Tanium Threat Response
Tanium Threat Response This integration was integrated and tested with version xx of Tanium Threat Response
Configure Tanium Threat Response on Demisto
- Navigate to Settings > Integrations > Servers & Services.
- Search for Tanium Threat Response.
- Click Add instance to create and configure a new integration instance.
| Parameter | Description | Required |
|---|---|---|
| isFetch | Fetch incidents | False |
| incidentType | Incident type | False |
| url | Hostname, IP address, or server URL | True |
| credentials | Username | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
| fetch_time | First fetch timestamp ({number} {time unit}, e.g., 12 hours, 7 days) | False |
| filter_alerts_by_state | A comma-separated list of alert states to filter by in fetch incidents command. Possible options are: unresolved, in progress, resolved or suppressed. Empty list won't filter the incidents by state. | False |
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
tanium-tr-get-intel-doc-by-id
Returns an intel document object based on ID.
Base Command
tanium-tr-get-intel-doc-by-id
Input
| Argument Name | Description | Required |
|---|---|---|
| intel-doc-id | The intel document ID. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Tanium.IntelDoc.AlertCount | Number | The number of alerts that currently exist for this intel. |
| Tanium.IntelDoc.CreatedAt | Date | The date at which this intel was first added to the system. |
| Tanium.IntelDoc.Description | String | The description of the intel, as declared in the document or as updated by a user. |
| Tanium.IntelDoc.ID | Number | The unique identifier for this intel in this instance of the system. |
| Tanium.IntelDoc.LabelIds | Number | The IDs of all labels applied to this intel. |
| Tanium.IntelDoc.Name | String | The name of the intel, as declared in the document or as updated by a user. |
| Tanium.IntelDoc.UnresolvedAlertCount | Number | The number of unresolved alerts that currently exist for this intel. |
| Tanium.IntelDoc.UpdatedAt | Date | The date when this intel was last updated. |
Command Example
!tanium-tr-get-intel-doc-by-id intel-doc-id=2
Context Example
{
"Tanium": {
"IntelDoc": {
"AlertCount": 0,
"CreatedAt": "2019-07-31T18:46:28.814Z",
"Description": "Detects usage of the NET.EXE utility to enumerate members of the local Administrators or Domain Administrators groups. Often used during post-compromise reconnaissance.",
"ID": 2,
"LabelIds": [
2,
3,
9,
16
],
"Name": "Administrator Account Enumeration",
"UnresolvedAlertCount": 0,
"UpdatedAt": "2020-01-14T21:37:30.934Z"
}
}
}
Human Readable Output
Intel Doc information
| ID | Name | Description | Type | Alert Count | Unresolved Alert Count | Created At | Updated At | Label Ids |
|---|---|---|---|---|---|---|---|---|
| 2 | Administrator Account Enumeration | Detects usage of the NET.EXE utility to enumerate members of the local Administrators or Domain Administrators groups. Often used during post-compromise reconnaissance. | 0 | 0 | 2019-07-31T18:46:28.814Z | 2020-01-14T21:37:30.934Z | 2, 3, 9, 16 |
tanium-tr-list-intel-docs
Returns a list of all intel documents.
Base Command
tanium-tr-list-intel-docs
Input
| Argument Name | Description | Required |
|---|---|---|
| limit | The maximum number of intel documents to return. | Optional |
| offset | The offset number to begin listing intel documents. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Tanium.IntelDoc.AlertCount | Number | The number of alerts that currently exist for this intel. |
| Tanium.IntelDoc.CreatedAt | Date | The date at which this intel was first added to the system. |
| Tanium.IntelDoc.Description | String | The description of the intel, as declared in the document or as updated by a user. |
| Tanium.IntelDoc.ID | Number | The unique identifier for this intel in this instance of the system. |
| Tanium.IntelDoc.LabelIds | Number | The IDs of all labels applied to this intel. |
| Tanium.IntelDoc.Name | String | The name of the intel, as declared in the document or as updated by a user. |
| Tanium.IntelDoc.UnresolvedAlertCount | Number | The number of unresolved alerts that currently exist for this intel. |
| Tanium.IntelDoc.UpdatedAt | Date | The date when this intel was last updated. |
Command Example
!tanium-tr-list-intel-docs limit=2
Context Example
{
"Tanium": {
"IntelDoc": [
{
"AlertCount": 0,
"CreatedAt": "2020-01-14T21:37:32.263Z",
"ID": 99,
"LabelIds": [
2,
7,
11,
16
],
"Name": "Spooler Service Creating or Spawning Executables",
"UnresolvedAlertCount": 0,
"UpdatedAt": "2020-01-14T21:37:32.263Z"
},
{
"AlertCount": 0,
"CreatedAt": "2020-01-14T21:37:32.075Z",
"ID": 98,
"LabelIds": [
2,
8,
16
],
"Name": "RunDll Creating MiniDump",
"UnresolvedAlertCount": 0,
"UpdatedAt": "2020-01-14T21:37:32.075Z"
}
]
}
}
Human Readable Output
Intel docs
| ID | Name | Alert Count | Unresolved Alert Count | Created At | Updated At | Label Ids |
|---|---|---|---|---|---|---|
| 99 | Spooler Service Creating or Spawning Executables | 0 | 0 | 2020-01-14T21:37:32.263Z | 2020-01-14T21:37:32.263Z | 2, 7, 11, 16 |
| 98 | RunDll Creating MiniDump | 0 | 0 | 2020-01-14T21:37:32.075Z | 2020-01-14T21:37:32.075Z | 2, 8, 16 |
tanium-tr-list-alerts
Returns a list of all alerts.
Base Command
tanium-tr-list-alerts
Input
| Argument Name | Description | Required |
|---|---|---|
| limit | The maximum number of alerts to return. The default value is 5. | Optional |
| offset | The offset number to begin listing alerts. | Optional |
| computer-ip-address | Filter alerts by the specified computer IP addresses. | Optional |
| computer-name | Filter alerts by the specified computer name. | Optional |
| scan-config-id | Filter alerts by the specified scan config ID. | Optional |
| intel-doc-id | Filter alerts by the specified intel document ID. | Optional |
| severity | Filter alerts by the specified severity. | Optional |
| priority | Filter alerts by the specified priority. | Optional |
| type | Filter alerts by the specified type. | Optional |
| state | Filter alerts by the specified state. Can be "Unresolved", "In Progress", "Ignored", or "Resolved". | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Tanium.Alert.Priority | String | The priority of the alert. |
| Tanium.Alert.ComputerName | String | The hostname of the computer that generated the alert. |
| Tanium.Alert.GUID | String | A globally unique identifier for this alert in the customer environment. |
| Tanium.Alert.AlertedAt | Date | The moment that the alert was generated. |
| Tanium.Alert.UpdatedAt | Date | The last time the alert state was updated. |
| Tanium.Alert.State | String | The current state of the alert. For example, "unresolved", "inprogress", and so on. |
| Tanium.Alert.ComputerIpAddress | String | The IP address of the computer that generated the alert. |
| Tanium.Alert.Type | String | The name of the alert type. For example, "detect.endpoint.match". |
| Tanium.Alert.ID | Number | The ID of the alert. For example, "123". |
| Tanium.Alert.CreatedAt | Date | The date when the alert was received by the Detect product. |
| Tanium.Alert.IntelDocId | Number | The intel document revision, if intelDocId is present. |
| Tanium.Alert.Severity | String | The severity of the alert. |
Command Example
!tanium-tr-list-alerts limit=1
Context Example
{
"Tanium": {
"Alert": {
"AlertedAt": "2019-09-22T14:01:31.000Z",
"ComputerIpAddress": "172.0.0.0",
"ComputerName": "HOST_NAME",
"CreatedAt": "2019-09-22T14:01:59.768Z",
"GUID": "a33e3482-556e-4e9d-bbbd-2fdbe330d492",
"ID": 1,
"IntelDocId": 64,
"Priority": "high",
"Severity": "info",
"State": "Unresolved",
"Type": "detect.match",
"UpdatedAt": "2020-02-05T14:55:41.440Z"
}
}
}
Human Readable Output
Alerts
| ID | Type | Severity | Priority | Alerted At | Created At | Updated At | Computer Ip Address | Computer Name | GUID | State | Intel Doc Id |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | detect.match | info | high | 2019-09-22T14:01:31.000Z | 2019-09-22T14:01:59.768Z | 2020-02-05T14:55:41.440Z | 172.0.0.0 | HOST_NAME | a33e3482-556e-4e9d-bbbd-2fdbe330d492 | Unresolved | 64 |
tanium-tr-get-alert-by-id
Returns an alert object based on alert ID.
