Tanium - Get Running Processes workflow

This workflow creates an audit trail, and the Tanium: Get-Processes Question activity takes the IPv4 address of the CI as input and runs a query on the Tanium server. The output is a list of all the running processes on the affected CI.

Figure 1. Security Operations Tanium Integration - Get Running Processes workflow

When the Configuration item field in a security incident is modified, this workflow is launched.

Get Running Processes workflow

How the workflow works

Given a string question ID (normally the result of an AddObject command), the Tanium: Check if Done activity queries the Tanium server to check if data collection is complete. This activity uses the sn_sec_tanium.TaniumEndpointUtil script include and relies on the GetResultInfo Tanium server SOAP message.

When the Tanium: Check if Done activity returns true, the Tanium: Get Result Data from Response activity collects all the data returned from the Tanium server in answer to the Get-Processes question. The output is an array of objects, one per result row, each containing key-value pairs that map the column names returned from the server to that row's values. If no data is received from the server, the output is an empty array.
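The two steps above, as an added JavaScript example rather than code from the sn_sec_tanium.TaniumEndpointUtil script include: a completion check in the spirit of Check if Done, followed by the conversion of a result set into the workflow's array of row objects. The Tanium field names used (estimated_total, mr_tested, cs/dn, rs/r/c/v) are assumed to be the GetResultInfo/GetResultData shape after the SOAP XML has been parsed into plain objects, and the sample input is constructed.

```javascript
// Added example, not ServiceNow's or Tanium's own code. Written in ES5 style
// so it would also run in a ServiceNow script include.
// Assumed Tanium result shapes (after SOAP XML -> object parsing):
//   result_info: { question_id, estimated_total, mr_tested, ... }
//   result_set:  { cs: { c: [{ dn: columnName }] }, rs: { r: [{ c: [{ v: value }] }] } }

// Check if Done: collection is complete once every estimated endpoint has
// reported. A question with no targets (estimated_total 0) is treated as done.
function isCollectionDone(resultInfo) {
  var total = Number(resultInfo.estimated_total) || 0;
  var tested = Number(resultInfo.mr_tested) || 0;
  return total === 0 || tested >= total;
}

// Get Result Data from Response: one object per row, keyed by column name.
// Returns [] when the server sent no rows (the workflow's empty-array case).
function resultSetToRows(resultSet) {
  if (!resultSet || !resultSet.rs || !resultSet.rs.r || resultSet.rs.r.length === 0) {
    return [];
  }
  var columns = resultSet.cs.c.map(function (col) { return col.dn; });
  return resultSet.rs.r.map(function (row) {
    var obj = {};
    row.c.forEach(function (cell, i) {
      obj[columns[i]] = cell.v;
    });
    return obj;
  });
}

// Constructed sample input, not real Tanium output.
var sampleInfo = { question_id: '12345', estimated_total: 3, mr_tested: 3 };
var sampleResultSet = {
  cs: { c: [{ dn: 'Computer Name' }, { dn: 'Running Processes' }, { dn: 'Count' }] },
  rs: { r: [
    { c: [{ v: 'host-a' }, { v: 'svchost.exe' }, { v: '1' }] },
    { c: [{ v: 'host-a' }, { v: 'explorer.exe' }, { v: '1' }] }
  ] }
};

// Runs the two activities in order: only read results once collection is done.
function demo() {
  if (!isCollectionDone(sampleInfo)) return [];
  return resultSetToRows(sampleResultSet);
}
```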