Tanium - Get File Details workflow

  • Release version: Washingtondc
  • Updated January 20, 2026
  • 7 minutes to read

    • This workflow queries the Tanium server for the existence of files with a specific hash value or file name. The activities collect the results and store them as enrichment data on a security incident.

    Figure 1. Security Operations Tanium Integration - Get File Details workflow
    Get File Details workflow
    Note:
    This workflow illustrates how you can query the Tanium server for the existence of files with a specific hash value or file name, collect the data, and store it as enrichment data on a security incident. In its current implementation, the workflow does not return the enriched data for use by the system. It is provided to exemplify the process you can use to increase the effectiveness of your security incident investigation.

    Activities specific to this integration are described here. For more information on other activities, see Common integration workflow activities.

    Tanium: Build Get Sensor ID Request activity

    This activity takes a sensor name, and builds a request to perform a lookup on the Tanium server . It returns a sensor ID used by subsequent activities.

    Input variables

    Input variables determine the initial behavior of the activity.

    Table 1. Input variables
    Variable Description
    sensor_name [string] A string that identifies the sensor name.

    Output variables

    The output variables contain data that can be used in subsequent activities.

    Table 2. Output variables
    Variable Description
    endpoint [string] The encrypted endpoint from the database.
    request_body [Encrypted] The SOAP request body.
    http_timeout [Integer] The HTTP timeout value, in seconds.
    use_mid [Boolean] A boolean flag indicating whether to use the MID Server.

    Tanium: Execute Request activity

    This workflow activity executes an HTTP request. The inputs define the endpoint and the expected request body. The request body itself is the encrypted SOAP envelope.

    Input variables

    Input variables determine the initial behavior of the activity.

    Table 3. Input variables
    Variable Description
    request_body [Encrypted] The SOAP request body. This input field is mandatory.
    use_mid [Boolean] A boolean flag indicating whether to use the MID Server.
    endpoint [string] The encrypted endpoint from the database. This input field is mandatory.
    http_timeout [integer] The HTTP timeout value, in seconds.

    Output variables

    The output variables contain data that can be used in subsequent activities.

    Table 4. Output variables
    Variable Description
    status_code [integer] Standard HTTP status codes.
    header [string] The SOAP header.
    body [string] The SOAP body.
    error [string] Any errors provided by the server.

    Tanium: Execute Request activity

    This workflow activity executes an HTTP request. The inputs define the endpoint and the expected request body. The request body itself is the encrypted SOAP envelope.

    Input variables

    Input variables determine the initial behavior of the activity.

    Table 5. Input variables
    Variable Description
    request_body [Encrypted] The SOAP request body. This input field is mandatory.
    use_mid [Boolean] A boolean flag indicating whether to use the MID Server.
    endpoint [string] The encrypted endpoint from the database. This input field is mandatory.
    http_timeout [integer] The HTTP timeout value, in seconds.

    Output variables

    The output variables contain data that can be used in subsequent activities.

    Table 6. Output variables
    Variable Description
    status_code [integer] Standard HTTP status codes.
    header [string] The SOAP header.
    body [string] The SOAP body.
    error [string] Any errors provided by the server.

    Tanium: Get Sensor ID From Response activity

    This activity processes the SOAP response body provided as input, and outputs the corresponding sensor ID.

    Input variables

    Input variables determine the initial behavior of the activity.

    Table 7. Input variables
    Variable Description
    response_body [string] the SOAP response body coming back from Tanium.

    Output variables

    The output variables contain data that can be used in subsequent activities.

    Table 8. Output variables
    Variable Description
    sensor_id [string] The string sensor ID associated with the requested sensor.

    Tanium: Execute Request activity

    This workflow activity executes an HTTP request. The inputs define the endpoint and the expected request body. The request body itself is the encrypted SOAP envelope.

    Input variables

    Input variables determine the initial behavior of the activity.

    Table 9. Input variables
    Variable Description
    request_body [Encrypted] The SOAP request body. This input field is mandatory.
    use_mid [Boolean] A boolean flag indicating whether to use the MID Server.
    endpoint [string] The encrypted endpoint from the database. This input field is mandatory.
    http_timeout [integer] The HTTP timeout value, in seconds.

    Output variables

    The output variables contain data that can be used in subsequent activities.

    Table 10. Output variables
    Variable Description
    status_code [integer] Standard HTTP status codes.
    header [string] The SOAP header.
    body [string] The SOAP body.
    error [string] Any errors provided by the server.

    Tanium: Get Question ID from Response activity

    This workflow activity processes the response body to obtain the Question ID.

    Input variables

    Input variables determine the initial behavior of the activity.

    Table 11. Input variables
    Variable Description
    response_body [string] The SOAP response body.