Base Command
tanium-tr-get-alert-by-id
Input
| Argument Name | Description | Required |
|---|---|---|
| alert-id | The alert ID. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Tanium.Alert.Priority | String | The priority of the alert. |
| Tanium.Alert.ComputerName | String | The hostname of the computer that generated the alert. |
| Tanium.Alert.GUID | String | A globally unique identifier for this alert in the customer environment. |
| Tanium.Alert.AlertedAt | Date | The date when the alert was generated. |
| Tanium.Alert.UpdatedAt | Date | The date when the alert state was last updated. |
| Tanium.Alert.State | String | The current state of the alert. For example, "unresolved", "inprogress". |
| Tanium.Alert.ComputerIpAddress | String | The IP address of the computer that generated the alert. |
| Tanium.Alert.Type | String | The name of the alert type. For example, "detect.endpoint.match". |
| Tanium.Alert.ID | Number | The ID of the alert. For example, "123". |
| Tanium.Alert.CreatedAt | Date | The date when the alert was received by the Detect product. |
| Tanium.Alert.IntelDocId | Number | The intel document revision, if intelDocId is present. |
| Tanium.Alert.Severity | String | The severity of the alert. |
Command Example
!tanium-tr-get-alert-by-id alert-id=1
Context Example
{
"Tanium": {
"Alert": {
"AlertedAt": "2019-09-22T14:01:31.000Z",
"ComputerIpAddress": "172.0.0.0",
"ComputerName": "HOST_NAME",
"CreatedAt": "2019-09-22T14:01:59.768Z",
"GUID": "a33e3482-556e-4e9d-bbbd-2fdbe330d492",
"ID": 1,
"IntelDocId": 64,
"Priority": "high",
"Severity": "info",
"State": "Unresolved",
"Type": "detect.match",
"UpdatedAt": "2020-02-05T14:55:41.440Z"
}
}
}
Human Readable Output
Alert information
| ID | Type | Severity | Priority | Alerted At | Created At | Updated At | Computer Ip Address | Computer Name | GUID | State | Intel Doc Id |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | detect.match | info | high | 2019-09-22T14:01:31.000Z | 2019-09-22T14:01:59.768Z | 2020-02-05T14:55:41.440Z | 172.0.0.0 | HOST_NAME | a33e3482-556e-4e9d-bbbd-2fdbe330d492 | Unresolved | 64 |
tanium-tr-alert-update-state
Updates the state of a single alert.
Base Command
tanium-tr-alert-update-state
Input
| Argument Name | Description | Required |
|---|---|---|
| alert-id | The ID of the alert to update. | Required |
| state | The new state for the alert. Can be "Unresolved", "In Progress", "Ignored", or "Resolved". | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Tanium.Alert.Priority | String | The priority of the alert. |
| Tanium.Alert.ComputerName | String | The hostname of the computer that generated the alert. |
| Tanium.Alert.GUID | String | A globally unique identifier for this alert in the customer environment. |
| Tanium.Alert.AlertedAt | Date | The date when the alert was generated. |
| Tanium.Alert.UpdatedAt | Date | The date when the alert state was last updated. |
| Tanium.Alert.State | String | The current state of the alert. For example, "unresolved", "inprogress". |
| Tanium.Alert.ComputerIpAddress | String | The IP address of the computer that generated the alert. |
| Tanium.Alert.Type | String | The name of the alert type. For example, "detect.endpoint.match". |
| Tanium.Alert.ID | Number | The ID of the alert. For example, "123". |
| Tanium.Alert.CreatedAt | Date | The date when the alert was received by the Detect product. |
| Tanium.Alert.IntelDocId | Number | The intel document revision, if intelDocId is present. |
| Tanium.Alert.Severity | String | The severity of the alert. |
Command Example
!tanium-tr-alert-update-state alert-id=1 state=Unresolved
Context Example
{
"Tanium": {
"Alert": {
"AlertedAt": "2019-09-22T14:01:31.000Z",
"ComputerIpAddress": "172.0.0.0",
"ComputerName": "HOST_NAME",
"CreatedAt": "2019-09-22T14:01:59.768Z",
"GUID": "a33e3482-556e-4e9d-bbbd-2fdbe330d492",
"ID": 1,
"IntelDocId": 64,
"Priority": "high",
"Severity": "info",
"State": "Unresolved",
"Type": "detect.match",
"UpdatedAt": "2020-02-05T14:55:41.440Z"
}
}
}
Human Readable Output
Alert state updated to Unresolved
| ID | Type | Severity | Priority | Alerted At | Created At | Updated At | Computer Ip Address | Computer Name | GUID | State | Intel Doc Id |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | detect.match | info | high | 2019-09-22T14:01:31.000Z | 2019-09-22T14:01:59.768Z | 2020-02-05T14:55:41.440Z | 172.0.0.0 | HOST_NAME | a33e3482-556e-4e9d-bbbd-2fdbe330d492 | Unresolved | 64 |
tanium-tr-list-snapshots-by-connection
Returns all snapshots of a single connection.
Base Command
tanium-tr-list-snapshots-by-connection
Input
| Argument Name | Description | Required |
|---|---|---|
| limit | The maximum number of snapshots to return. | Optional |
| offset | The offset number to begin listing snapshots. | Optional |
| connection-name | The connection name. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Tanium.Snapshot.ConnectionName | String | The snapshot connection name. |
| Tanium.Snapshot.Error | String | The snapshot error message. |
| Tanium.Snapshot.ID | String | The snapshot id. |
| Tanium.Snapshot.Started | Date | The date when the snapshot was created. |
| Tanium.Snapshot.State | String | The current state of the snapshot. |
Command Example
!tanium-tr-list-snapshots-by-connection connection-name=HOST_NAME limit=2
Context Example
{
"Tanium": {
"Snapshot": [
{
"ConnectionName": "HOST_NAME",
"FileName": "2020_02_06T15.54.43.600Z.db",
"Started": "2020-02-06T15:54:43.600Z",
"State": "complete"
},
{
"ConnectionName": "HOST_NAME",
"Error": "Error checkpointing remote database",
"FileName": "2020_02_06T15.54.46.795Z.db",
"Started": "2020-02-06T15:54:46.795Z",
"State": "error"
}
]
}
}
Human Readable Output
Snapshots
| File Name | Connection Name | State | Started | Error |
|---|---|---|---|---|
| 2020_02_06T15.54.43.600Z.db | HOST_NAME | complete | 2020-02-06T15:54:43.600Z | |
| 2020_02_06T15.54.46.795Z.db | HOST_NAME | error | 2020-02-06T15:54:46.795Z | Error checkpointing remote database |
tanium-tr-create-snapshot
Captures a new snapshot by connection name.
Base Command
tanium-tr-create-snapshot
Input
| Argument Name | Description | Required |
|---|---|---|
| connection-name | The connection name. | Required |
Context Output
There is no context output for this command.
Command Example
!tanium-tr-create-snapshot connection-name=HOST_NAME
Human Readable Output
Initiated snapshot creation request for HOST_NAME.
tanium-tr-delete-snapshot
Deletes a snapshot by connection name and snapshot ID.
Base Command
tanium-tr-delete-snapshot
Input
| Argument Name | Description | Required |
|---|---|---|
| connection-name | The connection name. | Required |
| snapshot-id | The snapshot ID. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Tanium.Snapshot.ID | String | The snapshot ID. |
| Tanium.Snapshot.ConnectionName | String | The connection name. |
| Tanium.Snapshot.Deleted | Boolean | Whether the snapshot has been deleted. |
Command Example
!tanium-tr-delete-snapshot connection-name=HOST_NAME snapshot-id=2020_02_06T15.54.43.600Z.db
Context Example
{
"Tanium": {
"LocalSnapshot": {
"ConnectionName": "HOST_NAME",
"Deleted": True,
"FileName": "2020_02_06T15.54.43.600Z.db"
}
}
}
Human Readable Output
Snapshot 2020_02_06T15.54.43.600Z.db deleted successfully.
tanium-tr-list-local-snapshots-by-connection
Returns all local snapshots of a single connection.
