There are a couple of Tanium articles about how to ask Questions in the Tanium Console. First, there's the official Interact documentation on Questions. And second, there's the old KB article on Asking Questions that tries to explain it all in the pre-7.0 Tanium Console (but we've all upgraded to 7.0, right?).
So why bother with this post? Well whenever I explain how to ask Questions to people, I like to start with a brief explanation of the two parts of a Tanium Question. In my opinion, this is a much shorter path to understanding the basics. And in fact, the new 7.0 Question Builder is designed around the same thinking. So read this short post to better understand the basics, and then go back to the other two articles if you want to get the full detail.
If you've already got a 7.0 Tanium Server up and running, you can follow along in your own Console. I'm going to start with the Console's Question Builder (see Interact User Guide for more info) and one of the most common Questions used during TAM demos. The Question Builder is an intuitive form that lets you avoid the "Ask a Question" parser (confusing at first, but powerful). You can specify the Sensors to use in the Question, and then it translates it into a properly structured Tanium Question on the right in the "Question text" field.
In the Question Builder screenshot above, focus on the "Get the following data" and "from computers with". What the Question Builder is doing is breaking up the Tanium Question into two pieces.
The First Half of the Question Specifies What Data Comes Back
The first half of the Question contains Sensors (in the screenshot, "Computer Name" and "Operating System") that become the data columns in the result grid. You can actually see this in the Preview section in the Question Builder screenshot above. So, any Tanium Client that evaluates this Question will return its computer name and operating system like this:
The Second Half Specifies Which Tanium Clients Should Respond
You may have noticed that there is nothing under the "from computers with" section in the Question Builder screenshot above. What this translates to in a Tanium Question is "from all machines", which is what you see highlighted in the "Question text" section in the Question Builder. Since the second half of the question instructs whether a Tanium Client should respond, every single Client would try to answer the above Question because of the "all machines" part.
As a quick example, if I changed the Question Builder to look like this:
Now you can see in the Question Builder that there is a "Computer Name contains Alpha" in the second half of the Question. What this means is, only Tanium Clients on machines with the letters "Alpha" in their computer name will respond. Tanium Clients that don't match simply don't return anything. In fact, they don't even evaluate the first half of the Question.
You can use other Sensor Filters too
In addition to "contains", you have a pretty solid array of options when you want to filter your results. Most of them are pretty obvious, but a few warrant an explanation:
- "matches" allows you to use a regular expression.
- "less than", "less than or equal to", "greater than", and "greater than or equal to" boil down to basic ordering that depends on the Sensor's value type. If the Sensor returns text, the comparison is alphabetical: "apple" is less than "banana", and "10" is less than "9". Only a Sensor with a numeric value type compares numerically, so check the type before trusting a numeric-looking comparison.
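To make the two halves and the filter behaviour concrete, here is a small Python model of what the post describes: the Question Builder assembling question text from Sensors and filters, each Client evaluating the second half first and only answering (and only running the first-half Sensors) when it matches, and the "contains", "matches" and ordering filters with their value-type dependence. This is an added example written for this post, not Tanium's parser or Client code. The exact question-text syntax (`from all machines with ...`, double-quoted values), case-sensitive "contains", and the "Free Memory (MB)" Sensor and sample machines are all assumptions made up for the illustration; check them against your own Console.

```python
import re

# Toy model of Tanium Question text and Client evaluation (added example, not
# Tanium code). Syntax, operators and sample data are assumptions for illustration.

COMPARISONS = {
    "less than": lambda a, b: a < b,
    "less than or equal to": lambda a, b: a <= b,
    "greater than": lambda a, b: a > b,
    "greater than or equal to": lambda a, b: a >= b,
}
# Longest operator names first so the regex does not stop at "less than".
OPERATOR_RE = "|".join(sorted(list(COMPARISONS) + ["contains", "matches"], key=len, reverse=True))
FILTER_RE = re.compile(rf'^(.+?) ({OPERATOR_RE}) "(.*)"$')
QUESTION_RE = re.compile(r"^Get (.+?) from all machines(?: with (.+))?$")


def build_question(sensors, filters=()):
    """Mimic the Question Builder: Sensors under "Get the following data" become the
    first half, filters under "from computers with" become the second half.
    No filters means "from all machines"."""
    first_half = "Get " + " and ".join(sensors)
    if not filters:
        return first_half + " from all machines"
    clauses = " and ".join(f'{sensor} {op} "{value}"' for sensor, op, value in filters)
    return f"{first_half} from all machines with {clauses}"


def parse_question(text):
    """Split question text into (sensors, filters); filters is a list of (sensor, op, value).
    Toy grammar: clauses are joined with " and ", so values may not contain that string."""
    m = QUESTION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable question: {text!r}")
    sensors = m.group(1).split(" and ")
    filters = []
    for clause in (m.group(2).split(" and ") if m.group(2) else []):
        fm = FILTER_RE.match(clause)
        if not fm:
            raise ValueError(f"unparseable filter: {clause!r}")
        filters.append(fm.groups())
    return sensors, filters


def filter_matches(sensor_value, op, filter_value):
    """Apply one Sensor filter to one Sensor value."""
    if op == "contains":
        return filter_value in str(sensor_value)  # case-sensitive here: an assumption
    if op == "matches":
        return re.search(filter_value, str(sensor_value)) is not None
    # Ordering depends on the Sensor's value type: numeric Sensors compare as numbers,
    # text Sensors compare alphabetically ("apple" < "banana", but also "10" < "9").
    if isinstance(sensor_value, (int, float)):
        try:
            return COMPARISONS[op](sensor_value, float(filter_value))
        except ValueError:
            pass
    return COMPARISONS[op](str(sensor_value), str(filter_value))


class Client:
    """Stand-in for a Tanium Client. Sensors are callables; we record which ones ran
    so the "non-matching Clients never look at the first half" behaviour is visible."""

    def __init__(self, sensors):
        self.sensors = sensors
        self.evaluated = []

    def _sense(self, name):
        self.evaluated.append(name)
        return self.sensors[name]()

    def answer(self, question_text):
        sensors, filters = parse_question(question_text)
        # Second half first: should this Client respond at all?
        if not all(filter_matches(self._sense(s), op, v) for s, op, v in filters):
            return None  # no match: return nothing, first half never evaluated
        # First half: one result-grid row, one column per Sensor.
        return {s: self._sense(s) for s in sensors}


def make_fleet():
    """Constructed sample machines (not real Tanium data)."""
    return [
        Client({"Computer Name": lambda: "Alpha-01", "Operating System": lambda: "Windows 10",
                "Free Memory (MB)": lambda: 2048}),
        Client({"Computer Name": lambda: "Bravo-02", "Operating System": lambda: "Ubuntu 18.04",
                "Free Memory (MB)": lambda: 512}),
        Client({"Computer Name": lambda: "Alpha-03", "Operating System": lambda: "Windows Server 2016",
                "Free Memory (MB)": lambda: 8192}),
    ]


def ask(question_text, fleet):
    """Collect the result grid: one row per Client that chose to respond."""
    return [row for row in (c.answer(question_text) for c in fleet) if row is not None]


if __name__ == "__main__":
    q = build_question(["Computer Name", "Operating System"], [("Computer Name", "contains", "Alpha")])
    print(q)
    for row in ask(q, make_fleet()):
        print(row)
```

Run it and the Bravo machine's `evaluated` list contains only "Computer Name": it ran the filter Sensor, failed it, and never touched "Operating System". Swap the numeric `2048` for the string `"2048"` in `make_fleet()` and a `greater than "512"` filter stops matching, which is the value-type caveat above in miniature.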
Don't be Afraid of the "Ask a Question" Field
As I mentioned earlier in the post, the "Ask a Question" field can be a bit complex when you first try to use it. But, once you understand the basics of a Question and can use filters on Sensors, you can start to use the "Ask a Question" field. Simply follow the basic flow that you learned through the Question Builder.
- Figure out what data columns you want back and add those Sensors to the "Ask a Question" field.
- Think about what machines you want to respond, and if necessary, come up with a Sensor filter or two to have the right machines respond.
- Hit go and select the correct parser result.
If the parser fails to return the right question and you can't figure it out, go back to using the Question Builder. And, if the result set isn't quite right, you may need to iterate and ask a slightly different question. Fortunately, repeating this process and asking an entirely new Question is fairly cheap (unless you've got an expensive Sensor -- a post for another day).
Questions? Comments? Either contact us or comment below.