Sensor-sourced packages are designed like parameterized packages (see Example: Parameterized packages), but take sensor output instead of user input as run-time arguments. The command syntax requires a sensor result that is passed from the Interact Question Results grid when you initiate the action deployment workflow. For example, Start Service - || Stopped Service || is a Tanium-provided sensor-sourced package. You can issue a question with the Stopped Service sensor to find endpoints that have stopped services and then deploy an action with the Start Service - || Stopped Service || package to start the services.
On the Action Deployment page, the Deployment Package list includes sensor-sourced packages only if your selections in the Question Results grid have a value to pass to the package. For example, if you select a result that has Windows Defender in the Stopped Service column of the grid, the Start Service - ||Stopped Service|| package appears in the Deployment Package list. If you select a result with the value [no results] instead, the list does not show that package.
In the Targeting Criteria section of the Action Deployment page, note that the Target Question includes the name of the stopped service. This value is passed to the package command line.
In the startservice.vbs script, the value passed to strService must be UTF-8-decoded, just as if it were a parameterized package that took user input: see Package script and command-line parameters.
When you configure a sensor-sourced package (see Create a package), add the sensor in the Command field: click Add sensor variable, select a sensor, and click Confirm.
Optionally, you can also add a sensor to the Package Name by typing ||<sensor name>|| in that field. When you deploy an action based on the package, the sensor output determines the Action Name. For example, if you issue a question that uses the sensor Stopped Service, configure an action based on results that have the sensor output Windows Defender Network Inspection Service, and select a package that has the name Start Service - ||Stopped Service||, the Action Name is Deploy Restart Service - Windows Defender Network Inspection Service. If you select results with multiple output values for a sensor,
You cannot use a sensor that has an underscore character (_) in the name. The underscore is a delimiter for sensor sub-columns. If the sensor name has an underscore, it causes errors and unexpected results in sensor-sourced packages.
Last updated: 5/17/2022 2:09 PM | Feedback