question Results grid, see Manage row sorting, column visibility, and text wrapping for question results.

When using the Question Builder to construct a single-sensor question, you have the option to convert a counting question to a non-counting question for cases where a counting question returns the [too many results] answer. For details about that answer, see Tanium Console User Guide: Troubleshoot question results issues.

Questions with multiple sensors

When you construct a question, use the AND operator in the get clause to specify multiple sensors. The Question Results page groups results by the first sensor, then by the next sensor, and so on, as the following example illustrates.

Figure 4: Question with multiple sensors

Questions with parameterized sensors

A parameterized sensor uses a value that you specify when entering the question in the Ask a Question field or Question Builder. The following example shows the Registry Value Data sensor. The Tanium Console prompts you to specify a registry path and value.

Another example is the High CPU Processes sensor. You can specify a parameter that is the number of CPU processes to return from each machine. For example, you might want to get the top 5 highest CPU utilizing processes. The question has the following syntax:

Get High CPU Process[5] from all machines

For sensors with multiple parameters, you can specify an ordered list of comma-separated parameters. For example, to see the first 10 lines from the action log for the action with ID 1, specify a parameter list as follows:

Get Tanium Action Log[1,10] from all machines

For more details, see Tanium Console User Guide: Example: Parameterized sensors.

Questions with filters

You can use filters to create questions that target fewer endpoints than the default all machines. For example, the following advanced question targets only endpoints that have a specific process name or value.

The left side (get clause) is a complete and valid query; the right side contains a filter: the from all machines with expression. Filters in the from clause are the first part of a question that an endpoint processes. If the endpoint data does not match the filter, the endpoint does not process the question any further. If the question has multiple filters, the endpoint evaluates each filter. The filter expression must evaluate to a Boolean true or false. For example, the expression from all machines with Running Processes contains explore evaluates to true if the specified string matches the result string, or false if it does not. If a filter evaluates to true, the endpoint runs the sensors on the left side of the question and returns the results.

A parameterized sensor like File Exists[] returns the result File Exists: Filename or File does not exist, so be careful how you enter the sensor in a filter expression.

Figure 7: Example: Question with parameterized sensor

The filter expression from all machines with File Exists["C:\Program Files\PuTTY\putty.exe"] contains "Exists" evaluates to true when the result is File Exists: C:\Program Files\PuTTY\putty.exe and false when the result is File does not exist, so you can use it to filter the set of responses.

Figure 8: Example: Filter with parameterized sensor

Filter expressions can match strings or regular expressions. The following table describes the supported filter operators as they appear when you use the Question Builder. The table also describes how some operators are normalized after you load them from the Question Builder or enter the expressions in the Ask a Question field.

Table 1: Filter operators
Filter operator	Usage
contains	Sensor value contains the specified string. Example: running processes contains "explore"
does not contain	Sensor value does not contain the specified string.
starts with	Sensor value starts with the specified string. Example: starts with "explore" When you load the question, the expression is translated to a regular expression using the matches operator.
does not start with	Sensor value does not start with the specified string.
ends with	Sensor value ends with the specified string. Example: ends with "explore.exe" When you load the question, the expression is translated to a regular expression using the matches operator.
does not end with	Sensor value does not end with the specified string.
matches	Sensor value matches the specified regular expression (in Boost syntax).
does not match	Sensor value does not match the specified regular expression.
in	Sensor value matches one of the specified strings. Use commas without spaces to separate the strings. When you load the question, the expression shown in the question field uses equals and or operators in place of in. Example: The filter in "10.10.10.10,10.10.10.11" in the Question Builder becomes IP Address equals 10.10.10.10 or IP Address equals 10.10.10.11 when you load the question.
is equal to	Sensor value is equal to the specified value or string. When you load the question, the expression shown in the question field uses equals in place of is equal to.
is not equal to	Sensor value is not equal to the specified value or string. When you load the question, the expression shown in the question field uses not equals in place of is not equal to.
is less than	Sensor value is less than the specified value. When you load the question, the expression shown in the question field uses a symbol (<) in place of the operator words. Example: installed application version[chrome] < 12
is less than or equal to	Sensor value is less than or equal to the specified string. When you load the question, the expression shown in the question field uses symbols (<=) in place of the operator words. Example: installed application version[chrome] <= 12
is greater than	Sensor value is greater than the specified value. When you load the question, the expression shown in the question field uses a symbol (>) in place of the operator words. Example: installed application version[chrome] > 12
is greater than or equal to	Sensor value is greater than or equal to the specified string. When you load the question, the expression shown in the question field uses symbols (>=) in place of the operator words. Example: installed application version[chrome] >= 12

For details about advanced filtering options, see Reference: Advanced question syntax.

