Tanium integration getting started

Prerequisites

  • A running instance of the Tanium Threat Response module with Direct Connect.
  • Admin access to AQtive Guard.

Note

The integration uses Tanium File Evidence in the Threat Response module to retrieve files from endpoints without impacting the rest of the Tanium platform.

Before you begin

You’ll need the AQtive Guard Integration Bundle (Content Set), which contains the following:

  • AQtive Guard Install Package - Installs the Filesystem Scanner on selected endpoints through the Tanium Action Deployment page. This package is meant to be used once per endpoint. To limit resource consumption, deployment can be distributed over time.
  • AQtive Guard Scan Package - Launches the Filesystem Scanner on selected endpoints through the Tanium Action Deployment page. This package can also be scheduled for recurring deployment through the same page (recommended configuration).
  • AQtive Guard Uninstall Package - Uninstalls the Filesystem Scanner on selected endpoints through the Tanium Action Deployment page.
  • AQtive Guard Info Sensor - Queries information about endpoint trace availability.
  • AQtive Guard Monitor Sensor - Queries information about the Filesystem Scanner status and resource usage.

Configuration

There are four main steps to configure the Tanium integration:

  1. In Tanium: Set up integration authentication and scope.
  2. In AQtive Guard: Set up AQtive Guard for large-scale host scanning.
  3. In Tanium: Create the Tanium packages.
  4. In Tanium: Create the Tanium sensors.

The sections that follow provide detailed instructions for each step.

Set up Tanium integration authentication and scope

  1. Create a dedicated AQtive Guard user account with the required rights:
    • API Gateway User
    • Threat Response User
  2. Create an associated API token.
  3. Create a Computer Group to limit the scope of the integration.

Set up AQtive Guard for large-scale host scanning

Enable Tanium capabilities by setting ENABLE_TANIUM_INTEGRATION to true in the AQtive Guard configuration file at /etc/cryptosense-analyzer/config (on each host where it’s installed).

The Tanium integration must be configured at the organization level in AQtive Guard.

In your AQtive Guard organization, configure the Tanium integration:

  1. Log in to the AQtive Guard web interface as an admin.
  2. Select Settings from the menu bar, then select Integrations.
  3. From the integration options, select Tanium.
  4. Enter the Tanium Server URL and API Token previously created.
  5. You can optionally add the Trusted CA Certificate you’d like to use.
  6. Set the maximum number of parallel trace uploads.

Important

For optimal performance, we recommend setting the number of parallel trace uploads to 3 in most large enterprise environments. For sensitive environments or those with a limited number of endpoints, a setting of 1 is recommended.

  7. Set the maximum number of calls per minute to the Tanium API.

You’ll also need to:

  • Create a project to handle the endpoints.
  • Create a dedicated AQtive Guard user and give them Analyst level permissions. Alternatively, to follow the principle of least privilege, give the user Tester level permissions and assign them to all projects.

Create the Tanium packages

There are five packages to create in Tanium: two for deploying, two for launching a distributed scan, and one for stopping a scan in progress.

Import the package descriptions

  1. Select Administration, then Packages.
  2. Select Import, then Import Files.
  3. Select the AQPkgDetails.json file from the cs-tanium-<version>.zip file you downloaded.
    • This will create five Cryptosense packages that start with 3P Cryptosense.

Install packages for deploying

The packages imported in the previous section do not yet contain the required files. This section explains how to upload those files to each package.

Note

The host scanner binary is distributed separately and typically approved for production separately as new versions are released.

Linux

  1. Navigate to the 3P Cryptosense - Host Scanner - Install [Linux] package.
  2. Remove all the files.
  3. Upload the following from the downloaded Cryptosense archive:
    • cs-host-scanner (Cryptosense Host Scanner)
    • install.py (distributed separately)
  4. Save the modifications.

Windows

  1. Navigate to the 3P Cryptosense - Host Scanner - Install [Windows] package.
  2. Remove all the files.
  3. Upload the following from the downloaded Cryptosense archive:
    • cs-host-scanner.exe (Cryptosense Host Scanner)
    • install.py (distributed separately)
    • libffi-6.dll (distributed separately)
    • libgmp-10.dll (distributed separately)
    • zlib1.dll (distributed separately)
  4. Save the modifications.

Install packages for scanning

Linux

  1. Navigate to the 3P Cryptosense - Host Scanner - Scan [Linux] package.
  2. Remove all files from a previous installation.
  3. Upload the following:
    • scan.py (from the downloaded Cryptosense package)
  4. Save the modifications.

Windows

  1. Navigate to the 3P Cryptosense - Host Scanner - Scan [Windows] package.
  2. Remove all files from a previous installation.
  3. Upload the following:
    • scan.py (from the downloaded Cryptosense package)
  4. Save the modifications.

Stop scan package

  1. Navigate to the 3P Cryptosense - Host Scanner - Stop Scan package.
  2. Remove all files from a previous installation.
  3. Upload the following:
    • stopscan.py (from your downloaded Cryptosense package)
  4. Save the modifications.

Uninstall packages

The following steps explain how to add the uninstall packages.

Uninstall Linux Package

  1. Navigate to the 3P Cryptosense - Host Scanner - Uninstall [Linux] package.
  2. Remove any existing files.
  3. Upload the following from your downloaded Cryptosense archive:
    • uninstall.py
  4. Save the modifications.

Uninstall Windows Package

  1. Navigate to the 3P Cryptosense - Host Scanner - Uninstall [Windows] package.
  2. Remove any existing files.
  3. Upload the following from your downloaded Cryptosense archive:
    • uninstall.py
  4. Save the modifications.

Create the Tanium sensors

There are two sensors to create in Tanium.

  1. Select Administration, then Sensors.
  2. Select Import, then Import Files.
  3. Select AQsensors.json from the cs-tanium-<version>.zip file you downloaded.

This will create three Cryptosense sensors that start with 3P Cryptosense.

Use

Deploy the Filesystem scanner

This section explains how to deploy the Filesystem scanner from Tanium.

Linux

  1. Create a deploy action of the 3P Cryptosense - Host Scanner - Install [Linux] package.
  2. Select all compatible machines to be scanned later.
  3. Preview and deploy the action.

Windows

  1. Create a deploy action of the 3P Cryptosense - Host Scanner - Install [Windows] package.
  2. Select all compatible machines to be scanned later.
  3. Preview and deploy the action.

Launch a scan

This will run the Filesystem scanner simultaneously on all selected machines.

  1. Enter a command in the form:

     Get Computer Name from <set of machines>

     where <set of machines> is the set of compatible machines you want to scan.

  2. When Tanium has gathered all the data, select all rows and select Deploy Action.
  3. Select 3P Cryptosense - Host Scanner - Scan (Linux or Windows) as the deployment package.
  4. Set the scan directory along with any required limiters.
  5. Preview and deploy the action.

Retrieve the traces in AQtive Guard

The steps below explain how to retrieve the traces in AQtive Guard. Keep in mind that this only retrieves new traces from previously launched scans and can take some time.

Note

Only administrators have permission to edit or test a computer group, and launch, stop, or unlink a retrieval. Analysts and testers can only view the information and download logs.

  1. Select Projects in the menu bar.
  2. Select the project with the trace you want to retrieve.
  3. Select the Integrations tab.
  4. Expand the Tanium section.
  5. Specify the Computer Group to limit the scope of the integration.
  6. (Optional) Select Test Connection to make sure you have a computer group that’s configured in Tanium. The connection test also tells you how many endpoints there are. You’ll receive a notification if you try to use a computer group that doesn’t exist.
  7. Select Launch Retrieval.

The page automatically refreshes and updates the number of remaining endpoints to show the progress of the retrieval.

Once the retrieval is complete, you can download the log files by selecting Download Logs.

Note

You can unlink the integration by selecting Unlink. You’ll need to configure the integration again to launch a new retrieval.

Trace analysis

The following steps explain how to view the analysis of a trace.

  1. Select Projects in the menu bar.
  2. Select the project you want to view the analysis for.
  3. Select the Reports tab. In this table, you’ll see retrieved traces in slots corresponding to their respective endpoints.
  4. Select a slot to see its latest trace and auto-generated report.

Uninstall the Filesystem scanner

This section explains how to uninstall the Filesystem scanner from Tanium.

Linux

  1. Create a deploy action of the 3P Cryptosense - Host Scanner - Uninstall [Linux] package.
  2. Select all compatible machines.
  3. Preview and deploy the action.

Windows

  1. Create a deploy action of the 3P Cryptosense - Host Scanner - Uninstall [Windows] package.
  2. Select all compatible machines.
  3. Preview and deploy the action.

How it works

When the AQtive Guard Filesystem Scanner is triggered on an endpoint, it scans the machine and stores a complete trace, along with a diff trace based on the previous scan (if applicable).

Tip

Refer to Trace file in the Tanium integration reference for details.

The Cryptosense Monitor Sensor checks that the Filesystem scanner is working properly. In Tanium, you can use it to monitor the health of a running Filesystem scanner on each endpoint.

As scheduled, AQtive Guard connects to the Tanium GraphQL API and uses the Cryptosense Info Tanium sensor to ask which endpoints have new data.

When new trace files are available, AQtive Guard connects to Tanium File Evidence and performs these steps:

  1. Establish a Threat Response Connection to an endpoint.
  2. Save the trace file from the remote endpoint as File Evidence in Tanium.
  3. Close the Threat Response Connection.
  4. Download the File Evidence data into AQtive Guard.
  5. Clean up the File Evidence in Tanium.
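As an added example (not code from AQtive Guard or Tanium), the following Python models these five steps for a set of endpoints, bounding parallelism the way the "maximum number of parallel trace uploads" setting does and guaranteeing that steps 3 and 5 still run when step 2 or 4 fails, so no Threat Response connection or File Evidence is left behind in Tanium. `FakeTanium`, its methods and the endpoint names are constructed stand-ins, not the Tanium GraphQL API.

```python
from concurrent.futures import ThreadPoolExecutor

class FakeTanium:
    """Constructed in-memory stub for Tanium Threat Response / File Evidence (NOT the
    real Tanium API). set.add/discard are atomic under the CPython GIL, so no lock."""

    def __init__(self, failing_downloads=()):
        self.failing = set(failing_downloads)   # endpoints whose download will fail
        self.open_connections, self.evidence = set(), set()

    def connect(self, endpoint):                # step 1: open Threat Response connection
        self.open_connections.add(endpoint)

    def save_evidence(self, endpoint):          # step 2: remote trace file -> File Evidence
        self.evidence.add(endpoint)

    def close(self, endpoint):                  # step 3: close the connection
        self.open_connections.discard(endpoint)

    def download_evidence(self, endpoint):      # step 4: pull File Evidence into AQtive Guard
        if endpoint in self.failing:
            raise RuntimeError(f"download failed for {endpoint}")
        return b"trace-from-" + endpoint.encode()

    def delete_evidence(self, endpoint):        # step 5: clean up File Evidence in Tanium
        self.evidence.discard(endpoint)

def retrieve_trace(tanium, endpoint):
    """Steps 1-5 from the page. Steps 3 and 5 sit in `finally` blocks so a failure in
    step 2 or 4 never leaves a connection open or File Evidence behind."""
    tanium.connect(endpoint)
    try:
        tanium.save_evidence(endpoint)
    finally:
        tanium.close(endpoint)
    try:
        return tanium.download_evidence(endpoint)
    finally:
        tanium.delete_evidence(endpoint)

def retrieve_all(tanium, endpoints, max_parallel_uploads=3):
    """Worker pool bounded like the 'maximum number of parallel trace uploads' setting;
    returns (trace bytes by endpoint, error text by endpoint) so one bad host is isolated."""
    with ThreadPoolExecutor(max_workers=max_parallel_uploads) as pool:
        futures = {ep: pool.submit(retrieve_trace, tanium, ep) for ep in endpoints}
    errors = {ep: str(f.exception()) for ep, f in futures.items() if f.exception()}
    results = {ep: f.result() for ep, f in futures.items() if ep not in errors}
    return results, errors
```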

Note

Refer to the Tanium integration reference for the associated GraphQL API requests.