Tanium Sensor Inventory

The table below is a list of all Sensors you can read from the Tanium API and the Content Set it is included with.

Name Type Solution Description
AD Distinguished Name Sensor Tanium Core Content The full Active Directory distinguished name for the computer
Example: CN=Win8-test5,CN=Computers,DC=corp,DC=com
AD Domain Sensor Tanium Core Content The Active Directory domain name (if any) that the computer is joined to.
Example: intra.company.com
AD Forest Sensor Tanium Core Content Returns the name of the Active Directory Forest that a machine is a member of. This may produce the same value that the Sensor named AD Domain produces.
Example: corp.domain.com
AD Organizational Unit Sensor Tanium Core Content The Active Directory organizational unit (OU) where the machine is located.
Example: CN=Computers,DC=corp,DC=com
AD Query - Computer Attributes Sensor Tanium Core ADQuery Content The value of the specified attribute of the computer's Active Directory object.

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Computer Group Memberships Sensor Tanium Core ADQuery Content All Active Directory group memberships the computer is a member of -both explicitly and implicitly. Nested groups are also returned. The group is returned in NT format (SomeDomain\SomeGroup).

The sensor returns the group's Well Known Name.

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Computer Groups Sensor Tanium Core ADQuery Content The distinguishedName of any Active Directory groups the computer is explicitly a member of (no nested groups). Also returns the computer's Primary Group. The group is returned from the memberOf attribute and is in RFC 1779 format (CN=TestGroup,OU=Sales,DC=MyDomain,DC=com).

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Computer Has Group Membership Sensor Tanium Core ADQuery Content Searches the computer's group inventory for membership in the specified group(s).
Returns True if the computer is a member of the Active Directory group.
Returns False if no match was found.

The default comparison is performed on the group's Well Known Name.
This may be overridden by prefacing the Group input with 'name:' - causing a compare to be performed on the group's non-translated name.
The group name may be specified as groupname or domain\groupname syntax.
Multiple groups may be specified if separated by a comma. Ex: groupname,corp\groupname

RegEx based comparisons are also supported.
Prefacing the Group input with 'regex:' will cause a RegEx compare to be performed.
Ex: regex:name:domain.* (compare the Name attribute for a match on the provided regex)
Ex: regex:domain.* (compare the Well Known Name attribute for a match on the provided regex)

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Computer Site Name Sensor Tanium Core ADQuery Content The computer's Active Directory Site Name

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Domain Controller Sensor Tanium Core ADQuery Content The name of the Active Directory Domain Controller responding to queries.

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Domain Controller Site Name Sensor Tanium Core ADQuery Content The Active Directory Site Name of the Domain Controller responding to queries.

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Has Stale Results Sensor Tanium Core ADQuery Content Returns True/False value based on the time the AD Query XML files were generated and a time period the Active Directory data should be considered stale.

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Last Logged In User Date Sensor Tanium Core ADQuery Content The date when the last user logged into the system

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Last Logged In User Name Sensor Tanium Core ADQuery Content The domain\name of the last user to log into the system

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Last Logged In User Time Sensor Tanium Core ADQuery Content The time when the last user logged into the system

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Last Run Status Sensor Tanium Core ADQuery Content Status information recorded when the inventory script last ran.

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Last Run Timing Sensor Tanium Core ADQuery Content How long the inventory script ran start to finish.

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Local Administrators Sensor Tanium Core ADQuery Content Users and groups who are a member of the local Administrators group.

The sensor returns the Well Known Name of users and groups.

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Local Group Membership Sensor Tanium Core ADQuery Content Searches local group inventory to return group names and membership.

The sensor returns the Well Known Name of users and groups who are a member of the specified group(s).

Input 'all' in the Groups field to return all inventoried groups.
The group's name should be specified as groupname syntax.
Multiple groups may be specified if separated by a comma. Ex: groupname1,groupname2

The default comparison is performed on the group's Well Known Name.
This may be overridden by prefacing the Groups input with 'name:' - causing a compare to be performed on the group's non-translated name.

The default member name returned is the member's Well Known Name.
This may be overridden by appending the Groups input with ':name' - causing the member's non-translated name to be returned.

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Local Groups Sensor Tanium Core ADQuery Content The names of all local groups. No group members are returned.

The sensor returns the group's Well Known Name.

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Local Objects Potentially Renamed Sensor Tanium Core ADQuery Content A multi-column list containing current object name, the well known name of the object, the object type, the system locale ID, and the system locale strings.

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Local User Account Control Flags Sensor Tanium Core ADQuery Content Parses the UserFlags attribute of local user accounts to report the following account control flags:
account disabled
allow encrypted password
expire password
has logon script
password expired
password required
smartcard required
user can change password

The sensor's default behavior checks the Well Known Name of users. Prefacing the User input with 'name:' will cause the sensor to search the non-translated name.

Input 'all' into the Users field to return the account control value from all inventoried users.

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Local Users Sensor Tanium Core ADQuery Content Listing of all local users.

The sensor returns the Well Known Name of local users.

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Logged In User Details Sensor Tanium Core ADQuery Content The following Active Directory attributes of the logged-in user: name (cn or name), department, co (country), city (l), email (mail), and telephoneNumber.

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Logged In User Group Memberships Sensor Tanium Core ADQuery Content All group memberships the logged in user is a member of -both explicitly and implicitly. Nested groups are also returned. The group is returned in NT format (SomeDomain\SomeGroup).

The sensor returns the group's Well Known Name.

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Logged In User Groups Sensor Tanium Core ADQuery Content The distinguishedName of any Active Directory groups the user is explicitly a member of (no nested groups). Also returns the user's Primary Group. The group is returned from the memberOf attribute and is in RFC 1779 format (CN=TestGroup,OU=Sales,DC=MyDomain,DC=com).

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Mismatched Site Names Sensor Tanium Core ADQuery Content Determines if there is an Active Directory Site Name mis-match between the computer and the Domain Controller responding to queries.

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Primary User Sensor Tanium Core ADQuery Content The computer's primary user

The sensor returns the Well Known Name of the primary user.

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Primary User Details Sensor Tanium Core ADQuery Content The following Active Directory attributes of the primary user: name (cn or name), department, co (country), city (l), email (mail), and telephoneNumber.

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Primary User Email Addresses Sensor Tanium Core ADQuery Content Gets the email addresses of the primary user from the mail and ProxyAddresses Active Directory attributes.

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Primary User Group Memberships Sensor Tanium Core ADQuery Content All groups the primary user of the computer is a member of -both explicitly and implicitly. Nested groups are also returned. The group is returned in NT format (SomeDomain\SomeGroup).

The sensor returns the group's Well Known Name.

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Primary User Groups Sensor Tanium Core ADQuery Content The distinguishedName of Active Directory group memberships for the computer's primary user. The groups returned are those which the user is explicitly a member of (no nested groups). Also returns the user's Primary Group. The group is returned from the memberOf attribute and is in RFC 1779 format (CN=TestGroup,OU=Sales,DC=MyDomain,DC=com).

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - Primary User Has Group Membership Sensor Tanium Core ADQuery Content Searches Primary User group inventory for membership.
Returns True if the user is a member of the group.
Returns False if no match was found.

The default comparison is performed on the group's Well Known Name.
This may be overridden by prefacing the Groups input with 'name:' - causing a compare to be performed on the group's non-translated name.

The group may be a local group or an Active Directory group.
The group name may be specified as groupname or domain\groupname syntax.
Multiple groups may be specified if separated by a comma. Ex: groupname,corp\groupname

RegEx based comparisons are also supported.
Prefacing the Groups input with 'regex:' will cause a RegEx compare to be performed.
Ex: regex:name:domain.* (compare the Name attribute for a match on the provided regex)
Ex: regex:domain.* (compare the Well Known Name attribute for a match on the provided regex)

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - User Attribute Inventory Sensor Tanium Core ADQuery Content Returns the user name, the name of inventoried attributes and their value.

Input 'all' in the User field to return the attribute value for all inventoried users.
Input 'Primary' in the User field to return the attribute value for the primary user.
Input 'Current' in the User field to return the attribute value for all current user.

The user may be a local account or an Active Directory account.
The attribute may be a local attribute or Active Directory attribute.

The sensor's default behavior searches the user's Well Known Name. Prefacing the User input with 'name:' will cause the sensor to search the non-translated name.

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - User Attributes Sensor Tanium Core ADQuery Content Returns the value of the attribute for the user.

The user may be a local account or an Active Directory account.
The attribute may be a local or Active Directory attribute.

Input 'all' in the User field to return the attribute value for all inventoried users.

The default comparison is performed on the user's Well Known Name.
This may be overridden by prefacing the User input with 'name:' - causing a compare to be performed on the user's non-translated name.
The user name may be specified as username or domain\username syntax.
Multiple users may be specified if separated by a comma. Ex: username,corp\username

RegEx based comparisons are also supported.
Prefacing the User input with 'regex:' will cause a RegEx compare to be performed.
Ex: regex:name:username.* (compare the Name attribute for a match on the provided regex)
Ex: regex:username.* (compare the Well Known Name attribute for a match on the provided regex)

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - User Group Memberships Sensor Tanium Core ADQuery Content All group memberships the specified user is a member of -both explicitly and implicitly. Nested groups are also returned. The result is returned in NT format as UserDomain\UserName|GroupDomain\GroupName.

The sensor's default behavior checks the Well Known Name of users and returns the Well Known Name of any groups the user is a member of. Prefacing the User input with 'name:' will cause the sensor to search the non-translated name.

User names may be specified as username, domain\username.
Multiple users may be specified if separated by a comma. Ex: user,Local\user,corp\user,.\user
Input 'all' into the Users field to return group membership of all inventoried users.

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Query - User Has Group Membership Sensor Tanium Core ADQuery Content Searches user group inventory for membership.
Returns True if the user is a member of the group.
Returns False if no match was found.

The default comparison is performed on the user's and group's Well Known Name.
This may be overridden by prefacing the Users or Groups input with 'name:' - causing a compare to be performed on the non-translated name.

The user may be a local account or an Active Directory account.
The user may be specified as username and domain\username syntax.

Input 'any' in the Users field to test any inventoried user for membership.
Multiple users may be specified when separated by a comma. Ex: user,Local\localuser,corp\user,.\user

The group may be a local group or an Active Directory group.
The group may be specified as groupname and domain\groupname syntax.

Multiple groups may be specified if separated by a comma. Ex: group,Local\group,corp\group,.\group

RegEx based comparisons are also supported.
Prefacing the Users or Groups input with 'regex:' will cause a RegEx compare to be performed.
Ex: regex:name:somename.* (compare the Name attribute for a match on the provided regex)
Ex: regex:somename.* (compare the Well Known Name attribute for a match on the provided regex)

This sensor is part of the Core AD Query Content solution. It will only return data after the Collect Active Directory Info package has completed an inventory.
AD Short Domain Sensor Tanium Core Content Returns the short, NetBIOS name of a machine's domain.
Example: CORP
ARP Cache Sensor Tanium Threat Response Returns the current arp cache values, and whether the values are static or dynamic.
Example: 172.16.173.1|00-50-56-c0-00-08|dynamic
Account Lockouts Security Event Log Search Sensor Tanium Threat Response Retrieves lockout events from the Windows Security Event log, in a specified time period. Also retrieves attempts to authenticate with a locked-out account. (Requires enabling account lockout auditing.)
Action Lock Status Sensor Tanium Default Content Returns whether the client is in a 'locked' state. Use the package "Tanium Client Action Unlock" to unlock the Client and allow actions.
Example: Action Lock On
Action Statuses Sensor Tanium Default Content The recorded state of each action a client has taken recently in the form of id:status.
Example: 1:Completed
Active Devices Sensor Tanium Core Content All hardware devices currently in use by a computer.
Example: Microsoft PS/2 Mouse
AnyConnect VPN Status Sensor Tanium Core Content Returns the status of the AnyConnect Network Connect VPN Adapter
Applicable Patches Sensor Tanium Patch Returns a row for every applicable patch on an endpoint

Example: a5aa3417baf0e1e0672dd70abacee6ea|MSXML 6.0 RTM Security Update (925673)|Not Installed|True|Critical|4/4/2012|MS06-061|1853208|07609d43-d518-4e77-856e-d1b316d1b8a8|KB925673|CVE-2006-4686 CVE-2006-4685|http://www.download.windowsupdate.com/msdownload/update/v3-19990518/cabpool/msxml6-kb925673-enu-amd64_cc347d98b9fe1e417cb73f0ddf004d1f94a4bfcf.exe|msxml6-kb925673-enu-amd64_cc347d98b9fe1e417cb73f0ddf004d1f94a4bfcf.exe|False|Windows|Windows Server 2012 R2|Security Updates
Application Crashes Yesterday Sensor Tanium Core Content A multi-column Sensor that shows processes that have crashed yesterday, including the instance number to capture multiple crashes by the same process.
Example: firefox.exe | 3
Application Crashes in Last X Days Sensor Tanium Core Content A parameterized Sensor that queries for any processes that have crashed in the last X days.
Example: chrome.exe
Asset - Tools Version Sensor Tanium Asset Reports support and installation details.
If tools have been installed, reports the version of tools and if all the required tools are present.

Example (unsupported)
Incoming Claim=Unsupported Client Version
Unsupported

Example (uninstalled):
Not Installed
Linux Package Required

Example (installed):
1.0.0.0057
Linux Package Installed
Asset File Evidence Status Sensor Tanium Asset Returns file evidence status
Asset SQL Server Details Sensor Tanium Asset Returns SQL Server Instance Details

