Managing saved questions

Saved questions overview

Saved questions are questions that you can reissue without reconstructing them in the Interact Explore Data field. They are configuration objects for which you can define reissue intervals, access permissions, associated packages, and other settings. You can issue saved questions manually or based on a schedule. You can also issue saved questions through Tanium modules or through custom applications that use the Tanium XML API. For example, you can use Tanium™ Connect to periodically issue a saved question and send the results to an external server. You create saved questions by issuing a dynamic question through the Explore Data field and saving it. Tanium modules and content packs that you import also provide predefined saved questions. The Interact module organizes saved questions under dashboards and organizes dashboards under categories. Each category, dashboard, and saved question is assigned to one content set.

Dashboard

A dashboard is a group of saved questions that are related with respect to the information that they retrieve from endpoints. For example, the predefined Hardware Inventory dashboard contains questions that retrieve CPU, disk, memory, and BIOS information. You can issue all the questions in a dashboard simultaneously.

Category

A category is a group of dashboards. It serves as an umbrella term for questions that you use for a particular purpose. For example, the Security category includes multiple dashboards that contain security-related questions.

Content set

A content set is a group of saved questions, dashboards, categories, and other content to which you apply user role permissions to control access. Tanium provides several predefined content sets through the Default Content pack and through Tanium modules. You can also create custom content sets. For details and related tasks, see Managing content sets.

Use the following Tanium Console pages to view, issue, and edit saved questions, and to move the questions between content sets. You can also perform actions that are specific to each page:

  • Content > Saved Questions page: Use this page to see the configuration settings of saved questions, and to copy, export, or delete questions.
  • Interact Overview page. Use this page to define categories and dashboards, and assign saved questions to them. You can also select specific questions, dashboards, and categories as favorites, and create new saved questions.

For details about the user roles and permissions required to manage saved questions, see Content management permissions.

User-specific saved questions

When multiple users work with the same saved question, the following factors control which users can see the question, and which question settings and results the users can see:

  • User role permissions: To view and edit a saved question, a user must have the required role permissions for the content set to which the question is assigned (see Manage saved questions). Additionally, the Visibility setting in the question determines whether the question is visible only to the owner (question creator) or to any user who has the required role permissions.
  • User-specific configuration changes: When a user saves changes to the question configuration, Tanium as a Service (TaaS) the Tanium Server saves a copy of the question. When users sign in to TaaSthe server, the users see only the copy with their own changes.
  • Computer group management rights: The computer groups assigned to users, user groups, and personas determine the visibility of the saved question Reissue interval and recent question results.

For details, see the KB article Reference: User-specific saved questions.

View saved question details

  1. From the Main menu, go to Administration > Content > Saved Questions.

    The Saved Questions grid displays many of the attributes that are described under Create a saved question.

  2. (Optional) To display attributes that the grid hides by default, click Customize Columns Customize columns and select the attributes.
  3. (Optional) Use the filters to find specific saved questions:
    • Filter by text: To filter the grid by question Name or Question Text, enter a text string in the Filter items field.
    • Filter by attribute: Filter the grid by one or more attributes, such as the Content Set assignment. Expand the ExpandFilters section, click Add Add, select an attribute and operator, enter a text string that contains all or part of the attribute value, and click Apply. If you add multiple attribute filters, the Boolean AND operator applies. After you finish specifying attributes, click Apply All to filter the grid.
  4. To see all the attributes for a particular question, click the question Name. Table 1 describes the attributes.

Create a saved question

  1. Use the Interact Explore Data field or Question Builder to ask a dynamic question.

    The Question Results page shows the results.

  2. Click Save above the question field and configure the following settings:
  3.  Table 1: Saved question settings
    Settings Guidelines
    Name Enter a name to identify the saved question in lists that appear in Tanium Console workflows.
    Content Set Assign the question to a content set. The list is populated with all content sets for which you have Saved Question write permission.
    Tags To add tags for filtering lists of saved questions in the Tanium Console, click Add tags, enter a Name to identify the tag, and enter the tag Value. Add Add a Name-Value pair for each additional tag.

    In the Sensors page, the Tags column is hidden by default. To show the column, click Customize Columns Customize Columns and select Tags.