Base Command
tanium-tr-list-local-snapshots-by-connection
Input
| Argument Name | Description | Required |
|---|---|---|
| limit | The maximum number of local snapshots to return. The default value is 50. | Optional |
| offset | The offset number to begin listing local snapshots. | Optional |
| connection-name | The connection name. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Tanium.LocalSnapshot.ConnectionName | String | The snapshot connection name. |
| Tanium.LocalSnapshot.Deleted | Boolean | Whether the snapshot has been deleted. |
| Tanium.LocalSnapshot.FileName | String | The snapshot file name. |
Command Example
!tanium-tr-list-local-snapshots-by-connection connection-name=HOST_NAME limit=2
Context Example
{
"Tanium": {
"LocalSnapshot": [
{
"ConnectionName": "HOST_NAME",
"Deleted": false,
"FileName": "2020_02_06T15.54.43.600Z.db"
},
{
"ConnectionName": "HOST_NAME",
"Deleted": false,
"FileName": "2020_01_09T15.25.13.535Z.db"
}
]
}
}
Human Readable Output
Local snapshots
| File Name | Connection Name |
|---|---|
| 2020_02_06T15.54.43.600Z.db | HOST_NAME |
| 2020_01_09T15.25.13.535Z.db | HOST_NAME |
tanium-tr-delete-local-snapshot
Deletes a local snapshot by directory name and file name.
Base Command
tanium-tr-delete-local-snapshot
Input
| Argument Name | Description | Required |
|---|---|---|
| connection-name | The connection name. | Required |
| file-name | The file name. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Tanium.LocalSnapshot.FileName | String | The snapshot file name. |
| Tanium.LocalSnapshot.Deleted | Boolean | Whether the local snapshot has been deleted. |
Command Example
!tanium-tr-delete-local-snapshot connection-name=HOST_NAME file-name=2020_02_06T15.54.43.600Z.db
Context Example
{
"Tanium": {
"LocalSnapshot": {
"ConnectionName": "HOST_NAME",
"Deleted": true,
"FileName": "2020_02_06T15.54.43.600Z.db"
}
}
}
Human Readable Output
Local snapshot from Directory HOST_NAME and File 2020_02_06T15.54.43.600Z.db is deleted successfully.
tanium-tr-list-connections
Returns all connections.
Base Command
tanium-tr-list-connections
Input
| Argument Name | Description | Required |
|---|---|---|
| limit | The maximum number of connections to return. | Optional |
| offset | The offset number to begin listing connections. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Tanium.Connection.CreateTime | Date | Time when the connection was first created. |
| Tanium.Connection.Name | String | The connection name. |
| Tanium.Connection.Remote | Boolean | Whether it is a remote connection. |
| Tanium.Connection.State | String | Current connection state. Can be "closed", "pending", "active", "timeout", or "migrating". |
| Tanium.Connection.Deleted | Boolean | Whether the connection has been deleted. |
| Tanium.Connection.DestionationType | String | The destionation type (computer_name or ip_address). |
| Tanium.Connection.DST | String | The connection's DST. |
| Tanium.Connection.OSName | String | The connection's operating system. |
Command Example
!tanium-tr-list-connections limit=2
Context Example
{
"Tanium": {
"Connection": [
{
"DST": "HOST_NAME",
"Name": "HOST_NAME",
"State": "timeout",
"Deleted": false,
"DestionationType": "computer-name",
"OSName": "Linux"
},
{
"DST": "HOST_NAME-2020_01_09T15.25.13.535Z.db",
"Name": "HOST_NAME-2020_01_09T15.25.13.535Z.db",
"State": "timeout",
"Deleted": false,
"DestionationType": "computer-name"
"OSName": "Linux"
}
]
}
}
Human Readable Output
Connections
| Name | State | DST | OS Name |
|---|---|---|---|
| HOST_NAME | timeout | HOST_NAME | Linux |
| HOST_NAME-2020_01_09T15.25.13.535Z.db | timeout | HOST_NAME-2020_01_09T15.25.13.535Z.db | Linux |
tanium-tr-get-connection-by-name
Returns a connection object based on connection name.
Base Command
tanium-tr-get-connection-by-name
Input
| Argument Name | Description | Required |
|---|---|---|
| connection-name | The connection name. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Tanium.Connection.CreateTime | Date | Time when the connection was first created. |
| Tanium.Connection.Name | String | The connection name. |
| Tanium.Connection.Remote | Boolean | Whether it is a remote connection. |
| Tanium.Connection.State | String | Current connection state. Can be "closed", "pending", "active", "timeout", or "migrating". |
| Tanium.Connection.Deleted | Boolean | Whether the connection has been deleted. |
| Tanium.Connection.DestionationType | String | The destionation type (computer_name or ip_address). |
| Tanium.Connection.DST | String | The connection's DST. |
| Tanium.Connection.OSName | String | The connection's operating system. |
Command Example
!tanium-tr-get-connection-by-name connection-name=HOST_NAME
Context Example
{
"Tanium": {
"Connection": {
"CreateTime": "2020-02-06T15:54:40.830Z",
"Name": "HOST_NAME",
"Deleted": false,
"OSName": "Windows",
"Remote": true,
"State": "active"
}
}
}
Human Readable Output
Connection information
| Name | State | Remote | Create Time | OS Name |
|---|---|---|---|---|
| HOST_NAME | active | true | 2020-02-06T15:54:40.830Z | Windows |
tanium-tr-create-connection
Creates a local or remote connection.
Base Command
tanium-tr-create-connection
Input
| Argument Name | Description | Required |
|---|---|---|
| remote | Whether it is a remote connection. Can be "True" or "False". | Required |
| destination-type | Type of destination. Can be "ip_address" or "computer_name". | Required |
| destination | Computer name or IP address. | Required |
| connection-timeout | connection timeout, in milliseconds. | Optional |
Context Output
There is no context output for this command.
Command Example
!tanium-tr-create-connection destination=HOST_NAME destination-type=computer_name remote=False
Human Readable Output
Initiated connection request to HOST_NAME.
tanium-tr-delete-connection
Deletes a connection by connection name.
Base Command
tanium-tr-delete-connection
Input
| Argument Name | Description | Required |
|---|---|---|
| connection-name | The name of the connection. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Tanium.Connection.Name | String | The connection name. |
| Tanium.Connection.Deleted | Boolean | Whether the connection has been deleted. |
Command Example
!tanium-tr-delete-connection connection-name=HOST_NAME
Context Example
{
"Tanium": {
"Connection": {
"Name": "HOST_NAME",
"Deleted": true
}
}
}
Human Readable Output
Connection HOST_NAME deleted successfully.
tanium-tr-list-labels
Returns all available labels in the system.
Base Command
tanium-tr-list-labels
Input
| Argument Name | Description | Required |
|---|---|---|
| limit | The maximum number of labels to return. | Optional |
| offset | The offset number to begin listing labels. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Tanium.Label.CreatedAt | Date | The date when this label was created. |
| Tanium.Label.Description | String | An extended description of the label. |
| Tanium.Label.ID | Number | The unique identifier for this label. |
| Tanium.Label.IndicatorCount | Number | The number of indicator-based intel documents associated with this label, not including Tanium Signals. |
| Tanium.Label.Name | String | The display name of the label. |
| Tanium.Label.SignalCount | Number | The number of Tanium Signal documents associated with this label. |
| Tanium.Label.UpdatedAt | Date | The date when this label was last updated, not including the intel and signal counts. |
Command Example
!tanium-tr-list-labels limit=2
Context Example
{
"Tanium": {
"Label": [
{
"CreatedAt": "2019-07-31T18:46:28.629Z",
"Description": "These signals have been tested and reviewed internally for syntax. Little or no testing of expected alert generation has been conducted. These signals are not included on the external feed.",
"ID": 1,
"IndicatorCount": 0,
"Name": "Alpha",
"SignalCount": 0,
"UpdatedAt": "2019-07-31T18:46:28.629Z"
},
{
"CreatedAt": "2019-07-31T18:46:28.629Z",
"Description": "These signals have been tested and reviewed internally for syntax. Internal testing of expected alert generation has been verified. Testing on internal systems for false positives has been conducted and tuned if necessary. These signals are included on the external feed.",
"ID": 2,
"IndicatorCount": 0,
"Name": "Beta",
"SignalCount": 97,
"UpdatedAt": "2019-07-31T18:46:28.629Z"
}
]
}
}
Human Readable Output
Labels
| Name | Description | ID | Indicator Count | Signal Count | Created At | Updated At |
|---|---|---|---|---|---|---|
| Alpha | These signals have been tested and reviewed internally for syntax. Little or no testing of expected alert generation has been conducted. These signals are not included on the external feed. | 1 | 0 | 0 | 2019-07-31T18:46:28.629Z | 2019-07-31T18:46:28.629Z |
| Beta | These signals have been tested and reviewed internally for syntax. Internal testing of expected alert generation has been verified. Testing on internal systems for false positives has been conducted and tuned if necessary. These signals are included on the external feed. | 2 | 0 | 97 | 2019-07-31T18:46:28.629Z | 2019-07-31T18:46:28.629Z |
tanium-tr-get-label-by-id
Returns a label object based on label ID.