Example:
Standard Edition|RTM-GDR|13.0.1742.0|Microsoft SQL Server 2016 (RTM-GDR)|MSSQLSERVER
Attached Battery Sensor Tanium Core Content Device name for any attached batteries for a machine, commonly found in laptops.
Example: DELL V57XN24
Audio Controller Sensor Tanium Core Content Description of the onboard audio controller for the computer.
Example: Intel(R) High Definition Audio Controller
AutoRun Files Sensor Tanium Threat Response Returns a subset of the AutoRuns data, specifically the name of each AutoRun file and the cryptographic hash of the file (e.g. MD5, SHA256). Note: This sensor uses cached data; this cached data can be regenerated with the "Incident Respose - Gather Autorun Details" package.
AutoRun Program Details Sensor Tanium Threat Response Retrieves information about the Autorun applications found in the Windows Registry. Note: This sensor uses cached data; this cached data can be regenerated with the "Incident Respose - Gather Autorun Details" package.
Autoruns by Category Sensor Tanium Threat Response Retrieves Autorun data for the enabled auto-start extension points (ASEPs). Use parameters to specify the category and hash for each ASEP. Note: This sensor uses cached data; this cached data can be regenerated with the "Incident Respose - Gather Autorun Details" package.
BIOS Current Language Sensor Tanium Core Content Currently configured language for the BIOS.
Example: en|US|iso8859-1
BIOS Name Sensor Tanium Core Content Name of BIOS.
Example: Phoenix ROM BIOS PLUS Version 1.10 A10
BIOS Release Date Sensor Tanium Core Content Release date of the BIOS.
Example: 2008-12-25
BIOS Vendor Sensor Tanium Core Content Manufacturer or vendor of the BIOS.
Example: Dell, Inc.
BIOS Version Sensor Tanium Core Content Version of the BIOS.
Example: A11
BitLocker Details Sensor Tanium Core Content Returns information on the BitLocker status of a machine.
Example: Drive | Device ID | Encryption Method
Boot Device Sensor Tanium Core Content Hard disk device that the operating system uses to boot from.
Example: \Device\HarddiskVolume1
Boot Time Sensor Tanium Core Content The amount of time, in seconds, that the last boot of this machine took.
Example: 100
CD-ROM Drive Sensor Tanium Core Content Name of any installed CD-ROM or DVD-ROM drives.
Example: SONY DVD-ROM DDU1615 ATA Device
CD-ROM Drive Loaded Sensor Tanium Core Content Checks if CD-ROM/DVD-ROM drive is loaded.
Example: True or False
CPU Sensor Tanium Core Content Description of the CPU.
Example: Intel(R) Core(TM) i5-2500 CPU @ 3.30GHz
CPU Architecture Sensor Tanium Core Content Describes the architecture of the CPU/processor.
Example: i386, X86-based PC
CPU Architecture Sensor Tanium Client Management Describes the architecture of the CPU/processor.
Example: i386, X86-based PC
CPU Cache Size Sensor Tanium Core Content CPU cache size in KB.
Example: 1024 KB
CPU Consumption Sensor Tanium Core Content Current total CPU consumption in %.
Example: 50%
CPU Details Sensor Tanium Core Content A multi-column sensor that provides CPU details: system type, CPU description, speed, # of processors, # of cores, and # of logical processors.
Example: x64-based PC | Intel(R) Xeon(R) CPU X3430 | 2390 Mhz | 1 | 4 | 4
CPU Family Sensor Tanium Core Content The family of the processor or CPU (Windows provides a family ID).
Example: Xeon, Family 198
CPU Family Sensor Tanium Client Management The family of the processor or CPU (Windows provides a family ID).
Example: Xeon, Family 198
CPU Manufacturer Sensor Tanium Core Content The manufacturer of the CPU.
Example: GenuineIntel
CPU Speed Mhz Sensor Tanium Core Content The speed of the processor in Mhz.
Example: 3200 Mhz
CPU by Process Sensor Tanium Core Content A multi-column sensor that lists every running process and the amount of CPU usage they are taking up.
Example: svchost | 15
CX - Configured Event Triggers Sensor Tanium Endpoint Identity
CX - Scheduled Events Sensor Tanium Endpoint Identity
Certificate Search Sensor Tanium Threat Response Enables searching for installed certificates. You can search by issuer name or SHA1 hash. The default is to return all installed certificates.
Chassis Type Sensor Tanium Default Content The machine or chassis type for the machine.
Example: Server or Virtual
Child Processes Sensor Tanium Threat Response Provides a list of child processes for the specified parent process name, as specified by a regular expression.
Example: "C:\Windows\System32\cmd.exe|C:\temp\notepad.exe"
Chrome Extensions Sensor Tanium Core Content Returns installed Extensions based on an enumeration of each users profile. Only searches local profiles.
Chrome Extensions Summary Sensor Tanium Core Content Returns distinct list of installed Extensions (including extension ID) based on an enumeration of each users profile. Only searches local profiles.
Cleared Windows Security Event Log Search Sensor Tanium Threat Response Retrieves events generated when the Windows Security Event Log has been cleared.
Client Configuration and Support - AIX C++ Runtime Sensor Tanium Client Management Retrieves AIX C++ Runtime version for Client Configuration and Support.
Client Configuration and Support - AIX Runtime Sensor Tanium Client Management Retrieves AIX Runtime version for Client Configuration and Support.
Client Configuration and Support - AIX Version Sensor Tanium Client Management Retrieves AIX version for Client Configuration and Support.
Client Configuration and Support - Glibc Version Sensor Tanium Client Management Returns the version of Glibc for a box
Client Configuration and Support - Is Container Sensor Tanium Client Management Determines if running within a container for Client Configuration and Support.
Client Date Sensor Tanium Default Content The calendar date on the managed client.
Example: 01/30/2012
Client Extensions - Installed Extensions Sensor Tanium Client Management
Client Extensions - Status Sensor Tanium Client Management
Client Health - Client Settings Sensor Tanium Client Management Captures Tanium Client settings from endpoints. Example data captured: ServerName, ServerNameList, ServerPort, Server_TLSMode, Resolver, LogVerbosity
Client Health - Python Version Details Sensor Tanium Client Management Checks which version of Python is installed on the Tanium client. Utilized by TCM for client health check. Example: 3.8 Core Python Version,info,2.1.24.0
Client Health - Tanium Client Version Sensor Tanium Client Management Version number of the Tanium Client on the client machine.
Example: 4.1.314.7020
Client Management - Upgrade Log Sensor Tanium Client Management Sensor returns log of the Tanium Client Install (not the Action Log)
Client Management - Upgrade Status Sensor Tanium Client Management Reports the status of Tanium Client version upgrades
Client Time Sensor Tanium Default Content The local time on the managed client.
Example: 5:17:44 PM
Cloud EC2 Instance IAM Role Sensor Tanium Core Content Returns the IAM Role information for the instance in AWS.
Cloud EC2 Instance VPC ID Sensor Tanium Core Content Returns information about the VPC ID of the primary interface of the instance in AWS.
Cloud Instance Account Sensor Tanium Discover Returns the Account information for the instance currently running in AWS, Azure or Google Cloud.
Cloud Instance Account Sensor Tanium Core Content Returns the Account information for the instance currently running in AWS, Azure or Google Cloud.
Cloud Instance ID Sensor Tanium Core Content Returns the unique ID associated with the instance in AWS, Azure, or GCP.
Cloud Instance ID Sensor Tanium Discover Returns the unique ID associated with the instance in AWS, Azure, or GCP.
Cloud Instance Image Sensor Tanium Core Content Returns information about the image used for creation of the instance in AWS, Azure, or GCP. If the result is '[empty string]' on Azure, it may be because image names are only available if the image is deployed from the Azure Image gallery.
Cloud Instance Image Sensor Tanium Discover Returns information about the image used for creation of the instance in AWS, Azure, or GCP. If the result is '[empty string]' on Azure, it may be because image names are only available if the image is deployed from the Azure Image gallery.
Cloud Instance Provider Sensor Tanium Discover Returns the cloud provider currently running the instance on AWS, Azure, or GCP.
Cloud Instance Provider Sensor Tanium Core Content Returns the cloud provider currently running the instance on AWS, Azure, or GCP.
Cloud Instance Public IP Sensor Tanium Core Content Returns public IP information for the instance in AWS, Azure, or GCP.
Cloud Instance Public Keys Sensor Tanium Core Content Returns information about the public keys used for the instance in AWS, Azure, or GCP.
Cloud Instance Region Sensor Tanium Core Content Returns information about the region used for the instance in AWS, Azure, or GCP.
Cloud Instance Tags Sensor Tanium Discover Returns tags associated to the instance in AWS and Azure.
Cloud Instance Tags Sensor Tanium Core Content Returns tags associated to the instance in AWS and Azure.
Cloud Instance Type Sensor Tanium Discover Returns the cloud provider designated resource type associated with the instance on AWS, Azure, or GCP.
Cloud Instance Type Sensor Tanium Core Content Returns the cloud provider designated resource type associated with the instance on AWS, Azure, or GCP.
Cloud Instance Zone Sensor Tanium Discover Returns information about the zone of the cloud computer instance in AWS, Azure, or GCP.
Cloud Instance Zone Sensor Tanium Core Content Returns information about the zone of the cloud computer instance in AWS, Azure, or GCP.
Command Line of Process Sensor Tanium Threat Response Returns the command line of any process by process name. Parameter is a regex of the process name.
Command Line with Hash Match Sensor Tanium Threat Response Retrieves the following information for any running process matching the specified hash: process, command line arguments of the process, and the module used by the process.
Example: "explorer.exe|C:\Windows\system32\WINTRUST.dll|C:\Windows\Explorer.EXE "
Comply - Architecture Type Sensor Tanium Comply Returns the type of underlying Architecture for the operating system (powerpc, sparc, x86, x64).
Comply - Assessment Status Sensor Tanium Comply A sensor that returns the status of each assessment on the endpoint.
Comply - CVE Findings Sensor Tanium Comply This sensor will return the unique vulnerability findings (CVEs) present on an endpoint.
Comply - CVE Findings - First Found Sensor Tanium Comply Returns the first found date for all observed vulnerabilities that the endpoint is currently vulnerable to.
Comply - CVE Findings - Last Found Sensor Tanium Comply Returns the last found date for all observed vulnerabilities that the endpoint is currently vulnerable to.
Comply - Compliance Aggregates Sensor Tanium Comply A sensor that aggregates compliance result data from scans
Comply - Compliance Exposure Score Sensor Tanium Comply Returns the Compliance Exposure Score (Optimized, Above Average, Average, Below Average, Needs Improvement, Not Scanned).
Comply - Compliance Findings Sensor Tanium Comply This sensor will return the unique compliance findings present on an endpoint.
Comply - Compliance Percentage Sensor Tanium Comply Determine the percentage of non-failed checks on the endpoint.
Comply - Compliance Results Sensor Tanium Comply Returns the configuration compliance results for the given report hash.
Comply - Compliance Results Joined Sensor Tanium Comply Returns the configuration compliance results for the given report hash joined into a single field.
Comply - Configuration Settings Sensor Tanium Comply Show current Comply configuration settings on endpoints.
Comply - Coverage Status Sensor Tanium Comply Highlight if Comply isn't deployed or functional on all potential endpoints.
Comply - Coverage Status Details Sensor Tanium Comply Highlight the details if Comply isn't deployed or functional on all potential endpoints.
Comply - Endpoint Scan Status Sensor Tanium Comply A sensor that returns the scan status of an endpoint for valid scans; stale assessments are not considered.
Comply - Has Been Scanned Sensor Tanium Comply Determines if the endpoint has had a scan in the last 30 days.
Comply - Has High Vulnerabilities Sensor Tanium Comply A sensor that returns "Vulnerabilities Found" if endpoint has high vulnerabilities. "No Vulnerabilities Found" otherwise
Comply - Has Unix prerequisites Sensor Tanium Comply Returns whether or not the endpoint has the necessary prerequisites to run Comply scripts.
Comply - Hygiene - Outdated High Severity Vulnerabilities Sensor Tanium Comply This sensor parses vulnerability results on targeted endpoints and returns the normalized operating system of the targeted endpoint if discovered vulnerability scan results have a severity score of 7.0 (High Severity under CVSSv2) or higher and those vulnerability results originate from calendar year 2019 or earlier.
Parameter input must be either blank to target all available reports on the targeted endpoint, or be a comma-separated list of at least one Tanium Comply report hash (e.g. b31337c1 or 6c750c51,b31337c1).
Comply - Hygiene - Product Vulnerability Results Sensor Tanium Comply This sensor pulls back the discovered CVEs, Release Year, Severities, and Titles for detected vulnerabilities on an endpoint based on the report hashes targeted and the product strings provided. To target vulnerabilities for Adobe, for example, use parameters (Adobe,adobe).
Must be either blank to target all available reports on targeted endpoint, or comma-separated list of at least one Tanium Comply report hash (e.g. b31337c1 or 6c750c51,b31337c1).
Comply - Hygiene - Vulnerability Results Sensor Tanium Comply This sensor pulls back the discovered CVEs, Release Year, Severities, and Titles for detected vulnerabilities on an endpoint based on the report hashes or max report age targeted. Must be either blank to target all available reports on targeted endpoint, or comma-separated list of at least one Tanium Comply report hash (e.g. b31337c1 or 6c750c51,b31337c1).
Comply - Is Deployable Sensor Tanium Comply Determines if there's enough disk space on the machine to be able to successfully deploy an engine.
Comply - Is Vulnerable Sensor Tanium Comply Determine is the endpoint is vulnerable or not.
Comply - Max Vulnerability Score Sensor Tanium Comply Returns the highest CVSS score of any vulnerability found on an endpoint.
Comply - Metrics Compliance Counts Sensor Tanium Comply Count the number of compliance findings per state (pass, fail, etc).
Comply - Metrics Tools Outdated Sensor Tanium Comply [DEPRECATED] Returns 'Current' if Comply Tools are up to date. 'Outdated' if Comply Tools are deployed but old. 'not installed' otherwise.
Comply - Metrics Vulnerability Counts Sensor Tanium Comply Count the number of vulnerabilities by level.
Comply - NMap Scan Results Sensor Tanium Comply Returns the Discover NMap scan results for reporting in Comply report scan reports.
Comply - Open Ports Sensor Tanium Comply Identifies the listening TCP ports, including the process listening to the port, the display name of the process (if available), and the listening IP Address and port. The Sensor definition can be modified to exclude process and IP range.
Comply - Oval Findings Sensor Tanium Comply This sensor will return the unique oval definitions from the found vulnerabilities present on an endpoint.
Comply - Report Age Sensor Tanium Comply This sensor will return for each report the following: Scan Engine, Report Hash, and Report Age.
Comply - Report Hashes Sensor Tanium Comply Find all report hash occurrences on an endpoint.
Comply - Report Results Older Than Sensor Tanium Comply Will return true if the results for a Comply report having the specified scan engine and report hash are either non-existent or older than the number of seconds specified.
Comply - Report Runtimes Sensor Tanium Comply Find the runtimes of each report in seconds.
Comply - Tools Version Sensor Tanium Comply Reports support and installation details.
If tools have been installed, reports the version of tools and if all the required tools are present.

Example (unsupported)
Incoming Claim=Unsupported Client Version
Unsupported

Example (uninstalled):
Not Installed
Linux Package Required

Example (installed):
1.0.0.0057
Linux Package Installed
Comply - Vulnerability Aggregates Sensor Tanium Comply A sensor that aggregates vulnerability result data from scans
Comply - Vulnerability CVE Search Sensor Tanium Comply Searches vulnerability results for CVE
Comply - Vulnerability Discovery Dates Sensor Tanium Comply Returns the first found/last found dates of vulnerabilities.
Comply - Vulnerability Findings Aggregate Sensor Tanium Comply Returns the most severe Vulnerability level reported (High, Medium, Low, Unscored, No Vulnerabilities)
Comply - Vulnerability Results Sensor Tanium Comply Returns OVAL definition IDs for vulnerabilities found on endpoint.
Comply - Vulnerability Results - Export Sensor Tanium Comply Returns OVAL definition IDs and first found/last found dates for vulnerabilities found on endpoint.
Comply RAS - Tools Version Sensor Tanium Comply Reports support and installation details.
If tools have been installed, reports the version of tools and if all the required tools are present.

Example (unsupported)
Incoming Claim=Unsupported Client Version
Unsupported

Example (uninstalled):
Not Installed
Linux Package Required

Example (installed):
1.0.0.0057
Linux Package Installed
Computer ID Sensor Tanium Default Content A unique identifier of each computer for internal use.
Example: 4202979704
Computer Name Sensor Tanium Default Content The assigned name of the client machine.
Example: workstation-1.company.com
Computer Serial Number Sensor Tanium Interact The serial number, if available, provided by the computer manufacturer.
Example: 123ABC1
Computer Serial Number Sensor Tanium Core Content The serial number, if available, provided by the computer manufacturer.
Example: 123ABC1
Connections Exclude List Days Old Sensor Tanium Threat Response Returns the age, in days, of the excluded-processes.dat and excluded-subnets.dat files that are currently deployed.
Example: 3
Container Host Operating System Sensor Tanium Containers Returns the Operating System Generation of a mangaged container host.
Container Image Sensor Tanium Containers Returns information about the images used to instantiate running containers.
Container Image Name Sensor Tanium Containers Returns the names of images used to instantiate running containers.
Container Labels Sensor Tanium Containers Returns labels defined for running containers.
Container Name with Image Hash Sensor Tanium Containers Returns the names and hashes of Images (not containers, but the template used to instantiate the container).
Container Network Sensor Tanium Containers Returns network details for running containers.
Container PID Count Sensor Tanium Containers Returns the number of Process IDs (PIDs) for running containers.
Container Running Processes Sensor Tanium Containers Returns process details for running containers.
Container Runtime Sensor Tanium Containers Provides detail regarding the executor of the containers, the "Container Runtime".
Container Stats Sensor Tanium Containers Provides runtime resource utilization statistics for running containers.
Container Uptime Sensor Tanium Containers Provides information regarding the age of running containers.
Core Content - Tools Version Sensor Tanium Core Content Reports support and installation details.
Checks if the endpoint supports the tools and has enough disk space.
If package has been deployed, reports the install location, version of tools, and if all the required tools are present.

Example (unsupported)
Incoming Claim=Unsupported Client Version
Unsupported

Example (uninstalled):
Not Installed
Linux Package Required

Example (installed):
1.0.0.0057
Linux Package Installed
Country Code Sensor Tanium Default Content Shows the currently specified country code used by the operating system.
Example: 1 (United States)
CredGuard Status Sensor Tanium Risk A sensor to determine if an endpoint is actively running CredGuard or is configured to run CredGuard. Requires Windows 10 or Server 2016.
Custom Tag Exists Sensor Tanium Core Content Checks to see if a given custom tag exists on the endpoint. The input can either be a substring or an exact match, and the check is case insensitive.
Example: True
Custom Tags Sensor Tanium Core Content Any specified custom tags that have been set for this machine. See the Custom Tagging Dashboard.
Example: Development, Test-Machines
DHCP Enabled? Sensor Tanium Core Content Whether or not a machine has a network adapter set to DHCP. Note, a machine may have multiple active adapters and may return multiple lines. If a machine has multiple adapters on DHCP, TRUE is returned only once.
Example: TRUE, FALSE
DHCP Server Sensor Tanium Core Content The addresses of the configured DHCP servers, If a machine is on DHCP.
Example: 192.168.1.1
DLL Load Order Hijacking Search Sensor Tanium Threat Response Searches for instances where DLL search order hijacking might have occurred in currently running processes. False positives are possible, so you must manually verify the results.
DNS Resolver Cache CNames Sensor Tanium Threat Response Returns the DNS resolver cache entries for CNAME records.
Example: www.mycompany.com|www.mycompany.com.vgtf.net
DNS Resolver Cache Hosts Sensor Tanium Threat Response Returns the DNS resolver cache entries for IPv4 addresses.
Example: ads.mycompany.com|157.166.226.208
DNS Resolver Misses Sensor Tanium Threat Response Returns the DNS resolver cache entries for DNS records that were not found.
Example: www.mycompany.com
DNS Server Sensor Tanium Default Content Addresses of any configured DNS servers for active network adapters.
Example: 192.168.1.1, 8.8.8.8
Data Execution Prevention Enabled Sensor Tanium Risk Whether data execution prevention is enabled for 32-bit machines. If disabled, code can be executed from a non-executable memory region.
Example: TRUE, FALSE
Data Execution Prevention Enabled Sensor Tanium Core Content Whether data execution prevention is enabled. If disabled, code can be executed from a non-executable memory region.
Example: True, False, Unknown
Default Login Domain Sensor Tanium Core Content Name of the domain of the most recently logged in user.
Example: CORP
Default Login UserID Sensor Tanium Core Content Last user name entered in the "Log On to Windows" dialog box.
Example: tanium_admin
Default Web Browser Sensor Tanium Core Content Default web browser for new users. Note that this can be changed per user.
Example: Internet Explorer
Deploy - All Deployment Activities Sensor Tanium Deploy Return details of the activities performed as part of the deployment for all deployments
Deploy - All Deployments Errors Sensor Tanium Deploy Return the deployment errors for all deployments
Deploy - All Software Packages Applicability Details Sensor Tanium Deploy Return the applicability statuses and reasons for all software packages
Deploy - Applicability Scan Age Sensor Tanium Deploy Get the age of the Deploy software package applicability scan
Deploy - Coverage Status Sensor Tanium Deploy Returns Optimal, Needs Attention, or Unsupported for whether the system has had any recent scans.
Deploy - Coverage Status Details Sensor Tanium Deploy Returns "Optimal" if Deploy is installed and running, "Needs Attention" if Deploy is not installed or is not healthy, "Unsupported" if the operating system is not supported, and "Initializing" if the system is in the process of installing tools or running the first scan. Provides additional details for systems that have a "Needs Attention" status to help administrators resolve client health issues.
Deploy - Deployment Activities Sensor Tanium Deploy Return details of the activities performed as part of the deployment for deployment with the specified ID
Deploy - Deployment Details Sensor Tanium Deploy Return the deployment status details for deployment with the specified ID
Deploy - Deployments Sensor Tanium Deploy Return the status of all deployments
Deploy - Deployments Errors Sensor Tanium Deploy Return the deployment errors for deployments with IDs within the specified bounds
Deploy - Deployments Statuses Sensor Tanium Deploy Return the deployment statuses for deployments with IDs within the specified bounds
Deploy - Download Status Details Sensor Tanium Deploy Shows download status of all active deployments and any completed deployments of the last about 3 days. Older completed downloads are not returned. This also adds the hash of said file and DeploymentID from Deploy - Download Status and is a slower running sensor.
Deploy - Enforcement Status Sensor Tanium Deploy Returns the enforcement status for enforcements defined in the Deploy Workbench
Example:
Type|ID|Status|Reason
MaintenanceWindow|1|Enforced|
MaintenanceWindow|2|Unenforced|Maintenance window configuration not found
Deploy - Gallery Compliance by Age Sensor Tanium Deploy Determine if any Gallery packages older than 30 days are applicable
Deploy - Has Enforced Maintenance Window Sensor Tanium Deploy Returns True if there is at least one enforced Deploy maintenance window and False otherwise
Deploy - Has Recent Scan Results Sensor Tanium Deploy Returns a Yes/No answer for the question of whether the system has Deploy software catalog scan results within the specified Scan Age Days.
Deploy - Installed Software Packages Sensor Tanium Deploy This sensor returns all applications from the Software Catalog which are considered Installed, Update Eligible, or Update Ineligible from Install verification rules. This is great for taking this data to Asset for offline reporting.
Deploy - Is Process Running Sensor Tanium Deploy Check if the deploy process is running
Deploy - Is Supported Sensor Tanium Deploy Returns True or False based on whether the endpoint meets the operating system and Tanium Client version requirements to install Deploy Tools. For more information on requirements, see https://docs.tanium.com/deploy/deploy/requirements.html#endpoints
Deploy - Maintenance Window Enforcements Sensor Tanium Deploy Returns the enforcement status for Maintenance Windows

Example:
ID|Status|Reason|EditID
1|Enforced||1
Deploy - Maintenance Windows Sensor Tanium Deploy This sensor will return the Maintenance Windows deployed and applied on an endpoint for Deploy.
Deploy - Mean Time to Deploy Sensor Tanium Deploy Determine the average number of days for a package update to be installed.
Deploy - Next Maintenance Window Sensor Tanium Deploy This sensor will show you the current endpoint state and whether or not it is in a maintenance window, or if none can be found. It will also show the next available window to that endpoint.
Deploy - Scan Errors Sensor Tanium Deploy Return any scan errors that are present on the endpoint.
Deploy - Self Service Activity Sensor Tanium Deploy Return the self service activity for software packages and bundles
Deploy - Self Service Activity By User Sensor Tanium Deploy Return the self service activity by user for software packages and bundles
Deploy - Self Service Profiles Sensor Tanium Deploy Return the Self Service Profiles deployed to an endpoint
Deploy - Settings Version Sensor Tanium Deploy Returns the version of settings or Not Found
Deploy - Software Installed By Tanium Sensor Tanium Deploy Show the software that has been installed, updated, or removed over the given time period.

Example:
Software Package ID|Software Package Name|Software Package Vendor|Software Package Version|Software Package Platform|Operation|Source
1|Chrome x64|Google|83.0.4103.61|windows|install|Self-Service
1|7-Zip x64|Igor Pavlov|19.00.00.0|windows|update|Standard Deployment
Deploy - Software Package Catalog Version Sensor Tanium Deploy Returns the version of the software package catalog or Not Found
Deploy - Software Packages Sensor Tanium Deploy Get the ID, vendor, name, version, and applicability of software packages in the Deploy catalog and gallery
Deploy - Software Packages Applicability Sensor Tanium Deploy Return the applicability statuses for software packages with IDs within the specified bounds
Deploy - Software Packages Applicability Details Sensor Tanium Deploy Return the applicability statuses and reasons for software packages
Deploy - Software Packages Gallery Applicability Sensor Tanium Deploy Return the applicability statuses for software packages in the Deploy software packages gallery
Deploy - Software Packages Gallery Applicability Details Sensor Tanium Deploy Return the applicability details for software packages in the Deploy software packages gallery
Deploy - Tools Version Sensor Tanium Deploy Reports support and installation details.
If tools have been installed, reports the version of tools and if all the required tools are present.

