Asking questions
In Tanium, asking questions is a fundamental interaction with endpoints.
What is a question?
Tanium questions help you get key pieces of information from managed enterprise endpoints.
The Ask a Question feature is built on a natural language parser that enables you to get started with natural questions rather than a specialized query language. You do not need to enter questions as complete sentences or particularly well formed inquiries. Word forms are not case sensitive and can even include misspellings. The parser interprets your input and suggests a number of valid queries that you can use to formalize the question that is sent to Tanium Clients.
The following figure shows an example of how natural language input is parsed into proposed queries. First, the user enters the fragment dns server and clicks Search. In response, Interact returns a list of queries cast in valid syntax.
Figure 1: Natural language parser
Basic questions include:

- one or more sensor names in the get clause.
- all machines (in other words, all Tanium Client host computers) in the from clause.
© 2017 Tanium Inc. All Rights Reserved Page 9
Advanced questions include filter clauses and parameterized sensors.
What is a sensor?
In essence, a sensor is a script that is executed on an endpoint to compute a response to a Tanium question. Sensors are distributed to clients during registration. Sensors enable you to ask questions about:

- Hardware/software inventory and configuration
- Running applications and processes
- Files and directories
- Network connections
The Initial Content that is imported during the Tanium Server installation includes sensors to support a wide range of common questions. Additional sensors may be added when you import additional Tanium content packs and Tanium solution modules. If you cannot find a sensor you need within Tanium-provided content, you can create user-defined sensors.
For more information, see Sensors.
Questions with multiple sensors
Use the AND operator in the get clause to specify multiple sensors. Results are grouped by the first sensor, then by the next sensor, and so on. The following example shows a question that uses multiple sensors.
Figure 2: Question with multiple sensors
Questions with parameterized sensors
A parameterized sensor accepts a value specified at the time the question is asked. The following example shows the File Exists sensor. The parser prompts you to specify a file path and file name.
Figure 3: File Exists parameterized sensor
Another example is the High CPU Processes sensor. Its parameter is the number of processes to return from each machine. Let's say you want the five processes with the highest CPU utilization. The question has the following syntax:
Get High CPU Processes[5] from all machines
For sensors with multiple parameters, you can pass an ordered list separated by a comma.
For example, if you want to get the results of Tanium Action Log number 1 and get 10 lines of results, specify a parameter list as shown in the following example:
Get Tanium Action Log[1,10] from all machines
Note: If you create a saved question based on a parameterized sensor and later modify the sensor, the saved question continues to behave as originally defined until you modify the saved question itself. After that it uses the new sensor definition.
Questions with filters
You can use filters to craft questions that target fewer computers than "all machines". Often you want to work only with the set of computers that report a specific process name or value.
This is an example of an advanced question. The left side is a complete and valid query; the right side contains a filter, the "with" expression. The filter expression on the right side must evaluate to a Boolean true or false. For example, the expression with Running Processes containing "trillian.exe" evaluates to true if the specified string matches the result string, or false if it does not.
A parameterized sensor like File Exists[] returns "File Exists: Filename" or "File does not exist", so you must be careful how you cast it in a filter expression.
Figure 4: Example: Question with parameterized sensor
The filter expression with File Exists[c:\a.txt] containing "Exists" evaluates to true when the result is "File Exists: c:\a.txt" and false when the result is "File does not exist", so it can be used to filter the set of responses.
Figure 5: Example: Filter with parameterized sensor
The filter is the first part of a question that the endpoint processes. If the endpoint's data does not match the filter, the endpoint does not process the question any further. If there are multiple filters, each filter is evaluated in turn; only when every filter evaluates to true are the sensors on the left side of the question executed and their results returned.
Filter expressions can match strings or regular expressions. The following table describes the operators supported in filter clauses.

contains (or containing)
    Sensor value contains the specified string.
    Example: running processes contains "trillian.exe"

does not contain
    Sensor value does not contain the specified string.

starts with
    Sensor value starts with the specified string.
    Example: starts with "tril"

does not start with
    Sensor value does not start with the specified string.

ends with
    Sensor value ends with the specified string.
    Example: ends with "lian.exe"

does not end with
    Sensor value does not end with the specified string.

matches
    Sensor value matches the specified regular expression (in Boost syntax).

does not match
    Sensor value does not match the specified regular expression.

is equal to
    Sensor value is equal to the specified value or string. You can also use an equals sign (=) or the word "is".

is not equal to
    Sensor value is not equal to the specified value or string. You can also use a negated equals sign (!=).

is less than
    Sensor value is less than the specified value.
    Example: application version[chrome.exe] < 12

is less than or equal to
    Sensor value is less than or equal to the specified value.
    Example: application version[chrome.exe] <= 12

is greater than
    Sensor value is greater than the specified value.
    Example: application version[chrome.exe] > 12

is greater than or equal to
    Sensor value is greater than or equal to the specified value.
    Example: application version[chrome.exe] >= 12
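To make the evaluation order and the File Exists caveat concrete, here is a small Python model of how a question's "with" filters gate its get clause. It is an added example, not Tanium code and not part of this guide: the host names, the canned sensor results and the Filter/Endpoint/ask helpers are constructed for illustration, the operator predicates follow the table above, and Python's re module stands in for Boost regular-expression syntax.

```python
"""Model of how a Tanium question's 'with' filters gate its get clause.

Constructed example, not Tanium code. Sensor results are canned strings,
the operator table mirrors the documented filter operators, and Python's
re module stands in for the Boost regular-expression syntax.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed sensor results per endpoint (sensor name -> value the client reports).
ENDPOINTS: Dict[str, Dict[str, str]] = {
    "host-a": {
        "Computer Name": "host-a",
        "Running Processes": "explorer.exe trillian.exe chrome.exe",
        "File Exists[c:\\a.txt]": "File Exists: c:\\a.txt",
    },
    "host-b": {
        "Computer Name": "host-b",
        "Running Processes": "explorer.exe chrome.exe",
        "File Exists[c:\\a.txt]": "File does not exist",
    },
    "host-c": {
        "Computer Name": "host-c",
        "Running Processes": "svchost.exe trillian.exe",
        "File Exists[c:\\a.txt]": "File does not exist",
    },
}

# Filter operators from the table: predicate(sensor value, operand).
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "contains": lambda v, a: a in v,
    "containing": lambda v, a: a in v,
    "does not contain": lambda v, a: a not in v,
    "starts with": lambda v, a: v.startswith(a),
    "does not start with": lambda v, a: not v.startswith(a),
    "ends with": lambda v, a: v.endswith(a),
    "does not end with": lambda v, a: not v.endswith(a),
    "matches": lambda v, a: re.search(a, v) is not None,
    "does not match": lambda v, a: re.search(a, v) is None,
    "is equal to": lambda v, a: v == a,
    "is not equal to": lambda v, a: v != a,
}


@dataclass
class Filter:
    sensor: str    # sensor name with any parameter applied, e.g. 'File Exists[c:\\a.txt]'
    op: str        # key of OPERATORS
    operand: str   # string the sensor value is compared against


@dataclass
class Endpoint:
    name: str
    results: Dict[str, str]
    executed: List[str] = field(default_factory=list)  # sensors this question ran

    def run_sensor(self, sensor: str) -> str:
        """Models executing the sensor script on the endpoint."""
        self.executed.append(sensor)
        return self.results[sensor]


def passes_filters(ep: Endpoint, filters: List[Filter]) -> bool:
    """Each 'with' expression runs its sensor and must evaluate to true."""
    for f in filters:
        if not OPERATORS[f.op](ep.run_sensor(f.sensor), f.operand):
            return False  # stop here: later filters and the get clause never run
    return True


def ask(get_sensors: List[str],
        filters: List[Filter]) -> Tuple[Dict[str, Dict[str, str]], Dict[str, List[str]]]:
    """Return (answers, trace): answers only from endpoints whose filters all
    hold; trace lists which sensors each endpoint actually executed."""
    answers: Dict[str, Dict[str, str]] = {}
    trace: Dict[str, List[str]] = {}
    for name, results in ENDPOINTS.items():
        ep = Endpoint(name, results)
        if passes_filters(ep, filters):
            answers[name] = {s: ep.run_sensor(s) for s in get_sensors}
        trace[name] = ep.executed
    return answers, trace


if __name__ == "__main__":
    f_exists = Filter("File Exists[c:\\a.txt]", "containing", "Exists")
    # Get Computer Name from all machines with File Exists[c:\a.txt] containing "Exists"
    print(ask(["Computer Name"], [f_exists])[0])
    # Careless cast: "File does not exist" also contains "File", so no host is filtered out.
    print(sorted(ask(["Computer Name"], [Filter("File Exists[c:\\a.txt]", "containing", "File")])[0]))
    # Two filters: a host that fails the first never runs the second or the get clause.
    print(ask(["Computer Name"], [Filter("Running Processes", "contains", "trillian.exe"), f_exists])[1])
```

The trace returned by ask is the point of the model: an endpoint that fails the first filter runs only that one sensor, which is why a cheap, selective filter in front of an expensive get clause keeps the work on the endpoints down.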
Using the Question Builder
The Question Builder is another way to create a question. It has form fields to help you complete the get clause, the from clause, and optional filters.
You can launch the Question Builder in either of the following ways:

- In the Ask a Question box, click Question Builder in the top right corner.
- After you have asked a question and want to refine it, click Copy to Question Builder.
The following figure shows the Question Builder.
Figure 6: Question Builder
The first text box is for sensor names. Start typing and then use the typeaheads to select sensors.
Figure 7: Typeaheads
Alternatively, you can use the Browse Sensors dialog box to select sensors. When you use the dialog box, you can review sensor descriptions.
Figure 8: Browse sensors
The following table provides guidelines for Advanced Sensor Options.

Case Sensitivity
    Ignore case: Group and count result values regardless of differences in upper-case and lower-case characters.
    Match case: Group and count result values with strict attention to letter case.

Matching
    Match Any Value: At least one value in the answer must match the value specified in the question.
    Match All Values: Every value in the answer must match the value specified in the question.
    For some sensors, a Tanium Client might compute multiple results. For example, in response to the IP Address sensor, a Tanium Client can return both an IPv4 address and an IPv6 address. A question based on the IP Address sensor containing "192.168" could then match the IPv4 address but not the IPv6 address. In this case, you probably want Match Any Value.

Treat Data As
    Sensor values are treated as the type of data you specify:
    - Date/Time (BES)
    - Date/Time (WMI)
    - File Size
    - Integer
    - IP Address
    - Numeric
    - Text
    - Time Duration
    - Version

Maximum Data Age
    Maximum time the Tanium Client may use a cached result to answer a question.
    For example, by default, the maximum data age for the File Size sensor is 15 minutes. When a Tanium Client is asked a question that executes the File Size sensor, it caches the result. Over the next 15 minutes, if the Tanium Client is asked a question that includes the File Size sensor, it responds with the cached answer. After 15 minutes, if the Tanium Client is asked a question that includes the File Size sensor, it executes the sensor script again to compute a fresh answer.
    Use shorter ages for sensors that return values subject to frequent change, such as status and utilization sensors. Use longer ages for values that typically change infrequently, such as the chassis type or Active Directory domain membership.
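The Matching, Case Sensitivity, Treat Data As and Maximum Data Age options above all change what a filter or a result grouping means without changing the question text. The following Python model, added here as an example and not Tanium code, shows each effect on constructed data: the IPv4/IPv6 answer, the process-name list, the version strings, the stand-in File Size script and the fake clock are all made up for illustration, and only the Treat Data As types that are plain coercions (Text, Integer, Numeric, Version) are modelled.

```python
"""Model of Advanced Sensor Options: Matching (Match Any Value versus Match
All Values), Case Sensitivity, Treat Data As (how operands are compared)
and Maximum Data Age (the client-side result cache).

Constructed example, not Tanium code. The sensor script, the clock and the
type coercions are stand-ins for what the Tanium Client does.
"""
import operator
from collections import Counter
from typing import Callable, Dict, List, Tuple

# Constructed answer of the IP Address sensor on one endpoint: an IPv4 and an IPv6 address.
ENDPOINT_IPS = ["192.168.10.23", "fe80::1c2b:3d4e:5f60:7a8b"]


def match_values(values: List[str], predicate: Callable[[str], bool], mode: str) -> bool:
    """Match Any Value: one matching value is enough. Match All Values: every value must match."""
    if mode == "any":
        return any(predicate(v) for v in values)
    if mode == "all":
        return all(predicate(v) for v in values)
    raise ValueError(f"unknown matching mode {mode!r}")


def group_counts(values: List[str], ignore_case: bool) -> Dict[str, int]:
    """Case Sensitivity: group and count result values, folding case when asked to."""
    return dict(Counter(v.casefold() if ignore_case else v for v in values))


def as_version(s: str) -> Tuple[int, ...]:
    """'12.0.742.112' -> (12, 0, 742, 112); non-numeric components count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in s.split("."))


# Treat Data As: only the types that are plain coercions are modelled here.
TYPES: Dict[str, Callable[[str], object]] = {
    "Text": str,
    "Integer": int,
    "Numeric": float,
    "Version": as_version,
}

COMPARISONS = {
    "<": operator.lt, "<=": operator.le, ">": operator.gt,
    ">=": operator.ge, "=": operator.eq, "!=": operator.ne,
}


def compare(value: str, op: str, operand: str, treat_as: str) -> bool:
    """Evaluate e.g. compare('9.0.597.98', '<', '12', 'Version') under the chosen data type."""
    coerce = TYPES[treat_as]
    return COMPARISONS[op](coerce(value), coerce(operand))


class ClientCache:
    """Maximum Data Age: reuse a cached sensor result while it is younger than max_age_s."""

    def __init__(self, clock: Callable[[], float]):
        self.clock = clock
        self.cache: Dict[str, Tuple[float, List[str]]] = {}
        self.executions = 0  # how often a sensor script actually ran

    def answer(self, sensor: str, script: Callable[[], List[str]], max_age_s: float) -> List[str]:
        now = self.clock()
        hit = self.cache.get(sensor)
        if hit is not None and now - hit[0] < max_age_s:
            return hit[1]            # fresh enough: the script does not run again
        values = script()
        self.executions += 1
        self.cache[sensor] = (now, values)
        return values


def demo_cache() -> Tuple[int, int]:
    """Ask File Size at t=0, at 10 min (served from cache) and at 16 min (re-executed)."""
    now = [0.0]
    client = ClientCache(lambda: now[0])
    sensor, max_age = "File Size[c:\\a.txt]", 15 * 60
    script = lambda: ["4096"]        # stand-in for the File Size sensor script
    client.answer(sensor, script, max_age)
    now[0] = 10 * 60
    client.answer(sensor, script, max_age)
    after_ten_minutes = client.executions
    now[0] = 16 * 60
    client.answer(sensor, script, max_age)
    return after_ten_minutes, client.executions


if __name__ == "__main__":
    has_192_168 = lambda v: "192.168" in v
    print(match_values(ENDPOINT_IPS, has_192_168, "any"), match_values(ENDPOINT_IPS, has_192_168, "all"))
    print(compare("9.0.597.98", "<", "12", "Version"), compare("9.0.597.98", "<", "12", "Text"))
    print(group_counts(["chrome.exe", "Chrome.exe", "CHROME.EXE", "svchost.exe"], ignore_case=True))
    print(demo_cache())
```

The compare calls show why Treat Data As matters for the version examples in the filter table: "9.0.597.98" is less than "12" as a Version but not as Text, where the comparison stops at the first character. The cache demo shows the other side of Maximum Data Age: an answer served from cache is up to that age stale, which is acceptable for chassis type and misleading for a utilization or status sensor.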
Question expiration
When a dynamic or saved question is issued, the question is assigned a question ID. In your web browser, you will notice the question ID in the URL.
Figure 9: Question ID
The question ID "expires" after 10 minutes, and its corresponding URL becomes invalid.
This means that for up to 10 minutes, you can refresh the page or share the link. After 10 minutes, if you navigate to the link, Interact displays a message indicating the question has expired, and it gives you the option to copy the question text to the Question Bar so you can reissue it.
Figure 10: Question Expired message
Question History
Go to Administration > Question History to review a chronology of questions that have been issued. By default, an entry for a question is maintained in the chronology for 7 days.
You can change the default limit with the global setting SOAPQuestionHistoryLimitInDays.
You can use the Question History to review question syntax and the question expiration timestamps. You can also copy the question to the Question Bar or Question Builder.