
Tanium - Get Running Processes workflow



This workflow creates an audit trail, and the Tanium: Get-Processes Question activity takes the IPv4 address of the CI as input and runs a query on the Tanium server. The output is a list of all the running processes on the affected CI.

Figure 1. Security Operations Tanium Integration - Get Running Processes workflow

When the Configuration item field in a security incident is modified, this workflow is launched.


How the workflow works

Given a string question ID (normally the result of an AddObject command), the Tanium: Check if Done activity queries the Tanium server to check whether data collection is complete. This activity uses the sn_sec_tanium.TaniumEndpointUtil script include and relies on the GetResultInfo SOAP message of the Tanium server.

When the Tanium: Check if Done activity returns true, the Tanium: Get Result Data from Response activity collects all the data returned from the Tanium server in answer to the Get-Processes question. The output is an array of objects, each containing key-value pairs composed of the column names and values returned from the server. If no data is received from the server, the output is an empty array.

Activities specific to this integration are described here. For more information on other activities, see Common integration workflow activities.

Get IP from CI activity

This workflow activity determines the IPv4 address associated with a configuration item (CI).

The Get IP from CI activity can be used with any workflow to retrieve the IPv4 address of a CI.

Input variables

Input variables determine the initial behavior of the activity.

Table 1. Input variables
Variable Description
ci_sys_id [string] Configuration item system identifier

Output variables

The output variables contain data that can be used in subsequent activities.

Table 2. Output variables
Variable Description
ip_addr [string] IPv4 address. If the IP address cannot be determined, this value is empty.

Exit Conditions

Possible results for this activity are:

Table 3. Conditions
Condition Description
Success An IPv4 address was returned.
Failure An IPv4 address could not be determined.

Tanium: Build Get-Processes Request activity

This workflow activity takes the IPv4 address of a CI that was added to a security incident and builds a request to the Tanium server for all the running processes on that CI. The output contains the details necessary to execute the request, with the payload encrypted.

Input variables

Input variables determine the initial behavior of the activity.

Table 4. Input variables
Variable Description
ci_ip_address [string] The IPv4 address of the CI that was added to a security incident. This input field is mandatory.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 5. Output variables
Variable Description
endpoint [string] The encrypted endpoint from the database.
request_body [Encrypted] The SOAP request body.
http_timeout [Integer] The HTTP timeout value, in seconds.
use_mid [Boolean] A boolean flag indicating whether to use the MID Server.

Tanium: Build Check if Done Request activity

This workflow activity builds a request to the Tanium server to check whether data collection for the question is complete. It returns the encrypted request and the other components necessary to execute the request.

Input variables

Input variables determine the initial behavior of the activity.

Table 6. Input variables
Variable Description
question_id [integer] The Question ID returned from the Tanium server.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 7. Output variables
Variable Description
endpoint [string] The encrypted endpoint from the database.
request_body [Encrypted] The SOAP request body.
http_timeout [Integer] The HTTP timeout value, in seconds.
use_mid [Boolean] A boolean flag indicating whether to use the MID Server.

Tanium: Build Get Result Data Request activity

This workflow activity builds a request to collect all the data returned from Tanium in answer to a question. It takes a Question ID as input and provides the output needed to execute the request, including an encrypted SOAP envelope payload.

Input variables

Input variables determine the initial behavior of the activity.

Table 8. Input variables
Variable Description
question_id [string] The question ID of the question posed to Tanium.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 9. Output variables
Variable Description
endpoint [string] The encrypted endpoint from the database.
request_body [Encrypted] The SOAP request body.
http_timeout [Integer] The HTTP timeout value, in seconds.
use_mid [Boolean] A boolean flag indicating whether to use the MID Server.

Tanium: Determine if done from Response activity

This workflow activity determines if a request has completed based on the response body.

Input variables

Input variables determine the initial behavior of the activity.

Table 10. Input variables
Variable Description
response_body [string] The SOAP response body returned from Tanium.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 11. Output variables
Variable Description
done [Boolean] Returns true if the request processing is done.

Tanium: Execute Request activity

This workflow activity executes an HTTP request. The inputs define the endpoint and the expected request body. The request body itself is the encrypted SOAP envelope.

Input variables

Input variables determine the initial behavior of the activity.

Table 12. Input variables
Variable Description
request_body [Encrypted] The SOAP request body. This input field is mandatory.
use_mid [Boolean] A boolean flag indicating whether to use the MID Server.
endpoint [string] The encrypted endpoint from the database. This input field is mandatory.
http_timeout [integer] The HTTP timeout value, in seconds.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 13. Output variables
Variable Description
status_code [integer] The standard HTTP status code returned by the server.
header [string] The SOAP header.
body [string] The SOAP body.
error [string] Any errors provided by the server.

Tanium: Get Question ID from Response activity

This workflow activity processes the response body to obtain the Question ID.

Input variables

Input variables determine the initial behavior of the activity.

Table 14. Input variables
Variable Description
response_body [string] The SOAP response body.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 15. Output variables
Variable Description
question_id [integer] The Question ID returned from the Tanium server.

Tanium: Get Result Data from Response activity

The Tanium: Get Result Data from Response workflow activity processes the response body from the result data and outputs an array of JSON objects representing the results from Tanium.

The Tanium: Get Result Data from Response activity can be used with any workflow to retrieve result data to use in the workflow.

Results

Possible results for this activity are:

Table 16. Results
Result Description
Success Retrieved result data.
Failure No data retrieved. More error information is available in the activity output error.

Input variables

Input variables determine the initial behavior of the activity.

Variable Description
response_body Encrypted SOAP response contents
implementation_id Implementation identifier.
affected_ci Configuration item affected.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 17. Output variables
Variable Description
result_data [Array] Each array element contains key-value pairs composed of the column names and values returned from the server. If no data is received from the server, the output is an empty array.
output Formatted return data on running processes used by the abstract workflow.
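The two response-parsing steps described on this page, Tanium: Determine if done from Response (GetResultInfo) and Tanium: Get Result Data from Response, as an added example in the workflow's scripting language. This is not ServiceNow's or Tanium's own code: the Tanium XML element names and the sample payloads are assumptions, constructed here so the functions run stand-alone.

```javascript
// Added example: neither ServiceNow's nor Tanium's own code. The element names
// (result_info, mr_tested, estimated_total, cs/dn, rs/r/c/v) are assumptions
// about Tanium's GetResultInfo/GetResultData payloads; sample data is constructed.

// Text of the first <tag>...</tag> in xml, or null when the element is absent.
function textOf(xml, tag) {
  var m = new RegExp('<' + tag + '>([^<]*)</' + tag + '>').exec(xml);
  return m ? m[1] : null;
}

// Tanium: Determine if done. Collection is treated as complete once every
// endpoint expected to answer (estimated_total) has been tested (mr_tested).
// A missing or non-numeric counter yields false, so the workflow keeps polling
// instead of treating a malformed reply as completion.
function isDone(responseBody) {
  var tested = parseInt(textOf(responseBody, 'mr_tested'), 10);
  var total = parseInt(textOf(responseBody, 'estimated_total'), 10);
  if (isNaN(tested) || isNaN(total)) return false;
  return tested >= total;
}

// Tanium: Get Result Data from Response. Column display names (<dn>) from the
// <cs> block are mapped onto each row's cells (<c>); a cell with several <v>
// values (a multi-line sensor such as Running Processes) becomes an array.
// Returns [] when the server sent no rows.
function parseResultData(responseBody) {
  var csBlock = /<cs>([\s\S]*?)<\/cs>/.exec(responseBody);
  var columns = [], m, colRe = /<dn>([^<]*)<\/dn>/g;
  while (csBlock && (m = colRe.exec(csBlock[1])) !== null) columns.push(m[1]);
  var rows = [], r, rowRe = /<r>([\s\S]*?)<\/r>/g;
  while ((r = rowRe.exec(responseBody)) !== null) {
    var obj = {}, i = 0, c, cellRe = /<c>([\s\S]*?)<\/c>/g;
    while ((c = cellRe.exec(r[1])) !== null) {
      var values = [], v, valRe = /<v>([^<]*)<\/v>/g;
      while ((v = valRe.exec(c[1])) !== null) values.push(v[1]);
      obj[columns[i] || ('column_' + i)] = values.length === 1 ? values[0] : values;
      i++;
    }
    rows.push(obj);
  }
  return rows;
}

// Constructed sample payloads for a Get-Processes question answered by one endpoint.
var SAMPLE_INFO = '<result_info><question_id>123</question_id>' +
  '<estimated_total>1</estimated_total><mr_tested>1</mr_tested></result_info>';
var SAMPLE_DATA = '<result_sets><result_set><cs><c><dn>Computer Name</dn></c>' +
  '<c><dn>Running Processes</dn></c></cs><rs><r><id>1</id><c><v>host-01</v></c>' +
  '<c><v>svchost.exe</v><v>explorer.exe</v></c></r></rs></result_set></result_sets>';
```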