Tanium Sensor Inventory
The table below is a list of all Sensors you can read from the Tanium API and the Content Set it is included with.
Name | Content Set | Type | Solutions | Description |
---|---|---|---|---|
Account Lockouts Security Event Log Search | Incident Response | Sensor | Tanium Threat Response | Retrieves lockout events from the Windows Security Event log, in a specified time period. Also retrieves attempts to authenticate with a locked-out account. (Requires enabling account lockout auditing.) |
Action Lock Status | Base | Sensor | Tanium Default Content | Returns whether the client is in a 'locked' state. Use the package "Tanium Client Action Unlock" to unlock the Client and allow actions. Example: Action Lock On |
Action Statuses | Reserved | Sensor | Tanium Default Content | The recorded state of each action a client has taken recently in the form of id:status. Example: 1:Completed |
Activation Lock Status | Core Content | Sensor | Tanium Core Content | Returns Enabled/Disabled based on whether or not Activation Lock is Enabled. MacOS only. |
Active Devices | Core Content | Sensor | Tanium Core Content | All hardware devices currently in use by a computer. Example: Microsoft PS/2 Mouse |
AD Distinguished Name | Core Content | Sensor | Tanium Core Content | The full Active Directory distinguished name for the computer Example: CN=Win8-test5,CN=Computers,DC=corp,DC=com |
AD Domain | Core Content | Sensor | Tanium Core Content | The Active Directory domain name (if any) that the computer is joined to. Example: intra.company.com |
AD Forest | Core Content | Sensor | Tanium Core Content | Returns the name of the Active Directory Forest that a machine is a member of. This may produce the same value that the Sensor named AD Domain produces. Example: corp.domain.com |
AD Organizational Unit | Core Content | Sensor | Tanium Core Content | The Active Directory organizational unit (OU) where the machine is located. Example: CN=Computers,DC=corp,DC=com |
AD Query - Computer Attributes | Core AD Query Content | Sensor | Tanium Core ADQuery Content | The value of the specified attribute of the computer's Active Directory object. This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Query - Computer Group Memberships | Core AD Query Content | Sensor | Tanium Core ADQuery Content | All Active Directory group memberships the computer is a member of -both explicitly and implicitly. Nested groups are also returned. The group is returned in NT format (SomeDomain\SomeGroup). The sensor returns the group's Well Known Name. This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Query - Computer Groups | Core AD Query Content | Sensor | Tanium Core ADQuery Content | The distinguishedName of any Active Directory groups the computer is explicitly a member of (no nested groups). Also returns the computer's Primary Group. The group is returned from the memberOf attribute and is in RFC 1779 format (CN=TestGroup,OU=Sales,DC=MyDomain,DC=com). This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Query - Computer Has Group Membership | Core AD Query Content | Sensor | Tanium Core ADQuery Content | Searches the computer's group inventory for membership in the specified group(s). Returns True if the computer is a member of the Active Directory group. Returns False if no match was found. The default comparison is performed on the group's Well Known Name. This may be overridden by prefacing the Group input with 'name:' - causing a compare to be performed on the group's non-translated name. The group name may be specified as groupname or domain\groupname syntax. Multiple groups may be specified if separated by a comma. Ex: groupname,corp\groupname RegEx based comparisons are also supported. Prefacing the Group input with 'regex:' will cause a RegEx compare to be performed. Ex: regex:name:domain.* (compare the Name attribute for a match on the provided regex) Ex: regex:domain.* (compare the Well Known Name attribute for a match on the provided regex) This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Query - Computer Site Name | Core AD Query Content | Sensor | Tanium Core ADQuery Content | The computer's Active Directory Site Name This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Query - Domain Controller | Core AD Query Content | Sensor | Tanium Core ADQuery Content | The name of the Active Directory Domain Controller responding to queries. This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Query - Domain Controller Site Name | Core AD Query Content | Sensor | Tanium Core ADQuery Content | The Active Directory Site Name of the Domain Controller responding to queries. This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Query - Has Stale Results | Core AD Query Content | Sensor | Tanium Core ADQuery Content | Returns True/False value based on the time the AD Query XML files were generated and a time period the Active Directory data should be considered stale. This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Query - Last Logged In User Date | Core AD Query Content | Sensor | Tanium Core ADQuery Content | The date when the last user logged into the system This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Query - Last Logged In User Name | Core AD Query Content | Sensor | Tanium Core ADQuery Content | The domain\name of the last user to log into the system This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Query - Last Logged In User Time | Core AD Query Content | Sensor | Tanium Core ADQuery Content | The time when the last user logged into the system This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Query - Last Run Status | Core AD Query Content | Sensor | Tanium Core ADQuery Content | Status information recorded when the inventory script last ran. This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Query - Last Run Timing | Core AD Query Content | Sensor | Tanium Core ADQuery Content | How long the inventory script ran start to finish. This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Query - Local Administrators | Core AD Query Content | Sensor | Tanium Core ADQuery Content | Users and groups who are a member of the local Administrators group. The sensor returns the Well Known Name of users and groups. This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Query - Local Group Membership | Core AD Query Content | Sensor | Tanium Core ADQuery Content | Searches local group inventory to return group names and membership. The sensor returns the Well Known Name of users and groups who are a member of the specified group(s). Input 'all' in the Groups field to return all inventoried groups. The group's name should be specified as groupname syntax. Multiple groups may be specified if separated by a comma. Ex: groupname1,groupname2 The default comparison is performed on the group's Well Known Name. This may be overridden by prefacing the Groups input with 'name:' - causing a compare to be performed on the group's non-translated name. The default member name returned is the member's Well Known Name. This may be overridden by appending the Groups input with ':name' - causing the member's non-translated name to be returned. This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Query - Local Groups | Core AD Query Content | Sensor | Tanium Core ADQuery Content | The names of all local groups. No group members are returned. The sensor returns the group's Well Known Name. This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Query - Local Objects Potentially Renamed | Core AD Query Content | Sensor | Tanium Core ADQuery Content | A multi-column list containing current object name, the well known name of the object, the object type, the system locale ID, and the system locale strings. This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Query - Local User Account Control Flags | Core AD Query Content | Sensor | Tanium Core ADQuery Content | Parses the UserFlags attribute of local user accounts to report the following account control flags: account disabled allow encrypted password expire password has logon script password expired password required smartcard required user can change password The sensor's default behavior checks the Well Known Name of users. Prefacing the User input with 'name:' will cause the sensor to search the non-translated name. Input 'all' into the Users field to return the account control value from all inventoried users. This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Query - Local Users | Core AD Query Content | Sensor | Tanium Core ADQuery Content | Listing of all local users. The sensor returns the Well Known Name of local users. This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Query - Logged In User Details | Core AD Query Content | Sensor | Tanium Core ADQuery Content | The following Active Directory attributes of the logged-in user: name (cn or name), department, co (country), city (l), email (mail), and telephoneNumber. This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Query - Logged In User Group Memberships | Core AD Query Content | Sensor | Tanium Core ADQuery Content | All group memberships the logged in user is a member of -both explicitly and implicitly. Nested groups are also returned. The group is returned in NT format (SomeDomain\SomeGroup). The sensor returns the group's Well Known Name. This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Query - Logged In User Groups | Core AD Query Content | Sensor | Tanium Core ADQuery Content | The distinguishedName of any Active Directory groups the user is explicitly a member of (no nested groups). Also returns the user's Primary Group. The group is returned from the memberOf attribute and is in RFC 1779 format (CN=TestGroup,OU=Sales,DC=MyDomain,DC=com). This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Query - Mismatched Site Names | Core AD Query Content | Sensor | Tanium Core ADQuery Content | Determines if there is an Active Directory Site Name mis-match between the computer and the Domain Controller responding to queries. This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Query - Primary User | Core AD Query Content | Sensor | Tanium Core ADQuery Content | The computer's primary user The sensor returns the Well Known Name of the primary user. This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Query - Primary User Details | Core AD Query Content | Sensor | Tanium Core ADQuery Content | The following Active Directory attributes of the primary user: name (cn or name), department, co (country), city (l), email (mail), and telephoneNumber. This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Query - Primary User Email Addresses | Core AD Query Content | Sensor | Tanium Core ADQuery Content | Gets the email addresses of the primary user from the mail and ProxyAddresses Active Directory attributes. This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Query - Primary User Group Memberships | Core AD Query Content | Sensor | Tanium Core ADQuery Content | All groups the primary user of the computer is a member of -both explicitly and implicitly. Nested groups are also returned. The group is returned in NT format (SomeDomain\SomeGroup). The sensor returns the group's Well Known Name. This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Query - Primary User Groups | Core AD Query Content | Sensor | Tanium Core ADQuery Content | The distinguishedName of Active Directory group memberships for the computer's primary user. The groups returned are those which the user is explicitly a member of (no nested groups). Also returns the user's Primary Group. The group is returned from the memberOf attribute and is in RFC 1779 format (CN=TestGroup,OU=Sales,DC=MyDomain,DC=com). This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Query - Primary User Has Group Membership | Core AD Query Content | Sensor | Tanium Core ADQuery Content | Searches Primary User group inventory for membership. Returns True if the user is a member of the group. Returns False if no match was found. The default comparison is performed on the group's Well Known Name. This may be overridden by prefacing the Groups input with 'name:' - causing a compare to be performed on the group's non-translated name. The group may be a local group or an Active Directory group. The group name may be specified as groupname or domain\groupname syntax. Multiple groups may be specified if separated by a comma. Ex: groupname,corp\groupname RegEx based comparisons are also supported. Prefacing the Groups input with 'regex:' will cause a RegEx compare to be performed. Ex: regex:name:domain.* (compare the Name attribute for a match on the provided regex) Ex: regex:domain.* (compare the Well Known Name attribute for a match on the provided regex) This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Query - User Attribute Inventory | Core AD Query Content | Sensor | Tanium Core ADQuery Content | Returns the user name, the name of inventoried attributes and their value. Input 'all' in the User field to return the attribute value for all inventoried users. Input 'Primary' in the User field to return the attribute value for the primary user. Input 'Current' in the User field to return the attribute value for all current user. The user may be a local account or an Active Directory account. The attribute may be a local attribute or Active Directory attribute. The sensor's default behavior searches the user's Well Known Name. Prefacing the User input with 'name:' will cause the sensor to search the non-translated name. This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Query - User Attributes | Core AD Query Content | Sensor | Tanium Core ADQuery Content | Returns the value of the attribute for the user. The user may be a local account or an Active Directory account. The attribute may be a local or Active Directory attribute. Input 'all' in the User field to return the attribute value for all inventoried users. The default comparison is performed on the user's Well Known Name. This may be overridden by prefacing the User input with 'name:' - causing a compare to be performed on the user's non-translated name. The user name may be specified as username or domain\username syntax. Multiple users may be specified if separated by a comma. Ex: username,corp\username RegEx based comparisons are also supported. Prefacing the User input with 'regex:' will cause a RegEx compare to be performed. Ex: regex:name:username.* (compare the Name attribute for a match on the provided regex) Ex: regex:username.* (compare the Well Known Name attribute for a match on the provided regex) This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Query - User Group Memberships | Core AD Query Content | Sensor | Tanium Core ADQuery Content | All group memberships the specified user is a member of -both explicitly and implicitly. Nested groups are also returned. The result is returned in NT format as UserDomain\UserName|GroupDomain\GroupName. The sensor's default behavior checks the Well Known Name of users and returns the Well Known Name of any groups the user is a member of. Prefacing the User input with 'name:' will cause the sensor to search the non-translated name. User names may be specified as username, domain\username. Multiple users may be specified if separated by a comma. Ex: user,Local\user,corp\user,.\user Input 'all' into the Users field to return group membership of all inventoried users. This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Query - User Has Group Membership | Core AD Query Content | Sensor | Tanium Core ADQuery Content | Searches user group inventory for membership. Returns True if the user is a member of the group. Returns False if no match was found. The default comparison is performed on the user's and group's Well Known Name. This may be overridden by prefacing the Users or Groups input with 'name:' - causing a compare to be performed on the non-translated name. The user may be a local account or an Active Directory account. The user may be specified as username and domain\username syntax. Input 'any' in the Users field to test any inventoried user for membership. Multiple users may be specified when separated by a comma. Ex: user,Local\localuser,corp\user,.\user The group may be a local group or an Active Directory group. The group may be specified as groupname and domain\groupname syntax. Multiple groups may be specified if separated by a comma. Ex: group,Local\group,corp\group,.\group RegEx based comparisons are also supported. Prefacing the Users or Groups input with 'regex:' will cause a RegEx compare to be performed. Ex: regex:name:somename.* (compare the Name attribute for a match on the provided regex) Ex: regex:somename.* (compare the Well Known Name attribute for a match on the provided regex) This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory. |
AD Short Domain | Core Content | Sensor | Tanium Core Content | Returns the short, NetBIOS name of a machine's domain. Example: CORP |
AnyConnect VPN Status | Core Content | Sensor | Tanium Core Content | Returns the status of the AnyConnect Network Connect VPN Adapter |
Applicable Patches | Patch Service Objects | Sensor | Tanium Patch | Returns a row for every applicable patch on an endpoint Example: a5aa3417baf0e1e0672dd70abacee6ea|MSXML 6.0 RTM Security Update (925673)|Not Installed|True|Critical|4/4/2012|MS06-061|1853208|07609d43-d518-4e77-856e-d1b316d1b8a8|KB925673|CVE-2006-4686 CVE-2006-4685|http://www.download.windowsupdate.com/msdownload/update/v3-19990518/cabpool/msxml6-kb925673-enu-amd64_cc347d98b9fe1e417cb73f0ddf004d1f94a4bfcf.exe|msxml6-kb925673-enu-amd64_cc347d98b9fe1e417cb73f0ddf004d1f94a4bfcf.exe|False|Windows|Windows Server 2012 R2|Security Updates |
Application Crashes in Last X Days | Core Content | Sensor | Tanium Core Content | A parameterized Sensor that queries for any processes that have crashed in the last X days. Example: chrome.exe |
Application Crashes Yesterday | Core Content | Sensor | Tanium Core Content | A multi-column Sensor that shows processes that have crashed yesterday, including the instance number to capture multiple crashes by the same process. Example: firefox.exe | 3 |
AppLocker - Application Control Enabled | Core Content | Sensor | Tanium Core Content | Returns True for Windows endpoints with any AppLocker Policy configured and running Application Identity Service |
ARP Cache | Incident Response | Sensor | Tanium Threat Response | Returns the current arp cache values, and whether the values are static or dynamic. Example: 172.16.173.1|00-50-56-c0-00-08|dynamic |
Asset SIU - Installed Product Usage Details | Asset | Sensor | Tanium Asset | Lists the usage information of installed products |
Asset SIU Installed Products | Asset | Sensor | Tanium Asset | Lists the installed products found on the endpoint. |
Asset SIU Product Usage | Asset | Sensor | Tanium Asset | Lists usage of tracked products on the endpoint. |
Asset SQL Server Details | Asset | Sensor | Tanium Asset | Returns SQL Server Instance Details Example: Standard Edition|RTM-GDR|13.0.1742.0|Microsoft SQL Server 2016 (RTM-GDR)|MSSQLSERVER |
Attached Battery | Core Content | Sensor | Tanium Core Content | Device name for any attached batteries for a machine, commonly found in laptops. Example: DELL V57XN24 |
Audio Controller | Core Content | Sensor | Tanium Core Content | Description of the onboard audio controller for the computer. Example: Intel(R) High Definition Audio Controller |
Auditd Reload Required | Core Content | Sensor | Tanium Core Content | The sensor uses augenrules --check to determine if auditd needs a reload for new rule configurations. It returns "True" if a reload is needed, and "False" if not. Note: This sensor only compares the rules files in the 'rules.d' directory with the combined 'audit.rules' file. It does not check the rules that are currently active in the kernel against the 'audit.rules' file. Example: True |
Authenticated Root Volume Status | Core Content | Sensor | Tanium Core Content | Returns True/False based on the output of csrutil authenticated-root status. MacOS only. |
AutoRun Files | Incident Response | Sensor | Tanium Threat Response | Returns a subset of the AutoRuns data, specifically the name of each AutoRun file and the cryptographic hash of the file (e.g. MD5, SHA256). Note: This sensor uses cached data; this cached data can be regenerated with the "Incident Response - Generate Autorun Cache [Windows]" package. |
AutoRun Program Details | Incident Response | Sensor | Tanium Threat Response | Retrieves information about the Autorun applications found in the Windows Registry. Note: This sensor uses cached data; this cached data can be regenerated with the "Incident Response - Generate Autorun Cache [Windows]" package. |
Autoruns by Category | Incident Response | Sensor | Tanium Threat Response | Retrieves Autorun data for the enabled auto-start extension points (ASEPs). Use parameters to specify the category and hash for each ASEP. Note: This sensor uses cached data; this cached data can be regenerated with the "Incident Response - Generate Autorun Cache [Windows]" package. |
Average Alerts Benchmark Metric | Benchmark | Virtual Sensor | Benchmark | Average Alerts Data |
Battery Details | Core Content | Sensor | Tanium Core Content | Get battery health from machines with batteries installed. |
Benchmark - Certificate Audit Port Exclusions | Benchmark | Sensor | Tanium Benchmark | Returns exclusions applied to a particular endpoint; It is possible to configure a particular endpoint to exclude specific ports from the audit scan if the target application is too fragile to scan. Example: 443,8443 |
BIOS Current Language | Core Content | Sensor | Tanium Core Content | Currently configured language for the BIOS. Example: en|US|iso8859-1 |
BIOS Name | Core Content | Sensor | Tanium Core Content | Name of BIOS. Example: Phoenix ROM BIOS PLUS Version 1.10 A10 |
BIOS Release Date | Core Content | Sensor | Tanium Core Content | Release date of the BIOS. Example: 2008-12-25 |
BIOS Vendor | Core Content | Sensor | Tanium Core Content | Manufacturer or vendor of the BIOS. Example: Dell, Inc. |
BIOS Version | Core Content | Sensor | Tanium Core Content | Version of the BIOS. Example: A11 |
BitLocker Details | Core Content | Sensor | Tanium Core Content | Returns information on the BitLocker status of a machine. Example: Drive | Device ID | Encryption Method |
Bluetooth MAC Address | Core Content | Sensor | Tanium Core Content | Returns the MAC address of the system's Bluetooth Controller. Example: 88:66:5A:11:EE:13. |
Boot Device | Core Content | Sensor | Tanium Core Content | Hard disk device that the operating system uses to boot from. Example: \Device\HarddiskVolume1 |
Boot Time | Core Content | Sensor | Tanium Core Content | The amount of time, in seconds, that the last boot of this machine took. Example: 100 |
Bootstrap Token Status | Core Content | Sensor | Tanium Core Content | Return Bootstrap Token details for Mac endpoints. Example: Supported|Escrowed |
CD-ROM Drive | Core Content | Sensor | Tanium Core Content | Name of any installed CD-ROM or DVD-ROM drives. Example: SONY DVD-ROM DDU1615 ATA Device |
CD-ROM Drive Loaded | Core Content | Sensor | Tanium Core Content | Checks if CD-ROM/DVD-ROM drive is loaded. Example: True or False |
Certificate Audit Age | Certificate Manager | Sensor | Tanium Certificate Manager | Returns age of the audit data in days. Example: 12 |
Certificate Audit Port Exclusions | Certificate Manager | Sensor | Tanium Certificate Manager | Returns exclusions applied to a particular endpoint; It is possible to configure a particular endpoint to exclude specific ports from the audit scan if the target application is too fragile to scan. Example: 443,8443 |
Certificate Audit Status | Certificate Manager | Sensor | Tanium Certificate Manager | Reports on basic configuration and audit execution of the Certificate Audit package. |
Certificate Details | Certificate Manager | Sensor | Tanium Certificate Manager | Returns Source, Location, Subject, Issuer, Not Before, Not After, Expiration Status, Public Key Algorithm, Public Key Bit Size, Signature Algorithm, Signature Hash Algorithm, and Subject Alternative Name for all scanned Certificates. Example: CertStore~Root~Organizational Unit: Class 3 Public Primary Certification Authority~Organization: VeriSign, Inc.~1996-01-29~2028-08-01~Expiring in over a year~rsa~1024~rsassa_pkcs1v15~md2~None Not Before and Not After timestamps are in UTC. |
Certificate Duration | Certificate Manager | Sensor | Tanium Certificate Manager | Returns Certificate Source, Location, Expiration Status, and Days Until Expiration. Example: Listen Port~443~Expired~0 |
Certificate Expiry | Certificate Manager | Sensor | Tanium Certificate Manager | Returns Certificate Source, Location, Expiration Status, and Days Until Expiration. Example: Listen Port~443~Expired~0 |
Certificate Manager - Coverage Status Details | Certificate Manager | Sensor | Tanium Certificate Manager | Details of Certificate Manager tools on endpoints. Shows whether the Certificate Manager tools are working correctly, in a sub-optimal state, or not functioning at all. Additionally, the sensor surfaces details of why the endpoint needs attention. |
Certificate Manager - SSL Certificate CA Short Name | Certificate Manager | Sensor | Tanium Certificate Manager | Returns a shortened Certificate Authority name used by Tanium Benchmark. This sensor returns Organization Name if it exists, else it returns the Common Name. |
Certificate Manager - SSL Certificate Cipher Suite Details | Certificate Manager | Sensor | Tanium Certificate Manager | Returns the SSL Protocol and available cipher suites available on each port. Example:TLS1.2~TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256~deflate~false~8089~httpd~Apache HTTPD~True |
Certificate Manager - SSL Certificate Details | Certificate Manager | Sensor | Tanium Certificate Manager | Returns Port, Not Before, Not After, Public Key Algorithm, Public Key Bit Size, Signature Algorithm, Signature Hash Algorithm, Subject, Issuer, Authorization Status, Root Authority Subject Name, Root Authority Subject Key Identifier, Serial Number, SHA1 Fingerprint for all SSL/TLS Certificates. Example: 17500,2022-08-31,2027-08-30,rsa,2048,rsassa_pkcs1v15,sha256,Common Name: Win2019SQL,Common Name: Win2019SQL,Self Signed,None,None,6abcc674c081175e53,3092f464401549c25902dcce5a5ed9e39a4fc0c8 Not Before and Not After timestamps are in UTC. |
Certificate Manager - SSL Certificate Expiration | Certificate Manager | Sensor | Tanium Certificate Manager | Returns bucketed number of days until certificate expires. Example: 443,91-180 |
Certificate Manager - SSL Certificate Process Details | Certificate Manager | Sensor | Tanium Certificate Manager | Returns Port, Not Before, Not After, Subject, Issuer, Authorization Status, Root Authority Subject Name, Root Authority Subject Key Identifier, Owning Process, Owning Process Description for all SSL Certificates. Example: 631,2022-06-17,2032-06-14,Locality: Unknown, State/Province: Unknown, Organizational Unit: Unknown, Organization: cx-centos83-consolidated, Common Name: cx-centos83-consolidated, Country: US,Locality: Unknown, State/Province: Unknown, Organizational Unit: Unknown, Organization: cx-centos83-consolidated, Common Name: cx-centos83-consolidated, Country: US,self signed,None,None,cupsd,cupsd |
Certificate Manager - SSL Certificate Subject | Certificate Manager | Sensor | Tanium Certificate Manager | Returns the subject field of the certificate in use on the port given as a parameter. Example: Common Name: www.tanium.com |
Certificate Manager - SSL Extended Key Usage | Certificate Manager | Sensor | Tanium Certificate Manager | Returns the Extended Key Usage field for SSL/TLS Certificates. Example: 443~server_auth,client_auth |
Certificate Manager - SSL Key Usage | Certificate Manager | Sensor | Tanium Certificate Manager | Returns the key usage fields for the certificate. Example: 443~digital_signature,key_encipherment,key_cert_sign |
Certificate Manager - SSL Server Key Exchange | Certificate Manager | Sensor | Tanium Certificate Manager | Returns the Key Exchange parameters for each port in use. Example: TLS1.2~TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA~520~443~True |
Certificate Manager - SSL Server Root Certificate Authority | Certificate Manager | Sensor | Tanium Certificate Manager | Returns Port and Subject Key Identifier for all SSL/TLS Certificates. Example: 3389, self signed |
Certificate Manager - SSL Service Cipher Suite Approval | Certificate Manager | Sensor | Tanium Certificate Manager | Returns Port, Process Name, Process Description,Has Unapproved Cipher Suites, Number of Approved and Unapproved Cipher Suites. Example: 443~nginx~nginx~True~14~2 |
Certificate Manager - Supported SSL/TLS Protocols | Certificate Manager | Sensor | Tanium Certificate Manager | Returns a list of active SSL/TLS Protocols. Example: TLS 1.2 |
