Example: Sensor-sourced packages
Sensor-sourced packages are designed like parameterized packages, but take sensor output instead of user input as run-time arguments. The command syntax requires a sensor result that is passed from the Interact Question Results grid when you initiate the action deployment workflow. For example, Start Service - ||Stopped Service|| is a Tanium-provided sensor-sourced package. You can use it in Interact to find endpoints that have stopped services and then deploy an action to start the services.
On the Deploy Action page, the Browse Packages list includes sensor-sourced packages only if your selections in the Question Results grid have a value to pass to the package. In this example, you select a result that has Windows Defender in the Stopped Service column of the grid. Therefore, when you deploy an action, the Start Service - ||Stopped Service|| package appears in the list. If you selected a result with the value [no results] instead, the list would not show that package.
Note that the targeting criteria include the name of the stopped service. This value is passed to the package command line.
In the startservice.vbs script, the value passed to strService must be UTF-8-decoded, just as if it were a parameterized package that took user input. For information on parameterized packages and UTF-8 decoding, see Example: Parameterized packages.
When you configure package settings, specify the name of the sensor in the Command field. Enclose the name with double vertical bars (||), such as ||Stopped Service|| in the following example.
You cannot use a sensor that has an underscore character (_) in the name. The underscore is a delimiter for sensor sub-columns. If the sensor name has an underscore, it causes errors and unexpected results in sensor-sourced packages.
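The following added example (not Tanium code and not part of the original page) checks a package Command field for the ||Sensor Name|| placeholder and underscore rules above, and decodes and validates the value a script would receive. It assumes the value arrives percent-encoded UTF-8; the function names and the rejected-character set are hypothetical, and the logic would be ported into the package script itself.

```python
import re
from urllib.parse import unquote

# ||Sensor Name|| placeholder as written in the package Command field.
PLACEHOLDER = re.compile(r"\|\|\s*(.*?)\s*\|\|")
# Assumed policy: characters that should never reach a service-control call.
FORBIDDEN = set('"&|<>^%\r\n\x00')


def lint_command(command):
    """Return a list of problems with sensor placeholders in a Command field."""
    problems = []
    if command.count("||") % 2:
        problems.append("unbalanced || delimiter")
    names = PLACEHOLDER.findall(command)
    if not names:
        problems.append("no ||Sensor Name|| placeholder found")
    for name in names:
        if not name:
            problems.append("empty sensor name")
        elif "_" in name:
            # Underscore is the delimiter for sensor sub-columns.
            problems.append(f"sensor name contains underscore: {name!r}")
    return problems


def decode_sensor_value(raw, max_len=256):
    """Decode the argument the script receives and reject unsafe values."""
    # Assumption: percent-encoded UTF-8; strict mode rejects malformed bytes.
    value = unquote(raw, encoding="utf-8", errors="strict").strip()
    if not value or value == "[no results]":
        raise ValueError("no sensor value to act on")
    if len(value) > max_len or FORBIDDEN & set(value):
        raise ValueError(f"unexpected characters or length in {value!r}")
    return value


if __name__ == "__main__":
    # Constructed sample Command fields and a constructed encoded argument.
    for cmd in ('cmd /c cscript startservice.vbs "||Stopped Service||"',
                'cmd /c cscript startservice.vbs "||Stopped_Service||"'):
        print(cmd, "->", lint_command(cmd) or "ok")
    print(decode_sensor_value("Windows%20Defender"))
```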
Last updated: 4/7/2020 2:50 PM