ISG Tanium: Execute

This guide includes key steps for executing actions with sensors previously loaded to Tanium.

Additional information, including architecture, can be found on the ISG Tanium page.

Overview

There are two use cases covered in this document:

Use Case 1: Execute Run Without Dependencies. Run exports directly from end point hosts to AgileSec Server. Used to run AgileSec Run jobs for direct streaming.

Use Case 2: Execute Connect Job. Results are retrieved from hosts to Tanium server via Saved Question then exported from Tanium Server to AgileSec Server via Connect. Used to send real-time endpoint data out of Tanium to other systems.

Note for Tanium Connect Jobs: AgileSec Platform versions 3.5.0+ require a data migration tool (provided by AgileSec) in order to allow compatibility between AgileSec and the Connect Jobs' data format. Further information can be found in the Use Case 2 instructions below.

Use Case 1: Execute Run Without Dependencies

Step 1: Select Target Systems

On the Tanium Home page, use Tanium’s Interact tool to Ask a Question or use the Question Builder to retrieve and group specific systems endpoints for cryptographic inventory.

AgileSec Tanium Actions run by OS, so it is recommended to group target endpoints by OS Platform.

Example: Sort by OS with Ask a Question

As an example, you may sort by OS using Ask a Question as follows.

Or search for Windows OS specifically.

Check the box beside the results you want to target then click Deploy Action.

Step 2: Execute Deploy Action

Select the ISG - Deploy action and execute it against the previously defined target systems.

Deploy Action Field	Description / Notes
Deployment Package	Specific Action to run. Example: ISG - Deploy [`<OS>`]
Deployment Path	Path to store the different ISG Discovery Packages on the Target Systems. Tanium provides default path suggestions in the Action Deployment UI. In most cases, users can rely on the default values unless they have a specific requirement to change them.
DB Path	Path to store the different ISG Local Databases on the target systems. By default, DB Path is the same as the Deployment Path.
Minimum available space for the filesystem (GB)	Deployment Path and DB Path must have at least the specified amount of free space or Action will fail.
Action Details Name Description	Name of action Brief Description
Deployment Schedule Schedule Type Distribute Over	Schedule Type options: One-Time Deployment Recurring Deployment One-Time Deployment is recommended for Deploy and Undeploy actions. Discover and Run actions use One-Time Deployment by default but may be configured with a Recurring Deployment.
Targeting Criteria Action Group	Select the previously defined Target Systems from Step 1 to execute action on.

After filling out the required fields, click Show Preview to Continue, review, then click Deploy Actions to proceed to action execution.

Step 3: Execute Run Action

After successful deployment of the AgileSec Plugin, you can execute the Run Action against Windows or Linux devices. Select the ISG - Run Action, set the different parameters, then click Deploy Action.

Run Action Field	Description	Recommended Default
Scan Path	Set the Directories or Drives to include in the analysis	Windows: `C:/, D:/` Linux: `/` Note: using / for Linux may be heavy and time-consuming as it scans the entire Linux target machine. Adjust the path based on performance and scope requirements.
Host Scan Type	Select the type of scan to run: Run-Incremental: Perform Incremental Scan since last scan and export results to AgileSec Server. After every 5 incremental scans, a complete scan executes. Run-Full: Perform complete scan and export results to AgileSec Server Network: Only scan network interfaces and export results to AgileSec Server	Run-Full
Ignore Missing Path	Avoid fail if a given scan path is missing. For example, when targeting Windows systems, if `C:/, D:/, E:/, F:/` are given as scan paths, some machines may not have `D:/`, causing a fail if this option is not enabled. When enabled, scan will still fail if all given scan paths do not exist.	Checked
Include Tanium	Select to include Tanium directory in scan process	Not Checked
Skip Mounts	Set to skip network mounts	Checked
Scan Priority	Set priority of the discovery process vs other processes: Low: Set Low priority for discovery process Normal: Set Normal priority for discovery process High: Set High priority for discovery process	Low
CPU Priority	Set number of threads to parallelize the discovery process run: Low: Set single thread / core usage Normal: Set 4 threads usage High: Set 8 threads usage	Normal
Config File	Add a custom configuration file	Leave blank unless a specific, custom configuration is needed.
EDR Id	An organization ID used by sensor to retrieve a token	EDR Id obtained from AgileSec UI (Platform Management → EDR Management)
Ingest URL:	Ingest URL of your AgileSec Server Examples: `https://ingest.agilesec.net/` `https://www.my-agilesec-server.local/ingest/`	`<Your AgileSec Server Ingest URL>`

