Tanium 6.x: Asking Questions

Introduction

One powerful aspect of Tanium is that it can process natural English questions. As a result, a Tanium operator without any training can quickly begin to use this functionality to craft useful queries.

While the Tanium natural English parser is intuitive and relatively simple, there are many advanced functionalities worth exploring. This article is intended to help operators effectively craft a query designed to elicit the response intended in version 6.5 or later of Tanium.

Asking a Basic Question

In everyday language, a Question is a sentence designed to obtain information. A Tanium Question is similar: a user enters a query and receives responses. An example Question might be “Get Computer Names from all machines.” This question will return Computer Name from all agents.

Questions do not need to be entered into Tanium as complete sentences or particularly well formed to return results. In fact, typing just “Get Computer Name” is good enough for Tanium to form the input into the Question, “Get computer name from all machines.” Questions are case-insensitive.

Questionbar.png
 

Tanium is also able to process misspelled words and incomplete sentences because of its advanced Parser. Input entered into the Tanium Question form field is sent to the Parser, which takes the user input and proposes several options for what the operator may have intended to ask. The operator then selects the query that best represents the intended question:

Parser.png
 

Once an operator selects a question, each endpoint receives the question in a format that it knows how to respond to. In seconds, each endpoint will process its answer and send a response.

Tanium uses a multitude of techniques to reduce the overall bandwidth that is required to process Questions. One technique that is used is called counting. If a Question is asked that will elicit common responses, Tanium can use this behavior to reduce the amount of data being passed. For example, if a Question about running processes is asked, it is very likely that many hosts will share the same running processes. Thus, Tanium needs to send the running process only once, and each subsequent endpoint will add a “me too” to the count of systems with that running process. This reduces the overall amount of traffic that is sent and speeds up communication.

Countexample.png
 

Users can also ask for only a count of items. For example, the question below, “Get number of machines with Running Processes starting with "def"”, returns only the number of matching machines.

Count_Dial.png
 

What Questions are Available to Ask?

One frequently asked question about Questions is “what questions are available to ask?” The answer is that each Question inside of Tanium is actually a piece of code that is delivered to the endpoints. This piece of code is called a Sensor. If a Sensor exists, it can be added as part of a Question.

Sensors can be viewed, modified, or created by Tanium operators. For more information on Sensors and how they can be created and modified please refer to Sensor Authoring.

To view the list of available Sensors installed in your solution, navigate in the console to Authoring > Sensors. Sensors can be sorted by category, name, or by the description text accompanying the Sensor.

Take some time to review your available Sensors. There may be some additional Sensors already installed in your environment that can solve a major business problem.

Sensors.png
 

Compound Questions

Often, an operator will want to obtain multiple pieces of information from an endpoint. This is possible and easy to perform with Tanium. To combine multiple Sensors into a Question, simply use the combining word “and.” For example, an operator can ask “Get Computer Names and Running Processes.” This will return “Computer Name” and “Running Processes” in two separate columns. In this case, Computer Name rows will contain multiple Running Process entries:

CompoundQuestions.png
 

One benefit of compound Questions is that operators are able to quickly string together useful elements of information. Operators can continue to add information that is useful by simply appending “and” between Sensors. For example, “Get A and B and C and D,” and so on.

Saving Questions

Some questions might be long or complicated. After taking the time to craft one of these queries, it may be useful to save it for later. Further, you can use Saved Questions with the Connect module; see the Tanium Connect Users Guide.

Saved questions can also be used to populate Dashboards. For more information on Dashboards please see Dashboards and Dashboard Groups.

Saved Questions can be retrieved and executed from Administration > Saved Questions.

To save a question, run a query and click Save this Question in the top left of the console.

SaveQuestions.png
 

When you save a Question you will provide a name and optionally add the Question to a Dashboard as well as configure some settings and permissions if you desire.

Basic and Compound Question Examples

A basic Question might be as follows:

Get Tanium Client Version from all machines

Another Question below will return the Running Services:

Get Running Service from all machines

This Question will return a computer name and running processes:

Get computer name and running processes from all machines

Two sensors are provided in one console output here. This is an example of a Compound Question. The computer name (which is generally unique) is provided alongside a list of processes that are running on a system with that computer name.

Merging

Once a Question is asked, it is common for operators to want to ask additional questions. Tanium can add additional information to Questions by tacking on an additional question, thus “merging” the results of multiple Questions into the original query.

An example might be that an operator originally requests a list of computer names and running processes, but finds a suspicious process is running on a few machines. The operator then requests a merged Question to include the last logged in user to identify any common thread of user activity.

Users can merge a Question by clicking the plus (+) symbol in the top right of the answers as shown below:

MergingQuestions.png
 
 

Parameterized Questions

Some Questions have optional or required input fields that can further refine the Sensor’s results. These Questions have a slightly different format to include the additional information.

For example, an operator may want to get the top 5 highest CPU utilizing processes. The relevant Sensor (High CPU Processes) is a parameterized Sensor; its required parameter is the number of processes to return from each machine. To get the top 5, we can ask the question “Get High CPU Process[5]”, which will pass the number 5 to the Sensor.

For multiple Parameters, an operator can pass an ordered list separated by a comma and space. For example, if an operator would like to get the results of Tanium Action Log number 1 and get 10 lines of results, the correct Question would be formatted:

Get Tanium Action Log[1, 10] from all machines

Additional Parameters are available for Sensors. Their Input and description can be found at Sensor Authoring.

Advanced Question Authoring

More complicated Questions may be described as advanced. Advanced Questions may use multiple filters and apply Boolean logic to obtain the desired result. They are generally used to limit the amount of data being retrieved or to prevent Sensors from executing on certain systems.

Advanced Question Diagram

Below is an example of a more advanced question:

AdvancedQuestionDiagram2.png

The left side of the advanced question example contains the desired data and the right side of the question contains the filter. The filter will be the first thing processed by a machine. If it does not match the filter, then it will not process the Question (obtain desired data).

Let’s break this question down a bit further:

  • The word “Get” is a keyword to let the operator know that what follows is the desired data.
  • “Computer Name” is a Sensor that has respective code available. It will be evaluated by the endpoint and each endpoint’s response will be included in the results.
  • “and” is a stringing word that tells the parser to combine the results of these Sensors to display to the operator.
  • “Running Processes” is a second Sensor. It will be evaluated by the endpoint and each response will be included in the results.
  • “containing “trillian.exe”” is a filter for the preceding Sensor. The Sensor will process this as a restriction on its output. Therefore, even though Running Processes might return many results, the operator will receive results from this Sensor containing only “trillian.exe.”
  • “from all machines” ends the desired data and separates the question from the filter on the right. In the order of operations, everything after “from all machines” is actually processed prior to the left hand side of the question.
  • The remaining green string is “with Running Processes containing “trillian.exe””. This is the filter clause.
  • “Running Processes” is the same Sensor, repeated here. It is evaluated by the endpoint to determine what running processes exist on the system at the time it is queried.
  • “containing “trillian.exe””, when on this side of the question, indicates that computers will first evaluate whether there is any running process which contains “trillian.exe” prior to evaluating the remainder of the question. If a given system does not have “trillian.exe” in its running processes, it will not process the left hand side of the question.

One important consideration is the order of operations: the filter (right side) is evaluated first. This means that each element of the right side of the question is executed on the endpoint. In our example, this is the Sensor “Running Processes”. The Sensor is executed and its output is checked against the criterion, which in this case is that it must “contain” trillian.exe.

If there are multiple filters, each filter will be processed and evaluated. If the evaluation is true, then the Sensor(s) on the left side of the Question will also be executed and returned.

In addition to the operators that we used above, we could have used other words to indicate different types of filtering. Operators for comparison in question asking or filtering include:

Filter: Description
contains: One element of the result should have the requested keyword or phrase somewhere within the results. Example: running processes contains “trillian.exe”
<: Compares numbers; the given number should be less than another number. Example: application version[chrome.exe] < 12
>: Compares numbers; the given number should be greater than another number. Example: application version[chrome.exe] > 12
<=: Compares numbers; the given number should be less than or equal to another number. Example: application version[chrome.exe] <= 12
>=: Compares numbers; the given number should be greater than or equal to another number. Example: application version[chrome.exe] >= 12
starts with: Identifies when a string begins with a certain element. Example: starts with “tril”
ends with: Identifies when a string ends with a certain element. Example: ends with “lian.exe”
equal to: Can also be written as an equals sign (=) or the word “is”; compares that the value or string is equal to the other value or string.
not equal to: Can also be written as a negated equals sign (!=); compares that the value or string is not equal to the other value or string.

Filtering Sensors

Each Sensor within the left side of a Question (Desired Data) set may also include a filter. This filter will be used only to reduce the string results that come back from each Tanium Client, and will not reduce the number of Tanium Clients that respond.

As an example, let’s ask "Get IP Address and Computer Name starting with D". The Sensor filter "starting with D" applies to the Computer Name Sensor, and will instruct the Tanium Clients to return only Computer Names that start with the letter "D".

FilteringSensors.png
 

Note that all Tanium Clients will respond, and some of the responses may look as though not all information is available. Consider that:

[no results] is not uncommon. It indicates that the Tanium Client has reported an empty value back, because the Client has no value that matches the Sensor filter, the Sensor does not return a value, or the Sensor was unable to execute its script and has errors.

[Current Result Unavailable] may also appear. This means the answers are not yet available to the server. These answers should appear momentarily.

[Results Currently Unavailable] could indicate that an answer may not complete in a timely fashion. Contact a Technical Account Manager for additional information.

Example Advanced Questions

Below is an example of an advanced Question:

Get Username and Computer Name from all machines with 
( Running Processes containing "notepad.exe" and 
Running Service containing "Workstation" ) or ( Running Processes containing "cmd" and
Running Service containing "workstation" )

This Question will obtain the username and computer name from all machines where the machine 1) has a running process containing notepad.exe AND a Running Service containing the word Workstation, 2) OR has a Running Process containing “cmd” AND a Running Service containing the word “Workstation”. If a system has both notepad.exe and cmd processes running but does not have the Workstation Service running, it will not return its results.

In the course of asking advanced Questions, you may encounter the words Any or All. An explanation of the Any or All keywords is below:

  • Any: The condition is matched against any line in the Sensor output. If any line matches, it’s true.
  • All: The condition is matched against all of the lines in the Sensor output. If all lines match, it’s true. So in the case where you want “machines that do not have this driver”, what you really want is “All lines match ‘do not contain "driver"’”.
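The evaluation order described under Advanced Question Authoring, the [no results] behaviour of a Sensor filter described under Filtering Sensors, and the Any/All distinction above can be seen together in the following model. It is an added example written for this article, not Tanium code: the endpoints, their Sensor output and the “Loaded Drivers” Sensor name are constructed, and parenthesised Boolean grouping of filters is not modelled.

```python
"""Model of how an endpoint evaluates a Tanium Question (added illustration, not Tanium code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Comparison keywords from the filter table, each applied to one line of Sensor output.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "containing": lambda line, v: v.lower() in line.lower(),
    "not containing": lambda line, v: v.lower() not in line.lower(),
    "starting with": lambda line, v: line.lower().startswith(v.lower()),
    "ending with": lambda line, v: line.lower().endswith(v.lower()),
}

@dataclass
class Filter:
    op: str
    value: str
    mode: str = "any"  # "any": one matching line suffices; "all": every line must match

    def line_matches(self, line: str) -> bool:
        return OPERATORS[self.op](line, self.value)

    def holds(self, lines: List[str]) -> bool:
        """Any/All semantics over a Sensor's multi-line output."""
        hits = [self.line_matches(line) for line in lines]
        return all(hits) if self.mode == "all" else any(hits)

@dataclass
class Endpoint:
    name: str
    sensors: Dict[str, List[str]]  # Sensor name -> lines that Sensor returns (constructed)
    executed: List[str] = field(default_factory=list)  # audit of Sensors that actually ran

    def run_sensor(self, sensor: str) -> List[str]:
        self.executed.append(sensor)
        return self.sensors.get(sensor, [])

Column = Tuple[str, Optional[Filter]]  # left side: Sensor plus optional Sensor filter
MachineFilter = Tuple[str, Filter]      # right side: with <Sensor> <filter>
def answer(ep: Endpoint, desired: List[Column],
           machine_filters: List[MachineFilter]) -> Optional[Dict[str, List[str]]]:
    """Return this endpoint's row, or None if the machine filter excludes it."""
    # Right side first: every "with ..." clause must hold, otherwise the
    # endpoint never executes the desired-data Sensors at all.
    for sensor, flt in machine_filters:
        if not flt.holds(ep.run_sensor(sensor)):
            return None
    row = {}
    for sensor, flt in desired:
        lines = ep.run_sensor(sensor)
        if flt is not None:  # a Sensor filter only trims lines; the Client still answers
            lines = [line for line in lines if flt.line_matches(line)]
        row[sensor] = lines or ["[no results]"]
    return row

def ask(fleet: List[Endpoint], desired: List[Column],
        machine_filters: Optional[List[MachineFilter]] = None) -> Dict[str, Dict[str, List[str]]]:
    results = {}
    for ep in fleet:
        row = answer(ep, desired, machine_filters or [])
        if row is not None:
            results[ep.name] = row
    return results

def build_fleet() -> List[Endpoint]:
    """Two constructed endpoints; "Loaded Drivers" is a hypothetical Sensor name."""
    return [
        Endpoint("DESKTOP-17", {"Computer Name": ["DESKTOP-17"],
                                "Running Processes": ["explorer.exe", "trillian.exe"],
                                "Loaded Drivers": ["driver.sys", "other.sys"]}),
        Endpoint("SRV-A02", {"Computer Name": ["SRV-A02"],
                             "Running Processes": ["svchost.exe"],
                             "Loaded Drivers": ["other.sys"]}),
    ]

if __name__ == "__main__":
    fleet = build_fleet()
    trillian = Filter("containing", "trillian.exe")
    print(ask(fleet, [("Computer Name", None), ("Running Processes", trillian)],
              [("Running Processes", trillian)]))
    print(fleet[1].executed)  # SRV-A02 ran only the filter Sensor, never Computer Name
    for mode in ("any", "all"):  # "machines that do not have this driver"
        print(mode, list(ask(build_fleet(), [("Computer Name", None)],
                             [("Loaded Drivers", Filter("not containing", "driver.sys", mode))])))
```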

Best Practices

One best practice in Question development is to target in the affirmative. So a good example would be to ask, “where computer name is labcomputer22.local” instead of “where computer name is not labcomputer33.local”. This is because if there is an error in the Sensor or the computer has changed its name, an operator could inadvertently target incorrectly.

Another best practice is to limit the amount of unique data that is returned from hosts by filtering the sensors to only desired data elements. Alternatively, if the majority of the results are expected to be configured in one manner, consider asking for only the results that are not configured in that manner. This will limit the amount of traffic that is sent and the processing required by the Tanium Server.

How Questions are Answered

Overview

When a Tanium Client sees a new Question, it follows a set of steps to both optimize the delivery of the Question to its peer and provide up-to-date answers throughout the lifetime of the Question.

To optimize Question delivery to the rest of the linear chain, the Client will immediately pass the Question to its forward peer if it:

  1. Sees a Sensor that the Client needs to evaluate (i.e., the Client's current result for a given Sensor is older than the max age or does not exist).
  2. Is able to immediately evaluate the Question group and is not a member of the group.

If the Client does have fresh results for all the Sensors found in the Question, then it will append its answer to the Question, pass the Question to its forward peer, and re-queue the Question to be re-evaluated later (default: 1 minute). If the Client needs to evaluate a set of Sensors, it immediately queues up evaluation for each of the Sensors needed. After a few seconds, the Client will check if all Sensors have been evaluated, and will append the answer to the Question, and pass to its forward peer. Note that a Question object may be passed to a forward peer multiple times within the lifetime of a question (default: 10 minutes).

When Are Clients Finished Answering a Question

You may have noticed the percentage (%) marker that is displayed on the screen when asking a Question. Tanium knows approximately how many systems are online at any given time. As Tanium collects responses it updates the percentage marker to show progress of responses. Customers are able to change the percentage of hosts they wish to receive information from before it is marked as complete. The default is 99%, which means that after 99% of hosts answer the question it will be marked as complete.

It is important to note that even after a Question is “complete” answers may still arrive. This is because systems may be coming online or may be in a particularly slow network connection or otherwise be slow to return the desired results.

At a certain point, new systems that come online or that respond to a late query will no longer be accepted. By default, this drop-dead time is 10 minutes. After 10 minutes, new responses to Questions will not be sent nor accepted.

Question Caching

Tanium is a real time platform. However, there are instances where operators may not want to burden an endpoint to re-process a question each time the question is asked. This is especially helpful in large environments where dozens of operators may be asking the same endpoints questions.

Therefore, Tanium Questions have the option to cache results on an endpoint for a configurable period of time. Each Question has its own cache period and will respond with the cached results if the Question has been processed more recently than the cache period.

For example, assume a Question was set to have a cache period of 10 minutes. User A asks a question at 1:00. The computer processes the question, returns the answer and caches the result. At 1:05 user B asks the same question. This time, the computers know that the data being requested has a cache period of 10 minutes and only 5 minutes have elapsed. Thus, the data being returned is actually the cached result.

To temporarily remove the Question cache, simply click the question mark button and set the maximum age to 1. This will provide actual results and not cached data.

CachingQuestions.png
 

To permanently modify the Maximum Age for a question, modify the Sensor and adjust this number as appropriate. For more information on Sensors and how they can be created and modified please refer to Sensor Authoring.

Hashing

Tanium Clients provide answers to Questions using hashes of the human-readable Sensor results. As an example, if a Tanium Client was evaluating the "IP Address" Sensor and had a value of "192.168.1.1" to report back, it would instead pass back a hashed result, for example purposes: "389956048". For additional information on the string hash management process, see the Message Protocol Strings section.
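The counting (“me too”) behaviour described under Asking a Basic Question, the completion percentage described under When Are Clients Finished Answering a Question, and the hashed answers described here are modelled together below. This is an added example, not Tanium code: the chain of Clients, their results and the CRC32 stand-in for Tanium’s string hash are constructed assumptions.

```python
"""Model of hashed, counted answers travelling a Tanium linear chain.
Added illustration, not Tanium code; chain, results and hash are constructed."""
import zlib
from dataclasses import dataclass, field
from typing import Dict, List

def string_hash(text: str) -> int:
    """Stand-in for the Client's string hash. Tanium's real hash is not
    described on this page; CRC32 just keeps the example self-contained."""
    return zlib.crc32(text.encode("utf-8"))

@dataclass
class Question:
    sensor: str
    counts: Dict[int, int] = field(default_factory=dict)   # result hash -> tally
    strings: Dict[int, str] = field(default_factory=dict)  # hash -> text, sent once
    answered: int = 0
    bytes_on_wire: int = 0  # rough size of everything Clients appended

    def add_answer(self, value: str) -> None:
        """The first Client with a given value sends the string itself;
        every later Client with the same value adds only a 'me too'."""
        h = string_hash(value)
        if h not in self.counts:
            self.strings[h] = value
            self.bytes_on_wire += 4 + len(value.encode("utf-8"))  # hash + string
        else:
            self.bytes_on_wire += 4  # hash only
        self.counts[h] = self.counts.get(h, 0) + 1
        self.answered += 1

@dataclass
class Client:
    name: str
    results: Dict[str, str]  # Sensor name -> fresh result (constructed)

    def answer(self, q: Question) -> None:
        q.add_answer(self.results[q.sensor])

def run_linear_chain(chain: List[Client], q: Question) -> Question:
    """Each Client appends its answer and hands the Question to its forward
    peer; the last Client's forward peer is the Server."""
    for client in chain:
        client.answer(q)
    return q

def resolve(q: Question) -> Dict[str, int]:
    """Server side: turn the hash tallies back into readable counts."""
    return {q.strings[h]: n for h, n in q.counts.items()}

def completion(q: Question, online_clients: int) -> float:
    """Percentage of known-online Clients that have answered so far."""
    return 100.0 * q.answered / online_clients if online_clients else 0.0

def is_complete(q: Question, online_clients: int, threshold_pct: float = 99.0) -> bool:
    """Default 99%: the Question is marked complete once that share has answered."""
    return completion(q, online_clients) >= threshold_pct

def build_chain() -> List[Client]:
    """Five constructed Clients in one linear chain."""
    chain = [Client(f"WKS-0{i}", {"Operating System": "Windows 7"}) for i in range(1, 5)]
    chain.append(Client("DB-01", {"Operating System": "Linux"}))
    return chain

if __name__ == "__main__":
    q = run_linear_chain(build_chain(), Question("Operating System"))
    print(resolve(q), q.bytes_on_wire)  # {'Windows 7': 4, 'Linux': 1} 34
    print(completion(q, 5), is_complete(q, 5), is_complete(q, 100))  # 100.0 True False
```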

Question Distribution

Questions are distributed to all Tanium Clients in the environment through two mechanisms: directly through registration and indirectly through linear chaining.

During the registration process, the Client syncs a variety of information including Questions that the Client has not seen. Backward leaders (clients that have the Tanium Server as a backward peer) are also used to drive Questions into the linear chains. When the Server notices a new Question in the database, the Server will cause the backward leaders to go through an out-of-cycle registration to update Questions (as well as all other synchronized objects). Once received, the Client will attempt to answer the Question and also immediately pass the Question itself to the Client's forward peer. Questions received from peers will prevent the Client from having to sync Questions directly from the Tanium Server during the registration process. Questions are signed by the Tanium Server and verified by each Tanium Client to ensure integrity.

When to use the Question Builder

The Tanium Question Builder adds to the functionality of the natural language parser question bar. It can be especially helpful when crafting Questions that use extensive regular expressions, very long Questions, or when you want to search the available Sensors to craft a query.

Don’t let the word “advanced” scare you. The Question Builder is actually quite intuitive, much like most of Question crafting. It can be accessed by clicking the “advanced” word at the bottom of the question mark.

QuestionBuilder.png
 

Once inside of Question Builder you can drag sensors to and from the question bar. Drag Sensors to the question bar to add. Drag Sensors from the question bar to remove them.

Drag Sensors to either the left or right side of the Question to build the Desired Data or filter the results accordingly, just as if asking a Question.

Clicking on a Sensor will allow operators additional control over the Question. An example using the Question builder is shown below.

 
Question Builder Example

Example Starter Questions

How can you get a list of running services or be able to single out a specific endpoint?

Get Running Service from all machines
Get Service Details from all machines
Get Running Service from all machines with Computer Name containing "hostname"

How can you see installed applications?

The following will show all installed applications, which can then be filtered by entering text in the upper right search bar.

Get installed applications

The following will show only installed applications where the text of the application contains "Chrome"

Get installed applications containing "Chrome" from all machines 

Below will remove [no results] and only show systems that have Chrome installed and where the text of the application contains "Chrome"

Get Installed Applications containing "Chrome" from all machines with Installed Applications containing "Chrome"

How can you get a list of running processes or be able to single out a specific endpoint?

Get Running Processes from all machines
Get Running Processes from machines where Computer Name contains "hostname"
Get Running Processes and Computer Name contains "hostname" from all machines

How can you filter out a specific class C network?

The example below gets computer names from devices in the 10.8.65.0/24 subnet.

Get Computer Name from all machines with IP Address containing "10.8.65."

How can I display Registry keys and values?

Syntax of getting registry data:

Get Registry Value Data[registry key path, value-name] from all machines

Example of getting registry data:

Get Registry Value Data[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion, CommonFilesDir] from all machines

Syntax of identifying if a value exists:

Get Registry Key Value Exists[registry key path, value-name] from all machines

Example of identifying if a value exists:

Get Registry Key Exists[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion, CommonFilesDir] from all machines

Note: Because this Question has Parameters, it will display with a red arrow. Select the arrow and information boxes will appear allowing you to enter the required registry key path and value. Select the "?" for additional information.

How can I get a list of open ports?

Get Computer Name and Open Port from all machines
Get Open Port from machines where Computer Name contains "hostname"
Get Open Port from all machines with Computer Name containing "hostname"

How can I get user authentication information?

Get Logged In Users contains "username" from all machines
Get Logged In Users containing "BABOON08D9ANGUI\Administrator" from all machines
Get Logged In Users and Computer Name from all machines
Get Local User Login Dates from all machines
Get Logged In Users and Client Date from all machines
Get Last Logged In User and Client Date from all machines
Get Computer Name and Last Date of Local Administrator Login from all machines with Last Date of Local Administrator Login not containing "no results"
Get Local Administrators from all machines

How can I get a list of Unauthorized External Connections?

Select "Data Leakage" from Security Dashboard or:

Get Computer Name and Non-Approved Established Connections from all machines with Non-Approved Established Connections containing ":"

How can I ask a Question to find and kill a running executable?

Ask “Get Running Processes from all machines”, then select the process, right-click, and select "Deploy Action". In the "Select Package" box, type Kill Process, then select the ">" in the upper right corner (note: if you want this process killed on a routine basis, select the "Reissue" option and fill out the other options if required), then select the ">" and the process will be targeted and killed. To locate a running process on a single machine, enter the Question below and then follow the same process as stated above to kill it.

To focus on a single machine, ask the Question “Get Running Processes containing "process-name" from all machines with Computer Name containing "Client-Win7-1"”.

How can I display visible Wireless Networks?

Select "Wireless Network Security" from Security Dashboard or:

Get Wireless Networks Visible from all machines
Get Hosted Wireless Ad-Hoc Networks from all machines with Hosted Wireless Ad-Hoc Networks containing "started"
Get Unencrypted Wireless Networks from all machines with Unencrypted Wireless Networks containing "open"
Get Wireless Networks Using WEP from all machines with Wireless Networks Using WEP containing "wep"

How can I ask Questions to help with Proactive Security?

Select "Proactive Security" from Security Dashboard or:

Get Firewall Status containing "disabled" from all machines with Firewall Status containing "disabled"
Get Computer Name and Open Share Details from all machines with Open Share Details not containing "No shares"

How can I look at USB Protection?

Select “Workstation USB Write Protection" from Security Dashboard or:

Get USB device details from all machines
Get Computer Name and Username from all machines with ( Operating System not containing "server" and USB Write Protected containing "False" )
Get Computer Name and Username from all machines with ( Operating System not containing "server" and USB Write Protected containing "True" )

How can I get Certificate Information?

Get Machine Certificates[authroot] from all machines
Get Machine Certificates[disallowed] from all machines
Get Machine Certificates[root] from all machines

For Intermediate Certs:

Get Machine Certificates[CA] from all machines

How can we detect all our running Oracle instances within our Linux environment?

Get computer name and running processes that contains "ora_pmon" from machines with running processes contains "ora_pmon"

How can I see the current logged on user?

Get User Sessions from all machines

Is there a way to display when users last logged in?

Get local User Login Dates from all machines

Can you display all the Service Account Logons?

Get Service Login Names from all machines

Can you get Asset Information?

What is the Cpu and Cpu Details and Chassis and Architecture and Serial Number and Computer Name and Bios and IP Address and Mac Address and serial number from all machines

Customize the above to best fit your needs.

Note: The above Questions are only examples. Please review the Sensors available in your environment to determine the full extent of Questions you can ask with Tanium.

Troubleshooting

Tanium's natural language parser is pretty good about determining English from sensor names and keywords, but if there is an issue with differentiating the sensor name from English, consider using quotes around the sensor name. For example, consider typing "Get "the new sensor" from all machines" instead of "Get the new sensor from all machines".

Tanium’s Parser can at times be particular about grammar. Specifically, when using the word “contains” or “containing”, one must precede the clause with “where” or “with” respectively. For example, consider the following example questions, phrased correctly:

Get X from machines where Computer Name contains "hostname"
Get X from all machines with Computer Name containing "hostname"