Tanium

Integration version: 11.0

Prerequisites

Tanium uses API tokens to authenticate calls into the REST APIs. For more information on how to generate API tokens, see Managing API tokens in the Tanium documentation.

Integrate Tanium with Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
API Root URL N/A Yes Specify the Tanium API Root that integration should use.
API Token Password N/A Yes Specify the Tanium API Token that integration should use.
Verify SSL Checkbox Checked No If enabled, the Google Security Operations SOAR server checks that the certificate is configured for the API root.

Actions

Ping

Test connectivity to the Tanium installation with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Run on

This action doesn't run on entities, nor has mandatory input parameters.

Action results

Script result
Script Result Name Value Options Example
is_success True/False is_success:False
Case wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful: "Successfully connected to the Tanium installation with the provided connection parameters!"

The action should fail and stop a playbook execution:

If critical error, like wrong credentials or lost connectivity is reported: "Failed to connect to the Tanium installation! Error is {0}".format(exception.stacktrace)

General

Enrich Entities

Enrich entities using information from Tanium. Action is a Google Security Operations SOAR async action. Supported entities: Hostname, IP Address.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Additional Fields CSV N/A No

Specify additional fields to fetch from Tanium for entity enrichment.

Parameter accepts multiple values as a comma-separated string.

Run on

This action runs on the following entities:

  • IP Address
  • Hostname

Action results

Script result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON result
{
    "data": {
        "now": "2022/01/28 10:18:54 GMT-0000",
        "max_available_age": "",
        "result_sets": [
            {
                "age": 0,
                "id": X,
                "report_count": 2,
                "saved_question_id": 0,
                "question_id": X,
                "archived_question_id": 0,
                "seconds_since_issued": 0,
                "issue_seconds": 0,
                "expire_seconds": 0,
                "tested": 4,
                "passed": 1,
                "mr_tested": 4,
                "mr_passed": 4,
                "estimated_total": 4,
                "select_count": 10,
                "error_count": 0,
                "no_results_count": 0,
                "columns": [
                    {
                        "hash": X,
                        "name": "Computer ID",
                        "type": 1
                    },
                    {
                        "hash": 0,
                        "name": "Count",
                        "type": 3
                    }
                ],
                "cache_id": "X",
                "expiration": 0,
                "filtered_row_count": 1,
                "filtered_row_count_machines": 1,
                "row_count": 1,
                "row_count_machines": 1,
                "item_count": 1,
                "rows": [
                    {
                        "id": x,
                        "cid": x,
                        "data": [
                            [
                                {
                                    "text": "X"
                                }
                            ],
                            [
                                {
                                    "text": "No User"
                                }
                            ],
                            [
                                {
                                    "text": "1"
                                }
                            ]
                        ]
                    }
                ]
            }
        ]
    }
}
Enrichment table

Prefix: Tanium_

Enrichment Field Name Logic - When to apply
Computer_ID When available in JSON
Operating_System When available in JSON
OS_Platform When available in JSON
Service_Pack When available in JSON
Domain_Name When available in JSON
Uptime When available in JSON
System_UUID When available in JSON
IP_Address When available in JSON
Case wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If data is available for one entity (is_success = true): "Successfully enriched the following entities using information from Tanium: {entity.identifier}".

If data is not available for one entity (is_success=true): "Action wasn't able to enrich the following entities using information from Tanium: {entity.identifier}"

If there are multiple matches in Tanium for the provided entity (is_success=true): "Multiple results found in Tanium for the entities, taking first match: {entity.identifier}"

If data is not available for all entities (is_success=false): "None of the provided entities were enriched."

The action should fail and stop a playbook execution:

If the 400 status code (bad syntax of question) is reported: "Error executing action "Enrich Entities" because provided question text is invalid. "

If fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Enrich Entities"." Reason: {0}''.format(error.Stacktrace)

General
Case Wall Table

Table Name: {entity.identifier}

Table Columns:

  • Key
  • Value
Entity

Create Question

Create a new Tanium question based on the specified parameters, and the question is immediately asked. Action returns question ID that can be passed to the "Get Question Results" action to get question results. Note that the action is not working with Google Security Operations SOAR entities.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Question Text String N/A Yes

Specify the contents of Tanium question.

Example: Get Operating System from all machines

Run on

The action doesn't run on entities.

Action results

Script result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON result
{
    "data": {
        "id": X
    }
}
Case wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If data is available (is_success = true): "Successfully created Tanium question with id {question_id_from_response}".

