Tanium Threat Response v2

This Integration is part of the Tanium Threat Response Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Use the Tanium Threat Response integration to manage endpoint processes, evidence, alerts, files, snapshots, and connections. This integration works with Tanium Threat Response version 3.0.159 and above. It was integrated and tested with versions 3.5.284 and 4.x of Tanium Threat Response v2.

This is the default integration for this content pack when configured by the Data Onboarder in Cortex XSIAM.

Configure Tanium Threat Response v2 in Cortex

| Parameter | Required |
| --- | --- |
| Hostname, IP address, or server URL | True |
| Username | False |
| Password | False |
| Fetch incidents | False |
| Incident type | False |
| First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) | False |
| Maximum number of incidents to fetch each time | False |
| Alert states to filter by in fetch incidents command. Empty list won't filter the incidents by state. | False |
| Trust any certificate (not secure) | False |
| Use system proxy settings | False |
| API Version | False |

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

tanium-tr-get-intel-doc-by-id

Returns an intel document object based on ID.

Base Command

tanium-tr-get-intel-doc-by-id

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| intel_doc_id | The intel document ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Tanium.IntelDoc.AlertCount | Number | The number of alerts that currently exist for this intel. |
| Tanium.IntelDoc.CreatedAt | Date | The date at which this intel was first added to the system. |
| Tanium.IntelDoc.Description | String | The description of the intel, as declared in the document or as updated by a user. |
| Tanium.IntelDoc.ID | Number | The unique identifier for this intel in this instance of the system. |
| Tanium.IntelDoc.LabelIds | Number | The IDs of all labels applied to this intel. |
| Tanium.IntelDoc.Name | String | The name of the intel, as declared in the document or as updated by a user. |
| Tanium.IntelDoc.UnresolvedAlertCount | Number | The number of unresolved alerts that currently exist for this intel. |
| Tanium.IntelDoc.UpdatedAt | Date | The date when this intel was last updated. |

Command Example

!tanium-tr-get-intel-doc-by-id intel_doc_id=509

Context Example

{
"Tanium": {
"IntelDoc": {
"AlertCount": 0,
"Compiled": "{\"expressions\":[],\"terms\":[{\"condition\":\"contains\",\"negate\":false,\"value\":\"RouteTheCall\",\"object\":\"process\",\"property\":\"command_line\"},{\"condition\":\"ends with\",\"negate\":false,\"value\":\"\\\\rundll32.exe\",\"object\":\"process\",\"property\":\"path\"},{\"condition\":\"contains\",\"negate\":false,\"value\":\"zipfldr\",\"object\":\"process\",\"property\":\"command_line\"}],\"operator\":\"and\",\"text\":\"process.path ends with '\\\\\\\\rundll32.exe' AND process.command_line contains 'zipfldr' AND process.command_line contains 'RouteTheCall'\",\"syntax_version\":1}",
"Contents": "{\"id\":\"Zipfldr Library Proxy Execution via RouteTheCall\",\"name\":\"Zipfldr Library Proxy Execution via RouteTheCall\",\"description\":\"Detects the use of rundll32.exe to execute the RouteTheCall function in zipfldr.dll. This can be used for proxy execution to bypass AppLocker or to execute an arbitrary binary.\",\"contents\":\"process.path ends with '\\\\\\\\rundll32.exe' AND process.command_line contains 'zipfldr' AND process.command_line contains 'RouteTheCall'\",\"syntax_version\":1,\"mitreAttack\":{\"techniques\":[{\"id\":\"T1218\",\"name\":\"Signed Binary Proxy Execution\"},{\"id\":\"T1218.011\",\"name\":\"Signed Binary Proxy Execution: Rundll32\"},{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\"},{\"id\":\"T1059.003\",\"name\":\"Command and Scripting Interpreter: Windows Command Shell\"}]},\"platforms\":[\"windows\"]}",
"CreatedAt": "2021-08-31T21:06:02.932Z",
"Description": "Detects the use of rundll32.exe to execute the RouteTheCall function in zipfldr.dll. This can be used for proxy execution to bypass AppLocker or to execute an arbitrary binary.",
"ID": 509,
"IntrinsicId": "Zipfldr Library Proxy Execution via RouteTheCall",
"IsSchemaValid": true,
"LabelIds": [
2,
7,
11,
16
],
"Md5": "f3ddf06be9e182ae7ddc16192dc5b846",
"MitreAttack": "{\"techniques\":[{\"id\":\"T1218\",\"name\":\"Signed Binary Proxy Execution\"},{\"id\":\"T1218.011\",\"name\":\"Signed Binary Proxy Execution: Rundll32\"},{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\"},{\"id\":\"T1059.003\",\"name\":\"Command and Scripting Interpreter: Windows Command Shell\"}]}",
"Name": "Zipfldr Library Proxy Execution via RouteTheCall",
"Platforms": [
"windows"
],
"RevisionId": 1,
"Size": 795,
"SourceId": 2,
"Type": "tanium-signal",
"TypeVersion": "1.0",
"UnresolvedAlertCount": 0,
"UpdatedAt": "2021-08-31T21:06:02.932Z"
}
}
}

Human Readable Output

Intel Doc information

| ID | Name | Type | Description | Alert Count | Unresolved Alert Count | Created At | Updated At | Label Ids |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 509 | Zipfldr Library Proxy Execution via RouteTheCall | tanium-signal | Detects the use of rundll32.exe to execute the RouteTheCall function in zipfldr.dll. This can be used for proxy execution to bypass AppLocker or to execute an arbitrary binary. | 0 | 0 | 2021-08-31T21:06:02.932Z | 2021-08-31T21:06:02.932Z | 2, 7, 11, 16 |
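The Compiled field of a tanium-signal intel doc (as in the context example above) is a JSON string holding the signal's terms and the operator that joins them. The following is an added example, not code from the page or from the Tanium or XSOAR projects: it decodes that field and evaluates the terms against constructed process events so you can see which term of the signal does or does not hit. The event shape, the case-insensitive comparison, and the recursion into nested expressions are assumptions.

```python
"""Evaluate a Tanium Signal's compiled term list against sample process events."""
import json

# Constructed: the decoded form of the "Compiled" field returned for intel doc 509
# (Type "tanium-signal") in the context example above. Once the JSON is decoded,
# the path term's value is a single backslash followed by rundll32.exe.
COMPILED_SIGNAL = {
    "expressions": [],
    "terms": [
        {"condition": "contains", "negate": False, "value": "RouteTheCall",
         "object": "process", "property": "command_line"},
        {"condition": "ends with", "negate": False, "value": "\\rundll32.exe",
         "object": "process", "property": "path"},
        {"condition": "contains", "negate": False, "value": "zipfldr",
         "object": "process", "property": "command_line"},
    ],
    "operator": "and",
    "syntax_version": 1,
}

# Constructed: a trimmed Tanium.IntelDoc context entry. As in the real output,
# Compiled is a JSON document serialised into a string, not a nested object.
INTEL_DOC_CONTEXT = {
    "Tanium": {
        "IntelDoc": {
            "ID": 509,
            "Type": "tanium-signal",
            "Compiled": json.dumps(COMPILED_SIGNAL),
        }
    }
}

# Constructed sample process events in the shape the terms reference
# (object "process", properties "path" and "command_line"); assumed layout.
SAMPLE_EVENTS = {
    "zipfldr-proxy-exec": {"process": {
        "path": "C:\\Windows\\System32\\rundll32.exe",
        "command_line": "rundll32.exe zipfldr.dll,RouteTheCall C:\\sample\\placeholder.bin"}},
    "benign-rundll32": {"process": {
        "path": "C:\\Windows\\System32\\rundll32.exe",
        "command_line": "rundll32.exe shell32.dll,Control_RunDLL"}},
    "strings-but-wrong-image": {"process": {
        "path": "C:\\Windows\\System32\\cmd.exe",
        "command_line": "cmd.exe /c echo zipfldr RouteTheCall"}},
}


def load_compiled(context):
    """Decode Tanium.IntelDoc.Compiled (a JSON string) into a dict."""
    doc = context["Tanium"]["IntelDoc"]
    if doc.get("Type") != "tanium-signal":
        raise ValueError("only tanium-signal intel docs carry a compiled expression")
    return json.loads(doc["Compiled"])


def term_matches(term, event):
    """Apply one compiled term to an event and honour its negate flag.

    Assumption (not stated on the page): comparisons are case-insensitive, which
    is the sensible choice for Windows paths and command lines. Only the two
    conditions that appear on the page ("contains", "ends with") are handled.
    """
    actual = str(event.get(term["object"], {}).get(term["property"], "")).lower()
    expected = str(term["value"]).lower()
    condition = term["condition"]
    if condition == "contains":
        hit = expected in actual
    elif condition == "ends with":
        hit = actual.endswith(expected)
    else:
        raise ValueError(f"unsupported condition: {condition!r}")
    return hit != bool(term.get("negate", False))


def signal_matches(compiled, event):
    """Join all terms (and, by assumption, nested expressions) with the operator."""
    results = [term_matches(t, event) for t in compiled.get("terms", [])]
    results += [signal_matches(e, event) for e in compiled.get("expressions", [])]
    operator = compiled.get("operator", "and").lower()
    if operator == "and":
        return all(results)
    if operator == "or":
        return any(results)
    raise ValueError(f"unsupported operator: {operator!r}")


def explain(compiled, event):
    """Per-term verdicts for triage: which part of the signal did or did not hit."""
    return {f'{t["object"]}.{t["property"]} {t["condition"]} {t["value"]}': term_matches(t, event)
            for t in compiled.get("terms", [])}


def matching_events(compiled, events):
    """Names of the events that would raise an alert for this signal."""
    return [name for name, event in events.items() if signal_matches(compiled, event)]


if __name__ == "__main__":
    compiled = load_compiled(INTEL_DOC_CONTEXT)
    for name, event in SAMPLE_EVENTS.items():
        print(name, signal_matches(compiled, event), explain(compiled, event))
```

Only the first constructed event satisfies all three terms; the second shows that rundll32.exe alone is not enough, and the third that the strings alone are not enough when the image path is wrong.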

tanium-tr-list-intel-docs

Returns a list of all intel documents.

Base Command

tanium-tr-list-intel-docs

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of intel documents to return. Default is 50. | Optional |
| offset | The offset number to begin listing intel documents. Default is 0. | Optional |
| name | The name of the intel document to show. | Optional |
| description | The description of the intel document to show. | Optional |
| type | The type of the intel document to show. | Optional |
| label_id | The label ID of the intel document to show. | Optional |
| mitre_technique_id | The MITRE technique ID of the intel document to show. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Tanium.IntelDoc.AlertCount | Number | The number of alerts that currently exist for this intel. |
| Tanium.IntelDoc.CreatedAt | Date | The date at which this intel was first added to the system. |
| Tanium.IntelDoc.Description | String | The description of the intel, as declared in the document or as updated by a user. |
| Tanium.IntelDoc.ID | Number | The unique identifier for this intel in this instance of the system. |
| Tanium.IntelDoc.LabelIds | Number | The IDs of all labels applied to this intel. |
| Tanium.IntelDoc.Name | String | The name of the intel, as declared in the document or as updated by a user. |
| Tanium.IntelDoc.UnresolvedAlertCount | Number | The number of unresolved alerts that currently exist for this intel. |
| Tanium.IntelDoc.UpdatedAt | Date | The date when this intel was last updated. |

Command Example

!tanium-tr-list-intel-docs

Context Example

{
"Tanium": {
"IntelDoc": [
{
"AlertCount": 0,
"CreatedAt": "2021-09-26T20:42:12.761Z",
"ID": 538,
"IntrinsicId": "file",
"IsSchemaValid": true,
"Md5": "45d4f6197504b0cf17ca4425b27c4123",
"Name": "file",
"RevisionId": 1,
"Size": 2211,
"SourceId": 1,
"Type": "yara",
"TypeVersion": "3",
"UnresolvedAlertCount": 0,
"UpdatedAt": "2021-09-26T20:42:12.761Z"
},
{
"AlertCount": 0,
"CreatedAt": "2021-09-26T15:40:18.967Z",
"ID": 537,
"IntrinsicId": "111-72ad-40cc-abbf-90846fa4afec",
"IsSchemaValid": true,
"Md5": "45d4f619750434cf17ca4425b27c4774",
"Name": "111-72ad-40cc-abbf-90846fa4a123",
"RevisionId": 11,
"Size": 2211,
"SourceId": 1,
"Type": "openioc",
"TypeVersion": "1.0",
"UnresolvedAlertCount": 0,
"UpdatedAt": "2021-09-26T20:47:53.586Z"
}
]
}
}

Human Readable Output

Intel docs

| ID | Name | Type | Alert Count | Unresolved Alert Count | Created At | Updated At | Label Ids |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 538 | file | yara | 0 | 0 | 2021-09-26T20:42:12.761Z | 2021-09-26T20:42:12.761Z | |
| 537 | 111-72ad-40cc-abbf-90846fa4afec | openioc | 0 | 0 | 2021-09-26T15:40:18.967Z | 2021-09-26T20:47:53.586Z | |
| 536 | CybOX-represented Indicator Created from OpenIOC File | stix | 0 | 0 | 2021-09-26T08:18:57.462Z | 2021-09-26T08:18:57.462Z | |
| 535 | CybOX-represented Indicator Created from OpenIOC File | stix | 0 | 0 | 2021-09-26T08:11:30.717Z | 2021-09-26T08:11:30.717Z | |
| 534 | CybOX-represented Indicator Created from OpenIOC File | stix | 0 | 0 | 2021-09-26T08:11:25.484Z | 2021-09-26T08:11:25.484Z | |
| 533 | CybOX-represented Indicator Created from OpenIOC File | stix | 0 | 0 | 2021-09-26T08:11:20.802Z | 2021-09-26T08:11:20.802Z | |
| 532 | file.yaraaaaaa | yara | 0 | 0 | 2021-09-26T08:09:54.927Z | 2021-09-26T08:09:54.927Z | |
| 531 | file.yaraa | yara | 0 | 0 | 2021-09-26T08:09:52.564Z | 2021-09-26T08:09:52.564Z | |
| 530 | yar | yara | 0 | 0 | 2021-09-26T08:09:28.253Z | 2021-09-26T08:09:28.253Z | |
| 529 | file.yar | yara | 0 | 0 | 2021-09-23T15:35:01.784Z | 2021-09-23T15:35:01.784Z | |
| 528 | file.stix | yara | 0 | 0 | 2021-09-23T15:33:49.920Z | 2021-09-23T15:33:49.920Z | |
| 527 | file.stix | yara | 0 | 0 | 2021-09-23T15:32:25.580Z | 2021-09-23T15:32:25.580Z | |
| 526 | CybOX-represented Indicator Created from OpenIOC File | stix | 0 | 0 | 2021-09-23T15:00:32.350Z | 2021-09-23T15:00:32.350Z | |
| 525 | CybOX-represented Indicator Created from OpenIOC File | stix | 0 | 0 | 2021-09-23T14:41:32.831Z | 2021-09-23T14:41:32.831Z | |
| 524 | CybOX-represented Indicator Created from OpenIOC File | stix | 0 | 0 | 2021-09-23T14:41:07.857Z | 2021-09-23T14:41:07.857Z | |
| 523 | CybOX-represented Indicator Created from OpenIOC File | stix | 0 | 0 | 2021-09-23T14:32:26.310Z | 2021-09-23T14:32:26.310Z | |
| 522 | CybOX-represented Indicator Created from OpenIOC File | stix | 0 | 0 | 2021-09-23T13:47:31.088Z | 2021-09-23T13:47:31.088Z | |
| 521 | STUXNET VIRUS (METHODOLOGY) | openioc | 0 | 0 | 2021-09-23T12:18:03.865Z | 2021-09-23T12:18:03.865Z | |
| 520 | CybOX-represented Indicator Created from OpenIOC File | stix | 0 | 0 | 2021-09-23T12:04:08.473Z | 2021-09-23T12:04:08.473Z | |
| 519 | CybOX-represented Indicator Created from OpenIOC File | stix | 0 | 0 | 2021-09-23T12:03:50.295Z | 2021-09-23T12:03:50.295Z | |
| 518 | New Test5 | openioc | 0 | 0 | 2021-09-23T12:03:10.503Z | 2021-09-23T12:03:10.503Z | |
| 517 | New Test5 | openioc | 0 | 0 | 2021-09-23T07:21:07.201Z | 2021-09-23T07:21:07.201Z | |
| 516 | New Test5 | openioc | 0 | 0 | 2021-09-22T16:27:09.399Z | 2021-09-22T16:27:09.399Z | |
| 515 | New Test5 | openioc | 0 | 0 | 2021-09-22T07:52:58.242Z | 2021-09-22T07:52:58.242Z | |
| 514 | New Test5 | openioc | 0 | 0 | 2021-09-22T07:47:43.503Z | 2021-09-22T07:47:43.503Z | |
| 513 | RDP Enabled via Registry Modification | tanium-signal | 0 | 0 | 2021-09-22T07:47:02.110Z | 2021-09-22T07:47:02.110Z | |
| 512 | New Test5 | openioc | 0 | 0 | 2021-09-22T07:17:26.951Z | 2021-09-22T07:17:26.951Z | |
| 511 | New Test5 | openioc | 0 | 0 | 2021-09-19T06:33:12.579Z | 2021-09-19T06:33:12.579Z | |
| 510 | file.yar | yara | 0 | 0 | 2021-09-12T14:02:03.769Z | 2021-09-12T14:02:03.769Z | |
| 509 | Zipfldr Library Proxy Execution via RouteTheCall | tanium-signal | 0 | 0 | 2021-08-31T21:06:02.932Z | 2021-08-31T21:06:02.932Z | 2, 7, 11, 16 |
| 508 | Url Library Proxy Execution via OpenURL | tanium-signal | 0 | 0 | 2021-08-31T21:06:02.639Z | 2021-08-31T21:06:02.639Z | 2, 7, 11, 16 |
| 507 | Url Library Proxy Execution via FileProtocolHandler | tanium-signal | 0 | 0 | 2021-08-31T21:06:02.611Z | 2021-08-31T21:06:02.611Z | 2, 7, 11, 16 |
| 506 | Shell32 Library Proxy Execution via ShellExec_RunDLL | tanium-signal | 0 | 0 | 2021-08-31T21:06:02.140Z | 2021-08-31T21:06:02.140Z | 2, 7, 11, 16 |
| 505 | Shdocvw Library Proxy Execution via OpenURL | tanium-signal | 0 | 0 | 2021-08-31T21:06:02.116Z | 2021-08-31T21:06:02.116Z | 2, 7, 11, 16 |
| 504 | Pcwutl Library Proxy Execution via LaunchApplication | tanium-signal | 0 | 0 | 2021-08-31T21:06:01.540Z | 2021-08-31T21:06:01.540Z | 2, 7, 11, 16 |
| 503 | Ieframe Library Proxy Execution via OpenURL | tanium-signal | 0 | 0 | 2021-08-31T21:06:00.862Z | 2021-08-31T21:06:00.862Z | 2, 7, 11, 16 |
| 502 | Reputation Malicious Hashes | reputation | 0 | 0 | 2021-08-19T06:54:59.350Z | 2021-08-19T06:57:47.882Z | |
| 501 | file.yar | yara | 0 | 0 | 2021-07-28T12:37:29.611Z | 2021-07-28T12:37:29.611Z | |
| 500 | file.yar | yara | 0 | 0 | 2021-07-28T12:35:41.367Z | 2021-07-28T12:35:41.367Z | |
| 499 | file.yar | yara | 0 | 0 | 2021-07-28T12:35:39.670Z | 2021-07-28T12:35:39.670Z | |
| 498 | Vssadmin Create Shadow Copy | tanium-signal | 0 | 0 | 2021-07-27T21:56:02.320Z | 2021-07-27T21:56:02.320Z | 2, 8, 16 |
| 497 | Volume Shadow Copy Creation | tanium-signal | 0 | 0 | 2021-07-27T21:56:02.295Z | 2021-07-27T21:56:02.295Z | 2, 8, 16 |
| 496 | Remote Proxy Execution | tanium-signal | 0 | 0 | 2021-07-27T21:56:01.712Z | 2021-07-27T21:56:01.712Z | 2, 7, 11, 16 |
| 495 | Non-Ssms Spawned SQL Client Tools PowerShell Session | tanium-signal | 0 | 0 | 2021-07-27T21:56:01.246Z | 2021-07-27T21:56:01.246Z | 2, 7, 11, 16 |
| 494 | Non-Microsoft Signed Print Spooler Driver | tanium-signal | 0 | 0 | 2021-07-27T21:56:01.227Z | 2021-07-27T21:56:01.227Z | 2, 6, 16 |
| 493 | file.yar | yara | 0 | 0 | 2021-07-27T14:44:32.182Z | 2021-07-27T14:44:32.182Z | |
| 492 | file.yar | yara | 0 | 0 | 2021-07-27T14:44:19.862Z | 2021-07-27T14:44:19.862Z | |
| 491 | file.yar | yara | 0 | 0 | 2021-07-27T14:44:15.595Z | 2021-07-27T14:44:15.595Z | |
| 490 | file.yar | yara | 0 | 0 | 2021-07-27T14:44:13.294Z | 2021-07-27T14:44:13.294Z | |
| 489 | CybOX-re presented Indicator Created from OpenIOC File | stix | 0 | 0 | 2021-07-27T14:42:43.888Z | 2021-07-27T14:42:43.888Z | |

tanium-tr-list-alerts

Returns a list of all alerts.

Base Command

tanium-tr-list-alerts

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of alerts to return. Default is 5. | Optional |
| offset | The offset number to begin listing alerts. | Optional |
| computer_ip_address | Filter alerts by the specified computer IP addresses. | Optional |
| computer_name | Filter alerts by the specified computer name. | Optional |
| scan_config_id | Filter alerts by the specified scan config ID. | Optional |
| intel_doc_id | Filter alerts by the specified intel document ID. | Optional |
| severity | Filter alerts by the specified severity. | Optional |
| priority | Filter alerts by the specified priority. | Optional |
| type | Filter alerts by the specified type. | Optional |
| state | Filter alerts by the specified state. Can be "Unresolved", "In Progress", "Dismissed", "Ignored", or "Resolved". Possible values are: Unresolved, In Progress, Ignored, Resolved, Dismissed. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Tanium.Alert.Priority | String | The priority of the alert. |
| Tanium.Alert.ComputerName | String | The hostname of the computer that generated the alert. |
| Tanium.Alert.GUID | String | A globally unique identifier for this alert in the customer environment. |
| Tanium.Alert.AlertedAt | Date | The moment that the alert was generated. |
| Tanium.Alert.UpdatedAt | Date | The last time the alert state was updated. |
| Tanium.Alert.State | String | The current state of the alert. For example, "unresolved", "inprogress", and so on. |
| Tanium.Alert.ComputerIpAddress | String | The IP address of the computer that generated the alert. |
| Tanium.Alert.Type | String | The name of the alert type. For example, "detect.endpoint.match". |
| Tanium.Alert.ID | Number | The ID of the alert. For example, "123". |
| Tanium.Alert.CreatedAt | Date | The date when the alert was received by the Detect product. |
| Tanium.Alert.IntelDocId | Number | The intel document revision, if intelDocId is present. |
| Tanium.Alert.Severity | String | The severity of the alert. |

Command Example

!tanium-tr-list-alerts limit=2

Context Example

{
"Tanium": {
"Alert": [
{
"AlertedAt": "2019-09-22T14:01:31.000Z",
"ComputerIpAddress": "1.1.1.1",
"ComputerName": "host0",
"CreatedAt": "2019-09-22T14:01:59.768Z",
"GUID": "a33e3482-556e-4e9d-bbbd-2fdbe330d492",
"ID": 1,
"IntelDocId": 64,
"Priority": "high",
"Severity": "info",
"State": "Unresolved",
"Type": "detect.match",
"UpdatedAt": "2021-10-24T01:28:04.275Z"
},
{
"AlertedAt": "2020-02-29T15:29:59.000Z",
"ComputerIpAddress": "1.1.1.1",
"ComputerName": "host0",
"CreatedAt": "2020-02-29T15:30:29.893Z",
"GUID": "626821e1-6b0a-4afb-a1f9-8fb7ef741736",
"ID": 2,
"IntelDocId": 17,
"Priority": "high",
"Severity": "info",
"State": "Unresolved",
"Type": "detect.match",
"UpdatedAt": "2021-10-24T01:28:04.275Z"
}
]
}
}

Human Readable Output

Alerts

| ID | Type | Severity | Priority | Alerted At | Created At | Updated At | Computer Ip Address | Computer Name | GUID | State | Intel Doc Id |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | detect.match | info | high | 2019-09-22T14:01:31.000Z | 2019-09-22T14:01:59.768Z | 2021-10-24T01:28:04.275Z | 1.1.1.1 | host0 | a33e3482-556e-4e9d-bbbd-2fdbe330d492 | Unresolved | 64 |
| 2 | detect.match | info | high | 2020-02-29T15:29:59.000Z | 2020-02-29T15:30:29.893Z | 2021-10-24T01:28:04.275Z | 1.1.1.1 | host0 | 626821e1-6b0a-4afb-a1f9-8fb7ef741736 | Unresolved | 17 |

tanium-tr-get-alert-by-id

Returns an alert object based on alert ID.

Base Command

tanium-tr-get-alert-by-id

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | The alert ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Tanium.Alert.Priority | String | The priority of the alert. |
| Tanium.Alert.ComputerName | String | The hostname of the computer that generated the alert. |
| Tanium.Alert.GUID | String | A globally unique identifier for this alert in the customer environment. |
| Tanium.Alert.AlertedAt | Date | The date when the alert was generated. |
| Tanium.Alert.UpdatedAt | Date | The date when the alert state was last updated. |
| Tanium.Alert.State | String | The current state of the alert. For example, "unresolved", "inprogress". |
| Tanium.Alert.ComputerIpAddress | String | The IP address of the computer that generated the alert. |
| Tanium.Alert.Type | String | The name of the alert type. For example, "detect.endpoint.match". |
| Tanium.Alert.ID | Number | The ID of the alert. For example, "123". |
| Tanium.Alert.CreatedAt | Date | The date when the alert was received by the Detect product. |
| Tanium.Alert.IntelDocId | Number | The intel document revision, if intelDocId is present. |
| Tanium.Alert.Severity | String | The severity of the alert. |

Command Example

!tanium-tr-get-alert-by-id alert_id=1

Context Example

{
"Tanium": {
"Alert": {
"AlertedAt": "2019-09-22T14:01:31.000Z",
"ComputerIpAddress": "1.1.1.1",
"ComputerName": "host0",
"CreatedAt": "2019-09-22T14:01:59.768Z",
"GUID": "a33e3482-556e-4e9d-bbbd-2fdbe330d492",
"ID": 1,
"IntelDocId": 64,
"Priority": "high",
"Severity": "info",
"State": "Unresolved",
"Type": "detect.match",
"UpdatedAt": "2021-10-24T01:28:04.275Z"
}
}
}

Human Readable Output

Alert information

| ID | Type | Severity | Priority | Alerted At | Created At | Updated At | Computer Ip Address | Computer Name | GUID | State | Intel Doc Id |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | detect.match | info | high | 2019-09-22T14:01:31.000Z | 2019-09-22T14:01:59.768Z | 2021-10-24T01:28:04.275Z | 1.1.1.1 | host0 | a33e3482-556e-4e9d-bbbd-2fdbe330d492 | Unresolved | 64 |

tanium-tr-alert-update-state

Updates the state of the specified alerts.

Base Command

tanium-tr-alert-update-state

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_ids | A comma-separated list of alert IDs to update. | Required |
| state | The new state for the alerts. Can be "Unresolved", "In Progress", "Dismissed", "Ignored", or "Resolved". Possible values are: dismissed, unresolved, inprogress, ignored, resolved. | Required |

Context Output

There is no context output for this command.

Command Example

!tanium-tr-alert-update-state alert_ids=1 state=resolved

Human Readable Output

Alert state updated to resolved.

tanium-tr-create-snapshot

Captures a new snapshot by connection ID.

Base Command

tanium-tr-create-snapshot

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| connection_id | The connection ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Tanium.SnapshotTask.connection | String | Connection ID of the snapshot. |
| Tanium.SnapshotTask.startTime | Date | Snapshot start time. |
| Tanium.SnapshotTask.status | String | Snapshot creation task status. |
| Tanium.SnapshotTask.taskId | Number | Snapshot creation task ID. You can get the task status using the `tanium-tr-get-task-by-id` command. |

Command Example

!tanium-tr-create-snapshot connection_id=remote:hostname:123:

Context Example

{
"Tanium": {
"SnapshotTask": {
"connection": "remote:hostname:123:",
"startTime": "2021-10-07T12:22:29.550Z",
"status": "STARTED",
"taskId": 1177
}
}
}

Human Readable Output

Initiated snapshot creation request for remote:hostname:123:. Task id: 1177.

tanium-tr-delete-snapshot

Deletes a snapshot by connection name and snapshot ID.

Base Command

tanium-tr-delete-snapshot

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| snapshot_ids | The snapshot IDs to delete. | Required |

Context Output

There is no context output for this command.

Command Example

!tanium-tr-delete-snapshot snapshot_ids=eda5ddce-0f8c-48e8-8dd5-6aa18681d539,3893fa77-4829-4e48-9364-40a16ad6cc0f

Human Readable Output

Snapshot eda5ddce-0f8c-48e8-8dd5-6aa18681d539,3893fa77-4829-4e48-9364-40a16ad6cc0f deleted successfully.

tanium-tr-list-snapshots

Returns all local snapshots of a single connection.

Base Command

tanium-tr-list-snapshots

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of local snapshots to return. Default is 50. | Optional |
| offset | The offset number to begin listing local snapshots. Default is 0. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Tanium.Snapshot.size | String | The snapshot size. |
| Tanium.Snapshot.created | String | The snapshot creation date. |
| Tanium.Snapshot.completed | String | The snapshot completed date. |
| Tanium.Snapshot.name | String | The snapshot name. |
| Tanium.Snapshot.isUpload | Boolean | Whether the snapshot is an upload. |
| Tanium.Snapshot.evidenceType | String | Evidence type. |
| Tanium.Snapshot.hostname | String | Hostname of the snapshot. |
| Tanium.Snapshot.connectionId | String | The snapshot connection ID. |
| Tanium.Snapshot.recorderVersion | String | Recorder version. |
| Tanium.Snapshot.uuid | String | The snapshot UUID. |

Command Example

!tanium-tr-list-snapshots limit=2

Context Example

{
"Tanium": {
"Snapshot": [
{
"completed": "2021-10-06T06:42:03.260Z",
"connectionId": "remote:hostname:123:",
"created": "2021-10-06T06:40:48.297Z",
"evidenceType": "snapshot",
"hostname": "hostname2",
"isUpload": false,
"name": "host1-1633502448297.db",
"recorderVersion": 2,
"size": 152064000,
"username": "administrator",
"uuid": "832dec40-1cc2-4e53-881a-7f61cba835bc"
},
{
"completed": "2021-10-06T06:43:21.474Z",
"connectionId": "remote:hostname:123:",
"created": "2021-10-06T06:42:07.010Z",
"evidenceType": "snapshot",
"hostname": "hostname1",
"isUpload": false,
"name": "host1-1633502527010.db",
"recorderVersion": 2,
"size": 152064000,
"username": "administrator",
"uuid": "340a3ac4-560d-430f-bd50-96615d763171"
}
]
}
}

Human Readable Output

Snapshots:

| Uuid | Name | Evidence Type | Hostname | Created |
| --- | --- | --- | --- | --- |
| 832dec40-1cc2-4e53-881a-7f61cba835bc | host1-1633502448297.db | snapshot | hostname2 | 2021-10-06T06:40:48.297Z |
| 340a3ac4-560d-430f-bd50-96615d763171 | host2-1633502527010.db | snapshot | hostname1 | 2021-10-06T06:42:07.010Z |

tanium-tr-delete-local-snapshot

Deletes a local snapshot by connection ID.

Base Command

tanium-tr-delete-local-snapshot

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| connection_id | The connection ID. | Required |

Context Output

There is no context output for this command.

Command Example

!tanium-tr-delete-local-snapshot connection_id=remote:hostname:123:

Human Readable Output

Local snapshot of connection remote:hostname:123: was deleted successfully.

tanium-tr-list-connections

Returns all connections.

Base Command

tanium-tr-list-connections

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of connections to return. Default is 50. | Optional |
| offset | The offset number to begin listing connections. Default is 0. | Optional |
| status | Comma-separated list of statuses; only connections with one of those statuses are returned, for example status=connected,waiting. Possible values are: disconnected, timeout, waiting, connected. | Optional |
| ip | Comma-separated list of IPs; only connections with one of those IPs are returned, for example ip=1.1.1.1,1.1.1.1. | Optional |
| platform | Comma-separated list of platforms; only connections on one of those platforms are returned, for example platform=Linux,Windows. | Optional |
| hostname | Comma-separated list of hostnames; only connections with one of those hostnames are returned, for example hostname=host1,host2. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Tanium.Connection.id | String | The connection ID. |
| Tanium.Connection.initiatedAt | Date | Time when the connection was first created. |
| Tanium.Connection.hostname | String | The connection hostname. |
| Tanium.Connection.status | String | Current connection state. |
| Tanium.Connection.platform | String | The connection operating system. |
| Tanium.Connection.ip | String | The connection IP. |
| Tanium.Connection.connectedAt | String | Time when the connection was connected. |
| Tanium.Connection.message | String | The connection message describing the status. |
| Tanium.Connection.personaId | String | The connection persona ID. |
| Tanium.Connection.clientId | String | The client ID. |
| Tanium.Connection.userId | String | The connection user ID. |
| Tanium.Connection.eid | String | The connection eid. |
| Tanium.Connection.hasTools | Boolean | Whether the connection has tools. |

Command Example

!tanium-tr-list-connections

Context Example

{
"Tanium": {
"Connection": [
{
"clientId": "123",
"connectedAt": "2021-09-22T12:08:39.000Z",
"eid": "2",
"hasTools": true,
"hostname": "hostname",
"id": "remote:hostname:123:",
"initiatedAt": "2021-09-22T12:08:35.000Z",
"ip": "1.1.1.1",
"message": "The connection has been disconnected.",
"personaId": 0,
"platform": "Windows",
"status": "disconnected",
"userId": "1"
},
{
"clientId": "11111",
"hostname": "localhost",
"id": "remote:localhost:11111:",
"initiatedAt": "2021-09-09T08:17:38.000Z",
"ip": "1.2.3.4",
"message": "The connection has timed out.",
"personaId": 0,
"platform": "Linux",
"status": "timeout",
"userId": "1"
}
]
}
}

Human Readable Output

Connections

| Id | Status | Hostname | Message | Ip | Platform | Connected At |
| --- | --- | --- | --- | --- | --- | --- |
| remote:hostname:123: | disconnected | hostname | The connection has been disconnected. | 1.1.1.1 | Windows | 2021-09-22T12:08:39.000Z |
| remote:localhost:1111: | timeout | localhost | The connection has timed out. | 1.2.3.4 | Linux | |

tanium-tr-create-connection

Creates a local or remote connection.

Base Command

tanium-tr-create-connection

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| client_id | Client ID. Use tanium-tr-get-system-status to get all possible client_ids. | Required |
| ip | IP address to connect to. Use tanium-tr-get-system-status to get all possible IPs. | Required |
| platform | The computer's platform, for example "Windows" or "Linux". | Required |
| hostname | Hostname of the computer to connect to. Use tanium-tr-get-system-status to get all possible hostnames. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Tanium.Connection.id | String | New connection ID. |

Command Example

!tanium-tr-create-connection client_id=123 ip=1.1.1.1 hostname=host1 platform=Windows

Context Example

{
"Tanium": {
"Connection": {
"id": "remote:host1:123:"
}
}
}

Human Readable Output

Initiated connection request to "remote:host1:123:".

tanium-tr-delete-connection

Deletes a connection by connection ID.

Base Command

tanium-tr-delete-connection

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| connection_id | The connection ID. | Required |

Context Output

There is no context output for this command.

Command Example

!tanium-tr-delete-connection connection_id=remote:host1:123:

Human Readable Output

Connection remote:host1:123: deleted successfully.

tanium-tr-close-connection

Closes a connection by connection ID.

Base Command

tanium-tr-close-connection

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| connection_id | The connection ID. | Required |

Context Output

There is no context output for this command.

Command Example

!tanium-tr-close-connection connection_id=remote:host1:123:

Human Readable Output

Connection remote:host1:123: closed successfully.

tanium-tr-list-labels

Returns all available labels in the system.

Base Command

tanium-tr-list-labels

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of labels to return. Default is 50. | Optional |
| offset | The offset number to begin listing labels. Default is 0. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Tanium.Label.createdAt | Date | The date when this label was created. |
| Tanium.Label.description | String | An extended description of the label. |
| Tanium.Label.id | Number | The unique identifier for this label. |
| Tanium.Label.indicatorCount | Number | The number of indicator-based intel documents associated with this label, not including Tanium Signals. |
| Tanium.Label.name | String | The display name of the label. |
| Tanium.Label.signalCount | Number | The number of Tanium Signal documents associated with this label. |
| Tanium.Label.updatedAt | Date | The date when this label was last updated, not including the intel and signal counts. |

Command Example

!tanium-tr-list-labels limit=2

Context Example

{
"Tanium": {
"Label": [
{
"createdAt": "2019-07-31T18:46:28.629Z",
"description": "These signals have been tested and reviewed internally for syntax. Little or no testing of expected alert generation has been conducted. These signals are not included on the external feed.",
"id": 1,
"indicatorCount": 0,
"name": "Alpha",
"signalCount": 0,
"updatedAt": "2019-07-31T18:46:28.629Z"
},
{
"createdAt": "2019-07-31T18:46:28.629Z",
"description": "These signals have been tested and reviewed internally for syntax. Internal testing of expected alert generation has been verified. Testing on internal systems for false positives has been conducted and tuned if necessary. These signals are included on the external feed.",
"id": 2,
"indicatorCount": 0,
"name": "Beta",
"signalCount": 420,
"updatedAt": "2019-07-31T18:46:28.629Z"
}
]
}
}

Human Readable Output

Labels

| Name | Description | Id | Indicator Count | Signal Count | Created At | Updated At |
| --- | --- | --- | --- | --- | --- | --- |
| Alpha | These signals have been tested and reviewed internally for syntax. Little or no testing of expected alert generation has been conducted. These signals are not included on the external feed. | 1 | 0 | 0 | 2019-07-31T18:46:28.629Z | 2019-07-31T18:46:28.629Z |
| Beta | These signals have been tested and reviewed internally for syntax. Internal testing of expected alert generation has been verified. Testing on internal systems for false positives has been conducted and tuned if necessary. These signals are included on the external feed. | 2 | 0 | 420 | 2019-07-31T18:46:28.629Z | 2019-07-31T18:46:28.629Z |

tanium-tr-get-label-by-id

Returns a label object based on label ID.

Base Command

tanium-tr-get-label-by-id

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| label_id | The label ID. (Use the tanium-tr-intel-docs-labels-list command to get the available label IDs.) | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Tanium.Label.createdAt | Date | The date when this label was created. |
| Tanium.Label.description | String | An extended description of the label. |
| Tanium.Label.id | Number | The unique identifier for this label. |
| Tanium.Label.indicatorCount | Number | The number of indicator-based intel documents associated with this label, not including Tanium Signals. |
| Tanium.Label.name | String | The display name of the label. |
| Tanium.Label.signalCount | Number | The number of Tanium Signal documents associated with this label. |
| Tanium.Label.updatedAt | Date | The date this label was last updated, not including the intel and signal counts. |

Command Example

!tanium-tr-get-label-by-id label_id=1

Context Example

{
"Tanium": {
"Label": {
"createdAt": "2019-07-31T18:46:28.629Z",
"description": "These signals have been tested and reviewed internally for syntax. Little or no testing of expected alert generation has been conducted. These signals are not included on the external feed.",
"id": 1,
"indicatorCount": 0,
"name": "Alpha",
"signalCount": 0,
"updatedAt": "2019-07-31T18:46:28.629Z"
}
}
}

Human Readable Output

Label information

| Name | Description | Id | Indicator Count | Signal Count | Created At | Updated At |
| --- | --- | --- | --- | --- | --- | --- |
| Alpha | These signals have been tested and reviewed internally for syntax. Little or no testing of expected alert generation has been conducted. These signals are not included on the external feed. | 1 | 0 | 0 | 2019-07-31T18:46:28.629Z | 2019-07-31T18:46:28.629Z |

tanium-tr-list-file-downloads

Returns all downloaded files in the system.

Base Command

tanium-tr-list-file-downloads

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of files to return. Default is 50. | Optional |
| offset | Offset to start getting file downloads. Default is 0. | Optional |
| sort | Column to sort by. | Optional |
| hostname | Comma-separated list of hostnames; only downloaded files from those hostnames are returned, for example hostname=host1,host2. | Optional |
| hash | Comma-separated list of hashes; only downloaded files with those hashes are returned, for example hash=123,456. | Optional |
| process_time_start | Only downloaded files whose process time start matches are returned, for example process_time_start=2019-09-03T17:51:40.000Z. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Tanium.FileDownload.size | Number | The size of the file, in bytes. |
| Tanium.FileDownload.path | String | The path of the file. |
| Tanium.FileDownload.downloaded | Date | The date when this file was downloaded. |
| Tanium.FileDownload.hostname | String | The hostname of the downloaded file. |
| Tanium.FileDownload.processCreationTime | Date | The date when the file was created. |
| Tanium.FileDownload.hash | String | The file hash. |
| Tanium.FileDownload.uuid | Number | The downloaded file UUID. |
| Tanium.FileDownload.lastModified | Date | The date when the file was last modified. |
| Tanium.FileDownload.createdBy | String | The user that created this file. |
| Tanium.FileDownload.createdByProc | String | The process path that created this file. |
| Tanium.FileDownload.lastModifiedBy | String | The user that last modified this file. |
| Tanium.FileDownload.lastModifiedByProc | String | The process path that modified this file. |
| Tanium.FileDownload.evidenceType | String | The evidence type - file. |

Command Example

!tanium-tr-list-file-downloads limit=2

Context Example

{
"Tanium": {
"FileDownload": [
{
"downloaded": "2020-01-15 13:04:02.827",
"evidenceType": "file",
"hash": "99297a0e626ca092ff1884ad28f54453",
"hostname": "host1",
"lastModified": "2020-01-15T08:57:19.000Z",
"path": "C:\\Program Files (x86)\\log1.txt",
"processCreationTime": "2019-09-03T17:51:40.000Z",
"size": 10485904,
"uuid": "c0531415-87a6-4d28-a226-b485784b1881"
},
{
"downloaded": "2020-01-15 18:17:10.595",
"evidenceType": "file",
"hash": "7d1677decbfaf1598ccd745fc197eb1c",
"hostname": "host2",
"lastModified": "2020-01-13T13:11:35.000Z",
"path": "C:\\Program Files (x86)\\log8.txt",
"processCreationTime": "2019-09-03T17:51:40.000Z",
"size": 10485940,
"uuid": "3043ef9c-78a9-4f19-8fb9-ddbab202d03b"
}
]
}
}

Human Readable Output#

File downloads#

| Uuid | Path | Evidence Type | Hostname | Process Creation Time | Size |
| --- | --- | --- | --- | --- | --- |
| c0531415-87a6-4d28-a226-b485784b1881 | C:\Program Files (x86)\log1.txt | file | host1 | 2019-09-03T17:51:40.000Z | 10485904 |
| 3043ef9c-78a9-4f19-8fb9-ddbab202d03b | C:\Program Files (x86)\log8.txt | file | host2 | 2019-09-03T17:51:40.000Z | 10485940 |

tanium-tr-get-downloaded-file#


Gets the actual content of a downloaded file by file ID. Downloaded file password: infected.

Base Command#

tanium-tr-get-downloaded-file

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| file_id | The file ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| File.EntryID | String | File entry ID. |
| File.Extension | String | The extension of the file. |
| File.Info | String | Information about the file. |
| File.MD5 | String | The MD5 hash of the file. |
| File.Name | String | The name of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.SHA512 | String | The SHA512 hash of the file. |
| File.SSDeep | String | The SSDeep hash of the file (same as displayed in file entries). |
| File.Size | Number | The size of the file in bytes. |
| File.Type | String | The file type. |

Command Example#

!tanium-tr-get-downloaded-file file_id=c0531415-87a6-4d28-a226-b485784b1881

Context Example#

{
"File": {
"EntryID": "7608@e99f97d1-7225-4c75-896c-3c960febbe8c",
"Extension": "zip",
"Info": "application/zip",
"MD5": "217cac2e10c1d11ed55ab2ede6bdb0ea",
"Name": "c0531415-87a6-4d28-a226-b485784b1881.zip",
"SHA1": "20808150526b092f5e4e19c82af2e9b2a1303e89",
"SHA256": "40c605face875cd53f07c1301ffc9fce0ed5b12a65c729fe73895e44cdcdebdf",
"SHA512": "50415634cae426da763a39532f3d22eeea5a79a8868044f6b3ffca8b528cce92cbe9f4d7b98d6d1cb49a705f3182b2c43f84f628acd748fb78e6cca85939b10c",
"SSDeep": "12288:npzKFzLrU/2fzXVPkrnjuYyTNW+o4T5SD7BDy6PFP8NjglLSAK:npeFzLI/6FknjuY4nojJm6NP8NjQi",
"Size": 598728,
"Type": "Zip archive data, at least v2.0 to extract"
}
}

Human Readable Output#

tanium-tr-list-events-by-connection#


Queries events for a connection.

Base Command#

tanium-tr-list-events-by-connection

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| connection_id | The connection ID. | Required |
| type | The type of event. Can be "File", "Network", "Registry", "Process", "Driver", "Combined", "DNS", or "Image". The default is "Combined". Possible values are: File, Network, Registry, Process, Driver, Combined, DNS, Image. Default is combined. | Required |
| limit | The maximum number of events to return. Default is 50. | Optional |
| offset | Offset to start getting the result set. Default is 0. | Optional |
| filter | Advanced search that filters according to event fields. For example: [['process_id', 'gt', '30'], ['username', 'ne', 'administrator']]. Optional fields: process_id, process_name, process_hash, process_command_line, username, create_time (UTC). Optional operators: eq (equals), ne (does not equal); for integers/dates: gt (greater than), gte (greater than or equals), ls (less than), lse (less than or equals); for strings: co (contains), nc (does not contain). | Optional |
| match | Whether the results must satisfy all filters or at least one filter. Possible values are: all, any. Default is all. | Optional |
| sort | A comma-separated list of fields to sort on, each prefixed by +/- for ascending or descending and ordered by priority from left to right. Optional fields: process_id, process_name, process_hash, process_command_line, username, create_time (UTC). | Optional |
| fields | A comma-separated list of fields on which to search. Optional fields: process_id, process_name, process_hash, process_command_line, username, create_time. | Optional |
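The filter, match and sort arguments above form a small grammar that is easy to get wrong in a playbook. The following added example (not code from the Tanium Threat Response v2 integration) models that grammar in Python: it validates a filter expression against the documented fields and operators, applies it to sample events with match=all or match=any, and orders them by a sort string such as -create_time,+process_id. The sample events are constructed and keyed by the filter field names; how Tanium maps those names onto its own event columns is not shown on this page and is not assumed here.

```python
import ast
from datetime import datetime
from typing import Any, Dict, List, Tuple

# Fields and operators exactly as the argument table lists them for `filter`.
FILTER_FIELDS = {"process_id", "process_name", "process_hash",
                 "process_command_line", "username", "create_time"}
ORDERED_FIELDS = {"process_id", "create_time"}   # integer / UTC date fields
ORDER_OPS = {"gt", "gte", "ls", "lse"}           # integers and dates only
CONTAINS_OPS = {"co", "nc"}                      # strings only
ALL_OPS = {"eq", "ne"} | ORDER_OPS | CONTAINS_OPS

Clause = Tuple[str, str, str]


def _coerce(field: str, value: Any) -> Any:
    """Convert a literal or record value into the type `field` is compared in."""
    if field == "process_id":
        return int(value)
    if field == "create_time":
        # ISO 8601 UTC as used throughout the page, e.g. 2019-09-03T17:51:40.000Z
        return datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    return str(value)


def parse_filter(filter_arg: str) -> List[Clause]:
    """Parse the argument text, e.g. "[['process_id', 'gt', '30'], ['username', 'ne', 'administrator']]",
    rejecting any field, operator or field/operator pairing the table does not allow."""
    try:
        raw = ast.literal_eval(filter_arg)  # literals only: never eval() user input
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"filter is not a literal list: {exc}") from exc
    clauses: List[Clause] = []
    for item in raw:
        if not isinstance(item, (list, tuple)) or len(item) != 3:
            raise ValueError(f"clause must be [field, operator, value]: {item!r}")
        field, op, value = (str(x) for x in item)
        if field not in FILTER_FIELDS:
            raise ValueError(f"unknown filter field {field!r}")
        if op not in ALL_OPS:
            raise ValueError(f"unknown operator {op!r}")
        if op in ORDER_OPS and field not in ORDERED_FIELDS:
            raise ValueError(f"{op} applies only to integer/date fields, not {field!r}")
        if op in CONTAINS_OPS and field in ORDERED_FIELDS:
            raise ValueError(f"{op} applies only to string fields, not {field!r}")
        _coerce(field, value)  # fail early on e.g. process_id 'abc'
        clauses.append((field, op, value))
    return clauses


def _holds(clause: Clause, record: Dict[str, Any]) -> bool:
    field, op, literal = clause
    if field not in record:
        return False
    actual, expected = _coerce(field, record[field]), _coerce(field, literal)
    if op in CONTAINS_OPS:
        return (expected in actual) == (op == "co")
    return {"eq": actual == expected, "ne": actual != expected,
            "gt": actual > expected, "gte": actual >= expected,
            "ls": actual < expected, "lse": actual <= expected}[op]


def apply_filter(records: List[Dict[str, Any]], filter_arg: str, match: str = "all"):
    """Keep records satisfying every clause (match=all) or at least one (match=any)."""
    if match not in ("all", "any"):
        raise ValueError("match must be 'all' or 'any'")
    clauses = parse_filter(filter_arg)
    combine = all if match == "all" else any
    return [r for r in records if combine(_holds(c, r) for c in clauses)]


def parse_sort(sort_arg: str) -> List[Tuple[str, bool]]:
    """'-create_time,+process_id' -> [('create_time', True), ('process_id', False)]
    as (field, descending), leftmost first. A missing prefix is read as ascending."""
    keys = []
    for item in filter(None, (s.strip() for s in sort_arg.split(","))):
        descending = item[0] == "-"
        field = item[1:] if item[0] in "+-" else item
        if field not in FILTER_FIELDS:
            raise ValueError(f"unknown sort field {field!r}")
        keys.append((field, descending))
    return keys


def apply_sort(records: List[Dict[str, Any]], sort_arg: str):
    """Sort by the leftmost key first; keys further right only break ties."""
    out = list(records)
    # list.sort is stable, so applying the lowest-priority key first yields the
    # left-to-right priority the argument description promises.
    for field, descending in reversed(parse_sort(sort_arg)):
        out.sort(key=lambda r, f=field: _coerce(f, r[f]), reverse=descending)
    return out


# Constructed sample events keyed by the filter field names; values follow the
# formats used on this page (integer process_id, ISO 8601 UTC create_time).
SAMPLE_EVENTS = [
    {"process_id": 736, "process_name": "t.exe", "username": "LOCAL SERVICE",
     "process_hash": "0" * 32, "process_command_line": "C:\\Windows\\t.exe",
     "create_time": "2021-07-18T07:28:04.007Z"},
    {"process_id": 3648, "process_name": "test.exe", "username": "LOCAL SERVICE",
     "process_hash": "1" * 32, "process_command_line": "C:\\test.exe -Embedding",
     "create_time": "2021-07-09T12:38:19.372Z"},
    {"process_id": 5284, "process_name": "LogonUI.exe", "username": "SYSTEM",
     "process_hash": "2" * 32, "process_command_line": "\"LogonUI.exe\" /flags:0x0",
     "create_time": "2021-07-18T07:26:12.820Z"},
    {"process_id": 28, "process_name": "svc.exe", "username": "administrator",
     "process_hash": "3" * 32, "process_command_line": "svc.exe",
     "create_time": "2021-07-01T00:00:00.000Z"},
]
```

Running the page's own example filter over SAMPLE_EVENTS with match=all keeps the three events whose process_id exceeds 30 and whose username is not administrator; switching to match=any widens the result to every event that satisfies either clause.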

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| TaniumEvent.id | String | The ID of the event. |
| TaniumEvent.groupName | String | The group name of the event. |
| TaniumEvent.file | String | The path of the file in the event. |
| TaniumEvent.operation | String | The event operation. |
| TaniumEvent.processId | Number | The ID of the process. |
| TaniumEvent.pid | Number | The ID of the process. |
| TaniumEvent.processPath | String | The path of the process. |
| TaniumEvent.processTableId | Number | The ID of the process table. |
| TaniumEvent.timestamp | Date | The date when the event was created. |
| TaniumEvent.userName | String | The username associated with the event. |
| TaniumEvent.remoteAddress | String | The network event destination address. |
| TaniumEvent.remoteAddressPort | Number | The network event destination port. |
| TaniumEvent.localAddress | String | The network event source address. |
| TaniumEvent.localAddressPort | Number | The network event source port. |
| TaniumEvent.keyPath | String | The registry key path. |
| TaniumEvent.valueName | String | The registry value name. |
| TaniumEvent.exitCode | Number | The process exit code. |
| TaniumEvent.processCommandLine | String | The process command line. |
| TaniumEvent.parentCommandLine | String | The parent command line. |
| TaniumEvent.processHash | String | The hash value of the process. |
| TaniumEvent.hashes | String | The hashes of the driver. |
| TaniumEvent.imageLoaded | String | The image loaded path of the driver. |
| TaniumEvent.signature | String | The signature of the driver. |
| TaniumEvent.signed | Boolean | Whether the driver is signed. |
| TaniumEvent.eventId | Number | The ID of the event. |
| TaniumEvent.eventOpcode | Number | The event opcode. |
| TaniumEvent.eventRecordId | Number | The ID of the event record. |
| TaniumEvent.eventTaskId | Number | The ID of the event task. |
| TaniumEvent.query | String | The query of the DNS. |
| TaniumEvent.response | String | The response of the DNS. |
| TaniumEvent.imagePath | String | The image path. |
| TaniumEvent.createTime | Date | The process creation time. |
| TaniumEvent.endTime | Date | The process end time. |
| TaniumEvent.eventTaskName | String | The name of the event task. |
| TaniumEvent.hash | String | The process hash. |

Command Example#

!tanium-tr-list-events-by-connection connection_id=remote:hostname:123: type=File limit=2

Context Example#

{
"TaniumEvent": [
{
"eventOperationId": 0,
"file": "C:\\Windows\\f1.dat",
"groupName": "NT AUTHORITY",
"id": "4611686018470089188",
"operation": "Create",
"pid": 736,
"processPath": "C:\\Windows\\t.exe",
"processTableId": "72057594038528503",
"timestamp": "2021-07-18 07:28:04.007",
"timestampRaw": 1626593284007,
"userName": "LOCAL SERVICE"
},
{
"eventOperationId": 1,
"file": "C:\\Windows\\f2.dat",
"groupName": "NT AUTHORITY",
"id": "4611686018470089189",
"operation": "Write",
"pid": 736,
"processPath": "C:\\Windows\\d.exe",
"processTableId": "72057594038528503",
"timestamp": "2021-07-18 07:28:04.007",
"timestampRaw": 1626593284007,
"userName": "LOCAL SERVICE"
}
]
}

Human Readable Output#

Events for remote:hostname:123:#

| Id | File | Timestamp | Process Table Id | Process Path | User Name |
| --- | --- | --- | --- | --- | --- |
| 4611686018470089188 | C:\Windows\f1.dat | 2021-07-18 07:28:04.007 | 72057594038528503 | C:\Windows\t.exe | LOCAL SERVICE |
| 4611686018470089189 | C:\Windows\f2.dat | 2021-07-18 07:28:04.007 | 72057594038528503 | C:\Windows\d.exe | LOCAL SERVICE |

tanium-tr-get-file-download-info#


Gets the metadata of a file download.

Base Command#

tanium-tr-get-file-download-info

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| file_id | File download ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Tanium.FileDownload.size | Number | The size of the file, in bytes. |
| Tanium.FileDownload.path | String | The path of the file. |
| Tanium.FileDownload.downloaded | Date | The date when this file was downloaded. |
| Tanium.FileDownload.hostname | String | The hostname of the downloaded file. |
| Tanium.FileDownload.processCreationTime | Date | The date when the file was created. |
| Tanium.FileDownload.hash | String | The file hash. |
| Tanium.FileDownload.uuid | Number | The downloaded file UUID. |
| Tanium.FileDownload.lastModified | Date | The date when the file was last modified. |
| Tanium.FileDownload.createdBy | String | The user that created this file. |
| Tanium.FileDownload.createdByProc | String | The process path that created this file. |
| Tanium.FileDownload.lastModifiedBy | String | The user that last modified this file. |
| Tanium.FileDownload.lastModifiedByProc | String | The process path that modified this file. |
| Tanium.FileDownload.evidenceType | String | The evidence type - file. |

Command Example#

!tanium-tr-get-file-download-info file_id=c0531415-87a6-4d28-a226-b485784b1881

Context Example#

{
"Tanium": {
"FileDownload": {
"downloaded": "2020-01-15 13:04:02.827",
"evidenceType": "file",
"hash": "123456789",
"hostname": "host1",
"lastModified": "2020-01-15T08:57:19.000Z",
"path": "C:\\log1.txt",
"processCreationTime": "2019-09-03T17:51:40.000Z",
"size": 10485904,
"uuid": "c0531415-87a6-4d28-a226-b485784b1881"
}
}
}

Human Readable Output#

File download#

| Uuid | Path | Evidence Type | Hostname | Process Creation Time | Size |
| --- | --- | --- | --- | --- | --- |
| c0531415-87a6-4d28-a226-b485784b1881 | C:\log1.txt | file | host1 | 2019-09-03T17:51:40.000Z | 10485904 |

tanium-tr-get-process-info#


Get information for a process.

Base Command#

tanium-tr-get-process-info

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| connection_id | The connection ID. | Required |
| ptid | The process table ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Tanium.ProcessInfo.childrenCount | Number | Number of process children. |
| Tanium.ProcessInfo.context | String | Process tree context. |
| Tanium.ProcessInfo.createTime | Date | Time when the process was created. |
| Tanium.ProcessInfo.createTimeRaw | Date | Timestamp when the process was created. |
| Tanium.ProcessInfo.dnsEventsCount | Number | Number of DNS events in the process. |
| Tanium.ProcessInfo.driverEventsCount | Number | Number of Driver events in the process. |
| Tanium.ProcessInfo.endTime | Date | Process termination time. |
| Tanium.ProcessInfo.endTimeRaw | Date | Process termination timestamp. |
| Tanium.ProcessInfo.exitCode | Number | Process exit code. |
| Tanium.ProcessInfo.fileEventsCount | Number | Number of File events in the process. |
| Tanium.ProcessInfo.groupName | String | Process group name. |
| Tanium.ProcessInfo.hashTypeName | String | Hash type. |
| Tanium.ProcessInfo.id | String | Process ID in the Tanium system. |
| Tanium.ProcessInfo.imageEventsCount | Number | Number of Image events in the process. |
| Tanium.ProcessInfo.networkEventsCount | Number | Number of network events in the process. |
| Tanium.ProcessInfo.parentProcessTableId | String | Parent process table ID. |
| Tanium.ProcessInfo.pid | Number | The ID of the process. |
| Tanium.ProcessInfo.processEventsCount | Number | Number of process events in the process. |
| Tanium.ProcessInfo.processHash | String | Process hash. |
| Tanium.ProcessInfo.processPath | String | The process path. |
| Tanium.ProcessInfo.processTableId | String | The ID of the process table. |
| Tanium.ProcessInfo.registryEventsCount | Number | Number of registry events in the process. |
| Tanium.ProcessInfo.securityEventsCount | Number | Number of security events in the process. |
| Tanium.ProcessInfo.uniqueProcessId | String | Unique process ID. |
| Tanium.ProcessInfo.userName | String | The username who created the process. |

Command Example#

!tanium-tr-get-process-info ptid=72057594038510321 connection_id=remote:hostname:123:

Context Example#

{
"Tanium": {
"ProcessInfo": {
"childrenCount": 0,
"context": "node",
"createTime": "2021-07-09 12:38:19.372",
"createTimeRaw": 1625834299372,
"dnsEventsCount": 0,
"driverEventsCount": 0,
"endTime": "2021-07-09 12:39:49.413",
"endTimeRaw": 1625834389413,
"exitCode": 0,
"fileEventsCount": 0,
"groupName": "NT AUTHORITY",
"hashTypeName": "MD5",
"id": "72057594038510321",
"imageEventsCount": 0,
"networkEventsCount": 0,
"parentProcessTableId": "72057594038528485",
"pid": 3648,
"processEventsCount": 1,
"processHash": "e1bce838cd2695999ab34215bf94b501",
"processPath": "C:\\test.exe",
"processTableId": "72057594038510321",
"registryEventsCount": 0,
"securityEventsCount": 0,
"uniqueProcessId": "-8410859473941295552",
"userName": "LOCAL SERVICE"
}
}
}

Human Readable Output#

Process information for process with PTID 72057594038510321#

| Pid | Process Table Id | Parent Process Table Id | Process Path |
| --- | --- | --- | --- |
| 3648 | 72057594038510321 | 72057594038528485 | C:\test.exe |

tanium-tr-get-events-by-process#


Gets the events for a process.

Base Command#

tanium-tr-get-events-by-process

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| connection_id | The connection name. | Required |
| ptid | The process instance ID. | Required |
| type | The type of event. Can be "File", "Network", "Registry", "Process", "Driver", "Combined", "DNS", or "Image". The default is "Combined". Possible values are: File, Network, Registry, Process, Driver, Combined, DNS, Image. Default is combined. | Required |
| limit | The maximum number of events to return. Default is 50. | Optional |
| offset | The offset number to begin listing events. Default is 0. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Tanium.ProcessEvent.id | Number | The ID of the event. |
| Tanium.ProcessEvent.detail | Unknown | The event details. |
| Tanium.ProcessEvent.operation | String | The event operation. |
| Tanium.ProcessEvent.timestamp | Date | Time when the event was created. |
| Tanium.ProcessEvent.type | String | The event type. |

Command Example#

!tanium-tr-get-events-by-process connection_id=remote:hostname:123: type=Process ptid=72057594038528485 limit=2

Context Example#

{
"Tanium": {
"ProcessEvent": [
{
"detail": "4428: C:\\test.exe",
"id": "72057594038510294",
"operation": "CreateChild",
"timestamp": "2021-07-09 12:20:05.490",
"timestampRaw": 1625833205490,
"type": "Process"
},
{
"detail": "1792: C:\\test.exe",
"id": "72057594038510295",
"operation": "CreateChild",
"timestamp": "2021-07-09 12:20:05.541",
"timestampRaw": 1625833205541,
"type": "Process"
}
]
}
}

Human Readable Output#

Events for process 72057594038528485#

| Id | Detail | Type | Timestamp | Operation |
| --- | --- | --- | --- | --- |
| 72057594038510294 | 4428: C:\test.exe | Process | 2021-07-09 12:20:05.490 | CreateChild |
| 72057594038510295 | 1792: C:\test.exe | Process | 2021-07-09 12:20:05.541 | CreateChild |

tanium-tr-get-process-children#


Gets the children of this process instance.

Base Command#

tanium-tr-get-process-children

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| connection_id | The connection ID. | Required |
| ptid | The process table ID. | Required |
| limit | The maximum number of entries to return. Default is 50. | Optional |
| offset | The offset number to begin listing entries. Default is 0. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Tanium.ProcessChildren.childrenCount | Number | Number of process children. |
| Tanium.ProcessChildren.context | String | Process tree context. |
| Tanium.ProcessChildren.createTime | Date | Time when the process was created. |
| Tanium.ProcessChildren.createTimeRaw | Date | Timestamp when the process was created. |
| Tanium.ProcessChildren.dnsEventsCount | Number | Number of DNS events in the process. |
| Tanium.ProcessChildren.driverEventsCount | Number | Number of Driver events in the process. |
| Tanium.ProcessChildren.endTime | Date | Process termination time. |
| Tanium.ProcessChildren.endTimeRaw | Date | Process termination timestamp. |
| Tanium.ProcessChildren.exitCode | Number | Process exit code. |
| Tanium.ProcessChildren.fileEventsCount | Number | Number of File events in the process. |
| Tanium.ProcessChildren.groupName | String | Process group name. |
| Tanium.ProcessChildren.hashTypeName | String | Hash type. |
| Tanium.ProcessChildren.id | String | Process ID in the Tanium system. |
| Tanium.ProcessChildren.imageEventsCount | Number | Number of Image events in the process. |
| Tanium.ProcessChildren.networkEventsCount | Number | Number of network events in the process. |
| Tanium.ProcessChildren.parentProcessTableId | String | Parent process table ID. |
| Tanium.ProcessChildren.pid | Number | The ID of the process. |
| Tanium.ProcessChildren.processEventsCount | Number | Number of process events in the process. |
| Tanium.ProcessChildren.processHash | String | Process hash. |
| Tanium.ProcessChildren.processPath | String | The process path. |
| Tanium.ProcessChildren.processTableId | String | The ID of the process table. |
| Tanium.ProcessChildren.registryEventsCount | Number | Number of registry events in the process. |
| Tanium.ProcessChildren.securityEventsCount | Number | Number of security events in the process. |
| Tanium.ProcessChildren.uniqueProcessId | String | Unique process ID. |
| Tanium.ProcessChildren.userName | String | The username who created the process. |

Command Example#

!tanium-tr-get-process-children connection_id=remote:hostname:123: ptid=72057594038528485

Context Example#

{
"Tanium": {
"ProcessChildren": [
{
"childrenCount": 0,
"context": "child",
"createTime": "2021-07-18 07:26:12.820",
"createTimeRaw": 1626593172820,
"dnsEventsCount": 0,
"driverEventsCount": 0,
"endTime": "2021-07-18 07:26:13.483",
"endTimeRaw": 1626593173483,
"exitCode": 0,
"fileEventsCount": 0,
"groupName": "NT AUTHORITY",
"hashTypeName": "MD5",
"id": "72057594038528483",
"imageEventsCount": 0,
"networkEventsCount": 0,
"parentProcessTableId": "72057594038528485",
"pid": 5284,
"processCommandLine": "\"Logon.exe\" /flags:0x0 /state0:0xa3856855 /state1:0x41c64e6d",
"processEventsCount": 1,
"processHash": "b38dfcf985d8ae5b1a17c264981e61c7",
"processPath": "C:\\Logon1.exe",
"processTableId": "72057594038528483",
"registryEventsCount": 39,
"securityEventsCount": 0,
"uniqueProcessId": "-5151524022684478300",
"userName": "SYSTEM"
},
{
"childrenCount": 0,
"context": "child",
"createTime": "2021-07-18 07:25:43.456",
"createTimeRaw": 1626593143456,
"dnsEventsCount": 0,
"driverEventsCount": 0,
"endTime": "2021-07-18 07:26:56.000",
"endTimeRaw": 1626593216000,
"fileEventsCount": 0,
"groupName": "NT AUTHORITY",
"hashTypeName": "MD5",
"id": "72057594038528482",
"imageEventsCount": 0,
"networkEventsCount": 0,
"parentProcessTableId": "72057594038528485",
"pid": 2856,
"processCommandLine": "C:\\test.exe -secured -Embedding",
"processEventsCount": 1,
"processHash": "e1bce838cd2695999ab34215bf94b501",
"processPath": "C:\\test.exe",
"processTableId": "72057594038528482",
"registryEventsCount": 0,
"securityEventsCount": 0,
"uniqueProcessId": "-5151647460044567768",
"userName": "LOCAL SERVICE"
}
]
}
}

Human Readable Output#

Children for process with PTID 72057594038528485#

| Pid | Process Table Id | Parent Process Table Id |
| --- | --- | --- |
| 5284 | 72057594038528483 | 72057594038528485 |
| 2856 | 72057594038528482 | 72057594038528485 |

tanium-tr-get-parent-process#


Gets information for the parent process.

Base Command#

tanium-tr-get-parent-process

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| connection_id | The connection ID. | Required |
| ptid | The process table ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Tanium.ProcessParent.childrenCount | Number | Number of process children. |
| Tanium.ProcessParent.context | String | Process tree context. |
| Tanium.ProcessParent.createTime | Date | Time when the process was created. |
| Tanium.ProcessParent.createTimeRaw | Date | Timestamp when the process was created. |
| Tanium.ProcessParent.dnsEventsCount | Number | Number of DNS events in the process. |
| Tanium.ProcessParent.driverEventsCount | Number | Number of Driver events in the process. |
| Tanium.ProcessParent.endTime | Date | Process termination time. |
| Tanium.ProcessParent.endTimeRaw | Date | Process termination timestamp. |
| Tanium.ProcessParent.exitCode | Number | Process exit code. |
| Tanium.ProcessParent.fileEventsCount | Number | Number of File events in the process. |
| Tanium.ProcessParent.groupName | String | Process group name. |
| Tanium.ProcessParent.hashTypeName | String | Hash type. |
| Tanium.ProcessParent.id | String | Process ID in the Tanium system. |
| Tanium.ProcessParent.imageEventsCount | Number | Number of Image events in the process. |
| Tanium.ProcessParent.networkEventsCount | Number | Number of network events in the process. |
| Tanium.ProcessParent.parentProcessTableId | String | Parent process table ID. |
| Tanium.ProcessParent.pid | Number | The ID of the process. |
| Tanium.ProcessParent.processEventsCount | Number | Number of process events in the process. |
| Tanium.ProcessParent.processHash | String | Process hash. |
| Tanium.ProcessParent.processPath | String | The process path. |
| Tanium.ProcessParent.processTableId | String | The ID of the process table. |
| Tanium.ProcessParent.registryEventsCount | Number | Number of registry events in the process. |
| Tanium.ProcessParent.securityEventsCount | Number | Number of security events in the process. |
| Tanium.ProcessParent.uniqueProcessId | String | Unique process ID. |
| Tanium.ProcessParent.userName | String | The username who created the process. |

Command Example#

!tanium-tr-get-parent-process connection_id=remote:hostname:123: ptid=72057594038510321

Context Example#

{
"Tanium": {
"ProcessParent": {
"childrenCount": 5664,
"context": "parent",
"createTime": "2021-07-18 07:26:55.000",
"createTimeRaw": 1626593215000,
"dnsEventsCount": 0,
"driverEventsCount": 0,
"fileEventsCount": 0,
"id": "72057594038528485",
"imageEventsCount": 0,
"networkEventsCount": 0,
"parentProcessTableId": "0",
"pid": -2,
"processEventsCount": 1,
"processPath": "<Pruned Process>",
"processTableId": "72057594038528485",
"registryEventsCount": 0,
"securityEventsCount": 0,
"uniqueProcessId": "-5151340193789247490"
}
}
}

Human Readable Output#

Parent process for process with PTID 72057594038510321#

| Id | Pid | Process Table Id | Parent Process Table Id |
| --- | --- | --- | --- |
| 72057594038528485 | -2 | 72057594038528485 | 0 |

tanium-tr-get-process-tree#


Gets the process tree for the process instance.

Base Command#

tanium-tr-get-process-tree

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| connection_id | The connection ID. | Required |
| ptid | The process instance ID. | Required |
| context | The process context. Can be parent, node, siblings, children. Possible values are: parent, node, siblings, children. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Tanium.ProcessTree.childrenCount | Number | Number of process children. |
| Tanium.ProcessTree.context | String | Process tree context. |
| Tanium.ProcessTree.createTime | Date | Time when the process was created. |
| Tanium.ProcessTree.createTimeRaw | Date | Timestamp when the process was created. |
| Tanium.ProcessTree.dnsEventsCount | Number | Number of DNS events in the process. |
| Tanium.ProcessTree.driverEventsCount | Number | Number of Driver events in the process. |
| Tanium.ProcessTree.endTime | Date | Process termination time. |
| Tanium.ProcessTree.endTimeRaw | Date | Process termination timestamp. |
| Tanium.ProcessTree.exitCode | Number | Process exit code. |
| Tanium.ProcessTree.fileEventsCount | Number | Number of File events in the process. |
| Tanium.ProcessTree.groupName | String | Process group name. |
| Tanium.ProcessTree.hashTypeName | String | Hash type. |
| Tanium.ProcessTree.id | String | Process ID in the Tanium system. |
| Tanium.ProcessTree.imageEventsCount | Number | Number of Image events in the process. |
| Tanium.ProcessTree.networkEventsCount | Number | Number of network events in the process. |
| Tanium.ProcessTree.parentProcessTableId | String | Parent process table ID. |
| Tanium.ProcessTree.pid | Number | The ID of the process. |
| Tanium.ProcessTree.processEventsCount | Number | Number of process events in the process. |
| Tanium.ProcessTree.processHash | String | Process hash. |
| Tanium.ProcessTree.processPath | String | The process path. |
| Tanium.ProcessTree.processTableId | String | The ID of the process table. |
| Tanium.ProcessTree.registryEventsCount | Number | Number of registry events in the process. |
| Tanium.ProcessTree.securityEventsCount | Number | Number of security events in the process. |
| Tanium.ProcessTree.uniqueProcessId | String | Unique process ID. |
| Tanium.ProcessTree.userName | String | The username who created the process. |

Command Example#

!tanium-tr-get-process-tree connection_id=remote:hostname:123: ptid=72057594038528485

Context Example#

{
"Tanium": {
"ProcessTree": [
{
"childrenCount": 5664,
"context": "node",
"createTime": "2021-07-18 07:26:55.000",
"createTimeRaw": 1626593215000,
"dnsEventsCount": 0,
"driverEventsCount": 0,
"fileEventsCount": 0,
"id": "72057594038528485",
"imageEventsCount": 0,
"networkEventsCount": 0,
"parentProcessTableId": "0",
"pid": -2,
"processEventsCount": 1,
"processPath": "<Pruned Process>",
"processTableId": "72057594038528485",
"registryEventsCount": 0,
"securityEventsCount": 0,
"uniqueProcessId": "-5151340193789247490"
},
{
"childrenCount": 0,
"context": "child",
"createTime": "2021-07-18 07:26:12.820",
"createTimeRaw": 1626593172820,
"dnsEventsCount": 0,
"driverEventsCount": 0,
"endTime": "2021-07-18 07:26:13.483",
"endTimeRaw": 1626593173483,
"exitCode": 0,
"fileEventsCount": 0,
"groupName": "NT AUTHORITY",
"hashTypeName": "MD5",
"id": "72057594038528483",
"imageEventsCount": 0,
"networkEventsCount": 0,
"parentProcessTableId": "72057594038528485",
"pid": 5284,
"processCommandLine": "\"LogonUI.exe\" /flags:0x0 /state0:0xa3856855 /state1:0x41c64e6d",
"processEventsCount": 1,
"processHash": "b38dfcf985d8ae5b1a17c264981e61c7",
"processPath": "C:\\Windows\\System32\\LogonUI.exe",
"processTableId": "72057594038528483",
"registryEventsCount": 39,
"securityEventsCount": 0,
"uniqueProcessId": "-5151524022684478300",
"userName": "SYSTEM"
}
]
}
}

Human Readable Output#

Process information for process with PTID 72057594038528485#

| Id | Pid | Process Table Id | Parent Process Table Id |
| --- | --- | --- | --- |
| 72057594038528485 | -2 | 72057594038528485 | 0 |
| 72057594038528483 | 5284 | 72057594038528483 | 72057594038528485 |
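The process commands above (tanium-tr-get-process-info, -children, -parent and -tree) all return flat records that reference each other through processTableId and parentProcessTableId, and a pruned ancestor comes back as a placeholder with processPath "<Pruned Process>", pid -2 and parentProcessTableId "0", as in the Context Example. The following added example (not code from the integration) links such records back into a tree, renders it, and totals the per-type event counters while excluding the placeholder. SAMPLE_TREE is constructed from the -tree and -children examples on this page, reduced to the fields the code uses.

```python
from typing import Any, Dict, List, Tuple

Record = Dict[str, Any]

# How the page marks an ancestor that is no longer in the recorder database.
PRUNED_PATH = "<Pruned Process>"
PRUNED_PID = -2
NO_PARENT = "0"  # parentProcessTableId of a tree root

EVENT_COUNTERS = ("dnsEventsCount", "driverEventsCount", "fileEventsCount",
                  "imageEventsCount", "networkEventsCount", "processEventsCount",
                  "registryEventsCount", "securityEventsCount")


def is_pruned(rec: Record) -> bool:
    """True for the placeholder ancestor: it carries no path, hash, user or exit code."""
    return rec.get("processPath") == PRUNED_PATH or rec.get("pid") == PRUNED_PID


def build_tree(records: List[Record]) -> Tuple[List[str], Dict[str, Record], Dict[str, List[str]]]:
    """Link flat records by processTableId / parentProcessTableId.
    Returns (root PTIDs, records by PTID, child PTIDs by PTID); siblings are ordered
    by createTimeRaw. A record whose parent is "0" or was not returned becomes a
    root, which is how a pruned ancestor ends up at the top of the rendered tree."""
    by_id = {r["processTableId"]: r for r in records}
    children: Dict[str, List[str]] = {ptid: [] for ptid in by_id}
    roots: List[str] = []
    for rec in sorted(records, key=lambda r: r.get("createTimeRaw", 0)):
        parent = rec.get("parentProcessTableId", NO_PARENT)
        if parent in by_id:
            children[parent].append(rec["processTableId"])
        else:
            roots.append(rec["processTableId"])
    return roots, by_id, children


def render_tree(records: List[Record]) -> List[str]:
    """One indented line per process: '<ptid> [<context>] pid <pid> <path> as <user>',
    with the placeholder shown as '<pruned ancestor>' instead of a path."""
    roots, by_id, children = build_tree(records)
    lines: List[str] = []

    def walk(ptid: str, depth: int) -> None:
        rec = by_id[ptid]
        label = "<pruned ancestor>" if is_pruned(rec) else (
            f"pid {rec['pid']} {rec['processPath']} as {rec.get('userName', '?')}")
        lines.append(f"{'  ' * depth}{ptid} [{rec.get('context', '?')}] {label}")
        for child in children[ptid]:  # each record has one parent, so no node repeats
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def event_totals(records: List[Record]) -> Dict[str, int]:
    """Sum each *EventsCount counter over the real (non-pruned) processes."""
    totals = {name: 0 for name in EVENT_COUNTERS}
    for rec in records:
        if is_pruned(rec):
            continue
        for name in EVENT_COUNTERS:
            totals[name] += int(rec.get(name, 0))
    return totals


def busiest(records: List[Record], counter: str) -> List[Tuple[str, int]]:
    """Real processes ranked by one counter (e.g. registryEventsCount), highest first."""
    ranked = [(r["processTableId"], int(r.get(counter, 0)))
              for r in records if not is_pruned(r)]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed sample: the two records of the -tree Context Example plus the second
# child from the -children example, each reduced to the fields used above.
SAMPLE_TREE: List[Record] = [
    {"childrenCount": 5664, "context": "node", "createTimeRaw": 1626593215000,
     "id": "72057594038528485", "parentProcessTableId": "0", "pid": -2,
     "processEventsCount": 1, "processPath": "<Pruned Process>",
     "processTableId": "72057594038528485", "registryEventsCount": 0},
    {"childrenCount": 0, "context": "child", "createTimeRaw": 1626593172820,
     "id": "72057594038528483", "parentProcessTableId": "72057594038528485",
     "pid": 5284, "processEventsCount": 1,
     "processHash": "b38dfcf985d8ae5b1a17c264981e61c7",
     "processPath": "C:\\Windows\\System32\\LogonUI.exe",
     "processTableId": "72057594038528483", "registryEventsCount": 39,
     "userName": "SYSTEM"},
    {"childrenCount": 0, "context": "child", "createTimeRaw": 1626593143456,
     "id": "72057594038528482", "parentProcessTableId": "72057594038528485",
     "pid": 2856, "processEventsCount": 1,
     "processHash": "e1bce838cd2695999ab34215bf94b501",
     "processPath": "C:\\test.exe", "processTableId": "72057594038528482",
     "registryEventsCount": 0, "userName": "LOCAL SERVICE"},
]
```

Rendering SAMPLE_TREE places the pruned placeholder at the root with its two children beneath it in creation order, and event_totals reports the 39 registry events of LogonUI.exe without counting the placeholder's own processEventsCount.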

tanium-tr-event-evidence-list#


Returns a list of all available evidence in the system.

Base Command#

tanium-tr-event-evidence-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of evidences to return. Default is 50. | Optional |
| offset | Offset to start getting the events result set. Default is 0. | Optional |
| sort | A comma-separated list of fields by which to sort, using +/- prefixes for ascending/descending, in order of priority (left to right). | Optional |
| hostname | Comma-separated list of hostnames; only event evidence from those hostnames is returned, for example hostname=123,456. | Optional |
| type | Return only event evidence of a specific type, for example type=file. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Tanium.Evidence.name | String | The evidence name. |
| Tanium.Evidence.uuid | String | The evidence UUID. |
| Tanium.Evidence.createdAt | Date | Time when the process was created. |
| Tanium.Evidence.hostname | String | The evidence connection hostname. |
| Tanium.Evidence.evidenceType | Number | The evidence type. |
| Tanium.Evidence.size | Number | The evidence size. |

Command Example#

!tanium-tr-event-evidence-list limit=3

Context Example#

{
"Tanium": {
"Evidence": [
{
"createdAt": "2021-10-06T06:40:48.297Z",
"evidenceType": "snapshot",
"hostname": "host1",
"name": "host1.db",
"size": 152064000,
"username": "administrator",
"uuid": "832dec40-1cc2-4e53-881a-7f61cba835bc"
},
{
"createdAt": "2021-10-06T06:42:07.010Z",
"evidenceType": "snapshot",
"hostname": "host2",
"name": "host2.db",
"size": 152064000,
"username": "administrator",
"uuid": "340a3ac4-560d-430f-bd50-96615d763171"
},
{
"createdAt": "2021-10-07T12:15:30.711Z",
"evidenceType": "snapshot",
"hostname": "host3",
"name": "host3.db",
"size": 152064000,
"username": "administrator",
"uuid": "cf4d8628-8527-4014-8ed2-bdca6c592488"
}
]
}
}

Human Readable Output#

Evidence list#

| Uuid | Name | Evidence Type | Hostname | Created At | Username |
| --- | --- | --- | --- | --- | --- |
| 832dec40-1cc2-4e53-881a-7f61cba835bc | host1.db | snapshot | host1 | 2021-10-06T06:40:48.297Z | administrator |
| 340a3ac4-560d-430f-bd50-96615d763171 | host2.db | snapshot | host2 | 2021-10-06T06:42:07.010Z | administrator |
| cf4d8628-8527-4014-8ed2-bdca6c592488 | host3.db | snapshot | host3 | 2021-10-07T12:15:30.711Z | administrator |

tanium-tr-event-evidence-get-properties#


Returns event evidence properties for IOC generation.

Base Command#

tanium-tr-event-evidence-get-properties

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Tanium.EvidenceProperties.type | String | The evidence property type. |
| Tanium.EvidenceProperties.value | String | The evidence property value. |

Command Example#

!tanium-tr-event-evidence-get-properties

Context Example#

{
"Tanium": {
"EvidenceProperties": [
{
"type": "MD5Hash",
"value": "92ee791a630830452485e8e375f8db35"
},
{
"type": "MD5Hash",
"value": "e1bce838cd2695999ab34215bf94b501"
},
{
"type": "MD5Hash",
"value": "0e1853d3339d2963d2bc6ac1fdc1c811"
},
{
"type": "MD5Hash",
"value": "41b0ade03cd365a5cc99f748c5ffcadc"
},
{
"type": "MD5Hash",
"value": "a9a89cb1838373c365f2b8af72b1f1c2"
}
]
}
}

Human Readable Output#

Evidence Properties#

| Type | Value |
| --- | --- |
| MD5Hash | 92ee791a630830452485e8e375f8db35 |
| MD5Hash | e1bce838cd2695999ab34215bf94b501 |
| MD5Hash | 0e1853d3339d2963d2bc6ac1fdc1c811 |
| MD5Hash | 41b0ade03cd365a5cc99f748c5ffcadc |
| MD5Hash | a9a89cb1838373c365f2b8af72b1f1c2 |

tanium-tr-get-evidence-by-id#


Gets event evidence by evidence ID.

Base Command#

tanium-tr-get-evidence-by-id

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| evidence_id | The ID of the evidence. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Tanium.Evidence.commandline | String | Process command line. |
| Tanium.Evidence.createTime | Date | Time when the process was created. |
| Tanium.Evidence.createTimeRaw | Number | Timestamp when the process was created. |
| Tanium.Evidence.created | Date | Time when the event was created. |
| Tanium.Evidence.domain | String | Event domain. |
| Tanium.Evidence.eventtype | String | The event type. |
| Tanium.Evidence.evidencetype | String | The evidence type. |
| Tanium.Evidence.exitCode | Number | Process exit code. |
| Tanium.Evidence.hostname | String | Connection host name. |
| Tanium.Evidence.summary | String | Evidence summary. |
| Tanium.Evidence.timestamp | Date | Evidence creation date. |
| Tanium.Evidence.type | String | The evidence type. |
| Tanium.Evidence.username | String | Evidence creator username. |
| Tanium.Evidence.utctimecreated | Date | Evidence creation UTC date. |
| Tanium.Evidence.uuid | String | The evidence UUID. |

Command Example#

!tanium-tr-get-evidence-by-id evidence_id=b684f9be-80ee-483d-8dca-a4d5cd3aeaa6

Context Example#

{
"Tanium": {
"Evidence": {
"createTime": "2021-07-07 11:00:01.973",
"createTimeRaw": 1625655601973,
"created": "2021-10-05T10:44:36.697Z",
"endTime": "2021-07-07 11:01:32.006",
"endTimeRaw": 1625655692006,
"eventtype": "ProcessEvent",
"evidencetype": "event",
"exitCode": 0,
"groupName": "NT AUTHORITY",
"hash": "e1bce838cd2695999ab34215bf94b501",
"hashTypeName": "MD5",
"hostname": "host1",
"id": "72057594038506412",
"parentCommandLine": "<Pruned Process>",
"parentPath": "<Pruned Process>",
"parentPid": -2,
"parentProcessTableId": "72057594038528485",
"pid": 6056,
"processPath": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"processTableId": "72057594038506412",
"recorderid": "72057594038506412",
"summary": "Test description.",
"userName": "NETWORK SERVICE",
"username": "administrator",
"uuid": "b684f9be-80ee-483d-8dca-a4d5cd3aeaa6"
}
}
}

Human Readable Output#

Evidence information#

| Uuid | Hostname | Username | Summary | Created | Process Table Id |
| --- | --- | --- | --- | --- | --- |
| b684f9be-80ee-483d-8dca-a4d5cd3aeaa6 | host1 | administrator | Test description. | 2021-10-05T10:44:36.697Z | 72057594038506412 |

tanium-tr-create-evidence#


Creates an event evidence from process.

Base Command#

tanium-tr-create-evidence

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| connection_id | The ID of the connection. | Required |
| ptid | The process instance ID. | Required |
| hostname | The hostname of the connection. | Required |
| summary | The summary of the event evidence. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!tanium-tr-create-evidence ptid=72057594038510321 connection_id=remote:hostname:123: hostname=host1 summary="Create Process"

Human Readable Output#

Evidence have been created.

tanium-tr-delete-evidence#


Deletes event evidences from Tanium.

Base Command#

tanium-tr-delete-evidence

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| evidence_ids | The IDs of the evidences to delete. | Required |

Context Output#

There is no context output for this command.

Command Example#

!tanium-tr-delete-evidence evidence_ids=53630ca0-e55a-4f6d-9451-d1c2c277530b

Human Readable Output#

Evidence 53630ca0-e55a-4f6d-9451-d1c2c277530b has been deleted successfully.

tanium-tr-request-file-download#


Requests a new file download.

Base Command#

tanium-tr-request-file-download

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| path | Path to file. | Required |
| connection_id | Connection ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Tanium.FileDownloadTask.compress | String | Whether the file is compressed. |
| Tanium.FileDownloadTask.connection | String | The file download host. |
| Tanium.FileDownloadTask.taskId | Number | ID of the file download task. |
| Tanium.FileDownloadTask.paths | String | The file download paths. |
| Tanium.FileDownloadTask.startTime | Date | Download start time. |
| Tanium.FileDownloadTask.status | String | Status of the file download request. |

Command Example#

!tanium-tr-request-file-download connection_id=remote:hostname:123: path="C:\\Users\\Administrator\\Desktop\\testD.txt"

Context Example#

{
"Tanium": {
"FileDownloadTask": {
"compress": "true",
"connection": "remote:hostname:123:",
"paths": [
"C:\\Users\\Administrator\\Desktop\\testD.txt"
],
"startTime": "2021-10-07T12:23:06.824Z",
"status": "STARTED",
"taskId": 1178
}
}
}

Human Readable Output#

Download request of file C:\Users\Administrator\Desktop\testD.txt has been sent successfully. Task id: 1178.

tanium-tr-delete-file-download#


Deletes a file download.

Base Command#

tanium-tr-delete-file-download

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| file_id | File download ID. | Required |

Context Output#

There is no context output for this command.

Command Example#

!tanium-tr-delete-file-download file_id=0367c8b2-eed9-4124-b173-1c83cbf3ba6f

Human Readable Output#

Delete request of file with ID 0367c8b2-eed9-4124-b173-1c83cbf3ba6f has been sent successfully.

tanium-tr-list-files-in-directory#


Gets a list of files in the given directory.

Base Command#

tanium-tr-list-files-in-directory

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| path | Path to the directory. | Required |
| connection_id | Connection ID. | Required |
| limit | The maximum number of files to return. Default is 50. | Optional |
| offset | Offset to start getting files. Default is 0. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Tanium.File.connectionId | String | Connection ID. |
| Tanium.File.createdDate | Date | Time the file was created. |
| Tanium.File.modifiedDate | Date | The date that the file was last modified. |
| Tanium.File.name | String | The file name. |
| Tanium.File.path | String | The file path. |
| Tanium.File.permissions | Number | The file permissions. |
| Tanium.File.size | Number | The file size. |
| Tanium.File.type | String | The file type. |

Command Example#

!tanium-tr-list-files-in-directory connection_id=remote:hostname:123: path=`C:\Users\Administrator\Desktop\` limit=2

Context Example#

{
"Tanium": {
"File": [
{
"connectionId": "remote:hostname:123:",
"createdDate": "2020-02-06T08:34:17.000Z",
"modifiedDate": "2018-08-12T11:11:02.000Z",
"name": "ChromeSetup.exe",
"path": "C:\\Users\\Administrator\\Desktop\\",
"permissions": 438,
"size": 1130840,
"type": "FILE"
},
{
"connectionId": "remote:hostname:123:",
"createdDate": "2020-01-07T11:53:20.000Z",
"modifiedDate": "2020-01-07T11:53:46.000Z",
"name": "test.txt",
"path": "C:\\Users\\Administrator\\Desktop\\",
"permissions": 438,
"size": 11,
"type": "FILE"
}
]
}
}

Human Readable Output#

Files in directory C:\Users\Administrator\Desktop\#

| Name | Path | Connection Id | Created Date | Modified Date | Permissions | Size |
| --- | --- | --- | --- | --- | --- | --- |
| ChromeSetup.exe | C:\Users\Administrator\Desktop\ | remote:hostname:123: | 2020-02-06T08:34:17.000Z | 2018-08-12T11:11:02.000Z | 438 | 1130840 |
| test.txt | C:\Users\Administrator\Desktop\ | remote:hostname:123: | 2020-01-07T11:53:20.000Z | 2020-01-07T11:53:46.000Z | 438 | 11 |

tanium-tr-get-file-info#


Gets information about a file from a remote connection.

Base Command#

tanium-tr-get-file-info

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| connection_id | The ID of the connection. | Required |
| path | The path to the file. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Tanium.File.canonicalPath | String | The file path. |
| Tanium.File.cid | String | Cid. |
| Tanium.File.connectionId | String | Connection ID. |
| Tanium.File.createdDate | Date | Time the file was created. |
| Tanium.File.modifiedDate | Date | The date that the file was last modified. |
| Tanium.File.name | String | The file name. |
| Tanium.File.path | String | The file path. |
| Tanium.File.permissions | Number | The file permissions. |
| Tanium.File.size | Number | The file size. |
| Tanium.File.type | String | The file type. |
| Tanium.File.sessionId | String | Session ID. |

Command Example#

!tanium-tr-get-file-info connection_id=remote:hostname:123: path="C:\\log1.txt"

Context Example#

{
"Tanium": {
"File": {
"canonicalPath": "C:\\log1.txt",
"cid": "d65ba018-346c-497e-8f18-252036fd87f9",
"connectionId": "remote:hostname:123:",
"createdDate": "2019-09-03T17:51:40.000Z",
"modifiedDate": "2021-09-27T19:36:07.000Z",
"name": "C:\\log1.txt",
"path": "C:\\log1.txt",
"permissions": 438,
"sessionId": "1ce0f8e7-c180-4467-bf8e-0a313c4eb5f4",
"size": 2913,
"type": "FILE"
}
}
}

Human Readable Output#

Information for file C:\log1.txt#

| Path | Name | Connection Id | Type | Created Date | Modified Date |
| --- | --- | --- | --- | --- | --- |
| C:\log1.txt | C:\log1.txt | remote:hostname:123: | FILE | 2019-09-03T17:51:40.000Z | 2021-09-27T19:36:07.000Z |

tanium-tr-delete-file-from-endpoint#


Deletes a file from the given endpoint.

Base Command#

tanium-tr-delete-file-from-endpoint

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| connection_id | Connection ID. | Required |
| path | Path to the file. | Required |

Context Output#

There is no context output for this command.

Command Example#

!tanium-tr-delete-file-from-endpoint connection_id=remote:hostname:123: path=C:\Users\Administrator\Desktop\to_delete.txt

Human Readable Output#

Delete request of file C:\Users\Administrator\Desktop\to_delete.txt from endpoint remote:hostname:123: has been sent successfully.

tanium-tr-intel-docs-labels-list#


List all labels for the identified intel document.

Base Command#

tanium-tr-intel-docs-labels-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| intel_doc_id | List the label IDs for the intel document with this ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Tanium.IntelDocLabel.IntelDocID | String | The requested intel doc ID. |
| Tanium.IntelDocLabel.LabelsList.ID | Number | The unique identifier for this label. |
| Tanium.IntelDocLabel.LabelsList.Name | String | The display name of the label. |
| Tanium.IntelDocLabel.LabelsList.Description | String | An extended description of the label. |
| Tanium.IntelDocLabel.LabelsList.IndicatorCount | Number | The number of indicator-based intel documents associated with this label, not including Tanium Signals. |
| Tanium.IntelDocLabel.LabelsList.SignalCount | Number | The number of Tanium Signal documents associated with this label. |
| Tanium.IntelDocLabel.LabelsList.CreatedAt | Date | The date this label was created. |
| Tanium.IntelDocLabel.LabelsList.UpdatedAt | Date | The date this label was last updated, not including the intel and signal counts. |

Command Example#

!tanium-tr-intel-docs-labels-list intel_doc_id=509

Context Example#

{
"Tanium": {
"IntelDocLabel": {
"IntelDocID": "509",
"LabelsList": [
{
"CreatedAt": "2019-07-31T18:46:28.629Z",
"Description": "These signals have been tested and reviewed internally for syntax. Little or no testing of expected alert generation has been conducted. These signals are not included on the external feed.",
"ID": 1,
"IndicatorCount": 0,
"Name": "Alpha",
"SignalCount": 0,
"UpdatedAt": "2019-07-31T18:46:28.629Z"
},
{
"CreatedAt": "2019-07-31T18:46:28.629Z",
"Description": "These signals have been tested and reviewed internally for syntax. Internal testing of expected alert generation has been verified. Testing on internal systems for false positives has been conducted and tuned if necessary. These signals are included on the external feed.",
"ID": 2,
"IndicatorCount": 0,
"Name": "Beta",
"SignalCount": 0,
"UpdatedAt": "2019-07-31T18:46:28.629Z"
},
{
"CreatedAt": "2019-07-31T18:46:28.644Z",
"Description": "MITRE ATT&CK matrix category",
"ID": 7,
"IndicatorCount": 0,
"Name": "Defense Evasion",
"SignalCount": 0,
"UpdatedAt": "2019-07-31T18:46:28.644Z"
},
{
"CreatedAt": "2019-07-31T18:46:28.660Z",
"Description": "MITRE ATT&CK matrix category",
"ID": 11,
"IndicatorCount": 0,
"Name": "Execution",
"SignalCount": 0,
"UpdatedAt": "2019-07-31T18:46:28.660Z"
},
{
"CreatedAt": "2020-01-14T21:37:30.528Z",
"Description": "These signals are built for Windows hosts.",
"ID": 16,
"IndicatorCount": 0,
"Name": "Windows",
"SignalCount": 0,
"UpdatedAt": "2020-01-14T21:37:30.528Z"
}
]
}
}
}

Human Readable Output#

Intel doc (509) labels#

| ID | Name | Description | Indicator Count | Signal Count | Created At | Updated At |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | Alpha | These signals have been tested and reviewed internally for syntax. Little or no testing of expected alert generation has been conducted. These signals are not included on the external feed. | 0 | 0 | 2019-07-31T18:46:28.629Z | 2019-07-31T18:46:28.629Z |
| 2 | Beta | These signals have been tested and reviewed internally for syntax. Internal testing of expected alert generation has been verified. Testing on internal systems for false positives has been conducted and tuned if necessary. These signals are included on the external feed. | 0 | 0 | 2019-07-31T18:46:28.629Z | 2019-07-31T18:46:28.629Z |
| 7 | Defense Evasion | MITRE ATT&CK matrix category | 0 | 0 | 2019-07-31T18:46:28.644Z | 2019-07-31T18:46:28.644Z |
| 11 | Execution | MITRE ATT&CK matrix category | 0 | 0 | 2019-07-31T18:46:28.660Z | 2019-07-31T18:46:28.660Z |
| 16 | Windows | These signals are built for Windows hosts. | 0 | 0 | 2020-01-14T21:37:30.528Z | 2020-01-14T21:37:30.528Z |

tanium-tr-intel-docs-add-label#


Create a new label association for the identified intel document.

Base Command#

tanium-tr-intel-docs-add-label

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| intel_doc_id | Associate the new label with the intel document with this ID. | Required |
| label_id | The ID of the new label to associate with the target intel document. (Use the tanium-tr-intel-docs-labels-list command to get the available label IDs.) | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Tanium.IntelDocLabel.IntelDocID | String | The requested intel doc ID. |
| Tanium.IntelDocLabel.LabelsList.ID | Number | The unique identifier for this label. |
| Tanium.IntelDocLabel.LabelsList.Name | String | The display name of the label. |
| Tanium.IntelDocLabel.LabelsList.Description | String | An extended description of the label. |
| Tanium.IntelDocLabel.LabelsList.IndicatorCount | Number | The number of indicator-based intel documents associated with this label, not including Tanium Signals. |
| Tanium.IntelDocLabel.LabelsList.SignalCount | Number | The number of Tanium Signal documents associated with this label. |
| Tanium.IntelDocLabel.LabelsList.CreatedAt | Date | The date this label was created. |
| Tanium.IntelDocLabel.LabelsList.UpdatedAt | Date | The date this label was last updated, not including the intel and signal counts. |

Command Example#

!tanium-tr-intel-docs-add-label intel_doc_id=509 label_id=1

Context Example#

{
"Tanium": {
"IntelDocLabel": {
"IntelDocID": "509",
"LabelsList": [
{
"CreatedAt": "2019-07-31T18:46:28.629Z",
"Description": "These signals have been tested and reviewed internally for syntax. Little or no testing of expected alert generation has been conducted. These signals are not included on the external feed.",
"ID": 1,
"IndicatorCount": 0,
"Name": "Alpha",
"SignalCount": 0,
"UpdatedAt": "2019-07-31T18:46:28.629Z"
},
{
"CreatedAt": "2019-07-31T18:46:28.629Z",
"Description": "These signals have been tested and reviewed internally for syntax. Internal testing of expected alert generation has been verified. Testing on internal systems for false positives has been conducted and tuned if necessary. These signals are included on the external feed.",
"ID": 2,
"IndicatorCount": 0,
"Name": "Beta",
"SignalCount": 0,
"UpdatedAt": "2019-07-31T18:46:28.629Z"
},
{
"CreatedAt": "2019-07-31T18:46:28.644Z",
"Description": "MITRE ATT&CK matrix category",
"ID": 7,
"IndicatorCount": 0,
"Name": "Defense Evasion",
"SignalCount": 0,
"UpdatedAt": "2019-07-31T18:46:28.644Z"
},
{
"CreatedAt": "2019-07-31T18:46:28.660Z",
"Description": "MITRE ATT&CK matrix category",
"ID": 11,
"IndicatorCount": 0,
"Name": "Execution",
"SignalCount": 0,
"UpdatedAt": "2019-07-31T18:46:28.660Z"
},
{
"CreatedAt": "2020-01-14T21:37:30.528Z",
"Description": "These signals are built for Windows hosts.",
"ID": 16,
"IndicatorCount": 0,
"Name": "Windows",
"SignalCount": 0,
"UpdatedAt": "2020-01-14T21:37:30.528Z"
}
]
}
}
}

Human Readable Output#

Successfully created a new label (1) association for the identified intel document (509).#

| ID | Name | Description | Indicator Count | Signal Count | Created At | Updated At |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | Alpha | These signals have been tested and reviewed internally for syntax. Little or no testing of expected alert generation has been conducted. These signals are not included on the external feed. | 0 | 0 | 2019-07-31T18:46:28.629Z | 2019-07-31T18:46:28.629Z |
| 2 | Beta | These signals have been tested and reviewed internally for syntax. Internal testing of expected alert generation has been verified. Testing on internal systems for false positives has been conducted and tuned if necessary. These signals are included on the external feed. | 0 | 0 | 2019-07-31T18:46:28.629Z | 2019-07-31T18:46:28.629Z |
| 7 | Defense Evasion | MITRE ATT&CK matrix category | 0 | 0 | 2019-07-31T18:46:28.644Z | 2019-07-31T18:46:28.644Z |
| 11 | Execution | MITRE ATT&CK matrix category | 0 | 0 | 2019-07-31T18:46:28.660Z | 2019-07-31T18:46:28.660Z |
| 16 | Windows | These signals are built for Windows hosts. | 0 | 0 | 2020-01-14T21:37:30.528Z | 2020-01-14T21:37:30.528Z |

tanium-tr-intel-docs-remove-label#


Delete a label association for the identified intel document.

Base Command#

tanium-tr-intel-docs-remove-label

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| intel_doc_id | Remove the label from the intel document with this ID. | Required |
| label_id | The ID of the label to disassociate from the target intel document. (Use the tanium-tr-intel-docs-labels-list command to get the available label IDs.) | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Tanium.IntelDocLabel.IntelDocID | String | Requested doc ID. |
| Tanium.IntelDocLabel.LabelsList.CreatedAt | Date | Date when the label was created. |
| Tanium.IntelDocLabel.LabelsList.Description | String | Label description. |
| Tanium.IntelDocLabel.LabelsList.ID | Number | Label ID. |
| Tanium.IntelDocLabel.LabelsList.IndicatorCount | Number | Number of related indicators. |
| Tanium.IntelDocLabel.LabelsList.Name | String | Label name. |
| Tanium.IntelDocLabel.LabelsList.SignalCount | Number | Number of related signals. |
| Tanium.IntelDocLabel.LabelsList.UpdatedAt | Date | Date when the label was last updated. |

Command Example#

!tanium-tr-intel-docs-remove-label intel_doc_id=509 label_id=1

Context Example#

{
"Tanium": {
"IntelDocLabel": {
"IntelDocID": "509",
"LabelsList": [
{
"CreatedAt": "2019-07-31T18:46:28.629Z",
"Description": "These signals have been tested and reviewed internally for syntax. Internal testing of expected alert generation has been verified. Testing on internal systems for false positives has been conducted and tuned if necessary. These signals are included on the external feed.",
"ID": 2,
"IndicatorCount": 0,
"Name": "Beta",
"SignalCount": 0,
"UpdatedAt": "2019-07-31T18:46:28.629Z"
},
{
"CreatedAt": "2019-07-31T18:46:28.644Z",
"Description": "MITRE ATT&CK matrix category",
"ID": 7,
"IndicatorCount": 0,
"Name": "Defense Evasion",
"SignalCount": 0,
"UpdatedAt": "2019-07-31T18:46:28.644Z"
},
{
"CreatedAt": "2019-07-31T18:46:28.660Z",
"Description": "MITRE ATT&CK matrix category",
"ID": 11,
"IndicatorCount": 0,
"Name": "Execution",
"SignalCount": 0,
"UpdatedAt": "2019-07-31T18:46:28.660Z"
},
{
"CreatedAt": "2020-01-14T21:37:30.528Z",
"Description": "These signals are built for Windows hosts.",
"ID": 16,
"IndicatorCount": 0,
"Name": "Windows",
"SignalCount": 0,
"UpdatedAt": "2020-01-14T21:37:30.528Z"
}
]
}
}
}

Human Readable Output#

Successfully removed the label (1) association for the identified intel document (509).#

| ID | Name | Description | Indicator Count | Signal Count | Created At | Updated At |
| --- | --- | --- | --- | --- | --- | --- |
| 2 | Beta | These signals have been tested and reviewed internally for syntax. Internal testing of expected alert generation has been verified. Testing on internal systems for false positives has been conducted and tuned if necessary. These signals are included on the external feed. | 0 | 0 | 2019-07-31T18:46:28.629Z | 2019-07-31T18:46:28.629Z |
| 7 | Defense Evasion | MITRE ATT&CK matrix category | 0 | 0 | 2019-07-31T18:46:28.644Z | 2019-07-31T18:46:28.644Z |
| 11 | Execution | MITRE ATT&CK matrix category | 0 | 0 | 2019-07-31T18:46:28.660Z | 2019-07-31T18:46:28.660Z |
| 16 | Windows | These signals are built for Windows hosts. | 0 | 0 | 2020-01-14T21:37:30.528Z | 2020-01-14T21:37:30.528Z |

tanium-tr-intel-doc-create#


Add a new intel document to the system by providing its document contents.

Base Command#

tanium-tr-intel-doc-create

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| entry_id | The file entry ID. | Required |
| file_extension | The file name suffix, which identifies the intel document type. Possible values are: ioc, yara, stix. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Tanium.IntelDoc.AlertCount | Number | The number of alerts that currently exist for this intel. |
| Tanium.IntelDoc.CreatedAt | Date | The date at which this intel was first added to the system. |
| Tanium.IntelDoc.Description | String | The description of the intel, as declared in the document or as updated by a user. |
| Tanium.IntelDoc.ID | Number | The unique identifier for this intel in this instance of the system. |
| Tanium.IntelDoc.LabelIds | Number | The IDs of all labels applied to this intel. |
| Tanium.IntelDoc.Name | String | The name of the intel, as declared in the document or as updated by a user. |
| Tanium.IntelDoc.UnresolvedAlertCount | Number | The number of unresolved alerts that currently exist for this intel. |
| Tanium.IntelDoc.UpdatedAt | Date | The date when this intel was last updated. |
| Tanium.IntelDoc.revisionId | Number | The number of times the contents of the intel with this ID have been updated. |
| Tanium.IntelDoc.Type | String | The shortened type name of the intel. For example, "openioc", "stix", "yara". |
| Tanium.IntelDoc.typeVersion | String | The version number of the intel type. For example, "1.0", "2.3", etc. |
| Tanium.IntelDoc.intrinsicId | String | The unique identifier claimed by the intel document, such as a GUID or other built-in ID. |
| Tanium.IntelDoc.Md5 | String | The hex digest of the MD5 sum of the contents of the document that represents this intel. |
| Tanium.IntelDoc.Size | String | The size of the intel document contents, in bytes. |

Command Example#

!tanium-tr-intel-doc-create entry_id=7173@e99f97d1-7225-4c75-896c-3c960febbe8c file_extension=yara

Context Example#

{
"Tanium": {
"IntelDoc": {
"AlertCount": 0,
"CreatedAt": "2021-07-18T10:27:41.742Z",
"ID": 438,
"IntrinsicId": "file.yara",
"IsSchemaValid": true,
"Md5": "2bfe1da12a94fa4be3e9bcf6f59d024a",
"Name": "file.yara",
"RevisionId": 22,
"Size": 3271,
"SourceId": 1,
"Type": "yara",
"TypeVersion": "3",
"UnresolvedAlertCount": 0,
"UpdatedAt": "2021-10-07T12:23:35.947Z"
}
}
}

Human Readable Output#

Intel Doc information#

| ID | Name | Type | Alert Count | Unresolved Alert Count | Created At | Updated At |
| --- | --- | --- | --- | --- | --- | --- |
| 438 | file.yara | yara | 0 | 0 | 2021-07-18T10:27:41.742Z | 2021-10-24T09:00:52.609Z |

tanium-tr-intel-doc-update#


Update the contents of an existing intel document by providing the document contents.

Base Command#

tanium-tr-intel-doc-update

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| intel_doc_id | The ID of the intel document to update. | Required |
| entry_id | The file entry ID. | Required |
| file_extension | The file name suffix, which identifies the intel document type. Possible values are: ioc, yara, stix. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Tanium.IntelDoc.AlertCount | Number | The number of alerts that currently exist for this intel. |
| Tanium.IntelDoc.CreatedAt | Date | The date at which this intel was first added to the system. |
| Tanium.IntelDoc.Description | String | The description of the intel, as declared in the document or as updated by a user. |
| Tanium.IntelDoc.ID | Number | The unique identifier for this intel in this instance of the system. |
| Tanium.IntelDoc.LabelIds | Number | The IDs of all labels applied to this intel. |
| Tanium.IntelDoc.Name | String | The name of the intel, as declared in the document or as updated by a user. |
| Tanium.IntelDoc.UnresolvedAlertCount | Number | The number of unresolved alerts that currently exist for this intel. |
| Tanium.IntelDoc.UpdatedAt | Date | The date when this intel was last updated. |
| Tanium.IntelDoc.revisionId | Number | The number of times the contents of the intel with this ID have been updated. |
| Tanium.IntelDoc.Type | String | The shortened type name of the intel. For example, "openioc", "stix", "yara". |
| Tanium.IntelDoc.typeVersion | String | The version number of the intel type. For example, "1.0", "2.3", etc. |
| Tanium.IntelDoc.intrinsicId | String | The unique identifier claimed by the intel document, such as a GUID or other built-in ID. |
| Tanium.IntelDoc.Md5 | String | The hex digest of the MD5 sum of the contents of the document that represents this intel. |
| Tanium.IntelDoc.Size | String | The size of the intel document contents, in bytes. |

Command Example#

!tanium-tr-intel-doc-update entry_id=7173@e99f97d1-7225-4c75-896c-3c960febbe8c intel_doc_id=438 file_extension=yara

Context Example#

{
"Tanium": {
"IntelDoc": {
"AlertCount": 0,
"CreatedAt": "2021-07-18T10:27:41.742Z",
"ID": 438,
"IntrinsicId": "file.yara",
"IsSchemaValid": true,
"Md5": "2bfe1da12a94fa4be3e9bcf6f59d024a",
"Name": "file.yara",
"RevisionId": 23,
"Size": 3271,
"SourceId": 1,
"Type": "yara",
"TypeVersion": "3",
"UnresolvedAlertCount": 0,
"UpdatedAt": "2021-10-07T12:23:39.573Z"
}
}
}

Human Readable Output#

Intel Doc information#

| ID | Name | Type | Alert Count | Unresolved Alert Count | Created At | Updated At |
| --- | --- | --- | --- | --- | --- | --- |
| 438 | file.yara | yara | 0 | 0 | 2021-07-18T10:27:41.742Z | 2021-10-07T12:23:39.573Z |

tanium-tr-intel-doc-delete#


Remove an intel document from the system by providing its ID.

Base Command#

tanium-tr-intel-doc-delete

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| intel_doc_id | The ID of the intel document to delete. | Required |

Context Output#

None

Command Example#

!tanium-tr-intel-doc-delete intel_doc_id=509

Context Example#

None

Human Readable Output#

Intel Doc deleted#

tanium-tr-start-quick-scan#


Scan a computer group for hashes in intel document. Computer groups can be viewed by navigating to Administration -> Computer Groups in the Threat-Response product console. Computer group names and IDs can also be retrieved by using the tn-list-groups command in the Tanium integration.

Base Command#

tanium-tr-start-quick-scan

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| intel_doc_id | The intel document ID. | Required |
| computer_group_name | The name of a Tanium computer group. See the command description for ways to retrieve this value. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Tanium.QuickScan.IntelDocId | Number | The unique identifier for this intel in this instance of the system. |
| Tanium.QuickScan.ComputerGroupId | Number | The ID of a Tanium computer group. |
| Tanium.QuickScan.ID | Number | The ID of the quick scan. |
| Tanium.QuickScan.AlertCount | Number | The number of alerts returned from the quick scan. |
| Tanium.QuickScan.CreatedAt | Date | The date the quick scan was created. |
| Tanium.QuickScan.UserId | Number | The ID of the user who initiated the quick scan. |
| Tanium.QuickScan.QuestionId | Number | The ID of the quick scan question. |

Command Example#

!tanium-tr-start-quick-scan intel_doc_id=509 computer_group_name="All Computers"

Context Example#

{
"Tanium": {
"QuickScan": {
"AlertCount": 0,
"ComputerGroupId": 1,
"CreatedAt": "2022-01-05T19:53:43.049Z",
"ID": 1000239,
"IntelDocId": 509,
"QuestionId": 2025697,
"UserId": 64
}
}
}

Human Readable Output#

Quick Scan started#

| AlertCount | ComputerGroupId | CreatedAt | ID | IntelDocId | QuestionId | UserId |
| --- | --- | --- | --- | --- | --- | --- |
| 0 | 1 | 2022-01-05T19:53:43.049Z | 1000239 | 509 | 2025697 | 64 |

tanium-tr-intel-deploy#


Deploys intel using the service account context.

Base Command#

tanium-tr-intel-deploy

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

Command Example#

!tanium-tr-intel-deploy

Human Readable Output#

Successfully deployed intel.

tanium-tr-intel-deploy-status#


Displays status of last intel deployment.

Base Command#

tanium-tr-intel-deploy-status

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Tanium.IntelDeployStatus.CreatedAt | Date | The creation date of the last intel deployment. |
| Tanium.IntelDeployStatus.ModifiedAt | Date | The modification date of the last intel deployment. |
| Tanium.IntelDeployStatus.CurrentRevision | Number | Revision number, incremented each time the intel is modified. |
| Tanium.IntelDeployStatus.CurrentSize | Number | The size of the intel document contents, in bytes. |

Command Example#

!tanium-tr-intel-deploy-status

Context Example#

{
"Tanium": {
"IntelDeployStatus": {
"CreatedAt": "2021-05-02T19:18:00.685Z",
"CurrentRevision": 855,
"CurrentSize": 1187840,
"ModifiedAt": "2021-10-06T15:07:43.248Z"
}
}
}

Human Readable Output#

Intel deploy status#

| Created At | Modified At | Current Revision | Current Size |
| --- | --- | --- | --- |
| 2021-05-02T19:18:00.685Z | 2021-10-06T15:07:43.248Z | 855 | 1187840 |

tanium-tr-get-task-by-id#


Get task by ID.

Base Command#

tanium-tr-get-task-by-id

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| task_id | The task ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Tanium.Task.createdAt | Date | The date at which this task was first added to the system. |
| Tanium.Task.id | Number | The unique identifier for this task in this instance of the system. |
| Tanium.Task.updatedAt | Date | The date when this task was last updated. |
| Tanium.Task.startTime | Date | The date when this task started. |
| Tanium.Task.endTime | Date | The date when this task ended. |
| Tanium.Task.error | String | Task errors. |
| Tanium.Task.status | String | Task status. |
| Tanium.Task.type | String | Task type. |
| Tanium.Task.metadata | Unknown | Task metadata. |
| Tanium.Task.results | Unknown | Task results. |

Command Example#

!tanium-tr-get-task-by-id task_id=833

Context Example#

{
"Tanium": {
"Task": {
"createdAt": "2021-09-05T13:46:16.603Z",
"endTime": "2021-09-05T13:46:16.900Z",
"id": 833,
"metadata": {
"compress": "true",
"connection": "remote:hostname:123:",
"paths": [
"C:\\test.exe"
]
},
"results": {
"completed": [
"C:\\test.exe"
],
"failed": [],
"fileResults": [
{
"finalPath": "C:\\04828d87-a384-4a8b-a874-2438bf8b16ab.zip",
"response": {
"avgBytesPerSecond": 0,
"source": "C:\\test.exe",
"target": "C:\\temp\\36e80439-8866-4ada-9229-fb1e08f1a3f9",
"totalBytes": 55808,
"totalTimeMs": 205,
"transferHash": "a84417ee9d039891af43b267896db921a40838d8a17cc1be29785d031e5944d4"
}
}
]
},
"startTime": "2021-09-05T13:46:16.606Z",
"status": "COMPLETED",
"type": "fileDownload",
"updatedAt": "2021-09-05T13:46:16.603Z"
}
}
}

Human Readable Output#

Task information#

| Id | Status |
| --- | --- |
| 833 | COMPLETED |
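A playbook that requested a file download with tanium-tr-request-file-download usually polls tanium-tr-get-task-by-id until the task finishes and then checks that every requested path was actually delivered. The helper below is an added example, not code from the integration: it takes a Tanium.Task context object in the shape shown above and reduces it to a done/succeeded decision plus the artifact paths and transfer hashes a responder would record. The set of terminal statuses is an assumption (the page only shows STARTED and COMPLETED), and the sample task is constructed from the context example above.

```python
"""Interpret a Tanium.Task context object for a fileDownload task."""
from typing import Any, Dict, List

# Assumption: these are the statuses after which a task no longer changes.
TERMINAL_STATUSES = {"COMPLETED", "FAILED"}

# Constructed sample, shaped like the tanium-tr-get-task-by-id context above.
SAMPLE_TASK: Dict[str, Any] = {
    "id": 833,
    "type": "fileDownload",
    "status": "COMPLETED",
    "metadata": {
        "compress": "true",
        "connection": "remote:hostname:123:",
        "paths": ["C:\\test.exe"],
    },
    "results": {
        "completed": ["C:\\test.exe"],
        "failed": [],
        "fileResults": [
            {
                "finalPath": "C:\\04828d87-a384-4a8b-a874-2438bf8b16ab.zip",
                "response": {
                    "source": "C:\\test.exe",
                    "totalBytes": 55808,
                    "transferHash": "a84417ee9d039891af43b267896db921a40838d8a17cc1be29785d031e5944d4",
                },
            }
        ],
    },
}


def summarize_file_download_task(task: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce a fileDownload task to the facts a playbook branches on."""
    status = task.get("status")
    metadata = task.get("metadata") or {}
    results = task.get("results") or {}

    requested: List[str] = list(metadata.get("paths") or [])
    completed: List[str] = list(results.get("completed") or [])
    failed: List[str] = list(results.get("failed") or [])
    # Requested paths that appear in neither list: the task reported nothing
    # about them, so a COMPLETED status alone must not count as success.
    unaccounted = [p for p in requested if p not in completed and p not in failed]

    artifacts = []
    for file_result in results.get("fileResults") or []:
        response = file_result.get("response") or {}
        artifacts.append(
            {
                "source": response.get("source"),
                "final_path": file_result.get("finalPath"),
                "total_bytes": response.get("totalBytes"),
                "transfer_hash": response.get("transferHash"),
            }
        )

    done = status in TERMINAL_STATUSES
    return {
        "task_id": task.get("id"),
        "done": done,
        "succeeded": done and status == "COMPLETED" and not failed and not unaccounted,
        "completed": completed,
        "failed": failed,
        "unaccounted": unaccounted,
        "artifacts": artifacts,
        "error": task.get("error"),
    }


if __name__ == "__main__":
    print(summarize_file_download_task(SAMPLE_TASK))
```

Branch on `done` to decide whether to keep polling and on `succeeded` before treating the download as evidence; `unaccounted` is the case where the task reports COMPLETED without listing every path you asked for.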

tanium-tr-get-system-status#


Gets the system status: the list of reporting clients with the client IDs, hostnames, and IP addresses that a new connection can be created for.

Base Command#

tanium-tr-get-system-status

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of entries to return. Default is 50. | Optional |
| offset | The offset number to begin listing entries. Default is 0. | Optional |
| status | Comma-separated list of statuses. Only entries with one of these statuses are returned, for example status=Blocked,Leader. | Optional |
| ip_server | Comma-separated list of server IPs. Only entries with one of these server IPs are returned, for example ip_server=1.1.1.1,2.2.2.2. | Optional |
| ip_client | Comma-separated list of client IPs. Only entries with one of these client IPs are returned, for example ip_client=1.1.1.1,2.2.2.2. | Optional |
| hostname | Comma-separated list of hostnames. Only entries with one of these hostnames are returned, for example hostname=host1,host2. | Optional |
| port | Only entries registered on this port are returned, for example port=80. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Tanium.SystemStatus.clientId | Number | Client ID to use when creating a new connection. |
| Tanium.SystemStatus.computerId | Number | Computer ID. |
| Tanium.SystemStatus.hostName | String | Hostname to connect to. |
| Tanium.SystemStatus.ipaddressClient | String | Client IP address. |
| Tanium.SystemStatus.ipaddressServer | String | Server IP address. |
| Tanium.SystemStatus.lastRegistration | Date | Host last registration time. |
| Tanium.SystemStatus.portNumber | Number | Connection port number. |
| Tanium.SystemStatus.protocolVersion | Number | Connection protocol version. |
| Tanium.SystemStatus.publicKeyValid | Boolean | Whether the public key is valid. |
| Tanium.SystemStatus.status | String | Host status. |

Command Example#

!tanium-tr-get-system-status

Context Example#

{
"Tanium": {
"SystemStatus": [
{
"clientId": 11111,
"computerId": 11111,
"fullVersion": "7.2.314.3476",
"hostName": "tanium",
"ipaddressClient": "1.1.1.1",
"ipaddressServer": "1.1.1.1",
"lastRegistration": "2021-10-07T12:23:13Z",
"portNumber": 17472,
"protocolVersion": 314,
"publicKeyValid": true,
"receiveState": "None",
"registeredWithTls": false,
"sendState": "None",
"status": "Leader"
},
{
"clientId": 22222,
"computerId": 22222,
"fullVersion": "7.4.5.1204",
"hostName": "hostname1",
"ipaddressClient": "1.2.3.4",
"ipaddressServer": "1.2.3.4",
"lastRegistration": "2021-10-07T12:23:12Z",
"portNumber": 17472,
"protocolVersion": 315,
"publicKeyValid": true,
"receiveState": "None",
"registeredWithTls": true,
"sendState": "None",
"status": "Leader"
}
]
}
}

Human Readable Output#

Reporting clients#

| Host Name | Client Id | Ipaddress Client | Ipaddress Server | Port Number |
| --- | --- | --- | --- | --- |
| taniumlinux | 11111 | 1.1.1.1 | 1.1.1.1 | 17472 |
| hostname1 | 22222 | 1.2.3.4 | 1.2.3.4 | 17472 |
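The filter arguments above are ANDed with each other, while the values inside one comma-separated argument are alternatives. The code below is an added example, not part of the integration, that applies the same semantics client-side to a Tanium.SystemStatus list (useful when an automation already holds the full list and needs to narrow it, or to sanity-check what a filtered call should return). It also pulls out two fields a defender should look at before connecting to a host, registeredWithTls and publicKeyValid, which appear in the context example but not in the human-readable table. The sample entries are constructed from the context example above; hostname comparison being case-insensitive is this example's own assumption, and all function names are its own.

```python
"""Client-side filtering and review of Tanium.SystemStatus entries."""
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample, modelled on the two clients in the context example above.
SAMPLE_STATUS: List[Dict] = [
    {
        "clientId": 11111, "computerId": 11111, "hostName": "tanium",
        "ipaddressClient": "1.1.1.1", "ipaddressServer": "1.1.1.1",
        "portNumber": 17472, "protocolVersion": 314, "publicKeyValid": True,
        "registeredWithTls": False, "status": "Leader",
    },
    {
        "clientId": 22222, "computerId": 22222, "hostName": "hostname1",
        "ipaddressClient": "1.2.3.4", "ipaddressServer": "1.2.3.4",
        "portNumber": 17472, "protocolVersion": 315, "publicKeyValid": True,
        "registeredWithTls": True, "status": "Leader",
    },
]


def parse_csv_arg(value: Optional[str]) -> Optional[Set[str]]:
    """Turn 'a, b' into {'a', 'b'}; None or blank means 'no filter'."""
    if value is None or not value.strip():
        return None
    return {part.strip() for part in value.split(",") if part.strip()}


def filter_system_status(
    entries: Iterable[Dict],
    status: Optional[str] = None,
    ip_server: Optional[str] = None,
    ip_client: Optional[str] = None,
    hostname: Optional[str] = None,
    port: Optional[str] = None,
) -> List[Dict]:
    """Keep entries that satisfy every supplied filter; inside one filter any
    listed value matches. Assumption: hostnames compare case-insensitively."""
    wanted = {
        "status": parse_csv_arg(status),
        "ipaddressServer": parse_csv_arg(ip_server),
        "ipaddressClient": parse_csv_arg(ip_client),
        "hostName": parse_csv_arg(hostname),
    }
    if wanted["hostName"] is not None:
        wanted["hostName"] = {h.lower() for h in wanted["hostName"]}
    port_number = int(port) if port not in (None, "") else None

    kept = []
    for entry in entries:
        keep = True
        for field, allowed in wanted.items():
            if allowed is None:
                continue
            value = str(entry.get(field, ""))
            if field == "hostName":
                value = value.lower()
            if value not in allowed:
                keep = False
                break
        if keep and port_number is not None and entry.get("portNumber") != port_number:
            keep = False
        if keep:
            kept.append(entry)
    return kept


def weak_registrations(entries: Iterable[Dict]) -> List[Dict]:
    """Clients a reviewer should look at before connecting: registered without
    TLS, or with a public key the server does not consider valid."""
    return [
        e for e in entries
        if not e.get("registeredWithTls", False) or not e.get("publicKeyValid", False)
    ]


def connection_targets(entries: Iterable[Dict]) -> List[Dict]:
    """The per-host values the breaking-changes list names as arguments of
    tanium-tr-create-connection (client_id, hostname, ip)."""
    return [
        {"client_id": e["clientId"], "hostname": e["hostName"], "ip": e["ipaddressClient"]}
        for e in entries
    ]


if __name__ == "__main__":
    leaders = filter_system_status(SAMPLE_STATUS, status="Blocked,Leader", port="17472")
    print(connection_targets(leaders))
    print([e["hostName"] for e in weak_registrations(SAMPLE_STATUS)])
```

With the sample list, `weak_registrations` flags the first client (registeredWithTls is false) even though its status is Leader and its key is valid; that is the kind of entry to confirm with the endpoint owner before opening a live connection to it.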

tanium-tr-get-response-actions#


Returns the Response Actions matching the specified filters.

Base Command#

tanium-tr-get-response-actions

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| offset | Offset to start getting response actions. Default is 0. | Optional |
| limit | Maximum number of response actions to return. Default is 50. | Optional |
| sort_order | Whether to sort the results in ascending or descending order. Possible values are: asc, desc. Default is desc. | Optional |
| partial_computer_name | Filter on a partial computer name. | Optional |
| status | Filter on status. | Optional |
| type | Filter on type. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Tanium.ResponseActions.id | String | |
| Tanium.ResponseActions.type | String | |
| Tanium.ResponseActions.status | String | |
| Tanium.ResponseActions.computerName | String | |
| Tanium.ResponseActions.userId | String | |
| Tanium.ResponseActions.userName | String | |
| Tanium.ResponseActions.results.taskIds | String | |
| Tanium.ResponseActions.results.actionIds | String | |
| Tanium.ResponseActions.results.snapshotName | String | |
| Tanium.ResponseActions.results.uuid | String | |
| Tanium.ResponseActions.expirationTime | Date | |
| Tanium.ResponseActions.createdAt | Date | |
| Tanium.ResponseActions.updatedAt | Date | |
| Tanium.ResponseActions.eid | String | |

tanium-tr-response-action-gather-snapshot#


Creates a "gatherSnapshot" Response Action for the specified host.

Base Command#

tanium-tr-response-action-gather-snapshot

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| computer_name | Target computer name. | Required |
| expiration_time | How long the snapshot should persist, as a number and time unit (e.g., "7 days", "1 month"). Default is "7 days". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Tanium.ResponseActions.type | String | |
| Tanium.ResponseActions.computerName | String | |
| Tanium.ResponseActions.options | String | |
| Tanium.ResponseActions.status | String | |
| Tanium.ResponseActions.userId | String | |
| Tanium.ResponseActions.userName | String | |
| Tanium.ResponseActions.results | String | |
| Tanium.ResponseActions.expirationTime | Date | |
| Tanium.ResponseActions.createdAt | Date | |
| Tanium.ResponseActions.updatedAt | Date | |
| Tanium.ResponseActions.id | String | |
| Tanium.ResponseActions.eid | String | |

Breaking changes from the previous version of this integration - Tanium Threat Response v2#

The following sections list the changes in this version.

Commands#

The following commands were removed in this version:#

  • tanium-tr-list-snapshots-by-connection
  • tanium-tr-list-local-snapshots-by-connection
  • tanium-tr-get-connection-by-name
  • tanium-tr-get-parent-process-tree
  • tanium-tr-list-evidence
  • tanium-tr-get-process-timeline
  • tanium-tr-get-download-file-request-status - this command was replaced by tanium-tr-get-task-by-id.

Arguments#

The following arguments were removed in this version:#

In the tanium-tr-get-intel-doc-by-id command:

  • intel-doc-id - this argument was replaced by intel_doc_id.

In the tanium-tr-list-alerts command:

  • computer-ip-address - this argument was replaced by computer_ip_address.
  • computer-name - this argument was replaced by computer_name.
  • scan-config-id - this argument was replaced by scan_config_id.
  • intel-doc-id - this argument was replaced by intel_doc_id.

In the tanium-tr-get-alert-by-id command:

  • alert-id - this argument was replaced by alert_id.

In the tanium-tr-alert-update-state command:

  • alert-id - this argument was replaced by alert_ids.

In the tanium-tr-create-snapshot command:

  • connection-name - this argument was replaced by connection_id.

In the tanium-tr-delete-snapshot command:

  • connection-name - this argument was replaced by connection_id.
  • snapshot-id - this argument was replaced by snapshot_ids.

In the tanium-tr-delete-local-snapshot command:

  • connection-name - this argument was replaced by connection_id.
  • file-name - this argument was removed.

In the tanium-tr-create-connection command:

  • remote - this argument was removed.
  • destination-type - this argument was removed.
  • destination - this argument was removed.
  • connection-timeout - this argument was removed.
  • This command now accepts the new arguments client_id, ip, platform, and hostname.

In the tanium-tr-delete-connection command:

  • connection-name - this argument was replaced by connection_id.

In the tanium-tr-get-label-by-id command:

  • label-id - this argument was replaced by label_id.

In the tanium-tr-list-file-downloads command:

  • host - this argument was removed.

In the tanium-tr-get-downloaded-file command:

  • file-id - this argument was replaced by file_id.

In the tanium-tr-list-events-by-connection command:

  • connection-name - this argument was replaced by connection_id.
  • event-type - this argument was replaced by type.

In the tanium-tr-get-file-download-info command:

  • host - this argument was removed.
  • path - this argument was removed.
  • id - this argument was replaced by file_id.

In the tanium-tr-get-process-info command:

  • connection-name - this argument was replaced by connection_id.

In the tanium-tr-get-events-by-process command:

  • connection-name - this argument was replaced by connection_id.

In the tanium-tr-get-process-children command:

  • connection-name - this argument was replaced by connection_id.

In the tanium-tr-get-parent-process command:

  • connection-name - this argument was replaced by connection_id.

In the tanium-tr-get-process-tree command:

  • connection-name - this argument was replaced by connection_id.

In the tanium-tr-get-evidence-by-id command:

  • evidence-id - this argument was replaced by evidence_id.

In the tanium-tr-create-evidence command:

  • connection-name - this argument was replaced by connection_id.

In the tanium-tr-delete-evidence command:

  • evidence-id - this argument was replaced by evidence_ids.

In the tanium-tr-request-file-download command:

  • connection-name - this argument was replaced by connection_id.

In the tanium-tr-delete-file-download command:

  • file-id - this argument was replaced by file_id.

In the tanium-tr-list-files-in-directory command:

  • connection-name - this argument was replaced by connection_id.

In the tanium-tr-get-file-info command:

  • connection-name - this argument was replaced by connection_id.

In the tanium-tr-delete-file-from-endpoint command:

  • connection-name - this argument was replaced by connection_id.

The behavior of the following arguments was changed:#

In the tanium-tr-list-intel-docs command:

  • limit - the default value was changed to '50'.

Outputs#

The following outputs were removed in this version:#

In the tanium-tr-list-connections command:

  • Tanium.Connection.CreateTime - this output was removed.
  • Tanium.Connection.Name - this output was replaced by Tanium.Connection.hostname.
  • Tanium.Connection.Remote - this output was removed.
  • Tanium.Connection.State - this output was replaced by Tanium.Connection.status.
  • Tanium.Connection.Deleted - this output was removed.
  • Tanium.Connection.DestionationType - this output was removed.
  • Tanium.Connection.DST - this output was removed.
  • Tanium.Connection.OSName - this output was replaced by Tanium.Connection.platform.

In the tanium-tr-list-labels command:

  • Tanium.Label.CreatedAt - this output was replaced by Tanium.Label.createdAt.
  • Tanium.Label.Description - this output was replaced by Tanium.Label.description.
  • Tanium.Label.ID - this output was replaced by Tanium.Label.id.
  • Tanium.Label.IndicatorCount - this output was replaced by Tanium.Label.indicatorCount.
  • Tanium.Label.Name - this output was replaced by Tanium.Label.name.
  • Tanium.Label.SignalCount - this output was replaced by Tanium.Label.signalCount.
  • Tanium.Label.UpdatedAt - this output was replaced by Tanium.Label.updatedAt.

In the tanium-tr-get-label-by-id command:

  • Tanium.Label.CreatedAt - this output was replaced by Tanium.Label.createdAt.
  • Tanium.Label.Description - this output was replaced by Tanium.Label.description.
  • Tanium.Label.ID - this output was replaced by Tanium.Label.id.
  • Tanium.Label.IndicatorCount - this output was replaced by Tanium.Label.indicatorCount.
  • Tanium.Label.Name - this output was replaced by Tanium.Label.name.
  • Tanium.Label.SignalCount - this output was replaced by Tanium.Label.signalCount.
  • Tanium.Label.UpdatedAt - this output was replaced by Tanium.Label.updatedAt.

In the tanium-tr-list-file-downloads command:

  • Tanium.FileDownload.Size - this output was replaced by Tanium.FileDownload.size.
  • Tanium.FileDownload.Path - this output was replaced by Tanium.FileDownload.path.
  • Tanium.FileDownload.Downloaded - this output was replaced by Tanium.FileDownload.downloaded.
  • Tanium.FileDownload.Host - this output was replaced by Tanium.FileDownload.hostname.
  • Tanium.FileDownload.Created - this output was replaced by Tanium.FileDownload.processCreationTime.
  • Tanium.FileDownload.Hash - this output was replaced by Tanium.FileDownload.hash.
  • Tanium.FileDownload.SPath - this output was removed.
  • Tanium.FileDownload.ID - this output was replaced by Tanium.FileDownload.uuid.
  • Tanium.FileDownload.LastModified - this output was replaced by Tanium.FileDownload.lastModified.
  • Tanium.FileDownload.CreatedBy - this output was replaced by Tanium.FileDownload.createdBy.
  • Tanium.FileDownload.CreatedByProc - this output was replaced by Tanium.FileDownload.createdByProc.
  • Tanium.FileDownload.LastModifiedBy - this output was replaced by Tanium.FileDownload.lastModifiedBy.
  • Tanium.FileDownload.LastModifiedByProc - this output was replaced by Tanium.FileDownload.lastModifiedByProc.
  • Tanium.FileDownload.Comments - this output was removed.
  • Tanium.FileDownload.Tags - this output was removed.
  • Tanium.FileDownload.Deleted - this output was removed.

In the tanium-tr-list-events-by-connection command:

  • TaniumEvent.Domain - this output was removed.
  • TaniumEvent.File - this output was replaced by TaniumEvent.file.
  • TaniumEvent.Operation - this output was replaced by TaniumEvent.operation.
  • TaniumEvent.ProcessID - this output was replaced by TaniumEvent.pid.
  • TaniumEvent.ProcessName - this output was removed.
  • TaniumEvent.ProcessTableID - this output was replaced by TaniumEvent.processTableId.
  • TaniumEvent.Timestamp - this output was removed.
  • TaniumEvent.Username - this output was replaced by TaniumEvent.userName.
  • TaniumEvent.DestinationAddress - this output was replaced by TaniumEvent.remoteAddress.
  • TaniumEvent.DestinationPort - this output was replaced by TaniumEvent.remoteAddressPort.
  • TaniumEvent.SourceAddress - this output was replaced by TaniumEvent.localAddress.
  • TaniumEvent.SourcePort - this output was replaced by TaniumEvent.localAddressPort.
  • TaniumEvent.KeyPath - this output was replaced by TaniumEvent.keyPath.
  • TaniumEvent.ValueName - this output was replaced by TaniumEvent.valueName.
  • TaniumEvent.ExitCode - this output was replaced by TaniumEvent.exitCode.
  • TaniumEvent.ProcessCommandLine - this output was replaced by TaniumEvent.processCommandLine.
  • TaniumEvent.ProcessHash - this output was removed.
  • TaniumEvent.SID - this output was removed.
  • TaniumEvent.Hashes - this output was replaced by TaniumEvent.hashes.
  • TaniumEvent.ImageLoaded - this output was replaced by TaniumEvent.imageLoaded.
  • TaniumEvent.Signature - this output was replaced by TaniumEvent.signature.
  • TaniumEvent.Signed - this output was replaced by TaniumEvent.signed.
  • TaniumEvent.EventID - this output was replaced by TaniumEvent.eventId.
  • TaniumEvent.EventOpcode - this output was replaced by TaniumEvent.eventOpcode.
  • TaniumEvent.EventRecordID - this output was replaced by TaniumEvent.eventRecordId.
  • TaniumEvent.EventTaskID - this output was replaced by TaniumEvent.eventTaskId.
  • TaniumEvent.Query - this output was replaced by TaniumEvent.query.
  • TaniumEvent.Response - this output was replaced by TaniumEvent.response.
  • TaniumEvent.ImagePath - this output was replaced by TaniumEvent.imagePath.
  • TaniumEvent.CreationTime - this output was replaced by TaniumEvent.createTime.
  • TaniumEvent.EndTime - this output was replaced by TaniumEvent.endTime.
  • TaniumEvent.EventTaskName - this output was replaced by TaniumEvent.eventTaskName.
  • TaniumEvent.Property.Name - this output was removed.
  • TaniumEvent.Property.Value - this output was removed.

In the tanium-tr-get-file-download-info command:

  • Tanium.FileDownload.Size - this output was replaced by Tanium.FileDownload.size.
  • Tanium.FileDownload.Path - this output was replaced by Tanium.FileDownload.path.
  • Tanium.FileDownload.Downloaded - this output was replaced by Tanium.FileDownload.downloaded.
  • Tanium.FileDownload.Host - this output was replaced by Tanium.FileDownload.hostname.
  • Tanium.FileDownload.Created - this output was replaced by Tanium.FileDownload.processCreationTime.
  • Tanium.FileDownload.Hash - this output was replaced by Tanium.FileDownload.hash.
  • Tanium.FileDownload.SPath - this output was removed.
  • Tanium.FileDownload.ID - this output was replaced by Tanium.FileDownload.uuid.
  • Tanium.FileDownload.LastModified - this output was replaced by Tanium.FileDownload.lastModified.
  • Tanium.FileDownload.CreatedBy - this output was replaced by Tanium.FileDownload.createdBy.
  • Tanium.FileDownload.CreatedByProc - this output was replaced by Tanium.FileDownload.createdByProc.
  • Tanium.FileDownload.LastModifiedBy - this output was replaced by Tanium.FileDownload.lastModifiedBy.
  • Tanium.FileDownload.LastModifiedByProc - this output was replaced by Tanium.FileDownload.lastModifiedByProc.
  • Tanium.FileDownload.Comments - this output was removed.
  • Tanium.FileDownload.Tags - this output was removed.
  • Tanium.FileDownload.Deleted - this output was removed.

In the tanium-tr-get-process-info command:

  • Tanium.Process.CreateTime - this output was replaced by Tanium.ProcessInfo.createTime.
  • Tanium.Process.Domain - this output was removed.
  • Tanium.Process.ExitCode - this output was replaced by Tanium.ProcessInfo.exitCode.
  • Tanium.Process.ProcessCommandLine - this output was removed.
  • Tanium.Process.ProcessID - this output was replaced by Tanium.ProcessInfo.pid.
  • Tanium.Process.ProcessName - this output was removed.
  • Tanium.Process.ProcessTableId - this output was replaced by Tanium.ProcessInfo.processTableId.
  • Tanium.Process.SID - this output was removed.
  • Tanium.Process.Username - this output was replaced by Tanium.ProcessInfo.userName.

In the tanium-tr-get-events-by-process command:

  • Tanium.ProcessEvent.ID - this output was replaced by Tanium.ProcessEvent.id.
  • Tanium.ProcessEvent.Detail - this output was replaced by Tanium.ProcessEvent.detail.
  • Tanium.ProcessEvent.Operation - this output was replaced by Tanium.ProcessEvent.operation.
  • Tanium.ProcessEvent.Timestamp - this output was replaced by Tanium.ProcessEvent.timestamp.
  • Tanium.ProcessEvent.Type - this output was replaced by Tanium.ProcessEvent.type.

In the tanium-tr-get-process-children command:

  • Tanium.ProcessChildren.ID - this output was replaced by Tanium.ProcessChildren.id.
  • Tanium.ProcessChildren.Name - this output was removed.
  • Tanium.ProcessChildren.PID - this output was replaced by Tanium.ProcessChildren.pid.
  • Tanium.ProcessChildren.PTID - this output was replaced by Tanium.ProcessChildren.parentProcessTableId.
  • Tanium.ProcessChildren.Parent - this output was removed.

In the tanium-tr-get-parent-process command:

  • Tanium.Process.CreateTime - this output was replaced by Tanium.ProcessParent.createTime.
  • Tanium.Process.Domain - this output was removed.
  • Tanium.Process.ExitCode - this output was replaced by Tanium.ProcessParent.exitCode.
  • Tanium.Process.ProcessCommandLine - this output was removed.
  • Tanium.Process.ProcessID - this output was replaced by Tanium.ProcessParent.pid.
  • Tanium.Process.ProcessName - this output was removed.
  • Tanium.Process.ProcessTableId - this output was replaced by Tanium.ProcessParent.processTableId.
  • Tanium.Process.SID - this output was removed.
  • Tanium.Process.Username - this output was replaced by Tanium.ProcessParent.userName.

In the tanium-tr-get-process-tree command:

  • Tanium.ProcessTree.ID - this output was replaced by Tanium.ProcessTree.id.
  • Tanium.ProcessTree.Name - this output was removed.
  • Tanium.ProcessTree.PID - this output was replaced by Tanium.ProcessTree.pid.
  • Tanium.ProcessTree.PTID - this output was replaced by Tanium.ProcessTree.parentProcessTableId.
  • Tanium.ProcessTree.Parent - this output was removed.
  • Tanium.ProcessTree.Children - this output was replaced by Tanium.ProcessTree.childrenCount.

In the tanium-tr-get-evidence-by-id command:

  • Tanium.Evidence.ID - this output was replaced by Tanium.Evidence.uuid.
  • Tanium.Evidence.CreatedAt - this output was replaced by Tanium.Evidence.createTime.
  • Tanium.Evidence.LastModified - this output was removed.
  • Tanium.Evidence.User - this output was replaced by Tanium.Evidence.username.
  • Tanium.Evidence.ConnectionName - this output was replaced by Tanium.Evidence.hostname.
  • Tanium.Evidence.Type - this output was replaced by Tanium.Evidence.type.
  • Tanium.Evidence.ProcessTableId - this output was removed.
  • Tanium.Evidence.Timestamp - this output was replaced by Tanium.Evidence.timestamp.
  • Tanium.Evidence.Summary - this output was replaced by Tanium.Evidence.summary.
  • Tanium.Evidence.Comments - this output was removed.
  • Tanium.Evidence.Tags - this output was removed.
  • Tanium.Evidence.Deleted - this output was removed.

In the tanium-tr-request-file-download command:

  • Tanium.FileDownload.Path - this output was replaced by Tanium.FileDownloadTask.paths.
  • Tanium.FileDownload.ConnectionName - this output was replaced by Tanium.FileDownloadTask.connection.
  • Tanium.FileDownload.Downloaded - this output was removed.
  • Tanium.FileDownload.Status - this output was replaced by Tanium.FileDownloadTask.status.
  • Tanium.FileDownload.ID - this output was replaced by Tanium.FileDownloadTask.taskId.

In the tanium-tr-list-files-in-directory command:

  • Tanium.File.Created - this output was replaced by Tanium.File.createdDate.
  • Tanium.File.Size - this output was replaced by Tanium.File.size.
  • Tanium.File.IsDirectory - this output was replaced by Tanium.File.type.
  • Tanium.File.LastModified - this output was replaced by Tanium.File.modifiedDate.
  • Tanium.File.Path - this output was replaced by Tanium.File.path.
  • Tanium.File.Permissions - this output was replaced by Tanium.File.permissions.
  • Tanium.File.ConnectionName - this output was replaced by Tanium.File.connectionId.
  • Tanium.File.Deleted - this output was removed.

In the tanium-tr-get-file-info command:

  • Tanium.File.Created - this output was replaced by Tanium.File.createdDate.
  • Tanium.File.Size - this output was replaced by Tanium.File.size.
  • Tanium.File.IsDirectory - this output was replaced by Tanium.File.type.
  • Tanium.File.LastModified - this output was replaced by Tanium.File.modifiedDate.
  • Tanium.File.Path - this output was replaced by Tanium.File.path.
  • Tanium.File.ConnectionName - this output was replaced by Tanium.File.connectionId.
  • Tanium.File.Deleted - this output was removed.