Example (unsupported)
Incoming Claim=Unsupported Client Version
Unsupported

Example (uninstalled):
Not Installed
Linux Package Required

Example (installed):
1.0.0.0057
Linux Package Installed
Deploy - Windows Upgrade Ready Sensor Tanium Deploy Returns "True", "False", or "N/A (No Scan Data)" based on the scan results scan results from the Windows Upgrade Phase 1 and Phase 2 packages. For more information, see https://docs.tanium.com/deploy/deploy/use_case_managing_windows_upgrades.html
Deploy - Windows Upgrade Scan Details Sensor Tanium Deploy Returns detailed data from the Windows Upgrade Phase 1 and 2 scan results. For more information, see https://docs.tanium.com/deploy/deploy/use_case_managing_windows_upgrades.html
Deploy - Windows Upgrade Scan Results Sensor Tanium Deploy Returns basic data from the Windows Upgrade Phase 1 and 2 scan results. For more information, see https://docs.tanium.com/deploy/deploy/use_case_managing_windows_upgrades.html
Detect Alerts Sensor Tanium Threat Response View recent Detect Alerts. This sensor can be used to view what the Detect Service is currently gathering as part of its Primary Alert Gathering.
Detect Primary Alerts Sensor Tanium Threat Response Get recent Detect alerts. This Sensor is primarily used by the Detect service to gather alerts.
Detect Quick Scan Sensor Tanium Threat Response Executes an immediate scan against a single intel item. This Sensor should not be used outside of Detect; however, it is exposed as a public Sensor to provide deeper insights and debugging. The input parameters are intentionally obscured and encoded as they are specialized for the Detect service and Evaluation Engine.
Detect Scan Result Sensor Tanium Threat Response The general use case for this Sensor is to get a quick sense of coverage; it provides the progress of a recently deployed scan (such as Quick Scan) and how many endpoints might have potential compromises.
Detect Scan Results Sensor Tanium Threat Response Emits results from a particular scan. If intel_id is not provided (default 0), then all results from all intel are given. This can be dangerous if the number of expected results is higher than the limit of strings that can be returned. In most cases, an intel id should be specified unless an additional filter is provided.
Detect Secondary Alerts Sensor Tanium Threat Response Get Detect alerts that were potentially missed by the primary gathering sensor. This Sensor is primarily used by the Detect service to gather alerts.
DeviceGuard Status Sensor Tanium Risk A sensor to determine if an endpoint is actively running DeviceGuard or is configured to run DeviceGuard, and whether or not Code Integrity Policy enforcement is configured. Requires Windows 10 or Server 2016.
Direct Connect - Connection Configuration Sensor Tanium Direct Connect Obtains current Direct Connect configuration
Direct Connect - Connection Status Sensor Tanium Direct Connect Get Direct Connect connection status
Direct Connect - Endpoint UUID Sensor Tanium Direct Connect Obtains current Direct Connect endpoint UUID
Direct Connect - Tools Version Sensor Tanium Direct Connect Reports support and installation details.
If tools have been installed, reports the version of tools and if all the required tools are present.

Example (unsupported)
Incoming Claim=Unsupported Client Version
Unsupported

Example (uninstalled):
Not Installed
Linux Package Required

Example (installed):
1.0.0.0057
Linux Package Installed
Discover - Endpoint within Network Range Sensor Tanium Discover Reports if endpoint is within the specified ranges. If True, endpoint is included within the ranges. If False, endpoint is excluded or not included by the parameters.
Discover - Installed Npcap Version Sensor Tanium Discover Reports Npcap version information, including the installed version, if the installed version was installed by Tanium, the last version that Tanium installed, and Npcap version put on the endpoint by the Discover - Install Npcap package if it exists.
Discover - Is Nmap Required Sensor Tanium Discover Reports whether the endpoint needs to have Nmap available for running Discover scans.
Discover - Profile Diagnostics Sensor Tanium Discover Retrieves Discover profile diagnostics (tuples consisting of a profile ID and an error message).
Example: 14,TOO_MANY_SCANS
27,NO_PROFILE
Discover - Required Npcap Version Sensor Tanium Discover Reports the Npcap version an endpoint requires.
Discover - Scan Metrics Sensor Tanium Discover Displays scan metrics gathered from Discover Profile Scans.
Discover - Tools Version Sensor Tanium Discover Reports support and installation details.
If tools have been installed, reports the version of tools and if all the required tools are present.

Example (unsupported)
Incoming Claim=Unsupported Client Version
Unsupported

Example (uninstalled):
Not Installed
Linux Package Required

Example (installed):
1.0.0.0057
Linux Package Installed
Discover Last Scan Range Sensor Tanium Discover Displays the last scan range for Ping and Nmap.
Discover Scan Range Sensor Tanium Discover Useful in troubleshooting, this sensor will return the range of IP addresses that each endpoint will be scanning (for Windows, Mac and Linux only). Example: 10.10.10.1-10|10.10.10.11-11|Backward
Discover Scan Range - Unix Sensor Tanium Discover Useful in troubleshooting, this sensor will return the range of IP addresses that each endpoint will be scanning (for AIX and Solaris only). Example: 10.10.10.1-10|10.10.10.11-11|Backward
Disk Drive Details Sensor Tanium Core Content Multi-column sensor that returns details on the type, size, and free space of all partitions on the machine.
Example:ST3808110AS ATA Device|C:|250G|120G
Disk Drive Serial Number Sensor Tanium Core Content Multi-column sensor that returns Disk drive name and serial number
Example: ST3808110AS ATA Device|SerialNumber
Disk Drives Sensor Tanium Core Content Descriptions of any installed disk drives, including external or USB drives.
Example: ST3808110AS ATA Device
Disk Free Space Sensor Tanium Core Content The amount of free disk space per drive.
Example: C: 40 GB
Disk Free Space Below Threshold Sensor Tanium Core Content If a drive has less free space than the configured threshold, the drive and remaining free space is returned. The threshold defaults to 2048 MB and can be altered.
Example: C: 1 GB
Disk IOPS Sensor Tanium Core Content Returns the current total number of disk IOPS currently occurring
Example: 86
Disk Total Size of System Drive Sensor Tanium Core Content The amount of total disk space on the main system drive.
Example: C: 100 GB
Disk Total Space Sensor Tanium Core Content The amount of total disk space per drive.
Example: C: 100 GB
Disk Type of C: Sensor Tanium Core Content File system type of the C drive.
Example: NTFS
Disk Used Percentage Sensor Tanium Core Content The percentage of used disk space per partition.
Example: C: 24%
Disk Used Space Sensor Tanium Core Content The amount of used disk space per partition.
Example: C: 40 GB
Domain Controller SYSVOL Size Sensor Tanium Core Content Returns the SYSVOL size on Domain Controllers
Example: 2.2 GB
Domain Member Sensor Tanium Default Content Returns true if the machine is part of an Active Directory domain.
Example: TRUE, FALSE
Domain Name Sensor Tanium Default Content The domain name (if any) that the computer is joined to or configured for.
Example: intra.company.com
Domain Role Sensor Tanium Core Content Returns the Active Directory domain role
Example: Primary Domain Controller
Download Statuses Sensor Tanium Default Content The recorded state of each download a client has made recently in the form of hash:completion percentage.
Example: 05839407baccdfccfd8e2c1ffc0ff27541cc053d15b52cfd4ed904510e59b428:100
Driver Details Sensor Tanium Core Content Return details about loaded drivers
Example:
WIMMount|Stopped|C:\Windows\system32\drivers\wimmount.sys|6.3.9600.16384
Driver Details with Hash Sensor Tanium Threat Response Retrieves information about loaded device drivers, including a hash of each driver file.
EICAR AV Exclusions Check Sensor Tanium Core EICAR Content Returns the details from running the "Write EICAR File" Package.
Check Name|Check Result
Example:
Expected Tanium Client result|Pass
Edge Extensions Sensor Tanium Core Content Returns installed Extensions based on an enumeration of each users profile. Only searches local profiles.
Edge Extensions Summary Sensor Tanium Core Content Returns distinct list of installed Extensions (including extension ID) based on an enumeration of each users profile. Only searches local profiles.
Elevated Privileges Sensor Tanium Threat Response Retrieves information about attempts to elevate user privileges.
Elevated Users Sensor Tanium Threat Response Retrieves information about users with elevated privileges, such as users logged in as root.
End-User Notifications - Has Tools Sensor Tanium End-User Notifications Returns the version of the EUN tools installed and a Yes/No answer. Example: Yes|1.10.54.0000
End-User Notifications - Mac OS Version Sensor Tanium End-User Notifications Return the operating system version of a Mac
End-User Notifications - Tools Version Sensor Tanium End-User Notifications Reports support and installation details.
If tools have been installed, reports the version of tools and if all the required tools are present.

Example (unsupported)
Incoming Claim=Unsupported Client Version
Unsupported

Example (uninstalled):
Not Installed
Linux Package Required

Example (installed):
1.0.0.0057
Linux Package Installed
Endpoint Configuration - Manifest Metadata Sensor Tanium Client Management Retrieves Endpoint Configuration manifest metadata from each endpoint, including manifest revision number and the service UUID from which the manifest originated.
Endpoint Configuration - Tools Status Sensor Tanium Client Management Retrieves Endpoint Configuration tools information from each endpoint, including installed and targeted versions, as well as information about the status of each tool.
Endpoint Configuration - Tools Status Details Sensor Tanium Client Management Retrieves Endpoint Configuration tools information from each endpoint, including installed and targeted versions, as well as detailed information about the status of each tool.
Endpoint Identity - Tools Version Sensor Tanium Endpoint Identity Reports support and installation details.
Checks if the endpoint supports the tools and has enough disk space.
If package has been deployed, reports the install location, version of tools, and if all the required tools are present.

Example (unsupported)
Incoming Claim=Unsupported Client Version
Unsupported

Example (uninstalled):
Not Installed
Linux Package Required

Example (installed):
1.0.0.0057
Linux Package Installed
Enforce - Anti-Malware Definition Outdated Sensor Tanium Enforce Reports the current Windows Anti-malware definition version installed on the computer is out of date.
Enforce - Anti-Malware Definition Version Sensor Tanium Enforce Reports the current Windows Anti-malware definition version installed on the computer.
Enforce - Anti-Malware Engine Version Sensor Tanium Enforce Reports the current Windows Antimalware engine version installed on the computer.
Enforce - Anti-Malware Threat Counts Last X Days Sensor Tanium Enforce Given a number of days in the past, this sensor reports all anti-malware threat counts since that date.
Enforce - Anti-Malware Threat Details Sensor Tanium Enforce Reports all anti-malware threats along with detection date, process name, and file paths.
Enforce - Anti-Malware Threats Last X Days Sensor Tanium Enforce Given a number of days in the past, this sensor reports all anti-malware threats since that date.
Enforce - AppLocker Threats Last X Days Sensor Tanium Enforce Given a number of days in the past, this sensor reports all AppLocker events since that date.
Enforce - BitLocker Encryption Status Sensor Tanium Enforce Reports BitLocker encryption status per encryptable drive.
Enforce - BitLocker Protection Status Sensor Tanium Enforce Reports BitLocker protection status per encryptable drive.
Enforce - Can Remove Quarantine By File Path Sensor Tanium Enforce Reports "Yes" if the endpoint supports restoring an individual file path from quarantine.
Enforce - Coverage Status Sensor Tanium Enforce Returns "Optimal" if Enforce is installed and running, "Needs Attention" if Enforce is not installed or is not healthy, "Unsupported" if the operating system is not supported.
Enforce - Defender Platform Version Sensor Tanium Enforce Reports Defender Platform Version
Enforce - Device Setup Classes Sensor Tanium Enforce Lists all device setup classes.
Enforce - Diagnostic - AppLocker Threat Details Last X Days Sensor Tanium Enforce Given a number of days in the past, this sensor reports all AppLocker events with additional details since that date. Specifically for small scale diagnostics.
Enforce - Diagnostic - Applied Machine Policies Sensor Tanium Enforce Returns status of applied machine policies. Specifically for small scale diagnostics.
Enforce - Diagnostic - Applied Policy Settings Sensor Tanium Enforce Returns status of applied policy settings. Specifically for small scale diagnostics.
Enforce - FileVault Encryption Status Sensor Tanium Enforce Reports endpoint encryption status for FileVault on Mac.
Enforce - Firewall Rules [Linux] Sensor Tanium Enforce Reports all configured firewall rules on linux endpoints.
Enforce - Firewall Rules [Windows] Sensor Tanium Enforce Reports all configured firewall rules.
Enforce - Host Firewall Enabled Sensor Tanium Risk Returns Yes if firewall is enabled, No otherwise
Enforce - Host Firewall Enabled Sensor Tanium Enforce Returns Yes if firewall is enabled, No otherwise
Enforce - Machine Policy Status Sensor Tanium Enforce Given a list of Policy Id numbers, reports the enforcement status of each.
Enforce - Machine Policy Status [VBS] Sensor Tanium Enforce Given a list of Policy Id numbers, reports the enforcement status of each.
Enforce - Quarantine Details Sensor Tanium Enforce Reports all quarantined threats along with severity, process name, and file paths.
Enforce - Remediation Results Sensor Tanium Enforce Reports remediation results.
Enforce - SRP Threats Last X Days Sensor Tanium Enforce Given a number of days in the past, this sensor reports all SRP events since that date.
Enforce - TPM Status Sensor Tanium Risk Reports TPM Status.
Enforce - TPM Status Sensor Tanium Enforce Reports TPM Status.
Enforce - Tools Version Sensor Tanium Enforce Reports support and installation details.
If tools have been installed, reports the version of tools and if all the required tools are present.

Example (unsupported)
Incoming Claim=Unsupported Client Version
Unsupported

Example (uninstalled):
Not Installed
Linux Package Required

Example (installed):
1.0.0.0057
Linux Package Installed
Enforce - Total Anti-Malware Threats Last X Days Sensor Tanium Enforce Given a number of days in the past, this sensor reports the total number of anti-malware threats detected since that date.
Enforce - USB Storage Devices Sensor Tanium Enforce Lists hardware IDs for all USB storage devices.
Enforce Anti-Malware Exclusions Sensor Tanium Enforce Reports all anti-malware exclusions.
Enforce Managed Definitions Targeting Sensor Tanium Enforce Used for targeting of Tanium Enforce Managed Definitions packages, this sensor determines if a host should requires download and execution of the definitions package.
Enforce Prerequisites Sensor Tanium Enforce Reports the installed prerequisites needed by some Enforce policies.
Enhanced Tags Sensor Tanium Core Content - Enhanced Tags Returns all Enhanced Tags for a specified Category
Enhanced Tags - Single Value Sensor Tanium Core Content - Enhanced Tags Returns the value of a single Enhanced Tag given a Tag Category and Tag Name
Enhanced Tags - Single Value Exists Sensor Tanium Core Content - Enhanced Tags Returns the True/False if a single Enhanced Tag exists given a Tag Category and Tag Name
Enhanced Tags Categories Sensor Tanium Core Content - Enhanced Tags Returns a list of Tag Categories
Enhanced Tags Category Exists Sensor Tanium Core Content - Enhanced Tags Returns a True/False based on existence of specified Tag Category
Enhanced Tags Deployment Errors Sensor Tanium Core Content - Enhanced Tags Returns the deployment errors for all enhanced tag categories.
Enhanced Tags Details Sensor Tanium Core Content - Enhanced Tags Returns all Enhanced Tags for all Categories
Enhanced Tags FQDN Sensor Tanium Core Content - Enhanced Tags Returns the FQDN expected by Enhanced Tags packages
Enhanced Tags Hostname Sensor Tanium Core Content - Enhanced Tags Returns the Hostname expected by Enhanced Tags packages
Enhanced Tags Version Sensor Tanium Core Content - Enhanced Tags Returns the version of Enhanced Tags.
Environment Variables Sensor Tanium Threat Response Retrieves environment variables.
Established Connections Sensor Tanium Core Content Any established connections currently being made. This multi-column Sensor displays the process responsible for the connection, the display name of the process (if available), and the target IP Address and port. Processes and IP ranges can be excluded in the Sensor definition.
Example: chrome.exe | Google Chrome | 173.194.79.99:80
Established Connections with Hash Sensor Tanium Threat Response Retrieves information about established connections with the hash value of the connected processes. The hash algorithm can be specified.
Established Ports by Application Sensor Tanium Core Content Parameterized Sensor that shows which addresses the process is connecting to and over what local port.
Example: 0.0.0.0:17500
Explicit Logon Security Event Log Search Sensor Tanium Threat Response Searches the Windows Security Event Log for explicit logon events.
File Certificate Details Sensor Tanium Threat Response Provides details about embedded certificates in Unix PE and COFF format image files.
File Creation Date Sensor Tanium Core Content Returns the creation date of the file specified by the parameter.
Example: 12-12-2014 18:00
File Exists Sensor Tanium Endpoint Identity A parameterized Sensor that checks to see if a file exists on a machine. If it does, it returns back the full path of the file. Will expand environment variables, and will expand %userprofile%/file or "~/file" to search all user home directories.
Example: C:\Windows\system32\notepad.exe
File Exists Sensor Tanium Core Content A parameterized Sensor that checks to see if a file exists on a machine. If it does, it returns back the full path of the file. Will expand environment variables, and will expand %userprofile%/file or "~/file" to search all user home directories.
Example: C:\Windows\system32\notepad.exe
File Handle Details Sensor Tanium Threat Response Retrieves information about the specified file handle that matches the input string.
File Handles Of Process Sensor Tanium Threat Response Finds the file handles that are currently open in the specified process. The parameter is a regular expression of the process name.
File Modification Date Sensor Tanium Core Content Returns the modification date of the file specified by the parameter.
Example: 12/12/2014 18:00
File Size Sensor Tanium Core Content Returns the size of the file specified by the parameter.
Example: 69120
File System Permissions Sensor Tanium Core Content
File Version Sensor Tanium Core Content Returns the version of the file specified.
Example: 1.0
FileVault Details Sensor Tanium Core Content Returns information on the FileVault status of a machine
Example: If Available | Fully Secure | Status
Firefox Extensions Sensor Tanium Core Content Returns installed Extensions based on the contents of the addons.json file from each users profile and each Firefox profile. Only searches local profiles.
Firefox Extensions Summary Sensor Tanium Core Content Returns distinct list of installed Extensions based on the contents of the addons.json file from each users profile and each Firefox profile. Only searches local profiles.
Firewall Status Sensor Tanium Core Content Returns the current status of the Windows firewalls.
Example: DomainProfile enabled
Folder Contents Sensor Tanium Core Content Returns the contents of the specified folder.
Example: 0.log
Folder Exists Sensor Tanium Core Content A parameterized Sensor that checks to see if a folder exists on a machine. If it does, it returns back the full path of the folder. Will expand environment variables, and will expand %userprofile%/folder or "~/folder" to search all user home directories.
Example: C:\Windows\system32
Folder Size Sensor Tanium Core Content Folder size (in GB, MB, KB, or B)
Example: 62 GB
Forefront Client AS Signature Applied Date Sensor Core Content - Forefront Support Indicates the last time that the client AV signature was updated.
Example: 09/18/2012
Forefront Client AS Signature Applied Days Old Sensor Core Content - Forefront Support Indicates how many days ago a new AS signature was applied.
Example: 8
Forefront Client AS Signature Version Sensor Core Content - Forefront Support The current version of the AV signature being used by Forefront.
Example: 1.85.1626.0
Forefront Client AV Signature Applied Date Sensor Core Content - Forefront Support Indicates the last time that the client AV signature was updated.
Example: 09/18/2012
Forefront Client AV Signature Applied Days Old Sensor Core Content - Forefront Support Indicates how many days ago a new AS signature was applied.
Example: 8
Forefront Client AV Signature Version Sensor Core Content - Forefront Support The current version of the AV signature being used by Forefront.
Example: 1.85.1626.0
Forefront Client Engine Version Sensor Core Content - Forefront Support The version of the engine being used by Forefront on the client machine.
Example: 1.1.5902.0
Forefront Client NIS Engine Version Sensor Core Content - Forefront Support The version fo the Forefront NIS engine running on the client machine.
Example: 1.3.1106.0
Forefront Client NIS Signature Applied Date Sensor Core Content - Forefront Support Indicates the last time that the client AV signature was updated.
Example: 09/18/2012
Forefront Client NIS Signature Applied Days Old Sensor Core Content - Forefront Support Indicates how many days ago a new AS signature was applied.
Example: 8
Forefront Client NIS Signature Version Sensor Core Content - Forefront Support The version of the Forefront NIS signature file on the client machine.
Example: 1.12.2131.0
Forefront Client Realtime Monitoring Status Sensor Core Content - Forefront Support Indicates whether Forefront Realtime Monitoring is enabled.
Example: enabled
Forefront Client Scheduled Scan Check Definitions Sensor Core Content - Forefront Support Indicates checking for definitions before running scheduled scan
Example: Yes
Forefront Client Scheduled Scan Day Sensor Core Content - Forefront Support indicates the the scheduled scan day
Example: Sunday
Forefront Client Scheduled Scan Limit CPU Usage Sensor Core Content - Forefront Support Indicates Limit CPU usage for scan
Example: 50%
Forefront Client Scheduled Scan Only When Idle Sensor Core Content - Forefront Support Indicates scheduled scan only when idle
Example: Yes
Forefront Client Scheduled Scan Time Sensor Core Content - Forefront Support Indicates the scheduled scan time
Example: 2:00 AM
Forefront Client Signature Applied Date Sensor Core Content - Forefront Support Indicates the last time that the client AV signature was updated.
Example: 09/18/2012
Forefront Client Signature Applied Days Old Sensor Core Content - Forefront Support Indicates how many days ago a new AV signature was applied.
Example: 8
Forefront Client Signatures Last Checked Date Sensor Core Content - Forefront Support Indicates the last date that the Forefront client signatures were checked by Forefront.
Example: 09/18/2012
Forefront Client Signatures Last Checked Days Old Sensor Core Content - Forefront Support Indicates the time in days since the last time the Forefront client signatures were checked by Forefront.
Example: 2
Forefront Client Signatures Last Updated Date Sensor Core Content - Forefront Support Indicates the last time that the client AV signature was updated.
Example: 09/18/2012
Forefront Client Spyware Signature Version Sensor Core Content - Forefront Support The version of the client spyware signatures used by Forefront.
Example: 1.20.3423.0
Forefront Client Version Sensor Core Content - Forefront Support The version of the Forefront client on the client machine
Forefront Last Scan Run Date Sensor Core Content - Forefront Support Indicates the last time that a scan was run
Forefront Last Scan Run Type Sensor Core Content - Forefront Support indicates the last scan type
Forefront Scheduled Scan Enabled Sensor Core Content - Forefront Support Indicates if a Scheduled Scan is enabled or not
Forefront Scheduled Scan Type Sensor Core Content - Forefront Support Indicates the Scheduled Scan Type
Free Memory Sensor Tanium Core Content Indicates the free RAM available to the operating system.
Example: 1024MB
Free Swap Sensor Tanium Core Content Indicates the free swap space available to the operating system.
Example: 640MB
Hardware Device Failed to Load Sensor Tanium Core Content Provides errors codes for hardware devices that failed to load correctly at last boot.
Example: none
Has Application Management Tools Sensor Tanium Core Content Returns whether a machine has the application management tools which may be necessary for parameterized actions or sensor-fed actions.
Example: Yes
Has Hardware Tools Sensor Tanium Core Content Returns whether a machine has the hardware tools, which are used to identify specific types of hardware.
Example: Yes
Has Incident Response ID Files Sensor Tanium Threat Response Identifies the Incident Response ID files that exist on a machine.
Example: "irsearch1234 "
Has Old Incident Response ID Files Sensor Tanium Threat Response Checks for Incident Response identifier files older than 90 days. Used to target machines for the scheduled Action that removes old Incident Response identifier files.
Example: "Yes"
Has Scheduled Task Sensor Tanium Threat Response Returns whether the specified scheduled task exists
Has Tanium Standard Utilities Sensor Tanium Default Content Returns whether a machine has the Tanium Standard Utilities
Example: Yes
Hash Of File Sensor Tanium Threat Response Returns the hash digest in the chosen algorithm of a specified file path.
High CPU Consumption Sensor Tanium Core Content Indicates whether the client machine is currently experiencing high utilization of its CPU.
Example: Under threshold
High CPU Processes Sensor Tanium Core Content Lists the specified number of processes that are using the highest amount of CPU.
Example: cmd
High Memory Consumption Sensor Tanium Core Content Indicates whether the machine is above an acceptable threshold for memory utilization.
Example: Under threshold
High Memory Processes Sensor Tanium Core Content Lists the specified number processes based on ordering on amount of memory used.
Example: cmd
High Uptime Sensor Tanium Core Content Indicates whether the client machine has been online for more than 30 days.
Example: Less than 30 days
Hosted Services Name Audit Sensor Tanium Threat Response Returns the Windows Service Group Name and a sorted list of service names in each group.
Hosted Wireless Ad-Hoc Networks Sensor Tanium Core Content Returns details of ad-hoc wireless networks are hosted in your environment. Details include SSID, Mode, Max Clients, Auth, Status, BSSID, Radio Type, Channel, and Connections.
Example: personalwifi | ad-hoc | 1 | Open | active | xx:xx:xx:xx:xx:xx | 802.11g | 11 | 1
Hosts File Entries Sensor Tanium Core Content Provides a list of hosts file entries for the local operating system.
Example: myserver.com , 192.168.1.100
Human Interface Device Sensor Tanium Core Content Indicates any human interface devices connected to the client machine.
Example: HID-compliant mouse
Hyperthreading Enabled Sensor Tanium Core Content Indicates whether hyperthreading is enabled on the client machine. This is not supported on all OS patch levels.
Example: Yes
IC Python - Days Since Python 2 Used Sensor Tanium Initial Content - Python
IC Python - Endpoint Tooling Safe for Python27 Removal Sensor Tanium Initial Content - Python Tests endpoint compatibility for Python
IC Python - Tanium Client 7.4 Compatibility Sensor Tanium Initial Content - Python Tests endpoint compatibility for Python
IC Python - Version Details Sensor Tanium Initial Content - Python
ICloud Settings Sensor Tanium Threat Response Prints out all iCloud settings for all users by default. You may also search by user, iCloud setting, or both.
IIS Website Details Sensor Tanium Core Content Returns information about IIS Websites
IP Address Sensor Tanium Default Content Current IP Addresses of client machine.
Example: 192.168.1.1
IP Connections Sensor Tanium Core Content Returns the protocol, local address / port, process name, application name, remote port, and connection state for all active IP connections on an endpoint.
Example: tcp|192.168.95.186:51866|explorer.exe|Windows Explorer|165.254.58.66:80|established
IP Route Details Sensor Tanium Core Content Returns IPv4 network routes, filtered to exclude noise. With Flags, Metric, Interface columns.
Example: 172.16.0.0|192.168.1.1|255.255.0.0|UG|100|eth0
IP Routes Sensor Tanium Core Content Returns IPv4 network routes, filtered to exclude noise.
Example: 172.16.0.0|192.168.1.1|255.255.0.0
IPv4 Address Sensor Tanium Default Content Returns only IP V4 addresses
IPv6 Address Sensor Tanium Default Content Returns only IPv6 addresses
Impact - Active User Session SIDs Sensor Tanium Impact Get the SIDs of users with an active session.
Impact - Administrator SIDs Sensor Tanium Impact Get the SIDs of the domain users and groups in the Administrators group.
Impact - Computer Domain SID Sensor Tanium Impact Get the SID of the domain to which the computer is joined.
Impact - Coverage Status Sensor Tanium Impact Returns "Optimal" if Python is installed, "Needs Attention" if Python is not installed, "Unsupported" if the operating system is not supported.
Impact - Physical NetBIOS Computer Name Sensor Tanium Impact Get the NetBIOS name of an endpoint.
Impact - Tools Version Sensor Tanium Impact Reports support and installation details.
If tools have been installed, reports the version of tools and if all the required tools are present.

