Other versions

Managing saved questions

A saved question configuration includes question syntax and settings. You create a saved question from the Interact Question bar.

User role requirements

To create, modify, or delete saved question configurations, your user account requires a role with the Write Saved Question permission. The Read Sensor content set permissions determine the available sensors.

In addition to the Write Saved Question permission, you must have the Write Action and Write Package permissions to add associated actions to a new saved question configuration. In addition to these three permissions, you must also have owner permissions for the question if you later want to modify or delete the associated actions.

Users assigned the Administrator or Content Administrator reserved roles have these permissions.

Edit a saved question

As a best practice, do not edit saved questions that are provided through content packs imported from Tanium (for details, see Tip 4: Limit customizations to Tanium content). Consult your Technical Account Manager (TAM) if editing the Tanium-provided questions is necessary. Alternatively, you can create copies of Tanium-provided questions and edit the copies. You can also edit custom saved questions that you created from scratch. To edit a saved question:

  1. Go to Content > Saved Questions.
  2. Use the search and column sorting features to find the saved question you want to edit.
  3. Select the saved question row, click Edit, and configure the following settings.
  4. Settings Guidelines
    Name Specify a configuration name. The name appears in saved question lists that are incorporated into Tanium Console workflows. Observe the existing naming scheme so that you and other administrators can find it easily.
    Content Set Assign to a content set. The list is populated with all content sets for which you have Write Saved Question permission.
    Visibility
    • According to RBAC. Users must have the Read Saved Question permission for the content set to which the saved question belongs to see the saved question.
    • Only the Owner and Admins. Only the object owner and users with the Administrator reserved role can see the saved question.
    Reissue this question every If you want to periodically reissue the question, specify a number and unit for the reissue interval: Minutes, Hours, Days. The Tanium Server first issues the saved question immediately after you save the configuration. Tanium Clients that are online at that time respond with their answers. You can use the reissue option to account for machines that are not currently online but are routinely online within predictable cycles (and even unpredictable times). For example, employee laptops might be offline the moment you save the saved question configuration, but you think you are likely to find them online at least once if you were to check every eight hours.

    If you configure reissuing, the Tanium Server reissues the saved question in the background at the interval you specify. For example, if you save the saved question configuration at 9:00 a.m. local time and specify a reissue interval of every eight hours, the Tanium Server reissues the saved question at 5:00 p.m., 1:00 a.m., 9:00 a.m., and so on. The results are archived. This improves the data quality of recent responses displayed in the Question Results grid for machines that are not online when you use Interact to issue the question. You can use the Question History to verify that the saved questions are sent according to the reissue interval you configured.

    Note: If you specify a reissue interval of eight hours, the Tanium Server reissues the saved question exactly every eight hours, regardless of time changes due to daylight savings time.

    Default preferences This option appears only for users with the Administrator or Content Administrator roles. The purpose is to enable an advanced user to curate the configuration for other users. Defaults are commonly understood as good choices. When this option is selected, the administrator's choices populate the initial defaults shown for subsequent users. The subsequent users are free to modify the settings. When non-administrator users modify the settings, their choices are preserved and will persist even when another administrator subsequently changes the default preferences.

    Note: When an Administrator or Content Administrator makes changes, it does change the settings for all other Administrator or Content Administrator users. This design forces administrators to agree on the best default settings.

    Make this question available for drilldown Include in the Select Drilldown Question dialog box, Saved Questions tab.
    Non-Counting Question / Counting Question Specify whether to turn the question into a non-counting question. Non-counting questions have a larger data footprint because the Tanium Server maintains data per computer ID. However, this enables storing recent data for the endpoint. Furthermore, the Allow for merging option is available only for non-counting questions.

    The non-counting question option appears when the question is a counting question that has exactly one sensor in the select clause. You can configure the non-counting question option only in the New Saved Question form, not the Edit Saved Question form.

    You can configure the Enable collection and reporting of recent data option only in the New Saved Question form, not the Edit Saved Question form.

    Default Tab Specify a default tab: Question, Grid, or Pie. The Default Tab setting is saved as a user preference unless you set the Default Preferences to all users.
    Default Grid Chart Zoom Set the data period for the initial Question Results grid display: Current or Recent.

    Associated Actions Optional. Click Add Package and select the package that you want to be the default when a user clicks the Deploy Action button in the Question Results grid.
  5. Save your changes.

If you create a saved question based on a parameterized sensor, and then modify the sensor, the saved question behaves as originally designed. Only after you modify the saved question will it behave as expected with the new sensor definition.

Import/export a saved question configuration

As a best practice, develop and test content in your lab environment before distributing it to your production servers. The Tanium Console import/export XML feature supports this practice.

User role requirements

Users can export specific saved questions for which they have Write Saved Question permission. Users with the Administrator or Content Administrator reserved role can export and import the complete saved questions configuration.

Export specific saved questions

  1. Go to Content > Saved Questions.
  2. Select one or more saved questions and click Export in the toolbar above the table header.
  3. Enter a File Name or accept the default, and then click OK. The Tanium Server exports the XML file to the Downloads folder on the system you use to access the Tanium Console.

Export the complete saved questions configuration

  1. Go to Content > Saved Questions and click Export All in the table header.

    Alternatively, or if you want to export other configuration objects in addition to saved questions, go to any Content or Permissions page, click Export to XML in the top right of the Tanium Console, select Saved Questions and any other object types, and click Export.

  2. Enter a File Name or accept the default, and then click OK. The Tanium Server exports the XML file to the Downloads folder on the system you use to access the Tanium Console.

Import a saved questions configuration

  1. Use KeyUtility.exe to sign the XML configuration file before you import it. As a one-time action, you must also copy the associated public key to the correct folder. For the procedures, see Signing content XML files.
  2. From any Content or Permissions page, click Import from XML at the top right of the Tanium Console.
  3. Click Choose File, find and select the configuration file, and click Open.
  4. Click Import. If object names in the file are the same as for existing objects, the Tanium Console itemizes the conflicts and provides resolution options for each one.
  5. Select resolutions for any conflicts. For guidance, see Conflicts and Best practices or consult your TAM.
  6. Click Import again, and click Close when the import finishes.

Last updated: 2/6/2019 2:40 PM | Feedback