Tanium 6.x: Saving Questions

Commonly asked questions can be saved for later by any operator and referred to by a friendly name. However, at times it can be faster to re-type some questions than it is to find them in the UI. A novice operator may not realize it, but there are numerous very important reasons to save a question, and they are outlined in this guide. Operators that can ask a question can save a question. At the top of every Answers Grid is a line that says “Save this question …”

[Screenshot: Save_question_link.png, the “Save this question …” link above the Answers Grid]

Click the link to begin the process of saving the question.

[Screenshot: Save_current_question_box.png, the Save Current Question dialog]

There are a few interesting things to note about saved questions. An experienced operator will put something that can help categorize a question into the question’s name. This can be the operator’s name or department or a question category. The “Question Text:” box contains the parsed question. It can be copied and pasted into the Question Bar, but cannot be altered.

An operator can optionally make the question visible to all. Use discretion here; if a question is significant only to the author, it need not clutter the saved questions list for everyone. Skipping to the bottom, you can take a default action on a question so that when an operator clicks “Deploy Package” at the bottom of the saved question, the console pre-selects the package to deploy in the Deploy Package box. Package deployment is covered in-depth in its own section.

Perhaps most importantly, there’s the ability to Archive the question on a schedule. Tanium will collect answers from machines in seconds. The answers it collects are the result of execution of a Sensor on the machines a question targets. This means that answers are real-time, and there are no answers for machines which are not powered on. In order for an operator to find out how machines were responding to the questions when nobody was logged in and watching the Answers Grid, or to ensure that there are answers for machines which are not online 100% of the time, the question must be saved and the answers archived. Archived questions typically represent a very small subset of the total amount of Sensor-based information that can possibly be retrieved in real-time. The rule here: if you must have historical data, decide in advance what you will need to know later, and archive that.

[Screenshot: Archiving_options.png, the archiving options for a saved question]

The checkbox that archives aggregated results will only keep a count of unique answer rows (perhaps Computer Name, or perhaps how many days old antivirus dat files are), so that counts of results can be tracked on a macro-level but not, as an example, per-machine or per-result. This saves space in the archive database.

As a general rule, questions should not be archived more frequently than is necessary. Most questions will not require 5-minute resolution. All operators that can save questions should know that saving a bunch of questions at 1-minute intervals not only pollutes the archive database, but can cause machines they have rights to in the environment to needlessly evaluate sensors around the clock.

Saved Questions can be retrieved from the Authoring -> Saved Questions tab. However, the real utility in saving a question is not clicking through the UI to find and load it, but dropping it into a dashboard along with other saved questions and, perhaps, putting that dashboard into a dashboard group. Saved Questions are also necessary for the Drill Down functionality. Saved Questions are the building blocks for a lot of functionality.
