Tanium v2

Tanium endpoint security and systems management This integration was integrated and tested with version 7.3.0 of Tanium server

Tanium v2 Playbooks

  • Tanium - Ask Question
  • Tanium - Get Saved Question Result

Use Cases

  • Create questions, groups, packages, etc on the Tanium Server.
  • Deploy packages to machines groups.
  • Get information about sensors, packages, actions, hosts etc.

Detailed Description

  • Integration with Tanium REST API. Available from Tanium version 7.3.0. You can manage questions, actions, saved questions, packages and sensor information.
  • ## Configuration Parameters
  • **Hostname**
  • The network address of the Tanium server host.
  • **Domain**
  • The Tanium user domain. Relevant when there is more than one domain inside Tanium.
  • **Credentials**
  • The credentials should be the same as the Tanium client.

Configure Tanium v2 on Demisto

  1. Navigate to Settings > Integrations > Servers & Services .
  2. Search for Tanium v2.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • Hostname, IP address, or server URL.
    • Domain
    • Credentials
    • Trust any certificate (not secure)
    • Use system proxy settings
  4. Click Test to validate the new instance.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Returns a package object based on name or ID: tn-get-package
  2. Asks the server to parse the question text and choose the first parsed result as the question to run: tn-ask-question
  3. Returns the question result based on question ID: tn-get-question-result
  4. Returns a list of all sensors: tn-list-sensors
  5. Returns detailed information about a sensor object based on name or ID: tn-get-sensor
  6. Creates a saved question object: tn-create-saved-question
  7. Returns all saved questions: tn-list-saved-questions
  8. Returns the saved question result based on the saved question ID: tn-get-saved-question-result
  9. Returns all client details: tn-get-system-status
  10. Creates a package object: tn-create-package
  11. Returns all package information: tn-list-packages
  12. Returns a question object based on question ID: tn-get-question-metadata
  13. Returns all saved actions: tn-list-saved-actions
  14. Returns a saved action object based on name or ID: tn-get-saved-action
  15. Returns a saved question object based on name or ID: tn-get-saved-question-metadata
  16. Creates a saved action object: tn-create-saved-action
  17. Creates an action object based on the package name or the package ID: tn-create-action
  18. Returns all actions: tn-list-actions
  19. Returns an action object based on ID: tn-get-action
  20. Retrieves all saved action approval definitions on the server: tn-list-saved-actions-pending-approval
  21. Returns a group object based on ID or name: tn-get-group
  22. Creates a group object based on computers or IP addresses list: tn-create-manual-group
  23. Creates a group object based on text filter: tn-create-filter-based-group
  24. Returns all groups: tn-list-groups
  25. Deletes a group object: tn-delete-group
  26. Creates an action object, based on a package name or package ID: tn-create-action-by-host

1. tn-get-package


Returns a package object based on name or ID.

Base Command

tn-get-package

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
Argument Name Description Required
name The name of the package. Optional
id The package ID. Package ID or package name is required. When both exist, ID is used. Optional

Context Output
Path Type Description
TaniumPackage.Command String The command to run.
TaniumPackage.CommandTimeout Number Timeout in seconds for the command execution.
TaniumPackage.ContentSet.Id Number The ID of the content set to associate with the package.
TaniumPackage.ContentSet.Name String The name of the content set to associate with the package.
TaniumPackage.CreationTime String The time and date when this object was created in the database.
TaniumPackage.DisplayName String The name of the package that displays in the user interface.
TaniumPackage.ExpireSeconds Number Timeout in seconds for the action.
TaniumPackage.Files.Hash String The SHA-256 hash of the contents of the file.
TaniumPackage.Files.Id Number The unique ID of the package_file object.
TaniumPackage.Files.Name String The unique name of the package_file object.
TaniumPackage.ID Number The unique ID of the package_spec object.
TaniumPackage.LastModifiedBy String The user who most recently modified this object.
TaniumPackage.LastUpdate String The most recent time and date when this object was modified.
TaniumPackage.ModUser.Domain String The domain of the user who most recently modified this object
TaniumPackage.ModUser.Id Number The ID of the user who most recently modified this object
TaniumPackage.ModUser.Name String The name of the user who most recently modified this object
TaniumPackage.ModificationTime String The most recent time and date when this object was modified.
TaniumPackage.Name String The unique name of the package_spec object.
TaniumPackage.Parameters.Values String The parameter values.
TaniumPackage.Parameters.Label String Parameter description.
TaniumPackage.Parameters.Key String The attribute name of the parameter.
TaniumPackage.Parameters.ParameterType String The type of parameter.
TaniumPackage.SourceId Number The ID of the package into which the parameters are substituted.
TaniumPackage.VerifyExpireSeconds Number A verification failure timeout. The time begins with the start of the action. If the action cannot be verified by the timeout, the action status is reported as failed.

Command Example

!tn-get-package id=225

Context Example
{
    "TaniumPackage": {
        "Command": "cmd /c cscript ApplyWindowsQuarantine.vbs \"$1\" \"$2\" \"$3\" \"$4\" \"$5\" \"$6\" \"$7\" \"$8\" \"$9\"",
        "CommandTimeout": 180,
        "ContentSet": {
            "Id": 32,
            "Name": "Incident Response"
        },
        "CreationTime": "2019-09-19T13:57:35Z",
        "DisplayName": "Apply Windows IPsec Quarantine",
        "ExpireSeconds": 780,
        "Files": [
            {
                "Hash": "26cab9aaddf7d0e1ecf4113dee1ee976f6df9070a1f9edf3fa9e10bc63eb6a94",
                "ID": 699,
                "Name": "PortTester.exe"
            },
            {
                "Hash": "7a2aaaf742831abf22918e4726181f25aa8b32c1dcb6b500824fe5e5ffec25fb",
                "ID": 700,
                "Name": "taniumquarantine.dat"
            },
            {
                "Hash": "b2dfeab931f5938c52df84b8e6b157e698c508c7723b23505659e5ae659fcf6f",
                "ID": 701,
                "Name": "ApplyWindowsQuarantine.vbs"
            }
        ],
        "ID": 225,
        "LastModifiedBy": "administrator",
        "LastUpdate": "2019-09-19T13:57:35Z",
        "ModificationTime": "2019-09-19T13:57:35Z",
        "Name": "Apply Windows IPsec Quarantine",
        "Parameters": [
            {
                "Key": "$1",
                "Label": "Apply Custom Config (below)",
                "ParameterType": "com.tanium.components.parameters::CheckBoxParameter",
                "Values": null
            },
            {
                "Key": null,
                "Label": null,
                "ParameterType": "com.tanium.components.parameters::SeparatorParameter",
                "Values": null
            },
            {
                "Key": "$2",
                "Label": "Allow All DHCP",
                "ParameterType": "com.tanium.components.parameters::CheckBoxParameter",
                "Values": null
            },
            {
                "Key": "$3",
                "Label": "Allow All DNS",
                "ParameterType": "com.tanium.components.parameters::CheckBoxParameter",
                "Values": null
            },
            {
                "Key": "$4",
                "Label": "Allow All Tanium Servers",
                "ParameterType": "com.tanium.components.parameters::CheckBoxParameter",
                "Values": null
            },
            {
                "Key": "$5",
                "Label": "Validate Tanium Server Availability",
                "ParameterType": "com.tanium.components.parameters::CheckBoxParameter",
                "Values": null
            },
            {
                "Key": "$6",
                "Label": "Notification Message",
                "ParameterType": "com.tanium.components.parameters::TextAreaParameter",
                "Values": null
            },
            {
                "Key": "$7",
                "Label": "Custom Quarantine Rules",
                "ParameterType": "com.tanium.components.parameters::TextAreaParameter",
                "Values": null
            },
            {
                "Key": "$8",
                "Label": "Alternate Tanium Servers",
                "ParameterType": "com.tanium.components.parameters::TextInputParameter",
                "Values": null
            },
            {
                "Key": "$9",
                "Label": "VPN Servers",
                "ParameterType": "com.tanium.components.parameters::TextInputParameter",
                "Values": null
            }
        ],
        "SourceId": 0,
        "VerifyExpireSeconds": 600
    }
}
Human Readable Output