    Visibility
    • According to RBAC. Users must have the Saved Question read permission for the content set to which the saved question belongs to see the saved question.
    • Only the Owner and Admins can see this object. Only the question owner and users with the Administrator reserved role can see the saved question. By default, the user who creates the question is the owner.

      If the user account of the initial owner is deleted, ownership of the question might transfer to another user: see Delete, undelete, or lock out a user.

    Reissue If you want to periodically reissue the question, select Reissue this question every and specify a number and unit for the reissue interval: Minutes, Hours, Days. TaaSThe Tanium Server first issues the saved question immediately after you save the configuration. Tanium Clients that are online at that time respond with their answers. You can use the reissue option to account for clients that are currently offline but will be online later. For example, employee laptops that are offline at the moment you save the saved question configuration might be online at least once during an eight-hour reissue interval.

    If you configure reissuing, TaaSthe Tanium Server reissues the saved question in the background at the specified interval. For example, if you save the saved question configuration at 9:00 a.m. local time and specify a reissue interval of every eight hours, the TaaSthe server reissues the saved question at 5:00 p.m., 1:00 a.m., 9:00 a.m., and so on. By default, TaaSthe server caches responses for seven days, and displays the cached responses in the Question Results grid for endpoints that are offline when the server issues the question. You can use the Question History to verify that TaaSthe server issues the saved questions based on the specified reissue interval.

    If you specify an eight-hour reissue interval, TaaSthe Tanium Server reissues the question exactly every eight hours, regardless of time changes due to daylight savings time.

    Which users can see the reissue interval for a saved question depends on the computer groups assigned to those users. For details, see the KB article Reference: User-specific saved questions.

    Show this question in the list of questions that are available for drilling down Enable this option to include the question in the list that users see when selecting a question for a drill-down operation on question results. For details, see Drill down into results.
    Show this question in the list of questions that are available to merge Enable this option to include the question in the list that users see when selecting a question for a merge operation on question results. Only non-counting questions provide this option. For details, see Merge questions.
    You cannot change this setting after you save a new saved question configuration.

    Enabling this option automatically enables the Yes, turn into non-counting question option.

    Do not turn into non-counting question

     

    Yes, turn into non-counting question

    The option to convert the question to a non-counting question is available only if the question has one sensor in the get clause. Converting to a non-counting question enables TaaSthe Tanium Server to store the answers as recent data, which TaaSthe server uses when live data is unavailable, such as when the answering endpoints are offline. For details, see Display current or recent question results.
    You cannot change this setting after you save a new saved question configuration.

    Non-counting questions consume more disk storage because the Tanium Server maintains the answer strings for each endpoint (based on computer ID).

    Save these settings for myself and other users with no prior settings saved

     

    Save these settings for my view only

    Select whether the User Settings values that you configured are visible to other users who might view the saved question configuration. This visibility option is useful when you want a question to initially have the same User Settings values for everyone until individual users specify their own values.
    • Save these settings for myself and other users with no prior settings saved: The User Settings that you configured appear to all users who view the question configuration. If a user subsequently edits the settings, only that user will thereafter see the values that the user configured instead of the values that you initially configured.
    • Save these settings for my view only: When users other than yourself view the question configuration, the User Settings have no values until individual users specify values.
    Associated Packages Optionally, select the packages that you want to appear at the top of the Deployment Package drop-down list in the Action Deployment page when users deploy an action based on the question. By default, the Deployment Package selection is set to the first package that you add to the Associated Packages. As an example, for a question that returns the logging level of Tanium Clients on Windows endpoints, you might want to add Set Windows Tanium Client Logging Level as an Associated Package. For details, see Deploying actions and Example: Saved questions with associated packages.
  4. Expand the Preview section to preview the results of the saved question, and then click Save.

The question appears in the Administration > Content > Saved Questions page.

When you save a question that has a parameterized sensor, the sensor definition, including the substituted values, is saved in an object called a temporary sensor. On the endpoint, the Tanium™ Client runs the temporary sensor when it computes answers to a saved question that calls it. A saved question that is reissued according to a schedule continues to use the temporary sensor even if the sensor from which it was based is updated. Therefore, if a sensor is updated, and you want the saved question to use the updated code, you must re-create the saved question.