Base Command
tanium-tr-get-label-by-id
Input
| Argument Name | Description | Required |
|---|---|---|
| label-id | The label ID. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Tanium.Label.CreatedAt | Date | The date when this label was created. |
| Tanium.Label.Description | String | An extended description of the label. |
| Tanium.Label.ID | Number | The unique identifier for this label. |
| Tanium.Label.IndicatorCount | Number | The number of indicator-based intel documents associated with this label, not including Tanium Signals. |
| Tanium.Label.Name | String | The display name of the label. |
| Tanium.Label.SignalCount | Number | The number of Tanium Signal documents associated with this label. |
| Tanium.Label.UpdatedAt | Date | The date this label was last updated, not including the intel and signal counts. |
Command Example
!tanium-tr-get-label-by-id label-id=1
Context Example
{
"Tanium": {
"Label": {
"CreatedAt": "2019-07-31T18:46:28.629Z",
"Description": "These signals have been tested and reviewed internally for syntax. Little or no testing of expected alert generation has been conducted. These signals are not included on the external feed.",
"ID": 1,
"IndicatorCount": 0,
"Name": "Alpha",
"SignalCount": 0,
"UpdatedAt": "2019-07-31T18:46:28.629Z"
}
}
}
Human Readable Output
Label information
| Name | Description | ID | Indicator Count | Signal Count | Created At | Updated At |
|---|---|---|---|---|---|---|
| Alpha | These signals have been tested and reviewed internally for syntax. Little or no testing of expected alert generation has been conducted. These signals are not included on the external feed. | 1 | 0 | 0 | 2019-07-31T18:46:28.629Z | 2019-07-31T18:46:28.629Z |
tanium-tr-list-file-downloads
Returns all downloaded files in the system.
Base Command
tanium-tr-list-file-downloads
Input
| Argument Name | Description | Required |
|---|---|---|
| limit | The maximum number of files to return. The default value is 50. | Optional |
| offset | Offset to start getting file downloads. The default is 0. | Optional |
| host | Filter downloaded files by host. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Tanium.FileDownload.Size | Number | The size of the file, in bytes. |
| Tanium.FileDownload.Path | String | The path of the file. |
| Tanium.FileDownload.Downloaded | Date | The date when this file was downloaded. |
| Tanium.FileDownload.Host | String | The hostname of the downloaded file. |
| Tanium.FileDownload.Created | Date | The date when the file was created. |
| Tanium.FileDownload.Hash | String | The file hash. |
| Tanium.FileDownload.SPath | String | The file SPath. |
| Tanium.FileDownload.ID | Number | The downloaded file ID. |
| Tanium.FileDownload.LastModified | Date | The date when the file was last modified. |
| Tanium.FileDownload.CreatedBy | String | The user that created this file. |
| Tanium.FileDownload.CreatedByProc | String | The process path that created this file. |
| Tanium.FileDownload.LastModifiedBy | String | The user that last modified this file. |
| Tanium.FileDownload.LastModifiedByProc | String | The process path that modified this file. |
| Tanium.FileDownload.Comments | String | Additional comments for the downloaded file. |
| Tanium.FileDownload.Tags | String | The downloaded file tags. |
| Tanium.FileDownload.Deleted | Boolean | Whether the file download has been deleted. |
Command Example
!tanium-tr-list-file-downloads host=HOST_NAME limit=2 offset=1
Context Example
{
"Tanium": {
"FileDownload": [
{
"Created": "2020-01-02 15:39:57.289",
"CreatedBy": "NT AUTHORITY\\LOCAL SERVICE",
"CreatedByProc": "C:\\Windows\\System32\\svchost.exe",
"Downloaded": "2020-01-02 15:40:29.003",
"Hash": "2ae2da9237309b13b9a9d52d1358c826",
"Host": "HOST_NAME",
"ID": 4,
"LastModified": "2020-01-02 15:39:57.289",
"LastModifiedBy": "NT AUTHORITY\\LOCAL SERVICE",
"LastModifiedByProc": "C:\\Windows\\System32\\svchost.exe",
"Path": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive1.dat",
"SPath": "6ae86937-611f-45e9-900c-3ba57298f264.zip",
"Size": 2048,
"Deleted": false
},
{
"Created": "Tue, 03 Sep 2019 17:51:40 GMT",
"Downloaded": "2020-01-15 13:04:02.827",
"Hash": "99297a0e626ca092ff1884ad28f54453",
"Host": "HOST_NAME",
"ID": 6,
"LastModified": "Wed, 15 Jan 2020 08:57:19 GMT",
"Path": "C:\\Program Files (x86)\\Tanium\\Tanium Client\\Logs\\log1.txt",
"SPath": "c0531415-87a6-4d28-a226-b485784b1881.zip",
"Size": 10485904,
"Deleted": true
}
]
}
}
Human Readable Output
File downloads
| ID | Host | Path | Hash | Downloaded | Size | Created | Created By | Created By Proc | Last Modified | Last Modified By | Last Modified By Proc | S Path |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 4 | HOST_NAME | C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat | 2ae2da9237309b13b9a9d52d1358c826 | 2020-01-02 15:40:29.003 | 2048 | 2020-01-02 15:39:57.289 | NT AUTHORITY\LOCAL SERVICE | C:\Windows\System32\svchost.exe | 2020-01-02 15:39:57.289 | NT AUTHORITY\LOCAL SERVICE | C:\Windows\System32\svchost.exe | 6ae86937-611f-45e9-900c-3ba57298f264.zip |
| 6 | HOST_NAME | C:\Program Files (x86)\Tanium\Tanium Client\Logs\log1.txt | 99297a0e626ca092ff1884ad28f54453 | 2020-01-15 13:04:02.827 | 10485904 | Tue, 03 Sep 2019 17:51:40 GMT | Wed, 15 Jan 2020 08:57:19 GMT | c0531415-87a6-4d28-a226-b485784b1881.zip |
tanium-tr-get-downloaded-file
Gets the actual content of a downloaded file by file ID.
Base Command
tanium-tr-get-downloaded-file
Input
| Argument Name | Description | Required |
|---|---|---|
| file-id | The file ID. | Required |
Context Output
There is no context output for this command.
Command Example
!tanium-tr-get-downloaded-file file-id=4
Context Example
{
"File": {
"EntryID": "8389@b32fdf18-1c65-43af-8918-7f85a1fab951",
"Extension": "zip",
"Info": "application/zip",
"MD5": "216923cc567afe1009e7c90c105450f5",
"Name": "lastalive1.dat.zip",
"SHA1": "f7d257dc94ea0b650f62cc87264861b593a341c8",
"SHA256": "5d0051b4c596e06217bdb3e48196b0515a7983f18a8ea7477bc33c837e0202e5",
"SHA512": "269669cda90658e1bfea8ff85f27f8f68320ccd3b54c64a00037204fa3b5422634d9107806ddad585fa0d5c7fe7aa7fa240afb4142c6ff02537b039d176bd482",
"SSDeep": "6:5jPRX/CSkILyratwQte+zetPYwCRXgLrCDh/+loUn:5jtCCPtTzep33vCDJaoUn",
"Size": 253,
"Type": "Zip archive data, at least v2.0 to extract"
}
}
Human Readable Output
tanium-tr-list-events-by-connection
Queries events for a connection.
