Skip to main content

Tanium Threat Response

This Integration is part of the Tanium Threat Response Pack.#

Tanium Threat Response - This Integration works with Tanium Threat Response version below 3.0.159. In order to use Tanium Threat Response version 3.0.159 and above, use Tanium Threat Response V2 Integration.

Configure Tanium Threat Response in Cortex#

ParameterDescriptionRequired
isFetchFetch incidentsFalse
incidentTypeIncident typeFalse
urlHostname, IP address, or server URLTrue
credentialsUsernameTrue
insecureTrust any certificate (not secure)False
proxyUse system proxy settingsFalse
fetch_timeFirst fetch timestamp ({number} {time unit}, e.g., 12 hours, 7 days)False
filter_alerts_by_stateA comma-separated list of alert states to filter by in fetch incidents command. Possible options are: unresolved, in progress, resolved or suppressed. Empty list won't filter the incidents by state.False

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

tanium-tr-get-intel-doc-by-id#


Returns an intel document object based on ID.

Base Command#

tanium-tr-get-intel-doc-by-id

Input#
Argument NameDescriptionRequired
intel-doc-idThe intel document ID.Required
Context Output#
PathTypeDescription
Tanium.IntelDoc.AlertCountNumberThe number of alerts that currently exist for this intel.
Tanium.IntelDoc.CreatedAtDateThe date at which this intel was first added to the system.
Tanium.IntelDoc.DescriptionStringThe description of the intel, as declared in the document or as updated by a user.
Tanium.IntelDoc.IDNumberThe unique identifier for this intel in this instance of the system.
Tanium.IntelDoc.LabelIdsNumberThe IDs of all labels applied to this intel.
Tanium.IntelDoc.NameStringThe name of the intel, as declared in the document or as updated by a user.
Tanium.IntelDoc.UnresolvedAlertCountNumberThe number of unresolved alerts that currently exist for this intel.
Tanium.IntelDoc.UpdatedAtDateThe date when this intel was last updated.
Command Example#

!tanium-tr-get-intel-doc-by-id intel-doc-id=2

Context Example#
{
"Tanium": {
"IntelDoc": {
"AlertCount": 0,
"CreatedAt": "2019-07-31T18:46:28.814Z",
"Description": "Detects usage of the NET.EXE utility to enumerate members of the local Administrators or Domain Administrators groups. Often used during post-compromise reconnaissance.",
"ID": 2,
"LabelIds": [
2,
3,
9,
16
],
"Name": "Administrator Account Enumeration",
"UnresolvedAlertCount": 0,
"UpdatedAt": "2020-01-14T21:37:30.934Z"
}
}
}
Human Readable Output#

Intel Doc information#

IDNameDescriptionTypeAlert CountUnresolved Alert CountCreated AtUpdated AtLabel Ids
2Administrator Account EnumerationDetects usage of the NET.EXE utility to enumerate members of the local Administrators or Domain Administrators groups. Often used during post-compromise reconnaissance.002019-07-31T18:46:28.814Z2020-01-14T21:37:30.934Z2, 3, 9, 16

tanium-tr-list-intel-docs#


Returns a list of all intel documents.

Base Command#

tanium-tr-list-intel-docs

Input#
Argument NameDescriptionRequired
limitThe maximum number of intel documents to return.Optional
offsetThe offset number to begin listing intel documents.Optional
Context Output#
PathTypeDescription
Tanium.IntelDoc.AlertCountNumberThe number of alerts that currently exist for this intel.
Tanium.IntelDoc.CreatedAtDateThe date at which this intel was first added to the system.
Tanium.IntelDoc.DescriptionStringThe description of the intel, as declared in the document or as updated by a user.
Tanium.IntelDoc.IDNumberThe unique identifier for this intel in this instance of the system.
Tanium.IntelDoc.LabelIdsNumberThe IDs of all labels applied to this intel.
Tanium.IntelDoc.NameStringThe name of the intel, as declared in the document or as updated by a user.
Tanium.IntelDoc.UnresolvedAlertCountNumberThe number of unresolved alerts that currently exist for this intel.
Tanium.IntelDoc.UpdatedAtDateThe date when this intel was last updated.
Command Example#

!tanium-tr-list-intel-docs limit=2

Context Example#
{
"Tanium": {
"IntelDoc": [
{
"AlertCount": 0,
"CreatedAt": "2020-01-14T21:37:32.263Z",
"ID": 99,
"LabelIds": [
2,
7,
11,
16
],
"Name": "Spooler Service Creating or Spawning Executables",
"UnresolvedAlertCount": 0,
"UpdatedAt": "2020-01-14T21:37:32.263Z"
},
{
"AlertCount": 0,
"CreatedAt": "2020-01-14T21:37:32.075Z",
"ID": 98,
"LabelIds": [
2,
8,
16
],
"Name": "RunDll Creating MiniDump",
"UnresolvedAlertCount": 0,
"UpdatedAt": "2020-01-14T21:37:32.075Z"
}
]
}
}
Human Readable Output#

Intel docs#

IDNameAlert CountUnresolved Alert CountCreated AtUpdated AtLabel Ids
99Spooler Service Creating or Spawning Executables002020-01-14T21:37:32.263Z2020-01-14T21:37:32.263Z2, 7, 11, 16
98RunDll Creating MiniDump002020-01-14T21:37:32.075Z2020-01-14T21:37:32.075Z2, 8, 16

tanium-tr-list-alerts#


Returns a list of all alerts.

Base Command#

tanium-tr-list-alerts

Input#
Argument NameDescriptionRequired
limitThe maximum number of alerts to return. The default value is 5.Optional
offsetThe offset number to begin listing alerts.Optional
computer-ip-addressFilter alerts by the specified computer IP addresses.Optional
computer-nameFilter alerts by the specified computer name.Optional
scan-config-idFilter alerts by the specified scan config ID.Optional
intel-doc-idFilter alerts by the specified intel document ID.Optional
severityFilter alerts by the specified severity.Optional
priorityFilter alerts by the specified priority.Optional
typeFilter alerts by the specified type.Optional
stateFilter alerts by the specified state. Can be "Unresolved", "In Progress", "Ignored", or "Resolved".Optional
Context Output#
PathTypeDescription
Tanium.Alert.PriorityStringThe priority of the alert.
Tanium.Alert.ComputerNameStringThe hostname of the computer that generated the alert.
Tanium.Alert.GUIDStringA globally unique identifier for this alert in the customer environment.
Tanium.Alert.AlertedAtDateThe moment that the alert was generated.
Tanium.Alert.UpdatedAtDateThe last time the alert state was updated.
Tanium.Alert.StateStringThe current state of the alert. For example, "unresolved", "inprogress", and so on.
Tanium.Alert.ComputerIpAddressStringThe IP address of the computer that generated the alert.
Tanium.Alert.TypeStringThe name of the alert type. For example, "detect.endpoint.match".
Tanium.Alert.IDNumberThe ID of the alert. For example, "123".
Tanium.Alert.CreatedAtDateThe date when the alert was received by the Detect product.
Tanium.Alert.IntelDocIdNumberThe intel document revision, if intelDocId is present.
Tanium.Alert.SeverityStringThe severity of the alert.
Command Example#

!tanium-tr-list-alerts limit=1

Context Example#
{
"Tanium": {
"Alert": {
"AlertedAt": "2019-09-22T14:01:31.000Z",
"ComputerIpAddress": "172.0.0.0",
"ComputerName": "HOST_NAME",
"CreatedAt": "2019-09-22T14:01:59.768Z",
"GUID": "a33e3482-556e-4e9d-bbbd-2fdbe330d492",
"ID": 1,
"IntelDocId": 64,
"Priority": "high",
"Severity": "info",
"State": "Unresolved",
"Type": "detect.match",
"UpdatedAt": "2020-02-05T14:55:41.440Z"
}
}
}
Human Readable Output#

Alerts#

IDTypeSeverityPriorityAlerted AtCreated AtUpdated AtComputer Ip AddressComputer NameGUIDStateIntel Doc Id
1detect.matchinfohigh2019-09-22T14:01:31.000Z2019-09-22T14:01:59.768Z2020-02-05T14:55:41.440Z172.0.0.0HOST_NAMEa33e3482-556e-4e9d-bbbd-2fdbe330d492Unresolved64

tanium-tr-get-alert-by-id#


Returns an alert object based on alert ID.

