AgileSec Tanium: Execute Scans

This guide includes key steps for executing actions with Sensors previously loaded to Tanium.

Additional information, including architecture, can be found on the AgileSec Tanium page.

Overview

There are two use cases covered in this document:

Use Case 1: Execute Run Without Dependencies. Run exports directly from end point hosts to AgileSec Server. Used to run AgileSec Run jobs for direct streaming.

Use Case 2: Execute Connect Job. Results are retrieved from hosts to Tanium server via Saved Question then exported from Tanium Server to AgileSec Server via Connect. Used to send real-time endpoint data out of Tanium to other systems.

Use Case 1: Execute Run Without Dependencies

Step 1: Select Target Systems

On the Tanium Home page, use Tanium’s Interact tool to Ask a Question or use the Question Builder to retrieve and group specific systems endpoints for cryptographic inventory.

AgileSec Tanium Actions run by OS, so it is recommended to group target endpoints by OS Platform. 

image-20260422-183922.png

Example: Sort by OS with Ask a Question

As an example, you may sort by OS using Ask a Question as follows.

image-20251229-115311.png

Or search for Windows OS specifically.

image-20260422-185726.png

Check the box beside the results you want to target then click Deploy Action.

Step 2: Execute Deploy Action

Select the ISG - Deploy action and execute it against the previously defined target systems.

Deploy-Action.png

Deploy Action Field

Description / Notes

Deployment Package

Specific Action to run.

Example: ISG - Deploy [<OS>]

Deployment Path

Path to store the different AgileSec Discovery Packages on the Target Systems.

Tanium provides default path suggestions in the Action Deployment UI. In most cases, users can rely on the default values unless they have a specific requirement to change them.

DB Path

Path to store the different AgileSec Local Databases on the target systems.

By default, DB Path is the same as the Deployment Path.

Minimum available space for the filesystem (GB)

Deployment Path and DB Path must have at least the specified amount of free space or Action will fail.

Action Details

  • Name

  • Description

  • Name of action

  • Brief Description

Deployment Schedule

  • Schedule Type

  • Distribute Over

Schedule Type options:

  • One-Time Deployment

  • Recurring Deployment

One-Time Deployment is recommended for Deploy and Undeploy actions.

Discover and Run actions use One-Time Deployment by default but may be configured with a Recurring Deployment.

Targeting Criteria

  • Action Group

Select the previously defined Target Systems from Step 1 to execute action on.

After filling out the required fields, click Show Preview to Continue, review, then click Deploy Actions to proceed to action execution.

Step 3: Execute Run Action

After successful deployment of the AgileSec Tanium Sensor, you can execute the Run Action against Windows or Linux devices. Select the ISG - Run Action, set the parameters, then click Deploy Action.

image-20251229-115342.png

Run Action Field

Description

Recommended Default

Scan Path

Set the Directories or Drives to include in the analysis

Windows: C:/, D:/

Linux: /

Note: using / for Linux or C:/ for Windows may be heavy and time-consuming as it scans the entire target machine.

Adjust the path based on performance and scope requirements.

Host Scan Type

Select the type of scan to run:

  • Run-Incremental: Perform Incremental Scan since last scan and export results to AgileSec Server. After every 5 incremental scans, a complete scan executes.

  • Run-Full: Perform complete scan and export results to AgileSec Server

  • Network: Only scan network interfaces and export results to AgileSec Server

Run-Full

Ignore Missing Path

Avoid fail if a given scan path is missing. For example, when targeting Windows systems, if C:/, D:/, E:/, F:/ are given as scan paths, some machines may not have D:/, causing a fail if this option is not enabled.

When enabled, scan will still fail if all given scan paths do not exist.

Checked

Include Tanium

Select to include Tanium directory in scan process

Not Checked

Skip Mounts

Set to skip network mounts

Checked

Scan Priority

Set priority of the discovery process vs other processes:

  • Low: Set Low priority for discovery process 

  • Normal: Set Normal priority for discovery process 

  • High: Set High priority for discovery process 

Low

CPU Priority

Set number of workers to parallelize the discovery process run:

  • Low: Set single worker / core usage

  • Normal: Set 4 workers usage

  • High: Set 16 workers usage

Normal

Config File

Add a custom configuration file

Leave blank unless a specific, custom configuration is needed.

EDR Id

An organization ID used by sensor to retrieve a token

EDR Id obtained from AgileSec UI (Platform Management → EDR Management)

Ingest URL

Ingest URL of your AgileSec Server
Examples:

  • https://ingest.agilesec.net/


<Your AgileSec Server Ingest URL>

Background Mode

When enabled, scan runs as a background process.

Enabled

Log Level

Sets the log level for the log file to Warn, Info, or Debug.

When scan runs, a log file is created in the installation directory on the execution machine. Log files can be examined if there is remote access to machine.


Warn

Use Case 2: Connect Jobs

Note: Saved Questions and Connect jobs are only compatible with Tanium Platform. Tanium SaaS API does not allow importing Saved Questions or Connect jobs.

Step 1: Select Target Systems

On the Tanium Home page, use Tanium’s Interact tool to Ask a Question or use the Question Builder to retrieve and group specific systems endpoints for cryptographic inventory.

