Reference: Advanced question syntax

The advanced question syntax described in this article applies to Tanium Server 7.2 and later.

Use regular expressions

The question parser supports regular expression matching (Boost syntax).

The following example matches computer names that begin with the letter t in the tam.local domain.

Figure 1: Matching a regular expression

The Detect Primary Alerts saved question uses a regular expression to collect results that match any digit 0-9. Because Detect alerts have numeric IDs, this expression would exclude empty results.

Figure 2: Regular expression to exclude empty results

You can also use a combination of negation and regular expressions to build filter expressions. For example, the built-in computer group No Computers uses a question with the not matches expression and a regular expression (.*) to match empty results. The author knows that Computer Name always returns a string, so it is a clever way to turn off a scheduled action. The default action group includes only No Computers so that no computers are targeted until an administrator knowingly changes the configuration.

Figure 3: Regular expression to not match anything

Use computer group filters

In 7.2 and later, you can form questions that specify computer group filters in the from clause.

For dynamic computer groups, the question parser converts the specified computer group name into the question that determines membership. In the following example, the computer group named Windows is parsed into its definition: is Windows contains true.

Figure 4: Dynamic computer group in from clause

For manual computer groups, the question parser lists possible manual group object IDs. In the following example, the computer group named Infrastructure is parsed into its manual group object ID: Manual Group Membership equals 95.

Figure 5: Manual computer group in from clause

Use sensor column filters

Multicolumn sensors are designed to collect multiple pieces of related information in a single answer.

Figure 6: Results from a multicolumn sensor

Using the starts with, ends with, contains, or regular expression operators to filter results for a multicolumn sensor, such as Installed Applications, can be tricky because the result string for a multicolumn sensor is actually a single string with column delimiters. If you are not careful, you might match a string in an unexpected column, or unknowingly match a string in a hidden column that you were not even aware of. In Tanium Core Platform 7.2 and later, you can specify which column to match results from multicolumn sensors. The syntax is get sensor having sensor:column contains value. The column name is case sensitive. Note that single-column filtering works only if the sensor definition specifies a single-character column delimiter (such as |), not a multi-character delimiter (such as |:). To match results from all the columns, the syntax is get sensor contains value.

The following example uses a sensor column filter in the get clause.

Figure 7: Sensor column filter in the get clause

The following example uses a sensor column filter in both the get clause and the from clause.

Figure 8: Sensor column filter in the get clause and the from clause

Use $substring() filters

You can use $substring() filters to match result string patterns. The $substring() function takes the following arguments: sensor name, starting position (where 0 is the first position), number of characters.

The following example matches results from the Computer Name sensor where the first two characters match the string ts.

Figure 9: $substring() filter

The following example matches results from the MAC Address column of the Network Adapters sensor where the fourth and fifth characters match the string e8.

Figure 10: $substring() filter on specified sensor column

Use the in operator

You can use the in operator to specify a collection of matching sensor results. The operator takes a comma-separated list of arguments that is parsed into a Boolean OR.

The following example uses the in operator to match a sensor filter in the from clause with results containing Virtual or Physical.

Figure 11: in operator in the from clause

The following example uses the in operator to match a sensor column filter in the from clause.

Figure 12: in operator with a sensor column filter

Use nested filters

In the from clause of a question, you can configure multiple filters, including nested filters.

The following example shows nested filters in the Question Builder. The example combines one matching expression with either one of the nested expressions.

Figure 13: Nested filters in the Question Builder

You can also specify nested filters in the Ask a Question field.

Figure 14: Nested filters in the Ask a Question field

The following example shows different Boolean logic: match both of these OR this one.

Figure 15: Nested filters in the Ask a Question field
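The figures above are screenshots, so the matching behaviour they illustrate is easy to misread. The following Python model is an added example, not Tanium code and not taken from this article: it evaluates from-clause filters (regular expression matches and not matches, sensor:column filters on a |-delimited multicolumn result, $substring() slices, the in operator, and nested and/or/not filters) against three constructed endpoints. The endpoint answers, the column layouts of the Installed Applications and Network Adapters sensors, and the treatment of matches as a regex search are assumptions made for the example.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

COLUMN_DELIM = "|"  # single-character delimiter; multi-character delimiters cannot be column-filtered

# Column layout of the multicolumn sensors used below (assumed for this example).
SENSOR_COLUMNS = {
    "Installed Applications": ["Name", "Version", "Uninstall String"],
    "Network Adapters": ["Name", "MAC Address", "Status"],
}

# Constructed sample answers (not real Tanium output). A sensor answer is a list of
# result rows; a multicolumn row is one string with the delimiter between columns.
ENDPOINTS: Dict[str, Dict[str, List[str]]] = {
    "ts-web01": {
        "Computer Name": ["ts-web01.tam.local"],
        "Chassis Type": ["Virtual"],
        "Installed Applications": ["nginx|1.18.0|apt-get remove nginx", "curl|7.68.0|apt-get remove curl"],
        "Network Adapters": ["eth0|00:e8:56:1a:2b:3c|Up"],
    },
    "db-core07": {
        "Computer Name": ["db-core07.tam.local"],
        "Chassis Type": ["Physical"],
        "Installed Applications": ["postgresql|12.4|/opt/pg-1.18.0/uninstall.sh"],  # "1.18" only in column 3
        "Network Adapters": ["eno1|3c:fd:fe:12:34:56|Up"],
    },
    "tx-lab02": {
        "Computer Name": ["tx-lab02.tam.local"],
        "Chassis Type": ["Other"],
        "Installed Applications": [],  # sensor returned no rows at all
        "Network Adapters": ["eth0|00:0c:29:e8:aa:bb|Down"],
    },
}


def _compare(cmp: str, text: str, value: str) -> bool:
    """One comparison operator from the question syntax (matches modelled as a regex search)."""
    if cmp == "contains":
        return value in text
    if cmp == "starts with":
        return text.startswith(value)
    if cmp == "ends with":
        return text.endswith(value)
    if cmp == "equals":
        return text == value
    if cmp == "matches":
        return re.search(value, text) is not None
    raise ValueError(f"unknown operator {cmp!r}")


def _project(sensor: str, row: str, column: Optional[str], substring: Optional[Tuple[int, int]]) -> str:
    """Text a leaf filter compares against: the whole row, one named column (sensor:column),
    and/or a $substring(sensor, start, length) slice. Column names are case sensitive."""
    text = row
    if column is not None:
        text = row.split(COLUMN_DELIM)[SENSOR_COLUMNS[sensor].index(column)]
    if substring is not None:
        start, length = substring
        text = text[start:start + length]
    return text


def evaluate(flt: Dict[str, Any], answers: Dict[str, List[str]]) -> bool:
    """Evaluate a possibly nested from-clause filter against one endpoint's answers."""
    op = flt.get("op")
    if op == "and":
        return all(evaluate(f, answers) for f in flt["args"])
    if op == "or":
        return any(evaluate(f, answers) for f in flt["args"])
    if op == "not":
        return not evaluate(flt["arg"], answers)
    rows = answers.get(flt["sensor"], [])
    values = flt["value"] if isinstance(flt["value"], list) else [flt["value"]]  # in operator = Boolean OR
    # Default "match any value": one matching row is enough; no rows means no match,
    # which is why negating a filter also selects endpoints that returned nothing.
    return any(_compare(flt["cmp"], _project(flt["sensor"], row, flt.get("column"), flt.get("substring")), v)
               for row in rows for v in values)


def select(flt: Dict[str, Any], endpoints: Dict[str, Dict[str, List[str]]] = ENDPOINTS) -> List[str]:
    return sorted(name for name, answers in endpoints.items() if evaluate(flt, answers))


FILTERS = {
    "t_names": {"sensor": "Computer Name", "cmp": "matches", "value": r"^t.*\.tam\.local$"},  # Figure 1
    "no_computers": {"op": "not", "arg": {"sensor": "Computer Name", "cmp": "matches", "value": ".*"}},  # Figure 3
    "not_nginx": {"op": "not", "arg": {"sensor": "Installed Applications", "cmp": "contains", "value": "nginx"}},
    "version_anywhere": {"sensor": "Installed Applications", "cmp": "contains", "value": "1.18"},  # whole row
    "version_column": {"sensor": "Installed Applications", "column": "Version", "cmp": "contains", "value": "1.18"},
    "substring_ts": {"sensor": "Computer Name", "cmp": "equals", "value": "ts", "substring": (0, 2)},  # Figure 9
    "mac_e8": {"sensor": "Network Adapters", "column": "MAC Address", "cmp": "equals", "value": "e8",
               "substring": (3, 2)},  # Figure 10: fourth and fifth characters
    "virtual_or_physical": {"sensor": "Chassis Type", "cmp": "contains", "value": ["Virtual", "Physical"]},  # Figure 11
    "nested": {"op": "or", "args": [  # Figure 15: match both of these OR this one
        {"op": "and", "args": [{"sensor": "Chassis Type", "cmp": "contains", "value": "Virtual"},
                               {"sensor": "Network Adapters", "column": "Status", "cmp": "contains", "value": "Up"}]},
        {"sensor": "Computer Name", "cmp": "starts with", "value": "db"}]},
}

if __name__ == "__main__":
    for name, flt in FILTERS.items():
        print(f"{name:20} -> {select(flt)}")
```

Two results are worth noting. version_anywhere selects db-core07 because "1.18" occurs in its uninstall string even though its Version column is 12.4, which is the hidden-column problem the column filter solves. not_nginx selects tx-lab02, whose Installed Applications sensor returned no rows: a negated filter matches an endpoint with an empty answer, which is exactly why the No Computers group relies on Computer Name always returning a string.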

Specify advanced sensor settings

Tanium Client answers must conform with any advanced sensor settings that are specified in a question message. In releases before Tanium Server 7.2, you could configure advanced sensor settings only with the Question Builder.

Figure 16: Question Builder: Advanced sensor settings

In Version 7.2 and later, you can specify advanced sensor settings in the Ask a Question field.

Table 1: Advanced Sensor Options

Setting: Case Sensitivity
Guidelines: Group strings:
  • Ignore case: Group and count result values regardless of differences in upper-case and lower-case characters.
  • Match case: Group and count result values with strict attention to lettercase.

Setting: Matching
Guidelines: This option is valid in the from computers with clause.

For some sensors, a Tanium Client might compute multiple results. When the sensor is used as a filter in the from clause, specify whether any or all of the results must match the filter:

  • Match Any Value: At least one value in the answer must match the value specified in the question.
  • Match All Values: All values in the answer must match the value specified in the question.

For example, in response to the IP Address sensor, a Tanium Client might return both an IPv4 address and an IPv6 address. A question based on the IP Address sensor with the filter contains 192.168 could match the IPv4 address but not the IPv6 address. In this case, you probably want to match "any".

Setting: Treat Data As
Guidelines: Sensor values are treated as the type of data you specify:
  • Date/Time (BES)
  • Date/Time (WMI)
  • File Size
  • Integer
  • IP Address
  • Numeric
  • Text
  • Time Duration
  • Version

Setting: Maximum Data Age
Guidelines: Maximum amount of time that the Tanium Client can use a cached result to answer a question. For example, the maximum data age for the File Size sensor is 15 minutes by default. When a Tanium Client is asked a question that executes the File Size sensor, it caches the result. Over the next 15 minutes, if the Tanium Client is asked a question that includes the File Size sensor, it responds with the cached answer. After 15 minutes, if the Tanium Client is asked a question that includes the File Size sensor, it executes the sensor script again to compute a fresh answer.

Use shorter ages for sensors that return values that change frequently, such as status and utilization sensors. Use longer ages for values that typically change infrequently, such as the chassis type or Active Directory Domain membership.
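The Case Sensitivity, Matching, and Maximum Data Age settings change what a client answers rather than how the question is parsed, so their effect is easiest to see on sample data. The following Python model is an added example, not Tanium code and not from this article: it groups a counting question's answers with and without ignoreCase, evaluates a contains filter under match-any versus match-all over the multi-row IP Address answers the table describes, and replays a sequence of questions against a simulated client cache to show when maxAge (in seconds, as the Ask a Question syntax requires) makes the client re-run a sensor. The endpoint answers, the simulated clock, and the rule that a result exactly maxAge seconds old is re-computed are assumptions of the example.

```python
import time
from collections import Counter
from typing import Callable, Dict, List, Tuple

# Constructed answers (not real Tanium output). The IP Address sensor returns one
# row per address, so one client can answer with both an IPv4 and an IPv6 row.
IP_ANSWERS: Dict[str, List[str]] = {
    "ts-web01": ["192.168.10.5", "fe80::1c2a:9bff:fe4e:1"],
    "db-core07": ["192.168.20.7"],
    "tx-lab02": ["10.0.0.9", "fe80::5a:2"],
}
OS_ANSWERS: Dict[str, str] = {  # single-valued sensor whose answers differ only in case
    "ts-web01": "Windows Server 2019",
    "db-core07": "windows server 2019",
    "tx-lab02": "Ubuntu 20.04",
}


def rows_match(rows: List[str], value: str, match_all: bool = False) -> bool:
    """Matching option: 'from ... with <sensor> contains value' needs any one row to match;
    'from ... with all <sensor> contains value' needs every row to match."""
    hits = [value in row for row in rows]
    return all(hits) if match_all else any(hits)


def select(answers: Dict[str, List[str]], value: str, match_all: bool = False) -> List[str]:
    return sorted(name for name, rows in answers.items() if rows_match(rows, value, match_all))


def group_results(answers: Dict[str, str], ignore_case: bool) -> Dict[str, int]:
    """Case Sensitivity option of a counting question: ignoreCase=1 folds case before
    grouping (groups are keyed lower-cased here), ignoreCase=0 keeps the groups apart."""
    fold = (lambda s: s.lower()) if ignore_case else (lambda s: s)
    return dict(Counter(fold(v) for v in answers.values()))


class ClientSensorCache:
    """Maximum Data Age: the client reuses a cached result while its age is below the
    maxAge carried by the question; otherwise it runs the sensor script again."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._cache: Dict[str, Tuple[float, List[str]]] = {}
        self.executions: Counter = Counter()  # how often each sensor script actually ran

    def answer(self, sensor: str, max_age: float,
               run_sensor: Callable[[], List[str]]) -> Tuple[List[str], bool]:
        now = self._clock()
        cached = self._cache.get(sensor)
        if cached is not None and now - cached[0] < max_age:
            return cached[1], True  # served from cache
        self.executions[sensor] += 1
        rows = run_sensor()
        self._cache[sensor] = (now, rows)
        return rows, False


def max_age_timeline() -> Tuple[List[Tuple[int, int, bool]], int]:
    """Replay File Size questions against one simulated client: the default 900-second
    maxAge, then a question that lowers maxAge to 60 seconds. Returns
    ((time, maxAge, served_from_cache) per question, number of sensor executions)."""
    now = [0]  # simulated clock, seconds since the first question
    cache = ClientSensorCache(clock=lambda: float(now[0]))
    timeline = []
    for t, max_age in [(0, 900), (600, 900), (700, 60), (1500, 900)]:
        now[0] = t
        _, from_cache = cache.answer("File Size", max_age, lambda: ["4096"])
        timeline.append((t, max_age, from_cache))
    return timeline, cache.executions["File Size"]


if __name__ == "__main__":
    print("match any :", select(IP_ANSWERS, "192.168"))
    print("match all :", select(IP_ANSWERS, "192.168", match_all=True))
    print("ignoreCase:", group_results(OS_ANSWERS, True), group_results(OS_ANSWERS, False))
    print("maxAge    :", max_age_timeline())
```

In the replay the question at 700 seconds carries maxAge=60, so the client discards the 700-second-old cached answer and runs the sensor again, and that fresh result then satisfies the 900-second question at 1500 seconds. A question's maxAge therefore decides whether the answer is current as well as how much sensor load it causes.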

The following example specifies the Treat Data as <type> option. The syntax is sensor?type=value.

Figure 17: Advanced sensor settings - Treat Data as type

Only use the Treat Data as type option with comparison operators, such as Free Memory greater than 300, as shown in the example.

The following example specifies the Max Age option. The syntax is sensor?maxAge=value. When specifying maxAge in the Ask a Question field, specify a number of seconds.

Figure 18: Advanced sensor settings - maxAge

The following example specifies the Ignore Case option. The syntax is sensor?ignoreCase=value. 0 means match case and 1 means ignore case.

Figure 19: Advanced sensor settings - ignoreCase

The following example specifies the Matches all option. A machine might have multiple interfaces and multiple IP addresses for those interfaces. In this example, the Matches all option is used to filter results for only computers with all IP addresses matching the specified string. You can specify this option only in the from clause. The syntax is with all sensor contains value.

Figure 20: Advanced sensor settings - matching all

The following example shows how to specify multiple advanced sensor options.

Figure 21: Advanced sensor settings - multiple settings

Specify advanced question settings

In Tanium Server 7.3.314.3639 and later, you can enable a Force Computer ID setting to convert a counting question into a non-counting question by forcing Tanium Clients to include the computer ID in their answers. Converting to a non-counting question is a workaround that resolves cases where a counting question returns the too many results answer. For details, see the KB article Troubleshooting Errors / Informational Messages (too many results message). You can enable the setting in the Ask a Question field by using the get?forceComputerIdFlag=1 statement. You can also enable the setting in the Question Builder, under Advanced Question Options. The following figure shows the results for a question converted to a non-counting question.

Figure 22: Question converted to non-counting question

The following figure shows the results for the same question issued as a counting question.

Figure 23: Counting question

Last updated: 11/12/2019 3:19 PM