Base Command
tanium-tr-list-events-by-connection
Input
| Argument Name | Description | Required |
|---|---|---|
| connection-name | The connection name. | Required |
| event-type | The type of event. Can be "File", "Network", "Registry", "Process", "Driver", "Security", "Combined", "DNS", or "Image". The default is "Combined". | Required |
| limit | The maximum number of events to return. The default value is 50. | Optional |
| offset | Offset to start getting the result set. The default is 0. | Optional |
| filter | Advanced search that filters according to event fields. For example: [['process_id', 'gt', '30'], ['username', 'ne', 'administrator']]. Optional fields: process_id, process_name, process_hash, process_command_line, username, process_name, create_time (UTC). Optional operators: eq (equals), ne (does not equal); for integers/date: gt (greater than), gte (greater than or equals), ls (less than), lse (less than or equals); for strings: co (contains), nc (does not contain). | Optional |
| match | Whether the results should fit all filters or at least one filter. | Optional |
| sort | A comma-separated list of fields to sort on prefixed by +/- for ascending or descending and ordered by priority left to right. Optional fields: process_id, process_name, process_hash, process_command_line, username, process_name, create_time (UTC). | Optional |
| fields | A comma-separated list of fields on which to search. Optional fields: process_id, process_name, process_hash, process_command_line, username, process_name, create_time. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| TaniumEvent.Domain | String | The domain of the event. |
| TaniumEvent.File | String | The path of the file in the event. |
| TaniumEvent.Operation | String | The event operation. |
| TaniumEvent.ProcessID | Number | The ID of the process. |
| TaniumEvent.ProcessName | String | The name of the process. |
| TaniumEvent.ProcessTableID | Number | The ID of the process table. |
| TaniumEvent.Timestamp | Date | The date when the event was created. |
| TaniumEvent.Username | String | The username associated with the event. |
| TaniumEvent.DestinationAddress | String | The network event destination address. |
| TaniumEvent.DestinationPort | Number | The network event destination port. |
| TaniumEvent.SourceAddress | String | The network event source address. |
| TaniumEvent.SourcePort | Number | The network event source port. |
| TaniumEvent.KeyPath | String | The registry key path. |
| TaniumEvent.ValueName | String | The registry value name. |
| TaniumEvent.ExitCode | Number | The process exit code. |
| TaniumEvent.ProcessCommandLine | String | The process command line. |
| TaniumEvent.ProcessHash | String | The hash value of the process. |
| TaniumEvent.SID | Number | The process SID. |
| TaniumEvent.Hashes | String | The hashes of the driver. |
| TaniumEvent.ImageLoaded | String | The image loaded path of the driver. |
| TaniumEvent.Signature | String | The signature of the driver. |
| TaniumEvent.Signed | Boolean | Whether the driver is signed. |
| TaniumEvent.EventID | Number | The ID of the event. |
| TaniumEvent.EventOpcode | Number | The event opcode. |
| TaniumEvent.EventRecordID | Number | The ID of the event record. |
| TaniumEvent.EventTaskID | Number | The ID of the event task. |
| TaniumEvent.Query | String | The query of the DNS. |
| TaniumEvent.Response | String | The response of the DNS. |
| TaniumEvent.ImagePath | String | The image path. |
| TaniumEvent.CreationTime | Date | The process creation time |
| TaniumEvent.EndTime | Date | The process end time. |
| TaniumEvent.EventTaskName | String | The name of the event task. |
| TaniumEvent.Property.Name | String | The name of the event's property |
| TaniumEvent.Property.Value | String | The value of the event's property |
Command Example
!tanium-tr-list-events-by-connection connection-name=HOST_NAME event-type=Process limit=2
Context Example
{
"Tanium": {
"Event": [
{
"Domain": "root",
"Type": "Process",
"CreationTime": "2020-03-02 16:05:37.574",
"EndTime": "2020-03-03 11:28:28.413",
"ExitCode": 0,
"ProcessCommandLine": "sleep 0.1",
"ProcessID": 13136,
"ProcessName": "/usr/bin/sleep",
"ProcessTableID": 17191168,
"SID": 5,
"Username": "root"
},
{
"Domain": "root",
"Type": "Process",
"CreationTime": "2020-03-02 23:09:33.153",
"EndTime": "2020-03-03 08:48:05.624",
"ExitCode": 0,
"ProcessCommandLine": "sleep 0.1",
"ProcessHash": "BEA3A5351BBE28622A560FF5F18C805E",
"ProcessID": 4229,
"ProcessName": "/usr/bin/sleep",
"ProcessTableID": 17232881,
"SID": 5,
"Username": "root"
}
]
}
}
Human Readable Output
Events for HOST_NAME
| Domain | Type | Process Table ID | Process Command Line | Process ID | Process Name | Exit Code | SID | Username | Creation Time | End Time |
|---|---|---|---|---|---|---|---|---|---|---|
| root | Process | 17191168 | sleep 0.1 | 13136 | /usr/bin/sleep | 0 | 5 | root | 2020-03-02 16:05:37.574 | 2020-03-03 11:28:28.413 |
| root | Process | 17232881 | sleep 0.1 | 4229 | /usr/bin/sleep | 0 | 5 | root | 2020-03-02 23:09:33.153 | 2020-03-03 08:48:05.624 |
tanium-tr-get-file-download-info
Gets the metadata of a file download. You must supply either the path or id agument for the command to run successfully.
Base Command
tanium-tr-get-file-download-info
Input
| Argument Name | Description | Required |
|---|---|---|
| host | The hostname of the downloaded file. | Required |
| path | The path of the file. | Optional |
| id | File download ID. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Tanium.FileDownload.Size | Number | The size of the file, in bytes. |
| Tanium.FileDownload.Path | String | The path of the file. |
| Tanium.FileDownload.Downloaded | Date | The date when this file was downloaded. |
| Tanium.FileDownload.Host | String | The hostname of the downloaded file. |
| Tanium.FileDownload.Created | Date | The date when the file was created. |
| Tanium.FileDownload.Hash | String | The file hash. |
| Tanium.FileDownload.SPath | String | The file SPath. |
| Tanium.FileDownload.ID | Number | The downloaded file ID. |
| Tanium.FileDownload.LastModified | Date | The date when the file was last modified. |
| Tanium.FileDownload.CreatedBy | String | The user that created this file. |
| Tanium.FileDownload.CreatedByProc | String | The process path that created this file. |
| Tanium.FileDownload.LastModifiedBy | String | The user that last modified this file. |
| Tanium.FileDownload.LastModifiedByProc | String | The process path that modified this file. |
| Tanium.FileDownload.Comments | String | The downloaded file comments. |
| Tanium.FileDownload.Tags | String | The downloaded file tags. |
| Tanium.FileDownload.Deleted | Boolean | Whether the file download has been deleted. |
Command Example
!tanium-tr-get-file-download-info host=HOST_NAME id=4
Context Example
{
"Tanium": {
"FileDownload": {
"Created": "2020-01-02 15:39:57.289",
"CreatedBy": "NT AUTHORITY\\LOCAL SERVICE",
"CreatedByProc": "C:\\Windows\\System32\\svchost.exe",
"Downloaded": "2020-01-02 15:40:29.003",
"Hash": "2ae2da9237309b13b9a9d52d1358c826",
"Host": "HOST_NAME",
"ID": 4,
"LastModified": "2020-01-02 15:39:57.289",
"LastModifiedBy": "NT AUTHORITY\\LOCAL SERVICE",
"LastModifiedByProc": "C:\\Windows\\System32\\svchost.exe",
"Path": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive1.dat",
"SPath": "6ae86937-611f-45e9-900c-3ba57298f264.zip",
"Size": 2048,
"Deleted": false
}
}
}
Human Readable Output
File download metadata for file C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
| ID | Host | Path | Hash | Downloaded | Size | Created | Created By | Created By Proc | Last Modified | Last Modified By | Last Modified By Proc | S Path |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 4 | HOST_NAME | C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat | 2ae2da9237309b13b9a9d52d1358c826 | 2020-01-02 15:40:29.003 | 2048 | 2020-01-02 15:39:57.289 | NT AUTHORITY\LOCAL SERVICE | C:\Windows\System32\svchost.exe | 2020-01-02 15:39:57.289 | NT AUTHORITY\LOCAL SERVICE | C:\Windows\System32\svchost.exe | 6ae86937-611f-45e9-900c-3ba57298f264.zip |
tanium-tr-get-process-info
Get information for a process.