Package information

Command CommandTimeout ContentSet CreationTime DisplayName ExpireSeconds ID LastModifiedBy LastUpdate ModUser ModificationTime Name SourceId VerifyExpireSeconds
cmd /c cscript ApplyWindowsQuarantine.vbs "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9" 180 Id: 32
Name: Incident Response
2019-09-19T13:57:35Z Apply Windows IPsec Quarantine 780 225 administrator 2019-09-19T13:57:35Z 2019-09-19T13:57:35Z Apply Windows IPsec Quarantine 0 600

Parameters information

Key Label ParameterType Values
$1 Apply Custom Config (below) com.tanium.components.parameters::CheckBoxParameter
com.tanium.components.parameters::SeparatorParameter
$2 Allow All DHCP com.tanium.components.parameters::CheckBoxParameter
$3 Allow All DNS com.tanium.components.parameters::CheckBoxParameter
$4 Allow All Tanium Servers com.tanium.components.parameters::CheckBoxParameter
$5 Validate Tanium Server Availability com.tanium.components.parameters::CheckBoxParameter
$6 Notification Message com.tanium.components.parameters::TextAreaParameter
$7 Custom Quarantine Rules com.tanium.components.parameters::TextAreaParameter
$8 Alternate Tanium Servers com.tanium.components.parameters::TextInputParameter
$9 VPN Servers com.tanium.components.parameters::TextInputParameter

Files information

Hash ID Name
26cab9aaddf7d0e1ecf4113dee1ee976f6df9070a1f9edf3fa9e10bc63eb6a94 699 PortTester.exe
7a2aaaf742831abf22918e4726181f25aa8b32c1dcb6b500824fe5e5ffec25fb 700 taniumquarantine.dat
b2dfeab931f5938c52df84b8e6b157e698c508c7723b23505659e5ae659fcf6f 701 ApplyWindowsQuarantine.vbs

2. tn-ask-question


Asks the server to parse the question text and choose the first parsed result as the question to run.

Base Command

tn-ask-question

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
Argument Name Description Required
question-text The question text. Required
parameters The question parameters. For example, sensor1{key1=val1,key2=val2},sensor2{key1=val1}. Optional

Context Output
Path Type Description
Tanium.Question.ID Number The unique ID of the question object.

Command Example

!tn-ask-question question-text=`Get IP Address from all machines`

Context Example
{
    "Tanium.Question": {
        "ID": 50500
    }
}
Human Readable Output

New question created. ID = 50500

3. tn-get-question-result


Returns the question result based on question ID.

Base Command

tn-get-question-result

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
Argument Name Description Required
question-id The question ID. Required

Context Output
Path Type Description
Tanium.QuestionResult.QuestionID Number The unique ID of the question object.
Tanium.QuestionResult.Results Unknown The question results.
Tanium.QuestionResult.Status String The status of the question request. Can be: "Completed" or "Pending".

Command Example

!tn-get-question-result question-id=50477

Context Example
{
    "Tanium.QuestionResult": {
        "QuestionID": "50477",
        "Status": "Pending"
    }
}
Human Readable Output

Question is still executing, Question id: 50477

4. tn-list-sensors


Returns a list of all sensors.

Base Command

tn-list-sensors

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
Argument Name Description Required
limit The maximum number of sensors to return. Optional

Context Output
Path Type Description
TaniumSensor.Category String The category that includes this sensor.
TaniumSensor.ContentSetId Number The ID of the content set to associate with the sensor.
TaniumSensor.ContentSetName String The name of the content set to associate with the sensor.
TaniumSensor.CreationTime String The time and date when this object was created in the database.
TaniumSensor.Description String A description for the sensor.
TaniumSensor.Hash String The hash ID of the sensor.
TaniumSensor.ID Number The unique ID of the sensor object.
TaniumSensor.IgnoreCaseFlag Boolean Whether to ignore the case flag of the sensor. Default is 1, which means the case flag is ignored.
TaniumSensor.KeepDuplicatesFlag Boolean Whether to keep duplicate values in the sensor results. Default is 1 which keeps duplicate values instead of returning each unique value once.
TaniumSensor.LastModifiedBy String The name of the user who last modified this object.
TaniumSensor.MaxAgeSeconds Number The maximum age in seconds a sensor result is invalid. When results are half this value, the sensor is re-evaluated.
TaniumSensor.ModUserDomain String The domain of the user who most recently modified this object.
TaniumSensor.ModUserId Number The ID of the user who most recently modified this object.
TaniumSensor.ModUserName String The name of user who most recently modified this object.
TaniumSensor.ModificationTime String The most recent time and date when this object was modified.
TaniumSensor.Name String The name of the sensor.
TaniumSensor.SourceId Number The ID of the sensor into which the parameters are substituted. If specified, source_hash may be omitted.

Command Example

!tn-list-sensors limit=1

Context Example
{
    "TaniumSensor": [
        {
            "Category": "Network",
            "ContentSetId": 10,
            "ContentSetName": "Network",
            "CreationTime": "2019-07-17T20:13:49Z",
            "Description": "Returns the SSID (name) of a wireless network a machine is connected to.\nExample: linksys",
            "Hash": "1466668831",
            "ID": 232,
            "IgnoreCaseFlag": true,
            "KeepDuplicatesFlag": false,
            "LastModifiedBy": "administrator",
            "MaxAgeSeconds": 900,
            "ModUserDomain": "EC2AMAZ-N5ETQVT",
            "ModUserId": 1,
            "ModUserName": "administrator",
            "ModificationTime": "2019-07-17T20:13:49Z",
            "Name": "Wireless Network Connected SSID",
            "SourceId": 0
        }
    ]
}
Human Readable Output

Sensors

Category ContentSetId ContentSetName CreationTime Description Hash ID IgnoreCaseFlag KeepDuplicatesFlag LastModifiedBy MaxAgeSeconds ModUserDomain ModUserId ModUserName ModificationTime Name SourceId
Network 10 Network 2019-07-17T20:13:49Z Returns the SSID (name) of a wireless network a machine is connected to.
Example: linksys
1466668831 232 true false administrator 900 EC2AMAZ-N5ETQVT 1 administrator 2019-07-17T20:13:49Z Wireless Network Connected SSID 0

5. tn-get-sensor


Returns detailed information about a sensor object based on name or ID.

Base Command

tn-get-sensor

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
Argument Name Description Required
id The sensor ID. Optional
name The name of the sensor. Optional

Context Output
Path Type Description
TaniumSensor.Category String The category that includes this sensor.
TaniumSensor.ContentSetId Number The ID of the content_set to associate with the sensor.
TaniumSensor.ContentSetName String The name of the content_set to associate with the sensor.
TaniumSensor.CreationTime String The date and time when this object was created in the database.
TaniumSensor.Description String A description for the sensor.
TaniumSensor.Hash String The hash id of the sensor
TaniumSensor.ID Number The unique ID of the sensor object.
TaniumSensor.IgnoreCaseFlag Boolean Ignore the case flag. Default is 1, which means the case flag is ignored.
TaniumSensor.KeepDuplicatesFlag Boolean Keep duplicates flag in the sensor results. Default is 1, which preserves duplicate values in sensor results instead of only returning each unique value once.
TaniumSensor.LastModifiedBy String The name of the user who last modified this object.
TaniumSensor.MaxAgeSeconds Number The maximum age in seconds of a sensor result before it is invalid. When results are half this value, the sensor is re-evaluated.
TaniumSensor.ModUserDomain String The domain of the user who most recently modified this object.
TaniumSensor.ModUserId Number The ID of the user who most recently modified this object.
TaniumSensor.ModUserName String The name of the user who most recently modified this object.
TaniumSensor.ModificationTime String The most recent time and date when this object was modified.
TaniumSensor.Name String The name of the sensor.
TaniumSensor.Parameters.Key String The attribute name of the parameter.
TaniumSensor.Parameters.Label String The description of the parameter.
TaniumSensor.Parameters.Values String The values of the parameter.
TaniumSensor.Parameters.ParameterType String The type of parameter.
TaniumSensor.SourceId Number The ID of the sensor into which the parameters are substituted. If specified, source_hash may be omitted.