Use Case 2: Connect Jobs

Note: Saved Questions and Connect jobs are only compatible with Tanium Platform. Tanium SaaS API does not allow importing Saved Questions or Connect jobs.

Note: These instructions are intended for use with Tanium Sensor v3.4.0 and AgileSec Platform 3.5.0+.

Note: Tanium Connect does not currently require authentication to the AgileSec server. Authentication will be supported in v3.6+.

Step 1: Data Migration

AgileSec Platform versions 3.5.0+ require data migration to allow the platform to correctly read data from Tanium integration v3.4.2 Connect jobs. The AgileSec installation includes a data migration tool, which needs to be patched for this use case. Specific instructions for Connect Jobs data migration are provided below. Further information about the data migration tool can be found on the Data Migration page.

For the Connect Jobs use case, first perform the following steps to enable automatic data migration. In multi-node installations, these steps must be performed on all backend nodes. For single-node installations, perform all steps on the single node.

Check if v2_sensors was enabled at install

When v2_sensors is enabled during install, Fluentd (td-agent) is installed alongside the Indexing Service.

Verify if <installation_directory>/services/td-agent exists on each backend node. If this directory exists, v2_sensors was enabled at install, and users may proceed to patching the data migration tool and migrating data.

If the td-agent directory does not exist, v2_sensors was not enabled at install, and users will need to reinstall AgileSec with v2_sensors enabled.

On each backend node:

Uninstall AgileSec:

CODE

cd <installation_directory>
sudo ./scripts/uninstall.sh --non-interactive

Update <installer_directory>/generate_envs/single_node_config.conf or <installer_directory>/generate_envs/multi_node_config.conf with v2_sensors="enabled".

Reinstall AgileSec (see Installation for more information):

CODE

cd <installer_directory>

# Generate new env config with v2_sensors enabled
./generate_envs/generate_envs.sh -t single-node --non-interactive

# Generate certificates
cd certificates/
./generate_certs.sh --non-interactive
cd ..

# Run system tuning
sudo ./scripts/tune.sh -u <user>

# Install
./install_analytics.sh install -u <user> -p <installation_directory> --non-interactive

Directory Variables Definitions:

installer_directory: the location where the unzipped install files reside, including all installation scripts and supporting files.
installation_directory: the location where AgileSec is installed to.

Patch the Data Migration Tool

On each backend node:

Unzip the Data Migration Patch archive file (provided separately by AgileSec).
CODE
```
unzip data_migration_patch_3.5.1.zip
```

Run the data migration patch script data_migration_patch.sh:

CODE

cd data_migration_patch_3.5.1
./data_migration_patch.sh <installation_directory>

Restart all services with manage.sh:

CODE

cd <installation_directory>
./scripts/manage.sh restart

Set environment variables for automatic data migration

By default, AgileSec retains source data when migrating data. This behavior is recommended for test environments and first time use.

On each backend node:

For production environments, users may add the variable MIGRATION_KEEP_SOURCE=false in <installation_directory>/config_envs/scheduler to disable retaining source information and free up storage:
CODE
```
MIGRATION_KEEP_SOURCE=false
```
Verify automatic data migration is set. When MIGRATE_ENABLED=true in <installation_directory>/config_envs/scheduler, the tool will run automatically on a schedule, picking up any new data arriving in the old indexes since the last run. By default, this runs every 60 minutes. MIGRATE_ENABLED should be set true by default when v2_sensors is enabled at install.
CODE
```
MIGRATE_ENABLED=true
```

Optional: Run the data migration tool manually

If users want to immediately run data migration without waiting for automatic data migration to begin, they may start a manual run.

