.png){kind=logo}
ISG Tanium
This page provides an overview of the integration between AgileSec Analytics and the Tanium Environment, including overall integration flow and an overview of provided files.
The following guides are available to leverage the capabilities of Tanium with AgileSec Analytics:
Integration Overview
This integration includes specific content created and provided separately by AgileSec to leverage the capabilities of Tanium to perform cryptographic inventory at scale.
Integrating Tanium with AgileSec allows rapid deployment of AgileSec Analytics sensors for broad cryptographic discovery. Integration setup and flow is straightforward:
Depending on the Tanium infrastructure type, ISG-Tanium content can be loaded manually via the Tanium UI or via the Tanium SaaS API with a provided AgileSec Load Script.
Tanium triggers Cryptographic Discovery operations using the Tanium Infrastructure across all targeted Hosts via AgileSec Tanium Actions.
Tanium Agent will deploy and trigger the AgileSec Sensor for Tanium across all hosts.
AgileSec Sensor for Tanium will perform the cryptographic discovery and immediately send the findings to the AgileSec Server from the Host.
AgileSec Server receives the findings generated by the multiple Hosts.
Key Files
ISG Tanium integration content, ISG-Sensor-<version>-Tanium.zip, is provided in a single archive zip file by AgileSec separately through a secure download link.
The zip file contains the following key components, which can be loaded manually via UI for Tanium Appliance or via provided API scripts for Tanium SaaS:
ISG-Tanium-Packages: Used to deploy AgileSec discovery capabilities to end-points through Tanium Agent.
ISG-Tanium-Sensors: Used to query cryptographic findings from ISG packages.
ISG-Tanium-Saved-Questions: Used to leverage a set of pre-built saved questions.
ISG-Tanium-Connect Jobs: Used to export cryptographic findings to an external source.
Note: Saved Questions and Connect jobs are only compatible with Tanium Platform. Tanium SaaS API does not allow importing Saved Questions or Connect jobs.
The zip file contains scripts in the API-Loader folder to enable uploading via API to Tanium SaaS.
verify.sh: Verifies connectivity to the Tanium API and checks the provided token and URL are valid with a test request.deploy.sh: Loads the ISG Tanium integration packages to Tanium via API.shared.sh: Contains common functions used by other scripts.
ISG-Tanium-Packages
ISG-Tanium-Packages-<version>.json contains packages to load into Tanium Appliance.
ISG packages are used to deploy the ISG discovery plugin via the Tanium infrastructure. The packages are split into 3 main categories, including:
Deployment of the ISG package
Execution of the ISG package (discover and run packages)
Removal of the ISG package.
The following packages are provided:
Name | Type | Comment |
|---|---|---|
ISG - Deploy [Linux] | Deploy | Deploy ISG Sensor on targeted Linux Machines |
ISG - Deploy [Windows] | Deploy | Deploy ISG Sensor on targeted Windows Machines |
ISG - Discover [Linux] | Discover | Run ISG Sensor locally on targeted Linux Machines |
ISG - Discover [Windows] | Discover | Run ISG Sensor locally on targeted Windows Machines |
ISG - Run [Linux] | Run | Run ISG Sensor on targeted Linux Machines |
ISG - Run [Windows] | Run | Run ISG Sensor on targeted Windows Machines |
ISG - Undeploy [Linux] | Undeploy | Undeploy ISG Sensor on targeted Linux Machines |
ISG - Undeploy [Windows] | Undepoy | Undeploy ISG Sensor on targeted Windows Machines |
ISG-Tanium-Sensors
ISG-Tanium-Sensors-3<version>.json contains sensors to load into Tanium Appliance.
The Sensors in ISG-Tanium-Sensors-<version>.json will be loaded into Tanium. The sensors will be used to interact with the ISG packages and query specific cryptographic information. The sensors are usually divided into 2 groups:
File level sensors which return information about the location plus the metadata of the associated cryptographic object.
Detailed information about the cryptographic object.
As Tanium limits the number of events returned by Sensors by hosts, ISG implemented specific parameters allowing Sensors to return only a subset of information.
NOTE: Sensors are used to query for scan information without exporting to Analytics Server.
