Example: Sensor-sourced packages

Sensor-sourced packages are designed like parameterized packages, but take sensor output instead of user input as run-time arguments. The command syntax requires a sensor result that is passed from the Interact Question Results grid when you initiate the action deployment workflow. For example, Start Service - || Stopped Service || is a Tanium-provided sensor-sourced package. You can use it in Interact to find endpoints that have stopped services and then deploy an action to start the services.

Figure  1:  Deploy an action with a sensor-sourced package

On the Deploy Action page, the Browse Packages list includes sensor-sourced packages only if your selections in the Question Results grid have a value to pass to the package. In this example, you select a result that has Windows Defender in the Stopped Service column of the grid. Therefore, when you deploy an action, the Start Service - ||Stopped Service|| package appears in the list. If you selected a result with the value [no results] instead, the list would not show that package.

Figure  2:  Browse Packages list

Note the targeting criteria includes the name of the stopped service. This value is passed to the package command line.

Figure  3:  Targeting Criteria

Script

In the startservice.vbs script, the value passed to strService must be UTF-8-decoded, just as if it were a parameterized package that took user input. For information on parameterized packages and UTF-8 decoding, see Example: Parameterized packages.

Figure  4:  startservice.vbs script

Settings

When you configure package settings, specify the name of the sensor in the Command field. Enclose the name with double vertical bars (||), such as ||Stopped Service|| in the following example.

Figure  5:  Package command with sensor output arguments

You cannot use a sensor that has an underscore character (_) in the name. The underscore is a delimiter for sensor sub-columns. If the sensor name has an underscore, it causes errors and unexpected results in sensor-sourced packages.