AgileSec Tanium Actions run by OS, so it is recommended to group target endpoints by OS Platform. 

image-20260422-183922.png

Example: Sort by OS with Ask a Question

As an example, you may sort by OS using Ask a Question as follows.

image-20251229-115311.png

Or search for Windows OS specifically.

image-20260422-185726.png

Check the box beside the results you want to target then click Deploy Action.

Step 2: Execute Deploy Action

Select the ISG - Deploy action and execute it against the previously defined target systems.

Deploy-Action.png

Deploy Action Field

Description / Notes

Deployment Package

Specific Action to run.

Example: ISG - Deploy [<OS>]

Deployment Path

Path to store the different AgileSec AgileSec Discovery Packages on the Target Systems.

Tanium provides default path suggestions in the Action Deployment UI. In most cases, users can rely on the default values unless they have a specific requirement to change them.

DB Path

Path to store the different AgileSec Local Databases on the target systems.

By default, DB Path is the same as the Deployment Path.

Minimum available space for the filesystem (GB)

Deployment Path and DB Path must have at least the specified amount of free space or Action will fail.

Action Details

  • Name

  • Description

  • Name of action

  • Brief Description

Deployment Schedule

  • Schedule Type

  • Distribute Over

Schedule Type options:

  • One-Time Deployment

  • Recurring Deployment

One-Time Deployment is recommended for Deploy and Undeploy actions.

Discover and Run actions use One-Time Deployment by default but may be configured with a Recurring Deployment.

Targeting Criteria

  • Action Group

Select the previously defined Target Systems from Step 1 to execute action on.

After filling out the required fields, click Show Preview to Continue, review, then click Deploy Actions to proceed to action execution.

Step 3: Execute Discover Action

After successful deployment of the AgileSec Tanium Sensor, you can execute the Discover Action against Windows or Linux devices. Select the ISG - Discover Action, set the different parameters, then click Deploy Action.

image-20260429-152702.png

Discover Action Field

Description

Recommended Default

Scan Path

Set the Directories or Drives to include in the analysis

Windows: C:/, D:/

Linux: /

Note: using / for Linux may be heavy and time-consuming as it scans the entire Linux target machine. Adjust the path based on performance and scope requirements.

Host Scan Type

Select the type of scan to run:

  • Regular: Perform optimized scan excluding archive files (zip, tar, etc.) and system directories.

  • Full: Perform complete scan of all files in path.

  • None: No host case.

None

Network Scan Type

Select the network scan type:

  • Host: Scan local processes on host to check if they allow SSH or TLS connections.

  • None: No network scan.

Host

Ignore Missing Path

Avoid fail if a given scan path is missing. For example, when targeting Windows systems, if C:/, D:/, E:/, F:/ are given as scan paths, some machines may not have D:/, causing a fail if this option is not enabled.

When enabled, scan will still fail if all given scan paths do not exist.

Checked

Include Tanium

Select to include Tanium directory in scan process

Not Checked

Skip Mounts

Set to skip network mounts

Checked

Scan Priority

Set priority of the discovery process vs other processes:

  • Low: Set Low priority for discovery process 

  • Normal: Set Normal priority for discovery process 

  • High: Set High priority for discovery process 

Low

CPU Priority

Set number of workers to parallelize the discovery process run:

  • Low: Set single worker / core usage

  • Normal: Set 4 workers usage

  • High: Set 16 workers usage

Normal

Scan files modified since days

Limit scan to only new or modified files since x days ago. For example, if the last scan was 3 days ago, set the value to 3 to scan for new results.

0

Config File

Add a custom configuration file

Leave blank unless a specific, custom configuration is needed.

Background Mode

When enabled, scan runs as a background process.

Enabled

Log Level

Sets the log level for the log file to Warn, Info, or Debug.

When scan runs, a log file is created in the installation directory on the execution machine. Log files can be examined if there is remote access to machine.


Warn

Step 4: Execute Saved Questions

Navigate to Modules > Interact > Overview, locate the question in the Saved Questions panel, and click its name. Alternatively, go to Administration > Content > Saved Questions, select the question, and click Load.

Check the results. If there are results, continue to Execute Connect job. Otherwise, amend your Deployment targets or change your Saved Question to one appropriate for your use case or environment.

Step 5: Execute Connect Jobs

Navigate to Modules > Connect > Connections. Select the Connect job using the previous Saved Question as the source.

image-20260608-201458.png

Run the Connect job to export results to the AgileSec Server.

Create Your Own Connect Jobs

To create your own, non-loaded Connect jobs, navigate to Modules > Connect > Connections.

Click Create Connection.

image-20260608-201728.png

Select the following parameters:

Source: Saved Questions

Saved Question Name: Select a Saved Question

Check to enable the following settings:

  • Flatten Result

  • Hide Errors

  • Include Recent Answers

Computer Group: Create new or use an existing destination

image-20260608-200414.png

HTTPS Destination and Authentication:

  • URL: Update your_server_url to your AgileSec Server endpoint (ingestion URL server)

    • Examples:
      https://ingest.agilesec.net/

  • Method: POST

  • Trust on First Use Enabled

  • Add or update Authorization HTTP Header with an AgileSec JWE bearer token (see Load ISG Tanium Connect Jobs instructions for generating a token).

    image-20260608-202152.png

Output Format:

  • Format: JSON

  • Generate Document enabled

image-20260608-200359.png

Click Save to save the job. Click Save and Run to save the job and export results to the AgileSec Server.