About the connector
Tanium is an endpoint security and systems management solution.
This document provides information about the Tanium connector, which facilitates automated interactions, with a Tanium server using FortiSOAR™ playbooks. Add the Tanium connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically getting information about processes running on a machine, or uploading a file from a Mac or Linux machine to a specified location.
Version information
Connector Version: 2.0.0
FortiSOAR™ Versions Tested on: 4.11.0
Tanium Versions Tested on: 6.1
Release Notes for version 2.0.0
Following enhancements have been made to the Tanium Connector in version 2.0.0:
-
Added description to the playbooks.
-
Added required tooltips and placeholder messages in connector steps.
-
Updated the connector code with the zeep library.
Installing the connector
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
yum install cyops-connector-tanium
For the detailed procedure to install a connector, click here.
Prerequisites to configuring the connector
- You must have the IP or FQDN of the Tanium API server to which you will connect and perform automated operations and the credentials (Username-Password pair) to access that server.
- You must synchronize the time of your FortiSOAR™ instance with that on the Tanium API server.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
Configuring the connector
For the procedure to configure a connector, click here.
Configuration parameters
In FortiSOAR™, on the Connectors page, select the Tanium connector and click Configure to configure the following parameters:
| Parameter |
Description |
| Tanium API Server |
IP address or FQDN of the Tanium API server to which you will connect and perform the automated operations. |
| Tanium API Port |
Port number that is used to connect to the Tanium API server.
Defaults to 443. |
| Username |
Username to access the Tanium API server to which you will connect and perform the automated operations. |
| Password |
Password to access the Tanium API server to which you will connect and perform the automated operations. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. |
Actions supported by the connector
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
| Function |
Description |
Annotation and Category |
| Get Computer Information |
Retrieves details of a specific computer, such as Computer ID, BIOs Name, from the Tanium API server, based on the input parameters, such as machine name, IP address, etc that you have specified. |
get_sys_info
Investigation |
| Get Running Processes |
Retrieves details about all the processes running on a particular machine, from the Tanium API server, based on the input parameters, such as machine name, IP address, etc that you have specified. |
get_processes
Investigation |
| Get Installed Software |
Retrieves details about all installed software on a particular machine, from the Tanium API server, based on the input parameters, such as machine name, IP address, etc that you have specified. |
get_softwares
Investigation |
| Issue Saved Question |
Issues a saved Tanium question with the specified id and fetches the latest results from the Tanium API server. |
run_query
Investigation |
| Reissue Action |
Reissues the action with the specified id and fetches the latest results from the Tanium API server. |
run_action
Miscellaneous |
| Execute Package on a Machine |
Executes the package with the specified name on a machine. |
run_script
Miscellaneous |
The Tanium connector also includes a sample FortiSOAR™ forwarder: cyops_forwarder.py. Running the cyops_forwarder.py script starts a socket listener on port 5000. You can leverage the socket listener to forward results and logs from the Tanium server automatically to FortiSOAR™ using the ‘Tanium Connect’ solution. For more information on the Tanium Connect solution, refer to Tanium documentation (Tanium Connect User Guide). If you have installed the Tanium Connect solution, you can create a Connection that forwards the results from the Tanium server automatically to this socket listener, which in turn forwards this data to a FortiSOAR™ API URL. You can write a playbook to include the same API trigger and take appropriate action based on your use case.
operation: Get Computer Information
Input parameters
| Parameter |
Description |
| machine_name |
Hostname of the machine from which you want to retrieve data.
If you do not specify atleast one of the three inputs: machine_name, ip_address, or mac_address, the API fetches the information for all endpoints. |
| ip_address |
IP address of the machine from which you want to retrieve data. |
| mac_address |
Mac address of the machine from which you want to retrieve data.
You must specify at least one of the following parameters: machine_name, ip_address, or mac_address. |
| sensors |
List of parameters that must be read from the machine.
The following information is retrieved from the specified machine by default: ['Computer ID', 'Computer Name', 'IP Address', 'Operating System', 'CPU Details', 'System UUID', 'Computer Serial Number', 'MAC Address', 'BIOS Name', 'BIOS Version'].
You can provide an alternate list of parameters by setting this variable. The list of sensors that you specify must be present in the Tanium supported list, and you must deploy the required packages on the client machines.
For more information on sensor creation, refer to Tanium documentation (Sensor Creation). |
Output
A JSON with keys ‘jsonData’ and ‘rawXml’ is generated. rawXML is value of the ‘ResultXML’ key from the Tanium SOAP API call. jsonData is a json formatted version of the same for easy reference. All data for a given machine is against a Tanium generated id for the host as the key.
