Reference: Advanced question syntax
Use reserved words or characters
The Tanium™ parser uses certain words and characters to interpret the question text that you enter as valid query syntax. For example, the parser uses the bracket characters [ and ] to enclose the values of parameterized sensors and uses variations of the word match to support regular expressions. You must enclose these reserved words and characters in quotation marks when you use them as string literals in questions. For example, to see all endpoints that have computer names containing the letter combination in, issue the question Get Computer Name from all machines with Computer Name contains "in".
The following characters require quotation marks when you use them as string literals in questions:
-
"
Use double quotation marks as an escape-character sequence for each instance of quotation marks in a text string. For example, to see which endpoints have a computer name that contains the string "test", issue the question:
Get Computer Name from all machines with Computer Name contains """test"""
-
.
-
,
-
:
-
?
-
$
-
White spaces
For example, to see which endpoints have a computer name that has a blank space before and after the string DBserver, issue the question:
Get Computer Name from all machines with Computer Name contains " DBserver "
The following words require quotation marks when you use them as string literals in questions:
-
all
-
and
-
any
-
contain
-
containing
-
contains
-
does match
-
does not match
-
ending
-
ends
-
equals
-
get
-
having
-
in
-
matches
-
matching
-
not
-
or
-
with
-
starting
-
starts
Sensors with names that use reserved words also require quotation marks when you use them as string literals in questions. See Special characters and reserved words.
Use regular expressions
The question parser supports regular expression matching (Boost syntax).
The following example matches computer names that begin with the letter q in the tanium.com domain.

The Detect Primary Alerts sensor uses a regular expression to collect results that match any digit 0-9. Because Detect alerts have numeric IDs, this expression excludes empty results.

You can also use a combination of negation and regular expressions to build filter expressions. For example, the built-in computer group No Computers uses a question with the not matches expression and a regular expression (.*) to match empty results. The author knows that Computer Name always returns a string, so it is a clever way to turn off a scheduled action. The Default action group includes only No Computers. To prevent

Use computer group filters
You can issue questions that specify a computer group in the from clause. Use quotes around the name of the computer group. The computer group can be a management group or filter group (for details about these types, see Managing computer groups.)
For computer groups with filter-defined membership, the question parser converts the specified computer group name into the question that determines membership.

Use sensor column filters
Multi-column sensors are designed to collect multiple pieces of related information in a single answer.

Using the regular expression starts with, ends with, or contains to filter results for a multi-column sensor, such as Installed Applications, can be tricky because the result string for a multi-column sensor is actually a single string with column delimiters. If you are not careful, you might match a string in an unexpected column or unknowingly match a string in a hidden column that you were not even aware of. You can specify which column to match results from multi-column sensors. The syntax is get sensor having sensor:column contains value. The column name is case sensitive. Note that single-column filtering works only if the sensor definition specifies column delimiters with a single character (such as |), not multiple characters (such as |:). To match results from all the columns, the syntax is get sensor contains value.
The following example uses a sensor column filter in the get clause.

The following example uses a sensor column filter in both the get clause and the from clause.

Use $substring() filters
You can use $substring() filters to match result string patterns. The $substring() function takes the following arguments: sensor name, starting position (where 0 is the first position), number of characters.
The following example matches results from the Installed Applications sensor where the first two characters match the string Go.

The $substring() filter is not supported with multicolumn sensors.
Use the in operator
You can use the in operator to specify a collection of matching sensor results. The operator takes a comma-separated list of arguments that is parsed into a Boolean OR.
The following example uses the in operator to match a sensor filter in the from clause with results containing Virtual or Physical.

The following example uses the in operator to match a sensor column filter in the from clause. The question syntax:
Get Computer Name and Installed Applications having Installed Applications:Name contains Adobe Reader from all machines with Installed Applications:Name contains Adobe Reader and Installed Applications:Version in(9.5.0,11.0.06)

Use nested filters
In the from clause of a question, you can configure multiple filters, including nested filters.
The following example shows nested filters in the Question Builder. The example combines one matching expression with either one of the nested expressions.