Certificate Search | Incident Response | Sensor | Tanium Threat Response | Enables searching for installed certificates. You can search by issuer name or SHA1 hash. The default is to return all installed certificates. |
Certificate Thumbprints | Certificate Manager | Sensor | Tanium Certificate Manager | Returns Source, SHA1 Thumbprint, SHA256 Thumbprint, and MD5 Thumbprint for at-rest certificates. |
Chassis Type | Base | Sensor | Tanium Default Content | The machine or chassis type for the machine. Example: Server or Virtual |
Child Processes | Incident Response | Sensor | Tanium Threat Response | Provides a list of child processes for the specified parent process name, as specified by a regular expression. Example: "C:\Windows\System32\cmd.exe|C:\temp\notepad.exe" |
Chrome Extensions | Core Content | Sensor | Tanium Core Content | Returns installed Extensions based on an enumeration of each users profile. Only searches local profiles. |
Chrome Extensions Summary | Core Content | Sensor | Tanium Core Content | Returns distinct list of installed Extensions (including extension ID) based on an enumeration of each users profile. Only searches local profiles. |
Cleared Windows Security Event Log Search | Incident Response | Sensor | Tanium Threat Response | Retrieves events generated when the Windows Security Event Log has been cleared. |
Client Configuration and Support - AIX C++ Runtime | Endpoint Configuration | Sensor | Tanium Endpoint Configuration | Retrieves AIX C++ Runtime version for Client Configuration and Support. |
Client Configuration and Support - AIX Runtime | Endpoint Configuration | Sensor | Tanium Endpoint Configuration | Retrieves AIX Runtime version for Client Configuration and Support. |
Client Configuration and Support - AIX Version | Endpoint Configuration | Sensor | Tanium Endpoint Configuration | Retrieves AIX version for Client Configuration and Support. |
Client Configuration and Support - Glibc Version | Endpoint Configuration | Sensor | Tanium Endpoint Configuration | Returns the version of Glibc for a box |
Client Configuration and Support - Is Container | Endpoint Configuration | Sensor | Tanium Endpoint Configuration | Determines if running within a container for Client Configuration and Support. |
Client Date | Base | Sensor | Tanium Default Content | The calendar date on the managed client. Example: 01/30/2012 |
Client Extensions - Installed Extensions | Endpoint Configuration | Sensor | Tanium Endpoint Configuration | Reports the details of enabled client extensions on the endpoint. Data captured includes the domain, path, and version. Example: config|/opt/Tanium/TaniumClient/extensions/libTaniumConfig.so|1.3.273.0 |
Client Extensions - Status | Endpoint Configuration | Sensor | Tanium Endpoint Configuration | Reports the status of installed client extensions to report back domain, key (name of data point), and value of the key. Examples: core,version,2.5.1011; dec,connection_state,idle; threatresponse,applied_profile,"1,6" |
Client Health - Client Settings | Tanium Client Management | Sensor | Tanium Client Management | Captures Tanium Client settings from endpoints. Example data captured: ServerName, ServerNameList, ServerPort, Server_TLSMode, Resolver, LogVerbosity |
Client Health - Health Failures | Tanium Client Management | Sensor | Tanium Client Management | Reports health check failures from installed client extensions. |
Client Health - Python Version Details | Tanium Client Management | Sensor | Tanium Client Management | Checks which version of Python is installed on the Tanium client. Utilized by TCM for client health check. Example: 3.8 Core Python Version,info,2.1.24.0 |
Client Health - Tanium Client Version | Tanium Client Management | Sensor | Tanium Client Management | Version number of the Tanium Client on the client machine. Example: 4.1.314.7020 |
Client Management - Upgrade Status | Tanium Client Management | Sensor | Tanium Client Management | Reports the status of Tanium Client version upgrades |
Client Time | Base | Sensor | Tanium Default Content | The local time on the managed client. Example: 5:17:44 PM |
Cloud EC2 Instance IAM Role | Core Content | Sensor | Tanium Core Content | Returns the IAM Role information for the instance in AWS. |
Cloud EC2 Instance VPC ID | Core Content | Sensor | Tanium Core Content | Returns information about the VPC ID of the primary interface of the instance in AWS. |
Cloud Instance Account | Core Content | Sensor | Tanium Core Content | Returns the Account information for the instance currently running in AWS, Azure or Google Cloud. |
Cloud Instance Hostname | Core Content | Sensor | Tanium Core Content | Returns the Hostname information for the instance currently running in AWS, Azure or Google Cloud. |
Cloud Instance ID | Core Content | Sensor | Tanium Core Content | Returns the unique ID associated with the instance in AWS, Azure, or GCP. |
Cloud Instance Image | Core Content | Sensor | Tanium Core Content | Returns information about the image used for creation of the instance in AWS, Azure, or GCP. If the result is '[empty string]' on Azure, it may be because image names are only available if the image is deployed from the Azure Image gallery. |
Cloud Instance Launch Time | Discover Content | Virtual Sensor | Discover Content | |
Cloud Instance Network ID | Discover Content | Virtual Sensor | Discover Content | |
Cloud Instance Provider | Core Content | Sensor | Tanium Core Content | Returns the cloud provider currently running the instance on AWS, Azure, or GCP. |
Cloud Instance Public IP | Core Content | Sensor | Tanium Core Content | Returns public IP information for the instance in AWS, Azure, or GCP. |
Cloud Instance Public Keys | Core Content | Sensor | Tanium Core Content | Returns information about the public keys used for the instance in AWS, Azure, or GCP. |
Cloud Instance Region | Core Content | Sensor | Tanium Core Content | Returns information about the region used for the instance in AWS, Azure, or GCP. |
Cloud Instance State | Discover Content | Virtual Sensor | Discover Content | |
Cloud Instance Tags | Core Content | Sensor | Tanium Core Content | Returns tags associated to the instance in AWS and Azure. |
Cloud Instance Type | Core Content | Sensor | Tanium Core Content | Returns the cloud provider designated resource type associated with the instance on AWS, Azure, or GCP. |
Cloud Instance Zone | Core Content | Sensor | Tanium Core Content | Returns information about the zone of the cloud computer instance in AWS, Azure, or GCP. |
Command Line of Process | Incident Response | Sensor | Tanium Threat Response | Returns the command line of any process by process name. Parameter is a regex of the process name. |
Command Line with Hash Match | Incident Response | Sensor | Tanium Threat Response | Retrieves the following information for any running process matching the specified hash: process, command line arguments of the process, and the module used by the process. Example: "explorer.exe|C:\Windows\system32\WINTRUST.dll|C:\Windows\Explorer.EXE " |
Compensating Controls | Risk | Virtual Sensor | Risk | Returns the number of endpoints that are missing each compensating control. |
Compliance Rule Failures | Risk | Virtual Sensor | Risk | |
Comply - All Engine Versions | Comply Deployment | Sensor | Tanium Comply | [DEPRECATED] Returns a pipe-delimited list of engine versions found on an endpoint. The value will be formatted as engine1|version1|engine2|version2. Engine names should be alphabetized. |
Comply - Architecture Type | Comply Deployment | Sensor | Tanium Comply | Returns the type of underlying Architecture for the operating system (powerpc, sparc, x86, x64). |
Comply - Assessment Status | Comply Reporting | Sensor | Tanium Comply | A sensor that returns the status of each assessment on the endpoint. |
Comply - CIS-CAT Results | Comply Reporting | Sensor | Tanium Comply | [DEPRECATED] Returns the configuration compliance results for the given report hash. |
Comply - CIS-CAT Results - Full | Comply Reporting | Sensor | Tanium Comply | [DEPRECATED] Returns the full configuration compliance results for the given report hash. |
Comply - CIS-CAT Vulnerabilities | Comply Reporting | Sensor | Tanium Comply | [DEPRECATED] Returns found vulnerabilities for the given report hash. |
Comply - CIS-CAT Vulnerabilities - Full | Comply Reporting | Sensor | Tanium Comply | [DEPRECATED] Returns found vulnerabilities for the given report hash. |
Comply - Compliance Aggregates | Comply Reporting | Sensor | Tanium Comply | A sensor that aggregates compliance result data from scans |
Comply - Compliance Checks Expanded | Comply Reporting | Virtual Sensor | Comply Reporting | This sensor will return the unique compliance findings present on an endpoint. |
Comply - Compliance Exposure Score | Comply Reporting | Sensor | Tanium Comply | Returns the Compliance Exposure Score (Optimized, Above Average, Average, Below Average, Needs Improvement, Not Scanned). |
Comply - Compliance Findings | Comply Reporting | Sensor | Tanium Comply | This sensor will return the unique compliance findings present on an endpoint. |
Comply - Compliance Findings - First Found | Comply Reporting | Sensor | Tanium Comply | Returns the first found date for all the unique compliance findings present on an endpoint. If the compliance finding state changes (from Pass to Fail, for example), this date will be reset to the new discovery date. |
Comply - Compliance Findings - Last Scan | Comply Reporting | Sensor | Tanium Comply | Returns the last scan date for all the unique compliance findings present on an endpoint. |
Comply - Compliance Findings Details | Comply Reporting | Virtual Sensor | Comply Reporting | This sensor will return the unique compliance findings present on an endpoint. |
Comply - Compliance Findings Expanded | Comply Reporting | Virtual Sensor | Comply Reporting | This sensor will return the unique compliance findings present on an endpoint. |
Comply - Compliance Investigation Details | Comply Reporting | Sensor | Tanium Comply | This sensor will return the actual values that were collected in order to evaluate the test for compliance findings present on an endpoint. |
Comply - Compliance Percentage | Comply Reporting | Sensor | Tanium Comply | Determine the percentage of non-failed checks on the endpoint. |
Comply - Compliance Results | Comply Reporting | Sensor | Tanium Comply | Returns the configuration compliance results for the given report hash. |
Comply - Compliance Results Joined | Comply Reporting | Sensor | Tanium Comply | Returns the configuration compliance results for the given report hash joined into a single field. |
Comply - Configuration Settings | Comply Deployment | Sensor | Tanium Comply | Show current Comply configuration settings on endpoints. |
Comply - Coverage Status | Comply Deployment | Sensor | Tanium Comply | Highlight if Comply isn't deployed or functional on all potential endpoints. |
Comply - Coverage Status Details | Comply Deployment | Sensor | Tanium Comply | Highlight the details if Comply isn't deployed or functional on all potential endpoints. |
Comply - CVE Checks Expanded | Comply Reporting | Virtual Sensor | Comply Reporting | This sensor will return the unique vulnerability findings (CVEs) present on an endpoint. |
Comply - CVE Findings | Comply Reporting | Sensor | Tanium Comply | This sensor will return the unique vulnerability findings (CVEs) present on an endpoint. |
Comply - CVE Findings - Absolute First Found | Comply Reporting | Sensor | Tanium Comply | Returns the absolute first found date for all observed vulnerabilities that the endpoint is currently vulnerable to. The absolute first found date is when the vulnerability was first observed on the endpoint, and will remain unchanged if the vulnerability is ever remediated in the future. |
Comply - CVE Findings - First Found | Comply Reporting | Sensor | Tanium Comply | Returns the first found date for all observed vulnerabilities that the endpoint is currently vulnerable to. If the vulnerability is remediated and detected at a later date, this date will be reset to the new discovery date. |
Comply - CVE Findings - Last Found | Comply Reporting | Sensor | Tanium Comply | Returns the last found date for all observed vulnerabilities that the endpoint is currently vulnerable to. |
Comply - CVE Findings - Last Scan | Comply Reporting | Sensor | Tanium Comply | Returns the last scan date for all observed vulnerabilities that the endpoint is currently vulnerable to. |
Comply - CVE Investigation Details | Comply Reporting | Sensor | Tanium Comply | This sensor will return the actual values that were collected in order to evaluate the test for vulnerability findings (CVEs) present on an endpoint. |
Comply - Endpoint Scan Status | Comply Reporting | Sensor | Tanium Comply | A sensor that returns the scan status of an endpoint for valid scans; stale assessments are not considered. |
Comply - Has Been Scanned | Comply Reporting | Sensor | Tanium Comply | Determines if the endpoint has had a scan in the last 30 days. |
Comply - Has Engine Versions | Comply Deployment | Sensor | Tanium Comply | [DEPRECATED] Returns true/false based on endpoint containing all specified deployment values. |
Comply - Has High Vulnerabilities | Comply Reporting | Sensor | Tanium Comply | [DEPRECATED] A sensor that returns "Vulnerabilities Found" if endpoint has high vulnerabilities (based on CVSS v2 scoring). "No Vulnerabilities Found" otherwise |
Comply - Has Unix prerequisites | Comply Deployment | Sensor | Tanium Comply | Returns whether or not the endpoint has the necessary prerequisites to run Comply scripts. |
Comply - Hygiene - Outdated High Severity Vulnerabilities | Default | Sensor | Tanium Comply | [DEPRECATED] This sensor parses vulnerability results on targeted endpoints and returns the normalized operating system of the targeted endpoint if discovered vulnerability scan results have a severity score of 7.0 (High Severity under CVSS v2) or higher and those vulnerability results originate from calendar year 2019 or earlier. Parameter input must be either blank to target all available reports on the targeted endpoint, or be a comma-separated list of at least one Tanium Comply report hash (e.g. b31337c1 or 6c750c51,b31337c1). |
Comply - Hygiene - Product Vulnerability Results | Default | Sensor | Tanium Comply | [DEPRECATED] This sensor pulls back the discovered CVEs, Release Year, CVSS v2 Severities, and Titles for detected vulnerabilities on an endpoint based on the report hashes targeted and the product strings provided. To target vulnerabilities for Adobe, for example, use parameters (Adobe,adobe). Must be either blank to target all available reports on targeted endpoint, or comma-separated list of at least one Tanium Comply report hash (e.g. b31337c1 or 6c750c51,b31337c1). |
Comply - Hygiene - Vulnerability Results | Default | Sensor | Tanium Comply | [DEPRECATED] This sensor pulls back the discovered CVEs, Release Year, CVSS v2 Severities, and Titles for detected vulnerabilities on an endpoint based on the report hashes or max report age targeted. Must be either blank to target all available reports on targeted endpoint, or comma-separated list of at least one Tanium Comply report hash (e.g. b31337c1 or 6c750c51,b31337c1). |
Comply - Is Deployable | Comply Deployment | Sensor | Tanium Comply | Determines if there's enough disk space on the machine to be able to successfully deploy an engine. |
Comply - Is Vulnerable | Comply Reporting | Sensor | Tanium Comply | Determine is the endpoint is vulnerable or not. |
Comply - JovalCM Results | Comply Reporting | Sensor | Tanium Comply | [DEPRECATED] Returns the configuration compliance results for the given report hash. |
Comply - JovalCM Results - Full | Comply Reporting | Sensor | Tanium Comply | [DEPRECATED] Returns the full configuration compliance results for the given report hash. |
Comply - JovalCM Vulnerabilities | Comply Reporting | Sensor | Tanium Comply | [DEPRECATED] Returns found vulnerabilities for the given report hash. |
Comply - JovalCM Vulnerabilities - Full | Comply Reporting | Sensor | Tanium Comply | [DEPRECATED] Returns found vulnerabilities for the given report hash. |
Comply - Last Scan | Comply Reporting | Sensor | Tanium Comply | A sensor that reports the last time an assessment was started on an endpoint and whether results exist. For continuous SBOM scans, the returned time indicates when the scan was most recently resumed. Typically this occurs on client extension reset. |
Comply - Max Vulnerability Score | Comply Reporting | Sensor | Tanium Comply | [DEPRECATED] Returns the highest CVSS v2 score of any vulnerability found on an endpoint. |
Comply - Metrics Compliance Counts | Comply Reporting | Sensor | Tanium Comply | Count the number of compliance findings per state (pass, fail, etc). |
Comply - Metrics Engines Deployed | Comply Deployment | Sensor | Tanium Comply | [DEPRECATED] Returns 'SCC', 'CIS-CAT', 'Tanium Scan Engine', 'No Engine Installed'. |
Comply - Metrics Tools Deployed | Comply Deployment | Sensor | Tanium Comply | [DEPRECATED] Returns 'Deployed' if Comply Tools are deployed. 'Not Deployed' otherwise. |
Comply - Metrics Tools Outdated | Comply Deployment | Sensor | Tanium Comply | [DEPRECATED] Returns 'Current' if Comply Tools are up to date. 'Outdated' if Comply Tools are deployed but old. 'not installed' otherwise. |
Comply - Metrics Vulnerability Counts | Comply Reporting | Sensor | Tanium Comply | [DEPRECATED] Count the number of vulnerabilities by CVSS v2 severity. |
Comply - NMap Scan Results | Comply Reporting | Sensor | Tanium Comply | Returns the Discover NMap scan results for reporting in Comply report scan reports. |
Comply - Open Ports | Comply Reporting | Sensor | Tanium Comply | Identifies the listening TCP ports, including the process listening to the port, the display name of the process (if available), and the listening IP Address and port. The Sensor definition can be modified to exclude process and IP range. |
Comply - Open Ports Full | Comply Reporting | Sensor | Tanium Comply | [DEPRECATED] Identifies the listening TCP ports, including the process listening to the port, the display name of the process (if available), and the listening IP Address and port. The Sensor definition can be modified to exclude process and IP range. |
Comply - Oval Findings | Comply Reporting | Sensor | Tanium Comply | This sensor will return the unique oval definitions from the found vulnerabilities present on an endpoint. |
Comply - Report Age | Comply Reporting | Sensor | Tanium Comply | This sensor will return for each report the following: Scan Engine, Report Hash, and Report Age. |
Comply - Report Hashes | Comply Reporting | Sensor | Tanium Comply | Find all report hash occurrences on an endpoint. |
Comply - Report Results Older Than | Comply Reporting | Sensor | Tanium Comply | Will return true if the results for a Comply report having the specified scan engine and report hash are either non-existent or older than the number of seconds specified. |
Comply - Report Runtimes | Comply Reporting | Sensor | Tanium Comply | Find the runtimes of each report in seconds. |
Comply - Scan Error Details | Comply Reporting | Sensor | Tanium Comply | Get detailed scan error information. |
Comply - SCC Results | Comply Reporting | Sensor | Tanium Comply | [DEPRECATED] Returns the configuration compliance results for the given report hash. |
Comply - SCC Results - Full | Comply Reporting | Sensor | Tanium Comply | [DEPRECATED] Returns the full configuration compliance results for the given report hash. |
Comply - SCC Vulnerabilities | Comply Reporting | Sensor | Tanium Comply | [DEPRECATED] Returns found vulnerabilities for the given report hash. |
Comply - SCC Vulnerabilities - Full | Comply Reporting | Sensor | Tanium Comply | [DEPRECATED] Returns found vulnerabilities for the given report hash. |
Comply - Vulnerability Aggregates | Comply Reporting | Sensor | Tanium Comply | [DEPRECATED] A sensor that aggregates vulnerability result data from scans; severity categories are based on CVSS v2 scores. |
Comply - Vulnerability CVE Search | Comply Reporting | Sensor | Tanium Comply | Searches vulnerability results for CVE |
Comply - Vulnerability Discovery Dates | Comply Reporting | Sensor | Tanium Comply | Returns the first found/last found dates of vulnerabilities. |
Comply - Vulnerability Findings Aggregate | Comply Reporting | Sensor | Tanium Comply | [DEPRECATED] Returns the most severe Vulnerability level reported (CVSS v2 severities: High, Medium, Low, Unscored, No Vulnerabilities) |
Comply - Vulnerability Findings Details | Comply Reporting | Virtual Sensor | Comply Reporting | This sensor will return the unique vulnerability findings (CVEs) present on an endpoint. |
Comply - Vulnerability Results | Comply Reporting | Sensor | Tanium Comply | Returns OVAL definition IDs for vulnerabilities found on endpoint. |
Comply - Vulnerability Results - Export | Comply Reporting | Sensor | Tanium Comply | Returns OVAL definition IDs and first found/last found dates for vulnerabilities found on endpoint. |
Computer Groups | Tanium Data Service | Virtual Sensor | Tanium Data Service | |
Computer ID | Reserved | Sensor | Tanium Default Content | A unique identifier of each computer for internal use. Example: 4202979704 |
Computer Name | Reserved | Sensor | Tanium Default Content | The assigned name of the client machine. Example: workstation-1.company.com |
Computer Serial Number | Core Content | Sensor | Tanium Core Content, Tanium Interact | The serial number, if available, provided by the computer manufacturer. Example: 123ABC1 |
Configuration Profiles | Core Content | Sensor | Tanium Core Content | Return all configured profiles for Mac endpoints. |
Configured Auditd Rules | Core Content | Sensor | Tanium Core Content | This sensor validates the presence of auditd, then displays configured audit rules from /etc/audit/audit.rules. If no rules are found, it returns "No rules". Example: -w /usr/bin/passwd -p x -k identity |
Connections Exclude List Days Old | Incident Response | Sensor | Tanium Threat Response | Returns the age, in days, of the excluded-processes.dat and excluded-subnets.dat files that are currently deployed. Example: 3 |
Container Host Operating System | Containers | Sensor | Tanium Containers | Returns the Operating System Generation of a mangaged container host. |
Container Image | Containers | Sensor | Tanium Containers | Returns information about the images used to instantiate running containers. |
Container Image Name | Containers | Sensor | Tanium Containers | Returns the names of images used to instantiate running containers. |
Container Labels | Containers | Sensor | Tanium Containers | Returns labels defined for running containers. |
Container Name with Image Hash | Containers | Sensor | Tanium Containers | Returns the names and hashes of Images (not containers, but the template used to instantiate the container). |
Container Network | Containers | Sensor | Tanium Containers | Returns network details for running containers. |
Container PID Count | Containers | Sensor | Tanium Containers | Returns the number of Process IDs (PIDs) for running containers. |
Container Running Processes | Containers | Sensor | Tanium Containers | Returns process details for running containers. |
Container Runtime | Containers | Sensor | Tanium Containers | Provides detail regarding the executor of the containers, the "Container Runtime". |
Container Stats | Containers | Sensor | Tanium Containers | Provides runtime resource utilization statistics for running containers. |
Container Uptime | Containers | Sensor | Tanium Containers | Provides information regarding the age of running containers. |
Country Code | Base | Sensor | Tanium Default Content | Shows the currently specified country code used by the operating system. Example: 1 (United States) |
CPU | Core Content | Sensor | Tanium Core Content | Description of the CPU. Example: Intel(R) Core(TM) i5-2500 CPU @ 3.30GHz |
CPU Architecture | Core Content | Sensor | Tanium Core Content, Tanium Endpoint Configuration | Describes the architecture of the CPU/processor. Example: i386, X86-based PC |
CPU by Process | Core Content | Sensor | Tanium Core Content | A multi-column sensor that lists every running process and the amount of CPU usage they are taking up. Example: svchost | 15 |
CPU Cache Size | Core Content | Sensor | Tanium Core Content | CPU cache size in KB. Example: 1024 KB |
CPU Consumption | Core Content | Sensor | Tanium Core Content | Current total CPU consumption in %. Example: 50% |
CPU Details | Core Content | Sensor | Tanium Core Content | A multi-column sensor that provides CPU details: system type, CPU description, speed, # of processors, # of cores, and # of logical processors. Example: x64-based PC | Intel(R) Xeon(R) CPU X3430 | 2390 Mhz | 1 | 4 | 4 |
CPU Family | Core Content | Sensor | Tanium Core Content, Tanium Endpoint Configuration | The family of the processor or CPU (Windows provides a family ID). Example: Xeon, Family 198 |
CPU Manufacturer | Core Content | Sensor | Tanium Core Content | The manufacturer of the CPU. Example: GenuineIntel |
CPU Speed Mhz | Core Content | Sensor | Tanium Core Content | The speed of the processor in Mhz. Example: 3200 Mhz |
CredGuard Status | Default | Sensor | Tanium Benchmark | A sensor to determine if an endpoint is actively running CredGuard or is configured to run CredGuard. Requires Windows 10 or Server 2016. |
Custom Tag Exists | Core Content | Sensor | Tanium Core Content | Checks to see if a given custom tag exists on the endpoint. The input can either be a substring or an exact match, and the check is case insensitive. Example: True |
Custom Tags | Core Content | Sensor | Tanium Core Content | Any specified custom tags that have been set for this machine. See the Custom Tagging Dashboard. Example: Development, Test-Machines |
CVE-2023-36884 Findings | Default | Sensor | Tanium Emerging Issues Content | |
CVE-2024-6387 OpenSSH Status | Default | Sensor | Tanium Emerging Issues Content | Determines CVE-2024-6387 applicability status and OpenSSH installed version for Linux endpoints |
Data Execution Prevention Enabled | Core Content | Sensor | Tanium Core Content | Whether data execution prevention is enabled. If disabled, code can be executed from a non-executable memory region. Example: True, False, Unknown |
Default Login Domain | Core Content | Sensor | Tanium Core Content | Name of the domain of the most recently logged in user. Example: CORP |
Default Login UserID | Core Content | Sensor | Tanium Core Content | Last user name entered in the "Log On to Windows" dialog box. Example: tanium_admin |
Default Web Browser | Core Content | Sensor | Tanium Core Content | Default web browser for new users. Note that this can be changed per user. Example: Internet Explorer |
DEP Enrollment Status | Core Content | Sensor | Tanium Core Content | Return Enrolled, Not Enrolled or Unknown if a Mac device was enrolled via DEP (i.e Device Enrollment Program). |
Deploy - All Deployment Activities | Deploy Content Set | Sensor | Tanium Deploy | Return details of the activities performed as part of the deployment for all deployments |
Deploy - All Deployments Errors | Deploy Content Set | Sensor | Tanium Deploy | Return the deployment errors for all deployments |
Deploy - Applicability Scan Age | Deploy Content Set | Sensor | Tanium Deploy | Get the age of the Deploy software package applicability scan |
Deploy - Coverage Status | Deploy Content Set | Sensor | Tanium Deploy | Returns Optimal, Needs Attention, or Unsupported for whether the system has had any recent scans. |
Deploy - Coverage Status Details | Deploy Content Set | Sensor | Tanium Deploy | Returns "Optimal" if Deploy is installed and running, "Needs Attention" if Deploy is not installed or is not healthy, "Unsupported" if the operating system is not supported, and "Initializing" if the system is in the process of installing tools or running the first scan. Provides additional details for systems that have a "Needs Attention" status to help administrators resolve client health issues. |
Deploy - Deployment Activities | Deploy Content Set | Sensor | Tanium Deploy | Return details of the activities performed as part of the deployment for deployment with the specified ID |
Deploy - Deployment Details | Deploy Content Set | Sensor | Tanium Deploy | Return the deployment status details for deployment with the specified ID |
Deploy - Deployments | Deploy Content Set | Sensor | Tanium Deploy | Return the status of all deployments |
Deploy - Deployments Errors | Deploy Content Set | Sensor | Tanium Deploy | Return the deployment errors for deployments with IDs within the specified bounds |
Deploy - Deployments Statuses | Deploy Content Set | Sensor | Tanium Deploy | Return the deployment statuses for deployments with IDs within the specified bounds |
Deploy - Download Status Details | Deploy Content Set | Sensor | Tanium Deploy | Shows download status of all active deployments and any completed deployments of the last about 3 days. Older completed downloads are not returned. This also adds the hash of said file and DeploymentID from Deploy - Download Status and is a slower running sensor. |