Base Command
tanium-tr-get-process-info
Input
| Argument Name | Description | Required |
|---|---|---|
| connection-name | The connection name. | Required |
| ptid | The process instance ID. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Tanium.Process.CreateTime | Date | Time when the process was created. |
| Tanium.Process.Domain | String | The domain of the process. |
| Tanium.Process.ExitCode | Number | The process exit code. |
| Tanium.Process.ProcessCommandLine | String | The process command line. |
| Tanium.Process.ProcessID | Number | The ID of the process. |
| Tanium.Process.ProcessName | String | File of the process. |
| Tanium.Process.ProcessTableId | Number | The ID of the process table. |
| Tanium.Process.SID | String | The security ID of the process. |
| Tanium.Process.Username | String | The username who created the process. |
Command Example
!tanium-tr-get-process-info ptid=667680 connection-name=HOST_NAME limit=5
Context Example
{
"Tanium": {
"Process": {
"CreateTime": "2020-01-22 16:16:07.553",
"Domain": "NT AUTHORITY",
"ExitCode": 0,
"ProcessCommandLine": "System",
"ProcessID": 4,
"ProcessName": "System",
"ProcessTableId": 667680,
"SID": "S-1-5-18",
"Username": "SYSTEM"
}
}
}
Human Readable Output
Process information for process with PTID 667680
| Process ID | Process Name | Process Command Line | Process Table Id | SID | Username | Domain | Exit Code | Create Time |
|---|---|---|---|---|---|---|---|---|
| 4 | System | System | 667680 | S-1-5-18 | SYSTEM | NT AUTHORITY | 0 | 2020-01-22 16:16:07.553 |
tanium-tr-get-events-by-process
Gets the events for a process.
Base Command
tanium-tr-get-events-by-process
Input
| Argument Name | Description | Required |
|---|---|---|
| connection-name | The connection name. | Required |
| ptid | The process instance ID. | Required |
| limit | The maximum number of events to return. | Optional |
| offset | The offset number to begin listing events. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Tanium.ProcessEvent.ID | Number | The ID of the event. |
| Tanium.ProcessEvent.Detail | Unknown | The event details. |
| Tanium.ProcessEvent.Operation | String | The event operation. |
| Tanium.ProcessEvent.Timestamp | Date | Time when the event was created. |
| Tanium.ProcessEvent.Type | String | The event type. |
Command Example
!tanium-tr-get-events-by-process ptid=667680 connection-name=HOST_NAME limit=1
Context Example
{
"Tanium": {
"ProcessEvent": {
"Detail": "4: System",
"ID": 667680,
"Operation": "CreateProcess",
"Timestamp": "2020-01-22 16:16:07.553",
"Type": "Process"
}
}
}
Human Readable Output
Events for process 667680
| ID | Detail | Type | Timestamp | Operation |
|---|---|---|---|---|
| 667680 | 4: System | Process | 2020-01-22 16:16:07.553 | CreateProcess |
tanium-tr-get-process-children
Gets the children of this process instance.
Base Command
tanium-tr-get-process-children
Input
| Argument Name | Description | Required |
|---|---|---|
| connection-name | The connection name. | Required |
| ptid | The process instance ID. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Tanium.ProcessChildren.ID | Number | The ID of the process. |
| Tanium.ProcessChildren.Name | String | File of the process. |
| Tanium.ProcessChildren.PID | Number | The PID of the process. |
| Tanium.ProcessChildren.PTID | Number | The process instance ID. |
| Tanium.ProcessChildren.Parent | String | The parent process name. |
Command Example
!tanium-tr-get-process-children ptid=667680 connection-name=HOST_NAME
Context Example
{
"Tanium": {
"ProcessChildren": [
{
"ID": 667681,
"Name": "0: Unknown Process",
"PID": 0,
"PTID": 667681,
"Parent": "4: System"
},
{
"ID": 667682,
"Name": "1: Pruned Process",
"PID": 1,
"PTID": 667682,
"Parent": "4: System"
},
{
"ID": 667683,
"Name": "392: smss.exe",
"PID": 392,
"PTID": 667683,
"Parent": "4: System"
}
]
}
}
Human Readable Output
Children for process with PTID 667680
| ID | Name | PID | PTID | Parent | Children Count |
|---|---|---|---|---|---|
| 667681 | 0: Unknown Process | 0 | 667681 | 4: System | 0 |
| 667682 | 1: Pruned Process | 1 | 667682 | 4: System | 0 |
| 667683 | 392: smss.exe | 392 | 667683 | 4: System | 0 |
tanium-tr-get-parent-process
Gets information for the parent process.
Base Command
tanium-tr-get-parent-process
Input
| Argument Name | Description | Required |
|---|---|---|
| connection-name | The connection name. | Required |
| ptid | The process instance ID. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Tanium.Process.CreateTime | Date | Time when the process was created. |
| Tanium.Process.Domain | String | The domain of the process. |
| Tanium.Process.ExitCode | Number | The process exit code. |
| Tanium.Process.ProcessCommandLine | String | The process command line. |
| Tanium.Process.ProcessID | Number | The ID of the process. |
| Tanium.Process.ProcessName | String | File of the process. |
| Tanium.Process.ProcessTableId | Number | The ID of the process table. |
| Tanium.Process.SID | String | The security ID of the process. |
| Tanium.Process.Username | String | The username who created the process. |
Command Example
!tanium-tr-get-parent-process ptid=667681 connection-name=HOST_NAME
Context Example
{
"Tanium": {
"ParentProcess": {
"CreateTime": "2020-01-22 16:16:07.553",
"Domain": "NT AUTHORITY",
"ExitCode": 0,
"ProcessCommandLine": "System",
"ProcessID": 4,
"ProcessName": "System",
"ProcessTableId": 667680,
"SID": "S-1-5-18",
"Username": "SYSTEM"
}
}
}
Human Readable Output
Process information for process with PTID 667681
| Process ID | Process Name | Process Command Line | Process Table Id | SID | Username | Domain | Exit Code | Create Time |
|---|---|---|---|---|---|---|---|---|
| 4 | System | System | 667680 | S-1-5-18 | SYSTEM | NT AUTHORITY | 0 | 2020-01-22 16:16:07.553 |
tanium-tr-get-parent-process-tree
Gets the parent process tree for the process instance.
Base Command
tanium-tr-get-parent-process-tree
Input
| Argument Name | Description | Required |
|---|---|---|
| connection-name | The connection name. | Required |
| ptid | The process instance ID. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Tanium.ParentProcessTree.ID | Number | The parent process ID. |
| Tanium.ParentProcessTree.Name | String | File of the parent process. |
| Tanium.ParentProcessTree.PID | Number | The parent process PID. |
| Tanium.ParentProcessTree.PTID | Number | The parent process instance ID. |
| Tanium.ParentProcessTree.Parent | String | The parent process name. |
| Tanium.ParentProcessTree.Children | Unknown | The parent process children. |
Command Example
!tanium-tr-get-parent-process-tree ptid=667681 connection-name=HOST_NAME
Context Example
{
"Tanium": {
"ParentProcessTree": {
"Children": [
{
"Children": [],
"ID": 667681,
"Name": "0: Unknown Process",
"PID": 0,
"PTID": 667681,
"Parent": "4: System"
},
{
"Children": [],
"ID": 667682,
"Name": "1: Pruned Process",
"PID": 1,
"PTID": 667682,
"Parent": "4: System"
},
{
"Children": [],
"ID": 667683,
"Name": "392: smss.exe",
"PID": 392,
"PTID": 667683,
"Parent": "4: System"
}
],
"ID": 667680,
"Name": "4: System",
"PID": 4,
"PTID": 667680
}
}
}
Human Readable Output
Parent process for process with PTID 667681
| ID | Name | PID | PTID |
|---|---|---|---|
| 667680 | 4: System | 4 | 667680 |
Processes with the same parent
| ID | Name | PID | PTID | Parent | Children Count |
|---|---|---|---|---|---|
| 667681 | 0: Unknown Process | 0 | 667681 | 4: System | 0 |
| 667682 | 1: Pruned Process | 1 | 667682 | 4: System | 0 |
| 667683 | 392: smss.exe | 392 | 667683 | 4: System | 0 |
tanium-tr-get-process-tree
Gets the process tree for the process instance.