    Output variables

    The output variables contain data that can be used in subsequent activities.

    Table 12. Output variables
    Variable Description
    question_id [integer] The Question ID returned from the Tanium server.

    Tanium: Build Check if Done Request activity

    This workflow activity builds a request of the Tanium server to check if data collection for the question is complete. It returns the encrypted request and other components necessary to execute the request.

    Input variables

    Input variables determine the initial behavior of the activity.

    Table 13. Input variables
    Variable Description
    question_id [integer] The Question ID returned from the Tanium server.

    Output variables

    The output variables contain data that can be used in subsequent activities.

    Table 14. Output variables
    Variable Description
    endpoint [string] The encrypted endpoint from the database.
    request_body [Encrypted] The SOAP request body.
    http_timeout [Integer] The HTTP timeout value, in seconds.
    use_mid [Boolean] A boolean flag indicating whether to use the MID Server.

    Tanium: Execute Request activity

    This workflow activity executes an HTTP request. The inputs define the endpoint and the expected request body. The request body itself is the encrypted SOAP envelope.

    Input variables

    Input variables determine the initial behavior of the activity.

    Table 15. Input variables
    Variable Description
    request_body [Encrypted] The SOAP request body. This input field is mandatory.
    use_mid [Boolean] A boolean flag indicating whether to use the MID Server.
    endpoint [string] The encrypted endpoint from the database. This input field is mandatory.
    http_timeout [integer] The HTTP timeout value, in seconds.

    Output variables

    The output variables contain data that can be used in subsequent activities.

    Table 16. Output variables
    Variable Description
    status_code [integer] Standard HTTP status codes.
    header [string] The SOAP header.
    body [string] The SOAP body.
    error [string] Any errors provided by the server.

    Tanium: Determine if done from Response activity

    This workflow activity determines if a request has completed based on the response body.

    Input variables

    Input variables determine the initial behavior of the activity.

    Table 17. Input variables
    Variable Description
    response_body [string] The SOAP request body returned from Tanium.

    Output variables

    The output variables contain data that can be used in subsequent activities.

    Table 18. Output variables
    Variable Description
    done [Boolean] Returns true if the request processing is done.

    Tanium: Build Get Result Data Request activity

    This workflow builds a request to collect all the data returned from Tanium in answer to a question. It takes a Question ID as input and provides the output to execute the request, including an encrypted SOAP envelope payload.

    Input variables

    Input variables determine the initial behavior of the activity.

    Table 19. Input variables
    Variable Description
    question_id [string] The question ID of the question posed to Tanium.

    Output variables

    The output variables contain data that can be used in subsequent activities.

    Table 20. Output variables
    Variable Description
    endpoint [string] The encrypted endpoint from the database.
    request_body [Encrypted] The SOAP request body.
    http_timeout [Integer] The HTTP timeout value, in seconds.
    use_mid [Boolean] A boolean flag indicating whether to use the MID Server.

    Tanium: Execute Request activity

    This workflow activity executes an HTTP request. The inputs define the endpoint and the expected request body. The request body itself is the encrypted SOAP envelope.

    Input variables

    Input variables determine the initial behavior of the activity.

    Table 21. Input variables
    Variable Description
    request_body [Encrypted] The SOAP request body. This input field is mandatory.
    use_mid [Boolean] A boolean flag indicating whether to use the MID Server.
    endpoint [string] The encrypted endpoint from the database. This input field is mandatory.
    http_timeout [integer] The HTTP timeout value, in seconds.

    Output variables

    The output variables contain data that can be used in subsequent activities.

    Table 22. Output variables
    Variable Description
    status_code [integer] Standard HTTP status codes.
    header [string] The SOAP header.
    body [string] The SOAP body.
    error [string] Any errors provided by the server.

    Tanium: Get Result Data from Response activity

    The Tanium: Get Result Data from Response workflow activity processes the response body from the result data and outputs an array of JSON objects representing the results from Tanium.

    The Tanium: Get Result Data from Response activity can be used with any workflow to retrieve result data to use in the workflow.

    Results

    Possible results for this activity are:

    Table 23. Results
    Result Description
    Success Retrieved result data.
    Failure No data retrieved. More error information is available in the activity output error.

    Input variables

    Input variables determine the initial behavior of the activity.

    Variable Description
    response_body Encrypted SOAP response contents
    implementation_id Implementation identifier.
    affected_ci Configuration item affected.

    Output variables

    The output variables contain data that can be used in subsequent activities.

    Table 24. Output variables
    Variable Description
    result_data Array Element type of API variables. Each array contains key-value pairs composed of the column and values returned from the server. If no data is received from the server, the output is an empty array.
    output Formatted return data on running processes used by the abstract workflow.