Tanium Python Package Runner

The Demisto SDK library can be used to manage your Demisto content with ease and efficiency. The library requires Python 3.7+.

The Python module allows you to download the subscribed categories as text or as a JSON object. It even has presets for well-known products that support YARA scanning, such as FireEye's appliances, Tenable, Tanium, CarbonBlack or Symantec MAA. Retrieving the subscribed YARA rule set requires no more than three lines of code.

Tanium™ Core Platform: 7.3 or later. Tanium™ Client: Windows: 7.2.314.3584 or later; Linux, AIX, Solaris: any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements.

What is TPython.exe? TPython.exe is known as Tanium Python; it also appears under the names Microsoft Windows Script Host or Microsoft Windows Operating System, and it is developed by Tanium Inc. and also by Microsoft Corporation. We have seen about 19 different instances of TPython.exe in different locations. So far we haven't seen any alert about this.

Android SDK packages can be installed using the Android SDK Manager tool. See Installing the Android SDK for detailed instructions. The default Android SDK can be configured using Studio's Preferences, and then selected per-project using the Run Configurations. Android Native Add-on Module Development on macOS.

Usage

Installation

  1. Install - pip3 install demisto-sdk

  2. Upgrade - pip3 install --upgrade demisto-sdk

  3. Demisto server demisto-sdk integration - In order for demisto-sdk and the Cortex XSOAR (Demisto) server to communicate, perform the following steps:

    1. Get an API key for the Demisto server - Settings -> Integrations -> API keys -> Get your Key (copy it; you will be able to copy it only once)

    2. Add the following parameters to your environment (can be done globally in ~/.zshrc or ~/.bashrc files):

      for example:

      For more configurations, check the demisto-py repository (which is used by the demisto-sdk to communicate with Cortex XSOAR).

    3. Reload your terminal before continuing.

CLI usage

You can use the SDK in the CLI as follows:

For more information, run demisto-sdk -h. For more information on a specific command, execute demisto-sdk <command> -h.

Version Check

demisto-sdk will check against the GitHub repository releases for a new version every time it runs and will issue a warning if you are not using the latest and greatest. If you wish to skip this check you can set the environment variable: DEMISTO_SDK_SKIP_VERSION_CHECK. For example:

Commands

Supported commands:


Customizable command configuration

You can create your own configuration for the demisto-sdk commands by creating a file named .demisto-sdk-conf within the directory from which you run the commands. This file will enable you to set a default value for the existing command flags that will take effect whenever the command is run. This can be done by entering the following structure into the file:

Note: Make sure to use the flag's full name and input _ instead of a - if it exists in the flag name (e.g. instead of no-docker-checks use no_docker_checks).

Here are a few examples:

  • As a user, I would like to not use the mypy linter in my environment when using the lint command. In the .demisto-sdk-conf file I'll enter:
  • As a user, I would like to include untracked git files in my validation when running the validate command. In the .demisto-sdk-conf file I'll enter:
  • As a user, I would like to automatically use minor version changes when running the update-release-notes command. In the .demisto-sdk-conf file I'll enter:

How to set up the development environment?

Follow the guide found here to set up your demisto-sdk-dev virtual environment. The development environment is connected to the branch you are currently using in the SDK repository.

Simply activate it by running workon demisto-sdk-dev. The virtual environment can be deactivated at any time by running deactivate.

Autocomplete

Our CLI supports autocomplete for Linux/macOS machines. You can turn this feature on by running one of the following:

For zsh users, run in the terminal:

For regular bashrc users, run in the terminal:

License

MIT - See LICENSE for more information.

Contributions

Contributions are welcome and appreciated. For information regarding contributing, see here. For the release guide, see here.

Review the requirements before you install and use Incident Response.

Tanium dependencies

Component | Requirement
Platform | Version 7.2 or later.
Tanium Client | Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements.

If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

License | The license for Incident Response includes the following solutions:
  • Tanium Incident Response
  • Tanium Quarantine (Quarantine)
  • Tanium Live Response (Live Response)
  • Tanium Index (Index)
  • Windows Security Patch Management (for more information, see Tanium Knowledge Base)
Tanium™ Trace | Version 2.3.2.0004 or later is required for real-time events on Linux endpoints with Tanium Index 2.0.0 or later.

Third-party software requirements

For Tanium Incident Response, the required third-party software is installed automatically.

However, the IR Gatherer solution has third-party software requirements that are not installed automatically. The related documentation includes instructions to download the software and include it in packages that are distributed to the endpoints.

Endpoints

Supported operating systems

The following endpoint operating systems are supported by Incident Response, Copy tools, Quarantine, Index, and Live Response:


  • Windows (A minimum of Windows 7 with SP1 or Windows Server 2008 R2 with SP1 is required. Windows 7 Service Pack 1 requires Microsoft KB2758857.)
  • macOS (macOS 10.14 (Mojave) or later is required for Tanium Incident Response 4.5.3 or later and Tanium Index 2.3.2 or later)
  • Linux

See the documentation for each IR solution for specific version numbers.

Disk space requirements

Index requires 1 GB free space. For other solutions, the required disk space is minimal.

Host and network security requirements

Specific ports and processes are needed to run Incident Response.

Ports

The following ports are required for IR communication.

Source | Destination | Port | Protocol | Purpose
Tanium Client | Destination Servers | 443 (S3), 22 (SFTP/SCP), or 445 (SMB) | TCP | Outbound connections over ports depending on how the collected data is being transferred.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference.

Incident Response security exclusions

Target Device | Notes | Exclusion Type | Exclusion
Windows x86 or x64 endpoints | | Process | <Tanium Client>\Tools\IR\TaniumPersistenceAnalyzer.exe
 | | Process | <Tanium Client>\Tools\EPI\TaniumExecWrapper.exe
 | | Process | <Tanium Client>\Tools\IR\TaniumExecWrapper.exe
 | | Process | <Tanium Client>\Tools\IR\TanFileInfo.exe
 | | Process | <Tanium Client>\Tools\IR\TaniumHandle.exe
 | | Process | <Tanium Client>\Tools\IR\TanListModules.exe
 | | Process | <Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe
 | | Process | <Tanium Client>\Tools\IR\PowerForensics\PowerForensics.dll
 | 1 | Process | <Tanium Client>\Downloads\Action_nnn\Winpmem.gb414603.exe
 | 1 | Process | <Tanium Client>\Downloads\Action_nnn\TaniumFileTransfer.exe
 | 1,2 | Process | <Tanium Client>\Downloads\Action_nnn\surge-collect.exe
 | 1,2 | Process | <Tanium Client>\Downloads\Action_nnn\surge.dat
 | 7.2.x clients, 3 | Process | <Tanium Client>\Python27\TPython.exe
 | 7.4.x clients, 3 | Process | <Tanium Client>\Python38\TPython.exe
 | 7.4.x clients | Folder | <Tanium Client>\Python38
macOS endpoints | | Process | <Tanium Client>/Tools/EPI/TaniumExecWrapper
 | | Process | <Tanium Client>/Tools/IR/TaniumExecWrapper
 | | Process | <Tanium Client>/Tools/EPI/TaniumEndpointIndex
 | 1,2 | Process | <Tanium Client>/Downloads/Action_nnn/surge-collect
 | 1,2 | Process | <Tanium Client>/Downloads/Action_nnn/surge.dat
 | 1 | Process | <Tanium Client>/Downloads/Action_nnn/osxpmem.app/osxpmem
 | 1 | Process | <Tanium Client>/Downloads/Action_nnn/taniumfiletransfer
 | 7.2.x clients | Process | <Tanium Client>/python27/python
 | 7.4.x clients | Process | <Tanium Client>/python38/python
Linux x86 or x64 endpoints | | Process | <Tanium Client>/Tools/EPI/TaniumExecWrapper
 | | Process | <Tanium Client>/Tools/IR/TaniumExecWrapper
 | | Process | <Tanium Client>/Tools/EPI/TaniumEndpointIndex
 | 1,2 | Process | <Tanium Client>/Downloads/Action_nnn/surge-collect
 | 1,2 | Process | <Tanium Client>/Downloads/Action_nnn/surge.dat
 | 1 | Process | <Tanium Client>/Downloads/Action_nnn/linpmem-<version>.bin
 | 1 | Process | <Tanium Client>/Downloads/Action_nnn/taniumfiletransfer
 | 7.2.x clients | Process | <Tanium Client>/python27/python
 | 7.4.x clients | Process | <Tanium Client>/python38/python

1 = Where nnn corresponds to the action ID.

2 = Exception is required if Volexity Surge is used for memory collection.

3 = TPython requires SHA2 support to allow installation.
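As an added example (not Tanium's or Demisto's code), the following Python turns the documented exclusion entries into patterns and reports which observed process paths they cover, so an analyst can confirm an exclusion is as narrow as the table and spot a documented binary name running from an undocumented location. The install directories, action IDs and observed paths are constructed for the demo.

```python
# Added example (not Tanium's code): check observed process paths against the
# documented Tanium IR exclusion list. <Tanium Client> is the client install
# directory, Action_nnn carries the action ID (footnote 1) and <version> is a
# release string, so these placeholders become patterns instead of literal text.
import re

# Entries copied from the exclusion table (footnote markers dropped).
WINDOWS_EXCLUSIONS = [
    r"<Tanium Client>\Tools\IR\TaniumPersistenceAnalyzer.exe",
    r"<Tanium Client>\Downloads\Action_nnn\TaniumFileTransfer.exe",
    r"<Tanium Client>\Python38\TPython.exe",
]
LINUX_EXCLUSIONS = [
    "<Tanium Client>/Downloads/Action_nnn/linpmem-<version>.bin",
    "<Tanium Client>/python38/python",
]
PLACEHOLDERS = {"Action_nnn": r"Action_\d+", "<version>": r"[^/\\]+"}
WIN_CLIENT = r"C:\Program Files (x86)\Tanium\Tanium Client"  # constructed install path
OBSERVED_WINDOWS = [  # constructed process paths
    r"C:\Program Files (x86)\Tanium\Tanium Client\Downloads\Action_1234\TaniumFileTransfer.exe",
    "C:/program files (x86)/tanium/tanium client/python38/tpython.exe",  # case/separator differ
    r"C:\Users\Public\TaniumFileTransfer.exe",  # documented name, undocumented location
]
LINUX_CLIENT = "/opt/Tanium/TaniumClient"  # constructed install path
OBSERVED_LINUX = [  # constructed process paths
    "/opt/Tanium/TaniumClient/Downloads/Action_77/linpmem-1.2.3.bin",
    "/opt/Tanium/TaniumClient/python38/Python",  # Linux paths are case-sensitive
]

def _norm(path, windows):
    # Windows accepts either separator; case is handled by the regex flag.
    return path.replace("/", "\\") if windows else path

def compile_exclusion(entry, client_dir, windows):
    """Build an anchored regex for one table entry, expanding the placeholders."""
    out = []
    for part in re.split(r"(<Tanium Client>|Action_nnn|<version>)", entry):
        if part == "<Tanium Client>":
            out.append(re.escape(_norm(client_dir, windows)))
        else:
            out.append(PLACEHOLDERS.get(part) or re.escape(_norm(part, windows)))
    return re.compile("".join(out), re.IGNORECASE if windows else 0)

def coverage_report(observed, exclusions, client_dir, windows):
    """Return (covered, uncovered): paths matched by a documented exclusion, and paths that are not and need review."""
    compiled = [compile_exclusion(e, client_dir, windows) for e in exclusions]
    covered, uncovered = [], []
    for path in observed:
        hit = any(p.fullmatch(_norm(path, windows)) for p in compiled)
        (covered if hit else uncovered).append(path)
    return covered, uncovered
```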


Internet URLs

If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must whitelist the following URL:

  • content.tanium.com

User role requirements

Incident Response Advanced user role permissions
Permission | Content Set for Permission | Incident Response Administrator / Incident Response User / Incident Response Read Only User
Ask Dynamic Questions | | ***
Read Action | Incident Response |
Read Package | Incident Response | *
Read Saved Question | Incident Response | *
Read Sensor | Incident Response | *
Write Action | Incident Response |
Write Action for Saved Questions | Incident Response |
Write Package | Incident Response |
Write Saved Question | Incident Response |
Write Sensor | Incident Response |

‡ To install IR solutions, you must have the Import Signed Content micro admin permission (Tanium Core Platform 7.4 or later) or the reserved role of Administrator.

* Requires permissions for the Interact module to ask questions, see results, and drill-down to endpoints.

Index Advanced user role permissions
Permission | Content Set for Permission | Index Administrator / Index User / Index Read Only User
Ask Dynamic Questions | | ***
Read Action | Index |
Read Package | Index | *
Read Saved Question | Index | **
Read Sensor | Index | **
Write Action | Index |
Write Action for Saved Questions | Index |
Write Package | Index |
Write Saved Question | Index |
Write Sensor | Index |

‡ To install IR solutions, you must have the Import Signed Content micro admin permission (Tanium Core Platform 7.4 or later) or the reserved role of Administrator.

* Requires permissions for the Interact module to ask questions, see results, and drill-down to endpoints.