Tanium v2
This Integration is part of the Tanium Pack.
Tanium endpoint security and systems management. This integration was integrated and tested with version 7.3.0 of Tanium server.
Tanium v2 Playbooks
- Tanium - Ask Question
- Tanium - Get Saved Question Result
Use Cases
- Create questions, groups, packages, etc. on the Tanium Server.
- Deploy packages to machine groups.
- Get information about sensors, packages, actions, hosts, etc.
Detailed Description
Integration with the Tanium REST API, available from Tanium version 7.3.0. You can manage questions, actions, saved questions, packages and sensor information. The integration was tested with version 4.x of Tanium Threat Response and is compatible with it.
Configuration Parameters
- Hostname - The network address of the Tanium server host.
- Domain - The Tanium user domain. Relevant when there is more than one domain inside Tanium.
- Credentials - The credentials should be the same as the Tanium client.
Configure Tanium v2 on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for Tanium v2.
- Click Add instance to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Hostname, IP address, or server URL.
- Domain
- Credentials OR API Token
- Trust any certificate (not secure)
- Use system proxy settings
- Click Test to validate the new instance.
Authentication Options
- Basic Authentication - to authenticate using basic authentication fill in the username and password into the corresponding fields and leave the API Token field empty. The username and password should be the same as the Tanium client.
- OAuth 2.0 Authentication - To use OAuth 2.0 follow the next steps:
- Follow the instructions here to create an API token.
- Paste the generated API Token into the API Token parameter in the instance configuration, and leave the username and password fields empty.
- Click the Test button to validate the instance configuration.
- Trusted IP Addresses: by default, the Tanium Server blocks API tokens from all addresses except registered Tanium Module Servers. To add allowed IP addresses for any API token, add the IP addresses to the api_token_trusted_ip_address_list global setting. To add allowed IP addresses for an individual API token, specify the IP addresses in the trusted_ip_addresses field of the api_token object.
- Expiration Time: by default, an api_token is valid for seven days. To change the expiration timeframe, edit the api_token_expiration_in_days global setting (minimum value is 1), or include a value with the expire_in_days field when you create the token.
- To edit a global setting in the Tanium platform, go to Administration -> Global Settings and search for the setting you would like to edit.
- For more information see the Tanium documentation.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Returns a package object based on name or ID: tn-get-package
- Asks the server to parse the question text and choose the first parsed result as the question to run: tn-ask-question
- Returns the question result based on question ID: tn-get-question-result
- Returns a list of all sensors: tn-list-sensors
- Returns detailed information about a sensor object based on name or ID: tn-get-sensor
- Creates a saved question object: tn-create-saved-question
- Returns all saved questions: tn-list-saved-questions
- Returns the saved question result based on the saved question ID: tn-get-saved-question-result
- Returns all client details: tn-get-system-status
- Creates a package object: tn-create-package
- Returns all package information: tn-list-packages
- Returns a question object based on question ID: tn-get-question-metadata
- Returns all saved actions: tn-list-saved-actions
- Returns a saved action object based on name or ID: tn-get-saved-action
- Returns a saved question object based on name or ID: tn-get-saved-question-metadata
- Creates a saved action object: tn-create-saved-action
- Creates an action object based on the package name or the package ID: tn-create-action
- Returns all actions: tn-list-actions
- Returns an action object based on ID: tn-get-action
- Retrieves all saved action approval definitions on the server: tn-list-saved-actions-pending-approval
- Returns a group object based on ID or name: tn-get-group
- Creates a group object based on computers or IP addresses list: tn-create-manual-group
- Creates a group object based on text filter: tn-create-filter-based-group
- Returns all groups: tn-list-groups
- Deletes a group object: tn-delete-group
- Creates an action object, based on a package name or package ID: tn-create-action-by-host
1. tn-get-package
Returns a package object based on name or ID.
Base Command
tn-get-package
Input
Argument Name | Description | Required |
---|---|---|
name | The name of the package. | Optional |
id | The package ID. Package ID or package name is required. When both exist, ID is used. | Optional |
Context Output
Path | Type | Description |
---|---|---|
TaniumPackage.Command | String | The command to run. |
TaniumPackage.CommandTimeout | Number | Timeout in seconds for the command execution. |
TaniumPackage.ContentSet.Id | Number | The ID of the content set to associate with the package. |
TaniumPackage.ContentSet.Name | String | The name of the content set to associate with the package. |
TaniumPackage.CreationTime | String | The time and date when this object was created in the database. |
TaniumPackage.DisplayName | String | The name of the package that displays in the user interface. |
TaniumPackage.ExpireSeconds | Number | Timeout in seconds for the action. |
TaniumPackage.Files.Hash | String | The SHA-256 hash of the contents of the file. |
TaniumPackage.Files.Id | Number | The unique ID of the package_file object. |
TaniumPackage.Files.Name | String | The unique name of the package_file object. |
TaniumPackage.ID | Number | The unique ID of the package_spec object. |
TaniumPackage.LastModifiedBy | String | The user who most recently modified this object. |
TaniumPackage.LastUpdate | String | The most recent time and date when this object was modified. |
TaniumPackage.ModUser.Domain | String | The domain of the user who most recently modified this object. |
TaniumPackage.ModUser.Id | Number | The ID of the user who most recently modified this object. |
TaniumPackage.ModUser.Name | String | The name of the user who most recently modified this object. |
TaniumPackage.ModificationTime | String | The most recent time and date when this object was modified. |
TaniumPackage.Name | String | The unique name of the package_spec object. |
TaniumPackage.Parameters.Values | String | The parameter values. |
TaniumPackage.Parameters.Label | String | Parameter description. |
TaniumPackage.Parameters.Key | String | The attribute name of the parameter. |
TaniumPackage.Parameters.ParameterType | String | The type of parameter. |
TaniumPackage.SourceId | Number | The ID of the package into which the parameters are substituted. |
TaniumPackage.VerifyExpireSeconds | Number | A verification failure timeout. The time begins with the start of the action. If the action cannot be verified by the timeout, the action status is reported as failed. |
Command Example
!tn-get-package id=225
Context Example
{ "TaniumPackage": { "Command": "cmd /c cscript ApplyWindowsQuarantine.vbs \"$1\" \"$2\" \"$3\" \"$4\" \"$5\" \"$6\" \"$7\" \"$8\" \"$9\"", "CommandTimeout": 180, "ContentSet": { "Id": 32, "Name": "Incident Response" }, "CreationTime": "2019-09-19T13:57:35Z", "DisplayName": "Apply Windows IPsec Quarantine", "ExpireSeconds": 780, "Files": [ { "Hash": "26cab9aaddf7d0e1ecf4113dee1ee976f6df9070a1f9edf3fa9e10bc63eb6a94", "ID": 699, "Name": "PortTester.exe" }, { "Hash": "7a2aaaf742831abf22918e4726181f25aa8b32c1dcb6b500824fe5e5ffec25fb", "ID": 700, "Name": "taniumquarantine.dat" }, { "Hash": "b2dfeab931f5938c52df84b8e6b157e698c508c7723b23505659e5ae659fcf6f", "ID": 701, "Name": "ApplyWindowsQuarantine.vbs" } ], "ID": 225, "LastModifiedBy": "administrator", "LastUpdate": "2019-09-19T13:57:35Z", "ModificationTime": "2019-09-19T13:57:35Z", "Name": "Apply Windows IPsec Quarantine", "Parameters": [ { "Key": "$1", "Label": "Apply Custom Config (below)", "ParameterType": "com.tanium.components.parameters::CheckBoxParameter", "Values": null }, { "Key": null, "Label": null, "ParameterType": "com.tanium.components.parameters::SeparatorParameter", "Values": null }, { "Key": "$2", "Label": "Allow All DHCP", "ParameterType": "com.tanium.components.parameters::CheckBoxParameter", "Values": null }, { "Key": "$3", "Label": "Allow All DNS", "ParameterType": "com.tanium.components.parameters::CheckBoxParameter", "Values": null }, { "Key": "$4", "Label": "Allow All Tanium Servers", "ParameterType": "com.tanium.components.parameters::CheckBoxParameter", "Values": null }, { "Key": "$5", "Label": "Validate Tanium Server Availability", "ParameterType": "com.tanium.components.parameters::CheckBoxParameter", "Values": null }, { "Key": "$6", "Label": "Notification Message", "ParameterType": "com.tanium.components.parameters::TextAreaParameter", "Values": null }, { "Key": "$7", "Label": "Custom Quarantine Rules", "ParameterType": "com.tanium.components.parameters::TextAreaParameter", "Values": null 
}, { "Key": "$8", "Label": "Alternate Tanium Servers", "ParameterType": "com.tanium.components.parameters::TextInputParameter", "Values": null }, { "Key": "$9", "Label": "VPN Servers", "ParameterType": "com.tanium.components.parameters::TextInputParameter", "Values": null } ], "SourceId": 0, "VerifyExpireSeconds": 600 } }
Human Readable Output
Package information
Command | CommandTimeout | ContentSet | CreationTime | DisplayName | ExpireSeconds | ID | LastModifiedBy | LastUpdate | ModUser | ModificationTime | Name | SourceId | VerifyExpireSeconds |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
cmd /c cscript ApplyWindowsQuarantine.vbs "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9" | 180 | Id: 32, Name: Incident Response | 2019-09-19T13:57:35Z | Apply Windows IPsec Quarantine | 780 | 225 | administrator | 2019-09-19T13:57:35Z | | 2019-09-19T13:57:35Z | Apply Windows IPsec Quarantine | 0 | 600 |
Parameters information
Key | Label | ParameterType | Values |
---|---|---|---|
$1 | Apply Custom Config (below) | com.tanium.components.parameters::CheckBoxParameter | |
| | | com.tanium.components.parameters::SeparatorParameter | |
$2 | Allow All DHCP | com.tanium.components.parameters::CheckBoxParameter | |
$3 | Allow All DNS | com.tanium.components.parameters::CheckBoxParameter | |
$4 | Allow All Tanium Servers | com.tanium.components.parameters::CheckBoxParameter | |
$5 | Validate Tanium Server Availability | com.tanium.components.parameters::CheckBoxParameter | |
$6 | Notification Message | com.tanium.components.parameters::TextAreaParameter | |
$7 | Custom Quarantine Rules | com.tanium.components.parameters::TextAreaParameter | |
$8 | Alternate Tanium Servers | com.tanium.components.parameters::TextInputParameter | |
$9 | VPN Servers | com.tanium.components.parameters::TextInputParameter | |
Files information
Hash | ID | Name |
---|---|---|
26cab9aaddf7d0e1ecf4113dee1ee976f6df9070a1f9edf3fa9e10bc63eb6a94 | 699 | PortTester.exe |
7a2aaaf742831abf22918e4726181f25aa8b32c1dcb6b500824fe5e5ffec25fb | 700 | taniumquarantine.dat |
b2dfeab931f5938c52df84b8e6b157e698c508c7723b23505659e5ae659fcf6f | 701 | ApplyWindowsQuarantine.vbs |
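The `Command` and `Files.Hash` fields returned by tn-get-package are enough to check a package against a reviewed baseline before it is deployed. The following is an added example, not code from the integration: `audit_package` and the baseline layout are assumptions, the package data is trimmed from the Context Example above, and the tampered copy is constructed.

```python
import copy
import re

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Trimmed from the tn-get-package Context Example on this page.
PAGE_PACKAGE = {
    "Command": 'cmd /c cscript ApplyWindowsQuarantine.vbs "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9"',
    "ID": 225,
    "Name": "Apply Windows IPsec Quarantine",
    "Files": [
        {"Hash": "26cab9aaddf7d0e1ecf4113dee1ee976f6df9070a1f9edf3fa9e10bc63eb6a94",
         "ID": 699, "Name": "PortTester.exe"},
        {"Hash": "7a2aaaf742831abf22918e4726181f25aa8b32c1dcb6b500824fe5e5ffec25fb",
         "ID": 700, "Name": "taniumquarantine.dat"},
        {"Hash": "b2dfeab931f5938c52df84b8e6b157e698c508c7723b23505659e5ae659fcf6f",
         "ID": 701, "Name": "ApplyWindowsQuarantine.vbs"},
    ],
}


def make_baseline(package):
    """Pin the command line and the file-name -> SHA-256 map of a reviewed package."""
    return {
        "Command": package["Command"],
        "Files": {f["Name"]: f["Hash"].lower() for f in package.get("Files") or []},
    }


def audit_package(package, baseline):
    """Compare a TaniumPackage context object with a pinned baseline.

    Returns a list of findings; an empty list means the package matches.
    """
    findings = []
    if package.get("Command") != baseline["Command"]:
        findings.append("command changed")

    current = {}
    for entry in package.get("Files") or []:
        name = entry.get("Name")
        digest = (entry.get("Hash") or "").lower()
        if not SHA256_RE.match(digest):
            findings.append(f"malformed hash: {name}")
        current[name] = digest

    pinned = baseline["Files"]
    for name in sorted(pinned.keys() - current.keys()):
        findings.append(f"missing file: {name}")
    for name in sorted(current.keys() - pinned.keys()):
        findings.append(f"unexpected file: {name}")
    for name in sorted(pinned.keys() & current.keys()):
        if current[name] != pinned[name]:
            findings.append(f"hash mismatch: {name}")
    return findings


def tampered_copy(package):
    """Constructed sample: one file hash replaced and one extra file attached."""
    changed = copy.deepcopy(package)
    changed["Files"][2]["Hash"] = "0" * 64
    changed["Files"].append({"Hash": "1" * 64, "ID": 9999, "Name": "unreviewed.bin"})
    return changed


if __name__ == "__main__":
    baseline = make_baseline(PAGE_PACKAGE)
    print(audit_package(PAGE_PACKAGE, baseline))
    print(audit_package(tampered_copy(PAGE_PACKAGE), baseline))
```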
2. tn-ask-question
Asks the server to parse the question text and choose the first parsed result as the question to run.
Base Command
tn-ask-question
Input
Argument Name | Description | Required |
---|---|---|
question-text | The question text. | Required |
parameters | The question parameters. For example, sensor1{key1=val1;key2=val2};sensor2{key1=val1}. | Optional |
Context Output
Path | Type | Description |
---|---|---|
Tanium.Question.ID | Number | The unique ID of the question object. |
Command Example
!tn-ask-question question-text=`Get IP Address from all machines`
Context Example
{ "Tanium.Question": { "ID": 50500 } }
Human Readable Output
New question created. ID = 50500
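In the `parameters` format, `;` separates both the key=value pairs inside braces and the sensor blocks outside them, so a plain split on `;` or a value that itself contains `;`, `{` or `}` changes the structure. The following is an added example, not the integration's own code: the function names are assumptions and "Chrome" is a constructed value. It builds the string from a dictionary, rejecting values that cannot be represented, and parses it back.

```python
import re


class QuestionParameterError(ValueError):
    """The text does not follow sensor{key=val;key=val};sensor{...}."""


# Characters that delimit the format and so cannot appear in a name or value.
_RESERVED = set("{};")
# One "sensor{body}" block: a name without delimiters, then a brace-free body.
_BLOCK = re.compile(r"\s*([^{};]+?)\s*\{([^{}]*)\}\s*")


def _check(label, item, extra=""):
    """Reject empty items and items containing a delimiter character."""
    bad = (_RESERVED | set(extra)) & set(item)
    if bad or not item.strip():
        raise QuestionParameterError(f"{label} {item!r} is empty or contains a delimiter")


def build_question_parameters(sensors):
    """Serialise {sensor: {key: value}} into the tn-ask-question format."""
    blocks = []
    for sensor, params in sensors.items():
        _check("sensor", sensor)
        pairs = []
        for key, value in params.items():
            _check("key", key, extra="=")
            value = str(value)
            if _RESERVED & set(value):
                raise QuestionParameterError(f"value {value!r} contains a delimiter")
            pairs.append(f"{key}={value}")
        blocks.append(sensor + "{" + ";".join(pairs) + "}")
    return ";".join(blocks)


def parse_question_parameters(text):
    """Return {sensor: {key: value}} for a parameters string."""
    text = text.strip()
    parsed, pos = {}, 0
    while pos < len(text):
        block = _BLOCK.match(text, pos)
        if block is None:
            raise QuestionParameterError(f"expected sensor{{...}} at offset {pos}")
        sensor, body = block.group(1), block.group(2)
        if sensor in parsed:
            raise QuestionParameterError(f"sensor listed twice: {sensor!r}")
        params = {}
        for pair in body.split(";"):
            if not pair.strip():
                continue  # tolerate an empty body or a trailing ';'
            key, eq, value = pair.partition("=")
            if not eq or not key.strip():
                raise QuestionParameterError(f"expected key=value, got {pair!r}")
            params[key.strip()] = value.strip()
        parsed[sensor] = params
        pos = block.end()
        if pos < len(text):
            if text[pos] != ";":
                raise QuestionParameterError(f"expected ';' at offset {pos}")
            pos += 1
    return parsed


if __name__ == "__main__":
    # The format string given in the Input table above.
    print(parse_question_parameters("sensor1{key1=val1;key2=val2};sensor2{key1=val1}"))
    # Sensor name and parameter key from the tn-get-sensor example; value constructed.
    print(build_question_parameters({"Installed Application Version": {"application": "Chrome"}}))
```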
3. tn-get-question-result
Returns the question result based on question ID.
Base Command
tn-get-question-result
Input
Argument Name | Description | Required |
---|---|---|
question-id | The question ID. | Required |
Context Output
Path | Type | Description |
---|---|---|
Tanium.QuestionResult.QuestionID | Number | The unique ID of the question object. |
Tanium.QuestionResult.Results | Unknown | The question results. |
Tanium.QuestionResult.Status | String | The status of the question request. Can be: "Completed" or "Pending". |
Command Example
!tn-get-question-result question-id=50477
Context Example
{ "Tanium.QuestionResult": { "QuestionID": "50477", "Status": "Pending" } }
Human Readable Output
Question is still executing, Question id: 50477
4. tn-list-sensors
Returns a list of all sensors.
Base Command
tn-list-sensors
Input
Argument Name | Description | Required |
---|---|---|
limit | The maximum number of sensors to return. | Optional |
Context Output
Path | Type | Description |
---|---|---|
TaniumSensor.Category | String | The category that includes this sensor. |
TaniumSensor.ContentSetId | Number | The ID of the content set to associate with the sensor. |
TaniumSensor.ContentSetName | String | The name of the content set to associate with the sensor. |
TaniumSensor.CreationTime | String | The time and date when this object was created in the database. |
TaniumSensor.Description | String | A description for the sensor. |
TaniumSensor.Hash | String | The hash ID of the sensor. |
TaniumSensor.ID | Number | The unique ID of the sensor object. |
TaniumSensor.IgnoreCaseFlag | Boolean | Whether to ignore the case flag of the sensor. Default is 1, which means the case flag is ignored. |
TaniumSensor.KeepDuplicatesFlag | Boolean | Whether to keep duplicate values in the sensor results. Default is 1 which keeps duplicate values instead of returning each unique value once. |
TaniumSensor.LastModifiedBy | String | The name of the user who last modified this object. |
TaniumSensor.MaxAgeSeconds | Number | The maximum age in seconds of a sensor result before it is invalid. When results are half this value, the sensor is re-evaluated. |
TaniumSensor.ModUserDomain | String | The domain of the user who most recently modified this object. |
TaniumSensor.ModUserId | Number | The ID of the user who most recently modified this object. |
TaniumSensor.ModUserName | String | The name of the user who most recently modified this object. |
TaniumSensor.ModificationTime | String | The most recent time and date when this object was modified. |
TaniumSensor.Name | String | The name of the sensor. |
TaniumSensor.SourceId | Number | The ID of the sensor into which the parameters are substituted. If specified, source_hash may be omitted. |
Command Example
!tn-list-sensors limit=1
Context Example
{ "TaniumSensor": [ { "Category": "Network", "ContentSetId": 10, "ContentSetName": "Network", "CreationTime": "2019-07-17T20:13:49Z", "Description": "Returns the SSID (name) of a wireless network a machine is connected to.\nExample: linksys", "Hash": "1466668831", "ID": 232, "IgnoreCaseFlag": true, "KeepDuplicatesFlag": false, "LastModifiedBy": "administrator", "MaxAgeSeconds": 900, "ModUserDomain": "EC2AMAZ-N5ETQVT", "ModUserId": 1, "ModUserName": "administrator", "ModificationTime": "2019-07-17T20:13:49Z", "Name": "Wireless Network Connected SSID", "SourceId": 0 } ] }
Human Readable Output
Sensors
Category | ContentSetId | ContentSetName | CreationTime | Description | Hash | ID | IgnoreCaseFlag | KeepDuplicatesFlag | LastModifiedBy | MaxAgeSeconds | ModUserDomain | ModUserId | ModUserName | ModificationTime | Name | SourceId |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Network | 10 | Network | 2019-07-17T20:13:49Z | Returns the SSID (name) of a wireless network a machine is connected to. Example: linksys | 1466668831 | 232 | true | false | administrator | 900 | EC2AMAZ-N5ETQVT | 1 | administrator | 2019-07-17T20:13:49Z | Wireless Network Connected SSID | 0 |
5. tn-get-sensor
Returns detailed information about a sensor object based on name or ID.
Base Command
tn-get-sensor
Input
Argument Name | Description | Required |
---|---|---|
id | The sensor ID. | Optional |
name | The name of the sensor. | Optional |
Context Output
Path | Type | Description |
---|---|---|
TaniumSensor.Category | String | The category that includes this sensor. |
TaniumSensor.ContentSetId | Number | The ID of the content_set to associate with the sensor. |
TaniumSensor.ContentSetName | String | The name of the content_set to associate with the sensor. |
TaniumSensor.CreationTime | String | The date and time when this object was created in the database. |
TaniumSensor.Description | String | A description for the sensor. |
TaniumSensor.Hash | String | The hash ID of the sensor. |
TaniumSensor.ID | Number | The unique ID of the sensor object. |
TaniumSensor.IgnoreCaseFlag | Boolean | Ignore the case flag. Default is 1, which means the case flag is ignored. |
TaniumSensor.KeepDuplicatesFlag | Boolean | Keep duplicates flag in the sensor results. Default is 1, which preserves duplicate values in sensor results instead of only returning each unique value once. |
TaniumSensor.LastModifiedBy | String | The name of the user who last modified this object. |
TaniumSensor.MaxAgeSeconds | Number | The maximum age in seconds of a sensor result before it is invalid. When results are half this value, the sensor is re-evaluated. |
TaniumSensor.ModUserDomain | String | The domain of the user who most recently modified this object. |
TaniumSensor.ModUserId | Number | The ID of the user who most recently modified this object. |
TaniumSensor.ModUserName | String | The name of the user who most recently modified this object. |
TaniumSensor.ModificationTime | String | The most recent time and date when this object was modified. |
TaniumSensor.Name | String | The name of the sensor. |
TaniumSensor.Parameters.Key | String | The attribute name of the parameter. |
TaniumSensor.Parameters.Label | String | The description of the parameter. |
TaniumSensor.Parameters.Values | String | The values of the parameter. |
TaniumSensor.Parameters.ParameterType | String | The type of parameter. |
TaniumSensor.SourceId | Number | The ID of the sensor into which the parameters are substituted. If specified, source_hash may be omitted. |
Command Example
!tn-get-sensor id=204
Context Example
{ "TaniumSensor": { "Category": "Applications", "ContentSetId": 11, "ContentSetName": "Software", "CreationTime": "2019-07-17T20:13:49Z", "Description": "The version string of applications which match the parameter given.\nExample: 11.5.502.146", "Hash": "2387001299", "ID": 204, "IgnoreCaseFlag": true, "KeepDuplicatesFlag": false, "LastModifiedBy": "administrator", "MaxAgeSeconds": 900, "ModUserDomain": "EC2AMAZ-N5ETQVT", "ModUserId": 1, "ModUserName": "administrator", "ModificationTime": "2019-07-17T20:13:49Z", "Name": "Installed Application Version", "Parameters": [ { "Key": "application", "Label": "Application Name", "ParameterType": "com.tanium.components.parameters::TextInputParameter", "Values": null } ], "SourceId": 0 } }
Human Readable Output
Sensor information
Category | ContentSetId | ContentSetName | CreationTime | Description | Hash | ID | IgnoreCaseFlag | KeepDuplicatesFlag | LastModifiedBy | MaxAgeSeconds | ModUserDomain | ModUserId | ModUserName | ModificationTime | Name | SourceId |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Applications | 11 | Software | 2019-07-17T20:13:49Z | The version string of applications which match the parameter given. Example: 11.5.502.146 | 2387001299 | 204 | true | false | administrator | 900 | EC2AMAZ-N5ETQVT | 1 | administrator | 2019-07-17T20:13:49Z | Installed Application Version | 0 |
Parameter information
Key | Label | ParameterType | Values |
---|---|---|---|
application | Application Name | com.tanium.components.parameters::TextInputParameter | |
6. tn-create-saved-question
Creates a saved question object.
Base Command
tn-create-saved-question
Input
Argument Name | Description | Required |
---|---|---|
question-id | The question ID. | Required |
name | Name of the saved question to create. | Required |
Context Output
Path | Type | Description |
---|---|---|
Tanium.SavedQuestion.ID | Number | The ID of the saved question. |
Tanium.SavedQuestion.Name | String | The name of the saved question. |
Command Example
!tn-create-saved-question name=ip_all_machines question-id=50477
Context Example
{ "Tanium.SavedQuestion": { "ID": 450, "name": "ip_all_machines" } }
Human Readable Output
Question saved. ID = 450
7. tn-list-saved-questions
Returns all saved questions.
Base Command
tn-list-saved-questions
Input
Argument Name | Description | Required |
---|---|---|
limit | The maximum number of saved questions to return. | Optional |
Context Output
Path | Type | Description |
---|---|---|
Tanium.SavedQuestion.ArchiveEnabledFlag | Boolean | Whether archiving is enabled for the saved question. |
Tanium.SavedQuestion.ArchiveOwner | String | The name of the user that owns the archive. Archives can be shared between users with identical management rights groups. |
Tanium.SavedQuestion.ExpireSeconds | Number | The duration in seconds before each question expires. Default value is 600. |
Tanium.SavedQuestion.ID | Number | The unique ID of the question object. |
Tanium.SavedQuestion.IssueSeconds | Number | The time in seconds to reissue the question when active. Default value is 120. |
Tanium.SavedQuestion.IssueSecondsNeverFlag | Boolean | Whether the question is not reissued automatically. Default is 1 (not reissued). |
Tanium.SavedQuestion.KeepSeconds | Number | The number of seconds to save the data results in the archive. |
Tanium.SavedQuestion.ModTime | String | The most recent time and date when this object was modified. |
Tanium.SavedQuestion.ModUserDomain | String | The domain of the user who most recently modified this object. |
Tanium.SavedQuestion.ModUserId | Number | The ID of the user who most recently modified this object. |
Tanium.SavedQuestion.ModUserName | String | The name of the user who most recently modified this object. |
Tanium.SavedQuestion.MostRecentQuestionId | Number | The ID of the most recently issued question object generated by the saved question. |
Tanium.SavedQuestion.Name | String | The name of the saved question object. |
Tanium.SavedQuestion.QueryText | String | The textual representation of the question. |
Tanium.SavedQuestion.QuestionId | Number | The ID of the question from which to create the saved question. |
Tanium.SavedQuestion.RowCountFlag | Boolean | If the value is true, only the row count data is saved when archiving this question. |
Tanium.SavedQuestion.SortColumn | Number | The default sort column, if no sort order is specified. |
Tanium.SavedQuestion.UserId | Number | The ID of the user who owns this object. |
Tanium.SavedQuestion.UserName | String | The name of the user who owns this object. |
Command Example
!tn-list-saved-questions limit=1
Context Example
{ "Tanium.SavedQuestion": [ { "ArchiveEnabledFlag": false, "ExpireSeconds": 600, "ID": 130, "IssueSeconds": 120, "IssueSecondsNeverFlag": false, "KeepSeconds": 0, "ModTime": "2019-07-17T20:43:06Z", "MostRecentQuestionId": 19563, "Name": "SCCM - Client Cache Size", "QueryText": "Get SCCM Cache Size from all machines", "QuestionId": 19563, "RowCountFlag": false, "SortColumn": 0, "UserId": 1, "UserName": "administrator" } ] }
Human Readable Output
Saved questions
ArchiveEnabledFlag | ArchiveOwner | ExpireSeconds | ID | IssueSeconds | IssueSecondsNeverFlag | KeepSeconds | ModTime | MostRecentQuestionId | Name | QueryText | QuestionId | RowCountFlag | SortColumn | UserId | UserName |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
false | | 600 | 130 | 120 | false | 0 | 2019-07-17T20:43:06Z | 19563 | SCCM - Client Cache Size | Get SCCM Cache Size from all machines | 19563 | false | 0 | 1 | administrator |
8. tn-get-saved-question-result
Returns the saved question result based on the saved question ID.
Base Command
tn-get-saved-question-result
Input
Argument Name | Description | Required |
---|---|---|
question-id | The saved question ID. | Required |
Context Output
Path | Type | Description |
---|---|---|
Tanium.SavedQuestionResult.SavedQuestionID | Number | The ID of the saved question. |
Tanium.SavedQuestionResult.Results | Unknown | The saved question results. |
Tanium.SavedQuestionResult.Status | String | Status of the question request. Can be: "Completed" or "Pending". |
Command Example
!tn-get-saved-question-result question-id=130
Context Example
{ "Tanium.SavedQuestionResult": { "SavedQuestionID": "130", "Status": "Completed" } }
Human Readable Output
question results:
**No entries.**
9. tn-get-system-status
Returns all client details.
Base Command
tn-get-system-status
Input
Argument Name | Description | Required |
---|---|---|
Context Output
Path | Type | Description |
---|---|---|
Tanium.Client.ComputerId | Number | The computer ID of the client. |
Tanium.Client.FullVersion | String | The Tanium Client version. |
Tanium.Client.HostName | String | The computer hostname. |
Tanium.Client.IpAddressClient | String | The IP address of the client returned from a sensor on the client. |
Tanium.Client.IpAddressServer | String | The IP address of the client that was recorded on the server during the last registration. |
Tanium.Client.LastRegistration | Date | The most recent time that the client registered with the server. |
Tanium.Client.Status | String | The status of the client. Can be: "Blocked", "Leader", "Normal", "Slow link". |
Command Example
!tn-get-system-status
Context Example
{ "Tanium.Client": [ { "ComputerId": 9065264, "FullVersion": "7.2.314.3476", "HostName": "ec2amaz-kgmro60", "IpAddressClient": "127.0.0.1", "IpAddressServer": "127.0.0.1", "LastRegistration": "2019-11-27T15:06:08Z", "Status": "Leader" }, { "ComputerId": 2232836718, "FullVersion": "7.2.314.3476", "HostName": "HOSTNAME", "IpAddressClient": "127.0.0.1", "IpAddressServer": "127.0.0.1", "LastRegistration": "2019-11-27T15:06:09Z", "Status": "Leader" } ] }
Human Readable Output
System status
ComputerId | FullVersion | HostName | IpAddressClient | IpAddressServer | LastRegistration | Status |
---|---|---|---|---|---|---|
9065264 | 7.2.314.3476 | ec2amaz-kgmro60 | 127.0.0.1 | 127.0.0.1 | 2019-11-27T15:06:08Z | Leader |
2232836718 | 7.2.314.3476 | HOSTNAME | 127.0.0.1 | 127.0.0.1 | 2019-11-27T15:06:09Z | Leader |
10. tn-create-package
Creates a package object.
Base Command
tn-create-package
Input
Argument Name | Description | Required |
---|---|---|
command | The command to execute. | Required |
name | The name of the package to create. | Required |
Context Output
Path | Type | Description |
---|---|---|
TaniumPackage.Command | String | The command to run. |
TaniumPackage.CommandTimeout | Number | Timeout in seconds for the command execution. |
TaniumPackage.ContentSet.Id | Number | The ID of the content set to associate with the package. |
TaniumPackage.ContentSet.Name | String | The name of the content set to associate with the package. |
TaniumPackage.CreationTime | String | The time and date when this object was created in the database. |
TaniumPackage.DisplayName | String | The name of the package that displays in the user interface. |
TaniumPackage.ExpireSeconds | Number | Timeout in seconds for the action expiry. |
TaniumPackage.ID | Number | The unique ID of the package_spec object. |
TaniumPackage.LastModifiedBy | String | The user who most recently modified this object. |
TaniumPackage.LastUpdate | String | The most recent time and date when this object was modified. |
TaniumPackage.ModUser.Domain | String | The domain of the user who most recently modified this object. |
TaniumPackage.ModUser.Id | Number | The ID of the user who most recently modified this object. |
TaniumPackage.ModUser.Name | String | The name of the user who most recently modified this object. |
TaniumPackage.ModificationTime | String | The most recent time and date when this object was modified. |
TaniumPackage.Name | String | The unique name of the package_spec object. |
TaniumPackage.SourceId | Number | The ID of the package into which the parameters are substituted. |
TaniumPackage.VerifyExpireSeconds | Number | A verification failure timeout. The time begins with the start of the action. If the action cannot be verified by the timeout, the action status is reported as failed. |
Command Example
!tn-create-package command=cls name=clear_screen
Context Example
{ "TaniumPackage": { "Command": "cls", "CommandTimeout": 600, "ContentSet": { "Id": 2, "Name": "" }, "CreationTime": "2019-11-27T15:06:14Z", "DisplayName": "clear_screen", "ExpireSeconds": 3600, "ID": 1220, "LastModifiedBy": "administrator", "LastUpdate": "2019-11-27T15:06:14Z", "ModificationTime": "2019-11-27T15:06:14Z", "Name": "clear_screen", "SourceId": 0, "VerifyExpireSeconds": 3600 } }
Human Readable Output
Package information
Command | CommandTimeout | ContentSet | CreationTime | DisplayName | ExpireSeconds | Files | ID | LastModifiedBy | LastUpdate | ModUser | ModificationTime | Name | Parameters | SourceId | VerifyExpireSeconds |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
cls | 600 | Id: 2, Name: | 2019-11-27T15:06:14Z | clear_screen | 3600 | | 1220 | administrator | 2019-11-27T15:06:14Z | | 2019-11-27T15:06:14Z | clear_screen | | 0 | 3600 |
Parameters information
**No entries.**
Files information
**No entries.**
11. tn-list-packages
Returns all package information.
Base Command
tn-list-packages
Input
Argument Name | Description | Required |
---|---|---|
limit | The maximum number of packages to return. | Optional |
Context Output
Path | Type | Description |
---|---|---|
TaniumPackage.Command | String | The command to run. |
TaniumPackage.CommandTimeout | Number | Timeout in seconds for the command execution. |
TaniumPackage.ContentSet.Id | Number | The ID of the content set to associate with the package. |
TaniumPackage.ContentSet.Name | String | The name of the content set to associate with the package. |
TaniumPackage.CreationTime | String | The time and date when this object was created in the database. |
TaniumPackage.DisplayName | String | The name of the package that displays in the user interface. |
TaniumPackage.ExpireSeconds | Number | Timeout in seconds for the action expiry. |
TaniumPackage.ID | Number | The unique ID of the package_spec object. |
TaniumPackage.LastModifiedBy | String | The user who most recently modified this object. |
TaniumPackage.LastUpdate | String | The most recent time and date when this object was modified. |
TaniumPackage.ModUser.Domain | String | The domain of the user who most recently modified this object. |
TaniumPackage.ModUser.Id | Number | The ID of the user who most recently modified this object. |
TaniumPackage.ModUser.Name | String | The name of the user who most recently modified this object. |
TaniumPackage.ModificationTime | String | The most recent time and date when this object was modified. |
TaniumPackage.Name | String | The unique name of the package_spec object. |
TaniumPackage.SourceId | Number | The ID of the package into which the parameters are substituted. |
TaniumPackage.VerifyExpireSeconds | Number | A verification failure timeout. The time begins with the start of the action. If the action cannot be verified by the timeout, the action status is reported as failed. |
Command Example
!tn-list-packages limit=1
Context Example
{ "TaniumPackage": [ { "Command": "/bin/bash run-add-intel-package.sh 2>&1", "CommandTimeout": 600, "ContentSet": { "Id": 8, "Name": "Detect Service" }, "CreationTime": "2019-07-23T20:40:17Z", "DisplayName": "Detect Intel for Unix Revision 4 Delta", "ExpireSeconds": 2400, "ID": 132, "LastModifiedBy": "administrator", "LastUpdate": "2019-07-23T20:40:17Z", "ModificationTime": "2019-07-23T20:40:17Z", "Name": "Detect Intel for Unix Revision 4 Delta", "SourceId": 0, "VerifyExpireSeconds": 3600 } ] }
Human Readable Output
Packages
Command | CommandTimeout | ContentSet | CreationTime | DisplayName | ExpireSeconds | ID | LastModifiedBy | LastUpdate | ModUser | ModificationTime | Name | SourceId | VerifyExpireSeconds |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
/bin/bash run-add-intel-package.sh 2>&1 | 600 | Id: 8, Name: Detect Service | 2019-07-23T20:40:17Z | Detect Intel for Unix Revision 4 Delta | 2400 | 132 | administrator | 2019-07-23T20:40:17Z |  | 2019-07-23T20:40:17Z | Detect Intel for Unix Revision 4 Delta | 0 | 3600 |
12. tn-get-question-metadata
Returns a question object based on question ID.
Base Command
tn-get-question-metadata
Input
Argument Name | Description | Required |
---|---|---|
question-id | The question ID. | Required |
Context Output
Path | Type | Description |
---|---|---|
Tanium.Question.ID | Number | The unique ID of the question object. |
Tanium.Question.Expiration | Date | The date the question expires. |
Tanium.Question.ExpireSeconds | Number | The number of seconds before the question expires. Default is 600. |
Tanium.Question.ForceComputerIdFlag | Boolean | Whether to force the question to be a counting question if only one selection is present. Default is not to force. If the question object is an instance of a saved question, this field is derived from the saved question. |
Tanium.Question.IsExpired | Boolean | Whether the question has expired. |
Tanium.Question.QueryText | String | The textual representation of the question. |
Tanium.Question.SavedQuestionId | Number | The ID of the saved question derived from this question. |
Tanium.Question.UserId | Number | The ID of the user who created / issued this question. |
Tanium.Question.UserName | String | The name of the user who created / issued this question. |
Command Example
!tn-get-question-metadata question-id=50477
Context Example
{ "Tanium.Question": { "Expiration": "2019-11-27T14:16:24Z", "ExpireSeconds": 0, "ForceComputerIdFlag": false, "ID": 50477, "IsExpired": true, "QueryText": "Get IP Address from all machines", "SavedQuestionId": 450, "UserId": 1, "UserName": "administrator" } }
Human Readable Output
Question results
Expiration | ExpireSeconds | ForceComputerIdFlag | ID | IsExpired | QueryText | SavedQuestionId | UserId | UserName |
---|---|---|---|---|---|---|---|---|
2019-11-27T14:16:24Z | 0 | false | 50477 | true | Get IP Address from all machines | 450 | 1 | administrator |
13. tn-list-saved-actions
Returns all saved actions.
Base Command
tn-list-saved-actions
Input
Argument Name | Description | Required |
---|---|---|
limit | The maximum number of saved actions to return. | Optional |
Context Output
Path | Type | Description |
---|---|---|
Tanium.SavedAction.ActionGroupId | Number | The ID of the group of clients to target. |
Tanium.SavedAction.ApprovedFlag | Boolean | Whether the saved action is approved. True is approved. |
Tanium.SavedAction.ApproverId | Number | The ID of the user to approve the saved action. |
Tanium.SavedAction.ApproverName | String | The name of the user to approve the saved action. |
Tanium.SavedAction.CreationTime | Date | The time and date when this object was created in the database. |
Tanium.SavedAction.EndTime | Date | The time and date to stop issuing actions. |
Tanium.SavedAction.ExpireSeconds | Number | The duration from the start time before the action expires. |
Tanium.SavedAction.ID | Number | The unique ID of the saved action object. |
Tanium.SavedAction.LastActionId | Number | The ID of the action object that was issued last. |
Tanium.SavedAction.LastActionStartTime | Date | The start time and date of the action object that was issued last. |
Tanium.SavedAction.LastAaction.TargetGroupId | Number | The target group of the action object that was issued last. |
Tanium.SavedAction.LastStartTime | Date | The most recent date and time that the action started. |
Tanium.SavedAction.Name | String | The name of the saved_action object. |
Tanium.SavedAction.NextStartTime | Date | The next time and date when the action will start. |
Tanium.SavedAction.PackageId | Number | The ID of the package deployed by the saved action. |
Tanium.SavedAction.PackageName | String | The name of the package deployed by the saved action. |
Tanium.SavedAction.PackageSourceHash | String | The source hash of the package deployed by the saved action. |
Tanium.SavedAction.StartTime | Date | The time and date when the action became active. An empty string or null starts immediately. |
Tanium.SavedAction.Status | Number | The status of the saved action. Can be: "0" for Enabled, "1" for Disabled, or "2" for Deleted. |
Tanium.SavedAction.TargetGroupId | Number | The group of machines to target. |
Tanium.SavedAction.UserId | Number | The ID of the user who created the saved action. |
Tanium.SavedAction.UserName | String | The name of the user who created the saved action. |
Command Example
!tn-list-saved-actions limit=1
Context Example
{ "Tanium.SavedAction": [ { "ActionGroupId": 432, "ApprovedFlag": false, "ApproverId": 0, "CreationTime": "2019-09-25T16:56:59Z", "EndTime": "Never", "ExpireSeconds": 600, "ID": 353, "LastActionId": 7206, "LastActionStartTime": "Never", "LastStartTime": "Never", "Name": "Trace - Start Session [Linux]", "NextStartTime": "Never", "PackageId": 728, "PackageName": "Trace - Start Session [Linux]", "PackageSourceHash": "f3931b6451967b74b522887e1f00f4a59b2fae730a5c277577bb804c7f484c61", "StartTime": "2019-09-25T16:57:31Z", "Status": 0, "TargetGroupId": 14652, "UserId": 1, "UserName": "administrator" } ] }
Human Readable Output
Saved actions
ActionGroupId | ApprovedFlag | ApproverId | ApproverName | CreationTime | EndTime | ExpireSeconds | ID | LastActionId | LastActionStartTime | LastStartTime | Name | NextStartTime | PackageId | PackageName | PackageSourceHash | StartTime | Status | TargetGroupId | UserId | UserName |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
432 | false | 0 |  | 2019-09-25T16:56:59Z | Never | 600 | 353 | 7206 | Never | Never | Trace - Start Session [Linux] | Never | 728 | Trace - Start Session [Linux] | f3931b6451967b74b522887e1f00f4a59b2fae730a5c277577bb804c7f484c61 | 2019-09-25T16:57:31Z | 0 | 14652 | 1 | administrator |
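The saved-action fields above (Status, ApprovedFlag, ApproverId, UserId, NextStartTime, EndTime) are enough to triage a `tn-list-saved-actions` result for actions that merit review. The following is an added example, not code from the integration; the function names, the review rules and the treatment of zone-less timestamps as UTC are assumptions.

```python
from datetime import datetime, timezone

# Status codes as listed in the Tanium.SavedAction.Status row above.
STATUS_NAMES = {0: "Enabled", 1: "Disabled", 2: "Deleted"}


def parse_tanium_time(value):
    """Return an aware datetime, or None for "Never" and empty values."""
    if not value or value == "Never":
        return None
    # The context examples show timestamps with and without a trailing "Z".
    # Assumption: zone-less values are UTC as well.
    text = value[:-1] if value.endswith("Z") else value
    parsed = datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(tzinfo=timezone.utc)


def review_saved_actions(saved_actions, now):
    """Return one finding per saved action that an analyst should look at."""
    findings = []
    for action in saved_actions:
        status = STATUS_NAMES.get(action.get("Status"), "Unknown")
        if status == "Deleted":
            continue  # deleted saved actions can no longer issue actions
        approved = bool(action.get("ApprovedFlag"))
        reasons = []
        if status == "Unknown":
            reasons.append("unrecognised status code")
        if status == "Enabled" and not approved:
            reasons.append("enabled but not approved")
        # Separation of duties: the creator is also the approver.
        if approved and action.get("ApproverId") == action.get("UserId"):
            reasons.append("approved by its creator")
        next_start = parse_tanium_time(action.get("NextStartTime"))
        end_time = parse_tanium_time(action.get("EndTime"))
        if status == "Enabled" and next_start and next_start > now and end_time is None:
            reasons.append("scheduled to run again with no end time")
        if reasons:
            findings.append({
                "ID": action.get("ID"),
                "Name": action.get("Name"),
                "Status": status,
                "Reasons": reasons,
            })
    return findings


# Entries 353 and 5 are trimmed from this page's context examples;
# entries 9001 and 9002 are constructed for illustration.
SAMPLE = [
    {"ID": 353, "Name": "Trace - Start Session [Linux]", "Status": 0,
     "ApprovedFlag": False, "ApproverId": 0, "UserId": 1,
     "NextStartTime": "Never", "EndTime": "Never"},
    {"ID": 5, "Name": "Distribute Python - Tools [Linux]", "Status": 1,
     "ApprovedFlag": True, "ApproverId": 1, "UserId": 1,
     "NextStartTime": "2019-11-27T16:14:38", "EndTime": "Never"},
    {"ID": 9001, "Name": "Constructed recurring action", "Status": 0,
     "ApprovedFlag": True, "ApproverId": 7, "UserId": 3,
     "NextStartTime": "2019-12-01T00:00:00Z", "EndTime": "Never"},
    {"ID": 9002, "Name": "Constructed deleted action", "Status": 2,
     "ApprovedFlag": False, "ApproverId": 0, "UserId": 3,
     "NextStartTime": "Never", "EndTime": "Never"},
]
NOW = datetime(2019, 11, 27, 15, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for finding in review_saved_actions(SAMPLE, NOW):
        print(finding["ID"], finding["Status"], "; ".join(finding["Reasons"]))
```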
14. tn-get-saved-action
Returns a saved action object based on name or ID.
Base Command
tn-get-saved-action
Input
Argument Name | Description | Required |
---|---|---|
id | The saved action ID. | Optional |
name | The saved action name. | Optional |
Context Output
Path | Type | Description |
---|---|---|
Tanium.SavedAction.ActionGroupId | Number | The ID of the group of clients to target. |
Tanium.SavedAction.ApprovedFlag | Boolean | Whether the saved action is approved. True is approved. |
Tanium.SavedAction.ApproverId | Number | The ID of the user to approve the saved action. |
Tanium.SavedAction.ApproverName | String | The name of the user to approve the saved action. |
Tanium.SavedAction.CreationTime | Date | The time and date when this object was created in the database. |
Tanium.SavedAction.EndTime | Date | The time and date to stop issuing actions. |
Tanium.SavedAction.ExpireSeconds | Number | The duration from the start time before the action expires. |
Tanium.SavedAction.ID | Number | The unique ID of the saved_action object. |
Tanium.SavedAction.LastActionId | Number | The ID of the action object that was issued last. |
Tanium.SavedAction.LastActionStartTime | Date | The start time and date of the action object that was issued last. |
Tanium.SavedAction.LastAaction.TargetGroupId | Number | The target group of the action object that was issued last. |
Tanium.SavedAction.LastStartTime | Date | The most recent date and time that the action started. |
Tanium.SavedAction.Name | String | The name of the saved action object. |
Tanium.SavedAction.NextStartTime | Date | The next time and date when the action will start. |
Tanium.SavedAction.PackageId | Number | The ID of the package deployed by the saved action. |
Tanium.SavedAction.PackageName | String | The name of the package deployed by the saved action. |
Tanium.SavedAction.PackageSourceHash | String | The source hash of the package deployed by the saved action. |
Tanium.SavedAction.StartTime | Date | The time and date when the action became active. An empty string or null starts immediately. |
Tanium.SavedAction.Status | Number | The status of the saved action. Can be: "0" for Enabled, "1" for Disabled, or "2" for Deleted. |
Tanium.SavedAction.TargetGroupId | Number | The group of machines to target. |
Tanium.SavedAction.UserId | Number | The ID of the user who created the saved action. |
Tanium.SavedAction.UserName | String | The name of the user who created the saved action. |
Command Example
!tn-get-saved-action id=5
Context Example
{ "Tanium.SavedAction": { "ActionGroupId": 315, "ApprovedFlag": true, "ApproverId": 1, "ApproverName": "administrator", "CreationTime": "2019-07-17T20:14:36Z", "EndTime": "Never", "ExpireSeconds": 4500, "ID": 5, "LastActionId": 5, "LastActionStartTime": "Never", "LastStartTime": "Never", "Name": "Distribute Python - Tools [Linux]", "NextStartTime": "2019-11-27T16:14:38", "PackageId": 56, "PackageName": "Python - Tools [Linux]", "PackageSourceHash": "package-hash", "StartTime": "2019-07-17T20:14:38Z", "Status": 1, "TargetGroupId": 243, "UserId": 1, "UserName": "administrator" } }
Human Readable Output
Saved action information
ActionGroupId | ApprovedFlag | ApproverId | ApproverName | CreationTime | EndTime | ExpireSeconds | ID | LastActionId | LastActionStartTime | LastStartTime | Name | NextStartTime | PackageId | PackageName | PackageSourceHash | StartTime | Status | TargetGroupId | UserId | UserName |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
315 | true | 1 | administrator | 2019-07-17T20:14:36Z | Never | 4500 | 5 | 5 | Never | Never | Distribute Python - Tools [Linux] | 2019-11-27T16:14:38 | 56 | Python - Tools [Linux] | 10d2ca59b744491a80af4f4df7e19698b86cc779c34984aa56ece55250f1b659 | 2019-07-17T20:14:38Z | 1 | 243 | 1 | administrator |
15. tn-get-saved-question-metadata
Returns a saved question object based on name or ID.
Base Command
tn-get-saved-question-metadata
Input
Argument Name | Description | Required |
---|---|---|
question-id | The saved question ID. | Optional |
question-name | The saved question name. | Optional |
Context Output
Path | Type | Description |
---|---|---|
Tanium.SavedQuestion.ArchiveEnabledFlag | Boolean | Whether to enable archiving. |
Tanium.SavedQuestion.ArchiveOwner | String | The name of the user that owns the archive. Archives can be shared between users with identical management rights groups. |
Tanium.SavedQuestion.ExpireSeconds | Number | The duration in seconds before each question expires. Default value is 600. |
Tanium.SavedQuestion.ID | Number | The unique ID of the saved_question object. |
Tanium.SavedQuestion.IssueSeconds | Number | The number of seconds to reissue the question when active. Default value is 120. |
Tanium.SavedQuestion.IssueSecondsNeverFlag | Boolean | Whether the question is reissued automatically. If value is 1, the question is not reissued automatically. |
Tanium.SavedQuestion.KeepSeconds | Number | The number of seconds to save the data results in the archive. |
Tanium.SavedQuestion.ModTime | String | The most recent time and date when the object was modified. |
Tanium.SavedQuestion.ModUserDomain | String | The domain of the user who most recently modified this object. |
Tanium.SavedQuestion.ModUserId | Number | The ID of the user who most recently modified this object. |
Tanium.SavedQuestion.ModUserName | String | The name of the user who most recently modified this object. |
Tanium.SavedQuestion.MostRecentQuestionId | Number | The ID of the most recently issued question object generated by this saved_question. |
Tanium.SavedQuestion.Name | String | The name of the saved_question object. |
Tanium.SavedQuestion.QueryText | String | The textual representation of the question. |
Tanium.SavedQuestion.QuestionId | Number | The ID of the question from which to create the saved question. |
Tanium.SavedQuestion.RowCountFlag | Boolean | Whether the row count data is saved when archiving this question. |
Tanium.SavedQuestion.SortColumn | Number | The column to use as the default sort column, if no sort order is specified. |
Tanium.SavedQuestion.UserId | Number | The ID of the user who owns this object. |
Tanium.SavedQuestion.UserName | String | The name of the user who owns this object. |
Command Example
!tn-get-saved-question-metadata question-id=130
Context Example
{ "Tanium.SavedQuestion": { "ArchiveEnabledFlag": false, "ExpireSeconds": 600, "ID": 130, "IssueSeconds": 120, "IssueSecondsNeverFlag": false, "KeepSeconds": 0, "ModTime": "2019-07-17T20:43:06Z", "MostRecentQuestionId": 50501, "Name": "SCCM - Client Cache Size", "QueryText": "Get SCCM Cache Size from all machines", "QuestionId": 50501, "RowCountFlag": false, "SortColumn": 0, "UserId": 1, "UserName": "administrator" } }
Human Readable Output
Saved question information
ArchiveEnabledFlag | ExpireSeconds | ID | IssueSeconds | IssueSecondsNeverFlag | KeepSeconds | ModTime | MostRecentQuestionId | Name | QueryText | QuestionId | RowCountFlag | SortColumn | UserId | UserName |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
false | 600 | 130 | 120 | false | 0 | 2019-07-17T20:43:06Z | 50501 | SCCM - Client Cache Size | Get SCCM Cache Size from all machines | 50501 | false | 0 | 1 | administrator |
16. tn-create-saved-action
Creates a saved action object.
Base Command
tn-create-saved-action
Input
Argument Name | Description | Required |
---|---|---|
action-group-id | The action group ID. | Required |
package-id | The package ID. | Required |
name | The name of the action. | Optional |
Context Output
Path | Type | Description |
---|---|---|
Tanium.SavedAction.ActionGroupId | Number | The ID of the group of clients to target. |
Tanium.SavedAction.ApprovedFlag | Boolean | Whether the saved action is approved. True is approved. |
Tanium.SavedAction.ApproverId | Number | The ID of the user to approve the saved action. |
Tanium.SavedAction.ApproverName | String | The name of the user to approve the saved action. |
Tanium.SavedAction.CreationTime | Date | The date and time when this object was created in the database. |
Tanium.SavedAction.EndTime | Date | The date and time to stop issuing actions. |
Tanium.SavedAction.ExpireSeconds | Number | The duration from the start time before the action expires. |
Tanium.SavedAction.ID | Number | The unique ID of the saved_action object. |
Tanium.SavedAction.LastActionId | Number | The ID of the action object that was issued last. |
Tanium.SavedAction.LastActionStartTime | Date | The start time of the action object that was issued last. |
Tanium.SavedAction.LastAaction.TargetGroupId | Number | The target group of the action object that was issued last. |
Tanium.SavedAction.LastStartTime | Date | The most recent date and time that the action started. |
Tanium.SavedAction.Name | String | The name of the saved action object. |
Tanium.SavedAction.NextStartTime | Date | The next date and time when the action will start. |
Tanium.SavedAction.PackageId | Number | The ID of the package deployed by the saved action. |
Tanium.SavedAction.PackageName | String | The name of the package deployed by the saved action. |
Tanium.SavedAction.PackageSourceHash | String | The source hash of the package deployed by the saved action. |
Tanium.SavedAction.StartTime | Date | The date and time when the action became active. An empty string or null starts immediately. |
Tanium.SavedAction.Status | Number | The status of the saved action. Can be: "0" for Enabled, "1" for Disabled, or "2" for Deleted. |
Tanium.SavedAction.TargetGroupId | Number | The group of machines to target. |
Tanium.SavedAction.UserId | Number | The ID of the user who created the saved action. |
Tanium.SavedAction.UserName | String | The name of the user who created the saved action. |
Command Example
!tn-create-saved-action package-id=102 action-group-id=1
Context Example
{ "Tanium.SavedAction": { "ActionGroupId": 1, "ApprovedFlag": false, "ApproverId": 0, "CreationTime": "2019-11-27T15:06:18Z", "EndTime": "Never", "ExpireSeconds": 0, "ID": 641, "LastActionId": 19880, "LastActionStartTime": "Never", "LastStartTime": "Never", "NextStartTime": "Never", "PackageId": 1221, "PackageName": "SCCM - Force Software Update Compliance State Refresh", "PackageSourceHash": "package-hash", "StartTime": "2019-11-27T15:06:18Z", "Status": 0, "TargetGroupId": 0, "UserId": 1, "UserName": "administrator" } }
Human Readable Output
Saved action created
ActionGroupId | ApprovedFlag | ApproverId | CreationTime | EndTime | ExpireSeconds | ID | LastActionId | LastActionStartTime | LastStartTime | NextStartTime | PackageId | PackageName | PackageSourceHash | StartTime | Status | TargetGroupId | UserId | UserName |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | false | 0 | 2019-11-27T15:06:18Z | Never | 0 | 641 | 19880 | Never | Never | Never | 1221 | SCCM - Force Software Update Compliance State Refresh | edbf105f4648298e582015aaed927cbf3e8bbbc3666c5d52c7c5e5ad1910ae6a | 2019-11-27T15:06:18Z | 0 | 0 | 1 | administrator |
17. tn-create-action
Creates an action object based on the package name or the package ID.
Base Command
tn-create-action
Input
Argument Name | Description | Required |
---|---|---|
package-id | The package ID. | Optional |
package-name | The package name. | Optional |
parameters | The package parameters. For example, $1=Value1;$2=Value2;$3=Value3. | Optional |
target-group-id | The target group ID to deploy the package. | Optional |
target-group-name | The target group name to deploy the package. Target group and action group ID are required. Target group can be passed by name or ID. Note: the target group should be different from "All Computers" or "Default". | Optional |
action-group-id | The action group ID to deploy the package. | Required |
action-name | The action name. | Optional |
Context Output
Path | Type | Description |
---|---|---|
Tanium.Action.ActionGroupId | Number | The ID of the parent group of machines to target. |
Tanium.Action.ActionGroupName | String | The name of the parent group of machines to target. |
Tanium.Action.ApproverId | Number | The ID of the approver of this action. |
Tanium.Action.ApproverName | String | The name of the approver of this action. |
Tanium.Action.CreationTime | Date | The date and time when this object was created in the database. |
Tanium.Action.ExpirationTime | Date | The date and time when the action expires. |
Tanium.Action.ExpireSeconds | Number | The timeout in seconds for the action expiry. |
Tanium.Action.HistorySavedQuestionId | Number | The ID of the saved question that tracks the results of the action. |
Tanium.Action.ID | Number | The unique ID of the action object. |
Tanium.Action.Name | String | The action name. |
Tanium.Action.PackageId | Number | The ID of the package deployed by this action. |
Tanium.Action.PackageName | String | The name of the package deployed by this action. |
Tanium.Action.SavedActionId | Number | The ID of the saved action that this action was issued from, if any. |
Tanium.Action.StartTime | String | The date and time when the action became active. |
Tanium.Action.Status | String | The status of the action. Can be: "Pending", "Active", "Stopped", or "Expired". |
Tanium.Action.StoppedFlag | Boolean | Whether an action stop has been issued for this action. A value of true indicates an action stop was issued. |
Tanium.Action.TargetGroupId | Number | The ID of the group of machines to target. |
Tanium.Action.TargetGroupName | String | The name of the group of machines to target. |
Tanium.Action.UserDomain | String | The domain of the user who issued this action. |
Tanium.Action.UserId | Number | The ID of the user who issued this action. |
Tanium.Action.UserName | String | The name of the user who issued this action. |
Command Example
!tn-create-action action-group-id=1 action-name=`Trace - Install Endpoint Certificate [Windows]` package-id=225 target-group-name=`Windows machines`
Context Example
{ "Tanium.Action": { "ActionGroupId": 1, "ActionGroupName": "All Computers", "ApproverId": 1, "CreationTime": "2019-11-27T15:06:19Z", "ExpirationTime": "2001-01-01T00:13:00Z", "ExpireSeconds": 780, "HistorySavedQuestionId": 0, "ID": 19886, "Name": "Trace - Install Endpoint Certificate [Windows] via Demisto API", "PackageId": 1222, "PackageName": "Apply Windows IPsec Quarantine", "SavedActionId": 642, "StartTime": "2001-01-01T00:00:00Z", "Status": "Pending", "StoppedFlag": false, "TargetGroupId": 11719, "TargetGroupName": "Windows machines", "UserDomain": "EC2AMAZ-N5ETQVT", "UserId": 1, "UserName": "administrator" } }
Human Readable Output
Action created
ActionGroupId | ActionGroupName | ApproverId | ApproverName | CreationTime | ExpirationTime | ExpireSeconds | HistorySavedQuestionId | ID | Name | PackageId | PackageName | SavedActionId | StartTime | Status | StoppedFlag | TargetGroupId | TargetGroupName | UserDomain | UserId | UserName |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | All Computers | 1 |  | 2019-11-27T15:06:19Z | 2001-01-01T00:13:00Z | 780 | 0 | 19886 | Trace - Install Endpoint Certificate [Windows] via Demisto API | 1222 | Apply Windows IPsec Quarantine | 642 | 2001-01-01T00:00:00Z | Pending | false | 11719 | Windows machines | EC2AMAZ-N5ETQVT | 1 | administrator |
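Because `tn-create-action` deploys a package to every machine in the target group, a playbook can check its arguments before issuing the command. The following is an added example, not the integration's own validation; the function names are hypothetical, and the case-insensitive group-name comparison and the rejection of malformed `parameters` chunks are assumptions layered on the argument descriptions above.

```python
import re

# The page says the target group should not be "All Computers" or "Default".
# Assumption: the comparison here ignores case and surrounding spaces.
BLOCKED_TARGET_GROUPS = {"all computers", "default"}
PARAM_KEY = re.compile(r"\$[1-9][0-9]*")
ID_ARGS = ("action-group-id", "package-id", "target-group-id")


def parse_parameters(raw):
    """Parse "$1=Value1;$2=Value2" into {"$1": "Value1", "$2": "Value2"}."""
    parsed = {}
    for chunk in (raw or "").split(";"):
        if not chunk.strip():
            continue
        # Split on the first "=" only, so values may contain "=".
        key, sep, value = chunk.partition("=")
        key = key.strip()
        # A value that itself contains ";" shows up here as a key-less chunk
        # and is rejected instead of being silently dropped.
        if not sep or not PARAM_KEY.fullmatch(key):
            raise ValueError(f"malformed parameter chunk: {chunk!r}")
        if key in parsed:
            raise ValueError(f"duplicate parameter: {key}")
        parsed[key] = value
    return parsed


def validate_create_action_args(args):
    """Return a list of problems; an empty list means the call is well-formed."""
    problems = []
    if not args.get("action-group-id"):
        problems.append("action-group-id is required")
    if not (args.get("package-id") or args.get("package-name")):
        problems.append("package-id or package-name is required")
    if not (args.get("target-group-id") or args.get("target-group-name")):
        problems.append("target-group-id or target-group-name is required")
    for name in ID_ARGS:
        value = args.get(name)
        if value and not str(value).isdigit():
            problems.append(f"{name} must be a number")
    group_name = (args.get("target-group-name") or "").strip().lower()
    if group_name in BLOCKED_TARGET_GROUPS:
        problems.append("target group must not be 'All Computers' or 'Default'")
    try:
        parse_parameters(args.get("parameters"))
    except ValueError as exc:
        problems.append(str(exc))
    return problems


# GOOD mirrors the command example above; BAD is constructed for illustration.
GOOD = {
    "action-group-id": "1",
    "action-name": "Trace - Install Endpoint Certificate [Windows]",
    "package-id": "225",
    "target-group-name": "Windows machines",
}
BAD = {
    "package-name": "Constructed package",
    "target-group-name": "Default",
    "parameters": "$1=a;b;$2=c",
}

if __name__ == "__main__":
    print(validate_create_action_args(GOOD))
    print(validate_create_action_args(BAD))
```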
18. tn-list-actions
Returns all actions.
Base Command
tn-list-actions
Input
Argument Name | Description | Required |
---|---|---|
limit | The maximum number of actions to return. | Optional |
Context Output
Path | Type | Description |
---|---|---|
Tanium.Action.ActionGroupId | Number | The ID of the parent group of machines to target. |
Tanium.Action.ActionGroupName | String | The name of the parent group of machines to target. |
Tanium.Action.ApproverId | Number | The ID of the approver of this action. |
Tanium.Action.ApproverName | String | The name of the approver of this action. |
Tanium.Action.CreationTime | Date | The date and time when this object was created in the database. |
Tanium.Action.ExpirationTime | Date | The date and time when the action expires. |
Tanium.Action.ExpireSeconds | Number | The timeout in seconds for the action expiry. |
Tanium.Action.HistorySavedQuestionId | Number | The ID of the saved question that tracks the results of the action. |
Tanium.Action.ID | Number | The unique ID of the action object. |
Tanium.Action.Name | String | The action name. |
Tanium.Action.PackageId | Number | The ID of the package deployed by this action. |
Tanium.Action.PackageName | String | The name of the package deployed by this action. |
Tanium.Action.SavedActionId | Number | The ID of the saved action that this action was issued from, if any. |
Tanium.Action.StartTime | String | The date and time when the action became active. |
Tanium.Action.Status | String | The status of the action. Can be: "Pending", "Active", "Stopped", or "Expired". |
Tanium.Action.StoppedFlag | Boolean | Whether an action stop has been issued for this action. A value of true indicates an action stop was issued. |
Tanium.Action.TargetGroupId | Number | The ID of the group of machines to target. |
Tanium.Action.TargetGroupName | String | The name of the group of machines to target. |
Tanium.Action.UserDomain | String | The domain of the user who issued this action. |
Tanium.Action.UserId | Number | The ID of the user who issued this action. |
Tanium.Action.UserName | String | The name of the user who issued this action. |
Command Example
!tn-list-actions limit=1
Context Example
{ "Tanium.Action": [ { "ActionGroupId": 432, "ActionGroupName": "Tanium Threat Response", "ApproverId": 1, "ApproverName": "administrator", "CreationTime": "2019-08-15T10:39:03Z", "ExpirationTime": "2019-08-15T10:50:03Z", "ExpireSeconds": 660, "HistorySavedQuestionId": 239, "ID": 1144, "Name": "Trace - Install Endpoint Certificate [Windows]", "PackageId": 220, "PackageName": "Trace - Install Endpoint Certificate [Windows]", "SavedActionId": 31, "StartTime": "2019-08-15T10:39:03Z", "Status": "Closed", "StoppedFlag": false, "TargetGroupId": 423, "TargetGroupName": "Default", "UserDomain": "EC2AMAZ-N5ETQVT", "UserId": 1, "UserName": "administrator" } ] }
Human Readable Output
Actions
ActionGroupId | ActionGroupName | ApproverId | ApproverName | CreationTime | ExpirationTime | ExpireSeconds | HistorySavedQuestionId | ID | Name | PackageId | PackageName | SavedActionId | StartTime | Status | StoppedFlag | TargetGroupId | TargetGroupName | UserDomain | UserId | UserName |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
432 | Tanium Threat Response | 1 | administrator | 2019-08-15T10:39:03Z | 2019-08-15T10:50:03Z | 660 | 239 | 1144 | Trace - Install Endpoint Certificate [Windows] | 220 | Trace - Install Endpoint Certificate [Windows] | 31 | 2019-08-15T10:39:03Z | Closed | false | 423 | Default | EC2AMAZ-N5ETQVT | 1 | administrator |
19. tn-get-action
Returns an action object based on ID.
Base Command
tn-get-action
Input
Argument Name | Description | Required |
---|---|---|
id | The action ID. | Required |
Context Output
Path | Type | Description |
---|---|---|
Tanium.Action.ActionGroupId | Number | The ID of the parent group of machines to target. |
Tanium.Action.ActionGroupName | String | The name of the parent group of machines to target. |
Tanium.Action.ApproverId | Number | The ID of the approver of this action. |
Tanium.Action.ApproverName | String | The name of the approver of this action. |
Tanium.Action.CreationTime | Date | The date and time when this object was created in the database. |
Tanium.Action.ExpirationTime | Date | The date and time when the action expires. |
Tanium.Action.ExpireSeconds | Number | The timeout in seconds for the action expiry. |
Tanium.Action.HistorySavedQuestionId | Number | The ID of the saved question that tracks the results of the action. |
Tanium.Action.ID | Number | The unique ID of the action object. |
Tanium.Action.Name | String | The action name. |
Tanium.Action.PackageId | Number | The ID of the package deployed by this action. |
Tanium.Action.PackageName | String | The name of the package deployed by this action. |
Tanium.Action.SavedActionId | Number | The ID of the saved action that this action was issued from, if any. |
Tanium.Action.StartTime | String | The date and time when the action became active. |
Tanium.Action.Status | String | The status of the action. Can be: "Pending", "Active", "Stopped", or "Expired". |
Tanium.Action.StoppedFlag | Boolean | Whether an action stop has been issued for this action. A value of true indicates an action stop was issued. |
Tanium.Action.TargetGroupId | Number | The ID of the group of machines to target. |
Tanium.Action.TargetGroupName | String | The name of the group of machines to target. |
Tanium.Action.UserDomain | String | The domain of the user who issued this action. |
Tanium.Action.UserId | Number | The ID of the user who issued this action. |
Tanium.Action.UserName | String | The name of the user who issued this action. |
Command Example
!tn-get-action id=2
Context Example
{ "Tanium.Action": { "ActionGroupId": 3, "ActionGroupName": "Default", "ApproverId": 1, "ApproverName": "administrator", "CreationTime": "2018-12-10T13:21:01Z", "ExpirationTime": "2018-12-10T14:26:57Z", "ExpireSeconds": 3900, "HistorySavedQuestionId": 19, "ID": 2, "Name": "Distribute Tanium Standard Utilities (Linux)", "PackageId": 21, "PackageName": "Distribute Tanium Standard Utilities (Linux)", "SavedActionId": 2, "StartTime": "2018-12-10T13:21:57Z", "Status": "Closed", "StoppedFlag": false, "TargetGroupId": 15, "TargetGroupName": "Default", "UserDomain": "EC2AMAZ-N5ETQVT", "UserId": 1, "UserName": "administrator" } }
Human Readable Output
Action information
ActionGroupId | ActionGroupName | ApproverId | ApproverName | CreationTime | ExpirationTime | ExpireSeconds | HistorySavedQuestionId | ID | Name | PackageId | PackageName | SavedActionId | StartTime | Status | StoppedFlag | TargetGroupId | TargetGroupName | UserDomain | UserId | UserName |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3 | Default | 1 | administrator | 2018-12-10T13:21:01Z | 2018-12-10T14:26:57Z | 3900 | 19 | 2 | Distribute Tanium Standard Utilities (Linux) | 21 | Distribute Tanium Standard Utilities (Linux) | 2 | 2018-12-10T13:21:57Z | Closed | false | 15 | Default | EC2AMAZ-N5ETQVT | 1 | administrator |
20. tn-list-saved-actions-pending-approval
Retrieves all saved action approval definitions on the server.
Base Command
tn-list-saved-actions-pending-approval
Input
Argument Name | Description | Required |
---|---|---|
limit | The maximum number of saved actions to return. | Optional |
Context Output
Path | Type | Description |
---|---|---|
Tanium.PendingSavedAction.ApprovedFlag | Boolean | Whether the saved action is approved. True is approved. |
Tanium.PendingSavedAction.ID | Number | The unique ID of the saved action object. |
Tanium.PendingSavedAction.Name | String | The name of the saved action object. |
Tanium.PendingSavedAction.OwnerUserId | Number | The ID of the user who owns this object. |
Command Example
!tn-list-saved-actions-pending-approval limit=1
Context Example
{ "Tanium.PendingSavedAction": [ { "ApprovedFlag": false, "ID": 164, "Name": "Deploy Kill Process", "OwnerUserId": 1 } ] }
Human Readable Output
Saved actions pending approval
ApprovedFlag | ID | Name | OwnerUserId |
---|---|---|---|
false | 164 | Deploy Kill Process | 1 |
21. tn-get-group
Returns a group object based on ID or name.
Base Command
tn-get-group
Input
Argument Name | Description | Required |
---|---|---|
id | The group ID. | Optional |
name | Name of group. | Optional |
Context Output
Path | Type | Description |
---|---|---|
Tanium.Group.ID | Unknown | The unique ID of the group object. |
Tanium.Group.Name | String | The name of the group. |
Tanium.Group.Text | String | A description of the clients that this group represents. |
Tanium.Group.Type | String | The type of the group. |
Tanium.Group.Deleted | Boolean | Whether the group is deleted. True if deleted. |
Command Example
!tn-get-group name=`linux machines`
Context Example
{ "Tanium.Group": { "Deleted": false, "ID": 11721, "Name": "linux machines", "Text": " OS Platform equals linux", "Type": "Manual group" } }
Human Readable Output
Group information
Deleted | ID | Name | Text | Type |
---|---|---|---|---|
false | 11721 | linux machines | OS Platform equals linux | Manual group |
22. tn-create-manual-group
Creates a group object based on a list of computers or IP addresses.
Base Command
tn-create-manual-group
Input
Argument Name | Description | Required |
---|---|---|
group-name | The name of the group to create. | Required |
computer-names | Comma separated list of hosts. For example, Host1,Host2. | Optional |
ip-addresses | Comma separated list of IP addresses. For example, 12.12.12.12,10.1.1.1. | Optional |
Context Output
Path | Type | Description |
---|---|---|
Tanium.Group.ID | Number | The unique ID of the group object. |
Command Example
!tn-create-manual-group group-name=group11 computer-names=host1,host2
Context Example
{ "Tanium.Group": { "Deleted": false, "ID": 31825, "Name": "group11", "Type": "Manual group" } }
Human Readable Output
Group created
Deleted | ID | Name | Type |
---|---|---|---|
false | 31825 | group11 | Manual group |
23. tn-create-filter-based-group
Creates a group object based on a text filter.
Base Command
tn-create-filter-based-group
Input
Argument Name | Description | Required |
---|---|---|
text-filter | The text filter-based computer group. For example, operating system contains windows. | Required |
group-name | Name of the group to create. | Required |
Context Output
Path | Type | Description |
---|---|---|
Tanium.Group.ID | Number | The unique ID of the group object. |
Command Example
!tn-create-filter-based-group group-name=linux_machines text-filter=`operating system contains linux`
Context Example
{ "Tanium.Group": { "ID": 31826, "Type": "Manual group" } }
Human Readable Output
Group created
ID | Type |
---|---|
31826 | Manual group |
24. tn-list-groups
Returns all groups.
Base Command
tn-list-groups
Input
Argument Name | Description | Required |
---|---|---|
limit | The maximum number of groups to return. | Optional |
Context Output
Path | Type | Description |
---|---|---|
Tanium.Group.ID | Number | The unique ID of the group object. |
Tanium.Group.Name | String | The name of the group. |
Tanium.Group.Text | String | A description of the clients that this group represents. |
Tanium.Group.Type | String | The type of the group. |
Tanium.Group.Deleted | Boolean | Whether the group is deleted. True if deleted. |
Command Example
!tn-list-groups limit=1
Context Example
{ "Tanium.Group": [ { "Deleted": false, "ID": 315, "Name": "Default", "Type": "Action group" } ] }
Human Readable Output
Groups
Deleted | ID | Name | Text | Type |
---|---|---|---|---|
false | 315 | Default | | Action group |
25. tn-delete-group
Deletes a group object.
Base Command
tn-delete-group
Input
Argument Name | Description | Required |
---|---|---|
id | The group ID. | Required |
Context Output
There is no context output for this command.
Command Example
!tn-delete-group id=31822
Context Example
{ "Tanium.Group": { "Deleted": true, "ID": 31822 } }
Human Readable Output
Group has been deleted. ID = 31822
26. tn-create-action-by-host
Creates an action object, based on a package name or package ID.
Base Command
tn-create-action-by-host
Input
Argument Name | Description | Required |
---|---|---|
package-id | The package ID. | Optional |
package-name | The package name. Target group is required and can be passed by name or ID. When both exist, the ID is used. Note that the target group should be different from "All Computers" or "Default". | Optional |
parameters | Package parameters. For example, $1=Value1;$2=Value2;$3=Value3. | Optional |
action-group-id | The action group ID to deploy the package. | Required |
hostname | The hostname to deploy the package. Hostname or IP address is required. | Optional |
ip-address | The IP address of the host to deploy the package. | Optional |
expiration-time | Expiration time (in seconds) for the package. | Optional |
action-name | The action name. | Optional |
Context Output
Path | Type | Description |
---|---|---|
Tanium.Action.ActionGroupId | Number | The ID of the parent group of machines to target. |
Tanium.Action.ActionGroupName | String | The name of the parent group of machines to target. |
Tanium.Action.ApproverId | Number | The ID of the approver of this action. |
Tanium.Action.ApproverName | String | The name of the approver of this action. |
Tanium.Action.CreationTime | Date | The date and time when this object was created in the database. |
Tanium.Action.ExpirationTime | Date | The date and time when the action expires. |
Tanium.Action.ExpireSeconds | Number | The timeout in seconds for the action expiry. |
Tanium.Action.HistorySavedQuestionId | Number | The ID of the saved question that tracks the results of the action. |
Tanium.Action.ID | Number | The unique ID of the action object. |
Tanium.Action.Name | String | The action name. |
Tanium.Action.PackageId | Number | The ID of the package deployed by this action. |
Tanium.Action.PackageName | String | The name of the package deployed by this action. |
Tanium.Action.SavedActionId | Number | The ID of the saved action that this action was issued from, if any. |
Tanium.Action.StartTime | String | The date and time when the action became active. |
Tanium.Action.Status | String | The status of the action. Can be: "Pending", "Active", "Stopped", or "Expired". |
Tanium.Action.StoppedFlag | Boolean | Whether an action stop has been issued for this action. A value of true indicates an action stop was issued. |
Tanium.Action.TargetGroupId | Number | The ID of the group of machines to target. |
Tanium.Action.TargetGroupName | String | The name of the group of machines to target. |
Tanium.Action.UserDomain | String | The domain of the user who issued this action. |
Tanium.Action.UserId | Number | The ID of the user who issued this action. |
Tanium.Action.UserName | String | The name of the user who issued this action. |
Command Example
!tn-create-action-by-host action-group-id=1 action-name=`Trace - Install Endpoint Certificate [Windows]` package-id=225 ip-address=127.0.0.1
Context Example
{ "Tanium.Action": { "ActionGroupId": 1, "ActionGroupName": "All Computers", "ApproverId": 1, "CreationTime": "2019-11-27T15:06:19Z", "ExpirationTime": "2001-01-01T00:13:00Z", "ExpireSeconds": 780, "HistorySavedQuestionId": 0, "ID": 19881, "Name": "Trace - Install Endpoint Certificate [Windows] via Demisto API", "PackageId": 1222, "PackageName": "Apply Windows IPsec Quarantine", "SavedActionId": 642, "StartTime": "2001-01-01T00:00:00Z", "Status": "Pending", "StoppedFlag": false, "TargetGroupId": 31823, "TargetGroupName": "Default", "UserDomain": "EC2AMAZ-N5ETQVT", "UserId": 1, "UserName": "administrator" } }
Human Readable Output
Action created
ActionGroupId | ActionGroupName | ApproverId | ApproverName | CreationTime | ExpirationTime | ExpireSeconds | HistorySavedQuestionId | ID | Name | PackageId | PackageName | SavedActionId | StartTime | Status | StoppedFlag | TargetGroupId | TargetGroupName | UserDomain | UserId | UserName |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | All Computers | 1 | | 2019-11-27T15:06:19Z | 2001-01-01T00:13:00Z | 780 | 0 | 19881 | Trace - Install Endpoint Certificate [Windows] via Demisto API | 1222 | Apply Windows IPsec Quarantine | 642 | 2001-01-01T00:00:00Z | Pending | false | 31823 | Default | EC2AMAZ-N5ETQVT | 1 | administrator |
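An added example, not part of the integration's own code: a pre-flight check for tn-create-action-by-host arguments that a playbook can run before the command deploys a package to an endpoint. The function names, the rule that one of package-id or package-name must be present, the consecutive $N numbering, and the assumption that parameter values contain no ";" are assumptions of this example.

```python
import ipaddress
import re

# Format documented on this page: $1=Value1;$2=Value2;$3=Value3
_PARAM_RE = re.compile(r"^\$(\d+)=(.*)$", re.S)


def parse_parameters(raw):
    """Split '$1=a;$2=b' into ['a', 'b'], insisting on consecutive indexes (assumption)."""
    values = []
    for position, item in enumerate(raw.split(";"), start=1):
        match = _PARAM_RE.match(item)
        if not match or int(match.group(1)) != position:
            raise ValueError(f"parameter {position} is malformed: {item!r}")
        values.append(match.group(2))
    return values


def check_action_args(args):
    """Return a list of problems; an empty list means the call is well formed."""
    problems = []
    if not str(args.get("action-group-id", "")).isdecimal():
        problems.append("action-group-id is required and must be numeric")
    if not (args.get("package-id") or args.get("package-name")):
        problems.append("give package-id or package-name")  # assumption, see lead-in
    if not (args.get("hostname") or args.get("ip-address")):
        problems.append("give hostname or ip-address")
    if args.get("ip-address"):
        try:
            ipaddress.ip_address(args["ip-address"])
        except ValueError:
            problems.append("ip-address is not a valid address")
    expiry = args.get("expiration-time")
    if expiry is not None and not (str(expiry).isdecimal() and int(expiry) > 0):
        problems.append("expiration-time must be a positive number of seconds")
    if args.get("parameters"):
        try:
            parse_parameters(args["parameters"])
        except ValueError as err:
            problems.append(str(err))
    return problems


# Constructed sample calls; GOOD mirrors the command example on this page.
GOOD = {"action-group-id": "1", "package-id": "225", "ip-address": "127.0.0.1"}
BAD = {"package-name": "pkg", "ip-address": "10.1.1", "parameters": "$1=a;$3=b"}

if __name__ == "__main__":
    print(check_action_args(GOOD))
    print(check_action_args(BAD))
```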
27. tn-get-action-result
Gets device action results.
Base Command
tn-get-action-result
Input
Argument Name | Description | Required |
---|---|---|
id | The device ID. | Required |
Context Output
Path | Type | Description |
---|---|---|
Tanium.ActionResult.now | Date | The action result time. |
Tanium.ActionResult.max_available_age | String | The maximum action result age. |
Tanium.ActionResult.result_sets.age | Number | The age of the action result. |
Tanium.ActionResult.result_sets.id | Number | The result sets ID. |
Tanium.ActionResult.result_sets.report_count | Number | The result sets report count. |
Tanium.ActionResult.result_sets.saved_question_id | Number | The result sets saved question ID. |
Tanium.ActionResult.result_sets.question_id | Number | The result sets question ID. |
Tanium.ActionResult.result_sets.archived_question_id | Number | The result sets archived question ID. |
Tanium.ActionResult.result_sets.seconds_since_issued | Number | The result sets seconds since issued. |
Tanium.ActionResult.result_sets.issue_seconds | Number | The result sets issued seconds. |
Tanium.ActionResult.result_sets.expire_seconds | Number | The result sets expire seconds. |
Tanium.ActionResult.result_sets.tested | Number | The result sets tested. |
Tanium.ActionResult.result_sets.passed | Number | The result sets passed. |
Tanium.ActionResult.result_sets.mr_tested | Number | The result sets mr tested. |
Tanium.ActionResult.result_sets.mr_passed | Number | The result sets mr passed. |
Tanium.ActionResult.result_sets.estimated_total | Number | The result sets estimated total. |
Tanium.ActionResult.result_sets.select_count | Number | The result sets select count. |
Tanium.ActionResult.result_sets.error_count | Number | The result sets error count. |
Tanium.ActionResult.result_sets.no_results_count | Number | The result sets no results count. |
Tanium.ActionResult.result_sets.columns.hash | Number | The result sets columns hash. |
Tanium.ActionResult.result_sets.columns.name | String | The result sets columns name. |
Tanium.ActionResult.result_sets.columns.type | Number | The result sets columns type. |
Tanium.ActionResult.result_sets.filtered_row_count | Number | The result sets filtered row count. |
Tanium.ActionResult.result_sets.filtered_row_count_machines | Number | The result sets filtered row count machines. |
Tanium.ActionResult.result_sets.row_count | Number | The result sets row count. |
Tanium.ActionResult.result_sets.row_count_machines | Number | The result sets row count machines. |
Tanium.ActionResult.result_sets.item_count | Number | The result sets item count. |
Tanium.ActionResult.result_sets.rows.id | Number | The action results row ID. |
Tanium.ActionResult.result_sets.rows.cid | Number | The action results computer ID. |
Tanium.ActionResult.result_sets.rows.data.text | Number | The action results status. |
Tanium.ActionResult.ID | String | The action results ID. |
Command Example
!tn-get-action-result id=1