Example: Sensor-sourced packages

Sensor-sourced packages are designed like parameterized packages (see Example: Parameterized packages), but take sensor output instead of user input as run-time arguments. The command syntax requires a sensor result that is passed from the Interact Question Results grid when you initiate the action deployment workflow. For example, Start Service - || Stopped Service || is a Tanium-provided sensor-sourced package. You can issue a question with the Stopped Service sensor to find endpoints that have stopped services and then deploy an action with the Start Service - || Stopped Service || package to start the services.

Figure 1: Deploy an action with a sensor-sourced package

On the Action Deployment page, the Deployment Package list includes sensor-sourced packages only if your selections in the Question Results grid have a value to pass to the package. For example, if you select a result that has Windows Defender in the Stopped Service column of the grid, the Start Service - ||Stopped Service|| package appears in the Deployment Package list. If you select a result with the value [no results] instead, the list does not show that package.

Figure 2: Deployment Package list

In the Targeting Criteria section of the Action Deployment page, note that the Target Question includes the name of the stopped service. This value is passed to the package command line.

Figure 3: Targeting Criteria

Package script

In the startservice.vbs script, the value passed to strService must be UTF-8-decoded, just as if it were a parameterized package that took user input. See Package script and command-line parameters.

Figure 4: startservice.vbs script
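The decode step described above, written as a PowerShell package script and followed by validation of the decoded value before it is used. This is an added example, not Tanium's startservice.vbs and not code from this page. It assumes the sensor value arrives as the first argument in percent-encoded UTF-8 form; the helper function names are hypothetical.

```powershell
# Added example, not Tanium's startservice.vbs.
# Assumption: the sensor value is argument 1, percent-encoded as UTF-8.
param(
    [Parameter(Mandatory = $true)]
    [string]$EncodedService
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function ConvertFrom-EncodedArgument {   # hypothetical helper name
    param([string]$Value)
    # UnescapeDataString turns %XX sequences back into UTF-8 text.
    return [System.Uri]::UnescapeDataString($Value)
}

function Resolve-ExactService {          # hypothetical helper name
    param([string]$Requested)
    # The value comes from endpoint-reported sensor output, so treat it as
    # untrusted: reject empty input, control characters and over-long strings
    # (Windows limits service names and display names to 256 characters).
    if ([string]::IsNullOrWhiteSpace($Requested) -or
        $Requested.Length -gt 256 -or
        $Requested -match '\p{Cc}') {
        throw 'Rejected service value from sensor output.'
    }
    # Compare with -eq instead of passing the value to Get-Service -Name,
    # which expands wildcards: a value of "*" would otherwise match every service.
    $found = @(Get-Service | Where-Object {
        $_.Name -eq $Requested -or $_.DisplayName -eq $Requested
    })
    if ($found.Count -ne 1) {
        throw "Expected exactly one matching service, found $($found.Count)."
    }
    return $found[0]
}

$decoded = ConvertFrom-EncodedArgument -Value $EncodedService
$service = Resolve-ExactService -Requested $decoded
if ($service.Status -eq 'Stopped') {
    Start-Service -InputObject $service
    Write-Output "Started service $($service.Name)."
} else {
    Write-Output "Service $($service.Name) is $($service.Status); nothing started."
}
```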

Package settings

When you configure a sensor-sourced package (see Create a package), add the sensor in the Command field: click Add sensor variable, select a sensor, and click Confirm.

Optionally, you can also add a sensor to the Package Name by typing ||<sensor name>|| in that field. When you deploy an action based on the package, the sensor output determines the Action Name. For example, if you issue a question that uses the sensor Stopped Service, configure an action based on results that have the sensor output Windows Defender Network Inspection Service, and select a package that has the name Start Service - ||Stopped Service||, the Action Name is Deploy Restart Service - Windows Defender Network Inspection Service.

If you select results with multiple output values for a sensor, Tanium Cloud or the Tanium Server creates a separate action for each value. For example, if the package name includes the sensor Computer Name, the action deployment workflow automatically creates an action for each endpoint in the selected results because each has a unique computer name. Because you can select a maximum of 100 results for one action deployment, Tanium Cloud or the server creates a maximum of 100 actions for a single package that has a sensor in its name.

Figure 5: Package name and command with sensor output arguments

You cannot use a sensor that has an underscore character (_) in the name. The underscore is a delimiter for sensor sub-columns. If the sensor name has an underscore, it causes errors and unexpected results in sensor-sourced packages.