Base Command#

tanium-tr-get-alert-by-id

Input#
Argument NameDescriptionRequired
alert-idThe alert ID.Required
Context Output#
PathTypeDescription
Tanium.Alert.PriorityStringThe priority of the alert.
Tanium.Alert.ComputerNameStringThe hostname of the computer that generated the alert.
Tanium.Alert.GUIDStringA globally unique identifier for this alert in the customer environment.
Tanium.Alert.AlertedAtDateThe date when the alert was generated.
Tanium.Alert.UpdatedAtDateThe date when the alert state was last updated.
Tanium.Alert.StateStringThe current state of the alert. For example, "unresolved", "inprogress".
Tanium.Alert.ComputerIpAddressStringThe IP address of the computer that generated the alert.
Tanium.Alert.TypeStringThe name of the alert type. For example, "detect.endpoint.match".
Tanium.Alert.IDNumberThe ID of the alert. For example, "123".
Tanium.Alert.CreatedAtDateThe date when the alert was received by the Detect product.
Tanium.Alert.IntelDocIdNumberThe intel document revision, if intelDocId is present.
Tanium.Alert.SeverityStringThe severity of the alert.
Command Example#

!tanium-tr-get-alert-by-id alert-id=1

Context Example#
{
"Tanium": {
"Alert": {
"AlertedAt": "2019-09-22T14:01:31.000Z",
"ComputerIpAddress": "172.0.0.0",
"ComputerName": "HOST_NAME",
"CreatedAt": "2019-09-22T14:01:59.768Z",
"GUID": "a33e3482-556e-4e9d-bbbd-2fdbe330d492",
"ID": 1,
"IntelDocId": 64,
"Priority": "high",
"Severity": "info",
"State": "Unresolved",
"Type": "detect.match",
"UpdatedAt": "2020-02-05T14:55:41.440Z"
}
}
}
Human Readable Output#

Alert information#

IDTypeSeverityPriorityAlerted AtCreated AtUpdated AtComputer Ip AddressComputer NameGUIDStateIntel Doc Id
1detect.matchinfohigh2019-09-22T14:01:31.000Z2019-09-22T14:01:59.768Z2020-02-05T14:55:41.440Z172.0.0.0HOST_NAMEa33e3482-556e-4e9d-bbbd-2fdbe330d492Unresolved64

tanium-tr-alert-update-state#


Updates the state of a single alert.

Base Command#

tanium-tr-alert-update-state

Input#
Argument NameDescriptionRequired
alert-idThe ID of the alert to update.Required
stateThe new state for the alert. Can be "Unresolved", "In Progress", "Ignored", or "Resolved".Required
Context Output#
PathTypeDescription
Tanium.Alert.PriorityStringThe priority of the alert.
Tanium.Alert.ComputerNameStringThe hostname of the computer that generated the alert.
Tanium.Alert.GUIDStringA globally unique identifier for this alert in the customer environment.
Tanium.Alert.AlertedAtDateThe date when the alert was generated.
Tanium.Alert.UpdatedAtDateThe date when the alert state was last updated.
Tanium.Alert.StateStringThe current state of the alert. For example, "unresolved", "inprogress".
Tanium.Alert.ComputerIpAddressStringThe IP address of the computer that generated the alert.
Tanium.Alert.TypeStringThe name of the alert type. For example, "detect.endpoint.match".
Tanium.Alert.IDNumberThe ID of the alert. For example, "123".
Tanium.Alert.CreatedAtDateThe date when the alert was received by the Detect product.
Tanium.Alert.IntelDocIdNumberThe intel document revision, if intelDocId is present.
Tanium.Alert.SeverityStringThe severity of the alert.
Command Example#

!tanium-tr-alert-update-state alert-id=1 state=Unresolved

Context Example#
{
"Tanium": {
"Alert": {
"AlertedAt": "2019-09-22T14:01:31.000Z",
"ComputerIpAddress": "172.0.0.0",
"ComputerName": "HOST_NAME",
"CreatedAt": "2019-09-22T14:01:59.768Z",
"GUID": "a33e3482-556e-4e9d-bbbd-2fdbe330d492",
"ID": 1,
"IntelDocId": 64,
"Priority": "high",
"Severity": "info",
"State": "Unresolved",
"Type": "detect.match",
"UpdatedAt": "2020-02-05T14:55:41.440Z"
}
}
}
Human Readable Output#

Alert state updated to Unresolved#

IDTypeSeverityPriorityAlerted AtCreated AtUpdated AtComputer Ip AddressComputer NameGUIDStateIntel Doc Id
1detect.matchinfohigh2019-09-22T14:01:31.000Z2019-09-22T14:01:59.768Z2020-02-05T14:55:41.440Z172.0.0.0HOST_NAMEa33e3482-556e-4e9d-bbbd-2fdbe330d492Unresolved64

tanium-tr-list-snapshots-by-connection#


Returns all snapshots of a single connection.

Base Command#

tanium-tr-list-snapshots-by-connection

Input#
Argument NameDescriptionRequired
limitThe maximum number of snapshots to return.Optional
offsetThe offset number to begin listing snapshots.Optional
connection-nameThe connection name.Required
Context Output#
PathTypeDescription
Tanium.Snapshot.ConnectionNameStringThe snapshot connection name.
Tanium.Snapshot.ErrorStringThe snapshot error message.
Tanium.Snapshot.IDStringThe snapshot id.
Tanium.Snapshot.StartedDateThe date when the snapshot was created.
Tanium.Snapshot.StateStringThe current state of the snapshot.
Command Example#

!tanium-tr-list-snapshots-by-connection connection-name=HOST_NAME limit=2

Context Example#
{
"Tanium": {
"Snapshot": [
{
"ConnectionName": "HOST_NAME",
"FileName": "2020_02_06T15.54.43.600Z.db",
"Started": "2020-02-06T15:54:43.600Z",
"State": "complete"
},
{
"ConnectionName": "HOST_NAME",
"Error": "Error checkpointing remote database",
"FileName": "2020_02_06T15.54.46.795Z.db",
"Started": "2020-02-06T15:54:46.795Z",
"State": "error"
}
]
}
}
Human Readable Output#

Snapshots#

File NameConnection NameStateStartedError
2020_02_06T15.54.43.600Z.dbHOST_NAMEcomplete2020-02-06T15:54:43.600Z
2020_02_06T15.54.46.795Z.dbHOST_NAMEerror2020-02-06T15:54:46.795ZError checkpointing remote database

tanium-tr-create-snapshot#


Captures a new snapshot by connection name.

Base Command#

tanium-tr-create-snapshot

Input#
Argument NameDescriptionRequired
connection-nameThe connection name.Required
Context Output#

There is no context output for this command.

Command Example#

!tanium-tr-create-snapshot connection-name=HOST_NAME

Human Readable Output#

Initiated snapshot creation request for HOST_NAME.

tanium-tr-delete-snapshot#


Deletes a snapshot by connection name and snapshot ID.

Base Command#

tanium-tr-delete-snapshot

Input#
Argument NameDescriptionRequired
connection-nameThe connection name.Required
snapshot-idThe snapshot ID.Required
Context Output#
PathTypeDescription
Tanium.Snapshot.IDStringThe snapshot ID.
Tanium.Snapshot.ConnectionNameStringThe connection name.
Tanium.Snapshot.DeletedBooleanWhether the snapshot has been deleted.
Command Example#

!tanium-tr-delete-snapshot connection-name=HOST_NAME snapshot-id=2020_02_06T15.54.43.600Z.db

Context Example#
{
"Tanium": {
"LocalSnapshot": {
"ConnectionName": "HOST_NAME",
"Deleted": True,
"FileName": "2020_02_06T15.54.43.600Z.db"
}
}
}
Human Readable Output#

Snapshot 2020_02_06T15.54.43.600Z.db deleted successfully.

tanium-tr-list-local-snapshots-by-connection#


Returns all local snapshots of a single connection.

Base Command#

tanium-tr-list-local-snapshots-by-connection

Input#
Argument NameDescriptionRequired
limitThe maximum number of local snapshots to return. The default value is 50.Optional
offsetThe offset number to begin listing local snapshots.Optional
connection-nameThe connection name.Required
Context Output#
PathTypeDescription
Tanium.LocalSnapshot.ConnectionNameStringThe snapshot connection name.
Tanium.LocalSnapshot.FileNameStringThe snapshot file name.
Command Example#

!tanium-tr-list-local-snapshots-by-connection connection-name=HOST_NAME limit=2

Context Example#
{
"Tanium": {
"LocalSnapshot": [
{
"ConnectionName": "HOST_NAME",
"Deleted": false,
"FileName": "2020_02_06T15.54.43.600Z.db"
},
{
"ConnectionName": "HOST_NAME",
"Deleted": false,
"FileName": "2020_01_09T15.25.13.535Z.db"
}
]
}
}
Human Readable Output#

Local snapshots#

File NameConnection Name
2020_02_06T15.54.43.600Z.dbHOST_NAME
2020_01_09T15.25.13.535Z.dbHOST_NAME

tanium-tr-delete-local-snapshot#


Deletes a local snapshot by directory name and file name.