Example (unsupported)
Incoming Claim=Unsupported Client Version
Unsupported

Example (uninstalled):
Not Installed
Linux Package Required

Example (installed):
1.0.0.0057
Linux Package Installed
In Subnet Sensor Tanium Default Content Returns True or False if a computer is in a given subnet. Must be in CIDR format (192.168.10.0/24)
Index - File Count Sensor Tanium Threat Response Returns count of index files that match one or more supplied inputs
Index - File Details Sensor Tanium Threat Response Returns details of index files that match one or more supplied inputs
Index - File Exists Sensor Tanium Threat Response Returns Yes or No, using Index to determine whether the specified file exists based on the supplied input
Index - File Hash Recently Changed Sensor Tanium Threat Response Returns details of index files that match one or more supplied inputs
Index - List Discovered Volumes Sensor Tanium Threat Response Returns list of filesystem volumes discovered by index
Index Config Sensor Tanium Threat Response Returns Index config file settings
Index Database Size Sensor Tanium Threat Response Returns the total disk space used by the Index database
Index Query File Count Sensor Tanium Threat Response Returns count of index files that match one or more supplied inputs
Index Query File Details Sensor Tanium Threat Response Returns details of index files that match one or more supplied inputs
Index Query File Details Using Name Sensor Tanium Threat Response Returns details of indexed files matching supplied file name
Index Query File Details Using Name Sort By Largest Sensor Tanium Threat Response Returns details of largest index files matching supplied file name
Index Query File Details by Last Modified Sensor Tanium Threat Response Returns details of index files by most recent modification date
Index Query File Exists Sensor Tanium Threat Response Returns Yes or No, using Index to determine whether specified file exists based on the supplied input
Index Query File Hash Recently Changed Sensor Tanium Threat Response Returns filename and hash(es) of file created or modified in previous N hours.
Index Query File Path Using Name Sensor Tanium Threat Response Returns paths of indexed files that match a supplied name
Index Query File Path and Hash Sensor Tanium Threat Response Returns path, name, and hash of index files matching supplied inputs
Index Query File Permissions Sensor Tanium Threat Response Returns permissions and other file details of Index files matching supplied input
Index Query Find Blacklist Matches Sensor Tanium Threat Response Returns indexed files matching stored blacklist
Index Resolved Config Sensor Tanium Threat Response Retrieves the config values currently in use by Index.
Injected Threads Sensor Tanium Threat Response
Returns threads executing possibly injected code. This is determined by finding thread start function addresses not mapped to a file on disk.
----Parameters----
Show PID/TID: By default is unchecked and will display [omitted] for both PID and TID. Check this box for both process and thread IDs to be displayed.
Show Omitted Results: By default believe false positives will be omitted from results. By checking this box you will see all possible false positive results.
----Columns----
Process: "full path of process. Will show mismatches when found between process and kernel paths"
PID: "Process ID when Show PID/TID is checked"
TID: "Thread ID when Show PID/TID is checked"
Header: "First 2 bytes of allocated memory region in hex"
Mapped File: "File mapped to this memory region or No Mapped File"
Memory Type: "Type of the pages in the memory region such as MEM_MAPPED or MEM_PRIVATE"
Allocated Protection: "Protection of the memory region when allocated such as PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY"
Page Protection: "Protection of the page in the memory region such as PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY"
Start Address: "The Win32 thread function start address"
Region Size: "The total size of the allocated memory region the Win32 thread function start address is in"
When no suspicious threads are found, "No injected threads found" is returned.
Installed Application Exists Sensor Tanium Core Content Determines whether a given substring exists in the Installed Applications list and returns True or False.
Example: True
Installed Application Version Sensor Tanium Core Content The version string of applications which match the parameter given.
Example: 11.5.502.146
Installed Applications Sensor Tanium Core Content List of the applications and versions of those applications installed on the client machine.
Example: Mozilla Firefox | 16.0.1
Installed HotFixes Sensor Tanium Core Content Returns a list of hotfixes that have previously been applied to the client machine.
Example: IY94310
Installed Pkgs Sensor Tanium Core Content Returns a list of installed Packages by name on Solaris systems.
Example: glibc-2.5-12
Installed RPMs Sensor Tanium Core Content Returns a list of installed RPMs by name on Linux systems.
Example: glibc-2.5-12
Installed Store Apps Sensor Tanium Core Content Returns the Application name and Version for native OS App Stores. On Windows, OS 8+ and Server 2012 R2+
Integrity Monitor - Active Watchlists Sensor Tanium Integrity Monitor Retrieves the active watchlists from the endpoint
Integrity Monitor - Endpoint ID Sensor Tanium Integrity Monitor Gets the Integrity Monitor ID (IMID) that Integrity Monitor has generated for the endpoint
Integrity Monitor - Event Count Sensor Tanium Integrity Monitor Returns a bucketed number of events for the last 24 hours from the endpoint.
Integrity Monitor - Event Count By Watchlist Sensor Tanium Integrity Monitor Returns a bucketed number of events grouped by Watchlist for the last 24 hours from the endpoint.
Integrity Monitor - Monitor Events Sensor Tanium Integrity Monitor Returns change type event counts from DB on endpoint.
Integrity Monitor - Monitor Events Unlabeled Sensor Tanium Integrity Monitor Returns change type event counts from DB on endpoint that are unlabeled.
Integrity Monitor - Tools Version Sensor Tanium Integrity Monitor Reports support and installation details.
If tools have been installed, reports the version of tools and if all the required tools are present.

Example (unsupported)
Incoming Claim=Unsupported Client Version
Unsupported

Example (uninstalled):
Not Installed
Linux Package Required

Example (installed):
1.0.0.0057
Linux Package Installed
Internet Explorer Version Sensor Tanium Core Content Returns the version of Internet Explorer installed on a system.
Example:8.0.6001.18702
Is AIX Sensor Tanium Default Content Returns whether the machine runs a AIX OS. True if so, False if not.
Example: True
Is DC Sensor Tanium Core Content Returns True if the endpoint has a Domain Controller role (Primary or Backup)
Example: True
Is File Digitally Signed Sensor Tanium Threat Response Checks whether or not the specified file is digitally signed. Uses the Windows WinVerifyTrust API to verify the signature embedded in the file.
Is Linux Sensor Tanium Default Content Returns whether the machine runs a Linux-based OS. True if so, False if not.
Example: True
Is Mac Sensor Tanium Default Content Returns whether the machine is a Mac. True if so, False if not.
Example: True
Is Managed Sensor Tanium Default Content Returns True if the endpoint is running the Tanium Client. Returns False if not.
Is Managed Sensor Tanium Discover Returns True if the endpoint is running the Tanium Client. Returns False if not.
Is Managed Container Host Sensor Tanium Containers Identifies managed endpoints that are container hosts and have the TCC/TCC Tools.
Is Python 2.7 Installed Sensor Tanium Deploy
Is Python 2.7 Installed Sensor Tanium Impact
Is Python 2.7 Installed Sensor Tanium Patch
Is Python 2.7 Installed Sensor Tanium Risk
Is Python 2.7 Installed Sensor Tanium Discover
Is Python 2.7 Installed Sensor Tanium Map
Is Python 2.7 Installed Sensor Tanium Reveal
Is Python 2.7 Installed Sensor Tanium Asset
Is Python 2.7 Installed Sensor Tanium Threat Response
Is Python 2.7 Installed Sensor Tanium Performance
Is Python 2.7 Installed Sensor Tanium Integrity Monitor
Is Python 2.7 Installed Sensor Tanium Enforce
Is Quarantined Sensor Tanium IR Quarantine Windows:
Returns "Yes" if a machine has a Ipsec Policy named "Tanium Qaurantine" applied, other wise returns "No".
Linux:
Returns "Yes" if a machine has an iptables rule named "Tanium Quarantine", otherwise returns "No".
Is Solaris Sensor Tanium Default Content Returns whether the machine runs a Solaris-based OS. True if so, False if not.
Example: True
Is Tanium Client Container Sensor Tanium Containers Returns True if the Tanium Client is executing in a Tanium Client Container, False otherwise.
Is Terminal Server Sensor Tanium Default Content Returns Yes or No depending on whether a Windows machine is a Terminal Server
Example: Yes
Is Virtual Sensor Tanium Default Content Returns Yes or No to indicate whether the hardware is virtual.
Echo: Yes
Is Windows Sensor Tanium Default Content Returns whether the machine runs Windows. True if so, False if not.
Example: True
Kaspersky Client Version Sensor Tanium Core Content Returns the version of the Kaspersky Antivirus Scanner.
Example:5.6
Kaspersky DAT Days Old Sensor Tanium Core Content Returns the age, in days, of the the Kaspersky Antivirus DAT file.
Example: 5
Kaspersky DAT Version Sensor Tanium Core Content Returns the version of the Kaspersky Antivirus DAT file.
Example: 5.0.0.3
Kernel Modules Sensor Tanium Core Content Returns loaded kernel modules on Linux systems.
Example:dcdbas
Kernel Version Sensor Tanium Core Content Returns running kernel version on Unix based systems.
Example:Linux 4.15.0-45-generic
Kubernetes Environment Sensor Tanium Containers Identifies the Kubernetes environment details, typically of the cloud provider.
Kubernetes Pods Sensor Tanium Containers Enumerates all Kubernetes running pods including those typically hidden from view.
Last Logged In User Sensor Tanium Core Content If no user is logged in, returns the last user to log in is reported. If a user is currently logged in, that user is returned.
Example: DOMAIN\Jane.Doe
Last Reboot Sensor Tanium Default Content Returns the time the last reboot occurred.
Example: Tue, 14 Jan 2020 18:37:13 -0800
Last System Crash Sensor Tanium Core Content Returns the date of the last system crash that occurred.
Example: 8/2/2012
Last System Crash in X Days Sensor Tanium Core Content Returns the date at which the last system crash occurred.
Example:5/2/2012
Linux AutoRuns Sensor Tanium Threat Response Linux AutoRuns and their types, from known categories such as Systemd, etc ...
Linux Network Manager Sensor Tanium IR Quarantine Returns "Yes" If Network Manager is enabled, otherwise "No"
Listen Ports Sensor Tanium Core Content Returns information network-aware processes and the ports they have bound to.
Example: googletalkplugin.exe Google Talk Plugin :60042
Listen Ports with Hash Sensor Tanium Threat Response Identifies listening TCP ports, including the process listening to the port, the hash of the process, the display name of the process (if available), and the listening IP Address and port.
Load Average Sensor Tanium Core Content Returns the average CPU load on a Mac or Linux system
Example: 0.00 0.03 0.10
Loaded Modules Not Matching Whitelist Sensor Tanium Threat Response Lists the MD5 hash and fully-qualified path of any loaded modules that are not on the current MD5 whitelist.
Loaded Modules Of Process Sensor Tanium Threat Response Lists the modules loaded by the specified process. The parameter is a regular expression of the process or module name.
Loaded Modules with Hash Sensor Tanium Threat Response Displays the fully-qualified path and hash of each loaded module.
Local Account Expiration Details Sensor Tanium Core Content Returns local accounts and days until they expire. Accounts which have no expiration date return "N/A"
Example:
user.name|19
Local Account Last Password Change Days Ago Sensor Tanium Core Content Returns local accounts and number of days ago that the password was changed.
Example:
user.name|19
Local Administrators Sensor Tanium Core Content Returns users and groups who are considered 'administrators' on non-windows platforms. For Windows, consider the Content-ADQuery solution.
Example: root
Local Administrators Without Groups Sensor Tanium Core Content Returns users which are considered local administrators on Mac and Linux. For Windows, consider the Content-ADQuery solution or try the "Local Administrators" sensor.
Example: root
Local Printers Sensor Tanium Core Content Returns printers which are not connected via Network
Example: HP LaserJet 4400c
Local User Login Dates Sensor Tanium Core Content Returns the names and dates of the last users to log in.
Example: John.Doe 7/25/2012
Local User Password Change Dates Sensor Tanium Core Content Returns the last time the password was set for each user account.
Example: taniumuser|2013-10-31
Locale Code Sensor Tanium Default Content Returns the OS Locale Code from the installed operating system. This differs from the LCID returned in the OS language sensor.
Example:0409
Logged In Users Sensor Tanium Default Content Provides a list of users currently logged in to the client machine. Includes Remote Desktop sessions on Windows.
Example: Administrator
Logical Volumes Sensor Tanium Core Content Returns the logical volume names on the endpoint.
Example: root
Login Hooks Sensor Tanium Threat Response Returns the file name and path of a login hook script.
Example: /Library/Scripts/badStuff.sh
Logon Security Event Log Search Sensor Tanium Threat Response Searches Windows Security Event log and equivalent logging sources on Mac for logon events.
Logout Hooks Sensor Tanium Threat Response Returns the file name and path of logout hook script.
Example: /Library/Scripts/badStuff.sh
Low Disk Space Sensor Tanium Core Content Returns disk drives which have less than 2 gigabytes free.
Example: C:
MAC Address Sensor Tanium Default Content Returns MAC addresses for all IP enabled network connections.
Example:00:0C:29:68:6A:D8
MD5 Exploit List Days Old Sensor Tanium Threat Response Retrieves the number of days since the MD5 Exploit List was last updated.
MD5 Hash Match Files Executing Sensor Tanium Threat Response Retrieves a fully-qualified path of an executable file for a running process that matches the specified MD5 hash. Results also indicate if the file is executing.
MD5 Hash Of File Sensor Tanium Threat Response Returns the MD5 hash for a file at a specified path.
MD5 Hash Single File Match Sensor Tanium Threat Response Indicates whether the file at the specified path matches the specified MD5 hash.
MD5 Whitelist Days Old Sensor Tanium Threat Response Returns the number of days since the MD5 whitelist was last updated.
Mac AutoRuns Sensor Tanium Threat Response Mac AutoRuns and their types, from known categories such as Launch Agents, Launch Daemons, Startup Items,
User Login Items, Kernel Extensions, etc ...
Mac Downloaded Files Sensor Tanium Threat Response Queries the ~/Library/Preferences/com.apple.LaunchServices.QuarantineEvent* file for downloaded files.
Mac Firewall Settings Sensor Tanium Threat Response Enumerate the firewall settings on MacOS
Mac Gatekeeper Settings Sensor Tanium Threat Response Enumerate the Gatekeeper settings on MacOS
Mac Kext Details Sensor Tanium Threat Response Allows you to find allowed kernel extensions on a Mac
Manual Group Membership Sensor Tanium Default Content A list of manual group ids for internal use.
Example: 72
Manufacturer Sensor Tanium Discover Returns System or Motherboard manufacturer (OS Dependent).
Example: Apple
Manufacturer Sensor Tanium Core Content Returns System or Motherboard manufacturer (OS Dependent).
Example: Apple
Map - Active Applications Sensor Tanium Map Returns list of applications that were active during the selected time window
Map - Application Coverage Sensor Tanium Map Returns "Mapped" if the endpoint is a member of an application definition, otherwise "Unassigned".
Map - Coverage Status Sensor Tanium Map Returns "Optimal" if Map is installed and configured properly, "Needs Attention" if Map is not installed or not healthy, "Unsupported" if the operating system is not supported.
Map - Discover Seed Clients Sensor Tanium Map Returns clients for specified processes within the specified time period
Map - Discover Seed Details Sensor Tanium Map Returns details for specified processes within the specified time period
Map - Discover Seeds Sensor Tanium Map Returns a list of mappable processes identified on endpoints within the specified time period, filtered by listening ports
Map - Discover Tier Details Sensor Tanium Map Returns a list of incoming and outgoing connections related to the ip and port parameters.
Map - Endpoint Connections Sensor Tanium Map Returns a list of connections that have the target endpoint as source or destination
Map - Endpoint Health Sensor Tanium Map Returns "Healthy" if no health checks found or some combination of "Map CX Issue", "Core CX Issue", and/or "Recorder CX Issue" if any health checks are found for these extensions.
Map - Tools Version Sensor Tanium Map Reports support and installation details.
If tools have been installed, reports the version of tools and if all the required tools are present.