Deploy - Enforcement Status | Deploy Content Set | Sensor | Tanium Deploy | Returns the enforcement status for enforcements defined in the Deploy Workbench Example: Type|ID|Status|Reason MaintenanceWindow|1|Enforced| MaintenanceWindow|2|Unenforced|Maintenance window configuration not found |
Deploy - Gallery Compliance by Age | Deploy Content Set | Sensor | Tanium Deploy | Determine if any Gallery packages older than 30 days are applicable |
Deploy - Has Enforced Maintenance Window | Deploy Content Set | Sensor | Tanium Deploy | Returns True if there is at least one enforced Deploy maintenance window and False otherwise |
Deploy - Has Recent Scan Results | Deploy Content Set | Sensor | Tanium Deploy | Returns a Yes/No answer for the question of whether the system has Deploy software catalog scan results within the specified Scan Age Days. |
Deploy - Installed Software Packages | Deploy Content Set | Sensor | Tanium Deploy | This sensor returns all applications from the Software Catalog which are considered Installed, Update Eligible, or Update Ineligible from Install verification rules. This is great for taking this data to Asset for offline reporting. |
Deploy - Is AEM Degradations Configuration Registered | Deploy Content Set | Sensor | Tanium Deploy | Check if the Is AEM Degradations configuration registered with ECF |
Deploy - Is Process Running | Deploy Content Set | Sensor | Tanium Deploy | Check if the deploy process is running |
Deploy - Is Supported | Deploy Content Set | Sensor | Tanium Deploy | Returns True or False based on whether the endpoint meets the operating system and Tanium Client version requirements to install Deploy Tools. For more information on requirements, see https://docs.tanium.com/deploy/deploy/requirements.html#endpoints |
Deploy - Maintenance Window Enforcements | Deploy Content Set | Sensor | Tanium Deploy | Returns the enforcement status for Maintenance Windows Example: ID|Status|Reason|EditID 1|Enforced||1 |
Deploy - Maintenance Windows | Deploy Content Set | Sensor | Tanium Deploy | This sensor will return the Maintenance Windows deployed and applied on an endpoint for Deploy. |
Deploy - Mean Time to Deploy | Deploy Content Set | Sensor | Tanium Deploy | Determine the average number of days for a package update to be installed. |
Deploy - Next Maintenance Window | Deploy Content Set | Sensor | Tanium Deploy | This sensor will show you the current endpoint state and whether or not it is in a maintenance window, or if none can be found. It will also show the next available window to that endpoint. |
Deploy - Scan Errors | Deploy Content Set | Sensor | Tanium Deploy | Return any scan errors that are present on the endpoint. |
Deploy - Self Service Activity | Deploy Content Set | Sensor | Tanium Deploy | Return the self service activity for software packages and bundles |
Deploy - Self Service Activity By User | Deploy Content Set | Sensor | Tanium Deploy | Return the self service activity by user for software packages and bundles |
Deploy - Self Service Profiles | Deploy Content Set | Sensor | Tanium Deploy | Return the Self Service Profiles deployed to an endpoint |
Deploy - Settings Version | Deploy Content Set | Sensor | Tanium Deploy | Returns the version of settings or Not Found |
Deploy - Software Installed By Tanium | Deploy Content Set | Sensor | Tanium Deploy | Show the software that has been installed, updated, or removed over the given time period. Example: Software Package ID|Software Package Name|Software Package Vendor|Software Package Version|Software Package Platform|Operation|Source 1|Chrome x64|Google|83.0.4103.61|windows|install|Self-Service 1|7-Zip x64|Igor Pavlov|19.00.00.0|windows|update|Standard Deployment |
Deploy - Software Package Catalog Version | Deploy Content Set | Sensor | Tanium Deploy | Returns the version of the software package catalog or Not Found |
Deploy - Software Packages | Deploy Content Set | Sensor | Tanium Deploy | Get the ID, vendor, name, version, and applicability of software packages in the Deploy catalog and gallery |
Deploy - Software Packages Applicability | Deploy Content Set | Sensor | Tanium Deploy | Return the applicability statuses for software packages with IDs within the specified bounds |
Deploy - Software Packages Applicability Details | Deploy Content Set | Sensor | Tanium Deploy | Return the applicability statuses and reasons for software packages |
Deploy - Software Packages Gallery Applicability | Deploy Content Set | Sensor | Tanium Deploy | Return the applicability statuses for software packages in the Deploy software packages gallery |
Deploy - Software Packages Gallery Applicability Details | Deploy Content Set | Sensor | Tanium Deploy | Return the applicability details for software packages in the Deploy software packages gallery |
Deploy - Windows Upgrade Ready | Default | Sensor | Tanium Deploy | Returns "True", "False", or "N/A (No Scan Data)" based on the scan results scan results from the Windows Upgrade Phase 1 and Phase 2 packages. For more information, see https://docs.tanium.com/deploy/deploy/use_case_managing_windows_upgrades.html |
Deploy - Windows Upgrade Scan Details | Default | Sensor | Tanium Deploy | Returns detailed data from the Windows Upgrade Phase 1 and 2 scan results. For more information, see https://docs.tanium.com/deploy/deploy/use_case_managing_windows_upgrades.html |
Deploy - Windows Upgrade Scan Results | Default | Sensor | Tanium Deploy | Returns basic data from the Windows Upgrade Phase 1 and 2 scan results. For more information, see https://docs.tanium.com/deploy/deploy/use_case_managing_windows_upgrades.html |
DeviceGuard Status | Default | Sensor | Tanium Benchmark | A sensor to determine if an endpoint is actively running DeviceGuard or is configured to run DeviceGuard, and whether or not Code Integrity Policy enforcement is configured. Requires Windows 10 or Server 2016. |
DHCP Enabled? | Core Content | Sensor | Tanium Core Content | Whether or not a machine has a network adapter set to DHCP. Note, a machine may have multiple active adapters and may return multiple lines. If a machine has multiple adapters on DHCP, TRUE is returned only once. Example: TRUE, FALSE |
DHCP Server | Core Content | Sensor | Tanium Core Content | The addresses of the configured DHCP servers, If a machine is on DHCP. Example: 192.168.1.1 |
Direct Connect - Connection Configuration | Direct Connect | Sensor | Tanium Direct Connect | Obtains current Direct Connect configuration |
Direct Connect - Connection Status | Direct Connect | Sensor | Tanium Direct Connect | Get Direct Connect connection status |
Direct Connect - Endpoint UUID | Direct Connect | Sensor | Tanium Direct Connect | Obtains current Direct Connect endpoint UUID |
Discover - Endpoint within Network Range | Discover Content | Sensor | Tanium Discover | Reports if endpoint is within the specified ranges. If True, endpoint is included within the ranges. If False, endpoint is excluded or not included by the parameters. |
Discover - Installed Npcap Version | Discover Content | Sensor | Tanium Discover | Reports Npcap version information, including the installed version, if the installed version was installed by Tanium, the last version that Tanium installed, and Npcap version put on the endpoint by the Discover - Install Npcap package if it exists. |
Discover - Is Nmap Required | Discover Content | Sensor | Tanium Discover | Reports whether the endpoint needs to have Nmap available for running Discover scans. |
Discover - Is Unmanageable | Discover Content | Virtual Sensor | Discover Content | |
Discover - Profile Diagnostics | Discover Content | Sensor | Tanium Discover | Retrieves Discover profile diagnostics (tuples consisting of a profile ID and an error message). Example: 14,TOO_MANY_SCANS 27,NO_PROFILE |
Discover - Required Npcap Version | Discover Content | Sensor | Tanium Discover | Reports the Npcap version an endpoint requires. |
Discover - Scan Metrics | Discover Content | Sensor | Tanium Discover | Displays scan metrics gathered from Discover Profile Scans. |
Discover Label | Discover Content | Virtual Sensor | Discover Content | |
Discover Last Scan Range | Discover Content | Sensor | Tanium Discover | Displays the last scan range for Ping and Nmap. |
Discover Location | Discover Content | Virtual Sensor | Discover Content | |
Discover Method | Discover Content | Virtual Sensor | Discover Content | |
Discover Profile | Discover Content | Virtual Sensor | Discover Content | |
Discover Satellite | Discover Content | Virtual Sensor | Discover Content | |
Discover Scan Range | Discover Content | Sensor | Tanium Discover | Useful in troubleshooting, this sensor will return the range of IP addresses that each endpoint will be scanning (for Windows, Mac and Linux only). Example: 10.10.10.1-10|10.10.10.11-11|Backward |
Disk Drive Details | Core Content | Sensor | Tanium Core Content | Multi-column sensor that returns details on the type, size, and free space of all partitions on the machine. Example:ST3808110AS ATA Device|C:|250G|120G |
Disk Drive Serial Number | Core Content | Sensor | Tanium Core Content | Multi-column sensor that returns Disk drive name and serial number Example: ST3808110AS ATA Device|SerialNumber |
Disk Drives | Core Content | Sensor | Tanium Core Content | Descriptions of any installed disk drives, including external or USB drives. Example: ST3808110AS ATA Device |
Disk Free Space | Core Content | Sensor | Tanium Core Content | The amount of free disk space per drive. Example: C: 40 GB |
Disk Free Space Below Threshold | Core Content | Sensor | Tanium Core Content | If a drive has less free space than the configured threshold, the drive and remaining free space is returned. The threshold defaults to 2048 MB and can be altered. Example: C: 1 GB |
Disk Free Space Status | Core Content | Sensor | Tanium Core Content | The drive name, percentage of available free space, and status (okay, reduced, low, and critical). The thresholds may be specified as numeric values, or as a percentage of disk size if the 'Evaluate as percentage' option is selected. Example: /dev/disk1s5 5 low |
Disk IOPS | Core Content | Sensor | Tanium Core Content | Returns the current total number of disk IOPS currently occurring Example: 86 |
Disk Total Byte Count | Core Content | Sensor | Tanium Core Content | The total amount of disk space per endpoint, rounded to three significant figures Example: 2680000000 |
Disk Total Size of System Drive | Core Content | Sensor | Tanium Core Content | The amount of total disk space on the main system drive. Example: C: 100 GB |
Disk Total Space | Core Content | Sensor | Tanium Core Content | The amount of total disk space per drive. Example: C: 100 GB |
Disk Type of C: | Core Content | Sensor | Tanium Core Content | File system type of the C drive. Example: NTFS |
Disk Used Percentage | Core Content | Sensor | Tanium Core Content | The percentage of used disk space per partition. Example: C: 24% |
Disk Used Space | Core Content | Sensor | Tanium Core Content | The amount of used disk space per partition. Example: C: 40 GB |
DLL Load Order Hijacking Search | Incident Response | Sensor | Tanium Threat Response | Searches for instances where DLL search order hijacking might have occurred in currently running processes. False positives are possible, so you must manually verify the results. |
DNS Resolver Cache CNames | Incident Response | Sensor | Tanium Threat Response | Returns the DNS resolver cache entries for CNAME records. Example: www.mycompany.com|www.mycompany.com.vgtf.net |
DNS Resolver Cache Hosts | Incident Response | Sensor | Tanium Threat Response | Returns the DNS resolver cache entries for IPv4 addresses. Example: ads.mycompany.com|157.166.226.208 |
DNS Resolver Misses | Incident Response | Sensor | Tanium Threat Response | Returns the DNS resolver cache entries for DNS records that were not found. Example: www.mycompany.com |
DNS Server | Base | Sensor | Tanium Default Content | Addresses of any configured DNS servers for active network adapters. Example: 192.168.1.1, 8.8.8.8 |
Domain Controller SYSVOL Size | Core Content | Sensor | Tanium Core Content | Returns the SYSVOL size on Domain Controllers Example: 2.2 GB |
Domain Member | Base | Sensor | Tanium Default Content | Returns true if the machine is part of an Active Directory domain. Example: TRUE, FALSE |
Domain Name | Base | Sensor | Tanium Default Content | The domain name (if any) that the computer is joined to or configured for. Example: intra.company.com |
Domain Role | Core Content | Sensor | Tanium Core Content | Returns the Active Directory domain role Example: Primary Domain Controller |
Download Statuses | Reserved | Sensor | Tanium Default Content | The recorded state of each download a client has made recently in the form of hash:completion percentage. Example: 05839407baccdfccfd8e2c1ffc0ff27541cc053d15b52cfd4ed904510e59b428:100 |
Driver Details | Core Content | Sensor | Tanium Core Content | Return details about loaded drivers Example: WIMMount|Stopped|C:\Windows\system32\drivers\wimmount.sys|6.3.9600.16384 |
Driver Details with Hash | Incident Response | Sensor | Tanium Threat Response | Retrieves information about loaded device drivers, including a hash of each driver file. |
Edge Extensions | Core Content | Sensor | Tanium Core Content | Returns installed Extensions based on an enumeration of each users profile. Only searches local profiles. |
Edge Extensions Summary | Core Content | Sensor | Tanium Core Content | Returns distinct list of installed Extensions (including extension ID) based on an enumeration of each users profile. Only searches local profiles. |
EICAR AV Exclusions Check | AntiVirus | Sensor | Tanium Core EICAR Content | Returns the details from running the "Write EICAR File" Package. Check Name|Check Result Example: Expected Tanium Client result|Pass |
EID First Seen | Tanium Data Service | Virtual Sensor | Tanium Data Service | |
EID Last Changed | Tanium Data Service | Virtual Sensor | Tanium Data Service | |
EID Last Seen | Tanium Data Service | Virtual Sensor | Tanium Data Service | |
Elevated Privileges | Incident Response | Sensor | Tanium Threat Response | Retrieves information about attempts to elevate user privileges. |
Elevated Users | Incident Response | Sensor | Tanium Threat Response | Retrieves information about users with elevated privileges, such as users logged in as root. |
End-User Notifications - Is Self Service Enabled | End-User Notifications | Sensor | Tanium End-User Notifications | Reports whether the targeted profile enables End-User Self Service. |
End-User Notifications - Mac OS Version | End-User Notifications | Sensor | Tanium End-User Notifications | Return the operating system version of a Mac |
End-User Self Service - Is Self Service Tool Installed | End-User Self Service | Sensor | Tanium End-User Notifications, Tanium Patch | Returns a True/False answer indicating whether the Self Service tool is installed. |
End-User Self Service - Mac OS Version | End-User Self Service | Sensor | Tanium Deploy, Tanium End-User Notifications, Tanium Patch | Return the operating system version of a Mac |
Endpoint Configuration - Change Management Status | Endpoint Configuration | Sensor | Tanium Endpoint Configuration | Retrieves Endpoint Change Management Upgrade Ring and Toolset Manifest version. |
Endpoint Configuration - Manifest Metadata | Endpoint Configuration | Sensor | Tanium Endpoint Configuration | Retrieves Endpoint Configuration manifest metadata from each endpoint, including manifest revision number and the service UUID from which the manifest originated. |
Endpoint Configuration - Tools Retry Status | Endpoint Configuration | Sensor | Tanium Endpoint Configuration | Retrieves Endpoint Configuration tools retry status from each endpoint. |
Endpoint Configuration - Tools Status | Endpoint Configuration | Sensor | Tanium Endpoint Configuration | Retrieves Endpoint Configuration tools information from each endpoint, including installed and targeted versions, as well as information about the status of each tool. |
Endpoint Configuration - Tools Status Details | Endpoint Configuration | Sensor | Tanium Endpoint Configuration | Retrieves Endpoint Configuration tools information from each endpoint, including installed and targeted versions, as well as detailed information about the status of each tool. |
Endpoint Configuration - Tools Status Summary | Endpoint Configuration | Sensor | Tanium Endpoint Configuration | Retrieves Endpoint Configuration tools information from each endpoint, summarized to a single status. If any tools are errored, the result is Error. If any installed tool version is less than the targeted version, the result is In Progress. If any installed tool version is greater than the targeted version, the result is Other. If all tools are installed as expected, the result is Ok. Other may also indicate an unknown state. |
Endpoint Configuration - Tools Status Summary Per Tool | Endpoint Configuration | Sensor | Tanium Endpoint Configuration | Retrieves Endpoint Configuration tools information from each endpoint, with a summarized status per tool |
Endpoint Criticality | Criticality | Virtual Sensor | Criticality | Returns the number of endpoints with each endpoint criticality. Criticalities are listed by their multiplier. Low = 1, Medium = 1.33, High = 1.67, Critical = 2. |
Endpoint Criticality with Level | Criticality | Virtual Sensor | Criticality | Returns the number of endpoints with each endpoint criticality value and text. |
Endpoint Fingerprint | Base | Sensor | Tanium Default Content, Tanium Interact | Endpoint Fingerprint returns a unique identifier based, where possible, on something more-or-less unique to the hardware. This might be the BIOS Serial Number, MAC Address or some manufacturer created GUID; or a generated GUID or or timestamp if hardware based values are not available. |
Endpoint ID | Tanium Data Service | Virtual Sensor | Tanium Data Service | |
Enforce - Admission Enforcement Count | Enforce Global Objects | Sensor | Tanium Enforce | Reports the count of enforced admission policies on the Kubernetes cluster. |
Enforce - Admission Violations | Enforce Global Objects | Sensor | Tanium Enforce | Reports the Enforce Kubernetes admission violations. |
Enforce - Admission Violations Count | Enforce Global Objects | Sensor | Tanium Enforce | Reports the count of Enforce Kubernetes admission violations. |
Enforce - Anti-Malware Definition Outdated | Enforce Windows | Sensor | Tanium Enforce | Reports the current Windows Anti-malware definition version installed on the computer is out of date. |
Enforce - Anti-Malware Definition Version | Enforce Windows | Sensor | Tanium Enforce | Reports the current Windows Anti-malware definition version installed on the computer. |
Enforce - Anti-Malware Engine Version | Enforce Windows | Sensor | Tanium Enforce | Reports the current Windows Antimalware engine version installed on the computer. |
Enforce - Anti-Malware Threat Counts Last X Days | Enforce Windows | Sensor | Tanium Enforce | Given a number of days in the past, this sensor reports all anti-malware threat counts since that date. |
Enforce - Anti-Malware Threat Details | Enforce Windows | Sensor | Tanium Enforce | Reports all anti-malware threats along with detection date, process name, and file paths. |
Enforce - Anti-Malware Threats Last X Days | Enforce Windows | Sensor | Tanium Enforce | Given a number of days in the past, this sensor reports all anti-malware threats since that date. |
Enforce - AppLocker Threats Last X Days | Enforce Windows | Sensor | Tanium Enforce | Given a number of days in the past, this sensor reports all AppLocker events since that date. |
Enforce - BitLocker Encryption Status | Enforce Windows | Sensor | Tanium Enforce | Reports BitLocker encryption status per encryptable drive. |
Enforce - BitLocker Protection Status | Enforce Windows | Sensor | Tanium Enforce | Reports BitLocker protection status per encryptable drive. |
Enforce - Can Remove Quarantine By File Path | Enforce Windows | Sensor | Tanium Enforce | Reports "Yes" if the endpoint supports restoring an individual file path from quarantine. |
Enforce - Coverage Status | Enforce Global Objects | Sensor | Tanium Enforce | Returns "Optimal" if Enforce is installed and running, "Needs Attention" if Enforce is not installed or is not healthy, "Unsupported" if the operating system is not supported. |
Enforce - Daily Stream Stats | Enforce Global Objects | Sensor | Tanium Enforce | This sensor is used to collect the statistics recorded for Stream. The results are reported as a RFC 3339 date and the total bytes transferred for that date. The bytes transferred are grouped into the following buckets: "0 B", "<= 10 MB", "<= 50 MB", "<= 100 MB", "<= 200 MB", "<= 1 GB", "1 GB+". |
Enforce - Defender Platform Version | Enforce Windows | Sensor | Tanium Enforce | Reports Defender Platform Version |
Enforce - Device Setup Classes | Enforce Windows | Sensor | Tanium Enforce | Lists all device setup classes. |
Enforce - Diagnostic - Applied Machine Policies | Enforce Global Objects | Sensor | Tanium Enforce | Returns status of applied machine policies. Specifically for small scale diagnostics. |
Enforce - Diagnostic - Applied Policy Settings | Enforce Windows | Sensor | Tanium Enforce | Returns status of applied policy settings. Specifically for small scale diagnostics. |
Enforce - Diagnostic - AppLocker Threat Details Last X Days | Enforce Windows | Sensor | Tanium Enforce | Given a number of days in the past, this sensor reports all AppLocker events with additional details since that date. Specifically for small scale diagnostics. |
Enforce - FileVault Encryption Status | Enforce Global Objects | Sensor | Tanium Enforce | Reports endpoint encryption status for FileVault on Mac. |
Enforce - Firewall Rules [Linux] | Enforce Linux | Sensor | Tanium Enforce | Reports all configured firewall rules on linux endpoints. |
Enforce - Firewall Rules [Windows] | Enforce Windows | Sensor | Tanium Enforce | Reports all configured firewall rules. |
Enforce - Get Admission Enforcements | Enforce Global Objects | Sensor | Tanium Enforce | List the admission enforcements on a cluster. |
Enforce - Has Admission Enforcement | Enforce Global Objects | Sensor | Tanium Enforce | Reports whether a Kubernetes admission policy is enforced. |
Enforce - Host Firewall Enabled | Enforce Global Objects | Sensor | Tanium Benchmark, Tanium Enforce | Returns Yes if firewall is enabled, No otherwise |
Enforce - Last Successful GPO Save | Enforce Global Objects | Sensor | Tanium Enforce | Searches the System event log for the last successful GPO save event (1500-1503). Useful to see if an endpoint has connectivity to a Domain Controller to fully apply policies if needed. NOTE: This could be any successful save, whether or not it was invoked by Enforce, such as a background policy refresh, or another 3rd party tool. |
Enforce - Machine Policy Status | Enforce Global Objects | Sensor | Tanium Enforce | Given a list of Policy Id numbers, reports the enforcement status of each. |
Enforce - Machine Policy Status [VBS] | Enforce Global Objects | Sensor | Tanium Enforce | Given a list of Policy Id numbers, reports the enforcement status of each. |
Enforce - Quarantine Details | Enforce Windows | Sensor | Tanium Enforce | Reports all quarantined threats along with severity, process name, and file paths. |
Enforce - Remediation Results | Enforce Global Objects | Sensor | Tanium Enforce | Reports remediation results. |
Enforce - SRP Threats Last X Days | Enforce Windows | Sensor | Tanium Enforce | Given a number of days in the past, this sensor reports all SRP events since that date. |
Enforce - Total Anti-Malware Threats Last X Days | Enforce Windows | Sensor | Tanium Enforce | Given a number of days in the past, this sensor reports the total number of anti-malware threats detected since that date. |
Enforce - TPM Status | Enforce Windows | Sensor | Tanium Benchmark, Tanium Enforce | Reports TPM Status. |
Enforce - USB Blocked Devices | Enforce Global Objects | Sensor | Tanium Enforce | Lists the blocked devices, rules, and users with the associated events detected by Tanium Recorder and Driver. |
Enforce - USB Storage Device Details | Enforce Global Objects | Sensor | Tanium Enforce | Lists the attached USB devices detected by Tanium Recorder and Driver. |
Enforce - USB Storage Devices | Enforce Windows | Sensor | Tanium Enforce | Lists hardware IDs for all USB storage devices. |
Enforce Anti-Malware Exclusions | Enforce Windows | Sensor | Tanium Enforce | Reports all anti-malware exclusions. |
Enforce Managed Definitions Targeting | Enforce Windows | Sensor | Tanium Enforce | Used for targeting of Tanium Enforce Managed Definitions packages, this sensor determines if a host requires download and execution of the definitions package. |
Enforce Prerequisites | Enforce Windows | Sensor | Tanium Enforce | Reports the installed prerequisites needed by some Enforce policies. |
Engage - Survey Results | Engage | Sensor | Tanium Engage | Returns the details of survey results from endpoints, one per row. |
Engage - Survey Status | Engage | Sensor | Tanium Engage | Returns survey status items from endpoints, one per row. |
Enhanced Tags | Enhanced Tags | Sensor | Tanium Core Content - Enhanced Tags | Returns all Enhanced Tags for a specified Category Example: Business Unit~=Information Security |
Enhanced Tags - Single Value | Enhanced Tags | Sensor | Tanium Core Content - Enhanced Tags | Returns the value of a single Enhanced Tag given a Tag Category and Tag Name Example: Information Security |
Enhanced Tags - Single Value Exists | Enhanced Tags | Sensor | Tanium Core Content - Enhanced Tags | Returns True if a single Enhanced Tag exists given a Tag Category and Tag Name Example: True |
Enhanced Tags Categories | Enhanced Tags | Sensor | Tanium Core Content - Enhanced Tags | Returns a list of Tag Categories Example: Information Security,Finance |
Enhanced Tags Category Exists | Enhanced Tags | Sensor | Tanium Core Content - Enhanced Tags | Returns True if a specified Tag Category exists. Example: True |
Enhanced Tags Deployment Errors | Enhanced Tags | Sensor | Tanium Core Content - Enhanced Tags | Returns the deployment errors for all enhanced tag categories Example: Error |
Enhanced Tags Details | Enhanced Tags | Sensor | Tanium Core Content - Enhanced Tags | Returns all Enhanced Tags for all Categories Example: Information Security~=Region~=North America |
Enhanced Tags FQDN | Enhanced Tags | Sensor | Tanium Core Content - Enhanced Tags | Returns the FQDN expected by Enhanced Tags packages Example: host.example.com |
Enhanced Tags Hostname | Enhanced Tags | Sensor | Tanium Core Content - Enhanced Tags | Returns the Hostname expected by Enhanced Tags packages Example: host |
Enhanced Tags Version | Enhanced Tags | Sensor | Tanium Core Content - Enhanced Tags | Returns the version of Enhanced Tags tools on endpoints Example: 2.3.7 |
Environment Variables | Incident Response | Sensor | Tanium Threat Response | Retrieves environment variables. |
Established Connections | Core Content | Sensor | Tanium Core Content | Any established connections currently being made. This multi-column Sensor displays the process responsible for the connection, the display name of the process (if available), and the target IP Address and port. Processes and IP ranges can be excluded in the Sensor definition. Example: chrome.exe | Google Chrome | 173.194.79.99:80 |
Established Connections with Hash | Incident Response | Sensor | Tanium Threat Response | Retrieves information about established connections with the hash value of the connected processes. The hash algorithm can be specified. |
Established Ports by Application | Core Content | Sensor | Tanium Core Content | Parameterized Sensor that shows which addresses the process is connecting to and over what local port. Example: 0.0.0.0:17500 Firefox.exe |
Explicit Logon Security Event Log Search | Incident Response | Sensor | Tanium Threat Response | Searches the Windows Security Event Log for explicit logon events. |
File Certificate Details | Incident Response | Sensor | Tanium Threat Response | Provides details about embedded certificates in Unix PE and COFF format image files. |
File Creation Date | Core Content | Sensor | Tanium Core Content | Returns the creation date of the file specified by the parameter. Example: 12-12-2014 18:00 |
File Exists | Core Content | Sensor | Tanium Core Content, Tanium Endpoint Identity | A parameterized Sensor that checks to see if a file exists on a machine. If it does, it returns back the full path of the file. Will expand environment variables, and will expand %userprofile%/file or "~/file" to search all user home directories. Example: C:\Windows\system32\notepad.exe |
File Handle Details | Incident Response | Sensor | Tanium Threat Response | Retrieves information about the specified file handle that matches the input string. |