Base Command
tanium-tr-get-process-tree
Input
| Argument Name | Description | Required |
|---|---|---|
| connection-name | The connection name. | Required |
| ptid | The process instance ID. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Tanium.ProcessTree.ID | Number | The process ID. |
| Tanium.ProcessTree.Name | String | File of the process. |
| Tanium.ProcessTree.PID | Number | The process PID. |
| Tanium.ProcessTree.PTID | Number | The process instance ID. |
| Tanium.ProcessTree.Parent | String | The parent process name. |
| Tanium.ProcessTree.Children | Unknown | The process children. |
Command Example
!tanium-tr-get-process-tree ptid=667680 connection-name=HOST_NAME
Context Example
{
"Tanium": {
"ProcessTree": {
"Children": [
{
"Children": [],
"ID": 667681,
"Name": "0: Unknown Process",
"PID": 0,
"PTID": 667681,
"Parent": "4: System"
},
{
"Children": [],
"ID": 667682,
"Name": "1: Pruned Process",
"PID": 1,
"PTID": 667682,
"Parent": "4: System"
},
{
"Children": [],
"ID": 667683,
"Name": "392: smss.exe",
"PID": 392,
"PTID": 667683,
"Parent": "4: System"
}
],
"ID": 667680,
"Name": "4: System",
"PID": 4,
"PTID": 667680
}
}
}
Human Readable Output
Process information for process with PTID 667680
| ID | Name | PID | PTID |
|---|---|---|---|
| 667680 | 4: System | 4 | 667680 |
Children for process with PTID 667680
| ID | Name | PID | PTID | Parent | Children Count |
|---|---|---|---|---|---|
| 667681 | 0: Unknown Process | 0 | 667681 | 4: System | 0 |
| 667682 | 1: Pruned Process | 1 | 667682 | 4: System | 0 |
| 667683 | 392: smss.exe | 392 | 667683 | 4: System | 0 |
tanium-tr-list-evidence
Returns a list of all available evidence in the system.
Base Command
tanium-tr-list-evidence
Input
| Argument Name | Description | Required |
|---|---|---|
| limit | The maximum number of evidences to return. The default value is 50. | Optional |
| offset | Offset to start getting the events result set. The default is 0. | Optional |
| sort | A comma-separated list of fields by which to sort, using +/- prefixes for ascending/descending, in order of priority (left to right). | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Tanium.Evidence.ID | Number | The evidence ID. |
| Tanium.Evidence.CreatedAt | Date | Time when the process was created. |
| Tanium.Evidence.LastModified | Date | The date that the file was last modified. |
| Tanium.Evidence.User | String | The user of the evidence. |
| Tanium.Evidence.ConnectionName | String | The evidence connection name. |
| Tanium.Evidence.Type | Number | The evidence type. |
| Tanium.Evidence.ProcessTableId | Number | The evidence process table ID. |
| Tanium.Evidence.Timestamp | Date | The evidence timestamp. |
| Tanium.Evidence.Summary | String | The evidence summary. |
| Tanium.Evidence.Comments | String | The evidence comments. |
| Tanium.Evidence.Tags | String | The evidence tags. |
| Tanium.Evidence.Deleted | Boolean | Whether the evident has been deleted. |
Command Example
!tanium-tr-list-evidence limit=2 offset=1 sort=+id
Context Example
{
"Tanium": {
"Evidence": [
{
"ConnectionName": "HOST_NAME",
"CreatedAt": "2020-01-02 15:40:03",
"ID": 2,
"ProcessTableId": 45632561,
"Summary": "CreateProcess: C:\\Windows\\SysWOW64\\cmd.exe",
"Timestamp": "2020-01-02 15:39:28.809",
"Type": 2,
"UpdatedAt": "2020-01-02 15:40:03",
"User": "actionapprover",
"Deleted": false
},
{
"ConnectionName": "HOST_NAME",
"CreatedAt": "2020-01-13 18:02:01",
"ID": 13,
"ProcessTableId": 4563722,
"Summary": "CreateProcess: C:\\Windows\\System32\\wsqmcons.exe",
"Timestamp": "2020-01-13 18:00:01.010",
"Type": 2,
"UpdatedAt": "2020-01-13 18:02:01",
"User": "HOST_NAME\\administrator",
"Deleted": false
}
]
}
}
Human Readable Output
Evidence List
| ID | Timestamp | Conntection Name | User | Summary | Type | Created At | Updated At | Process Table Id |
|---|---|---|---|---|---|---|---|---|
| 2 | 2020-01-02 15:39:28.809 | HOST_NAME | actionapprover | CreateProcess: C:\Windows\SysWOW64\cmd.exe | 2 | 2020-01-02 15:40:03 | 2020-01-02 15:40:03 | 45632561 |
| 13 | 2020-01-13 18:00:01.010 | HOST_NAME | HOST_NAME\administrator | CreateProcess: C:\Windows\System32\wsqmcons.exe | 2 | 2020-01-13 18:02:01 | 2020-01-13 18:02:01 | 4563722 |
tanium-tr-get-evidence-by-id
Gets evidence by evidence ID.
Base Command
tanium-tr-get-evidence-by-id
Input
| Argument Name | Description | Required |
|---|---|---|
| evidence-id | The ID of the evidence. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Tanium.Evidence.ID | Number | The evidence ID. |
| Tanium.Evidence.CreatedAt | Date | Time when the process was created. |
| Tanium.Evidence.LastModified | Date | The date that the file was last modified. |
| Tanium.Evidence.User | String | The user of the evidence. |
| Tanium.Evidence.ConnectionName | String | The evidence connection name. |
| Tanium.Evidence.Type | Number | The evidence type. |
| Tanium.Evidence.ProcessTableId | Number | The evidence process table ID. |
| Tanium.Evidence.Timestamp | Date | The evidence timestamp. |
| Tanium.Evidence.Summary | String | The evidence summary. |
| Tanium.Evidence.Comments | String | The evidence comments. |
| Tanium.Evidence.Tags | String | The evidence tags. |
| Tanium.Evidence.Deleted | Boolean | Whether the evident has been deleted. |
Command Example
!tanium-tr-get-evidence-by-id evidence-id=2
Context Example
{
"Tanium": {
"Evidence": {
"CreatedAt": "2020-01-02 15:40:03",
"ConnectionName": "HOST_NAME",
"ProcessTableId": 45632561,
"ID": 2,
"Summary": "CreateProcess: C:\\Windows\\SysWOW64\\cmd.exe",
"Timestamp": "2020-01-02 15:39:28.809",
"Type": 2,
"UpdatedAt": "2020-01-02 15:40:03",
"User": "actionapprover",
"Deleted": false
}
}
}
Human Readable Output
Label information
| ID | Timestamp | Connection Name | User | Summary | Type | Created At | Updated At | Process Table Id |
|---|---|---|---|---|---|---|---|---|
| 2 | 2020-01-02 15:39:28.809 | HOST_NAME | actionapprover | CreateProcess: C:\Windows\SysWOW64\cmd.exe | 2 | 2020-01-02 15:40:03 | 2020-01-02 15:40:03 | 45632561 |
tanium-tr-create-evidence
Creates an evidence.
Base Command
tanium-tr-create-evidence
Input
| Argument Name | Description | Required |
|---|---|---|
| connection-name | The name of the connection. | Required |
| ptid | The process instance ID. | Required |
Context Output
There is no context output for this command.
Command Example
!tanium-tr-create-evidence connection-name=HOST_NAME connection-name=HOST_NAME ptid=13538572
Human Readable Output
Evidence have been created.
tanium-tr-delete-evidence
Deletes an evidence.
Base Command
tanium-tr-delete-evidence
Input
| Argument Name | Description | Required |
|---|---|---|
| evidence-id | The ID of the evidence. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Tanium.Evidence.ID | String | The evidence ID. |
| Tanium.Evidence.Deleted | Boolean | Whether the evidence has been deleted. |
Command Example
!tanium-tr-delete-evidence evidence-id=1
Context Example
{
"Tanium": {
"Evidence": {
"ID": 2,
"Deleted": true
}
}
}
Human Readable Output
Evidence 1 has been deleted successfully.
tanium-tr-request-file-download
Requests a new file download.
Base Command
tanium-tr-request-file-download
Input
| Argument Name | Description | Required |
|---|---|---|
| path | Path to file. | Required |
| connection-name | Connection name. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Tanium.FileDownload.Path | String | The file download path. |
| Tanium.FileDownload.ConnectionName | String | The file download connection name. |
| Tanium.FileDownload.Downloaded | Date | Date of the download request. |
| Tanium.FileDownload.Status | String | Status of the file download request. |
| Tanium.FileDownload.ID | Number | ID of the file download. |
Command Example
!tanium-tr-request-file-download connection-name=HOST_NAME path=dev/autofs
Context Example
{
"Tanium": {
"FileDownload": {
"Downloaded": "2020-02-06 16:05:40.227674",
"ConnectionName": "HOST_NAME",
"Path": "dev/autofs"
}
}
}
Human Readable Output
Download request of file autofs has been sent successfully.
tanium-tr-delete-file-download
Deletes a file download.