Base Command#

tanium-tr-delete-local-snapshot

Input#
Argument NameDescriptionRequired
connection-nameThe connection name.Required
file-nameThe file name.Required
Context Output#
PathTypeDescription
Tanium.LocalSnapshot.FileNameStringThe snapshot file name.
Tanium.LocalSnapshot.DeletedBooleanWhether the local snapshot has been deleted.
Command Example#

!tanium-tr-delete-local-snapshot connection-name=HOST_NAME file-name=2020_02_06T15.54.43.600Z.db

Context Example#
{
"Tanium": {
"LocalSnapshot": {
"ConnectionName": "HOST_NAME",
"Deleted": true,
"FileName": "2020_02_06T15.54.43.600Z.db"
}
}
}
Human Readable Output#

Local snapshot from Directory HOST_NAME and File 2020_02_06T15.54.43.600Z.db is deleted successfully.

tanium-tr-list-connections#


Returns all connections.

Base Command#

tanium-tr-list-connections

Input#
Argument NameDescriptionRequired
limitThe maximum number of connections to return.Optional
offsetThe offset number to begin listing connections.Optional
Context Output#
PathTypeDescription
Tanium.Connection.CreateTimeDateTime when the connection was first created.
Tanium.Connection.NameStringThe connection name.
Tanium.Connection.RemoteBooleanWhether it is a remote connection.
Tanium.Connection.StateStringCurrent connection state. Can be "closed", "pending", "active", "timeout", or "migrating".
Tanium.Connection.DeletedBooleanWhether the connection has been deleted.
Tanium.Connection.DestionationTypeStringThe destionation type (computer_name or ip_address).
Tanium.Connection.DSTStringThe connection's DST.
Tanium.Connection.OSNameStringThe connection's operating system.
Command Example#

!tanium-tr-list-connections limit=2

Context Example#
{
"Tanium": {
"Connection": [
{
"DST": "HOST_NAME",
"Name": "HOST_NAME",
"State": "timeout",
"Deleted": false,
"DestionationType": "computer-name",
"OSName": "Linux"
},
{
"DST": "HOST_NAME-2020_01_09T15.25.13.535Z.db",
"Name": "HOST_NAME-2020_01_09T15.25.13.535Z.db",
"State": "timeout",
"Deleted": false,
"DestionationType": "computer-name"
"OSName": "Linux"
}
]
}
}
Human Readable Output#

Connections#

NameStateDSTOS Name
HOST_NAMEtimeoutHOST_NAMELinux
HOST_NAME-2020_01_09T15.25.13.535Z.dbtimeoutHOST_NAME-2020_01_09T15.25.13.535Z.dbLinux

tanium-tr-get-connection-by-name#


Returns a connection object based on connection name.

Base Command#

tanium-tr-get-connection-by-name

Input#
Argument NameDescriptionRequired
connection-nameThe connection name.Required
Context Output#
PathTypeDescription
Tanium.Connection.CreateTimeDateTime when the connection was first created.
Tanium.Connection.NameStringThe connection name.
Tanium.Connection.RemoteBooleanWhether it is a remote connection.
Tanium.Connection.StateStringCurrent connection state. Can be "closed", "pending", "active", "timeout", or "migrating".
Tanium.Connection.DeletedBooleanWhether the connection has been deleted.
Tanium.Connection.DestionationTypeStringThe destionation type (computer_name or ip_address).
Tanium.Connection.DSTStringThe connection's DST.
Tanium.Connection.OSNameStringThe connection's operating system.
Command Example#

!tanium-tr-get-connection-by-name connection-name=HOST_NAME

Context Example#
{
"Tanium": {
"Connection": {
"CreateTime": "2020-02-06T15:54:40.830Z",
"Name": "HOST_NAME",
"Deleted": false,
"OSName": "Windows",
"Remote": true,
"State": "active"
}
}
}
Human Readable Output#

Connection information#

NameStateRemoteCreate TimeOS Name
HOST_NAMEactivetrue2020-02-06T15:54:40.830ZWindows

tanium-tr-create-connection#


Creates a local or remote connection.

Base Command#

tanium-tr-create-connection

Input#
Argument NameDescriptionRequired
remoteWhether it is a remote connection. Can be "True" or "False".Required
destination-typeType of destination. Can be "ip_address" or "computer_name".Required
destinationComputer name or IP address.Required
connection-timeoutconnection timeout, in milliseconds.Optional
Context Output#

There is no context output for this command.

Command Example#

!tanium-tr-create-connection destination=HOST_NAME destination-type=computer_name remote=False

Human Readable Output#

Initiated connection request to HOST_NAME.

tanium-tr-delete-connection#


Deletes a connection by connection name.

Base Command#

tanium-tr-delete-connection

Input#
Argument NameDescriptionRequired
connection-nameThe name of the connection.Required
Context Output#
PathTypeDescription
Tanium.Connection.NameStringThe connection name.
Tanium.Connection.DeletedBooleanWhether the connection has been deleted.
Command Example#

!tanium-tr-delete-connection connection-name=HOST_NAME

Context Example#
{
"Tanium": {
"Connection": {
"Name": "HOST_NAME",
"Deleted": true
}
}
}
Human Readable Output#

Connection HOST_NAME deleted successfully.

tanium-tr-list-labels#


Returns all available labels in the system.

Base Command#

tanium-tr-list-labels

Input#
Argument NameDescriptionRequired
limitThe maximum number of labels to return.Optional
offsetThe offset number to begin listing labels.Optional
Context Output#
PathTypeDescription
Tanium.Label.CreatedAtDateThe date when this label was created.
Tanium.Label.DescriptionStringAn extended description of the label.
Tanium.Label.IDNumberThe unique identifier for this label.
Tanium.Label.IndicatorCountNumberThe number of indicator-based intel documents associated with this label, not including Tanium Signals.
Tanium.Label.NameStringThe display name of the label.
Tanium.Label.SignalCountNumberThe number of Tanium Signal documents associated with this label.
Tanium.Label.UpdatedAtDateThe date when this label was last updated, not including the intel and signal counts.
Command Example#

!tanium-tr-list-labels limit=2

Context Example#
{
"Tanium": {
"Label": [
{
"CreatedAt": "2019-07-31T18:46:28.629Z",
"Description": "These signals have been tested and reviewed internally for syntax. Little or no testing of expected alert generation has been conducted. These signals are not included on the external feed.",
"ID": 1,
"IndicatorCount": 0,
"Name": "Alpha",
"SignalCount": 0,
"UpdatedAt": "2019-07-31T18:46:28.629Z"
},
{
"CreatedAt": "2019-07-31T18:46:28.629Z",
"Description": "These signals have been tested and reviewed internally for syntax. Internal testing of expected alert generation has been verified. Testing on internal systems for false positives has been conducted and tuned if necessary. These signals are included on the external feed.",
"ID": 2,
"IndicatorCount": 0,
"Name": "Beta",
"SignalCount": 97,
"UpdatedAt": "2019-07-31T18:46:28.629Z"
}
]
}
}
Human Readable Output#

Labels#

NameDescriptionIDIndicator CountSignal CountCreated AtUpdated At
AlphaThese signals have been tested and reviewed internally for syntax. Little or no testing of expected alert generation has been conducted. These signals are not included on the external feed.1002019-07-31T18:46:28.629Z2019-07-31T18:46:28.629Z
BetaThese signals have been tested and reviewed internally for syntax. Internal testing of expected alert generation has been verified. Testing on internal systems for false positives has been conducted and tuned if necessary. These signals are included on the external feed.20972019-07-31T18:46:28.629Z2019-07-31T18:46:28.629Z

tanium-tr-get-label-by-id#


Returns a label object based on label ID.

