Managing saved questions

Saved questions overview

Saved questions are questions that you can reissue without retyping them in the Interact Question Bar. They are configuration objects for which you can define reissue intervals, access permissions, associated actions, and other settings. You can issue saved questions manually, through Tanium modules, or through custom applications that use the Tanium XML API. For example, you can use Tanium™ Connect to periodically issue a saved question and send the results to an external server. You can create saved questions by issuing a dynamic question through the Question Bar and saving it. Tanium modules and content packs that you import also provide predefined saved questions. The Interact module organizes saved questions under categories and dashboards. Each category, dashboard, and saved question is assigned to one content set.

Dashboard

A dashboard is a group of saved questions that are related with respect to the information that they retrieve from endpoints. For example, the predefined Hardware Inventory dashboard contains questions that retrieve CPU, disk, memory, and BIOS information. You can issue all the questions in a dashboard simultaneously.

Category

A category is a group of dashboards. It serves as an umbrella term for questions that you use for a particular purpose. For example, the Security category includes the Data Leakage, Wireless Network Security, and USB Device Security dashboards, all of which contain security-related questions.

Content set

A content set is a group of saved questions, dashboards, categories, and other content to which you apply user role permissions to control access. Tanium provides several predefined content sets through Initial Content packages and Tanium modules, and you can also create custom content sets. For details and related tasks, see Managing content sets.

Use the following Tanium Console pages to view, issue, and edit saved questions, and to move the questions between content sets. You can also perform actions that are specific to each page:

  • Content > Saved Questions page: Use this page to see the configuration settings of saved questions, and to copy, export, or delete questions.
  • Interact Content page: Use this page to define categories and dashboards, and assign saved questions to them. You can also select specific questions, dashboards, and categories as favorites, and create new saved questions.
  • Interact Home page. Use this page to see your favorite categories, dashboards, and saved questions. You can also create new saved questions.

For details about the user roles and permissions required to manage saved questions, see Content management permissions.

User-specific saved questions

When multiple users work with the same saved question, the following factors control which users can see the question, and which question settings and results the users can see:

  • User role permissions: To view and edit a saved question, a user must have the required role permissions for the content set to which the question is assigned (see User role requirements). Additionally, the following settings in the question configuration interact with role permissions to affect which users can see the question and which other settings they can see:
    • Visibility: Determines whether the question is visible only to the owner (question creator) and administrators, or to any user who has the required role permissions.
    • Default Preferences: Determine the default values that users see for the User Settings & Defaults in the question configuration.
  • User-specific configuration changes: When a user saves changes to the question configuration, the Tanium Server saves a copy of the question. Upon logging into the server, users see only the copy with their own changes.
  • Computer group management rights: The computer groups assigned to users and user groups determine the visibility of the saved question Reissue interval and recent question results.

For details, see the KB article Reference: User-specific saved questions.

Create a saved question

  1. Use the Interact Question Bar to ask a dynamic question.
  2. Click Save this question under the Question Bar to open the New Saved Question page.
  3. Complete the settings described in the following table.
  4. Settings Guidelines
    Name Specify a configuration name. The name appears in saved question lists that are incorporated into Tanium Console workflows. Observe the existing naming scheme so that you and other administrators can find it easily.
    Content Set Assign to a content set. The list is populated with all content sets for which you have Write Saved Question permission.
    Visibility
    • According to RBAC. Users must have the Read Saved Question permission for the content set to which the saved question belongs to see the saved question.
    • Only the Owner and Admins. Only the question owner (creator) and users with the Administrator reserved role can see the saved question.
    Reissue this question every If you want to periodically reissue the question, specify a number and unit for the reissue interval: Minutes, Hours, Days. The Tanium Server first issues the saved question immediately after you save the configuration. Tanium Clients that are online at that time respond with their answers. You can use the reissue option to account for machines that are not currently online but are routinely online within predictable cycles (and even unpredictable times). For example, employee laptops might be offline the moment you save the saved question configuration, but you think you are likely to find them online at least once if you were to check every eight hours.

    If you configure reissuing, the Tanium Server reissues the saved question in the background at the interval you specify. For example, if you save the saved question configuration at 9:00 a.m. local time and specify a reissue interval of every eight hours, the Tanium Server reissues the saved question at 5:00 p.m., 1:00 a.m., 9:00 a.m., and so on. The results are archived. This improves the data quality of recent responses displayed in the Question Results grid for machines that are not online when you use Interact to issue the question. You can use the Question History to verify that the saved questions are sent according to the reissue interval you configured.