Command Example

!tn-get-sensor id=204

Context Example
{
    "TaniumSensor": {
        "Category": "Applications",
        "ContentSetId": 11,
        "ContentSetName": "Software",
        "CreationTime": "2019-07-17T20:13:49Z",
        "Description": "The version string of applications which match the parameter given.\nExample:  11.5.502.146",
        "Hash": "2387001299",
        "ID": 204,
        "IgnoreCaseFlag": true,
        "KeepDuplicatesFlag": false,
        "LastModifiedBy": "administrator",
        "MaxAgeSeconds": 900,
        "ModUserDomain": "EC2AMAZ-N5ETQVT",
        "ModUserId": 1,
        "ModUserName": "administrator",
        "ModificationTime": "2019-07-17T20:13:49Z",
        "Name": "Installed Application Version",
        "Parameters": [
            {
                "Key": "application",
                "Label": "Application Name",
                "ParameterType": "com.tanium.components.parameters::TextInputParameter",
                "Values": null
            }
        ],
        "SourceId": 0
    }
}
Human Readable Output

Sensor information

Category ContentSetId ContentSetName CreationTime Description Hash ID IgnoreCaseFlag KeepDuplicatesFlag LastModifiedBy MaxAgeSeconds ModUserDomain ModUserId ModUserName ModificationTime Name SourceId
Applications 11 Software 2019-07-17T20:13:49Z The version string of applications which match the parameter given.
Example: 11.5.502.146
2387001299 204 true false administrator 900 EC2AMAZ-N5ETQVT 1 administrator 2019-07-17T20:13:49Z Installed Application Version 0

Parameter information

Key Label ParameterType Values
application Application Name com.tanium.components.parameters::TextInputParameter

6. tn-create-saved-question


Creates a saved question object.

Base Command

tn-create-saved-question

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
Argument Name Description Required
question-id The question ID. Required
name Name of the saved question to create. Required

Context Output
Path Type Description
Tanium.SavedQuestion.ID Number The ID of the saved question.
Tanium.SavedQuestion.Name String The name of the saved question.

Command Example

!tn-create-saved-question name=ip_all_machines question-id=50477

Context Example
{
    "Tanium.SavedQuestion": {
        "ID": 450,
        "name": "ip_all_machines"
    }
}
Human Readable Output

Question saved. ID = 450

7. tn-list-saved-questions


Returns all saved questions.

Base Command

tn-list-saved-questions

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
Argument Name Description Required
limit The maximum number of saved questions to return. Optional

Context Output
Path Type Description
Tanium.SavedQuestion.ArchiveEnabledFlag Boolean Whether archiving is enabled for the saved question.
Tanium.SavedQuestion.ArchiveOwner String The name of the user that owns the archive. Archives can be shared between users with identical management rights groups.
Tanium.SavedQuestion.ExpireSeconds Number The duration in seconds before each question expires. Default value is 600.
Tanium.SavedQuestion.ID Number The unique ID of the question object.
Tanium.SavedQuestion.IssueSeconds Number The time in seconds to reissue the question when active. Default value is 120.
Tanium.SavedQuestion.IssueSecondsNeverFlag Boolean Whether the question is not reissued automatically. Default is 1 (not reissued).
Tanium.SavedQuestion.KeepSeconds Number The number of seconds to save the data results in the archive.
Tanium.SavedQuestion.ModTime String The most recent time and date when this object was modified.
Tanium.SavedQuestion.ModUserDomain String The domain of the user who most recently modified this object.
Tanium.SavedQuestion.ModUserId Number The ID of the user who most recently modified this object.
Tanium.SavedQuestion.ModUserName String The name of user who most recently modified this object.
Tanium.SavedQuestion.MostRecentQuestionId Number The ID of the most recently issued question object generated by the saved question.
Tanium.SavedQuestion.Name String The name of the saved question object.
Tanium.SavedQuestion.QueryText String The textual representation of the question.
Tanium.SavedQuestion.QuestionId Number The ID of the question from which to create the saved question.
Tanium.SavedQuestion.RowCountFlag Boolean If the value is true, only the row count data is saved when archiving this question.
Tanium.SavedQuestion.SortColumn Number The default sort column, if no sort order is specified.
Tanium.SavedQuestion.UserId Number The ID of the user who owns this object.
Tanium.SavedQuestion.UserName String The name of the user who owns this object.

Command Example

!tn-list-saved-questions limit=1

Context Example
{
    "Tanium.SavedQuestion": [
        {
            "ArchiveEnabledFlag": false,
            "ExpireSeconds": 600,
            "ID": 130,
            "IssueSeconds": 120,
            "IssueSecondsNeverFlag": false,
            "KeepSeconds": 0,
            "ModTime": "2019-07-17T20:43:06Z",
            "MostRecentQuestionId": 19563,
            "Name": "SCCM - Client Cache Size",
            "QueryText": "Get SCCM Cache Size from all machines",
            "QuestionId": 19563,
            "RowCountFlag": false,
            "SortColumn": 0,
            "UserId": 1,
            "UserName": "administrator"
        }
    ]
}
Human Readable Output

Saved questions

ArchiveEnabledFlag ArchiveOwner ExpireSeconds ID IssueSeconds IssueSecondsNeverFlag KeepSeconds ModTime MostRecentQuestionId Name QueryText QuestionId RowCountFlag SortColumn UserId UserName
false 600 130 120 false 0 2019-07-17T20:43:06Z 19563 SCCM - Client Cache Size Get SCCM Cache Size from all machines 19563 false 0 1 administrator

8. tn-get-saved-question-result


Returns the saved question result based on the saved question ID.

Base Command

tn-get-saved-question-result

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
Argument Name Description Required
question-id The saved question ID. Required

Context Output
Path Type Description
Tanium.SavedQuestionResult.SavedQuestionID Number The ID of the saved question.
Tanium.SavedQuestionResult.Results Unknown The saved question results.
Tanium.SavedQuestionResult.Status String Status of the question request. Can be: "Completed" or "Pending".

Command Example

!tn-get-saved-question-result question-id=130

Context Example
{
    "Tanium.SavedQuestionResult": {
        "SavedQuestionID": "130",
        "Status": "Completed"
    }
}
Human Readable Output

question results:

**No entries.**

9. tn-get-system-status


Returns all client details.

Base Command

tn-get-system-status

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
Argument Name Description Required

Context Output
Path Type Description
Tanium.Client.ComputerId Number The computer ID of the client.
Tanium.Client.FullVersion String The Tanium Client version.
Tanium.Client.HostName String The computer hostname.
Tanium.Client.IpAddressClient String The IP address of the client returned from a sensor on the client.
Tanium.Client.IpAddressServer String The IP address of the client that was recorded on the server during the last registration.
Tanium.Client.LastRegistration Date The most recent time that the client registered with the server.
Tanium.Client.Status String The status of the client. Can be: "Blocked", "Leader" "Normal", "Slow link".

Command Example

!tn-get-system-status

Context Example
{
    "Tanium.Client": [
        {
            "ComputerId": 9065264,
            "FullVersion": "7.2.314.3476",
            "HostName": "ec2amaz-kgmro60",
            "IpAddressClient": "127.0.0.1",
            "IpAddressServer": "127.0.0.1",
            "LastRegistration": "2019-11-27T15:06:08Z",
            "Status": "Leader"
        },
        {
            "ComputerId": 2232836718,
            "FullVersion": "7.2.314.3476",
            "HostName": "HOSTNAME",
            "IpAddressClient": "127.0.0.1",
            "IpAddressServer": "127.0.0.1",
            "LastRegistration": "2019-11-27T15:06:09Z",
            "Status": "Leader"
        }
    ]
}
Human Readable Output

System status

ComputerId FullVersion HostName IpAddressClient IpAddressServer LastRegistration Status
9065264 7.2.314.3476 ec2amaz-kgmro60 127.0.0.1 127.0.0.1 2019-11-27T15:06:08Z Leader
2232836718 7.2.314.3476 HOSTNAME 127.0.0.1 127.0.0.1 2019-11-27T15:06:09Z Leader

10. tn-create-package


Creates a package object.