Example (unsupported)
Incoming Claim=Unsupported Client Version
Unsupported

Example (uninstalled):
Not Installed
Linux Package Required

Example (installed):
1.0.0.0057
Linux Package Installed
Maximum Process Memory Size Sensor Tanium Core Content Returns the maximum amount of memory, in Kilobytes, that a process can use. This may be free physical RAM and virtual RAM combined, or may be an arbitrary upper ceiling.
Example: 2097024
Memory Consumption Sensor Tanium Core Content Returns the percentage of used (committed) memory on a system.
Example: 27 percent
Model Sensor Tanium Core Content Returns the Model of a system.
Example: Precision T1600
Monitor Details Sensor Tanium Core Content Returns details of attached physical monitors.
Example: Model Name, Serial Number, VESA Manufacturer ID, Manufacture Date
Monitor Resolution Sensor Tanium Core Content Returns details about connected displays.
Example:1024 by 768 pixels, True Color, 60 Hertz
Motherboard Manufacturer Sensor Tanium Core Content Returns the Motherboard Manufacturer of a system.
Example:Lenovo
Motherboard Name Sensor Tanium Core Content Returns the motherboard product name of a system.
Example: 440BX Desktop Reference Platform
Motherboard Version Sensor Tanium Core Content Returns the Version of a motherboard.
Example:9230
Mutex Details Sensor Tanium Threat Response Returns details about a specified mutex object, including process, PID, user, handle ID, and mutex name.
Mutex Handles Of Process Sensor Tanium Threat Response Returns the open handles to file mutex objects for a specified process. The parameter is a regular expression for a process name.
NAT IP Address Sensor Tanium Discover Returns the IP Address of this client as seen from the Tanium Server. Example: 24.102.223.34
NET Version Sensor Tanium Core Content Returns the highest version number of all installed .NET.
Network Adapter Details Sensor Tanium Core Content Returns information on network adapters.
Example:Intel(R) Centrino(R) Ultimate-N 6300 AGN|Intel Corporation|Ethernet 802.3|00:24:D7:21:9C:70|65 Mbps|Wi-Fi
Network Adapter Name Sensor Tanium Core Content Returns the names of network adapters that are active.
Example: VMware Accelerated AMD PCNet Adapter
Network Adapter Type Sensor Tanium Core Content Returns the names of the network connections which are active.
Example: Local Area Connection
Network Adapters Sensor Tanium Discover Returns a list of network adapter addresses. Example: 192.168.0.1|01-0C-03-4D-25-D8
Network Details Sensor Tanium Threat Response Enumerates verbose network connection details
Network IP Gateway Sensor Tanium Core Content Returns the default gateway for all IP enabled network adapters.
Example: 192.168.10.254
Network Link Speed Sensor Tanium Core Content Returns the names and speeds of all network connections.
Example: WAN Miniport (IP) | 10000
Network Printer Details Sensor Tanium Core Content Returns the connected network printers.
Example: printer_name | driver | port
Network Printers Sensor Tanium Core Content Returns printers which are connected via Network
Example: HP LaserJet 4400c
Network Throughput Inbound Sensor Tanium Core Content Returns the current inbound throughput, in KB/Sec, of the network interface used to connect to the tanium server.
Example: 1024 KB/S
Network Throughput Outbound Sensor Tanium Core Content Returns the current output throughput, in KB/Sec, of the network interface used to connect to the tanium server.
Example: 1024 KB/S
Network Throughput Percentage Sensor Tanium Core Content Returns the current throughput, as a percentage of total possible, of the network interface used to connect to the tanium server.
Example: 50%
Network Throughput Total Sensor Tanium Core Content Returns the current total throughput, in KB/Sec, of the network interface used to connect to the tanium server.
Example: 2048 KB/S
No Screen Saver Password Sensor Tanium Core Content Returns the users which have no screen saver password set.
Example: Domain\John.Doe
Non-Approved Established Connections Sensor Tanium Threat Response Lists information about established connections that were opened by a prohibited process or to a prohibited destination. The Sensor definition can be modified to exclude process and IP range. Returns the process responsible for the connection, the display name of the process (if available), and the target IP Address and port.
Example: chrome.exe | Google Chrome | 173.194.79.99:80
Non-Approved Established Connections with Hash Sensor Tanium Threat Response Lists information about established connections that were opened by a prohibited process or to a prohibited destination. Returns the process responsible for the connection, the hash of the process, the display name of the process (if available), and the target IP Address and port. Processes and IP ranges can be excluded in the Sensor definition.
Number Of Users Sensor Tanium Core Content Returns the number of user sessions for which the operating system is storing state. This may differ from the number of interactively logged in users.
Example:3
Number of Application Crashes in Last X Days Sensor Tanium Core Content Returns the number of application crashes that have occurred in the last number of days supplied to the sensor.
Example: 3
Number of Fixed Drives Sensor Tanium Core Content Returns the number of fixed drives installed in the system.
Example:4
Number of Logged In Users Sensor Tanium Core Content Returns the number of interactively logged in users. On Windows, this will include Remote Desktop sessions.
Example: 2
Number of Processor Cores Sensor Tanium Core Content Returns the number of processor cores in all installed processors. Not supported on all OS patch levels.
Example:2
Number of Processors Sensor Tanium Core Content Returns the number of physical processors on a system. This may differ from the number of cores or number of logical processors.
Example:1
OS Boot Time Sensor Tanium Core Content Returns the Date and Time that the OS last booted in UTC.
Example: Mon, 05 Jan 2015 15:17:59 +0000
OS Platform Sensor Tanium Default Content Returns the platform of the operating system. Example: Windows
Onboard Devices Sensor Tanium Core Content Returns the name of any device which is built into the motherboard.
Example: ES1371
Online Sensor Tanium Default Content Returns, in all cases, the word True. This sensor is used in many ways, including to find a common target for machines which may have responded to a question with a 'where' clause - get "online from machines where IP address starts with 192.168.10." will allow you to target the respondents with an action or count responses.
Example:True
Online Random Sample Sensor Tanium Default Content Sample your population. Return True for X % of online devices, False for 100-X% online devices. Can be used for targeting sample audiences, such as Tagging for phased roll-out or sampled analysis of index logs

Default for % sample is 5%
Default Max Age is 60 minutes
Example: True
Example: False
Open Port Sensor Tanium Core Content Returns the ports which are listening on a local machine and the IP address the port is bound to. 0.0.0.0 indicates that the port is bound to all IP addresses.
Example: 0.0.0.0:80
Open Ports Sensor Tanium Discover Returns the top 1000 (according to Nmap) open tcp ports. Example: 135,443,445,902,912,1536,1537,1538,1539,1566
Open Share Details Sensor Tanium Core Content Returns a set of columns with details about open shares on a machine.
Example: name | path | status | type | permissions
Open Shares Sensor Tanium Core Content Returns information about shares on a PC.
Example: SHARENAME
Operating System Sensor Tanium Default Content Returns the name of the Operating System from all machines. This name may be localized.
Example: Windows Server 2008 R2 Enterprise
Operating System Boot Directory Sensor Tanium Core Content Returns the directory the Operating System boots from.
Example:\Windows
Operating System Build Number Sensor Tanium Core Content Returns the build number of the installed operating system.
Example:7601
Operating System Full Build Number Sensor Tanium Patch Returns the Build Number, and UBR.
Example: 14393.576
Operating System Generation Sensor Tanium Default Content Returns the generation of the Operating System from all machines.
Examples: Windows 10, Windows Server 2008 R2, Red Hat Enterprise Linux Server 6, Mac OS X 10.14
Operating System Install Date Sensor Tanium Core Content Returns the date the OS was installed.
Example: 8/24/2012
Operating System Language Sensor Tanium Default Content Returns the OS language along with any Language Packs installed.
Example: English-United States en-US
Operating System Language Code Sensor Tanium Default Content Returns the Language Code (LCID) of the Operating System. This differs from the Locale Code returned in the Locale Code sensor.
Example: 1033
Operating System Sku Sensor Tanium Default Content Returns the Operating System Sku value.
Examples: 48
Operating System Temp Directory Sensor Tanium Core Content Returns the gobal temp directory of the Operating System.
Example: C:\Temp
Organization Sensor Tanium Core Content Returns the Organization defined at OS install time.
Example: YourCorp
Outlook Version Sensor Tanium Core Content Returns the version of Microsoft Office Outlook installed.
Example: Outlook 2003, Version: 11.0
PCI Device Sensor Tanium Core Content Returns the names of PCI devices in the system.
Example:Intel(R) 82371AB/EB PCI Bus Master IDE Controller
PST Information Sensor Tanium Core Content Returns details of PST files that have been mounted by users on a system.
Example: c:\psts\huge.pst 4088 MB
Packet Loss Sensor Tanium Core Content Returns data about percent of packet loss on Windows machines.
Example: 5 %
Page File Details Sensor Tanium Core Content Returns information about the Page File(s) on a Windows system. Path, initial size, maximum size, size on disk, current used, and peak used.

Example: C:\pagefile.sys|3050 MB|3050 MB|3050 MB|413 MB|517 MB
Parentless Processes Sensor Tanium Threat Response Returns any running processes that do not have a parent process, or top level processes.
Example: "cmd.exe"
Patch - Applicable Patch Count Sensor Tanium Patch Returns the count of all applicable patches.
Patch - Applicable Patches by Year Sensor Tanium Patch Returns a row for every applicable patch on an endpoint
Example: MSXML 6.0 RTM Security Update (925673)|Critical|4/4/2012|KB925673|False|Windows|Windows Server 2012 R2|Security Updates
Patch - Block Lists Sensor Tanium Patch Returns the enforcement status for Block Lists

Example:
Type|ID|Status|Reason|OS|Version
Block List|1|Enforced||Windows|1
Patch - Coverage Status Sensor Tanium Patch Returns "Optimal" if Patch is installed and running, "Needs Attention" if Patch is not installed or is not healthy, "Unsupported" if the operating system is not supported, and Initializing if the system is in the process of installing tools or running the first scan.
Patch - Coverage Status Details Sensor Tanium Patch Returns "Optimal" if Patch is installed and running, "Needs Attention" if Patch is not installed or is not healthy, "Unsupported" if the operating system is not supported, and Initializing if the system is in the process of installing tools or running the first scan. Provides additional details for systems have a "Needs Attention" status to help administrators resolve client health issues.
Patch - Deployment Errors Sensor Tanium Patch Returns error messages for Deployments defined in the Patch Workbench

Example:
Deployment Id|Patch UID|Error Number|Error Message
1|9876abcde|4|Failed
2|0|-214123445|WU_ERROR_MSG
3|0|9|Install Script Failed
Patch - Deployment Results Sensor Tanium Patch Returns the deployment results for deployments defined in the Patch Workbench

Example:
Deployment Id|Patch UID|Patch Title|Result|Severity|Release Date|KB Articles
1|9876abcde|Some Patch Title|Succeeded|Critical|01/01/2020|222231
1|abcd9876e|Another Patch Title|Succeeded with Errors|Critical|01/01/2020|211231
2|cd76e1234|Failed Patch Title|Failed|Critical|01/01/2020|225231
Patch - Deployment Statuses Sensor Tanium Patch Returns the deployment statuses for deployments defined in the Patch Workbench

Example:
ID|Parent Status|Status
1|Complete|Complete, All Patches Applied
2|Complete|Error, No Patches Applied
Patch - Direct Download Statuses Sensor Tanium Patch Returns download statuses for endpoints that download update files from the internet

Example:
Patch1|Patch Title 1|Patch URL 1|Succeeded|...
Patch2|Patch Title 2|Patch URL 2|In Progress|...
Patch - Enforcement Status Sensor Tanium Patch Returns the enforcement status for Blacklists and Scan Configurations defined in the Patch Workbench

Example:
Type|ID|Status|Reason
Scan Configuration|1|Enforced|
Scan Configuration|2|Unenforced|Scan Configuration Not Found
Blacklist|1|Enforced|
Patch - Has Aged Applicable Patches Sensor Tanium Patch Returns a Yes/No answer for the question of whether the system has applicable patches that meet the specified Patch Age and Severity parameters.
Patch - Has Antivirus Compatibility Registry Key Sensor Tanium Patch Returns Yes or No if the QualityCompat registry setting that informs future patches that antivirus software was updated is set.
Patch - Has Enforced Maintenance Window Sensor Tanium Patch Returns Yes or No if a maintenance window policy is enforced on the endpoint.
Patch - Has Enforced Scan Configuration Sensor Tanium Patch Returns Yes or No if a scan configuration is being enforced.
Patch - Has Recent Scan Results Sensor Tanium Patch Returns a Yes/No answer for the question of whether the system has Patch scan results within the specified Scan Age Days.
Patch - In Maintenance Window Sensor Tanium Patch Returns "Yes" for an active maintenance window, "No" if outside of all maintenance windows, or "No Maintenance Windows Enforced" if the endpoint has no maintenance windows
Patch - Installation State Sensor Tanium Patch Returns a row for every applicable patch on an endpoint, and indicates whether it's installed or required.

Example: a5aa3417baf0e1e0672dd70abacee6ea|MSXML 6.0 RTM Security Update (925673)|Not Installed|True|Critical|4/4/2012|MS06-061|1853208|07609d43-d518-4e77-856e-d1b316d1b8a8|KB925673|CVE-2006-4686 CVE-2006-4685|http://www.download.windowsupdate.com/msdownload/update/v3-19990518/cabpool/msxml6-kb925673-enu-amd64_cc347d98b9fe1e417cb73f0ddf004d1f94a4bfcf.exe|msxml6-kb925673-enu-amd64_cc347d98b9fe1e417cb73f0ddf004d1f94a4bfcf.exe|False|Windows|Windows Server 2012 R2|Security Updates
Patch - Is Process Running Sensor Tanium Patch Is the Patch process running on this endpoint? Example: Yes
Patch - Last Scan Duration Sensor Tanium Patch Returns the last scan duration rounded up to the nearest 30 seconds
Example: 1:30
Patch - Maintenance Windows Sensor Tanium Patch Returns the enforcement status for Maintenance Windows

Example:
Type|ID||Status|Reason|OS|Version
Maintenance Window|1|Enforced||Windows|1
Patch - Mean Time to Patch Sensor Tanium Patch Returns Mean Time to Patch from an endpoint
Patch - OS for Applicable Patches Sensor Tanium Patch Returns the Operating System name for systems with applicable patches
Patch - Offline CAB Build Date Sensor Tanium Patch The sensor returns the "Date" for the "index.xml" file inside the wsusscn2.cab ("CAB") file. Generally, the timestamp for the "index.xml" file is the day prior to "Patch Tuesday." This sensor is only applicable if the Offline CAB scan type is configured & deployed.
Patch - Offline CAB Days Old Sensor Tanium Patch The sensor returns the "Days Old" for the "index.xml" file inside the wsusscn2.cab ("CAB") file. Generally, the timestamp for the "index.xml" file is the day prior to "Patch Tuesday." This sensor is only applicable if the Offline CAB scan type is configured & deployed. "Days Old" provides the a numeric response of the days between the CAB file timestamp and the current date.
Patch - Patch List Applicability Sensor Tanium Patch Returns a row for every unique patch showing the lists that it matches

Example:
1,2,4|Patch1|...
1|Patch2|...
1,3,4|Patch3|...
Patch - Patch List Applicability Results Sensor Tanium Patch Returns a row for every unique patch showing the lists that it matches

Example:
1,2,4|Patch1|...
1|Patch2|...
1,3,4|Patch3|...
Patch - Patch List Compliance Sensor Tanium Patch Returns endpoint compliance with respect to each Patch List defined. Example:
1|All Patches|26-50 missing|Windows
1|All Patches|11-25 missing|Windows
3|Core Patches - QA|1-5 missing|Windows
4|Core Patches - Prod|Compliant|Windows
4|All Patches|1-5 missing|Red Hat
Patch - Repositories Sensor Tanium Patch Returns repository information for repositories defined and enabled on the endpoint
Patch - Repository Variables Sensor Tanium Patch Returns repository variables key:value pairs with corresponding operating system from an endpoint
Patch - Requires Patch 1 Cleanup Sensor Tanium Patch Returns Yes if a running TaniumPatch.vbs process is detected or if a Tanium Client\Tools\PatchMgmt directory is present.
Patch - Requires WSP Cleanup Sensor Tanium Patch Returns Yes or No if the systems has files leftover from Windows Security Patch that need to be cleaned up
Example: Yes
Patch - Scan Age Sensor Tanium Patch Returns the number of days since the last scan.

Example:
Days Since Successful Scan
No scan results found
0 Days
5 Days
30 Days
More than 30 days
Patch - Scan Configurations Sensor Tanium Patch Returns the enforcement status for Scan Configurations

Example:
Type|ID|Status|Reason|OS|Version
Scan Configuration|1|Enforced||Windows|1
Patch - Scan Errors Sensor Tanium Patch Returns error messages for Scan Configurations defined in the Patch Workbench

Example:
ID|Error Message
1|Missing Cab File
2|Failed to start Windows Update Service
Patch - Supported Scan Types Sensor Tanium Patch Returns the supported package scan types for the endpoint.
Patch - Tanium Scan Product Applicability Sensor Tanium Patch Returns a list of applicable Windows products as found by Tanium Scan.
Patch - Tools Version Sensor Tanium Patch Reports support and installation details.
If tools have been installed, reports the version of tools and if all the required tools are present.