    Notes:

    • If you specify a reissue interval of eight hours, the Tanium Server reissues the saved question exactly every eight hours, regardless of time changes due to daylight savings time.
    • Which users can see the reissue interval for a saved question depends on the computer groups assigned to those users. For details, see the KB article Reference: User-specific saved questions.

    Default preferences The User Settings & Defaults that users see for a saved question vary based on their role permissions and the Default Preferences setting. Default Preferences are useful when you want a question to initially have the same User Settings & Defaults for all users until the users edit those settings. Only users who have the Administrator or Content Administrator reserved role can see and set Default Preferences. For details, see the KB article Reference: User-specific saved questions.
    Make this question available for drilldown Enabling this option makes the question available for drill-down operations on question results. When you select results in the Question Results grid and click Drill Down, the Select Drilldown Question dialog box opens and displays the available questions in the Saved Questions tab. You can then select the question and click Drill Down to filter the results based on that question. For details, see Drill down.
    Non-Counting Question / Counting Question Specify whether to turn the question into a non-counting question. Non-counting questions have a larger data footprint because the Tanium Server maintains data per computer ID. However, this enables storing recent data for the endpoint. Furthermore, the Allow for merging option is available only for non-counting questions.

    The non-counting question option appears when the question is a counting question that has exactly one sensor in the select clause. You can configure the non-counting question option only in the New Saved Question form, not the Edit Saved Question form.

    You can configure the Enable collection and reporting of recent data option only in the New Saved Question form, not the Edit Saved Question form.

    Default Tab Specify a default tab: Question, Grid, or Pie. The Default Tab setting is saved as a user preference unless you set the Default Preferences to all users.
    Default Grid Chart Zoom Set the data period for the initial Question Results grid display: Current or Recent.

    Associated Actions Optional. Click Add Package and select the package that you want to be the default when a user clicks the Deploy Action button in the Question Results grid.
  5. Click Preview to preview the results you will get when you use the saved question.
  6. Click Create Saved Question.

The Tanium Server reissues your question and displays the results in the Saved Question Results grid. Depending on the settings you configured, the saved question might appear in the saved question lists that are used in various Tanium Console workflows.

When you save a question that has a parameterized sensor, the sensor definition, including the substituted values, is saved in an object called a temp sensor. On the endpoint, the Tanium™ Client runs the temp sensor when it computes answers to a saved question that calls it. A saved question that is reissued according to a schedule continues to use the temp sensor even if the sensor from which it was based is updated. Therefore, if a sensor is updated, and you want the saved question to use the updated code, you must re-create the saved question.

Edit a saved question

As a best practice, do not edit saved questions that are provided through Tanium content packs. For details, see Tip 4: Limit customizations to Tanium content. If editing Tanium-provided questions is necessary, review User-specific saved questions and consult your Technical Account Manager (TAM). Alternatively, you can create copies of Tanium-provided questions and edit the copies. You can also edit custom saved questions that you created from scratch. Perform the following steps to edit a saved question:

  1. Use one of the following methods to open the Edit Saved Question page:
    • Go to Content > Saved Questions, select the saved question, and click Edit.
    • Go to the Interact Content page, find the question in the Saved Questions panel, mouse over the question, click Edit , and select Edit Properties.
    • If the question is selected as a favorite, go to the Interact Home page, find the saved question in the favorites sections, mouse over the question, click Edit , and then select Edit Properties.
  2. Configure the settings described in Create a saved question and then save your changes.

If you create a saved question based on a parameterized sensor and then modify the sensor, the saved question behavior will still reflect the original sensor definition. Only after you modify the saved question will it behave as expected with the new sensor definition. For details on parameterized sensors, see Questions with parameterized sensors.

Filter saved questions

The number of saved questions tends to increase as your team uses the Tanium system more. To find specific questions in a long list, you can apply filters. The available filters vary by Tanium Console page. In the Content > Saved Questions page, you can filter by text strings (in the filter field above the grid) or by column values (question settings). In the Interact Content page, you can filter based on text strings, categories, dashboards, or favorites.

Filter by column (setting) value

The Content > Saved Questions grid displays a column for each question setting. Perform the following steps for each setting that you want to use to filter the grid:

  1. Click grid-nowrap in the desired column header to open the drop-down list.
  2. Select Filter and select an operator (such as Is equal to).
  3. Enter a filter value and click Filter.