The action should fail and stop a playbook execution:

If the 400 status code (bad syntax of question) is reported: "Error executing action "Create Question" because provided question text is invalid. "

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Create Question". Reason: {0}''.format(error.Stacktrace)

General

Get Question Results

Fetch results for the Tanium question. Action is a Google Security Operations SOAR async action. Note that the action is not working with Google Security Operations SOAR entities.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Question ID Integer N/A Yes Specify the Tanium question ID to get results for.
Create Case Wall Table Checkbox Checked No If enabled, the action creates a case wall table as part of action results.
Max Rows to Return Integer 50 Yes Specify the maximum number of rows that the action should return for the question.

Run on

This action doesn't run on entities.

Action results

Script result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON result
{
    "data": {
        "now": "2022/01/29 04:09:29 GMT-0000",
        "max_available_age": "",
        "result_sets": [
            {
                "age": 0,
                "id": X,
                "report_count": 3,
                "saved_question_id": 0,
                "question_id": X,
                "archived_question_id": 0,
                "seconds_since_issued": 0,
                "issue_seconds": 0,
                "expire_seconds": 0,
                "tested": 4,
                "passed": 4,
                "mr_tested": 4,
                "mr_passed": 4,
                "estimated_total": 4,
                "select_count": 1,
                "error_count": 0,
                "no_results_count": 0,
                "columns": [
                    {
                        "hash": 45421433,
                        "name": "Operating System",
                        "type": 1
                    }
                ],
                "cache_id": "X",
                "expiration": 0,
                "filtered_row_count": 4,
                "filtered_row_count_machines": 4,
                "row_count": 4,
                "row_count_machines": 4,
                "item_count": 4,
                "rows": [
                    {
                        "id": X,
                        "cid": 0,
                        "data": [
                            [
                                {
                                    "text": "X"
                                }
                            ],
                            [
                                {
                                    "text": X
                                }
                            ]
                        ]
                    },
                    {
                        "id": X,
                        "cid": 0,
                        "data": [
                            [
                                {
                                    "text": X
                                }
                            ],
                            [
                                {
                                    "text": X
                                }
                            ]
                        ]
                    },
                    {
                        "id": X,
                        "cid": 0,
                        "data": [
                            [
                                {
                                    "text": X
                                }
                            ],
                            [
                                {
                                    "text": X
                                }
                            ]
                        ]
                    },
                    {
                        "id": X,
                        "cid": 0,
                        "data": [
                            [
                                {
                                    "text": X
                                }
                            ],
                            [
                                {
                                    "text": X
                                }
                            ]
                        ]
                    }
                ]
            }
        ]
    }
}
Case wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If data is available (is_success=true): "Successfully fetched results for the following Tanium question id: {question id}".

If data is not available (is_success=false): "No results were found for the Tanium question id: {question id}"

The action should fail and stop a playbook execution:

If the 404 status code (question doesn't exist) is reported: "Failed to find Tanium question with question id {question_id}. "

If fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Qet Question Results". Reason: {0}''.format(error.Stacktrace)

General
Table

Table Name: Tanium Question {question_id} Results

Table Columns:

Columns are generated based on the data returned from a question.

General

List Endpoint Events

List events related to the endpoints from Tanium. Action works with Tanium Threat Response API.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Event Type DDL

Combined

Possible values:

  • File
  • Network
  • Process
  • Registry
  • Driver
  • Combined
  • DNS
  • Image
No Specify the type of the event that needs to be returned.
Time Frame DDL

Last Hour

Possible Values:

  • Last Hour
  • Last 6 Hours
  • Last 24 Hours
  • Last Week
  • Last Month
  • Alert Time Till Now
  • 5 Minutes Around Alert Time
  • 30 Minutes Around Alert Time
  • 1 Hour Around Alert Time
  • Custom
No

Specify a time frame for the results.

If "Alert Time Till Now" is selected, the action uses start time of the alert as start time for the search and end time is current time.

If "30 Minutes Around Alert Time" is selected, the action searches the alerts 30 minutes before the alert happened till 30 minutes after the alert has happened. Same idea applies to "1 Hour Around Alert Time" and "5 Minutes Around Alert Time". If "Custom" is selected, you also need to provide the "Start Time" parameter.

Start Time String N/A No

Specify the start time for the results.

This parameter is mandatory, if "Custom" is selected for the "Time Frame" parameter.

Format: ISO 8601

End Time String N/A No

Specify the end time for the results.

