Tanium 6.x: Packages with Sourced Sensors

Overview

Tanium's real time data gathering capabilities can reveal the root cause of outages and the symptoms of security incidents as they are occurring. This naturally leads operators to take action as a result of data that Tanium has discovered. To automate the interactions between sensors and actions taken through packages, it is possible to use the output of a sensor as the input to a package.

This is similar to Parameterized Packages. However, these packages use sensor output instead of run-time values to form the command.

Unescaping

As a security precaution, all values which are fed onto the command line are escaped (URL encoded). This ensures that most special characters, including spaces, are encoded into values which are considered safe. For example, the space character is transformed into "%20" by the time the command line reaches the client. Therefore, DOS commands which take encoded input should be run through a wrapper script which unescapes the characters and validates the result before passing it on to the command. A useful function for Windows is the Unescape function in VBScript.
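The following wrapper is an added example and not Tanium's own package code. It assumes the package command line passes the encoded sensor value as the first argument (for instance `cscript.exe //nologo kill-process.vbs ||Running Processes||`, an assumed command line), decodes it with VBScript's Unescape, checks that the decoded value looks like a plain image name before it is allowed anywhere near a shell, and only then runs taskkill.exe (the choice of taskkill.exe is an assumption; the page does not show the actual command line).

```vbscript
' Added example wrapper, not Tanium's own code.
' Expects one argument: the URL-encoded value supplied from ||Running Processes||.
Option Explicit

Dim encoded, decoded, re, shell, exitCode

If WScript.Arguments.Count < 1 Then
    WScript.Echo "usage: cscript //nologo kill-process.vbs <encoded-process-name>"
    WScript.Quit 2
End If

' Tanium URL-encodes the sensor value, so "note%20pad.exe" arrives for "note pad.exe".
encoded = WScript.Arguments(0)
decoded = Unescape(encoded)

' Validate after decoding, never before: an encoded value can hide characters
' that only appear once unescaped. Allow only a bare image name such as
' "notepad.exe" (letters, digits, dot, dash, underscore), so path separators,
' quotes, spaces, ampersands and other shell metacharacters are rejected.
' The pattern is an assumption; adjust it to what the sensor actually returns.
Set re = New RegExp
re.Pattern = "^[A-Za-z0-9._-]+\.exe$"
re.IgnoreCase = True

If Not re.Test(decoded) Then
    WScript.Echo "refusing unexpected process name: " & decoded
    WScript.Quit 3
End If

' Only a validated name reaches the command; it is still quoted as a single argument.
Set shell = CreateObject("WScript.Shell")
exitCode = shell.Run("taskkill.exe /F /IM """ & decoded & """", 0, True)
WScript.Quit exitCode
```

The important ordering is decode first, then validate, then execute: checking the still-encoded string would let "%26" (an ampersand) or "%22" (a quote) pass inspection and only turn into a metacharacter afterwards. The exit code from taskkill.exe is returned to the caller so that the action's status in Tanium reflects whether the process was actually terminated.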

Usage

One specific example where the ability to drive packages based on the output of sensors makes sense would be in the case of wanting to kill a process running on a client machine. The Running Processes sensor provides a list of all the processes running on each machine. To make it as convenient as possible for the operator, it is possible to deploy a package directly from a question that uses the Running Processes sensor to then kill one of the identified processes.

The linkage between the output of a sensor and the input for a package is defined when creating the package by clicking on the Advanced Settings link in the upper right as shown below.

[Image: Package-with-sourced-sensor.png]

The package shown above requires a specific sensor, Running Processes. The output of the sensor is a single column, which can be referred to in the package as ||Running Processes|| on the command line. Clicking the Main Settings link will show the command line itself. Here, the command line has everything it needs to kill a process on a Windows machine.

Deploying as Action

If a Package requires a source Sensor to run, you can deploy the Package only from Answer Grids in which the original question contains that Sensor in the select part of the question. Otherwise, the Package will not appear in the list of available Packages on the Deploy Action UI.
