About the connector

Tanium is an endpoint security and systems management solution.

This document provides information about the Tanium connector, which facilitates automated interactions with a Tanium server using FortiSOAR™ playbooks. Add the Tanium connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically getting information about processes running on a machine, or uploading a file from a Mac or Linux machine to a specified location.

 

Version information

Connector Version: 1.0.1

Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later

Compatibility with Tanium Versions: 6.1 and later

 

Release Notes for version 1.0.1

The following enhancements have been made to the Tanium Connector in version 1.0.1:

  • Masked the text entered in the Password field on the Configuration page.
  • Added a link to the online help.

 

Installing the connector

For the procedure to install a connector, click here.

 

Prerequisites to configuring the connector

  • You must have the URL of the Tanium server and credentials to access that URL.
  • You must synchronize the time of your FortiSOAR™ instance with that on the Tanium server.

Configuring the connector

For the procedure to configure a connector, click here.

 

Configuration parameters

In FortiSOAR™, on the Connectors page, select the Tanium connector and click Configure to configure the following parameters:

 

Parameter          Description
Tanium API Server  IP/FQDN of the Tanium API server.
Tanium API Port    Port number of the Tanium API server. Defaults to 443.
Username           Username to access the endpoint.
Password           Password to access the endpoint.
Verify SSL         Verify the SSL connection to the Tanium API server. Defaults to True.

 

 

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

 

Function: Get Computer Information
  Description: Get information, such as Computer ID and BIOS Name, about the specified machine. You can specify the list of parameters you want to retrieve for a machine.
  Annotation: get_sys_info
  Category: Investigation

Function: Get Running Processes
  Description: Get information about all the processes running on the specified machine.
  Annotation: get_processes
  Category: Investigation

Function: Get Installed Software
  Description: Get information about all the software installed on the specified machine.
  Annotation: get_softwares
  Category: Investigation

Function: Issue Saved Question
  Description: Issues a saved Tanium question with the specified id and fetches the latest results.
  Annotation: run_query
  Category: Investigation

Function: Reissue Action
  Description: Reissues the action with the specified id and fetches the latest results.
  Annotation: run_query
  Category: Miscellaneous

Function: Execute Package on a Machine
  Description: Executes the package with the specified name on a machine.
  Annotation: run_script
  Category: Miscellaneous

 

The Tanium connector also includes a sample FortiSOAR™ forwarder: cyops_forwarder.py. Running the cyops_forwarder.py script starts a socket listener on port 5000. You can leverage the socket listener to forward results and logs from the Tanium server automatically to FortiSOAR™ using the ‘Tanium Connect’ solution. For more information on the Tanium Connect solution, refer to Tanium documentation (Tanium Connect User Guide). If you have installed the Tanium Connect solution, you can create a Connection that forwards the results from the Tanium server automatically to this socket listener, which in turn forwards this data to a FortiSOAR™ API URL. You can write a playbook to include the same API trigger and take appropriate action based on your use case.
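The following is an added example of the forwarder pattern described above; it is not the cyops_forwarder.py that ships with the connector. It listens on port 5000 for newline-delimited JSON from a Tanium Connect connection, drops malformed or oversized input, and posts the valid records to a FortiSOAR™ API trigger URL. The URL, the token, the "API-KEY" authorization scheme, the bind address and the size cap are placeholders and assumptions chosen for this example, as is the assumption that the sender closes the connection after writing its batch.

```python
import json
import socketserver
import urllib.error
import urllib.request

# Constructed placeholders (assumptions, not values from the connector documentation):
# replace with the FortiSOAR API trigger URL your playbook listens on and a real token.
FORTISOAR_API_URL = "https://fortisoar.example.invalid/api/triggers/1/tanium_connect"
FORTISOAR_TOKEN = "REPLACE_WITH_API_TOKEN"
LISTEN_ADDR = ("127.0.0.1", 5000)   # bind only to the interface Tanium Connect reaches, not 0.0.0.0
MAX_PAYLOAD_BYTES = 1_000_000       # cap what one connection may send before it is dropped


def parse_records(text):
    """Split newline-delimited JSON into a list of dict records.

    Returns (records, rejected): malformed lines and non-object JSON values are
    counted in `rejected` and never forwarded, so one bad line cannot poison the batch.
    """
    records, rejected = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except ValueError:
            rejected += 1
            continue
        if not isinstance(obj, dict):
            rejected += 1
            continue
        records.append(obj)
    return records, rejected


def build_forward_request(records, url=FORTISOAR_API_URL, token=FORTISOAR_TOKEN):
    """Build the HTTPS POST that hands a batch of records to the FortiSOAR API trigger.

    The "API-KEY" authorization scheme is an assumption; use whatever your trigger expects.
    """
    body = json.dumps({"source": "tanium_connect", "records": records}).encode("utf-8")
    return urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={"Content-Type": "application/json", "Authorization": "API-KEY " + token},
    )


def forward(records, opener=urllib.request.urlopen):
    """Send records to FortiSOAR; returns the HTTP status, or None if there was nothing to send."""
    if not records:
        return None
    with opener(build_forward_request(records), timeout=30) as resp:
        return resp.status


class ConnectHandler(socketserver.StreamRequestHandler):
    """Handle one Tanium Connect connection: read the payload, validate it, forward it."""

    def handle(self):
        # Assumes the sender closes the connection after writing its batch (EOF ends the read).
        raw = self.rfile.read(MAX_PAYLOAD_BYTES + 1)
        if len(raw) > MAX_PAYLOAD_BYTES:
            print("dropping oversized payload from %s:%d" % self.client_address)
            return
        records, rejected = parse_records(raw.decode("utf-8", errors="replace"))
        if rejected:
            print("ignored %d malformed line(s) from %s:%d" % ((rejected,) + self.client_address))
        try:
            status = forward(records)
        except (urllib.error.URLError, OSError) as exc:
            print("forwarding failed:", exc)
            return
        print("forwarded %d record(s), FortiSOAR responded %s" % (len(records), status))


if __name__ == "__main__":
    with socketserver.TCPServer(LISTEN_ADDR, ConnectHandler) as server:
        print("listening on %s:%d" % LISTEN_ADDR)
        server.serve_forever()
```

Binding to a specific interface and capping the payload matter because the listener accepts unauthenticated input from the network; anything reaching port 5000 can otherwise push arbitrary data into the playbook trigger.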

 

operation: Get Computer Information

Input parameters

 

Parameter     Description
machine_name  Hostname of the machine from which you want to retrieve data.
              If you do not specify at least one of the three inputs (machine_name, ip_address, or mac_address), the API fetches the information for all endpoints.
ip_address    IP address of the machine from which you want to retrieve data.
mac_address   MAC address of the machine from which you want to retrieve data.
              You must specify at least one of the following parameters: machine_name, ip_address, or mac_address.
sensors       List of parameters (sensors) that must be read from the machine.
              The following information is retrieved from the specified machine by default: ['Computer ID', 'Computer Name', 'IP Address', 'Operating System', 'CPU Details', 'System UUID', 'Computer Serial Number', 'MAC Address', 'BIOS Name', 'BIOS Version'].
              You can provide an alternate list of parameters by setting this variable. The sensors that you specify must be present in the Tanium supported list, and you must deploy the required packages on the client machines.
              For more information on sensor creation, refer to Tanium documentation (Sensor Creation).

 

Output

A JSON with keys ‘jsonData’ and ‘rawXml’ is generated. rawXml is the value of the ‘ResultXML’ key from the Tanium SOAP API call, and jsonData is a JSON-formatted version of the same data for easy reference. All data for a given machine is stored against a Tanium-generated id for the host as the key.

The following image displays a sample output:

 

Sample output of the Get Computer Information operation

operation: Get Running Processes

Input parameters

 

Parameter     Description
machine_name  Hostname of the machine from which you want to retrieve data about the running processes.
ip_address    IP address of the machine from which you want to retrieve data about the running processes.
mac_address   MAC address of the machine from which you want to retrieve data about the running processes.

 

Output

A JSON with keys ‘jsonData’ and ‘rawXml’ is generated, similar to the other operations. Tanium-generated ids for the processes are the keys, with the process data against them.

The following image displays a sample output:

 

Sample output of the Get Running Processes operation

 

operation: Get Installed Softwares

Input parameters

 

Parameter     Description
machine_name  Hostname of the machine from which you want to retrieve data about the installed software.
ip_address    IP address of the machine from which you want to retrieve data about the installed software.
mac_address   MAC address of the machine from which you want to retrieve data about the installed software.
              You must specify at least one of the following parameters: machine_name, ip_address, or mac_address.

 

Output

A JSON with keys ‘jsonData’ and ‘rawXml’ is generated, similar to the other operations. Tanium-generated ids for the machines are the keys, with the installed software data against them.

The following image displays a sample output:

 

Sample output of the Get Installed Softwares operation

 

operation: Issue Saved Question

Input parameters

 

Parameter          Description
saved_question_id  ID of the saved question to issue.
                   To get the ID of a saved question, log on to Tanium Console > Authoring > Saved Question.

 

Output

A JSON with keys ‘jsonData’ and ‘rawXml’ is generated. rawXml is the value of the ‘ResultXML’ key from the Tanium SOAP API call, and jsonData is a JSON-formatted version of the same data, with the column names from the XML result as keys.

For example, if the ID is that of the question GET Installed Applications FROM all machines WITH Computer Name matching "WIN-52BQOBLA9FT", the following image displays the sample output:

 

Sample output of the Issue Saved Question operation
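To make the ‘rawXml’ to ‘jsonData’ conversion described for this operation (and for Get Computer Information above) concrete, the following is an added example, not code from the connector. It assumes a simplified form of the ResultXML layout: column names under cs/c/dn and result rows under rs/r, each row carrying its Tanium-generated id in <id> and one <c><v> cell per column. The sample XML is constructed for the example; rows whose cell count disagrees with the header are skipped rather than mis-keyed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in a simplified form of the ResultXML layout (assumption, not a
# capture from a Tanium server): column names under cs/c/dn, rows under rs/r with the
# Tanium generated row id in <id> and one <c><v> cell per column.
SAMPLE_RESULT_XML = """<result_sets>
  <result_set>
    <cs>
      <c><dn>Computer Name</dn></c>
      <c><dn>Installed Applications</dn></c>
    </cs>
    <rs>
      <r><id>1001</id><c><v>WIN-52BQOBLA9FT</v></c><c><v>Example App 1.0</v></c></r>
      <r><id>1002</id><c><v>WIN-52BQOBLA9FT</v></c><c><v>Example App 2.3</v></c></r>
    </rs>
  </result_set>
</result_sets>"""


def result_xml_to_json_data(result_xml):
    """Convert ResultXML text into {row_id: {column_name: value}}.

    xml.etree does not resolve external entities, but for XML from a server you do
    not control, defusedxml is the safer parser choice.
    """
    root = ET.fromstring(result_xml)
    json_data = {}
    for result_set in root.iter("result_set"):
        columns = [c.findtext("dn", default="") for c in result_set.findall("cs/c")]
        for row in result_set.findall("rs/r"):
            row_id = row.findtext("id")
            if row_id is None:
                continue  # no Tanium id to key the row by
            values = [c.findtext("v", default="") for c in row.findall("c")]
            if len(values) != len(columns):
                continue  # cell count disagrees with the header; do not guess the mapping
            json_data[row_id] = dict(zip(columns, values))
    return json_data


def build_output(result_xml):
    """Mirror the connector's output shape: the parsed data beside the raw XML it came from."""
    return {"jsonData": result_xml_to_json_data(result_xml), "rawXml": result_xml}


if __name__ == "__main__":
    import json
    print(json.dumps(build_output(SAMPLE_RESULT_XML)["jsonData"], indent=2))
```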

 

operation: Reissue Action

Input parameters

 

Parameter  Description
Action Id  ID of the action to be reissued.
           To get the ID of a previously run action, log on to Tanium Console > Actions > Action History.

 

Output

A JSON with keys ‘jsonData’ and ‘rawXml’ is generated, similar to the other operations. ‘jsonData’ contains the action id and status, which are parsed from ‘rawXml’ after the command has completed or timed out. The timeout is set to five minutes.

For example, when a Registry - Create Key action on the machine matching the hostname is reissued, the following image displays the sample output:

 

Sample output of the Reissue Action operation

 

operation: Execute Package on Machine

Input parameters

 

Parameter       Description
machine_name    Hostname of the machine on which you want to run the package.
ip_address      IP address of the machine on which you want to run the package.
mac_address     MAC address of the machine on which you want to run the package.
                You must specify at least one of the following parameters: machine_name, ip_address, or mac_address.
package_name    Name of the package to be run.
                To get the package name, log on to Tanium Console > Authoring > Packages. Edit any package to get its details, including its 'Package Name'.
package_inputs  Inputs to the package in JSON format.
                For example, {"param1": "value1"}.
                To get the list of inputs to a package, log on to Tanium Console > Authoring > Packages. Edit any package to get its details, including its input list.

 

Output

A JSON with keys ‘jsonData’ and ‘rawXml’ is generated, similar to the other operations. ‘jsonData’ contains the action id and status, which are parsed from ‘rawXml’ after the command has completed or timed out. The timeout is set to five minutes.

For example, when a Registry - Create Key action on the machine matching the hostname is reissued, the following image displays the sample output:

 

Sample output of the Execute Package on Machine operation

 

Included playbooks

The following playbooks come bundled with the Tanium connector. These playbooks contain steps that perform all the supported actions. You can see the bundled playbooks in the Orchestration and Playbooks section in FortiSOAR™ after importing the Tanium connector.

  • Get Data for a Machine and add as asset: This playbook adds the machine details in the Asset module in FortiSOAR™.
  • Issue Saved Question
  • Execute Package On Machine
  • Get Data from Tanium
  • Get All Assets
  • Update Incident with Asset Data: This playbook updates some custom fields in the Incident module. A sample incident module with these fields is available at <tanium>/playbooks/TaniumIncidents.json in the connector package.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.

Troubleshooting

suds.TypeNotFound: Type not found.

The Tanium connector operations throw this error because of minor differences between the WSDL files for different Tanium versions. The default WSDL shipped with the connector is for Tanium version 7.0. To resolve the TypeNotFound error, replace the console.wsdl file located at tanium/files with the WSDL from your Tanium server and then add the connector again. To get the WSDL file, refer to Tanium documentation (Tanium WSDL File).

 

Connector functions fail with the ‘Could not get result from the Tanium Server before timeout’ error

This error occurs if the time on your FortiSOAR™ instance is ahead of the time on the Tanium server. In this case, all questions that you ask the Tanium server are reported as expired. To resolve this issue, you must synchronize the time of your FortiSOAR™ instance with that on the Tanium server.
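A quick way to confirm this condition before digging into the connector is to compare the FortiSOAR™ clock with the Date header the Tanium server returns. The following is an added example for that pre-flight check; it is not part of the connector. The host name is a placeholder, and the 30-second tolerance is a value chosen for this example, not a Tanium or FortiSOAR™ setting.

```python
import datetime as dt
import email.utils
import http.client

# Constructed placeholder (assumption): the Tanium API server configured in the connector.
TANIUM_HOST = "tanium.example.invalid"
TANIUM_PORT = 443
MAX_AHEAD_SECONDS = 30   # tolerance chosen for this example, not a Tanium value


def _to_aware(value):
    """Accept an RFC 1123 date string or a datetime; return a timezone-aware datetime (UTC if naive)."""
    if isinstance(value, str):
        value = email.utils.parsedate_to_datetime(value)
    if value.tzinfo is None:
        value = value.replace(tzinfo=dt.timezone.utc)
    return value


def clock_skew_seconds(server_date_header, local_now=None):
    """Return local time minus server time in seconds; positive means FortiSOAR is ahead."""
    server_time = _to_aware(server_date_header)
    local_time = _to_aware(local_now) if local_now is not None else dt.datetime.now(dt.timezone.utc)
    return (local_time - server_time).total_seconds()


def assess_skew(skew_seconds, max_ahead=MAX_AHEAD_SECONDS):
    """Classify the skew: 'fortisoar_ahead' is the case that makes Tanium report questions as expired."""
    if skew_seconds > max_ahead:
        return "fortisoar_ahead"
    if skew_seconds < -max_ahead:
        return "fortisoar_behind"
    return "ok"


def fetch_server_date(host=TANIUM_HOST, port=TANIUM_PORT):
    """Send a HEAD request to the Tanium server and return its Date header (None if absent)."""
    conn = http.client.HTTPSConnection(host, port, timeout=10)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Date")
    finally:
        conn.close()


if __name__ == "__main__":
    date_header = fetch_server_date()
    if date_header is None:
        print("server returned no Date header; cannot measure skew")
    else:
        skew = clock_skew_seconds(date_header)
        print("skew %.1f s -> %s" % (skew, assess_skew(skew)))
```

The Date header has one-second resolution and includes network latency, so treat the result as a screening check; if it reports fortisoar_ahead, fix the time source (for example NTP) on the FortiSOAR™ instance and re-run the connector operation.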

 