Base Command

tn-create-package

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
Argument Name Description Required
command The command to execute. Required
name The name of the package to create. Required

Context Output
Path Type Description
TaniumPackage.Command String The command to run.
TaniumPackage.CommandTimeout Number Timeout in seconds for the command execution.
TaniumPackage.ContentSet.Id Number The ID of the content set to associate with the package.
TaniumPackage.ContentSet.Name String The name of the content set to associate with the package.
TaniumPackage.CreationTime String The time and date when this object was created in the database.
TaniumPackage.DisplayName String The name of the package that displays in the user interface.
TaniumPackage.ExpireSeconds Number Timeout in seconds for the action expiry.
TaniumPackage.ID Number The unique ID of the package_spec object.
TaniumPackage.LastModifiedBy String The user who most recently modified this object.
TaniumPackage.LastUpdate String The most recent time and date when this object was modified.
TaniumPackage.ModUser.Domain String The domain of the user who most recently modified this object.
TaniumPackage.ModUser.Id Number The ID of the user who most recently modified this object
TaniumPackage.ModUser.Name String The name of the user who most recently modified this object
TaniumPackage.ModificationTime String The most recent time and date when this object was modified.
TaniumPackage.Name String The unique name of the package_spec object.
TaniumPackage.SourceId Number The ID of the package into which the parameters are substituted.
TaniumPackage.VerifyExpireSeconds Number A verification failure timeout. The time begins with the start of the action. If the action cannot be verified by the timeout, the action status is reported as failed.

Command Example

!tn-create-package command=cls name=clear_screen

Context Example
{
    "TaniumPackage": {
        "Command": "cls",
        "CommandTimeout": 600,
        "ContentSet": {
            "Id": 2,
            "Name": ""
        },
        "CreationTime": "2019-11-27T15:06:14Z",
        "DisplayName": "clear_screen",
        "ExpireSeconds": 3600,
        "ID": 1220,
        "LastModifiedBy": "administrator",
        "LastUpdate": "2019-11-27T15:06:14Z",
        "ModificationTime": "2019-11-27T15:06:14Z",
        "Name": "clear_screen",
        "SourceId": 0,
        "VerifyExpireSeconds": 3600
    }
}
Human Readable Output

Package information

Command CommandTimeout ContentSet CreationTime DisplayName ExpireSeconds Files ID LastModifiedBy LastUpdate ModUser ModificationTime Name Parameters SourceId VerifyExpireSeconds
cls 600 Id: 2
Name:
2019-11-27T15:06:14Z clear_screen 3600 1220 administrator 2019-11-27T15:06:14Z 2019-11-27T15:06:14Z clear_screen 0 3600

Parameters information

**No entries.**

Files information

**No entries.**

11. tn-list-packages


Returns all package information.

Base Command

tn-list-packages

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
Argument Name Description Required
limit The maximum number of packages to return. Optional

Context Output
Path Type Description
TaniumPackage.Command String The command to run.
TaniumPackage.CommandTimeout Number Timeout in seconds for the command execution.
TaniumPackage.ContentSet.Id Number The ID of the content set to associate with the package.
TaniumPackage.ContentSet.Name String The name of the content set to associate with the package.
TaniumPackage.CreationTime String The time and date when this object was created in the database.
TaniumPackage.DisplayName String The name of the package that displays in the user interface.
TaniumPackage.ExpireSeconds Number Timeout in seconds for the action expiry.
TaniumPackage.ID Number The unique ID of the package_spec object.
TaniumPackage.LastModifiedBy String The user who most recently modified this object.
TaniumPackage.LastUpdate String The most recent time and date when this object was modified.
TaniumPackage.ModUser.Domain String The domain of the user who most recently modified this object.
TaniumPackage.ModUser.Id Number The ID of the user who most recently modified this object.
TaniumPackage.ModUser.Name String The name of the user who most recently modified this object.
TaniumPackage.ModificationTime String The most recent time and date when this object was modified.
TaniumPackage.Name String The unique name of the package_spec object.
TaniumPackage.SourceId Number The ID of the package into which the parameters are substituted.
TaniumPackage.VerifyExpireSeconds Number A verification failure timeout. The time begins with the start of the action. If the action cannot be verified by the timeout, the action status is reported as failed.

Command Example

!tn-list-packages limit=1

Context Example
{
    "TaniumPackage": [
        {
            "Command": "/bin/bash run-add-intel-package.sh 2>&1",
            "CommandTimeout": 600,
            "ContentSet": {
                "Id": 8,
                "Name": "Detect Service"
            },
            "CreationTime": "2019-07-23T20:40:17Z",
            "DisplayName": "Detect Intel for Unix Revision 4 Delta",
            "ExpireSeconds": 2400,
            "ID": 132,
            "LastModifiedBy": "administrator",
            "LastUpdate": "2019-07-23T20:40:17Z",
            "ModificationTime": "2019-07-23T20:40:17Z",
            "Name": "Detect Intel for Unix Revision 4 Delta",
            "SourceId": 0,
            "VerifyExpireSeconds": 3600
        }
    ]
}
Human Readable Output

Packages

Command CommandTimeout ContentSet CreationTime DisplayName ExpireSeconds ID LastModifiedBy LastUpdate ModUser ModificationTime Name SourceId VerifyExpireSeconds
/bin/bash run-add-intel-package.sh 2>&1 600 Id: 8
Name: Detect Service
2019-07-23T20:40:17Z Detect Intel for Unix Revision 4 Delta 2400 132 administrator 2019-07-23T20:40:17Z 2019-07-23T20:40:17Z Detect Intel for Unix Revision 4 Delta 0 3600

12. tn-get-question-metadata


Returns a question object based on question ID.

Base Command

tn-get-question-metadata

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
Argument Name Description Required
question-id The question ID. Required

Context Output
Path Type Description
Tanium.Question.ID Number The unique ID of the question object.
Tanium.Question.Expiration Date The date the question expires.
Tanium.Question.ExpireSeconds Number The number of seconds before the question expires. Default is 600.
Tanium.Question.ForceComputerIdFlag Boolean Whether to force the question to be a counting question if only one selection is present. Default is not to force. If the question object is an instance of a saved question, this field is derived from the saved question
Tanium.Question.IsExpired Boolean Whether the question has expired.
Tanium.Question.QueryText String The textual representation of the question.
Tanium.Question.SavedQuestionId Number The ID of the saved question derived from this question.
Tanium.Question.UserId Number The ID of the user who created / issued this question.
Tanium.Question.UserName String The name of the user who created / issued this question.

Command Example

!tn-get-question-metadata question-id=50477

Context Example
{
    "Tanium.Question": {
        "Expiration": "2019-11-27T14:16:24Z",
        "ExpireSeconds": 0,
        "ForceComputerIdFlag": false,
        "ID": 50477,
        "IsExpired": true,
        "QueryText": "Get IP Address from all machines",
        "SavedQuestionId": 450,
        "UserId": 1,
        "UserName": "administrator"
    }
}
Human Readable Output

Question results

Expiration ExpireSeconds ForceComputerIdFlag ID IsExpired QueryText SavedQuestionId UserId UserName
2019-11-27T14:16:24Z 0 false 50477 true Get IP Address from all machines 450 1 administrator

13. tn-list-saved-actions


Returns all saved actions.