File Handles Of Process | Incident Response | Sensor | Tanium Threat Response | Finds the file handles that are currently open in the specified process. The parameter is a regular expression of the process name. |
File Modification Date | Core Content | Sensor | Tanium Core Content | Returns the modification date of the file specified by the parameter. Example: 12/12/2014 18:00 |
File Size | Core Content | Sensor | Tanium Core Content | Returns the size of the file specified by the parameter. Example: 69120 |
File System Permissions | Core Content | Sensor | Tanium Core Content | |
File Version | Core Content | Sensor | Tanium Core Content | Returns the version of the file specified. Example: 1.0 |
FileVault Details | Core Content | Sensor | Tanium Core Content | Returns information on the FileVault status of a machine Example: If Available | Fully Secure | Status |
Firefox Extensions | Core Content | Sensor | Tanium Core Content | Returns installed Extensions based on the contents of the addons.json file from each users profile and each Firefox profile. Only searches local profiles. |
Firefox Extensions Summary | Core Content | Sensor | Tanium Core Content | Returns distinct list of installed Extensions based on the contents of the addons.json file from each users profile and each Firefox profile. Only searches local profiles. |
Firewall Status | Core Content | Sensor | Tanium Core Content | Returns the current status of the Windows firewalls. Example: DomainProfile enabled |
First Managed | Discover Content | Virtual Sensor | Discover Content | |
First Seen | Discover Content | Virtual Sensor | Discover Content | |
Folder Contents | Core Content | Sensor | Tanium Core Content | Returns the contents of the specified folder. Example: 0.log |
Folder Exists | Core Content | Sensor | Tanium Core Content | A parameterized Sensor that checks to see if a folder exists on a machine. If it does, it returns back the full path of the folder. Will expand environment variables, and will expand %userprofile%/folder or "~/folder" to search all user home directories. Example: C:\Windows\system32 |
Folder Size | Core Content | Sensor | Tanium Core Content | Folder size (in GB, MB, KB, or B) Example: 62 GB |
Forefront Client AS Signature Applied Date | Default | Sensor | Core Content - Forefront Support | Indicates the last time that the client AV signature was updated. Example: 09/18/2012 |
Forefront Client AS Signature Applied Days Old | Default | Sensor | Core Content - Forefront Support | Indicates how many days ago a new AS signature was applied. Example: 8 |
Forefront Client AS Signature Version | Default | Sensor | Core Content - Forefront Support | The current version of the AV signature being used by Forefront. Example: 1.85.1626.0 |
Forefront Client AV Signature Applied Date | Default | Sensor | Core Content - Forefront Support | Indicates the last time that the client AV signature was updated. Example: 09/18/2012 |
Forefront Client AV Signature Applied Days Old | Default | Sensor | Core Content - Forefront Support | Indicates how many days ago a new AS signature was applied. Example: 8 |
Forefront Client AV Signature Version | Default | Sensor | Core Content - Forefront Support | The current version of the AV signature being used by Forefront. Example: 1.85.1626.0 |
Forefront Client Engine Version | Default | Sensor | Core Content - Forefront Support | The version of the engine being used by Forefront on the client machine. Example: 1.1.5902.0 |
Forefront Client NIS Engine Version | Default | Sensor | Core Content - Forefront Support | The version fo the Forefront NIS engine running on the client machine. Example: 1.3.1106.0 |
Forefront Client NIS Signature Applied Date | Default | Sensor | Core Content - Forefront Support | Indicates the last time that the client AV signature was updated. Example: 09/18/2012 |
Forefront Client NIS Signature Applied Days Old | Default | Sensor | Core Content - Forefront Support | Indicates how many days ago a new AS signature was applied. Example: 8 |
Forefront Client NIS Signature Version | Default | Sensor | Core Content - Forefront Support | The version of the Forefront NIS signature file on the client machine. Example: 1.12.2131.0 |
Forefront Client Realtime Monitoring Status | Default | Sensor | Core Content - Forefront Support | Indicates whether Forefront Realtime Monitoring is enabled. Example: enabled |
Forefront Client Scheduled Scan Check Definitions | Default | Sensor | Core Content - Forefront Support | Indicates checking for definitions before running scheduled scan Example: Yes |
Forefront Client Scheduled Scan Day | Default | Sensor | Core Content - Forefront Support | indicates the the scheduled scan day Example: Sunday |
Forefront Client Scheduled Scan Limit CPU Usage | Default | Sensor | Core Content - Forefront Support | Indicates Limit CPU usage for scan Example: 50% |
Forefront Client Scheduled Scan Only When Idle | Default | Sensor | Core Content - Forefront Support | Indicates scheduled scan only when idle Example: Yes |
Forefront Client Scheduled Scan Time | Default | Sensor | Core Content - Forefront Support | Indicates the scheduled scan time Example: 2:00 AM |
Forefront Client Signature Applied Date | Default | Sensor | Core Content - Forefront Support | Indicates the last time that the client AV signature was updated. Example: 09/18/2012 |
Forefront Client Signature Applied Days Old | Default | Sensor | Core Content - Forefront Support | Indicates how many days ago a new AV signature was applied. Example: 8 |
Forefront Client Signatures Last Checked Date | Default | Sensor | Core Content - Forefront Support | Indicates the last date that the Forefront client signatures were checked by Forefront. Example: 09/18/2012 |
Forefront Client Signatures Last Checked Days Old | Default | Sensor | Core Content - Forefront Support | Indicates the time in days since the last time the Forefront client signatures were checked by Forefront. Example: 2 |
Forefront Client Signatures Last Updated Date | Default | Sensor | Core Content - Forefront Support | Indicates the last time that the client AV signature was updated. Example: 09/18/2012 |
Forefront Client Spyware Signature Version | Default | Sensor | Core Content - Forefront Support | The version of the client spyware signatures used by Forefront. Example: 1.20.3423.0 |
Forefront Client Version | Default | Sensor | Core Content - Forefront Support | The version of the Forefront client on the client machine |
Forefront Last Scan Run Date | Default | Sensor | Core Content - Forefront Support | Indicates the last time that a scan was run |
Forefront Last Scan Run Type | Default | Sensor | Core Content - Forefront Support | indicates the last scan type |
Forefront Scheduled Scan Enabled | Default | Sensor | Core Content - Forefront Support | Indicates if a Scheduled Scan is enabled or not |
Forefront Scheduled Scan Type | Default | Sensor | Core Content - Forefront Support | Indicates the Scheduled Scan Type |
Free Memory | Core Content | Sensor | Tanium Core Content | Indicates the free RAM available to the operating system. Example: 1024MB |
Free Swap | Core Content | Sensor | Tanium Core Content | Indicates the free swap space available to the operating system. Example: 640MB |
Gatekeeper Status | Core Content | Sensor | Tanium Core Content | Return if Gatekeeper on MacOS is Enabled, Disabled or Unknown. |
Hardware Device Failed to Load | Core Content | Sensor | Tanium Core Content | Provides errors codes for hardware devices that failed to load correctly at last boot. Example: none |
Has Incident Response ID Files | Incident Response | Sensor | Tanium Threat Response | Identifies the Incident Response ID files that exist on a machine. Example: "irsearch1234 " |
Has Scheduled Task | Incident Response | Sensor | Tanium Threat Response | Returns whether the specified scheduled task exists |
Hash Of File | Incident Response | Sensor | Tanium Threat Response | Returns the hash digest in the chosen algorithm of a specified file path. |
High CPU Consumption | Core Content | Sensor | Tanium Core Content | Indicates whether the client machine is currently experiencing high utilization of its CPU. Example: Under threshold |
High CPU Processes | Core Content | Sensor | Tanium Core Content | Lists the specified number of processes that are using the highest amount of CPU. Example: cmd |
High Memory Consumption | Core Content | Sensor | Tanium Core Content | Indicates whether the machine is above an acceptable threshold for memory utilization. Example: Under threshold |
High Memory Processes | Core Content | Sensor | Tanium Core Content | Lists the specified number processes based on ordering on amount of memory used. Example: cmd |
High Uptime | Core Content | Sensor | Tanium Core Content | Indicates whether the client machine has been online for more than 30 days. Example: Less than 30 days |
Hosted Services Name Audit | Incident Response | Sensor | Tanium Threat Response | Returns the Windows Service Group Name and a sorted list of service names in each group. |
Hosted Wireless Ad-Hoc Networks | Core Content | Sensor | Tanium Core Content | Returns details of ad-hoc wireless networks are hosted in your environment. Details include SSID, Mode, Max Clients, Auth, Status, BSSID, Radio Type, Channel, and Connections. Example: personalwifi | ad-hoc | 1 | Open | active | xx:xx:xx:xx:xx:xx | 802.11g | 11 | 1 |
Hosts File Entries | Core Content | Sensor | Tanium Core Content | Provides a list of hosts file entries for the local operating system. Example: myserver.com , 192.168.1.100 |
Human Interface Device | Core Content | Sensor | Tanium Core Content | Indicates any human interface devices connected to the client machine. Example: HID-compliant mouse |
Hyperthreading Enabled | Core Content | Sensor | Tanium Core Content | Indicates whether hyperthreading is enabled on the client machine. This is not supported on all OS patch levels. Example: Yes |
IC Python - Days Since Python 2 Used | Python | Sensor | Tanium Initial Content - Python |
Returns value indicating the number of days since Python 2 was last used. Example: 12 |
IC Python - Endpoint Tooling Safe for Python27 Removal | Python | Sensor | Tanium Initial Content - Python | Tests endpoint compatibility for Python |
IC Python - Python 3.12 Status | Python | Sensor | Tanium Initial Content - Python | Returns a detailed view of Python 3.12 and its dependencies. |
IC Python - Python Version Health | Python | Sensor | Tanium Initial Content - Python |
Returns python health status with detailed information. Example: Not Healthy|Internal version: 38 != External version: 312 |
IC Python - Tanium Client 7.4 Compatibility | Python | Sensor | Tanium Initial Content - Python | Tests endpoint compatibility for Python |
IC Python - Tools Blocking Python Migration | Python | Sensor | Tanium Initial Content - Python | Returns a list of Python 3.8 dependencies blocking migration. |
IC Python - Version Details | Python | Sensor | Tanium Initial Content - Python |
Returns version details for Python installed on the Tanium client. Example: 2.8 Core Python, info, 2.7.18 |
ICloud Settings | Incident Response | Sensor | Tanium Threat Response | Prints out all iCloud settings for all users by default. You may also search by user, iCloud setting, or both. |
IIS Website Details | Core Content | Sensor | Tanium Core Content | Returns information about IIS Websites |
Impact - Active User Session SIDs | Impact | Sensor | Tanium Impact | Get the SIDs of users with an active session. |
Impact - Administrator SIDs | Impact | Sensor | Tanium Impact | Get the SIDs of the domain users and groups in the Administrators group. |
Impact - Computer Domain SID | Impact | Sensor | Tanium Impact | Get the SID of the domain to which the computer is joined. |
Impact - Coverage Status | Impact | Sensor | Tanium Impact | Returns "Optimal" if Python is installed, "Needs Attention" if Python is not installed, "Unsupported" if the operating system is not supported. |
Impact - Physical NetBIOS Computer Name | Impact | Sensor | Tanium Impact | Get the NetBIOS name of an endpoint. |
Impact Rating | Impact | Virtual Sensor | Impact | |
In Subnet | Base | Sensor | Tanium Default Content | Returns True or False if a computer is in a given subnet. Must be in CIDR format (192.168.10.0/24) |
Index - File Count | Index | Sensor | Tanium Threat Response | Returns count of index files that match one or more supplied inputs |
Index - File Details | Index | Sensor | Tanium Threat Response | Returns details of index files that match one or more supplied inputs |
Index - File Exists | Index | Sensor | Tanium Threat Response | Returns Yes or No, using Index to determine whether the specified file exists based on the supplied input |
Index - File Hash Recently Changed | Index | Sensor | Tanium Threat Response | Returns details of index files that match one or more supplied inputs |
Index - Is Path Indexed | Default | Sensor | Tanium Threat Response | Evaluates index configuration to see if a path will be indexed |
Index - List Discovered Volumes | Index | Sensor | Tanium Threat Response | Returns list of filesystem volumes discovered by index |
Index - Tuning - Get Top Extensions | Index | Sensor | Tanium Threat Response | Returns the top 10 file extensions with highest file counts (bucketed) for tuning index |
Index - Tuning - Get Top Paths | Index | Sensor | Tanium Integrity Monitor, Tanium Threat Response | Returns the top 10 paths with highest file counts (bucketed) for tuning index |
Injected Threads | Incident Response | Sensor | Tanium Threat Response |
Returns threads executing possibly injected code. This is determined by finding thread start function addresses not mapped to a file on disk. ----Parameters---- Show PID/TID: By default is unchecked and will display [omitted] for both PID and TID. Check this box for both process and thread IDs to be displayed. Show Omitted Results: By default believe false positives will be omitted from results. By checking this box you will see all possible false positive results. ----Columns---- Process: "full path of process. Will show mismatches when found between process and kernel paths" PID: "Process ID when Show PID/TID is checked" TID: "Thread ID when Show PID/TID is checked" Header: "First 2 bytes of allocated memory region in hex" Mapped File: "File mapped to this memory region or No Mapped File" Memory Type: "Type of the pages in the memory region such as MEM_MAPPED or MEM_PRIVATE" Allocated Protection: "Protection of the memory region when allocated such as PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY" Page Protection: "Protection of the page in the memory region such as PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY" Start Address: "The Win32 thread function start address" Region Size: "The total size of the allocated memory region the Win32 thread function start address is in" When no suspicious threads are found, "No injected threads found" is returned. |
Installed Application Exists | Core Content | Sensor | Tanium Core Content | Determines whether a given substring exists in the Installed Applications list and returns True or False. Example: True The name of an application to be searched. The following options may be prefaced on the string to be searched to control how the matching is performed: left: - Does the name of an app start with the string to match? right: - Does the name of an app end with the string to match? contains: - Does the name of an app contain the string to match? (Default behavior for Windows) regex: - Does the name of an app match the specified regex? (Default behavior for Non-Windows) The following option may be appended to the string to be searched to enable expanded searching: :queryall - Used to locate an app listed as a hotfix, system component, or child entry of another app. Windows only. Disregarded on other OS's. Example: left:Tanium Client:queryall |
Installed Application Version | Core Content | Sensor | Tanium Core Content | The version string of applications which match the parameter given. Example: 11.5.502.146 The following options may be prefaced on the string to be searched to control how the matching is performed: left: - Does the name of an app start with the string to match? right: - Does the name of an app end with the string to match? contains: - Does the name of an app contain the string to match? (Default behavior for Windows) regex: - Does the name of an app match the specified regex? (Default behavior for Non-Windows) The following option may be appended to the string to be searched to enable expanded searching: :queryall - Used to locate an app listed as a hotfix, system component, or child entry of another app. Windows only. Disregarded on other OS's. Example: left:Tanium Client:queryall |
Installed Applications | Core Content | Sensor | Tanium Core Content | List of applications and application versions on the client. The list includes symlinked applications from guest OSes if the client has Parallels installed. Example: Mozilla Firefox | 16.0.1 |
Installed HotFixes | Core Content | Sensor | Tanium Core Content | Returns a list of hotfixes that have previously been applied to the client machine. Example: IY94310 |
Installed Pkgs | Core Content | Sensor | Tanium Core Content | Returns a list of installed Packages by name on Solaris systems. Example: glibc-2.5-12 |
Installed RPMs | Core Content | Sensor | Tanium Core Content | Returns a list of installed RPMs by name on Linux systems. Example: glibc-2.5-12 |
Installed Store Apps | Core Content | Sensor | Tanium Core Content | Returns the Application name and Version for native OS App Stores. On Windows, OS 8+ and Server 2012 R2+ |
Integrity Monitor - Active Watchlists | Integrity Monitor Deployment | Sensor | Tanium Integrity Monitor | Retrieves the active watchlists from the endpoint |
Integrity Monitor - Endpoint ID | Integrity Monitor Deployment | Sensor | Tanium Integrity Monitor | Gets the Integrity Monitor ID (IMID) that Integrity Monitor has generated for the endpoint |
Integrity Monitor - Event Count | Integrity Monitor Events | Sensor | Tanium Integrity Monitor | Returns a bucketed number of events for the last 24 hours from the endpoint. |
Integrity Monitor - Event Count By Watchlist | Integrity Monitor Events | Sensor | Tanium Integrity Monitor | Returns a bucketed number of events grouped by Watchlist for the last 24 hours from the endpoint. |
Integrity Monitor - Monitor Events | Integrity Monitor Events | Sensor | Tanium Integrity Monitor | Returns change type event counts from DB on endpoint. |
Integrity Monitor - Monitor Events Unlabeled | Integrity Monitor Events | Sensor | Tanium Integrity Monitor | Returns change type event counts from DB on endpoint that are unlabeled. |
Internet Explorer Version | Core Content | Sensor | Tanium Core Content | Returns the version of Internet Explorer installed on a system. Example:8.0.6001.18702 |
IP Address | Reserved | Sensor | Tanium Default Content | Current IP Addresses of client machine. Example: 192.168.1.1 |
IP Connections | Core Content | Sensor | Tanium Core Content | Returns the protocol, local address / port, process name, application name, remote port, and connection state for all active IP connections on an endpoint. Example: tcp|192.168.95.186:51866|explorer.exe|Windows Explorer|165.254.58.66:80|established |
IP Route Details | Core Content | Sensor | Tanium Core Content | Returns IPv4 network routes, filtered to exclude noise. With Flags, Metric, Interface columns. Example: 172.16.0.0|192.168.1.1|255.255.0.0|UG|100|eth0 |
IP Routes | Core Content | Sensor | Tanium Core Content | Returns IPv4 network routes, filtered to exclude noise. Example: 172.16.0.0|192.168.1.1|255.255.0.0 |
IPv4 Address | Base | Sensor | Tanium Default Content | Returns only IP V4 addresses |
IPv6 Address | Base | Sensor | Tanium Default Content | Returns only IPv6 addresses |
Is AIX | Reserved | Sensor | Tanium Default Content | Returns whether the machine runs a AIX OS. True if so, False if not. Example: True |
Is AWS | RTAC | Sensor | Tanium Red Team As Code | Returns True if Amazon's instance-identity/document IMDS endpoint returns information. |
Is Azure | RTAC | Sensor | Tanium Red Team As Code | Returns True if Azure's instance metadata endpoint returns information. |
Is Cloud | Core Content | Sensor | Tanium Core Content | Returns whether the machine is cloud hosted. True if so, False if not. Example: True |
Is DC | Core Content | Sensor | Tanium Core Content | Returns True if the endpoint has a Domain Controller role (Primary or Backup) Example: True |
Is Ephemeral Endpoint | Tanium Data Service | Virtual Sensor | Tanium Data Service | |
Is File Digitally Signed | Incident Response | Sensor | Tanium Threat Response | Checks whether or not the specified file is digitally signed. Uses the Windows WinVerifyTrust API to verify the signature embedded in the file. |
Is GCP | RTAC | Sensor | Tanium Red Team As Code | Returns True if GCP's Instance ID metadata endpoint returns information. |
Is Kubernetes Node | Cloud Workloads | Sensor | Tanium Cloud Workloads | Reports whether it is a Kubernetes node or not. |
Is Laptop | Base | Sensor | Tanium Default Content | Returns True if the chassis type is a laptop or similar portable device, False otherwise. |
Is Linux | Reserved | Sensor | Tanium Default Content | Returns whether the machine runs a Linux-based OS. True if so, False if not. Example: True |
Is Mac | Reserved | Sensor | Tanium Default Content | Returns whether the machine is a Mac. True if so, False if not. Example: True |
Is Managed | Base | Sensor | Tanium Default Content | Returns True if the endpoint is running the Tanium Client. Returns False if not. |
Is Managed Container Host | Containers | Sensor | Tanium Containers | Identifies managed endpoints that are container hosts and have the TCC/TCC Tools. |
Is Python 2.7 Installed | Python 2 | Sensor | Tanium Asset, Tanium Deploy, Tanium Endpoint Configuration Toolset Solution, Tanium Engage, Tanium Impact, Tanium Map, Tanium Threat Response | |
Is Python 3.12 Installed | Base | Sensor | Tanium Default Content | Returns True if Core Python 3.12 is installed, otherwise returns False. Example: True |
Is Python 3.8 Installed | Base | Sensor | Tanium Default Content | Returns True if Core Python 3.8 is installed, otherwise returns False. Example: True |
Is Quarantined | Incident Response | Sensor | Tanium Threat Response | Windows: Returns "Yes" if a machine has a Ipsec Policy named "Tanium Quarantine" applied, other wise returns "No". Linux: Returns "Yes" if a machine has an iptables rule named "Tanium Quarantine", otherwise returns "No". |
Is Solaris | Reserved | Sensor | Tanium Default Content | Returns whether the machine runs a Solaris-based OS. True if so, False if not. Example: True |
Is Tanium Client Container | Containers | Sensor | Tanium Containers | Returns True if the Tanium Client is executing in a Tanium Client Container, False otherwise. |
Is Terminal Server | Base | Sensor | Tanium Default Content | Returns Yes or No depending on whether a Windows machine is a Terminal Server Example: Yes |
Is Virtual | Base | Sensor | Tanium Default Content | Returns Yes or No to indicate whether the hardware is virtual. Echo: Yes |
Is Windows | Reserved | Sensor | Tanium Default Content | Returns whether the machine runs Windows. True if so, False if not. Example: True |
Kaspersky Client Version | Core Content | Sensor | Tanium Core Content | Returns the version of the Kaspersky Antivirus Scanner. Example:5.6 |
Kaspersky DAT Days Old | Core Content | Sensor | Tanium Core Content | Returns the age, in days, of the Kaspersky Antivirus DAT file. Example: 5 |
Kaspersky DAT Version | Core Content | Sensor | Tanium Core Content | Returns the version of the Kaspersky Antivirus DAT file. Example: 5.0.0.3 |
KB5037771 - Impacted Endpoints | Default | Sensor | Tanium Emerging Issues Content | Detects if an endpoint is impacted by an issue with KB5037771 |
Kernel Modules | Core Content | Sensor | Tanium Core Content | Returns loaded kernel modules on Linux systems. Example:dcdbas |
Kernel Version | Core Content | Sensor | Tanium Core Content | Returns running kernel version on Unix based systems. Example:Linux 4.15.0-45-generic |
Kubernetes - Cluster Labels | Cloud Workloads | Sensor | Tanium Cloud Workloads | Reports Tanium labels assigned to the Kubernetes cluster. |
Kubernetes - Cluster Name | Cloud Workloads | Sensor | Tanium Cloud Workloads | Reports the name assigned to the Kubernetes cluster. |
Kubernetes - Container Details | Cloud Workloads | Sensor | Tanium Cloud Workloads | Reports the running container details for Kubernetes pods. |
Kubernetes - Correlation ID | Cloud Workloads | Sensor | Tanium Cloud Workloads | Reports the correlation ID assigned to the Kubernetes cluster. |
Kubernetes - Is Kubernetes Cluster | Cloud Workloads | Sensor | Tanium Cloud Workloads | Reports whether it is a Kubernetes cluster or not. |
Kubernetes - Node Info | Cloud Workloads | Sensor | Tanium Cloud Workloads | Reports details about the nodes in the cluster. |
Kubernetes - Node Machine IDs | Cloud Workloads | Sensor | Tanium Cloud Workloads | Reports the machine IDs of all nodes in the cluster. |
Kubernetes - Number of Nodes | Cloud Workloads | Sensor | Tanium Cloud Workloads | Reports the count of the nodes reported by the Kubernetes cluster. |
Kubernetes - Number of Running Pods | Cloud Workloads | Sensor | Tanium Cloud Workloads | Reports the count of running pods in the Kubernetes cluster. |
Kubernetes - Number of Running Pods with Rogue Containers | Cloud Workloads | Sensor | Tanium Cloud Workloads | Reports the count of running pods with rogue containers in the Kubernetes cluster. |
Kubernetes - Orchestrator Version | Cloud Workloads | Sensor | Tanium Cloud Workloads | Reports the orchestrator version. |
Kubernetes - Provider | Cloud Workloads | Sensor | Tanium Cloud Workloads | Reports the cloud service provider name of the Kubernetes cluster. |
Kubernetes - Server Version | Cloud Workloads | Sensor | Tanium Cloud Workloads | Reports the server version of the Kubernetes cluster. |
Kubernetes Environment | Containers | Sensor | Tanium Containers | Identifies the Kubernetes environment details, typically of the cloud provider. |
Kubernetes Pods | Containers | Sensor | Tanium Containers | Enumerates all Kubernetes running pods including those typically hidden from view. |
Last Discovered | Discover Content | Virtual Sensor | Discover Content | |
Last Logged In User | Core Content | Sensor | Tanium Core Content | If no user is logged in, returns the last user to log in is reported. If a user is currently logged in, that user is returned. Example: DOMAIN\Jane.Doe |
Last Managed | Discover Content | Virtual Sensor | Discover Content | |
Last Reboot | Base | Sensor | Tanium Default Content | Returns the time the last reboot occurred. Example: Tue, 14 Jan 2020 18:37:13 -0800 |
Last System Crash | Core Content | Sensor | Tanium Core Content | Returns the date of the last system crash that occurred. Example: 8/2/2012 |
Last System Crash in X Days | Core Content | Sensor | Tanium Core Content | Returns the date at which the last system crash occurred. Example:5/2/2012 |
Linux AutoRuns | Incident Response | Sensor | Tanium Threat Response | Linux AutoRuns and their types, from known categories such as Systemd, etc ... |
Linux Machine ID | Cloud Workloads | Sensor | Tanium Cloud Workloads | Reports the machine ID of a Linux host running systemd. |
Linux Network Manager | Incident Response | Sensor | Tanium Threat Response | Returns "Yes" If Network Manager is enabled, otherwise "No" |
Listen Ports | Core Content | Sensor | Tanium Core Content | Returns information network-aware processes and the ports they have bound to. Example: googletalkplugin.exe Google Talk Plugin :60042 |
Listen Ports with Hash | Incident Response | Sensor | Tanium Threat Response | Identifies listening TCP ports, including the process listening to the port, the hash of the process, the display name of the process (if available), and the listening IP Address and port. |
Load Average | Core Content | Sensor | Tanium Core Content | Returns the average CPU load on a Mac or Linux system Example: 0.00 0.03 0.10 |
Loaded Auditd Rules | Core Content | Sensor | Tanium Core Content | This sensor confirms auditd is installed, then lists all currently loaded auditd rules. If no rules are loaded, it returns "No rules". Example: -w /usr/bin/passwd -p x -k identity |
Loaded Modules Not Matching Whitelist | Incident Response | Sensor | Tanium Threat Response | Lists the MD5 hash and fully-qualified path of any loaded modules that are not on the current MD5 whitelist. |
Loaded Modules Of Process | Incident Response | Sensor | Tanium Threat Response | Lists the modules loaded by the specified process. The parameter is a regular expression of the process or module name. |
