
ADQuery 2.0.1.0003 en

From Tanium Knowledge Base


Introduction

It is not unusual to want to gather information from your endpoints about their Active Directory status, and the Tanium platform is well-suited to gathering that sort of information. But care needs to be taken when implementing tooling to gather such information. What seems like a simple command or WMI query could have a greater impact than expected. For example, if you wanted to get AD account information from a single endpoint, querying the AD server directly would be a reasonable way to do it; getting that same information from 1,000 endpoints at once could result in an effective DDoS of your AD server. Since Tanium sensors are designed to run quickly to return data as rapidly as possible, and are typically run against thousands of systems, a direct approach such as querying an AD server from a sensor is not a good one. The content in the Tanium Active Directory Query solution is intended to address the need for AD information from endpoints while avoiding the dangers of the “direct query” approach.

Download Location

This content is available at: https://content.tanium.com/files/published/ADQuery/2017-11-01_12-10-03_2.0.1.0003-g749cb59/ADQuery.xml

Usage

Tanium Active Directory Query gathers AD information by leveraging a combination of Tanium packages and sensors. Since a Tanium sensor is meant to execute within 60 seconds, there is no facility to allow the underlying code to run over an extended time. That same limitation does not apply to Tanium packages, which can be deployed via actions with a distribute over time setting applied. That setting introduces a random delay (a value between 0 and the specified maximum delay) into the action execution, effectively spreading the execution out over that time period when viewed from the perspective of all the targeted endpoints. So an action deployed with a 60 minute distribute over time (DOT) value would see the targeted endpoints each running that action at more or less different times, starting from the specified start time. Since a random number is used for the actual delay on each endpoint, the distribution of the actions firing will not necessarily be even (e.g. they won’t necessarily fire exactly 5 seconds apart), but given the randomness of the algorithm, it will effectively spread them out in a reasonable manner. What this means in the context of our AD query is that we can use an action with an appropriate DOT value to query the AD server from each endpoint without running the risk of overloading the server with too many simultaneous requests, since they will be spread out over time. That action writes the results of the AD query to XML files on the endpoints, and the corresponding sensors pick up their results from those files, an operation that is fast, low cost, and has no impact on the AD server(s).
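To make the load-spreading argument above concrete, the following added example (not code from the ADQuery content pack) models each targeted endpoint picking a uniformly random delay between 0 and the DOT maximum, then counts how many LDAP queries land in each one-second bucket. Comparing the peak against an all-at-once deployment (a DOT of 0) shows why the action, not a sensor, is the right place for the query. The delay model and the 1,000-endpoint sample are assumptions made for illustration; the three-hour DOT is the default used by the Deploy Collect Active Directory Info action described later on this page.

```python
"""Model of Distribute Over Time (DOT) load spreading against an AD server.

Added example, not part of the Tanium content pack. Each endpoint chooses an
independent random delay in [0, dot_seconds] before running the action, which
is how the page describes DOT; the per-second bucket counts then give the peak
concurrent query load the directory server would see.
"""
import random
from collections import Counter


def simulate_dot(n_endpoints: int, dot_seconds: int, seed: int = 1) -> dict:
    """Return load statistics for one action run across n_endpoints.

    dot_seconds == 0 means every endpoint fires at the start time, which is
    the "direct query from a sensor" situation the introduction warns about.
    """
    rng = random.Random(seed)  # fixed seed so the figures are reproducible
    buckets = Counter()        # second offset -> number of queries in that second
    for _ in range(n_endpoints):
        delay = rng.randint(0, dot_seconds) if dot_seconds > 0 else 0
        buckets[delay] += 1
    return {
        "endpoints": n_endpoints,
        "dot_seconds": dot_seconds,
        "peak_per_second": max(buckets.values()),
        "busy_seconds": len(buckets),  # seconds in which at least one query fires
        "mean_per_busy_second": n_endpoints / len(buckets),
    }


def peak_reduction(n_endpoints: int, dot_seconds: int, seed: int = 1) -> float:
    """Peak load with DOT divided by peak load without it (1.0 means no benefit)."""
    with_dot = simulate_dot(n_endpoints, dot_seconds, seed)["peak_per_second"]
    without = simulate_dot(n_endpoints, 0, seed)["peak_per_second"]
    return with_dot / without


if __name__ == "__main__":
    # 1,000 endpoints (constructed figure) with no DOT, a 10 minute DOT, a
    # 60 minute DOT and the action's default three hour DOT.
    for dot in (0, 600, 3600, 3 * 3600):
        stats = simulate_dot(1000, dot)
        print(f"DOT={dot:>6}s  peak queries/s={stats['peak_per_second']:>5}  "
              f"busy seconds={stats['busy_seconds']:>5}")
```

The uneven spacing the text mentions is visible in the output: with a 60 minute DOT the busy seconds are fewer than the endpoints, because several endpoints occasionally pick the same second, but the per-second peak is still a small fraction of the all-at-once figure.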

Questions

AD Query - All Windows

Get Is Windows from all machines
Returns all Windows computers. Can be used for targeting of the Collect Active Directory Info package.

AD Query - Has Stale Computer Results

Get AD Query - Has Stale Results[Computer, 4] from all machines with AD Query - Has Stale Results[Computer, 4] containing "True"
Returns computers that have AD computer data older than four hours. Can be used for targeting of the Collect Active Directory Info package.

AD Query - Has Stale Local Administrator Results

Get AD Query - Has Stale Results[Admin, 4] from all machines with AD Query - Has Stale Results[Admin, 4] containing "True"
Returns computers that have Local Administrator data older than four hours. Can be used for targeting of the Collect Active Directory Info package.

AD Query - Has Stale Results

Get Target from all machines with ( AD Query - Has Stale Results[Computer, 4] containing "True" or AD Query - Has Stale Results[User, 4] containing "True" or AD Query - Has Stale Results[Admin, 4] containing "True" )
Returns computers that have AD user, computer, or Local Administrator data older than four hours. Can be used for targeting of the Collect Active Directory Info package.

AD Query - Has Stale User Results

Get AD Query - Has Stale Results[User, 4] from all machines with AD Query - Has Stale Results[User, 4] containing "True"
Returns computers that have AD user data older than four hours. Can be used for targeting of the Collect Active Directory Info package.

Packages

Collect Active Directory Info

Queries Active Directory for three data types.

  • Computer
    • Pulls back all non-null AD attributes
    • Writes a new file each time it runs
    • Outputs to compAttr.xml

  • User
    • Gets the five most recently used profiles on the local computer
    • Queries AD for each user object by SID
    • Pulls back all non-null AD attributes
    • Queries the Security event log back 30 days for logon events to determine a primary user
    • Marks a user attribute as the primary user
    • Writes a new file each time it runs
    • Writes output to userAttr.xml

  • Local Administrator Group Membership
    • Writes a new file each time it runs
    • Writes output to adminUsers.xml
    • Lists members of the computer's local Administrators group broken out by
      • Account Type (User or Group)
      • Location (Domain or Local)

Should be run with a Distribute Over Time (DOT) value in order to reduce the number of simultaneous LDAP queries.

This package contains 1 file and 0 sensors.

Additional Properties:

  • Command Line: cmd /c cscript //T:300 collectAdInfo.vbs "$1" "$2" "$3"
  • Command Line Timeout: 300

Prompts:

Name / Value                  Prompt Help  Type      Possible / Default Values
Collect Computer Attributes                Checkbox  Disabled
Collect User Attributes                    Checkbox  Disabled
Collect Local Administrators               Checkbox  Disabled

Files:

  • collectAdInfo.vbs

Sensors

AD Query - Logged In User Details

Returns details for the currently logged-on Active Directory user. Dependent on the AD Query content pack.

Columns

Name          Type  Description
Name          Text
Department    Text
Country       Text
City          Text
Email         Text
Phone Number  Text

AD Query - Computer Groups

Returns Active Directory group membership for the computer. Dependent on the AD Query content pack. Does not include nested groups.

AD Query - Primary User Groups

Returns Active Directory group membership for the primary user. Dependent on the AD Query content pack. Does not include nested groups.

AD Query - Primary User Details

Returns details for the primary user based on the number of interactive logon events. Dependent on the AD Query content pack.

Columns

Name          Type  Description
Name          Text
Department    Text
Country       Text
City          Text
Email         Text
Phone Number  Text

AD Query - Primary User

Returns the primary user based on the number of interactive logon events. Dependent on the AD Query content pack.

AD Query - User Attributes

Returns specified Active Directory attributes for the desired Active Directory user. Dependent on the AD Query content pack.

Parameters

Name     Description                 Type  Possible / Default Values
strUser  Active Directory Username   Text
strAttr  Active Directory Attribute  Text

AD Query - Local Administrators

Returns users and groups that are a member of the local administrators group. Dependent on the AD Query content pack.

Columns

Name      Type  Description
Name      Text
Location  Text
Type      Text

AD Query - Has Stale Results

Returns a True/False value based on the time the AD Query XML files were generated and the time period after which the Active Directory data should be considered stale.

Parameters

Name      Description   Type       Possible / Default Values
type      AD Data Type  Selection  Computer, User, Admin
intHours  Hours Old     Numeric
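The staleness test that this sensor performs, and that the four "Has Stale Results" questions in the Questions section build on, is small enough to model end to end. The following is an added example written for this page, not the sensor's own code: it reproduces the [type, intHours] contract and the combined question (Computer or User or Admin stale). Because the page does not document the XML layout, the example assumes each result file records its generation time as an ISO 8601 UTC string in a `generated` attribute on the root element, and treats a missing or unparsable file as stale so that the targeting question still selects the endpoint for a fresh collection; the file names come from the Collect Active Directory Info package description, and the sample documents and clock are constructed.

```python
"""Model of the AD Query - Has Stale Results[type, intHours] sensor.

Added example, not the content pack's own sensor code. Assumptions: the
result files carry their generation time in a `generated` attribute on the
root element (ISO 8601, UTC); a missing or unreadable file counts as stale.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Mapping from the sensor's `type` parameter to the file the package writes.
RESULT_FILES = {
    "Computer": "compAttr.xml",
    "User": "userAttr.xml",
    "Admin": "adminUsers.xml",
}

# Constructed sample: the "current" time and the files present on one endpoint.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_FILES = {
    # computer data written 1.5 hours ago
    "compAttr.xml": '<computer generated="2024-06-01T10:30:00Z">'
                    '<attr name="dNSHostName">ws01.example.test</attr></computer>',
    # user data written 6 hours ago
    "userAttr.xml": '<users generated="2024-06-01T06:00:00Z">'
                    '<user primary="True" sid="S-1-5-21-0-0-0-1001"/></users>',
    # adminUsers.xml deliberately absent: that collection has never run here
}


def generated_at(xml_text: str) -> datetime:
    """Read the assumed `generated` timestamp from a result document."""
    root = ET.fromstring(xml_text)
    stamp = root.attrib["generated"].replace("Z", "+00:00")
    return datetime.fromisoformat(stamp)


def has_stale_results(data_type: str, int_hours: int,
                      files: dict = SAMPLE_FILES, now: datetime = NOW) -> str:
    """Return the strings "True" / "False", as the sensor does."""
    if data_type not in RESULT_FILES:
        raise ValueError(f"unknown type {data_type!r}; expected one of {sorted(RESULT_FILES)}")
    xml_text = files.get(RESULT_FILES[data_type])
    if xml_text is None:
        return "True"  # never collected: treat as stale so it gets targeted
    try:
        age = now - generated_at(xml_text)
    except (ET.ParseError, KeyError, ValueError):
        return "True"  # corrupt or unexpected file: re-collect rather than trust it
    return "True" if age > timedelta(hours=int_hours) else "False"


def needs_collection(int_hours: int = 4, files: dict = SAMPLE_FILES,
                     now: datetime = NOW) -> bool:
    """The combined 'AD Query - Has Stale Results' question: any type stale."""
    return any(has_stale_results(t, int_hours, files, now) == "True"
               for t in RESULT_FILES)


if __name__ == "__main__":
    for t in RESULT_FILES:
        print(f"AD Query - Has Stale Results[{t}, 4] -> {has_stale_results(t, 4)}")
    print("needs collection:", needs_collection(4))
```

Returning the literal strings "True" and "False" rather than booleans matters here: the questions on this page filter with `containing "True"`, so the sensor's output format is part of the contract, and a missing file has to produce "True" for the stale-targeting loop to ever collect it.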

AD Query - Computer Attributes

Returns the specified Active Directory attribute from the computer's Active Directory object. Dependent on the AD Query content pack.

Parameters

Name     Description                 Type  Possible / Default Values
strAttr  Active Directory Attribute  Text

AD Query - Logged In User Groups

Returns Active Directory group membership for the logged in user. Dependent on the AD Query content pack. Does not include nested groups.

Actions

Deploy Collect Active Directory Info

Deploys the Collect Active Directory Info package to the default action group with a three hour Distribute Over Time and a four hour reissue interval. Disabled by default.