Filtering findings for reports

A finding is the result of a check on an endpoint at a specific point in time. When you run an assessment, the results appear on the Findings page in the Compliance tab or in the Vulnerability tab. Use the provided categories on the Findings page to filter results and save those filtered results as reports. Reports built from findings can be customized and re-run using any combination of available data.

Filter compliance findings

From the Comply menu, click Findings. The findings for compliance assessments are displayed in the Compliance tab. At the top level, you can filter by Computer Group(s). Click within the edit field to add multiple groups to the filter. You can also apply the OR and AND buttons to the selected computer groups.

Only groups that include sensors that are collected by the Tanium Data Service (TDS) are available for filtering.

Click Customize Columns to add or remove categories from the findings grid.

To use filters with more categories, click the Filters link to access Standard filter categories and the Filter Builder.

Standard filter

Using the provided fields, you can filter findings by Computer Group, Rule ID, Rule, Endpoint, Scan Method (Any, Client-Based, Remote Authenticated), Operating System Generation, Operating System, Standard, Profile, Status Category (Fail, Pass, Informational), IP Address and % Compliant (Pass/Fail).

% Compliant (Pass/Fail) is the percentage of the Pass column in relation to the Findings column. Note that this filter does not apply to findings on the Standard and Profile tab or the Rule tab.

Filter builder

Click the Filter Builder button in the Filters section to create your own filter. With the filter builder, you can filter compliance and vulnerability findings using Comply Tanium Data Service (TDS) and additional TDS harvested sensors.

From the filter builder, you can filter on the following sources (this is a sample of the available sources):

Computer Groups - Filter compliance or vulnerability findings based on Tanium computer groups.

You can also filter on the following sensors:

Comply - Compliance Findings - Create a complex filter using the metadata from the expansion columns that Comply supplies. The available columns for Compliance Findings are as follows:

  • Check ID - The unique identifier for a Compliance rule. It is made up of the benchmark name, benchmark version, profile name, profile version, and rule id.

  • State - The result of the scan engine evaluation of the rule. The possible values for state are: fail, pass, fixed, error, unknown, notapplicable, notchecked, notselected, informational.

  • Category - A computed value based on the state. The possible values for category are: fail, pass, error, informational. These are all mapped to the same state values. All other state values are ignored.

  • Rule ID - The rule identifier for the benchmark rule.

  • Profile - The name of the benchmark profile.

  • Rule - The name of the benchmark rule.

  • Severity - The severity value of the rule.

  • Standard - The combination of the benchmark name and profile name.

  • Version - The benchmark version.

Comply - Compliance Percentage - This sensor returns the aggregate compliance percentage from an endpoint.

Comply Assessment Status - This sensor returns the status of each assessment evaluated on an endpoint. It has three columns.

  • Assessment ID - The unique hash of the assessment that was evaluated on an endpoint.

  • Status - The status of the assessment. The possible values are:
    • Scanned - The assessment has been completed on the endpoint without error.
    • Error - The assessment has been completed but an error has occurred.

  • Status Details - The error code that represents the type of error that occurred during the assessment. To view error code details, see Reference: Common errors.

Quick filter

You can also quick filter the Findings view by toggling the following tabs:

  • Standard and Profile: A collection of checks and rules along with logic for how to combine those checks to determine a final status for an endpoint

  • Rule: A standard and any filters applied to that standard in a custom profile

  • Endpoints: The targets that are being evaluated

  • Operating system: The operating system installed on the targets

  • All Findings: Lists all results found by assessments. Click the Get more details icon for an individual finding to view a pop-up with information for that finding.



Filter vulnerability findings

From the Comply menu, click Findings. The findings for vulnerability assessments are displayed in the Vulnerability tab. At the top level, you can filter by Computer Group(s). Click within the edit field to add multiple groups to the filter. You can also apply the OR and AND buttons to the selected computer groups.

Only groups that include sensors that are collected by the Tanium Data Service (TDS) are available for filtering.

Click Customize Columns to add or remove categories from the findings grid.

To use filters with more categories, click the Filters link to access Standard filter categories and the Filter Builder.

You can filter findings by Computer Group, Severity, and expand the Filters link to use the following additional filters: Check ID, CVE Year, CVSS Score, Endpoint, Scan Method (Any, Client-Based, Remote Authenticated), Operating System Generation, Operating System, Title, and IP Address.

Standard filter

Filter findings using any of the following categories: Check ID, CVE Year, Score, Endpoint, Scan Method, Operating System Generation, Operating System, Title, IP Address, CPEs, Affected Products, Affected Platforms. (See the Filter builder section below for details on each category.)

Quick filter

You can also quick filter the findings by Severity by clicking the High, Medium, Low, Info buttons.

Additionally, you can quick filter with the following categories:

  • Check ID: The CVE ID. For example, CVE-2020-0810

  • Endpoints: The targets that are being evaluated

  • Operating system: The operating system installed on the targets

  • Severity: High, Medium, Low, and Info

    • Info represents vulnerabilities for which a CVSS score is pending.

  • All Findings: Lists all results found by assessments. Click the Get More Details icon for an individual finding to view.

Filter builder

Click the Filter Builder button in the Filters section to create your own vulnerability filter. In the Source column for vulnerability filters, the following sensors are available:

Comply Vulnerability Findings - These findings are derived from the Comply - CVE Findings sensor, which only has the Check ID column. Vulnerability findings include the following TDS expansion columns:

  • Check ID - The CVE (Common Vulnerabilities and Exposures) ID.

  • Affected Products - The list of product names associated with the CVE.

  • Affected Platforms - The list of platform names associated with the CVE.

  • CPEs - The list of CPEs (Common Platform Enumeration) associated with the CVE.

  • CVE Modified Date - The date when the CVE definition was last modified.

  • CVE Created Date - The date when the CVE definition was created.

  • CVE Year - The year the CVE was created.

  • CVSS Score - The Common Vulnerability Scoring System score assigned to the CVE.

  • CVSS Severity - The CVSS severity value. One of the following:

    • High - CVSS Score is greater than or equal to 7 and less than or equal to 10.

    • Medium - CVSS Score is greater than or equal to 4 and less than 7.

    • Low - CVSS Score is greater than or equal to 0 and less than 4.

    • Info - No CVSS Score has been assigned to this CVE.

  • CVE Title - The title of the CVE.

Comply - Oval Findings - This sensor returns the list of OVAL (Open Vulnerability Assessment Language) definitions that the scan engine has determined apply to the endpoint. The OVAL definitions are associated with CVEs and are what is used by the scan engine to determine if an endpoint is vulnerable to a particular CVE.

Filter Builder Example

Create a filter to view vulnerability findings from endpoints that have run a Windows 10 compliance benchmark assessment.

For this example, you've run both a compliance scan and vulnerability scans on Windows 10 endpoints, but you want to filter down to those Windows 10 endpoints that ran the compliance scan only. You would select the following fields in the filter builder:

  • Source: Comply-Assessment status

  • Column: Assessment ID

  • Operator: is equal to

  • Value: The assessment hash for the particular assessment you want to filter by.

Once your selections are made, click the Apply button.

Custom Sensors

If you have created a custom sensor and registered it in TDS, it appears at the end of the Source list for the filter, allowing you to filter by these custom sensors. For example, if you've tagged your endpoints by location, and you have a custom sensor for all the endpoints in your Dallas data center, you can select the sensor for the Dallas data center in the filter builder and use it to find all the vulnerabilities in the Dallas data center. Note that for custom sensors, no columns will appear in the filter builder.

Download as CSV

You can export Findings to a CSV file and download the file by doing the following:

  1. Click the Download as CSV button on the Findings page.

  2. In the export window, enter a Name for the CSV file. This file name cannot include spaces or relative paths.
  3. Optionally, select the check box to Include Headers in the file.
  4. Choose a Compression Type or select None.
  5. Click the Export button. The CSV file is downloaded to your local system.
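
Once findings are exported, the rules described on this page can be re-applied offline to check a report against the console. The following is an added example, not Tanium code: it derives Category from State, computes a per-endpoint % Compliant, and buckets CVSS scores by the thresholds listed above. The CSV header names (Endpoint, Rule ID, State) and the choice to leave ignored states out of the Findings count are assumptions.

```python
import csv
import io
from collections import defaultdict

# States mapped to a Category of the same name; all other states are ignored.
CATEGORIES = {"fail", "pass", "error", "informational"}

def category(state):
    """Return the computed Category for a State, or None if it is ignored."""
    s = state.strip().lower()
    return s if s in CATEGORIES else None

def cvss_severity(score):
    """Bucket a CVSS score using the thresholds listed on this page."""
    if score is None or str(score).strip() == "":
        return "Info"  # no CVSS score assigned
    value = float(score)
    if not 0 <= value <= 10:
        raise ValueError(f"CVSS score out of range: {value}")
    if value >= 7:
        return "High"
    return "Medium" if value >= 4 else "Low"

def percent_compliant(csv_text):
    """Per-endpoint pass percentage (assumes ignored states are not counted)."""
    passed, total = defaultdict(int), defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        cat = category(row["State"])
        if cat is None:
            continue
        total[row["Endpoint"]] += 1
        passed[row["Endpoint"]] += int(cat == "pass")
    return {ep: round(100 * passed[ep] / total[ep], 1) for ep in total}

# Constructed sample export; the header names are assumptions.
SAMPLE_CSV = """Endpoint,Rule ID,State
host-a,rule_1,pass
host-a,rule_2,fail
host-a,rule_3,notapplicable
host-a,rule_4,pass
host-b,rule_1,error
host-b,rule_2,pass
"""

if __name__ == "__main__":
    print(percent_compliant(SAMPLE_CSV))
    print([cvss_severity(s) for s in ("9.8", "6.9", "0", "")])
```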


Create reports from findings

Use the Save As button on the Findings page to create a report from the current view.

On the Save Report page, do the following:

  1. Enter a Report Name. A default name for the report is automatically generated.

  2. Optionally, enter a description for the report.

  3. Select a Content Set. See Tanium Core Platform User Guide: Managing RBAC for information on content sets.

  4. Click Save.



View reports by clicking on Reports in the Comply menu.