Edit a saved question

As a best practice, do not edit saved questions that are provided through Tanium-provided content packs. For details, see Tip 4: Limit customizations to Tanium content.Contact Tanium Support and review User-specific saved questions if editing Tanium-provided questions is necessary. Alternatively, you can create copies of Tanium-provided questions and edit the copies. You can also edit custom saved questions that you created from scratch.

To change the content set assignment for multiple saved questions that must belong to the same set, see Move saved questions between content sets.

  1. Use one of the following methods to open the Edit Saved Question page:
    • From the Main menu, go to Administration > Content > Saved Questions and click the question Name.
    • In the Interact Overview page, find the question in the Saved Questions panel, mouse over the question, click Options , and select Edit Properties.
  2. Configure the settings described in Create a saved question and click Save.

If you create a saved question based on a parameterized sensor and then modify the sensor, the saved question behavior will still reflect the original sensor definition. You must modify the saved question before it will behave as expected with the new sensor definition. See Questions with parameterized sensors.

Move saved questions between content sets

You can move saved questions between content sets as necessary to accommodate changes to the role-based access control (RBAC) configuration of your Tanium deployment. For example, you might want to move certain saved questions to a content set that only highly privileged users can access.

  1. From the Main menu, go to Administration > Content > Saved Questions.
  2. Select the saved question and click Move to Content Set.
  3. Select a content set and click Confirm.

Filter saved questions

The number of saved questions tends to increase as your team uses the Tanium system more. To find specific questions in a long list, you can apply filters. The available filters vary by Tanium Console page. In the Content > Saved Questions page, you can filter by text strings (in the filter field above the grid) or by column values (question settings). In the Interact Content page, you can filter based on text strings, categories, dashboards, or favorites.

Filter by column (setting) value

The Administration > Content > Saved Questions grid displays a column for each question setting. Perform the following steps for each setting that you want to use to filter the grid:

  1. Click grid-nowrap in the desired column header to open the drop-down list.
  2. Select Filter and select an operator (such as Is equal to).
  3. Enter a filter value and click Filter.

Filter by categories and dashboards

In the Interact Overview page, you can select check boxes in the panels so that only items belonging to the selected categories or dashboards appear. You can apply multiple filters. Click Deselect in a panel header to deselect all its filters.

Figure  1:  Interact content filters

Filter by text strings

In the Interact Overview page, use text filters in the panels to find items that match a specified string. Click the x in the text search box to deselect the filter.

Figure  2:  Text filters

Filter by favorites

A favorite is a category, dashboard, or saved question that you want to appear on the Interact Overview page. You can also use favorites as an optional filter on the Interact Overview page. TaaSThe Tanium Server saves favorites as a user-specific setting; your favorites selections do not apply to other users.

Items that you select as favorites before upgrading to Interact 2.0 or later remain favorites after upgrading. If you did not have favorites before an upgrade or before you install a new Tanium Server, all categories and dashboards for which you have read permission are set as favorites anyway.

To configure the display of favorite content, perform the following steps:

  1. From the Main menu, go to Modules > Interact.

    On the Tanium Home page, click the Favorites icon for an item to deselect it as a favorite and remove it from the page. However, the Tanium Home page does not provide the option to show items that are not favorites, so you cannot restore favorite status to items on that page.

  2. Click the Favorites icon next to the name of a category, dashboard, or saved question to select or deselect that item as a favorite.

    To reduce clicks, click Favorite All or Unfavorite All in a panel header and then toggle on or off individual items in that panel.

  3. To view only favorite categories, dashboards, and saved questions, click Favorites in the upper right of the Content section.

    The button changes to a dark background to indicate that the panels display only favorites. Click Favorites again to toggle off the filter.

    After you find and select your favorite Categories or Dashboards, you might want to toggle off the Favorites filter so that the Saved Questions panel displays both favorite and non-favorite questions.

Issue a saved question

After you save a question, you can manually issue it anytime by performing one of the following steps:

  • From the Interact menu, click Content and click the question name in the Saved Questions panel.
  • If the question is selected as a favorite, go to the Interact Home page, scroll down to the Favorite Saved Questions, and click the question name. You can also find and click the question name after navigating to it in the Favorite Categories or Favorite Dashboards sections.
  • From the Main menu, go to Administration > Content > Saved Questions, select a question, and click Load.

