Tanium · Arazzo Workflow

Tanium Ask A Sensor Question And Get Results

Version 1.0.0

Resolve a sensor by name, ask a question that selects it, poll until answered, then read the result data.

1 workflow 1 source API 1 provider
Tags: Compliance, Endpoint Management, Patch Management, Security, Threat Detection, Unified Endpoint Management, Arazzo, Workflows

Provider

tanium

Workflows

sensor-question-results
Resolve a sensor by name, ask a question selecting it, and read results.
Looks up a sensor by name, asks a question that selects that sensor across endpoints, polls the question until issued, and returns the result data.
4 steps
Inputs: sensorName, sessionToken
Outputs: questionId, rows, sensorHash

1. resolveSensor (getSensorByName): Resolve the sensor by name to obtain its name and hash for use in the question selection.
2. askQuestion (createQuestion): Create and ask a question that selects the resolved sensor across managed endpoints.
3. pollQuestion (getQuestion): Poll the question by id until the server confirms it has been issued to endpoints.
4. readResults (getQuestionResults): Retrieve the result data rows collected from responding endpoints for the confirmed question.

Source API Descriptions

Arazzo Workflow Specification

tanium-sensor-question-results-workflow.yml
arazzo: 1.0.1
info:
  title: Tanium Ask A Sensor Question And Get Results
  summary: Resolve a sensor by name, ask a question that selects it, poll until answered, then read the result data.
  description: >-
    Sensors collect specific data from endpoints and are selected by name and
    hash inside questions. This workflow resolves a sensor by name to obtain its
    name and hash, creates and asks a question that selects that sensor, polls
    the question by id until it has been issued, and reads the collected result
    data. Every step spells out its request inline, including the session header
    used for token authentication, so the flow can be read and executed without
    opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: platformApi
  url: ../openapi/tanium-platform-rest-api-openapi.yml
  type: openapi
workflows:
- workflowId: sensor-question-results
  summary: Resolve a sensor by name, ask a question selecting it, and read results.
  description: >-
    Looks up a sensor by name, asks a question that selects that sensor across
    endpoints, polls the question until issued, and returns the result data.
  inputs:
    type: object
    required:
    - sessionToken
    - sensorName
    properties:
      sessionToken:
        type: string
        description: API token or session token passed in the session header.
      sensorName:
        type: string
        description: Name of the sensor to resolve and select in the question.
  steps:
  - stepId: resolveSensor
    description: >-
      Resolve the sensor by name to obtain its name and hash for use in the
      question selection.
    operationId: getSensorByName
    parameters:
    - name: session
      in: header
      value: $inputs.sessionToken
    - name: name
      in: path
      value: $inputs.sensorName
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      sensorName: $response.body#/data/name
      sensorHash: $response.body#/data/hash
  - stepId: askQuestion
    description: >-
      Create and ask a question that selects the resolved sensor across managed
      endpoints.
    operationId: createQuestion
    parameters:
    - name: session
      in: header
      value: $inputs.sessionToken
    requestBody:
      contentType: application/json
      payload:
        selects:
        - sensor:
            name: $steps.resolveSensor.outputs.sensorName
            hash: $steps.resolveSensor.outputs.sensorHash
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      questionId: $response.body#/data/id
  - stepId: pollQuestion
    description: >-
      Poll the question by id until the server confirms it has been issued to
      endpoints.
    operationId: getQuestion
    parameters:
    - name: session
      in: header
      value: $inputs.sessionToken
    - name: id
      in: path
      value: $steps.askQuestion.outputs.questionId
    successCriteria:
    - condition: $statusCode == 200
    - context: $response.body
      condition: $.data.id != null
      type: jsonpath
    outputs:
      confirmedId: $response.body#/data/id
    onSuccess:
    - name: questionReady
      type: goto
      stepId: readResults
      criteria:
      - context: $response.body
        condition: $.data.id != null
        type: jsonpath
  - stepId: readResults
    description: >-
      Retrieve the result data rows collected from responding endpoints for the
      confirmed question.
    operationId: getQuestionResults
    parameters:
    - name: session
      in: header
      value: $inputs.sessionToken
    - name: id
      in: path
      value: $steps.pollQuestion.outputs.confirmedId
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      rowCount: $response.body#/data/result_sets/0/row_count
      rows: $response.body#/data/result_sets/0/rows
  outputs:
    sensorHash: $steps.resolveSensor.outputs.sensorHash
    questionId: $steps.askQuestion.outputs.questionId
    rows: $steps.readResults.outputs.rows