Name | Type | Comment |
|---|---|---|
ISG - Algorithm Files | Algorithms | Get files containing cryptographic algorithms |
ISG - Algorithm Summary | Algorithms | Get the summary of cryptographic algorithms |
ISG - Certificate Algorithms | Certificates | Get algorithms used by Certificates |
ISG - Certificate Files | Certificates | Get files containing certificates. |
ISG - Certificate Info | Certificates | Get files and certificate metadata |
ISG - Certificate Summary | Certificates | Get the summary of certificates |
ISG - JCA Files | Algorithms JCA | Get files containing JCA (java) calls |
ISG - JCA Summary | Algorithms JCA | Get the summary of JCA (java) calls |
ISG - Key Files | Keys | Get files containing cryptographic keys |
ISG - Key Summary | Keys | Get the summary of cryptographic keys |
ISG - Keystore Files | Keystores | Get files containing keystores |
ISG - Keystore Summary | Keystores | Get the summary of keystores |
ISG - Library Files | Crypto Libraries | Get files containing cryptographic libraries |
ISG - Library Summary | Crypto Libraries | Get the summary of cryptographic libraries |
ISG - Status Deploy | Status | Get status of the ISG sensor deployment |
ISG - SSH Protocol Event | Protocol | Get ssh protocol used by running processes |
ISG - SSH Key Event | SSH Keys | Get keys used by running processes |
ISG - SSH Key Summary | SSH Keys | Get keys used by running processes |
ISG - TLS Protocol Event | Protocol | Get TLS protocol used by running processes |
ISG - TLS Certificate Event | Certificate | Get TLS certificates used by running processes |
ISG - TLS Certificate Summary | Certificate | Get TLS certificates used by running processes |
ISG-Tanium-Saved-Questions
ISG-Tanium-Saved-Questions-<version>.json contains saved questions to load into Tanium Appliance.
ISG saved questions are pre-built questions leveraging the ISG sensors. The default saved questions have been designed to split queries returning a large amount of data into isolated queries, such as queries related to X.509 certificates. Saved questions include:
Event Saved questions aiming to return the location of cryptographic objects associated with the associated metadata
Objects returning detailed information about the related cryptographic objects (especially for X509 certificates that contain several useful information).
Name | Type | Comment |
|---|---|---|
ISG - Key Events | Key | Query key events |
ISG - Keystore Events | Keystore | Query keystore events |
ISG - Library Events | Library | Query cryptographic library events |
ISG - Network Cipher Events | Network | Query network cipher events |
ISG - Self-Signed Certificate Events | Certificate | Query self-signed certificate events |
ISG - Self-Signed Certificate Objects | Certificate | Query self-signed certificate objects |
ISG - Signed Certificate Events | Certificate | Query signed certificate events |
ISG - Signed Certificate Objects | Certificate | Query signed certificate objects§ |
ISG - TLS Certificates Events | Certificate | Query Certificates used by Network Interfaces |
ISG - SSH Key Events | Certificate | Query SSH Keys used by Network interfaces |
Custom sensors are created to return only specific information to ISG backend or when a sensor returns more items by host than allowed by Tanium.
ISG-Tanium-Connect
ISG-Tanium-Connect-<version>.json
The Tanium Connect jobs match the ISG Saved Question to export the result of saved questions to the ISG backend Server. The following Tanium connect jobs are provided:
Name | Type | Details |
|---|---|---|
ISG - Export Key Events | Key | Export key events to ISG Server |
ISG - Export Keystore Events | Keystore | Export keystore events to ISG Server |
ISG - Export Library Events | Library | Export cryptographic library events to ISG Server |
ISG - Export Network Cipher Events | Network | Export network cipher events to ISG Server |
ISG - Export Self-Signed Certificate Events | Certificate | Export self-signed certificate events to ISG Server |
ISG - Export Self-Signed Certificate Objects | Certificate | Export self-signed certificate objects to ISG Server |
ISG - Export Signed Certificate Events | Certificate | Export signed certificate events to ISG Server |
ISG - Export Signed Certificate Objects | Certificate | Export signed certificate objects to ISG Server |
ISG - Export TLS Certificates Events | Certificate | Export TLS Certificates found in network to ISG Server |
ISG - Export SSH Key Events | Key | Export SSH keys found in network to ISG Server |