Skip to content

Tanium integration reference

GraphQL API requests for Tanium File Evidence

Below are the Tanium GraphQL API requests performed in the integration.

Create a Threat Response Connection to an endpoint

GraphQL
/plugin/products/threat-response/api/v1/conns/connect [POST]

# Data

{"target": {"clientId": "<clientId>"}}

Response:

JSON
remote:undefined:<clientId>:

then:

GraphQL
/plugin/products/threat-response/api/v1/conns [GET]

Response:

JSON
[{"clientId": "<clientId>", "status": "connected", "userId": "<cryptosenseId>", "id": "remote:<hostname>:<clientId>:<eid>", ...}, ...]

to retrieve the connection <cid>.

(<cid> = "remote:<hostname>:<id>:<eid>")

Download the trace file from the remote endpoint as File Evidence in Tanium

GraphQL
/plugin/products/threat-response/api/v1/conns/<cid>/file [POST]

# Data

{"path":"<localTraceFilePath>"}

Response:

JSON
{"taskInfo": {"id": <taskId>, "status": "STARTED", "metadata": {"connection": "<cid>", "paths": ["<localTraceFilePath>"], "compress": "true"}, ...}, "status": "ACCEPTED"}

and retrieve the task <taskId>.

Then:

GraphQL
/plugin/products/threat-response/api/v1/conns [GET]

Response:

JSON
[{"clientId": "<clientId>", "status": "connected", "userId": "<cryptosenseId>", "id": "remote:<hostname>:<clientId>:<eid>", ...}, ...]

and retrieve the File Evidence <uuid>.

Close the Threat Response Connection

/plugin/products/threat-response/api/v1/conns/close/<cid> [DELETE]

Download the File Evidence data in AQtive Guard

GraphQL
/plugin/products/threat-response/api/v1/filedownload/data/<uuid> [GET]

Response:

JSON
<binary content (zipped)>

Clean up the File Evidence in Tanium

GraphQL
/plugin/products/threat-response/api/v1/filedownload [DELETE]

# Data

{"ids": ["<uuid>", ...]}

How it works

Trace file

On each endpoint, the SandboxAQ Filesystem Scanner generates a single trace file containing the entire cryptographic inventory for that endpoint. This is the unique file that needs to be transferred through Tanium to be analyzed by AQtive Guard.

The trace is saved in a concatenated-JSON format and gzipped. For each cryptographic artifact, the trace contains both the data and its metadata, such as its path, date, size, and type. During analysis, AQtive Guard evaluates the uploaded trace and builds a cryptographic inventory, flagging any object associated with a vulnerability or compliance issue.

Diff trace

After the initial scan, the Filesystem Scanner stores a complete trace, along with a diff trace. The diff trace contains only the inventory changes since the previous scan, resulting in a much smaller trace file transfer for subsequent scans.

Example trace file

JSON
{"format": "CST", "api": "host-scanner", "api_specific": {"scanner_version": "<version>", "os": "<os>", "hostname": "<hostname>", ...}, ...}
{"path": "<path>", "last_modified": <date>, "size_bytes": <size>, "type": "X509 CERTIFICATE", "encrypted": false, "public": true, "details": {"tbs_certificate": {"version": "3", "serial": "<serial>", "issuer": [...], "validity": {...}}, "signature_algorithm": {"algorithm": "ecdsa-with-SHA256"}, "signature": "<sign>", "encoded": "<enc>"}, ...}
{"path": "<path>", "last_modified": <date>, "size_bytes": <size>, "type": "rsa_pkcs8", "encrypted": false, "public": false, "details": {"bit_length": 2048}, "key": {"type": "rsa", "value": {"type": "exact", "n": "<n>", "e": "<e>"}}, ...}
{"path": "<path>", "last_modified": <date>, "size_bytes": <size>, "type": "pgp", "encrypted": false, "public": true, "details": {"key": {"key": {"type": "rsa", "value": {"type": "exact", "n": "<n>", "e": "<e>"}}, "info": {"creation_time": <time>, "has_private_key": true, "ids": [...], "validity_period": <period>, "version": 4, "uses": ["Certification", "Sign data"], "revocation_reason": []}}}, ...}

Trusted certificate limitation

There isn’t a way to designate a trusted certificate using a parameter.

If the server presents a self-signed certificate or a certificate signed by a custom CA, you must manually add the required certificate to the Java Runtime Environment (JRE) to establish trust to upload a trace.

Add the certificate using the following command:

Bash
"$JAVA_HOME"/bin/keytool \
    -import -noprompt \
    -keystore "$JAVA_HOME"/lib/security/cacerts \
    -storepass changeit \
    -alias custom-alias-foo \
    -file /path/to/cert_or_ca.pem

In this example:

  • $JAVA_HOME is the path to your Java Development Kit (JDK).
  • keystore indicates the path to the keystore file.
  • storepass is the password for the keystore.
  • alias is the custom name of the certificate.
  • file specifies the path to the certificate file.

Note

For older JREs, replace /lib with /jre/lib.

Stopping the AQtive Guard scan in Tanium

A scan may sometimes need to be stopped because of an unintended impact on the infrastructure. If an environment is experiencing issues because of a scan, you must first stop the scan before removing the scanner. Only removing the scanner most likely won’t stop the issue since the scanner will still exist in the endpoint’s memory.

Stopping the Filesystem Scanner

To stop the Filesystem Scanner:

  1. Identify the endpoints that you need to stop scanning. We recommend using the Question Builder for this.
  2. Open the Question Builder and choose the Online sensor under the Get the following data section. Use your filtering criteria to select your impacted endpoints.
  3. Add a filter using the 3P Cryptosense - Monitor sensor. Set the filtering options to is equal to and Running to confirm the Filesystem Scanner status.

  4. Select the True process checkbox, and then select Deploy Action.

    This is a small package. Distributing it immediately or within a short timeframe should cause minimal impact on the platform or environment.

  5. Once the action is complete, check the status of the scan with the 3P Cryptosense - Monitor sensor:

    • Navigate to the Question Builder again.
    • When using the 3P Cryptosense - Monitor sensor this time, select Advanced Sensor Options and set the Maximum Data Age field to 1 minute. This will make sure recent data is returned so you can verify the status.

The sensor should now report Not Running for the Filesystem scanner status.

Removing the Filesystem Scanner from the endpoint

To remove the Filesystem Scanner:

  1. To locate the binary file for the scanner, look for the file using the File Exists sensor in Question Builder with the path /opt/cryptosense/bin/cs-host-scanner. Additionally, use the same filtering in Stopping the Filesystem Scanner to select the endpoints in question.
  2. Select the system reporting the file exists and then select Deploy Action.

  3. Select the 3P Cryptosense - Host Scanner - Uninstall package for your platform.

    This is a small package. Distributing it immediately or within a short timeframe should have minimal impact on the platform or environment.

  4. Once the package is deployed, verify the file no longer exists on the endpoint using the same File Exists sensor in Question Builder you used in Step 1.