Base Command

tn-list-saved-actions

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
Argument Name Description Required
limit The maximin number of saved actions to return. Optional

Context Output
Path Type Description
Tanium.SavedAction.ActionGroupId Number The ID of the group of clients to target.
Tanium.SavedAction.ApprovedFlag Boolean Whether the saved action is approved. True is approved.
Tanium.SavedAction.ApproverId Number The ID of the user to approve the saved action.
Tanium.SavedAction.ApproverName String The name of the user to approve the saved action.
Tanium.SavedAction.CreationTime Date The time and date when this object was created in the database.
Tanium.SavedAction.EndTime Date The time and date to stop issuing actions.
Tanium.SavedAction.ExpireSeconds Number The duration from the start time before the action expires.
Tanium.SavedAction.ID Number The unique ID of the saved action object.
Tanium.SavedAction.LastActionId Number The ID of the action object that was issued last.
Tanium.SavedAction.LastActionStartTime Date The start time and date of the action object that was issued last.
Tanium.SavedAction.LastAaction.TargetGroupId Number The target group of the action object that was issued last.
Tanium.SavedAction.LastStartTime Date The most recent date and time that the action started.
Tanium.SavedAction.Name String The name of the saved_action object.
Tanium.SavedAction.NextStartTime Date The next time and date when the action will start.
Tanium.SavedAction.PackageId Number The ID of the package deployed by the saved action.
Tanium.SavedAction.PackageName String The name of the package deployed by the saved action.
Tanium.SavedAction.PackageSourceHash String The source hash of the package deployed by the saved action.
Tanium.SavedAction.StartTime Date The time and date when the action became active. An empty string or null starts immediately.
Tanium.SavedAction.Status Number The status of the saved action. Can be: "0" for Enabled, "1" for Disabled, or "2" for Deleted.
Tanium.SavedAction.TargetGroupId Number The group of machines to target.
Tanium.SavedAction.UserId Number The ID of the user who created the saved action.
Tanium.SavedAction.UserName String The ID of the user who created the saved action.

Command Example

!tn-list-saved-actions limit=1

Context Example
{
    "Tanium.SavedAction": [
        {
            "ActionGroupId": 432,
            "ApprovedFlag": false,
            "ApproverId": 0,
            "CreationTime": "2019-09-25T16:56:59Z",
            "EndTime": "Never",
            "ExpireSeconds": 600,
            "ID": 353,
            "LastActionId": 7206,
            "LastActionStartTime": "Never",
            "LastStartTime": "Never",
            "Name": "Trace - Start Session [Linux]",
            "NextStartTime": "Never",
            "PackageId": 728,
            "PackageName": "Trace - Start Session [Linux]",
            "PackageSourceHash": "f3931b6451967b74b522887e1f00f4a59b2fae730a5c277577bb804c7f484c61",
            "StartTime": "2019-09-25T16:57:31Z",
            "Status": 0,
            "TargetGroupId": 14652,
            "UserId": 1,
            "UserName": "administrator"
        }
    ]
}
Human Readable Output

Saved actions

ActionGroupId ApprovedFlag ApproverId ApproverName CreationTime EndTime ExpireSeconds ID LastActionId LastActionStartTime LastStartTime Name NextStartTime PackageId PackageName PackageSourceHash StartTime Status TargetGroupId UserId UserName
432 false 0 2019-09-25T16:56:59Z Never 600 353 7206 Never Never Trace - Start Session [Linux] Never 728 Trace - Start Session [Linux] f3931b6451967b74b522887e1f00f4a59b2fae730a5c277577bb804c7f484c61 2019-09-25T16:57:31Z 0 14652 1 administrator

14. tn-get-saved-action


Returns a saved action object based on name or ID.

Base Command

tn-get-saved-action

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
Argument Name Description Required
id The saved action ID. Optional
name The saved action name. Optional

Context Output
Path Type Description
Tanium.SavedAction.ActionGroupId Number The ID of the group of clients to target.
Tanium.SavedAction.ApprovedFlag Boolean Whether the saved action is approved. True is approved.
Tanium.SavedAction.ApproverId Number The ID of the user to approve the saved action.
Tanium.SavedAction.ApproverName String The name of the user to approve the saved action.
Tanium.SavedAction.CreationTime Date The time and date when this object was created in the database.
Tanium.SavedAction.EndTime Date The time and date to stop issuing actions.
Tanium.SavedAction.ExpireSeconds Number The duration from the start time before the action expires.
Tanium.SavedAction.ID Number The unique ID of the saved_action object.
Tanium.SavedAction.LastActionId Number The ID of the action object that was issued last.
Tanium.SavedAction.LastActionStartTime Date The start time and date of the action object that was issued last.
Tanium.SavedAction.LastAaction.TargetGroupId Number The target group of the action object that was issued last.
Tanium.SavedAction.LastStartTime Date The most recent date and time that the action started.
Tanium.SavedAction.Name String The name of the saved action object.
Tanium.SavedAction.NextStartTime Date The next time and date when the action will start.
Tanium.SavedAction.PackageId Number The ID of the package deployed by the saved action.
Tanium.SavedAction.PackageName String The name of the package deployed by the saved action.
Tanium.SavedAction.PackageSourceHash String The source hash of the package deployed by the saved action.
Tanium.SavedAction.StartTime Date The time amd date when the action became active. An empty string or null starts immediately.
Tanium.SavedAction.Status Number The status of the saved action. Can be: "0" for Enabled, "1" for Disabled, or "2" for Deleted.
Tanium.SavedAction.TargetGroupId Number The group of machines to target.
Tanium.SavedAction.UserId Number The ID of the user who created the saved action.
Tanium.SavedAction.UserName String The ID of the user who created the saved action.

Command Example

!tn-get-saved-action id=5

Context Example
{
    "Tanium.SavedAction": {
        "ActionGroupId": 315,
        "ApprovedFlag": true,
        "ApproverId": 1,
        "ApproverName": "administrator",
        "CreationTime": "2019-07-17T20:14:36Z",
        "EndTime": "Never",
        "ExpireSeconds": 4500,
        "ID": 5,
        "LastActionId": 5,
        "LastActionStartTime": "Never",
        "LastStartTime": "Never",
        "Name": "Distribute Python - Tools [Linux]",
        "NextStartTime": "2019-11-27T16:14:38",
        "PackageId": 56,
        "PackageName": "Python - Tools [Linux]",
        "PackageSourceHash": "package-hash",
        "StartTime": "2019-07-17T20:14:38Z",
        "Status": 1,
        "TargetGroupId": 243,
        "UserId": 1,
        "UserName": "administrator"
    }
}
Human Readable Output

Saved action information

ActionGroupId ApprovedFlag ApproverId ApproverName CreationTime EndTime ExpireSeconds ID LastActionId LastActionStartTime LastStartTime Name NextStartTime PackageId PackageName PackageSourceHash StartTime Status TargetGroupId UserId UserName
315 true 1 administrator 2019-07-17T20:14:36Z Never 4500 5 5 Never Never Distribute Python - Tools [Linux] 2019-11-27T16:14:38 56 Python - Tools [Linux] 10d2ca59b744491a80af4f4df7e19698b86cc779c34984aa56ece55250f1b659 2019-07-17T20:14:38Z 1 243 1 administrator

15. tn-get-saved-question-metadata


Returns a saved question object based on name or ID.

Base Command

tn-get-saved-question-metadata

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
Argument Name Description Required
question-id The saved question ID. Optional
question-name The saved question name. Optional

Context Output
Path Type Description
Tanium.SavedQuestion.ArchiveEnabledFlag Boolean Whether to enable archiving.
Tanium.SavedQuestion.ArchiveOwner String The name of the user that owns the archive. Archives can be shared between users with identical management rights groups.
Tanium.SavedQuestion.ExpireSeconds Number The duration in seconds before each question expires. Default value is 600.
Tanium.SavedQuestion.ID Number The unique ID of the saved_question object.
Tanium.SavedQuestion.IssueSeconds Number The number of seconds to reissue the question when active. Default value is 120.
Tanium.SavedQuestion.IssueSecondsNeverFlag Boolean Whether the question is reissued automatically. If value is 1, the question is not reissued automatically.
Tanium.SavedQuestion.KeepSeconds Number The number of seconds to save the data results in the archive.
Tanium.SavedQuestion.ModTime String The most recent time and date when the object was modified.
Tanium.SavedQuestion.ModUserDomain String The domain of the user who most recently modified this object.
Tanium.SavedQuestion.ModUserId Number The ID of the user who most recently modified this object.
Tanium.SavedQuestion.ModUserName String The name of user who most recently modified this object.
Tanium.SavedQuestion.MostRecentQuestionId Number The ID of the most recently issued question object generated by this saved_question.
Tanium.SavedQuestion.Name String The name of the saved_question object.
Tanium.SavedQuestion.QueryText String The textual representation of the question.
Tanium.SavedQuestion.QuestionId Number The ID of the question from which to create the saved question.
Tanium.SavedQuestion.RowCountFlag Boolean Whether the row count data is saved when archiving this question.
Tanium.SavedQuestion.SortColumn Number The column to use as the default sort column, if no sort order is specified.
Tanium.SavedQuestion.UserId Number The ID of the user who owns this object.
Tanium.SavedQuestion.UserName String The name of the user who owns this object.