Base Command#

tanium-tr-get-label-by-id

Input#
Argument NameDescriptionRequired
label-idThe label ID.Required
Context Output#
PathTypeDescription
Tanium.Label.CreatedAtDateThe date when this label was created.
Tanium.Label.DescriptionStringAn extended description of the label.
Tanium.Label.IDNumberThe unique identifier for this label.
Tanium.Label.IndicatorCountNumberThe number of indicator-based intel documents associated with this label, not including Tanium Signals.
Tanium.Label.NameStringThe display name of the label.
Tanium.Label.SignalCountNumberThe number of Tanium Signal documents associated with this label.
Tanium.Label.UpdatedAtDateThe date this label was last updated, not including the intel and signal counts.
Command Example#

!tanium-tr-get-label-by-id label-id=1

Context Example#
{
"Tanium": {
"Label": {
"CreatedAt": "2019-07-31T18:46:28.629Z",
"Description": "These signals have been tested and reviewed internally for syntax. Little or no testing of expected alert generation has been conducted. These signals are not included on the external feed.",
"ID": 1,
"IndicatorCount": 0,
"Name": "Alpha",
"SignalCount": 0,
"UpdatedAt": "2019-07-31T18:46:28.629Z"
}
}
}
Human Readable Output#

Label information#

NameDescriptionIDIndicator CountSignal CountCreated AtUpdated At
AlphaThese signals have been tested and reviewed internally for syntax. Little or no testing of expected alert generation has been conducted. These signals are not included on the external feed.1002019-07-31T18:46:28.629Z2019-07-31T18:46:28.629Z

tanium-tr-list-file-downloads#


Returns all downloaded files in the system.

Base Command#

tanium-tr-list-file-downloads

Input#
Argument NameDescriptionRequired
limitThe maximum number of files to return. The default value is 50.Optional
offsetOffset to start getting file downloads. The default is 0.Optional
hostFilter downloaded files by host.Optional
Context Output#
PathTypeDescription
Tanium.FileDownload.SizeNumberThe size of the file, in bytes.
Tanium.FileDownload.PathStringThe path of the file.
Tanium.FileDownload.DownloadedDateThe date when this file was downloaded.
Tanium.FileDownload.HostStringThe hostname of the downloaded file.
Tanium.FileDownload.CreatedDateThe date when the file was created.
Tanium.FileDownload.HashStringThe file hash.
Tanium.FileDownload.SPathStringThe file SPath.
Tanium.FileDownload.IDNumberThe downloaded file ID.
Tanium.FileDownload.LastModifiedDateThe date when the file was last modified.
Tanium.FileDownload.CreatedByStringThe user that created this file.
Tanium.FileDownload.CreatedByProcStringThe process path that created this file.
Tanium.FileDownload.LastModifiedByStringThe user that last modified this file.
Tanium.FileDownload.LastModifiedByProcStringThe process path that modified this file.
Tanium.FileDownload.CommentsStringAdditional comments for the downloaded file.
Tanium.FileDownload.TagsStringThe downloaded file tags.
Tanium.FileDownload.DeletedBooleanWhether the file download has been deleted.
Command Example#

!tanium-tr-list-file-downloads host=HOST_NAME limit=2 offset=1

Context Example#
{
"Tanium": {
"FileDownload": [
{
"Created": "2020-01-02 15:39:57.289",
"CreatedBy": "NT AUTHORITY\\LOCAL SERVICE",
"CreatedByProc": "C:\\Windows\\System32\\svchost.exe",
"Downloaded": "2020-01-02 15:40:29.003",
"Hash": "2ae2da9237309b13b9a9d52d1358c826",
"Host": "HOST_NAME",
"ID": 4,
"LastModified": "2020-01-02 15:39:57.289",
"LastModifiedBy": "NT AUTHORITY\\LOCAL SERVICE",
"LastModifiedByProc": "C:\\Windows\\System32\\svchost.exe",
"Path": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive1.dat",
"SPath": "6ae86937-611f-45e9-900c-3ba57298f264.zip",
"Size": 2048,
"Deleted": false
},
{
"Created": "Tue, 03 Sep 2019 17:51:40 GMT",
"Downloaded": "2020-01-15 13:04:02.827",
"Hash": "99297a0e626ca092ff1884ad28f54453",
"Host": "HOST_NAME",
"ID": 6,
"LastModified": "Wed, 15 Jan 2020 08:57:19 GMT",
"Path": "C:\\Program Files (x86)\\Tanium\\Tanium Client\\Logs\\log1.txt",
"SPath": "c0531415-87a6-4d28-a226-b485784b1881.zip",
"Size": 10485904,
"Deleted": true
}
]
}
}
Human Readable Output#

File downloads#

IDHostPathHashDownloadedSizeCreatedCreated ByCreated By ProcLast ModifiedLast Modified ByLast Modified By ProcS Path
4HOST_NAMEC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2ae2da9237309b13b9a9d52d1358c8262020-01-02 15:40:29.00320482020-01-02 15:39:57.289NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exe2020-01-02 15:39:57.289NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exe6ae86937-611f-45e9-900c-3ba57298f264.zip
6HOST_NAMEC:\Program Files (x86)\Tanium\Tanium Client\Logs\log1.txt99297a0e626ca092ff1884ad28f544532020-01-15 13:04:02.82710485904Tue, 03 Sep 2019 17:51:40 GMTWed, 15 Jan 2020 08:57:19 GMTc0531415-87a6-4d28-a226-b485784b1881.zip

tanium-tr-get-downloaded-file#


Gets the actual content of a downloaded file by file ID.

Base Command#

tanium-tr-get-downloaded-file

Input#
Argument NameDescriptionRequired
file-idThe file ID.Required
Context Output#

There is no context output for this command.

Command Example#

!tanium-tr-get-downloaded-file file-id=4

Context Example#
{
"File": {
"EntryID": "8389@b32fdf18-1c65-43af-8918-7f85a1fab951",
"Extension": "zip",
"Info": "application/zip",
"MD5": "216923cc567afe1009e7c90c105450f5",
"Name": "lastalive1.dat.zip",
"SHA1": "f7d257dc94ea0b650f62cc87264861b593a341c8",
"SHA256": "5d0051b4c596e06217bdb3e48196b0515a7983f18a8ea7477bc33c837e0202e5",
"SHA512": "269669cda90658e1bfea8ff85f27f8f68320ccd3b54c64a00037204fa3b5422634d9107806ddad585fa0d5c7fe7aa7fa240afb4142c6ff02537b039d176bd482",
"SSDeep": "6:5jPRX/CSkILyratwQte+zetPYwCRXgLrCDh/+loUn:5jtCCPtTzep33vCDJaoUn",
"Size": 253,
"Type": "Zip archive data, at least v2.0 to extract"
}
}
Human Readable Output#

tanium-tr-list-events-by-connection#


Queries events for a connection.

Base Command#

tanium-tr-list-events-by-connection

Input#
Argument NameDescriptionRequired
connection-nameThe connection name.Required
event-typeThe type of event. Can be "File", "Network", "Registry", "Process", "Driver", "Security", "Combined", "DNS", or "Image". The default is "Combined".Required
limitThe maximum number of events to return. The default value is 50.Optional
offsetOffset to start getting the result set. The default is 0.Optional
filterAdvanced search that filters according to event fields. For example: [['process_id', 'gt', '30'], ['username', 'ne', 'administrator']]. Optional fields: process_id, process_name, process_hash, process_command_line, username, process_name, create_time (UTC). Optional operators: eq (equals), ne (does not equal); for integers/date: gt (greater than), gte (greater than or equals), ls (less than), lse (less than or equals); for strings: co (contains), nc (does not contain).Optional
matchWhether the results should fit all filters or at least one filter.Optional
sortA comma-separated list of fields to sort on prefixed by +/- for ascending or descending and ordered by priority left to right. Optional fields: process_id, process_name, process_hash, process_command_line, username, process_name, create_time (UTC).Optional
fieldsA comma-separated list of fields on which to search. Optional fields: process_id, process_name, process_hash, process_command_line, username, process_name, create_time.Optional
Context Output#
PathTypeDescription
TaniumEvent.DomainStringThe domain of the event.
TaniumEvent.FileStringThe path of the file in the event.
TaniumEvent.OperationStringThe event operation.
TaniumEvent.ProcessIDNumberThe ID of the process.
TaniumEvent.ProcessNameStringThe name of the process.
TaniumEvent.ProcessTableIDNumberThe ID of the process table.
TaniumEvent.TimestampDateThe date when the event was created.
TaniumEvent.UsernameStringThe username associated with the event.
TaniumEvent.DestinationAddressStringThe network event destination address.
TaniumEvent.DestinationPortNumberThe network event destination port.
TaniumEvent.SourceAddressStringThe network event source address.
TaniumEvent.SourcePortNumberThe network event source port.
TaniumEvent.KeyPathStringThe registry key path.
TaniumEvent.ValueNameStringThe registry value name.
TaniumEvent.ExitCodeNumberThe process exit code.
TaniumEvent.ProcessCommandLineStringThe process command line.
TaniumEvent.ProcessHashStringThe hash value of the process.
TaniumEvent.SIDNumberThe process SID.
TaniumEvent.HashesStringThe hashes of the driver.
TaniumEvent.ImageLoadedStringThe image loaded path of the driver.
TaniumEvent.SignatureStringThe signature of the driver.
TaniumEvent.SignedBooleanWhether the driver is signed.
TaniumEvent.EventIDNumberThe ID of the event.
TaniumEvent.EventOpcodeNumberThe event opcode.
TaniumEvent.EventRecordIDNumberThe ID of the event record.
TaniumEvent.EventTaskIDNumberThe ID of the event task.
TaniumEvent.QueryStringThe query of the DNS.
TaniumEvent.ResponseStringThe response of the DNS.
TaniumEvent.ImagePathStringThe image path.
TaniumEvent.CreationTimeDateThe process creation time
TaniumEvent.EndTimeDateThe process end time.
TaniumEvent.EventTaskNameStringThe name of the event task.
TaniumEvent.Property.NameStringThe name of the event's property
TaniumEvent.Property.ValueStringThe value of the event's property
Command Example#

