Tanium Interact User Guide
Tanium Interact™ User Guide
Version 1.0.0
August 24, 2017
The information in this document is subject to change without notice. Further, the information provided in this document is provided "as is" and is believed to be accurate, but is presented without any warranty of any kind, express or implied, except as provided in Tanium's customer sales terms and conditions. Unless so otherwise provided, Tanium assumes no liability whatsoever, and in no event shall Tanium or its suppliers be liable for any indirect, special, consequential, or incidental damages, including without limitation, lost profits or loss or damage to data arising out of the use or inability to use this document, even if Tanium Inc. has been advised of the possibility of such damages.
Any IP addresses used in this document are not intended to be actual addresses. Any examples, command display output, network topology diagrams, and other figures included in this document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Please visit https://docs.tanium.com for the most current Tanium product documentation.
Tanium is a trademark of Tanium, Inc. in the U.S. and other countries. Third-party trademarks mentioned are the property of their respective owners.
© 2017 Tanium Inc. All rights reserved.
Table of contents
Questions with multiple sensors
Questions with parameterized sensors
Enabling/disabling live updates
Sort results and select columns to view
Issue and manage saved questions
Issue saved questions from a dashboard
Reorder the saved questions in a dashboard
Export the dashboards configuration
Issue saved questions from a category
Export the categories configuration
How can I get a list of running services or be able to single out a specific endpoint?
How can I get a list of running processes or be able to single out a specific endpoint?
How can I display Registry keys and values?
How can I get a list of open ports?
How can I get user authentication information?
How can I see the current logged on user?
How can I see when users last logged in?
How can I get the Service Account Logons?
How can I get certificate information?
How can I detect all running Oracle instances within our Linux environment?
How can I get asset information?
Security > Wireless Network Security
Security > Workstation USB Write Protection
Overview
This guide describes how to use Tanium Interact™ (Interact). Interact is the user interface for asking questions and reviewing results.
Interact is installed automatically during the Tanium Server installation. Although it is licensed as part of the core platform, Interact is a Tanium solution module, so it can be updated separately from the Tanium Console and the Tanium Server.
You use Interact to:
- Ask dynamic questions. A question is a message sent to Tanium Clients requesting real-time data from their sensors. Aggregate counts are reported in the results grid.
- Examine results and take action. From the results grid, you can drill down to target specific computers and use the deploy action workflow to schedule actions to be executed on the Tanium Client host computer.
- Use the saved questions collection and create new ones. A saved question is a configuration object that contains question syntax and question settings. In the Tanium Console, when you click a saved question, the question is issued to Tanium Clients. Saving the question syntax as a configuration object enables it to be reissued later. The configuration object can also be used throughout the platform, both by Tanium solution modules and by user-developed applications that use the SOAP API. For example, you can use Tanium Connect™ to configure a saved question to be run on a schedule with results sent to an external server.
- Review and manage dashboards. A dashboard is an organized group of saved questions. You can manage the set of saved questions contained in the group and apply computer group filters to the group.
- Review and manage categories. A category is an organized group of dashboards. You can manage the set of dashboards contained in the group and apply user group permissions to view the category object.
An essential set of saved questions, dashboards, and categories is created when the Initial Content packs are imported during the Tanium Server installation. Additional saved questions, dashboards, and categories are created when you import additional Tanium content packs and Tanium solution modules.
When you get started with Interact, review the Initial Content so that you are aware of the configuration objects that are already available to you. Reviewing the Initial Content can also help you become familiar with the kinds of questions that can be asked, as well as ways of grouping them that can facilitate reporting and administration tasks. Once you understand how these configuration objects can be used, you will be better prepared to create your own when necessary.
Getting started
1. Learn about questions and ask a dynamic question. See
2. Learn about results and use results grid features to understand results and pivot from them to action. See Using the results grid on page 21.
3. Review saved questions and issue them. See Working with saved questions on page .
4. Review dashboards and issue a saved question from the dashboards page. See Working with dashboards on page 49.
5. Review categories and issue a saved question from the categories page. See Working with categories on page 55.
Asking questions
In Tanium, asking questions is a fundamental interaction with endpoints.
What is a question?
Tanium questions help you get key pieces of information from managed enterprise endpoints.
The Ask a Question feature is built on a natural language parser that enables you to get started with natural questions rather than a specialized query language. You do not need to enter questions as complete sentences or particularly well formed inquiries. Word forms are not case sensitive and can even include misspellings. The parser interprets your input and suggests a number of valid queries that you can use to formalize the question that is sent to Tanium Clients.
The following figure shows an example of how natural language input is parsed into proposed queries. First, the user enters the fragment dns server and clicks Search. In response, Interact returns a list of queries cast in valid syntax.
Figure 1: Natural language parser
Basic questions include:
- one or more sensor names in the get clause.
- all machines (in other words, all Tanium Client host computers) in the from clause.
Advanced questions include filter clauses and parameterized sensors.
What is a sensor?
In essence, a sensor is a script that is executed on an endpoint to compute a response to a Tanium question. Sensors are distributed to clients during registration. Sensors enable you to ask questions about:
- Hardware/software inventory and configuration
- Running applications and processes
- Files and directories
- Network connections
The Initial Content that is imported during the Tanium Server installation includes sensors to support a wide range of common questions. Additional sensors may be added when you import additional Tanium content packs and Tanium solution modules. If you cannot find a sensor you need within Tanium-provided content, you can create user-defined sensors.
For more information, see Sensors.
Questions with multiple sensors
Use the AND operator in the get clause to specify multiple sensors. Results are grouped by the first sensor, then by the next sensor, and so on. The following example shows a question that uses multiple sensors.
Figure 2: Question with multiple sensors
Questions with parameterized sensors
A parameterized sensor accepts a value specified at the time the question is asked. The following example shows the File Exists sensor. The parser prompts you to specify a file path and file name.
Figure 3: File Exists parameterized sensor
Another example is the High CPU Processes sensor. You can specify a parameter that is the number of CPU processes to return from each machine. Let's say you want to get the top 5 highest CPU utilizing processes. The question has the following syntax:
Get High CPU Process[5] from all machines
For sensors with multiple parameters, you can pass an ordered list separated by a comma.
For example, if you want to get the results of Tanium Action Log number 1 and get 10 lines of results, specify a parameter list as shown in the following example:
Get Tanium Action Log[1,10] from all machines
Note: If you create a saved question based on a parameterized sensor, and then modify the sensor, the saved question will behave as originally designed until the saved question is modified. Then it will behave as expected with the new sensor definition.
Questions with filters
You can use filters to craft questions that target fewer computers than "all machines". You often want to work with a set of computers that have a specific process name or value.
This is an example of an advanced question. The left side is a complete and valid query; the right side contains a filter—the "with" expression. The filter expression on the right side must evaluate to a Boolean true or false. For example, the expression with Running Processes containing "trillian.exe" evaluates to true if the specified string matches the result string, or false if it does not.
A parameterized sensor like File Exists[] returns "File Exists: Filename" or "File does not exist", so you must be careful how you cast it in a filter expression.
Figure 4: Example: Question with parameterized sensor
The filter expression with File Exists[c:\a.txt] containing "Exists" evaluates to true when the result is "File Exists: c:\a.txt" and false when the result is "File does not exist", so it can be used to filter the set of responses.
Figure 5: Example: Filter with parameterized sensor
The filter is the first part of a question that gets processed by the endpoint. If the endpoint data does not match the filter, then the endpoint does not process the question any further. If there are multiple filters, each filter is processed and evaluated. If the evaluation is true, then the sensors on the left side of the question are also executed and returned.
Filter expressions can match strings or regular expressions. The following table describes the operators supported in filter clauses.
- contains (or containing): Sensor value contains the specified string. Example: running processes contains "trillian.exe"
- does not contain: Sensor value does not contain the specified string.
- starts with: Sensor value starts with the specified string. Example: starts with "tril"
- does not start with: Sensor value does not start with the specified string.
- ends with: Sensor value ends with the specified string. Example: ends with "lian.exe"
- does not end with: Sensor value does not end with the specified string.
- matches: Sensor value matches the specified regular expression (in Boost syntax).
- does not match: Sensor value does not match the specified regular expression.
- is equal to: Sensor value is equal to the specified value or string. You can also use an equals sign (=) or the word is.
- is not equal to: Sensor value is not equal to the specified value or string. You can also use a negated equals sign (!=).
- is less than: Sensor value is less than the specified value. Example: application version[chrome.exe] < 12
- is less than or equal to: Sensor value is less than or equal to the specified value. Example: application version[chrome.exe] <= 12
- is greater than: Sensor value is greater than the specified value. Example: application version[chrome.exe] > 12
- is greater than or equal to: Sensor value is greater than or equal to the specified value. Example: application version[chrome.exe] >= 12
Using the Question Builder
The Question Builder is another way to create a question. It has form fields to help you complete the get clause, the from clause, and optional filters.
You can launch the Question Builder in either of the following ways:
- In the Ask a Question box, click Question Builder in the top right corner.
- After you have asked a question and want to refine it, click Copy to Question Builder.
The following figure shows the Question Builder.
Figure 6: Question Builder
The first text box is for sensor names. Start typing and then use the typeaheads to select sensors.
Figure 7: Typeaheads
Alternatively, you can use the Browse Sensors dialog box to select sensors. When you use the dialog box, you can review sensor descriptions.
Figure 8: Browse sensors
The following guidelines apply to the Advanced Sensor Options.

Case Sensitivity
- Ignore case: Group and count result values regardless of differences in upper-case and lower-case characters.
- Match case: Group and count result values with strict attention to letter case.

Matching
- Match Any Value: Any value in the answer must match the value specified in the question.
- Match All Values: All values in the answer must match the value specified in the question.
For some sensors, a Tanium Client might compute multiple results. For example, in response to the IP Address sensor, it is possible for a Tanium Client to return both an IPv4 address and an IPv6 address. A question based on the IP Address sensor containing 192.168, for example, could possibly match the IPv4 address but not the IPv6 address. In this case, you probably want to match "any".

Treat Data As
Sensor values are treated as the type of data you specify: Date/Time (BES), Date/Time (WMI), File Size, Integer, IP Address, Numeric, Text, Time Duration, or Version.

Maximum Data Age
Maximum time the Tanium Client may use a cached result to answer a question. For example, by default, the maximum data age for the File Size sensor is 15 minutes. When a Tanium Client is asked a question that executes the File Size sensor, it caches the result. Over the next 15 minutes, if the Tanium Client is asked a question that includes the File Size sensor, it responds with the cached answer. After 15 minutes, if the Tanium Client is asked a question that includes the File Size sensor, it executes the sensor script again to compute a fresh answer.
Use shorter ages for sensors that return values subject to frequent change, such as status and utilization sensors. Use longer ages for values that typically change infrequently, such as the chassis type or Active Directory Domain membership.
Question expiration
When a dynamic or saved question is issued, the question is assigned a question ID. In your web browser, you will notice the question ID in the URL.
Figure 9: Question ID
The question ID "expires" after 10 minutes, and its corresponding URL becomes invalid.
This means that for up to 10 minutes, you can refresh the page or share the link. After 10 minutes, if you navigate to the link, Interact displays a message indicating the question has expired, and it gives you the option to copy the question text to the Question Bar so you can reissue it.
Figure 10: Question Expired message
Question History
Go to Administration > Question History to review a chronology of questions that have been issued. By default, an entry for a question is maintained in the chronology for 7 days.
You can change the default limit with the global setting SOAPQuestionHistoryLimitInDays.
You can use the Question History to review question syntax and the question expiration timestamps. You can also copy the question to the Question Bar or Question Builder.
Using the results grid
In the results grid, an answer row is an aggregation of the computers that responded with the data shown. The Count column shows the number of Tanium Clients with that answer.
Figure 11: Results grid
The grid displays the first 100 answer rows. You can change the number of rows in user preferences. Go to the logged in user link in the upper right corner, and select Preferences to display the configuration page.
Enabling/disabling live updates
As results come in, Live Updates in the results grid toolbar shows the percentage of Tanium Clients that have reported results.
Click the pause button to pause updates to the grid.
Click the play button to resume updates to the grid.
Even when 100% of Tanium Clients have reported, you might see answer rows that seem to indicate incomplete results.
[no results]
Indicates that the Tanium Client was instructed to answer but does not have a value that matches the sensor filter. This can be expected when a filter is applied to the get clause and not the from clause. For example, if the question is formed with the syntax Get IP Address ending with 2 from all machines, all machines would report answers, and all machines that did not have an IP address ending in 2 would report no results. It is better to put the filter in the from clause. For example, Get IP Address from all machines where IP Address ends in 2 would not return unexpected "no results" rows. You might also see [no results] if the sensor does not return a value, or the sensor was unable to execute the script.
[Current Result Unavailable]
If it takes the client longer than usual to evaluate a sensor, it might pass "current result unavailable" to its peer. The sensor process continues on the client, and when it is complete, the client sends its updated answer. The results grid is then updated.
[Results Currently Unavailable]
Indicates an answer cannot be parsed correctly by the Tanium Server. If this occurs, contact your technical account manager (TAM).
Managing rows and columns
Filter results
Use the filter controls to display only rows that match the specified criteria.
Filter by Text
Filters the results grid without reissuing the question. Select the Contains or Does not contain operator, specify a search string, and click the search icon.
Filter by Computer Group
Issues a new question with the added filter. Select from the wildcard groups All Computers, No Computers, configured computer groups, and the special Ad Hoc Filter. The Ad Hoc filter is a one-time only filter; the Ad Hoc filter configuration is not saved.
The following example shows filtered results when both a computer group and text filter are applied. Note the computer group filter affects the question shown in the Question bar; the text filter does not.
Figure 12: Filtered results
To create an ad hoc filter:
1. Select Create Ad Hoc Filter from the Filter by Computer Group drop-down list.
Interact displays the Group Builder dialog box.
2. Use one of the tabs to create a filter and then click Apply.
The Filter Bar tab includes a natural language parsing search box that helps you build a valid filter expression.
The Filter Builder tab includes fields that enable you to add a filter, apply it, and issue the resulting question. The question is always Get computer name and IP address from all machines with the filter added to the from clause.
The Manual List tab includes fields that enable you to specify a list of computers by hostname or IP address.
Sort results and select columns to view
In column headers, click the menu icon to display the menu for sorting rows and showing/hiding columns.
Figure 13: Grid row/column controls
Click the Clear Sort button to clear sorting criteria.
Viewing charts
The results grid is the default view. You can use the View button bar in the upper right corner to toggle to a pie chart or bar chart.
Mouse over a pie slice or bar to display the result string and count. If the result count is less than 3% of the total, it is included in the Other group.
Figure 14: Pie chart
Figure 15: Bar chart
Exporting and copying results
Use the Copy Table icon to copy the results to the clipboard in text format. This action copies the complete results, not just the results displayed on the results grid.
Use the Export Table icon to export the results to a .csv file. This action exports the complete results, not just the results displayed on the results grid.
Select one or more rows and use the More selector to copy or export only the selected rows.
Merging questions
Results often lead to additional questions. For example, let's say you originally ask for a list of computer names and running processes, and you see results that indicate a suspicious process is running on a few machines. You can merge the question with another to learn more—for example, the last logged-in user. The result of the merge is a results grid with one or more additional columns that have data for the added sensor.
To merge questions:
1. Click Merge in the upper right corner of the results grid toolbar.
Interact displays the Select Merge Questions dialog box.
2. Use one of the tabs to add one or more questions and then click the red Merge button.
The Saved Questions tab includes a list of saved questions for which you have Read Saved Question permission.
The Create a Question tab includes fields that enable you to start a new question.
The Build a Question tab includes fields that enable you to select sensors for the merge question.
Notice that you add additional sensors to the "get" clause but you do not add filters to the "from" clause. The from clause is built from the rows that were selected on the results grid when you clicked Merge.
Using drill down
From the results grid, you can drill down from selected results to retrieve additional information from the selected endpoints. By adding a drill-down question, you are essentially adding sensor filters. You often will want to do this when you are targeting a narrow group of computers for an action. For example, let's say you originally ask for a list of chassis types and operating systems. You can drill down from these results to the list of computer names for the matching records.
To drill down:
1. Select one or more rows in the results grid. When you select rows, the red Drill Down, Deploy Action, and More buttons are displayed.
2. Click Drill Down.
Interact displays the Select Drilldown Question dialog box.
The Saved Questions tab includes a list of saved questions for which you have Read Saved Question permission.
The Create a Question tab includes fields that enable you to start a new question.
The Build a Question tab includes fields that enable you to select sensors for a drilldown question.
3. Select or configure a question you want to use and then click the red Drill Down button.
Interact displays the progression of results, including a new results grid for the drilldown question. From here, you can drill down further, deploy an action, save the question, or copy it to the Question Bar or Question Builder for further refinement.
Using deploy action
You use filtering, merging, and drill-down techniques to find the set of computers that are due for administrative action. Then, in the results grid, you can select the targeted computers and launch the Deploy Action workflow page.
IMPORTANT: Do not deploy an action unless you completely understand the scope of the action, you understand the impact on an individual target and the impact on the environment given the number of targets, and you have been authorized by your organization to perform the action. Some organizations require review and approval by a second administrator. For information about enabling and using the action approval feature, see Action Approval .
Deploy an action
1. In the results grid, select the rows of interest and click Deploy Action.
Interact displays the Deploy Action workflow page.
2. Use the Deployment Package search box typeaheads to select packages.
Alternatively, you can use the Browse Packages dialog box to review package descriptions and then select them.
3. Complete the Action Details section.
Settings and guidelines:
- Name: Specify a configuration name. The name appears in the record for the action on the Scheduled Actions, Action History, and Action Approval pages.
- Description: Optional. A description helps other administrators understand the purpose of the configuration object.
- Tags: Optional. Tags are name-value pairs. Use the controls to add tags.
4. Complete the Schedule Deployment section.
Settings and guidelines:
- Start at / End at: Optional. You can specify a start time when it is important that the action be deployed to targeted clients during a maintenance window. The time refers to the Tanium Server system clock. The system clock is the Coordinated Universal Time (UTC) for the Tanium Server host system, not the Tanium Client host systems. For example, if you specify the action to run at 1:00 am, it is deployed when the Tanium Server system clock time is 1:00 am.
  Note the following behavior:
  - If a start time is not specified, the action is issued immediately upon completion of the deploy action workflow.
  - If a start time is not specified, and action approval is enabled, the action will be issued immediately after it is approved, provided other action conditions do not preclude it from being issued.
  - If a start time is specified, and action approval is enabled, the action will be issued at the next start time following the approval. For example, if you set the action to be deployed at 1:00 am and to be reissued every day, and it is approved at 2:00 am, the action will be deployed the next day at 1:00 am.
  We recommend you specify an end date/time if the scheduled action is configured to be reissued, unless you are sure it is the type of action that should be reissued indefinitely. If you are not sure, configuring the schedule to end in six months is better than having it run indefinitely.
- Distribute over: Tanium Server distributes packages to Tanium Clients in batches. This option randomizes the distribution over the specified duration to avoid spikes in network or other resource utilization. For example, if an action depends on a sensor that queries Active Directory, an action that is not distributed over time can cause a flood of traffic to the Active Directory server. Similarly, an action that targets clients in a virtual machine farm could exhaust the shared CPU or memory resources if all clients were to run a resource-intensive program at the same time. The "distribute over time" option attenuates the impact a massive orchestration might have on the networked environment or virtualized environment. Specify a number and unit: Minutes, Hours, Days.
- Reissue every: Use this option to put the scheduled action on a repeat schedule. This option is appropriate:
  - when action approval is enabled and you are not certain it will be approved before the action expires.
  - when you want to be sure software or configuration updates are made not only to the clients currently online but also to those currently offline that will be predictably online within a window defined by the interval you specify.
  - when the action is a continual hygiene practice. For example, you want to check periodically that a client service is running or a client configuration has a particular value.
  Specify a number and unit: Minutes, Hours, Days.
  Note: The Reissue every interval must be greater than the action expiration period. The action expiration period is the larger result of the following calculations:
  - the package Command Timeout + Download Timeout values
  - the package Command Timeout + the scheduled action Distribute over value
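The expiration-period rule in the Note above and the approval timing rules under Start at / End at, as an added example (helper functions written for this page, not Tanium code; the dates are constructed, and returning None for a one-off action whose start time has already passed at approval is an assumption the page does not cover):

```python
"""Scheduled-action timing helpers (added example, not Tanium code).

Two rules from the Schedule Deployment guidelines:
 * the action expiration period is the larger of
   Command Timeout + Download Timeout and Command Timeout + Distribute over,
   and the Reissue every interval must exceed it;
 * with action approval enabled, an action with a start time is issued at the
   next start time following approval; without one it is issued on approval.
Durations may be timedelta objects or plain numbers in one unit (e.g. minutes).
"""
from datetime import datetime, timedelta


def action_expiration(command_timeout, download_timeout, distribute_over):
    """Expiration period: the larger of the two sums the Note describes."""
    return max(command_timeout + download_timeout,
               command_timeout + distribute_over)


def reissue_interval_is_valid(reissue_every, command_timeout,
                              download_timeout, distribute_over):
    """True when Reissue every is strictly greater than the expiration period."""
    return reissue_every > action_expiration(command_timeout,
                                             download_timeout, distribute_over)


def first_issue_time(approved_at, start_at=None, reissue_every=None):
    """When an approved action is first issued (Tanium Server clock, UTC).

    No start time: issued immediately after approval.
    Start time still ahead: issued at that start time.
    Start time already passed and a reissue interval set: the next multiple
    of the interval after approval. Otherwise None (assumption: the page does
    not say what happens to a one-off action approved after its start time).
    """
    if start_at is None:
        return approved_at
    if start_at > approved_at:
        return start_at
    if reissue_every is None:
        return None
    periods = (approved_at - start_at) // reissue_every + 1
    return start_at + periods * reissue_every


def page_example():
    """The guide's example: deploy at 1:00 am, reissue every day, approved at
    2:00 am, so deployed the next day at 1:00 am (the date is constructed)."""
    start = datetime(2017, 8, 24, 1, 0)
    approved = datetime(2017, 8, 24, 2, 0)
    return first_issue_time(approved, start, timedelta(days=1)).isoformat()
```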
5. Complete the Targeting Criteria section and click Show preview to continue.
6. Review the preview details and click Deploy Action.
You are prompted to review the impact on targets and to provide administrator credentials.
7. Enter your password.
The page reloads to display the Action Summary page.
8. Review the status to confirm expected results.
The Deploy Action workflow creates a scheduled action configuration object, and the action is entered on the Scheduled Actions, Action History, and (if applicable) Action Approval pages in the Tanium Console. For details, see Managing actions .
Working with saved questions
The saved question configuration includes question syntax and settings. A saved question can be issued manually or scheduled to be reissued periodically.
Using saved questions
In Interact, the Saved Questions page includes the objects imported with Tanium Initial Content and other content packs, as well as questions saved by Tanium administrators.
Issue and manage saved questions
From the Interact > Saved Questions page, you can take the following actions:
- Click the hyperlinked name of the question to issue it.
- Select the question and copy it to the Question Bar or Question Builder.
- Edit or delete the configuration.
Current / Recent zoom
In addition to all of the features of the results grid for dynamic questions, the results grid for saved questions includes a "zoom" option: Current or Recent. Current data includes responses from machines that are currently online. Recent data may include responses from offline machines. The Tanium Server caches client responses for 7 days by default. If a client is not online when a question is issued, but the Tanium Server has a cached value for it, the "recent" cached result can be passed to the results grid.
Figure 16: Current and Recent buttons on the results grid
Saving questions
You can save questions as configuration objects so that you can use a complex question that you created in the same way you use the predefined saved questions.
Create a saved question
1. Use the Question bar to ask a dynamic question.
2. Click Save this question directly under the Question bar.
Interact displays the New Saved Question workflow page.
3. Complete the settings described in the following table.
Settings and guidelines:
- Name: Specify a configuration name. The name appears in saved question lists that are incorporated into Tanium Console workflows. Observe the existing naming scheme so that you and other administrators can find it easily.
- Restrict this question to only owner and administrators: Select to restrict visibility. Use discretion here; if a question is significant only to the author, it need not clutter the saved questions list for everyone.
© 2017 Tanium Inc. All Rights Reserved Page 45
Settings
Reissue this question every
Guidelines
The saved question is first issued immediately upon saving the configuration. Clients that are online at that time respond with their answers.
You can use the "reissue" option to account for machines that are not currently online but are routinely online within predictable cycles (and even unpredictable times). For example, employee laptops might be offline the moment you save the saved question configuration, but you think you are likely to find them online at least once if you were to check every 8 hours.
When reissue is selected, the saved question is reissued in the background at the interval you specify. For example, if you save the saved question configuration at 9:00 a.m. local time and specify a reissue interval of every 8 hours, the Tanium Server reissues the saved question at 5:00 p.m., 1:00 a.m., 9:00 a.m., and so on. The results are archived. This improves the data quality of "recent" responses displayed in the results grid for machines that are not online when you use
Interact to issue the question.
You can use the Question History to verify that the saved questions are sent according to the reissue interval you have configured.
Specify a number and unit for the reissue interval: Minutes, Hours,
Days.
Note: If you specify a reissue interval of 8 hours, the system reissues the saved question exactly every 8 hours, regardless of time changes due to daylight savings time.
Include in the Select Drilldown Question dialog box Saved Questions tab.
Make this question available for drilldown
Make this question available for merging
Include in the Select Merge Questions dialog box Saved Questions tab.
© 2017 Tanium Inc. All Rights Reserved Page 46
Settings
Default Tab
Default Grid
Chart Zoom
Guidelines
Specify a default tab:
Question
,
Grid
,
Pie
.
The Default Tab setting is saved as a user preference unless the Use
these as the default for all users setting is selected.
Specify a data period:
Current
or
Recent
.
Current data includes responses from machines that are currently online.
Recent data may include responses from offline machines. The Tanium
Server caches client responses for 7 days by default. If a client is not online when a question is issued, but the Tanium Server has a cached value for it, the "recent" cached result can be passed to the results grid.
(You can change the default limit for recent with the global setting
SOAPQuestionHistoryLimitInDays.)
The Default Grid Chart Zoom setting is saved as a user preference unless the Use these as the default for all users setting is selected.
Select this option to make the Default Tab and Default Grid Chart Zoom settings apply to all users who issue this saved question.
Use these as the default preferences for all users
Associated
Actions
Tags
Optional. Click
Add Package
and select a package you want to be the default when a user clicks the Deploy Action button from the results grid.
Optional. Tags are name-value pairs. Use the controls to add tags. The
Saved Questions page includes a Tags column, and you can sort and filter on tags.
4. Click Preview to preview the results you will get when you use the saved question.
5. Click Create Saved Question.
Your question will be issued and results displayed in the results grid. Depending on the settings you configured, the saved question may appear in saved question lists that are incorporated into Tanium Console workflows.
Note: If you create a saved question based on a parameterized sensor, and then modify the sensor, the saved question will behave as originally designed until the saved question is modified. Then it will behave as expected with the new sensor definition.
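The reissue interval and the daylight saving note in the table above, as an added example (not Tanium's code): reissue instants are whole multiples of the interval after the save instant, so after a spring-forward the same instants read one hour later on the local clock. The UTC-5/UTC-4 switch rule and the function names are this example's own; the rule is a constructed stand-in for a real time zone database.

```python
from datetime import datetime, timedelta, timezone

# Constructed, simplified offset rule standing in for a real time zone database:
# UTC-5 before the switch instant, UTC-4 from then on. The instant is the 2017
# US spring-forward (2:00 a.m. local on 2017-03-12, which is 07:00 UTC).
DST_SWITCH_UTC = datetime(2017, 3, 12, 7, 0, tzinfo=timezone.utc)

def local_offset(instant_utc):
    return timedelta(hours=-4) if instant_utc >= DST_SWITCH_UTC else timedelta(hours=-5)

def reissue_schedule(saved_at_utc, interval, count):
    """Reissue instants: whole multiples of the interval after the save instant.
    Nothing here consults the local clock, which is the behaviour the guide's note describes."""
    return [saved_at_utc + interval * i for i in range(1, count + 1)]

def local_wall_clock(saved_at_utc, interval, count):
    """The same instants as an operator reads them on the local wall clock."""
    return [(t + local_offset(t)).strftime('%Y-%m-%d %H:%M')
            for t in reissue_schedule(saved_at_utc, interval, count)]

def guide_example():
    """The guide's case: saved at 9:00 a.m. local (UTC-5) on 2017-03-11, reissued every 8 hours."""
    saved = datetime(2017, 3, 11, 14, 0, tzinfo=timezone.utc)
    return local_wall_clock(saved, timedelta(hours=8), 4)

if __name__ == '__main__':
    for when in guide_example():   # 5:00 p.m., 1:00 a.m., then 10:00 a.m. (not 9:00 a.m.) after the switch
        print(when)
```

For the guide's 9:00 a.m., 8-hour case saved the day before the switch, the third reissue reads 10:00 a.m. local rather than 9:00 a.m.; the Question History shows the instants, so check it against UTC rather than wall-clock expectations.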
Working with dashboards
In Interact, a dashboard is an organized group of saved questions. You use dashboards to quickly locate and use sets of saved questions. You can manage the set of saved questions contained in the dashboard, and you can apply computer group filters.
An essential set of dashboards is created when Initial Content is imported during the
Tanium Server installation. Additional dashboards may be created when you import additional Tanium content packs and Tanium solution modules, and you can create dashboards and manage them to make them useful to your particular organization.
To display the dashboards page, click Dashboards from the Interact home page.
Figure 17: Dashboards page
Manage dashboards
Use the tools shown in the following figure to manage a dashboard configuration object.
Figure 18: Dashboard page tools
Issue saved questions from a dashboard
Use the expander button to show the saved questions within a dashboard. When you click a dashboard, Interact loads the saved questions contained in it. The page navigation uses a hierarchy: (1) category (2) dashboard (3) saved question. You can click a saved question to display its results grid.
Figure 19: Category > dashboard > saved questions list
Create a dashboard
1. Click New Dashboard.
2. Specify a configuration name, set filter and visibility options, and click Add.
The dashboard is added to the page.
3. Specify a configuration name, set filter and visibility options, assign it to a content set, and click Add.
The dashboard is added to the page.
4. Click Add Saved Question to display the Add available Saved Questions to Dashboard selection box. The items are populated from saved questions for which you have read permission.
5. Select saved questions and click Add.
Note: A new dashboard is added to the Other category by default. This category is visible only to users with the Administrator or Content Administrator role. Consequently, the dashboard is also visible only to the creator and users with the Administrator or Content Administrator role. If you do not have one of these roles, and you want the dashboard you have created to be visible to other users who do not have the Administrator or Content Administrator role, ask a user with the required privileges to move the dashboard to another category.
Reorder the saved questions in a dashboard
You can reorder the saved questions contained in a dashboard from the issued question page.
1. Select a saved question in the left pane and move it up or down. You can shift-click to select multiple items.
2. Reorder other saved questions as you like.
3. Click Save.
Export the dashboards configuration
1. Click the Export button in the upper right corner.
Interact displays the Select Dashboards to Export dialog box.
2. Select the configurations you want to export and click Export.
Working with categories
In Interact, a category is an organized group of dashboards. You use categories to quickly locate and use sets of saved questions. You can manage the set of dashboards contained in the category, and you can apply user group permissions.
A set of categories is created when the Initial Content is imported during the Tanium Server installation. Additional categories may be created when you import additional Tanium content packs and Tanium solution modules, and you can create categories that are meaningful to you.
To display the categories page, click Categories from the Interact home page.
Figure 20: Categories page
Manage categories
Use the tools shown in the following figure to manage a category configuration object.
Figure 21: Categories page tools
Note: When a new dashboard is created, it is added to a category named Other Dashboards. Only a user with the Administrator or Content Administrator role can move a dashboard from Other Dashboards to another category.
Issue saved questions from a category
Use the expander button to show the dashboards within the category and the saved questions within the dashboard. When you click one of the category's dashboards, Interact issues the saved questions contained in it. The page navigation uses a hierarchy: (1) category (2) dashboard (3) saved question. You can click a saved question to display its results grid.
Figure 22: Category > dashboard > saved questions list
Create a category
1. Click New Category.
2. Specify a name and visibility option and click Add.
The category is added to the page.
3. Click Add Dashboard to display the Add available Dashboards to Category selection box. The items are populated from dashboards for which you have read permission.
4. Select dashboards and click Add.
Reorder categories
1. Click the More button in the upper right corner and select Reorder.
Interact displays the Reorder Categories dialog box.
2. Move the categories into your preferred order.
Use favorites
Click the Favorites icon to add the category to your Favorites list. Favorites are saved as a user setting. Your favorites selections do not affect other users.
Export the categories configuration
1. Click the More button in the upper right corner and select Export.
Interact displays the Select Categories to Export dialog box.
2. Select the configurations you want to export and click Export.
Reference: Example questions
This reference provides examples to help you understand the kinds of questions you can ask.
Example starter questions
This section gives examples of common questions.
How can I get a list of running services or be able to single out a specific endpoint?
Get Running Service from all machines
Get Service Details from all machines
Get Running Service from all machines with Computer Name containing "hostname"
How can I get a list of running processes or be able to single out a specific endpoint?
Get Running Processes from all machines
Get Running Processes from machines where Computer Name contains "hostname"
Get Running Processes and Computer Name contains "hostname" from all machines
How can I display Registry keys and values?
Get Registry Value Data[registry key path, value-name] from all machines
Get Registry Value Data[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion, CommonFilesDir] from all machines
Get Registry Key Value Exists[registry key path, value-name] from all machines
Get Registry Key Exists[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion, CommonFilesDir] from all machines
How can I get a list of open ports?
Get Computer Name and Open Port from all machines
Get Open Port from machines where Computer Name contains "hostname"
Get Open Port from all machines with Computer Name containing "hostname"
How can I get user authentication information?
Get Logged In Users contains "username" from all machines
Get Logged In Users containing "BABOON08D9ANGUI\Administrator" from all machines
Get Logged In Users and Computer Name from all machines
Get Local User Login Dates from all machines
Get Logged In Users and Client Date from all machines
Get Last Logged In User and Client Date from all machines
Get Computer Name and Last Date of Local Administrator Login from all machines with Last Date of Local Administrator Login not containing "no results"
Get Local Administrators from all machines
How can I see the current logged on user?
Get User Sessions from all machines
How can I see when users last logged in?
Get Local User Login Dates from all machines
How can I get the Service Account Logons?
Get Service Login Names from all machines
How can I get certificate information?
Get Machine Certificates[authroot] from all machines
Get Machine Certificates[disallowed] from all machines
Get Machine Certificates[root] from all machines
For Intermediate Certs:
Get Machine Certificates[CA] from all machines (Intermediate Certs)
How can I detect all running Oracle instances within our Linux environment?
Get computer name and running processes that contains "ora_pmon" from machines with running processes contains "ora_pmon"
How can I get asset information?
Get Cpu and Cpu Details and Chassis and Architecture and Serial Number and Computer Name and Bios and IP Address and Mac Address and serial number from all machines
Example dashboard questions
Reviewing the predefined list of saved questions included in dashboards and categories is a good way to learn how to use questions to get meaningful results. A few of these predefined questions are repeated here to illustrate this.
Security > Data Leakage
Get Computer Name and Non-Approved Established Connections from all machines with Non-Approved Established Connections containing ":"
Security > Wireless Network Security
Get Wireless Networks Visible from all machines
Get Hosted Wireless Ad-Hoc Networks from all machines with Hosted Wireless Ad-Hoc Networks containing "started"
Get Unencrypted Wireless Networks from all machines with Unencrypted Wireless Networks containing "open"
Get Wireless Networks Using WEP from all machines with Wireless Networks Using WEP containing "wep"
Security > Proactive Security
Get Firewall Status containing "disabled" from all machines with Firewall Status containing "disabled"
Get Computer Name and Open Share Details from all machines with Open Share Details not containing "No shares"
Security > Workstation USB Write Protection
Get USB device details from all machines
Get Computer Name and Username from all machines with ( Operating System not containing "server" and USB Write Protected containing "False" )
Get Computer Name and Username from all machines with ( Operating System not containing "server" and USB Write Protected containing "True" )
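Every question in this reference has the shape Get <sensors> from [all] machines [with|where <filter>]. The parser below is an added example, not Tanium's code or API, that breaks such a string into its sensors, bracketed sensor parameters, and containing / not containing filters; it covers the forms shown on this page, including the parenthesized with ( ... and ... ) clause. All names in it are this example's own, and treating a filter written in the select clause as also selecting that sensor is an assumption.

```python
import re
from collections import namedtuple
Sensor = namedtuple('Sensor', 'name params')          # params: list taken from [...]
Filter = namedtuple('Filter', 'sensor negate value')  # negate: True for "not containing"

QUESTION_RE = re.compile(
    r'^Get\s+(?P<select>.+?)\s+from\s+(?:all\s+)?machines'
    r'(?:\s+(?:with|where)\s+(?P<filter>.+))?$', re.IGNORECASE)
FILTER_RE = re.compile(
    r'^(?P<sensor>.+?)\s+(?:that\s+)?(?P<not>not\s+)?contain(?:s|ing)\s+"(?P<value>[^"]*)"$',
    re.IGNORECASE)

def split_and(text):
    """Split on ' and ' outside [...]; sensor parameters such as registry paths live there."""
    parts, depth, start = [], 0, 0
    for m in re.finditer(r'[\[\]]|\s+and\s+', text, re.IGNORECASE):
        depth += {'[': 1, ']': -1}.get(m.group(), 0)
        if depth == 0 and m.group().strip().lower() == 'and':
            parts.append(text[start:m.start()])
            start = m.end()
    parts.append(text[start:])
    return [p.strip() for p in parts if p.strip()]

def parse_sensor(text):
    # 'Registry Value Data[path, name]' -> Sensor('Registry Value Data', ['path', 'name'])
    m = re.fullmatch(r'([^\[\]]+?)\s*(?:\[(.*)\])?', text.strip())
    if not m: raise ValueError(f'bad sensor: {text!r}')
    params = [p.strip() for p in m.group(2).split(',')] if m.group(2) else []
    return Sensor(m.group(1), params)

def parse_filter(text):
    m = FILTER_RE.match(text.strip())
    if not m: raise ValueError(f'bad filter: {text!r}')
    return Filter(m.group('sensor').strip(), bool(m.group('not')), m.group('value'))

def parse_question(question):
    """Return (sensors, filters) for one question string, or raise ValueError."""
    m = QUESTION_RE.match(question.strip())
    if not m: raise ValueError(f'not a "Get ... from machines" question: {question!r}')
    sensors, filters = [], []
    for part in split_and(m.group('select')):
        if FILTER_RE.match(part):  # assumption: a filter in the select clause also selects its sensor
            filters.append(parse_filter(part))
            sensors.append(Sensor(filters[-1].sensor, []))
        else:
            sensors.append(parse_sensor(part))
    clause = (m.group('filter') or '').strip()
    if clause.startswith('(') and clause.endswith(')'):
        clause = clause[1:-1]  # the guide's "with ( A ... and B ... )" form
    filters += [parse_filter(f) for f in split_and(clause)] if clause else []
    return sensors, filters
```

A parser like this is useful for reviewing exported saved questions in bulk, for instance to list every question whose filters reference Local Administrators or Open Port before it is shared with all users.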
Change log
Date: Revision Summary
May 4, 2017: Initial publication.
May 31, 2017: Revised "Getting Started" topic so it is consistent with the other solution modules.
June 29, 2017: Revisions to produce HTML versions of 1.1 and 1.0.
August 24, 2017: Update to reflect changes to capitalization style for user documentation.