
Tanium integration getting started

Prerequisites

  • A running instance of the Tanium Threat Response module with Direct Connect.
  • Admin access to AQtive Guard.

Note

The integration uses Tanium File Evidence in the Threat Response module to retrieve files from endpoints without impacting the rest of the Tanium platform.

Before you begin

You’ll need the AQtive Guard Integration Bundle (Content Set), which contains the following:

  • AQtive Guard Install Package - Installs the Filesystem Scanner on selected endpoints through the Tanium Action Deployment page. This package is meant to be used once per endpoint. To limit resource consumption, deployment can be distributed over time.
  • AQtive Guard Scan Package - Launches the Filesystem Scanner on selected endpoints through the Tanium Action Deployment page. This package can also be scheduled for recurring deployment through the same page (recommended configuration).
  • AQtive Guard Uninstall Package - Uninstalls the Filesystem Scanner on selected endpoints through the Tanium Action Deployment page.
  • AQtive Guard Info Sensor - Queries information about endpoint trace availability.
  • AQtive Guard Monitor Sensor - Queries information about the Filesystem Scanner status and resource usage.

Configuration

There are four main steps to configure the Tanium integration:

  1. In Tanium: Set up integration authentication and scope.
  2. In AQtive Guard: Set up AQtive Guard for large-scale host scanning.
  3. In Tanium: Create the Tanium packages.
  4. In Tanium: Create the Tanium sensors.

The sections that follow provide detailed instructions for each step.

Set up Tanium integration authentication and scope

  1. In Tanium, create a dedicated user account for AQtive Guard with the required roles:
    • API Gateway User
    • Threat Response User
  2. Create an API token for that account.
  3. Create a Computer Group to limit the scope of the integration to the endpoints it should reach.

Set up AQtive Guard for large-scale host scanning

Enable Tanium capabilities by setting ENABLE_TANIUM_INTEGRATION to true in the AQtive Guard configuration file at /etc/cryptosense-analyzer/config (on each host where it’s installed).

In your AQtive Guard organization, configure the Tanium integration:

  1. Log in to the AQtive Guard web interface as an admin.
  2. Select Integrations from the menu bar.
  3. From the integration options, select Tanium.
  4. Enter the Tanium Server URL and API Token previously created.
  5. Optionally, supply the Trusted CA Certificate AQtive Guard should use when validating the Tanium Server’s TLS certificate.
  6. Set the maximum number of parallel trace uploads.
  7. Set the maximum number of calls per minute to the Tanium API.

You’ll also need to:

  • Create a project to hold the endpoints.
  • Create a dedicated AQtive Guard user for the integration and give them Analyst level permissions. To follow the principle of least privilege, you can instead give this user Tester level permissions and assign them to all projects.

Create the Tanium packages

The import below creates five packages in Tanium: two for installing the scanner, two for launching a distributed scan, and one for stopping a scan in progress. The uninstall packages are covered at the end of this section.

Import the package descriptions

  1. Select Administration, then Packages.
  2. Select Import, then Import Files.
  3. Select the AQPkgDetails.json file from the cs-tanium-<version>.zip file you downloaded.
    • This will create five Cryptosense packages that start with 3P Cryptosense.

Install packages for deploying

The import in the previous section creates the packages, but they don’t yet contain the files they need. This section explains which files to upload to each package.

Note

The host scanner binary is distributed separately and typically approved for production separately as new versions are released.

Linux

  1. Navigate to the 3P Cryptosense - Host Scanner - Install [Linux] package.
  2. Remove all the files.
  3. Upload the following from the downloaded Cryptosense archive:
    • cs-host-scanner (Cryptosense Host Scanner)
    • install.py (distributed separately)
  4. Save the modifications.

Windows

  1. Navigate to the 3P Cryptosense - Host Scanner - Install [Windows] package.
  2. Remove all the files.
  3. Upload the following from the downloaded Cryptosense archive:
    • cs-host-scanner.exe (Cryptosense Host Scanner)
    • install.py (distributed separately)
    • libffi-6.dll (distributed separately)
    • libgmp-10.dll (distributed separately)
    • zlib1.dll (distributed separately)
  4. Save the modifications.

Install packages for scanning

Linux

  1. Navigate to the 3P Cryptosense - Host Scanner - Scan [Linux] package.
  2. Remove all files from a previous installation.
  3. Upload the following:
    • scan.py (from the downloaded Cryptosense package)
  4. Save the modifications.

Windows

  1. Navigate to the 3P Cryptosense - Host Scanner - Scan [Windows] package.
  2. Remove all files from a previous installation.
  3. Upload the following:
    • scan.py (from the downloaded Cryptosense package)
  4. Save the modifications.

Stop scan package

  1. Navigate to the 3P Cryptosense - Host Scanner - Stop Scan package.
  2. Remove all files from a previous installation.
  3. Upload the following:
    • stopscan.py (from your downloaded Cryptosense package)
  4. Save the modifications.

Uninstall packages

The following steps explain how to add the uninstall packages.

Uninstall Linux Package

  1. Navigate to the 3P Cryptosense - Host Scanner - Uninstall [Linux] package.
  2. Remove any existing files.
  3. Upload the following from your downloaded Cryptosense archive:
    • uninstall.py
  4. Save the modifications.

Uninstall Windows Package

  1. Navigate to the 3P Cryptosense - Host Scanner - Uninstall [Windows] package.
  2. Remove any existing files.
  3. Upload the following from your downloaded Cryptosense archive:
    • uninstall.py
  4. Save the modifications.

Create the Tanium sensors

There are two sensors to create in Tanium (Info and Monitor, see Before you begin).

  1. Select Administration, then Sensors.
  2. Select Import, then Import Files.
  3. Select AQsensors.json from the cs-tanium-<version>.zip file you downloaded.

This creates the Cryptosense sensors, whose names start with 3P Cryptosense.

Use

Deploy the Filesystem scanner

This section explains how to deploy the Filesystem scanner from Tanium.

Linux

  1. Create a deploy action of the 3P Cryptosense - Host Scanner - Install [Linux] package.
  2. Select all compatible machines to be scanned later.
  3. Preview and deploy the action.

Windows

  1. Create a deploy action of the 3P Cryptosense - Host Scanner - Install [Windows] package.
  2. Select all compatible machines to be scanned later.
  3. Preview and deploy the action.

Launch a scan

This runs the Filesystem scanner at the same time on every selected machine. To spread the resource cost, schedule the Scan package as a recurring action instead of launching it ad hoc (the recommended configuration, see Before you begin).

  1. Enter a Tanium question in the form:

     Get Computer Name from <set of machines>

     where <set of machines> is the set of compatible machines you want to scan.

  2. When Tanium has gathered all the data, select all rows and select Deploy Action.

  3. Select 3P Cryptosense - Host Scanner - Scan (Linux or Windows) as the deployment package.
  4. Set the scan directory along with any required limiters.
  5. Preview and deploy the action.

Retrieve the traces in AQtive Guard

The steps below explain how to retrieve the traces in AQtive Guard. Keep in mind that this only retrieves new traces from previously launched scans and can take some time.

  1. Select Projects in the menu bar.
  2. Select the project with the trace you want to retrieve.
  3. Select the Tanium tab.
  4. Specify the Computer Group to limit the scope of the integration.
  5. Select Launch Retrieval.
  6. Refresh the page to see the progress.

Trace analysis

The following steps explain how to view the analysis of a trace.

  1. Select Projects in the menu bar.
  2. Select the project you want to view the analysis for.
  3. Select the Reports tab. In this table, you’ll see retrieved traces in slots corresponding to their respective endpoints.
  4. Select a slot to see its latest trace and auto-generated report.

Uninstall the Filesystem scanner

This section explains how to uninstall the Filesystem scanner from Tanium.

Linux

  1. Create a deploy action of the 3P Cryptosense - Host Scanner - Uninstall [Linux] package.
  2. Select all compatible machines.
  3. Preview and deploy the action.

Windows

  1. Create a deploy action of the 3P Cryptosense - Host Scanner - Uninstall [Windows] package.
  2. Select all compatible machines.
  3. Preview and deploy the action.

How it works

When the AQtive Guard Filesystem Scanner is triggered on an endpoint, it scans the machine and stores a complete trace, along with a diff trace based on the previous scan (if applicable).

Tip

Refer to Trace file in the Tanium integration reference for details.

The Cryptosense Monitor Sensor verifies that the Filesystem scanner is working properly, so in Tanium you can monitor the health of a running Filesystem scanner on each endpoint.

On its configured schedule, AQtive Guard connects to the Tanium GraphQL API and asks for new data through the Cryptosense Info sensor.

When new trace files are available, AQtive Guard connects to Tanium File Evidence and performs these steps:

  1. Establish a Threat Response Connection to an endpoint.
  2. Save the trace file from the remote endpoint as File Evidence in Tanium.
  3. Close the Threat Response Connection.
  4. Download the File Evidence data into AQtive Guard.
  5. Clean up the File Evidence in Tanium.
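The five-step retrieval above, written out as an added example for this page (not AQtive Guard’s or Tanium’s own code). The GraphQL requests themselves are not reproduced (see the Tanium integration reference); FakeTanium is a constructed stand-in whose method names are assumptions, as are the host names and trace paths. What the example shows beyond the list is the behaviour a practitioner should expect from the integration: the Threat Response connection is closed and the File Evidence deleted even when a download fails, so nothing is left open or lying around in Tanium, and the two AQtive Guard limits (parallel trace uploads and calls per minute) are enforced as one shared budget.

```python
"""Added example: a retrieval driver for the Tanium File Evidence workflow.
Not AQtive Guard's or Tanium's code; FakeTanium is a constructed stand-in and
its method names are assumptions. Real GraphQL requests: see the reference."""
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field


class RateLimiter:
    """Enforces the 'maximum calls per minute to the Tanium API' setting by
    spacing calls evenly; thread-safe so parallel uploads share one budget."""

    def __init__(self, calls_per_minute: int):
        self.interval = 60.0 / calls_per_minute
        self._next = 0.0
        self._lock = threading.Lock()

    def wait(self) -> None:
        with self._lock:
            now = time.monotonic()
            if now < self._next:
                time.sleep(self._next - now)
                now = self._next
            self._next = now + self.interval


@dataclass
class FakeTanium:
    """Constructed stand-in that records open connections and stored evidence
    so the cleanup behaviour can be checked. Hosts in failing_hosts raise on
    download, which exercises the failure path."""

    failing_hosts: set = field(default_factory=set)
    open_connections: set = field(default_factory=set)
    evidence: dict = field(default_factory=dict)  # evidence id -> (host, path)
    calls: int = 0
    _lock: threading.Lock = field(default_factory=threading.Lock, repr=False)

    def _count(self) -> None:
        with self._lock:
            self.calls += 1

    def open_connection(self, host):            # step 1: Threat Response connection
        self._count()
        self.open_connections.add(host)
        return host

    def save_file_evidence(self, conn, path):   # step 2: trace saved as File Evidence
        self._count()
        evidence_id = f"ev-{conn}"
        self.evidence[evidence_id] = (conn, path)
        return evidence_id

    def close_connection(self, conn):           # step 3
        self._count()
        self.open_connections.discard(conn)

    def download_evidence(self, evidence_id):   # step 4: pull evidence into AQtive Guard
        self._count()
        host = self.evidence[evidence_id][0]
        if host in self.failing_hosts:
            raise IOError(f"download failed for {host}")
        return f"trace-bytes-from-{host}"

    def delete_evidence(self, evidence_id):     # step 5: clean up File Evidence
        self._count()
        self.evidence.pop(evidence_id, None)


def retrieve_trace(client, limiter, host, trace_path):
    """Steps 1-5 for one endpoint. The connection is closed and the evidence
    deleted even if a later step raises, so a failed download never leaves a
    live Direct Connect session or a stale copy of the trace behind."""
    limiter.wait()
    conn = client.open_connection(host)
    try:
        limiter.wait()
        evidence_id = client.save_file_evidence(conn, trace_path)
    finally:
        limiter.wait()
        client.close_connection(conn)
    try:
        limiter.wait()
        return client.download_evidence(evidence_id)
    finally:
        limiter.wait()
        client.delete_evidence(evidence_id)


def retrieve_new_traces(client, traces, max_parallel, calls_per_minute):
    """Retrieve every trace in `traces` (host -> path on the endpoint) with at
    most `max_parallel` in flight and `calls_per_minute` API calls overall.
    Returns (trace data by host, error message by host)."""
    limiter = RateLimiter(calls_per_minute)
    results, failures = {}, {}

    def one(host):
        try:
            results[host] = retrieve_trace(client, limiter, host, traces[host])
        except Exception as exc:  # keep going and report which host failed
            failures[host] = str(exc)

    with ThreadPoolExecutor(max_workers=max_parallel) as pool:
        list(pool.map(one, traces))
    return results, failures


if __name__ == "__main__":
    # Constructed sample: three endpoints, one of which fails on download.
    sample = {h: "/opt/cs-host-scanner/trace.json" for h in ("web-01", "web-02", "db-01")}
    fake = FakeTanium(failing_hosts={"web-02"})
    got, errors = retrieve_new_traces(fake, sample, max_parallel=2, calls_per_minute=6000)
    print(got, errors, fake.open_connections, fake.evidence)
```

After a run, fake.open_connections and fake.evidence are both empty regardless of which hosts failed; that is the property to check against a real deployment by confirming in Tanium that no Threat Response connections or File Evidence entries remain after a retrieval.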

Note

Refer to the Tanium integration reference for the associated GraphQL API requests.