Issue a question through the Ask a Question field

Use the Interact Ask a Question field to quickly construct dynamic questions. The field is particularly useful when you want to issue simple questions, or when you understand Tanium question syntax sufficiently to manually enter advanced questions that involve filters, regular expressions, or operators.

If you want guidance while creating questions, see Issue a question through the Question Builder. For details on question syntax, including how to handle reserved words and characters in question text or sensor names, see Reference: Advanced question syntax.

Go to the Tanium Home page or Interact Overview page.
In the Ask a Question field, enter your question and press Enter, or just move your cursor to the field to open a dropdown list from which to select a recently asked question. Note the following options and behaviors for the field:
- Interact uses a natural language parser to interpret your entry. The question text can be in natural English and does not require complete sentences, case sensitivity, or strictly correct spelling.
- Unless you specify a from clause in the question, Interact uses the default from all machines. This default value specifies that all managed endpoints that are members of computer groups assigned to your user account answer the question.
- For new users, the dropdown list contains a list of common questions. When you return to the Ask a Question field for subsequent questions, the dropdown list shows your most recent questions.
- Expand a question in the dropdown list to show details for that question, including the average runtime on endpoints and which sensors are used.
- When you enter a question, the dropdown list displays a set of proposed questions in valid syntax, listed in the order of how closely they approximate your question text. If the proposed questions do not match your entry, add quotation marks around the sensor names (see Use reserved words or characters). Alternatively, click More ways to explore data in the dropdown list to open the Question Builder, which shows how to properly format question text.
- If your question does not appear in the dropdown list, select the Use enhanced search for option. The natural language parser then examines the question text and shows additional questions.
- If your question text includes a parameterized sensor, Interact prompts you for the parameters.

After you press Enter or select a question in the dropdown list, the Question Results page opens to show answers from endpoints.

For examples of questions that you can enter in the Ask a Question field, see Reference: Example questions.

For details and tasks relating to question results, see Managing question results.

Issue a question through the Question Builder

The Question Builder provides a guided method for creating a dynamic question. It has form fields to help you complete the get statement and the from clause, including any filters.

Open the Question Builder page:
- To create a new question, click Build Question beside the Ask a Question field on the Tanium Home page.
- To refine a question that you already issued, click Copy to Question Builder next to the question field on the Question Results page.
- You can also access the Question Builder page from the Interact menu, and through the More ways to explore data option in the Ask a Question field.
Click + Add below Get the following data to create the get statement. A row appears with a text field for entering a sensor name.
Start typing in the sensor name field, use the typeaheads to select a sensor, and click Apply.
Alternatively, click Browse All Sensors below the sensor name field to open the Browse Sensors dialog and select a sensor. The bottom of the dialog displays the Sensor Description.
For a sensor that produces data across multiple Question Results columns, you can add filters based on column data matches. In the Question Builder, click Add filter below the sensor field to configure a filter. By default, filter matching applies to a single column, which you select in the first dropdown list below the sensor name. Note that single-column filtering works only if the sensor definition specifies column delimiters with a single character (such as "|"), not multiple characters (such as "|:"). To apply matching to all the columns for a sensor, select Row Filter.
You can select matching operators and specify regular expressions to match strings. To match on substrings, select the Substring box and specify a Start position (where 0 is the first position) and number of characters (Length).
(Optional) If you add a filter in the Get the following data or from computers with sections, you can click Advanced Sensor Options below the filter to configure additional settings. See Reference: Advanced sensor options.
To create the from clause, click one of the following buttons below from computers with and then click Apply:
- + Add: Add one or more conditions that endpoints must match. You can base the matching (Select Attribute) on a Sensor or Computer Group (management group or filter group).
- + Grouping: Select this option to nest a Boolean operator and then use + Add to build the nested expression.
You can configure multiple filters, including nested filters. For example, to investigate the web browsers installed on computers, you can select the Boolean AND or OR in the from clause to target modern browsers.
(Optional) Click Advanced Question Options and enable Force Computer Id if you want to convert a single-sensor, counting question into a non-counting question by forcing Tanium Clients to include the computer ID in their answers. Note that the Question Results page does not include the computer ID results when you select this option. Converting to a non-counting question is a workaround that resolves cases where a counting question returns the too many results answer. For details, see Enable or disable live updates.
Click Ask Question to issue the question.
The Question Results page opens to show the answers from endpoints.

For details and tasks relating to question results, see Managing question results.

Search endpoints

Use the Interact Search Endpoints field to view comprehensive information about a single endpoint as an alternative to issuing a long, complex question. Interact quickly retrieves and displays information for the Search Endpoints feature, even for endpoints that are currently offline, because most of the sensors that collect the information are registered by default with the Tanium Data Service.