Filter by categories and dashboards

In the Interact Content page, you can click panel cards so that only items belonging to the selected categories or dashboards appear. A card turns gray with a red left edge to indicate you selected it as a filter. You can apply multiple filters. Click Deselect in a panel header to clear all its filters.

Figure  1:  Interact Content page filters

Filter by text strings

In the Interact Content page, you can use text filters in the panels to find items that match a specified string. Click the x in the text search box to clear the filter.

Figure  2:  Text filters

Filter by favorites

A favorite is a category, dashboard, or saved question that you want to appear on the Interact Home page. You can also use favorites as an optional filter on the Interact Content page. The Tanium Server saves favorites as a user-specific setting; your favorites selections do not apply to other users.

Items that you selected as favorites before upgrading to Interact 2.0 or later remain favorites after upgrading. If you did not have favorites before an upgrade or before installing a new Tanium Server, all categories and dashboards for which you have read permission are set as favorites anyway.

To configure the display of favorite content, perform the following steps:

  1. Go to the Interact Content page.

    On the Interact Home page, clicking the Favorites icon for an item deselects it as a favorite and removes it from the page. However, the Home page does not provide the option to show items that are not favorites, so you cannot restore favorite status to items on that page.

  2. Beside the name of a category, dashboard, or saved question, toggle the Favorites icon to select or deselect that item as a favorite.

    To reduce clicks, click Favorite All or Unfavorite All in a panel header and then toggle on or off individual items in that panel.

  3. Toggle the Show only filter by clicking Favorites.

    The button changes to a dark background to indicate that the panels display only favorites. After you find and select your favorite Categories or Dashboards, you might want to toggle off the Favorites filter so that the Saved Questions panel displays both favorite and non-favorite questions.

Figure  3:  Favorites filter

Issue a saved question

After you save a question, you can manually issue it anytime by performing one of the following steps:

  • Go to the Interact Content page and, in the Saved Questions panel, click the question name.
  • If the question is selected as a favorite, go to the Interact Home page, scroll down to the Favorite Saved Questions, and click the question name. You can also find and click the question name after navigating to it in the Favorite Categories or Favorite Dashboards sections.
  • Go to the Content > Saved Questions page, select a question, and click Load.

The Tanium Console displays the results in the Saved Question Results page.

If you want the Tanium Server to automatically reissue a saved question, edit the question configuration and set the Reissue interval: see Edit a saved question.

If you want to simultaneously issue all the questions in a dashboard, see Issue a dashboard of saved questions.

For details on working with question results, see Managing question results.

Issue a dashboard of saved questions

In some cases, it is useful to issue several saved questions that are related based on the kind of information they retrieve from endpoints. In such cases, you can group the questions in a single dashboard and issue them simultaneously. For example, the predefined Hardware Inventory dashboard contains questions that retrieve CPU, disk, memory, and BIOS information.

To issue all the questions in a dashboard, perform one of the following steps:

  • Go to the Interact Content page and, in the Dashboards panel, click the dashboard name.
  • If you selected the dashboard as a favorite, go to the Interact Home page, scroll down to the Favorite Dashboards, and click the dashboard name. You can also find and click the dashboard name after navigating to it in the Favorite Categories section.

The Tanium Console displays the dashboard results page, which shows a results grid for each saved question.

Figure  4:  Dashboard results page

The dashboard results page has all the features that are available in the Saved Question Results page for each question, such as the Deploy Action button and Zoom options (see Managing question results). The dashboard results page also has the following features, which correspond to the numbers in Figure  4:

  1. Use the dashboards drop-down list to issue a different dashboard.
  2. Use the Filter All Questions Displayed drop-down list to filter to all the results grids by computer group.
  3. The page displays the dashboard name, favorite status ( for favorite, for non-favorite), and number of saved questions.
  4. Toggle all the results grids on the page between one or two columns.
  5. The page displays the question name and runtime indicator icon (see Managing question and sensor thresholds). The drop-down list provides options to show the question syntax, copy the question to the Question Bar, or copy the question to the Question Builder. You can click the question name to reissue the question. If you want to change the question settings, click Edit (see Edit a saved question).
  6. Expand (to full-page width) or contract (to half-page width) a particular results grid. The Tanium Server saves this setting for each dashboard on a per-user basis. For example, if you contract the Monitor Details grid in the Hardware Inventory dashboard, the Tanium Console displays that grid contracted the next time you issue that dashboard.
  7. Select one or more display options: grid (default), pie chart, bar chart, and question text.
  8. Apply additional filters for each results grid. If you set Filter All Questions Displayed to Filter by Computer Group and also select Filter by Computer Group in the filter for a particular results grid, the Tanium Console uses a Boolean AND to combine the filters.