If nothing is provided and "Custom" is selected for the "Time Frame" parameter then this parameter uses current time.

Format: ISO 8601

Sort Field String timestamp No Specify the parameter that should be used for sorting.
Sort Order DDL

ASC Possible

Values:

  • ASC
  • DESC
No Specify the order of sorting.
Max Events To Return Integer 50 No

Specify the number of events to return per entity.

Maximum: 500

Run on

This action doesn't run on entities.

Action results

Script result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON result
{
  "events": [
    {
      "create_time": "2022-01-18 11:59:52.000",
      "end_time": null,
      "exit_code": null,
      "pid": 2,
      "process_path": "kthreadd",
      "id": "72057594037927939",
      "process_table_id": "72057594037927939",
      "parent_process_table_id": "72057594037927937",
      "parent_pid": -1,
      "user_name": "root",
      "group_name": "root",
      "hash_type_name": null,
      "hash": null,
      "process_command_line": null,
      "parent_path": "<Unknown Process>",
      "parent_command_line": "<Unknown Process>",
      "parent_hash": null,
      "create_time_raw": 1642507192000,
      "end_time_raw": null
    }
  ]
}
Case wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

If at least one event is found for an endpoint (is_success=true): "Successfully returned events for the following endpoints in Tanium:\n".format(entity)."

If no events are found for an endpoint (is_success=true): "No events were found for the following endpoints in Tanium:\n".format(entity)."

If no events are found for all endpoints (is_success=true): "No events were found for the provided endpoints in Tanium."

If couldn't create connection or no connection found for some endpoints (is_success=true): "Action wasn't able to retrieve information about events from the following endpoints in Tanium due to agent connectivity issues: {entity}. Please make sure that those hostnames are connected to the Tanium Threat Response module."

If didn't enrich all (is_success=false): "No information about IOCs were found."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Enrich IOC". Reason: {0}''.format(error.Stacktrace)

If couldn't create connection or no connection is found for all endpoints (is_success=false): "Error executing action "List Endpoint Events". Reason: action wasn't able to retrieve information about events from the provided endpoints in Tanium due to agent connectivity issues. Please make sure that those hostnames are connected to the Tanium Threat Response module."

General

Quarantine Endpoint

Quarantine the endpoints in Tanium. Action works with Tanium Threat Response API.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Only Initiate Checkbox Unchecked Yes If enabled, the action only initiates the task execution without waiting for results.
Package Names String
  • Apply Linux IPTables Quarantine for Linux
  • Apply Mac PF Quarantine for macOS
  • Apply Windows IPsec Quarantine for Windows
Yes A JSON object containing all package names for every operating system.

Run on

This action runs on the following entities:

  • IP Address
  • Hostname

Action results

Script result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON result
{
  "id": 82,
  "type": "responseAction",
  "status": "COMPLETED",
  "metadata": {
      "id": 2,
      "type": "gatherSnapshot",
      "status": "RUNNING",
      "computerName": "EX01.exlab.local",
      "userId": 1,
      "userName": "tanium",
      "options": {},
      "results": {
          "taskIds": [
              73
          ],
          "actionIds": []
      },
      "expirationTime": "2022-03-08T14:31:50.211Z",
      "createdAt": "2022-03-01T14:31:50.212Z",
      "updatedAt": "2022-03-01T14:36:19.533Z"
  },
  "results": {
      "didActionComplete": false,
      "stopped": true,
      "finished": true
  },
  "error": null,
  "startTime": "2022-03-01T14:42:10.390Z",
  "endTime": "2022-03-01T15:29:50.495Z",
  "createdAt": "2022-03-01T14:42:10.379Z",
  "updatedAt": "2022-03-01T14:42:10.379Z"
}
Case wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If at least one endpoint is quarantined (is_success=true): "Successfully initiated quarantine on the following endpoints in Tanium:\n".format(entity)

If at least one endpoint is not quarantined, but not due to timeout (is_success=false): "Action wasn't able to quarantine the following endpoints in Tanium: {entity}. Please make sure that the Tanium Threat Response agent is connected properly and the hostname/IP address is correct."

If all endpoints are not quarantined, but not due to timeout (is_success=false): "Action wasn't able to quarantine the provided endpoints in Tanium. Please make sure that the Tanium Threat Response agent is connected properly and the hostname/IP address is correct."

