Tanium - Get Running Processes workflow This workflow creates an audit trail, and the Tanium: Get-Processes Question activity takes the IPV4 address of the CI as input and runs a query on the Tanium server. The output is a list of all the running processes on the affected CI. Figure 1. Security Operations Tanium Integration - Get Running Processes workflow When the Configuration item field in a security incident is modified, this workflow is launched. How the workflow works Given a string question ID (normally the result of an AddObject command), the Tanium: Check if Done activity queries the Tanium server to check if data collection is complete. This activity uses the sn_sec_tanium.TaniumEndpointUtil script include and relies on the GetResultInfo Tanium server SOAP message. When the Tanium: Check if Done activity returns true, the Tanium: Get Result Data from Response activity collects all the data returned from the Tanium server in answer to the Get-Processes question. The output consists of an array of objects, each containing key-value pairs composed of the column and values returned from the server. If no data is received from the server, the output is an empty array. Create Enrichment Data records activityThis workflow activity stores workflow output data in a table. Get IP from CI activityThis workflow activity determines the IPV4 address associated with a configuration item (CI).Tanium: Build Get-Processes Request activityThis workflow activity takes the IPV4 address of a CI added to a security incident and builds a request to the Tanium server for all the running processes for that CI. The output is the details necessary for executing the request, with the payload encrypted.Tanium: Build Check if Done Request activityThis workflow activity builds a request of the Tanium server to check if data collection for the question is complete. It returns the encrypted request and other components necessary to execute the request.Tanium: Build Get Result Data Request activityThis workflow builds a request to collect all the data returned from Tanium in answer to a question. It takes a Question ID as input and provides the output to execute the request, including an encrypted SOAP envelope payload.Tanium: Determine if done from Response activityThis workflow activity determines if a request has completed based on the response body.Tanium: Execute Request activityThis workflow activity executes an HTTP request. The inputs define the endpoint and the expected request body. The request body itself is the encrypted SOAP envelope. Tanium: Get Question ID from Response activityThis workflow activity processes the response body to obtain the Question ID.Tanium: Get Result Data from Response activityThis workflow activity processes the response body from the result data and outputs an array of JSON objects representing the results from Tanium.