Release Notes Core AD Query Content (Version 3.1)
Thank you for choosing Tanium. This article documents changes between releases of Core AD Query Content, formerly known as "Active Directory Query".
Important
Any Scheduled Actions running the Collect Active Directory Info package need to be recreated (or updated if using Platform 7.5 and Console 3) to recognize the updated package after any update of Core AD Query Content. These Scheduled Actions must be run with a Distribute Over Time (DoT) value in order to offset LDAP queries to Domain Controllers - the recommended DoT is 3 hours.
Core AD Query Content 3.1.8
Release Date: February 22, 2022
Improvements
- Improvements to cmd.exe usage
Fixes
- Last Logged in User sensor no longer fails on non en-US machines
- Last Run Status now correctly reports failed message
Core AD Query Content 3.1.4
Release Date: November 2, 2021
NOTE: As always, any scheduled actions that push the "Collect Active Directory Info" package need to be recreated in order for the collected data to match the current version of this solution.
Fixes
- Corrected a case sensitivity issue in "AD Query Computer Group Memberships" and "AD Query Computer Has Group Membership" sensors.
- Corrected an issue with the "AD Query - Has Stale Results" sensor not returning True/False results
- Corrected an issue preventing users in trusted domains from being reported correctly
- Corrected an issue causing the inventory process to abruptly fail
- Corrected an issue causing unresolvable SIDs to incorrectly be identified as a user or group
- Corrected an issue causing unresolved SIDs to display an empty string instead of their SID
- Corrected a typo in the "AD Query - Has Stale Results" sensor
Enhancements
- Reduced the max age limit of user profiles to reduce the number of outdated profiles being processed
- Improved handling of "Not enough time has elapsed" messages in the AD Query - Last Run Status sensor
- The inventory process has added checks to verify failed inventory actions are not re-run
- The inventory process no longer uses the last modified date of a user profile to determine the last logon date for a user
- Added an ability to pre-stage domain info
- Event Log data is now used to supplement certain user and domain data. This requires the Event Log to be configured to record successful user logon events.
- Improved inventory run time reporting
Known Issues
- The "AD Query - Last Run Status" sensor will incorrectly return "Script failed for unknown reasons" if a prior inventory run completes without error and the following inventory run is too soon.
Core AD Query Content 3.1.3
Release Date: February 23, 2021
NOTE: As always, any scheduled actions that push the "Collect Active Directory Info" package need to be recreated in order for the collected data to match the current version of this solution.
Fixes
- Corrected an issue allowing certain domain group types to be included in local group inventory on Domain Controllers.
- Corrected an issue in the AD Query - User Has Group Membership sensor that caused it to incorrectly return a True result if a searched name was part of another group having a longer name that contained the searched name.
- Corrected an issue causing the AD Query - Has Stale Result sensor to fail user inventory age.
- Corrected an issue preventing XML elements in the inventory file from being updated if an additional computer or user attribute had its character case changed when new inventory collection actions were run.
- Corrected an issue with "AD Query - Has Stale Results" results on non-English Windows installs.
Enhancements
- Added an inventory cleanup process to remove objects that have not been inventoried in more than 45 days.
- Improved Primary User detection to no longer include secondary logons.
- The AD Query - Has Stale Results sensor now includes an additional check to verify the inventory file was last updated by the current content version. This helps customers determine if they are running outdated scheduled actions that reference an out-of-date Collect Active Directory Info package version.
Other
- Removed support for reporting results from legacy inventory files (compAttr.xml, localGroups.xml, and userAttr.xml) which were left remaining on endpoints when Core ADQuery Content version 3 was released. Leaving these files in place provided the following benefits:
  - Sensors were still able to return valid results in the time period following the upgrade to the version 3 content and the next time an endpoint ran the version 3 Collect Active Directory Info package.
  - Any customers who had custom content were granted a time window to migrate their custom content that referenced the legacy inventory files to now reference the new version 3 inventory file.
Notes
- The legacy inventory files will be removed the next time an endpoint runs the Collect Active Directory Info package version 3.1.2.
- Sensors in this release will now only return results from the new version 3 inventory file. This provides customers better notification of any endpoints which are not completing their inventory cycle.
Core AD Query Content 3.1.1
Release Date: December 3, 2020
Improvements
- Improve handling of Azure AD based users
Fixes
- Correct an issue causing the inventory process to fail when the Event Log query returns a large amount of data.
- Correct an issue causing the name resolution randomization to fail and having name resolution occur for all objects every time the inventory process ran.
Core AD Query Content 3.1.0
Release Date: October 20, 2020
Fixes
- Improve resiliency when converting binary object SIDs to string format
- Improve resiliency when directly binding to domain objects
Feature Improvements
- Fix logging of unsupported inventory attributes
- Add macOS support to the "AD Query - Primary User Details" and "AD Query - Has Stale Results" sensors
- Add Windows and macOS "Primary User Email Addresses" sensor
- All reading computer properties
Supported Tanium Platforms
Tanium Server 7.2, 7.3, 7.4
Product Documentation and Resources
- Please work with your Tanium TAM in order to most effectively use this content.
- ADQuery Documentation
- Tanium Product Documentation
- Tanium User Research
- Software Updates and Announcements Signup