Tanium endpoint security and systems management
This integration was tested with version 7.3.0 of the Tanium Server.
- Tanium - Ask Question
- Tanium - Get Saved Question Result
- Create questions, groups, packages, etc. on the Tanium Server.
- Deploy packages to machine groups.
- Get information about sensors, packages, actions, hosts, etc.
The integration was tested with version 4.x of Tanium Threat Response and is compatible with it.
- Hostname - The network address of the Tanium server host.
- Domain - The Tanium user domain. Relevant when there is more than one domain inside Tanium.
- Credentials - The credentials should be the same as the Tanium client.
- Navigate to Settings > Integrations > Servers & Services.
- Search for Tanium v2.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Hostname, IP address, or server URL.
- Domain
- Credentials OR API Token
- Trust any certificate (not secure)
- Use system proxy settings
- Click Test to validate the new instance.
- Basic Authentication - To authenticate using basic authentication, enter the username and password in the corresponding fields and leave the API Token field empty. The username and password should be the same as the Tanium client.
- OAuth 2.0 Authentication - To use OAuth 2.0, follow these steps:
- Follow the instructions here to create an API token.
- Paste the generated API Token into the API Token parameter in the instance configuration, and leave the username and password fields empty.
- Click the Test button to validate the instance configuration.
- Trusted IP Addresses: by default, the Tanium Server blocks API tokens from all addresses except registered Tanium Module Servers. To add allowed IP addresses for any API token, add the IP addresses to the api_token_trusted_ip_address_list global setting. To add allowed IP addresses for an individual API token, specify the IP addresses in the trusted_ip_addresses field of the api_token object.
- Expiration Time: by default, an api_token is valid for seven days. To change the expiration timeframe, edit the api_token_expiration_in_days global setting (minimum value is 1), or include a value with the expire_in_days field when you create the token.
- To edit a global setting in the Tanium platform, go to Administration -> Global Settings and search for the setting you would like to edit.
- For more information see the Tanium documentation.
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Returns a package object based on name or ID: tn-get-package
- Asks the server to parse the question text and choose the first parsed result as the question to run: tn-ask-question
- Returns the question result based on question ID: tn-get-question-result
- Returns a list of all sensors: tn-list-sensors
- Returns detailed information about a sensor object based on name or ID: tn-get-sensor
- Creates a saved question object: tn-create-saved-question
- Returns all saved questions: tn-list-saved-questions
- Returns the saved question result based on the saved question ID: tn-get-saved-question-result
- Returns all client details: tn-get-system-status
- Creates a package object: tn-create-package
- Returns all package information: tn-list-packages
- Returns a question object based on question ID: tn-get-question-metadata
- Returns all saved actions: tn-list-saved-actions
- Returns a saved action object based on name or ID: tn-get-saved-action
- Returns a saved question object based on name or ID: tn-get-saved-question-metadata
- Creates a saved action object: tn-create-saved-action
- Creates an action object based on the package name or the package ID: tn-create-action
- Returns all actions: tn-list-actions
- Returns an action object based on ID: tn-get-action
- Retrieves all saved action approval definitions on the server: tn-list-saved-actions-pending-approval
- Returns a group object based on ID or name: tn-get-group
- Creates a group object based on computers or IP addresses list: tn-create-manual-group
- Creates a group object based on text filter: tn-create-filter-based-group
- Returns all groups: tn-list-groups
- Deletes a group object: tn-delete-group
- Creates an action object, based on a package name or package ID: tn-create-action-by-host
Returns a package object based on name or ID.
tn-get-package
Argument Name | Description | Required |
---|---|---|
name | The name of the package. | Optional |
id | The package ID. Package ID or package name is required. When both exist, ID is used. | Optional |
Path | Type | Description |
---|---|---|
TaniumPackage.Command | String | The command to run. |
TaniumPackage.CommandTimeout | Number | Timeout in seconds for the command execution. |
TaniumPackage.ContentSet.Id | Number | The ID of the content set to associate with the package. |
TaniumPackage.ContentSet.Name | String | The name of the content set to associate with the package. |
TaniumPackage.CreationTime | String | The time and date when this object was created in the database. |
TaniumPackage.DisplayName | String | The name of the package that displays in the user interface. |
TaniumPackage.ExpireSeconds | Number | Timeout in seconds for the action. |
TaniumPackage.Files.Hash | String | The SHA-256 hash of the contents of the file. |
TaniumPackage.Files.Id | Number | The unique ID of the package_file object. |
TaniumPackage.Files.Name | String | The unique name of the package_file object. |
TaniumPackage.ID | Number | The unique ID of the package_spec object. |
TaniumPackage.LastModifiedBy | String | The user who most recently modified this object. |
TaniumPackage.LastUpdate | String | The most recent time and date when this object was modified. |
TaniumPackage.ModUser.Domain | String | The domain of the user who most recently modified this object. |
TaniumPackage.ModUser.Id | Number | The ID of the user who most recently modified this object. |
TaniumPackage.ModUser.Name | String | The name of the user who most recently modified this object. |
TaniumPackage.ModificationTime | String | The most recent time and date when this object was modified. |
TaniumPackage.Name | String | The unique name of the package_spec object. |
TaniumPackage.Parameters.Values | String | The parameter values. |
TaniumPackage.Parameters.Label | String | Parameter description. |
TaniumPackage.Parameters.Key | String | The attribute name of the parameter. |
TaniumPackage.Parameters.ParameterType | String | The type of parameter. |
TaniumPackage.SourceId | Number | The ID of the package into which the parameters are substituted. |
TaniumPackage.VerifyExpireSeconds | Number | A verification failure timeout. The time begins with the start of the action. If the action cannot be verified by the timeout, the action status is reported as failed. |
!tn-get-package id=225
{ "TaniumPackage": { "Command": "cmd /c cscript ApplyWindowsQuarantine.vbs \"$1\" \"$2\" \"$3\" \"$4\" \"$5\" \"$6\" \"$7\" \"$8\" \"$9\"", "CommandTimeout": 180, "ContentSet": { "Id": 32, "Name": "Incident Response" }, "CreationTime": "2019-09-19T13:57:35Z", "DisplayName": "Apply Windows IPsec Quarantine", "ExpireSeconds": 780, "Files": [ { "Hash": "26cab9aaddf7d0e1ecf4113dee1ee976f6df9070a1f9edf3fa9e10bc63eb6a94", "ID": 699, "Name": "PortTester.exe" }, { "Hash": "7a2aaaf742831abf22918e4726181f25aa8b32c1dcb6b500824fe5e5ffec25fb", "ID": 700, "Name": "taniumquarantine.dat" }, { "Hash": "b2dfeab931f5938c52df84b8e6b157e698c508c7723b23505659e5ae659fcf6f", "ID": 701, "Name": "ApplyWindowsQuarantine.vbs" } ], "ID": 225, "LastModifiedBy": "administrator", "LastUpdate": "2019-09-19T13:57:35Z", "ModificationTime": "2019-09-19T13:57:35Z", "Name": "Apply Windows IPsec Quarantine", "Parameters": [ { "Key": "$1", "Label": "Apply Custom Config (below)", "ParameterType": "com.tanium.components.parameters::CheckBoxParameter", "Values": null }, { "Key": null, "Label": null, "ParameterType": "com.tanium.components.parameters::SeparatorParameter", "Values": null }, { "Key": "$2", "Label": "Allow All DHCP", "ParameterType": "com.tanium.components.parameters::CheckBoxParameter", "Values": null }, { "Key": "$3", "Label": "Allow All DNS", "ParameterType": "com.tanium.components.parameters::CheckBoxParameter", "Values": null }, { "Key": "$4", "Label": "Allow All Tanium Servers", "ParameterType": "com.tanium.components.parameters::CheckBoxParameter", "Values": null }, { "Key": "$5", "Label": "Validate Tanium Server Availability", "ParameterType": "com.tanium.components.parameters::CheckBoxParameter", "Values": null }, { "Key": "$6", "Label": "Notification Message", "ParameterType": "com.tanium.components.parameters::TextAreaParameter", "Values": null }, { "Key": "$7", "Label": "Custom Quarantine Rules", "ParameterType": "com.tanium.components.parameters::TextAreaParameter", "Values": null 
}, { "Key": "$8", "Label": "Alternate Tanium Servers", "ParameterType": "com.tanium.components.parameters::TextInputParameter", "Values": null }, { "Key": "$9", "Label": "VPN Servers", "ParameterType": "com.tanium.components.parameters::TextInputParameter", "Values": null } ], "SourceId": 0, "VerifyExpireSeconds": 600 } }
Command | CommandTimeout | ContentSet | CreationTime | DisplayName | ExpireSeconds | ID | LastModifiedBy | LastUpdate | ModUser | ModificationTime | Name | SourceId | VerifyExpireSeconds |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
cmd /c cscript ApplyWindowsQuarantine.vbs "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9" | 180 | Id: 32 Name: Incident Response | 2019-09-19T13:57:35Z | Apply Windows IPsec Quarantine | 780 | 225 | administrator | 2019-09-19T13:57:35Z | | 2019-09-19T13:57:35Z | Apply Windows IPsec Quarantine | 0 | 600 |
Key | Label | ParameterType | Values |
---|---|---|---|
$1 | Apply Custom Config (below) | com.tanium.components.parameters::CheckBoxParameter | |
| | com.tanium.components.parameters::SeparatorParameter | |
$2 | Allow All DHCP | com.tanium.components.parameters::CheckBoxParameter | |
$3 | Allow All DNS | com.tanium.components.parameters::CheckBoxParameter | |
$4 | Allow All Tanium Servers | com.tanium.components.parameters::CheckBoxParameter | |
$5 | Validate Tanium Server Availability | com.tanium.components.parameters::CheckBoxParameter | |
$6 | Notification Message | com.tanium.components.parameters::TextAreaParameter | |
$7 | Custom Quarantine Rules | com.tanium.components.parameters::TextAreaParameter | |
$8 | Alternate Tanium Servers | com.tanium.components.parameters::TextInputParameter | |
$9 | VPN Servers | com.tanium.components.parameters::TextInputParameter | |
Hash | ID | Name |
---|---|---|
26cab9aaddf7d0e1ecf4113dee1ee976f6df9070a1f9edf3fa9e10bc63eb6a94 | 699 | PortTester.exe |
7a2aaaf742831abf22918e4726181f25aa8b32c1dcb6b500824fe5e5ffec25fb | 700 | taniumquarantine.dat |
b2dfeab931f5938c52df84b8e6b157e698c508c7723b23505659e5ae659fcf6f | 701 | ApplyWindowsQuarantine.vbs |
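
One way to vet a package before it is deployed with tn-create-action, using the TaniumPackage context that tn-get-package returns. This is an added example, not code from the integration; the sample context is trimmed from the output above, and `review_package`, `APPROVED_HASHES` and `approved_editors` are hypothetical names, with the hashes shown above standing in for values recorded when the package was approved.

```python
import re

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
PLACEHOLDER_RE = re.compile(r"\$\d+")
# Script names referenced on the command line (the extension list is an assumption).
SCRIPT_RE = re.compile(r"[\w.\-]+\.(?:vbs|ps1|bat|sh|py)\b", re.IGNORECASE)

# Constructed sample: trimmed copy of the `!tn-get-package id=225` context above.
SAMPLE_CONTEXT = {
    "TaniumPackage": {
        "Command": 'cmd /c cscript ApplyWindowsQuarantine.vbs '
                   '"$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9"',
        "ID": 225,
        "Name": "Apply Windows IPsec Quarantine",
        "LastModifiedBy": "administrator",
        "Files": [
            {"Hash": "26cab9aaddf7d0e1ecf4113dee1ee976f6df9070a1f9edf3fa9e10bc63eb6a94",
             "ID": 699, "Name": "PortTester.exe"},
            {"Hash": "7a2aaaf742831abf22918e4726181f25aa8b32c1dcb6b500824fe5e5ffec25fb",
             "ID": 700, "Name": "taniumquarantine.dat"},
            {"Hash": "b2dfeab931f5938c52df84b8e6b157e698c508c7723b23505659e5ae659fcf6f",
             "ID": 701, "Name": "ApplyWindowsQuarantine.vbs"},
        ],
        # $1..$9 plus the SeparatorParameter entry, whose Key is null.
        "Parameters": [{"Key": "$%d" % n} for n in range(1, 10)] + [{"Key": None}],
    }
}

# Hypothetical approval record: file name -> SHA-256 noted when the package was reviewed.
APPROVED_HASHES = {
    "PortTester.exe":
        "26cab9aaddf7d0e1ecf4113dee1ee976f6df9070a1f9edf3fa9e10bc63eb6a94",
    "taniumquarantine.dat":
        "7a2aaaf742831abf22918e4726181f25aa8b32c1dcb6b500824fe5e5ffec25fb",
    "ApplyWindowsQuarantine.vbs":
        "b2dfeab931f5938c52df84b8e6b157e698c508c7723b23505659e5ae659fcf6f",
}


def review_package(context, approved_hashes, approved_editors=("administrator",)):
    """Return a list of findings; an empty list means nothing was flagged."""
    pkg = context["TaniumPackage"]
    findings = []

    # 1. Every shipped file must carry the SHA-256 that was approved for it.
    shipped = {}
    for entry in pkg.get("Files") or []:
        name = entry.get("Name")
        digest = (entry.get("Hash") or "").lower()
        shipped[name] = digest
        if not SHA256_RE.match(digest):
            findings.append("%s: hash is not a SHA-256 hex digest" % name)
        elif name not in approved_hashes:
            findings.append("%s: file is not on the approved list" % name)
        elif digest != approved_hashes[name].lower():
            findings.append("%s: hash differs from the approved value" % name)
    for name in sorted(set(approved_hashes) - set(shipped)):
        findings.append("%s: approved file is missing from the package" % name)

    # 2. A script the command runs should be one of the hashed package files.
    command = pkg.get("Command") or ""
    for script in sorted(set(SCRIPT_RE.findall(command))):
        if script not in shipped:
            findings.append("%s: run by Command but not shipped in Files" % script)

    # 3. $n placeholders in the command must line up with the declared parameters.
    used = set(PLACEHOLDER_RE.findall(command))
    declared = {p["Key"] for p in pkg.get("Parameters") or [] if p.get("Key")}
    for key in sorted(used - declared):
        findings.append("%s: used in Command but not declared in Parameters" % key)
    for key in sorted(declared - used):
        findings.append("%s: declared in Parameters but unused in Command" % key)

    # 4. The last editor should be an account allowed to change packages.
    editor = pkg.get("LastModifiedBy")
    if editor not in approved_editors:
        findings.append("last modified by unapproved user %r" % editor)
    return findings


if __name__ == "__main__":
    for line in review_package(SAMPLE_CONTEXT, APPROVED_HASHES) or ["no findings"]:
        print(line)
```

Run the review on tn-get-package output: the tn-list-packages output documented on this page has no Files entries, so every script would be reported as not shipped.
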
Asks the server to parse the question text and choose the first parsed result as the question to run.
tn-ask-question
Argument Name | Description | Required |
---|---|---|
question-text | The question text. | Required |
parameters | The question parameters. For example, sensor1{key1=val1;key2=val2};sensor2{key1=val1}. | Optional |
Path | Type | Description |
---|---|---|
Tanium.Question.ID | Number | The unique ID of the question object. |
!tn-ask-question question-text=`Get IP Address from all machines`
{ "Tanium.Question": { "ID": 50500 } }
New question created. ID = 50500
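
The parameters argument packs the values for several sensors into one string, so a value taken from an incident field must not be able to add a sensor or key of its own. The following added example (not the integration's own parsing code) parses and builds that string strictly; it assumes names and values never legitimately contain `{`, `}` or `;`, and the function names are hypothetical.

```python
import re

# One "sensor{...}" entry; names and bodies may not contain structural characters.
_ENTRY_RE = re.compile(r"\s*([^{};=]+?)\s*\{([^{}]*)\}\s*")
_RESERVED = set("{};")


def parse_question_parameters(text):
    """Parse 'sensor1{k1=v1;k2=v2};sensor2{k1=v1}' into {sensor: {key: value}}."""
    text = text.strip()
    result = {}
    pos = 0
    while pos < len(text):
        match = _ENTRY_RE.match(text, pos)
        if not match:
            raise ValueError("malformed sensor entry at offset %d" % pos)
        sensor, body = match.group(1).strip(), match.group(2)
        if sensor in result:
            raise ValueError("sensor %r appears twice" % sensor)
        params = {}
        # ';' separates pairs inside the braces and sensors outside them,
        # which is why the string cannot simply be split on ';'.
        for pair in filter(None, (p.strip() for p in body.split(";"))):
            key, sep, value = pair.partition("=")
            key = key.strip()
            if not sep or not key:
                raise ValueError("expected key=value for %r, got %r" % (sensor, pair))
            if key in params:
                raise ValueError("key %r appears twice for %r" % (key, sensor))
            params[key] = value.strip()
        result[sensor] = params
        pos = match.end()
        if pos < len(text):
            if text[pos] != ";":
                raise ValueError("expected ';' between sensors at offset %d" % pos)
            pos += 1
            if pos == len(text):
                raise ValueError("trailing ';' after the last sensor")
    return result


def _check(field, what, extra="", allow_empty=False):
    """Reject fields that are empty or would change the structure of the string."""
    bad = (_RESERVED | set(extra)) & set(field)
    if bad or (not allow_empty and not field.strip()):
        raise ValueError("%s %r is empty or contains %s" % (what, field, sorted(bad)))


def build_question_parameters(sensors):
    """Build the parameters string from {sensor: {key: value}}, refusing unsafe fields."""
    parts = []
    for sensor, params in sensors.items():
        _check(sensor, "sensor name", extra="=")
        pairs = []
        for key, value in params.items():
            _check(key, "parameter key", extra="=")
            _check(value, "parameter value", allow_empty=True)
            pairs.append("%s=%s" % (key, value))
        parts.append("%s{%s}" % (sensor, ";".join(pairs)))
    return ";".join(parts)


if __name__ == "__main__":
    # The format string given in the argument description above.
    example = "sensor1{key1=val1;key2=val2};sensor2{key1=val1}"
    print(parse_question_parameters(example))
    # Sensor name and parameter key taken from the tn-get-sensor id=204 output;
    # the value is constructed.
    print(build_question_parameters(
        {"Installed Application Version": {"application": "Google Chrome"}}))
```
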
Returns the question result based on question ID.
tn-get-question-result
Argument Name | Description | Required |
---|---|---|
question-id | The question ID. | Required |
Path | Type | Description |
---|---|---|
Tanium.QuestionResult.QuestionID | Number | The unique ID of the question object. |
Tanium.QuestionResult.Results | Unknown | The question results. |
Tanium.QuestionResult.Status | String | The status of the question request. Can be: "Completed" or "Pending". |
!tn-get-question-result question-id=50477
{ "Tanium.QuestionResult": { "QuestionID": "50477", "Status": "Pending" } }
Question is still executing, Question id: 50477
Returns a list of all sensors.
tn-list-sensors
Argument Name | Description | Required |
---|---|---|
limit | The maximum number of sensors to return. | Optional |
Path | Type | Description |
---|---|---|
TaniumSensor.Category | String | The category that includes this sensor. |
TaniumSensor.ContentSetId | Number | The ID of the content set to associate with the sensor. |
TaniumSensor.ContentSetName | String | The name of the content set to associate with the sensor. |
TaniumSensor.CreationTime | String | The time and date when this object was created in the database. |
TaniumSensor.Description | String | A description for the sensor. |
TaniumSensor.Hash | String | The hash ID of the sensor. |
TaniumSensor.ID | Number | The unique ID of the sensor object. |
TaniumSensor.IgnoreCaseFlag | Boolean | Whether to ignore the case flag of the sensor. Default is 1, which means the case flag is ignored. |
TaniumSensor.KeepDuplicatesFlag | Boolean | Whether to keep duplicate values in the sensor results. Default is 1 which keeps duplicate values instead of returning each unique value once. |
TaniumSensor.LastModifiedBy | String | The name of the user who last modified this object. |
TaniumSensor.MaxAgeSeconds | Number | The maximum age in seconds of a sensor result before it is invalid. When results are half this value, the sensor is re-evaluated. |
TaniumSensor.ModUserDomain | String | The domain of the user who most recently modified this object. |
TaniumSensor.ModUserId | Number | The ID of the user who most recently modified this object. |
TaniumSensor.ModUserName | String | The name of the user who most recently modified this object. |
TaniumSensor.ModificationTime | String | The most recent time and date when this object was modified. |
TaniumSensor.Name | String | The name of the sensor. |
TaniumSensor.SourceId | Number | The ID of the sensor into which the parameters are substituted. If specified, source_hash may be omitted. |
!tn-list-sensors limit=1
{ "TaniumSensor": [ { "Category": "Network", "ContentSetId": 10, "ContentSetName": "Network", "CreationTime": "2019-07-17T20:13:49Z", "Description": "Returns the SSID (name) of a wireless network a machine is connected to.\nExample: linksys", "Hash": "1466668831", "ID": 232, "IgnoreCaseFlag": true, "KeepDuplicatesFlag": false, "LastModifiedBy": "administrator", "MaxAgeSeconds": 900, "ModUserDomain": "EC2AMAZ-N5ETQVT", "ModUserId": 1, "ModUserName": "administrator", "ModificationTime": "2019-07-17T20:13:49Z", "Name": "Wireless Network Connected SSID", "SourceId": 0 } ] }
Category | ContentSetId | ContentSetName | CreationTime | Description | Hash | ID | IgnoreCaseFlag | KeepDuplicatesFlag | LastModifiedBy | MaxAgeSeconds | ModUserDomain | ModUserId | ModUserName | ModificationTime | Name | SourceId |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Network | 10 | Network | 2019-07-17T20:13:49Z | Returns the SSID (name) of a wireless network a machine is connected to. Example: linksys | 1466668831 | 232 | true | false | administrator | 900 | EC2AMAZ-N5ETQVT | 1 | administrator | 2019-07-17T20:13:49Z | Wireless Network Connected SSID | 0 |
Returns detailed information about a sensor object based on name or ID.
tn-get-sensor
Argument Name | Description | Required |
---|---|---|
id | The sensor ID. | Optional |
name | The name of the sensor. | Optional |
Path | Type | Description |
---|---|---|
TaniumSensor.Category | String | The category that includes this sensor. |
TaniumSensor.ContentSetId | Number | The ID of the content_set to associate with the sensor. |
TaniumSensor.ContentSetName | String | The name of the content_set to associate with the sensor. |
TaniumSensor.CreationTime | String | The date and time when this object was created in the database. |
TaniumSensor.Description | String | A description for the sensor. |
TaniumSensor.Hash | String | The hash ID of the sensor. |
TaniumSensor.ID | Number | The unique ID of the sensor object. |
TaniumSensor.IgnoreCaseFlag | Boolean | Ignore the case flag. Default is 1, which means the case flag is ignored. |
TaniumSensor.KeepDuplicatesFlag | Boolean | Keep duplicates flag in the sensor results. Default is 1, which preserves duplicate values in sensor results instead of only returning each unique value once. |
TaniumSensor.LastModifiedBy | String | The name of the user who last modified this object. |
TaniumSensor.MaxAgeSeconds | Number | The maximum age in seconds of a sensor result before it is invalid. When results are half this value, the sensor is re-evaluated. |
TaniumSensor.ModUserDomain | String | The domain of the user who most recently modified this object. |
TaniumSensor.ModUserId | Number | The ID of the user who most recently modified this object. |
TaniumSensor.ModUserName | String | The name of the user who most recently modified this object. |
TaniumSensor.ModificationTime | String | The most recent time and date when this object was modified. |
TaniumSensor.Name | String | The name of the sensor. |
TaniumSensor.Parameters.Key | String | The attribute name of the parameter. |
TaniumSensor.Parameters.Label | String | The description of the parameter. |
TaniumSensor.Parameters.Values | String | The values of the parameter. |
TaniumSensor.Parameters.ParameterType | String | The type of parameter. |
TaniumSensor.SourceId | Number | The ID of the sensor into which the parameters are substituted. If specified, source_hash may be omitted. |
!tn-get-sensor id=204
{ "TaniumSensor": { "Category": "Applications", "ContentSetId": 11, "ContentSetName": "Software", "CreationTime": "2019-07-17T20:13:49Z", "Description": "The version string of applications which match the parameter given.\nExample: 11.5.502.146", "Hash": "2387001299", "ID": 204, "IgnoreCaseFlag": true, "KeepDuplicatesFlag": false, "LastModifiedBy": "administrator", "MaxAgeSeconds": 900, "ModUserDomain": "EC2AMAZ-N5ETQVT", "ModUserId": 1, "ModUserName": "administrator", "ModificationTime": "2019-07-17T20:13:49Z", "Name": "Installed Application Version", "Parameters": [ { "Key": "application", "Label": "Application Name", "ParameterType": "com.tanium.components.parameters::TextInputParameter", "Values": null } ], "SourceId": 0 } }
Category | ContentSetId | ContentSetName | CreationTime | Description | Hash | ID | IgnoreCaseFlag | KeepDuplicatesFlag | LastModifiedBy | MaxAgeSeconds | ModUserDomain | ModUserId | ModUserName | ModificationTime | Name | SourceId |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Applications | 11 | Software | 2019-07-17T20:13:49Z | The version string of applications which match the parameter given. Example: 11.5.502.146 | 2387001299 | 204 | true | false | administrator | 900 | EC2AMAZ-N5ETQVT | 1 | administrator | 2019-07-17T20:13:49Z | Installed Application Version | 0 |
Key | Label | ParameterType | Values |
---|---|---|---|
application | Application Name | com.tanium.components.parameters::TextInputParameter | |
Creates a saved question object.
tn-create-saved-question
Argument Name | Description | Required |
---|---|---|
question-id | The question ID. | Required |
name | Name of the saved question to create. | Required |
Path | Type | Description |
---|---|---|
Tanium.SavedQuestion.ID | Number | The ID of the saved question. |
Tanium.SavedQuestion.Name | String | The name of the saved question. |
!tn-create-saved-question name=ip_all_machines question-id=50477
{ "Tanium.SavedQuestion": { "ID": 450, "name": "ip_all_machines" } }
Question saved. ID = 450
Returns all saved questions.
tn-list-saved-questions
Argument Name | Description | Required |
---|---|---|
limit | The maximum number of saved questions to return. | Optional |
Path | Type | Description |
---|---|---|
Tanium.SavedQuestion.ArchiveEnabledFlag | Boolean | Whether archiving is enabled for the saved question. |
Tanium.SavedQuestion.ArchiveOwner | String | The name of the user that owns the archive. Archives can be shared between users with identical management rights groups. |
Tanium.SavedQuestion.ExpireSeconds | Number | The duration in seconds before each question expires. Default value is 600. |
Tanium.SavedQuestion.ID | Number | The unique ID of the question object. |
Tanium.SavedQuestion.IssueSeconds | Number | The time in seconds to reissue the question when active. Default value is 120. |
Tanium.SavedQuestion.IssueSecondsNeverFlag | Boolean | Whether the question is not reissued automatically. Default is 1 (not reissued). |
Tanium.SavedQuestion.KeepSeconds | Number | The number of seconds to save the data results in the archive. |
Tanium.SavedQuestion.ModTime | String | The most recent time and date when this object was modified. |
Tanium.SavedQuestion.ModUserDomain | String | The domain of the user who most recently modified this object. |
Tanium.SavedQuestion.ModUserId | Number | The ID of the user who most recently modified this object. |
Tanium.SavedQuestion.ModUserName | String | The name of the user who most recently modified this object. |
Tanium.SavedQuestion.MostRecentQuestionId | Number | The ID of the most recently issued question object generated by the saved question. |
Tanium.SavedQuestion.Name | String | The name of the saved question object. |
Tanium.SavedQuestion.QueryText | String | The textual representation of the question. |
Tanium.SavedQuestion.QuestionId | Number | The ID of the question from which to create the saved question. |
Tanium.SavedQuestion.RowCountFlag | Boolean | If the value is true, only the row count data is saved when archiving this question. |
Tanium.SavedQuestion.SortColumn | Number | The default sort column, if no sort order is specified. |
Tanium.SavedQuestion.UserId | Number | The ID of the user who owns this object. |
Tanium.SavedQuestion.UserName | String | The name of the user who owns this object. |
!tn-list-saved-questions limit=1
{ "Tanium.SavedQuestion": [ { "ArchiveEnabledFlag": false, "ExpireSeconds": 600, "ID": 130, "IssueSeconds": 120, "IssueSecondsNeverFlag": false, "KeepSeconds": 0, "ModTime": "2019-07-17T20:43:06Z", "MostRecentQuestionId": 19563, "Name": "SCCM - Client Cache Size", "QueryText": "Get SCCM Cache Size from all machines", "QuestionId": 19563, "RowCountFlag": false, "SortColumn": 0, "UserId": 1, "UserName": "administrator" } ] }
ArchiveEnabledFlag | ArchiveOwner | ExpireSeconds | ID | IssueSeconds | IssueSecondsNeverFlag | KeepSeconds | ModTime | MostRecentQuestionId | Name | QueryText | QuestionId | RowCountFlag | SortColumn | UserId | UserName |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
false | | 600 | 130 | 120 | false | 0 | 2019-07-17T20:43:06Z | 19563 | SCCM - Client Cache Size | Get SCCM Cache Size from all machines | 19563 | false | 0 | 1 | administrator |
Returns the saved question result based on the saved question ID.
tn-get-saved-question-result
Argument Name | Description | Required |
---|---|---|
question-id | The saved question ID. | Required |
Path | Type | Description |
---|---|---|
Tanium.SavedQuestionResult.SavedQuestionID | Number | The ID of the saved question. |
Tanium.SavedQuestionResult.Results | Unknown | The saved question results. |
Tanium.SavedQuestionResult.Status | String | Status of the question request. Can be: "Completed" or "Pending". |
!tn-get-saved-question-result question-id=130
{ "Tanium.SavedQuestionResult": { "SavedQuestionID": "130", "Status": "Completed" } }
**No entries.**
Returns all client details.
tn-get-system-status
Argument Name | Description | Required |
---|---|---|
Path | Type | Description |
---|---|---|
Tanium.Client.ComputerId | Number | The computer ID of the client. |
Tanium.Client.FullVersion | String | The Tanium Client version. |
Tanium.Client.HostName | String | The computer hostname. |
Tanium.Client.IpAddressClient | String | The IP address of the client returned from a sensor on the client. |
Tanium.Client.IpAddressServer | String | The IP address of the client that was recorded on the server during the last registration. |
Tanium.Client.LastRegistration | Date | The most recent time that the client registered with the server. |
Tanium.Client.Status | String | The status of the client. Can be: "Blocked", "Leader", "Normal", "Slow link". |
!tn-get-system-status
{ "Tanium.Client": [ { "ComputerId": 9065264, "FullVersion": "7.2.314.3476", "HostName": "ec2amaz-kgmro60", "IpAddressClient": "127.0.0.1", "IpAddressServer": "127.0.0.1", "LastRegistration": "2019-11-27T15:06:08Z", "Status": "Leader" }, { "ComputerId": 2232836718, "FullVersion": "7.2.314.3476", "HostName": "HOSTNAME", "IpAddressClient": "127.0.0.1", "IpAddressServer": "127.0.0.1", "LastRegistration": "2019-11-27T15:06:09Z", "Status": "Leader" } ] }
ComputerId | FullVersion | HostName | IpAddressClient | IpAddressServer | LastRegistration | Status |
---|---|---|---|---|---|---|
9065264 | 7.2.314.3476 | ec2amaz-kgmro60 | 127.0.0.1 | 127.0.0.1 | 2019-11-27T15:06:08Z | Leader |
2232836718 | 7.2.314.3476 | HOSTNAME | 127.0.0.1 | 127.0.0.1 | 2019-11-27T15:06:09Z | Leader |
Creates a package object.
tn-create-package
Argument Name | Description | Required |
---|---|---|
command | The command to execute. | Required |
name | The name of the package to create. | Required |
Path | Type | Description |
---|---|---|
TaniumPackage.Command | String | The command to run. |
TaniumPackage.CommandTimeout | Number | Timeout in seconds for the command execution. |
TaniumPackage.ContentSet.Id | Number | The ID of the content set to associate with the package. |
TaniumPackage.ContentSet.Name | String | The name of the content set to associate with the package. |
TaniumPackage.CreationTime | String | The time and date when this object was created in the database. |
TaniumPackage.DisplayName | String | The name of the package that displays in the user interface. |
TaniumPackage.ExpireSeconds | Number | Timeout in seconds for the action expiry. |
TaniumPackage.ID | Number | The unique ID of the package_spec object. |
TaniumPackage.LastModifiedBy | String | The user who most recently modified this object. |
TaniumPackage.LastUpdate | String | The most recent time and date when this object was modified. |
TaniumPackage.ModUser.Domain | String | The domain of the user who most recently modified this object. |
TaniumPackage.ModUser.Id | Number | The ID of the user who most recently modified this object. |
TaniumPackage.ModUser.Name | String | The name of the user who most recently modified this object. |
TaniumPackage.ModificationTime | String | The most recent time and date when this object was modified. |
TaniumPackage.Name | String | The unique name of the package_spec object. |
TaniumPackage.SourceId | Number | The ID of the package into which the parameters are substituted. |
TaniumPackage.VerifyExpireSeconds | Number | A verification failure timeout. The time begins with the start of the action. If the action cannot be verified by the timeout, the action status is reported as failed. |
!tn-create-package command=cls name=clear_screen
{ "TaniumPackage": { "Command": "cls", "CommandTimeout": 600, "ContentSet": { "Id": 2, "Name": "" }, "CreationTime": "2019-11-27T15:06:14Z", "DisplayName": "clear_screen", "ExpireSeconds": 3600, "ID": 1220, "LastModifiedBy": "administrator", "LastUpdate": "2019-11-27T15:06:14Z", "ModificationTime": "2019-11-27T15:06:14Z", "Name": "clear_screen", "SourceId": 0, "VerifyExpireSeconds": 3600 } }
Command | CommandTimeout | ContentSet | CreationTime | DisplayName | ExpireSeconds | Files | ID | LastModifiedBy | LastUpdate | ModUser | ModificationTime | Name | Parameters | SourceId | VerifyExpireSeconds |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
cls | 600 | Id: 2 Name: | 2019-11-27T15:06:14Z | clear_screen | 3600 | | 1220 | administrator | 2019-11-27T15:06:14Z | | 2019-11-27T15:06:14Z | clear_screen | | 0 | 3600 |
**No entries.**
**No entries.**
Returns all package information.
tn-list-packages
Argument Name | Description | Required |
---|---|---|
limit | The maximum number of packages to return. | Optional |
Path | Type | Description |
---|---|---|
TaniumPackage.Command | String | The command to run. |
TaniumPackage.CommandTimeout | Number | Timeout in seconds for the command execution. |
TaniumPackage.ContentSet.Id | Number | The ID of the content set to associate with the package. |
TaniumPackage.ContentSet.Name | String | The name of the content set to associate with the package. |
TaniumPackage.CreationTime | String | The time and date when this object was created in the database. |
TaniumPackage.DisplayName | String | The name of the package that displays in the user interface. |
TaniumPackage.ExpireSeconds | Number | Timeout in seconds for the action expiry. |
TaniumPackage.ID | Number | The unique ID of the package_spec object. |
TaniumPackage.LastModifiedBy | String | The user who most recently modified this object. |
TaniumPackage.LastUpdate | String | The most recent time and date when this object was modified. |
TaniumPackage.ModUser.Domain | String | The domain of the user who most recently modified this object. |
TaniumPackage.ModUser.Id | Number | The ID of the user who most recently modified this object. |
TaniumPackage.ModUser.Name | String | The name of the user who most recently modified this object. |
TaniumPackage.ModificationTime | String | The most recent time and date when this object was modified. |
TaniumPackage.Name | String | The unique name of the package_spec object. |
TaniumPackage.SourceId | Number | The ID of the package into which the parameters are substituted. |
TaniumPackage.VerifyExpireSeconds | Number | A verification failure timeout. The time begins with the start of the action. If the action cannot be verified by the timeout, the action status is reported as failed. |
!tn-list-packages limit=1
{ "TaniumPackage": [ { "Command": "/bin/bash run-add-intel-package.sh 2>&1", "CommandTimeout": 600, "ContentSet": { "Id": 8, "Name": "Detect Service" }, "CreationTime": "2019-07-23T20:40:17Z", "DisplayName": "Detect Intel for Unix Revision 4 Delta", "ExpireSeconds": 2400, "ID": 132, "LastModifiedBy": "administrator", "LastUpdate": "2019-07-23T20:40:17Z", "ModificationTime": "2019-07-23T20:40:17Z", "Name": "Detect Intel for Unix Revision 4 Delta", "SourceId": 0, "VerifyExpireSeconds": 3600 } ] }
Command | CommandTimeout | ContentSet | CreationTime | DisplayName | ExpireSeconds | ID | LastModifiedBy | LastUpdate | ModUser | ModificationTime | Name | SourceId | VerifyExpireSeconds |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
/bin/bash run-add-intel-package.sh 2>&1 | 600 | Id: 8 Name: Detect Service | 2019-07-23T20:40:17Z | Detect Intel for Unix Revision 4 Delta | 2400 | 132 | administrator | 2019-07-23T20:40:17Z | | 2019-07-23T20:40:17Z | Detect Intel for Unix Revision 4 Delta | 0 | 3600 |
Returns a question object based on question ID.
tn-get-question-metadata
Argument Name | Description | Required |
---|---|---|
question-id | The question ID. | Required |
Path | Type | Description |
---|---|---|
Tanium.Question.ID | Number | The unique ID of the question object. |
Tanium.Question.Expiration | Date | The date the question expires. |
Tanium.Question.ExpireSeconds | Number | The number of seconds before the question expires. Default is 600. |
Tanium.Question.ForceComputerIdFlag | Boolean | Whether to force the question to be a counting question if only one selection is present. Default is not to force. If the question object is an instance of a saved question, this field is derived from the saved question. |
Tanium.Question.IsExpired | Boolean | Whether the question has expired. |
Tanium.Question.QueryText | String | The textual representation of the question. |
Tanium.Question.SavedQuestionId | Number | The ID of the saved question derived from this question. |
Tanium.Question.UserId | Number | The ID of the user who created / issued this question. |
Tanium.Question.UserName | String | The name of the user who created / issued this question. |
!tn-get-question-metadata question-id=50477
{ "Tanium.Question": { "Expiration": "2019-11-27T14:16:24Z", "ExpireSeconds": 0, "ForceComputerIdFlag": false, "ID": 50477, "IsExpired": true, "QueryText": "Get IP Address from all machines", "SavedQuestionId": 450, "UserId": 1, "UserName": "administrator" } }
Expiration | ExpireSeconds | ForceComputerIdFlag | ID | IsExpired | QueryText | SavedQuestionId | UserId | UserName |
---|---|---|---|---|---|---|---|---|
2019-11-27T14:16:24Z | 0 | false | 50477 | true | Get IP Address from all machines | 450 | 1 | administrator |
Returns all saved actions.
tn-list-saved-actions
Argument Name | Description | Required |
---|---|---|
limit | The maximum number of saved actions to return. | Optional |
Path | Type | Description |
---|---|---|
Tanium.SavedAction.ActionGroupId | Number | The ID of the group of clients to target. |
Tanium.SavedAction.ApprovedFlag | Boolean | Whether the saved action is approved. True is approved. |
Tanium.SavedAction.ApproverId | Number | The ID of the user to approve the saved action. |
Tanium.SavedAction.ApproverName | String | The name of the user to approve the saved action. |
Tanium.SavedAction.CreationTime | Date | The time and date when this object was created in the database. |
Tanium.SavedAction.EndTime | Date | The time and date to stop issuing actions. |
Tanium.SavedAction.ExpireSeconds | Number | The duration from the start time before the action expires. |
Tanium.SavedAction.ID | Number | The unique ID of the saved action object. |
Tanium.SavedAction.LastActionId | Number | The ID of the action object that was issued last. |
Tanium.SavedAction.LastActionStartTime | Date | The start time and date of the action object that was issued last. |
Tanium.SavedAction.LastAaction.TargetGroupId | Number | The target group of the action object that was issued last. |
Tanium.SavedAction.LastStartTime | Date | The most recent date and time that the action started. |
Tanium.SavedAction.Name | String | The name of the saved_action object. |
Tanium.SavedAction.NextStartTime | Date | The next time and date when the action will start. |
Tanium.SavedAction.PackageId | Number | The ID of the package deployed by the saved action. |
Tanium.SavedAction.PackageName | String | The name of the package deployed by the saved action. |
Tanium.SavedAction.PackageSourceHash | String | The source hash of the package deployed by the saved action. |
Tanium.SavedAction.StartTime | Date | The time and date when the action became active. An empty string or null starts immediately. |
Tanium.SavedAction.Status | Number | The status of the saved action. Can be: "0" for Enabled, "1" for Disabled, or "2" for Deleted. |
Tanium.SavedAction.TargetGroupId | Number | The group of machines to target. |
Tanium.SavedAction.UserId | Number | The ID of the user who created the saved action. |
Tanium.SavedAction.UserName | String | The name of the user who created the saved action. |
!tn-list-saved-actions limit=1
{ "Tanium.SavedAction": [ { "ActionGroupId": 432, "ApprovedFlag": false, "ApproverId": 0, "CreationTime": "2019-09-25T16:56:59Z", "EndTime": "Never", "ExpireSeconds": 600, "ID": 353, "LastActionId": 7206, "LastActionStartTime": "Never", "LastStartTime": "Never", "Name": "Trace - Start Session [Linux]", "NextStartTime": "Never", "PackageId": 728, "PackageName": "Trace - Start Session [Linux]", "PackageSourceHash": "f3931b6451967b74b522887e1f00f4a59b2fae730a5c277577bb804c7f484c61", "StartTime": "2019-09-25T16:57:31Z", "Status": 0, "TargetGroupId": 14652, "UserId": 1, "UserName": "administrator" } ] }
ActionGroupId | ApprovedFlag | ApproverId | ApproverName | CreationTime | EndTime | ExpireSeconds | ID | LastActionId | LastActionStartTime | LastStartTime | Name | NextStartTime | PackageId | PackageName | PackageSourceHash | StartTime | Status | TargetGroupId | UserId | UserName |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
432 | false | 0 | | 2019-09-25T16:56:59Z | Never | 600 | 353 | 7206 | Never | Never | Trace - Start Session [Linux] | Never | 728 | Trace - Start Session [Linux] | f3931b6451967b74b522887e1f00f4a59b2fae730a5c277577bb804c7f484c61 | 2019-09-25T16:57:31Z | 0 | 14652 | 1 | administrator |
Returns a saved action object based on name or ID.
tn-get-saved-action
Argument Name | Description | Required |
---|---|---|
id | The saved action ID. | Optional |
name | The saved action name. | Optional |
Path | Type | Description |
---|---|---|
Tanium.SavedAction.ActionGroupId | Number | The ID of the group of clients to target. |
Tanium.SavedAction.ApprovedFlag | Boolean | Whether the saved action is approved. True is approved. |
Tanium.SavedAction.ApproverId | Number | The ID of the user to approve the saved action. |
Tanium.SavedAction.ApproverName | String | The name of the user to approve the saved action. |
Tanium.SavedAction.CreationTime | Date | The time and date when this object was created in the database. |
Tanium.SavedAction.EndTime | Date | The time and date to stop issuing actions. |
Tanium.SavedAction.ExpireSeconds | Number | The duration from the start time before the action expires. |
Tanium.SavedAction.ID | Number | The unique ID of the saved_action object. |
Tanium.SavedAction.LastActionId | Number | The ID of the action object that was issued last. |
Tanium.SavedAction.LastActionStartTime | Date | The start time and date of the action object that was issued last. |
Tanium.SavedAction.LastAaction.TargetGroupId | Number | The target group of the action object that was issued last. |
Tanium.SavedAction.LastStartTime | Date | The most recent date and time that the action started. |
Tanium.SavedAction.Name | String | The name of the saved action object. |
Tanium.SavedAction.NextStartTime | Date | The next time and date when the action will start. |
Tanium.SavedAction.PackageId | Number | The ID of the package deployed by the saved action. |
Tanium.SavedAction.PackageName | String | The name of the package deployed by the saved action. |
Tanium.SavedAction.PackageSourceHash | String | The source hash of the package deployed by the saved action. |
Tanium.SavedAction.StartTime | Date | The time and date when the action became active. An empty string or null starts immediately. |
Tanium.SavedAction.Status | Number | The status of the saved action. Can be: "0" for Enabled, "1" for Disabled, or "2" for Deleted. |
Tanium.SavedAction.TargetGroupId | Number | The group of machines to target. |
Tanium.SavedAction.UserId | Number | The ID of the user who created the saved action. |
Tanium.SavedAction.UserName | String | The name of the user who created the saved action. |
!tn-get-saved-action id=5
{ "Tanium.SavedAction": { "ActionGroupId": 315, "ApprovedFlag": true, "ApproverId": 1, "ApproverName": "administrator", "CreationTime": "2019-07-17T20:14:36Z", "EndTime": "Never", "ExpireSeconds": 4500, "ID": 5, "LastActionId": 5, "LastActionStartTime": "Never", "LastStartTime": "Never", "Name": "Distribute Python - Tools [Linux]", "NextStartTime": "2019-11-27T16:14:38", "PackageId": 56, "PackageName": "Python - Tools [Linux]", "PackageSourceHash": "package-hash", "StartTime": "2019-07-17T20:14:38Z", "Status": 1, "TargetGroupId": 243, "UserId": 1, "UserName": "administrator" } }
ActionGroupId | ApprovedFlag | ApproverId | ApproverName | CreationTime | EndTime | ExpireSeconds | ID | LastActionId | LastActionStartTime | LastStartTime | Name | NextStartTime | PackageId | PackageName | PackageSourceHash | StartTime | Status | TargetGroupId | UserId | UserName |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
315 | true | 1 | administrator | 2019-07-17T20:14:36Z | Never | 4500 | 5 | 5 | Never | Never | Distribute Python - Tools [Linux] | 2019-11-27T16:14:38 | 56 | Python - Tools [Linux] | 10d2ca59b744491a80af4f4df7e19698b86cc779c34984aa56ece55250f1b659 | 2019-07-17T20:14:38Z | 1 | 243 | 1 | administrator |
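The `Tanium.SavedAction` context returned by `tn-list-saved-actions` (a list) and `tn-get-saved-action` (a single object) can be reviewed automatically before anything is approved. The following is an added example, not part of the integration: `audit_saved_actions`, the baseline dictionary, and entries 9001 to 9003 with their package names and hashes are constructed for illustration; only entry 353 comes from the example output above.

```python
# Status codes for Tanium.SavedAction.Status, as listed in the output table.
STATUS_NAMES = {0: "Enabled", 1: "Disabled", 2: "Deleted"}

# Entry 353 is the tn-list-saved-actions example output from this page.
# Entries 9001-9003 (names, IDs, hashes) are constructed sample data.
SAMPLE_CONTEXT = {
    "Tanium.SavedAction": [
        {"ID": 353, "ApprovedFlag": False, "ApproverId": 0, "Status": 0,
         "PackageName": "Trace - Start Session [Linux]",
         "PackageSourceHash": "f3931b6451967b74b522887e1f00f4a59b2fae730a5c277577bb804c7f484c61"},
        {"ID": 9001, "ApprovedFlag": True, "ApproverId": 1, "Status": 0,
         "PackageName": "Example Package A", "PackageSourceHash": "b" * 64},
        {"ID": 9002, "ApprovedFlag": False, "ApproverId": 0, "Status": 1,
         "PackageName": "Example Package B", "PackageSourceHash": "c" * 64},
        {"ID": 9003, "ApprovedFlag": False, "ApproverId": 0, "Status": 2,
         "PackageName": "Example Package C", "PackageSourceHash": "d" * 64},
    ]
}

# Hypothetical baseline: package name -> source hash recorded at review time.
BASELINE = {
    "Trace - Start Session [Linux]":
        "f3931b6451967b74b522887e1f00f4a59b2fae730a5c277577bb804c7f484c61",
    "Example Package A": "a" * 64,
}


def audit_saved_actions(context, expected_hashes):
    """Return (saved_action_id, finding) tuples for entries that need review."""
    entries = context.get("Tanium.SavedAction", [])
    if isinstance(entries, dict):  # tn-get-saved-action returns one object
        entries = [entries]

    findings = []
    for sa in entries:
        sa_id = sa.get("ID")
        status = STATUS_NAMES.get(sa.get("Status"))
        if status is None:
            findings.append((sa_id, "unknown status code"))
        if status == "Deleted":
            continue  # deleted saved actions no longer issue actions
        # An enabled saved action with ApprovedFlag false is waiting on an approver.
        if status == "Enabled" and not sa.get("ApprovedFlag", False):
            findings.append((sa_id, "enabled but not approved"))
        # Compare the deployed package's source hash against the reviewed one.
        expected = expected_hashes.get(sa.get("PackageName"))
        actual = (sa.get("PackageSourceHash") or "").lower()
        if expected is None:
            findings.append((sa_id, "package not in baseline"))
        elif actual != expected.lower():
            findings.append((sa_id, "package source hash differs from baseline"))
    return findings


if __name__ == "__main__":
    for sa_id, finding in audit_saved_actions(SAMPLE_CONTEXT, BASELINE):
        print(f"saved action {sa_id}: {finding}")
```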
Returns a saved question object based on name or ID.
tn-get-saved-question-metadata
Argument Name | Description | Required |
---|---|---|
question-id | The saved question ID. | Optional |
question-name | The saved question name. | Optional |
Path | Type | Description |
---|---|---|
Tanium.SavedQuestion.ArchiveEnabledFlag | Boolean | Whether to enable archiving. |
Tanium.SavedQuestion.ArchiveOwner | String | The name of the user that owns the archive. Archives can be shared between users with identical management rights groups. |
Tanium.SavedQuestion.ExpireSeconds | Number | The duration in seconds before each question expires. Default value is 600. |
Tanium.SavedQuestion.ID | Number | The unique ID of the saved_question object. |
Tanium.SavedQuestion.IssueSeconds | Number | The number of seconds to reissue the question when active. Default value is 120. |
Tanium.SavedQuestion.IssueSecondsNeverFlag | Boolean | Whether the question is reissued automatically. If value is 1, the question is not reissued automatically. |
Tanium.SavedQuestion.KeepSeconds | Number | The number of seconds to save the data results in the archive. |
Tanium.SavedQuestion.ModTime | String | The most recent time and date when the object was modified. |
Tanium.SavedQuestion.ModUserDomain | String | The domain of the user who most recently modified this object. |
Tanium.SavedQuestion.ModUserId | Number | The ID of the user who most recently modified this object. |
Tanium.SavedQuestion.ModUserName | String | The name of the user who most recently modified this object. |
Tanium.SavedQuestion.MostRecentQuestionId | Number | The ID of the most recently issued question object generated by this saved_question. |
Tanium.SavedQuestion.Name | String | The name of the saved_question object. |
Tanium.SavedQuestion.QueryText | String | The textual representation of the question. |
Tanium.SavedQuestion.QuestionId | Number | The ID of the question from which to create the saved question. |
Tanium.SavedQuestion.RowCountFlag | Boolean | Whether the row count data is saved when archiving this question. |
Tanium.SavedQuestion.SortColumn | Number | The column to use as the default sort column, if no sort order is specified. |
Tanium.SavedQuestion.UserId | Number | The ID of the user who owns this object. |
Tanium.SavedQuestion.UserName | String | The name of the user who owns this object. |
!tn-get-saved-question-metadata question-id=130
{ "Tanium.SavedQuestion": { "ArchiveEnabledFlag": false, "ExpireSeconds": 600, "ID": 130, "IssueSeconds": 120, "IssueSecondsNeverFlag": false, "KeepSeconds": 0, "ModTime": "2019-07-17T20:43:06Z", "MostRecentQuestionId": 50501, "Name": "SCCM - Client Cache Size", "QueryText": "Get SCCM Cache Size from all machines", "QuestionId": 50501, "RowCountFlag": false, "SortColumn": 0, "UserId": 1, "UserName": "administrator" } }
ArchiveEnabledFlag | ExpireSeconds | ID | IssueSeconds | IssueSecondsNeverFlag | KeepSeconds | ModTime | MostRecentQuestionId | Name | QueryText | QuestionId | RowCountFlag | SortColumn | UserId | UserName |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
false | 600 | 130 | 120 | false | 0 | 2019-07-17T20:43:06Z | 50501 | SCCM - Client Cache Size | Get SCCM Cache Size from all machines | 50501 | false | 0 | 1 | administrator |
Creates a saved action object.
tn-create-saved-action
Argument Name | Description | Required |
---|---|---|
action-group-id | The action group ID. | Required |
package-id | The package ID. | Required |
name | The name of the action. | Optional |
Path | Type | Description |
---|---|---|
Tanium.SavedAction.ActionGroupId | Number | The ID of the group of clients to target. |
Tanium.SavedAction.ApprovedFlag | Boolean | Whether the saved action is approved. True is approved. |
Tanium.SavedAction.ApproverId | Number | The ID of the user to approve the saved action. |
Tanium.SavedAction.ApproverName | String | The name of the user to approve the saved action. |
Tanium.SavedAction.CreationTime | Date | The date and time when this object was created in the database. |
Tanium.SavedAction.EndTime | Date | The date and time to stop issuing actions. |
Tanium.SavedAction.ExpireSeconds | Number | The duration from the start time before the action expires. |
Tanium.SavedAction.ID | Number | The unique ID of the saved_action object. |
Tanium.SavedAction.LastActionId | Number | The ID of the action object that was issued last. |
Tanium.SavedAction.LastActionStartTime | Date | The start time of the action object that was issued last. |
Tanium.SavedAction.LastAaction.TargetGroupId | Number | The target group of the action object that was issued last. |
Tanium.SavedAction.LastStartTime | Date | The most recent date and time that the action started. |
Tanium.SavedAction.Name | String | The name of the saved action object. |
Tanium.SavedAction.NextStartTime | Date | The next date and time when the action will start. |
Tanium.SavedAction.PackageId | Number | The ID of the package deployed by the saved action. |
Tanium.SavedAction.PackageName | String | The name of the package deployed by the saved action. |
Tanium.SavedAction.PackageSourceHash | String | The source hash of the package deployed by the saved action. |
Tanium.SavedAction.StartTime | Date | The date and time when the action became active. An empty string or null starts immediately. |
Tanium.SavedAction.Status | Number | The status of the saved action. Can be: "0" for Enabled, "1" for Disabled, or "2" for Deleted. |
Tanium.SavedAction.TargetGroupId | Number | The group of machines to target. |
Tanium.SavedAction.UserId | Number | The ID of the user who created the saved action. |
Tanium.SavedAction.UserName | String | The name of the user who created the saved action. |
!tn-create-saved-action package-id=102 action-group-id=1
{ "Tanium.SavedAction": { "ActionGroupId": 1, "ApprovedFlag": false, "ApproverId": 0, "CreationTime": "2019-11-27T15:06:18Z", "EndTime": "Never", "ExpireSeconds": 0, "ID": 641, "LastActionId": 19880, "LastActionStartTime": "Never", "LastStartTime": "Never", "NextStartTime": "Never", "PackageId": 1221, "PackageName": "SCCM - Force Software Update Compliance State Refresh", "PackageSourceHash": "package-hash", "StartTime": "2019-11-27T15:06:18Z", "Status": 0, "TargetGroupId": 0, "UserId": 1, "UserName": "administrator" } }
ActionGroupId | ApprovedFlag | ApproverId | CreationTime | EndTime | ExpireSeconds | ID | LastActionId | LastActionStartTime | LastStartTime | NextStartTime | PackageId | PackageName | PackageSourceHash | StartTime | Status | TargetGroupId | UserId | UserName |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | false | 0 | 2019-11-27T15:06:18Z | Never | 0 | 641 | 19880 | Never | Never | Never | 1221 | SCCM - Force Software Update Compliance State Refresh | edbf105f4648298e582015aaed927cbf3e8bbbc3666c5d52c7c5e5ad1910ae6a | 2019-11-27T15:06:18Z | 0 | 0 | 1 | administrator |
Creates an action object based on the package name or the package ID.
tn-create-action
Argument Name | Description | Required |
---|---|---|
package-id | The package ID. | Optional |
package-name | The package name. | Optional |
parameters | The package parameters. For example, $1=Value1;$2=Value2;$3=Value3. | Optional |
target-group-id | The target group ID to deploy the package. | Optional |
target-group-name | The target group name to deploy the package. Target group and action group ID are required. Target group can be passed by name or ID. Note - the target group should be different than "All Computers" or "Default". | Optional |
action-group-id | The action group ID to deploy the package. | Required |
action-name | The action name. | Optional |
Path | Type | Description |
---|---|---|
Tanium.Action.ActionGroupId | Number | The ID of the parent group of machines to target. |
Tanium.Action.ActionGroupName | String | The name of the parent group of machines to target. |
Tanium.Action.ApproverId | Number | The ID of the approver of this action. |
Tanium.Action.ApproverName | String | The name of the approver of this action. |
Tanium.Action.CreationTime | Date | The date and time when this object was created in the database. |
Tanium.Action.ExpirationTime | Date | The date and time when the action expires. |
Tanium.Action.ExpireSeconds | Number | The timeout in seconds for the action expiry. |
Tanium.Action.HistorySavedQuestionId | Number | The ID of the saved question that tracks the results of the action. |
Tanium.Action.ID | Number | The unique ID of the action object. |
Tanium.Action.Name | String | The action name. |
Tanium.Action.PackageId | Number | The ID of the package deployed by this action. |
Tanium.Action.PackageName | String | The name of the package deployed by this action. |
Tanium.Action.SavedActionId | Number | The ID of the saved action that this action was issued from, if any. |
Tanium.Action.StartTime | String | The date and time when the action became active. |
Tanium.Action.Status | String | The status of the action. Can be: "Pending", "Active", "Stopped", or "Expired". |
Tanium.Action.StoppedFlag | Boolean | Whether an action stop has been issued for this action. A value of true indicates an action stop was issued. |
Tanium.Action.TargetGroupId | Number | The ID of the group of machines to target. |
Tanium.Action.TargetGroupName | String | The name of the group of machines to target. |
Tanium.Action.UserDomain | String | The domain of the user who issued this action. |
Tanium.Action.UserId | Number | The ID of the user who issued this action. |
Tanium.Action.UserName | String | The name of the user who issued this action. |
!tn-create-action action-group-id=1 action-name=`Trace - Install Endpoint Certificate [Windows]` package-id=225 target-group-name=`Windows machines`
{ "Tanium.Action": { "ActionGroupId": 1, "ActionGroupName": "All Computers", "ApproverId": 1, "CreationTime": "2019-11-27T15:06:19Z", "ExpirationTime": "2001-01-01T00:13:00Z", "ExpireSeconds": 780, "HistorySavedQuestionId": 0, "ID": 19886, "Name": "Trace - Install Endpoint Certificate [Windows] via Demisto API", "PackageId": 1222, "PackageName": "Apply Windows IPsec Quarantine", "SavedActionId": 642, "StartTime": "2001-01-01T00:00:00Z", "Status": "Pending", "StoppedFlag": false, "TargetGroupId": 11719, "TargetGroupName": "Windows machines", "UserDomain": "EC2AMAZ-N5ETQVT", "UserId": 1, "UserName": "administrator" } }
ActionGroupId | ActionGroupName | ApproverId | ApproverName | CreationTime | ExpirationTime | ExpireSeconds | HistorySavedQuestionId | ID | Name | PackageId | PackageName | SavedActionId | StartTime | Status | StoppedFlag | TargetGroupId | TargetGroupName | UserDomain | UserId | UserName |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | All Computers | 1 | | 2019-11-27T15:06:19Z | 2001-01-01T00:13:00Z | 780 | 0 | 19886 | Trace - Install Endpoint Certificate [Windows] via Demisto API | 1222 | Apply Windows IPsec Quarantine | 642 | 2001-01-01T00:00:00Z | Pending | false | 11719 | Windows machines | EC2AMAZ-N5ETQVT | 1 | administrator |
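Because `tn-create-action` deploys a package to every machine in the target group, a playbook can check the arguments before the command is issued. The following pre-flight check is an added example, not code from the integration: `parse_parameters`, `validate_create_action_args` and the `group_names_by_id` lookup are hypothetical helpers, and requiring `$N` indices to be consecutive from `$1` is an assumption based on the `$1=Value1;$2=Value2;$3=Value3` format shown in the argument table.

```python
import re

# Target groups the argument table says should not be used for deployment.
FORBIDDEN_TARGET_GROUPS = {"all computers", "default"}
_PARAM_RE = re.compile(r"^\$(\d+)=(.*)$", re.DOTALL)


def parse_parameters(raw):
    """Parse '$1=Value1;$2=Value2' into ['Value1', 'Value2'].

    Raises ValueError when an item is malformed or, by this example's
    assumption, when the indices are not consecutive starting at $1.
    """
    if not raw:
        return []
    values = []
    for position, item in enumerate(raw.split(";"), start=1):
        match = _PARAM_RE.match(item.strip())
        if not match:
            raise ValueError(f"item {position} is not of the form $N=value: {item!r}")
        if int(match.group(1)) != position:
            raise ValueError(f"expected ${position} but found ${match.group(1)}")
        values.append(match.group(2))
    return values


def validate_create_action_args(args, group_names_by_id=None):
    """Return a list of problems with tn-create-action arguments (empty if none).

    group_names_by_id is an optional {group ID: group name} mapping, for
    example built from tn-list-groups output, used to resolve target-group-id.
    """
    errors = []
    if not str(args.get("action-group-id", "")).strip().isdigit():
        errors.append("action-group-id is required and must be numeric")
    if not (args.get("package-id") or args.get("package-name")):
        errors.append("package-id or package-name is required")

    tg_id = args.get("target-group-id")
    tg_name = args.get("target-group-name")
    if not (tg_id or tg_name):
        errors.append("a target group is required (target-group-id or target-group-name)")

    # Check the name given directly and, when possible, the name behind the ID.
    names = [tg_name] if tg_name else []
    if tg_id and str(tg_id).isdigit() and group_names_by_id:
        resolved = group_names_by_id.get(int(tg_id))
        if resolved:
            names.append(resolved)
    for name in names:
        if name.strip().lower() in FORBIDDEN_TARGET_GROUPS:
            errors.append(f"target group {name!r} is too broad; choose a narrower group")

    try:
        parse_parameters(args.get("parameters"))
    except ValueError as exc:
        errors.append(f"parameters: {exc}")
    return errors


if __name__ == "__main__":
    # Arguments from the command example on this page.
    page_example = {
        "action-group-id": "1",
        "action-name": "Trace - Install Endpoint Certificate [Windows]",
        "package-id": "225",
        "target-group-name": "Windows machines",
    }
    print(validate_create_action_args(page_example))  # no problems reported
```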
Returns all actions.
tn-list-actions
Argument Name | Description | Required |
---|---|---|
limit | The maximum number of actions to return. | Optional |
Path | Type | Description |
---|---|---|
Tanium.Action.ActionGroupId | Number | The ID of the parent group of machines to target. |
Tanium.Action.ActionGroupName | String | The name of the parent group of machines to target. |
Tanium.Action.ApproverId | Number | The ID of the approver of this action. |
Tanium.Action.ApproverName | String | The name of the approver of this action. |
Tanium.Action.CreationTime | Date | The date and time when this object was created in the database. |
Tanium.Action.ExpirationTime | Date | The date and time when the action expires. |
Tanium.Action.ExpireSeconds | Number | The timeout in seconds for the action expiry. |
Tanium.Action.HistorySavedQuestionId | Number | The ID of the saved question that tracks the results of the action. |
Tanium.Action.ID | Number | The unique ID of the action object. |
Tanium.Action.Name | String | The action name. |
Tanium.Action.PackageId | Number | The ID of the package deployed by this action. |
Tanium.Action.PackageName | String | The name of the package deployed by this action. |
Tanium.Action.SavedActionId | Number | The ID of the saved action that this action was issued from, if any. |
Tanium.Action.StartTime | String | The date and time when the action became active. |
Tanium.Action.Status | String | The status of the action. Can be: "Pending", "Active", "Stopped", or "Expired". |
Tanium.Action.StoppedFlag | Boolean | Whether an action stop has been issued for this action. A value of true indicates an action stop was issued. |
Tanium.Action.TargetGroupId | Number | The ID of the group of machines to target. |
Tanium.Action.TargetGroupName | String | The name of the group of machines to target. |
Tanium.Action.UserDomain | String | The domain of the user who issued this action. |
Tanium.Action.UserId | Number | The ID of the user who issued this action. |
Tanium.Action.UserName | String | The name of the user who issued this action. |
!tn-list-actions limit=1
{ "Tanium.Action": [ { "ActionGroupId": 432, "ActionGroupName": "Tanium Threat Response", "ApproverId": 1, "ApproverName": "administrator", "CreationTime": "2019-08-15T10:39:03Z", "ExpirationTime": "2019-08-15T10:50:03Z", "ExpireSeconds": 660, "HistorySavedQuestionId": 239, "ID": 1144, "Name": "Trace - Install Endpoint Certificate [Windows]", "PackageId": 220, "PackageName": "Trace - Install Endpoint Certificate [Windows]", "SavedActionId": 31, "StartTime": "2019-08-15T10:39:03Z", "Status": "Closed", "StoppedFlag": false, "TargetGroupId": 423, "TargetGroupName": "Default", "UserDomain": "EC2AMAZ-N5ETQVT", "UserId": 1, "UserName": "administrator" } ] }
ActionGroupId | ActionGroupName | ApproverId | ApproverName | CreationTime | ExpirationTime | ExpireSeconds | HistorySavedQuestionId | ID | Name | PackageId | PackageName | SavedActionId | StartTime | Status | StoppedFlag | TargetGroupId | TargetGroupName | UserDomain | UserId | UserName |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
432 | Tanium Threat Response | 1 | administrator | 2019-08-15T10:39:03Z | 2019-08-15T10:50:03Z | 660 | 239 | 1144 | Trace - Install Endpoint Certificate [Windows] | 220 | Trace - Install Endpoint Certificate [Windows] | 31 | 2019-08-15T10:39:03Z | Closed | false | 423 | Default | EC2AMAZ-N5ETQVT | 1 | administrator |
Returns an action object based on ID.
tn-get-action
Argument Name | Description | Required |
---|---|---|
id | The action ID. | Required |
Path | Type | Description |
---|---|---|
Tanium.Action.ActionGroupId | Number | The ID of the parent group of machines to target. |
Tanium.Action.ActionGroupName | String | The name of the parent group of machines to target. |
Tanium.Action.ApproverId | Number | The ID of the approver of this action. |
Tanium.Action.ApproverName | String | The name of the approver of this action. |
Tanium.Action.CreationTime | Date | The date and time when this object was created in the database. |
Tanium.Action.ExpirationTime | Date | The date and time when the action expires. |
Tanium.Action.ExpireSeconds | Number | The timeout in seconds for the action expiry. |
Tanium.Action.HistorySavedQuestionId | Number | The ID of the saved question that tracks the results of the action. |
Tanium.Action.ID | Number | The unique ID of the action object. |
Tanium.Action.Name | String | The action name. |
Tanium.Action.PackageId | Number | The ID of the package deployed by this action. |
Tanium.Action.PackageName | String | The name of the package deployed by this action. |
Tanium.Action.SavedActionId | Number | The ID of the saved action that this action was issued from, if any. |
Tanium.Action.StartTime | String | The date and time when the action became active. |
Tanium.Action.Status | String | The status of the action. Can be: "Pending", "Active", "Stopped", or "Expired". |
Tanium.Action.StoppedFlag | Boolean | Whether an action stop has been issued for this action. A value of true indicates an action stop was issued. |
Tanium.Action.TargetGroupId | Number | The ID of the group of machines to target. |
Tanium.Action.TargetGroupName | String | The name of the group of machines to target. |
Tanium.Action.UserDomain | String | The domain of the user who issued this action. |
Tanium.Action.UserId | Number | The ID of the user who issued this action. |
Tanium.Action.UserName | String | The name of the user who issued this action. |
!tn-get-action id=2
{ "Tanium.Action": { "ActionGroupId": 3, "ActionGroupName": "Default", "ApproverId": 1, "ApproverName": "administrator", "CreationTime": "2018-12-10T13:21:01Z", "ExpirationTime": "2018-12-10T14:26:57Z", "ExpireSeconds": 3900, "HistorySavedQuestionId": 19, "ID": 2, "Name": "Distribute Tanium Standard Utilities (Linux)", "PackageId": 21, "PackageName": "Distribute Tanium Standard Utilities (Linux)", "SavedActionId": 2, "StartTime": "2018-12-10T13:21:57Z", "Status": "Closed", "StoppedFlag": false, "TargetGroupId": 15, "TargetGroupName": "Default", "UserDomain": "EC2AMAZ-N5ETQVT", "UserId": 1, "UserName": "administrator" } }
ActionGroupId | ActionGroupName | ApproverId | ApproverName | CreationTime | ExpirationTime | ExpireSeconds | HistorySavedQuestionId | ID | Name | PackageId | PackageName | SavedActionId | StartTime | Status | StoppedFlag | TargetGroupId | TargetGroupName | UserDomain | UserId | UserName |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3 | Default | 1 | administrator | 2018-12-10T13:21:01Z | 2018-12-10T14:26:57Z | 3900 | 19 | 2 | Distribute Tanium Standard Utilities (Linux) | 21 | Distribute Tanium Standard Utilities (Linux) | 2 | 2018-12-10T13:21:57Z | Closed | false | 15 | Default | EC2AMAZ-N5ETQVT | 1 | administrator |
Retrieves all saved action approval definitions on the server.
tn-list-saved-actions-pending-approval
Argument Name | Description | Required |
---|---|---|
limit | The maximum number of saved actions to return. | Optional |
Path | Type | Description |
---|---|---|
Tanium.PendingSavedAction.ApprovedFlag | Boolean | Whether the saved action is approved. True is approved. |
Tanium.PendingSavedAction.ID | Number | The unique ID of the saved action object. |
Tanium.PendingSavedAction.Name | String | The name of the saved action object. |
Tanium.PendingSavedAction.OwnerUserId | Number | The ID of the user who owns this object. |
!tn-list-saved-actions-pending-approval limit=1
{ "Tanium.PendingSavedAction": [ { "ApprovedFlag": false, "ID": 164, "Name": "Deploy Kill Process", "OwnerUserId": 1 } ] }
ApprovedFlag | ID | Name | OwnerUserId |
---|---|---|---|
false | 164 | Deploy Kill Process | 1 |
Returns a group object based on ID or name.
tn-get-group
Argument Name | Description | Required |
---|---|---|
id | The group ID. | Optional |
name | Name of group. | Optional |
Path | Type | Description |
---|---|---|
Tanium.Group.ID | Unknown | The unique ID of the group object. |
Tanium.Group.Name | String | The name of the group. |
Tanium.Group.Text | String | A description of the clients that this group represents. |
Tanium.Group.Type | String | The type of the group. |
Tanium.Group.Deleted | Boolean | Whether the group is deleted. True if deleted. |
!tn-get-group name=`linux machines`
{ "Tanium.Group": { "Deleted": false, "ID": 11721, "Name": "linux machines", "Text": " OS Platform equals linux", "Type": "Manual group" } }
Deleted | ID | Name | Text | Type |
---|---|---|---|---|
false | 11721 | linux machines | OS Platform equals linux | Manual group |
Creates a group object based on a list of computers or IP addresses.
tn-create-manual-group
Argument Name | Description | Required |
---|---|---|
group-name | The name of the group to create. | Required |
computer-names | Comma-separated list of hosts. For example, Host1,Host2. | Optional |
ip-addresses | Comma-separated list of IP addresses. For example, 12.12.12.12,10.1.1.1. | Optional |
Path | Type | Description |
---|---|---|
Tanium.Group.ID | Number | The unique ID of the group object. |
!tn-create-manual-group group-name=group11 computer-names=host1,host2
{ "Tanium.Group": { "Deleted": false, "ID": 31825, "Name": "group11", "Type": "Manual group" } }
Deleted | ID | Name | Type |
---|---|---|---|
false | 31825 | group11 | Manual group |
Creates a group object based on a text filter.
tn-create-filter-based-group
Argument Name | Description | Required |
---|---|---|
text-filter | The text filter-based computer group. For example, operating system contains windows. | Required |
group-name | Name of the group to create. | Required |
Path | Type | Description |
---|---|---|
Tanium.Group.ID | Number | The unique ID of the group object. |
!tn-create-filter-based-group group-name=linux_machines text-filter=`operating system contains linux`
{ "Tanium.Group": { "ID": 31826, "Type": "Manual group" } }
ID | Type |
---|---|
31826 | Manual group |
Returns all groups.
tn-list-groups
Argument Name | Description | Required |
---|---|---|
limit | The maximum number of groups to return. | Optional |
Path | Type | Description |
---|---|---|
Tanium.Group.ID | Number | The unique ID of the group object. |
Tanium.Group.Name | String | The name of the group. |
Tanium.Group.Text | String | A description of the clients that this group represents. |
Tanium.Group.Type | String | The type of the group. |
Tanium.Group.Deleted | Boolean | Whether the group is deleted. True if deleted. |
!tn-list-groups limit=1
{ "Tanium.Group": [ { "Deleted": false, "ID": 315, "Name": "Default", "Type": "Action group" } ] }
Deleted | ID | Name | Text | Type |
---|---|---|---|---|
false | 315 | Default | | Action group |
Deletes a group object.
tn-delete-group
Argument Name | Description | Required |
---|---|---|
id | The group ID. | Required |
There is no context output for this command.
!tn-delete-group id=31822
{ "Tanium.Group": { "Deleted": true, "ID": 31822 } }
Group has been deleted. ID = 31822
Creates an action object, based on a package name or package ID.
tn-create-action-by-host
Argument Name | Description | Required |
---|---|---|
package-id | The package ID. | Optional |
package-name | The package name. Target group is required and can be passed by name or ID. When both exist, the ID is used. Note the target group should be different than "All Computers" or "Default". | Optional |
parameters | Package parameters. For example, $1=Value1;$2=Value2;$3=Value3. | Optional |
action-group-id | The action group ID to deploy the package. | Required |
hostname | The hostname to deploy the package. Hostname or IP address is required. | Optional |
ip-address | The IP address of the host to deploy the package. | Optional |
expiration-time | Expiration time (in seconds) for the package. | Optional |
action-name | The action name. | Optional |
Path | Type | Description |
---|---|---|
Tanium.Action.ActionGroupId | Number | The ID of the parent group of machines to target. |
Tanium.Action.ActionGroupName | String | The name of the parent group of machines to target. |
Tanium.Action.ApproverId | Number | The ID of the approver of this action. |
Tanium.Action.ApproverName | String | The name of the approver of this action. |
Tanium.Action.CreationTime | Date | The date and time when this object was created in the database. |
Tanium.Action.ExpirationTime | Date | The date and time when the action expires. |
Tanium.Action.ExpireSeconds | Number | The timeout in seconds for the action expiry. |
Tanium.Action.HistorySavedQuestionId | Number | The ID of the saved question that tracks the results of the action. |
Tanium.Action.ID | Number | The unique ID of the action object. |
Tanium.Action.Name | String | The action name. |
Tanium.Action.PackageId | Number | The ID of the package deployed by this action. |
Tanium.Action.PackageName | String | The name of the package deployed by this action. |
Tanium.Action.SavedActionId | Number | The ID of the saved action that this action was issued from, if any. |
Tanium.Action.StartTime | String | The date and time when the action became active. |
Tanium.Action.Status | String | The status of the action. Can be: "Pending", "Active", "Stopped", or "Expired". |
Tanium.Action.StoppedFlag | Boolean | Whether an action stop has been issued for this action. A value of true indicates an action stop was issued. |
Tanium.Action.TargetGroupId | Number | The ID of the group of machines to target. |
Tanium.Action.TargetGroupName | String | The name of the group of machines to target. |
Tanium.Action.UserDomain | String | The domain of the user who issued this action. |
Tanium.Action.UserId | Number | The ID of the user who issued this action. |
Tanium.Action.UserName | String | The name of the user who issued this action. |
!tn-create-action-by-host action-group-id=1 action-name=`Trace - Install Endpoint Certificate [Windows]` package-id=225 ip-address=127.0.0.1
{ "Tanium.Action": { "ActionGroupId": 1, "ActionGroupName": "All Computers", "ApproverId": 1, "CreationTime": "2019-11-27T15:06:19Z", "ExpirationTime": "2001-01-01T00:13:00Z", "ExpireSeconds": 780, "HistorySavedQuestionId": 0, "ID": 19881, "Name": "Trace - Install Endpoint Certificate [Windows] via Demisto API", "PackageId": 1222, "PackageName": "Apply Windows IPsec Quarantine", "SavedActionId": 642, "StartTime": "2001-01-01T00:00:00Z", "Status": "Pending", "StoppedFlag": false, "TargetGroupId": 31823, "TargetGroupName": "Default", "UserDomain": "EC2AMAZ-N5ETQVT", "UserId": 1, "UserName": "administrator" } }
ActionGroupId | ActionGroupName | ApproverId | ApproverName | CreationTime | ExpirationTime | ExpireSeconds | HistorySavedQuestionId | ID | Name | PackageId | PackageName | SavedActionId | StartTime | Status | StoppedFlag | TargetGroupId | TargetGroupName | UserDomain | UserId | UserName |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | All Computers | 1 | | 2019-11-27T15:06:19Z | 2001-01-01T00:13:00Z | 780 | 0 | 19881 | Trace - Install Endpoint Certificate [Windows] via Demisto API | 1222 | Apply Windows IPsec Quarantine | 642 | 2001-01-01T00:00:00Z | Pending | false | 31823 | Default | EC2AMAZ-N5ETQVT | 1 | administrator |
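A pre-flight check for the tn-create-action-by-host arguments listed above, as an added example that is not part of the integration's own code. The function names, the rule that one of package-id or package-name must be present, and the requirement that parameter indexes run $1..$N without gaps are assumptions read from the argument table, not documented Tanium behaviour.

```python
import ipaddress
import re

# Hypothetical pre-flight check for tn-create-action-by-host arguments.
# The rules are read from the argument table; names and strictness are assumptions.
_PARAM = re.compile(r"^\$(\d+)=(.*)$", re.S)


def parse_parameters(raw):
    """Parse '$1=Value1;$2=Value2' into an ordered list of values."""
    if not raw:
        return []
    values = {}
    for item in raw.split(";"):
        match = _PARAM.match(item.strip())
        if not match:
            raise ValueError(f"malformed parameter: {item!r}")
        index = int(match.group(1))
        if index in values:
            raise ValueError(f"duplicate parameter ${index}")
        values[index] = match.group(2)
    expected = list(range(1, len(values) + 1))
    if sorted(values) != expected:
        raise ValueError("parameter indexes must run $1..$N without gaps")
    return [values[i] for i in expected]


def validate_action_args(args):
    """Return a list of problems; an empty list means the call is well-formed."""
    problems = []
    if not args.get("action-group-id"):
        problems.append("action-group-id is required")
    if not (args.get("package-id") or args.get("package-name")):
        problems.append("package-id or package-name is required")
    if not (args.get("hostname") or args.get("ip-address")):
        problems.append("hostname or ip-address is required")
    if args.get("ip-address"):
        try:
            ipaddress.ip_address(args["ip-address"])
        except ValueError:
            problems.append("ip-address is not a valid IP address")
    try:
        parse_parameters(args.get("parameters", ""))
    except ValueError as exc:
        problems.append(str(exc))
    return problems
```

Running this before the command is issued lets a playbook stop a malformed deployment request instead of sending it to the Tanium Server.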
Get device actions result.
tn-get-action-result
Argument Name | Description | Required |
---|---|---|
id | The device ID. | Required |
Path | Type | Description |
---|---|---|
Tanium.ActionResult.now | Date | The action result time. |
Tanium.ActionResult.max_available_age | String | The maximum action result age. |
Tanium.ActionResult.result_sets.age | Number | The age of the action result. |
Tanium.ActionResult.result_sets.id | Number | The result sets ID. |
Tanium.ActionResult.result_sets.report_count | Number | The result sets report count. |
Tanium.ActionResult.result_sets.saved_question_id | Number | The result sets saved question ID. |
Tanium.ActionResult.result_sets.question_id | Number | The result sets question ID. |
Tanium.ActionResult.result_sets.archived_question_id | Number | The result sets archived question ID. |
Tanium.ActionResult.result_sets.seconds_since_issued | Number | The result sets seconds since issued. |
Tanium.ActionResult.result_sets.issue_seconds | Number | The result sets issued seconds. |
Tanium.ActionResult.result_sets.expire_seconds | Number | The result sets expire seconds. |
Tanium.ActionResult.result_sets.tested | Number | The result sets tested. |
Tanium.ActionResult.result_sets.passed | Number | The result sets passed. |
Tanium.ActionResult.result_sets.mr_tested | Number | The result sets mr tested. |
Tanium.ActionResult.result_sets.mr_passed | Number | The result sets mr passed. |
Tanium.ActionResult.result_sets.estimated_total | Number | The result sets estimated total. |
Tanium.ActionResult.result_sets.select_count | Number | The result sets select count. |
Tanium.ActionResult.result_sets.error_count | Number | The result sets error count. |
Tanium.ActionResult.result_sets.no_results_count | Number | The result sets no results count. |
Tanium.ActionResult.result_sets.columns.hash | Number | The result sets columns hash. |
Tanium.ActionResult.result_sets.columns.name | String | The result sets columns name. |
Tanium.ActionResult.result_sets.columns.type | Number | The result sets columns type. |
Tanium.ActionResult.result_sets.filtered_row_count | Number | The result sets filtered row count. |
Tanium.ActionResult.result_sets.filtered_row_count_machines | Number | The result sets filtered row count machines. |
Tanium.ActionResult.result_sets.row_count | Number | The result sets row count. |
Tanium.ActionResult.result_sets.row_count_machines | Number | The result sets row count machines. |
Tanium.ActionResult.result_sets.item_count | Number | The result sets item count. |
Tanium.ActionResult.result_sets.rows.id | Number | The action results row ID. |
Tanium.ActionResult.result_sets.rows.cid | Number | The action results computer ID. |
Tanium.ActionResult.result_sets.rows.data.text | Number | The action results status. |
Tanium.ActionResult.ID | String | The action results ID. |
!tn-get-action-result id=1