Creating remediation tasks

When you create a survey, one question can include a remediation task that the endpoint user can choose to run to resolve an issue. In addition to the default remediation packages that are included with Engage, you can define your own custom remediation tasks that use existing Tanium packages, or packages that you define.

Default remediation tasks

The following remediation tasks are included with Engage.

Restart Endpoint

Restarts the target device.

Clear Microsoft Teams Cache

Clears cache to resolve problems with Microsoft Teams.

Clear DNS Cache

Clears DNS cache to help resolve network issues.

Enable / Disable Fast Start

Enables or disables the Windows OS Fast Start feature.

Restart <application>

Restarts the Cisco Webex, Google Chrome, Microsoft Edge, Microsoft Outlook, Microsoft Teams, Mozilla Firefox, Slack, or Zoom application.

User Disk Cleanup

Performs a light cleanup (empties the Recycle Bin).

Create remediation package

Before you create a remediation task, choose or create a package that you want to deploy as a part of the remediation task.

Tanium packages

To browse the packages that are already in your environment, go to Administration > Packages.

You cannot use sensor-sourced packages as a remediation task. Sensor-sourced packages include a sensor name with pipe characters in the package command, for example: ||Reveal - Confirmed Files_File||

Custom package

To create a custom package that runs in the user space on the endpoint, see Sample: Create remediation package that runs in user space.

For more information about creating and managing packages, see Tanium Console User Guide: Managing packages.

Create remediation task

  1. From the Engage menu, go to Remediations. Click Create Task.

  2. Enter a name, description, and content set to which you want to save the remediation task.
  3. Choose a Windows package to run as a part of the remediation task. Click Add Package and choose a package to run.
  4. Save your changes.

Sample: Create remediation package that runs in user space

Use this sample to create a task that runs in the user space on an endpoint. This script uses the TaniumRunAsUser.exe utility that ships with the Engage tools.

  1. This sample includes a script that opens Notepad in the user context on the endpoint. Create the OpenNotepadAsUser.ps1 file by copying and pasting the following code into a text file.




    param (
        # The SID of the user
        [Parameter(Position = 0, Mandatory = $true)]
        [string] $UserSID
    )

    function Get-SessionFromSid( [string] $UserSID) {
        # Assume that the user has explorer.exe running
        foreach ( $process in (Get-CimInstance Win32_Process -filter "name = 'explorer.exe'")) {
            $owners = (Invoke-CimMethod -InputObject $process -MethodName GetOwnerSid)
            foreach ($owner in (Where-Object -InputObject $owners -Property ReturnValue -EQ 0)) {
                if ($UserSID -eq $owner.SID) {
                    return $process.SessionId
                }
            }
        }
        # No explorer.exe process is owned by this SID
        return $null
    }

    # Exit gracefully if no session was found for the user
    $sessionId = Get-SessionFromSid $UserSID
    if ($null -eq $sessionId) {
        Write-Output "No interactive session found for SID $UserSID"
        exit 0
    }

    # Take note of the extra quotes around the inner command
    $command = "cmd.exe /d /c start ""C:\Windows\notepad.exe"""

    # Note: /sessionid=<value> is one group
    #       /cmd is one group, and has more quotes around $command
    #       /userenv ensures that we will load the user's environment variables
    $arguments = ("/noconsole", "/wrap", "/userenv", "/sessionid=$sessionId", "/cmd ""$command""")

    $fileName = "$Env:TANIUM_CLIENT_ROOT\Tools\Engage\tasks\TaniumRunAsUser.exe"
    Start-Process -FilePath $fileName -ArgumentList $arguments

    Follow these guidelines in your script to prevent potential security issues, such as privilege escalation or malicious code execution:
    • The TaniumRunAsUser.exe file should be run from the default Tanium Client path, at: <Tanium Client>\Tools\Engage\tasks\TaniumRunAsUser.exe. Use the path exactly as it is provided in the OpenNotepadAsUser.ps1 code sample.
    • Any commands that run from within your package file should run from explicitly specified paths that are not writable by non-admin users. For example, the following command uses a path that non-admin users cannot write to:  "<Tanium Client>\Tools\Engage\tasks\TaniumRunAsUser.exe" /noconsole /wrap /userenv /sessionid= /cmd "cmd.exe /d /c start "non\user\writable\path\TARGET_PROCESS""
    • If the TaniumRunAsUser.exe command is run with the /userenv switch, environment variables that are referenced from within the TARGET_PROCESS resolve to the target user’s environment variables. Avoid executing scripts or executable files from within the TARGET_PROCESS using an unreliable path. A path that references user environment variables can lead to execution of unintended files.

    • The self-authored package file code should validate package parameters before appending them directly to other commands.

  2. Create the package in the Tanium console. From the main menu, go to Administration > Packages > New Package.
  3. Enter the package details.
    • Command: cmd.exe /d /c powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive -NoProfile -File $1
    • Verify that Launch this package command in a process group is not selected.
    • Click Add File and upload the OpenNotepadAsUser.ps1 file.
    • Click Add Parameter > Text Input. For the Label, enter User_SID. In the preview, enter PARAM_USER_SID for the default parameter value. Save your changes.
  4. Choose this package when you create your remediation task. See Create remediation task.
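
The guidelines in step 1 ask the script to validate package parameters and to launch only from explicit paths that non-admin users cannot write to. One way to implement both checks before TaniumRunAsUser.exe is called, as an added example that is not part of the Tanium sample; the function names Test-UserSid and Test-TrustedTarget and the demonstration inputs are assumptions:

```powershell
# Added example; Test-UserSid and Test-TrustedTarget are hypothetical helper names.
$AdminSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

function Test-UserSid([string] $Sid) {
    # Strict SID syntax only, so nothing but a SID is ever compared or appended to a command.
    if ($Sid -notmatch '^S-1-\d{1,15}(-\d{1,10}){1,15}$') { return $false }
    try {
        # Let Windows parse it too (rejects out-of-range sub-authorities).
        $null = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $Sid -ErrorAction Stop
        return $true
    } catch { return $false }
}

function Test-TrustedTarget([string] $Path) {
    # Literal, fully qualified path: no environment variables or relative segments.
    if ($Path -notmatch '^[A-Za-z]:\\' -or $Path -match '[%$]|\.\.') { return $false }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }

    # Write-type rights, plus the raw GENERIC_WRITE and GENERIC_ALL bits.
    $rights = [System.Security.AccessControl.FileSystemRights] 'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    $writeMask = [int] $rights -bor 0x50000000
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (([int] $rule.FileSystemRights -band $writeMask) -and ($AdminSids -notcontains $rule.IdentityReference.Value)) {
            return $false   # a non-admin principal can modify or replace the file
        }
    }
    return $true
}

# Constructed inputs: both SIDs and the second path are made up for this demonstration.
foreach ($sid in 'S-1-5-21-1111111111-2222222222-3333333333-1001', 'S-1-5-21-1 extra-argument') {
    '{0} -> {1}' -f $sid, (Test-UserSid $sid)
}
foreach ($target in 'C:\Windows\notepad.exe', '%APPDATA%\helper.exe') {
    '{0} -> {1}' -f $target, (Test-TrustedTarget $target)
}
```

Test-TrustedTarget inspects the ACL of the file itself; the directories that contain it need the same review, because write access to a parent folder allows the file to be replaced.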