For details on working with question results, see Managing question results.

Manage categories and dashboards

Tanium modules and content packs that you import provide predefined categories and dashboards as containers for organizing saved questions. You can also create custom categories and dashboards, and assign saved questions to them based on how you set up role-based access control (RBAC) for your Tanium deployment. You perform all the following tasks on the Interact Content page.

Create a category

  1. In the Categories panel heading, click Settings and select New Category.
  2. Specify a Name, Content Set, and Visibility option, and then click Save.

Create a dashboard

  1. In the Dashboards panel heading, click Settings and select New Dashboard.
  2. Specify a configuration Name, Computer Group Filter, Content Set, and Visibility option, and then click Save.

By default, new dashboards belong to the Other Dashboards category. Only users with the Administrator or Content Administrator role can see that category, and therefore only those users, and the dashboard creator, can see the new dashboard. If you want other users to see the new dashboard, a user with the required permissions must move it to another category.

Assign dashboards to a category

  1. In the Categories panel, mouse over the category, click Edit , and select Add/Remove Dashboards.
  2. In the Dashboards panel, select the dashboards to include in this category and click Apply.

Assign saved questions to a dashboard

  1. In the Dashboards panel, mouse over the category, click Edit , and select Add/Remove Saved Questions.
  2. In the Saved Questions panel, select the saved questions to include in this dashboard and click Apply.

Edit category or dashboard settings

  1. In the Categories or Dashboards panel, mouse over the category or dashboard, click Edit , and select Edit Category Information or Edit Dashboard Information.
  2. Edit the settings and save the configuration.

To edit saved questions settings, see Edit a saved question.

Delete a category or dashboard configuration

When you delete a category, the Tanium Server reassigns its dashboards to the Other Dashboards category. When you delete a dashboard, the Tanium Server does not assign its saved questions to any other dashboard.

  1. In the Categories or Dashboards panel, mouse over the category or dashboard and click Delete .
  2. Confirm that you want to delete the configuration.

You cannot delete a saved question configuration from the Interact Content page, only from the Content > Saved Questions page.

Export categories, dashboards, or questions

  1. Click Settings in the panel heading and select Export Categories, Export Dashboards, or Export Questions.
  2. Select items to export or Select all.
  3. Click Export.
  4. Specify a File Name and click OK.

The XML file is saved to the Downloads folder on the computer that you use to access the Tanium Console.

You can also export and import saved questions through the Content > Saved Questions page: see Import or export a saved question configuration.

Import or export a saved question configuration

As a best practice, develop and test content in your lab environment before distributing it to your production servers. The Tanium Console enables importing and exporting XML files to support this practice.

Users can export specific saved questions for which they have Write Saved Question permission. Users with the Administrator or Content Administrator reserved role can export and import the complete saved questions configuration.

Export specific saved questions

  1. Go to Content > Saved Questions.
  2. Select one or more saved questions and click Export in the toolbar above the table header.
  3. Enter a File Name or accept the default, and then click OK. The Tanium Server exports the XML file to the Downloads folder on the system you use to access the Tanium Console.

Export the complete saved questions configuration

  1. Go to Content > Saved Questions and click Export All in the table header.

    Alternatively, or if you want to export other configuration objects in addition to saved questions, go to any Content or Permissions page, click Export to XML in the top right of the Tanium Console, select Saved Questions and any other object types, and click Export.

  2. Enter a File Name or accept the default, and then click OK. The Tanium Server exports the XML file to the Downloads folder on the system you use to access the Tanium Console.

Import a saved questions configuration

  1. Use KeyUtility.exe to sign the XML configuration file before you import it. As a one-time action, you must also copy the associated public key to the correct folder. For the procedures, see Signing content XML files.
  2. Go to any Content or Permissions page and click Import from XML at the top right of the page.
  3. Click Choose File, find and select the configuration file, and click Open.
  4. Click Import. If object names in the file are the same as for existing objects, the Tanium Console itemizes the conflicts and provides resolution options for each one.
  5. Select resolutions for any conflicts. For guidance, see Conflicts and Best practices, or consult your TAM.
  6. Click Import again, and click Close when the import finishes.

Last updated: 7/30/2019 3:03 PM | Feedback