Command Example

!tn-get-saved-question-metadata question-id=130

Context Example
{
    "Tanium.SavedQuestion": {
        "ArchiveEnabledFlag": false,
        "ExpireSeconds": 600,
        "ID": 130,
        "IssueSeconds": 120,
        "IssueSecondsNeverFlag": false,
        "KeepSeconds": 0,
        "ModTime": "2019-07-17T20:43:06Z",
        "MostRecentQuestionId": 50501,
        "Name": "SCCM - Client Cache Size",
        "QueryText": "Get SCCM Cache Size from all machines",
        "QuestionId": 50501,
        "RowCountFlag": false,
        "SortColumn": 0,
        "UserId": 1,
        "UserName": "administrator"
    }
}
Human Readable Output

Saved question information

ArchiveEnabledFlag ExpireSeconds ID IssueSeconds IssueSecondsNeverFlag KeepSeconds ModTime MostRecentQuestionId Name QueryText QuestionId RowCountFlag SortColumn UserId UserName
false 600 130 120 false 0 2019-07-17T20:43:06Z 50501 SCCM - Client Cache Size Get SCCM Cache Size from all machines 50501 false 0 1 administrator

16. tn-create-saved-action


Creates a saved action object.

Base Command

tn-create-saved-action

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
Argument Name Description Required
action-group-id The action group ID. Required
package-id The package ID. Required
name The name of the action. Optional

Context Output
Path Type Description
Tanium.SavedAction.ActionGroupId Number The ID of the group of clients to target.
Tanium.SavedAction.ApprovedFlag Boolean Whether the saved action is approved. True is approved.
Tanium.SavedAction.ApproverId Number The ID of the user to approve the saved action.
Tanium.SavedAction.ApproverName String The name of the user to approve the saved action.
Tanium.SavedAction.CreationTime Date The date and time when this object was created in the database.
Tanium.SavedAction.EndTime Date The date and time to stop issuing actions.
Tanium.SavedAction.ExpireSeconds Number The duration from the start time before the action expires.
Tanium.SavedAction.ID Number The unique ID of the saved_action object.
Tanium.SavedAction.LastActionId Number The ID of the action object that was issued last.
Tanium.SavedAction.LastActionStartTime Date The start time of the action object that was issued last.
Tanium.SavedAction.LastAaction.TargetGroupId Number The target group of the action object that was issued last.
Tanium.SavedAction.LastStartTime Date The most recent date and time that the action started.
Tanium.SavedAction.Name String The name of the saved action object.
Tanium.SavedAction.NextStartTime Date The next date and time when the action will start.
Tanium.SavedAction.PackageId Number The ID of the package deployed by the saved action.
Tanium.SavedAction.PackageName String The name of the package deployed by the saved action.
Tanium.SavedAction.PackageSourceHash String The source hash of the package deployed by the saved action.
Tanium.SavedAction.StartTime Date The date and time when the action became active. An empty string or null starts immediately.
Tanium.SavedAction.Status Number The status of the saved action. Can be: "0" for Enabled, "1" for Disabled, or "2" for Deleted.
Tanium.SavedAction.TargetGroupId Number The group of machines to target.
Tanium.SavedAction.UserId Number The ID of the user who created the saved action.
Tanium.SavedAction.UserName String The ID of the user who created the saved action.

Command Example

!tn-create-saved-action package-id=102 action-group-id=1

Context Example
{
    "Tanium.SavedAction": {
        "ActionGroupId": 1,
        "ApprovedFlag": false,
        "ApproverId": 0,
        "CreationTime": "2019-11-27T15:06:18Z",
        "EndTime": "Never",
        "ExpireSeconds": 0,
        "ID": 641,
        "LastActionId": 19880,
        "LastActionStartTime": "Never",
        "LastStartTime": "Never",
        "NextStartTime": "Never",
        "PackageId": 1221,
        "PackageName": "SCCM - Force Software Update Compliance State Refresh",
        "PackageSourceHash": "package-hash",
        "StartTime": "2019-11-27T15:06:18Z",
        "Status": 0,
        "TargetGroupId": 0,
        "UserId": 1,
        "UserName": "administrator"
    }
}
Human Readable Output

Saved action created

ActionGroupId ApprovedFlag ApproverId CreationTime EndTime ExpireSeconds ID LastActionId LastActionStartTime LastStartTime NextStartTime PackageId PackageName PackageSourceHash StartTime Status TargetGroupId UserId UserName
1 false 0 2019-11-27T15:06:18Z Never 0 641 19880 Never Never Never 1221 SCCM - Force Software Update Compliance State Refresh edbf105f4648298e582015aaed927cbf3e8bbbc3666c5d52c7c5e5ad1910ae6a 2019-11-27T15:06:18Z 0 0 1 administrator

17. tn-create-action


Creates an action object based on the package name or the package ID.

Base Command

tn-create-action

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
Argument Name Description Required
package-id The package ID. Optional
package-name The package name. Optional
parameters The package parameters. For example, $1=Value1;$2=Value2;$3=Value3. Optional
target-group-id The target group ID to deploy the package. Optional
target-group-name The target group name to deploy the package. Target group and action group ID are required. Target group can passed by name or ID. Note - the target group should be different than "All Computers" or "Default". Optional
action-group-id The action group ID to deploy the package. Required
action-name The action name. Optional

Context Output
Path Type Description
Tanium.Action.ActionGroupId Number The id of the parent group of machines to target.
Tanium.Action.ActionGroupName String The name of the parent group of machines to target.
Tanium.Action.ApproverId Number The id of the approver of this action.
Tanium.Action.ApproverName String The name of the approver of this action.
Tanium.Action.CreationTime Date The date and time when this object was created in the database.
Tanium.Action.ExpirationTime Date The date and time when the action expires.
Tanium.Action.ExpireSeconds Number The timeout in seconds for the action expiry.
Tanium.Action.HistorySavedQuestionId Number The ID of the saved question that tracks the results of the action.
Tanium.Action.ID Number The unique ID of the action object.
Tanium.Action.Name String The action name.
Tanium.Action.PackageId Number The ID of the package deployed by this action.
Tanium.Action.PackageName String The name of the package deployed by this action.
Tanium.Action.SavedActionId Number The ID of the saved action that this action was issued from, if any.
Tanium.Action.StartTime String The date and time when the action became active.
Tanium.Action.Status String The status of the action. Can be: "Pending", "Active", "Stopped", or "Expired".
Tanium.Action.StoppedFlag Boolean Whether an action stop has been issued for this action. A value of true indicates an action stop was issued.
Tanium.Action.TargetGroupId Number The ID of the group of machines to target.
Tanium.Action.TargetGroupName String The name of the group of machines to target.
Tanium.Action.UserDomain String The domain of the user who issued this action.
Tanium.Action.UserId Number The ID of the user who issued this action.
Tanium.Action.UserName String The name of the user who issued this action.