The Tanium Console displays the results in the saved question results page. This page provides the option to see recent results from offline endpoints if those results still reside on the Tanium Server after the last time the question was issued. The server stores the results of saved questions for seven days by default. For details, see Display results for online and offline endpoints.

If you want the Tanium Server to automatically reissue a saved question, edit the question configuration and set the Reissue interval: see Edit a saved question.

If you want to simultaneously issue all the questions in a dashboard, see Issue a dashboard of saved questions.

Issue a dashboard of saved questions

In some cases, it is useful to issue several saved questions that are related based on the kind of information they retrieve from endpoints. In such cases, you can group the questions in a single dashboard and issue them simultaneously. For example, the predefined Hardware Inventory dashboard contains questions that retrieve chassis type, operating system, monitor, CPU, disk, memory, and BIOS information.

To issue all the questions in a dashboard:

  1. From the Main menu, go to Modules > Interact.
  2. In the Dashboards panel, click the dashboard name.

    The dashboard results page appears, which shows a results grid for each saved question in the dashboard.

Figure  3:  Dashboard results page

For each question, the dashboard results page provides all the features that are available in the saved question results page, such as viewing Current, Recent, or Cached results (see Managing question results). The dashboard results page also has the following features (matching the numbers in Figure  3):

1 Use the dashboards drop-down list to issue a different dashboard.

2 Use the Filter All Questions Displayed drop-down to filter all the results grids by computer group.

3 The page shows the dashboard name, favorite status ( for favorite, for non-favorite), and number of saved questions in the dashboard. Click the favorite icon / to toggle the favorite status of the dashboard.

4 For each results grid, the page shows the question name and favorite status. Click the favorite icon / to toggle the favorite status of the question. Click the question name to reissue the question. Click Edit to change the question settings (see Edit a saved question).

5 Filter by computer group or text.
6 Apply additional filters to a specific results grid.

Dashboard results filters

Manage categories and dashboards

Tanium solutions and content packs that you import provide predefined categories and dashboards as containers for organizing saved questions. You can also create custom categories and dashboards, and assign saved questions to them based on how you set up role-based access control (RBAC) for your Tanium deployment. You perform all the following tasks on the Interact Overview page.

Create a category

  1. In the Categories panel heading, click Options and select New Category.
  2. Specify a Name, Content Set, Icon, and Visibility option, and click Save.

Create a dashboard

  1. In the Dashboards panel heading, click Options and select New Dashboard.
  2. Specify a Name, Filter Group, Content Set, and Visibility option, and click Save.

Assign dashboards to a category

  1. In the Categories panel, mouse over the category, click Options , and select Add/Remove Dashboards.
  2. In the Dashboards panel, select the dashboards to include in this category and click Apply.

Assign saved questions to a dashboard

  1. In the Dashboards panel, mouse over the category, click Options , and select Add/Remove Saved Questions.
  2. In the Saved Questions panel, select the saved questions to include in this dashboard and click Apply.

Edit category or dashboard settings

  1. In the Categories or Dashboards panel, mouse over the category or dashboard, click Options , and select Edit Category Information or Edit Dashboard Information.
  2. Edit the settings and save the configuration.

To edit saved questions settings, see Edit a saved question.

Delete a category or dashboard configuration

When you delete a category, TaaSthe Tanium Server does not assign its dashboards to any other category. When you delete a dashboard, TaaSthe server does not assign its saved questions to any other dashboard.

  1. In the Categories or Dashboards panel, mouse over the category or dashboard and click Delete .
  2. Confirm that you want to delete the configuration.

You cannot delete a saved question configuration from the Interact Overview page, only from the Administration > Content > Saved Questions page.

Export or import categories, dashboards, or questions

The following procedures describe how to export and import the configurations of categories, dashboards, or saved questions.

Develop and test content in your lab environment before importing that content into your production environment.

Export categories, dashboards, or questions

If you want to export multiple content types in a single operation, see Manage Tanium shared services and content.

  1. Click Options Options in the panel header and select the export option.
  2. Select items to export or Select all.
  3. Click Export, optionally modify the File Name, and click Export again.

The JSON file is saved to the downloads folder on the computer that you use to access the Tanium Console.