The permissions that are required to use the Search Endpoints field are available to the Administrator reserved role, Interact Power User role, and Interact Basic User role.

The Search Endpoints field requires Interact 2.13 or later and Reporting 1.9 or later.

The Search Endpoints field provides two levels of information:

Basic information: This includes the results of the following sensors: Computer Name, Tanium Client IP Address, OS Platform, Last Logged in User, and Online status (online or offline ).
Detailed information: You can open a page that shows a single endpoint view with comprehensive details from dozens of sensors. In addition to the basic information, the detailed information include data about the endpoint operating system, hardware, primary user, Tanium Client version, processors, installed applications, logical disks, network adapters, and physical disks. If the endpoint is online, you can deploy an action to it from the endpoint view page.

You can also access this information through the Question Results page. See View details for a single endpoint.

Go to the Tanium Home page and click Search Endpoints.
Display basic information about an endpoint by typing its computer name, Tanium Client IP address, or last logged-in user name without pressing Enter.
Type a partial string to see basic information about multiple endpoints. For example, if you type 10.20.21, a dropdown list shows information about all the endpoints with an IP address that contains those digits.
Click the Computer Name to open the Endpoint Details page, which contains detailed information and provides additional options for exploring or managing the endpoint.

For information about using the Endpoint Details page, see Tanium Reporting User Guide: Viewing and managing a single endpoint.

Question expiration

When Tanium Cloudthe Tanium Server issues a dynamic or saved question, it remains open (not expired) for 10 minutes on the targeted Tanium Clients. After a client returns values for the sensors in the question, if the values change while the question is open, that client returns the updated values. For example, if a client initially returns 50% for a question with the CPU Consumption sensor and consumption subsequently increases to 75% within the 10-minute interval, the client then returns 75%. Clients check every 10 seconds to determine whether sensor values have changed.

While a question is open, Tanium Clients evaluate the age of the results for each sensor to determine whether to return cached results or to reexecute the sensors for fresh results when answering subsequent questions that use the same sensors. See Maximum Data Age.

The expiration interval is 30 minutes for questions that the Tanium™ Data Service issues to collect data for registered sensors. See Tanium Console User Guide: Manage sensor results collection.

For each question, Tanium Cloudthe Tanium Server assigns an identifier (ID) that appears in the URL field of your browser when the Question Results page opens. For example, in the URL https://10.20.30.40/#/interact/q/376, the question ID is 376. The question and its ID expire 10 minutes after the question is issued, at which point the URL becomes invalid. This means you can refresh the page or share a link to its URL only within that 10-minute period. If you navigate to the URL after 10 minutes, Interact displays a Question Expired message and Copy Question button. Clicking the button reissues the question.

Question history

Use the Question History page to manually reissue questions or view a chronology of issued questions, as well as their syntax and other details (such as issuer and expiration time stamp). By default, the Question History page shows questions that were issued in the past 24 hours. You can change the date range to show more entries, or apply filters to limit the entries that appear.

By default, question Expiration date-times are based on the Local Time of the system that you use to access the Tanium Console, but you can switch to Coordinated Universal Time (UTC).

Users require a role with the Question History read permission to see the Question History page. For the permissions that are required to load questions from the page, see Question history.

Reissue a question

To reissue a question, select the question in the grid and click Load. The Tanium Console displays the results in the Question Results page.

Export question history

Export information from the Question History grid as a CSV file to view the information in an application that supports that format. If you have the Administrator reserved role, you can also export the information as a JSON file.

From the Main menu, go to Administration > Content > Question History.
Select rows in the grid to export information only for specific questions. If you want to export information for all questions, skip this step.
Click Export .
(Optional) Edit the default export File Name.
The file suffix (.csv or .json) changes automatically based on the Format selection.
Select an Export Data option: export information for all All questions in the grid or just for the Selected questions.
Select the file Format: CSV (default) or JSON (Administrator reserved role only).
Click Export.
Tanium CloudThe Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.

Copy question history details

Copy question history details to your clipboard to paste them into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

From the Main menu, go to Administration > Content > Question History.
Perform one of the following steps:
- Copy row information: Select one or more rows and click Copy .
- Copy cell information: Hover over the cell, click Options , and click Copy .

Saved questions

After issuing a dynamic question, you can click Save above the question field to save the question syntax as a configuration object with associated settings. You can then reissue the question without reconstructing it in the Ask a Question field or Question Builder. Tanium Cloud providesTanium solutions provide predefined saved questions. You can issue saved questions manually or based on a configurable schedule. You can also issue saved questions through Tanium modules or custom applications that use the Tanium XML API. For details, see Managing saved questions.