Tanium is an endpoint security and systems management solution.
This document provides information about the Tanium connector, which facilitates automated interactions, with a Tanium server using FortiSOAR™ playbooks. Add the Tanium connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically getting information about processes running on a machine, or uploading a file from a Mac or Linux machine to a specified location.
Connector Version: 2.0.0
FortiSOAR™ Versions Tested on: 4.11.0
Tanium Versions Tested on: 6.1
Following enhancements have been made to the Tanium Connector in version 2.0.0:
Added description to the playbooks.
Added required tooltips and placeholder messages in connector steps.
Updated the connector code with the zeep
library.
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum
command to install connectors:
yum install cyops-connector-tanium
For the detailed procedure to install a connector, click here.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the Tanium connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
Tanium API Server | IP address or FQDN of the Tanium API server to which you will connect and perform the automated operations. |
Tanium API Port | Port number that is used to connect to the Tanium API server. Defaults to 443. |
Username | Username to access the Tanium API server to which you will connect and perform the automated operations. |
Password | Password to access the Tanium API server to which you will connect and perform the automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True . |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Computer Information | Retrieves details of a specific computer, such as Computer ID, BIOs Name, from the Tanium API server, based on the input parameters, such as machine name, IP address, etc that you have specified. | get_sys_info Investigation |
Get Running Processes | Retrieves details about all the processes running on a particular machine, from the Tanium API server, based on the input parameters, such as machine name, IP address, etc that you have specified. | get_processes Investigation |
Get Installed Software | Retrieves details about all installed software on a particular machine, from the Tanium API server, based on the input parameters, such as machine name, IP address, etc that you have specified. | get_softwares Investigation |
Issue Saved Question | Issues a saved Tanium question with the specified id and fetches the latest results from the Tanium API server. | run_query Investigation |
Reissue Action | Reissues the action with the specified id and fetches the latest results from the Tanium API server. | run_action Miscellaneous |
Execute Package on a Machine | Executes the package with the specified name on a machine. | run_script Miscellaneous |
The Tanium connector also includes a sample FortiSOAR™ forwarder: cyops_forwarder.py
. Running the cyops_forwarder.py
script starts a socket listener on port 5000. You can leverage the socket listener to forward results and logs from the Tanium server automatically to FortiSOAR™ using the ‘Tanium Connect’ solution. For more information on the Tanium Connect solution, refer to Tanium documentation (Tanium Connect User Guide). If you have installed the Tanium Connect solution, you can create a Connection
that forwards the results from the Tanium server automatically to this socket listener, which in turn forwards this data to a FortiSOAR™ API URL. You can write a playbook to include the same API trigger and take appropriate action based on your use case.
Parameter | Description |
---|---|
machine_name | Hostname of the machine from which you want to retrieve data. If you do not specify atleast one of the three inputs: machine_name , ip_address , or mac_address , the API fetches the information for all endpoints. |
ip_address | IP address of the machine from which you want to retrieve data. |
mac_address | Mac address of the machine from which you want to retrieve data. You must specify at least one of the following parameters: machine_name, ip_address, or mac_address. |
sensors | List of parameters that must be read from the machine. The following information is retrieved from the specified machine by default: ['Computer ID', 'Computer Name', 'IP Address', 'Operating System', 'CPU Details', 'System UUID', 'Computer Serial Number', 'MAC Address', 'BIOS Name', 'BIOS Version']. You can provide an alternate list of parameters by setting this variable. The list of sensors that you specify must be present in the Tanium supported list, and you must deploy the required packages on the client machines. For more information on sensor creation, refer to Tanium documentation (Sensor Creation). |
A JSON with keys ‘jsonData’ and ‘rawXml’ is generated. rawXML is value of the ‘ResultXML’ key from the Tanium SOAP API call. jsonData is a json formatted version of the same for easy reference. All data for a given machine is against a Tanium generated id for the host as the key.
Following image displays a sample output:
Parameter | Description |
---|---|
machine_name | Hostname of the machine from which you want to retrieve data about the processes that are running. |
ip_address | IP address of the machine from which you want to retrieve data about the processes that are running. |
mac_address | Mac address of the machine from which you want to retrieve data about the processes that are running. |
A json with keys ‘jsonData’ and ‘rawXml’ is generated similar to the other operations. Tanium generated ids for the processes are the keys, with process data against them.
Following image displays a sample output:
Parameter | Description |
---|---|
machine_name | Hostname of the machine from which you want to retrieve data about the software installed. |
ip_address | IP address of the machine from which you want to retrieve data about the software installed. |
mac_address | Mac address of the machine from which you want to retrieve data about the software installed. You must specify at least one of the following parameters: machine_name, ip_address, or mac_address. |
A json with keys ‘jsonData’ and ‘rawXml’ is generated similar to the other operations. Tanium generated ids for the machines are the keys, with installed software data against them.
