About the connector
Tanium is an endpoint security and systems management solution.
This document provides information about the Tanium connector, which facilitates automated interactions, with a Tanium server using FortiSOAR™ playbooks. Add the Tanium connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically getting information about processes running on a machine, or uploading a file from a Mac or Linux machine to a specified location.
Version information
Connector Version: 1.0.1
Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later
Compatibility with Tanium Versions: 6.1 and later
Release Notes for version 1.0.1
Following enhancements have been made to the Tanium Connector in version 1.0.1:
- Masked the text entered in the Password field on the
Configuration page.
- Added a link to the online help.
Installing the connector
For the procedure to install a connector, click here.
Prerequisites to configuring the connector
- You must have the URL of Tanium server and credentials to access the URL.
- You must synchronize the time of your FortiSOAR™ instance with that on the Tanium server.
Configuring the connector
For the procedure to configure a connector, click here.
Configuration parameters
In FortiSOAR™, on the Connectors page, select the Tanium connector and click Configure to configure the following parameters:
| Parameter |
Description |
| Tanium API Server |
IP/FQDN of the Tanium API server. |
| Tanium API Port |
Port number of the Tanium API server.
Defaults to 443. |
| Username |
Username to access the endpoint. |
| Password |
Password to access the endpoint. |
| Verify SSL |
Verify SSL connection to the Tanium API server.
Defaults to True. |
Actions supported by the connector
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
| Function |
Description |
Annotation and Category |
| Get Computer Information |
Get information, such as Computer ID, BIOs Name, about the specified machine. You can specify the list of parameters you want to retrieve for a machine. |
get_sys_info
Investigation |
| Get Running Processes |
Get information about all the processes running on the specified machine. |
get_processes
Investigation |
| Get Installed Software |
Get information about all the software installed on the specified machine. |
get_softwares
Investigation |
| Issue Saved Question |
Issues a saved Tanium question with the specified id and fetches the latest results. |
run_query
Investigation |
| Reissue Action |
Reissues the action with the specified id and fetches the latest results. |
run_query
Miscellaneous |
| Execute Package on a Machine |
Executes the package with the specified name on a machine. |
run_script
Miscellaneous |
The Tanium connector also includes a sample FortiSOAR™ forwarder: cyops_forwarder.py. Running the cyops_forwarder.py script starts a socket listener on port 5000. You can leverage the socket listener to forward results and logs from the Tanium server automatically to FortiSOAR™ using the ‘Tanium Connect’ solution. For more information on the Tanium Connect solution, refer to Tanium documentation (Tanium Connect User Guide). If you have installed the Tanium Connect solution, you can create a Connection that forwards the results from the Tanium server automatically to this socket listener, which in turn forwards this data to a FortiSOAR™ API URL. You can write a playbook to include the same API trigger and take appropriate action based on your use case.
operation: Get Computer Information
Input parameters
| Parameter |
Description |
| machine_name |
Hostname of the machine from which you want to retrieve data.
If you do not specify atleast one of the three inputs: machine_name, ip_address, or mac_address, the API fetches the information for all endpoints. |
| ip_address |
IP address of the machine from which you want to retrieve data. |
| mac_address |
Mac address of the machine from which you want to retrieve data.
You must specify at least one of the following parameters: machine_name, ip_address, or mac_address. |
| sensors |
List of parameters that must be read from the machine.
The following information is retrieved from the specified machine by default: ['Computer ID', 'Computer Name', 'IP Address', 'Operating System', 'CPU Details', 'System UUID', 'Computer Serial Number', 'MAC Address', 'BIOS Name', 'BIOS Version'].
You can provide an alternate list of parameters by setting this variable. The list of sensors that you specify must be present in the Tanium supported list, and you must deploy the required packages on the client machines.
For more information on sensor creation, refer to Tanium documentation (Sensor Creation). |
Output
A JSON with keys ‘jsonData’ and ‘rawXml’ is generated. rawXML is value of the ‘ResultXML’ key from the Tanium SOAP API call. jsonData is a json formatted version of the same for easy reference. All data for a given machine is against a Tanium generated id for the host as the key.
Following image displays a sample output:
operation: Get Running Processes
Input parameters
| Parameter |
Description |
| machine_name |
Hostname of the machine from which you want to retrieve data about the processes that are running. |
| ip_address |
IP address of the machine from which you want to retrieve data about the processes that are running. |
| mac_address |
Mac address of the machine from which you want to retrieve data about the processes that are running. |
Output
A JSON with keys ‘jsonData’ and ‘rawXml’ is generated similar to the other operations. Tanium generated ids for the processes are the keys, with process data against them.