Example (unsupported)
Incoming Claim=Unsupported Client Version
Unsupported

Example (uninstalled):
Not Installed
Linux Package Required

Example (installed):
1.0.0.0057
Linux Package Installed
Patch Installation History Sensor Tanium Patch Returns a list of patches that were installed along with the date and the tool that installed them (AV Definition updates and Windows Store updates are excluded)
Path Permissions Sensor Tanium Core Content Returns the permissions of the given file or folder path
Example: NT AUTHORITY\SYSTEM (I)(F)
Performance - Active Profile Sensor Tanium Performance Returns the id of the active profile or "None" if there is no active profile, as well as the revision of the profile.
Performance - Application Crashes Sensor Tanium Performance Returns application crashes including process, crash count and version over the specified duration.
Performance - Application Details Metric Analysis Sensor Tanium Performance Will return the utilization of a given metric over a certain time for the processes that make up an application.
Performance - Application Metric Analysis Sensor Tanium Performance Will return the utilization of an application (as defined by the processes in the parameter of this sensor).
Performance - Configured Sensor Tanium Performance Returns the endpoint configured state in regards to Performance. Return value examples: "Not Configured", "Configured", "Unsupported". If Not Configured, the endpoint will return why it is not configured. Return value examples: "Needs Tools", "Needs Profile".
Performance - Coverage Status Sensor Tanium Performance Returns the Performance coverage status. Return value examples: "Optimal", "Needs Attention", "Unsupported". See Performance - Configured sensor for reasons why the endpoint needs attention.
Performance - Endpoint Health Sensor Tanium Performance Returns the endpoint health in regards to Performance Tools. Return value examples: "Not Installed", "Tools Installed", 'Configured", "Has Events"
Performance - Event Category Match Count Sensor Tanium Performance Returns the count of events that occurred in a give duration for a given category. Categories: 'cpu', 'mem', 'disk', 'network', 'appcrash', '*'(all categories). 'ex. Event Category Match Count['24h', 'mem']
Performance - Event Category Match Counts Sensor Tanium Performance Returns bucketed counts of events for a category ID in a give duration.
Sample return values:
cpu 1-4
appcrash 9+
appcrash 1-4
Performance - Event Details Sensor Tanium Performance Returns detailed information about Performance events occurring within a specified timeframe for a specific event category.
Performance - Event Match Counts Sensor Tanium Performance Returns bucketed event count on Endpoint grouped by event type in a given duration.
EventType1 1-4
EventType2 9+
EventType2 1-4
Performance - Installed Profiles Sensor Tanium Performance Returns a list of profile ids
Performance - Process Metric Analysis Sensor Tanium Performance Performs a specified analysis (e.g. Avg) of a given process name, for a specific metric, over a certain number of hours.
Performance - Profile Versions Sensor Tanium Performance Returns the status ("Installed", "None Installed"), the profile id and the revision
Performance - System CPU Queue Length Metric Analysis Sensor Tanium Performance Performs a specified analysis (e.g. Avg) of the CPU Queue Length metric over a certain number of hours.
Performance - System CPU Utilization Analysis Sensor Tanium Performance Performs a specified analysis (e.g. Avg) of a specific CPU metric over a certain number of hours.
Performance - System Crashes Sensor Tanium Performance Returns system crashes including bug check references over the specified duration.
Performance - System Disk Metric Analysis Sensor Tanium Performance Performs a specified analysis (e.g. Avg) of a specific Disk metric over a certain number of hours.
Performance - System Memory Metric Analysis Sensor Tanium Performance Performs a specified analysis (e.g. Avg) of a specific Memory metric over a certain number of hours.
Performance - System Network Metric Analysis Sensor Tanium Performance Performs a specified analysis (e.g. Avg) of a specific Network metric over a certain number of hours.
Performance - TSDB Status Sensor Tanium Performance Returns information about the Tanium TSDB process on endpoints - version, space consumed, etc.
Performance - Tools Version Sensor Tanium Performance Reports support and installation details.
If tools have been installed, reports the version of tools and if all the required tools are present.

Example (unsupported)
Incoming Claim=Unsupported Client Version
Unsupported

Example (uninstalled):
Not Installed
Linux Package Required

Example (installed):
1.0.0.0057
Linux Package Installed
Performance - Top Process Metric Analysis Sensor Tanium Performance Returns the top x processes for a specified analysis (e.g. Avg), for a specific metric, over a certain number of hours.
Performance - Top Processes Sensor Tanium Performance Returns top process for events within the duration specified. This means more than one can be returned but only one per event.
Performance - Trends Application Metric Analysis Sensor Tanium Performance Will return the utilization of a particular computer resource from UTC midnight until machine's current UTC time for a given application. This application is defined by a list of processes provided by the user. Currently supported are CPU normalized (total, user, and kernel) and Memory
Performance - Trends Event Category Match Counts Sensor Tanium Performance Returns bucketed counts of events for a category name since UTC midnight.
Sample return values:
CPU 1-4
Application Crashes 9+
Application Crashes 1-4
Performance - Trends Event Summary Sensor Tanium Performance Returns Performance Event Summary for the past day.
Sample return values:
With Critical Events or Without Critical Events
Performance - Trends Process Metric Analysis Sensor Tanium Performance Will return the utilization of a particular computer resource from UTC midnight until machine's current UTC time for a given application. This application is defined by a list of processes provided by the user. Currently supported are CPU normalized (total, user, and kernel) and Memory
Performance - Trends System Metric Analysis Sensor Tanium Performance Will return the utilization of a particular computer resource from UTC midnight until machine's current UTC time. Currently supported are CPU (total, user, and kernel) and Memory
Performance - Trends Top Application Crashes Sensor Tanium Performance Returns up to the top x applications that have crashed the most from UTC midnight until machine's current UTC time
Performance - Trends Top Process Metric Analysis Sensor Tanium Performance Returns up to the top x processes for a specified analysis (e.g. Avg), for a specific metric, from UTC midnight until machine's current UTC time
Performance - Trends Top System Crashes Sensor Tanium Performance Returns up to the top x bugcheck codes that have occurred the most from UTC midnight to current time.
Physical Volumes Sensor Tanium Core Content Returns the logical volume names on the endpoint.
Example: /dev/sda1
Power Plans Active Sensor Tanium Core Content Returns the currently active power plan.
Example: High performance
Power Plans Available Sensor Tanium Core Content Returns the available power plans.
Example: High performance
PowerForensics File Record Sensor Tanium Threat Response Retrieves the Master File Table (MFT) modified, accessed, changed, and born times for a specified file name. Returns file name, STANDARD_INFORMATION (SI) time stamps, and FILE_NAME (FN) time stamps. All time stamps are returned in UTC format.
PowerForensics Master Boot Record Sensor Tanium Threat Response Retrieves the operating system name, enumerated through WMI, and the MD5 hash of the master boot record (MBR) code section.
PowerForensics Prefetch Sensor Tanium Threat Response Searches prefetch entries for previously executed applications with a provided file path.
PowerForensics Recently Opened Office Files by User Sensor Tanium Threat Response Returns the path of any recently opened Office files by User name (required) and file path (optional). Requires PowerShell 2.0 or later.
PowerForensics Shim Cache Sensor Tanium Threat Response Retrieves executables that might have been run from entries in the Microsoft Application Compatibility section of the Registry. If an Explorer window is opened to a location for a given executable, a shim cache entry might be created even if the executable was never run.
Example output: C:\Windows\System32\cmd.exe^N/A
Verbose Example output: C:\Windows\System32\cmd.exe^2016-04-11 14:28
PowerForensics UserAssist Search Sensor Tanium Threat Response Parses a specified NTUser.dat file for a user account. Returns the list of applications that were recently run in the Windows GUI. If an optional executable name is specified, only entries matching that executable are returned.
PowerShell Version Sensor Tanium Default Content Returns the version(s) of PowerShell installed on a system
Example: 2.0
Predicted Disk Failures Sensor Tanium Core Content Returns drives and the S.M.A.R.T. status of the drives on machines which have a failing drive reporting through S.M.A.R.T.
Example: Drive | SMART Report
Primary Owner Name Sensor Tanium Core Content Returns the name of the Primary System Owner on Windows. This is set at OS install time.
Example: John Doe
Primary WINS Server Sensor Tanium Core Content Returns the primary WINS server of a machine.
Example: WINS1
Printers Sensor Tanium Core Content Returns printers connected to a system.
Example:HP LaserJet 4400c
Process Count Sensor Tanium Core Content Parameter: Name of a process
This sensor will return the number of times that process occurs. Leave blank for a count of all processes.
Process Details Sensor Tanium Threat Response Returns verbose details about running processes
Processes Using Module Sensor Tanium Threat Response Lists processes that use a specified module.
Provision - Tools Version Sensor Tanium Provision Reports support and installation details.
Checks if the endpoint supports the tools and has enough disk space.
If tools have been installed, reports the version of tools and if all the required tools are present.

Example (unsupported)
Incoming Claim=Unsupported Client Version
Unsupported

Example (uninstalled):
Not Installed
Linux Package Required

Example (installed):
1.0.0.0057
Linux Package Installed
Python - Tools Version Sensor Tanium Initial Content - Python Reports support and installation details.

Checks if the endpoint supports the tools and has enough disk space.

If package has been deployed, reports the install location, version of tools, and if all the required tools are present.



Example (unsupported)

Incoming Claim=Unsupported Client Version

Unsupported



Example (uninstalled):

Not Installed

Linux Package Required



Example (installed):

1.0.0.0057

Linux Package Installed
Quarantined Sensors Sensor Tanium Default Content List of sensors that have been quarantined on the local endpoint.
Example: File Search
RAM Sensor Tanium Core Content Returns the total amount of installed RAM, in Megabytes.
Example: 2048 MB
RAM Max Capacity Sensor Tanium Core Content Returns the size of the maximum amount of RAM a machine can carry.
Example: 8 GB
RAM Slots Used and Unused Sensor Tanium Core Content Returns the number of used and unused RAM slots.
Example:2 6
RDP Client History Sensor Tanium Threat Response Returns Local Profile, RDP Target Name or IP, and Remote Logon Name for a remote desktop client. Note that if an attacker starts the RDP client with the /Public option, then this information is not recorded in the user profile registry hive.
RPM Database Details Sensor Tanium Core Content Returns data about a Linux machine's RPM database in key/value format.
Example: Corrupted|No
Ram Slots Unused Sensor Tanium Core Content Returns the number of empty, unused RAM slots.
Example:2
Reboot Required Sensor Tanium Core Content Returns data indicating that a reboot is required and, if so, for which reason.
Example: Yes
Recently Closed Connections Sensor Tanium Core Content Returns any recently closed connection, ie those connection currently in CLOSED_WAIT or TIME_WAIT. If the process that owned the connection can be determined, it will be included.
Example: Google Chrome | 173.194.79.99:80
Recorder - Amazon Linux Version Sensor Tanium Integrity Monitor Returns the version of Amazon Linux installed, e.g. 2
Recorder - Extension Settings Sensor Tanium Integrity Monitor Show Recorder Settings which have been set via Package.
Recorder - Extension Settings Sensor Tanium Threat Response Show Recorder Settings which have been set via Package.
Recorder - Extension Settings Sensor Tanium Map Show Recorder Settings which have been set via Package.
Recorder - Is BPF BCC Supported Sensor Tanium Map Returns 'True' if BPF BCC is supported on this endpoint
Recorder - Is BPF BCC Supported Sensor Tanium Threat Response Returns 'True' if BPF BCC is supported on this endpoint
Recorder - Is BPF BCC Supported Sensor Tanium Integrity Monitor Returns 'True' if BPF BCC is supported on this endpoint
Recorder - Is BPF CO-RE Supported Sensor Tanium Threat Response Returns 'True' if BPF CO-RE (Compile Once Run Everywhere) is supported on this endpoint
Recorder - Is BPF CO-RE Supported Sensor Tanium Integrity Monitor Returns 'True' if BPF CO-RE (Compile Once Run Everywhere) is supported on this endpoint
Recorder - Is BPF CO-RE Supported Sensor Tanium Map Returns 'True' if BPF CO-RE (Compile Once Run Everywhere) is supported on this endpoint
Recorder - Is BPF Supported Details Sensor Tanium Threat Response Returns details about if BPF is supported on this endpoint
Recorder - Is BPF Supported Details Sensor Tanium Integrity Monitor Returns details about if BPF is supported on this endpoint
Recorder - Is BPF Supported Details Sensor Tanium Map Returns details about if BPF is supported on this endpoint
Recorder - Is Extension Enabled Sensor Tanium Threat Response Returns Disabled if the recorder extension is not loaded, and is disabled by the client setting DisableExtension_recorder.

Otherwise, returns Enabled
Recorder - Is Extension Enabled Sensor Tanium Integrity Monitor Returns Disabled if the recorder extension is not loaded, and is disabled by the client setting DisableExtension_recorder.

Otherwise, returns Enabled
Recorder - Is Extension Enabled Sensor Tanium Map Returns Disabled if the recorder extension is not loaded, and is disabled by the client setting DisableExtension_recorder.

Otherwise, returns Enabled
Recorder - Legacy Installed Sensor Tanium Integrity Monitor Returns 'Yes' if legacy version of Tanium Recorder is installed, otherwise 'No'
Recorder - Legacy Installed Sensor Tanium Map Returns 'Yes' if legacy version of Tanium Recorder is installed, otherwise 'No'
Recorder - Legacy Installed Sensor Tanium Threat Response Returns 'Yes' if legacy version of Tanium Recorder is installed, otherwise 'No'
Recorder - Red Hat Enterprise Linux Version Sensor Tanium Threat Response Returns the version of Red Hat Enterprise Linux installed, e.g. 8.3
Recorder - Red Hat Enterprise Linux Version Sensor Tanium Map
Recorder - Red Hat Enterprise Linux Version Sensor Tanium Integrity Monitor Returns the version of Red Hat Enterprise Linux installed, e.g. 8.3
Recorder - Ubuntu Linux Version Sensor Tanium Map
Recorder - Ubuntu Linux Version Sensor Tanium Threat Response Returns the version of Ubuntu Linux installed, e.g. 18.04
Recorder - Ubuntu Linux Version Sensor Tanium Integrity Monitor Returns the version of Ubuntu Linux installed, e.g. 18.04
Registry Key Exists Sensor Tanium Core Content Returns True if the Registry Key exists, False if not. If HKEY_USERS is the given hive, it will loop through each logged in user's registry hive. HKEY_CURRENT_USER will also loop through all logged in user hives. HKLM, HKU, and HKCU are valid shorthand.
Example: True
Registry Key Subkeys Sensor Tanium Core Content Returns all subkeys of a supplied key. If HKEY_USERS is the given hive, it will loop through each logged in user's registry hive and attempt to output the user's name. HKEY_CURRENT_USER will also loop through all logged in user hives. HKLM, HKU, and HKCU are valid shorthand.
Example: N/A | Tanium Client | 32-bit | HKLM\Software\Tanium\Tanium Client
Registry Key Value Exists Sensor Tanium Core Content Returns True if the Registry Value exists, False if not. If HKEY_USERS is the given hive, it will loop through each logged in user's registry hive. HKEY_CURRENT_USER will also loop through all logged in user hives. HKLM, HKU, and HKCU are valid shorthand.
Registry Key Value Names Sensor Tanium Core Content Returns all values contained in a supplied key. If HKEY_USERS is the given hive, it will loop through each logged in user's registry hive and attempt to output the user's name. HKEY_CURRENT_USER will also loop through all logged in user hives. HKLM, HKU, and HKCU are valid shorthand.
Example: N/A | dwordValue | 64-bit | HKEY_LOCAL_MACHINE\Software\KeyPath\dwordValue
Registry Key Value Names with Data Sensor Tanium Core Content Returns the data and values in a supplied registry key. If HKEY_USERS is the given hive, it will loop through each logged in user's registry hive and attempt to output the user's name. HKEY_CURRENT_USER will also loop through all logged in user hives. HKLM, HKU, and HKCU are valid shorthand.
Example: John~~4.1.314.7020~~REG_SZ~~32-bit~~HKLM\Software\Tanium\Tanium Client~~Version
Registry Value Data Sensor Tanium Core Content Returns the data of a supplied value in a supplied registry key. If HKEY_USERS is the given hive, it will loop through each logged in user's registry hive and attempt to output the user's name. HKEY_CURRENT_USER will also loop through all logged in user hives. HKLM, HKU, and HKCU are valid shorthand.
Example: John~~4.1.314.7020~~REG_SZ~~32-bit
Remote Desktop Event Log Search Sensor Tanium Threat Response Retrieves the most recent RDP events from the Terminal Services event log. Requires Tanium Client 6.0.314.1420 or later.
Reveal - Background Scan Results Sensor Tanium Reveal Returns the results of the background scan for one or more rules.
Reveal - Background Scan Summary Sensor Tanium Reveal Returns the Yes or No If an endpoint has one or more matches for a Reveal Rule.
Reveal - Confirmed Files Sensor Tanium Reveal Returns the full file path and file name for files confirmed to be in violation of the specified rules
Reveal - Coverage Status Sensor Tanium Reveal
Reveal - Endpoint Rule Result Sensor Tanium Reveal Returns if an endpoint has confirmed matches or match verifications needed for a specified Reveal rule.
Reveal - Endpoints with Confirmed Sensitive Data Sensor Tanium Reveal Returns if the endpoint contains confirmed sensitive data.
Reveal - Endpoints with Unconfirmed Sensitive Data Sensor Tanium Reveal Returns if the endpoint contains unconfirmed sensitive data.
Reveal - File Details Sensor Tanium Reveal Reveal details of indexed files that match supplied inputs.
Reveal - Index File Count Sensor Tanium Reveal Returns count of index files that match one or more supplied inputs
Reveal - Index File Details Sensor Tanium Reveal Returns details of index files that match one or more supplied inputs
Reveal - Index File Exists Sensor Tanium Reveal Returns Yes or No, using Index to determine whether the specified file exists based on the supplied input
Reveal - Index File Hash Recently Changed Sensor Tanium Reveal Returns details of index files that match one or more supplied inputs
Reveal - Installed Rule Sets Sensor Tanium Reveal Returns a string of comma-separated rule set IDs that are installed on the endpoint.
Reveal - Installed Rule Sets by Name Sensor Tanium Reveal Returns a string of comma-separated names of rule sets that are installed on the endpoint.
Reveal - Label Results Sensor Tanium Reveal Returns the number of files for each type of label that is supported by Reveal.
Reveal - Status Sensor Tanium Reveal Returns status and metrics for the Reveal tool on the endpoint.
Reveal - Tools Version Sensor Tanium Reveal Reports support and installation details.
Checks if the endpoint supports the tools and has enough disk space.
If tools have been installed, reports the version of tools and if all the required tools are present.

Example (unsupported)
Incoming Claim=Unsupported Client Version
Unsupported

Example (uninstalled):
Not Installed
Linux Package Required

Example (installed):
1.0.0.0057
Linux Package Installed
Reveal - Validation Results Sensor Tanium Reveal Returns the number of files with each validation.
Revision of CPU Sensor Tanium Core Content Returns the revision number of installed CPUs.
Example: 5898
Risk - Tools Version Sensor Tanium Risk Reports support and installation details.
If tools have been installed, reports the version of tools and if all the required tools are present.