Async Pending entities: {entities}

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Enrich IOC". Reason: {0}''.format(error.Stacktrace)

If couldn't create connection or no connection found for all endpoints (is_success=false): "Error executing action "Quarantine Endpoint". Reason: action wasn't able to quarantine the provided endpoints in Tanium due to agent connectivity issues. Please make sure that the endpoints are connected to the Tanium Threat Response module and the hostname/IP address is correct."

If run into a timeout: "Error executing action "Quarantine Endpoint". Reason: action ran into a timeout during execution. Pending entities: {entities that are still in progress}. Please increase the timeout in IDE or enable "Only Initiate"."

General

Download File

Download a file from endpoints in Tanium. Action works with Tanium Threat Response API.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
File Paths CSV N/A Yes Specify the absolute path of the files on the endpoint that needs to be downloaded.
Download Folder Path String N/A Yes Specify the path to the folder, where you want to store the files.
Overwrite Checkbox Unchecked Yes If enabled, the action overwrites the file with the same name.

Run on

This action runs on the following entities:

  • IP Address
  • Hostname

Action results

Script result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON result
{
    "absolute_file_path": [
        "file_path_1",
        "file_path_2"
    ],
    "entity": [
        {
            "identifier": "",
            "task_details": {
                "id": 81,
                "type": "fileDownload",
                "status": "COMPLETED",
                "metadata": {
                    "connection": "remote:centos-003:3864230059:1",
                    "paths": [
                        "/tmp/saaj-impl.jar"
                    ],
                    "compress": "true"
                },
                "results": {
                    "completed": [
                        "/tmp/saaj-impl.jar"
                    ],
                    "failed": [],
                    "fileResults": [
                        {
                            "response": {
                                "source": "/tmp/saaj-impl.jar",
                                "target": "/opt/Tanium/TaniumModuleServer/services/threat-response-service/tmp/4965e791-db87-4f31-ba60-2e52c9bac3de",
                                "totalBytes": 503502,
                                "transferHash": "5402c16c3873a722b94d8a3101cb98f5e4f862acc69cdee3a94cf40c1b04b265",
                                "totalTimeMs": 260,
                                "avgBytesPerSecond": 504123.0769230769
                            },
                            "uuid": "eb5077b3-9b02-42e2-bba4-58d9668a14e4",
                            "finalPath": "/opt/Tanium/TaniumModuleServer/services/threat-response-files/evidence/files/eb5077b3-9b02-42e2-bba4-58d9668a14e4.zip"
                        }
                    ]
                },
                "error": null,
                "startTime": "2022-03-01T14:38:23.952Z",
                "endTime": "2022-03-01T14:38:24.559Z",
                "createdAt": "2022-03-01T14:38:23.943Z",
                "updatedAt": "2022-03-01T14:38:23.943Z"
            }
        }
    ]
}
Case wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If at least one file is downloaded per entity (is_success=true): "Successfully downloaded the following files from the endpoint {entity} in Tanium:\n".format(downloaded files)."

If at least one file is not downloaded per entity, but not due to timeout (is_success=false): "Action wasn't able to download the following files from the endpoint {entity} in Tanium: {pending files}. Please make sure that the Tanium Threat Response agent is connected properly and the hostname/IP address is correct. The JSON result has more details about the tasks."

Async Pending entities: {entities}

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Download File". Reason: {0}''.format(error.Stacktrace)"

If a file with the same name already exists, but "Overwrite" == false: "Error executing action "Download File". Reason: files with path {0} already exist. Please delete the files or set "Overwrite" to true."

If run into a timeout: "Error executing action "Download File". Reason: action ran into a timeout during execution. Pending entities: {entities that are still in progress}. Please increase the timeout in IDE."

General

Delete File

Download a file from endpoints in Tanium. Action works with Tanium Threat Response API.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
File Paths CSV N/A Yes Specify the absolute path of the files on the endpoint that needs to be deleted.

Run on

This action works with the following entities:

  • IP Address
  • Hostname

Action results

Script result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON result
{
  "success": [],
  "not_exist_already_or_errors": []
}
Case wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If at least one file is deleted (status code: 204, is_success=true): "Successfully deleted files from the following endpoints in Tanium:\n".format(entity)."

If at least one file doesn't exist on one endpoint (status code: 500, is_success=true): "Status about some of the files is not clear, please check the JSON result. Tanium returns status code 500 in the case, when file is not found, but also, if there are some other challenges."

If at least one file doesn't exist on all endpoints (status code: 500, is_success=false): "Status about all of the files is not clear, please check the JSON result. Tanium returns status code 500 in the case, when file is not found, but also, if there are some other challenges."

