Tanium is an endpoint security and systems management solution.
This document provides information about the Tanium connector, which facilitates automated interactions, with a Tanium server using FortiSOAR™ playbooks. Add the Tanium connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically getting information about processes running on a machine, or uploading a file from a Mac or Linux machine to a specified location.
Connector Version: 1.0.1
Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later
Compatibility with Tanium Versions: 6.1 and later
Following enhancements have been made to the Tanium Connector in version 1.0.1:
Configuration
page.
For the procedure to install a connector, click here.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the Tanium connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
Tanium API Server | IP/FQDN of the Tanium API server. |
Tanium API Port | Port number of the Tanium API server. Defaults to 443. |
Username | Username to access the endpoint. |
Password | Password to access the endpoint. |
Verify SSL | Verify SSL connection to the Tanium API server. Defaults to True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Computer Information | Get information, such as Computer ID, BIOs Name, about the specified machine. You can specify the list of parameters you want to retrieve for a machine. | get_sys_info Investigation |
Get Running Processes | Get information about all the processes running on the specified machine. | get_processes Investigation |
Get Installed Software | Get information about all the software installed on the specified machine. | get_softwares Investigation |
Issue Saved Question | Issues a saved Tanium question with the specified id and fetches the latest results. | run_query Investigation |
Reissue Action | Reissues the action with the specified id and fetches the latest results. | run_query Miscellaneous |
Execute Package on a Machine | Executes the package with the specified name on a machine. | run_script Miscellaneous |
The Tanium connector also includes a sample FortiSOAR™ forwarder: cyops_forwarder.py
. Running the cyops_forwarder.py
script starts a socket listener on port 5000. You can leverage the socket listener to forward results and logs from the Tanium server automatically to FortiSOAR™ using the ‘Tanium Connect’ solution. For more information on the Tanium Connect solution, refer to Tanium documentation (Tanium Connect User Guide). If you have installed the Tanium Connect solution, you can create a Connection
that forwards the results from the Tanium server automatically to this socket listener, which in turn forwards this data to a FortiSOAR™ API URL. You can write a playbook to include the same API trigger and take appropriate action based on your use case.
Parameter | Description |
---|---|
machine_name | Hostname of the machine from which you want to retrieve data. If you do not specify atleast one of the three inputs: machine_name , ip_address , or mac_address , the API fetches the information for all endpoints. |
ip_address | IP address of the machine from which you want to retrieve data. |
mac_address | Mac address of the machine from which you want to retrieve data. You must specify at least one of the following parameters: machine_name, ip_address, or mac_address. |
sensors | List of parameters that must be read from the machine. The following information is retrieved from the specified machine by default: ['Computer ID', 'Computer Name', 'IP Address', 'Operating System', 'CPU Details', 'System UUID', 'Computer Serial Number', 'MAC Address', 'BIOS Name', 'BIOS Version']. You can provide an alternate list of parameters by setting this variable. The list of sensors that you specify must be present in the Tanium supported list, and you must deploy the required packages on the client machines. For more information on sensor creation, refer to Tanium documentation (Sensor Creation). |
A JSON with keys ‘jsonData’ and ‘rawXml’ is generated. rawXML is value of the ‘ResultXML’ key from the Tanium SOAP API call. jsonData is a json formatted version of the same for easy reference. All data for a given machine is against a Tanium generated id for the host as the key.
Following image displays a sample output:
Parameter | Description |
---|---|
machine_name | Hostname of the machine from which you want to retrieve data about the processes that are running. |
ip_address | IP address of the machine from which you want to retrieve data about the processes that are running. |
mac_address | Mac address of the machine from which you want to retrieve data about the processes that are running. |
A JSON with keys ‘jsonData’ and ‘rawXml’ is generated similar to the other operations. Tanium generated ids for the processes are the keys, with process data against them.
Following image displays a sample output:
Parameter | Description |
---|---|
machine_name | Hostname of the machine from which you want to retrieve data about the software installed. |
ip_address | IP address of the machine from which you want to retrieve data about the software installed. |
mac_address | Mac address of the machine from which you want to retrieve data about the software installed. You must specify at least one of the following parameters: machine_name, ip_address, or mac_address. |
A JSON with keys ‘jsonData’ and ‘rawXml’ is generated similar to the other operations. Tanium generated ids for the machines are the keys, with installed software data against them.
Following image displays a sample output:
Parameter | Description |
---|---|
saved_question_id | ID of the question to be reissued. To get the ID of a saved question, log on to Tanium Console > Authoring > Saved Question. |
A JSON with keys ‘jsonData’ and ‘rawXml’ is generated. rawXML is value of the ‘ResultXML’ key from the Tanium SOAP API call. jsonData is a json formatted version of the same with keys as column names from the xml result.