Example (unsupported)
Incoming Claim=Unsupported Client Version
Unsupported

Example (uninstalled):
Not Installed
Linux Package Required

Example (installed):
1.0.0.0057
Linux Package Installed
Risk - Vector Base Score Sensor Tanium Risk Returns the base risk score components as key value pairs for a vector domain and name.
Run Command History Sensor Tanium Threat Response Lists the commands that were run from the Windows command prompt field on the Start menu.
Run Keys Sensor Tanium Core Content Returns the run keys that define which programs will be started when a user logs in.
Example: System|GlobalProtect|"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe"
Run Level Sensor Tanium Core Content Returns the set run level of Linux systems
Example: 3
Run Once Keys Sensor Tanium Core Content Returns the run once keys that define which programs will be started when a user logs in.
Example: System|GlobalProtect|"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe"
Running Applications Sensor Tanium Core Content Provides a list of applications that are running at the present time on the client machine.
Example: Google Chrome | 23.0.1271.64
Running Containers Sensor Tanium Containers Identifies all running containers, including those hidden and unknown to the orchestration layer (such as System or Rogue containers).
Running Processes Sensor Tanium Core Content Provides a list of processes currently running on the client machine.
Example: svchost.exe
Running Processes Memory Usage Sensor Tanium Core Content Returns all running processes along with the memory each process uses. This is the process's working set.
Example: lsass.exe|23 MB
Running Processes Of User Sensor Tanium Threat Response Provides a list of the currently running processes associated with the specified user.
Example: "svchost.exe"
Running Processes With Parent Sensor Tanium Threat Response Provides a list of the processes currently running and the parent process of the process.
Example: "wordpad.exe|explorer.exe"
Running Processes With User Sensor Tanium Threat Response Provides a list of the processes currently running and the owner of the process.
Example: "wordpad.exe|johndoe\CORP"
Running Processes with Hash Sensor Tanium Threat Response Lists the fully-qualified path and hash of each running executable.
Running Processes with MD5 Hash Sensor Tanium Threat Response Lists the fully-qualified path and MD5 hash of each running executable file.
Running Service Sensor Tanium Core Content Provides a list of currently running services on the client machine.
Example: DHCP Client
Running Service Short Name Sensor Tanium Core Content A list of the short names of all services currently in the running state.
Example: defragsvc
SCCM AutoAssignment Enabled Sensor Tanium Core Content - SCCM Checks if automatic site assignment is enabled
SCCM Available Programs Sensor Tanium Core Content - SCCM The list of available program advertisements.
SCCM Cache Percent Used Sensor Tanium Core Content - SCCM The percentage of used cache.
SCCM Cache Size Sensor Tanium Core Content - SCCM Returns the SCCM agent's configured (not current cache usage) cache size in MB
SCCM Client Cache Location Sensor Tanium Core Content - SCCM The location of the client's cache.
SCCM Client Communication Days Old Sensor Tanium Core Content - SCCM The number of days since last time the policy log file was updated.
SCCM Client Components Sensor Tanium Core Content - SCCM A listing of client components and their state.
SCCM Client Fallback Status Point Sensor Tanium Core Content - SCCM The configured fallback status point.
SCCM Client Health Sensor Tanium Core Content - SCCM Returns Healthy or Needs Attention for SCCM Client Health status, as well as a reason for not being healthy or those that Need Attention
Example: No|SCCM Client Not Running
SCCM Client ID Sensor Tanium Core Content - SCCM The client's ID (GUID).
SCCM Client Installed Sensor Tanium Core Content - SCCM Determines if the client service is installed.
SCCM Client MSI Properties Sensor Tanium Core Content - SCCM The Windows Installer parameters used the last time the client was successfully installed.
SCCM Client Running Sensor Tanium Core Content - SCCM Determines if the cliet service is running.
SCCM Client Version Sensor Tanium Core Content - SCCM Returns the version and a version description, if possible, of the SCCM client.
Example: 5.00.7958.1000|2012 R2
SCCM DCM Status Sensor Tanium Core Content - SCCM This sensor will return compliance status for each DCM baseline on the machine.
Example: My Baseline Name|Yes
SCCM Internet Client Sensor Tanium Core Content - SCCM Determines if the client is currently connected via Internet. It will report Always if the client is always on the Internet.
SCCM Management Point Sensor Tanium Core Content - SCCM The client's management point.
SCCM Mandatory Assignment Pending Sensor Tanium Core Content - SCCM Determines if a mandatory advertisement is pending.
SCCM Proxy Management Point Sensor Tanium Core Content - SCCM The client's proxy management point.
SCCM Server Roles Sensor Tanium Core Content - SCCM Determines if the server is acting as a Distribution Point, a Management Point, or a Software Update Point.
SCCM Site Code Sensor Tanium Core Content - SCCM The client's assigned site code.
SCCM Software Updates Scan Age Sensor Tanium Core Content - SCCM Returns the number of days since the last SCCM Software Updates Scan
SCCM Software Updates Scan Source Sensor Tanium Core Content - SCCM Returns the WSUS Server and Content Version of the last SCCM Software Updates Scan
SCCM WMI Health Sensor Tanium Core Content - SCCM Checks the health of client WMI namespaces.
SCSI Controller Caption Sensor Tanium Core Content A short description of the SCSI Controller as provided by the manufacturer.
Example: Dell PERC S100 S300 Controller
SCSI Controller Driver Name Sensor Tanium Core Content Name for SCSI Controller Driver as provided by the manufacturer.
Example: VClone
SELinux Status Sensor Tanium Core Content returns the SElinux mode from the /etc/selinux/config file, the current status, and current running mode of SELinux.
SHA1 Hash Match Files Executing Sensor Tanium Threat Response Matches a specified SHA1 hash against files that are currently executing. Returns the paths to matching executing files, and "Yes", or "No" if no executing files match.
SHA1 Hash Of File Sensor Tanium Threat Response Returns the SHA1 hash of a specified file path.
SHA1 Hash Single File Match Sensor Tanium Threat Response Compares the file at a specified path to a provided SHA1 hash. Returns "Yes" if the file at the specified path matches the hash.
SIP Settings Sensor Tanium Threat Response Returns the SIP settings on Macs. If all components are enabled, you will see only one line "System Integrity Protection status: enabled." Otherwise, each component will be shown with its status.
SIU - Installed Products Sensor Tanium Asset List products from Software Manager's Software Inventory Catalog.
SIU - Is Supported Sensor Tanium Asset Return "True" if SIU is supported on this platform, "False" if not
SIU - Product First Used Sensor Tanium Asset Get how long ago a product was first used
SIU - Product Last Used Sensor Tanium Asset Get how recently a product was used
SIU - Product Usage Sensor Tanium Asset Get bucketed average usage per day for a product
SQL Buffer Hit Ratio Sensor Tanium Core Content - MSSQL Returns the buffer cache hit ratio from SQL Server on the client machine.
Example: .5
SQL Clustered Sensor Tanium Core Content - MSSQL Returns whether or not the SQL server instance is clustered
Example: True
SQL Database Count Sensor Tanium Core Content - MSSQL The number of databases in SQL Server on the client machine.
Example: 4
SQL Database Recovery Mode Sensor Tanium Core Content - MSSQL Returns the database recovery mode for each database on the SQL Server on the client machine.
Example: master SIMPLE (SQLEXPRESS)
SQL Database Sizes Sensor Tanium Core Content - MSSQL Returns the database sizes for each database on the SQL Server on the client machine.
master 4MB (SQLEXPRESS)
SQL Log Sizes Sensor Tanium Core Content - MSSQL Returns the size of the log files for each database on the SQL Server on the client machine.
Example: master 0.75MB (SQLEXPRESS)
SQL Product Level Sensor Tanium Core Content - MSSQL Product level for SQL Server on client machine.
Example: SP4
SQL Product Version Sensor Tanium Core Content - MSSQL Product version from SQL Server on client machine.
Example: 10.50.1617.0
SQL Recovery Mode Sensor Tanium Core Content - MSSQL Returns database name and recovery mode for that database from all databases in SQL Server on client machine.
Example: ReportServer SIMPLE
SQL Server Agent Long Running Jobs Sensor Tanium Core Content - MSSQL Returns a list of long running SQL Server jobs on the client machine. Details include job name, start date, and duration.
Example: backupjob | 22-july-12 12:00 Am | 00:01:00:00
SQL Server CPU Consumption Sensor Tanium Core Content - MSSQL Current CPU utilization percentage by SQL Server process on client machine.
Example: 8%
SQL Server Databases Sensor Tanium Core Content - MSSQL List of database names from SQL Server on client machines.
Example: tanium
SQL Server Edition Sensor Tanium Core Content - MSSQL Returns the Edition of SQL Server installed on the client machine if it exists.
Example: Enterprise Edition (64-bit)
SSH Known Hosts Sensor Tanium Threat Response Retrieves entries from the .ssh/known_hosts file for a user.
SSL Server Audit Age Sensor Tanium Core Content - SSL/TLS Server Audit Returns age of the audit data in days.

Example: 91-180
SSL Server Audit Port Exclusions Sensor Tanium Core Content - SSL/TLS Server Audit It is possible to configure a particular endpoint to exclude specific ports from the audit scan if the target application is too fragile to scan. This sensor returns the exclusions applied on a particular endpoint.

Example: 443,8443
SSL Server Audit Python Exists Sensor Tanium Core Content - SSL/TLS Server Audit Confirms that a valid python interpreter exists on the ednpoint.
SSL Server Audit Tools Required Sensor Tanium Core Content - SSL/TLS Server Audit SSL Server Audit tools - can be used to target installs/updates
Not Installed: not been deployed or pieces missing
Version Incorrect: was previously deployed, but an older version
Required: either Not Installed OR Incorrect Version
Unavailable: not available for the OS
Installed: already deployed
SSL Server Certificate CA Short Name Sensor Tanium Risk This sensor returns a shortened Certificate Authority name, used by Tanium Risk to populate its dashboards.
SSL Server Certificate CA Short Name Sensor Tanium Core Content - SSL/TLS Server Audit This sensor returns a shortened Certificate Authority name, used by Tanium Risk to populate its dashboards.
SSL Server Certificate Details Sensor Tanium Risk
Return SSL Server Certificate Details for all open ports audited. Example: 443~2019-12-24~2021-12-24~Organizational Unit: AndyLab, Locality: Sandhurst, State/Province: England, Country: GB~Common Name: andylab-LAB-DC04-CA; Domain Component: andylab, local~unauthorised~none~none
SSL Server Certificate Details Sensor Tanium Core Content - SSL/TLS Server Audit
Return SSL Server Certificate Details for all open ports audited. Example: 443~2019-12-24~2021-12-24~Organizational Unit: AndyLab, Locality: Sandhurst, State/Province: England, Country: GB~Common Name: andylab-LAB-DC04-CA; Domain Component: andylab, local~unauthorised~none~none
SSL Server Certificate Details - Exclude Tanium Sensor Tanium Core Content - SSL/TLS Server Audit
Return SSL Server Certificate Details for all open ports audited. Example: 443~2019-12-24~2021-12-24~Organizational Unit: AndyLab, Locality: Sandhurst, State/Province: England, Country: GB~Common Name: andylab-LAB-DC04-CA; Domain Component: andylab, local~unauthorised~none~none
SSL Server Certificate Details Exclude Ports Sensor Tanium Core Content - SSL/TLS Server Audit
Return SSL Server Certificate Details for all open ports audited, except those listed in the parameter. Example: 443~2019-12-24~2021-12-24~Organizational Unit: AndyLab, Locality: Sandhurst, State/Province: England, Country: GB~Common Name: andylab-LAB-DC04-CA; Domain Component: andylab, local~unauthorised~none~none
SSL Server Certificate Expiry Sensor Tanium Core Content - SSL/TLS Server Audit Returns bucketed number of days until certificate expires.
Example: 443,91-180
SSL Server Certificate Expiry Sensor Tanium Risk Returns bucketed number of days until certificate expires.
Example: 443,91-180
SSL Server Certificate Expiry - Exclude Tanium Sensor Tanium Core Content - SSL/TLS Server Audit Returns bucketed number of days until certificate expires. Port 17472 is excluded from the results.
Example: 443,91-180
SSL Server Certificate Expiry Exclude Ports Sensor Tanium Core Content - SSL/TLS Server Audit List ports excluded from the audit report on a given machine.
Example: 443
SSL Server Certificate Extended Key Usage Sensor Tanium Core Content - SSL/TLS Server Audit Return the Extended Key Usage field for the certificates on each ssl-server-audit-port-exclusions.py

Example: 443~server_auth,client_auth
SSL Server Certificate Issuer Sensor Tanium Core Content - SSL/TLS Server Audit Returns the issuer of the certificate for the port specified in the parameter.

Example: Common Name: acme-ACME-DC01-CA; Domain Component: acme, lab
SSL Server Certificate Key Usage Sensor Tanium Core Content - SSL/TLS Server Audit Returns the key usage fields for the certificate.

Example: 443~digital_signature,key_encipherment,key_cert_sign
SSL Server Certificate Public Key Details Sensor Tanium Core Content - SSL/TLS Server Audit Return Key length and algorithm for the public key presented on each port.

Example: 8088~rsa~2048
SSL Server Certificate Signature Algorithm Details Sensor Tanium Core Content - SSL/TLS Server Audit Return signature algorithm and hash algorithm for the certificates used along with the associated port.

Example: 8089~rsassa_pkcs1v15~sha256
SSL Server Certificate Subject Sensor Tanium Core Content - SSL/TLS Server Audit Returns the subject field of the certicate in use on the port given as a parameter.

Example: Common Name: www.tanium.com
SSL Server Cipher Suite Sensor Tanium Risk Returns the SSL Protocol and available cipher suites available on each port.
Example:TLS1.2~TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256~deflate~false~8089
SSL Server Cipher Suite Sensor Tanium Core Content - SSL/TLS Server Audit Returns the SSL Protocol and available cipher suites available on each port.
Example:TLS1.2~TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256~deflate~false~8089
SSL Server Enhanced Certificate Details Sensor Tanium Core Content - SSL/TLS Server Audit Return Enhanced Certificate Details.
Example: 443~2019-12-24~2021-12-24~rsa~2048~rsassa_pkcs1v15~sha256~Organizational Unit: AndyLab, Locality: Sandhurst, State/Province: England, Country: GB~Common Name: andylab-LAB-DC04-CA; Domain Component: andylab, local~unauthorised~none~none~140000000c2cf994f1b11f23bb00000000000c~710830c33964b526dd4831a5988ade0b5905b7ed
SSL Server Key Exchange Sensor Tanium Core Content - SSL/TLS Server Audit Returns the Key Exchange parameters for each port in use.

Example: TLS1.2~TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA~520~443
SSL Server Protocols Sensor Tanium Core Content - SSL/TLS Server Audit List ports and supported SSL/TLS Protocols.
Example: 443,TLS1.2
SSL Server Root Certificate Authority Sensor Tanium Core Content - SSL/TLS Server Audit Returns the status of the CA used to sign each ssl-server-root-certificate-authority.py

Example: 3389~self signed
Scheduled Tasks Sensor Tanium Threat Response Returns scheduled tasks on a system, created either with "at" or "schtasks". Time and frequency information is omitted to limit unique strings.
Screen Saver Active Sensor Tanium Core Content Indicates whether a screen saver is enabled on the client machine.
Example: True
Semaphore Details Sensor Tanium Threat Response Returns details about a specified semaphore.
Example: symphony.exe|2400|WIN764\Administrator|2B4|\BaseNamedObjects\daemon242861781sem
Service Sensor Tanium Core Content Gets a list of all Services on the client machine.
Example: Task Scheduler
Service Details Sensor Tanium Core Content Details about all installed services on the client machine, including name, display name, running status, and startup mode.
Example: MDM | Machine Debug Manager | Running | Auto
Service Login Names Sensor Tanium Core Content A list of accounts under which services are configured to run. This list will not include the default accounts, including LocalSystem, LocalService, and NetworkService.
Example: .\servuser
Service Module Details Sensor Tanium Threat Response Lists services that are running at the time the Question is asked. The details include the path to the service executable (if it is a stand-alone service), the module (DLL) path (if it is a hosted service), and the loaded modules if the service implements a COM application.
Service Module Details with Hash Sensor Tanium Threat Response Collects a comprehensive list of stand-alone services, hosted services, COM+ application components, and the selected hash (MD5, SHA1, and SHA256) of the binary.
Service Pack Sensor Tanium Core Content The Service Pack level of the machine if available, and "No Service Pack found" if unavailable.
Example: Service Pack 1
Service Process Details Sensor Tanium Threat Response Returns verbose details about running processes for Services.
Service Status with Hash Sensor Tanium Threat Response Provides information about each of the Microsoft Windows Services that are installed on the endpoint, including the hash and whether the service is running.
Service System Event Log Search Sensor Tanium Threat Response Searches and stacks Windows service start, stop, or install entries in the System event log that occurred within a specified time period.
Share Folder Permissions Sensor Tanium Core Content A list of all shared folders and the permissions currently enabled for those folders.
Example: Downloads, BUILTIN\Administrators-FULL | \CREATOR OWNER-FULL | NT AUTHORITY\SYSTEM-FULL
Shared Network Printer Details Sensor Tanium Core Content Details on any shared printers available from the client machine. Details include printer name, print server, and share name.
Example: \PRINTSERVER1\PRINTER2 | netserver | \PRINTSERVER1\PRINTER2
Shell History Sensor Tanium Threat Response Retrieves the requested command(s) from the shell history files of all users (if found), or only one user if specified.
Short Hostname Sensor Tanium Core Content The assigned name of the client machine, minus any domain suffix.
Example: workstation-1
Software Management - Errors Sensor Tanium Deploy Get the last 10 error log messages from the software management process.
Software Management - Tools Version Sensor Tanium Deploy Reports support and installation details.
If tools have been installed, reports the version of tools and if all the required tools are present.

Example (unsupported)
Incoming Claim=Unsupported Client Version
Unsupported

Example (uninstalled):
Not Installed
Linux Package Required

Example (installed):
1.0.0.0057
Linux Package Installed
Sound Card Sensor Tanium Core Content Name of sound card in client machine.
Example: SoundMAX Integrated Digital HD Audio
Startup Programs Sensor Tanium Core Content A list of programs configured to automatically run on the client machine. Also includes the command line entry to run the program.
Example: Windows Mobile Device Center | C:\Windows\WindowsMobile\wmdc.exe
Static IP Addresses Sensor Tanium Core Content A list of the static IP addresses currently held by the client machine.
Example: 192.168.1.1
Stopped Service Sensor Tanium Core Content Returns a list of all services currently stopped on the client machine.
Example: DHCP Client
Stopped Service Short Name Sensor Tanium Core Content A list of the short names of all services currently in the stopped state.
Example: defragsvc
Storage Encryption Status Sensor Tanium Core Content Reports endpoint encryption status for BitLocker on Windows and FileVault on Mac.
Storage Encryption Status Sensor Tanium Risk Reports endpoint encryption status for BitLocker on Windows and FileVault on Mac.
Subnet Mask Sensor Tanium Default Content A list of all of the configured subnet masks for the network adapters of the client machine. Subnet masks are always represented in dotted decimal notation for ipv4 networks, and as descriptions of prefix lengths for ipv6.
Example: 255.255.0.0 (IPv4) or inet6:/64 (IPv6)
Successful Elevated Privileges Sensor Tanium Threat Response Lists successful attempts at elevating privileges for a user. Returns user ID, month and day, and time at which the attempt occurred.
System Directory Sensor Tanium Core Content The location of the system directory on Windows machines.
Example: C:\Windows\system32
System Disk Free Space Sensor Tanium Core Content The amount of free disk space on the main system drive.
Example: C:|4 GB
System Drive Sensor Tanium Core Content Hard drive location hosting system directory on Windows machines.
Example: C:
System Environment Variables Sensor Tanium Core Content Returns the currently defined system variables
Example: windir=c:\Windows
System Slots Available Sensor Tanium Core Content Returns the number of open slots in the system on Windows client machines.
Example: 3
System Slots In Use Sensor Tanium Core Content Returns the number of used slots in the system on Windows client machines.
Example: 1
System UUID Sensor Tanium Core Content System unique identifier UUID.
Example: 3e6be9de-8139-11d1-9106-a43f08d823a6
Tanium Action Log Sensor Tanium Default Content Provided with an action number as a parameter, this sensor returns the log from the action from each client machine that executed the action.
Example: 2012-11-02 03:30:17 +0000|Command Completed
Tanium Back Peer Address Sensor Tanium Default Content Returns the IP address of the back peer specified in th Tanium registry entry at HKLM\SOFTWARE\Tanium\Tanium Client\Status\PeerAddress on windows and TaniumClientStatus.ini on non-windows endpoints.
Example: 192.168.1.123
Tanium Buffer Count Sensor Tanium Default Content The number of buffered messages currently queued to be processed by the Tanium client on each client machine.
Example: 2
Tanium Client API Downloads Sensor Tanium Default Content Determines what the Tanium Client API downloads are active. Returns the name, status and URL.
Tanium Client Action Timing Sensor Tanium Default Content The number of seconds it took to download and complete the Action once a Client first sees the Action.
Example: 300 seconds
Tanium Client Architecture Sensor Tanium Asset Provides the target architecture for which the installed Tanium Client was compiled.
Tanium Client Architecture Sensor Tanium Discover Provides the target architecture for which the installed Tanium Client was compiled.
Tanium Client Architecture Sensor Tanium Patch Provides the target architecture for which the installed Tanium Client was compiled.
Tanium Client Architecture Sensor Tanium Reveal Provides the target architecture for which the installed Tanium Client was compiled.
Tanium Client Architecture Sensor Tanium Enforce Provides the target architecture for which the installed Tanium Client was compiled.
Tanium Client Architecture Sensor Tanium Integrity Monitor Provides the target architecture for which the installed Tanium Client was compiled.
Tanium Client Architecture Sensor Tanium Map Provides the target architecture for which the installed Tanium Client was compiled.
Tanium Client Architecture Sensor Tanium Default Content Provides the target architecture for which the installed Tanium Client was compiled.
Tanium Client Architecture Sensor Tanium Impact Provides the target architecture for which the installed Tanium Client was compiled.
Tanium Client Architecture Sensor Tanium Deploy Provides the target architecture for which the installed Tanium Client was compiled.
Tanium Client Architecture Sensor Tanium Performance Provides the target architecture for which the installed Tanium Client was compiled.
Tanium Client CPU Sensor Tanium Default Content The current percentage of cpu utilization being used by the Tanium Client process on each client machine. The reported value will be higher than average since the Tanium Client is actively in use while evaluating this Sensor. Example: 1.4
Tanium Client Container Version Sensor Tanium Containers Returns the version of the Tanium Client Container.
Tanium Client Core Health Sensor Tanium Default Content Determines whether the Tanium Client is able to execute the default content set successfully. Returns any error conditions.
Example: Error: Windows Script Host version must be at least 5.6
Tanium Client Directory Permissions Sensor Client Service Hardening Returns the current status of the Tanium Client directories permissions and if they have been set as restricted to SYSTEM.
Example: Restricted - SYSTEM
Tanium Client Downloads Directory Details Sensor Tanium Default Content Returns the path to and size of the Tanium Client "Downloads" directory. This is the directory to which Tanium Package files are downloaded. It is considered temporary space and will clean itself out periodically.
Example: C:\Program Files (x86)\Tanium\Tanium Client\Downloads|139.4 MB
Tanium Client Dump Files Sensor Tanium Default Content Report date and size of Tanium Client dumpfiles.
Tanium Client Explicit Setting Sensor Tanium Default Content Returns the value of a supplied Tanium Client Setting fom the Tanium Clients registry key. Supply only the client setting name, for instance: ServerName and the output will appear as follows:
Example: berkeley.tanium.com
Tanium Client Folder Size Sensor Tanium Default Content Returns the total size of the Tanium Client directory.
Example: 821 MB
Tanium Client IP Address Sensor Tanium Default Content The local IP address the client is using to communicate with the Tanium Server.
Example: 192.168.10.2
Tanium Client Installation Date Sensor Tanium Default Content The date on which the currently installed Tanium Client was installed on each client machine.
Example: Wed, 13 Nov 2013 00:00:00 -0480
Tanium Client Installation Time Sensor Tanium Default Content The date and time on which the currently installed Tanium Client was installed on each client machine.
Example: Wed, 13 Nov 2013 08:18:00 -0480
Tanium Client Logging Level Sensor Tanium Default Content Logging level setting between 1 and 100 of the Tanium Client on the client machine.
Example: 41
Tanium Client Management - Tools Version Sensor Tanium Client Management Reports support and installation details.
If tools have been installed, reports the version of tools and if all the required tools are present.