From the installation_directory, run the following for immediate data migration on each backend node:

CODE

./bin/isg_tools migrate -c ./config_envs/migrate.json

Step 2: Select Target Systems

On the Tanium Home page, use Tanium’s Interact tool to Ask a Question or use the Question Builder to retrieve and group specific systems endpoints for cryptographic inventory.

AgileSec Tanium Actions run by OS, so it is recommended to group target endpoints by OS Platform.

Example: Sort by OS with Ask a Question

As an example, you may sort by OS using Ask a Question as follows.

Or search for Windows OS specifically.

Check the box beside the results you want to target then click Deploy Action.

Step 3: Execute Deploy Action

Select the ISG - Deploy action and execute it against the previously defined target systems.

Deploy Action Field	Description / Notes
Deployment Package	Specific Action to run. Example: ISG - Deploy [`<OS>`]
Deployment Path	Path to store the different AgileSec ISG Discovery Packages on the Target Systems. Tanium provides default path suggestions in the Action Deployment UI. In most cases, users can rely on the default values unless they have a specific requirement to change them.
DB Path	Path to store the different ISG Local Databases on the target systems. By default, DB Path is the same as the Deployment Path.
Minimum available space for the filesystem (GB)	Deployment Path and DB Path must have at least the specified amount of free space or Action will fail.
Action Details Name Description	Name of action Brief Description
Deployment Schedule Schedule Type Distribute Over	Schedule Type options: One-Time Deployment Recurring Deployment One-Time Deployment is recommended for Deploy and Undeploy actions. Discover and Run actions use One-Time Deployment by default but may be configured with a Recurring Deployment.
Targeting Criteria Action Group	Select the previously defined Target Systems from Step 1 to execute action on.

After filling out the required fields, click Show Preview to Continue, review, then click Deploy Actions to proceed to action execution.

Step 4: Execute Discover Action

After successful deployment of the AgileSec Plugin, you can execute the Discover Action against Windows or Linux devices. Select the ISG - Discover Action, set the different parameters, then click Deploy Action.

Discover Action Field	Description	Recommended Default
Scan Path	Set the Directories or Drives to include in the analysis	Windows: `C:/, D:/` Linux: `/` Note: using / for Linux may be heavy and time-consuming as it scans the entire Linux target machine. Adjust the path based on performance and scope requirements.
Host Scan Type	Select the type of scan to run: Regular: Perform optimized scan excluding archive files (zip, tar, etc.) and system directories. Full: Perform complete scan of all files in path. None: No host case.	None
Network Scan Type	Select the network scan type: Host: Scan local processes on host to check if they allow SSH or TLS connections. None: No network scan.	Host
Ignore Missing Path	Avoid fail if a given scan path is missing. For example, when targeting Windows systems, if `C:/, D:/, E:/, F:/` are given as scan paths, some machines may not have `D:/`, causing a fail if this option is not enabled. When enabled, scan will still fail if all given scan paths do not exist.	Checked
Include Tanium	Select to include Tanium directory in scan process	Not Checked
Skip Mounts	Set to skip network mounts	Checked
Scan Priority	Set priority of the discovery process vs other processes: Low: Set Low priority for discovery process Normal: Set Normal priority for discovery process High: Set High priority for discovery process	Low
CPU Priority	Set number of threads to parallelize the discovery process run: Low: Set single thread / core usage Normal: Set 4 threads usage High: Set 8 threads usage	Normal
Scan files modified since days	Limit scan to only new or modified files since x days ago. For example, if the last scan was 3 days ago, set the value to 3 to scan for new results.	0

Step 5: Execute Saved Questions

Navigate to Modules > Interact > Overview, locate the question in the Saved Questions panel, and click its name. Alternatively, go to Administration > Content > Saved Questions, select the question, and click Load.

Check the results. If there are results, continue to Execute Connect job. Otherwise, amend your Deployment targets or change your Saved Question to one appropriate for your use case or environment.

Step 6: Execute Connect Jobs

Navigate to Modules > Connect > Connections. Select the Connect job using the previous Saved Question as the source.

Run the Connect job to export results to the AgileSec Server.