Following image displays a sample output:
Parameter | Description |
---|---|
saved_question_id | ID of the question to be reissued. To get the ID of a saved question, log on to Tanium Console > Authoring > Saved Question. |
A json with keys ‘jsonData’ and ‘rawXml’ is generated. rawXML is value of the ‘ResultXML’ key from the Tanium SOAP API call. jsonData is a json formatted version of the same with keys as column names from the xml result.
For example, if the id of a question GET Installed Applications FROM all machines WITH Computer Name matching "WIN-52BQOBLA9FT"
, the following image displays the sample output:
Parameter | Description |
---|---|
Action Id | ID of the action to be reissued. To get the ID of a previously run action, log on to Tanium Console > Actions > Action History. |
A json with keys ‘jsonData’ and ‘rawXml’ is generated similar to the other operations. ‘jsonData’ contains the action id and status that is parsed from the ‘rawXml’ after the command has completed or timed out. The timeout has been set to five minutes.
For example, when a Registry - Create Key
action on machine matching the hostname is reissued, the following image displays the sample output:
Parameter | Description |
---|---|
machine_name | Hostname of the machine on which you want to run the package. |
ip_address | IP address of the machine on which you want to run the package. |
mac_address | Mac address of the machine on which you want to run the package. You must specify at least one of the following parameters: machine_name, ip_address, or mac_address. |
package_name | Name of the package to be run. To get the package name, log on to Tanium Console > Authoring > Packages. Edit any package to get its details, including its 'Package Name'. |
package_inputs | Inputs to the package in json format. For example, {\"param1\": \"value1\"} .To get the list of inputs to a package, log on to Tanium Console > Authoring > Packages. Edit any package to get its details, including its input list. |
A json with keys ‘jsonData’ and ‘rawXml’ is generated similar to the other operations. ‘jsonData’ contains the action id and status that is parsed from the ‘rawXml’ after the command has completed or timed out. The timeout has been set to five minutes.
For example, when a Registry - Create Key
action on machine matching the hostname is reissued, the following image displays the sample output:
The Sample - Tanium - 1.0.0
playbook collection comes bundled with the Tanium connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Tanium connector.
Incident
module. A sample incident module with these fields is available at <tanium>/playbooks/TaniumIncidents.json
in the connector package.Asset
module in FortiSOAR™.Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
This error occurs if the time on your FortiSOAR™ instance is ahead of the time that is on the Tanium API server. In this case, all questions that you ask to the Tanium API server would be reported as expired. To solve this issue, you must synchronize the time of your FortiSOAR™ instance with that on the Tanium API server.
Tanium is an endpoint security and systems management solution.
This document provides information about the Tanium connector, which facilitates automated interactions, with a Tanium server using FortiSOAR™ playbooks. Add the Tanium connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically getting information about processes running on a machine, or uploading a file from a Mac or Linux machine to a specified location.
Connector Version: 2.0.0
FortiSOAR™ Versions Tested on: 4.11.0
Tanium Versions Tested on: 6.1
Following enhancements have been made to the Tanium Connector in version 2.0.0:
Added description to the playbooks.
Added required tooltips and placeholder messages in connector steps.
Updated the connector code with the zeep
library.
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum
command to install connectors:
yum install cyops-connector-tanium
For the detailed procedure to install a connector, click here.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the Tanium connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
Tanium API Server | IP address or FQDN of the Tanium API server to which you will connect and perform the automated operations. |
Tanium API Port | Port number that is used to connect to the Tanium API server. Defaults to 443. |
Username | Username to access the Tanium API server to which you will connect and perform the automated operations. |
Password | Password to access the Tanium API server to which you will connect and perform the automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True . |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Computer Information | Retrieves details of a specific computer, such as Computer ID, BIOs Name, from the Tanium API server, based on the input parameters, such as machine name, IP address, etc that you have specified. | get_sys_info Investigation |
Get Running Processes | Retrieves details about all the processes running on a particular machine, from the Tanium API server, based on the input parameters, such as machine name, IP address, etc that you have specified. | get_processes Investigation |
Get Installed Software | Retrieves details about all installed software on a particular machine, from the Tanium API server, based on the input parameters, such as machine name, IP address, etc that you have specified. | get_softwares Investigation |
Issue Saved Question | Issues a saved Tanium question with the specified id and fetches the latest results from the Tanium API server. | run_query Investigation |
Reissue Action | Reissues the action with the specified id and fetches the latest results from the Tanium API server. | run_action Miscellaneous |
Execute Package on a Machine | Executes the package with the specified name on a machine. | run_script Miscellaneous |
The Tanium connector also includes a sample FortiSOAR™ forwarder: cyops_forwarder.py
. Running the cyops_forwarder.py
script starts a socket listener on port 5000. You can leverage the socket listener to forward results and logs from the Tanium server automatically to FortiSOAR™ using the ‘Tanium Connect’ solution. For more information on the Tanium Connect solution, refer to Tanium documentation (Tanium Connect User Guide). If you have installed the Tanium Connect solution, you can create a Connection
that forwards the results from the Tanium server automatically to this socket listener, which in turn forwards this data to a FortiSOAR™ API URL. You can write a playbook to include the same API trigger and take appropriate action based on your use case.