Example (unsupported)
Incoming Claim=Unsupported Client Version
Unsupported

Example (uninstalled):
Not Installed
Linux Package Required

Example (installed):
1.0.0.0057
Linux Package Installed
Tanium Client NAT IP Address Sensor Tanium Default Content The IP address the Tanium Client is communicating to the server with. This can be a public IP, or IP of a NAT device, for example.
Example: 65.128.25.253
Tanium Client Neighborhood Sensor Tanium Default Content Returns the Forward Peers and Backwards Peers returned by the server with which the client should communicate.
Example: 10.0.0.1:17472, 10.0.02:17472 | 10.0.0.10:17472
Tanium Client Service Control Status Sensor Client Service Hardening Returns whether the Tanium Client service has special permissions set such that regular users, or non-SYSTEM users, can control the service.
Example: Service Control Restricted to Administrators
Tanium Client Subnet Sensor Tanium Default Content The Subnet in use by the Tanium Client.
Example: 192.168.10.0/24
Tanium Client Uninstall Hidden Sensor Client Service Hardening Returns whether the Tanium Client is hidden from the Add-Remove programs list.
Example: Yes
Tanium Client Version Sensor Tanium Default Content Version number of the Tanium Client on the client machine.
Example: 4.1.314.7020
Tanium Current Directory Sensor Tanium Default Content Installation directory of the Tanium Client on the client machine.
Example: C:\Program Files\Tanium\Tanium Client
Tanium Driver Status Sensor Tanium Threat Response Returns information about the Tanium Driver

Example (not installed):
Driver Controller Version N/A
Driver Version N/A
Driver Location: Not installed
Service Installation: Not installed
Service Status: Not started
Install Recommended

Example (installed):
EnableNetworkMonitor: 0
EnableHttpMonitor: 0
EnableApiMonitor: 0
HttpMonitorPorts: 80
Service Status: SERVICE_RUNNING
Driver install path: \SystemRoot\system32\drivers\TaniumRecorderDrv.sys
Tanium Driver Status Sensor Tanium Integrity Monitor Returns information about the Tanium Driver

Example (not installed):
Driver Controller Version N/A
Driver Version N/A
Driver Location: Not installed
Service Installation: Not installed
Service Status: Not started
Install Recommended

Example (installed):
EnableNetworkMonitor: 0
EnableHttpMonitor: 0
EnableApiMonitor: 0
HttpMonitorPorts: 80
Service Status: SERVICE_RUNNING
Driver install path: \SystemRoot\system32\drivers\TaniumRecorderDrv.sys
Tanium Driver Status Sensor Tanium Map Returns information about the Tanium Driver

Example (not installed):
Driver Controller Version N/A
Driver Version N/A
Driver Location: Not installed
Service Installation: Not installed
Service Status: Not started
Install Recommended

Example (installed):
EnableNetworkMonitor: 0
EnableHttpMonitor: 0
EnableApiMonitor: 0
HttpMonitorPorts: 80
Service Status: SERVICE_RUNNING
Driver install path: \SystemRoot\system32\drivers\TaniumRecorderDrv.sys
Tanium Driver Supported Sensor Tanium Integrity Monitor Returns 'True' if the driver is supported on this platform, 'False' otherwise
Tanium Driver Supported Sensor Tanium Threat Response Returns 'True' if the driver is supported on this platform, 'False' otherwise
Tanium Driver Supported Sensor Tanium Map Returns 'True' if the driver is supported on this platform, 'False' otherwise
Tanium Driver Version Sensor Tanium Integrity Monitor Returns version information for the Tanium Driver
Tanium Driver Version Sensor Tanium Map Returns version information for the Tanium Driver
Tanium Driver Version Sensor Tanium Threat Response Returns version information for the Tanium Driver
Tanium File Contents Sensor Tanium Default Content Provided with a parameter indicating the path to a file in the Tanium current directory, this sensor will return the contents of that file.
Example:
Tanium File Exists Sensor Tanium Default Content Provided with a parameter indicating the path to a file in the Tanium current directory, returns True or False based on whether that file exists in the specified location.
Example: True
Tanium File Version Sensor Tanium Default Content Provided with a parameter indicating the path to a file in the Tanium client directory, returns the version of the file in the specified location.
Example: True
Tanium Module Server Version Sensor Tanium Default Content Version number of Tanium Module Server installed.
Example: 6.5.314.4316
Tanium Peer Address Sensor Tanium Default Content Returns the IP address of the peer specified in the Tanium registry entry at HKLM\SOFTWARE\Tanium\Tanium Client\Status\PeerAddress on windows and TaniumClientStatus.ini on non-windows endpoints.
Example: 192.168.1.123
Tanium PowerShell Execution Policy Sensor Tanium Default Content Retrieves the PowerShell Execution Policy as the Tanium Client sees it
Tanium PowerShell Execution Policy Sensor Tanium Risk Retrieves the PowerShell Execution Policy as the Tanium Client sees it
Tanium Provision - Deployment Progress Sensor Tanium Provision Displays the progress of any active Provision deployments, as well as the historical results from devices previously deployed using Provision.
Tanium Provision - Deployment Progress Minimal Sensor Tanium Provision Displays the progress of any active Provision deployments, as well as the historical results from devices previously deployed using Provision.
Tanium Provision - Has PXE Tag Sensor Tanium Provision Tanium Provision augmentation of custom tags sensor. This will return true or false if the PROVISION_PXE tag exists on the endpoint.
Example: True
Tanium Provision - TaniumODJ Status Sensor Tanium Provision Reports on the overall status of the Tanium ODJ service
Tanium Provision - TaniumPXE Bundle Detail Sensor Tanium Provision Reports on the detailed status of each bundle for the Tanium PXE service
Tanium Provision - TaniumPXE Status Sensor Tanium Provision Reports on the overall status of the Tanium PXE service
Tanium Reboot Days Ago Sensor Tanium Default Content Returns the number of days since a Tanium Reboot Action occurred.
Example: 2
Tanium Sensor Randomization Enabled Sensor Tanium Default Content Returns if sensor execution is randomized on an endpoint, for better distribution on VDI / VM environments.
Example: Yes
Tanium Server Name Sensor Tanium Default Content Retrieves the Tanium Server Name from the Client's Registry
Example: server.domain.com
Tanium Server Name List Sensor Tanium Default Content Retrieves the Tanium Server Name List from the Client's Registry
Example: server.domain.com,server1.domain.com
Tanium Server Version Sensor Tanium Default Content Version number of Tanium Server installed.
Example: 6.2.314.3218
Tanium Service Control Status Sensor Client Service Hardening Returns whether the Tanium services have special permissions set such that regular users, or non-SYSTEM users, can control the service.
Example: Tanium Client|Restricted to Local SYSTEM|D:(A;;CCDCLCSWRPWPDTLOCRSDRCWO;;;SY)(A;;CCLCSWLOCRRC;;;AU)
Tanium Tool Hash Check Sensor Tanium Threat Response Calculates the hash (MD5, SHA1 or SHA256) of every executable file recursively within the Tanium directory. Returns the relative path to each executable file and the computed hash. Examine output to identify computers with older or different binary versions.
Tanium Zone Server Version Sensor Tanium Default Content Version number of Tanium Zone Server installed.
Example: 6.5.314.4316
Target Sensor Tanium Default Content Simple sensor that returns the word "Target" that is used when targeting actions within Tanium.
Example: Target
Threat Response - Daily Stream Stats Sensor Tanium Threat Response This sensor is used to collect the statistics recorded for Stream. The results are reported as a RFC 3339 date and the total bytes transferred for that date. The bytes transferred are grouped into the following buckets: "0 B", "<= 10 MB", "<= 50 MB", "<= 100 MB", "<= 200 MB", "<= 1 GB", "1 GB+".
Threat Response - HTTP Headers Sensor Tanium Threat Response Returns historical data from each endpoint containing HTTP headers.
Threat Response - Health Check Sensor Tanium Threat Response Aggregates health and status data for display in the Health and Reports page in the Threat Response workbench. The data returned by this sensor is not intended for troubleshooting or remediating issues outside of the Threat Response workbench.
Threat Response - Security Events Sensor Tanium Threat Response Returns historical data from each endpoint regarding security events.
Threat Response - Status Sensor Tanium Threat Response Performs checks to determine if the Threat Response software is installed and functional.
Threat Response - Tools Version Sensor Tanium Threat Response Reports support and installation details.
Checks if the endpoint supports the tools and has enough disk space.
If tools have been installed, reports the version of tools and if all the required tools are present.

Example (unsupported)
Incoming Claim=Unsupported Client Version
Unsupported

Example (uninstalled):
Not Installed
Linux Package Required

Example (installed):
1.0.0.0057
Linux Package Installed
Threat Response Stream - Tools Version Sensor Tanium Threat Response Reports support and installation details.
Checks if the endpoint supports the tools and has enough disk space.
If tools have been installed, reports the version of tools and if all the required tools are present.

Example (unsupported)
Incoming Claim=Unsupported Client Version
Unsupported

Example (uninstalled):
Not Installed
Linux Package Required

Example (installed):
1.0.0.0057
Linux Package Installed
Time Zone Sensor Tanium Default Content The currently specified time zone for the client machine.
Example: (UTC-08:00) Pacific Time (US & Canada)
Time Zone Offset Sensor Tanium Default Content Returns the time offset in minutes. Example: -0700
Total Memory Sensor Tanium Core Content The total physical memory installed in the client machine.
Example: 8000 MB
Total Swap Sensor Tanium Core Content Total swap space configured by client machine.
Example: 4000 MB
Trace DNS Queries Sensor Tanium Threat Response Returns historical data from each endpoint regarding DNS queries.
Trace Executed Process Hashes Sensor Tanium Threat Response Returns the md5 hashes of process executed within a specified time range.
Trace Executed Process Trees Sensor Tanium Threat Response Generates process trees from a process name (regex). With "As Parent" the specified process name appears at the top of the tree. With "As Child" it appears at the bottom.
Trace Executed Processes Sensor Tanium Threat Response Returns historical data from each endpoint regarding process executions.
Trace File Operations Sensor Tanium Threat Response Returns historical data from each endpoint regarding filesystem activity.
Trace Image Loads Sensor Tanium Threat Response Returns historical data from each endpoint regarding Image Loads.
Trace Loaded Drivers Sensor Tanium Threat Response Returns historical data from each endpoint regarding loaded drivers.
Trace Logon Events Sensor Tanium Threat Response Returns historical data from each endpoint regarding logon events.
Trace Network Connections Sensor Tanium Threat Response Returns historical data from each endpoint regarding network connections made by processes.
Trace Registry Keys or Values Sensor Tanium Threat Response Returns historical data from each endpoint regarding registry activity.
UAC Status Sensor Tanium Core Content Returns Enabled or Disabled based on the status of Windows User Access Control on the client machine.
Example: Enabled
USB Device Sensor Tanium Core Content Returns a list of USB devices currently plugged in to the client machine.
Example: HID Keyboard Device
USB Device Details Sensor Tanium Core Content Returns of details of attached USB devices, including Description, vendor ID, and product ID.
Example: Generic USB Hub|VMware, Inc.|Virtual USB Hub
USB Storage Devices Sensor Tanium Core Content Returns a list of USB storage devices currently plugged in to the client machine.
Example: USB Mass Storage Device
USB Write Protected Sensor Tanium Risk Outputs True if USB storage devices connected to the client machine are set to write protected mode and false if not.
Example: False
USB Write Protected Sensor Tanium Core Content Outputs True if USB storage devices connected to the client machine are set to write protected mode and false if not.
Example: False
Unencrypted Wireless Networks Sensor Tanium Core Content Details of wireless networks that are currently open and unencrypted. Details include SSID, MAC address, connection state, network type, radio type, authentication, receive rate, transmit rate, and signal strength.
Example: hotspotwifi | xx-xx-xx-xx-xx-xx | connected | Infrastructure | 802.11g | WEP | 54 | 54 | 99%
Unmanaged Assets Sensor Tanium Discover IP addresses of machines in the network that do not have the Tanium Client running. When possible, unmanaged assets will return the IP address, the machine name, and the MAC address.
Example: ping | 192.168.1.2 | my-machine-name | 00-22-9a-3e-91-5f | VMWare | windows | 22,135,443 | 7.x
Unsuccessful Elevated Privileges Sensor Tanium Threat Response Lists unsuccessful attmpts to elevate privilege level for a user. Returns user ID, month and day, and time at which the attempt occurred.
Uptime Sensor Tanium Core Content Time since reboot in days of the client machine.
Example: 48 days
Used Memory Sensor Tanium Core Content Memory in use in MB from client machine.
Example: 6348 MB
Used Swap Sensor Tanium Core Content Swap space in use in MB by the client machine.
Example: 2164 MB
User Accounts Sensor Tanium Core Content List of local user accounts on a machine.
Examples: Administrator
User Details Sensor Tanium Core Content Returns a list of local users to the Windows machine and the user's full name.
Example:johndoe|John Doe
User Profile Directory Details Sensor Tanium Core Content Returns the location of all user profiles and if the directory currently exists
Example:C:\Users\John.Doe|True
User Sessions Sensor Tanium Core Content Provides the terminal services session information, similar to what is available from the "query session" command.
Example:console|Administrator|1|Active||
Username Sensor Tanium Default Content Returns the currently logged in user, and No User if nobody is logged in.
On Windows, this sensor returns only users logged into the local console, but not users logged in over RDP. The "User Sessions" sensor includes RDP users.
Example: Domain\JDoe
VMware Guest Sensor Tanium Default Content Returns True if client machine is a guest VM in VMware.
Example: True
Video Driver Version Sensor Tanium Core Content The version number of the video driver on the client machine.
Example: 6.1.7600.16385
Video Graphics Card RAM Sensor Tanium Core Content Amount of RAM in the video card in the client machine.
Example: 256MB
Video/Graphics Card Sensor Tanium Core Content Description of the video card in the client machine.
Example: ATI Radeon HD 2400 Pro
Virtual Platform Sensor Tanium Default Content Returns the virtual platform or technology used for the virtual machine, if it is a virtual machine.
Example: VMware
Volume Group Names Sensor Tanium Core Content Display Volume Group Names
WMI Event Consumers Sensor Tanium Threat Response Lists Windows Management Instrumentation (WMI) event consumers. Returns script path for ActiveScriptEventConsumers and command for CommandLineEventConsumers.
WSUS Server Sensor Tanium Patch Returns the configured value for WSUS Server and WSUS Status server, if any. Returns 'Not Configured' if values do not exist.
Exmaple: https://wsus001.domain.com:80 | https://wsus001.domain.com
Windows Audit Policy Sensor Tanium Threat Response Retrieves the Windows Audit Policy; Trace records the operating system audit data typically seen in the Windows Security Event Log. This policy can be altered. However, if Group Policy is set, it might overwrite the log.
Windows Automatic Update Status Sensor Tanium Patch Determines if Automatic Updates are enabled or not and returns the result
Example: Disabled
Windows Credential Security Settings Sensor Tanium Risk Returns the results of 10 Windows configuration settings that affect security.
Windows Credential Security Settings Sensor Tanium Threat Response Returns the results of 10 Windows configuration settings that affect security.
Windows Features Sensor Tanium Core Content Returns the currently installed and enabled Windows Features on a Windows 7 or later system.
Example: MicrosoftWindowsPowerShell
Windows OS Major Version Sensor Tanium Default Content Returns the Windows OS Major Version.
Example: 6.1
Windows OS Release ID Sensor Tanium Default Content Returns the Windows OS Release ID.
Example: 1607
Windows OS Type Sensor Tanium Default Content Will output "Windows Server" or "Windows Workstation" depending on the OS type.
Example: Windows Server
Windows Security Center Registered Antivirus Software Sensor Tanium Core Content List antivirus software registered with the Windows Security Center along with their current status.
Windows Security Center Registered Antivirus Software Sensor Tanium Risk List antivirus software registered with the Windows Security Center along with their current status.
Windows Server Installed Roles Sensor Tanium Default Content Returns the currently installed roles on a Windows Server.
Example: File Server
Windows Update Agent Version Sensor Tanium Patch The version of the Windows Update Agent on the client machine.
Example: 7.6.7600.256
Wireless Network Connected SSID Sensor Tanium Core Content Returns the SSID (name) of a wireless network a machine is connected to.
Example: linksys
Wireless Network Details Sensor Tanium Core Content Details of currently active wireless network connection by client machine: SSID, MAC address, connection state, network type, radio type, authentication, receive rate, transmit rate, and signal strength from 0 (minimum) to 5 (maximum).
Example: hotspotwifi | xx-xx-xx-xx-xx-xx | connected | Infrastructure | 802.11g | WPA2-Personal | 54 | 54 | 4
Wireless Network SSID Strength Sensor Tanium Core Content Returns the SSID name and signal strength of a connected wireless network from 0 (minimum) to 5 (maximum).
Example: linksys|4
Wireless Network Used by Tanium Sensor Tanium Core Content Returns the SSID name, the IP Address, and the MAC address of connected wireless networks only if the Tanium Client is using those networks to communicate.
Example: linksys|192.168.10.5|00D55FED214C1A2C
Wireless Networks Using WEP Sensor Tanium Core Content Details of currently active wireless network connection using WEP authentication by client machine. Details include SSID, MAC address, connection state, network type, radio type, authentication, receive rate, transmit rate, and signal strength.
Example: hotspotwifi | xx-xx-xx-xx-xx-xx | connected | Infrastructure | 802.11g | WEP | 54 | 54 | 99%
Wireless Networks Visible Sensor Tanium Core Content Returns details of all wireless networks a machine can see, whether they are connected or not. Details include SSID, Network Type, Authentication Method, and Encryption Level.
Example: hotspotwifi | Infrastructure | WPA2-Personal
Workgroup Sensor Tanium Core Content The configured workgroup for each Windows machine not joined to a domain.
Example: mycompanyworkgroup
Zero Trust - Tools Version Sensor Tanium Risk Reports support and installation details.
If tools have been installed, reports the version of tools and if all the required tools are present.

Example (unsupported)
Incoming Claim=Unsupported Client Version
Unsupported

Example (uninstalled):
Not Installed
Linux Package Required

Example (installed):
1.0.0.0057
Linux Package Installed
x64/x86? Sensor Tanium Default Content Returns whether the client machine is 64-bit or 32-bit (x86).
Example: X86-based PC