!tanium-tr-list-events-by-connection connection-name=HOST_NAME event-type=Process limit=2

Context Example#
{
"Tanium": {
"Event": [
{
"Domain": "root",
"Type": "Process",
"CreationTime": "2020-03-02 16:05:37.574",
"EndTime": "2020-03-03 11:28:28.413",
"ExitCode": 0,
"ProcessCommandLine": "sleep 0.1",
"ProcessID": 13136,
"ProcessName": "/usr/bin/sleep",
"ProcessTableID": 17191168,
"SID": 5,
"Username": "root"
},
{
"Domain": "root",
"Type": "Process",
"CreationTime": "2020-03-02 23:09:33.153",
"EndTime": "2020-03-03 08:48:05.624",
"ExitCode": 0,
"ProcessCommandLine": "sleep 0.1",
"ProcessHash": "BEA3A5351BBE28622A560FF5F18C805E",
"ProcessID": 4229,
"ProcessName": "/usr/bin/sleep",
"ProcessTableID": 17232881,
"SID": 5,
"Username": "root"
}
]
}
}
Human Readable Output#

Events for HOST_NAME#

DomainTypeProcess Table IDProcess Command LineProcess IDProcess NameExit CodeSIDUsernameCreation TimeEnd Time
rootProcess17191168sleep 0.113136/usr/bin/sleep05root2020-03-02 16:05:37.5742020-03-03 11:28:28.413
rootProcess17232881sleep 0.14229/usr/bin/sleep05root2020-03-02 23:09:33.1532020-03-03 08:48:05.624

tanium-tr-get-file-download-info#


Gets the metadata of a file download. You must supply either the path or id agument for the command to run successfully.

Base Command#

tanium-tr-get-file-download-info

Input#
Argument NameDescriptionRequired
hostThe hostname of the downloaded file.Required
pathThe path of the file.Optional
idFile download ID.Optional
Context Output#
PathTypeDescription
Tanium.FileDownload.SizeNumberThe size of the file, in bytes.
Tanium.FileDownload.PathStringThe path of the file.
Tanium.FileDownload.DownloadedDateThe date when this file was downloaded.
Tanium.FileDownload.HostStringThe hostname of the downloaded file.
Tanium.FileDownload.CreatedDateThe date when the file was created.
Tanium.FileDownload.HashStringThe file hash.
Tanium.FileDownload.SPathStringThe file SPath.
Tanium.FileDownload.IDNumberThe downloaded file ID.
Tanium.FileDownload.LastModifiedDateThe date when the file was last modified.
Tanium.FileDownload.CreatedByStringThe user that created this file.
Tanium.FileDownload.CreatedByProcStringThe process path that created this file.
Tanium.FileDownload.LastModifiedByStringThe user that last modified this file.
Tanium.FileDownload.LastModifiedByProcStringThe process path that modified this file.
Tanium.FileDownload.CommentsStringThe downloaded file comments.
Tanium.FileDownload.TagsStringThe downloaded file tags.
Tanium.FileDownload.DeletedBooleanWhether the file download has been deleted.
Command Example#

!tanium-tr-get-file-download-info host=HOST_NAME id=4

Context Example#
{
"Tanium": {
"FileDownload": {
"Created": "2020-01-02 15:39:57.289",
"CreatedBy": "NT AUTHORITY\\LOCAL SERVICE",
"CreatedByProc": "C:\\Windows\\System32\\svchost.exe",
"Downloaded": "2020-01-02 15:40:29.003",
"Hash": "2ae2da9237309b13b9a9d52d1358c826",
"Host": "HOST_NAME",
"ID": 4,
"LastModified": "2020-01-02 15:39:57.289",
"LastModifiedBy": "NT AUTHORITY\\LOCAL SERVICE",
"LastModifiedByProc": "C:\\Windows\\System32\\svchost.exe",
"Path": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive1.dat",
"SPath": "6ae86937-611f-45e9-900c-3ba57298f264.zip",
"Size": 2048,
"Deleted": false
}
}
}
Human Readable Output#

File download metadata for file C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat#

IDHostPathHashDownloadedSizeCreatedCreated ByCreated By ProcLast ModifiedLast Modified ByLast Modified By ProcS Path
4HOST_NAMEC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2ae2da9237309b13b9a9d52d1358c8262020-01-02 15:40:29.00320482020-01-02 15:39:57.289NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exe2020-01-02 15:39:57.289NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exe6ae86937-611f-45e9-900c-3ba57298f264.zip

tanium-tr-get-process-info#


Get information for a process.

Base Command#

tanium-tr-get-process-info

Input#
Argument NameDescriptionRequired
connection-nameThe connection name.Required
ptidThe process instance ID.Required
Context Output#
PathTypeDescription
Tanium.Process.CreateTimeDateTime when the process was created.
Tanium.Process.DomainStringThe domain of the process.
Tanium.Process.ExitCodeNumberThe process exit code.
Tanium.Process.ProcessCommandLineStringThe process command line.
Tanium.Process.ProcessIDNumberThe ID of the process.
Tanium.Process.ProcessNameStringFile of the process.
Tanium.Process.ProcessTableIdNumberThe ID of the process table.
Tanium.Process.SIDStringThe security ID of the process.
Tanium.Process.UsernameStringThe username who created the process.
Command Example#

!tanium-tr-get-process-info ptid=667680 connection-name=HOST_NAME limit=5

Context Example#
{
"Tanium": {
"Process": {
"CreateTime": "2020-01-22 16:16:07.553",
"Domain": "NT AUTHORITY",
"ExitCode": 0,
"ProcessCommandLine": "System",
"ProcessID": 4,
"ProcessName": "System",
"ProcessTableId": 667680,
"SID": "S-1-5-18",
"Username": "SYSTEM"
}
}
}
Human Readable Output#

Process information for process with PTID 667680#

Process IDProcess NameProcess Command LineProcess Table IdSIDUsernameDomainExit CodeCreate Time
4SystemSystem667680S-1-5-18SYSTEMNT AUTHORITY02020-01-22 16:16:07.553

tanium-tr-get-events-by-process#


Gets the events for a process.

Base Command#

tanium-tr-get-events-by-process

Input#
Argument NameDescriptionRequired
connection-nameThe connection name.Required
ptidThe process instance ID.Required
limitThe maximum number of events to return.Optional
offsetThe offset number to begin listing events.Optional
Context Output#
PathTypeDescription
Tanium.ProcessEvent.IDNumberThe ID of the event.
Tanium.ProcessEvent.DetailUnknownThe event details.
Tanium.ProcessEvent.OperationStringThe event operation.
Tanium.ProcessEvent.TimestampDateTime when the event was created.
Tanium.ProcessEvent.TypeStringThe event type.
Command Example#

!tanium-tr-get-events-by-process ptid=667680 connection-name=HOST_NAME limit=1

Context Example#
{
"Tanium": {
"ProcessEvent": {
"Detail": "4: System",
"ID": 667680,
"Operation": "CreateProcess",
"Timestamp": "2020-01-22 16:16:07.553",
"Type": "Process"
}
}
}
Human Readable Output#

Events for process 667680#

IDDetailTypeTimestampOperation
6676804: SystemProcess2020-01-22 16:16:07.553CreateProcess

tanium-tr-get-process-children#


Gets the children of this process instance.