Loaded Modules with Hash | Incident Response | Sensor | Tanium Threat Response | Displays the fully-qualified path and hash of each loaded module. |
Local Account Expiration Details | Core Content | Sensor | Tanium Core Content | Returns local accounts and days until they expire. Accounts which have no expiration date return "N/A" Example: user.name|19 |
Local Account Last Password Change Days Ago | Core Content | Sensor | Tanium Core Content | Returns local accounts and number of days ago that the password was changed. Example: user.name|19 |
Local Administrators | Core Content | Sensor | Tanium Core Content | Returns users and groups who are considered 'administrators' on non-windows platforms. For Windows, consider the Content-ADQuery solution. Example: root |
Local Administrators Without Groups | Core Content | Sensor | Tanium Core Content | Returns users which are considered local administrators on Mac and Linux. For Windows, consider the Content-ADQuery solution or try the "Local Administrators" sensor. Example: root |
Local Printers | Core Content | Sensor | Tanium Core Content | Returns printers which are not connected via Network Example: HP LaserJet 4400c |
Local User Login Dates | Core Content | Sensor | Tanium Core Content | Returns the names and dates of the last users to log in. Example: John.Doe 7/25/2012 |
Local User Password Change Dates | Core Content | Sensor | Tanium Core Content | Returns the last time the password was set for each user account. Example: taniumuser|2013-10-31 |
Locale Code | Base | Sensor | Tanium Default Content | Returns the OS Locale Code from the installed operating system. This differs from the LCID returned in the OS language sensor. Example:0409 |
Logged In Users | Base | Sensor | Tanium Default Content | Provides a list of users currently logged in to the client machine. Includes Remote Desktop sessions on Windows. Example: Administrator |
Logical Disk | Core Content | Sensor | Tanium Core Content | Logical disks installed on the endpoint Example: D:|D:|AX2PXFPP_EEN|585 MB|197 MB|167 MB|Fixed|FAT32 |
Logical Volumes | Core Content | Sensor | Tanium Core Content | Returns the logical volume names on the endpoint. Example: root |
Login Hooks | Incident Response | Sensor | Tanium Threat Response | Returns the file name and path of a login hook script. Example: /Library/Scripts/badStuff.sh |
Logon Security Event Log Search | Incident Response | Sensor | Tanium Threat Response | Searches Windows Security Event log and equivalent logging sources on Mac for logon events. |
Logout Hooks | Incident Response | Sensor | Tanium Threat Response | Returns the file name and path of logout hook script. Example: /Library/Scripts/badStuff.sh |
Low Disk Space | Core Content | Sensor | Tanium Core Content | Returns disk drives which have less than 2 gigabytes free. Example: C: |
MAC Address | Base | Sensor | Tanium Default Content | Returns MAC addresses for all IP enabled network connections. Example:00:0C:29:68:6A:D8 |
Mac AutoRuns | Incident Response | Sensor | Tanium Threat Response | Mac AutoRuns and their types, from known categories such as Launch Agents, Launch Daemons, Startup Items, User Login Items, Kernel Extensions, etc ... |
Mac Downloaded Files | Incident Response | Sensor | Tanium Threat Response | Queries the ~/Library/Preferences/com.apple.LaunchServices.QuarantineEvent* file for downloaded files. |
Mac Firewall Settings | Incident Response | Sensor | Tanium Threat Response | Enumerate the firewall settings on MacOS |
Mac Gatekeeper Settings | Incident Response | Sensor | Tanium Threat Response | Enumerate the Gatekeeper settings on MacOS |
Mac Kext Details | Incident Response | Sensor | Tanium Threat Response | Allows you to find allowed kernel extensions on a Mac |
Manual Group Membership | Reserved | Sensor | Tanium Default Content | A list of manual group ids for internal use. Example: 72 |
Manufacturer | Core Content | Sensor | Tanium Core Content | Returns System or Motherboard manufacturer (OS Dependent). Example: Apple |
Map - Active Applications | Map | Sensor | Tanium Map | Returns list of applications that were active during the selected time window |
Map - Application Coverage | Map | Sensor | Tanium Map | Returns "Mapped" if the endpoint is a member of an application definition, otherwise "Unassigned". |
Map - Coverage Status | Map | Sensor | Tanium Map | Returns "Optimal" if Map is installed and configured properly, "Needs Attention" if Map is not installed or not healthy, "Unsupported" if the operating system is not supported. |
Map - Discover Seed Clients | Map | Sensor | Tanium Map | Returns clients for specified processes within the specified time period |
Map - Discover Seed Details | Map | Sensor | Tanium Map | Returns details for specified processes within the specified time period |
Map - Discover Seeds | Map | Sensor | Tanium Map | Returns a list of mappable processes identified on endpoints within the specified time period, filtered by listening ports |
Map - Discover Tier Details | Map | Sensor | Tanium Map | Returns a list of incoming and outgoing connections related to the ip and port parameters. |
Map - Endpoint Connections | Map | Sensor | Tanium Map | Returns a list of connections that have the target endpoint as source or destination |
Map - Endpoint Health | Map | Sensor | Tanium Map | Returns "Healthy" if no health checks found or some combination of "Map CX Issue", "Core CX Issue", and/or "Recorder CX Issue" if any health checks are found for these extensions. |
Maximum Process Memory Size | Core Content | Sensor | Tanium Core Content | Returns the maximum amount of memory, in Kilobytes, that a process can use. This may be free physical RAM and virtual RAM combined, or may be an arbitrary upper ceiling. Example: 2097024 |
McAfee Agent Health | Core Content | Sensor | Tanium Core Content | Determines McAfee Health based upon Last Communication Threshold, McAfee Agent Service Status and StartUp state. Each of these categories are also returned in the output. |
McAfee Agent Last ASC Days | Core Content | Sensor | Tanium Core Content | Return Last Agent to Server Communication between the McAfee Agent and the EPO Server. |
McAfee Agent Last Policy Update Days | Core Content | Sensor | Tanium Core Content | Return Last McAfee Agent Policy Update between the McAfee Agent and the EPO Server. |
McAfee Agent Version | Core Content | Sensor | Tanium Core Content | Returns the McAfee Agent Version Example: 4.6.0.2292 |
McAfee Status | Core Content | Sensor | Tanium Core Content | Returns whether or not the agent is installed and running Example: Installed Not Running |
McAfee Status Details | Core Content | Sensor | Tanium Core Content | Provides service details for McAfee services on Windows endpoints. |
McAfee VSE DAT Version | Core Content | Sensor | Tanium Core Content | Returns the version of the active McAfee VirusScan Enterprise DAT file. Example: 6910 |
MD5 Hash Match Files Executing | Incident Response | Sensor | Tanium Threat Response | Retrieves a fully-qualified path of an executable file for a running process that matches the specified MD5 hash. Results also indicate if the file is executing. |
MD5 Hash Of File | Incident Response | Sensor | Tanium Threat Response | Returns the MD5 hash for a file at a specified path. |
MD5 Hash Single File Match | Incident Response | Sensor | Tanium Threat Response | Indicates whether the file at the specified path matches the specified MD5 hash. |
MDM - Available Device Capacity | Mobile Device Management | Virtual Sensor | Mobile Device Management | |
MDM - Awaiting Configuration | Mobile Device Management | Virtual Sensor | Mobile Device Management | |
MDM - Device Capacity | Mobile Device Management | Virtual Sensor | Mobile Device Management | |
MDM - Device Config Profile Status | Mobile Device Management | Virtual Sensor | Mobile Device Management | |
MDM - Device Config Profile Status List | Mobile Device Management | Virtual Sensor | Mobile Device Management | |
MDM - Device Config Profile Status Summary | Mobile Device Management | Virtual Sensor | Mobile Device Management | |
MDM - Device ID | Mobile Device Management | Sensor | Tanium Mac Device Enrollment | Displays MDM device id. |
MDM - Device Platform | Mobile Device Management | Virtual Sensor | Mobile Device Management | |
MDM - Enforce Config Profile last updated In TDS Sequence | Mobile Device Management | Virtual Sensor | Mobile Device Management | |
MDM - Enforce FileVault Enabled | Mobile Device Management | Virtual Sensor | Mobile Device Management | |
MDM - Enforce FileVault Key Escrowed | Mobile Device Management | Virtual Sensor | Mobile Device Management | |
MDM - Enforce FileVault Key Rotation Status | Mobile Device Management | Virtual Sensor | Mobile Device Management | |
MDM - Enforce MDM FileVault Escrow Targeted | Mobile Device Management | Virtual Sensor | Mobile Device Management | |
MDM - Enforce Targeted Device Configuration Profile | Mobile Device Management | Virtual Sensor | Mobile Device Management | |
MDM - Enforce Targeted Device Configuration Profile List | Mobile Device Management | Virtual Sensor | Mobile Device Management | |
MDM - Enforce Targeted Password Profile | Mobile Device Management | Virtual Sensor | Mobile Device Management | |
MDM - Enrollment Email | Mobile Device Management | Virtual Sensor | Mobile Device Management | |
MDM - Enrollment Status | Mobile Device Management | Virtual Sensor | Mobile Device Management | |
MDM - Is Activation Lock Enabled | Mobile Device Management | Virtual Sensor | Mobile Device Management | |
MDM - Is Enrolled Via ABM | Mobile Device Management | Virtual Sensor | Mobile Device Management | |
MDM - Is Supervised | Mobile Device Management | Virtual Sensor | Mobile Device Management | |
MDM - Last Check In Date | Mobile Device Management | Virtual Sensor | Mobile Device Management | |
MDM - Last Seen Epoch Milliseconds | Mobile Device Management | Virtual Sensor | Mobile Device Management | |
MDM - macOS Available OS Updates | Mobile Device Management | Virtual Sensor | Mobile Device Management | |
MDM - Model | Mobile Device Management | Virtual Sensor | Mobile Device Management | |
MDM - Model Name | Mobile Device Management | Virtual Sensor | Mobile Device Management | |
MDM - Operating System Version | Mobile Device Management | Virtual Sensor | Mobile Device Management | |
MDM - OS Update Settings | Mobile Device Management | Virtual Sensor | Mobile Device Management | |
MDM - Password Config Profile Status | Mobile Device Management | Virtual Sensor | Mobile Device Management | |
MDM - Product Info | Mobile Device Management | Virtual Sensor | Mobile Device Management | |
MDM - UDID | Mobile Device Management | Virtual Sensor | Mobile Device Management | |
MDM - User ID | Mobile Device Management | Virtual Sensor | Mobile Device Management | |
Memory Consumption | Core Content | Sensor | Tanium Core Content | Returns the percentage of used (committed) memory on a system. Example: 27 percent |
Microsoft Defender AntiMalware Details | AntiVirus | Sensor | Tanium Core Content | Returns Microsoft Defender AntiMalware Versions, service enabled and service state status. Example: 1.1.19600.3 | 4.18.2207.7 | True | Normal |
Microsoft Defender AntiSpyware Details | AntiVirus | Sensor | Tanium Core Content | Returns Microsoft Defender AntiSpyware signature details and service enabled. Signature Age is in days. Example: True | 1 | Mon, 26 Sep 2022 19:00:00 +0000| 1.374.1089.0 |
Microsoft Defender AntiVirus Details | AntiVirus | Sensor | Tanium Core Content | Returns Microsoft Defender AntiVirus signature details and service enabled. Signature Age is in days. Example: True | 0 | Mon, 26 Sep 2022 19:00:00 +0000 | 1.374.1089.0 |
Microsoft Defender Attack Surface Reduction Rule ID Status | AntiVirus | Sensor | Tanium Core Content | Returns Enabled or Disabled depending on the Attack Surface Reduction Rule ID GUID enablement. Example: Enabled |
Microsoft Defender Computer ID | AntiVirus | Sensor | Tanium Core Content | Returns the Computer ID associated with Microsoft Defender. Example: A5C31234-ASDF-1234-12AS-40ASD1234ASDF |
Microsoft Defender Extension Exclusions | AntiVirus | Sensor | Tanium Core Content | Returns Microsoft Defender Extension Exclusions Example: pdf |
Microsoft Defender FullScan Details | AntiVirus | Sensor | Tanium Core Content | Returns Microsoft Defender FullScan age, overdue, required, signature version, start time and end time. Example: 89 | False | False | 1.369.468.0 | Wed, 29 Jun 2022 20:00:00 +0000 | Wed, 29 Jun 2022 20:00:00 +0000 |
Microsoft Defender Health Details | AntiVirus | Sensor | Tanium Core Content | Returns Microsoft Defender Health Details True|False and Health Issues. Example: False | Defender Signatures out of date |
Microsoft Defender Installed | AntiVirus | Sensor | Tanium Core Content | Report True if Microsoft Defender is installed or False. Example: True |
Microsoft Defender IP Address Exclusions | AntiVirus | Sensor | Tanium Core Content | Returns Microsoft Defender IP Address Exclusions. Example: 192.168.1.1 |
Microsoft Defender Network Inspection Service Details | AntiVirus | Sensor | Tanium Core Content | Returns Microsoft Defender Network Inspection Service Status, Engine Version, Signature Age in Days, Signature Last Updated date, and Signature Version. Example: True | 1.1.19600.3 | 1 | Mon, 26 Sep 2022 07:00:00 +0000 | 1.375.1089.0 |
Microsoft Defender On Access Protection Status | AntiVirus | Sensor | Tanium Core Content | Returns Microsoft Defender On Access Protection Status Enabled|Disabled. Example: Enabled |
Microsoft Defender Org ID | AntiVirus | Sensor | Tanium Core Content | Returns the Org ID associated with Microsoft Defender. Example: A5C31234-ASDF-1234-12AS-40ASD1234ASDF |
Microsoft Defender Path Exclusions | AntiVirus | Sensor | Tanium Core Content | Returns Microsoft Defender Path Exclusions Example: /opt/Tanium/TaniumClient |
Microsoft Defender Process Exclusions | AntiVirus | Sensor | Tanium Core Content | Returns Microsoft Defender Process Exclusions Example: TaniumClient.exe |
Microsoft Defender QuickScan Details | AntiVirus | Sensor | Tanium Core Content | Returns Microsoft Defender QuickScan age, overdue, signature version, start time and end time. Example: 3 | False | 1.375.867.0 | 1.375.867.0 | Fri, 23 Sep 2022 13:00:00 +0000 | Fri, 23 Sep 2022 13:00:00 +0000 |
Microsoft Defender Real-Time Protection Status | AntiVirus | Sensor | Tanium Core Content | Returns Microsoft Defender Real-Time Protection Status Enabled|Disabled. Example: Enabled |
Microsoft Defender Tamper Protection Status | AntiVirus | Sensor | Tanium Core Content | Returns Microsoft Defender Tamper Protection Status Enabeld|Disabled. Example: Enabled |
Microsoft Defender Threat Details | AntiVirus | Sensor | Tanium Core Content | Returns Microsoft Defender Threat Type, Severity, Execution Status, Active Status, Remediation Status, Resources. Example: Virus:DOS/EICAR_Test_File | 5 | True | quarantined | notepad.exe, eicar.com.txt, Tue, 01 Jan 2020 00:00:00 +0000 |
Microsoft Defender UI Lockdown Status | AntiVirus | Sensor | Tanium Core Content | Returns Microsoft Defender UI Lockdown Status Enabled|Disabled. Example: Enabled |
Microsoft Dot Net Details | Core Content | Sensor | Tanium Core Content | Details of installed Microsoft .Net components. |
Model | Core Content | Sensor | Tanium Core Content | Returns the Model of a system. Example: Precision T1600 |
Monitor Details | Core Content | Sensor | Tanium Core Content | Returns details of attached physical monitors. Example: Model Name, Serial Number, VESA Manufacturer ID, Manufacture Date |
Monitor Resolution | Core Content | Sensor | Tanium Core Content | Returns details about connected displays. Example:1024 by 768 pixels, True Color, 60 Hertz |
Motherboard Manufacturer | Core Content | Sensor | Tanium Core Content | Returns the Motherboard Manufacturer of a system. Example:Lenovo |
Motherboard Name | Core Content | Sensor | Tanium Core Content | Returns the motherboard product name of a system. Example: 440BX Desktop Reference Platform |
Motherboard Version | Core Content | Sensor | Tanium Core Content | Returns the Version of a motherboard. Example:9230 |
Mutex Details | Incident Response | Sensor | Tanium Threat Response | Returns details about a specified mutex object, including process, PID, user, handle ID, and mutex name. |
Mutex Handles Of Process | Incident Response | Sensor | Tanium Threat Response | Returns the open handles to file mutex objects for a specified process. The parameter is a regular expression for a process name. |
NAT IP Address | Discover Content | Sensor | Tanium Discover | Returns the IP Address of this client as seen from the Tanium Server. Example: 24.102.223.34 |
NET Version | Core Content | Sensor | Tanium Core Content | Returns the highest version number of all installed .NET. |
Network Adapter Details | Core Content | Sensor | Tanium Core Content | Returns information on network adapters. Example:Intel(R) Centrino(R) Ultimate-N 6300 AGN|Intel Corporation|Ethernet 802.3|00:24:D7:21:9C:70|65 Mbps|Wi-Fi |
Network Adapter Name | Core Content | Sensor | Tanium Core Content | Returns the names of network adapters that are active. Example: VMware Accelerated AMD PCNet Adapter |
Network Adapter Type | Core Content | Sensor | Tanium Core Content | Returns the names of the network connections which are active. Example: Local Area Connection |
Network Adapters | Discover Content | Sensor | Tanium Discover | Returns a list of network adapter addresses. Example: 192.168.0.1|01-0C-03-4D-25-D8 |
Network Details | Incident Response | Sensor | Tanium Threat Response | Enumerates verbose network connection details |
Network IP Gateway | Core Content | Sensor | Tanium Core Content | Returns the default gateway for all IP enabled network adapters. Example: 192.168.10.254 |
Network Link Speed | Core Content | Sensor | Tanium Core Content | Returns the names and speeds of all network connections. Example: WAN Miniport (IP) | 10000 |
Network Printer Details | Core Content | Sensor | Tanium Core Content | Returns the connected network printers. Example: printer_name | driver | port |
Network Printers | Core Content | Sensor | Tanium Core Content | Returns printers which are connected via Network Example: HP LaserJet 4400c |
Network Throughput Inbound | Core Content | Sensor | Tanium Core Content | Returns the current inbound throughput, in KB/Sec, of the network interface used to connect to the tanium server. Example: 1024 KB/S |
Network Throughput Outbound | Core Content | Sensor | Tanium Core Content | Returns the current output throughput, in KB/Sec, of the network interface used to connect to the tanium server. Example: 1024 KB/S |
Network Throughput Percentage | Core Content | Sensor | Tanium Core Content | Returns the current throughput, as a percentage of total possible, of the network interface used to connect to the tanium server. Example: 50% |
Network Throughput Total | Core Content | Sensor | Tanium Core Content | Returns the current total throughput, in KB/Sec, of the network interface used to connect to the tanium server. Example: 2048 KB/S |
No Screen Saver Password | Core Content | Sensor | Tanium Core Content | Returns the users which have no screen saver password set. Example: Domain\John.Doe |
Non-Approved Established Connections | Incident Response | Sensor | Tanium Threat Response | Lists information about established connections that were opened by a prohibited process or to a prohibited destination. The Sensor definition can be modified to exclude process and IP range. Returns the process responsible for the connection, the display name of the process (if available), and the target IP Address and port. Example: chrome.exe | Google Chrome | 173.194.79.99:80 |
Non-Approved Established Connections with Hash | Incident Response | Sensor | Tanium Threat Response | Lists information about established connections that were opened by a prohibited process or to a prohibited destination. Returns the process responsible for the connection, the hash of the process, the display name of the process (if available), and the target IP Address and port. Processes and IP ranges can be excluded in the Sensor definition. |
Number of Application Crashes in Last X Days | Core Content | Sensor | Tanium Core Content | Returns the number of application crashes that have occurred in the last number of days supplied to the sensor. Example: 3 |
Number of Fixed Drives | Core Content | Sensor | Tanium Core Content | Returns the number of fixed drives installed in the system. Example:4 |
Number of Logged In Users | Core Content | Sensor | Tanium Core Content | Returns the number of interactively logged in users. On Windows, this will include Remote Desktop sessions. Example: 2 |
Number of Processor Cores | Core Content | Sensor | Tanium Core Content | Returns the number of processor cores in all installed processors. Not supported on all OS patch levels. Example:2 |
Number of Processors | Core Content | Sensor | Tanium Core Content | Returns the number of physical processors on a system. This may differ from the number of cores or number of logical processors. Example:1 |
Number Of Users | Core Content | Sensor | Tanium Core Content | Returns the number of user sessions for which the operating system is storing state. This may differ from the number of interactively logged in users. Example:3 |
Onboard Devices | Core Content | Sensor | Tanium Core Content | Returns the name of any device which is built into the motherboard. Example: ES1371 |
Online | Reserved | Sensor | Tanium Default Content | Returns, in all cases, the word True. This sensor is used in many ways, including to find a common target for machines which may have responded to a question with a 'where' clause - get "online from machines where IP address starts with 192.168.10." will allow you to target the respondents with an action or count responses. Example:True |
Online Random Sample | Base | Sensor | Tanium Default Content | Sample your population. Return True for X % of online devices, False for 100-X% online devices. Can be used for targeting sample audiences, such as Tagging for phased roll-out or sampled analysis of index logs Default for % sample is 5% Default Max Age is 60 minutes Example: True Example: False |
Open Port | Core Content | Sensor | Tanium Core Content | Returns the ports which are listening on a local machine and the IP address the port is bound to. 0.0.0.0 indicates that the port is bound to all IP addresses. Example: 0.0.0.0:80 |
Open Ports | Discover Content | Sensor | Tanium Discover | Returns the top 1000 (according to Nmap) open tcp ports. Example: 135,443,445,902,912,1536,1537,1538,1539,1566 |
Open Share Details | Core Content | Sensor | Tanium Core Content | Returns a set of columns with details about open shares on a machine. Example: name | path | status | type | permissions |
Open Share Inventory Status | Core Content | Sensor | Tanium Core Content | The status of the Open Share Inventory package used to collect details of shares on endpoints. The Status column shows general Completed or Failed results. If the action had a failure, the Status Reason column might contain information of what failure occurred. If Run Time returns a negative number: -1 = The inventory status file has an invalid WhenStarted date -2 = The inventory status file has an invalid WhenCompleted date -3 = Determining the action runtime resulted in an invalid negative value |
Open Shares | Core Content | Sensor | Tanium Core Content | Returns information about shares on a PC. Example: SHARENAME |
Operating System | Reserved | Sensor | Tanium Default Content | Returns the name of the Operating System from all machines. This name may be localized. Example: Windows Server 2008 R2 Enterprise |
Operating System Boot Directory | Core Content | Sensor | Tanium Core Content | Returns the directory the Operating System boots from. Example:\Windows |
Operating System Build Number | Core Content | Sensor | Tanium Core Content | Returns the build number of the installed operating system. Example:7601 |
Operating System Full Build Number | Default | Sensor | Tanium Patch | Returns the Build Number, and UBR. Example: 14393.576 |
Operating System Generation | Base | Sensor | Tanium Default Content | Returns the generation of the Operating System from all machines. Examples: Windows 10, Windows Server 2008 R2, Red Hat Enterprise Linux Server 6, Mac OS X 10.14 |
Operating System Install Date | Core Content | Sensor | Tanium Core Content | Returns the date the OS was installed. Example: 8/24/2012 |
Operating System Language | Base | Sensor | Tanium Default Content | Returns the OS language along with any Language Packs installed. Example: English-United States en-US |
Operating System Language Code | Base | Sensor | Tanium Default Content | Returns the Language Code (LCID) of the Operating System. This differs from the Locale Code returned in the Locale Code sensor. Example: 1033 |
Operating System SKU | Base | Sensor | Tanium Default Content | Returns the Operating System SKU value. Examples: 48 |
Operating System Temp Directory | Core Content | Sensor | Tanium Core Content | Returns the gobal temp directory of the Operating System. Example: C:\Temp |
Organization | Core Content | Sensor | Tanium Core Content | Returns the Organization defined at OS install time. Example: YourCorp |
Original Filename | Incident Response | Sensor | Tanium Threat Response | Gathers the original filename for that binary on disk. This is a potential indicator that someone has renamed a legitimate binary. For example, copying and renaming the cmd.exe binary to a different location in an attempt to avoid detection |
OS Boot Time | Core Content | Sensor | Tanium Core Content | Returns the Date and Time that the OS last booted in UTC. Example: Mon, 05 Jan 2015 15:17:59 +0000 |
OS Platform | Reserved | Sensor | Tanium Default Content | Returns the platform of the operating system. Example: Windows |
Out of Date Antivirus Benchmark Metric | Benchmark | Virtual Sensor | Benchmark | Out of Date Antivirus Data |
Outlook Version | Core Content | Sensor | Tanium Core Content | Returns the version of Microsoft Office Outlook installed. Example: Outlook 2003, Version: 11.0 |
Packet Loss | Core Content | Sensor | Tanium Core Content | Returns data about percent of packet loss on Windows machines. Example: 5 % |
Page File Details | Core Content | Sensor | Tanium Core Content | Returns information about the Page File(s) on a Windows system. Path, initial size, maximum size, size on disk, current used, and peak used. Example: C:\pagefile.sys|3050 MB|3050 MB|3050 MB|413 MB|517 MB |
Parentless Processes | Incident Response | Sensor | Tanium Threat Response | Returns any running processes that do not have a parent process, or top level processes. Example: "cmd.exe" |
Patch - Applicable Patch Count | Patch Content Set | Sensor | Tanium Patch | Returns the count of all applicable patches. |
Patch - Applicable Patches by Year | Patch Service Objects | Sensor | Tanium Patch | Returns a row for every applicable patch on an endpoint Example: MSXML 6.0 RTM Security Update (925673)|Critical|4/4/2012|KB925673|False|Windows|Windows Server 2012 R2|Security Updates |
Patch - Block Lists | Patch Service Objects | Sensor | Tanium Patch | Returns the enforcement status for Block Lists Example: Type|ID|Status|Reason|OS|Version Block List|1|Enforced||Windows|1 |
Patch - Coverage Status | Patch Service Objects | Sensor | Tanium Patch | Returns "Optimal" if Patch is installed and running, "Needs Attention" if Patch is not installed or is not healthy, "Unsupported" if the operating system is not supported, and Initializing if the system is in the process of installing tools or running the first scan. |
Patch - Coverage Status Details | Patch Service Objects | Sensor | Tanium Patch | Returns "Optimal" if Patch is installed and running, "Needs Attention" if Patch is not installed or is not healthy, "Unsupported" if the operating system is not supported, and Initializing if the system is in the process of installing tools or running the first scan. Provides additional details for systems have a "Needs Attention" status to help administrators resolve client health issues. |
Patch - Deployment Errors | Patch Service Objects | Sensor | Tanium Patch | Returns error messages for Deployments defined in the Patch Workbench Example: Deployment Id|Patch UID|Error Number|Error Message 1|9876abcde|4|Failed 2|0|-214123445|WU_ERROR_MSG 3|0|9|Install Script Failed |
Patch - Deployment Results | Patch Service Objects | Sensor | Tanium Patch | Returns the deployment results for deployments defined in the Patch Workbench Example: Deployment Id|Patch UID|Patch Title|Result|Severity|Release Date|KB Articles 1|9876abcde|Some Patch Title|Succeeded|Critical|01/01/2020|222231 1|abcd9876e|Another Patch Title|Succeeded with Errors|Critical|01/01/2020|211231 2|cd76e1234|Failed Patch Title|Failed|Critical|01/01/2020|225231 |
