Tanium - Get Running Processes workflow
This workflow creates an audit trail, and the Tanium: Get-Processes Question activity takes the IPv4 address of the CI as input and runs a query on the Tanium server. The output is a list of all the running processes on the affected CI.
When the Configuration item field in a security incident is modified, this workflow is launched.
How the workflow works
Given a string question ID (normally the result of an AddObject command), the Tanium: Check if Done activity queries the Tanium server to check if data collection is complete. This activity uses the sn_sec_tanium.TaniumEndpointUtil script include and relies on the GetResultInfo Tanium server SOAP message.
When the Tanium: Check if Done activity returns true, the Tanium: Get Result Data from Response activity collects all the data returned from the Tanium server in answer to the Get-Processes question. The output consists of an array of objects, each containing key-value pairs composed of the column and values returned from the server. If no data is received from the server, the output is an empty array.
Activities specific to this integration are described here. For more information on other activities, see Common integration workflow activities.
Get IP from CI activity
This workflow activity determines the IPv4 address associated with a configuration item (CI).
The Get IP from CI activity can be used with any workflow to retrieve the IPv4 address of a CI.
Input variables
Input variables determine the initial behavior of the activity.
| Variable | Description |
|---|---|
| ci_sys_id [string] | Configuration item system identifier |
Output variables
The output variables contain data that can be used in subsequent activities.
| Variable | Description |
|---|---|
| ip_addr [string] | IPv4 address. If the IP address cannot be determined, this value is empty. |
Exit Conditions
Possible results for this activity are:
| Condition | Description |
|---|---|
| Success | An IPv4 address was returned. |
| Failure | An IPv4 address could not be determined. |
Tanium: Build Get-Processes Request activity
This workflow activity takes the IPv4 address of a CI added to a security incident and builds a request to the Tanium server for all the running processes on that CI. The output is the details necessary for executing the request, with the payload encrypted.
Input variables
Input variables determine the initial behavior of the activity.
| Variable | Description |
|---|---|
| ci_ip_address [string] | The IPv4 address of the CI that was added to a security incident. This input field is mandatory. |
Output variables
The output variables contain data that can be used in subsequent activities.
| Variable | Description |
|---|---|
| endpoint [string] | The encrypted endpoint from the database. |
| request_body [Encrypted] | The SOAP request body. |
| http_timeout [Integer] | The HTTP timeout value, in seconds. |
| use_mid [Boolean] | A boolean flag indicating whether to use the MID Server. |
Tanium: Build Check if Done Request activity
This workflow activity builds a request to the Tanium server to check whether data collection for the question is complete. It returns the encrypted request and the other components necessary to execute the request.
Input variables
Input variables determine the initial behavior of the activity.
| Variable | Description |
|---|---|
| question_id [integer] | The Question ID returned from the Tanium server. |
Output variables
The output variables contain data that can be used in subsequent activities.
| Variable | Description |
|---|---|
| endpoint [string] | The encrypted endpoint from the database. |
| request_body [Encrypted] | The SOAP request body. |
| http_timeout [Integer] | The HTTP timeout value, in seconds. |
| use_mid [Boolean] | A boolean flag indicating whether to use the MID Server. |
Tanium: Build Get Result Data Request activity
This workflow activity builds a request to collect all the data returned from Tanium in answer to a question. It takes a Question ID as input and provides the output needed to execute the request, including an encrypted SOAP envelope payload.
Input variables
Input variables determine the initial behavior of the activity.
| Variable | Description |
|---|---|
| question_id [string] | The question ID of the question posed to Tanium. |
Output variables
The output variables contain data that can be used in subsequent activities.
| Variable | Description |
|---|---|
| endpoint [string] | The encrypted endpoint from the database. |
| request_body [Encrypted] | The SOAP request body. |
| http_timeout [Integer] | The HTTP timeout value, in seconds. |
| use_mid [Boolean] | A boolean flag indicating whether to use the MID Server. |
Tanium: Determine if done from Response activity
This workflow activity determines if a request has completed based on the response body.
Input variables
Input variables determine the initial behavior of the activity.
| Variable | Description |
|---|---|
| response_body [string] | The SOAP response body returned from Tanium. |
Output variables
The output variables contain data that can be used in subsequent activities.
| Variable | Description |
|---|---|
| done [Boolean] | Returns true if the request processing is done. |
Tanium: Execute Request activity
This workflow activity executes an HTTP request. The inputs define the endpoint and the expected request body. The request body itself is the encrypted SOAP envelope.
Input variables
Input variables determine the initial behavior of the activity.
| Variable | Description |
|---|---|
| request_body [Encrypted] | The SOAP request body. This input field is mandatory. |
| use_mid [Boolean] | A boolean flag indicating whether to use the MID Server. |
| endpoint [string] | The encrypted endpoint from the database. This input field is mandatory. |
| http_timeout [integer] | The HTTP timeout value, in seconds. |
Output variables
The output variables contain data that can be used in subsequent activities.
| Variable | Description |
|---|---|
| status_code [integer] | Standard HTTP status codes. |
| header [string] | The SOAP header. |
| body [string] | The SOAP body. |
| error [string] | Any errors provided by the server. |
Tanium: Get Question ID from Response activity
This workflow activity processes the response body to obtain the Question ID.
Input variables
Input variables determine the initial behavior of the activity.
| Variable | Description |
|---|---|
| response_body [string] | The SOAP response body. |
Output variables
The output variables contain data that can be used in subsequent activities.
| Variable | Description |
|---|---|
| question_id [integer] | The Question ID returned from the Tanium server. |
Tanium: Get Result Data from Response activity
The Tanium: Get Result Data from Response workflow activity processes the response body from the result data and outputs an array of JSON objects representing the results from Tanium.
The Tanium: Get Result Data from Response activity can be used with any workflow to retrieve result data to use in the workflow.
Results
Possible results for this activity are:
| Result | Description |
|---|---|
| Success | Retrieved result data. |
| Failure | No data retrieved. More error information is available in the activity output error. |
Input variables
Input variables determine the initial behavior of the activity.
| Variable | Description |
|---|---|
| response_body | Encrypted SOAP response contents. |
| implementation_id | Implementation identifier. |
| affected_ci | Configuration item affected. |
Output variables
The output variables contain data that can be used in subsequent activities.
| Variable | Description |
|---|---|
| result_data | An array of objects. Each element contains key-value pairs composed of the column names and values returned from the server. If no data is received from the server, the output is an empty array. |
| output | Formatted return data on running processes used by the abstract workflow. |
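The steps described under "How the workflow works" (poll Tanium: Check if Done, then collect the result data), together with the Tanium: Get Question ID from Response, Tanium: Determine if done from Response and Tanium: Get Result Data from Response activities, as one added example. This is illustrative code, not ServiceNow's, Tanium's or the sn_sec_tanium.TaniumEndpointUtil script include's own implementation. The SOAP element names it reads (question_id, estimated_total, mr_tested, dn, r, v), the sample replies, and the function names getQuestionId, isDone, parseResultData and collectWhenDone are all assumptions; the fetchInfo and fetchData callbacks stand in for the Tanium: Execute Request activity so the example runs offline. Inside a ServiceNow instance you would parse with XMLDocument2 rather than the regex helper used here.

```javascript
// Added example (not ServiceNow or Tanium code). SOAP layouts below are
// ASSUMED for illustration only; real replies should be parsed with a proper
// XML parser (XMLDocument2 in ServiceNow), not regexes.

// Minimal tag extraction for the constructed samples (assumption: no nested
// same-named tags, no CDATA). Returns the text content of every <tag>...</tag>.
function textOf(xml, tag) {
  var re = new RegExp('<' + tag + '>([\\s\\S]*?)</' + tag + '>', 'g');
  var out = [], m;
  while ((m = re.exec(xml)) !== null) out.push(m[1]);
  return out;
}

// Tanium: Get Question ID from Response. Returns null when the id is absent or
// not purely numeric, so a malformed reply does not propagate downstream.
function getQuestionId(responseBody) {
  var ids = textOf(responseBody, 'question_id');
  if (ids.length === 0 || !/^\d+$/.test(ids[0].trim())) return null;
  return parseInt(ids[0].trim(), 10);
}

// Tanium: Determine if done from Response. A GetResultInfo reply is treated as
// complete once every endpoint Tanium expected to answer has been tested.
// mr_tested / estimated_total are assumed field names for the sample layout.
function isDone(responseBody) {
  var tested = parseInt((textOf(responseBody, 'mr_tested')[0] || '').trim(), 10);
  var total = parseInt((textOf(responseBody, 'estimated_total')[0] || '').trim(), 10);
  if (isNaN(tested) || isNaN(total) || total === 0) return false; // not done / unparseable
  return tested >= total;
}

// Tanium: Get Result Data from Response. Turns a GetResultData reply into an
// array of objects keyed by column name; [] when the reply carries no rows.
function parseResultData(responseBody) {
  var columns = textOf(responseBody, 'dn').map(function (s) { return s.trim(); });
  var rows = textOf(responseBody, 'r');
  var results = [];
  for (var i = 0; i < rows.length; i++) {
    var values = textOf(rows[i], 'v');
    var obj = {};
    for (var j = 0; j < columns.length && j < values.length; j++) {
      obj[columns[j]] = values[j].trim(); // extra or missing cells are dropped, not misaligned
    }
    results.push(obj);
  }
  return results;
}

// The workflow sequence: poll GetResultInfo until isDone(), then collect the
// result data once. maxPolls bounds the loop so a question that never completes
// fails cleanly with done:false and an empty result_data array.
function collectWhenDone(questionId, fetchInfo, fetchData, maxPolls) {
  for (var attempt = 0; attempt < maxPolls; attempt++) {
    if (isDone(fetchInfo(questionId))) {
      return { done: true, polls: attempt + 1, result_data: parseResultData(fetchData(questionId)) };
    }
  }
  return { done: false, polls: maxPolls, result_data: [] };
}

// Constructed sample replies (not captured from a real Tanium server).
var SAMPLE_INFO_PENDING = '<result_infos><result_info><question_id>12345</question_id>' +
  '<estimated_total>2</estimated_total><mr_tested>1</mr_tested></result_info></result_infos>';
var SAMPLE_INFO_DONE = '<result_infos><result_info><question_id>12345</question_id>' +
  '<estimated_total>2</estimated_total><mr_tested>2</mr_tested></result_info></result_infos>';
var SAMPLE_DATA = '<result_sets><result_set><question_id>12345</question_id>' +
  '<cs><c><dn>Computer Name</dn></c><c><dn>Process Name</dn></c><c><dn>PID</dn></c></cs>' +
  '<rs><r><c><v>host-a</v></c><c><v>svchost.exe</v></c><c><v>412</v></c></r>' +
  '<r><c><v>host-b</v></c><c><v>sshd</v></c><c><v>917</v></c></r></rs></result_set></result_sets>';

// Stand-alone run: one pending poll, then done, then two process rows.
var polls = 0;
console.log(JSON.stringify(collectWhenDone(
  getQuestionId(SAMPLE_INFO_PENDING),
  function () { polls++; return polls < 2 ? SAMPLE_INFO_PENDING : SAMPLE_INFO_DONE; },
  function () { return SAMPLE_DATA; },
  5)));
```

The bounded poll loop is the piece worth copying: the workflow's Check if Done step is re-run until GetResultInfo reports completion, and a ceiling on the number of polls turns a question that never finishes into a visible failure instead of a hung workflow.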