Base Command
tanium-tr-delete-file-download
Input
| Argument Name | Description | Required |
|---|---|---|
| file-id | File download ID. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Tanium.FileDownload.ID | String | The file download ID. |
| Tanium.FileDownload.Deleted | Boolean | Whether the file download has been deleted. |
Command Example
!tanium-tr-delete-file-download file-id=3
Context Example
{
"Tanium": {
"FileDownload": {
"ID": 3,
"Deleted": true
}
}
}
Human Readable Output
Delete request of file with ID 3 has been sent successfully.
tanium-tr-list-files-in-directory
Gets a list of files in the given directory.
Base Command
tanium-tr-list-files-in-directory
Input
| Argument Name | Description | Required |
|---|---|---|
| path | Path to the directory. | Required |
| connection-name | Connection name. | Required |
| limit | The maximum number of files to return. The default value is 50. | Optional |
| offset | Offset to start getting files. The default is 0. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Tanium.File.Created | Date | Time the file was created. |
| Tanium.File.Size | Number | The file size. |
| Tanium.File.IsDirectory | Boolean | Whether or not the file is a directory. |
| Tanium.File.LastModified | Date | The date that the file was last modified. |
| Tanium.File.Path | Boolean | The file path. |
| Tanium.File.Permissions | Date | The file permissions. |
| Tanium.File.ConnectionName | String | The host of the file. |
| Tanium.File.Deleted | Boolean | Whether the file has been deleted. |
Command Example
!tanium-tr-list-files-in-directory path=`C:\Program Files (x86)\Tanium\Tanium Client\` connection-name=HOST_NAME limit=2
Context Example
{
"Tanium": {
"File": [
{
"Created": "1970-01-19 03:25:44",
"IsDirectory": false,
"LastModified": "1970-01-19 03:25:44",
"Path": ".detect-engine.lock",
"Permissions": "rw-rw-rw-",
"Size": 0,
"Deleted": false
},
{
"Created": "1970-01-18 21:02:12",
"IsDirectory": true,
"LastModified": "1970-01-19 07:10:05",
"Path": "Downloads",
"Permissions": "rw-rw-rw-",
"Size": 393216,
"Deleted": false
}
]
}
}
Human Readable Output
Files in directory C:\Program Files (x86)\Tanium\Tanium Client\
| Path | Size | Created | Last Modified | Permissions | Is Directory |
|---|---|---|---|---|---|
| .detect-engine.lock | 0 | 1970-01-19 03:25:44 | 1970-01-19 03:25:44 | rw-rw-rw- | false |
| Downloads | 393216 | 1970-01-18 21:02:12 | 1970-01-19 07:10:05 | rw-rw-rw- | true |
tanium-tr-get-file-info
Gets information about a file from a remote connection.
Base Command
tanium-tr-get-file-info
Input
| Argument Name | Description | Required |
|---|---|---|
| connection-name | The name of the connection. | Required |
| path | The path to the file. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Tanium.File.Created | Date | The file creation timestamp. |
| Tanium.File.Size | Number | The file size. |
| Tanium.File.IsDirectory | Boolean | Whether or not the file is a directory. |
| Tanium.File.LastModified | Date | The date that the file was last modified. |
| Tanium.File.Path | String | The file path. |
| Tanium.File.ConnectionName | String | The host of the file. |
| Tanium.File.Deleted | Boolean | Whether the file has been deleted. |
Command Example
!tanium-tr-get-file-info connection-name=HOST_NAME path=`C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe`
Context Example
{
"Tanium": {
"File": {
"Created": "1970-01-18 20:01:58",
"IsDirectory": false,
"LastModified": "1970-01-18 20:01:58",
"Size": 4938736
"Path": "C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe",
"ConnectionName": "HOST_NAME",
"Deleted": false
}
}
}
Human Readable Output
Information for file C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe
| Path | Size | Created | Last Modified | Is Directory | Connection Name |
|---|---|---|---|---|---|
| C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe | 4938736 | 1970-01-18 20:01:58 | 1970-01-18 20:01:58 | false | HOST_NAME |
tanium-tr-delete-file-from-endpoint
Deletes a file from the given endpoint.
Base Command
tanium-tr-delete-file-from-endpoint
Input
| Argument Name | Description | Required |
|---|---|---|
| connection-name | Connection name. | Required |
| path | Path to file. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Tanium.File.Path | String | The file path. |
| Tanium.File.ConnectionName | String | The host of the file. |
| Tanium.File.Deleted | Boolean | Whether the file has been deleted. |
Command Example
!tanium-tr-delete-file-from-endpoint path=`C:\Program Files (x86)\Tanium\Tanium Client\Logs\log0.txt` connection-name=HOST_NAME
Context Example
{
"Tanium": {
"File": {
"Path": "C:\Program Files (x86)\Tanium\Tanium Client\Logs\log0.txt",
"ConnectionName": "HOST_NAME",
"Deleted": true
}
}
}
Human Readable Output
Delete request of file C:\Program Files (x86)\Tanium\Tanium Client\Logs\log0.txt from endpoint HOST_NAME has been sent successfully.
tanium-tr-get-process-timeline
Gets the process timeline.
Base Command
tanium-tr-get-process-timeline
Input
| Argument Name | Description | Required |
|---|---|---|
| connection-name | Connection name. | Required |
| ptid | Process table ID. | Required |
| category | The event categories to retrieve. Can be "File", "DNS", "Registry", "Network", "Image", or "Process". | Required |
| limit | The maximum number of events to return. The default value is 50. | Optional |
| offset | Offset to start getting the events. The default is 0. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Tanium.ProcessTimeline.ProcessTableID | Number | The process instance ID. |
| Tanium.ProcessTimeline.ConnectionName | String | The connection name of the process. |
| Tanium.ProcessTimeline.Date | Date | Events date of the process. |
| Tanium.ProcessTimeline.Event | String | Event of the process. |
| Tanium.ProcessTimeline.Category | String | The event category of the process. |
Command Example
!tanium-tr-get-process-timeline ptid=13530396 connection-name=HOST_NAME category=Process limit=2
Context Example
{
"Tanium": {
"ProcessTimeline": [
{
"Category": "Process",
"Date": "2020-02-05 10:16:02.319000",
"Event": [
"Process started by root\\root"
]
},
{
"Category": "Process",
"Date": "2020-02-05 10:17:00.000000",
"Event": [
"Process ended"
]
}
]
}
}
Human Readable Output
Timeline data for process with PTID 13530396
| Date | Event | Category |
|---|---|---|
| 2020-02-05 10:16:02.319000 | Process started by root\root | Process |
| 2020-02-05 10:17:00.000000 | Process ended | Process |
tanium-tr-get-download-file-request-status
Gets the status of the download file request.
Base Command
tanium-tr-get-download-file-request-status
Input
| Argument Name | Description | Required |
|---|---|---|
| request-date | Date of the download file request, or example: 2019-09-23T12:55:08.622 | Required |
| connection-name | The connection to which the request was made. | Optional |
| path | The file path. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Tanium.DownloadFile.ID | Number | ID of the file download. |
| Tanium.DownloadFile.ConnectionName | String | Host of the file. |
| Tanium.DownloadFile.Path | String | Path of the file. |
| Tanium.DownloadFile.Status | String | Status of the file download request. |
| Tanium.DownloadFile.Downloaded | Date | The date of the download request. |
Command Example
!tanium-tr-get-download-file-request-status request-date=2019-09-23T12:55:08.622
Context Example
{
"Tanium": {
"FileDownload": {
"Downloaded": "2020-01-02 15:40:18.052",
"ID": 3,
"Status": "Completed",
"Path": "C:\Program Files (x86)\Tanium\Tanium Client\Logs\log1.txt",
"ConnectionName": "HOST_NAME"
}
}
}
Human Readable Output
File download request status
| ID | Connection Name | Status | Path | Downloaded |
|---|---|---|---|---|
| 3 | HOST_NAME | Completed | C:\Program Files (x86)\Tanium\Tanium Client\Logs\log1.txt | 2020-01-02 15:40:18.052 |