Using Regular Expressions in Questions

 
 

During a recent training, someone in the room was going through some hands-on training activities on how to ask Tanium Questions. As he was working through some Questions using some filters, he asked what a lot of others ask about:  Can you use regular expressions in Questions?

The answer to this insanely common question is yes (if you've upgraded to Tanium v7.0). 


Use the "Matches" Filter for Regular Expressions

When you want to use regular expressions to narrow down the results from a Question, you need to use the "matches" keyword. Keep in mind that your regular expression needs to match the entire Sensor result. For instance, if you wanted to find all the machines that have an IP address ending in 3 numbers, you can't just use "\d{3}^". Instead, you need to account for the beginning of the IP address with ".*" (or something fancier, if you really want to show off).

Lazy Example for Finding IP Addresses ending with 3 Numbers

If you want to do a really quick and basic test for a regex match, you can do something like this. In the "Ask a Question" field, simply ask for "IP Address matching ".*\d{3}":

Tanium Console Parser

Tanium Console Parser

 

Once parsed, you'll be able to quickly find the correct structured Question you want. In this case, you can click on "Get IP Address matching ".*\d{3}" from all machines" and see:

Regex Match Question Result for Get IP Address matching ".*\d{3}" from all machines

Regex Match Question Result for Get IP Address matching ".*\d{3}" from all machines

 

Better Way to see Filtered Results with Plural Sensors

You'll notice that there are "[no results]", which is why I called this basic Question lazy.

To do this properly, you actually have to use both sides of the Question like:

Regex Match Question Result for Get IP Address matching ".*\d{3}" from all machines with IP Address matching ".*\d{3}"

Regex Match Question Result for Get IP Address matching ".*\d{3}" from all machines with IP Address matching ".*\d{3}"

 

Did you notice that there are two  matching filters? For a more detailed explanation on why you might need to have that filter in two places, check out yesterday's post on what they are and how to avoid them.

Additionally, if you didn't care about the IP address data itself and wanted the computer names too, you could simply add Computer Name to the Question:

Regex Match Question Result for Get Computer Name and IP Address matching ".*\d{3}" from all machines with IP Address matching ".*\d{3}"

Regex Match Question Result for Get Computer Name and IP Address matching ".*\d{3}" from all machines with IP Address matching ".*\d{3}"

 

Tidbit

As a small tidbit, I think its interesting (hopefully I'm not the only one) that the Tanium Server uses regex under the covers to implement many of the other filter keywords. As an example, The Tanium Server translates "starts with abc" and converts that to a regex match of "abc.*".


Questions? Comments? Either contact us or comment below.