Fortinet Document Library

Version: 2.0.1

About the connector

Tanium is an endpoint security and systems management solution.

This document provides information about the Tanium connector, which facilitates automated interactions with a Tanium server using FortiSOAR™ playbooks. Add the Tanium connector as a step in FortiSOAR™ playbooks to perform automated operations, such as getting information about the processes running on a machine, or uploading a file from a Mac or Linux machine to a specified location.

Version information

Connector Version: 2.0.1

FortiSOAR™ Version Tested on: 5.0.0-866 

Tanium Versions Tested on: 6.1

Authored By: Fortinet

Certified: Yes

Release Notes for version 2.0.1

The following enhancements have been made to the Tanium connector in version 2.0.1:

  • Added the following new operation and playbook: Ask Question.

  • Updated the input parameters for the following operations:

    • Get Computer Information
    • Get Running Processes
    • Get Installed Softwares
    • Execute Package on Machine
  • Playbooks have been renamed in this version of the connector.

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as the root user to install the connector (the package name follows the cyops-connector-<connector name> convention used by all FortiSOAR™ connectors):

yum install cyops-connector-tanium

Prerequisites to configuring the connector

  • You must have the IP address or FQDN of the Tanium API server to which you will connect and perform automated operations, and the credentials (username and password) to access that server. Use a dedicated Tanium account that holds only the permissions these operations need; note that Reissue Action and Execute Package on Machine run actions on endpoints, not just queries.
  • You must synchronize the time of your FortiSOAR™ instance with that on the Tanium API server. If the FortiSOAR™ clock runs ahead of the Tanium server, questions are reported as expired (see Troubleshooting).
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Tanium connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details.

Server URL: IP address or FQDN of the Tanium API server to which you will connect and perform the automated operations.
Port: Port number that is used to connect to the Tanium API server. Defaults to 443.
Username: Username to access the Tanium API server to which you will connect and perform the automated operations.
Password: Password to access the Tanium API server to which you will connect and perform the automated operations.
Verify SSL: Specifies whether the SSL certificate of the server is to be verified. By default, this option is set to True. Leave it set to True in production: with verification disabled, anyone who can intercept the connection can read the Tanium credentials and tamper with the results returned to your playbooks.

Actions supported by the connector

The following automated operations can be included in playbooks. From FortiSOAR™ release 4.10.0 onwards, you can also use the annotations to access the operations:

Get Computer Information (annotation: get_sys_info; category: Investigation): Retrieves details of a specific computer, such as Computer ID and BIOS Name, from the Tanium API server, based on the input parameters (machine name, IP address, etc.) that you have specified.
Ask Question (annotation: ask_question; category: Investigation): Asks a question and performs a text search on the Tanium API server based on the question text that you have specified.
Get Running Processes (annotation: get_processes; category: Investigation): Retrieves details about all the processes running on a particular machine from the Tanium API server, based on the input parameters (machine name, IP address, etc.) that you have specified.
Get Installed Softwares (annotation: get_softwares; category: Investigation): Retrieves details about all software installed on a particular machine from the Tanium API server, based on the input parameters (machine name, IP address, etc.) that you have specified.
Issue a Saved Question (annotation: run_query; category: Investigation): Issues the saved Tanium question with the ID you have specified and fetches the latest results from the Tanium API server.
Reissue Action (annotation: run_action; category: Miscellaneous): Reissues the action with the ID you have specified and fetches the latest results from the Tanium API server.
Execute Package on Machine (annotation: run_script; category: Miscellaneous): Executes the package with the specified name and JSON-formatted inputs on a specified machine, based on the input parameters (machine name, IP address, etc.) that you have specified.

The Tanium connector also includes a sample FortiSOAR™ forwarder: cyops_forwarder.py. Running the cyops_forwarder.py script starts a socket listener on port 5000. You can use the socket listener to forward results and logs from the Tanium server automatically to FortiSOAR™ using the Tanium Connect solution. For more information on Tanium Connect, refer to the Tanium documentation (Tanium Connect User Guide). If you have installed Tanium Connect, you can create a Connection that forwards the results from the Tanium server automatically to this socket listener, which in turn forwards the data to a FortiSOAR™ API URL. You can write a playbook that uses the same API trigger and takes appropriate action based on your use case. Because anything that can reach the listener can feed data into the playbook started by that API trigger, open port 5000 on the FortiSOAR™ instance only to the Tanium server that runs Tanium Connect.

operation: Get Computer Information

Input parameters

Sensors: List of sensors to read from the machine. By default, the following sensors are read from the specified machine: ['Computer ID', 'Computer Name', 'IP Address', 'Operating System', 'CPU Details', 'System UUID', 'Computer Serial Number', 'MAC Address', 'BIOS Name', 'BIOS Version']. You can provide an alternate list of sensors in this parameter. Every sensor you specify must exist on the Tanium server, and the packages it depends on must be deployed on the client machines. For more information on sensor creation, refer to the Tanium documentation (Sensor Creation).
Get Information By: The method used to identify the machine whose information you want to retrieve from the Tanium API server. Choose from Computer Name, IP Address, or MAC Address.
Value: The identifier of the machine, matching the method chosen in Get Information By:
  • Computer Name: the hostname of the machine from which you want to retrieve data.
  • IP Address: the IP address of the machine from which you want to retrieve data.
  • MAC Address: the MAC address of the machine from which you want to retrieve data.

Output

The operation returns a JSON object with the keys 'rawXml' and 'jsonData'. 'rawXml' is the value of the 'ResultXML' key returned by the Tanium SOAP API call; 'jsonData' is the same result converted to JSON for easy reference. All data for a given machine is stored under the Tanium-generated ID of that host as the key.

The output contains the following populated JSON schema:

{
     "rawXml": "",
     "jsonData": {}
}

operation: Ask Question

Input parameters

Question Text: The exact question text that you want to search for on the Tanium API server.

Output

The operation returns a JSON object with the keys 'rawXml' and 'jsonData'. 'rawXml' is the value of the 'ResultXML' key returned by the Tanium SOAP API call; 'jsonData' is the same result converted to JSON for easy reference.

The output contains the following populated JSON schema:

{
     "rawXml": "",
     "jsonData": {}
}

operation: Get Running Processes

Input parameters

Get Information By: The method used to identify the machine whose running processes you want to retrieve from the Tanium API server. Choose from Computer Name, IP Address, or MAC Address.
Value: The identifier of the machine, matching the method chosen in Get Information By:
  • Computer Name: the hostname of the machine whose running processes you want to retrieve.
  • IP Address: the IP address of the machine whose running processes you want to retrieve.
  • MAC Address: the MAC address of the machine whose running processes you want to retrieve.

Output

The operation returns a JSON object with the keys 'rawXml' and 'jsonData', as for the other operations. In 'jsonData', the Tanium-generated IDs of the processes are the keys, with the process data stored under them.

The output contains the following populated JSON schema:

{
     "rawXml": "",
     "jsonData": {}
}

operation: Get Installed Softwares

Input parameters

Get Information By: The method used to identify the machine whose installed software you want to retrieve from the Tanium API server. Choose from Computer Name, IP Address, or MAC Address.
Value: The identifier of the machine, matching the method chosen in Get Information By:
  • Computer Name: the hostname of the machine whose installed software you want to retrieve.
  • IP Address: the IP address of the machine whose installed software you want to retrieve.
  • MAC Address: the MAC address of the machine whose installed software you want to retrieve.

Output

The operation returns a JSON object with the keys 'rawXml' and 'jsonData', as for the other operations. In 'jsonData', the Tanium-generated IDs of the machines are the keys, with the installed software data stored under them.

The output contains the following populated JSON schema:

{
     "rawXml": "",
     "jsonData": {}
}

operation: Issue a Saved Question

Input parameters

Saved Question Id: ID of the saved question to issue, whose latest results you want to fetch from the Tanium API server. To get the ID of a saved question, log on to the Tanium Console and go to Authoring > Saved Questions.

Output

The operation returns a JSON object with the keys 'rawXml' and 'jsonData'. 'rawXml' is the value of the 'ResultXML' key returned by the Tanium SOAP API call; 'jsonData' is the same result converted to JSON, with the column names from the XML result as keys.

The output contains the following populated JSON schema:

{
     "rawXml": "",
     "jsonData": {}
}
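The 'rawXml' to 'jsonData' conversion described in the output sections above is the part of every operation a playbook author actually consumes, so here is an added example of that conversion, written for this page and not taken from the connector's code. It follows the column-name layout described for Issue a Saved Question. The sample XML is constructed; it assumes that Tanium's SOAP ResultXML uses the result_sets/result_set/cs/rs element names with 'dn' for a column's display name and 'v' for a cell value, and the 'wh' numbers in it are placeholders. A cell that carries several 'v' elements (a multi-valued sensor such as IP Address) becomes a list, and a row whose cell count does not match the column list is rejected instead of being silently misaligned.

```python
import json
import xml.etree.ElementTree as ET
from typing import Any, Dict, List

# Constructed sample, not captured from a Tanium server. Assumption: real
# ResultXML payloads use this result_sets/result_set/cs/rs layout, where <dn>
# is a column display name and <v> a cell value. The <wh> values are placeholders.
SAMPLE_RESULT_XML = """<result_sets>
  <result_set>
    <cs>
      <c><wh>101</wh><dn>Computer Name</dn><rt>1</rt></c>
      <c><wh>102</wh><dn>IP Address</dn><rt>5</rt></c>
      <c><wh>0</wh><dn>Count</dn><rt>3</rt></c>
    </cs>
    <rs>
      <r><id>1</id><cid>0</cid>
        <c><v>ws-042.corp.example</v></c><c><v>10.0.0.5</v></c><c><v>1</v></c></r>
      <r><id>2</id><cid>0</cid>
        <c><v>srv-01.corp.example</v></c><c><v>10.0.1.7</v><v>10.0.1.8</v></c><c><v>1</v></c></r>
    </rs>
  </result_set>
</result_sets>"""


def parse_result_xml(raw_xml: str) -> List[Dict[str, Any]]:
    """Convert ResultXML into a list of rows keyed by column display name.

    A cell with several <v> elements becomes a list; a single value stays a
    string. A row whose cell count differs from the column count raises.
    """
    # xml.etree.ElementTree does not fetch external entities, but it still
    # expands nested internal entities (entity-expansion DoS). When the XML
    # comes from a remote system, parse it with defusedxml.ElementTree instead.
    root = ET.fromstring(raw_xml)
    rows: List[Dict[str, Any]] = []
    for result_set in root.iter("result_set"):
        columns = [c.findtext("dn", default="") for c in result_set.findall("./cs/c")]
        for r in result_set.findall("./rs/r"):
            cells = r.findall("c")
            if len(cells) != len(columns):
                raise ValueError(f"row has {len(cells)} cells for {len(columns)} columns")
            row: Dict[str, Any] = {}
            for name, cell in zip(columns, cells):
                values = [v.text or "" for v in cell.findall("v")]
                row[name] = values[0] if len(values) == 1 else values
            rows.append(row)
    return rows


def to_connector_output(raw_xml: str) -> Dict[str, Any]:
    """Shape the result like the connector's output: 'rawXml' plus 'jsonData'."""
    return {"rawXml": raw_xml, "jsonData": parse_result_xml(raw_xml)}


if __name__ == "__main__":
    print(json.dumps(to_connector_output(SAMPLE_RESULT_XML)["jsonData"], indent=2))
```

Keep 'rawXml' alongside 'jsonData' in anything you store on an incident record: when a sensor returns an unexpected shape, the raw XML is what lets you tell a parsing problem from a bad answer from the endpoint.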

operation: Reissue Action

Input parameters

Action Id: ID of the action to reissue, whose latest results you want to fetch from the Tanium API server. To get the ID of a previously run action, log on to the Tanium Console and go to Actions > Action History.

Output

The operation returns a JSON object with the keys 'rawXml' and 'jsonData', as for the other operations. 'jsonData' contains the action ID and status parsed from 'rawXml' after the action has completed or timed out. The timeout is set to five minutes.

The output contains the following populated JSON schema:

{
     "rawXml": "",
     "jsonData": {}
}

operation: Execute Package on Machine

Input parameters

Package Name: Name of the package that you want to execute on the specified machine. To get the package name, log on to the Tanium Console and go to Authoring > Packages. Edit a package to see its details, including its 'Package Name'.
Inputs to the package in json format: Inputs to the package that you want to execute on the specified machine, provided as a JSON object. For example, {"param1": "value1"}. To get the list of inputs a package accepts, log on to the Tanium Console and go to Authoring > Packages. Edit the package to see its details, including its input list.
Get Information By: The method used to identify the machine on which you want to execute the package. Choose from Computer Name, IP Address, or MAC Address.
Value: The identifier of the machine, matching the method chosen in Get Information By:
  • Computer Name: the hostname of the machine on which you want to run the package.
  • IP Address: the IP address of the machine on which you want to run the package.
  • MAC Address: the MAC address of the machine on which you want to run the package.
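Get Computer Information, Get Running Processes, Get Installed Softwares and Execute Package on Machine all take the same Get Information By / Value pair, and in a playbook the Value usually arrives in a variable filled from an alert or an analyst form. The following is an added example, written for this page rather than taken from the connector, of validating that pair before the connector step runs: the Value is embedded in the question sent to the Tanium server, and for Execute Package on Machine it selects the endpoint that will run a package, so a value that is not a well-formed hostname, IP address or MAC address should never reach that step. The method names are the three documented choices; the regular expressions, the canonical forms (lower-case hostname, upper-case colon-separated MAC) and the helper names are this example's own.

```python
import ipaddress
import re
from typing import Tuple

# Added example, not part of the FortiSOAR Tanium connector. The method names
# are the three "Get Information By" choices documented for the connector.
COMPUTER_NAME = "Computer Name"
IP_ADDRESS = "IP Address"
MAC_ADDRESS = "MAC Address"

# Six hex pairs, all separated by ":" or "-" or not separated at all (no mixing).
_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})([-:]?)(?:[0-9A-Fa-f]{2}\2){4}[0-9A-Fa-f]{2}$")
# One DNS label: 1-63 alphanumerics or hyphens, no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


class InvalidIdentifier(ValueError):
    """Raised when a Value does not fit the chosen Get Information By method."""


def normalize_identifier(method: str, value: str) -> Tuple[str, str]:
    """Validate `value` for `method` and return (method, canonical value).

    Rejecting anything that is not a well-formed hostname, IP address or MAC
    address keeps a playbook variable from carrying free-form text into the
    question the connector sends to the Tanium server.
    """
    value = value.strip()
    if method == COMPUTER_NAME:
        if not value or len(value) > 253:
            raise InvalidIdentifier("hostname is empty or longer than 253 characters")
        name = value.rstrip(".")
        if not all(_LABEL_RE.match(label) for label in name.split(".")):
            raise InvalidIdentifier(f"not a valid hostname: {value!r}")
        return method, name.lower()
    if method == IP_ADDRESS:
        try:
            return method, str(ipaddress.ip_address(value))
        except ValueError as exc:
            raise InvalidIdentifier(f"not a valid IP address: {value!r}") from exc
    if method == MAC_ADDRESS:
        if not _MAC_RE.match(value):
            raise InvalidIdentifier(f"not a valid MAC address: {value!r}")
        digits = re.sub(r"[^0-9A-Fa-f]", "", value).upper()
        return method, ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    raise InvalidIdentifier(f"unknown Get Information By method: {method!r}")


def is_valid_identifier(method: str, value: str) -> bool:
    """Boolean form of the check, convenient as a playbook precondition."""
    try:
        normalize_identifier(method, value)
    except InvalidIdentifier:
        return False
    return True


if __name__ == "__main__":
    samples = [
        (COMPUTER_NAME, " WS-042.corp.example "),
        (IP_ADDRESS, "10.0.0.5"),
        (MAC_ADDRESS, "00-1a-2b-3c-4d-5e"),
        (COMPUTER_NAME, "ws 042; Get Running Processes"),  # free-form text, rejected
    ]
    for method, value in samples:
        print(f"{method:<14} {value!r:<36} -> {is_valid_identifier(method, value)}")
```

Run the check in a decision step before the connector step and route rejected values to a manual-review task rather than dropping them silently; for Execute Package on Machine, also confirm that the Package Name comes from a fixed list in the playbook rather than from the same untrusted source as the Value.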

Output

The operation returns a JSON object with the keys 'rawXml' and 'jsonData', as for the other operations. 'jsonData' contains the action ID and status parsed from 'rawXml' after the package action has completed or timed out. The timeout is set to five minutes.

The output contains the following populated JSON schema:

{
     "rawXml": "",
     "jsonData": {}
}

Included playbooks

The Sample - Tanium - 2.0.1 playbook collection comes bundled with the Tanium connector. This collection contains playbooks that show how to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Tanium connector.

  • Ask Question
  • Execute Package on Machine
  • Get Asset Details
  • Get Computer Information
  • Get Installed Softwares
  • Get Running Processes
  • Issue Saved Question
  • Reissue Action
  • Update Incident with Asset Data:  This playbook updates some custom fields in the Incident module. A sample incident module with these fields is available at <tanium>/playbooks/TaniumIncidents.json in the connector package.

Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.

Troubleshooting

Connector functions fail with the ‘Could not get result from the Tanium Server before timeout’ error

This error occurs when the clock of your FortiSOAR™ instance is ahead of the clock on the Tanium API server: every question that the connector asks the Tanium API server is then reported as expired. To solve this issue, synchronize the time of your FortiSOAR™ instance with that on the Tanium API server.
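Before changing NTP configuration it is worth measuring the skew in the direction the page describes. The following added example, written for this page and not part of the connector, takes the response header block that `curl -sI https://<tanium-api-server>/` prints when run on the FortiSOAR™ host, reads the server's Date header, and reports by how many seconds the FortiSOAR™ clock leads the Tanium server. The header block is constructed, and the 60-second tolerance is an assumption of this example; the connector's own expiry window is not documented on this page.

```python
import email.utils
from datetime import datetime, timezone

# Constructed response headers (not captured from a real Tanium server), of the
# kind `curl -sI https://<tanium-api-server>/` prints on the FortiSOAR host.
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Date: Tue, 03 Mar 2020 10:15:30 GMT
Content-Type: text/html; charset=utf-8
Connection: close
"""

# Assumed tolerance: how far ahead the FortiSOAR clock may run before the check
# reports a problem. The connector's real expiry window is not documented here.
DEFAULT_TOLERANCE_SECONDS = 60


def server_time_from_headers(raw_headers: str) -> datetime:
    """Return the server's clock (as an aware UTC datetime) from the Date header."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "date":
            return email.utils.parsedate_to_datetime(value.strip()).astimezone(timezone.utc)
    raise ValueError("response has no Date header")


def clock_skew_seconds(local_now: datetime, server_time: datetime) -> float:
    """Seconds by which the local clock is ahead of the server (negative if behind)."""
    return (local_now.astimezone(timezone.utc) - server_time).total_seconds()


def fortisoar_ahead(local_now: datetime, server_time: datetime,
                    tolerance: float = DEFAULT_TOLERANCE_SECONDS) -> bool:
    """True when the local (FortiSOAR) clock leads the Tanium server by more than
    `tolerance` seconds, the condition under which questions are reported expired."""
    return clock_skew_seconds(local_now, server_time) > tolerance


if __name__ == "__main__":
    server = server_time_from_headers(SAMPLE_HEADERS)
    # On a live check replace this with datetime.now(timezone.utc), taken at the
    # moment the curl request was made; here a constructed local time is used.
    local = datetime(2020, 3, 3, 10, 20, 30, tzinfo=timezone.utc)
    skew = clock_skew_seconds(local, server)
    print(f"FortiSOAR clock is {skew:+.0f}s relative to the Tanium server; "
          f"questions would expire: {fortisoar_ahead(local, server)}")
```

The Date header has one-second resolution, which is more than enough to confirm the multi-minute drift that produces this error; a FortiSOAR™ clock that is behind the server does not trigger it, so the check only flags positive skew.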