Import categories, dashboards, or questions

You can import content files that are in JSON or XML format.

  1. (Non-Tanium-provided content only) Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.

    You do not have to generate keys or signatures for Tanium-provided solutions, such as the Default Computer Groups content pack. Tanium signs this content before making it available, and the associated public key is distributed to the Tanium Server key store during the server installation process.

  2. From the Main menu, go to any of the following Administration pages:
    • Configuration > Solutions
    • Permissions > Filter Groups
    • Under Content, select Sensors, Packages, or Saved Questions
    • Under Actions, select Scheduled Actions, All Pending Approvals, or Actions I Can Approve
  3. Select an Import option based on the source of the content:
    • Import > Import Files: Perform one of the following steps to select one or more files:
      • Drag and drop files from your file explorer.
      • Click Browse for File, select the files, and click Open.
    • Import > Import URL: Enter the URL in the Import URL field, and click Import.
  4. For each file, expand Expand the File name, review the content to import, and select resolutions for any conflicts with existing content (see Resolve conflicts when importing updates).
  5. If you want to overwrite existing content set assignments for all imported objects with the default Tanium-defined assignments, select Include content set overwrite. By default, the Include content set overwrite check box is deselected and the Tanium Server preserves the existing content set assignments.
  6. Click Begin Install.

You can also export and import saved questions through the Administration > Content > Saved Questions page: see Export or import saved questions.

Export or import saved questions

The following procedures describe how to export and import the configurations of specific saved questions or all saved questions.

Develop and test content in your lab environment before importing that content into your production environment.

Export saved questions

Export saved questions as a CSV file to view their settings in an application that supports that format. If your user account has a role with the Export Content permission, you can also export saved questions as a JSON file to import them into another Tanium Server. The Administrator reserved role has that permission.

  1. From the Main menu, go to Administration > Content > Saved Questions.
  2. Select rows in the grid to export only specific saved questions. If you want to export all saved questions, skip this step.
  3. Click Export Export.
  4. (Optional) Edit the default export File Name.

    The file suffix (.csv or .json) changes automatically based on the Format selection.

  5. Select an Export Data option: All saved questions in the grid or just the Selected saved questions.
  6. Select the file Format: JSON or CSV.
  7. Click Export.

    TaaSThe Tanium Server exports the file to the downloads folder on the system that you used to access the Tanium Console.

Import saved questions

Users require Import Signed Content and Read Saved Question permissions to import saved questions. Users with the Administrator or Content Administrator reserved role can import all saved questions.

You can import content files that are in JSON or XML format.

  1. (Non-Tanium-provided content only) Digitally sign the content file and ensure a public key is in place to validate the signature. See Authenticating content files.

    You do not have to generate keys or signatures for Tanium-provided solutions, such as the Default Computer Groups content pack. Tanium signs this content before making it available, and the associated public key is distributed to the Tanium Server key store during the server installation process.

  2. From the Main menu, go to any of the following Administration pages:
    • Configuration > Solutions
    • Permissions > Filter Groups
    • Under Content, select Sensors, Packages, or Saved Questions
    • Under Actions, select Scheduled Actions, All Pending Approvals, or Actions I Can Approve
  3. Select an Import option based on the source of the content:
    • Import > Import Files: Perform one of the following steps to select one or more files:
      • Drag and drop files from your file explorer.
      • Click Browse for File, select the files, and click Open.
    • Import > Import URL: Enter the URL in the Import URL field, and click Import.
  4. For each file, expand Expand the File name, review the content to import, and select resolutions for any conflicts with existing content (see Resolve conflicts when importing updates).
  5. If you want to overwrite existing content set assignments for all imported objects with the default Tanium-defined assignments, select Include content set overwrite. By default, the Include content set overwrite check box is deselected and the Tanium Server preserves the existing content set assignments.
  6. Click Begin Install.

Copy saved question configuration details

Copy information from the Saved Questions page to your clipboard to paste the information into a message, text file, or spreadsheet. Each row in the grid is a comma-separated value string.

  1. From the Main menu, go to Administration > Content > Saved Questions.
  2. Perform one of the following steps:
    • Copy row information: Select one or more rows and click Copy Copy.
    • Copy cell information: Hover over the cell, click Options Options, and click Copy Copy.