Following image displays a sample output:
operation: Get Running Processes
Input parameters
| Parameter |
Description |
| machine_name |
Hostname of the machine from which you want to retrieve data about the processes that are running. |
| ip_address |
IP address of the machine from which you want to retrieve data about the processes that are running. |
| mac_address |
Mac address of the machine from which you want to retrieve data about the processes that are running. |
Output
A json with keys ‘jsonData’ and ‘rawXml’ is generated similar to the other operations. Tanium generated ids for the processes are the keys, with process data against them.
Following image displays a sample output:
operation: Get Installed Softwares
Input parameters
| Parameter |
Description |
| machine_name |
Hostname of the machine from which you want to retrieve data about the software installed. |
| ip_address |
IP address of the machine from which you want to retrieve data about the software installed. |
| mac_address |
Mac address of the machine from which you want to retrieve data about the software installed.
You must specify at least one of the following parameters: machine_name, ip_address, or mac_address. |
Output
A json with keys ‘jsonData’ and ‘rawXml’ is generated similar to the other operations. Tanium generated ids for the machines are the keys, with installed software data against them.
Following image displays a sample output:
operation: Issue Saved Question
Input parameters
| Parameter |
Description |
| saved_question_id |
ID of the question to be reissued.
To get the ID of a saved question, log on to Tanium Console > Authoring > Saved Question. |
Output
A json with keys ‘jsonData’ and ‘rawXml’ is generated. rawXML is value of the ‘ResultXML’ key from the Tanium SOAP API call. jsonData is a json formatted version of the same with keys as column names from the xml result.
For example, if the id of a question GET Installed Applications FROM all machines WITH Computer Name matching "WIN-52BQOBLA9FT", the following image displays the sample output:
operation: Reissue Action
Input parameters
| Parameter |
Description |
| Action Id |
ID of the action to be reissued.
To get the ID of a previously run action, log on to Tanium Console > Actions > Action History. |
Output
A json with keys ‘jsonData’ and ‘rawXml’ is generated similar to the other operations. ‘jsonData’ contains the action id and status that is parsed from the ‘rawXml’ after the command has completed or timed out. The timeout has been set to five minutes.
For example, when a Registry - Create Key action on machine matching the hostname is reissued, the following image displays the sample output:
operation: Execute Package on Machine
Input parameters
| Parameter |
Description |
| machine_name |
Hostname of the machine on which you want to run the package. |
| ip_address |
IP address of the machine on which you want to run the package. |
| mac_address |
Mac address of the machine on which you want to run the package.
You must specify at least one of the following parameters: machine_name, ip_address, or mac_address. |
| package_name |
Name of the package to be run.
To get the package name, log on to Tanium Console > Authoring > Packages. Edit any package to get its details, including its 'Package Name'. |
| package_inputs |
Inputs to the package in json format.
For example, {\"param1\": \"value1\"}.
To get the list of inputs to a package, log on to Tanium Console > Authoring > Packages. Edit any package to get its details, including its input list. |
Output
A json with keys ‘jsonData’ and ‘rawXml’ is generated similar to the other operations. ‘jsonData’ contains the action id and status that is parsed from the ‘rawXml’ after the command has completed or timed out. The timeout has been set to five minutes.
For example, when a Registry - Create Key action on machine matching the hostname is reissued, the following image displays the sample output:
Included playbooks
The Sample - Tanium - 1.0.0 playbook collection comes bundled with the Tanium connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Tanium connector.
- 1.1 Get data from Tanium
- 1.2 Update Incident with Asset Data: This playbook updates some custom fields in the
Incident module. A sample incident module with these fields is available at <tanium>/playbooks/TaniumIncidents.json in the connector package.
- 2.1 Execute Tanium Package
- 2.2 Execute Package On Machine
- 3 Get All Assets
- 4 Get Data for a Machine and Add as Asset: This playbook adds the machine details in the
Asset module in FortiSOAR™.
- 5 Issue Saved Question
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
Troubleshooting
Connector functions fail with the ‘Could not get result from the Tanium Server before timeout’ error
This error occurs if the time on your FortiSOAR™ instance is ahead of the time that is on the Tanium API server. In this case, all questions that you ask to the Tanium API server would be reported as expired. To solve this issue, you must synchronize the time of your FortiSOAR™ instance with that on the Tanium API server.