Parameter | Description |
---|---|
machine_name | Hostname of the machine from which you want to retrieve data. If you do not specify atleast one of the three inputs: machine_name , ip_address , or mac_address , the API fetches the information for all endpoints. |
ip_address | IP address of the machine from which you want to retrieve data. |
mac_address | Mac address of the machine from which you want to retrieve data. You must specify at least one of the following parameters: machine_name, ip_address, or mac_address. |
sensors | List of parameters that must be read from the machine. The following information is retrieved from the specified machine by default: ['Computer ID', 'Computer Name', 'IP Address', 'Operating System', 'CPU Details', 'System UUID', 'Computer Serial Number', 'MAC Address', 'BIOS Name', 'BIOS Version']. You can provide an alternate list of parameters by setting this variable. The list of sensors that you specify must be present in the Tanium supported list, and you must deploy the required packages on the client machines. For more information on sensor creation, refer to Tanium documentation (Sensor Creation). |
A JSON with keys ‘jsonData’ and ‘rawXml’ is generated. rawXML is value of the ‘ResultXML’ key from the Tanium SOAP API call. jsonData is a json formatted version of the same for easy reference. All data for a given machine is against a Tanium generated id for the host as the key.
Following image displays a sample output:
Parameter | Description |
---|---|
machine_name | Hostname of the machine from which you want to retrieve data about the processes that are running. |
ip_address | IP address of the machine from which you want to retrieve data about the processes that are running. |
mac_address | Mac address of the machine from which you want to retrieve data about the processes that are running. |
A json with keys ‘jsonData’ and ‘rawXml’ is generated similar to the other operations. Tanium generated ids for the processes are the keys, with process data against them.
Following image displays a sample output:
Parameter | Description |
---|---|
machine_name | Hostname of the machine from which you want to retrieve data about the software installed. |
ip_address | IP address of the machine from which you want to retrieve data about the software installed. |
mac_address | Mac address of the machine from which you want to retrieve data about the software installed. You must specify at least one of the following parameters: machine_name, ip_address, or mac_address. |
A json with keys ‘jsonData’ and ‘rawXml’ is generated similar to the other operations. Tanium generated ids for the machines are the keys, with installed software data against them.
Following image displays a sample output:
Parameter | Description |
---|---|
saved_question_id | ID of the question to be reissued. To get the ID of a saved question, log on to Tanium Console > Authoring > Saved Question. |
A json with keys ‘jsonData’ and ‘rawXml’ is generated. rawXML is value of the ‘ResultXML’ key from the Tanium SOAP API call. jsonData is a json formatted version of the same with keys as column names from the xml result.
For example, if the id of a question GET Installed Applications FROM all machines WITH Computer Name matching "WIN-52BQOBLA9FT"
, the following image displays the sample output:
Parameter | Description |
---|---|
Action Id | ID of the action to be reissued. To get the ID of a previously run action, log on to Tanium Console > Actions > Action History. |
A json with keys ‘jsonData’ and ‘rawXml’ is generated similar to the other operations. ‘jsonData’ contains the action id and status that is parsed from the ‘rawXml’ after the command has completed or timed out. The timeout has been set to five minutes.
For example, when a Registry - Create Key
action on machine matching the hostname is reissued, the following image displays the sample output:
Parameter | Description |
---|---|
machine_name | Hostname of the machine on which you want to run the package. |
ip_address | IP address of the machine on which you want to run the package. |
mac_address | Mac address of the machine on which you want to run the package. You must specify at least one of the following parameters: machine_name, ip_address, or mac_address. |
package_name | Name of the package to be run. To get the package name, log on to Tanium Console > Authoring > Packages. Edit any package to get its details, including its 'Package Name'. |
package_inputs | Inputs to the package in json format. For example, {\"param1\": \"value1\"} .To get the list of inputs to a package, log on to Tanium Console > Authoring > Packages. Edit any package to get its details, including its input list. |
A json with keys ‘jsonData’ and ‘rawXml’ is generated similar to the other operations. ‘jsonData’ contains the action id and status that is parsed from the ‘rawXml’ after the command has completed or timed out. The timeout has been set to five minutes.
For example, when a Registry - Create Key
action on machine matching the hostname is reissued, the following image displays the sample output:
The Sample - Tanium - 1.0.0
playbook collection comes bundled with the Tanium connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Tanium connector.
Incident
module. A sample incident module with these fields is available at <tanium>/playbooks/TaniumIncidents.json
in the connector package.Asset
module in FortiSOAR™.Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
This error occurs if the time on your FortiSOAR™ instance is ahead of the time that is on the Tanium API server. In this case, all questions that you ask to the Tanium API server would be reported as expired. To solve this issue, you must synchronize the time of your FortiSOAR™ instance with that on the Tanium API server.