Command Example

!tn-create-action action-group-id=1 action-name=`Trace - Install Endpoint Certificate [Windows]` package-id=225 target-group-name=`Windows machines`

Context Example
{
    "Tanium.Action": {
        "ActionGroupId": 1,
        "ActionGroupName": "All Computers",
        "ApproverId": 1,
        "CreationTime": "2019-11-27T15:06:19Z",
        "ExpirationTime": "2001-01-01T00:13:00Z",
        "ExpireSeconds": 780,
        "HistorySavedQuestionId": 0,
        "ID": 19886,
        "Name": "Trace - Install Endpoint Certificate [Windows] via Demisto API",
        "PackageId": 1222,
        "PackageName": "Apply Windows IPsec Quarantine",
        "SavedActionId": 642,
        "StartTime": "2001-01-01T00:00:00Z",
        "Status": "Pending",
        "StoppedFlag": false,
        "TargetGroupId": 11719,
        "TargetGroupName": "Windows machines",
        "UserDomain": "EC2AMAZ-N5ETQVT",
        "UserId": 1,
        "UserName": "administrator"
    }
}
Human Readable Output

Action created

ActionGroupId ActionGroupName ApproverId ApproverName CreationTime ExpirationTime ExpireSeconds HistorySavedQuestionId ID Name PackageId PackageName SavedActionId StartTime Status StoppedFlag TargetGroupId TargetGroupName UserDomain UserId UserName
1 All Computers 1 2019-11-27T15:06:19Z 2001-01-01T00:13:00Z 780 0 19886 Trace - Install Endpoint Certificate [Windows] via Demisto API 1222 Apply Windows IPsec Quarantine 642 2001-01-01T00:00:00Z Pending false 11719 Windows machines EC2AMAZ-N5ETQVT 1 administrator

18. tn-list-actions


Returns all actions.

Base Command

tn-list-actions

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
Argument Name Description Required
limit The maximum number of actions to return. Optional

Context Output
Path Type Description
Tanium.Action.ActionGroupId Number The ID of the parent group of machines to target.
Tanium.Action.ActionGroupName String The name of the parent group of machines to target.
Tanium.Action.ApproverId Number The ID of the approver of this action.
Tanium.Action.ApproverName String The name of the approver of this action.
Tanium.Action.CreationTime Date The date and time when this object was created in the database.
Tanium.Action.ExpirationTime Date The date and time when the action expires.
Tanium.Action.ExpireSeconds Number The timeout in seconds for the action expiry.
Tanium.Action.HistorySavedQuestionId Number The ID of the saved question that tracks the results of the action.
Tanium.Action.ID Number The unique ID of the action object.
Tanium.Action.Name String The action name.
Tanium.Action.PackageId Number The ID of the package deployed by this action.
Tanium.Action.PackageName String The name of the package deployed by this action.
Tanium.Action.SavedActionId Number The ID of the saved action that this action was issued from, if any.
Tanium.Action.StartTime String The date and time when the action became active.
Tanium.Action.Status String The status of the action. Can be: "Pending", "Active", "Stopped", or "Expired".
Tanium.Action.StoppedFlag Boolean Whether an action stop has been issued for this action. A value of true indicates an action stop was issued.
Tanium.Action.TargetGroupId Number The ID of the group of machines to target.
Tanium.Action.TargetGroupName String The name of the group of machines to target.
Tanium.Action.UserDomain String The domain of the user who issued this action.
Tanium.Action.UserId Number The ID of the user who issued this action.
Tanium.Action.UserName String The name of the user who issued this action.

Command Example

!tn-list-actions limit=1

Context Example
{
    "Tanium.Action": [
        {
            "ActionGroupId": 432,
            "ActionGroupName": "Tanium Threat Response",
            "ApproverId": 1,
            "ApproverName": "administrator",
            "CreationTime": "2019-08-15T10:39:03Z",
            "ExpirationTime": "2019-08-15T10:50:03Z",
            "ExpireSeconds": 660,
            "HistorySavedQuestionId": 239,
            "ID": 1144,
            "Name": "Trace - Install Endpoint Certificate [Windows]",
            "PackageId": 220,
            "PackageName": "Trace - Install Endpoint Certificate [Windows]",
            "SavedActionId": 31,
            "StartTime": "2019-08-15T10:39:03Z",
            "Status": "Closed",
            "StoppedFlag": false,
            "TargetGroupId": 423,
            "TargetGroupName": "Default",
            "UserDomain": "EC2AMAZ-N5ETQVT",
            "UserId": 1,
            "UserName": "administrator"
        }
    ]
}
Human Readable Output

Actions

ActionGroupId ActionGroupName ApproverId ApproverName CreationTime ExpirationTime ExpireSeconds HistorySavedQuestionId ID Name PackageId PackageName SavedActionId StartTime Status StoppedFlag TargetGroupId TargetGroupName UserDomain UserId UserName
432 Tanium Threat Response 1 administrator 2019-08-15T10:39:03Z 2019-08-15T10:50:03Z 660 239 1144 Trace - Install Endpoint Certificate [Windows] 220 Trace - Install Endpoint Certificate [Windows] 31 2019-08-15T10:39:03Z Closed false 423 Default EC2AMAZ-N5ETQVT 1 administrator

19. tn-get-action


Returns an action object based on ID.

Base Command

tn-get-action

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
Argument Name Description Required
id The action ID. Required

Context Output
Path Type Description
Tanium.Action.ActionGroupId Number The ID of the parent group of machines to target.
Tanium.Action.ActionGroupName String The name of the parent group of machines to target.
Tanium.Action.ApproverId Number The ID of the approver of this action.
Tanium.Action.ApproverName String The name of the approver of this action.
Tanium.Action.CreationTime Date The date and time when this object was created in the database.
Tanium.Action.ExpirationTime Date The date and time when the action expires.
Tanium.Action.ExpireSeconds Number The timeout in seconds for the action expiry.
Tanium.Action.HistorySavedQuestionId Number The ID of the saved question that tracks the results of the action.
Tanium.Action.ID Number The unique ID of the action object.
Tanium.Action.Name String The action name.
Tanium.Action.PackageId Number The ID of the package deployed by this action.
Tanium.Action.PackageName String The name of the package deployed by this action.
Tanium.Action.SavedActionId Number The ID of the saved action that this action was issued from, if any.
Tanium.Action.StartTime String The date and time when the action became active.
Tanium.Action.Status String The status of the action. Can be: "Pending", "Active", "Stopped", or "Expired".
Tanium.Action.StoppedFlag Boolean Whether an action stop has been issued for this action. A value of true indicates an action stop was issued.
Tanium.Action.TargetGroupId Number The ID of the group of machines to target.
Tanium.Action.TargetGroupName String The name of the group of machines to target.
Tanium.Action.UserDomain String The domain of the user who issued this action.
Tanium.Action.UserId Number The ID of the user who issued this action.
Tanium.Action.UserName String The name of the user who issued this action.

Command Example

!tn-get-action id=2

Context Example
{
    "Tanium.Action": {
        "ActionGroupId": 3,
        "ActionGroupName": "Default",
        "ApproverId": 1,
        "ApproverName": "administrator",
        "CreationTime": "2018-12-10T13:21:01Z",
        "ExpirationTime": "2018-12-10T14:26:57Z",
        "ExpireSeconds": 3900,
        "HistorySavedQuestionId": 19,
        "ID": 2,
        "Name": "Distribute Tanium Standard Utilities (Linux)",
        "PackageId": 21,
        "PackageName": "Distribute Tanium Standard Utilities (Linux)",
        "SavedActionId": 2,
        "StartTime": "2018-12-10T13:21:57Z",
        "Status": "Closed",
        "StoppedFlag": false,
        "TargetGroupId": 15,
        "TargetGroupName": "Default",
        "UserDomain": "EC2AMAZ-N5ETQVT",
        "UserId": 1,
        "UserName": "administrator"
    }
}
Human Readable Output

Action information

ActionGroupId ActionGroupName ApproverId ApproverName CreationTime ExpirationTime ExpireSeconds HistorySavedQuestionId ID Name PackageId PackageName SavedActionId StartTime Status StoppedFlag TargetGroupId TargetGroupName UserDomain UserId UserName
3 Default 1 administrator 2018-12-10T13:21:01Z 2018-12-10T14:26:57Z 3900 19 2 Distribute Tanium Standard Utilities (Linux) 21 Distribute Tanium Standard Utilities (Linux) 2 2018-12-10T13:21:57Z Closed false 15 Default EC2AMAZ-N5ETQVT 1 administrator

20. tn-list-saved-actions-pending-approval


Retrieves all saved action approval definitions on the server.

Base Command

tn-list-saved-actions-pending-approval

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
Argument Name Description Required
limit The maximum number of saved actions to return. Optional

Context Output
Path Type Description
Tanium.PendingSavedAction.ApprovedFlag Boolean Whether the saved action is approved. True is approved.
Tanium.PendingSavedAction.ID Number The unique ID of the saved action object.
Tanium.PendingSavedAction.Name String The name of the saved action object.
Tanium.PendingSavedAction.OwnerUserId Number The ID of the user who owns this object.