You can also specify nested filters in the Explore Data field.

The following example shows different Boolean logic: match both of these OR this one.

Target random endpoints
Use the Online Random Sample sensor to identify a random subset of online endpoints from all targeted endpoints. You might want to target random endpoints when you test a new package or configuration on a random subset of endpoints, or to check a random set of endpoints to ensure they have proper configurations prior to an audit. The Online Random Sample sensor is included in the Default Content pack.
The Online Random Sample sensor retrieves True and False results from all targeted endpoints. The sensor accepts a Sample % parameter from 0-100 to determine the rough percentage of endpoints that answer with True. For example, if you pass 25 as a parameter and target from all machines, approximately 25% of endpoints in the environment will return a True response. Because each endpoint evaluates the sensor and generates a random True or False answer according to the percentage that you specify, the number of endpoints that return True can vary. The default value for Sample % is 5.

Specify advanced sensor settings
Tanium Client answers must conform with any advanced sensor settings that you specify in a question message. You can configure advanced sensor settings in the Question Builder (see the following figure) or in the Explore Data field.

The following table describes the advanced sensor settings.
Settings | Guidelines | ||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Case Sensitivity | Group strings:
|
||||||||||||||||||||
Matching | This option is available only in the from computers with section.
For some sensors, a Tanium Client might compute multiple results. When the sensor is used as a filter in the from clause, specify whether any or all of the results must match the filter:
For example, in response to the IP Address sensor, it is possible for a Tanium Client to return both an IPv4 address and an IPv6 address. A question based on the IP Address sensor containing 192.168 for example could possibly match the IPv4 address but not the IPv6 address. In this case, you probably want the match Match Any Value option. |
||||||||||||||||||||
Treat Data As | Interact treats sensor values as the type of data that you specify:
|
||||||||||||||||||||
Maximum Data Age |
Maximum amount of time that the Tanium Client can use a cached result to answer a question. For example, the maximum data age for the File Size sensor is 15 minutes by default. When a Tanium Client is asked a question that executes the File Size sensor, it caches the result. Over the next 15 minutes, if the Tanium Client is asked a question that includes the File Size sensor, it responds with the cached answer. After 15 minutes, if the Tanium Client is asked a question that includes the File Size sensor, it executes the sensor script again to compute a fresh answer.
Use shorter ages for sensors that return values subject to change frequently, such as status and utilization sensors. Use longer ages for values that typically change infrequently, such as the chassis type or Active Directory Domain membership. |
The following example specifies the Treat Data as <type> option. The syntax is sensor?type=value.

Only use the Treat Data as type option with comparison operators, such as Free Memory greater than 300, as shown in the example.
The following example specifies the Max Age option. The syntax is sensor?maxAge=value. When specifying maxAge in the Explore Data field, specify a number of seconds.

The following example specifies the Ignore Case option. The syntax is sensor?ignoreCase=value. 0 means match case and 1 means ignore case.

The following example specifies the Matches all option. A machine might have multiple interfaces and multiple IP addresses for those interfaces. In this example, the Matches all option is used to filter results for only computers with all IP addresses matching the specified string. You can specify this option only in the from clause. The syntax is with all sensor contains value.

The following example shows how to specify multiple advanced sensor options.

Specify advanced question settings
Enable the Force Computer ID setting to convert a single-sensor, counting question into a non-counting question by forcing Tanium Clients to include the computer ID in their answers. Note that the Question Results page does not include the computer ID results when you select this option. Converting to a non-counting question is a workaround that resolves cases where a counting question returns the too many results answer. For details, see Enable or disable live updates. You can enable the setting in the Explore Data field by using the Get?forceComputerIdFlag=1 statement. You can also enable the setting in the Question Builder, under Advanced Question Options.
Last updated: 5/17/2022 2:10 PM | Feedback