For example, if the id of a question GET Installed Applications FROM all machines WITH Computer Name matching "WIN-52BQOBLA9FT"
, the following image displays the sample output:
Parameter | Description |
---|---|
Action Id | ID of the action to be reissued. To get the ID of a previously run action, log on to Tanium Console > Actions > Action History. |
A json with keys ‘jsonData’ and ‘rawXml’ is generated similar to the other operations. ‘jsonData’ contains the action id and status that is parsed from the ‘rawXml’ after the command has completed or timed out. The timeout has been set to five minutes.
For example, when a Registry - Create Key
action on machine matching the hostname is reissued, the following image displays the sample output:
Parameter | Description |
---|---|
machine_name | Hostname of the machine on which you want to run the package. |
ip_address | IP address of the machine on which you want to run the package. |
mac_address | Mac address of the machine on which you want to run the package. You must specify at least one of the following parameters: machine_name, ip_address, or mac_address. |
package_name | Name of the package to be run. To get the package name, log on to Tanium Console > Authoring > Packages. Edit any package to get its details, including its 'Package Name'. |
package_inputs | Inputs to the package in json format. For example, {\"param1\": \"value1\"} .To get the list of inputs to a package, log on to Tanium Console > Authoring > Packages. Edit any package to get its details, including its input list. |
A JSON with keys ‘jsonData’ and ‘rawXml’ is generated similar to the other operations. ‘jsonData’ contains the action id and status that is parsed from the ‘rawXml’ after the command has completed or timed out. The timeout has been set to five minutes.
For example, when a Registry - Create Key
action on machine matching the hostname is reissued, the following image displays the sample output:
The following playbooks come bundled with the Tanium connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Orchestration and Playbooks section in FortiSOAR™ after importing the Tanium connector.
Asset
module in FortiSOAR™.Incident
module. A sample incident module with these fields is available at <tanium>/playbooks/TaniumIncidents.json
in the connector package.Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.
The tanium connector operations throws this error because of minor differences between the wsdl for different Tanium versions. The default wsdl shipped with the connector is for Tanium version 7.0. For the TypeNotFound
error, replace the console.wsdl
file located at tanium/files
with the wsdl from your Tanium server and then add the connector again. To get the wsdl file, refer to Tanium documentation (Tanium WSDL File).
This error occurs if the time on your FortiSOAR™ instance is ahead of the time that is on the Tanium server. In this case, all questions that you ask to the Tanium server would be reported as expired. To solve this issue, you must synchronize the time of your FortiSOAR™ instance with that on the Tanium server.
Tanium is an endpoint security and systems management solution.
This document provides information about the Tanium connector, which facilitates automated interactions, with a Tanium server using FortiSOAR™ playbooks. Add the Tanium connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically getting information about processes running on a machine, or uploading a file from a Mac or Linux machine to a specified location.
Connector Version: 1.0.1
Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later
Compatibility with Tanium Versions: 6.1 and later
Following enhancements have been made to the Tanium Connector in version 1.0.1:
Configuration
page.
For the procedure to install a connector, click here.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the Tanium connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
Tanium API Server | IP/FQDN of the Tanium API server. |
Tanium API Port | Port number of the Tanium API server. Defaults to 443. |
Username | Username to access the endpoint. |
Password | Password to access the endpoint. |
Verify SSL | Verify SSL connection to the Tanium API server. Defaults to True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Computer Information | Get information, such as Computer ID, BIOs Name, about the specified machine. You can specify the list of parameters you want to retrieve for a machine. | get_sys_info Investigation |
Get Running Processes | Get information about all the processes running on the specified machine. | get_processes Investigation |
Get Installed Software | Get information about all the software installed on the specified machine. | get_softwares Investigation |
Issue Saved Question | Issues a saved Tanium question with the specified id and fetches the latest results. | run_query Investigation |
Reissue Action | Reissues the action with the specified id and fetches the latest results. | run_query Miscellaneous |
Execute Package on a Machine | Executes the package with the specified name on a machine. | run_script Miscellaneous |
The Tanium connector also includes a sample FortiSOAR™ forwarder: cyops_forwarder.py
. Running the cyops_forwarder.py
script starts a socket listener on port 5000. You can leverage the socket listener to forward results and logs from the Tanium server automatically to FortiSOAR™ using the ‘Tanium Connect’ solution. For more information on the Tanium Connect solution, refer to Tanium documentation (Tanium Connect User Guide). If you have installed the Tanium Connect solution, you can create a Connection
that forwards the results from the Tanium server automatically to this socket listener, which in turn forwards this data to a FortiSOAR™ API URL. You can write a playbook to include the same API trigger and take appropriate action based on your use case.