Command Example

!tn-list-saved-actions-pending-approval limit=1

Context Example
{
    "Tanium.PendingSavedAction": [
        {
            "ApprovedFlag": false,
            "ID": 164,
            "Name": "Deploy Kill Process",
            "OwnerUserId": 1
        }
    ]
}
Human Readable Output

Saved actions pending approval

ApprovedFlag ID Name OwnerUserId
false 164 Deploy Kill Process 1

21. tn-get-group


Returns a group object based on ID or name.

Base Command

tn-get-group

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
Argument Name Description Required
id The group ID. Optional
name Name of group. Optional

Context Output
Path Type Description
Tanium.Group.ID Unknown The unique ID of the group object.
Tanium.Group.Name String The name of the group.
Tanium.Group.Text String A description of the clients that this group represents.
Tanium.Group.Type String The type of the group.
Tanium.Group.Deleted Boolean Whether the group is deleted. True if deleted.

Command Example

!tn-get-group name=`linux machines`

Context Example
{
    "Tanium.Group": {
        "Deleted": false,
        "ID": 11721,
        "Name": "linux machines",
        "Text": " OS Platform equals linux",
        "Type": "Manual group"
    }
}
Human Readable Output

Group information

Deleted ID Name Text Type
false 11721 linux machines OS Platform equals linux Manual group

22. tn-create-manual-group


Creates a group object based on computers or IP addresses list.

Base Command

tn-create-manual-group

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
Argument Name Description Required
group-name The name of the group to create. Required
computer-names Comma separated list of hosts. For example, Host1,Host2. Optional
ip-addresses Comma separated list of IP addresses. For example, 12.12.12.12,10.1.1.1. Optional

Context Output
Path Type Description
Tanium.Group.ID Number The unique ID of the group object.

Command Example

!tn-create-manual-group group-name=group11 computer-names=host1,host2

Context Example
{
    "Tanium.Group": {
        "Deleted": false,
        "ID": 31825,
        "Name": "group11",
        "Type": "Manual group"
    }
}
Human Readable Output

Group created

Deleted ID Name Type
false 31825 group11 Manual group

23. tn-create-filter-based-group


Creates a group object based on text filter.

Base Command

tn-create-filter-based-group

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
Argument Name Description Required
text-filter The text filter-based computer group. For example, operating system contains windows. Required
group-name Name of the group to create. Required

Context Output
Path Type Description
Tanium.Group.ID Number The unique ID of the group object.

Command Example

!tn-create-filter-based-group group-name=linux_machines text-filter=`operating system contains linux`

Context Example
{
    "Tanium.Group": {
        "ID": 31826,
        "Type": "Manual group"
    }
}
Human Readable Output

Group created

ID Type
31826 Manual group

24. tn-list-groups


Returns all groups.

Base Command

tn-list-groups

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
Argument Name Description Required
limit The maximum number of groups to return. Optional

Context Output
Path Type Description
Tanium.Group.ID Number The unique ID of the group object.
Tanium.Group.Name String The name of the group.
Tanium.Group.Text String A description of the clients that this group represents.
Tanium.Group.Type String The type of the group.
Tanium.Group.Deleted Boolean whether the group is deleted. True if deleted.

Command Example

!tn-list-groups limit=1

Context Example
{
    "Tanium.Group": [
        {
            "Deleted": false,
            "ID": 315,
            "Name": "Default",
            "Type": "Action group"
        }
    ]
}
Human Readable Output

Groups

Deleted ID Name Text Type
false 315 Default Action group

25. tn-delete-group


Deletes a group object.

Base Command

tn-delete-group

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
Argument Name Description Required
id The group ID. Required

Context Output
There are no context output for this command.

Command Example

!tn-delete-group id=31822

Context Example
{
    "Tanium.Group": {
        "Deleted": true,
        "ID": 31822
    }
}
Human Readable Output

Group has been deleted. ID = 31822

26. tn-create-action-by-host


Creates an action object, based on a package name or package ID.

Base Command

tn-create-action-by-host

Required Permissions

The following permissions are required for this command.

  • permission 1
  • permission 2
Input
Argument Name Description Required
package-id The package ID. Optional
package-name The package name. Target group is required and can passed by name or ID. When both exist, the ID is used. Note the target group should be different than "All Computers" or "Default". Optional
parameters Package parameters. For example, $1=Value1;$2=Value2;$3=Value3. Optional
action-group-id The action group ID to deploy the package. Required
hostname The hostname to deploy the package. Hostname or IP address is required. Optional
ip-address The IP address of the host to deploy the package. Optional
action-name The action name. Optional

Context Output
Path Type Description
Tanium.Action.ActionGroupId Number The id of the parent group of machines to target.
Tanium.Action.ActionGroupName String The name of the parent group of machines to target.
Tanium.Action.ApproverId Number The id of the approver of this action.
Tanium.Action.ApproverName String The name of the approver of this action.
Tanium.Action.CreationTime Date The date and time when this object was created in the database.
Tanium.Action.ExpirationTime Date The date and time when the action expires.
Tanium.Action.ExpireSeconds Number The timeout in seconds for the action expiry.
Tanium.Action.HistorySavedQuestionId Number The ID of the saved question that tracks the results of the action.
Tanium.Action.ID Number The unique ID of the action object.
Tanium.Action.Name String The action name.
Tanium.Action.PackageId Number The ID of the package deployed by this action.
Tanium.Action.PackageName String The name of the package deployed by this action.
Tanium.Action.SavedActionId Number The ID of the saved action that this action was issued from, if any.
Tanium.Action.StartTime String The date and time when the action became active.
Tanium.Action.Status String The status of the action. Can be: "Pending", "Active", "Stopped", or "Expired".
Tanium.Action.StoppedFlag Boolean Whether an action stop has been issued for this action. A value of true indicates an action stop was issued.
Tanium.Action.TargetGroupId Number The ID of the group of machines to target.
Tanium.Action.TargetGroupName String The name of the group of machines to target.
Tanium.Action.UserDomain String The domain of the user who issued this action.
Tanium.Action.UserId Number The ID of the user who issued this action.
Tanium.Action.UserName String The name of the user who issued this action.

Command Example

!tn-create-action-by-host action-group-id=1 action-name=`Trace - Install Endpoint Certificate [Windows]` package-id=225 ip-address=127.0.0.1

Context Example
{
    "Tanium.Action": {
        "ActionGroupId": 1,
        "ActionGroupName": "All Computers",
        "ApproverId": 1,
        "CreationTime": "2019-11-27T15:06:19Z",
        "ExpirationTime": "2001-01-01T00:13:00Z",
        "ExpireSeconds": 780,
        "HistorySavedQuestionId": 0,
        "ID": 19881,
        "Name": "Trace - Install Endpoint Certificate [Windows] via Demisto API",
        "PackageId": 1222,
        "PackageName": "Apply Windows IPsec Quarantine",
        "SavedActionId": 642,
        "StartTime": "2001-01-01T00:00:00Z",
        "Status": "Pending",
        "StoppedFlag": false,
        "TargetGroupId": 31823,
        "TargetGroupName": "Default",
        "UserDomain": "EC2AMAZ-N5ETQVT",
        "UserId": 1,
        "UserName": "administrator"
    }
}
Human Readable Output

Action created

ActionGroupId ActionGroupName ApproverId ApproverName CreationTime ExpirationTime ExpireSeconds HistorySavedQuestionId ID Name PackageId PackageName SavedActionId StartTime Status StoppedFlag TargetGroupId TargetGroupName UserDomain UserId UserName
1 All Computers 1 2019-11-27T15:06:19Z 2001-01-01T00:13:00Z 780 0 19881 Trace - Install Endpoint Certificate [Windows] via Demisto API 1222 Apply Windows IPsec Quarantine 642 2001-01-01T00:00:00Z Pending false 31823 Default EC2AMAZ-N5ETQVT 1 administrator

Additional Information

Known Limitations

Troubleshooting