Tanium
App Vendor: Tanium
Connector Category: Endpoint
Connector Version: 1.10.0
API version: 2.0.0
Product Version: 7.4.0
Default Port: 443
Note
This app is currently released as a beta version.
About App
The Tanium app allows security teams to integrate with the Tanium enterprise application for endpoint threat detection and security through actions such as quarantining endpoints, mitigating malicious processes on the endpoint, and managing vulnerability reports and assets.
The Tanium app in the Orchestrate application can perform the following actions:
Action Name | Description |
---|---|
Get All Actions | This action retrieves all the available actions on the server. |
Get Issued Actions by ID | This action retrieves issued actions by ID. |
Create Action | This action creates an action to be issued to endpoints. |
Get All Computer Groups | This action retrieves all computer groups. |
Get Action Group by Name | This action retrieves an action group by its name. |
Get Action Groups | This action retrieves action groups. |
Get Action Group by ID | This action retrieves an action group by ID. |
Create Action Group | This action creates a new action group. |
Delete Action Group by ID | This action deletes an action group by ID. |
Get Whitelisted URLs | This action retrieves the allowed URLs. |
Add URL to Whitelist | This action adds a URL to an allowed list. |
Update URL Whitelist | This action updates the URL allowed list. |
Remove Whitelisted URL | This action removes a URL from the allowed list. |
Get all Packages | This action retrieves a list of all available packages. |
Get Package Files | This action retrieves all package files. |
Create Package | This action creates a package. |
Delete Package by Package ID | This action deletes a package using the package ID. |
Get Tanium Package by ID | This action retrieves a Tanium package using ID. |
Get All Tanium Solutions | This action retrieves all Tanium solutions. |
Get All software packages | This action retrieves all software packages from the deploy module. |
Get All Software Package Bundles | This action retrieves all software package bundles from the deploy module. |
Get a Piece of Evidence | This action retrieves a piece of evidence of malicious activity. |
Get Evidence List | This action gets an evidence list of all malicious activities. |
List Saved Evidence | This action retrieves saved evidence of malicious activities. |
Download File from Saved Evidence | This action downloads a file locally from saved evidence of malicious activity using the file ID. For this action, Tanium threat response is used. |
Download File from Live Host to Saved Evidence | This action downloads a file/process from the live host with an active connection to the saved evidence of a malicious activity. |
Get All Dashboards | This action retrieves all available dashboards. |
Get Dashboard Groups | This action retrieves a list of dashboard groups. |
Get Plugins | This action retrieves all plugin definitions on the server. |
Get Plugin Schedules | This action retrieves the plugin schedules. |
Get Question by ID | This action retrieves a question using an ID. |
Get Question Result by ID | This action retrieves a question result by ID. |
Get Saved Questions | This action retrieves all saved questions. |
Get Saved Question by Name | This action retrieves a saved question by name. |
Get Saved Question Results by ID | This action retrieves saved question results by ID. |
Parse a Question | This action parses a human-readable question. |
Create a New Question | This action creates a new question. |
Create Manual Group | This action creates a manual group. |
Get Manual Group by ID | This action retrieves a manual group by ID. |
Delete Manual Group by ID | This action deletes a manual group by ID. |
Create a Filter Group | This action creates a filter group. |
Get Filter Group by ID | This action retrieves a filter group by ID. |
Investigate Host Snapshot | This action retrieves information using a snapshot database ID. |
Get Local Snapshots List | This action retrieves a list of local snapshots of all the live hosts. |
Get a list of Snapshots | This action retrieves a list of snapshots from all the hosts. |
Capture Snapshot | This action creates a snapshot of connected endpoints. |
Get Report Export List | This action retrieves a report export list. |
Download an Exported Report | This action downloads an exported report. |
Get Vulnerability Details from the Results of a Report | This action retrieves vulnerability details from the results of a report. |
Get Connections | This action retrieves all active remote connections. |
Get All Live Connection Events | This action retrieves all events from a live connection. |
Create a Connection | This action creates a connection. |
Get Intel Endpoint Analysis | This action retrieves the intel analysis of an endpoint. |
Get Intel by ID | This action retrieves intel by ID. |
Get Alert Details | This action retrieves the details of an alert. |
Get All Alerts | This action retrieves all alerts. |
Get Users | This action retrieves users. |
Get User Details | This action retrieves the details of a user. |
Get User Groups | This action retrieves all of the user groups. |
List All Available Sensors | This action retrieves all available Sensors. |
Create Sensor | This action creates a new sensor. |
Get Audit Logs | This action retrieves audit logs. |
Get total count of clients | This action retrieves the total count of all available clients. |
Get LDAP Sync Connectors | This action retrieves all the LDAP synchronization connectors. |
Get Saved Actions | This action retrieves saved actions in Tanium. |
Get Process Details | This action retrieves the details of a process. |
Get Current Deployments | This action retrieves the current deployments. |
Get Benchmarks | This action retrieves benchmarks. |
Get Vulnerability Sources | This action retrieves the vulnerability sources. |
Get All Notifications | This action retrieves all notifications. |
Create Parameterized Questions | This action creates a question with parameters. |
Get Sensor by Name | This action gets sensor data by name. |
Generic Action | This is a generic action that goes beyond the implemented actions by making a request to any endpoint. |
Get Action Result Info | This action retrieves information for an action that matches the specified ID. |
Get Action Results | This action retrieves results for an action that matches the specified ID. |
Prerequisites
All the actions configured in the Tanium app relate to private APIs. A Tanium Enterprise subscription is required to access the private APIs.
Configuration Parameters
The following configuration parameters are required for the Tanium app to communicate with the Tanium enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL to access Tanium. Example: https://<host>.<tld> | Text | Required | |
Username | Enter the username to access Tanium. Example: Sample username | Text | Required | |
Password | Enter the password to access Tanium. Example: psswd | Password | Required | |
AD domain | Enter the Active Directory domain. | Text | Optional | |
TLS verification | Choose whether to verify the SSL certificate while making requests. It is recommended to set this option to Yes. If No is selected, the connection may be established incorrectly and may break. Example: No | Boolean | Required | Allowed values: Yes, No. Default value: No |
API Token | Enter the API token to access Tanium. Example: token-efa439XXXXXXXXXXXXXXXXXXXXXXX704b | Password | Optional | |
Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with Tanium. | Integer | Optional | Allowed range: 15-120 Default value: 15 |
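The following check is an added example, not part of the Tanium app or its documentation: a pre-flight review of one instance configuration against the table above, flagging a non-HTTPS base URL, TLS verification left at its default of No, and a timeout outside 15-120 seconds. The dictionary keys, function name and sample values are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Allowed range and default for the Timeout field, taken from the table above.
TIMEOUT_RANGE = (15, 120)
DEFAULT_TIMEOUT = 15

# Constructed sample configurations (hypothetical key names and values).
SAMPLE_HARDENED = {
    "base_url": "https://tanium.example.test",
    "username": "svc-orchestrate",
    "password": "constructed-placeholder",
    "tls_verification": True,
    "timeout": 30,
}
SAMPLE_WEAK = {
    "base_url": "http://tanium.example.test",
    "username": "svc-orchestrate",
    "password": "constructed-placeholder",
    # tls_verification omitted: the documented default is No
    "timeout": 5,
}


def review_instance_config(cfg):
    """Return a list of (field, problem) findings for one app instance."""
    findings = []

    # Base URL: require https and a host, and reject credentials in the URL,
    # since the username and password have their own (masked) fields.
    url = urlsplit(str(cfg.get("base_url", "")).strip())
    if url.scheme != "https":
        findings.append(("base_url", "scheme must be https"))
    if not url.hostname:
        findings.append(("base_url", "missing host"))
    if url.username or url.password:
        findings.append(("base_url", "credentials embedded in URL"))

    # Username and Password are marked Required in the table.
    for field in ("username", "password"):
        if not cfg.get(field):
            findings.append((field, "required value is empty"))

    # TLS verification defaults to No, so an absent value counts as disabled.
    if cfg.get("tls_verification", False) is not True:
        findings.append(("tls_verification", "certificate verification is off"))

    # Timeout: integer within the allowed range (bool is excluded explicitly
    # because it is a subclass of int in Python).
    timeout = cfg.get("timeout", DEFAULT_TIMEOUT)
    low, high = TIMEOUT_RANGE
    if (isinstance(timeout, bool) or not isinstance(timeout, int)
            or not low <= timeout <= high):
        findings.append(("timeout", f"must be an integer from {low} to {high}"))

    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", SAMPLE_HARDENED), ("weak", SAMPLE_WEAK)):
        print(name, review_instance_config(cfg))
```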
Action: Get All Actions
This action lists all available actions. Optionally, you can provide dates (in epoch format) to list only the actions before or after them.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
After Date Epoch | Enter an epoch date after which the actions must show. Example: 1637092946 | Integer | Optional | |
Before Date Epoch | Enter an epoch date before which the actions must show. Example: 1681144489 | Integer | Optional |
Action: Get Issued Actions by ID
This action retrieves issued actions by ID.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Action ID | Enter the action ID. Example: 161 | Text | Required |
Example Request
[ { "id": "161" } ]
Action: Create Action
This action creates an action to be issued to endpoints.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Action Name | Enter the name of the action to be performed. Example: Sample Action | Text | Required | |
Action Group | Enter an action group to further limit the results. When the action is issued, this field is combined (AND) with the group specified in the target_group field. Example: 3 | Integer | Required | |
Package Spec ID | The package deployed by this action. The server accepts packages that require parameters even if you do not specify the parameters, and it does not validate any parameters or their contents. Example: 73 | Integer | Required | |
Target Group | Enter the group of machines to target. When the action is issued, this field is combined (AND) with the group specified in the action_group field. Example: 1 | Integer | Required | |
Package Spec Parameters | Provide a list of key-value parameters to pass in parameterized package spec. Example: [{"key" : "$1","value" : "TestTagForWindowsEndpoints"},{"key" : "$2","value" : "TestTagForLinuxEndpoints"}] | List | Optional | |
Extra Parameters | Provide additional parameters in key-value pairs. | Key Value | Optional |
Example Request
{ "action_group" : { "id" : 3 }, "package_spec" : { "source_id" : 73, "parameters" : [ { "key" : "$1", "value" : "TestTagForWindowsEndpoints" }, { "key" : "$2", "value" : "TestTagForLinuxEndpoints" } ] }, "name" : "Sample Action", "expire_seconds" : 3600, "target_group" : { "id" : 1 } }
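Because the server does not validate package parameters, and the action group and target group together decide which endpoints receive the package, it helps to validate these inputs before the request is sent. The sketch below is an added example, not the app's own code: it builds the request body shown above from the input parameters. The function name, the reserved-key rule, and the assumption that Extra Parameters (such as `expire_seconds`) are merged into the top level of the body are illustrative.

```python
import json

# Assumption: Extra Parameters may add fields such as expire_seconds, but must
# not replace the fields that decide what is deployed and to which endpoints.
RESERVED_KEYS = {"name", "action_group", "package_spec", "target_group"}


def _require_id(value, field):
    # IDs are Integer fields; bool is a subclass of int, so exclude it.
    if isinstance(value, bool) or not isinstance(value, int) or value < 0:
        raise ValueError(f"{field} must be a non-negative integer, got {value!r}")
    return value


def build_create_action_body(action_name, action_group, package_spec_id,
                             target_group, package_spec_parameters=None,
                             extra_parameters=None):
    """Build a Create Action request body (hypothetical helper)."""
    if not isinstance(action_name, str) or not action_name.strip():
        raise ValueError("Action Name must be a non-empty string")

    package_spec = {"source_id": _require_id(package_spec_id, "Package Spec ID")}

    # Package Spec Parameters: a list of {"key": ..., "value": ...} pairs.
    # Checked here because the server accepts them without validation.
    if package_spec_parameters:
        params = []
        for item in package_spec_parameters:
            if not isinstance(item, dict) or set(item) != {"key", "value"}:
                raise ValueError(f"expected exactly 'key' and 'value': {item!r}")
            if not all(isinstance(item[k], str) for k in ("key", "value")):
                raise ValueError(f"'key' and 'value' must be strings: {item!r}")
            params.append({"key": item["key"], "value": item["value"]})
        package_spec["parameters"] = params

    body = {
        "action_group": {"id": _require_id(action_group, "Action Group")},
        "package_spec": package_spec,
        "name": action_name,
        "target_group": {"id": _require_id(target_group, "Target Group")},
    }

    # Merge Extra Parameters, refusing any attempt to override reserved fields.
    for key, value in (extra_parameters or {}).items():
        if key in RESERVED_KEYS:
            raise ValueError(f"Extra Parameters may not override {key!r}")
        body[key] = value
    return body


if __name__ == "__main__":
    # Values taken from the example request above.
    print(json.dumps(build_create_action_body(
        "Sample Action", 3, 73, 1,
        [{"key": "$1", "value": "TestTagForWindowsEndpoints"},
         {"key": "$2", "value": "TestTagForLinuxEndpoints"}],
        {"expire_seconds": 3600}), indent=2))
```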
Action: Get All Computer Groups
This action retrieves all computer groups.
Action Input Parameters
This action does not require any input parameters.
Action: Get Action Group by Name
This action retrieves an action group by its name.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Action Group | Enter the action group name. Example: Sample Action Group | Text | Required |
Example Request
[ { "name": "Sample Action Group" } ]
Action: Get Action Groups
This action retrieves action groups.
Action Input Parameters
This action does not require any input parameters.
Action: Get Action Group by ID
This action retrieves an action group by ID.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Action Group ID | Enter the ID to retrieve the action group. Example: 15 | Integer | Required |
Example Request
[ { "group_id": 15 } ]
Action: Create Action Group
This action creates a new action group.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Group Name | Enter the name of the group you want to create. Example: Sample Action Group | Text | Required |
Example Request
[ { "name" : "Sample Action Group" } ]
Action: Delete Action Group by ID
This action deletes an action group using ID.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Action Group ID | Enter the action group ID. Example: 5 | Integer | Required |
Example Request
[ { "action_group_id": 5 } ]
Action: Get Whitelisted URLs
This action retrieves the allowed list of URLs.
Action Input Parameters
This action does not require any input parameters.
Action: Add URL to Whitelist
This action adds a URL to the allowed list.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
URL | Enter the URL to add to the allowed list. Example: www.security.com | Text | Required | |
Frequency of Download | Enter the frequency of download in seconds. Example: 18000 | Integer | Optional | |
Frequency of Expiration | Enter the frequency of expiration in seconds. Example: 604800 | Integer | Optional |
Example Request
[ { "url": "www.security.com", "download_seconds": 18000, "expire_seconds": 604800 } ]
Action: Update URL Whitelist
This action updates the URL allowed list.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
URL ID | Enter the URL ID. Example: 123 | Integer | Required | |
Download Frequency | Enter the frequency of download in seconds. Example: 18000 | Integer | Optional | |
Expiration Frequency | Enter the frequency of expiration in seconds. Example: 604800 | Integer | Optional |
Example Request
[ { "url_id": 123, "download_seconds": 18000, "expire_seconds": 604800 } ]
Action: Get Action Results
This action retrieves results for an action that matches the specified ID.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Action ID | Enter the action ID. Example: 475933 | Text | Optional |
Action: Get Action Result Info
This action retrieves information for an action that matches the specified ID.
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Action ID | Enter the action ID. Example: 475933 | Text | Optional |
Action: Remove Whitelisted URL
This action removes a URL from the allowed list.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
URL ID | Enter the URL ID. Example: 10 | Integer | Required |
Example Request
[ { "url_id": 10 } ]
Action: Get all Packages
This action retrieves a list of all available packages.
Action Input Parameters
This action does not require any input parameters.
Action: Get Package Files
This action retrieves all package files.
Action Input Parameters
This action does not require any input parameters.
Action: Create Package
This action creates a package.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Package Name | Enter the name of the package to add to Tanium. Example: Sample package | Text | Required | |
Additional Parameters | Additional parameters and details to add the package being created. | Key Value | Optional |
Example Request
[ { "name" : "Sample package", "command" : "cmd /c cscript.exe remove-sample-files.vbs", "expire_seconds" : 6004800, "command_timeout" : 180 } ]
Action: Delete Package by Package ID
This action deletes a package using package ID.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Package ID | Enter the package ID to delete the package. Example: 25 | Text | Required |
Example Request
[ { "Package_id": "25" } ]
Action: Get Tanium Package by ID
This action retrieves a Tanium package by ID.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Package ID | Enter the package ID. Example: 10 | Text | Required |
Example Request
[ { "id": "10" } ]
Action: Get All Tanium Solutions
This action can be used to retrieve all Tanium solutions.
Action Input Parameters
This action does not require any input parameters.
Action: Get All Software Packages
This action retrieves all software packages from the deploy module.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters in the form of key-value pairs to filter the results. | Key Value | Optional |
Action: Get All Software Package Bundles
This action retrieves all software package bundles from the deploy module.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters in the form of key-value pairs to filter the results. | Key Value | Optional |
Action: Get a Piece of Evidence
This action retrieves a piece of evidence of malicious activity.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Evidence ID | Enter the evidence ID. Example: 12 | Text | Required |
Example Request
[ { "eid": "12" } ]
Action: Get Evidence List
This action retrieves an evidence list of malicious activities.
Action Input Parameters
This action does not require any input parameters.
Action: List Saved Evidence
This action retrieves saved evidence of malicious activities.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Limit | Enter the limit for retrieved results. Example: 25 | Text | Required |
Example Request
[ { "limit": "25" } ]
Action: Download File from Saved Evidence
This action downloads a file locally from saved evidence of malicious activity using the file ID. For this action, the Tanium threat response is used.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
File ID | Enter the integer file ID. Example: 1 | Text | Required |
Example Request
[ { "fid": "1" } ]
Action: Download File from Live Host to Saved Evidence
This action downloads a file or process from a live host with an active connection to saved evidence of malicious activity.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Connection ID | Enter the connection ID. Example: 3 | Text | Required | |
File path | Enter the file path of a file to download from the live host. Example: C:\Users\asweigart\details.csv | Text | Required |
Example Request
[ { "cid": "3", "file_path": "C:\\Users\\asweigart\\details.csv" } ]
Action: Get All Dashboards
This action retrieves all available dashboards.
Action Input Parameters
This action does not require any input parameters.
Action: Get Dashboard Groups
This action retrieves a list of dashboard groups.
Action Input Parameters
This action does not require any input parameters.
Action: Get Plugins
This action retrieves all plugins.
Action Input Parameters
This action does not require any input parameters.
Action: Get Plugin Schedules
This action retrieves the plugin schedules.
Action Input Parameters
This action does not require any input parameters.
Action: Get Question by ID
This action retrieves a question by ID.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Question ID | Enter the question ID. Example: 2 | Integer | Required |
Example Request
[ { "question_id": 2 } ]
Action: Get Question Result by ID
This action retrieves question results by ID.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Question ID | Enter the question ID. Example: 12 | Integer | Optional | |
Time to Wait | Enter the time in minutes to wait to gather all results from Tanium. Example: 20 | Integer | Optional |
Example Request
[ { "question_id": 2, "time_to_wait": 20 } ]
Action: Get Saved Questions
This action retrieves all saved questions.
Action Input Parameters
This action does not require any input parameters.
Action: Get Saved Question by Name
This action retrieves a saved question by name.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Saved Question Name | Enter the name of the saved question. Example: Modify Tanium Client Setting | Text | Required |
Example Request
[ { "name": "Modify Tanium Client Setting" } ]
Action: Get Saved Question Results by ID
This action retrieves saved question results by ID.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Question ID | Enter the saved question ID to retrieve the results. Example: 10 | Integer | Required | |
Time to Wait | Enter the time in minutes to wait to retrieve all results from Tanium. Example: 20 | Integer | Optional |
Example Request
[ { "question_id": 10, "time_to_wait": 20 } ]
Action: Parse a Question
This action parses a human-readable question.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Question | Enter the question to parse on the Tanium server. Example: Get Operating System from all machines | Text | Required |
Example Request
[ { "query_text": "Get Operating System from all machines" } ]
Action: Create a New Question
This action creates a new question.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Question | Enter the question to pass on the Tanium server. Example: Get Operating System from all machines | Any | Required |
Example Request
[ { "parsed_question": "Get Operating System from all machines" } ]
Action: Create Manual Group
This action creates a manual group.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Manual Group Name | Enter the manual group name to create the manual group. Example: Compromised Computers | Text | Required | |
List of Computers | Enter the list of computers to add to this group. Example: $LIST[sample76.tam.local,sample77.tam.local,sample78.tam.local] | Any | Required |
Example Request
[ { "group_name": "CN", "computer_spec": {"computer_name" : "system76.tam.local", "id" : 5, "ip_address" : "10.10.10.76"} } ]
Action: Get Manual Group by ID
This action retrieves a manual group by ID.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Manual Group ID | Enter the manual group ID. Example: 5 | Integer | Required |
Example Request
[ { "group_id": 5 } ]
Action: Delete Manual Group by ID
This action deletes a manual group by ID.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Manual Group ID | Enter the ID of the manual group to delete. Example: 5 | Integer | Required |
Example Request
[ { "group_id": 5 } ]
Action: Create a Filter Group
This action creates a filter group.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Filter Group Specification | Enter the specifications for the filter in JSON format. Example: $JSON[{"id" : 4, "text": "evidence"}] | Any | Required |
Example Request
[ { "filter_group_spec": {"id" : 4, "text": "evidence"} } ]
Action: Get Filter Group by ID
This action retrieves a filter group by ID.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Group ID | Enter the group ID to retrieve a filter group. Example: 10 | Integer | Required |
Example Request
[ { "group_id": 10 } ]
Action: Investigate Host Snapshot
This action retrieves information using a snapshot database ID.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Snapshot database ID | Enter the snapshot database ID. Example: local-11A-Desktop.addc.secops.ml-2020_09_23T10.00.31.891Z.db | Text | Required |
Example Request
[ { "snapshot_db_id": "local-11A-Desktop.addc.secops.ml-2020_09_23T10.00.31.891Z.db" } ]
Action: Get Local Snapshots List
This action retrieves a list of local snapshots of all the live hosts.
Action Input Parameters
This action does not require any input parameters.
Action: Get a List of Snapshots
This action retrieves a list of snapshots from all the hosts.
Action Input Parameters
This action does not require any input parameters.
Action: Capture Snapshot
This action creates a snapshot of connected endpoints.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Connection ID | Enter the connection ID. Example: 11A-Desktop.addc.secops.ml | Text | Required |
Example Request
[ { "cid": "11A-Desktop.addc.secops.ml" } ]
Action: Get Report Export List
This action retrieves the report export list.
Action Input Parameters
This action does not require any input parameters.
Action: Download an Exported Report
This action downloads an exported report.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Report ID | Enter the report ID. Example: 262936 | Integer | Required | |
File Name | Enter the file name. Example: TaniumExecWrapper_Linux32 | Text | Optional |
Example Request
[ { "id": 262936, "file_name": "TaniumExecWrapper_Linux32" } ]
Action: Get Vulnerability Details from the Results of a Report
This action retrieves vulnerability details from the results of a report.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Bundle Hash | Enter the bundle hash. Example: 23f873d6 | Text | Required | |
CVE ID | Enter the CVE ID. Example: CVE-2020-9633 | Text | Required |
Example Request
[ { "bundle_hash": "23f873d6", "cve_id": "CVE-2020-9633" } ]
Action: Get Connections
This action retrieves all active remote connections.
Action Input Parameters
This action does not require any input parameters.
Action: Get All Live Connection Events
This action retrieves all events from a live connection.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Connection ID | Enter the connection ID. Example: 5 | Text | Required | |
Type of Event | Enter the type of event. Example: file | Text | Required | Allowed values: |
Query Parameters | Enter the query parameters in the form of key-value pairs to filter the results. | Key Value | Optional |
Example Request
[ { "cid": "5", "type": "file" } ]
Action: Create a Connection
This action creates a connection.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Destination Type | Enter the type of destination. Example: computer_name | Text | Required | Allowed values: |
Computer Name or IP address | Enter the computer name or IP address. Example: computer name: system76.tam.local , IP address: 10.10.10.76 | Text | Required | |
Remote Connection | Optional preference to choose if this is a remote connection. | Boolean | Optional | Allowed values: Default value: yes |
Example Request
[ { "dstType": "computer_name", "dst": "system76.tam.local", "Remote connection": yes } ]
Action: Get Intel Endpoint Analysis
This action retrieves the intel analysis of an endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Intel ID | Enter the intel ID. Example: 78293 | Text | Required |
Example Request
[ { "intel_id": "78293" } ]
Action: Get Intel by ID
This action retrieves intel by ID.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Intel ID | Enter the intel ID. Example: 10 | Integer | Required |
Example Request
[ { "intel_id": 10 } ]
Action: Get Alert Details
This action retrieves the details of an alert.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID. Example: 123 | Text | Required |
Example Request
[ { "alert_id": "123" } ]
Action: Get All Alerts
This action retrieves all alerts.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Fetch intel details | Optional preference whether you want to pull intel details like TTP from Tanium. | Boolean | Optional | |
Query parameters | Enter additional query parameters in the form of key-value pairs to filter results. | Key Value | Optional |
Action: Get Users
This action retrieves all users.
Action Input Parameters
This action does not require any input parameters.
Action: Get User Details
This action retrieves the details of a user.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
User ID | Enter the user ID. Example: 1 | Integer | Required |
Example Request
[ { "user_id": 1 } ]
Action: Get User Groups
This action retrieves all of the user groups.
Action Input Parameters
This action does not require any input parameters.
Action: List All Available Sensors
This action retrieves all available Sensors.
Action Input Parameters
This action does not require any input parameters.
Action: Create Sensor
This action creates a new Sensor.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Sensor Specification | Enter the sensor specification in JSON format. Example: $JSON[{"category" : "Tanium Diagnostics", "content_set" : {"id" : 2, "name" : "Default" }}] | Any | Required |
Example Request
[ { "Sensor": { "category": "Tanium Diagnostics", "content_set": { "id" : 2, "name": "Default" } } } ]
Action: Get Audit Logs
This action retrieves audit logs.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
ID | Enter the ID. Example: 1234 | Integer | Required | |
Type | Enter the log type. Example: content_set | Text | Required | Allowed values: |
Example Request
[ { "id": 1234, "type": "content_set" } ]
Action: Get Total Count of Clients
This action retrieves the total count of all available clients.
Action Input Parameters
This action does not require any input parameters.
Action: Get LDAP Sync Connectors
This action retrieves all LDAP synchronization connectors.
Action Input Parameters
This action does not require any input parameters.
Action: Get Saved Actions
This action retrieves saved actions in Tanium.
Action Input Parameters
This action does not require any input parameters.
Action: Get Process Details
This action retrieves the details of a process.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Connection ID | Enter the connection ID. Example: 45323 | Text | Required | |
Process Instance ID | Enter the process instance ID. Example: 14 | Text | Required |
Example Request
[ { "cid": "45323", "ptid": "14" } ]
Action: Get Current Deployments
This action retrieves the current deployments.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Query parameters | Enter the query parameters in the form of key-value pairs to filter the results. | Key Value | Optional |
Action: Get Benchmarks
This action retrieves benchmarks.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters in the form of key-value pairs to filter the results. | Key Value | Optional |
Action: Get Vulnerability Sources
This action retrieves the vulnerability sources.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Query Parameters | Enter the query parameters in the form of key-value pairs to filter the results. | Key Value | Optional |
Action: Get All Notifications
This action retrieves all notifications.
Action Input Parameters
This action does not require any input parameters.
Action: Create Parameterized Question
This action creates a question with parameters. The result is provided as a question ID.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Query Text | Enter the query text to create a question with parameters. Example: Get Computer Name and Operating System from all machines | Text | Required |
Example Request
[ { "query_text": "Get Computer Name and Operating System from all machines" } ]
Action: Get Sensor by Name
This action retrieves the details of a sensor by providing its name.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Sensor Name | Enter the sensor name to retrieve its details. Example: SCCM Client Version | Text | Required | You can retrieve the Sensor Name using the Create Sensor action. |
Example Request
[ { "sensor_name": "SCCM Client Version" } ]