Following image displays a sample output:
operation: Get Installed Softwares
Input parameters
| Parameter |
Description |
| machine_name |
Hostname of the machine from which you want to retrieve data about the software installed. |
| ip_address |
IP address of the machine from which you want to retrieve data about the software installed. |
| mac_address |
Mac address of the machine from which you want to retrieve data about the software installed.
You must specify at least one of the following parameters: machine_name, ip_address, or mac_address. |
Output
A JSON with keys ‘jsonData’ and ‘rawXml’ is generated similar to the other operations. Tanium generated ids for the machines are the keys, with installed software data against them.
Following image displays a sample output:
operation: Issue Saved Question
Input parameters
| Parameter |
Description |
| saved_question_id |
ID of the question to be reissued.
To get the ID of a saved question, log on to Tanium Console > Authoring > Saved Question. |
Output
A JSON with keys ‘jsonData’ and ‘rawXml’ is generated. rawXML is value of the ‘ResultXML’ key from the Tanium SOAP API call. jsonData is a json formatted version of the same with keys as column names from the xml result.
For example, if the id of a question GET Installed Applications FROM all machines WITH Computer Name matching "WIN-52BQOBLA9FT", the following image displays the sample output:
operation: Reissue Action
Input parameters
| Parameter |
Description |
| Action Id |
ID of the action to be reissued.
To get the ID of a previously run action, log on to Tanium Console > Actions > Action History. |
Output
A json with keys ‘jsonData’ and ‘rawXml’ is generated similar to the other operations. ‘jsonData’ contains the action id and status that is parsed from the ‘rawXml’ after the command has completed or timed out. The timeout has been set to five minutes.
For example, when a Registry - Create Key action on machine matching the hostname is reissued, the following image displays the sample output:
operation: Execute Package on Machine
Input parameters
| Parameter |
Description |
| machine_name |
Hostname of the machine on which you want to run the package. |
| ip_address |
IP address of the machine on which you want to run the package. |
| mac_address |
Mac address of the machine on which you want to run the package.
You must specify at least one of the following parameters: machine_name, ip_address, or mac_address. |
| package_name |
Name of the package to be run.
To get the package name, log on to Tanium Console > Authoring > Packages. Edit any package to get its details, including its 'Package Name'. |
| package_inputs |
Inputs to the package in json format.
For example, {\"param1\": \"value1\"}.
To get the list of inputs to a package, log on to Tanium Console > Authoring > Packages. Edit any package to get its details, including its input list. |
Output
A JSON with keys ‘jsonData’ and ‘rawXml’ is generated similar to the other operations. ‘jsonData’ contains the action id and status that is parsed from the ‘rawXml’ after the command has completed or timed out. The timeout has been set to five minutes.
For example, when a Registry - Create Key action on machine matching the hostname is reissued, the following image displays the sample output:
Included playbooks
The following playbooks come bundled with the Tanium connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Orchestration and Playbooks section in FortiSOAR™ after importing the Tanium connector.
- Get Data for a Machine and add as asset: This playbook adds the machine details in the
Asset module in FortiSOAR™.
- Issue Saved Question
- Execute Package On Machine
- Get Data from Tanium
- Get All Assets
- Update Incident with Asset Data: This playbook updates some custom fields in the
Incident module. A sample incident module with these fields is available at <tanium>/playbooks/TaniumIncidents.json in the connector package.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.
Troubleshooting
suds.TypeNotFound: Type not found.
The tanium connector operations throws this error because of minor differences between the wsdl for different Tanium versions. The default wsdl shipped with the connector is for Tanium version 7.0. For the TypeNotFound error, replace the console.wsdl file located at tanium/files with the wsdl from your Tanium server and then add the connector again. To get the wsdl file, refer to Tanium documentation (Tanium WSDL File).
Connector functions fail with the ‘Could not get result from the Tanium Server before timeout’ error
This error occurs if the time on your FortiSOAR™ instance is ahead of the time that is on the Tanium server. In this case, all questions that you ask to the Tanium server would be reported as expired. To solve this issue, you must synchronize the time of your FortiSOAR™ instance with that on the Tanium server.