Patch - Deployment Statuses | Patch Service Objects | Sensor | Tanium Patch | Returns the deployment statuses for deployments defined in the Patch Workbench Example: ID|Parent Status|Status|Currently Targeted 1|Complete|Complete, All Patches Applied|Yes 2|Complete|Error, No Patches Applied|No |
Patch - Direct Download Statuses | Patch Service Objects | Sensor | Tanium Patch | Returns download statuses for endpoints that download update files from the internet Example: Patch1|Patch Title 1|Patch URL 1|Succeeded|... Patch2|Patch Title 2|Patch URL 2|In Progress|... |
Patch - Enforcement Status | Patch Service Objects | Sensor | Tanium Patch | Returns the enforcement status for Blacklists and Scan Configurations defined in the Patch Workbench Example: Type|ID|Status|Reason Scan Configuration|1|Enforced| Scan Configuration|2|Unenforced|Scan Configuration Not Found Blacklist|1|Enforced| |
Patch - Has Aged Applicable Patches | Patch Service Objects | Sensor | Tanium Patch | Returns a Yes/No answer for the question of whether the system has applicable patches that meet the specified Patch Age and Severity parameters. |
Patch - Has Antivirus Compatibility Registry Key | Patch Service Objects | Sensor | Tanium Patch | Returns Yes or No if the QualityCompat registry setting that informs future patches that antivirus software was updated is set. |
Patch - Has Enforced Maintenance Window | Patch Service Objects | Sensor | Tanium Patch | Returns Yes or No if a maintenance window policy is enforced on the endpoint. |
Patch - Has Enforced Scan Configuration | Patch Service Objects | Sensor | Tanium Patch | Returns Yes or No if a scan configuration is being enforced. |
Patch - Has Recent Scan Results | Patch Service Objects | Sensor | Tanium Patch | Returns a Yes/No answer for the question of whether the system has Patch scan results within the specified Scan Age Days. |
Patch - In Maintenance Window | Patch Service Objects | Sensor | Tanium Patch | Returns "Yes" for an active maintenance window, "No" if outside of all maintenance windows, or "No Maintenance Windows Enforced" if the endpoint has no maintenance windows |
Patch - Incompatible Configurations | Patch Service Objects | Sensor | Tanium Patch | Returns all incompatible configurations from ECF Example: Data Category|ID|Compatibility Status deployment|5|Not Supported patch-list|7|Not Fully Supported |
Patch - Installation State | Patch Service Objects | Sensor | Tanium Patch | Returns a row for every applicable patch on an endpoint, and indicates whether it's installed or required. Example: a5aa3417baf0e1e0672dd70abacee6ea|MSXML 6.0 RTM Security Update (925673)|Not Installed|True|Critical|4/4/2012|MS06-061|1853208|07609d43-d518-4e77-856e-d1b316d1b8a8|KB925673|CVE-2006-4686 CVE-2006-4685|http://www.download.windowsupdate.com/msdownload/update/v3-19990518/cabpool/msxml6-kb925673-enu-amd64_cc347d98b9fe1e417cb73f0ddf004d1f94a4bfcf.exe|msxml6-kb925673-enu-amd64_cc347d98b9fe1e417cb73f0ddf004d1f94a4bfcf.exe|False|Windows|Windows Server 2012 R2|Security Updates |
Patch - Is Process Running | Patch Service Objects | Sensor | Tanium Patch | Is the Patch process running on this endpoint? Example: Yes |
Patch - Last Scan Duration | Patch Content Set | Sensor | Tanium Patch | Returns the last scan duration rounded up to the nearest 30 seconds Example: 1:30 |
Patch - Maintenance Windows | Patch Service Objects | Sensor | Tanium Patch | Returns the enforcement status for Maintenance Windows Example: Type|ID||Status|Reason|OS|Version Maintenance Window|1|Enforced||Windows|1 |
Patch - Mean Time to Patch | Patch Service Objects | Sensor | Tanium Patch | Returns Mean Time to Patch from an endpoint |
Patch - Offline CAB Build Date | Patch Content Set | Sensor | Tanium Patch | The sensor returns the "Date" for the "index.xml" file inside the wsusscn2.cab ("CAB") file. Generally, the timestamp for the "index.xml" file is the day prior to "Patch Tuesday." This sensor is only applicable if the Offline CAB scan type is configured & deployed. |
Patch - Offline CAB Days Old | Patch Content Set | Sensor | Tanium Patch | The sensor returns the "Days Old" for the "index.xml" file inside the wsusscn2.cab ("CAB") file. Generally, the timestamp for the "index.xml" file is the day prior to "Patch Tuesday." This sensor is only applicable if the Offline CAB scan type is configured & deployed. "Days Old" provides the a numeric response of the days between the CAB file timestamp and the current date. |
Patch - OS for Applicable Patches | Patch Service Objects | Sensor | Tanium Patch | Returns the Operating System name for systems with applicable patches |
Patch - Patch Downloads | Patch Service Objects | Sensor | Tanium Patch | Returns the status for Tanium file downloads initiated by Patch deployments. Example: Deployment IDs|Tanium UID|Patch URL|Status 1|09fa665904c554959b822222c203d444|https://path/to/patch/file|Complete 2|fe320b179031f7b18942d0b4af98180f|https://path/to/patch/file|Requested |
Patch - Patch List Applicability | Patch Service Objects | Sensor | Tanium Patch | Returns a row for every unique patch showing the lists that it matches Example: 1,2,4|Patch1|... 1|Patch2|... 1,3,4|Patch3|... |
Patch - Patch List Applicability Results | Patch Service Objects | Sensor | Tanium Patch | Returns a row for every unique patch showing the lists that it matches Example: 1,2,4|Patch1|... 1|Patch2|... 1,3,4|Patch3|... |
Patch - Patch List Compliance | Patch Service Objects | Sensor | Tanium Patch | Returns endpoint compliance with respect to each Patch List defined. Example: 1|All Patches|26-50 missing|Windows 1|All Patches|11-25 missing|Windows 3|Core Patches - QA|1-5 missing|Windows 4|Core Patches - Prod|Compliant|Windows 4|All Patches|1-5 missing|Red Hat |
Patch - Patch Process Options | Patch Service Objects | Sensor | Tanium Patch | Returns the values of all Patch Process Options (returns the default value if no override is configured) |
Patch - Repositories | Patch Service Objects | Sensor | Tanium Patch | Returns repository information for repositories defined and enabled on the endpoint |
Patch - Repository Variables | Patch Service Objects | Sensor | Tanium Patch | Returns repository variables key:value pairs with corresponding operating system from an endpoint |
Patch - Requires Patch 1 Cleanup | Patch Service Objects | Sensor | Tanium Patch | Returns Yes if a running TaniumPatch.vbs process is detected or if a Tanium Client\Tools\PatchMgmt directory is present. |
Patch - Requires WSP Cleanup | Patch Content Set | Sensor | Tanium Patch | Returns Yes or No if the systems has files leftover from Windows Security Patch that need to be cleaned up Example: Yes |
Patch - Scan Age | Patch Service Objects | Sensor | Tanium Patch | Returns the number of days since the last scan. Example: Days Since Successful Scan No scan results found 0 Days 5 Days 30 Days More than 30 days |
Patch - Scan Configurations | Patch Service Objects | Sensor | Tanium Patch | Returns the enforcement status for Scan Configurations Example: Type|ID|Status|Reason|OS|Version Scan Configuration|1|Enforced||Windows|1 |
Patch - Scan Errors | Patch Service Objects | Sensor | Tanium Patch | Returns error messages for Scan Configurations defined in the Patch Workbench Example: ID|Error Message 1|Missing Cab File 2|Failed to start Windows Update Service |
Patch - Self Service Activity | Patch Service Objects | Sensor | Tanium Patch | Return the self service activity for deployments |
Patch - Self Service Deployments | Patch Service Objects | Sensor | Tanium Patch | Return Patch self service deployments |
Patch - Supported Scan Types | Patch Service Objects | Sensor | Tanium Patch | Returns the supported package scan types for the endpoint. |
Patch - Tanium Scan Product Applicability | Patch Service Objects | Sensor | Tanium Patch | Returns a list of applicable Windows products as found by Tanium Scan. |
Patch Installation History | Patch Content Set | Sensor | Tanium Patch | Returns a list of patches that were installed along with the date and the tool that installed them (AV Definition updates and Windows Store updates are excluded) |
Patch Installation History - Linux | Patch Content Set | Sensor | Tanium Patch | Returns a list of patches that were installed along with the date and the package manager that installed them |
Path Permissions | Core Content | Sensor | Tanium Core Content | Returns the permissions of the given file or folder path Example (Windows): NT AUTHORITY\SYSTEM (I)(F) Example (non-Windows): User root: r-x |
PCI Device | Core Content | Sensor | Tanium Core Content | Returns the names of PCI devices in the system. Example:Intel(R) 82371AB/EB PCI Bus Master IDE Controller |
Performance - Active Profile | Performance | Sensor | Tanium Performance | Returns the id of the active profile or "None" if there is no active profile, as well as the revision of the profile. |
Performance - Affected Disks | Performance | Sensor | Tanium Performance | Returns affected disks for disk events that occurred in a given duration for a given category. Categories: 'Disk Capacity', 'Disk Latency' |
Performance - Application Crashes | Performance | Sensor | Tanium Performance | Returns application crashes including process, crash count and version over the specified duration. |
Performance - Application Details Metric Analysis | Performance | Sensor | Tanium Performance | Will return the utilization of a given metric over a certain time for the processes that make up an application. |
Performance - Application Health Data | Performance | Sensor | Tanium Performance | Returns the average daily CPU and Memory Utilization as well as the daily Application Crash count for configuration Applications. |
Performance - Application Metric Analysis | Performance | Sensor | Tanium Performance | Will return the utilization of an application (as defined by the processes in the parameter of this sensor). |
Performance - Boot Metrics | Performance | Sensor | Tanium Performance | Boot metrics that include count, average, maximum, and minimum values in seconds over a specified duration. |
Performance - Configured | Performance | Sensor | Tanium Performance | Returns the endpoint configured state in regards to Performance. Return value examples: "Not Configured", "Configured", "Unsupported". If Not Configured, the endpoint will return why it is not configured. Return value examples: "Needs Tools", "Needs Profile". |
Performance - Coverage Status | Performance | Sensor | Tanium Performance | Returns the Performance coverage status. Return value examples: "Optimal", "Needs Attention", "Unsupported". See Performance - Configured sensor for reasons why the endpoint needs attention. |
Performance - Daily Stream Stats | Performance | Sensor | Tanium Performance | This sensor is used to collect the statistics recorded for Stream. The results are reported as a RFC 3339 date and the total bytes transferred for that date. The bytes transferred are grouped into the following buckets: "0 B", "<= 10 MB", "<= 50 MB", "<= 100 MB", "<= 200 MB", "<= 1 GB", "1 GB+". Note that this sensor will return the sum of bytes sent by all streams on the endpoint. |
Performance - Endpoint Criticality with Level | Criticality | Virtual Sensor | Criticality | |
Performance - Endpoint Score | Performance | Sensor | Tanium Performance | The Performance Score is determined by a weighted average of the scores per event type to compute an overall health score for a single endpoint within the last 24 hours. Each profile can have its own weights. Score Breakdown: Very Poor: 1-25 High: 26-50 Fair: 51-75 Good: 76-100 |
Performance - Endpoint Score Details | Performance | Sensor | Tanium Performance | The Performance Score is determined by a weighted average of the scores per event type to compute an overall health score for a single endpoint within the last 24 hours. Each profile can have its own weights. Score Breakdown: Very Poor: 1-25 High: 26-50 Fair: 51-75 Good: 76-100 |
Performance - Endpoint Score Details with Health | Performance | Virtual Sensor | Performance | |
Performance - Event Category Match Count | Performance | Sensor | Tanium Performance | Returns the count of events that occurred in a give duration for a given category. Categories: 'cpu', 'mem', 'disklat', 'diskcap', 'appcrash', 'syscrash', 'netlat', 'netoutage', 'wifisignal', 'boottime', 'logontime', '*'(all categories). 'ex. Event Category Match Count['24h', 'mem'] |
Performance - Event Category Match Counts | Performance | Sensor | Tanium Performance | Returns bucketed counts of events for a category ID in a give duration. Sample return values: cpu 1-4 appcrash 9+ appcrash 1-4 |
Performance - Event Details | Performance | Sensor | Tanium Performance | Returns detailed information about Performance events occurring within a specified timeframe for a specific event category. |
Performance - Event Match Counts | Performance | Sensor | Tanium Performance | Returns bucketed event count on Endpoint grouped by event type in a given duration. EventType1 1-4 EventType2 9+ EventType2 1-4 |
Performance - Installed Profiles | Performance | Sensor | Tanium Performance | Returns a list of profile ids |
Performance - Last Boot | Performance | Sensor | Tanium Performance | Details about the last boot. Includes duration in seconds and date. Health is determined based on duration. Health Breakdown: Poor: 61+ Fair: 31-60 Good: 0-30 |
Performance - Last Logon | Performance | Sensor | Tanium Performance | Details about the last logon. Includes duration in seconds and date. Health is determined based on duration. Health Breakdown: Poor: 181+ Fair: 121-180 Good: 0-120 |
Performance - Logon Metrics | Performance | Sensor | Tanium Performance | Logon metrics that include count, average, maximum, and minimum values in seconds over a specified duration. |
Performance - Process Metric Analysis | Performance | Sensor | Tanium Performance | Performs a specified analysis (e.g. Avg) of a given process name, for a specific metric, over a certain number of hours. |
Performance - Profile Versions | Performance | Sensor | Tanium Performance | Returns the status ("Installed", "None Installed"), the profile id and the revision |
Performance - Startup Programs Count | Performance | Sensor | Tanium Performance | Return the number of programs configured to run on startup on the endpoint |
Performance - System CPU Queue Length Metric Analysis | Performance | Sensor | Tanium Performance | Performs a specified analysis (e.g. Avg) of the CPU Queue Length metric over a certain number of hours. |
Performance - System CPU Utilization Analysis | Performance | Sensor | Tanium Performance | Performs a specified analysis (e.g. Avg) of a specific CPU metric over a certain number of hours. |
Performance - System Crashes | Performance | Sensor | Tanium Performance | Returns system crashes including bug check references over the specified duration. |
Performance - System Disk Metric Analysis | Performance | Sensor | Tanium Performance | Performs a specified analysis (e.g. Avg) of a specific Disk metric over a certain number of hours. |
Performance - System Memory Metric Analysis | Performance | Sensor | Tanium Performance | Performs a specified analysis (e.g. Avg) of a specific Memory metric over a certain number of hours. Results are in bytes for most metrics. "Memory Utilization" is a percentage of total memory. |
Performance - System Network Metric Analysis | Performance | Sensor | Tanium Performance | Performs a specified analysis (e.g. Avg) of a specific Network metric over a certain number of hours. |
Performance - Top Process Metric Analysis | Performance | Sensor | Tanium Performance | Returns the top x processes for a specified analysis (e.g. Avg), for a specific metric, over a certain number of hours. |
Performance - Top Processes | Performance | Sensor | Tanium Performance | Returns top process for events within the duration specified. This means more than one can be returned but only one per event. |
Performance - Trends Application Metric Analysis | Performance | Sensor | Tanium Performance | Will return the utilization of a particular computer resource from UTC midnight until machine's current UTC time for a given application. This application is defined by a list of processes provided by the user. Currently supported are CPU normalized (total, user, and kernel) and Memory |
Performance - Trends Event Category Match Counts | Performance | Sensor | Tanium Performance | Returns bucketed counts of events for a category name since UTC midnight. Sample return values: CPU 1-4 Application Crashes 9+ Application Crashes 1-4 |
Performance - Trends Event Summary | Performance | Sensor | Tanium Performance | Returns Performance Event Summary for the past day. Sample return values: With Critical Events or Without Critical Events |
Performance - Trends Process Metric Analysis | Performance | Sensor | Tanium Performance | Will return the utilization of a particular computer resource from UTC midnight until machine's current UTC time for a given application. This application is defined by a list of processes provided by the user. Currently supported are CPU normalized (total, user, and kernel) and Memory |
Performance - Trends System Metric Analysis | Performance | Sensor | Tanium Performance | Will return the utilization of a particular computer resource from UTC midnight until machine's current UTC time. Currently supported are CPU (total, user, and kernel) and Memory |
Performance - Trends Top Application Crashes | Performance | Sensor | Tanium Performance | Returns up to the top x applications that have crashed the most from UTC midnight until machine's current UTC time |
Performance - Trends Top Process Metric Analysis | Performance | Sensor | Tanium Performance | Returns up to the top x processes for a specified analysis (e.g. Avg), for a specific metric, from UTC midnight until machine's current UTC time |
Performance - Trends Top System Crashes | Performance | Sensor | Tanium Performance | Returns up to the top x bugcheck codes that have occurred the most from UTC midnight to current time. |
Performance - TSDB Status | Performance | Sensor | Tanium Performance | Returns information about the Tanium TSDB process on endpoints - version, space consumed, etc. |
Physical Disk | Core Content | Sensor | Tanium Core Content | Physical disks installed on the endpoint Example: Drive #0|PC1\.\PHYSICALDRIVE0|S91NFAED132527|SAMSUNG|SAMSUNG MZMPC128HBFU-000MV|Disk|IDE|128034708480 |
Physical Disk Type | Core Content | Sensor | Tanium Core Content | Physical disks installed on the endpoint and their type Example: disk0|SSD|Physical |
Physical Volumes | Core Content | Sensor | Tanium Core Content | Returns the logical volume names on the endpoint. Example: /dev/sda1 |
Pod Availability | Cloud Workloads | Sensor | Tanium Cloud Workloads | Reports the pod availability. |
Pod Details | Cloud Workloads | Sensor | Tanium Cloud Workloads | Reports the pod details. |
Pods Running inside Cluster | Cloud Workloads | Sensor | Tanium Cloud Workloads | Reports the pods running inside a cluster. |
Power Plans Active | Core Content | Sensor | Tanium Core Content | Returns the currently active power plan. Example: High performance |
Power Plans Available | Core Content | Sensor | Tanium Core Content | Returns the available power plans. Example: High performance |
PowerForensics File Record | Incident Response | Sensor | Tanium Threat Response | Retrieves the Master File Table (MFT) modified, accessed, changed, and born times for a specified file name. Returns file name, STANDARD_INFORMATION (SI) time stamps, and FILE_NAME (FN) time stamps. All time stamps are returned in UTC format. |
PowerForensics Master Boot Record | Incident Response | Sensor | Tanium Threat Response | Retrieves the operating system name, enumerated through WMI, and the MD5 hash of the master boot record (MBR) code section. |
PowerForensics Prefetch | Incident Response | Sensor | Tanium Threat Response | Searches prefetch entries for previously executed applications with a provided file path. |
PowerForensics Recently Opened Office Files by User | Incident Response | Sensor | Tanium Threat Response | Returns the path of any recently opened Office files by User name (required) and file path (optional). Requires PowerShell 2.0 or later. |
PowerForensics Shim Cache | Incident Response | Sensor | Tanium Threat Response | Retrieves executables that might have been run from entries in the Microsoft Application Compatibility section of the Registry. If an Explorer window is opened to a location for a given executable, a shim cache entry might be created even if the executable was never run. Example output: C:\Windows\System32\cmd.exe^N/A Verbose Example output: C:\Windows\System32\cmd.exe^2016-04-11 14:28 |
PowerForensics UserAssist Search | Incident Response | Sensor | Tanium Threat Response | Parses a specified NTUser.dat file for a user account. Returns the list of applications that were recently run in the Windows GUI. If an optional executable name is specified, only entries matching that executable are returned. |
PowerShell Effective Execution Policy | Base | Sensor | Tanium Default Content | The effective execution policy for the PowerShell session. PowerShell determines the effective execution policy by evaluating execution policies set by Set-ExecutionPolicy and Group Policy settings. 32 Restricted 64 Restricted 64 RemoteSigned 32 RemoteSigned 64 Bypass |
PowerShell Logging Configuration | Base | Sensor | Tanium Default Content | Reports the applied activity logging policy configurations for PowerShell and PowerShell Core. The following configuration items are reported: EnableTranscripting EnableInvocationHeader EnableScriptBlockLogging EnableScriptBlockInvocationLogging EnableModuleLogging If Transcription is enabled, the Additional Data column will list the defined OutputDirectory. If Module Logging is enabled, the Additional Data column will list what modules are defined for monitoring. Supported Platforms: Windows Use Cases: This data can be useful to determine what logging configurations are applied to endpoints. Next Steps: Use this information to enable standardizing PowerShell and PowerShell Core logging across your enterprise. Sensor Columns: Context - Where the configuration data was read. System = HKLM registry. Tanium = The user context of the Tanium Client process. Target - Indicates where the configuration setting applies (PowerShell or PowerShell Core). Component - The logging configuration item being reported. Status - The status of the configuration item (Enabled, Disabled, Not Configured). Additional Data - May contain two data points. 1- The path where transcription data is written. 2- What modules are configured for logging. Example Output: System|PowerShell|Invocation Header|Enabled System|PowerShell|Transcription|Enabled|C:\PS-Transcripts System|PowerShell|Script Block|Enabled System|PowerShell|Script Block Invocation|Enabled System|PowerShell|Modules|Enabled|* |
PowerShell Scope Policies | Base | Sensor | Tanium Default Content | The execution policies for each scope in the order of precedence as set by Set-ExecutionPolicy and Group Policy settings. 64 LocalMachine RemoteSigned 32 LocalMachine RemoteSigned 64 Process Undefined 32 Process Undefined 64 CurrentUser Undefined 32 MachinePolicy Undefined 64 MachinePolicy Undefined 32 UserPolicy Undefined 32 CurrentUser Undefined 64 UserPolicy Undefined |
PowerShell Version | Base | Sensor | Tanium Default Content | Returns the version(s) of PowerShell installed on a system Example: 2.0 |
Predicted Disk Failures | Core Content | Sensor | Tanium Core Content | Returns drives and the S.M.A.R.T. status of the drives on machines which have a failing drive reporting through S.M.A.R.T. Example: Drive | SMART Report |
Primary Owner Name | Core Content | Sensor | Tanium Core Content | Returns the name of the Primary System Owner on Windows. This is set at OS install time. Example: John Doe |
Primary WINS Server | Core Content | Sensor | Tanium Core Content | Returns the primary WINS server of a machine. Example: WINS1 |
Printers | Core Content | Sensor | Tanium Core Content | Returns printers connected to a system. Example:HP LaserJet 4400c |
Process Count | Core Content | Sensor | Tanium Core Content | Parameter: Name of a process This sensor will return the number of times that process occurs. Leave blank for a count of all processes. |
Process Details | Incident Response | Sensor | Tanium Threat Response | Returns verbose details about running processes |
Processes Using Module | Incident Response | Sensor | Tanium Threat Response | Lists processes that use a specified module. |
PST Information | Core Content | Sensor | Tanium Core Content | Returns details of PST files that have been mounted by users on a system. Example: c:\psts\huge.pst 4088 MB |
Quarantined Sensors | Client Management | Sensor | Tanium Default Content | List of sensors that have been quarantined on the local endpoint. Example: File Search |
RAM | Core Content | Sensor | Tanium Core Content | Returns the amount of RAM available to the operating system, in Megabytes. Example: 2048 MB |
RAM Max Capacity | Core Content | Sensor | Tanium Core Content | Returns the size of the maximum amount of RAM a machine can carry. Example: 8 GB |
Ram Slots Unused | Core Content | Sensor | Tanium Core Content | Returns the number of empty, unused RAM slots. Example:2 |
RAM Slots Used and Unused | Core Content | Sensor | Tanium Core Content | Returns the number of used and unused RAM slots. Example:2 6 |
Random Group Threshold | Core Content | Sensor | Tanium Core Content | This sensor will output a random number from 0-99 used as a threshold for group membership. Example Return: 67 |
RDP Client History | Incident Response | Sensor | Tanium Threat Response | Returns Local Profile, RDP Target Name or IP, and Remote Logon Name for a remote desktop client. Note that if an attacker starts the RDP client with the /Public option, then this information is not recorded in the user profile registry hive. |
Reboot Required | Core Content | Sensor | Tanium Core Content | Returns data indicating that a reboot is required and, if so, for which reason. Example: Yes |
Recently Closed Connections | Core Content | Sensor | Tanium Core Content | Returns any recently closed connection, ie those connection currently in CLOSED_WAIT or TIME_WAIT. If the process that owned the connection can be determined, it will be included. Example: Google Chrome | 173.194.79.99:80 |
Recorder - Amazon Linux Version | Tanium Recorder | Sensor | Tanium Integrity Monitor, Tanium Map, Tanium Recorder Content, Tanium Threat Response | Returns the version of Amazon Linux installed, e.g. 2 |
Recorder - Extension Settings | Tanium Recorder | Sensor | Tanium Integrity Monitor, Tanium Map, Tanium Recorder Content, Tanium Threat Response | Show Recorder Settings which have been set via Package. |
Recorder - Is BPF BCC Supported | Tanium Recorder | Sensor | Tanium Integrity Monitor, Tanium Map, Tanium Recorder Content, Tanium Threat Response | Returns 'True' if BPF BCC is supported on this endpoint |
Recorder - Is BPF CO-RE Supported | Tanium Recorder | Sensor | Tanium Integrity Monitor, Tanium Map, Tanium Recorder Content, Tanium Threat Response | Returns 'True' if BPF CO-RE (Compile Once Run Everywhere) is supported on this endpoint |
Recorder - Is BPF Supported Details | Tanium Recorder | Sensor | Tanium Integrity Monitor, Tanium Map, Tanium Recorder Content, Tanium Threat Response | Returns details about if BPF is supported on this endpoint |
Recorder - Is Extension Enabled | Tanium Recorder | Sensor | Tanium Integrity Monitor, Tanium Map, Tanium Recorder Content, Tanium Threat Response | Returns Disabled if the recorder extension is not loaded, and is disabled by the client setting DisableExtension_recorder .Otherwise, returns Enabled
|
Recorder - Legacy Installed | Tanium Recorder | Sensor | Tanium Integrity Monitor, Tanium Map, Tanium Recorder Content, Tanium Threat Response | Returns 'Yes' if legacy version of Tanium Recorder is installed, otherwise 'No' |
Recorder - Red Hat Enterprise Linux Version | Tanium Recorder | Sensor | Tanium Integrity Monitor, Tanium Map, Tanium Recorder Content, Tanium Threat Response | Returns the version of Red Hat Enterprise Linux installed, e.g. 8.3 |
Recorder - Suse Linux Version | Tanium Recorder | Sensor | Tanium Integrity Monitor, Tanium Map, Tanium Recorder Content, Tanium Threat Response | Returns the version of SuSe Linux installed, e.g. 12.1 |
Recorder - Ubuntu Linux Version | Tanium Recorder | Sensor | Tanium Integrity Monitor, Tanium Map, Tanium Recorder Content, Tanium Threat Response | Returns the version of Ubuntu Linux installed, e.g. 18.04 |
Registry Key Exists | Core Content | Sensor | Tanium Core Content | Returns True if the Registry Key exists, False if not. If HKEY_USERS is the given hive, it will loop through each logged in user's registry hive. HKEY_CURRENT_USER will also loop through all logged in user hives. HKLM, HKU, and HKCU are valid shorthand. Example: True |
