Tanium V2
App Vendor: Tanium
App Category: IT Services
Connector Version: 1.4.1
API Version: 2.0.0
The Tanium Connector allows security teams to integrate with the Tanium enterprise application for endpoint threat detection and security, through actions such as endpoint quarantine and snapshot management.
The Tanium app built for the Orchestrate application helps security teams to perform asset management-related actions on the Tanium application and enable security orchestration workflows. You can execute the following actions using the app.
Action Name | Description |
---|---|
Quarantine an Endpoint | This action quarantines an endpoint. |
Get All Snapshots | This action retrieves all snapshot metadata. |
Create a Snapshot | This action creates a new snapshot on a remote endpoint. |
Create a User Connection | This action creates a user to connect with an endpoint using target information. |
Get List of User Connections | This action retrieves the list of user connections. This action returns the Endpoint ID, IP address, Client ID, and platform information. |
Get Evidence | This action retrieves saved evidence. Evidence may include snapshots, files, events, etc. |
Configuration Parameters
The following configuration parameters are required for the Tanium connector to communicate with the Tanium application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the Base URL for the Tanium application. Example: "https://<host>.<tld>" | Text | Required | |
Username | Enter the username to access the Tanium application. Example: "john" | Text | Optional | |
Password | Enter the password to authenticate with the Tanium application. | Password | Optional | |
API Token | Enter the API Token for the Tanium application. | Text | Optional | |
AD Domain | Enter the Active Directory Domain for the Tanium application. | Text | Optional | |
TLS Verification | Choose whether to verify the TLS certificate or skip verification. | Text | Optional | Allowed values:
Default value: no |
Action: Quarantine an Endpoint
This action quarantines an endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Computer Name | Enter the computer name to quarantine. Example: "11A-Desktop.addc.secops.int" | Text | Required | |
Platform | Enter the platform type for the computer. Example: "windows" | Text | Required | Allowed values:
|
Example Input
[ { "platform": "windows", "computer_name": "11A-Desktop.addc.secops.int" } ]
Action: Get All Snapshots
This action retrieves all snapshot metadata.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Result Limit | Enter the result limit. Example: "3" | Text | Optional | Default value:
|
Example Input
[ { "result_limit": "3" } ]
Action: Create a Snapshot
This action creates a new snapshot on a remote endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Connection ID | Enter the connection ID to link the snapshot. Example: "remote:10A-Desktop.addc.secops.ml:1454856669" | Text | Required | |
Example Input
[ { "connection_id": "remote:10A-Desktop.addc.secops.ml:1454856669" } ]
Action: Create a User Connection
This action creates a user to connect with an endpoint using target information.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Target Hostname | Enter the targeted username to create a user connection. Example: "10-A Desktop" | Text | Required | |
Client ID | Enter a unique ID for the client. Example: "1454856669" | Text | Required | Client ID is a 10-digit unique ID. |
Endpoint Platform | Enter the platform for the endpoint to create a user connection. Example: "windows" | Text | Required | Allowed values:
|
IP Address | Enter the IP address to create the user connection. Example: "1.1.1.1" | Text | Required | |
Example Input
[ { "platform": "windows", "client_id": "1454856669", "ip_address": "10.100.3.13", "target_hostname": "10A-Desktop" } ]
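A pre-flight check for the instance configuration and for the Create a User Connection input, added here as an example and not part of the connector or its documentation. The configuration key names (`base_url`, `api_token`, `username`, `password`, `tls_verification`) are hypothetical. It assumes that either an API token or a username and password pair must be supplied, and it treats every TLS Verification value other than the documented default "no" as verification enabled.

```python
import ipaddress
import re
from urllib.parse import urlsplit


def check_instance(cfg):
    """Return findings for a connector instance configuration (key names hypothetical)."""
    findings = []
    url = urlsplit(str(cfg.get("base_url", "")))
    if url.scheme != "https" or not url.hostname:
        findings.append("base_url: expected an https:// URL with a host")
    # Assumption: one of the two optional credential types has to be supplied.
    has_token = bool(cfg.get("api_token"))
    has_login = bool(cfg.get("username")) and bool(cfg.get("password"))
    if not (has_token or has_login):
        findings.append("auth: set api_token, or both username and password")
    # The page gives "no" as the default, so a missing value also skips verification.
    if str(cfg.get("tls_verification", "no")).strip().lower() == "no":
        findings.append("tls_verification: server certificate is not verified")
    return findings


def check_user_connection(item):
    """Return findings for one 'Create a User Connection' input object."""
    findings = []
    for key in ("platform", "target_hostname"):
        if not str(item.get(key, "")).strip():
            findings.append(f"{key}: required")
    # The page states that Client ID is a 10-digit unique ID.
    if not re.fullmatch(r"[0-9]{10}", str(item.get("client_id", ""))):
        findings.append("client_id: expected exactly 10 digits")
    try:
        ipaddress.ip_address(str(item.get("ip_address", "")))
    except ValueError:
        findings.append("ip_address: not a valid IPv4 or IPv6 address")
    return findings


if __name__ == "__main__":
    # Constructed sample values; the host and credentials are placeholders.
    instance = {"base_url": "http://tanium.example.internal", "username": "john"}
    for finding in check_instance(instance):
        print("instance:", finding)
    connection = {"platform": "windows", "client_id": "14548", "ip_address": "10.100.3"}
    for finding in check_user_connection(connection):
        print("connection:", finding)
```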
Action: Get List of User Connections
This action retrieves the list of user connections. This action returns the Endpoint ID, IP address, Client ID, and platform information.
Action Input Parameters
No input parameters are required for this action.
Action: Get Evidence
This action retrieves saved evidence. Evidence may include snapshots, files, events, etc.
Action Input Parameters
No input parameters are required for this action.