Base Command#

tanium-tr-get-process-children

Input#
Argument NameDescriptionRequired
connection-nameThe connection name.Required
ptidThe process instance ID.Required
Context Output#
PathTypeDescription
Tanium.ProcessChildren.IDNumberThe ID of the process.
Tanium.ProcessChildren.NameStringFile of the process.
Tanium.ProcessChildren.PIDNumberThe PID of the process.
Tanium.ProcessChildren.PTIDNumberThe process instance ID.
Tanium.ProcessChildren.ParentStringThe parent process name.
Command Example#

!tanium-tr-get-process-children ptid=667680 connection-name=HOST_NAME

Context Example#
{
"Tanium": {
"ProcessChildren": [
{
"ID": 667681,
"Name": "0: Unknown Process",
"PID": 0,
"PTID": 667681,
"Parent": "4: System"
},
{
"ID": 667682,
"Name": "1: Pruned Process",
"PID": 1,
"PTID": 667682,
"Parent": "4: System"
},
{
"ID": 667683,
"Name": "392: smss.exe",
"PID": 392,
"PTID": 667683,
"Parent": "4: System"
}
]
}
}
Human Readable Output#

Children for process with PTID 667680#

IDNamePIDPTIDParentChildren Count
6676810: Unknown Process06676814: System0
6676821: Pruned Process16676824: System0
667683392: smss.exe3926676834: System0

tanium-tr-get-parent-process#


Gets information for the parent process.

Base Command#

tanium-tr-get-parent-process

Input#
Argument NameDescriptionRequired
connection-nameThe connection name.Required
ptidThe process instance ID.Required
Context Output#
PathTypeDescription
Tanium.Process.CreateTimeDateTime when the process was created.
Tanium.Process.DomainStringThe domain of the process.
Tanium.Process.ExitCodeNumberThe process exit code.
Tanium.Process.ProcessCommandLineStringThe process command line.
Tanium.Process.ProcessIDNumberThe ID of the process.
Tanium.Process.ProcessNameStringFile of the process.
Tanium.Process.ProcessTableIdNumberThe ID of the process table.
Tanium.Process.SIDStringThe security ID of the process.
Tanium.Process.UsernameStringThe username who created the process.
Command Example#

!tanium-tr-get-parent-process ptid=667681 connection-name=HOST_NAME

Context Example#
{
"Tanium": {
"ParentProcess": {
"CreateTime": "2020-01-22 16:16:07.553",
"Domain": "NT AUTHORITY",
"ExitCode": 0,
"ProcessCommandLine": "System",
"ProcessID": 4,
"ProcessName": "System",
"ProcessTableId": 667680,
"SID": "S-1-5-18",
"Username": "SYSTEM"
}
}
}
Human Readable Output#

Process information for process with PTID 667681#

Process IDProcess NameProcess Command LineProcess Table IdSIDUsernameDomainExit CodeCreate Time
4SystemSystem667680S-1-5-18SYSTEMNT AUTHORITY02020-01-22 16:16:07.553

tanium-tr-get-parent-process-tree#


Gets the parent process tree for the process instance.

Base Command#

tanium-tr-get-parent-process-tree

Input#
Argument NameDescriptionRequired
connection-nameThe connection name.Required
ptidThe process instance ID.Required
Context Output#
PathTypeDescription
Tanium.ParentProcessTree.IDNumberThe parent process ID.
Tanium.ParentProcessTree.NameStringFile of the parent process.
Tanium.ParentProcessTree.PIDNumberThe parent process PID.
Tanium.ParentProcessTree.PTIDNumberThe parent process instance ID.
Tanium.ParentProcessTree.ParentStringThe parent process name.
Tanium.ParentProcessTree.ChildrenUnknownThe parent process children.
Command Example#

!tanium-tr-get-parent-process-tree ptid=667681 connection-name=HOST_NAME

Context Example#
{
"Tanium": {
"ParentProcessTree": {
"Children": [
{
"Children": [],
"ID": 667681,
"Name": "0: Unknown Process",
"PID": 0,
"PTID": 667681,
"Parent": "4: System"
},
{
"Children": [],
"ID": 667682,
"Name": "1: Pruned Process",
"PID": 1,
"PTID": 667682,
"Parent": "4: System"
},
{
"Children": [],
"ID": 667683,
"Name": "392: smss.exe",
"PID": 392,
"PTID": 667683,
"Parent": "4: System"
}
],
"ID": 667680,
"Name": "4: System",
"PID": 4,
"PTID": 667680
}
}
}
Human Readable Output#

Parent process for process with PTID 667681#

IDNamePIDPTID
6676804: System4667680

Processes with the same parent#

IDNamePIDPTIDParentChildren Count
6676810: Unknown Process06676814: System0
6676821: Pruned Process16676824: System0
667683392: smss.exe3926676834: System0

tanium-tr-get-process-tree#


Gets the process tree for the process instance.

Base Command#

tanium-tr-get-process-tree

Input#
Argument NameDescriptionRequired
connection-nameThe connection name.Required
ptidThe process instance ID.Required
Context Output#
PathTypeDescription
Tanium.ProcessTree.IDNumberThe process ID.
Tanium.ProcessTree.NameStringFile of the process.
Tanium.ProcessTree.PIDNumberThe process PID.
Tanium.ProcessTree.PTIDNumberThe process instance ID.
Tanium.ProcessTree.ParentStringThe parent process name.
Tanium.ProcessTree.ChildrenUnknownThe process children.
Command Example#

!tanium-tr-get-process-tree ptid=667680 connection-name=HOST_NAME

Context Example#
{
"Tanium": {
"ProcessTree": {
"Children": [
{
"Children": [],
"ID": 667681,
"Name": "0: Unknown Process",
"PID": 0,
"PTID": 667681,
"Parent": "4: System"
},
{
"Children": [],
"ID": 667682,
"Name": "1: Pruned Process",
"PID": 1,
"PTID": 667682,
"Parent": "4: System"
},
{
"Children": [],
"ID": 667683,
"Name": "392: smss.exe",
"PID": 392,
"PTID": 667683,
"Parent": "4: System"
}
],
"ID": 667680,
"Name": "4: System",
"PID": 4,
"PTID": 667680
}
}
}
Human Readable Output#

Process information for process with PTID 667680#

IDNamePIDPTID
6676804: System4667680

Children for process with PTID 667680#

IDNamePIDPTIDParentChildren Count
6676810: Unknown Process06676814: System0
6676821: Pruned Process16676824: System0
667683392: smss.exe3926676834: System0

tanium-tr-list-evidence#


Returns a list of all available evidence in the system.

Base Command#

tanium-tr-list-evidence

Input#
Argument NameDescriptionRequired
limitThe maximum number of evidences to return. The default value is 50.Optional
offsetOffset to start getting the events result set. The default is 0.Optional
sortA comma-separated list of fields by which to sort, using +/- prefixes for ascending/descending, in order of priority (left to right).Optional
Context Output#
PathTypeDescription
Tanium.Evidence.IDNumberThe evidence ID.
Tanium.Evidence.CreatedAtDateTime when the process was created.
Tanium.Evidence.LastModifiedDateThe date that the file was last modified.
Tanium.Evidence.UserStringThe user of the evidence.
Tanium.Evidence.ConnectionNameStringThe evidence connection name.
Tanium.Evidence.TypeNumberThe evidence type.
Tanium.Evidence.ProcessTableIdNumberThe evidence process table ID.
Tanium.Evidence.TimestampDateThe evidence timestamp.
Tanium.Evidence.SummaryStringThe evidence summary.
Tanium.Evidence.CommentsStringThe evidence comments.
Tanium.Evidence.TagsStringThe evidence tags.
Tanium.Evidence.DeletedBooleanWhether the evident has been deleted.
Command Example#

!tanium-tr-list-evidence limit=2 offset=1 sort=+id

Context Example#
{
"Tanium": {
"Evidence": [
{
"ConnectionName": "HOST_NAME",
"CreatedAt": "2020-01-02 15:40:03",
"ID": 2,
"ProcessTableId": 45632561,
"Summary": "CreateProcess: C:\\Windows\\SysWOW64\\cmd.exe",
"Timestamp": "2020-01-02 15:39:28.809",
"Type": 2,
"UpdatedAt": "2020-01-02 15:40:03",
"User": "actionapprover",
"Deleted": false
},
{
"ConnectionName": "HOST_NAME",
"CreatedAt": "2020-01-13 18:02:01",
"ID": 13,
"ProcessTableId": 4563722,
"Summary": "CreateProcess: C:\\Windows\\System32\\wsqmcons.exe",
"Timestamp": "2020-01-13 18:00:01.010",
"Type": 2,
"UpdatedAt": "2020-01-13 18:02:01",
"User": "HOST_NAME\\administrator",
"Deleted": false
}
]
}
}
Human Readable Output#

Evidence List#

IDTimestampConntection NameUserSummaryTypeCreated AtUpdated AtProcess Table Id
22020-01-02 15:39:28.809HOST_NAMEactionapproverCreateProcess: C:\Windows\SysWOW64\cmd.exe22020-01-02 15:40:032020-01-02 15:40:0345632561
132020-01-13 18:00:01.010HOST_NAMEHOST_NAME\administratorCreateProcess: C:\Windows\System32\wsqmcons.exe22020-01-13 18:02:012020-01-13 18:02:014563722

tanium-tr-get-evidence-by-id#


Gets evidence by evidence ID.