Registry Key Subkeys | Core Content | Sensor | Tanium Core Content | Returns all subkeys of a supplied key. If HKEY_USERS is the given hive, it will loop through each logged in user's registry hive and attempt to output the user's name. HKEY_CURRENT_USER will also loop through all logged in user hives. HKLM, HKU, and HKCU are valid shorthand. Example: N/A | Tanium Client | 32-bit | HKLM\Software\Tanium\Tanium Client |
Registry Key Value Exists | Core Content | Sensor | Tanium Core Content | Returns True if the Registry Value exists, False if not. If HKEY_USERS is the given hive, it will loop through each logged in user's registry hive. HKEY_CURRENT_USER will also loop through all logged in user hives. HKLM, HKU, and HKCU are valid shorthand. |
Registry Key Value Names | Core Content | Sensor | Tanium Core Content | Returns all values contained in a supplied key. If HKEY_USERS is the given hive, it will loop through each logged in user's registry hive and attempt to output the user's name. HKEY_CURRENT_USER will also loop through all logged in user hives. HKLM, HKU, and HKCU are valid shorthand. Example: N/A | dwordValue | 64-bit | HKEY_LOCAL_MACHINE\Software\KeyPath\dwordValue |
Registry Key Value Names with Data | Core Content | Sensor | Tanium Core Content | Returns the data and values in a supplied registry key. If HKEY_USERS is the given hive, it will loop through each logged in user's registry hive and attempt to output the user's name. HKEY_CURRENT_USER will also loop through all logged in user hives. HKLM, HKU, and HKCU are valid shorthand. Example: John~~4.1.314.7020~~REG_SZ~~32-bit~~HKLM\Software\Tanium\Tanium Client~~Version |
Registry Value Data | Core Content | Sensor | Tanium Core Content | Returns the data of a supplied value in a supplied registry key. If HKEY_USERS is the given hive, it will loop through each logged in user's registry hive and attempt to output the user's name. HKEY_CURRENT_USER will also loop through all logged in user hives. HKLM, HKU, and HKCU are valid shorthand. Example: John~~4.1.314.7020~~REG_SZ~~32-bit |
Remote Desktop Event Log Search | Incident Response | Sensor | Tanium Threat Response | Retrieves the most recent RDP events from the Terminal Services event log. Requires Tanium Client 6.0.314.1420 or later. |
Reveal - Index File Count | Index | Sensor | Tanium Reveal | Returns count of index files that match one or more supplied inputs |
Reveal - Index File Details | Index | Sensor | Tanium Reveal | Returns details of index files that match one or more supplied inputs |
Reveal - Index File Exists | Index | Sensor | Tanium Reveal | Returns Yes or No, using Index to determine whether the specified file exists based on the supplied input |
Reveal - Index File Hash Recently Changed | Index | Sensor | Tanium Reveal | Returns details of index files that match one or more supplied inputs |
Reveal - Index Has Category Hit | Reveal | Sensor | Tanium Reveal | Returns Yes/No for endpoints with files matching a Category |
Reveal - Index Has No Validation Rule Hit | Reveal | Sensor | Tanium Reveal | Returns Yes/No for endpoints with files matching a rule with no validation |
Reveal - Index Has Rule Hit | Reveal | Sensor | Tanium Reveal | Returns Yes/No for endpoints with files matching a rule |
Reveal - Index Has Valid Rule Hit | Reveal | Sensor | Tanium Reveal | Returns Yes/No for endpoints with files matching a rule |
Reveal - Index Installed Rules | Reveal | Sensor | Tanium Reveal | Returns Rule IDs installed on the endpoint |
Reveal - Index Is Path Indexed | Default | Sensor | Tanium Reveal | Evaluates index configuration to see if a path will be indexed |
Reveal - Index List Discovered Volumes | Index | Sensor | Tanium Reveal | Returns list of filesystem volumes discovered by index |
Reveal - Index No Validation Rule Hit Files | Reveal | Sensor | Tanium Reveal | Returns files that match rules with a no validation |
Reveal - Index Quick Search | Reveal | Sensor | Tanium Reveal | Search for a hashed token on an endpoint. |
Reveal - Index Rule Hit Files | Reveal | Sensor | Tanium Reveal | Returns files that match rules |
Reveal - Index Rule Hit Files by Validation | Reveal | Sensor | Tanium Reveal | Returns files that match rules with a validation |
Reveal - Index Rule Hit Summary | Reveal | Sensor | Tanium Reveal | Summary of rule hits |
Reveal - Index Tuning - Get Top Extensions | Reveal | Sensor | Tanium Reveal | Returns the top 10 file extensions with highest file counts (bucketed) for tuning index |
Reveal - Index Tuning - Get Top Paths | Reveal | Sensor | Tanium Reveal | Returns the top 10 paths with highest file counts (bucketed) for tuning index |
Reveal - Index Valid Rule Hit Files | Reveal | Sensor | Tanium Reveal | Returns files that match rules with a valid validation |
Revision of CPU | Core Content | Sensor | Tanium Core Content | Returns the revision number of installed CPUs. Example: 5898 |
Risk - Vector Base Score | Risk | Sensor | Tanium Benchmark | Returns the base risk score components as key value pairs for a vector domain and name. |
Risk Coverage | Risk | Virtual Sensor | Risk | Provides status for the ability to calculate each vector for an endpoint. |
Risk Vectors | Risk | Virtual Sensor | Risk | Provides the endpoint risk score, vectors scores, endpoint criticality, and other details at the endpoint level. |
RPM Database Details | Core Content | Sensor | Tanium Core Content | Returns data about a Linux machine's RPM database in key/value format. Example: Corrupted|No |
RPM Database Locks | Core Content | Sensor | Tanium Core Content | Returns the count of RPM database lock files under the /var/lib/rpm directory. Example: 3 |
Run Command History | Incident Response | Sensor | Tanium Threat Response | Lists the commands that were run from the Windows command prompt field on the Start menu. |
Run Keys | Core Content | Sensor | Tanium Core Content | Returns the run keys that define which programs will be started when a user logs in. Example: System|GlobalProtect|"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe" |
Run Level | Core Content | Sensor | Tanium Core Content | Returns the set run level of Linux systems Example: 3 |
Run Once Keys | Core Content | Sensor | Tanium Core Content | Returns the run once keys that define which programs will be started when a user logs in. Example: System|GlobalProtect|"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe" |
Running Applications | Core Content | Sensor | Tanium Core Content | Provides a list of applications that are running at the present time on the client machine. Example: Google Chrome | 23.0.1271.64 |
Running Container Data | Cloud Workloads | Sensor | Tanium Cloud Workloads | Reports running container data. |
Running Container Details | Cloud Workloads | Sensor | Tanium Cloud Workloads | Reports the running container details. |
Running Containers | Containers | Sensor | Tanium Containers | Identifies all running containers, including those hidden and unknown to the orchestration layer (such as System or Rogue containers). |
Running Instances of Image | Cloud Workloads | Sensor | Tanium Cloud Workloads | Reports the running instances of image. |
Running Processes | Core Content | Sensor | Tanium Core Content | Provides a list of processes currently running on the client machine. Example: svchost.exe |
Running Processes Memory Usage | Core Content | Sensor | Tanium Core Content | Returns all running processes along with the memory each process uses. This is the process's working set. Example: lsass.exe|23 MB |
Running Processes Of User | Incident Response | Sensor | Tanium Threat Response | Provides a list of the currently running processes associated with the specified user. Example: "svchost.exe" |
Running Processes With Filename Mismatch | Incident Response | Sensor | Tanium Threat Response | Gathers running processes and inspects the original filename for that binary on disk. If the running process and the binary original filename are different, results will be returned. This is a potential indicator that someone has renamed a legitimate binary. For example, copying and renaming the cmd.exe binary to a different location in an attempt to avoid detection |
Running Processes with Hash | Incident Response | Sensor | Tanium Threat Response | Lists the fully-qualified path and hash of each running executable. |
Running Processes with MD5 Hash | Incident Response | Sensor | Tanium Threat Response | Lists the fully-qualified path and MD5 hash of each running executable file. |
Running Processes With Parent | Incident Response | Sensor | Tanium Threat Response | Provides a list of the processes currently running and the parent process of the process. Example: "wordpad.exe|explorer.exe" |
Running Processes With User | Incident Response | Sensor | Tanium Threat Response | Provides a list of the processes currently running and the owner of the process. Example: "wordpad.exe|johndoe\CORP" |
Running Service | Core Content | Sensor | Tanium Core Content | Provides a list of currently running services on the client machine. Example: DHCP Client |
Running Service Short Name | Core Content | Sensor | Tanium Core Content | A list of the short names of all services currently in the running state. Example: defragsvc |
SBOM Has Results | SBOM | Sensor | Tanium SBOM | Determine if the endpoint has SBOM artifacts |
SBOM Package Information Filtered By | SBOM | Sensor | Tanium SBOM | Retrieve detailed SBOM package information for a given Name, Vendor, Version, and/or Ecosystem |
SBOM Package Information For Hash | SBOM | Sensor | Tanium SBOM | Retrieve detailed SBOM package information for a Hash value. |
SBOM Packages | SBOM | Sensor | Tanium SBOM | Retrieve all of the overview SBOM package information (Name, Vendor, Version, CPE, Type). |
SBOM Packages Count | SBOM | Sensor | Tanium SBOM | Returns the number of SBOM packages found. |
SBOM Packages Filtered By | SBOM | Sensor | Tanium SBOM | Retrieve all of the overview SBOM package information for a given Name, Vendor, Version, and/or Ecosystem. |
SCCM AutoAssignment Enabled | SCCM | Sensor | Tanium Core Content - SCCM | Checks if automatic site assignment is enabled |
SCCM Available Programs | SCCM | Sensor | Tanium Core Content - SCCM | The list of available program advertisements. |
SCCM Cache Percent Used | SCCM | Sensor | Tanium Core Content - SCCM | The percentage of used cache. |
SCCM Cache Size | SCCM | Sensor | Tanium Core Content - SCCM | Returns the SCCM agent's configured (not current cache usage) cache size in MB |
SCCM Client Cache Location | SCCM | Sensor | Tanium Core Content - SCCM | The location of the client's cache. |
SCCM Client Communication Days Old | SCCM | Sensor | Tanium Core Content - SCCM | The number of days since last time the policy log file was updated. |
SCCM Client Components | SCCM | Sensor | Tanium Core Content - SCCM | A listing of client components and their state. |
SCCM Client Fallback Status Point | SCCM | Sensor | Tanium Core Content - SCCM | The configured fallback status point. |
SCCM Client Health | SCCM | Sensor | Tanium Core Content - SCCM | Returns Healthy or Needs Attention for SCCM Client Health status, as well as a reason for not being healthy or those that Need Attention Example: No|SCCM Client Not Running |
SCCM Client ID | SCCM | Sensor | Tanium Core Content - SCCM | The client's ID (GUID). |
SCCM Client Installed | SCCM | Sensor | Tanium Core Content - SCCM | Determines if the client service is installed. |
SCCM Client MSI Properties | SCCM | Sensor | Tanium Core Content - SCCM | The Windows Installer parameters used the last time the client was successfully installed. |
SCCM Client Running | SCCM | Sensor | Tanium Core Content - SCCM | Determines if the client service is running. |
SCCM Client Version | SCCM | Sensor | Tanium Core Content - SCCM | Returns the version and a version description, if possible, of the SCCM client. Example: 5.00.7958.1000|2012 R2 |
SCCM DCM Status | SCCM | Sensor | Tanium Core Content - SCCM | This sensor will return compliance status for each DCM baseline on the machine. Example: My Baseline Name|Yes |
SCCM Internet Client | SCCM | Sensor | Tanium Core Content - SCCM | Determines if the client is currently connected via Internet. It will report Always if the client is always on the Internet. |
SCCM Management Point | SCCM | Sensor | Tanium Core Content - SCCM | The client's management point. |
SCCM Mandatory Assignment Pending | SCCM | Sensor | Tanium Core Content - SCCM | Determines if a mandatory advertisement is pending. |
SCCM Proxy Management Point | SCCM | Sensor | Tanium Core Content - SCCM | The client's proxy management point. |
SCCM Server Roles | SCCM | Sensor | Tanium Core Content - SCCM | Determines if the server is acting as a Distribution Point, a Management Point, or a Software Update Point. |
SCCM Site Code | SCCM | Sensor | Tanium Core Content - SCCM | The client's assigned site code. |
SCCM Software Updates Scan Age | SCCM | Sensor | Tanium Core Content - SCCM | Returns the number of days since the last SCCM Software Updates Scan |
SCCM Software Updates Scan Source | SCCM | Sensor | Tanium Core Content - SCCM | Returns the WSUS Server and Content Version of the last SCCM Software Updates Scan |
SCCM WMI Health | SCCM | Sensor | Tanium Core Content - SCCM | Checks the health of client WMI namespaces. |
Scheduled Tasks | Incident Response | Sensor | Tanium Threat Response | Returns scheduled tasks on a system, created either with "at" or "schtasks". Time and frequency information is omitted to limit unique strings. |
Screen Saver Active | Core Content | Sensor | Tanium Core Content | Indicates whether a screen saver is enabled on the client machine. Example: True |
Screen Sharing - ScreenMeet Session Support | Screen Sharing | Sensor | Tanium Screen Sharing | Reports to what extent the endpoint is able to launch ScreenMeet sessions. |
SCSI Controller Caption | Core Content | Sensor | Tanium Core Content | A short description of the SCSI Controller as provided by the manufacturer. Example: Dell PERC S100 S300 Controller |
SCSI Controller Driver Name | Core Content | Sensor | Tanium Core Content | Name for SCSI Controller Driver as provided by the manufacturer. Example: VClone |
SELinux Status | Core Content | Sensor | Tanium Core Content | returns the SElinux mode from the /etc/selinux/config file, the current status, and current running mode of SELinux. |
Semaphore Details | Incident Response | Sensor | Tanium Threat Response | Returns details about a specified semaphore. Example: symphony.exe|2400|WIN764\Administrator|2B4|\BaseNamedObjects\daemon242861781sem |
Service | Core Content | Sensor | Tanium Core Content | Gets a list of all Services on the client machine. Example: Task Scheduler |
Service Details | Core Content | Sensor | Tanium Core Content | Details about all installed services on the client machine, including name, display name, running status, and startup mode. Example: MDM | Machine Debug Manager | Running | Auto |
Service Login Names | Core Content | Sensor | Tanium Core Content | A list of accounts under which services are configured to run. This list will not include the default accounts, including LocalSystem, LocalService, and NetworkService. Example: .\servuser |
Service Module Details | Incident Response | Sensor | Tanium Threat Response | Lists services that are running at the time the Question is asked. The details include the path to the service executable (if it is a stand-alone service), the module (DLL) path (if it is a hosted service), and the loaded modules if the service implements a COM application. |
Service Module Details with Hash | Incident Response | Sensor | Tanium Threat Response | Collects a comprehensive list of stand-alone services, hosted services, COM+ application components, and the selected hash (MD5, SHA1, and SHA256) of the binary. |
Service Pack | Core Content | Sensor | Tanium Core Content | The Service Pack level of the machine if available, and "No Service Pack found" if unavailable. Example: Service Pack 1 |
Service Process Details | Incident Response | Sensor | Tanium Threat Response | Returns verbose details about running processes for Services. |
Service Status with Hash | Incident Response | Sensor | Tanium Threat Response | Provides information about each of the Microsoft Windows Services that are installed on the endpoint, including the hash and whether the service is running. |
Service System Event Log Search | Incident Response | Sensor | Tanium Threat Response | Searches and stacks Windows service start, stop, or install entries in the System event log that occurred within a specified time period. |
SHA1 Hash Match Files Executing | Incident Response | Sensor | Tanium Threat Response | Matches a specified SHA1 hash against files that are currently executing. Returns the paths to matching executing files, and "Yes", or "No" if no executing files match. |
SHA1 Hash Of File | Incident Response | Sensor | Tanium Threat Response | Returns the SHA1 hash of a specified file path. |
SHA1 Hash Single File Match | Incident Response | Sensor | Tanium Threat Response | Compares the file at a specified path to a provided SHA1 hash. Returns "Yes" if the file at the specified path matches the hash. |
Share Folder Permissions | Core Content | Sensor | Tanium Core Content | A list of all shared file system folders and their permissions. Example: SomethingSpecial|D:\Special|[Allow]NT AUTHORITY\SYSTEM:FullControl;[Allow]BUILTIN\Administrators:FullControl;[Allow]MyOrg\admRachel:FullControl |
Shared Network Printer Details | Core Content | Sensor | Tanium Core Content | Details on any shared printers available from the client machine. Details include printer name, print server, and share name. Example: \PRINTSERVER1\PRINTER2 | netserver | \PRINTSERVER1\PRINTER2 |
Shell History | Incident Response | Sensor | Tanium Threat Response | Retrieves the requested command(s) from the shell history files of all users (if found), or only one user if specified. |
Short Hostname | Core Content | Sensor | Tanium Core Content | The assigned name of the client machine, minus any domain suffix. Example: workstation-1 |
SIP Settings | Incident Response | Sensor | Tanium Threat Response | Returns the SIP settings on Macs. If all components are enabled, you will see only one line "System Integrity Protection status: enabled." Otherwise, each component will be shown with its status. |
SIU - Installed Products | Default | Sensor | Tanium Asset | List products from Software Manager's Software Inventory Catalog. |
SIU - Is Supported | Default | Sensor | Tanium Asset | Return "True" if SIU is supported on this platform, "False" if not |
SIU - Product First Used | Default | Sensor | Tanium Asset | Get how long ago a product was first used |
SIU - Product Last Used | Default | Sensor | Tanium Asset | Get how recently a product was used |
SIU - Product Usage | Default | Sensor | Tanium Asset | Get bucketed average usage per day for a product |
Software Management - Errors | Software Management Content Set | Sensor | Tanium Deploy | Get the last 10 error log messages from the software management process. |
Sophos Client Health | Core Content | Sensor | Tanium Core Content | Shows the details of two sophos services: sophos anti-virus and the sophos autoupdate service. Example: Service | StartMode | State | Healthy |
Sophos Client Version | Core Content | Sensor | Tanium Core Content | Returns the version of Sophos anti-virus installed on the client machine. Example: 4.80.0 |
Sophos Engine Version | Core Content | Sensor | Tanium Core Content | The engine version of Sophos AV installed on the client machine. Example: 4.80.0 |
Sophos Last Scan Time | Core Content | Sensor | Tanium Core Content | The last time Sophos AV scanned the client machine. Example: 2006-11-07T18:00:000Z |
Sophos Last Update Time | Core Content | Sensor | Tanium Core Content | The last time that Sophos AV was updated on the client machine. Example: 2006-11-07T18:00:000Z |
Sound Card | Core Content | Sensor | Tanium Core Content | Name of sound card in client machine. Example: SoundMAX Integrated Digital HD Audio |
SQL Buffer Hit Ratio | Core MSSQL Content | Sensor | Tanium Core Content - MSSQL | Returns the buffer cache hit ratio from SQL Server on the client machine. Example: .5 |
SQL Clustered | Core MSSQL Content | Sensor | Tanium Core Content - MSSQL | Returns whether or not the SQL server instance is clustered Example: True |
SQL Database Count | Core MSSQL Content | Sensor | Tanium Core Content - MSSQL | The number of databases in SQL Server on the client machine. Example: 4 |
SQL Database Metadata | Core MSSQL Content | Sensor | Tanium Core Content - MSSQL | Returns metadata for SQL Server databases on the client machine. |
SQL Database Recovery Mode | Core MSSQL Content | Sensor | Tanium Core Content - MSSQL | Returns the database recovery mode for each database on the SQL Server on the client machine. Example: master SIMPLE (SQLEXPRESS) |
SQL Database Settings | Core MSSQL Content | Sensor | Tanium Core Content - MSSQL | Returns settings for SQL Server databases on the client machine. |
SQL Database Sizes | Core MSSQL Content | Sensor | Tanium Core Content - MSSQL | Returns the database sizes for each database on the SQL Server on the client machine. master 4MB (SQLEXPRESS) |
SQL Log Sizes | Core MSSQL Content | Sensor | Tanium Core Content - MSSQL | Returns the size of the log files for each database on the SQL Server on the client machine. Example: master 0.75MB (SQLEXPRESS) |
SQL Product Level | Core MSSQL Content | Sensor | Tanium Core Content - MSSQL | Product level for SQL Server on client machine. Example: SP4 |
SQL Product Version | Core MSSQL Content | Sensor | Tanium Core Content - MSSQL | Product version from SQL Server on client machine. Example: 10.50.1617.0 |
SQL Recovery Mode | Core MSSQL Content | Sensor | Tanium Core Content - MSSQL | Returns database name and recovery mode for that database from all databases in SQL Server on client machine. Example: ReportServer SIMPLE |
SQL Server Agent Jobs | Core MSSQL Content | Sensor | Tanium Core Content - MSSQL | Returns a list Agent Jobs for SQL Servers on the client machine. |
SQL Server Agent Long Running Jobs | Core MSSQL Content | Sensor | Tanium Core Content - MSSQL | Returns a list of long running SQL Server jobs on the client machine. Details include job name, start date, and duration. Example: backupjob | 22-july-12 12:00 Am | 00:01:00:00 |
SQL Server CPU Consumption | Core MSSQL Content | Sensor | Tanium Core Content - MSSQL | Current CPU utilization percentage by SQL Server process on client machine. Example: 8% |
SQL Server Databases | Core MSSQL Content | Sensor | Tanium Core Content - MSSQL | List of database names from SQL Server on client machines. Example: tanium |
SQL Server Edition | Core MSSQL Content | Sensor | Tanium Core Content - MSSQL | Returns the Edition of SQL Server installed on the client machine if it exists. Example: Enterprise Edition (64-bit) |
SQL Server Linked Servers | Core MSSQL Content | Sensor | Tanium Core Content - MSSQL | Returns a list of Linked Servers for SQL Servers on the client machine. |
SQL Server Memory | Core MSSQL Content | Sensor | Tanium Core Content - MSSQL | Returns memory usage details for SQL Servers on the client machine. |
SQL Server Metadata | Core MSSQL Content | Sensor | Tanium Core Content - MSSQL | Returns metadata for SQL Servers on the client machine. |
SQL Server Performance Data | Core MSSQL Content | Sensor | Tanium Core Content - MSSQL | Returns metadata for SQL Servers on the client machine. |
SQL Server Settings | Core MSSQL Content | Sensor | Tanium Core Content - MSSQL | Returns results of SERVERPROPERTY and Metadata for SQL Servers on the client machine. |
SSH Audit - Authorized Keys | Default | Sensor | Tanium Emerging Issues Content | Show authorized key records |
SSH Audit - Authorized Keys Configuration | Default | Sensor | Tanium Emerging Issues Content | Returns if the endpoint is configured to use default or custom authorized keys settings (OpenSSH only for Non-Windows) |
SSH Audit - Host Fingerprints | Default | Sensor | Tanium Emerging Issues Content | Find duplicates (cloned VMs) or verify values |
SSH Audit - Known Hosts | Default | Sensor | Tanium Emerging Issues Content | Show user and global known hosts records |
SSH Audit - Private Keys | Default | Sensor | Tanium Emerging Issues Content | Find private ssh keys, passphrase true/false, md5 and sha256 fingerprints |
SSH Audit - Sshd Config | Default | Sensor | Tanium Emerging Issues Content | Show sshd_config settings checked by CIS Benchmarks (Match User|Group|... config blocks are skipped) |
SSH Audit - Sudo Settings | Default | Sensor | Tanium Emerging Issues Content | Show settings in /etc/sudo.conf, /etc/sudo-ldap.conf, /etc/sudoers and /etc/sudoers.d |
SSH Known Hosts | Incident Response | Sensor | Tanium Threat Response | Retrieves entries from the .ssh/known_hosts file for a user. |
SSL Server Audit Age | SSL Audit | Sensor | Tanium Core Content - SSL/TLS Server Audit | Returns age of the audit data in days. Example: 91-180 |
SSL Server Audit Port Exclusions | SSL Audit | Sensor | Tanium Core Content - SSL/TLS Server Audit | It is possible to configure a particular endpoint to exclude specific ports from the audit scan if the target application is too fragile to scan. This sensor returns the exclusions applied on a particular endpoint. Example: 443,8443 |
SSL Server Audit Python Exists | SSL Audit | Sensor | Tanium Core Content - SSL/TLS Server Audit | Confirms that a valid python interpreter exists on the ednpoint. |
SSL Server Certificate CA Short Name | SSL Audit | Sensor | Tanium Core Content - SSL/TLS Server Audit | This sensor returns a shortened Certificate Authority name, used by Tanium Risk to populate its dashboards. |
SSL Server Certificate Details | SSL Audit | Sensor | Tanium Core Content - SSL/TLS Server Audit |
Return SSL Server Certificate Details for all open ports audited. Example: 443~2019-12-24~2021-12-24~Organizational Unit: AndyLab, Locality: Sandhurst, State/Province: England, Country: GB~Common Name: andylab-LAB-DC04-CA; Domain Component: andylab, local~unauthorised~none~none |
SSL Server Certificate Details - Exclude Tanium | SSL Audit | Sensor | Tanium Core Content - SSL/TLS Server Audit |
Return SSL Server Certificate Details for all open ports audited. Example: 443~2019-12-24~2021-12-24~Organizational Unit: AndyLab, Locality: Sandhurst, State/Province: England, Country: GB~Common Name: andylab-LAB-DC04-CA; Domain Component: andylab, local~unauthorised~none~none |
SSL Server Certificate Details Exclude Ports | SSL Audit | Sensor | Tanium Core Content - SSL/TLS Server Audit |
Return SSL Server Certificate Details for all open ports audited, except those listed in the parameter. Example: 443~2019-12-24~2021-12-24~Organizational Unit: AndyLab, Locality: Sandhurst, State/Province: England, Country: GB~Common Name: andylab-LAB-DC04-CA; Domain Component: andylab, local~unauthorised~none~none |
SSL Server Certificate Expiry | SSL Audit | Sensor | Tanium Core Content - SSL/TLS Server Audit | Returns bucketed number of days until certificate expires. Example: 443,91-180 |
SSL Server Certificate Expiry - Exclude Tanium | SSL Audit | Sensor | Tanium Core Content - SSL/TLS Server Audit | Returns bucketed number of days until certificate expires. Port 17472 is excluded from the results. Example: 443,91-180 |
SSL Server Certificate Expiry Exclude Ports | SSL Audit | Sensor | Tanium Core Content - SSL/TLS Server Audit | List ports excluded from the audit report on a given machine. Example: 443 |
SSL Server Certificate Extended Key Usage | SSL Audit | Sensor | Tanium Core Content - SSL/TLS Server Audit | Return the Extended Key Usage field for the certificates on each ssl-server-audit-port-exclusions.py Example: 443~server_auth,client_auth |
SSL Server Certificate Issuer | SSL Audit | Sensor | Tanium Core Content - SSL/TLS Server Audit | Returns the issuer of the certificate for the port specified in the parameter. Example: Common Name: acme-ACME-DC01-CA; Domain Component: acme, lab |
SSL Server Certificate Key Usage | SSL Audit | Sensor | Tanium Core Content - SSL/TLS Server Audit | Returns the key usage fields for the certificate. Example: 443~digital_signature,key_encipherment,key_cert_sign |
SSL Server Certificate Process Details | Default | Sensor | Tanium Core Content - SSL/TLS Server Audit |
Return SSL Server Certificate Details for all open ports audited, including owning process. Example: 443~2019-12-24~2021-12-24~Organizational Unit: AndyLab, Locality: Sandhurst, State/Province: England, Country: GB~Common Name: andylab-LAB-DC04-CA; Domain Component: andylab, local~unauthorised~none~none~iis.exe~Internet Information Server~10.4.2 |
SSL Server Certificate Public Key Details | SSL Audit | Sensor | Tanium Core Content - SSL/TLS Server Audit | Return Key length and algorithm for the public key presented on each port. Example: 8088~rsa~2048 |
