Managing saved questions

You create a saved question from the Interact Question bar. A saved question configuration includes question syntax and settings.

Role requirements

You must be assigned a role with the Write Saved Question permission to create, modify, or delete saved question configurations. The sensors available are determined by Read Sensor content set permissions.

You must have the Write Action and Write Package permissions to add an "associated action" to a new saved question configuration. You must have owner permissions to modify or delete the associated action.

Users assigned the Administrator or Content Administrator reserved roles have these permissions.

Edit a saved question

  1. Go to Authoring > Saved Questions.
  2. Use the search and column sorting features to find the saved question you want to edit.
  3. Click in the saved question row to select it.
  4. Click Edit and complete the configuration as described in Table 1.
  5. Save your changes.

If you create a saved question based on a parameterized sensor and then modify the sensor, the saved question continues to behave as originally designed until the saved question itself is modified. After that, it uses the new sensor definition.

Table 1: Saved question configuration guidelines (setting name, followed by its guidelines)

Name
    Specify a configuration name. The name appears in saved question lists that are incorporated into Tanium Console workflows. Follow the existing naming scheme so that you and other administrators can find the saved question easily.

Content Set
    Assign to a content set. The list is populated with all content sets for which you have Write Saved Question permission.

Visibility
      • According to RBAC. Users must have the Read Saved Question permission for the content set to which the saved question belongs to see the saved question.
      • Only the Owner and Admins. Only the object owner and users with the Administrator reserved role can see the saved question.

Reissue this question every
    The saved question is first issued immediately upon saving the configuration. Clients that are online at that time respond with their answers.

    You can use the "reissue" option to account for machines that are not currently online but that come online in predictable cycles, or even at unpredictable times. For example, employee laptops might be offline the moment you save the saved question configuration, but you expect to find them online at least once if you check every 8 hours.

    When reissue is selected, the saved question is reissued in the background at the interval you specify. For example, if you save the saved question configuration at 9:00 a.m. local time and specify a reissue interval of every 8 hours, the Tanium Server reissues the saved question at 5:00 p.m., 1:00 a.m., 9:00 a.m., and so on. The results are archived. This improves the data quality of "recent" responses displayed in the results grid for machines that are not online when you use Interact to issue the question.

    You can use the Question History to verify that the saved questions are sent according to the reissue interval you have configured.

    Specify a number and unit for the reissue interval: Minutes, Hours, Days.

    Note: If you specify a reissue interval of 8 hours, the system reissues the saved question exactly every 8 hours, regardless of time changes due to daylight saving time.

Make this question available for drilldown
    Include the saved question on the Saved Questions tab of the Select Drilldown Question dialog box.

Make this question available for merging
    Include the saved question on the Saved Questions tab of the Select Merge Questions dialog box.

Enable recent view on this counting question
    If a counting question has exactly one sensor, you can select this option to enable reporting in the recent results view of the results grid.

Default Tab
    Specify a default tab: Question, Grid, Pie.

    The Default Tab setting is saved as a user preference unless the Use these as the default for all users setting is selected.

Default Grid Chart Zoom
    Specify a data period: Current or Recent.

    Current data includes responses from machines that are currently online.

    Recent data may include responses from offline machines. The Tanium Server caches client responses for 7 days by default. If a client is not online when a question is issued, but the Tanium Server has a cached value for it, the "recent" cached result can be passed to the results grid.

    (You can change the default limit for recent with the global setting max_most_recent_age.)

    The Default Grid Chart Zoom setting is saved as a user preference unless the Use these as the default for all users setting is selected.

Use these as the default preferences for all users
    Select this option to make the Default Tab and Default Grid Chart Zoom settings apply to all users who issue this saved question.

Associated Actions
    Optional. Click Add Package and select a package you want to be the default when a user clicks the Deploy Action button from the results grid.

Tags
    Optional. Tags are name-value pairs. Use the controls to add tags. The Saved Questions page includes a Tags column, and you can sort and filter on tags.
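
The reissue timing and 7-day "recent" cache described in Table 1 can be modelled as follows. This is an added example, not Tanium code: it shows that a fixed 8-hour interval drifts against local wall-clock time across a daylight saving change, and when an intermittently online endpoint is first captured. The time zone, dates, laptop window and function names are constructed, and it assumes an endpoint answers only if it is online at the moment the question is issued.

```python
from datetime import datetime, timedelta, timezone

# Constructed scenario: US Eastern time across the 2018 spring-forward,
# which took effect at 2018-03-11 07:00 UTC (02:00 EST became 03:00 EDT).
DST_START_UTC = datetime(2018, 3, 11, 7, 0, tzinfo=timezone.utc)
EST = timezone(timedelta(hours=-5), "EST")
EDT = timezone(timedelta(hours=-4), "EDT")
MAX_RECENT_AGE = timedelta(days=7)  # default cache age stated on the page


def to_local(utc_dt):
    """Wall-clock time of a UTC instant in the constructed zone."""
    return utc_dt.astimezone(EDT if utc_dt >= DST_START_UTC else EST)


def reissue_times(saved_at_utc, interval, count):
    """Issued once on save, then after every `interval` of elapsed time."""
    return [saved_at_utc + i * interval for i in range(count)]


def first_answer(issues, online_windows):
    """First issue time at which the endpoint is online (assumed model:
    an endpoint answers only if it is online at the moment of issue)."""
    for issued in issues:
        if any(start <= issued < end for start, end in online_windows):
            return issued
    return None


def is_recent(answered_at, viewed_at, max_age=MAX_RECENT_AGE):
    """True if a cached answer is still young enough to count as recent."""
    return answered_at is not None and viewed_at - answered_at <= max_age


# Saved Saturday 2018-03-10 at 09:00 EST, reissued every 8 hours.
SAVED_AT = datetime(2018, 3, 10, 9, 0, tzinfo=EST).astimezone(timezone.utc)
ISSUES = reissue_times(SAVED_AT, timedelta(hours=8), 9)

# Constructed laptop that is only online Monday 09:30-17:30 EDT.
LAPTOP = [(datetime(2018, 3, 12, 9, 30, tzinfo=EDT),
           datetime(2018, 3, 12, 17, 30, tzinfo=EDT))]

if __name__ == "__main__":
    for issued in ISSUES:
        print(to_local(issued).strftime("%a %H:%M %Z"))
    answered = first_answer(ISSUES, LAPTOP)
    print("laptop answered:", to_local(answered).strftime("%a %H:%M %Z"))
    print("recent after 6 days:", is_recent(answered, answered + timedelta(days=6)))
    print("recent after 8 days:", is_recent(answered, answered + timedelta(days=8)))
```

After the clock change the same schedule lands at 10:00, 18:00 and 02:00 local time, and an endpoint whose online window is shorter than the interval can be missed entirely, which is what the Question History check is for.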

Import/export a saved question configuration

We recommend that you develop and test content in your lab environment before distributing it to your production servers. The console import/export XML feature supports this practice.

Role requirements

Users can export specific saved questions for which they have Write Saved Question permission. Users with the Administrator or Content Administrator reserved role can export and import the complete saved questions configuration.

Export specific saved questions

  1. Go to Authoring > Saved Questions.
  2. Select one or more saved questions and click the Export icon.
  3. Enter a file name or use the default and click OK.

Export the complete saved questions configuration

  1. From any Authoring page, click the Export to XML link in the top right.
  2. In the Export Content selection box, select the Saved Questions item and click Export.
  3. Enter a file name or use the default and click OK.

    The XML file is downloaded to your local computer.

Import a configuration

  1. From any Authoring page, click the Import from XML link in the top right.
  2. Browse to the configuration file and click Import.

    If you are unsure how to handle naming conflicts, see Conflicts and Best practices or consult with your TAM.

You must use KeyUtility.exe to sign XML files before you import them. You must also copy the public key for the key that signed the XML file to the Tanium Server keys folder. When you import content, the Tanium Server verifies the signature on the imported content against its store of content signing key files. See Signing content XML files.

Last updated: 7/31/2018 5:03 PM