ISG Tanium: Load
This guide covers the key steps for loading action packages and sensors to Tanium via Tanium’s UI or API.
Additional information, including architecture and package contents info, can be found on the ISG Tanium page.
Overview
Several sensor and action packages have been created by ISG to leverage the capabilities of Tanium to perform a cryptographic inventory at scale. Once loaded to Tanium, they provide full integration with AgileSec Analytics' functionality.
There are two ways to upload ISG actions and sensors info to Tanium. Availability of options depends on your Tanium infrastructure type:
Tanium Appliance (on-prem infrastructure): Package loading via UI
Tanium Cloud (SaaS infrastructure): Package loading via API Script
Compatible Product Versions
To start the deployment of the ISG Tanium Content, you will need to receive the download link from ISG. If you do not have the download link, please reach out to ISG support. This guide is designed for the following versions of the Products:
Tanium Version Build: 7.5.x
Tanium Version Console: 3.4.x
ISG Sensor Tanium Content: 3.5.1
ISG AgileSec Analytics Unified Sensors for Tanium: 3.5.1
Other versions of Tanium may have a different import process. This guide will work for other versions of Tanium with minor differences in the import process.
Load with Tanium UI
If available with your Tanium infrastructure type, you may manually import packages for Actions, Sensors, Saved Questions, and Connect jobs to Tanium via the UI.
Step 1: Create Roles in Tanium
The following two roles should be created in Tanium:
Tanium Admin Role
The Tanium Admin role is assigned to the person who will load the package from ISG into Tanium and provide access to the Crypto Operational Role. Consider the following actions when creating the role and granting permissions:
Download ISG packages from the link provided by ISG
Create ISG Content Set
Load ISG Actions and Packages
Load ISG Sensors
Load ISG Saved Questions
Assign a set of Hosts to Crypto Operational Role
Assign a set of rights to Crypto Operational Role
Crypto Operational Role
The Crypto Operational role is assigned to the person who will manually execute the different sensors and actions from Tanium to trigger cryptographic inventory. It is recommended to provide the following rights to the Crypto Operational role:
Right to run objects available in ISG Content Set
Right to Run ISG Actions on authorized hosts
Right to Create New Saved Questions
Right to Run Saved Questions
Step 2: Create ISG Content Set
Go to Content Sets
To create the InfoSec Global Content Set, navigate to Administration > Content Sets in Tanium.

Create ISG - AgileSec Analytics Content Set
When in Content Sets, create a new content set. You must use the following name: InfoSec Global.

The Content Set Name must match the name InfoSec Global exactly (case sensitive).
To use a different name, replace the JSON attribute content_set.name in the Tanium Packages so that it matches your content set name.
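One way to make the content_set.name replacement described above, as an added example that is not part of ISG's content. The export layout is not shown in this guide, so the walker does not depend on it, and the sample document and the name "Crypto Inventory" are constructed.

```python
import json

DEFAULT_SET = "InfoSec Global"  # name the guide requires by default


def rename_content_set(node, new_name, old_name=DEFAULT_SET):
    """Rewrite every content_set.name equal to old_name; return how many changed.

    Walks the whole document, so it does not depend on where the export
    nests its objects. Content sets with any other name are left alone.
    """
    changed = 0
    if isinstance(node, dict):
        cs = node.get("content_set")
        if isinstance(cs, dict) and cs.get("name") == old_name:
            cs["name"] = new_name
            changed += 1
        for value in node.values():
            changed += rename_content_set(value, new_name, old_name)
    elif isinstance(node, list):
        for item in node:
            changed += rename_content_set(item, new_name, old_name)
    return changed


def content_set_names(node):
    """Return the set of content set names referenced anywhere in the document."""
    names = set()
    if isinstance(node, dict):
        cs = node.get("content_set")
        if isinstance(cs, dict) and "name" in cs:
            names.add(cs["name"])
        for value in node.values():
            names |= content_set_names(value)
    elif isinstance(node, list):
        for item in node:
            names |= content_set_names(item)
    return names


# Constructed sample; keys and nesting are assumptions, not the real ISG export.
SAMPLE = json.loads("""
{"object_list": {"package_specs": [
  {"name": "ISG - Deploy [Linux]",   "content_set": {"name": "InfoSec Global"}},
  {"name": "ISG - Deploy [Windows]", "content_set": {"name": "InfoSec Global"}},
  {"name": "Unrelated package",      "content_set": {"name": "Default"}}
]}}
""")

if __name__ == "__main__":
    print(rename_content_set(SAMPLE, "Crypto Inventory"), sorted(content_set_names(SAMPLE)))
```

Review the names reported by content_set_names before importing; any object still pointing at a content set that does not exist in Tanium will not land where you expect.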
Save Content Set Changes
Confirm your changes then click the Save button prior to moving forward. Saving is mandatory.
Step 3: Load ISG Packages in Tanium
ISG packages contain ISG executables to be controlled by the Tanium Agent. The Packages allow deployment of the ISG Sensor plugin for Tanium endpoints in order to execute cryptographic discovery, run processes on endpoints, and undeploy sensors.
Go to Packages
To load new packages, navigate to Administration > Packages in Tanium.

Import ISG Tanium packages
In the package menu, click on Import new content and select the file ISG-Tanium-Packages-version.json provided by ISG to load the ISG AgileSec Analytics Packages.

The following Packages shall become available for import. Click Begin Import.
After successful import, the ISG Tanium Packages shall be available.

The loaded packages do not include ISG executables and other files. These must be loaded separately as defined in the next step.
Additionally, if you are upgrading to a newer version of ISG Tanium Content, update the Executables in the ISG Packages manually following the next steps.
Load ISG Executables to Packages
Click on the first Package: ISG - Deploy [Linux] to access the edit and preview modes of the package. Click on Edit Mode.

Manually add the following files to the package.
Load file from directory ./ISG-Deploy-Linux/isg_sensor_<version>-py.zip
Load file from directory ./ISG-Deploy-Linux/isg_sensor_linux_<version>.zip
Load file from directory ./ISG-Deploy-Linux/isg_ds_deploy.py
Save the updated package and click Yes to continue.

Load ISG Executables for all packages
Follow the previous steps to load the remaining ISG executables packages:
ISG - Deploy [Linux]
Load file from directory ./ISG-Deploy-Linux/isg_sensor_linux_<version>.zip
Load file from directory ./ISG-Deploy-Linux/isg_sensor_<version>-py.zip
Load file from directory ./ISG-Deploy-Linux/isg_ds_deploy.py
ISG - Deploy [Windows]
Load file from directory ./ISG-Deploy-Windows/isg_sensor_<version>-py.zip
Load file from directory ./ISG-Deploy-Windows/isg_sensor_windows_<version>.zip
Load file from directory ./ISG-Deploy-Windows/isg_ds_deploy.py
ISG - Discover [Linux]
Load file from directory ./ISG-Discover-Linux/isg_ds_discover.py
ISG - Discover [Windows]
Load file from directory ./ISG-Discover-Windows/isg_ds_discover.py
ISG - Run [Linux]
Load file from directory ./ISG-Run-Linux/isg_ds_run.py
ISG - Run [Windows]
Load file from directory ./ISG-Run-Windows/isg_ds_discover.py
ISG - Undeploy [Linux]
Load file from directory ./ISG-Undeploy-Linux/isg_ds_undeploy.py

ISG - Undeploy [Windows]
Load file from directory ./ISG-Undeploy-Windows/isg_ds_undeploy.py

Verify ISG Executables
Verify all executables have been correctly deployed by searching for the ISG sensors. The following list shall be displayed with a valid size for each package.

Step 4: Load ISG Sensors Within Tanium
The sensors are used to query information from the endpoints and are used by the ISG Saved Questions. ISG has created individual sensors to limit the information returned by each query, in line with Tanium best practices.
Note: ISG Sensors are used with ISG - Discover for exploratory scans. These are local scans where the results can be queried without export to Analytics Server. Actual scans are executed with ISG - Run.
Go to Sensors
To load new sensors, navigate to Administration > Sensors menu in Tanium.

Import ISG Tanium Sensors
In the Sensors menu, click on Import and select the file ISG-Tanium-Sensors-<version>.json provided by ISG to load the ISG AgileSec Analytics Sensors.

The following Sensors shall become available for import. Click Begin Import.

After successful import, the ISG Tanium Sensors shall be available.

Step 5: Load ISG Saved Questions Within Tanium
Saved questions are pre-defined questions using different sensors from Tanium and ISG.
Go to Saved Questions
To load new Saved Questions, navigate to Administration > Saved Questions in Tanium.

Import ISG Saved Questions
In the Saved Question menu, click on Import and select the file ISG-Tanium-Saved-Questions-<version>.json provided by ISG to load the ISG AgileSec Analytics Saved Questions.

The following Saved Questions shall become available for import. Click Begin Import.

After successful import, the ISG Tanium Saved Questions shall be available.

Step 6: Load ISG Tanium Connect Jobs
Tanium Connect Jobs use the ISG Saved Questions to export findings to the ISG Server.
Configure Tanium Connect JSON files
Edit the file ISG-Tanium-Connect-3.4.0.json to replace the default HTTPS destination with the URL of your AgileSec Analytics Server. To do so, replace all instances of your_server_url with your own server address, such as 10.1.2.48 or my.isgserver.local. There are a total of 18 instances to replace.
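A scripted version of this replacement with the checks a reviewer would want, as an added example that is not ISG's tooling: it refuses to edit when the placeholder count is not the expected one, confirms the result is still valid JSON, and lists any destination that would leave the endpoint over plain HTTP. The sample document, its keys and the /ingest path are constructed.

```python
import json
import re

PLACEHOLDER = "your_server_url"  # placeholder named in the guide
# Bare DNS name or IPv4 address, optional port: no scheme, path, quotes or spaces.
HOST_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?(:\d{1,5})?$")
URL_RE = re.compile(r"[a-z][a-z0-9+.-]*://[^\s\"']+", re.I)


def set_server(text, host, expected=18):
    """Replace the placeholder; raise if the file is not what we expected."""
    if not HOST_RE.match(host):
        raise ValueError("host must be a bare name or IP address: %r" % host)
    found = text.count(PLACEHOLDER)
    if found != expected:
        raise ValueError("expected %d placeholders, found %d" % (expected, found))
    out = text.replace(PLACEHOLDER, host)
    json.loads(out)  # the edited file must still parse as JSON
    return out


def non_https_destinations(text, host):
    """Return every URL that points at host without using HTTPS."""
    return [u for u in URL_RE.findall(text)
            if host in u and not u.lower().startswith("https://")]


# Constructed sample with 3 placeholders (the guide states the real file has 18).
# The third entry uses http on purpose, to exercise the check.
SAMPLE = """{"jobs": [
 {"name": "job-a", "url": "https://your_server_url/ingest"},
 {"name": "job-b", "url": "https://your_server_url/ingest"},
 {"name": "job-c", "url": "http://your_server_url/ingest"}
]}"""

if __name__ == "__main__":
    edited = set_server(SAMPLE, "my.isgserver.local", expected=3)
    print(non_https_destinations(edited, "my.isgserver.local"))
```

For the real file, keep the default expected=18 so that a partially edited or different version of the JSON is rejected instead of silently imported.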

Go to Connect
To load new packages, navigate to the Modules > Connect menu in Tanium.

Import ISG Tanium Connect Jobs
In the package menu, click on Import new content and select the file ISG-Tanium-Connect-3.4.0.json modified to include your ISG Server URL.

The following Packages shall become available for import. You must select each ISG Tanium Connect Job then Save. The error status is not relevant. Ignore the error status and proceed with saving.

The ISG connect jobs will be imported after you click Save.

After successful import, return to the Tanium Connect Menu to see the available ISG Tanium Connect Jobs.

Verify Tanium Connect Job URL
Verify all Tanium Connect jobs are correctly pointing to your ISG AgileSec Analytics Backend Server. If there is a mistake, you can still edit the connection manually to reset the appropriate URL.

Load with API
Tanium SaaS does not support manually loading Content Packages. You may load packages for actions and sensors via API scripts. AgileSec provides a Load Script in the ISG Tanium Content Package provided separately.
Note: Saved Questions and Connect jobs are only compatible with Tanium Platform. Tanium SaaS API does not allow importing Saved Questions or Connect jobs.
Networking and Security
The following security and network aspects should be considered:
| Connection | Protocol | Authentication |
|---|---|---|
| AgileSec Load Script -> Tanium SaaS | HTTPS | Token Created in Tanium |
| Tanium SaaS -> Hosts | Managed by Tanium | Managed by Tanium |
| AgileSec Sensor -> AgileSec Server | Managed by AgileSec Analytics | Managed by AgileSec Analytics |
Tanium SaaS APIs
The AgileSec Load script is written in a scripting language, so customers can review the API calls it makes to load the Content Set into Tanium. The following key APIs are used when loading via API:
GET /api/v2/content_sets/by-name/
POST /api/v2/content_sets
GET /api/v2/sensors/by-name/
POST /api/v2/sensors/
GET /api/v2/packages/by-name/
POST /api/v2/packages/
POST /api/v2/upload_file_stream
POST /api/v2/upload_file
Step 1: Obtain Tanium Variables for Scripts
TANIUM_TOKEN: You can create a new token in the Tanium UI under Administration → Permissions → API Tokens → New API Token.
TANIUM_API_URL: In Tanium SaaS, the API URL is the base URL of the client’s Tanium instance. Typically, it is <instance>-api.domain.name. For example, if your URL is https://example.com and your instance name is example-isg, then the API URL is https://example-isg-api.example.com.
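A pre-flight check for these two variables, as an added example that is not one of the ISG scripts: it confirms the token would only ever travel over HTTPS, that the URL has the base form described above, and it masks the token for log output. The host pattern test is a heuristic taken from the "typically" wording, and the sample values in the test are constructed.

```python
import os
import sys
from urllib.parse import urlsplit


def check_tanium_env(env):
    """Return a list of problems with TANIUM_TOKEN / TANIUM_API_URL (empty = OK)."""
    problems = []
    token = env.get("TANIUM_TOKEN", "")
    url = env.get("TANIUM_API_URL", "")

    if not token.strip():
        problems.append("TANIUM_TOKEN is not set")
    elif token != token.strip():
        problems.append("TANIUM_TOKEN has leading or trailing whitespace")
    elif "MYTOKEN" in token:
        problems.append("TANIUM_TOKEN still holds the documentation placeholder")

    if not url:
        problems.append("TANIUM_API_URL is not set")
        return problems
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        problems.append("TANIUM_API_URL must use https so the token is not sent in clear text")
    if parts.username or parts.password:
        problems.append("TANIUM_API_URL must not embed credentials")
    if "-api." not in host:  # heuristic: <instance>-api.<domain>
        problems.append("TANIUM_API_URL host does not look like <instance>-api.<domain>")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        problems.append("TANIUM_API_URL should be the base URL only")
    return problems


def mask(token):
    """Shorten a token for log output so the secret never reaches a terminal or CI log."""
    return token[:4] + "..." if len(token) > 8 else "***"


if __name__ == "__main__":
    issues = check_tanium_env(os.environ)
    for issue in issues:
        print("FAIL:", issue)
    print("token:", mask(os.environ.get("TANIUM_TOKEN", "")))
    sys.exit(1 if issues else 0)
```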
Step 2: Configure and Execute Load Script
There are two scripts used to verify configuration and load packages via API.
deploy.sh script loads the ISG Tanium integration packages to Tanium via API.
verify.sh script verifies connectivity to the Tanium API and checks the provided token and URL are valid with a test request.
To execute the Verify (verify.sh) and Load (deploy.sh) scripts, you must first define TANIUM_TOKEN and TANIUM_API_URL in your environment. Export the variables and run the scripts as follows:
# Export Token
export TANIUM_TOKEN=XXXXXXX-MYTOKEN-XXXXXXX
# Export URL
export TANIUM_API_URL=https://xxxx-api.your-tanium-saas-instance.com/
# Run Verify Script
./verify.sh
# Check Results
InfoSec Global - verify Tanium Integration ...
10:44:58.802547336 validating session (https://...
OK
# Run Load Script
./deploy.sh
# Check Results
11:22:43.467834797 InfoSec Global - deploy Tanium Integration ...
11:22:43.469422883 data: ./cloud/, executables: ./Packages-Executables/
..
Step 3: Verify Loading
To verify the correct loading of the Integration, you can review the InfoSec Global Content Set in Tanium and check the packages and sensors are correctly loaded.