Base Command#

tanium-tr-get-evidence-by-id

Input#
Argument NameDescriptionRequired
evidence-idThe ID of the evidence.Required
Context Output#
PathTypeDescription
Tanium.Evidence.IDNumberThe evidence ID.
Tanium.Evidence.CreatedAtDateTime when the process was created.
Tanium.Evidence.LastModifiedDateThe date that the file was last modified.
Tanium.Evidence.UserStringThe user of the evidence.
Tanium.Evidence.ConnectionNameStringThe evidence connection name.
Tanium.Evidence.TypeNumberThe evidence type.
Tanium.Evidence.ProcessTableIdNumberThe evidence process table ID.
Tanium.Evidence.TimestampDateThe evidence timestamp.
Tanium.Evidence.SummaryStringThe evidence summary.
Tanium.Evidence.CommentsStringThe evidence comments.
Tanium.Evidence.TagsStringThe evidence tags.
Tanium.Evidence.DeletedBooleanWhether the evident has been deleted.
Command Example#

!tanium-tr-get-evidence-by-id evidence-id=2

Context Example#
{
"Tanium": {
"Evidence": {
"CreatedAt": "2020-01-02 15:40:03",
"ConnectionName": "HOST_NAME",
"ProcessTableId": 45632561,
"ID": 2,
"Summary": "CreateProcess: C:\\Windows\\SysWOW64\\cmd.exe",
"Timestamp": "2020-01-02 15:39:28.809",
"Type": 2,
"UpdatedAt": "2020-01-02 15:40:03",
"User": "actionapprover",
"Deleted": false
}
}
}
Human Readable Output#

Label information#

IDTimestampConnection NameUserSummaryTypeCreated AtUpdated AtProcess Table Id
22020-01-02 15:39:28.809HOST_NAMEactionapproverCreateProcess: C:\Windows\SysWOW64\cmd.exe22020-01-02 15:40:032020-01-02 15:40:0345632561

tanium-tr-create-evidence#


Creates an evidence.

Base Command#

tanium-tr-create-evidence

Input#
Argument NameDescriptionRequired
connection-nameThe name of the connection.Required
ptidThe process instance ID.Required
Context Output#

There is no context output for this command.

Command Example#

!tanium-tr-create-evidence connection-name=HOST_NAME connection-name=HOST_NAME ptid=13538572

Human Readable Output#

Evidence have been created.

tanium-tr-delete-evidence#


Deletes an evidence.

Base Command#

tanium-tr-delete-evidence

Input#
Argument NameDescriptionRequired
evidence-idThe ID of the evidence.Required
Context Output#
PathTypeDescription
Tanium.Evidence.IDStringThe evidence ID.
Tanium.Evidence.DeletedBooleanWhether the evidence has been deleted.
Command Example#

!tanium-tr-delete-evidence evidence-id=1

Context Example#
{
"Tanium": {
"Evidence": {
"ID": 2,
"Deleted": true
}
}
}
Human Readable Output#

Evidence 1 has been deleted successfully.

tanium-tr-request-file-download#


Requests a new file download.

Base Command#

tanium-tr-request-file-download

Input#
Argument NameDescriptionRequired
pathPath to file.Required
connection-nameConnection name.Required
Context Output#
PathTypeDescription
Tanium.FileDownload.PathStringThe file download path.
Tanium.FileDownload.ConnectionNameStringThe file download connection name.
Tanium.FileDownload.DownloadedDateDate of the download request.
Tanium.FileDownload.StatusStringStatus of the file download request.
Tanium.FileDownload.IDNumberID of the file download.
Command Example#

!tanium-tr-request-file-download connection-name=HOST_NAME path=dev/autofs

Context Example#
{
"Tanium": {
"FileDownload": {
"Downloaded": "2020-02-06 16:05:40.227674",
"ConnectionName": "HOST_NAME",
"Path": "dev/autofs"
}
}
}
Human Readable Output#

Download request of file autofs has been sent successfully.

tanium-tr-delete-file-download#


Deletes a file download.

Base Command#

tanium-tr-delete-file-download

Input#
Argument NameDescriptionRequired
file-idFile download ID.Required
Context Output#
PathTypeDescription
Tanium.FileDownload.IDStringThe file download ID.
Tanium.FileDownload.DeletedBooleanWhether the file download has been deleted.
Command Example#

!tanium-tr-delete-file-download file-id=3

Context Example#
{
"Tanium": {
"FileDownload": {
"ID": 3,
"Deleted": true
}
}
}
Human Readable Output#

Delete request of file with ID 3 has been sent successfully.

tanium-tr-list-files-in-directory#


Gets a list of files in the given directory.

Base Command#

tanium-tr-list-files-in-directory

Input#
Argument NameDescriptionRequired
pathPath to the directory.Required
connection-nameConnection name.Required
limitThe maximum number of files to return. The default value is 50.Optional
offsetOffset to start getting files. The default is 0.Optional
Context Output#
PathTypeDescription
Tanium.File.CreatedDateTime the file was created.
Tanium.File.SizeNumberThe file size.
Tanium.File.IsDirectoryBooleanWhether or not the file is a directory.
Tanium.File.LastModifiedDateThe date that the file was last modified.
Tanium.File.PathBooleanThe file path.
Tanium.File.PermissionsDateThe file permissions.
Tanium.File.ConnectionNameStringThe host of the file.
Tanium.File.DeletedBooleanWhether the file has been deleted.
Command Example#

!tanium-tr-list-files-in-directory path=`C:\Program Files (x86)\Tanium\Tanium Client\` connection-name=HOST_NAME limit=2

Context Example#
{
"Tanium": {
"File": [
{
"Created": "1970-01-19 03:25:44",
"IsDirectory": false,
"LastModified": "1970-01-19 03:25:44",
"Path": ".detect-engine.lock",
"Permissions": "rw-rw-rw-",
"Size": 0,
"Deleted": false
},
{
"Created": "1970-01-18 21:02:12",
"IsDirectory": true,
"LastModified": "1970-01-19 07:10:05",
"Path": "Downloads",
"Permissions": "rw-rw-rw-",
"Size": 393216,
"Deleted": false
}
]
}
}
Human Readable Output#

Files in directory C:\Program Files (x86)\Tanium\Tanium Client\#

PathSizeCreatedLast ModifiedPermissionsIs Directory
.detect-engine.lock01970-01-19 03:25:441970-01-19 03:25:44rw-rw-rw-false
Downloads3932161970-01-18 21:02:121970-01-19 07:10:05rw-rw-rw-true

tanium-tr-get-file-info#


Gets information about a file from a remote connection.

Base Command#

tanium-tr-get-file-info

Input#
Argument NameDescriptionRequired
connection-nameThe name of the connection.Required
pathThe path to the file.Required
Context Output#
PathTypeDescription
Tanium.File.CreatedDateThe file creation timestamp.
Tanium.File.SizeNumberThe file size.
Tanium.File.IsDirectoryBooleanWhether or not the file is a directory.
Tanium.File.LastModifiedDateThe date that the file was last modified.
Tanium.File.PathStringThe file path.
Tanium.File.ConnectionNameStringThe host of the file.
Tanium.File.DeletedBooleanWhether the file has been deleted.
Command Example#

!tanium-tr-get-file-info connection-name=HOST_NAME path=`C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe`

Context Example#
{
"Tanium": {
"File": {
"Created": "1970-01-18 20:01:58",
"IsDirectory": false,
"LastModified": "1970-01-18 20:01:58",
"Size": 4938736
"Path": "C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe",
"ConnectionName": "HOST_NAME",
"Deleted": false
}
}
}
Human Readable Output#

Information for file C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe#

PathSizeCreatedLast ModifiedIs DirectoryConnection Name
C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe49387361970-01-18 20:01:581970-01-18 20:01:58falseHOST_NAME

tanium-tr-delete-file-from-endpoint#


Deletes a file from the given endpoint.

