Tanium Direct Endpoint Connect (DEC)
Direct Endpoint Connect is Tanium's method for diving deeper into events on an endpoint, whether they are performance or security related. Because Tanium's architecture keeps data on the endpoints rather than in a central store, Direct Endpoint Connect is the tool for reaching those full data sets. Before continuing, read the Tanium DEC documentation for an introduction to DEC.
Use Cases
DEC is primarily used to gather the full context of events that surface in the console. For instance, when a SOC analyst wants to understand how a certain alert occurred, a DEC connection lets the user examine the Recorder database (Client Recorder) and the file system.
Here are just a few of the many example use cases for DEC:
- View running processes on an endpoint
- Check endpoint alerts
- Review endpoint performance
- Browse an endpoint file system
- Retrieve files from an endpoint
Getting Started
To start using DEC, the necessary tools must be installed in the console and on the endpoint. Once the tools are installed, administrators will see Direct Connect under the Administration tab. To make connections, first satisfy the requirements in the documentation; the user must then know the IP address or computer name of the desired machines. Once a machine is targeted and Direct Connect is initiated, the console tracks the status to indicate success or failure. Upon success, the user can perform the various actions on the endpoint detailed in the documentation.
If connections fail to initiate, a first step is to check for firewall rules that block line of sight to the Module Server. Review the Tanium DEC Troubleshooting documentation for further considerations.
API Gateway Examples
The following queries and mutations use Direct Connect to connect to a single endpoint, retrieve data, stop a process, and then close the connection. Queries that retrieve information from endpoints require the Performance Module.
Open a connection to an endpoint
The following mutation uses Direct Connect to establish a connection to the endpoint with an ID of 12323. You can retrieve endpoint IDs with the Get endpoints IDs from Tanium Data Service query.
Direct Connect connections close after two minutes of inactivity.
POST /plugin/products/gateway/graphql
Header | Value |
---|---|
Content-Type | application/json |
session | token or session id |
Example request query:
mutation {
openDirectConnection(input: {endpointID: "12323"}) {
connectionID
}
}
Example response body:
{
"data": {
"openDirectConnection": {
"connectionID": "5fc564d6-5767-47fc-abb6-25cba65409d8"
}
}
}
Example cURL request:
curl --request POST \
--url https://tanium_server/plugin/products/gateway/graphql \
--header 'Content-Type: application/json' \
--header 'session: token-0000000000000000000000000000000000000000000000000000000000' \
--data '{"query":"mutation { openDirectConnection(input: { endpointID: 12323 }) { connectionID } }"}'
Example PowerShell request:
$headers = @{}
$headers.Add("Content-Type", "application/json")
$headers.Add("session", "token-0000000000000000000000000000000000000000000000000000000000")
$response = Invoke-RestMethod -Uri 'https://tanium_server/plugin/products/gateway/graphql' -Method POST `
-Headers $headers -ContentType 'application/json' -Body '{"query":"mutation { openDirectConnection(input: { endpointID: 12323 }) { connectionID } }"}'
Example Python request:
import requests
url = "https://tanium_server/plugin/products/gateway/graphql"
payload = "{\"query\":\"mutation { openDirectConnection(input: { endpointID: 12323 }) { connectionID } }\"}"
headers = {
"Content-Type": "application/json",
"session": "token-0000000000000000000000000000000000000000000000000000000000"
}
response = requests.request("POST", url, data=payload, headers=headers)
print(response.text)
Ping the connection to an endpoint
The following mutation retrieves the status of a Direct Connect connection. Use this mutation to check connection details or to keep the connection active. You need the connectionID returned by the openDirectConnection mutation.
Direct Connect connections close after two minutes of inactivity.
POST /plugin/products/gateway/graphql
Header | Value |
---|---|
Content-Type | application/json |
session | token or session id |
Example request query:
mutation ($connectionID: ID!) {
pingDirectConnection(input: {connectionID: $connectionID}) {
result
}
}
Include the connection ID in the QUERY VARIABLES panel:
{
"connectionID": "5fc564d6-5767-47fc-abb6-25cba65409d8"
}
Example response body:
{
"data": {
"pingDirectConnection": {
"result": true
}
}
}
Example cURL request:
curl --request POST \
--url https://tanium_server/plugin/products/gateway/graphql \
--header 'Content-Type: application/json' \
--header 'session: token-0000000000000000000000000000000000000000000000000000000000' \
--data '{"query":"mutation ($connectionID: ID!) { pingDirectConnection(input: {connectionID: $connectionID}) { result } }","variables":{"connectionID":"5fc564d6-5767-47fc-abb6-25cba65409d8"}}'
Example PowerShell request:
$headers = @{}
$headers.Add("Content-Type", "application/json")
$headers.Add("session", "token-0000000000000000000000000000000000000000000000000000000000")
$response = Invoke-RestMethod -Uri 'https://tanium_server/plugin/products/gateway/graphql' -Method POST `
-Headers $headers -ContentType 'application/json' -Body '{"query":"mutation ($connectionID: ID!) { pingDirectConnection(input: {connectionID: $connectionID}) { result } }","variables":{"connectionID":"5fc564d6-5767-47fc-abb6-25cba65409d8"}}'
Example Python request:
import requests
url = "https://tanium_server/plugin/products/gateway/graphql"
payload = "{\"query\":\"mutation ($connectionID: ID!) { pingDirectConnection(input: {connectionID: $connectionID}) { result } }\",\"variables\":{\"connectionID\":\"5fc564d6-5767-47fc-abb6-25cba65409d8\"}}"
headers = {
"Content-Type": "application/json",
"session": "token-0000000000000000000000000000000000000000000000000000000000"
}
response = requests.request("POST", url, data=payload, headers=headers)
print(response.text)
Get CPU Usage from an endpoint
After you establish a connection to an endpoint through Direct Connect, you can query the endpoint for specific information. The following query retrieves the CPU usage on the endpoint:
POST /plugin/products/gateway/graphql
Header | Value |
---|---|
Content-Type | application/json |
session | token or session id |
Example request query:
{
directEndpoint (input : {endpointID: "12323"}) {
performance {
cpuUsagePercent
}
}
}
Example response body:
{
"data": {
"directEndpoint": {
"performance": {
"cpuUsagePercent": 28.751501243887798
}
}
}
}
Example cURL request:
curl --request POST \
--url https://tanium_server/plugin/products/gateway/graphql \
--header 'Content-Type: application/json' \
--header 'session: token-0000000000000000000000000000000000000000000000000000000000' \
--data '{"query":"{directEndpoint (input : {endpointID: \"12323\"}) { performance { cpuUsagePercent } } }","variables":{"connectionID":"5fc564d6-5767-47fc-abb6-25cba65409d8"}}'
Example PowerShell request:
$headers = @{}
$headers.Add("Content-Type", "application/json")
$headers.Add("session", "token-0000000000000000000000000000000000000000000000000000000000")
$response = Invoke-RestMethod -Uri 'https://tanium_server/plugin/products/gateway/graphql' -Method POST `
-Headers $headers -ContentType 'application/json' -Body '{"query":"{directEndpoint (input : {endpointID: \"12323\"}) { performance { cpuUsagePercent } } }","variables":{"connectionID":"5fc564d6-5767-47fc-abb6-25cba65409d8"}}'
Example Python request:
import requests
url = "https://tanium_server/plugin/products/gateway/graphql"
payload = "{\"query\":\"{directEndpoint (input : {endpointID: \\\"12323\\\"}) { performance { cpuUsagePercent } } }\",\"variables\":{\"connectionID\":\"5fc564d6-5767-47fc-abb6-25cba65409d8\"}}"
headers = {
"Content-Type": "application/json",
"session": "token-0000000000000000000000000000000000000000000000000000000000"
}
response = requests.request("POST", url, data=payload, headers=headers)
print(response.text)
Get processes from an endpoint
After you establish a connection to an endpoint through Direct Connect, you can query the endpoint for process information. The following query retrieves the state of all processes running on the endpoint:
POST /plugin/products/gateway/graphql
Header | Value |
---|---|
Content-Type | application/json |
session | token or session id |
Example request query:
{
directEndpoint (input : {endpointID: "12323"}) {
processes {
all {
pid
ppid
name
commandLine
userName
groupName
memoryResidentBytes
}
}
}
}
Example response body:
{
"data": {
"directEndpoint": {
"processes": {
"all": [
{
"pid": 2092,
"ppid": 496,
"name": "TaniumReceiver.exe",
"commandLine": "\"C:\\Program Files\\Tanium\\Tanium Server\\TaniumReceiver.exe\" --service",
"userName": "admin",
"groupName": "test-group",
"memoryResidentBytes": 59842560
},
{
"pid": 5760,
"ppid": 1112,
"name": "TaniumClient.exe",
"commandLine": "\"C:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe\" -c",
"userName": "SYSTEM",
"groupName": "NT AUTHORITY",
"memoryResidentBytes": 17965056
},
{
"pid": 1036,
"ppid": 496,
"name": "TaniumBlobService.exe",
"commandLine": "\"C:\\Program Files\\Tanium\\Tanium Module Server\\services\\blob-service\\TaniumBlobService.exe\"",
"userName": "SYSTEM",
"groupName": "NT AUTHORITY",
"memoryResidentBytes": 7426048
}
]
}
}
}
}
Example cURL request:
curl --request POST \
--url https://tanium_server/plugin/products/gateway/graphql \
--header 'Content-Type: application/json' \
--header 'session: token-0000000000000000000000000000000000000000000000000000000000' \
--data '{"query":"{ directEndpoint (input : {endpointID: \"12323\"}) { processes { all { pid ppid name commandLine userName groupName memoryResidentBytes } } } }","variables":{"connectionID":"5fc564d6-5767-47fc-abb6-25cba65409d8"}}'
Example PowerShell request:
$headers = @{}
$headers.Add("Content-Type", "application/json")
$headers.Add("session", "token-0000000000000000000000000000000000000000000000000000000000")
$response = Invoke-RestMethod -Uri 'https://tanium_server/plugin/products/gateway/graphql' -Method POST `
-Headers $headers -ContentType 'application/json' -Body '{"query":"{ directEndpoint (input : {endpointID: \"12323\"}) { processes { all { pid ppid name commandLine userName groupName memoryResidentBytes } } } }","variables":{"connectionID":"5fc564d6-5767-47fc-abb6-25cba65409d8"}}'
Example Python request:
import requests
url = "https://tanium_server/plugin/products/gateway/graphql"
payload = "{\"query\":\"{ directEndpoint (input : {endpointID: \\\"12323\\\"}) { processes { all { pid ppid name commandLine userName groupName memoryResidentBytes } } } }\",\"variables\":{\"connectionID\":\"5fc564d6-5767-47fc-abb6-25cba65409d8\"}}"
headers = {
"Content-Type": "application/json",
"session": "token-0000000000000000000000000000000000000000000000000000000000"
}
response = requests.request("POST", url, data=payload, headers=headers)
print(response.text)
Get alerts from an endpoint
After you establish a connection to an endpoint through Direct Connect, you can query the endpoint for alert information. The following query retrieves alerts from an endpoint:
POST /plugin/products/gateway/graphql
Header | Value |
---|---|
Content-Type | application/json |
session | token or session id |
Example request query:
{
directEndpoint (input : {endpointID: "12323"}) {
alerts {
all {
schema
key
type
ref
topProcessesExpr
labels
pendingAt
start
resolvedAt
leadup
value
}
}
}
}
Example response body:
{
"data": {
"directEndpoint": {
"alerts": {
"all": [
{
"schema": 1,
"key": "available-mem{heuristic=\"available-mem\"}",
"type": "available-mem",
"ref": null,
"topProcessesExpr": null,
"labels": {
"heuristic": "available-mem"
},
"pendingAt": "2022-03-15T15:54:38.574990164Z",
"start": "2022-03-15T15:54:38.574990164Z",
"resolvedAt": null,
"leadup": 300000000000,
"value": 168.48828125
}
]
}
}
}
}
Example cURL request:
curl --request POST \
--url https://tanium_server/plugin/products/gateway/graphql \
--header 'Content-Type: application/json' \
--header 'session: token-0000000000000000000000000000000000000000000000000000000000' \
--data '{"query":"{ directEndpoint (input : {endpointID: \"12323\"}) { alerts { all { schema key type ref topProcessesExpr labels pendingAt start resolvedAt leadup value } } } }","variables":{"connectionID":"5fc564d6-5767-47fc-abb6-25cba65409d8"}}'
Example PowerShell request:
$headers = @{}
$headers.Add("Content-Type", "application/json")
$headers.Add("session", "token-0000000000000000000000000000000000000000000000000000000000")
$response = Invoke-RestMethod -Uri 'https://tanium_server/plugin/products/gateway/graphql' -Method POST `
-Headers $headers -ContentType 'application/json' -Body '{"query":"{ directEndpoint (input : {endpointID: \"12323\"}) { alerts { all { schema key type ref topProcessesExpr labels pendingAt start resolvedAt leadup value } } } }","variables":{"connectionID":"5fc564d6-5767-47fc-abb6-25cba65409d8"}}'
Example Python request:
import requests
url = "https://tanium_server/plugin/products/gateway/graphql"
payload = "{\"query\":\"{ directEndpoint (input : {endpointID: \\\"12323\\\"}) { alerts { all { schema key type ref topProcessesExpr labels pendingAt start resolvedAt leadup value } } } }\",\"variables\":{\"connectionID\":\"5fc564d6-5767-47fc-abb6-25cba65409d8\"}}"
headers = {
"Content-Type": "application/json",
"session": "token-0000000000000000000000000000000000000000000000000000000000"
}
response = requests.request("POST", url, data=payload, headers=headers)
print(response.text)
Stop a process on an endpoint
After you establish a connection to an endpoint through Direct Connect, you can stop running processes on the endpoint. The following mutation stops a process named notepad.exe on the endpoint. You need the connectionID returned by the openDirectConnection mutation.
POST /plugin/products/gateway/graphql
Header | Value |
---|---|
Content-Type | application/json |
session | token or session id |
Example request query:
mutation {
killProcess(
input: {connectionID: "5fc564d6-5767-47fc-abb6-25cba65409d8", name: "notepad.exe", pid: 7056, signal: SIGKILL}
) {
result
}
}
Example response body:
{
"data": {
"killProcess": {
"result": true
}
}
}
Example cURL request:
curl --request POST \
--url https://tanium_server/plugin/products/gateway/graphql \
--header 'Content-Type: application/json' \
--header 'session: token-0000000000000000000000000000000000000000000000000000000000' \
--data '{"query":"mutation { killProcess( input: {connectionID: \"5fc564d6-5767-47fc-abb6-25cba65409d8\", name: \"notepad.exe\", pid: 7056, signal: SIGKILL} ) { result } }"}'
Example PowerShell request:
$headers = @{}
$headers.Add("Content-Type", "application/json")
$headers.Add("session", "token-0000000000000000000000000000000000000000000000000000000000")
$response = Invoke-RestMethod -Uri 'https://tanium_server/plugin/products/gateway/graphql' -Method POST `
-Headers $headers -ContentType 'application/json' -Body '{"query":"mutation { killProcess( input: {connectionID: \"5fc564d6-5767-47fc-abb6-25cba65409d8\", name: \"notepad.exe\", pid: 7056, signal: SIGKILL} ) { result } }"}'
Example Python request:
import requests
url = "https://tanium_server/plugin/products/gateway/graphql"
payload = "{\"query\":\"mutation { killProcess( input: {connectionID: \\\"5fc564d6-5767-47fc-abb6-25cba65409d8\\\", name: \\\"notepad.exe\\\", pid: 7056, signal: SIGKILL} ) { result } }\"}"
headers = {
"Content-Type": "application/json",
"session": "token-0000000000000000000000000000000000000000000000000000000000"
}
response = requests.request("POST", url, data=payload, headers=headers)
print(response.text)
Close connection to an endpoint
The following mutation closes a Direct Connect connection to an endpoint. You need the connectionID returned by the openDirectConnection mutation to close the connection.
Direct Connect connections close after two minutes of inactivity.
POST /plugin/products/gateway/graphql
Header | Value |
---|---|
Content-Type | application/json |
session | token or session id |
Example request query:
mutation ($connectionID: ID!) {
closeDirectConnection(input: {connectionID: $connectionID}) {
result
}
}
Include the connection ID in the QUERY VARIABLES panel:
{
"connectionID": "5fc564d6-5767-47fc-abb6-25cba65409d8"
}
Example response body:
{
"data": {
"closeDirectConnection": {
"result": true
}
}
}
Example cURL request:
curl --request POST \
--url https://tanium_server/plugin/products/gateway/graphql \
--header 'Content-Type: application/json' \
--header 'session: token-0000000000000000000000000000000000000000000000000000000000' \
--data '{"query":"mutation ($connectionID: ID!) { closeDirectConnection(input: {connectionID: $connectionID}) { result } }","variables":{"connectionID":"5fc564d6-5767-47fc-abb6-25cba65409d8"}}'
Example PowerShell request:
$headers = @{}
$headers.Add("Content-Type", "application/json")
$headers.Add("session", "token-0000000000000000000000000000000000000000000000000000000000")
$response = Invoke-RestMethod -Uri 'https://tanium_server/plugin/products/gateway/graphql' -Method POST `
-Headers $headers -ContentType 'application/json' -Body '{"query":"mutation ($connectionID: ID!) { closeDirectConnection(input: {connectionID: $connectionID}) { result } }","variables":{"connectionID":"5fc564d6-5767-47fc-abb6-25cba65409d8"}}'
Example Python request:
import requests
url = "https://tanium_server/plugin/products/gateway/graphql"
payload = "{\"query\":\"mutation ($connectionID: ID!) { closeDirectConnection(input: {connectionID: $connectionID}) { result } }\",\"variables\":{\"connectionID\":\"5fc564d6-5767-47fc-abb6-25cba65409d8\"}}"
headers = {
"Content-Type": "application/json",
"session": "token-0000000000000000000000000000000000000000000000000000000000"
}
response = requests.request("POST", url, data=payload, headers=headers)
print(response.text)
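An added example (not Tanium's own code) that ties the calls above into one Python session: open the connection, ping only when it is close to the two-minute idle timeout, pull the process list, look up a pid by image name so an analyst can confirm it before any killProcess call, and always close. It assumes that the endpointID input accepts a GraphQL `ID!` variable (the page only shows literals) and uses a constructed fake transport in place of the HTTP POST; to run it against a server, replace `fake_transport` with a function that POSTs `{"query", "variables"}` to the gateway URL with the session header, as the examples on this page do.

```python
import json
import time
from typing import Any, Callable, Dict, List

Transport = Callable[[str, Dict[str, Any]], Dict[str, Any]]  # (query, variables) -> JSON reply
PING_AFTER_SECONDS = 90  # ping well inside the two-minute inactivity timeout
OPEN = "mutation ($id: ID!) { openDirectConnection(input: {endpointID: $id}) { connectionID } }"
PING = "mutation ($c: ID!) { pingDirectConnection(input: {connectionID: $c}) { result } }"
CLOSE = "mutation ($c: ID!) { closeDirectConnection(input: {connectionID: $c}) { result } }"
PROCS = ("query ($id: ID!) { directEndpoint(input: {endpointID: $id}) "
         "{ processes { all { pid ppid name commandLine userName memoryResidentBytes } } } }")

def graphql(transport: Transport, query: str, variables: Dict[str, Any]) -> Dict[str, Any]:
    """Send one operation; a GraphQL-level 'errors' array is a failure, not a result."""
    reply = transport(query, variables)
    if reply.get("errors"):
        raise RuntimeError("GraphQL error: " + json.dumps(reply["errors"]))
    return reply["data"]

class DirectConnectSession:
    """Open on enter, always close on exit, ping only when the session risks idling out."""
    def __init__(self, transport: Transport, endpoint_id: str) -> None:
        self.transport, self.endpoint_id = transport, endpoint_id
        self.connection_id, self.last_activity = None, 0.0
    def __enter__(self) -> "DirectConnectSession":
        data = graphql(self.transport, OPEN, {"id": self.endpoint_id})
        self.connection_id = data["openDirectConnection"]["connectionID"]
        self.last_activity = time.monotonic()
        return self
    def __exit__(self, *exc: Any) -> None:
        graphql(self.transport, CLOSE, {"c": self.connection_id})  # release the endpoint even on error
    def keep_alive(self) -> bool:
        if time.monotonic() - self.last_activity < PING_AFTER_SECONDS:
            return True  # recent traffic already kept the session alive; skip the extra round trip
        ok = graphql(self.transport, PING, {"c": self.connection_id})["pingDirectConnection"]["result"]
        self.last_activity = time.monotonic()
        return ok
    def processes(self) -> List[Dict[str, Any]]:
        self.keep_alive()
        data = graphql(self.transport, PROCS, {"id": self.endpoint_id})
        self.last_activity = time.monotonic()
        return data["directEndpoint"]["processes"]["all"]

def find_pids(procs: List[Dict[str, Any]], name: str) -> List[int]:
    """PIDs for an image name, so the analyst confirms the exact pid before any killProcess call."""
    return [p["pid"] for p in procs if p["name"].lower() == name.lower()]

CONN = "5fc564d6-5767-47fc-abb6-25cba65409d8"
SAMPLE = {  # constructed offline stand-in for the HTTP POST; mirrors the response bodies on this page
    "openDirectConnection": {"data": {"openDirectConnection": {"connectionID": CONN}}},
    "pingDirectConnection": {"data": {"pingDirectConnection": {"result": True}}},
    "closeDirectConnection": {"data": {"closeDirectConnection": {"result": True}}},
    "directEndpoint": {"data": {"directEndpoint": {"processes": {"all": [
        {"pid": 2092, "ppid": 496, "name": "TaniumReceiver.exe", "userName": "admin"},
        {"pid": 5760, "ppid": 1112, "name": "TaniumClient.exe", "userName": "SYSTEM"}]}}}},
}

def fake_transport(query: str, variables: Dict[str, Any]) -> Dict[str, Any]:
    return next((r for op, r in SAMPLE.items() if op in query), {"errors": [{"message": "unknown op"}]})
```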
Get endpoints IDs from Tanium Data Service
The following query retrieves all endpoint IDs from Tanium Data Service. The Direct Connect mutations and queries on this page use the endpoint with an ID of 12323.
POST /plugin/products/gateway/graphql
Header | Value |
---|---|
Content-Type | application/json |
session | token or session id |
Example request query:
{
endpoints {
edges {
node {
id
}
}
}
}
Example response body:
{
"data": {
"endpoints": {
"edges": [
{
"node": {
"id": "12323"
}
},
{
"node": {
"id": "54321"
}
},
{
"node": {
"id": "21212"
}
}
]
}
}
}
Example cURL request:
curl --request POST \
--url https://tanium_server/plugin/products/gateway/graphql \
--header 'Content-Type: application/json' \
--header 'session: token-0000000000000000000000000000000000000000000000000000000000' \
--data '{"query":"{ endpoints { edges { node { id } } } }"}'
Example PowerShell request:
$headers = @{}
$headers.Add("Content-Type", "application/json")
$headers.Add("session", "token-0000000000000000000000000000000000000000000000000000000000")
$response = Invoke-RestMethod -Uri 'https://tanium_server/plugin/products/gateway/graphql' -Method POST -Headers $headers -ContentType 'application/json' -Body '{"query":"{ endpoints { edges { node { id } } } }"}'
Example Python request:
import requests
url = "https://tanium_server/plugin/products/gateway/graphql"
payload = "{\"query\":\"{ endpoints { edges { node { id } } } }\"}"
headers = {
"Content-Type": "application/json",
"session": "token-0000000000000000000000000000000000000000000000000000000000"
}
response = requests.request("POST", url, data=payload, headers=headers)
print(response.text)