If at least one endpoint is not found (is_success=true): "Action wasn't able to delete files from the following endpoints in Tanium: {entity}. Please make sure that the Tanium Threat Response agent is connected properly and the hostname/IP address is correct."

If all endpoints are not found (is_success=false): "Action wasn't able to delete files from the provided endpoints in Tanium. Please make sure that the Tanium Threat Response agent is connected properly and the hostname/IP address is correct."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Delete File". Reason: {0}''.format(error.Stacktrace)

General

Get Task Details

Retrieve details about a task in Tanium. Action works with Tanium Threat Response API.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Task IDs CSV N/A Yes Specify a comma-separated list of task IDs for which you want to fetch details.
Wait For Completion Checkbox Checked No

If enabled, the action waits for the task to have one of the following statuses:

  • Completed
  • Incomplete
  • Error

Run on

This action doesn't run on entities.

Action results

Script result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON result
{
    "id": 81,
    "type": "fileDownload",
    "status": "COMPLETED",
    "metadata": {
        "connection": "remote:centos-003:3864230059:1",
        "paths": [
            "/tmp/saaj-impl.jar"
        ],
        "compress": "true"
    },
    "results": {
        "completed": [
            "/tmp/saaj-impl.jar"
        ],
        "failed": [],
        "fileResults": [
            {
                "response": {
                    "source": "/tmp/saaj-impl.jar",
                    "target": "/opt/Tanium/TaniumModuleServer/services/threat-response-service/tmp/4965e791-db87-4f31-ba60-2e52c9bac3de",
                    "totalBytes": 503502,
                    "transferHash": "5402c16c3873a722b94d8a3101cb98f5e4f862acc69cdee3a94cf40c1b04b265",
                    "totalTimeMs": 260,
                    "avgBytesPerSecond": 504123.0769230769
                },
                "uuid": "eb5077b3-9b02-42e2-bba4-58d9668a14e4",
                "finalPath": "/opt/Tanium/TaniumModuleServer/services/threat-response-files/evidence/files/eb5077b3-9b02-42e2-bba4-58d9668a14e4.zip"
            }
        ]
    },
    "error": null,
    "startTime": "2022-03-01T14:38:23.952Z",
    "endTime": "2022-03-01T14:38:24.559Z",
    "createdAt": "2022-03-01T14:38:23.943Z",
    "updatedAt": "2022-03-01T14:38:23.943Z"
}
Case wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If at least one task is fetched (is_success=true): "Successfully fetched details about the following tasks in Tanium:\n".format(id)."

If at least one task is not found (is_success=true): "Action wasn't able to find the following tasks in Tanium:\n".format(id)."

If at least one task is not found (is_success=true): "No tasks were found in Tanium."

Async fetching details about tasks: {task ids}

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Get Task Details". Reason: {0}''.format(error.Stacktrace)"

If run into a timeout and the "Wait for completion" parameter is enabled: "Error executing action "Get Task Details". Reason: action ran into a timeout during execution. Pending tasks: {tasks that are still in progress}. Please increase the timeout in IDE."

General

Create Connection

Create connection to the endpoint in Tanium.

Entities

This action runs on the Hostname and IP Address entities.

Action inputs

N/A

Action outputs

Action output type
Case wall attachment N/A
Case wall link N/A
Case wall table N/A
Enrichment table N/A
JSON result N/A
Script result Available
Script result
Script result name Value
is_success True/False
Case wall

The action provides the following output messages:

Output message Message description

Successfully created a connection for the following entities: LIST_OF_SUCCESSFUL_ENTITIES

No suitable entities were found in the scope.

Action succeeded.

Action wasn't able to create a connection for the following entities: LIST_OF_FAILED_ENTITIES

Error executing action "Create Connection". Reason: ERROR_REASON

Action failed.

Check connection to the server, input parameters, or credentials.

List Connections

List endpoint connections in Tanium.

Entities

This action doesn't run on entities.

Action inputs

N/A

Action outputs

Action output type
Case wall attachment N/A
Case wall link N/A
Case wall table N/A
Enrichment table N/A
JSON result N/A
Script result Available
Script result
Script result name Value
is_success True/False
Case wall

The action provides the following output messages:

Output message Message description

Successfully found connections in INTEGRATION

No connections were found in INTEGRATION

Action succeeded.
Error executing action "List Connections". Reason: ERROR_REASON

Action failed.

Check connection to the server, input parameters, or credentials.