Base Command#

tanium-tr-delete-file-from-endpoint

Input#
Argument NameDescriptionRequired
connection-nameConnection name.Required
pathPath to file.Required
Context Output#
PathTypeDescription
Tanium.File.PathStringThe file path.
Tanium.File.ConnectionNameStringThe host of the file.
Tanium.File.DeletedBooleanWhether the file has been deleted.
Command Example#

!tanium-tr-delete-file-from-endpoint path=`C:\Program Files (x86)\Tanium\Tanium Client\Logs\log0.txt` connection-name=HOST_NAME

Context Example#
{
"Tanium": {
"File": {
"Path": "C:\Program Files (x86)\Tanium\Tanium Client\Logs\log0.txt",
"ConnectionName": "HOST_NAME",
"Deleted": true
}
}
}
Human Readable Output#

Delete request of file C:\Program Files (x86)\Tanium\Tanium Client\Logs\log0.txt from endpoint HOST_NAME has been sent successfully.

tanium-tr-get-process-timeline#


Gets the process timeline.

Base Command#

tanium-tr-get-process-timeline

Input#
Argument NameDescriptionRequired
connection-nameConnection name.Required
ptidProcess table ID.Required
categoryThe event categories to retrieve. Can be "File", "DNS", "Registry", "Network", "Image", or "Process".Required
limitThe maximum number of events to return. The default value is 50.Optional
offsetOffset to start getting the events. The default is 0.Optional
Context Output#
PathTypeDescription
Tanium.ProcessTimeline.ProcessTableIDNumberThe process instance ID.
Tanium.ProcessTimeline.ConnectionNameStringThe connection name of the process.
Tanium.ProcessTimeline.DateDateEvents date of the process.
Tanium.ProcessTimeline.EventStringEvent of the process.
Tanium.ProcessTimeline.CategoryStringThe event category of the process.
Command Example#

!tanium-tr-get-process-timeline ptid=13530396 connection-name=HOST_NAME category=Process limit=2

Context Example#
{
"Tanium": {
"ProcessTimeline": [
{
"Category": "Process",
"Date": "2020-02-05 10:16:02.319000",
"Event": [
"Process started by root\\root"
]
},
{
"Category": "Process",
"Date": "2020-02-05 10:17:00.000000",
"Event": [
"Process ended"
]
}
]
}
}
Human Readable Output#

Timeline data for process with PTID 13530396#

DateEventCategory
2020-02-05 10:16:02.319000Process started by root\rootProcess
2020-02-05 10:17:00.000000Process endedProcess

tanium-tr-get-download-file-request-status#


Gets the status of the download file request.

Base Command#

tanium-tr-get-download-file-request-status

Input#
Argument NameDescriptionRequired
request-dateDate of the download file request, or example: 2019-09-23T12:55:08.622Required
connection-nameThe connection to which the request was made.Optional
pathThe file path.Optional
Context Output#
PathTypeDescription
Tanium.DownloadFile.IDNumberID of the file download.
Tanium.DownloadFile.ConnectionNameStringHost of the file.
Tanium.DownloadFile.PathStringPath of the file.
Tanium.DownloadFile.StatusStringStatus of the file download request.
Tanium.DownloadFile.DownloadedDateThe date of the download request.
Command Example#

!tanium-tr-get-download-file-request-status request-date=2019-09-23T12:55:08.622

Context Example#
{
"Tanium": {
"FileDownload": {
"Downloaded": "2020-01-02 15:40:18.052",
"ID": 3,
"Status": "Completed",
"Path": "C:\Program Files (x86)\Tanium\Tanium Client\Logs\log1.txt",
"ConnectionName": "HOST_NAME"
}
}
}
Human Readable Output#

File download request status#

IDConnection NameStatusPathDownloaded
3HOST_NAMECompletedC:\Program Files (x86)\Tanium\Tanium Client\Logs\log1.txt2020-01-02 15:40:18.052

tanium-tr-intel-doc-create#


Add a new intel document to the system by providing its document contents.

Base Command#

tanium-tr-intel-doc-create

Input#
Argument NameDescriptionRequired
entry-idThe file entry ID.Required
file_extensionThe suffix at the end of a filename. (Available file types - yara, stix, ioc)Required
Context Output#
PathTypeDescription
Tanium.IntelDoc.AlertCountNumberThe number of alerts that currently exist for this intel.
Tanium.IntelDoc.CreatedAtDateThe date at which this intel was first added to the system.
Tanium.IntelDoc.DescriptionStringThe description of the intel, as declared in the document or as updated by a user.
Tanium.IntelDoc.IDNumberThe unique identifier for this intel in this instance of the system.
Tanium.IntelDoc.LabelIdsNumberThe IDs of all labels applied to this intel.
Tanium.IntelDoc.NameStringThe name of the intel, as declared in the document or as updated by a user.
Tanium.IntelDoc.TypeStringThe shortened type name of the intel. For example, "openioc", "stix", "yara".
Tanium.IntelDoc.UnresolvedAlertCountNumberThe number of unresolved alerts that currently exist for this intel.
Tanium.IntelDoc.UpdatedAtDateThe date when this intel was last updated.
Command Example#

!tanium-tr-intel-doc-create entry-id=7173@e99f97d1-7225-4c75-896c-3c960febbe8c file_extension=ioc

Context Example#
{
"Tanium": {
"IntelDoc": {
"AlertCount": 0,
"CreatedAt": "2019-07-31T18:46:28.814Z",
"Description": "Detects usage of the NET.EXE utility to enumerate members of the local Administrators or Domain Administrators groups. Often used during post-compromise reconnaissance.",
"ID": 2,
"LabelIds": [
2,
3,
9,
16
],
"Name": "Administrator Account Enumeration",
"Type": "openioc",
"UnresolvedAlertCount": 0,
"UpdatedAt": "2020-01-14T21:37:30.934Z"
}
}
}
Human Readable Output#

Intel Doc uploaded#

IDNameDescriptionTypeAlert CountUnresolved Alert CountCreated AtUpdated AtLabel Ids
2Administrator Account EnumerationDetects usage of the NET.EXE utility to enumerate members of the local Administrators or Domain Administrators groups. Often used during post-compromise reconnaissance.openioc002019-07-31T18:46:28.814Z2020-01-14T21:37:30.934Z2, 3, 9, 16

tanium-tr-start-quick-scan#


Scan a computer group for hashes in intel document. Computer groups can be viewed by navigating to Administration -> Computer Groups in the UI. Computer group names and IDs can also be retrieved by using the tn-list-groups command in the Tanium integration.

Base Command#

tanium-tr-start-quick-scan

Input#
Argument NameDescriptionRequired
intel-doc-idThe intel document ID.Required
computer-group-nameThe name of a Tanium computer group. See command description for possible ways to retrieve this value.Required
Context Output#
PathTypeDescription
Tanium.QuickScan.AlertCountNumberThe number of alerts returned from the quick scan.
Tanium.QuickScan.ComputerGroupIdNumberThe ID of a Tanium computer group.
Tanium.QuickScan.CreatedAtDateThe date the quick scan was created.
Tanium.QuickScan.IDNumberThe ID of the quick scan.
Tanium.QuickScan.IntelDocIdNumberThe unique identifier for this intel in the instance of the system.
Tanium.QuickScan.QuestionIDNumberThe ID of the quick scan question.
Tanium.QuickScan.UserIDNumberThe user ID which initiated the quick scan.
Command Example#

!tanium-tr-start-quick-scan intel-doc-id=2 computer-group-name="All Computers"

Context Example#
{
"Tanium": {
"QuickScan": {
"AlertCount": 0,
"ComputerGroupId": 1
"CreatedAt": "2019-07-31T18:46:28.814Z",
"ID": 5,
"IntelDocId": 2
"QuestionID": 4,
"UserID": 3
}
}
}
Human Readable Output#

Quick Scan started#

Alert CountComputerGroupIdCreatedAtIDIntelDocIdQuestionIDUserID
012019-07-31T18:46:28.814Z5243