Tanium

Use the Tanium integration to manage questions, packages, and actions.

This integration was integrated and tested with Tanium v7.0.314 and PyTan v2.2.2.

Configure Tanium on Demisto

  1. Navigate to Settings > Integrations > Servers & Services .
  2. Search for Tanium.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • Host URL (e.g. 1.2.3.4)
    • Port
    • Credentials
    • Use system proxy settings
    • Click Test to validate the URL, credentials, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.

Action Commands

  1. Parse question text: tn-ask-question
  2. Ask a question about an endpoint: tn-ask-system
  3. Create and ask a manual question: tn-ask-manual-question
  4. Deploy a package: tn-deploy-package
  5. Approve pending (saved) actions: tn-approve-pending-action
  6. Create a package object: tn-create-package

Information Commands

  1. Get sensor information: tn-get-sensor
  2. Get a package object: tn-get-package
  3. Get a saved question: tn-get-saved-question
  4. Get an object: tn-get-object
  5. Get all packages: tn-get-all-packages
  6. Get all saved questions: tn-get-all-saved-questions
  7. Get all saved actions: tn-get-all-saved-actions
  8. Get all pending actions: tn-get-all-pending-actions
  9. Get all objects: tn-get-all-objects

Debug Commands

  1. Request the server to parse question text: tn-parse-query

Action Commands

1. Parse question text


Ask the server to parse the question text and select one of the parsed results as the question to run.

Base Command

tn-ask-question

Input
Argument Name Description Required
question The question text Required
index The index of the parsed question to be asked (as returned by the tn-parse-query command) Optional

Context Output
Path Type Description
Tanium.QuestionResults object Results of the requested question. Can be a complex object.
Command Example
  !tn-ask-question question="Get Computer Name from all machines"
Context Example
{
	Tanium: {
   		QuestionResults:[{
      		Computer Name: Demisto-Computer,
      		Count:1
   		}]
	}
}
Human Readable Output

Result for parsed query - Get Computer Name from all machines

Count Computer Name
1 Demisto-Computer

2. Ask a question about an endpoint


Ask a question about a specific endpoint.

Base Command

tn-ask-system

Input
Argument Name Description Required
hostname Name of host Required

Context Output
Path Type Description
Tanium.QuestionResults object Results of the question asked about the requested host. Can be a complex object.

Command Example
!tn-ask-system hostname="Demisto-Computer"
Context Example
{
	Tanium: {
   		QuestionResults:[{
      		Computer Name: Demisto-Computer,
      		Count:1
   		}]
	}
}
Human Readable Output

Result for parsed query - Get Computer Name from all machines

Count Computer Name
1 Demisto-Computer

3. Create and ask a manual question


Ask a manual question using human-readable sensor, filter, and option strings, and get the question results. Use the sensors_help, filters_help, and options_help arguments for the full syntax.

Base Command

tn-ask-manual-question

Input
Argument Name Description Required
sensors A semicolon-separated list of sensors (columns) to include in the question. For detailed information about a sensor, use the tn-get-sensor command. Optional
question_filters A semicolon-separated list of filters that apply to the entire question Optional
question_options A semicolon-separated list of options that apply to the entire question. Options are: ignore_case, match_case, match_any_value, match_all_values, max_data_age, value_type, and, or Optional
filters_help Print the help string for filters and exit Optional
sensors_help Print the help string for sensors and exit Optional
options_help Print the help string for options and exit Optional
polling_secs Number of seconds to wait between result fetching attempts Optional
complete_pct Percentage of mr_tested out of estimated_total at which the question is considered complete Optional

Context Output
Path Type Description
Tanium.QuestionResults object Results of requested question. May be a complex object

Command Example
!tn-ask-manual-question sensors="Computer Name, opt:max_data_age:60" question_filters="Index Query File Exists{fileMagicNumber=10}, that contains:No;Computer Name, that contains:WIN"
Context Example
{
	Tanium: {
   		QuestionResults:[{
      		Computer Name: Demisto-Computer,
      		Count:1
   		}]
	}
}
Human Readable Output

Result for parsed query - Get Computer Name from all machines

Count Computer Name
1 Demisto-Computer

4. Deploy a package


Deploy a package as a new saved action and get the results. The package command runs on every endpoint matched by action_filters, so verify the filters (for example with tn-ask-manual-question) before deploying. The ID of the created saved action is returned; if the action is pending approval, approve it with tn-approve-pending-action.

Base Command

tn-deploy-package

Input
Argument Name Description Required
package Name of package to deploy with this action Required
action_filters A semicolon-separated list of strings. Each string describes a sensor and a filter that limits which computers the action deploys the package to (e.g., "Operating System, that contains:Windows; Computer Name, that contains:WIN"). Optional
action_options A comma-separated list of options to apply to action_filters (e.g., "max_data_age:3600,and"). Default is "or". Optional
get_results Specifies whether to wait for result completion after deploying action Optional
package_args A comma-separated list of arguments needed to execute the package command. Run the tn-get-package command to view a detailed list of arguments. Optional
action_filters_groups A comma-separated list of computer group names to filter by Optional
action_group Name of action group Optional

Context Output
Path Type Description
Tanium.SavedActions.Id string Saved action ID
Tanium.SavedActions.Name string Saved action name

Command Example
!tn-deploy-package package="Comply - Remove Selected Hashes - Unix" package_args=hash1
Context Example
Tanium:{
	SavedActions:[{
		Id:1050
		Name:API Deploy Comply - Remove Selected Hashes - Unix
	}]
}
Human Readable Output

Id of saved action is 1050
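The sensor, filter, and option strings for tn-ask-manual-question (3) and tn-deploy-package (4) follow a small grammar that is easy to get wrong by hand. The Python below is an added example, not code from the Demisto integration or from PyTan: it renders those strings from structured input, refuses sensor names and values that contain the ';' and ',' separators the integration splits on, and turns a list of hostnames taken from Tanium.QuestionResults into the argument set for tn-deploy-package. Anything beyond what this page shows (several sensor parameters joined by ',' inside the braces, flag options rendered as opt:name) is an assumption and is marked as such in the code.

```python
"""Compose the "human string" arguments used by tn-ask-manual-question and
tn-deploy-package.

Added example, not part of the Demisto Tanium integration or PyTan. It only
assembles the string forms the page documents: "Sensor, that contains:value"
filters joined by ';', "Sensor{param=value}" sensor parameters,
", opt:name:value" sensor options and comma-separated action options.
"""
from typing import Dict, Iterable, List, Mapping, Optional

# Option names the integration lists for question_options.
QUESTION_OPTIONS = frozenset({
    "ignore_case", "match_case", "match_any_value", "match_all_values",
    "max_data_age", "value_type", "and", "or",
})
# The integration splits on these; a sensor name or value containing one
# would be re-split on the other side, so refuse it instead of guessing.
SEPARATORS = ";,"


def _token(text: object, what: str) -> str:
    value = str(text).strip()
    if not value:
        raise ValueError(f"empty {what}")
    if any(ch in value for ch in SEPARATORS):
        raise ValueError(f"{what} {value!r} contains a separator character")
    return value


def sensor_spec(name: str,
                params: Optional[Mapping[str, object]] = None,
                options: Optional[Mapping[str, Optional[object]]] = None) -> str:
    """Render one sensor column, e.g. 'Computer Name, opt:max_data_age:60'.

    Assumptions about the PyTan grammar (the page shows only one parameter and
    one valued option): several parameters are joined by ',' inside the
    braces, and an option whose value is None is a flag rendered as 'opt:name'.
    """
    spec = _token(name, "sensor name")
    if params:
        inner = ",".join(f"{_token(k, 'parameter name')}={_token(v, 'parameter value')}"
                         for k, v in params.items())
        spec += "{" + inner + "}"
    for key, value in (options or {}).items():
        if key not in QUESTION_OPTIONS:
            raise ValueError(f"unknown option {key!r}")
        spec += f", opt:{key}" if value is None else f", opt:{key}:{_token(value, 'option value')}"
    return spec


def filter_spec(sensor: str, value: str, operator: str = "that contains",
                params: Optional[Mapping[str, object]] = None) -> str:
    """Render one filter, e.g. 'Computer Name, that contains:WIN'.

    'that contains' is the only operator the page shows; it is a substring
    match, so a filter for 'web1' also matches 'web10'.
    """
    return f"{sensor_spec(sensor, params)}, {_token(operator, 'operator')}:{_token(value, 'filter value')}"


def join_specs(specs: Iterable[str]) -> str:
    """Join sensor or filter specs with the ';' the integration expects."""
    return ";".join(specs)


def action_options(max_data_age: Optional[int] = None, combine: str = "or") -> str:
    """Render action_options, e.g. 'max_data_age:3600,and'; 'or' is the default."""
    if combine not in ("and", "or"):
        raise ValueError("combine must be 'and' or 'or'")
    parts: List[str] = []
    if max_data_age is not None:
        if int(max_data_age) <= 0:
            raise ValueError("max_data_age must be a positive number of seconds")
        parts.append(f"max_data_age:{int(max_data_age)}")
    parts.append(combine)
    return ",".join(parts)


def hostnames_from_results(results: Iterable[Mapping[str, object]]) -> List[str]:
    """Collect distinct 'Computer Name' values from Tanium.QuestionResults rows."""
    names: List[str] = []
    for row in results:
        name = row.get("Computer Name")
        if name and str(name) not in names:
            names.append(str(name))
    return names


def deploy_args(package: str, hosts: Iterable[str],
                package_args: Iterable[str] = (),
                max_data_age: Optional[int] = None) -> Dict[str, str]:
    """Build the tn-deploy-package arguments for a list of target hostnames.

    One 'Computer Name, that contains:<host>' filter per host, combined with
    'or' so any listed host matches. An empty host list is refused: with no
    action_filters nothing in the command narrows the target set.
    """
    host_list = [_token(h, "hostname") for h in hosts]
    if not host_list:
        raise ValueError("refusing to deploy without target hosts")
    args = {
        "package": package.strip(),
        "action_filters": join_specs(filter_spec("Computer Name", h) for h in host_list),
        "action_options": action_options(max_data_age, "or"),
    }
    values = [_token(a, "package argument") for a in package_args]
    if values:
        args["package_args"] = ",".join(values)
    return args
```

Pass the rendered strings as the argument values of the commands above (for example the value of deploy_args(...)["action_filters"] as action_filters). Because "that contains" is a substring match, run the same filters through tn-ask-manual-question and check the returned Computer Name rows before deploying.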

5. Approve pending (saved) actions


Approve saved actions.

Base Command

tn-approve-pending-action

Input
Argument Name Description Required
action_id ID of the saved action to approve Required

Context Output
Path Type Description
Tanium.ActionApproval.ApprovedFlag boolean Approval status
Tanium.ActionApproval.Id string Saved action ID
Tanium.ActionApproval.Name string Saved action name

Command Example
!tn-approve-pending-action action_id=1050
Context Example
Tanium:{
	ActionApproval:[{
		ApprovedFlag:1
		Id:1050
		Name:API Deploy Comply - Remove Selected Hashes - Unix
	}]
}
Human Readable Output

Action Approval

ApprovedFlag Id Name
1 1050 API Deploy Comply - Remove Selected Hashes - Unix

6. Create a package object


Create a package object.

Base Command

tn-create-package

Input
Argument Name Description Required
name Name of package to create Required
command Command to execute Required
display_name Display name of package Optional
file_urls A comma-separated list of URLs of files to add to the package Optional
command_timeout_seconds Timeout for command execution (in seconds) Optional
expire_seconds Timeout for action expiry (in seconds) Optional

Context Output
Path Type Description
Tanium.Packages.verify_expire_seconds number Timeout for verifying the action expiry (in seconds)
Tanium.Packages.display_name string Display name of package
Tanium.Packages.name string Name of created package
Tanium.Packages.command string Command to execute
Tanium.Packages.creation_time date Package creation time
Tanium.Packages.command_timeout number Timeout for command execution (in seconds)
Tanium.Packages.modification_time date Package modification time
Tanium.Packages.last_update date Time when package was last updated
Tanium.Packages.deleted_flag boolean Was the package deleted
Tanium.Packages.id string Tanium unique package ID
Tanium.Packages.expire_seconds number Timeout for action expiry (in seconds)

Command Example
!tn-create-package command="cmd /c echo $1" name=EchoPackage display_name=Echo
Context Example
Tanium:{
	Packages:[{
		skip_lock_flag:0
		hidden_flag:0
		verify_group_id:0
		available_time:2001-01-01T00:00:00
		last_modified_by:Shani
		verify_expire_seconds:3600
		display_name:Echo
		name:EchoPackage
		command:cmd /c echo $1
		creation_time:2018-08-23T15:22:54
		command_timeout:600
		modification_time:2018-08-23T15:22:54
		last_update:2018-08-23T15:22:54
		deleted_flag:0
		_type:package_spec
		verify_group:{
			_type:group
			id:0
		}
		id:771
		expire_seconds:600
		source_id:0
	}]
}
Human Readable Output

Tanium Package

id name creation_time command
772 EchoPackage 2018-08-23T15:22:54 cmd /c echo $1

Information Commands

1. Get sensor information


Get detailed information about a specified sensor.

Base Command

tn-get-sensor

Input
Argument Name Description Required
name Name of the sensor Required

Context Output
Path Type Description
Tanium.Sensors.max_age_seconds number Sensor maximum age (in seconds)
Tanium.Sensors.description string Description of the sensor
Tanium.Sensors.name string Name of the sensor
Tanium.Sensors.id string ID of the sensor

Command Example
!tn-get-sensor name="Index Query File Exists"
Context Example
Tanium:{
	Sensors:[{
		hidden_flag:0
		string_count:6
		max_age_seconds:86400
		queries:{
			_type:queries
			query:[{
				_type:query
				platform:Windows
				script:select CSName from win32_operatingsystem
				script_type:WMIQuery
			}]
		}
		exclude_from_parse_flag:0
		value_type:String
		name:Computer Name
		ignore_case_flag:1
		_type:sensor
		id:3
		description:The assigned name of the client machine. Example: workstation-1.company.com
		category:Reserved
		source_id:0
	}]
}
Human Readable Output

Tanium Sensor - Index Query File Exists

id name category description max_age_seconds
706 Index Query File Exists Index Returns Yes or No, using Index to determine whether specified file exists based on the supplied input 900

Sensor Parameters Details

Key Name Values Description Type
directoryPath Directory Path Any value Glob of directory name used for searching,e.g. Windows TextInputParameter
fileName File Name Any value Glob of file name used for searching, e.g. *exe TextInputParameter

2. Get a package object


Get a package object by name or ID.

Base Command

tn-get-package

Input
Argument Name Description Required
name Name of package Optional
id Tanium ID of package (use instead of name) Optional

Context Output
Path Type Description
Tanium.Packages.verify_expire_seconds number Timeout for verifying action (in seconds)
Tanium.Packages.display_name string Display name of package
Tanium.Packages.name string Name of created package
Tanium.Packages.command string Command to execute
Tanium.Packages.creation_time date Package creation time
Tanium.Packages.command_timeout number Timeout for command execution (in seconds)
Tanium.Packages.modification_time date Package modification time
Tanium.Packages.last_modified_by string User who last modified the package
Tanium.Packages.last_update date Time when package was last updated
Tanium.Packages.deleted_flag boolean Was the package deleted
Tanium.Packages.id string Tanium unique package ID
Tanium.Packages.expire_seconds number Timeout for action (in seconds)
Tanium.Packages.files object Package files

Command Example
!tn-get-package name="Set Mac Tanium Client Logging Level"
Context Example
Tanium:{
	Packages:[{
		skip_lock_flag:0
		hidden_flag:0
		verify_group_id:0
		available_time:2016-04-06T13:03:12
		last_modified_by:Administrator
		verify_expire_seconds:600
		display_name:Set Mac Tanium Client Logging Level
		parameter_definition:{"parameters":[{"maximum":99,"key":"$1","stepSize":1,"label":"Log Level (0-99)","helpString":"Enter a logging level, 0=no logging, 99=verbose logging","snapInterval":1,"defaultValue":"1","minimum":0,"value":"1","parameterType":"com.tanium.components.parameters::NumericParameter","model":"com.tanium.components.parameters::NumericParameter"}],"parameterType":"com.tanium.components.parameters::ParametersArray","model":"com.tanium.components.parameters::ParametersArray"}
		name:Set Mac Tanium Client Logging Level
		command:/bin/sh set-log-level-parameterized.sh $1
		creation_time:2018-01-10T18:37:56
		command_timeout:900
		modification_time:2018-01-10T18:37:56
		last_update:2018-01-10T18:37:56
		deleted_flag:0
		files:{}
		_type:package_spec
		verify_group:{
			_type:group
			id:0
		}
		id:50
		expire_seconds:1500
		source_id:0
	}]
}
Human Readable Output

Tanium Package

id name creation_time command last_modified_by
50 Set Mac Tanium Client Logging Level 2018-01-10T18:37:56 /bin/sh set-log-level-parameterized.sh $1 Administrator

Package Arguments Details

Key Name Values Description Type
$1 Log Level (0-99) Any value Enter a logging level, 0=no logging, 99=verbose logging NumericParameter
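tn-get-package returns the parameter_definition that tells you how many arguments a package takes and, for NumericParameter entries, the range each one accepts; tn-deploy-package substitutes the comma-separated package_args into the $N placeholders of the package command. The Python below is an added example, not code from the integration or from Tanium: it checks package_args against that definition and against the placeholders in the command before the action is created. SAMPLE_PACKAGE is constructed from the tn-get-package output shown above; handling of parameter types other than NumericParameter (accepted unchanged) is this example's choice.

```python
"""Check tn-deploy-package arguments against a package's parameter_definition.

Added example, not part of the Demisto Tanium integration. It reads the
parameter_definition JSON that tn-get-package returns and the "$1"-style
placeholders in the package command, and validates the comma-separated
package_args before they are sent.
"""
import json
import math
import re
from typing import Dict, List, Mapping, Union

NUMERIC = "com.tanium.components.parameters::NumericParameter"
PLACEHOLDER = re.compile(r"\$(\d+)")

SAMPLE_PACKAGE = {  # constructed from the page's tn-get-package example
    "name": "Set Mac Tanium Client Logging Level",
    "command": "/bin/sh set-log-level-parameterized.sh $1",
    "parameter_definition": json.dumps({
        "parameters": [{
            "maximum": 99, "key": "$1", "stepSize": 1,
            "label": "Log Level (0-99)",
            "helpString": "Enter a logging level, 0=no logging, 99=verbose logging",
            "snapInterval": 1, "defaultValue": "1", "minimum": 0, "value": "1",
            "parameterType": NUMERIC, "model": NUMERIC,
        }],
        "parameterType": "com.tanium.components.parameters::ParametersArray",
        "model": "com.tanium.components.parameters::ParametersArray",
    }),
}


def parameter_definitions(definition: Union[str, Mapping[str, object], None]) -> List[dict]:
    """Return the package's parameter entries ordered $1, $2, ... (empty if none)."""
    if isinstance(definition, str):
        definition = json.loads(definition) if definition.strip() else {}
    params = list((definition or {}).get("parameters", []))
    return sorted(params, key=lambda p: int(str(p["key"]).lstrip("$")))


def placeholders(command: str) -> List[int]:
    """Distinct $N placeholders used by the package command, ascending."""
    return sorted({int(n) for n in PLACEHOLDER.findall(command)})


def _check_numeric(param: Mapping[str, object], value: str) -> None:
    """Enforce minimum, maximum and stepSize of a NumericParameter."""
    label = f"{param['key']} ({param.get('label', '')})"
    try:
        number = float(value)
    except ValueError:
        raise ValueError(f"{label} must be numeric, got {value!r}") from None
    low, high, step = param.get("minimum"), param.get("maximum"), param.get("stepSize")
    if low is not None and number < float(low):
        raise ValueError(f"{label} below minimum {low}: {value}")
    if high is not None and number > float(high):
        raise ValueError(f"{label} above maximum {high}: {value}")
    if step:
        steps = (number - float(low or 0)) / float(step)
        if not math.isclose(steps, round(steps), abs_tol=1e-9):
            raise ValueError(f"{label} must be a multiple of {step} from {low or 0}: {value}")


def validate_package_args(package: Mapping[str, object], package_args: str) -> Dict[str, str]:
    """Map package_args onto the package's parameters, or raise ValueError.

    Checks: the argument count equals the parameter count, every $N in the
    command has a definition, no value is empty, and numeric parameters are
    inside [minimum, maximum] and on the step grid. A value can never contain
    ',' here because the integration splits package_args on it.
    """
    defs = parameter_definitions(package.get("parameter_definition"))
    values = [v.strip() for v in package_args.split(",")] if package_args.strip() else []
    if len(values) != len(defs):
        raise ValueError(f"package expects {len(defs)} argument(s), got {len(values)}")
    defined = {int(str(d["key"]).lstrip("$")) for d in defs}
    missing = [n for n in placeholders(str(package.get("command", ""))) if n not in defined]
    if missing:
        raise ValueError(f"command uses undefined placeholder(s): {missing}")
    bound: Dict[str, str] = {}
    for param, value in zip(defs, values):
        if not value:
            raise ValueError(f"{param['key']} is empty")
        if param.get("parameterType") == NUMERIC:
            _check_numeric(param, value)
        bound[str(param["key"])] = value
    return bound
```

Call validate_package_args with the Tanium.Packages entry from tn-get-package and the package_args string you intend to pass to tn-deploy-package; only deploy if it returns without raising. The command string the endpoint runs is not quoted or escaped by anything on this page, so keeping arguments inside the declared ranges is the one check available before the action exists.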

3. Get a saved question


Get a saved question by name or ID.

Base Command

tn-get-saved-question

Input
Argument Name Description Required
name Name of saved question Optional
id Tanium unique id of saved question to be used instead of name Optional

Context Output
Path Type Description
Tanium.SavedQuestions.query_text string Question query text
Tanium.SavedQuestions.mod_time date Question modification time
Tanium.SavedQuestions.user.id string Unique ID of user who saved question
Tanium.SavedQuestions.user.name string Name of user who saved question
Tanium.SavedQuestions.name string Name of saved question
Tanium.SavedQuestions.expire_seconds number Question expiration time (in seconds)
Tanium.SavedQuestions.id string Unique ID of the saved question
Tanium.SavedQuestions.issue_seconds number Issue time (in seconds)

Command Example
!tn-get-saved-question id=132
Context Example
Tanium:{
	SavedQuestions:[{
		row_count_flag:0
		hidden_flag:0
		public_flag:1
		query_text:Get Is Virtual and Chassis Type from all machines
		issue_seconds_never_flag:0
		keep_seconds:0
		question:{}
		archive_enabled_flag:0
		mod_user:{}
		mod_time:2018-01-10T18:38:00
		action_tracking_flag:0
		name:Virtualized / Physical Chassis
		user: {}
		most_recent_question_id:519303
		packages:{}
		archive_owner:{}
		sort_column:0
		_type:saved_question
		issue_seconds:120
		id:182
		cache_row_id:68
		expire_seconds:600
	}]
}
Human Readable Output

Tanium Saved Question

query_text name id
Get Computer Name and Operating System from all machines with Action Lock Status containing "Action Lock On" Clients That Cannot Take Actions - Action Lock On 132

4. Get an object


Send a generic get object request.

Base Command

tn-get-object

Input
Argument Name Description Required
name Name of object Optional
id Tanium ID of the object (use instead of name) Optional
object_type Type of object to get Required

Context Output

There is no context output for this command.

Command Example
!tn-get-object object_type=sensor name="Computer Name"
Human Readable Output
{
    "_type": "sensors",
    "sensor": [
        {
            "_type": "sensor",
            "category": "Reserved",
            "description": "The assigned name of the client machine.\nExample: workstation-1.company.com",
            "exclude_from_parse_flag": 0,
            "hash": 3409330187,
            "hidden_flag": 0,
            "id": 3,
            "ignore_case_flag": 1,
            "max_age_seconds": 86400,
            "name": "Computer Name",
            "queries": {},
            "source_id": 0,
            "string_count": 6,
            "value_type": "String"
        }
    ]
}

5. Get all packages


Get all Tanium package objects.

Base Command

tn-get-all-packages

Input

There is no input for this command.

Context Output
Path Type Description
Tanium.Packages.verify_expire_seconds number Timeout for verifying the action (in seconds)
Tanium.Packages.display_name string Display name of package
Tanium.Packages.name string Name of created package
Tanium.Packages.command string Command to execute
Tanium.Packages.creation_time date Package creation time
Tanium.Packages.command_timeout number Timeout for command execution (in seconds)
Tanium.Packages.modification_time date Package modification time
Tanium.Packages.last_modified_by string User who last modified the package
Tanium.Packages.last_update date Time when package was last updated
Tanium.Packages.deleted_flag boolean Is the package deleted
Tanium.Packages.id string Tanium unique package ID
Tanium.Packages.expire_seconds number Timeout for the action (in seconds)
Tanium.Packages.files unknown Package files

Command Example
!tn-get-all-packages
Context Example
Tanium:{
	Packages:[{
		skip_lock_flag:0
		hidden_flag:0
		verify_group_id:0
		available_time:2016-04-06T13:03:12
		last_modified_by:Administrator
		verify_expire_seconds:600
		display_name:Set Mac Tanium Client Logging Level
		parameter_definition:{"parameters":[{"maximum":99,"key":"$1","stepSize":1,"label":"Log Level (0-99)","helpString":"Enter a logging level, 0=no logging, 99=verbose logging","snapInterval":1,"defaultValue":"1","minimum":0,"value":"1","parameterType":"com.tanium.components.parameters::NumericParameter","model":"com.tanium.components.parameters::NumericParameter"}],"parameterType":"com.tanium.components.parameters::ParametersArray","model":"com.tanium.components.parameters::ParametersArray"}
		name:Set Mac Tanium Client Logging Level
		command:/bin/sh set-log-level-parameterized.sh $1
		creation_time:2018-01-10T18:37:56
		command_timeout:900
		modification_time:2018-01-10T18:37:56
		last_update:2018-01-10T18:37:56
		deleted_flag:0
		files:{}
		_type:package_spec
		verify_group:{
			_type:group
			id:0
		}
		id:50
		expire_seconds:1500
		source_id:0
	}]
}
Human Readable Output

Tanium Packages

id name creation_time command last_modified_by
734 Detect Intel for Windows 2001-01-01T00:00:00 cmd /c cscript /nologo run-add-intel-package.vbs 2>&1
672 Remove Tanium Trace Tools [Mac-Linux] 2018-08-21T10:57:13 /bin/bash remove_tanium_trace_tools.sh Administrator

6. Get all saved questions


Gets all saved questions.

Base Command

tn-get-all-saved-questions

Input

There are no inputs for this command.

Context Output
Path Type Description
Tanium.SavedQuestions.query_text string Question query text
Tanium.SavedQuestions.mod_time date Question modification time
Tanium.SavedQuestions.user.id string Unique ID of the user who saved question
Tanium.SavedQuestions.user.name string Name of the user who saved question
Tanium.SavedQuestions.name string Name of saved question
Tanium.SavedQuestions.expire_seconds number Question expiration time (in seconds)
Tanium.SavedQuestions.id string Unique ID of the saved question
Tanium.SavedQuestions.issue_seconds number Issue time (in seconds)

Command Example
!tn-get-all-saved-questions
Context Example
Tanium:{
	SavedQuestions:[{
		row_count_flag:0
		hidden_flag:0
		public_flag:1
		query_text:Get Is Virtual and Chassis Type from all machines
		issue_seconds_never_flag:0
		keep_seconds:0
		question:{}
		archive_enabled_flag:0
		mod_user:{}
		mod_time:2018-01-10T18:38:00
		action_tracking_flag:0
		name:Virtualized / Physical Chassis
		user: {}
		most_recent_question_id:519303
		packages:{}
		archive_owner:{}
		sort_column:0
		_type:saved_question
		issue_seconds:120
		id:182
		cache_row_id:68
		expire_seconds:600
	}]
}
Human Readable Output

Tanium Saved Questions

query_text name id
Get Is Virtual and Chassis Type from all machines Virtualized / Physical Chassis 182
Get Installed Applications starting with "adobe reader" from all machines Adobe Reader Versions 197

7. Get all saved actions


Gets all saved actions.

Base Command

tn-get-all-saved-actions

Input

There is no input for this command.

Context Output
Path Type Description
Tanium.SavedActions.distribute_seconds number Distribute seconds of action
Tanium.SavedActions.public_flag boolean Whether action is public or not
Tanium.SavedActions.action_group_id string Group ID of action
Tanium.SavedActions.approver.id string ID of the user who approved the action
Tanium.SavedActions.start_time date Action start time
Tanium.SavedActions.name string Action name
Tanium.SavedActions.user.id string ID of the user who created the action
Tanium.SavedActions.creation_time date Time the action was created
Tanium.SavedActions.end_time date Time the action ended
Tanium.SavedActions.status string Action status
Tanium.SavedActions.last_start_time date Last time action started
Tanium.SavedActions.id string ID of action
Tanium.SavedActions.package_spec.id string The package associated with the action
Tanium.SavedActions.approved_flag boolean Whether action was approved or not

Command Example
!tn-get-all-saved-actions
Context Example
Tanium:{
	SavedActions:[{
		distribute_seconds:0
		public_flag:0
		action_group_id:0
		approver:{}
		issue_count:0
		start_time:2001-01-01T00:00:00
		name:Unscheduled - Clean Stale Tanium Client Data
		user:{}
		creation_time:2016-08-10T07:12:58
		metadata:{}
		target_group:{}
		end_time:Never
		status:1
		last_start_time:Never
		package_spec:{}
		approved_flag:1
		next_start_time:Never
		_type:saved_action
		issue_seconds:0
		policy_flag:0
		id:94
		cache_row_id:1
		user_start_time:2016-08-10T07:13:00
		expire_seconds:1800
		last_action:{} 
	}]
}
Human Readable Output

Tanium Saved Actions

id name creation_time action_group_id approved_flag
914 API Deploy USB Write Protect - Set to On 2018-08-17T01:59:31 0 0
939 Start Tanium Trace Session 2018-08-21T07:00:52 2334 0

8. Get all pending actions


Gets all pending actions.

Base Command

tn-get-all-pending-actions

Input

There is no input for this command.

Context Output
Path Type Description
Tanium.PendingActions.distribute_seconds number Distribute seconds of action
Tanium.PendingActions.public_flag boolean Whether action is public or not
Tanium.PendingActions.action_group_id string Group ID of action
Tanium.PendingActions.approver.id string ID of the user who approved the action
Tanium.PendingActions.start_time date Action start time
Tanium.PendingActions.name string Action name
Tanium.PendingActions.user.id string ID of the user who created the action
Tanium.PendingActions.creation_time date Time the action was created
Tanium.PendingActions.end_time date Time the action ended
Tanium.PendingActions.status string Action status
Tanium.PendingActions.last_start_time date Last time action started
Tanium.PendingActions.id string ID of the action
Tanium.PendingActions.package_spec.id string The package associated with the action
Tanium.PendingActions.approved_flag boolean Whether the action was approved

Command Example
!tn-get-all-pending-actions
Context Example
Tanium:{
	PendingActions:[{
		distribute_seconds:0
		public_flag:0
		action_group_id:0
		approver:{}
		issue_count:0
		start_time:2001-01-01T00:00:00
		name:Unscheduled - Clean Stale Tanium Client Data
		user:{}
		creation_time:2016-08-10T07:12:58
		metadata:{}
		target_group:{}
		end_time:Never
		status:1
		last_start_time:Never
		package_spec:{}
		approved_flag:1
		next_start_time:Never
		_type:saved_action
		issue_seconds:0
		policy_flag:0
		id:94
		cache_row_id:1
		user_start_time:2016-08-10T07:13:00
		expire_seconds:1800
		last_action:{} 
	}]
}
Human Readable Output

Tanium Pending Actions

id name creation_time action_group_id approved_flag
914 API Deploy USB Write Protect - Set to On 2018-08-17T01:59:31 0 0
939 Start Tanium Trace Session 2018-08-21T07:00:52 2334 0
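tn-approve-pending-action (Action Commands, 5) takes an action ID and approves whatever that ID refers to, so a playbook should decide which IDs from the list above to pass it rather than approving everything that is pending. The Python below is an added example, not code from the integration: it filters Tanium.PendingActions rows so that only unapproved actions created through this integration (named "API Deploy <package>", as in the tn-deploy-package output), deploying an allow-listed package and created inside a time window, are selected, and it renders the approval commands. The sample rows are constructed from the page's examples; the allowlist, the window, and the naive-timestamp assumption are this example's own.

```python
"""Decide which pending Tanium actions to approve with tn-approve-pending-action.

Added example, not part of the Demisto Tanium integration. It works on the
Tanium.PendingActions rows returned by tn-get-all-pending-actions.
"""
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Mapping, Optional, Tuple

# Actions created by tn-deploy-package are named this way on the page.
API_PREFIX = "API Deploy "

SAMPLE_PENDING = [  # constructed from the page's pending-action and deploy examples
    {"id": 914, "name": "API Deploy USB Write Protect - Set to On",
     "creation_time": "2018-08-17T01:59:31", "action_group_id": 0, "approved_flag": 0},
    {"id": 939, "name": "Start Tanium Trace Session",
     "creation_time": "2018-08-21T07:00:52", "action_group_id": 2334, "approved_flag": 0},
    {"id": 1050, "name": "API Deploy Comply - Remove Selected Hashes - Unix",
     "creation_time": "2018-08-23T15:30:00", "action_group_id": 0, "approved_flag": 0},
]


def package_of(action: Mapping[str, object]) -> Optional[str]:
    """Package name behind an 'API Deploy <package>' action, else None."""
    name = str(action.get("name", ""))
    return name[len(API_PREFIX):] if name.startswith(API_PREFIX) else None


def select_for_approval(pending: Iterable[Mapping[str, object]],
                        allowed_packages: Iterable[str],
                        now: datetime,
                        max_age: timedelta = timedelta(hours=1)) -> Tuple[List[int], Dict[int, str]]:
    """Split pending actions into IDs to approve and {id: reason} rejections.

    creation_time values on the page carry no timezone, so 'now' is assumed to
    be a naive datetime on the Tanium server's clock.
    """
    allowed = set(allowed_packages)
    approve: List[int] = []
    rejected: Dict[int, str] = {}
    for action in pending:
        action_id = int(action["id"])
        if int(action.get("approved_flag", 0) or 0):
            rejected[action_id] = "already approved"
            continue
        package = package_of(action)
        if package is None:
            rejected[action_id] = "not created through the API; leave for a human"
            continue
        if package not in allowed:
            rejected[action_id] = f"package {package!r} is not on the allowlist"
            continue
        created = datetime.fromisoformat(str(action["creation_time"]))
        if not (timedelta(0) <= now - created <= max_age):
            rejected[action_id] = f"created {created.isoformat()} is outside the approval window"
            continue
        approve.append(action_id)
    return approve, rejected


def approval_commands(action_ids: Iterable[int]) -> List[str]:
    """One tn-approve-pending-action invocation per approved ID."""
    return [f"!tn-approve-pending-action action_id={action_id}" for action_id in action_ids]
```

Run tn-get-all-pending-actions immediately before approving and feed the fresh rows in; the approved_flag and the set of pending IDs can change between fetches, and the ID is the only thing the approve command checks.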

9. Get all objects


Gets all objects of the specified type.

Base Command

tn-get-all-objects

Input
Argument Name Description Required
object_type Type of object to get Required

Context Output

There is no context output for this command.

Command Example
!tn-get-all-objects object_type=sensor
Human Readable Output
{
    "_type": "sensors",
    "sensor": [
        {
            "_type": "sensor",
            "category": "Reserved",
            "description": "The assigned name of the client machine.\nExample: workstation-1.company.com",
            "exclude_from_parse_flag": 0,
            "hash": 3409330187,
            "hidden_flag": 0,
            "id": 3,
            "ignore_case_flag": 1,
            "max_age_seconds": 86400,
            "name": "Computer Name",
            "queries": {},
            "source_id": 0,
            "string_count": 6,
            "value_type": "String"
        }
    ]
}

Debug Commands

1. Request the server to parse question text


Ask the server to parse the question text and return all parsing options.

Base Command

tn-parse-query

Input
Argument Name Description Required
question The question text to be parsed Optional

Context Output

There is no context output for this command.

Command Example
!tn-parse-query question="get computer name"
Human Readable Output

Tanium Questions

index question
1 Get Computer Name from all machines
2 Get Computer ID from all machines
3 Get Computer ID containing "name" from all machines