Parameter | Description |
---|---|
machine_name | Hostname of the machine from which you want to retrieve data. If you do not specify atleast one of the three inputs: machine_name , ip_address , or mac_address , the API fetches the information for all endpoints. |
ip_address | IP address of the machine from which you want to retrieve data. |
mac_address | Mac address of the machine from which you want to retrieve data. You must specify at least one of the following parameters: machine_name, ip_address, or mac_address. |
sensors | List of parameters that must be read from the machine. The following information is retrieved from the specified machine by default: ['Computer ID', 'Computer Name', 'IP Address', 'Operating System', 'CPU Details', 'System UUID', 'Computer Serial Number', 'MAC Address', 'BIOS Name', 'BIOS Version']. You can provide an alternate list of parameters by setting this variable. The list of sensors that you specify must be present in the Tanium supported list, and you must deploy the required packages on the client machines. For more information on sensor creation, refer to Tanium documentation (Sensor Creation). |
A JSON with keys ‘jsonData’ and ‘rawXml’ is generated. rawXML is value of the ‘ResultXML’ key from the Tanium SOAP API call. jsonData is a json formatted version of the same for easy reference. All data for a given machine is against a Tanium generated id for the host as the key.
Following image displays a sample output:
Parameter | Description |
---|---|
machine_name | Hostname of the machine from which you want to retrieve data about the processes that are running. |
ip_address | IP address of the machine from which you want to retrieve data about the processes that are running. |
mac_address | Mac address of the machine from which you want to retrieve data about the processes that are running. |
A JSON with keys ‘jsonData’ and ‘rawXml’ is generated similar to the other operations. Tanium generated ids for the processes are the keys, with process data against them.
Following image displays a sample output:
Parameter | Description |
---|---|
machine_name | Hostname of the machine from which you want to retrieve data about the software installed. |
ip_address | IP address of the machine from which you want to retrieve data about the software installed. |
mac_address | Mac address of the machine from which you want to retrieve data about the software installed. You must specify at least one of the following parameters: machine_name, ip_address, or mac_address. |
A JSON with keys ‘jsonData’ and ‘rawXml’ is generated similar to the other operations. Tanium generated ids for the machines are the keys, with installed software data against them.
Following image displays a sample output:
Parameter | Description |
---|---|
saved_question_id | ID of the question to be reissued. To get the ID of a saved question, log on to Tanium Console > Authoring > Saved Question. |
A JSON with keys ‘jsonData’ and ‘rawXml’ is generated. rawXML is value of the ‘ResultXML’ key from the Tanium SOAP API call. jsonData is a json formatted version of the same with keys as column names from the xml result.
For example, if the id of a question GET Installed Applications FROM all machines WITH Computer Name matching "WIN-52BQOBLA9FT"
, the following image displays the sample output:
Parameter | Description |
---|---|
Action Id | ID of the action to be reissued. To get the ID of a previously run action, log on to Tanium Console > Actions > Action History. |
A json with keys ‘jsonData’ and ‘rawXml’ is generated similar to the other operations. ‘jsonData’ contains the action id and status that is parsed from the ‘rawXml’ after the command has completed or timed out. The timeout has been set to five minutes.
For example, when a Registry - Create Key
action on machine matching the hostname is reissued, the following image displays the sample output:
Parameter | Description |
---|---|
machine_name | Hostname of the machine on which you want to run the package. |
ip_address | IP address of the machine on which you want to run the package. |
mac_address | Mac address of the machine on which you want to run the package. You must specify at least one of the following parameters: machine_name, ip_address, or mac_address. |
package_name | Name of the package to be run. To get the package name, log on to Tanium Console > Authoring > Packages. Edit any package to get its details, including its 'Package Name'. |
package_inputs | Inputs to the package in json format. For example, {\"param1\": \"value1\"} .To get the list of inputs to a package, log on to Tanium Console > Authoring > Packages. Edit any package to get its details, including its input list. |
A JSON with keys ‘jsonData’ and ‘rawXml’ is generated similar to the other operations. ‘jsonData’ contains the action id and status that is parsed from the ‘rawXml’ after the command has completed or timed out. The timeout has been set to five minutes.
For example, when a Registry - Create Key
action on machine matching the hostname is reissued, the following image displays the sample output:
The following playbooks come bundled with the Tanium connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Orchestration and Playbooks section in FortiSOAR™ after importing the Tanium connector.
Asset
module in FortiSOAR™.Incident
module. A sample incident module with these fields is available at <tanium>/playbooks/TaniumIncidents.json
in the connector package.Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.
The tanium connector operations throws this error because of minor differences between the wsdl for different Tanium versions. The default wsdl shipped with the connector is for Tanium version 7.0. For the TypeNotFound
error, replace the console.wsdl
file located at tanium/files
with the wsdl from your Tanium server and then add the connector again. To get the wsdl file, refer to Tanium documentation (Tanium WSDL File).
This error occurs if the time on your FortiSOAR™ instance is ahead of the time that is on the Tanium server. In this case, all questions that you ask to the Tanium server would be reported as expired. To solve this issue, you must synchronize the time of your FortiSOAR™ instance with that on the Tanium server.