Other versions

Managing saved questions

You create a saved question from the Interact Question bar. A saved question configuration includes question syntax and settings.

User role requirements

You must be assigned a role with the Write Saved Question permission to create, modify, or delete saved question configurations. The Read Sensor content set permissions determine the available sensors.

In addition to the Write Saved Question permission, you must have the Write Action and Write Package permissions to add associated actions to a new saved question configuration. In addition to these three permissions, you must also have owner permissions for the question if you later want to modify or delete the associated actions.

Users assigned the Administrator or Content Administrator reserved roles have these permissions.

Edit a saved question

  1. Go to Content > Saved Questions.
  2. Use the search and column sorting features to find the saved question you want to edit.
  3. Click in the saved question row to select it.
  4. Click Edit and complete the configuration as described in the following table.
  5. Settings Guidelines
    Name Specify a configuration name. The name appears in saved question lists that are incorporated into Tanium Console workflows. Observe the existing naming scheme so that you and other administrators can find it easily.
    Content Set Assign to a content set. The list is populated with all content sets for which you have Write Saved Question permission.
    • According to RBAC. Users must have the Read Saved Question permission for the content set to which the saved question belongs to see the saved question.
    • Only the Owner and Admins. Only the object owner and users with the Administrator reserved role can see the saved question.
    Reissue this question every The saved question is first issued immediately upon saving the configuration. Clients that are online at that time respond with their answers.

    You can use the "reissue" option to account for machines that are not currently online but are routinely online within predictable cycles (and even unpredictable times). For example, employee laptops might be offline the moment you save the saved question configuration, but you think you are likely to find them online at least once if you were to check every 8 hours.

    When reissue is selected, the saved question is reissued in the background at the interval you specify. For example, if you save the saved question configuration at 9:00 a.m. local time and specify a reissue interval of every 8 hours, the Tanium Server reissues the saved question at 5:00 p.m., 1:00 a.m., 9:00 a.m., and so on. The results are archived. This improves the data quality of "recent" responses displayed in the results grid for machines that are not online when you use Interact to issue the question.

    You can use the Question History to verify that the saved questions are sent according to the reissue interval you have configured.

    Specify a number and unit for the reissue interval: Minutes, Hours, Days.

    Note: If you specify a reissue interval of 8 hours, the system reissues the saved question exactly every 8 hours, regardless of time changes due to daylight savings time.

    Default preferences This option is displayed for users with the Administrator or Content Administrator roles only. The purpose is to enable an advanced user to curate the configuration for other users. Defaults are commonly understood as good choices. When this option is selected, the administrator's choices populate the initial defaults shown for subsequent users.

    The subsequent users are free to modify the settings. When a non-admin user modifies the settings, their choices are preserved and will persist even when another administrator subsequently changes the default preferences.

    Note: When an Administrator or Content Administrator makes changes, it does change the settings for all other Administrator or Content Administrator users. This design forces administrators to be on the same page regarding the best default settings.

    Make this question available for drilldown Include in the Select Drilldown Question dialog box Saved Questions tab.
    Non-Counting Question / Counting Question Specify whether to turn the question into a non-counting question.

    Non-counting questions have a larger data footprint because the Tanium Server maintains data per computer ID. However, this makes it possible to store recent data for the endpoint, and it enables the question to be available for merging.

    The non-counting question option is displayed when the question is a counting question that has exactly one sensor in the select clause. The non-counting question option can be configured only in the New Saved Question form, not the Edit Saved Question form.

    The Allow for merging option is available if the question is converted to a non-counting question.

    The Enable collection and reporting of recent data option can be configured only in the New Saved Question form, not the Edit Saved Question form.

    Default Tab Specify a default tab: Question, Grid, Pie.

    The Default Tab setting is saved as a user preference unless the Use these as the default for all users setting is selected.

    Default Grid Chart Zoom Specify a data period for the initial results grid display: Current or Recent.

    Associated Actions Optional. Click Add Package and select a package you want to be the default when a user clicks the Deploy Action button from the results grid.
  6. Save your changes.

If you create a saved question based on a parameterized sensor, and then modify the sensor, the saved question behaves as originally designed until the saved question is modified. Then it behaves as expected with the new sensor definition.

Import/export a saved question configuration

We recommend that you develop and test content in your lab environment before distributing it to your production servers. The console import/export XML feature supports this practice.

Role requirements

Users can export specific saved questions for which they have Write Saved Question permission. Users with the Administrator or Content Administrator reserved role can export and import the complete saved questions configuration.

Export specific saved questions

  1. Go to Content > Saved Questions.
  2. Select one or more saved questions and click the Export icon.
  3. Enter a file name or use the default and click OK.

Export the complete saved questions configuration

  1. From any Content page, click the Export to XML link in the top right.
  2. In the Export Content selection box, select the Saved Questions item and click Export.
  3. Enter a file name or use the default and click OK.

    The XML file is downloaded to your local computer.

Import a saved questions configuration

  1. Use KeyUtility.exe to sign XML configuration files before you import them, and copy the associated public key to the correct folder. For the procedure, see Signing content XML files.
  2. From any Content page, click the Import from XML link in the top right.
  3. Browse to the configuration file and click Import.

    The Tanium Console itemizes any naming conflicts and provides resolution options each one. For guidance on how to handle conflicts, see Conflicts and Best practices or consult with your TAM.

Last updated: 11/28/2018 10:20 AM | Feedback