SSL Server Certificate Signature Algorithm Details | SSL Audit | Sensor | Tanium Core Content - SSL/TLS Server Audit | Return signature algorithm and hash algorithm for the certificates used along with the associated port. Example: 8089~rsassa_pkcs1v15~sha256 |
SSL Server Certificate Subject | SSL Audit | Sensor | Tanium Core Content - SSL/TLS Server Audit | Returns the subject field of the certicate in use on the port given as a parameter. Example: Common Name: www.tanium.com |
SSL Server Cipher Suite | SSL Audit | Sensor | Tanium Core Content - SSL/TLS Server Audit | Returns the SSL Protocol and available cipher suites available on each port. Example:TLS1.2~TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256~deflate~false~8089 |
SSL Server Cipher Suite Processes | Default | Sensor | Tanium Core Content - SSL/TLS Server Audit | Returns the SSL Protocol and available cipher suites available on each port. Example:TLS1.2~TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256~deflate~false~8089~httpd~Apache HTTPD |
SSL Server Enhanced Certificate Details | SSL Audit | Sensor | Tanium Core Content - SSL/TLS Server Audit | Return Enhanced Certificate Details. Example: 443~2019-12-24~2021-12-24~rsa~2048~rsassa_pkcs1v15~sha256~Organizational Unit: AndyLab, Locality: Sandhurst, State/Province: England, Country: GB~Common Name: andylab-LAB-DC04-CA; Domain Component: andylab, local~unauthorised~none~none~140000000c2cf994f1b11f23bb00000000000c~710830c33964b526dd4831a5988ade0b5905b7ed |
SSL Server Key Exchange | SSL Audit | Sensor | Tanium Core Content - SSL/TLS Server Audit | Returns the Key Exchange parameters for each port in use. Example: TLS1.2~TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA~520~443 |
SSL Server Protocols | SSL Audit | Sensor | Tanium Core Content - SSL/TLS Server Audit | List supported SSL/TLS Protocols. Example: TLS 1.2 |
SSL Server Root Certificate Authority | SSL Audit | Sensor | Tanium Core Content - SSL/TLS Server Audit | Returns the status of the CA used to sign each ssl-server-root-certificate-authority.py Example: 3389~self signed |
Startup Programs | Core Content | Sensor | Tanium Core Content | A list of programs configured to automatically run on the client machine. Also includes the command line entry to run the program. Example: Windows Mobile Device Center | C:\Windows\WindowsMobile\wmdc.exe |
Static IP Addresses | Core Content | Sensor | Tanium Core Content | A list of the static IP addresses currently held by the client machine. Example: 192.168.1.1 |
Stopped Service | Core Content | Sensor | Tanium Core Content | Returns a list of all services currently stopped on the client machine. Example: DHCP Client |
Stopped Service Short Name | Core Content | Sensor | Tanium Core Content | A list of the short names of all services currently in the stopped state. Example: defragsvc |
Storage Encryption Status | Core Content | Sensor | Tanium Core Content | Reports endpoint encryption status for BitLocker on Windows and FileVault on Mac. |
Subnet Mask | Base | Sensor | Tanium Default Content | A list of all of the configured subnet masks for the network adapters of the client machine. Subnet masks are always represented in dotted decimal notation for ipv4 networks, and as descriptions of prefix lengths for ipv6. Example: 255.255.0.0 (IPv4) or inet6:/64 (IPv6) |
Successful Elevated Privileges | Incident Response | Sensor | Tanium Threat Response | Lists successful attempts at elevating privileges for a user. Returns user ID, month and day, and time at which the attempt occurred. |
System Directory | Core Content | Sensor | Tanium Core Content | The location of the system directory on Windows machines. Example: C:\Windows\system32 |
System Disk Free Space | Core Content | Sensor | Tanium Core Content | The amount of free disk space on the main system drive. Example: C:|4 GB |
System Drive | Core Content | Sensor | Tanium Core Content | Hard drive location hosting system directory on Windows machines. Example: C: |
System Environment Variables | Core Content | Sensor | Tanium Core Content | Returns the currently defined system variables Example: windir=c:\Windows |
System Integrity Protection Status | Core Content | Sensor | Tanium Core Content | Returns output of csrutil status. MacOS only. Example: Enabled |
System Slots Available | Core Content | Sensor | Tanium Core Content | Returns the number of open slots in the system on Windows client machines. Example: 3 |
System Slots In Use | Core Content | Sensor | Tanium Core Content | Returns the number of used slots in the system on Windows client machines. Example: 1 |
System UUID | Core Content | Sensor | Tanium Core Content | System unique identifier UUID. Example: 3e6be9de-8139-11d1-9106-a43f08d823a6 |
Tanium Action Log | Client Management | Sensor | Tanium Default Content | Provided with an action number as a parameter, this sensor returns the log from the action from each client machine that executed the action. Example: 2012-11-02 03:30:17 +0000|Command Completed |
Tanium Back Peer Address | Client Management | Sensor | Tanium Default Content | The address information of the back peer specified in the Tanium registry entry at HKLM\SOFTWARE\Tanium\Tanium Client\Status\PeerAddress on windows and TaniumClientStatus.ini on non-windows endpoints. The result is in the following format, networkProtocol:portFromClient:ipAddressFromClient_networkProtocol:portFromServer:ipAddressFromServer. Examples: 512:17472:192.168.0.206_512:0:133.209.157.73 NoAddress_NoAddress |
Tanium Buffer Count | Client Management | Sensor | Tanium Default Content | The number of buffered messages currently queued to be processed by the Tanium client on each client machine. Example: 2 |
Tanium Client Action Timing | Client Management | Sensor | Tanium Default Content | The number of seconds it took to download and complete the Action once a Client first sees the Action. Example: 300 seconds |
Tanium Client API Downloads | Client Management | Sensor | Tanium Default Content | Determines what the Tanium Client API downloads are active. Returns the name, status and URL. |
Tanium Client Architecture | Base | Sensor | Tanium Default Content, Tanium Endpoint Configuration, Tanium Initial Content - Python | Provides the target architecture for which the installed Tanium Client was compiled. |
Tanium Client Container Version | Containers | Sensor | Tanium Containers | Returns the version of the Tanium Client Container. |
Tanium Client Core Health | Client Management | Sensor | Tanium Default Content | Determines whether the Tanium Client is able to execute the default content set successfully. Returns any error conditions. Example: Error: Windows Script Host version must be at least 5.6 |
Tanium Client CPU | Client Management | Sensor | Tanium Default Content | The current percentage of cpu utilization being used by the Tanium Client process on each client machine. The reported value will be higher than average since the Tanium Client is actively in use while evaluating this Sensor. Example: 1.4 |
Tanium Client Directory Permissions | Client Management | Sensor | Client Service Hardening | Returns the current status of the Tanium Client directories permissions and if they have been set as restricted to SYSTEM. Example: Restricted - SYSTEM |
Tanium Client Downloads Directory Details | Client Management | Sensor | Tanium Default Content | Returns the path to and size of the Tanium Client "Downloads" directory. This is the directory to which Tanium Package files are downloaded. It is considered temporary space and will clean itself out periodically. Example: C:\Program Files (x86)\Tanium\Tanium Client\Downloads|139.4 MB |
Tanium Client Dump Files | Client Management | Sensor | Tanium Default Content | Report date and size of Tanium Client dumpfiles. |
Tanium Client Explicit Setting | Client Management | Sensor | Tanium Default Content | Returns the value of a supplied Tanium Client Setting fom the Tanium Clients registry key. Supply only the client setting name, for instance: ServerName and the output will appear as follows: Example: berkeley.tanium.com |
Tanium Client Folder Size | Client Management | Sensor | Tanium Default Content | Returns the total size of the Tanium Client directory. Example: 821 MB |
Tanium Client Installation Date | Client Management | Sensor | Tanium Default Content | The date on which the currently installed Tanium Client was installed on each client machine. Example: Wed, 13 Nov 2013 00:00:00 -0480 |
Tanium Client Installation Time | Client Management | Sensor | Tanium Default Content | The date and time on which the currently installed Tanium Client was installed on each client machine. Example: Wed, 13 Nov 2013 08:18:00 -0480 |
Tanium Client IP Address | Base | Sensor | Tanium Default Content | The local IP address the client is using to communicate with the Tanium Server. Example: 192.168.10.2 |
Tanium Client Logging Level | Client Management | Sensor | Tanium Default Content | Logging level setting between 1 and 100 of the Tanium Client on the client machine. Example: 41 |
Tanium Client NAT IP Address | Base | Sensor | Tanium Default Content | The IP address the Tanium Client is communicating to the server with. This can be a public IP, or IP of a NAT device, for example. Example: 65.128.25.253 |
Tanium Client Neighborhood | Client Management | Sensor | Tanium Default Content | Returns the Forward Peers and Backwards Peers returned by the server with which the client should communicate. Example: 10.0.0.1:17472, 10.0.02:17472 | 10.0.0.10:17472 |
Tanium Client Python Version | Base | Sensor | Tanium Default Content | Returns the value of the TaniumPythonDirName Client Setting if set, "(not set)" otherwise |
Tanium Client Service Control Status | Client Management | Sensor | Client Service Hardening | Returns whether the Tanium Client service has special permissions set such that regular users, or non-SYSTEM users, can control the service. Example: Service Control Restricted to Administrators |
Tanium Client Subnet | Base | Sensor | Tanium Default Content | The Subnet in use by the Tanium Client. Example: 192.168.10.0/24 |
Tanium Client Uninstall Hidden | Client Management | Sensor | Client Service Hardening | Returns whether the Tanium Client is hidden from the Add-Remove programs list. Example: Yes |
Tanium Client Version | Base | Sensor | Tanium Default Content | Version number of the Tanium Client on the client machine. Example: 4.1.314.7020 |
Tanium Current Directory | Client Management | Sensor | Tanium Default Content | Installation directory of the Tanium Client on the client machine. Example: C:\Program Files\Tanium\Tanium Client |
Tanium Driver Status | Tanium Recorder | Sensor | Tanium Integrity Monitor, Tanium Map, Tanium Recorder Content, Tanium Threat Response | Returns information about the Tanium Driver Example (not installed): Driver Controller Version N/A Driver Version N/A Driver Location: Not installed Service Installation: Not installed Service Status: Not started Install Recommended Example (installed): EnableNetworkMonitor: 0 EnableHttpMonitor: 0 EnableApiMonitor: 0 HttpMonitorPorts: 80 Service Status: SERVICE_RUNNING Driver install path: \SystemRoot\system32\drivers\TaniumRecorderDrv.sys |
Tanium Driver Supported | Tanium Recorder | Sensor | Tanium Integrity Monitor, Tanium Map, Tanium Recorder Content, Tanium Threat Response | Returns 'True' if the driver is supported on this platform, 'False' otherwise |
Tanium Driver Version | Tanium Recorder | Sensor | Tanium Integrity Monitor, Tanium Map, Tanium Recorder Content, Tanium Threat Response | Returns version information for the Tanium Driver |
Tanium File Contents | Client Management | Sensor | Tanium Default Content | Provided with a parameter indicating the path to a file in the Tanium current directory, this sensor will return the contents of that file. Example: |
Tanium File Exists | Client Management | Sensor | Tanium Default Content | Provided with a parameter indicating the path to a file in the Tanium current directory, returns True or False based on whether that file exists in the specified location. Example: True |
Tanium File Version | Client Management | Sensor | Tanium Default Content | Provided with a parameter indicating the path to a file in the Tanium client directory, returns the version of the file in the specified location. Example: True |
Tanium Module Server Version | Base | Sensor | Tanium Default Content | Version number of Tanium Module Server installed. Example: 6.5.314.4316 |
Tanium Peer Address | Client Management | Sensor | Tanium Default Content | The address information of the peer specified in the Tanium registry entry at HKLM\SOFTWARE\Tanium\Tanium Client\Status\PeerAddress on windows and TaniumClientStatus.ini on non-windows endpoints. The result is in the following format, networkProtocol:portFromClient:ipAddressFromClient_networkProtocol:portFromServer:ipAddressFromServer. Examples: 512:17472:192.168.0.206_512:0:133.209.157.73 NoAddress_NoAddress |
Tanium PowerShell Execution Policy | Client Management | Sensor | Tanium Default Content | The PowerShell Execution Policy of the 32-bit Tanium Client process. A different policy might be set for 64-bit context on 64-bit systems. |
Tanium Provision - Deployment Progress | Provision | Sensor | Tanium Provision | Displays the progress of any active Provision deployments, as well as the historical results from devices previously deployed using Provision. |
Tanium Provision - Deployment Progress Minimal | Provision | Sensor | Tanium Provision | Displays the progress of any active Provision deployments, as well as the historical results from devices previously deployed using Provision. |
Tanium Provision - Has PXE Tag | Provision | Sensor | Tanium Provision | Tanium Provision augmentation of custom tags sensor. This will return true or false if the PROVISION_PXE tag exists on the endpoint. Example: True |
Tanium Provision - TaniumPXE Bundle Detail | Provision | Sensor | Tanium Provision | Reports on the detailed status of each bundle for the Tanium PXE service |
Tanium Provision - TaniumPXE Status | Provision | Sensor | Tanium Provision | Reports on the overall status of the Tanium PXE service |
Tanium Reboot Days Ago | Base | Sensor | Tanium Default Content | Returns the number of days since a Tanium Reboot Action occurred. Example: 2 |
Tanium Risk Score | Benchmark | Virtual Sensor | Benchmark | Provides the endpoint Tanium Risk Score and metric scores. |
Tanium Sensor Randomization Enabled | Client Management | Sensor | Tanium Default Content | Returns if sensor execution is randomized on an endpoint, for better distribution on VDI / VM environments. Example: Yes |
Tanium Server Name | Client Management | Sensor | Tanium Default Content | Retrieves the Tanium Server Name from the Client's Registry Example: server.domain.com |
Tanium Server Name List | Client Management | Sensor | Tanium Default Content | Retrieves the Tanium Server Name List from the Client's Registry Example: server.domain.com,server1.domain.com |
Tanium Server Version | Base | Sensor | Tanium Default Content | Version number of Tanium Server installed. Example: 6.2.314.3218 |
Tanium Service Control Status | Client Management | Sensor | Client Service Hardening | Returns whether the Tanium services have special permissions set such that regular users, or non-SYSTEM users, can control the service. Example: Tanium Client|Restricted to Local SYSTEM|D:(A;;CCDCLCSWRPWPDTLOCRSDRCWO;;;SY)(A;;CCLCSWLOCRRC;;;AU) |
Tanium Tool Hash Check | Incident Response | Sensor | Tanium Threat Response | Calculates the hash (MD5, SHA1 or SHA256) of every executable file recursively within the Tanium directory. Returns the relative path to each executable file and the computed hash. Examine output to identify computers with older or different binary versions. |
Tanium Zero Trust - Microsoft Entra ID Device Detail | Zero Trust | Sensor | Tanium Zero Trust | Collect Microsoft Entra ID Device Detail as written by the Zero Trust Gather Detail package. |
Tanium Zone Server Version | Base | Sensor | Tanium Default Content | Version number of Tanium Zone Server installed. Example: 6.5.314.4316 |
Target | Base | Sensor | Tanium Default Content | Simple sensor that returns the word "Target" that is used when targeting actions within Tanium. Example: Target |
Threat Response - Daily Stream Stats | Threat Response | Sensor | Tanium Threat Response | This sensor is used to collect the statistics recorded for Stream. The results are reported as a RFC 3339 date and the total bytes transferred for that date. The bytes transferred are grouped into the following buckets: "0 B", "<= 10 MB", "<= 50 MB", "<= 100 MB", "<= 200 MB", "<= 1 GB", "1 GB+". |
Threat Response - HTTP Headers | Threat Response | Sensor | Tanium Threat Response | Returns historical data from each endpoint containing HTTP headers. |
Threat Response - Scan Status | Threat Response | Sensor | Tanium Threat Response | Returns the status of the scan for the given hunt id. |
Threat Response - Security Events | Threat Response | Sensor | Tanium Threat Response | Returns historical data from each endpoint regarding security events. |
Threat Response - Status | Threat Response | Sensor | Tanium Threat Response | [DEPRECATED] Performs checks to determine if the Threat Response software is installed and functional. This sensor is deprecated and will no longer be supported in future versions of Threat Response. It has been replaced with the Client Extensions - Status sensor to provide endpoint health and details. |
Time Zone | Base | Sensor | Tanium Default Content | The currently specified time zone for the client machine. Example: (UTC-08:00) Pacific Time (US & Canada) |
Time Zone Offset | Base | Sensor | Tanium Default Content | Returns the time offset in minutes. Example: -0700 |
Total Memory | Core Content | Sensor | Tanium Core Content | The total physical memory installed in the client machine. Example: 8000 MB |
Total Swap | Core Content | Sensor | Tanium Core Content | Total swap space configured by client machine. Example: 4000 MB |
Trace DNS Queries | Threat Response | Sensor | Tanium Threat Response | Returns historical data from each endpoint regarding DNS queries. |
Trace Executed Process Hashes | Threat Response | Sensor | Tanium Threat Response | Returns the md5 hashes of process executed within a specified time range. |
Trace Executed Process Trees | Threat Response | Sensor | Tanium Threat Response | Generates process trees from a process name (regex). With "As Parent" the specified process name appears at the top of the tree. With "As Child" it appears at the bottom. |
Trace Executed Processes | Threat Response | Sensor | Tanium Threat Response | Returns historical data from each endpoint regarding process executions. |
Trace File Operations | Threat Response | Sensor | Tanium Threat Response | Returns historical data from each endpoint regarding filesystem activity. |
Trace Image Loads | Threat Response | Sensor | Tanium Threat Response | Returns historical data from each endpoint regarding Image Loads. |
Trace Loaded Drivers | Threat Response | Sensor | Tanium Threat Response | Returns historical data from each endpoint regarding loaded drivers. |
Trace Logon Events | Threat Response | Sensor | Tanium Threat Response | Returns historical data from each endpoint regarding logon events. |
Trace Network Connections | Threat Response | Sensor | Tanium Threat Response | Returns historical data from each endpoint regarding network connections made by processes. |
Trace Registry Keys or Values | Threat Response | Sensor | Tanium Threat Response | Returns historical data from each endpoint regarding registry activity. |
UAC Status | Core Content | Sensor | Tanium Core Content | Returns Enabled or Disabled based on the status of Windows User Access Control on the client machine. Example: Enabled |
Unencrypted Wireless Networks | Core Content | Sensor | Tanium Core Content | Details of wireless networks that are currently open and unencrypted. Details include SSID, MAC address, connection state, network type, radio type, authentication, receive rate, transmit rate, and signal strength. Example: hotspotwifi | xx-xx-xx-xx-xx-xx | connected | Infrastructure | 802.11g | WEP | 54 | 54 | 99% |
Unmanaged Assets | Discover Content | Sensor | Tanium Discover | IP addresses of machines in the network that do not have the Tanium Client running. When possible, unmanaged assets will return the IP address, the machine name, and the MAC address. Example: ping | 192.168.1.2 | my-machine-name | 00-22-9a-3e-91-5f | VMWare | windows | 22,135,443 | 7.x |
Unsuccessful Elevated Privileges | Incident Response | Sensor | Tanium Threat Response | Lists unsuccessful attmpts to elevate privilege level for a user. Returns user ID, month and day, and time at which the attempt occurred. |
Uptime | Core Content | Sensor | Tanium Core Content | Time since reboot in days of the client machine. Example: 48 days |
USB Device | Core Content | Sensor | Tanium Core Content | Returns a list of USB devices currently plugged in to the client machine. Example: HID Keyboard Device |
USB Device Details | Core Content | Sensor | Tanium Core Content | Returns of details of attached USB devices, including Description, vendor ID, and product ID. Example: Generic USB Hub|VMware, Inc.|Virtual USB Hub |
USB Storage Devices | Core Content | Sensor | Tanium Core Content | Returns a list of USB storage devices currently plugged in to the client machine. Example: USB Mass Storage Device |
USB Write Protected | Core Content | Sensor | Tanium Core Content | Outputs True if USB storage devices connected to the client machine are set to write protected mode and false if not. Example: False |
Used Memory | Core Content | Sensor | Tanium Core Content | Memory in use in MB from client machine. Example: 6348 MB |
Used Swap | Core Content | Sensor | Tanium Core Content | Swap space in use in MB by the client machine. Example: 2164 MB |
User Accounts | Core Content | Sensor | Tanium Core Content | List of local user accounts on a machine. Examples: Administrator |
User Details | Core Content | Sensor | Tanium Core Content | Returns a list of local users to the Windows machine and the user's full name. Example:johndoe|John Doe |
User Profile Directory Details | Core Content | Sensor | Tanium Core Content | Returns the location of all user profiles and if the directory currently exists Example:C:\Users\John.Doe|True |
User Sessions | Core Content | Sensor | Tanium Core Content | Provides the terminal services session information, similar to what is available from the "query session" command. Example:console|Administrator|1|Active|| |
Username | Base | Sensor | Tanium Default Content | Returns the currently logged in user, and No User if nobody is logged in. On Windows, this sensor returns only users logged into the local console, but not users logged in over RDP. The "User Sessions" sensor includes RDP users. Example: Domain\JDoe |
Video Driver Version | Core Content | Sensor | Tanium Core Content | The version number of the video driver on the client machine. Example: 6.1.7600.16385 |
Video Graphics Card RAM | Core Content | Sensor | Tanium Core Content | Amount of RAM in the video card in the client machine. Example: 256MB |
Video/Graphics Card | Core Content | Sensor | Tanium Core Content | Description of the video card in the client machine. Example: ATI Radeon HD 2400 Pro |
Virtual Platform | Base | Sensor | Tanium Default Content | Returns the virtual platform or technology used for the virtual machine, if it is a virtual machine. Example: VMware |
VMSA-2024-0006 Status | Default | Sensor | Tanium Emerging Issues Content | |
VMware Guest | Base | Sensor | Tanium Default Content | Returns True if client machine is a guest VM in VMware. Example: True |
Volume Group Names | Core Content | Sensor | Tanium Core Content | Display Volume Group Names |
Windows 11 Compatibility | Core Content | Sensor | Tanium Core Content | Used to determine if the endpoint is capable of running Windows 11. Returns "Compatible" or "Not compatible", and "FAIL" for failed hardware checks. |
Windows Audit Policy | Threat Response | Sensor | Tanium Threat Response | Retrieves the Windows Audit Policy; Trace records the operating system audit data typically seen in the Windows Security Event Log. This policy can be altered. However, if Group Policy is set, it might overwrite the log. |
Windows Automatic Update Status | Default | Sensor | Tanium Patch | Determines if Automatic Updates are enabled or not and returns the result Example: Disabled |
Windows Credential Security Settings | Incident Response | Sensor | Tanium Benchmark, Tanium Threat Response | Returns the results of 10 Windows configuration settings that affect security. |
Windows Features | Core Content | Sensor | Tanium Core Content | Returns the currently installed and enabled Windows Features on a Windows 7 or later system. Example: MicrosoftWindowsPowerShell |
Windows Operating System Activation Status | Core Content | Sensor | Tanium Core Content | The activation status of the installed Windows operating system. Examples: Unknown|Retail|3V66T|Notification|Unexpected product key error MAK|Volume:MAK|HCG4H|Licensed Unknown|Retail|7VBKR|Licensed |
Windows OS Major Version | Base | Sensor | Tanium Default Content | Returns the Windows OS Major Version. Example: 6.1 |
Windows OS Release ID | Base | Sensor | Tanium Default Content | Returns the Windows OS Release ID. Example: 1607 |
Windows OS Type | Base | Sensor | Tanium Default Content | Will output "Windows Server" or "Windows Workstation" depending on the OS type. Example: Windows Server |
Windows Security Center Registered Antivirus Software | Core Content | Sensor | Tanium Core Content | List antivirus software registered with the Windows Security Center along with their current status. |
Windows Server Installed Roles | Base | Sensor | Tanium Default Content | Returns the currently installed roles on a Windows Server. Example: File Server |
Windows Update Agent - KB5039302 KB5040442 - Impacted Endpoints | Default | Sensor | Tanium Emerging Issues Content | Detects if an endpoint is impacted by an issue with KB5039302 and KB5040442 |
Windows Update Agent Version | Default | Sensor | Tanium Patch | The version of the Windows Update Agent on the client machine. Example: 7.6.7600.256 |
Wireless Network Connected SSID | Core Content | Sensor | Tanium Core Content | Returns the SSID (name) of a wireless network a machine is connected to. Example: linksys |
Wireless Network Details | Core Content | Sensor | Tanium Core Content | Details of currently active wireless network connection by client machine: SSID, MAC address, connection state, network type, radio type, authentication, receive rate, transmit rate, and signal strength from 0 (minimum) to 5 (maximum). Example: hotspotwifi | xx-xx-xx-xx-xx-xx | connected | Infrastructure | 802.11g | WPA2-Personal | 54 | 54 | 4 |
Wireless Network SSID Strength | Core Content | Sensor | Tanium Core Content | Returns the SSID name and signal strength of a connected wireless network from 0 (minimum) to 5 (maximum). Example: linksys|4 |
Wireless Network Used by Tanium | Core Content | Sensor | Tanium Core Content | Returns the SSID name, the IP Address, and the MAC address of connected wireless networks only if the Tanium Client is using those networks to communicate. Example: linksys|192.168.10.5|00D55FED214C1A2C |
Wireless Networks Using WEP | Core Content | Sensor | Tanium Core Content | Details of currently active wireless network connection using WEP authentication by client machine. Details include SSID, MAC address, connection state, network type, radio type, authentication, receive rate, transmit rate, and signal strength. Example: hotspotwifi | xx-xx-xx-xx-xx-xx | connected | Infrastructure | 802.11g | WEP | 54 | 54 | 99% |
Wireless Networks Visible | Core Content | Sensor | Tanium Core Content | Returns details of all wireless networks a machine can see, whether they are connected or not. Details include SSID, Network Type, Authentication Method, and Encryption Level. Example: hotspotwifi | Infrastructure | WPA2-Personal |
WMI Event Consumers | Incident Response | Sensor | Tanium Threat Response | Lists Windows Management Instrumentation (WMI) event consumers. Returns script path for ActiveScriptEventConsumers and command for CommandLineEventConsumers. |
Workgroup | Core Content | Sensor | Tanium Core Content | The configured workgroup for each Windows machine not joined to a domain. Example: mycompanyworkgroup |
WSUS Server | Default | Sensor | Tanium Patch | Returns the configured value for WSUS Server and WSUS Status server, if any. Returns 'Not Configured' if values do not exist. Exmaple: https://wsus001.domain.com:80 | https://wsus001.domain.com |
x64/x86? | Reserved | Sensor | Tanium Default Content | Returns whether the client machine is 64-bit or 32-bit (x86). Example: X86-based PC This sensor is deprecated with the advent of a newer CPU Architectures. The "CPU Architecture" sensor should be used for architecture-specific targeting. |
Last Updated: