
Tanium TCO

Test Title:
Tanium TCO

Description:
TCO Certified

Creation Date: 2026/06/18

Category: Other

Number of Questions: 500

Syllabus:

What is the primary purpose of the Tanium platform?
- To provide antivirus and malware protection.
- To replace an organization's existing firewall.
- To provide real-time endpoint visibility, management, and security across large enterprise networks.
- To serve as a cloud-based file storage and collaboration tool.

A security administrator needs to instantly determine how many endpoints in the organization have a specific, newly discovered vulnerability. Why is Tanium particularly well-suited for this task?
- It relies on a central database that is updated hourly.
- It uses a linear chain architecture that queries endpoints in near real-time.
- It requires endpoints to be scanned during a specific maintenance window each night.
- It only scans servers, which are the most critical assets.

Which of the following are the three core architectural components of a standard Tanium deployment?
- Tanium Server, SQL Server, and Syslog Server.
- Tanium Server, Tanium Module Server, and Tanium Client.
- Tanium Zone Server, Tanium Console, and Tanium Gateway.
- Tanium Client, Tanium Firewall, and Tanium Cloud.

A Tanium Operator uses the Tanium Console to perform which of the following tasks?
- Install the Tanium Client on endpoints for the first time.
- Configure the network settings of the Tanium Server.
- Ask questions, deploy actions, and view results from managed endpoints.
- Manage the underlying database where Tanium stores its configuration.

What is the function of the Tanium Client installed on an endpoint?
- To act as a network proxy, routing traffic for other endpoints.
- To collect and respond to queries, execute actions, and communicate with other Tanium Clients.
- To replace the endpoint's native operating system firewall.
- To periodically upload the entire contents of the endpoint's hard drive to the Tanium Server.

Which protocol is primarily used for secure communication between Tanium Components, such as between the Tanium Client and the Tanium Server?
- HTTP.
- FTP.
- TLS/SSL.
- SNMP.

The linear chain communication model of Tanium provides which primary benefit to an organization?
- It increases the load on the central Tanium Server.
- It eliminates the need for a Tanium Server entirely.
- It improves performance and scalability by distributing the communication load across endpoints, reducing server and WAN traffic.
- It requires all endpoints to be on the same local subnet.

An organization is deploying Tanium for the first time. On which systems must the Tanium Client be installed to be fully managed?
- Only on physical servers.
- Only on workstations and laptops.
- On all endpoints the organization wishes to manage, including servers, desktops, laptops, and virtual machines.
- Only on cloud-based virtual machines.

A new Tanium Operator is unsure which module to use for a specific task. Where is the most appropriate place to start?
- By opening a ticket with Tanium Support.
- By re-installing the Tanium Client.
- By exploring the Tanium Console, which provides access to all available modules and the Interact interface for asking questions.
- By reviewing the firewall logs to see which modules are active.

What is a key characteristic of a sensor in the Tanium platform?
- It is a physical device plugged into the network to monitor traffic.
- It is a lightweight script or executable that runs on an endpoint to collect a specific piece of data.
- It is a background service that only deploys software patches.
- It is a type of user account with read-only permissions.

If an Operator wants to find all endpoints with less than 10% free disk space on their C: drive, what is the correct approach in Tanium?
- Wait for the daily report to be generated.
- Remotely log in to each server to check manually.
- Ask a question using a combination of relevant sensors (e.g., Get Disk Free Space from all machines and then filter the results).
- Write a custom script and deploy it as a package to all endpoints, then collect the log files.

Besides Interact, where else in the Tanium Console can an Operator find prebuilt queries or visualizations related to specific modules like Patch or Deploy?
- They are only available in the Interact interface.
- In the Administration workspace.
- Within the respective module workspaces, which often provide dashboards and saved questions.
- They must be manually created from scratch every time.

The Tanium Module Server hosts which key component for Operators?
- The Tanium Client installer files.
- The Tanium Web Console (user interface).
- The primary Tanium database.
- The endpoint peer-to-peer communication relay.

How does Tanium ensure that communication between Agents and the Server is secure from eavesdropping?
- By using proprietary, unpublished encryption algorithms.
- By relying on the security of the underlying network switches.
- By using TLS/SSL encryption for all communications.
- By sending all data in plain text but very quickly, so it's hard to intercept.

What is the primary advantage of Tanium's agent-based architecture over agent-less scanning?
- It is easier to deploy initially.
- It does not require administrative credentials to be stored.
- It provides continuous, real-time visibility and can execute actions even when endpoints are mobile or off-VPN.
- It requires less network bandwidth for the initial deployment.

A Tanium Action is best defined as:
- A request for information from an endpoint.
- A set of instructions and associated files used to make a change on an endpoint.
- A log entry recorded by the Tanium Server.
- A permission setting that defines what an operator can do.

What is the default encryption protocol used for agent-to-server communication in Tanium?
- RC4.
- TLS 1.2 or higher.
- MD5.
- Blowfish.

If an organization has endpoints distributed across multiple, geographically diverse data centers and cloud providers, how does Tanium's architecture help manage them efficiently?
- It requires a separate Tanium Server in each location.
- Its linear chain architecture is designed to efficiently traverse WAN links by passing queries and data in a compressed, optimized manner.
- It cannot manage endpoints across high-latency links.
- It only works if all endpoints are in a single Active Directory site.

A new Tanium deployment is being planned. Which component is responsible for storing the historical data and results from saved questions?
- The Tanium Client cache.
- The Tanium Module Server's local storage.
- The Tanium Server's database.
- The Tanium Console's browser cache.

What is the role of the Tanium Client when a question is asked in Interact?
- It does nothing; the Server answers all questions from its database.
- It receives the question, executes the relevant sensor(s), and returns the result back through the chain to the Server.
- It forwards the question to a central cloud for analysis.
- It checks if the user has permission to ask the question.

The Tanium Interact interface is primarily designed for:
- Configuring user roles and permissions.
- Performing real-time, ad-hoc queries against managed endpoints.
- Managing the Tanium Server's scheduled tasks.
- Viewing historical reports only.

Which of the following is NOT a typical use case for the Tanium platform?
- Real-time asset inventory.
- Vulnerability assessment and prioritization.
- Software distribution and patching.
- High-end 3D graphic design and rendering.

What is a Package in Tanium terminology?
- A collection of related sensors.
- A group of users with similar permissions.
- A bundle of files and instructions that can be deployed to endpoints as an Action.
- A compressed archive of Tanium Server log files.

When an Operator asks a question in Interact, what happens first?
- The Tanium Server polls every single endpoint individually.
- The Tanium Clients all simultaneously send their full inventory to the Server.
- The Tanium Server uses the natural language parser to translate the question into a structured query and sends it to a subset of managed endpoints.
- The question is saved in the database and run during the next scheduled maintenance window.

The Tanium Client communicates with the Tanium Server over which type of connection?
- A constantly open, persistent connection.
- An outbound TCP connection initiated by the Client.
- An inbound TCP connection initiated by the Server.
- UDP broadcasts only.

What does the Distribute Over setting help an Operator accomplish when deploying a large Action?
- It distributes the software license keys to the endpoints.
- It throttles the deployment to limit the number of simultaneous connections on a subnet, preventing network congestion.
- It distributes the Action package to multiple Tanium Servers for load balancing.
- It creates a distribution list for notifying users about the deployment.

Which component is responsible for executing sensors and returning results?
- Tanium Module Server.
- Tanium Console.
- Tanium Client.
- Tanium Gateway.

A Tanium Operator is asked to provide a list of all software installed on the company's servers from the past month. What is the most efficient way to accomplish this?
- Enable logging on a recurring Saved Question that queries installed software daily, and then view the historical data in the Trends module.
- RDP into each server and run a PowerShell script manually.
- Ask the question once and export the results, hoping no software changed during the month.
- Check the help desk ticketing system for software requests.

What is a key difference between Tanium and traditional polling-based management tools?
- Tanium relies on a scheduled scan every 24 hours.
- Tanium requires a massive server infrastructure to handle the polling load.
- Tanium uses a real-time, pull model where the server pushes queries instantly to clients via an established outbound connection.
- Tanium cannot manage endpoints that are not always on the corporate network.

In the context of the Tanium Client, what is the purpose of the tunning or tanner process on an endpoint?
- It is the main process that handles sensor execution and communication.
- It is a setup wizard for first-time installation.
- It is a logging service for errors only.
- It is a network diagnostic tool.

If an Operator needs to see a visual trend of the average CPU load on a critical group of servers over the last 30 days, which Tanium feature should they use?
- Interact.
- The Action history log.
- The Trends module.
- The Admin workspace.

What is the role of a Dynamic Group in Tanium?
- A group of endpoints whose membership is defined by a static, manually maintained list.
- A group whose membership is automatically updated based on the results of a Saved Question.
- A group of users who can dynamically change their own permissions.
- A group of sensors that are frequently used together.

A user types Get Operating System into the Interact bar. What allows Tanium to understand this plain-text request?
- The Sensor Execution Engine.
- The Natural Language Parser.
- The SQL Query Translator.
- The Action Scheduler.

Which of the following describes the communication flow when a Tanium Client responds to a question?
- The client sends its result directly back to the Tanium Server via a new TCP connection.
- The client sends the result to its neighbor in the chain, which passes it along until it reaches the server.
- The client broadcasts the result to all devices on the subnet for the server to capture.
- The client writes the result to a shared network folder which the server then reads.

What is the purpose of the Tanium Action Approval workflow?
- To require a second operator to review and approve a high-risk action before it is deployed to endpoints.
- To get financial approval for software license costs before deployment.
- To approve new users for the Tanium Console.
- To approve the results of a query before they are displayed.

When an Operator creates a new Package from a PowerShell script, what is the most important consideration regarding the script's execution?
- The script must be written in VBScript.
- The script's file path on the target endpoint and its command-line arguments must be correctly specified in the Package settings.
- The script must be signed by a Microsoft certificate.
- The script cannot exceed 1KB in size.

What is the result of applying a filter to a question in the Interact grid?
- It permanently deletes the filtered-out rows from the Tanium database.
- It temporarily hides rows from the current view to allow the Operator to focus on a subset of the results.
- It changes the underlying data on the endpoints.
- It creates a new Dynamic Group.

Which of the following scenarios would be the most appropriate use for a one-time, ad-hoc question in Interact?
- Generating a monthly compliance report for the IT auditor.
- Tracking the average free disk space on all file servers over the last year.
- Checking the current version of a specific application on all marketing department laptops to prepare for an immediate update.
- Maintaining a dynamic group of endpoints that are missing the latest security patch.

The Tanium Module Server communicates with the Tanium Server to:
- Replace its function if the Tanium Server fails.
- Install the Tanium Client on endpoints.
- Retrieve data and present it in the web-based console for the Operator.
- Act as a firewall between the endpoints and the server.

What information is typically found in the Tanium Client's status when queried with taniumclient.exe -status?
- The current CPU temperature of the endpoint.
- The version of the Tanium Client, its connection status, and the last time it connected to the server.
- A list of all other endpoints on the network.
- The usernames of all users currently logged into the endpoint.

Why is it important that Tanium Clients maintain a persistent outbound connection to the Tanium Server?
- It allows the client to continuously stream video to the server.
- It enables the server to send real-time queries and actions instantly without waiting for a client check-in.
- It is required for the client to download its initial configuration.
- It allows the client to function as a web server.

A new operator asks, "What is the difference between a Sensor and a Package?" How would you best answer?
- A sensor asks a question, and a package performs an action.
- A sensor is for Windows, and a package is for Mac.
- There is no difference; they are the same thing.
- A sensor is used for servers, and a package is for workstations.

When deploying an Action to install software, the Tanium Client on the target endpoint will:
- Ignore the request if a user is currently logged in.
- Download the package files from its neighboring clients, execute the defined command, and report the result of the action back.
- Immediately restart the endpoint to complete the installation.
- Forward the request to the Tanium Server for approval.

An operator is deploying a critical security patch. Which feature ensures that the action is deployed to the correct subset of endpoints, such as All Production Servers?
- The Distribute Over setting.
- The targeting criteria of the Action, which can be a Computer Group or a filter based on a saved question.
- The Question Expiration setting.
- The package's file name.

What is the purpose of the Question Expiration setting?
- It determines how long the question's results will be displayed in the Interact results grid after the question completes.
- It sets a deadline for endpoints to respond before they are considered offline.
- It controls how long the question message propagates through the network before being discarded.
- It defines how long the results are stored in the Trends module.

Which statement best describes a Parameterized Sensor?
- A sensor that is permanently disabled.
- A sensor that requires an input value from the user at runtime to complete its data collection (e.g., Get File Size where the user must provide the file path).
- A sensor that runs only on servers with specific parameters.
- A sensor that outputs its data in a graph format.

What is the most common cause for a No Data error when running a sensor that you know exists?
- The Tanium Server is offline.
- The sensor is not deployed to, or is not compatible with, the targeted endpoints.
- The operator's console has a display error.
- The network firewall is blocking all traffic.

In Tanium, what is the primary benefit of using Role-Based Access Control (RBAC)?
- It speeds up query performance.
- It restricts operator access to specific features, modules, and data based on their job role, enhancing security and compliance.
- It automatically creates user accounts based on Active Directory groups.
- It manages the network bandwidth allocated to Tanium.

An organization wants to use Tanium to ensure all endpoints meet a specific security configuration baseline. Which Tanium feature is most suited to continuously enforce this?
- The Interact module for one-off checks.
- The Trends module for historical reporting.
- The Enforce module (a module for policy enforcement) to remediate drift from the desired configuration.
- Manually checking each endpoint.

Which of the following is NOT a valid data type for a sensor's output?
- String.
- IpAddress.
- Json.
- Video File.

In the Tanium linear chain architecture, what happens when a new endpoint with the Tanium Client installed comes online?
- It must be manually approved by an administrator before it can join the chain.
- It broadcasts a message to find its nearest neighbors and establish its place in the communication chain.
- It immediately connects directly to the Tanium Server and stays there permanently.
- It replaces the existing chain leader.

What role does the Tanium Server play in the peer-to-peer communication model after the initial query is distributed?
- It acts as a central switchboard, routing every single message between clients.
- It steps back and allows the peer network to handle the query propagation and result aggregation, only receiving the final, compiled result set.
- It shuts down to save resources until the query is complete.
- It creates a direct VPN connection to every endpoint.

When troubleshooting a communication issue, which command can be run locally on a Windows endpoint to verify the Tanium Client is running and its status?
- ping tanium-server
- ipconfig /all
- taniumclient.exe -status
- netstat -an

An endpoint fails to respond to a query. What are the first two things an operator should check?
- The endpoint's screen saver settings and the color of its case.
- The network connectivity of the endpoint and the status of the Tanium Client service.
- The Tanium Server's CPU usage and the phase of the moon.
- The endpoint's disk space and the version of Microsoft Office installed.

What type of network ports and protocol do Tanium Clients primarily use for their peer-to-peer communication?
- UDP broadcast on port 69.
- Dynamic, ephemeral TCP ports for establishing connections with their neighbors.
- ICMP (ping) packets.
- HTTP on port 80.

What is the function of the well-known clients in a Tanium environment?
- They are the clients responsible for sending alerts to the security team.
- They are a small set of clients that the Tanium Server maintains a direct connection with to initiate queries and actions.
- They are clients that have been marked for decommissioning.
- They are the only clients that can execute actions.

If a Tanium Client in the middle of a chain is shut down or loses network connectivity, what happens?
- The entire query process stops for all endpoints downstream from it.
- The Tanium Server flags this as a critical error and shuts down.
- The peer-to-peer network is self-healing; the clients on either side of the failed one will detect the break and establish a new direct connection, rerouting the chain.
- The failed client's children will be unable to communicate until an administrator manually restores the connection.

The Tanium Client uses a significant amount of network bandwidth for communication. Is this statement true or false?
- True; it constantly streams high-definition video to the server.
- False; the client communication is highly optimized, and data is compressed, making it very lightweight and bandwidth-efficient.
- True; it requires a dedicated 1Gbps link for every 100 endpoints.
- False; it only communicates once per day.

An organization has a network with very restrictive firewall rules. For the Tanium Clients to function correctly, what is a key requirement?
- All firewalls between clients must be configured to allow inbound connections on a range of TCP ports from other Tanium Clients.
- The Tanium Client must be configured to use UDP only.
- All firewalls must be disabled.
- The Tanium Server must be placed in the DMZ with a public IP address.

What is the purpose of data compression in Tanium client-to-client communication?
- To make the data unreadable by network sniffers.
- To reduce the amount of bandwidth used and speed up the transfer of queries and results across the network.
- To ensure the data can be stored more efficiently on the endpoint.
- To convert all data into a proprietary Tanium format.

When a Tanium Client executes a sensor, where does the script for that sensor run?
- On the Tanium Server.
- In a sandboxed environment on the Tanium Module Server.
- Locally on the endpoint, using the endpoint's own CPU and memory resources.
- On a neighboring client to balance the load.

What is a Zone Server in a large or geographically distributed Tanium deployment?
- A server that acts as a time server for all endpoints in a specific zone.
- A server that acts as a communication relay for endpoints in a specific network location to optimize traffic across the WAN.
- A server dedicated to patching only.
- A backup Tanium Server.

When an action is deployed to install a 200MB software package, how is the package transferred to the endpoints to minimize WAN impact?
- The Tanium Server sends the 200MB file individually to every single target endpoint.
- The 200MB file is broken into chunks and distributed via the peer-to-peer network; endpoints download different chunks from their neighbors and reassemble the file locally.
- The file is emailed to each user with installation instructions.
- The file is only stored on the server, and each endpoint must mount a network drive to access it during installation.

If an endpoint is in sleep mode, how does it handle an incoming Tanium question?
- It will wake up to answer the question and then go back to sleep.
- It cannot answer the question until it is woken up by user activity.
- The question is queued at the endpoint's last known peer, and the result is sent as soon as the endpoint wakes up and reconnects.
- It is marked as permanently offline and removed from management.

What protocol is used for the initial discovery of neighbors by a new Tanium Client on a subnet?
- It uses a proprietary discovery protocol over TCP port 8080.
- It can use a combination of DNS lookups and a small number of UDP multicast or directed packets to locate other clients.
- It requires the network administrator to manually configure each client with its neighbor's IP address.
- It uses DHCP option 66 to find its neighbors.

Which statement correctly describes the path of a query result from a client deep in the network?
- It is sent via the most efficient direct route back to the Tanium Server, independent of the query path.
- It is sent back upstream through the same chain of clients that delivered the query, with each client aggregating its own results with those from its downstream peers.
- It is broadcast to all clients, and the server listens for it.
- It is stored locally on the endpoint until the server performs a daily collection sweep.

What is the main function of the Tanium Client's built-in cache?
- To store the entire Wikipedia encyclopedia for offline access.
- To temporarily store sensor results and package files to improve efficiency and support offline or sleeping endpoints.
- To cache user login credentials.
- To store a backup of the entire endpoint's operating system.

In a high-security environment, an administrator is concerned about peer-to-peer traffic being visible to others on the network. How does Tanium address this?
- It does not; peer-to-peer traffic is sent in plain text.
- All Tanium traffic, including client-to-client communication, is encrypted using TLS/SSL, ensuring confidentiality even if intercepted.
- It uses a proprietary network protocol that is impossible to decode.
- It recommends isolating all Tanium Clients on a separate, physical network.

What happens to the peer-to-peer chain if a Tanium Client is overwhelmed and cannot respond to a query from its neighbor in a timely manner?
- The entire query fails for everyone.
- The overwhelmed client is bypassed; its neighbor will find an alternative path or wait for a response, and the client may be marked as slow for future queries.
- The Tanium Server immediately reboots the overwhelmed client.
- The overwhelmed client will broadcast an emergency signal to the server for more resources.

Which network factor most significantly impacts the speed of a query that involves all endpoints in a global organization?
- The CPU speed of the Tanium Server.
- The latency of the connections between the Tanium Server and the well-known clients around the world.
- The amount of free disk space on the endpoints.
- The version of the BIOS on the endpoints.

An operator asks a question that is expected to take a few minutes to complete. The operator closes their laptop and goes home. What happens to the query?
- The query is cancelled immediately.
- The query continues to run, and the results will be available in the console for the operator to view when they log back in the next day, provided the results haven't expired.
- The Tanium Server will email the results to the operator.
- The query will pause until the operator reconnects.

What is the function of the Tanium Gateway?
- It is the default web proxy for all client internet traffic.
- It is a component that allows Tanium to manage endpoints that are not persistently connected to the corporate network, by acting as a secure relay.
- It is the main entry point for the Tanium Console.
- It is a firewall appliance sold by Tanium.

When an endpoint is roaming outside the corporate network and connects via the Gateway, how does it participate in the peer-to-peer chain?
- It cannot; it is isolated and must communicate directly with the Gateway.
- It will create a VPN tunnel to a peer inside the network.
- It can form peer-to-peer connections with other roaming clients also connected to the same Gateway, creating a cloud chain.
- It relies on neighboring coffee shop Wi-Fi clients to relay its data.

What is a Subnet Broadcast limitation, and how does Tanium overcome it?
- Subnet broadcasts are not allowed on the internet; Tanium overcomes this by using only TCP.
- Broadcast traffic is limited to a single subnet; Tanium overcomes this by using a directed peer-to-peer model over TCP, which can route across subnets via routing infrastructure.
- Subnet broadcasts are too slow; Tanium overcomes this by using a faster, proprietary broadcast.
- There are no limitations; Tanium uses broadcast exclusively.

The Tanium Server maintains a list of known clients. How is this list primarily populated?
- By an administrator manually entering every computer name.
- By importing a list from Active Directory.
- Dynamically, as Tanium Clients check in and identify themselves to the server.
- By scanning the entire network with a port scanner.

What is the function of heartbeats in Tanium client-server communication?
- To keep the persistent connection alive and allow both sides to verify that the other is still present and the connection is healthy.
- To provide a regular, timed pulse that synchronizes the clocks on all endpoints.
- To measure the network latency between the client and server.
- To transmit the client's current CPU usage every second.

If the Tanium Server is restarted for maintenance, what happens to the established connections with clients?
- All clients will permanently lose their connection and need to be reinstalled.
- The connections will break, but the clients are designed to automatically and continuously retry their connection to the server until it comes back online, at which point they will re-establish the persistent connection.
- The clients will immediately begin communicating with each other to elect a new server.
- The clients will enter a sleep state until the server is manually turned back on by an administrator logging into each one.

When a question is asked, it contains a TTL (Time-to-Live). If a client receives a question with a TTL of 10, what does it do before forwarding it to its neighbors?
- It waits 10 seconds before forwarding.
- It decrements the TTL by 1 (to 9) and forwards it, ensuring the question doesn't circulate indefinitely.
- It ignores the TTL setting.
- It divides the TTL by the number of its neighbors.

In a large environment, why is it inefficient for the Tanium Server to directly communicate with every single endpoint?
- The endpoints would not accept direct communication.
- It would create a massive load on the server (CPU, memory, network connections) and consume enormous amounts of bandwidth, creating a scalability bottleneck.
- The network switches would not allow that many connections.
- Direct communication is actually more efficient.

Which of the following is true regarding the data stored in the Tanium Client's cache?
- The cache can be cleared by restarting the Tanium Client service.
- The cache stores a full backup of the user's My Documents folder.
- The cache is only used for logging errors.
- The cache is located on the Tanium Server, not the client.

A query is sent out with a parameter for a file path. The parameter is passed along the chain. When the client executes the sensor, how does it receive this parameter?
- The parameter is injected into the sensor script as a command-line argument or environment variable before execution.
- The user is prompted on the endpoint to enter the file path.
- The client must look up the parameter in a central database.
- Parameters are not supported.

An organization has a large number of endpoints in a single data center with high-speed, low-latency connections. How will the Tanium chain form in this environment?
- It will form a single, long linear chain.
- It will form a highly interconnected mesh, optimizing for speed and redundancy.
- It will not form a chain; all clients will connect directly to the server.
- The network administrator must design the chain topology manually.

What is the primary purpose of the taniumclient.exe process on a Windows endpoint?
- To provide a user interface for local Tanium configuration.
- To manage all Tanium-related activities, including sensor execution, communication, and caching.
- To uninstall the Tanium Client.
- To act as a web server for the Tanium Console.

If a Tanium Client has a very slow network connection to its neighbor, what is the likely impact on a query that includes that endpoint?
- The query will fail for that endpoint only.
- The query results for that endpoint will be delayed, but the rest of the results will be returned to the console as they arrive.
- The entire query will be paused until the slow endpoint responds.
- The slow endpoint will be quarantined from the network.

How does the Tanium Client handle sensor execution to ensure it doesn't negatively impact endpoint performance?
- It runs all sensors at the highest possible priority.
- It uses CPU and I/O throttling mechanisms, and sensors are short-lived by design, minimizing resource consumption.
- It only runs sensors when the endpoint is idle.
- It offloads sensor execution to the Tanium Server.

In a Tanium deployment with multiple Zone Servers, how does a client determine which Zone Server to connect to?
- The client connects to the Zone Server with the lowest IP address.
- The client is configured during installation with the address of its local Zone Server, or it can be determined dynamically based on the client's subnet.
- The client connects to all Zone Servers simultaneously.
- The client always connects to the main server first, which then redirects it to a zone server.

What is the benefit of the Tanium Client's multi-threaded architecture?
- It allows the client to play videos.
- It enables the client to handle multiple tasks concurrently, such as responding to a query while also downloading a package file from a peer.
- It simplifies the client's code.
- It reduces the client's memory footprint.

When a question is asked, what information does a client use to determine if it is a member of the target group?
- Its hostname.
- The results of its locally run sensors that are used in the targeting criteria.
- A centrally managed list of computer names.
- A random number generator.

If a package deployment fails on an endpoint due to a missing file dependency, where is this information typically recorded?
- In the Windows Event Log only.
- In the Action history within the Tanium Console, which will show a failure status and often an error message from the client.
- It is not recorded anywhere.
- In a text file on the user's desktop.

What is the purpose of the Tanium Client's throttling settings?
- To limit the amount of disk space the client can use for its cache.
- To prevent the client from consuming too much network bandwidth or endpoint CPU when performing actions like downloading package files.
- To restrict the client's communication to specific times of day.
- To slow down the client's sensor execution for debugging purposes.

What is a TANZ file in the context of Tanium?
- A compressed archive of Tanium log files used for support.
- The installer file for the Tanium Client.
- A Tanium Package export file.
- The Tanium Server's database backup file.

If a Tanium Client is unable to communicate on its designated TCP port because it's blocked by a firewall, what is a common fallback mechanism?
- The client will use UDP.
- The client will attempt to use a different, configurable TCP port, such as 443 (HTTPS), which is almost always open for outbound traffic.
- The client will stop working.
- The client will send its data via email.

When an action is deployed, does the Tanium Server wait for every target endpoint to acknowledge the action before considering it deployed?
- Yes, the action status will show pending until every single endpoint has reported back.
- No, the action is considered deployed once the server has sent the command. It then tracks the status of each endpoint individually as they report back success or failure.
- No, the server only cares if the well-known clients received it.
- Yes, and if an endpoint is offline, the action will fail globally.

What is the purpose of the Action Lock feature?. To prevent an action from being deleted. To ensure that a specific action can only be run on an endpoint once, preventing duplicate executions of the same task. To lock the endpoint so users cannot use it during an action. To lock the package file from being edited.

A query is running, and results are streaming into the Interact grid. An operator sorts a column in the grid. What is the effect on the underlying query?. The query is re-run against the endpoints with the new sort order. The query results are re-queried from the Tanium Server's cache in the new order. The data already in the grid is sorted locally; it has no effect on the query or the server. The sort is ignored.

What is the role of the Aggregator in the context of Tanium queries?. It is a special server that handles all financial data. It is a function performed by each client in the chain as it collects and combines results from its downstream peers before passing them upstream. It is a third-party tool for Tanium reporting. It is a Tanium module for data visualization.

How does the Tanium Console maintain its real-time feel when displaying results from a large query?. It waits for all results to be returned before displaying anything. It displays results as they are received and aggregated by the server, updating the grid in near-real-time. It only shows a preview of the first 100 results. It relies on a high-speed animation.

A security vulnerability is announced that only affects a specific version of a specific application. An operator needs to find every instance of that vulnerable software. What is the fastest method?. Deploy an action to uninstall the software from all endpoints. Ask an ad-hoc question in Interact: Get Installed Applications from all machines where Name contains 'AppName' and Version equals 'X.Y.Z'. Wait for the weekly asset report to be generated. Call every department head and ask them to check their computers.

What is the role of the Tanium Client when an action with a large package is deployed to a group of endpoints on a remote subnet?. All endpoints on the remote subnet will initiate a download of the package directly from the Tanium Server. One endpoint on the remote subnet will download the package from the server (or a peer), and then share it with the other endpoints on that subnet via peer-to-peer file distribution. The action will fail because WAN links are too slow. The package must be manually copied to a file share on the remote subnet first.

An operator wants to know the Tanium Client version running on all endpoints. Which sensor is most appropriate to use?. Computer Name. Operating System. Tanium Client Version. Last Boot Time.

An operator types Get Operating System from Windows machines into the Interact bar. How does the Tanium natural language parser interpret this?. It runs the Operating System sensor on all machines and then filters the results in the console to show only Windows. It first asks a question to find all Windows machines, and then asks for their Operating System. It recognizes Operating System as the sensor, and from Windows machines as a filter, instructing the clients to only run the sensor on endpoints that identify as Windows. It ignores the from Windows machines part because it's not a valid sensor.

After asking Get Operating System, the Interact grid shows Windows 10 Pro, Windows 11 Enterprise, and Windows Server 2019 in the unique column. What does the count column represent?. The total number of sensors run on each endpoint. The number of endpoints that returned each of those unique values. The number of days since that operating system was installed. The number of updates applied to that operating system.

To see a row for every single endpoint, even if they have the same operating system, what action must the operator take in the Interact grid?. Ask the question again. Click the Show Duplicates or Rows button to expand the view to show all individual results. Export the data to Excel. Sort the Operating System column.

What is the purpose of the "pin" icon next to a column in the Interact results grid?. To delete that column permanently. To pin that column to the left side of the grid so it remains visible while scrolling horizontally through many other columns. To save that column as a favorite sensor. To share that column with another operator.

An operator needs to find all endpoints with a specific registry key value. The sensor Registry Value requires a parameter. How does the operator provide this parameter in Interact?. They must create a new sensor for each registry key. They can type the question like: Get Registry Value from all machines with param HKEY_LOCAL_MACHINE...\MyKey. They cannot use parameterized sensors in Interact. They must first deploy the sensor as a package.

What does it mean if an operator asks Get Operating System from all machines and the results show No Data for a significant number of endpoints?. Those endpoints are not running Windows. Those endpoints have no operating system. The "Operating System" sensor failed to run or return data on those endpoints, possibly because they are offline, the client is not installed, or the sensor is not deployed. The query syntax was incorrect.

An operator asks Get Installed Applications and the query times out before completing. What is the most likely cause?. The Tanium Server ran out of disk space. The query was too complex or the Installed Applications sensor took too long to run on a very large number of endpoints, exceeding the question's TTL. The operator's console lost power. The network firewall blocked the results.

In the Interact grid, what is the function of the Group By feature?. To create a new Computer Group. To physically rearrange the columns in the grid. To group the results based on the values in one or more columns, similar to a pivot table, for easier analysis. To group the endpoints together for a software deployment.

An operator wants to see the computer name, IP address, and logged-in user for all endpoints. Which of the following Interact queries is valid?. Get Computer Name, IP Address, and Logged In User from all machines. Show me everything about all machines. Computer Name + IP Address + User. This is not possible; you must ask three separate questions.

How does an operator save a question they have just asked in Interact so they can run it again later?. By bookmarking the page in their web browser. By clicking the Save or Save As button in the Interact interface and providing a name. By taking a screenshot of the results. By emailing the query to themselves.

What is the primary benefit of using filters within a question (e.g., from Windows machines) instead of asking a broader question and filtering in the grid after the results are returned?. There is no benefit; both methods are identical in performance. Filtering in the question is more efficient because it offloads the work to the endpoints, reducing the amount of data that must be sent back to the server. Filtering in the grid is faster. The natural language parser cannot handle filters.

After running a saved question, where can an operator go to see how the results of that question have changed over the last 30 days?. They must ask the question every day and manually record the results in a spreadsheet. The Trends module allows them to select that saved question and visualize its historical data. The Action history log. The Administration workspace.

An operator asks Get Operating System from all machines and sees that some rows in the Operating System column are blue, underlined hyperlinks. What does this indicate?. The data is out of date. The operating system has an update available. The cell is a drill-down link, allowing the operator to click it to ask a new question about that specific subset of endpoints. The operating system name is a link to the manufacturer's website.

What is the best practice for naming a Saved Question?. Use the current date (e.g., Question 2024-05-20). Use a short, cryptic name for security. Use a descriptive, meaningful name that indicates the query's purpose (e.g., Windows Servers with less than 10% disk space on C:). Name all saved questions Default.

How can an operator share a useful query they built with a colleague?. They can't; each operator must build their own queries. By providing the query text to the colleague, who can then type it into their own Interact bar. By granting the colleague access to the Saved Questions folder where the question is stored. Both B and C are valid methods, but saving and sharing access is more permanent and manageable.

When an operator asks a question and the results grid shows a No Data value for a specific sensor on a specific endpoint, what does this most likely indicate about that endpoint?. The endpoint's hard drive is full. The sensor ran but returned nothing (e.g., a file path was not found, a registry key didn't exist). The endpoint is a Mac, and the sensor is Windows-only. The endpoint is powered off.

An operator asks Get Logged In User from all machines and notices that some endpoints show a username, while others show a blank value. What is the most likely reason for the blank values?. Those endpoints have no users. Those endpoints are servers that no one is currently logged into locally or via RDP. The Tanium Client is not working on those endpoints. The operator does not have permission to see those usernames.

Which of the following actions can be performed directly from within the Interact results grid on a selected endpoint or group of endpoints?. Initiate an Action, such as a reboot or software install. Change the endpoint's IP address. Install a new physical hard drive. Modify the endpoint's BIOS settings.

In the Interact query bar, what does the asterisk (*) represent when used as a filter value, such as in Get Process Status where Name contains chrome?. It is a wildcard, matching any process name that includes the word chrome (e.g., chrome.exe, chromium.exe). It indicates a multiplication operation. It is a syntax error. It means all processes.

What is the difference between asking Get Operating System from all machines and Get Operating System from machines with Tanium Client connected?. The first question asks all known endpoints, while the second targets only those with a currently active connection to the server. There is no difference. The second question is not valid syntax. The first question is faster.

An operator wants to see a list of all unique usernames currently logged into company workstations, without seeing the computer names. How can this be achieved in Interact?. Ask Get Logged In User from all workstations and then hide the Computer Name column in the grid. Ask Get Unique values of Logged In User from all workstations. This is not possible; you must export to Excel and remove the column. Ask Get Logged In User from all workstations and group by Logged In User.

When viewing a saved question's results, an operator sees a clock icon next to the data. What does this signify?. The data is live and currently being updated. The data is from the last time the saved question was run (cached), not a real-time query. The data is too old and should be deleted. It indicates that the question is scheduled to run at a specific time.

What is the purpose of the Add Column function in the Interact query builder?. To add a physical column to the Tanium database. To add another sensor to the current question, allowing you to ask for more data points without re-typing the whole query. To add a note or comment to the results grid. To add a new filter to the query.

An operator needs to find all endpoints that have not reported to Tanium in the last 7 days. Which sensor and filter combination would achieve this?. Get Operating System from all machines with Last Report Time greater than 7 days. Get Computer Name from all machines where Last Report Time is before 7 days ago. Get Tanium Client Status from all machines with Status equals 'Disconnected'. Get all machines and look at the list manually.

After asking a question with multiple sensors, an operator notices that the column order in the grid is not ideal. How can they rearrange the columns?. They cannot; the column order is fixed. By asking the question again with the sensors listed in the desired order. By clicking and dragging the column headers into a new position. By editing the saved question's XML.

What does it mean when the status of a saved question is listed as Pending?. The question has been deleted. The question is scheduled to run but the scheduled time has not yet arrived. The question is currently executing, and results are being collected. The question has failed to run.

An operator wants to ask a question about a specific list of 50 computers, rather than using a logical filter. What is the best way to do this in Interact?. Type all 50 computer names into the filter, separated by commas. Create a static Computer Group containing those 50 computers and target the question at that group. Ask a question for all machines and then mentally filter the list. This is not possible in Tanium.

The count of function in Interact adds a column that shows: The total number of sensors on each endpoint. The number of endpoints that have returned data for the current row, which is useful when results are grouped. The number of times a question has been asked. The count of running processes on each endpoint.

An operator asks Get Operating System from all machines with Operating System contains 'Server'. What is the result of this query?. A list of all endpoints that are servers. An error because you cannot filter on the same sensor you are asking for. A list of all servers and their operating systems, but it is inefficient because it first asks for the OS from all machines and then filters. A list of all servers and their operating systems, and it is efficient because the filter is applied before the sensor runs.

How does the Interact grid indicate that the results being viewed are from a saved question and not a live query?. It shows a calendar or clock icon. It grays out the Run button. It shows a warning message. It displays the results in a different font.

An operator needs to see the full command line of a running process, not just the process name. Which sensor is most appropriate?. Running Processes. Process Command Line. Process Name. Process ID.

An operator asks Get Logged In User and the grid shows No Data for a machine they know has a user logged in via RDP. What is the most likely issue?. The RDP session doesn't count as logged in for this sensor. The sensor is broken. The user is an administrator. The sensor may only return console sessions by default, and a different sensor or parameter is needed to see RDP sessions.

What is the function of the Export button in the Interact grid?. To save the query syntax to a text file. To export the displayed results to a file, typically CSV (comma-separated values) for use in other applications like Excel. To uninstall the Tanium Client from the selected endpoints. To create a new sensor based on the results.

The Computer Name column in the Interact grid is also a hyperlink. What happens when you click on a specific computer's name?. It opens a remote desktop connection to that computer. It takes you to a Computer Details or Endpoint Details page, providing more information and management options for that single endpoint. It pings that computer. It adds that computer to a favorites list.

An operator wants to see the last time each endpoint's Tanium Client checked in with the server. Which sensor should they use?. Last Boot Time. Tanium Client Version. Last Report Time. Uptime.

When an operator applies a filter to a column in the Interact grid, what is the scope of that filter?. It applies to the entire Tanium platform and affects all users. It is a temporary, session-only filter that only affects the current user's view of the data currently in the grid. It permanently changes the saved question. It creates a new Dynamic Group.

Which of the following questions would return the most data (i.e., the largest result set)?. Get Computer Name from all machines. Get Unique values of Operating System from all machines. Get Computer Name, Operating System, RAM from all machines. Get Count of Operating System from all machines.

An operator needs to find all endpoints that have a specific file, secret.txt, anywhere on the C: drive. Which type of sensor is required?. A parameterized file search sensor. The Operating System sensor. The Logged In User sensor. A package deployment.

How can an operator see the exact sensor syntax or parameters used in a saved question?. By hovering over the question name. By opening the saved question and viewing its Definition or Properties tab. This information is hidden. By asking the question and looking at the results.

An operator types Get Disk Free Space from all machines and the results show the free space in bytes, which is hard to read. How can they make the results more human-readable?. They cannot; the sensor output is fixed. They can change the column's Display Format in the grid settings to show the value in GB or TB. They must ask the question in a different way, like Get Disk Free Space in GB. They must write a new sensor.

What is the purpose of the Question Library?. It is where all deleted questions are stored. It is a repository of pre-built, commonly used questions provided by Tanium or created by your organization, which operators can use as a starting point. It is a log of all questions asked. It is a physical book about Tanium.

An operator asks a question and realizes they misspelled a sensor name (e.g., Get Operatng System). What will happen?. The natural language parser will automatically correct the spelling. The question will run, but all results will be No Data. The console will indicate that the sensor was not found and suggest alternatives or show an error. The question will run using a default sensor.

How can an operator quickly see a list of all sensors that are available for them to use?. They can't; they must just know them. By typing sensors in the Interact bar. By browsing the Sensor Browser or Sensor Library panel within the Interact interface. By asking their administrator for a list.

An operator has run a saved question that shows a list of servers and their free disk space. They want to focus only on servers with less than 10% free space, but they don't want to edit and re-save the original question. What is the best way to do this?. Export all the data to Excel and filter there. Apply a grid filter to the Free Space % column for values less than 10. Ask a new ad-hoc question with the filter included. Ask the administrator to change the saved question.

What does the refresh button do when viewing the results of a saved question?. It re-runs the saved question live against all endpoints, fetching the absolute latest data. It just re-draws the screen with the same cached data. It deletes the cached data and shows an empty grid. It emails the results to the operator.

An operator asks Get Installed Applications and the query runs for a long time. They want to stop it. What should they do?. Close their web browser. Click the Cancel or Stop button next to the running query. Restart the Tanium Server. Unplug their network cable.

In the Interact results grid, what does a blank cell typically represent?. The data is classified. The sensor returned an empty string or null value. The operator does not have permission to see the data. The endpoint is offline.

An operator wants to see a list of all running processes on a single, specific computer named FIN-WS-01. How can they limit the query to just that machine?. Ask Get Running Processes from all machines and scroll through the list. Ask Get Running Processes from FIN-WS-01. Ask Get Running Processes from all machines with Computer Name equals FIN-WS-01. Both B and C are valid ways to target a single machine by name.

What does the Is there... syntax do in an Interact question (e.g., Is there a user logged in on all machines?)?. It is invalid syntax. It returns a Boolean (true/false) or a count (1 or 0) for each endpoint, indicating whether the condition is met. It asks for a list of users. It asks for the total number of users.

An operator asks a question and the results are returned. They then apply a complex filter to the grid to analyze a subset. Can they save this filtered view?. Yes, they can save the question with the filter applied, which will create a new saved question with the filter as part of its definition. No, the filter is temporary and cannot be saved. Yes, they can take a screenshot. No, filtering is not allowed on saved questions.

What is the most accurate technical definition of a Tanium Sensor?. A binary executable file deployed to endpoints. A saved question in the Interact module. A piece of code (script, executable, or DLL) that runs on an endpoint, collects a specific piece of information, and returns it to the Tanium Server. A hardware component that monitors network traffic.

Which of the following is a valid and common language for writing Tanium Sensors?. Java. Python. PowerShell (for Windows) or Bash (for Linux/macOS). C++.

An operator needs to create a sensor that checks for the existence of a specific file. The file path will be different each time the sensor is used. What type of sensor should they create?. A Parameterized Sensor. A Static Sensor. An Action Sensor. A Multi-return Sensor.

In a parameterized sensor script, how is the first parameter passed by the user typically referenced?. %1 or $1. {param1}. [parameter1]. \1.

A sensor that returns Windows 10 Pro, Windows 11 Enterprise, and Windows Server 2022 is an example of what kind of data return?. A JSON object. An IpAddress data type. A String data type. An Integer data type.

What is a Multi-return sensor?. A sensor that returns multiple values, typically in a delimited list (e.g., a list of installed applications). A sensor that returns the same value multiple times. A sensor that can be run on multiple operating systems. A sensor that requires multiple parameters.

When creating a new sensor from a script, what is the function of the sensor's Supported Platforms setting?. It determines which Tanium Console users can see the sensor. It tells the Tanium Client on which operating systems it should attempt to execute the sensor. It lists the software that must be installed for the sensor to work. It sets the minimum CPU requirements for the endpoint.

An operator creates a sensor that returns the free space on the C: drive. The sensor script is correct, but when run on some Windows endpoints, it returns No Data. What is the most likely cause?. The sensor is not compatible with those Windows versions. Those endpoints do not have a C: drive. The sensor is not deployed to those endpoints. The Tanium Client is not installed on those endpoints.

What is the purpose of a sensor's Timeout setting?. To set a time for the sensor to be automatically deleted. To prevent a poorly written or long-running sensor from consuming too many resources on the endpoint by killing the process if it exceeds the specified time limit. To set a schedule for when the sensor can run. To define how long the results are stored in the server database.

Which of the following sensors would likely be configured with the IpAddress return type?. Get Operating System. Get Computer Name. Get IP Address. Get Installed Applications.

An operator wants to create a sensor that counts the number of running processes. What type of sensor should they create, and what return type?. A multi-return sensor with a string return type. A single-value sensor with an integer return type. A parameterized sensor with a string return type. An action sensor with a JSON return type.

What is a key difference between a Tanium Sensor and a Tanium Package?. A sensor collects data, a package changes state. A sensor runs on servers, a package runs on workstations. There is no difference. A sensor is a type of package.

Which of the following tasks would be most appropriate to solve by writing a new custom sensor?. Deploying the latest version of Adobe Reader to all workstations. Rebooting a group of servers during a maintenance window. Checking for the presence of a specific mutex (a Windows object) that indicates a piece of malware is running. Creating a dynamic group of all Windows 11 machines.

When a sensor returns an error (e.g., Access Denied), where is this information typically visible?. Only in the endpoint's local event log. In the Tanium Console, often as the sensor's result value (e.g., the cell shows Access Denied). It is not visible and is silently ignored. In a special Errors column in the grid.

An operator wants to use a sensor that is available in the console but does not appear in their list of available sensors when trying to add it to a question. What is the most likely reason?. The sensor is deprecated. Their Role-Based Access Control (RBAC) permissions may not grant them access to use that specific sensor. The sensor is only available on Tuesdays. The sensor is currently being edited.

What is a Hash sensor typically used for?. To find the hash value (#) of a column. To calculate and return a cryptographic hash (e.g., MD5, SHA1, SHA256) of a specified file, which is crucial for file integrity checking and threat detection. To hash the user's password for storage. To sort data in the grid.

A sensor is returning data, but the results seem to be from yesterday, not from the current moment. What might be happening?. The sensor is broken. The Tanium Client's cache is enabled, and it is returning cached results from a previous run instead of executing the sensor fresh. The server's clock is wrong. The operator is looking at a saved question's cached results.

Which of the following is NOT a typical step in the process of creating a new custom sensor?. Writing the script that collects the desired data. Defining the sensor's name, description, and return type in the console. Compiling the script into a binary executable. Deploying the sensor to the target endpoints.

An operator needs to create a sensor that runs a complex PowerShell script that relies on a custom PowerShell module. Where should this module file be placed so that the sensor can use it?. It must be hard-coded into the sensor script. It must be included as an additional file in the sensor definition, and the sensor script must reference it locally (e.g., Import-Module .\mymodule.psm1). It must be installed manually on every endpoint first. It must be stored on the Tanium Server.

What is the purpose of the Hidden property for a sensor?. To prevent the sensor from being deployed. To prevent the sensor from appearing in the sensor browser and autocomplete suggestions, while still allowing it to be used in saved questions and by those who know its name. To hide its results from the grid. To mark it for deletion.

An operator is writing a sensor to parse a specific log file. The log file format may change slightly in the future. What is a best practice for sensor design?. Write the sensor to be as rigid as possible, assuming the format never changes. Make the sensor flexible and robust, possibly using regular expressions, and consider making the log file path a parameter. Hard-code the file path into the sensor. Create a new sensor every time the log format changes.

If a sensor script writes information to the console (e.g., Write-Host in PowerShell), where does that output go?. It is ignored by Tanium. It appears in the endpoint's Windows Event Log. It is captured by the Tanium Client and returned as the sensor's result. It appears in a pop-up window on the endpoint.

What is the benefit of using a sensor's Description field?. It is a character count limit. It allows the sensor to run faster. It provides crucial context and documentation for other operators about what the sensor does, its parameters, and its expected output. It is automatically added to every question that uses the sensor.

A sensor is not returning any data, and you suspect it's because the script has a syntax error. Where can you find the error message generated by the script?. You must log into the endpoint and run the script manually. The error message will be captured as the sensor's result, so you will see it in the Interact grid (e.g., TerminatingError(Test-Path): Cannot bind argument...). The error is only visible to Tanium administrators. The Tanium Client automatically fixes syntax errors.

Which of the following is an example of a built-in Tanium sensor?. Deploy Adobe Reader. Reboot Machine. Operating System. Create User Account.

An operator needs to run a sensor that checks the version of a specific DLL file on Windows endpoints. The DLL path will be the same every time. Should this be a parameterized or non-parameterized sensor?. Parameterized, because it involves a file path. Non-parameterized, because the file path is static (always the same). Either would work equally well. Parameterized, because it's on Windows.

When a sensor is deployed to an endpoint, where are the sensor files stored locally?. In the user's temporary files. In a dedicated, secure directory within the Tanium Client's installation folder. Anywhere on the C: drive. On the Tanium Server.

What is the effect of editing a sensor that has already been deployed and is currently being used in saved questions?. The saved questions will automatically use the new version of the sensor next time they run. The saved questions will break and must be recreated. The sensor changes are ignored. The saved questions will continue using the old version indefinitely.

Which of the following sensor output examples would be considered Structured Data like JSON?. Windows 10 Pro. 1024. {name: MyApp, version: 1.2.3, vendor: Microsoft}. C:\Windows.

What is the function of a sensor's Hash or Checksum?. It is a unique identifier generated by Tanium for the sensor, used to verify its integrity. It is the size of the sensor script. It is the date the sensor was created. It is the name of the sensor's author.

An operator wants to create a sensor that uses a wget or curl command to download a file from an internal web server. Is this a good practice?. Yes, it's the best way to get files. No, sensors should not initiate outbound network connections. They are for local data collection only. This is a task for a Package or another tool. Yes, but only if the sensor is parameterized. No, because wget and curl are not available on Windows.

A sensor that returns the version of a specific application should ideally have its return type set to: IpAddress. String. Integer. Json.

What is the purpose of a sensor's Expiration or Cache setting?. To set an expiry date for the sensor itself, after which it will be deleted. To tell the Tanium Client how long it can safely cache the sensor's results before it must re-run the sensor to get fresh data. To define how long the sensor's results are stored in the Trends module. To set the sensor's time-to-live on the network.

An operator needs to find all endpoints where a specific user profile exists. Which sensor is most appropriate?. Logged In User. Installed Applications. User Profile List. File Exists to check for the user's profile folder.

When creating a sensor, what is the significance of the MIME Type or Output Type field?. It tells the console how to interpret and display the results (e.g., as plain text, as a table, or as HTML). It is used for email integration. It defines the file extension of the sensor script. It is a legacy field with no modern use.

A sensor that returns the last boot time of a machine should have its return type set to: String. Integer. DateTime. Boolean.

An operator notices that a custom sensor they created yesterday is not available on endpoints that came online today. What is the most likely reason?. New endpoints must be manually targeted for sensor deployment. The sensor is automatically deployed to new endpoints as part of a Content Set or Sensor Group deployment. Sensors are not deployed; they are always run from the server. The sensor has a bug.

Which of the following is NOT a valid consideration when writing an efficient sensor?. Keeping the script concise and avoiding unnecessary operations. Ensuring the script handles errors gracefully (e.g., try/catch in PowerShell). Using the most complex algorithm possible to demonstrate skill. Being mindful of the sensor's impact on endpoint disk I/O or CPU.

A parameterized sensor is created to accept a process name and return whether that process is running. The script uses $1 for the process name. An operator asks Get Is Process Running with param firefox.exe. On a Mac endpoint, the script might fail. Why?. The script is not written in Bash. The sensor is not supported on Mac. The Supported Platforms setting for the sensor is likely set to Windows only. The Mac does not understand the concept of firefox.exe.

What does the Sensor Group feature allow an administrator to do?. Group multiple sensors together for bulk deployment and permission management. Create a group of sensors that can be run at the same time. Group the results of sensors in the grid. Create a group of endpoints based on sensor data.

An operator needs to create a sensor that checks for a registry key on Windows and a plist file on macOS. What is the best practice for creating this sensor?. Create a single sensor with a complex script that detects the OS and runs the appropriate code. Create two separate sensors, one for each platform, with clear names (e.g., Check Registry Key - Windows, Check Plist Key - macOS). Create one sensor for Windows and tell Mac users they are out of luck. Create a sensor that only works on Linux.

If a sensor script is designed to return True or False, what is the most appropriate return type to select?. String. Integer. Boolean. Text.

An operator wants to know the size of a specific folder on all endpoints. What type of sensor is required?. A parameterized sensor that accepts a folder path and returns a file count. A parameterized sensor that accepts a folder path and calculates the total size of all files within it. A static sensor that always checks C:\Windows. A sensor that returns the total disk size.

What is the best way to test a new sensor you've created before deploying it to thousands of production endpoints?. Deploy it to a small test group of endpoints first and run questions against that group. Ask the question on all endpoints and hope for the best. There is no way to test sensors. Run the script manually on a few endpoints, but this won't test the Tanium integration.

A sensor returns a list of services and their status. In the Interact grid, this list appears as a single, long string in one cell, which is hard to read. How can this be improved?. By using the Expand Cell feature to see the list better, but it's still one cell. By reconfiguring the sensor to be a multi-return sensor, so each service appears on a new line in the cell, or by setting the MIME type to render it as a table. This is a limitation of Tanium; you cannot improve it. By asking for one service at a time with a parameter.

When a sensor is deployed via a Deploy Sensor action, what is the target of that action?. The Tanium Server. The Tanium Module Server. The endpoints that need to receive the sensor. The operator's console.

An operator accidentally creates a sensor with an infinite loop. What Tanium feature will protect endpoints from this sensor?. The sensor's Timeout setting. The sensor's Hash. The sensor's Cache setting. The sensor's Supported Platforms setting.

Which of the following statements is true regarding sensor execution on an endpoint?. Sensors run with the privileges of the logged-in user. Sensors run with the privileges of the Tanium Client service account, which is typically the high-privilege LOCAL SYSTEM or root account. Sensors run with no privileges. Sensor privileges are configurable per sensor.

A sensor designed to run on Windows is working correctly, but you want to make it available for use in questions. Besides deploying it, what is another essential step?. Restart all Tanium Clients. Ensure the sensor is published and not hidden, and that appropriate permissions are granted to operators. Reboot the Tanium Server. Compile the sensor into a binary.

What does it mean if a sensor is marked as External?. It was created by an external vendor. It can only be run on endpoints outside the corporate network. Its script is not stored in the Tanium database, but its executable is located on a network share or other external source. It is for external IP addresses only.

An operator needs to deploy a critical security patch to all Windows workstations. What is the correct sequence of steps in Tanium?. Create a Sensor -> Ask a question -> Export results. Create a Package containing the patch files and install script -> Create an Action targeting the Windows Workstations group to deploy that Package. Manually RDP into each workstation. Use the Trends module to track patch compliance.

What is the difference between a Package and an Action in Tanium?. They are the same thing. A Package is the content (the files and commands), and an Action is the scheduled deployment of that content to a specific set of endpoints. An Action is the content, and a Package is the deployment. A Package is for software installs, and an Action is for reboots.

When creating a Package, what is the purpose of the Command Line field?. To specify the exact command that the Tanium Client should execute on the target endpoint to run the package. To add a comment about the package. To define the command to uninstall the package. To set a command that runs on the Tanium Server.

An operator wants to deploy a package that runs a PowerShell script. The script file is included in the package. In the command line, how should the script be referenced?. powershell.exe -File C:\temp\myscript.ps1. powershell.exe -File .\myscript.ps1 (using a relative path). powershell.exe -Command Invoke-Expression 'myscript.ps1'. The script must be hard-coded into the command line.

What is the function of the Files section when creating a Package?. It is a place to write documentation for the package. It is where you upload all the necessary files (e.g., installers, scripts, configuration files) that need to be deployed to the endpoint for the action to work. It is a list of files to be deleted from the endpoint. It is a log of files created by the package.

An operator creates a package to deploy an MSI. They include the MSI file in the package and set the command line to msiexec /i myapp.msi /qn. After deploying the action, many endpoints report failure with an error about not finding the file. What is the most likely cause?. The MSI file is corrupted. The command line should use the full path to the MSI file, like msiexec /i .\myapp.msi /qn or the client can't find it. The endpoints do not have MSI Executer installed. The action was scheduled for the wrong time.

What is the purpose of the Action Lock setting in a package or action?. To prevent the action from being edited. To ensure the action is only executed once on a given endpoint, based on a unique key (like a file hash or registry key), preventing duplicate applications of the same change. To lock the endpoint so the user cannot use it while the action is running. To lock the package file from being downloaded.

An operator needs to reboot a group of servers. Which of the following is a built-in package often available for this purpose?. Install Software. System Reboot or Restart Computer. Patch Deployment. User Notification.

When scheduling an Action, what is the purpose of the Start Time and End Time (or Distribute Over) settings?. To ensure the action runs exactly at that moment on all endpoints simultaneously. To define a window during which the action can be deployed. The Distribute Over setting helps to stagger the deployment across that window to avoid network congestion. To set the time when the action package expires. To notify users that an action will occur between those times.

After deploying an action, where does an operator go to see the overall status (e.g., how many succeeded, failed, are pending)?. The Interact results grid. The Trends module. The Action History or Action Status view for that specific action. The Admin logs on the Tanium Server.

An action fails on several endpoints with the error Access Denied. What is the most likely cause?. The Tanium Client is not installed. The user running the action in the console does not have permission. The account under which the Tanium Client runs (e.g., SYSTEM) did not have sufficient privileges to perform the operation (e.g., writing to a protected system folder). The endpoint was offline.

An operator needs to deploy an action, but the change is high-risk and requires manager approval before it can be deployed to production. Which Tanium feature facilitates this?. The Distribute Over setting. The Action Lock feature. The Action Approval workflow. Role-Based Access Control (RBAC).

What is the recommended way to test a new, potentially disruptive package before deploying it to all production machines?. Deploy it to a pilot group first, monitor the results, and then proceed with a broader rollout. Deploy it to all machines but schedule it for 3 AM. Run it as a sensor first to see the impact. Ask the security team to approve it.

When viewing the detailed status of an action, an endpoint shows a status of Pending. What does this mean?. The action failed on that endpoint. The action was successful on that endpoint. The action has been sent to the endpoint, but the Tanium Client has not yet reported back with a final success or failure status. The endpoint may be offline, or the action is still running. The endpoint has been skipped.

An operator needs to deploy a package that will copy a configuration file to a specific folder. The source file is 1KB. How will this file be transferred to 10,000 endpoints?. The Tanium Server will send the 1KB file individually to all 10,000 endpoints, generating 10MB of total server traffic. The 1KB file will be distributed via the peer-to-peer network. It will be sent across the WAN only a few times and then shared locally among peers. The operator must place the file on a network share and have the package script copy it from there. The Tanium Client will ignore files smaller than 1MB.

An action is deployed to a group of 100 endpoints. After an hour, the Action History shows Succeeded: 95, Failed: 5. What is the operator's next best step?. Assume the 5 are fine and move on. Immediately re-deploy the action to all 100 endpoints. Investigate the 5 failed endpoints by looking at the individual error messages provided in the Action History to understand why they failed. Check the status of the Tanium Server.

What is a Recurring Action?. An action that runs only once. An action that is scheduled to run automatically on a regular basis (e.g., every day at 2 AM) to perform ongoing maintenance or enforcement. An action that repeats itself on the same endpoint until stopped. An action that is sent to all endpoints multiple times.

When creating a package to run a script, why is it a best practice to include error handling in the script (e.g., try/catch in PowerShell)?. To make the script more complex. To ensure that meaningful error messages are returned to the Tanium Console via the Action History, aiding in troubleshooting. To prevent the script from running at all. Error handling is not important in Tanium scripts.

An operator deploys an action to install a large software package. They want to minimize the impact on their network during business hours. Which Distribute Over setting is most appropriate?. A short distribution window, like 1 hour. A long distribution window, like 8 hours, to spread the downloads out over the entire day. No distribution window; let it run as fast as possible. The Distribute Over setting does not apply to large packages.

What is the function of Command Line Arguments for a package?. They are the same as the Command Line field. They allow you to pass dynamic values to the package at action creation time, similar to how parameters work for sensors. They are used to document the package. They are ignored by the Tanium Client.

An operator creates a package that runs a script. In the Action History, a failed endpoint shows the error The system cannot find the file specified. The script file was included in the package. What is the most likely cause?. The endpoint is offline. The Tanium Client could not download the package files. The script file was not successfully transferred to the endpoint, possibly due to a network issue or corruption during transfer. The script file was deleted by an antivirus program.

What is the purpose of the Action Group feature?. To group multiple actions together so they can be approved as a set. To define a set of actions that are automatically applied to endpoints based on their membership in a specific computer group. To create a group of users who can approve actions. To group the results of actions in a report.

An operator deploys an action to run a script that creates a log file on the endpoint. Where can the operator view the contents of that log file without logging into each machine?. The log file contents are automatically returned in the Action History if the script was written to output the log to STDOUT. They must RDP into each endpoint to see the log. The log file is automatically uploaded to the Tanium Server. The Trends module displays log files.

An operator needs to deploy a package, but only to endpoints where a specific condition is met (e.g., a certain file exists). How can this be achieved without creating a separate computer group?. It's not possible; you must create a group. When creating the action, you can use the Target by Question option and specify a question like Get Computer Name from all machines with File Exists 'C:\test.txt'. You can target the action and then filter the results in the Action History. The package itself must check for the condition and exit if it's not met.

What is an Idempotent action, and why is it important in Tanium?. An action that can only be run once. It's important to prevent accidents. An action that can be run multiple times without changing the result beyond the initial application (e.g., setting a registry key to a specific value). This is important for recurring actions and ensuring consistency. An action that is very fast. An action that requires approval.

An operator deploys an action to install software. The Action History shows that 50 endpoints are Pending for a very long time. What is the most likely explanation?. Those 50 endpoints are offline or have lost communication with the Tanium network. The software installation is taking a long time. The action failed on those endpoints. The operator does not have permission to see the status.

What is the purpose of a Wake-on-LAN (WOL) action in Tanium?. To wake up sleeping endpoints so they can receive and execute actions. To turn off endpoints. To install a new network card. To measure network latency.

An operator deploys an action to uninstall an old version of Java. They receive reports that the action failed on many endpoints because Java was not installed. How could the operator have avoided these failures and cleaned up the Action History?. They couldn't have avoided it; it's normal to see failures for uninstall on machines without the software. By using a Target by Question that first finds only machines with Java installed, ensuring the uninstall action is only sent to relevant endpoints. By asking users to uninstall it themselves. By using a different package.

What information is typically found in the Action History for a specific endpoint that failed?. The endpoint's serial number. The full command line that was executed and the full STDOUT/STDERR output from that command. The name of the user who was logged in at the time. The IP address of the Tanium Server.

An operator wants to create a package that, when deployed, will simply display a message to the logged-in user. What command might this package use?. shutdown /r. msg * System maintenance will occur in 10 minutes. msiexec /i message.msi. del C:\windows\temp\*.log.

What is the significance of a package being Signed?. It means the package was approved by a manager. It means the package files have a digital signature that can be verified by the endpoint, ensuring the content comes from a trusted source and has not been tampered with. It means the package was created by Tanium, Inc. It means the package is ready for deployment.

An operator creates a new package. Before they can use it in an action, what must they ensure?. The package must be deployed to endpoints. The package must be approved by the Tanium administrator. The package must be saved and is then immediately available to use in an action. The Tanium Server must be restarted.

An operator wants to ensure that a specific service (like the Windows Update service) is set to Automatic and running on all servers. What is the most efficient way to do this in Tanium?. Create a one-time action to set the service startup type and start it. Create a recurring action, scheduled to run daily, with a package that checks the service state and corrects it if necessary. Manually check each server. Ask a question to find servers where the service is not set correctly, and then remediate manually.

An operator deploys an action to run a script. In the Action History, some endpoints report Success, but the operator later finds that the script did not actually achieve its intended purpose. What does this indicate?. The Tanium platform is broken. The script likely reported success regardless of its actual outcome. A best practice is to have scripts perform proper verification and return a non-zero exit code or an error message on failure. The action was targeted at the wrong group. The Tanium Client on those endpoints is faulty.

When creating an action, what is the purpose of the Expiration Date (or Time To Live) for the action itself?. To set a deadline after which the action will no longer be offered to endpoints that are still pending. This prevents offline endpoints from receiving a very old, potentially unsafe action when they come back online weeks later. To set when the action package files are deleted from the server. To set when the action's results are deleted from the database. To set when the action should stop running if it is still in progress.

An operator needs to deploy a package that will run a script that requires a reboot. How can they ensure the reboot only happens if the script is successful?. They can't; the reboot must be a separate action. They can create a package that runs the script, checks the exit code, and if successful, initiates a reboot command (e.g., shutdown /r /t 60) as the next step in the script. The Tanium Client will automatically reboot after any action. They can schedule a reboot action to start 5 minutes after the script action.

What is the role of Exit Codes in Tanium Actions?. They determine if the action succeeded or failed. A standard exit code of 0 typically means success, while any non-zero code means failure. They are a way to exit the Tanium Console. They are used to name the action. They are ignored by Tanium.

An operator creates a package to delete a specific file from endpoints. What is the biggest risk with this action?. It might take too long. It is irreversible and could delete critical data if the targeting is wrong or the file path is misspelled. The Tanium Client might not have permission. The file might be in use.

In the Action History, what is the difference between Failed and Error?. There is no difference; they are the same. Failed typically means the command ran but returned a non-zero exit code. Error might indicate a more fundamental problem, like the package files could not be delivered. Error is for user mistakes, Failed is for system mistakes. Failed is for the action, Error is for the endpoint.

An operator needs to run an action that will stop a service before updating its files and then restart it. How should this be structured?. As three separate actions that must be run in order. As a single package containing a script that performs all three steps: Stop-Service, Update files, Start-Service. This is not possible in Tanium. As an action group that runs the three actions simultaneously.

What is the purpose of the Verify step when creating a package?. To verify the package has been saved correctly. To optionally run a sensor after the main action to confirm the change was successful and report that as part of the action result. To verify the operator has permission to use the package. To verify the package files are not corrupted.

An operator deploys an action to a large group, but accidentally includes a typo in the command line. They realize the mistake 5 minutes later. What can they do?. They can edit the running action to fix the typo. They can Cancel or Stop the action to prevent further endpoints from executing it. Nothing; they must let it finish and then clean up the damage. They can delete the action from the history.

What is a Client-Side Action?. An action that runs on the Tanium Client's user interface. An action where the primary execution logic is embedded in the Tanium Client itself, rather than in a script, making it very fast for common tasks like rebooting or running a sensor for verification. An action that is only run by the client, not the server. An action that is stored on the client.

An operator wants to create a package that, when deployed, will run a different command based on whether the endpoint is a laptop or a desktop. How can this be achieved?. By creating two separate packages and two separate actions targeted at laptop and desktop groups. By writing a script in the package that detects the chassis type and runs the appropriate logic. By using a parameterized sensor to pass the chassis type to the package. This is not possible.

An action is deployed to 1,000 endpoints. After a few minutes, the Action History shows Succeeded: 999, Failed: 0, Pending: 1. What is the best course of action?. Re-deploy the action to all 1,000 endpoints. Ignore it; 99.9% is good enough. Investigate the one pending endpoint to determine why it hasn't reported back. It may be offline, and its result will come in later when it reconnects. Assume the pending endpoint will eventually succeed and do nothing.

What is the function of a Software Distribution package typically included in the Deploy module?. It is a generic package that can install any MSI or executable by accepting the file and command line as parameters. It is used to uninstall software. It is used to discover software. It is a report on installed software.

An operator needs to deploy a package to a set of endpoints, but only if the endpoint's CPU usage has been below 10% for the last 15 minutes. How can they achieve this conditional deployment?. They can't; actions are unconditional. By using an advanced scheduling feature that checks CPU conditions on the server. By using a Smart Action or a pre-deployment condition that runs a sensor on the endpoint to check CPU history before executing the main package. The action only proceeds if the condition is met. By asking users to only run the action when their computer is idle.

What is the purpose of the Private flag for a package?. To mark the package for internal use only, preventing it from being shared with other Tanium environments. To hide the package from other operators in the console. To encrypt the package contents. To mark the package as read-only.

An operator deploys an action to run a PowerShell script. The script fails with an error about execution policy. What is the most likely fix?. Change the script to be a batch file. Modify the package's command line to include the appropriate execution policy bypass, e.g., powershell.exe -ExecutionPolicy Bypass -File .\script.ps1. Ask the endpoint users to change their PowerShell settings. The script cannot be run on that endpoint.

What is the primary advantage of using the Deploy module for software distribution over creating a simple package and action in Interact?. The Deploy module provides a more user-friendly interface for managing the entire software lifecycle, including package creation, targeting, scheduling, and compliance reporting. It is faster. It uses less bandwidth. There is no advantage.

What is a Computer Group in Tanium?. A group of users who manage computers. A logical collection of endpoints, defined either statically (by manually adding computers) or dynamically (by a saved question), used for targeting queries and actions. A group of computers that are physically located in the same server rack. A group of software packages.

A Static Computer Group is best suited for which scenario?. A group of all Windows 11 workstations. A group of servers that are part of a specific, long-term project, where the membership rarely changes and is known to the administrator. A group of all endpoints missing a specific security patch. A group of all laptops that have been offline for more than 30 days.

Which of the following best describes a Dynamic Computer Group?. A group of computers that are constantly moving between network locations. A group whose membership is defined by the results of a Saved Question, and is automatically updated whenever that saved question is run. A group that is created and deleted automatically by the system. A group that dynamically changes its name.

An operator creates a dynamic group defined by the saved question Get Computer Name from all machines where Operating System contains 'Server'. What will happen when a new server is deployed and the Tanium Client is installed?. The administrator must manually add it to the group. The next time the saved question is run (manually or on a schedule), the new server will automatically appear in the group's membership. The new server will be added to the group immediately, in real-time. The new server can never be part of the group.

What is a key advantage of using a Dynamic Computer Group for targeting an action, instead of typing a filter directly into the action's targeting?. Dynamic groups are faster to evaluate. Dynamic groups are reusable. You can define the logic once (e.g., All unencrypted laptops) and use that same group for reporting, dashboards, and multiple different actions. Dynamic groups can only be used for actions, not questions. There is no advantage.

A dynamic group is based on a saved question that runs hourly. An operator uses this group to target a critical action. When will the endpoints that meet the criteria receive the action?. Immediately, as soon as they meet the criteria. When the action is deployed, it will be sent to the group's current membership based on the last time the saved question ran. Endpoints that met the criteria after that will not get this action unless it is re-deployed. The action will wait and only deploy when the saved question runs again. The action will fail because the group is dynamic.

An operator wants to create a group that includes All Windows Workstations and All Servers in the DMZ. How can this be achieved?. By creating a single dynamic group with a complex saved question that unions the two conditions. By creating two separate groups and then creating a third Parent group that includes the members of the other two. This is not possible; groups cannot be combined. By manually adding all the computers to one static group.

An operator creates a group based on the question Get Computer Name from all machines with Logged In User contains 'jsmith'. A week later, they use this group to target a software install for user jsmith. What is the potential problem?. The group will be empty because jsmith is no longer logged in. The group will be empty because the saved question has not been re-run. The group's membership reflects the last time the saved question was run (maybe a week ago). It will include all machines where jsmith was logged in at that time, which may not be the machines where they are logged in now. The group will still be correct because it's dynamic.

Where in the Tanium Console can an operator view the current membership of a Computer Group?. Only by using the group in an action. By opening the Computer Group's definition, which usually has a tab or option to view its current members. They cannot view the membership; it's hidden. By asking the question Get Computer Name from all machines with Computer Group equals 'MyGroup'.

An operator creates a static group by manually importing a list of 500 computer names. What is a potential maintenance challenge with this approach?. Static groups are faster than dynamic groups. The list will become outdated over time as computers are added, removed, or renamed, requiring the operator to manually update the list to keep it accurate. Static groups cannot be used in actions. Static groups cannot be exported.

An operator needs to create a group of all endpoints that are both Laptops AND Missing a specific security patch. What is the best way to define this group?. Create a saved question that finds all laptops missing the patch, and base a dynamic group on that saved question. Create two dynamic groups, one for laptops and one for missing patches, and then create a third group that intersects them. Create a static group and manually check each laptop. This is not possible.

When an action is targeted at a dynamic group, at what exact moment is the list of target endpoints determined?. When the action is created and saved. When the action is approved (if approval is required). When the action is sent to the network for deployment. At the moment each endpoint executes the action.

What is the purpose of the Exclude option when defining a Computer Group?. To exclude the group from being used in actions. To define a set of computers that should be removed from the group's membership, even if they meet the inclusion criteria. To exclude the group from appearing in the console. To exclude the group from backup.

An operator creates a dynamic group based on a saved question that is very complex and resource-intensive, taking 30 minutes to run. What is the impact on the group's usability?. The group cannot be used for actions. The group will be unusable because it takes too long to evaluate. The group's membership will only update every 30 minutes (or whenever the question finishes). Targeting an action at this group will also take 30 minutes to evaluate before the action can start deploying. The group will update in real-time regardless of the question's runtime.

An operator needs to create a group that includes all endpoints except those in the Domain Controllers group. How can this be achieved?. By creating a group All Computers and then using the exclude option to remove the Domain Controllers group. By creating a static list of all computers and manually removing the domain controllers. This is not possible. By creating a dynamic group with a NOT condition in the saved question.

An operator is creating a new Computer Group. What is a best practice for naming the group?. Use a cryptic code name for security. Use a clear, descriptive name that indicates the purpose or membership criteria of the group (e.g., Laptops - Missing Critical Patch KB123). Use the name of the operator who created it. Name it Group1.

An operator wants to see a dashboard that shows the count of endpoints in various Computer Groups (e.g., Workstations, Servers, Missing Patches). Where could they create such a view?. In the Action History. By using a series of questions in Interact and pinning them to a dashboard. In the Trends module only. This is not possible; groups are not for reporting.

An operator needs to create a group that includes all computers that have not checked in with Tanium for over 30 days. What type of group is required?. A static group. A dynamic group based on a saved question using the Last Report Time sensor. An action group. A sensor group.

What happens to a dynamic group's membership if its underlying saved question is deleted?. The group becomes a static group with its last known membership. The group will be automatically deleted as well. The group remains but will be empty because it has no definition. The group will continue to function using a cached version of the question.

An operator has a dynamic group for Finance Department Laptops. The group is defined by a sensor that checks an LDAP attribute (department=Finance). The LDAP synchronization runs hourly. What is the implication for the group's accuracy?. The group is always 100% accurate in real-time. The group's accuracy is limited by the frequency of the LDAP sync and the frequency of the saved question's execution. If a user moves departments, the change could take up to an hour (LDAP sync) plus the group's update schedule to be reflected. The group will only update when the operator manually refreshes it. The group will update instantly when the user's department changes.

What is a potential security benefit of using Computer Groups?. Groups can be used to encrypt endpoint data. Groups can be used in conjunction with RBAC to grant operators permissions only to specific sets of endpoints (e.g., the Help Desk role can only run actions on the Marketing Workstations group). Groups hide endpoints from each other. Groups make endpoints easier to hack.

An operator creates a Computer Group called All Windows. What type of group is this most likely to be?. Static. Dynamic, based on the Operating System sensor. An action group. A user group.

An operator needs to temporarily exclude a specific computer from a dynamic group for testing purposes, without altering the group's definition. What is the best way to handle this?. Add the computer to the group's Exclude list. Change the group's saved question to specifically exclude that computer's name. Move the computer to a different organizational unit in Active Directory. This is not possible without changing the group definition.

When targeting an action, what is the difference between choosing a Computer Group and using "Target by Question"?. A Computer Group is a pre-defined, saved set of endpoints, while "Target by Question" allows you to define an ad-hoc, dynamic target for that one action without creating a persistent group. There is no difference; they are the same thing. "Target by Question" is faster. Computer Groups can only be used for questions, not actions.

A dynamic group is defined by the saved question Get Computer Name from all machines with Installed Software contains 'Adobe Reader'. The saved question runs every 6 hours. An administrator uninstalls Adobe Reader from a machine at 9:00 AM. The saved question runs at 10:00 AM. When will the machine be removed from the dynamic group?. Immediately at 9:00 AM. At 10:00 AM, after the saved question runs and shows the machine no longer has Adobe Reader. At 4:00 PM, after the next scheduled run. The machine will never be removed.

Which Tanium module is specifically designed for managing the deployment of operating system and third-party software patches?. Trends. Comply. Patch. Asset.

An operator needs to generate a report on the historical trends of disk space usage on critical servers over the last 6 months. Which module should they use?. Interact. Deploy. Trends. Patch.

What is the primary purpose of the Tanium Asset module?. To deploy software. To provide a comprehensive view of all hardware and software assets in the environment, often with pre-built dashboards and reports. To patch operating systems. To manage cloud costs.

An operator needs to ensure that all company laptops have full-disk encryption enabled. Which module is specifically designed for this type of configuration compliance and enforcement?. Patch. Trends. Deploy. Comply or Enforce.

The Deploy module in Tanium is primarily used for: Deploying new Tanium Servers. Deploying software packages, managing software lifecycles, and tracking deployment progress. Deploying security patches only. Deploying virtual machines.

A security analyst wants to quickly see which endpoints have a specific high-severity vulnerability based on missing patches. Which module would provide the quickest answer?. Interact (by asking a question). Patch (by viewing its vulnerability dashboards). Trends (by looking at historical data). Deploy.

An operator needs to create a custom report that shows the computer name, last logged-in user, and operating system for all workstations. They want this report to be available as a link in a dashboard. What is the most efficient way to create this?. Build the query in Interact, save it, and then add that saved question as a tile to a custom dashboard. Write a custom SQL report. Export data from Interact to Excel every day. Use the Asset module's default Workstation Inventory report.

Which Tanium module would you use to set up a recurring scan of all endpoints against the CIS (Center for Internet Security) benchmarks?. Patch. Comply. Deploy. Trends.

An operator needs to visualize how the average number of running processes on a group of servers has changed over the last month. They have a saved question that collects this data daily. Where should they go?. The Trends module, where they can select the saved question and view its data over time in a graph. The Interact module, by running the saved question and looking at the list. The Asset module, in the hardware inventory. The Admin logs.

The Connect module in Tanium is used for: Connecting to remote endpoints via RDP. Integrating Tanium with external systems, such as sending data to a SIEM, a ticketing system, or a data lake. Connecting multiple Tanium environments together. Connecting to the internet.

A security analyst wants to be alerted whenever a new, unauthorized application is installed on any company server. Which Tanium feature or module would be most appropriate for this?. The Patch module, to block the installation. The Trends module, to see historical installs. The Enforce or Comply module with a policy that checks for allowed applications, combined with an alerting mechanism. A one-time question in Interact.

What is the primary function of the Threat Response module?. To deploy antivirus software. To provide capabilities for investigating and responding to security threats on endpoints in near-real-time, such as isolating a machine or killing a malicious process. To predict future threats. To manage firewall rules.

An operator needs to perform a complex query that involves data from multiple sensors and wants to use a visual interface to build the query instead of typing. What should they use?. The Question Builder within the Interact module. The Package Builder in the Deploy module. The Report Builder in the Asset module. They must type the query.

The Index module in Tanium is used for: Creating an index of all files on an endpoint to enable extremely fast file search and discovery. Indexing the Tanium help documentation. Indexing the results of queries for faster reporting. Indexing user profiles.

An operator wants to see a pre-built dashboard showing the top 10 applications installed in their environment. Which module is most likely to have this dashboard by default?. Patch. Deploy. Asset. Trends.

Which module would you use to create a software deployment policy that automatically installs a specific application on all new workstations when they first appear in Tanium?. Patch. Deploy (using its campaign and targeting features). Trends. Comply.

An operator needs to generate a PDF report of the current patch compliance status for an auditor. Where is the best place to generate this report?. Take a screenshot of the Trends graph. The Patch module likely has built-in reporting features that can generate and export formatted reports. Manually type up the results from Interact. The Connect module.

The Reveal module in Tanium is focused on: Revealing hidden files. Data discovery and classification, helping organizations find and protect sensitive data (like PII or PCI) across their endpoints. Revealing user passwords. Network topology discovery.

An operator wants to see a graph of the number of endpoints that have rebooted each day for the last week. They have a saved question that records this. Where can they see this graph?. In the Interact grid. In the Trends module, by selecting the saved question and choosing a line or bar chart view. In the Asset module. In the Patch module.

Which module would an operator use to isolate a compromised endpoint from the network to prevent the spread of malware?. Deploy. Patch. Asset. Threat Response.

An administrator wants to ensure that a specific, prohibited application is never installed on any company machine. Which module is best suited to prevent this?. Deploy, by creating an uninstall deployment. Patch, by blocking it in patch scans. Enforce or Comply, by creating a policy that continuously checks for and removes the prohibited application. Trends, by tracking its installation.

What is the purpose of the Performance module?. To measure the performance of the Tanium platform itself. To monitor the performance (CPU, memory, disk) of managed endpoints and identify potential performance issues. To improve the performance of applications by caching them. To benchmark the performance of different software versions.

An operator needs to send a daily summary of new software installations to a central IT ticketing system. Which two modules would be involved in this automation?. Asset and Trends. Patch and Deploy. Interact and Connect. A saved question in Interact (to gather the data) and the Connect module (to send it to the ticketing system).

The Benchmark module in Tanium is used for: Benchmarking the performance of the Tanium Server against other management tools. Comparing endpoint configurations against industry-standard security benchmarks (like CIS) and generating compliance scores. Creating performance benchmarks for applications. Benchmarking network speeds.

An operator wants to create a dashboard that shows several real-time metrics, such as Total Endpoints, Endpoints Online, and Endpoints Missing Patches. What is the best way to create this dashboard?. Create a single, complex query in Interact that returns all this data. Create separate saved questions for each metric and then add them as tiles to a custom dashboard page in the Tanium Console. Use the Trends module to create a multi-line graph. Print out the results from Interact and pin them to a bulletin board.

The Processes view within the Threat Response module is most useful for: Killing a specific malicious process running on multiple endpoints at once. Generating a list of all processes for asset inventory. Benchmarking process performance. Creating a baseline of normal process activity.

Which module would you use to perform a one-time, in-depth scan for credit card numbers on all file servers?. Patch. Asset. Reveal. Deploy.

An operator needs to ensure that all endpoints have the correct time zone configured. Which module offers the most efficient way to enforce this?. Deploy, with a one-time action. Enforce, with a recurring policy that checks and corrects the time zone. Interact, with a question to find incorrect ones and a manual follow-up. Trends, to track time zone changes over time.

The Remote Assistant or Live Connect feature in some Tanium modules allows an operator to: Establish a secure, remote command-line session with an endpoint for advanced troubleshooting. Remotely control the endpoint's mouse and keyboard. Chat with the endpoint's user. Transfer files to and from the endpoint.

An operator needs to see which servers have had a specific file modified in the last 24 hours. Which module is best suited for this kind of file integrity monitoring?. Patch. Asset. Integrity Monitor. Trends.

When using the Patch module, what is the typical first step after importing patch data?. Approve all patches for immediate deployment. Run a Scan or Assessment to determine which endpoints are missing which patches. Reboot all servers. Disable automatic updates.

The Vulnerability or Thintel data feed in Tanium provides information on: The weather forecast. External threat intelligence, such as newly discovered CVEs (Common Vulnerabilities and Exposures) and indicators of compromise. Software license expiration dates. Hardware warranty status.

An operator wants to create a compliance report that shows which endpoints have a specific registry key set to the correct value. Which module is best for this?. Deploy. Comply. Trends. Interact.

An operator needs to perform a threat hunt to look for a specific indicator of compromise (IOC), like a particular file hash, across the entire environment. Which module would provide the fastest, most scalable solution?. Interact, by asking a question with a file hash sensor. Deploy, by deploying a package to search for the hash. Index, if the file hash data is already indexed, enabling an almost instantaneous search. Trends, by looking at historical hash data.

Which module provides pre-built dashboards and workflows for managing and tracking the installation, uninstallation, and version control of applications?. Asset. Deploy. Patch. Comply.

An operator runs a saved question and notices that the results have a clock icon next to them. What does this indicate, and what should the operator do if they need the absolute latest data?. The clock indicates an error. They should restart the Tanium Client. The clock indicates the data is from the last time the saved question was run (cached data). To get the latest data, they should click the Run Now or Refresh button. The clock indicates the query is still running. They should wait. The clock indicates the data is from the server's time zone. They can ignore it.

A question returns No Data for a sensor that the operator knows should return a value on some endpoints. What is the first step in troubleshooting this?. Reinstall Tanium on all endpoints. Check if the sensor is deployed to and supported on the target endpoints. Verify the sensor's deployment status and Supported Platforms settings. Assume the data doesn't exist. Restart the Tanium Server.

A user reports that their endpoint is not showing up in Tanium at all. Which two things should the operator check first?. The endpoint's screen resolution and the phase of the moon. Whether the Tanium Client service is installed and running on the endpoint, and whether the endpoint has network connectivity to the Tanium Server. The endpoint's free disk space and CPU speed. The version of Microsoft Office installed.

An operator deploys an action, but it fails on many endpoints with the error Access Denied. What does this typically indicate about the action's context?. The operator's user account does not have permission to deploy actions. The Tanium Client service account (e.g., SYSTEM) did not have sufficient permissions to perform the operation on the endpoint (e.g., writing to a protected system folder). The endpoint is out of disk space. The action's TTL expired.

A question that normally takes 30 seconds to complete is now taking over 5 minutes and timing out. What could be a contributing factor?. The Tanium Server was upgraded. The network is experiencing high latency or packet loss, slowing down communication across the peer-to-peer chain. A new version of the Tanium Client was released. The operator's console browser is out of date.

An operator tries to use a sensor, but it doesn't appear in the autocomplete suggestions or the sensor browser. What is the most likely cause?. The sensor is new and hasn't been indexed yet. The operator's RBAC role does not grant them permission to view or use that sensor. The sensor is deprecated. The Tanium Console needs to be refreshed.

An action is deployed, and the Action History shows many endpoints with a status of Error - Action Not Applicable. What does this mean?. The action was not sent to those endpoints. The endpoints ran the action, but it failed. The Tanium Client on those endpoints evaluated the action's targeting or conditions and determined that it did not need to run (e.g., an Action Lock was already present, or a pre-condition was not met). The endpoints are offline.

An operator cannot create a new package. The Create Package button is grayed out. What is the most likely cause?. The Tanium Server is at maximum capacity. The operator's RBAC permissions do not include the right to create or edit packages. The maximum number of packages has been reached. The operator's console session has timed out.

After deploying a new sensor, an operator asks a question using it, but some older endpoints return No Data while newer ones work. What could be the issue?. The older endpoints are offline. The sensor script may rely on a feature or PowerShell version not available on the older operating systems. The sensor deployment hasn't finished reaching all endpoints. The operator forgot to save the sensor.

An operator is trying to ask a question, but the Interact bar is not responding or is very slow to provide autocomplete suggestions. What could be the cause?. The operator's network connection to the Tanium Console is slow. The Tanium Module Server or Console service might be under heavy load or experiencing issues. The question is too long. The operator's browser is incompatible.

A saved question that runs on a schedule has stopped updating. Its last successful run was 3 days ago. What is the first thing to check?. The Tanium Client on the operator's machine. The status of the saved question in the console to see if it is disabled or if its subsequent runs have failed with an error. The power cord of the Tanium Server. The endpoints must all be rebooted.

An operator deploys an action, but an hour later, some endpoints are still in a Pending state. What is the most likely explanation?. Those endpoints are offline and have not yet received the action. The action is still running on those endpoints. The Tanium Server is too slow to process the results. The operator's console is not refreshing.

An operator needs to troubleshoot why a specific package is failing on a single, critical server. Besides checking the Action History, what is another powerful troubleshooting option?. Remotely log into the server and run the package command manually to see the error in real-time. Reinstall the Tanium Client on the server. Ignore the failure, as it's only one server. Run the package on all servers again.

An operator asks Get Operating System and the grid shows No Data for all endpoints. What is the most likely catastrophic cause?. All endpoints are offline. The Operating System sensor has been deleted or is not deployed to any endpoints. The Drill Down function was applied completely incorrectly to refine the previous group filter. The Tanium Server is down.

An operator creates a new dynamic group based on a saved question. When they view the group's members, it's empty, even though they know endpoints should qualify. What is the first thing to check?. The group's definition to ensure the saved question is correct and has been run recently. The firewall rules. The Tanium Server's hard drive space. The endpoints' network cables.

An action to install software consistently fails on a particular model of laptop, but works on others. What should the operator investigate?. A hardware defect in that laptop model. Environmental differences, such as available disk space, RAM, or a specific driver or software that conflicts with the installer on that model. The color of the laptops. The age of the laptops.

An operator is attempting to deploy an action to a dynamic group, but the action creation wizard warns that the target group is empty. What does this mean?. The action will fail. The dynamic group currently has no members based on its last evaluation. The operator can proceed, but the action will have zero targets unless the group's membership changes before the action starts. The group has been deleted. The operator does not have permission to target that group.

A query runs, but the results seem to be missing a large number of endpoints that the operator knows exist. What is the first thing to check in the query itself?. If the operator accidentally applied a filter that excluded them (e.g., from Windows machines when querying Macs). The phase of the moon. The version of the Tanium Console. The time of day.

An operator notices that the Tanium Console is loading very slowly, and some pages time out. The Interact module, however, works fine for asking questions. Where is the bottleneck likely located?. The Tanium Server. The endpoint network. The Tanium Module Server, which hosts the web application and dashboards. The operator's internet connection.

An operator tries to run an action, but receives an error: Action target is invalid or No valid targets. What does this indicate?. The action's start time is in the past. The targeting criteria (e.g., a computer group or Target by Question) resulted in an empty set of endpoints when the action was initiated. The package is corrupted. The operator does not have permission to run actions.

After creating a new parameterized sensor, an operator asks a question using it but forgets to provide the parameter. What happens?. The sensor will run with a default value. The question will fail, and the console will indicate that a required parameter is missing. The sensor will run, but the parameter will be treated as an empty string. The Tanium Client will prompt the user on the endpoint for the parameter.

A recurring action is scheduled to run every day, but an operator notices it hasn't run for a week. What could be a reason?. The action was disabled or deleted. The Tanium Server time is wrong. The operator's view is not refreshed. All of the above are possible.

An operator receives a Query Timeout error after asking a very broad question, like Get All Data from all machines. Why is this question problematic?. It is not a valid question. It would attempt to return an enormous amount of data, consuming excessive network bandwidth and likely exceeding the TTL before it could complete. The natural language parser doesn't understand All Data. The Tanium Server will block it for security reasons.

An operator creates a package that runs a PowerShell script. The script works when run manually on an endpoint but fails when run as a Tanium action. The error is about a missing module. What is the most likely difference?. The Tanium action runs as a different user (SYSTEM) which has a different PowerShell module path than the manually logged-in user. The script is corrupted during transfer. The endpoint was offline. The Tanium Client has a bug.

An operator asks a question, and the Interact grid shows a column with the sensor name, but all cells contain the message Sensor Failed. What does this indicate?. The sensor script executed but returned an error code. The sensor script failed to start or crashed during execution on that endpoint. The operator's license has expired. The sensor is not deployed.

An operator notices that the Last Report Time for a group of endpoints is very old (e.g., several days). What does this indicate about those endpoints?. They have not communicated with the Tanium Server recently and are likely offline or having client issues. They are functioning perfectly. They have been rebooted recently. They are new endpoints.

An operator deploys an action to a large group. Halfway through, they realize the action had a critical flaw. What can they do?. Immediately cancel the action in the Action History to stop it from being deployed to any more endpoints. They must let it finish. They can edit the action's command line on the fly. They can delete the action from the history.

A saved question that used to work is now returning an error. The only change in the environment was the upgrade of the Tanium Server. What could have happened?. The upgrade process automatically fixed all questions. The saved question might have relied on a sensor that was deprecated, renamed, or changed in a way that broke the query during the upgrade. The upgrade deleted all saved questions. The endpoints were all rebooted.

An operator is trying to view the members of a dynamic group, but the list is empty. They know the group is defined by a saved question that returns data. What is the most likely issue?. The saved question hasn't been run recently, so the group's membership data is stale or empty. The group is corrupted. The operator does not have permission to view the group's members. The group was deleted.

When using a parameterized sensor, an operator includes a space in the parameter value. What should they do to ensure the sensor receives the correct value?. Nothing, spaces are handled automatically. Enclose the parameter value in quotes (e.g., with param C:\My Files\doc.txt). Remove the space. Use an underscore instead of a space.

An operator deploys an action that is supposed to create a file. The Action History says Success, but the file is not found on the endpoint. What is the most likely explanation?. The Tanium Client is lying. The script executed successfully from its perspective, but the logic failed (e.g., it wrote the file to the wrong path, or it tried to write to a location where it thought it had permission but didn't). The file was created and then automatically deleted by the operating system. The user on the endpoint deleted the file.

An operator cannot see the Trends module in their Tanium Console. What is the most likely reason?. The Trends module is not included in their license or not installed on the Tanium Module Server. The operator's console theme is set to Classic. The operator needs to clear their browser cache. The Trends module is only available on Tuesdays.

An operator asks a question, and the Interact grid shows Pending for a long time, but no results appear. What does this indicate?. The query is stuck. It is possible that the Tanium Server is not receiving any results from the endpoint network, perhaps due to a major network segmentation issue or a server problem. The operator needs to refresh their browser. The query is running very slowly, but will complete eventually. The operator's question had a syntax error.

An operator is trying to create a new Computer Group, but the Save button is disabled. What could be missing?. The group name field is empty. The group's definition (either a saved question for dynamic groups or a list of computers for static groups) is not properly specified. The operator's session has timed out. All of the above are possible.

An action to copy a file to a network share fails. The script runs as SYSTEM on the endpoint. What is a likely cause?. The endpoint is offline. The computer account for the endpoint does not have Write permissions to the target network share. The network share is not mapped as a drive letter. The file is too large.

An operator runs a saved question and gets the error Question is invalid. What does this mean?. The Tanium Server is down. The underlying sensor(s) or filter(s) in the saved question are no longer valid, perhaps because a sensor was deleted or renamed. The operator does not have permission to run saved questions. The question's TTL was set too low.

An operator is using a sensor that returns a large amount of data per endpoint, such as a list of all running processes. The query is timing out. What is a good strategy to troubleshoot?. Ask the question only on a small test group first to see the data structure and estimate the load. Increase the TTL significantly and hope for the best. Ask for a different sensor. Reboot all endpoints.

A new operator reports that they can see the Deploy module icon, but when they click it, they get a Permission Denied or blank page. What is the issue?. The Deploy module is not installed. Their RBAC role does not grant them access to the Deploy module. The Deploy module is down for maintenance. Their browser is incompatible.

An operator runs an action to stop a service, but the service immediately starts again. What is the likely cause?. The Tanium action failed. The service is configured with a Recovery option to restart the service on failure, and it is being triggered. The operator stopped the wrong service. The endpoint needs to be rebooted.

An operator's question returns No Data for a sensor on a specific endpoint. They log into that endpoint and run the sensor script manually, and it returns data. What could explain the discrepancy?. The Tanium Client's cache might be returning stale data. The sensor might not be deployed to that endpoint, or the deployed version is older than the one run manually. The Tanium Client runs as SYSTEM, which might have a different environment (PATH, permissions) than the user who ran the script manually. All of the above are possible.

An operator tries to create a new action, but the Package dropdown list is empty. Why?. No packages have been created in the environment. The operator does not have permission to use any existing packages. The Tanium Server is not responding. Both A and B are possible.

A query using the Installed Applications sensor is taking a very long time to complete. What is a factor that can significantly impact the speed of this sensor?. The number of endpoints being queried. The method used by the sensor to collect the data (e.g., reading from the registry vs. a full file system scan); the registry method is typically much faster. The network speed. All of the above.

An operator needs to troubleshoot a connectivity issue for a remote endpoint. Which command run on the endpoint would give the most detailed information about its Tanium Client status?. ipconfig. ping [Tanium Server IP]. taniumclient.exe -status. netstat -an.

An operator runs a saved question and sees results from a week ago, even though they know the data has changed. They click Run Now, but the results are the same. What is a possible explanation?. The Run Now button is broken. The Tanium Client cache is returning cached data on the endpoints, and the cache time for that sensor is set to longer than a week. The saved question is pointing to the wrong sensor. The operator is looking at the wrong saved question.

An operator is creating a new dynamic group and wants to base it on a saved question. The saved question they want to use is not in the list. Why?. The saved question might be of a type that is not compatible with dynamic groups (e.g., it returns aggregated data like a count, not a list of computers). The saved question was created by another operator and is not shared. The operator's permissions prevent them from using that saved question. All of the above.

An action that runs a script is failing, and the Action History shows a truncated error message. Where else might the full, detailed error log be located?. It is only in the Action History. On the endpoint itself, in the Windows Event Viewer under Applications and Services Logs or in a log file created by the script. In the Tanium Server's application log. The full error is not stored anywhere.

An operator notices that the Pending count for a recurring action is slowly increasing over time. What does this trend indicate?. More and more endpoints are failing the action. The action is running successfully on more endpoints. The environment may have a growing number of endpoints that are offline or unable to communicate, as they are not acknowledging the recurring action. The Tanium Server is running out of disk space.

An operator tries to use a sensor, but the sensor name appears in red in the autocomplete list. What does this typically mean?. The sensor is a favorite. The sensor is deprecated or has an error in its definition. The sensor is not deployed. The sensor is for Linux only, and the operator is on a Windows console.

An operator asks Get Logged In User and sees a result of Type: Not Supported for some endpoints. What does this mean?. The sensor is not supported on the operating system of those endpoints (e.g., a Windows sensor run on Linux). The user's name is Type: Not Supported. The endpoint is a server. The operator typed the sensor name incorrectly.

An operator deploys an action, and the Action History shows a status of Expired for some endpoints. What does this mean?. Those endpoints took too long to respond, and the action's expiration time was reached before they could execute it. The action failed on those endpoints. The software license for the package expired. Those endpoints were decommissioned.

What is the primary purpose of Role-Based Access Control (RBAC) in Tanium?. To improve the performance of the Tanium Server. To restrict operator access to specific features, modules, data, and actions based on their defined job role, following the principle of least privilege. To manage network firewall rules. To automatically assign roles to users based on their Active Directory group membership.

An administrator needs to grant a new hire in the help desk the ability to reboot endpoints and check logged-in users, but nothing else. What is the correct way to accomplish this?. Give them the default Administrator role. Create a custom RBAC role with permissions for specific actions (like System Reboot) and sensors (like Logged In User), and assign that role to the new hire. Share the administrator password with them. Train them to use only those features and trust them not to use others.

In Tanium RBAC, what is an Action Group in the context of permissions?. A group of actions that can be run together. A grouping mechanism used to control which operators can deploy specific actions or packages to specific computers. A group of users who can approve actions. A group of endpoints that actions are deployed to.

What type of information is typically captured in Tanium's Audit Logs?. The content of all files on endpoints. A record of user activity within the Tanium Console, such as who asked what question, who deployed what action, and when changes were made to system configuration. Network packet captures. A log of all endpoint reboots.

An organization is concerned about sensitive data being exposed in question results. How can RBAC help mitigate this risk?. RBAC can restrict which sensors an operator can use, preventing them from accessing sensitive data-collecting sensors (e.g., a Credit Card Number sensor). RBAC can hide entire columns of data in the results grid. RBAC cannot help with data exposure. RBAC encrypts all question results.

Which of the following is a security feature built into the Tanium Client's communication?. All communication is in plain text for simplicity. All communication, including peer-to-peer, is encrypted with TLS/SSL. Communication is encrypted, but only between the client and server, not between peers. Communication uses a proprietary, unbreakable cipher.

An operator leaves the company. What is the most appropriate action for a Tanium administrator to take regarding this user's account?. Do nothing. Disable or delete the user's Tanium account to immediately revoke all their access. Change their password and keep the account active in case they return. Demote their role to Read-Only.

Which Tanium module would be most useful for ensuring that all endpoints comply with a corporate security policy regarding password complexity?. Deploy. Trends. Comply. Patch.

A security analyst needs to immediately stop all network traffic to and from a compromised endpoint to contain a breach. Which Tanium action is most appropriate?. A System Reboot action. A Network Isolation action, often found in the Threat Response module. A Software Uninstall action. A Kill Process action.

What is the purpose of the Quarantine action in Tanium?. To move an endpoint to a different computer group. To prevent an endpoint from communicating with other systems on the network, effectively isolating it, similar to network isolation. To delete all files on an endpoint. To put an endpoint into a low-power state.

An organization needs to prove to an auditor who approved a specific, high-risk action that was deployed last month. Where can they find this information?. In the Action History, which shows the approver's name if an approval workflow was used. They cannot, as this information is not logged. By asking the operator who deployed it. In the endpoint's local logs.

Which of the following is an example of a security best practice for managing Tanium operator accounts?. All operators share a single, generic admin account. Each operator has their own unique account, and accounts are disabled immediately when an operator leaves the company. Operator passwords are never changed. All operators are granted the Administrator role for simplicity.

What is a Threat Response playbook?. A written document on how to respond to threats. A pre-defined set of automated actions in Tanium's Threat Response module that can be executed in response to a detected threat (e.g., isolate machine, kill process, gather forensics). A list of threats in the environment. A training manual for security analysts.

How can Tanium help an organization with compliance frameworks like PCI-DSS or HIPAA?. By automatically filling out compliance paperwork. By providing the ability to continuously monitor and report on the configuration of endpoints against the specific technical requirements of those frameworks. By encrypting all data on the endpoints. By preventing all security breaches.

An administrator wants to ensure that operators in the Security role can see all data, but operators in the IT Ops role cannot see data from a special group of Executive endpoints. How can this be achieved?. By creating separate Tanium environments. By using RBAC in conjunction with Computer Groups: grant the Security role access to all groups, and grant the IT Ops role access to all groups except the Executive group. This is not possible. By asking the IT Ops operators to not look at those endpoints.

What is the purpose of hashing package files in the context of security?. To make the files smaller. To provide a unique fingerprint (hash) of the package's contents, which can be used to verify the integrity of the package and ensure it hasn't been tampered with since it was created. To encrypt the package. To organize packages in the console.

A security analyst uses the Reveal module and finds a file containing credit card numbers on a developer's workstation. What is the appropriate next step?. Immediately delete the file. Ignore it, as it's just a developer machine. Use the findings to initiate a formal incident response process, which may involve further investigation, containment, and notification, as per PCI DSS requirements. Email the developer and ask them to delete it.

In RBAC, what is the principle of least privilege?. Giving all users the maximum possible permissions to avoid support tickets. Granting users only the minimum permissions necessary to perform their job functions. The principle that privileges are a burden. Granting privileges based on a user's seniority.

An organization is concerned about the security of the Tanium Client binaries on endpoints. How does Tanium help ensure client integrity?. It doesn't; the client is unprotected. The Tanium Client binary is digitally signed by Tanium, allowing the operating system to verify its authenticity and that it hasn't been tampered with before it runs. The client is encrypted and can only be decrypted by the server. The client checks in with the server every second for a new hash.

A Tanium administrator needs to review all actions taken by a specific operator over the last 30 days. Where should they look?. The operator's browser history. The Tanium Audit Logs, which can be filtered by username and date range. The Windows Event Logs on the Tanium Server. The operator's email inbox.

Which feature can be used to prevent an operator from accidentally deploying a dangerous action, like a mass reboot, during business hours?. The Distribute Over setting. The Action Approval workflow, which requires a second person to review and approve the action before it can be deployed. The Action Lock feature. RBAC permissions that prevent the operator from seeing the reboot package.

What is a key difference between Authentication and Authorization in the context of Tanium security?. They are the same thing. Authentication is verifying who a user is (e.g., via username/password). Authorization is determining what that authenticated user is allowed to do (e.g., via RBAC). Authentication is about actions, authorization is about questions. Authentication is for users, authorization is for endpoints.

An organization wants to integrate Tanium with their SIEM (Security Information and Event Management) system. Which Tanium module is designed for this purpose?. Trends. Connect. Asset. Deploy.

What information is typically NOT included in a Tanium Audit Log entry?. The username of the person who performed the action. The timestamp of the action. A description of the action performed (e.g., Created new package 'Adobe Reader Update'). The content of private files on an endpoint.

A user's Tanium account is locked after too many failed login attempts. What security feature does this represent?. RBAC. Account lockout policy, a form of protection against brute-force password guessing. Audit logging. Action Approval.

Which of the following is a security best practice for Tanium Service Accounts (the accounts used to run the Tanium Server and Client services)?. Use simple, easy-to-remember passwords. Grant them domain administrator privileges for simplicity. Use strong, complex, and managed service accounts with the minimum privileges necessary on the operating system. Share the same password for all Tanium-related service accounts.

An operator discovers a suspicious process running on several endpoints. In the Threat Response module, what is the fastest way to terminate that process on all affected machines?. Ask a question to find the endpoints and then manually create an action to kill the process on each one. Use the Threat Response module's Kill Process feature, which allows them to select the process name and target all affected endpoints with a single action. Reboot all the affected servers. Uninstall the application related to the process.

In a highly secure environment, an administrator might want to require multi-factor authentication (MFA) for the Tanium Console. Is this possible?. No, Tanium only supports username and password. Yes, Tanium can integrate with identity providers that support MFA, such as those using SAML 2.0. Yes, but only through a third-party hardware token. MFA is not necessary for a management console.

A security analyst uses Tanium to search for a specific file hash across all endpoints. What are they most likely doing?. Performing a software inventory. Hunting for a known piece of malware or an unauthorized application based on its unique fingerprint. Checking for file system errors. Looking for duplicate files.

What is the purpose of marking a saved question as Confidential?. To encrypt its results. To flag it as containing sensitive data, which may cause additional access controls (via RBAC) to be enforced on who can view its results. To prevent it from being scheduled. To add a Confidential watermark to the results when exported.

An organization needs to ensure that only authorized software can run on their endpoints. Which Tanium module and feature would be most effective for this?. Deploy, to uninstall unauthorized software. Comply/Enforce, with an Application Allow Listing policy that monitors running processes and alerts on or blocks any process not on the approved list. Asset, to report on installed software. Patch, to prevent vulnerable software from running.

A Tanium administrator needs to grant an external consultant temporary, read-only access to a specific set of servers for a security audit. How can this be done securely?. Create a temporary user account with a custom RBAC role that grants Read-Only permissions (e.g., can run questions, but not actions) and restricts their visibility to the specific Audit Servers computer group. Share the administrator password with them for the duration of the audit. Give them a walkie-talkie and have them call out questions for you to type. Create a new user and assign them the default Administrator role for simplicity.

What is the purpose of the Security Content that Tanium provides?. It is a library of training videos. It includes pre-built sensors, packages, and dashboards for common security use cases, such as checking for known vulnerabilities or collecting forensics data. It is a list of security bulletins. It is a firewall configuration guide.

An operator tries to deploy an action, but the Deploy button is grayed out. They have permission to use the package and the target group is valid. What could be another reason?. The action is still in a Draft state and hasn't been finalized. The operator's session has timed out, and they need to log in again. The Tanium Server is offline. All of the above are possible.

How can Tanium be used to help respond to a ransomware attack?. By using the Threat Response module to isolate infected machines, kill the ransomware process, and search for indicators of compromise on other endpoints. By restoring files from backup. By paying the ransom. By reinstalling the operating system on all machines.

In the context of RBAC, what is a Role?. The name of a computer group. A collection of permissions (e.g., access to specific modules, sensors, action groups, and computer groups) that can be assigned to one or more users. The function of a Tanium Server. A type of sensor.

An organization wants to ensure that no operator can deploy an action between 2 AM and 3 AM, which is their critical database backup window. Can Tanium enforce this?. No, actions can be run at any time. Yes, by using scheduling restrictions within RBAC or by configuring maintenance windows for computer groups, preventing actions from being deployed during that hour. Yes, by turning off the Tanium Server during that hour. No, this is not a security feature.

A security analyst is investigating a potential breach and wants to see a list of all network connections made from a specific endpoint in the last 24 hours. What Tanium capability would be most useful?. The Index module, to search for connection logs. The Trends module, to see a graph of connections. A forensic data collection package, which could be deployed to the endpoint to gather this volatile data (e.g., netstat output) and return it to the analyst via Action History. Asking the user what websites they visited.

What is the primary difference between Comply and Enforce modules in Tanium?. They are the same module with different names. Comply is typically for scanning and reporting on compliance, while Enforce is for automatically taking action to bring non-compliant endpoints back into compliance. Comply is for servers, Enforce is for workstations. Comply is a cloud module, Enforce is on-premise.

A Tanium administrator wants to ensure that all access to the Tanium Console is logged, including failed login attempts. How is this typically configured?. This is a default behavior of the Tanium Audit Logs. The administrator must manually enable this in the Tanium Server's configuration file. This is only possible with a third-party SIEM. Failed logins are not logged.

An operator needs to create a weekly report for management showing the number of endpoints that are missing critical patches. What is the most efficient way to generate this report on an ongoing basis?. Manually run the query in Interact every Monday morning and copy/paste the results into a Word document. Create a saved question that identifies missing patches, set it to run on a recurring schedule (e.g., every Monday), and use the Trends module or a reporting feature to export the results each week. Ask the Patch team to email you the report. Write a custom script to pull data from the Tanium database directly.

What is a Pinned Question in the Tanium Console?. A question that is saved to a file on your desktop. A saved question that is displayed as a live-updating tile on a custom dashboard page for at-a-glance monitoring. A question that has been deleted. A question that is currently running.

An operator wants to create a dashboard that shows the top 5 most vulnerable applications in their environment based on the Patch module's data. Is this possible?. No, dashboards can only show data from Interact queries. Yes, the Patch module often has its own dashboards and reporting views; the operator can likely navigate to the Patch module, find a pre-built Top Vulnerabilities view, and perhaps add it to a custom dashboard. No, vulnerability data cannot be visualized. Yes, but only by exporting the data to Excel and creating a chart there.

When exporting data from an Interact results grid to a CSV file, what is included in the export?. Only the first 100 rows of data. All data currently displayed in the grid, respecting any column order and filters that have been applied. The raw, unfiltered data from the server, regardless of what is shown in the grid. A screenshot of the grid.

Which Tanium module is specifically designed for long-term storage and visualization of historical data from saved questions?. Interact. Trends. Asset. Connect.

An operator has a saved question called Servers with Low Disk Space. They want to see a graph of how many servers have fallen into this category over the last 3 months. What should they do?. Open the saved question in Interact and look at the grid. Go to the Trends module, select the saved question Servers with Low Disk Space, and choose an appropriate time range and chart type (e.g., line chart). Export the data daily to Excel and create the graph manually. Ask a new question in Interact with a date filter.

What is a key prerequisite for using the Trends module to visualize data over time?. The Tanium Server must be running on a specific operating system. The saved question must be configured to run on a recurring schedule so that historical data points are collected in the database. The operator must have a special Trends license. The data must be from the Asset module.

An operator wants to share a custom dashboard they've created with their team. How can this be accomplished?. By taking a screenshot and emailing it to the team. By using the dashboard sharing or publishing features in the Tanium Console, which can make the dashboard available to other users based on their RBAC permissions. Dashboards are personal and cannot be shared. By exporting the dashboard as a file and asking team members to import it.

In the Trends module, what is the benefit of being able to drill down from a point on a graph?. It changes the graph's color. It allows the operator to click on a data point (e.g., a peak on the graph) and see the underlying raw data (the list of endpoints) that contributed to that point. It exports the graph as an image. It creates a new saved question.

Which of the following is a common output format for reports generated from Tanium modules?. PDF. CSV. HTML. All of the above.

An operator creates a custom dashboard with several pinned questions. How often does the data on the dashboard update?. It is static and only updates when the page is refreshed. It updates in near-real-time, as the underlying pinned questions are re-run on a configured interval (e.g., every 5 minutes). It updates once per day. It updates whenever the Tanium Server is rebooted.

An operator needs to provide a list of all software installed on a specific set of servers to a license compliance auditor. What is the best method?. Run a saved question targeting that server group to get the installed software, and then export the results to a CSV file. Manually log into each server and run wmic. Ask the server administrators to provide a list. Use the Trends module to generate a graph of software installs.

What is the purpose of Report Templates in modules like Asset or Comply?. They are templates for creating new Tanium users. They are pre-defined report formats that can be run to generate consistent, standardized reports on common topics (e.g., Hardware Inventory Report, Compliance Summary Report). They are templates for creating new sensors. They are templates for creating new packages.

An operator wants to see the historical trend of the average free memory on a group of critical servers. They have a saved question that collects memory data from these servers every hour. What type of chart in Trends would be most appropriate to visualize this?. A pie chart. A line chart, showing the average value over time. A bar chart of the current memory values. A scatter plot.

What is a Dashboard in Tanium?. A physical panel of lights and switches. A customizable page in the Tanium Console that displays a collection of pinned questions, charts, and other widgets for monitoring and analysis. A list of all saved questions. The main page of the Interact module.

An operator creates a saved question called Computers with Outdated Antivirus. They pin this question to a dashboard. What will the dashboard tile typically display?. The full list of computer names. A single number representing the count of computers that match the question. A pie chart of antivirus versions. The SQL query for the saved question.

An organization needs to provide a monthly executive summary report on endpoint security posture, including patch compliance and configuration compliance. What is the most efficient way to generate this?. Manually copy data from various Interact queries into a PowerPoint deck. Use the reporting features within the Patch and Comply modules to generate the required reports, which can likely be scheduled and emailed automatically. Ask each department to report on their own endpoints. Wait for the annual audit.

When viewing data in the Trends module, what is the purpose of the Group By function?. To group the chart by the color of the line. To create separate trend lines on the same graph for different categories of endpoints (e.g., a line for US Servers and a line for EU Servers) based on a sensor value. To group the saved questions in the list. To create a new computer group.

An operator wants to add a text box with a description to their custom dashboard. Is this possible?. No, dashboards can only show data. Yes, dashboard editing tools often include the ability to add text or note widgets for documentation and instructions. Yes, but only by adding a pinned question that returns text. No, descriptions must be in the dashboard's title.

An operator exports the results of a question to a CSV file. They open it in Excel and see that numbers like 2.14748E+13 appear instead of readable values. What happened?. The Tanium data is corrupted. Excel interpreted long number strings (like serial numbers) as scientific notation; the issue is with Excel's formatting, not the data itself. The operator exported the wrong column. The sensor returned an error.

Which of the following is a benefit of using the Asset module's built-in reports over creating a custom report from Interact?. The Asset module reports are often pre-built and optimized for common inventory use cases, saving time. Asset reports are always faster. Interact cannot be used for inventory. Asset reports can only be run once.

An operator creates a line chart in Trends showing Number of Running Processes over time. They notice a sharp spike on a particular day. What should be their next step to investigate?. Assume it's a monitoring glitch. Use the drill-down feature on that data point to see which specific endpoints were responsible for the spike. Reboot all servers. Increase the scale of the graph.

When creating a custom dashboard, an operator wants to monitor the count of endpoints that have not checked in for over 24 hours. What is the correct component to add to the dashboard?. A saved question, pinned to the dashboard, that asks Get Count of Computer Name from all machines where Last Report Time is before (now - 1 day). A graph from the Trends module. An action history view. A list of all packages.

An operator needs to create a report that shows the top 10 most used applications in their company by number of installations. Which module and feature would be best?. The Deploy module, to see what's been deployed. The Trends module, to see installation trends over time. The Asset module, which likely has a Top Software report or a saved question that can be adapted for this purpose. The Patch module, to see which applications are most vulnerable.

What is the difference between a Report and a Dashboard in Tanium?. They are the same thing. A report is typically a static, often formatted, exportable document for a specific point in time, while a dashboard is a live, interactive view designed for continuous monitoring. A report is for managers, a dashboard is for operators. A report is text-based, a dashboard is graphical.

An operator wants to add a chart to their dashboard that shows the proportion of different operating systems in the environment (e.g., Windows 10, Windows 11, Linux). What type of chart is most suitable?. A line chart. A pie chart or a bar chart. A scatter plot. A table.

An operator generates a report from the Comply module showing non-compliant settings. How can they use Tanium to fix the issues identified in the report?. The report is just for information; they must fix things manually. By using the Comply or Enforce module's remediation features, they can often select the non-compliant endpoints and initiate a corrective action directly from the report or scan results. They must create a new sensor to find the issues again. They need to wait for the next automatic remediation cycle.

An operator wants to see a visual representation of the disk space usage on a specific server over the last 30 days. They have a saved question that collects this server's disk space daily. How can they get this view?. Go to the Trends module, find the saved question, and apply a filter to show data for only that specific server. Ask a new question in Interact for that server's current disk space. Look at the Asset module's detail page for that server. This is not possible; Trends only shows aggregated data.

What is the purpose of a Data Source in the context of Tanium reporting?. The source code for a sensor. The saved question or module data set that provides the raw data for a report or dashboard widget. The physical location of the Tanium Server. The database server's IP address.

An operator needs to provide a list of all software installations that occurred in the last 7 days for a security audit. How can they approach this?. Ask a question in Interact: Get Installed Software from all machines where Install Date is after 7 days ago; if the data is not available, they may need to have been collecting it via a recurring saved question. Check the Deploy module's action history. Look at the Patch module's history. This is impossible to determine.

What is a Widget in the context of a Tanium dashboard?. A small gadget. An individual component on a dashboard, such as a pinned question tile, a text box, or an embedded graph from the Trends module. A type of Tanium Client. A small package.

An operator creates a custom dashboard and wants to give other members of their team the ability to edit it. What is the correct approach?. Share their login credentials. Use the dashboard's sharing or permissions settings to grant edit access to the specific users or a group. Anyone can edit any dashboard by default. They must recreate the dashboard for each team member.

Which of the following is NOT a typical use case for the Trends module?. Tracking the average CPU usage on a group of servers over the last quarter. Visualizing the growth in the number of endpoints over time. Performing a one-time, real-time search for a specific file hash across all endpoints. Monitoring the daily count of new software installations.

An operator wants to export a chart they created in the Trends module to include in a presentation. How can they do this?. Take a screenshot. Use the Export or Save Image As function that many charting tools provide. Recreate the chart in Excel. Print the screen and scan it.

What is the benefit of using Time Range selectors in Trends?. They change the color of the graph. They allow the user to dynamically change the period of time being displayed (e.g., Last 7 days, Last 30 days, Custom Range) to analyze different windows of historical data. They set the time zone for the graph. They schedule when the graph updates.

An operator needs to see the logged-in user for every endpoint, but only wants the report to show the computer name and the username, and to exclude any endpoints with no logged-in user. How can they achieve this in a report?. Ask the question Get Computer Name, Logged In User from all machines with Logged In User not empty, and then export the results. Ask the question Get Computer Name, Logged In User from all machines and then manually delete the rows with blank users in Excel. Ask two separate questions. This is not possible; you cannot filter out blank values.

What is a Compliance Score as often shown in Comply or Benchmark dashboards?. A score representing how fast the Tanium platform is running. A percentage or numerical grade indicating how well a group of endpoints adheres to a defined security or configuration policy. A score of how many patches are installed. A user's performance rating.

An operator creates a dashboard with a pinned question that returns a list of computers. They want the tile to show the list instead of just the count. Is this configurable?. No, pinned questions always show counts. Yes, the tile's display settings can often be changed to show a table of the results, a chart, or just the count. Yes, but only if the list has fewer than 10 items. Yes, by creating a separate report.

An operator needs to produce a quarterly report on the adoption of a new standard operating system (e.g., Windows 11) across the company. How can they use Trends for this?. By creating a saved question that counts Windows 11 machines and running it quarterly, then manually compiling the numbers. By having a recurring saved question that counts Windows 11 machines (and total machines) run daily. They can then use Trends to show the percentage of Windows 11 machines over the last quarter, clearly visualizing the adoption trend. Trends cannot show percentages. By asking a single question at the end of the quarter.

When viewing a saved question's results in Interact, what is the purpose of the Save As option?. To save the results to a file. To create a new saved question based on the current question, including any filters you may have applied to the grid. To save the question with a new name, overwriting the old one. To email the results.

An operator wants to add a line chart to their dashboard showing the trend of Critical Patches Missing. The data comes from a saved question that runs daily. How do they add this chart?. They can't; Trends charts cannot be added to custom dashboards. They can create the chart in the Trends module and then use a share or add to dashboard function to embed that chart as a widget on their custom dashboard. They must recreate the chart manually on the dashboard. They need to use the Asset module.

An organization is preparing for an audit and needs to provide evidence of their patching process. Which Tanium data would be most valuable?. A list of all installed software. A report from the Patch module showing patch deployment history, including which patches were approved, when they were deployed, and the success/failure rates. A graph from Trends showing endpoint counts. The Tanium Server's event logs.

An operator wants to see the total number of endpoints, broken down by department, on a single dashboard tile. The Department information is available via a sensor. What is the best way to visualize this?. Pin the question Get Count of Computer Name from all machines to the dashboard. Use a pie chart widget whose data source is a saved question that returns Department and counts of computers per department. Ask Get Computer Name, Department from all machines and export to Excel. This is not possible in a single tile.

What is the difference between exporting data as CSV vs. exporting as PDF?. CSV is for images, PDF is for text. CSV is a structured data format meant for further analysis in other tools (like Excel), while PDF is a document format meant for presenting and printing formatted reports. CSV files are larger than PDFs. There is no difference.

An operator needs to regularly provide a list of all endpoints that have a specific piece of software installed to a license manager. What is the most efficient long-term solution?. Run the query manually each time they ask for it. Create a saved question and teach the license manager how to run it in the Tanium Console. Use the Connect module to automatically send the results of that saved question to the license manager's system or email on a scheduled basis. Print the list and mail it to them.

An operator creates a bar chart in a custom dashboard showing the count of endpoints per operating system. One of the bars is for an OS version that is now out of support and should be at zero. What action should the operator take based on this report?. Ignore it. Investigate the endpoints in that bar, as they represent a security risk (unsupported OS) and should be scheduled for upgrade. Hide that bar from the chart. Assume the data is wrong.

An operator wants to share a specific view from the Trends module, such as a chart showing patch compliance over the last 6 months, with a colleague who does not have access to Tanium. How can they do this?. Give the colleague a Tanium login. Use the Share feature in Trends to generate a public link. Export the chart as an image or the underlying data as CSV, and share those files via email. Describe the chart to them over the phone.

What is the purpose of a Summary or Aggregate report in the Asset module?. To show every detail of every single endpoint. To provide a high-level overview of the environment, often with counts and summaries (e.g., Total Endpoints: 5000, Top 5 Operating Systems). To list all software licenses. To show the status of all actions.

An operator notices that a saved question they use for a dashboard tile is taking a very long time to refresh. What could be the cause?. The dashboard tile is broken. The saved question is inefficient (e.g., queries a huge amount of data) or is targeting too many endpoints. Its refresh interval might be set too aggressively. The operator's browser is slow. The Tanium Console is under a denial-of-service attack.

An operator needs to create a custom report that combines data from multiple saved questions (e.g., Total Servers, Servers Missing Patches, Servers with Low Disk Space) into a single document. What is the best way to do this?. Export each data set separately and manually combine them in a Word document. Create a custom dashboard with all three as tiles, and then use an Export Dashboard feature if available, which might capture the current view into a report format. This is not possible; reports can only have one data source. Ask the Tanium administrator to write a custom SQL report.

What is the purpose of using Content Sets in a Tanium environment?. To set the security level of the Tanium Console. To group related content (sensors, packages, saved questions) together for easier management, deployment, and permission assignment. To set the content of endpoint notifications. To define the content of the Tanium training library.

An operator wants to ensure that a critical action, such as a security patch deployment, is applied to all endpoints, even those that are offline at the time of deployment. What feature makes this possible?. The Action Lock. The action's Expiration Date being set far in the future, allowing the Tanium Client to receive and execute the action whenever the endpoint comes back online. The Distribute Over setting. The Target by Question feature.

Which of the following is a best practice for managing Tanium Client deployment in a large environment?. Deploy the client to all endpoints at once during business hours. Deploy the client in a phased approach, starting with a pilot group and gradually expanding to larger groups, monitoring for any issues. Manually install the client on each endpoint by walking around with a USB drive. Only deploy the client to servers, as workstations are not important.

What is the purpose of the Bandwidth Throttling settings within the Tanium Client or Server configuration?. To increase the speed of the Tanium network. To limit the amount of network bandwidth Tanium can use for its operations, ensuring it doesn't saturate business-critical links. To throttle the CPU usage of the Tanium Client. To limit the number of questions an operator can ask.

An operator needs to perform an action on a set of endpoints, but only if a specific condition is true at the moment of execution (e.g., only run if the endpoint has more than 10GB free disk space). How can this be achieved?. By using a Smart Action or a package with a pre-download condition that runs a sensor to check the condition before the main action executes. This is not possible; conditions must be checked before targeting. By creating two separate actions and running them in sequence. By asking the endpoint users to check the condition themselves.

What is the purpose of a Maintenance Window in Tanium?. A scheduled time when the Tanium Server reboots. A period of time defined for a computer group during which actions can be automatically deferred to prevent disruption to critical business processes. A time when operators are required to perform maintenance on their consoles. A time when the Tanium database is backed up.

An operator needs to create a sensor that returns data in a specific format, such as a comma-separated list. What is the best way to ensure the sensor's output is correctly interpreted?. Just output the data; Tanium will figure it out. Set the sensor's MIME Type or Output Type to text/csv or an appropriate value to tell the console how to render it. Write a note in the sensor's description. There is no way to control this.

What is the recommended best practice for creating a package that modifies a system file?. Test the package thoroughly on a representative set of non-production endpoints first. Deploy it to all production endpoints immediately to ensure consistency. Create the package without any error handling. Do not create such packages, as they are too dangerous.

In the context of Tanium, what is Content?. The text in the Tanium Console. The collective term for all reusable components created by users or provided by Tanium, including sensors, packages, saved questions, and dashboards. The data stored on endpoints. The Tanium training materials.

An operator needs to ensure that a package is only ever executed on an endpoint once, no matter how many times the action is deployed. Which feature is essential for this?. The Action Expiration setting. The Distribute Over setting. An Action Lock configured with a unique key that persists on the endpoint after successful execution. The Target by Question setting.

Which of the following is a key difference between a Parameterized Sensor and a Parameterized Package?. There is no difference. A parameterized sensor accepts input at question time to collect data. A parameterized package accepts input at action creation time to modify its behavior during deployment. A parameterized sensor is for Windows, a parameterized package is for Linux. A parameterized sensor is more complex.

What is a Baseline in the context of the Comply module?. The minimum performance standard for an endpoint. A set of configuration rules or benchmarks (e.g., CIS Benchmark for Windows Server 2019) that endpoints are measured against for compliance. The original configuration of an endpoint. The average score of all compliance scans.

An organization wants to use Tanium to enforce a policy that a specific Windows service must always be running. Which Tanium feature is best suited for this?. A one-time action to start the service. A recurring action, scheduled to run every hour, that checks the service state and starts it if it's stopped. A sensor to report on the service state. A dynamic group of endpoints where the service is stopped.

When should an operator consider creating a new Parameterized Sensor instead of a new static sensor?. Whenever the sensor needs to collect a piece of data that could vary, such as a file path or a process name. Only when the sensor is very complex. Never; static sensors are always better. Only when the sensor will be used by multiple people.

What is the purpose of a Trusted Content source in Tanium?. A source of content that is guaranteed to be bug-free. A repository (like the Tanium Solutions site) where pre-built, validated content from Tanium and its partners can be downloaded and imported. A list of operators who are trusted to create content. A folder where only administrators can save content.

An operator needs to troubleshoot a complex issue that requires looking at the logs from the Tanium Client on a specific endpoint. Where are these logs typically located on a Windows machine?. C:\Windows\System32\config. Within the Tanium Client installation directory, often under C:\Program Files (x86)\Tanium\Tanium Client\Logs or a similar path. In the Windows Event Viewer under Application. They are not stored locally; they are all on the server.

What is the purpose of the taniuminit.dat file on an endpoint?. It is the main Tanium Client executable. It is a configuration file that contains the initial settings for the Tanium Client, such as the server address and port. It is a log file. It is a data cache file.

An operator is asked to provide documentation on all custom content (sensors, packages) in the Tanium environment. What is the most efficient way to gather this information?. Manually browse through each content area and take screenshots. Use the Tanium Console's content export or reporting features, which may allow you to export lists and details of all custom content. Ask each operator to document what they created. This information is not available.

What is the purpose of Version Control for Tanium content?. To ensure all content is written in the same language. To track changes to sensors, packages, and saved questions over time, allowing administrators to see what changed, when, and by whom, and to revert to previous versions if necessary. To control which version of the Tanium Client is running. To manage software versions on endpoints.

An operator needs to perform a query that requires data from a sensor that is known to be slow and resource-intensive on endpoints. What is a best practice to minimize impact?. Run the query on all endpoints during peak business hours. Run the query on a small, representative sample of endpoints first to gauge its impact and runtime. Do not run the query at all. Ask the sensor to be rewritten to be even more complex.

What is the function of the Tanium Solutions site?. It is a forum for discussing Tanium problems. It is a repository where Tanium and its community share pre-built content (sensors, packages, dashboards) that can be downloaded and imported into your environment. It is the Tanium documentation site. It is a site for purchasing Tanium licenses.

An operator is creating a new package and wants to ensure that any sensitive data, like passwords, used in the script is not exposed in the Action History. What is a recommended practice?. Hard-code the password in the script; it will be encrypted. Use parameters that are passed to the script at runtime, but be aware they will be visible in the Action History. For true secrets, consider using a secrets management tool or having the script retrieve the secret from a secure location at runtime. Pass the password in plain text; it's fine. Do not use passwords in scripts.

What is a Deployment Policy in the context of the Deploy module?. A rule about when to deploy software. A set of configurations that define a recurring, automated software deployment to a target group, ensuring that new members of the group automatically receive the software. A policy for which users can deploy software. A policy for which software can be deployed.

An operator needs to upgrade the Tanium Client on all endpoints to a new version. What is the recommended best practice for this procedure?. Deploy the new client installer to all endpoints at once using an action. Deploy the new client in a phased manner, starting with a small test group, then a pilot, and then expanding to the rest of the environment, monitoring for success at each stage. Manually upgrade each endpoint. Wait for the clients to auto-update, if that feature is enabled.

What is a Parameterized Query in the context of a saved question?. A query that uses a parameterized sensor. A saved question that itself accepts a parameter when it is run, allowing the same saved question to be used for different inputs (e.g., a saved question Get Logged In User for computer that accepts a computer name as a parameter). A query with multiple filters. A query that returns parameters instead of data.

An organization wants to integrate Tanium with their IT Service Management (ITSM) tool to automatically create tickets for failed software deployments. Which Tanium module is essential for this integration?. Trends. Deploy. Connect. Asset.

What is the best practice for handling credentials within a Tanium package or sensor?. Store them in plain text within the script. Use a dedicated, secure Secrets Management solution and have the script retrieve the necessary credential at runtime using a secure, authenticated method. Share them via email to anyone who needs them. Hard-code them and hope no one looks.

An operator notices that a recurring saved question is no longer collecting data. They check its history and see it has been failing with a Timeout error. What is the appropriate first step?. Increase the TTL (timeout) for the saved question significantly. Investigate why the question is timing out. Has the number of targeted endpoints grown? Is the sensor slower than it used to be? Is there a network issue? Addressing the root cause is better than just extending the timeout. Delete the saved question. Ignore the error, as it will likely resolve itself.

What is the purpose of a Staging or Test environment in a mature Tanium deployment?. To install the Tanium Server for testing purposes before upgrading production. To test new sensors, packages, and actions on a representative set of endpoints before deploying them to the production environment. To host the Tanium training console. There is no need for a test environment; production is fine for testing.

An operator needs to create a sensor that runs a complex Python script. The target endpoints may or may not have Python installed. What is the best practice for handling this dependency?. Assume Python is installed on all endpoints. Include a portable Python interpreter as a file in the sensor, and have the sensor script call that local interpreter to run the main logic. Ask all endpoint users to install Python. Write the sensor in a different language.

What is the function of Tracing or Debug Logging on a Tanium Client?. To trace the network path to the server. To enable a more verbose logging mode on the client, capturing detailed information about its internal operations for advanced troubleshooting purposes. To trace the execution of a sensor on the endpoint. To trace user activity on the endpoint.

An operator needs to ensure that a particular action is never deployed to a specific, critical server. What is the best way to enforce this?. Add a note to the action description. Place the server in a separate computer group and ensure that all action targeting excludes that group, or use the group's Exclude list in relevant dynamic groups. Ask the operator deploying actions to be careful. Uninstall the Tanium Client from that server.

What is the primary advantage of using Deploy Policies over individual actions for software management?. Policies are easier to create. Policies provide continuous enforcement. They ensure that the desired software state is maintained, automatically correcting any drift (e.g., if a user uninstalls the software, the policy will reinstall it). Policies run faster. Policies use less bandwidth.

An operator needs to schedule a saved question to run at a very specific time, like 2:15 AM. Can this be done?. No, scheduling is only in hourly increments. Yes, Tanium's scheduling capabilities are typically very flexible, allowing you to specify the exact minute for a recurring or one-time execution. Yes, but only by using a cron job on the server. No, saved questions can only be run manually.

What is a Cached Question result, and when is it used?. It is a question that is saved on your local hard drive. It is the stored result from the last time a saved question was executed. It is used when you open a saved question in the console, providing a fast, point-in-time view without re-running the query. It is a question that is stored in the Tanium Client's cache. It is a question that has been deleted.

An operator needs to understand the performance characteristics of a slow sensor. They have access to a test endpoint. What is a good troubleshooting step?. Run the sensor on the test endpoint via Tanium and measure the time it takes for the result to appear. Log into the test endpoint and run the sensor script manually, timing how long it takes to execute locally. Ask the sensor author. Guess.

What is the purpose of the Ignore list in the context of a compliance scan?. To ignore the scan results entirely. To specify certain findings or endpoints that should be excluded from compliance reporting (e.g., a known exception that has been approved by management). To ignore the scan schedule. To ignore errors during the scan.

An operator needs to deploy a package that should only run on 64-bit operating systems. How can they ensure this?. By writing a script that checks the OS architecture and exits if it's not 64-bit. By using a Target by Question that includes a filter for Operating System Architecture equals '64-bit'. By creating a dynamic group for 64-bit machines and targeting that group. All of the above are valid methods, with B and C being more efficient as they prevent the action from being sent to 32-bit machines at all.

What is the main difference between a Sensor that returns data and a Package that collects forensic data?. There is no difference; a package can be used to collect data by running a script and returning the output via Action History. A sensor is for real-time queries, a package is for one-off collections. A sensor's output is automatically displayed in Interact, while a package's output is viewed in the Action History for that specific action. Both A and C are valid distinctions. A package is a valid way to perform complex, one-time data collection tasks.

An operator wants to share a complex saved question with a colleague in a different geographical region. The colleague should be able to use it but not modify it. What permissions should be set?. Grant the colleague Full Control over the saved question. Place the saved question in a shared folder and grant the colleague's role Read and Execute permissions on that folder, but not Write. Email the query syntax to the colleague. Tell the colleague to re-create it from scratch.

What is the purpose of the Tanium Client Config tool (taniumclient.exe config)?. To uninstall the Tanium Client. To view and modify the local configuration settings of the Tanium Client, such as the server address, port, and proxy settings. To run a sensor. To check the client's connection status.

An operator is responsible for managing Tanium content. What is a best practice for naming conventions for custom sensors and packages?. Use a consistent, descriptive, and hierarchical naming convention (e.g., Security / CrowdStrike / Check Agent Status). Use random numbers. Use the name of the operator who created it. Use short, single-word names.

An organization is deploying Tanium in a highly restricted air-gapped network with no internet access. How can they get the latest threat intelligence and content updates?. They can't; Tanium requires internet access. They can use the Tanium Offline Content or Air-Gap update process, which involves manually downloading content bundles from a connected machine and importing them into the air-gapped environment. They must open a firewall rule to the internet. They must rely only on custom-built content.

What is the purpose of a Benchmark in the Comply module?. To measure the performance of the Comply module itself. A pre-defined security configuration standard (e.g., CIS Microsoft Windows Server 2019 Benchmark) against which endpoints can be scanned for compliance. To benchmark the speed of the network. To create a baseline of normal endpoint behavior.

An operator needs to schedule a complex action to run at a specific time, but they will be on vacation and unable to monitor it. What should they do?. Schedule it and hope for the best. Ensure the action has appropriate error handling and that notifications are set up (e.g., via Connect module) to alert the on-call team if there are widespread failures. Cancel the action until they return. Ask a colleague to manually check the Action History every hour.

What is the function of the Folder structure in the Tanium Console (e.g., for Saved Questions or Packages)?. To store files for packages. To organize content, making it easier to find and manage, and to apply RBAC permissions at a folder level. To create a virtual file system. To store archived content.

An operator wants to know the exact version of a custom sensor that is currently deployed to endpoints. Where can they find this information?. By looking at the sensor's definition in the console, which typically includes a version number if the author has maintained it. On the endpoint, in the sensor's cached files. This information is not tracked. By asking the sensor's author.

What is the purpose of Impact Analysis before deploying a major new custom sensor or package?. To analyze the impact on the stock market. To assess the potential load the new content might place on endpoints and the network, and to plan its deployment (e.g., during a maintenance window) accordingly. To analyze the impact on user productivity. To see how many endpoints will be affected.

An operator creates a new package and wants to ensure it is available for use by other operators in their department, but not by others. How can they achieve this?. By telling other operators about it. By saving the package in a departmental folder and relying on RBAC permissions to restrict access to that folder to only their department's role. By marking the package as Private. By password-protecting the package.

A new Tanium Certified Operator's most important takeaway should be: Tanium is a complex tool that only administrators can use. The platform's power comes from its real-time, query-based architecture, and an operator's primary skills are asking effective questions, understanding the data, and using that insight to take targeted actions. The most important thing is to memorize all sensor names. Actions are more important than questions.
