Tanium Threat Response
This pack includes Cortex XSIAM content.
Tanium Threat Response
- Details
- Content
- Dependencies
- Version History
Use the Tanium Threat Response integration to manage endpoints processes, evidence, alerts, files, snapshots, and connections.
Tanium Threat Response
This pack includes Cortex XSIAM content.
Configuration on Server Side
You need to configure a Socket Receiver on the Tanium side.
Perform the following steps to configure the Socket Receiver:
- Go to Modules > Connect.
- Enter a name and description for the connection.
- From the Source dropdown, select Event.
- From the Event Group dropdown, select Tanium Threat Response or Tanium Detect..
- Select Match Alerts Raw.
- From the Destination dropdown, select Socket Receiver.
- Specify a unique name for the Destination Name.
- Under Host, fill in the name or the IP address of the SIEM.
- Specify the port number under Port.
- elect JSON from the dropdown under Format.
- Click the Listen for this Event checkbox.
- Click Save.
More information can be found here
Note:
Make sure to send the log in UTC time.
Don't modify the value type of the Timestamp field. This field is set to UTC by default.
The supported time format is yyyy-MM-ddThh:mm:ss.nnnZ (2022-01-01T10:00:00.000Z).
Collect Events from Vendor
In order to use the collector, use the Broker VM option.
Broker VM
To create or configure the Broker VM, use the information described here.
You can configure the specific vendor and product for this instance.
- Navigate to Settings > Configuration > Data Broker > Broker VMs.
- Go to the apps tab and add the Syslog app. If it already exists, click the Syslog app and then click Configure.
- Click Add New.
- When configuring the Syslog Collector, set the following values:
- vendor as vendor - tanium
- product as product - threat_response
Classifiers
| Name | Description |
|---|---|
Tanium Threat Response |
Incident Fields
| Name | Description |
|---|---|
Tanium Threat Response Priority | |
Tanium Threat Response Event Id | |
Tanium Threat Response Intel Doc Id | |
Tanium Threat Response Intel Doc Revision Id | |
Tanium Threat Response GUID | |
Tanium Threat Response Type | |
Tanium Threat Response Scan Config Id | |
Tanium Threat Response Scan Config Revision Id |
Incident Types
| Name | Description |
|---|---|
Tanium TR Incident |
Integrations
| Name | Description |
|---|---|
| Tanium Threat Response v2 | Use the Tanium Threat Response integration to manage endpoint processes, evidence, alerts, files, snapshots, and connections. This integration works with Tanium Threat Response version 3.0.159 and above. |
| Tanium Threat Response | Use the Tanium Threat Response integration to manage endpoints processes, evidence, alerts, files, snapshots, and connections. This Integration works with Tanium Threat Response version below 3.0.159. In order to use Tanium Threat Response version 3.0.159 and above, use Tanium Threat Response V2 Integration. |
Layouts
| Name | Description |
|---|---|
Tanium Threat Response |
Playbooks
| Name | Description |
|---|---|
Tanium Threat Response - Create Connection v2 | Creates a connection to a remote destination from Tanium Threat Response v2 v2 |
Tanium Threat Response - Request File Download | Request file download from Tanium Threat Response. |
Tanium Threat Response - Create Connection | Creates a connection to a remote destination from Tanium Threat Response. |
Tanium Threat Response - Request File Download v2 | Request file download from Tanium Threat Response v2. |
Classifiers
| Name | Description |
|---|---|
Tanium Threat Response |
Incident Fields
| Name | Description |
|---|---|
Tanium Threat Response Intel Doc Revision Id | |
Tanium Threat Response Event Id | |
Tanium Threat Response GUID | |
Tanium Threat Response Scan Config Id | |
Tanium Threat Response Scan Config Revision Id | |
Tanium Threat Response Priority | |
Tanium Threat Response Type | |
Tanium Threat Response Intel Doc Id |
Incident Types
| Name | Description |
|---|---|
Tanium TR Incident |
Integrations
| Name | Description |
|---|---|
| Tanium Threat Response v2 | Use the Tanium Threat Response integration to manage endpoint processes, evidence, alerts, files, snapshots, and connections. This integration works with Tanium Threat Response version 3.0.159 and above. |
| Tanium Threat Response | Use the Tanium Threat Response integration to manage endpoints processes, evidence, alerts, files, snapshots, and connections. This Integration works with Tanium Threat Response version below 3.0.159. In order to use Tanium Threat Response version 3.0.159 and above, use Tanium Threat Response V2 Integration. |
Modeling Rules
| Name | Description |
|---|---|
Tanium Threat Response Modeling Rule |
Parsing Rules
| Name | Description |
|---|---|
Tanium Threat Response Parsing Rule |
Playbooks
| Name | Description |
|---|---|
Tanium Threat Response - Request File Download | Request file download from Tanium Threat Response. |
Tanium Threat Response - Create Connection | Creates a connection to a remote destination from Tanium Threat Response. |
Tanium Threat Response - Request File Download v2 | Request file download from Tanium Threat Response v2. |
Tanium Threat Response - Create Connection v2 | Creates a connection to a remote destination from Tanium Threat Response v2 v2 |
Required Content Packs (2)
| Pack Name | Pack By |
|---|---|
| Base | By: Cortex XSOAR |
| Common Playbooks | By: Cortex XSOAR |
Optional Content Packs (1)
| Pack Name | Pack By |
|---|---|
| Common Types | By: Cortex XSOAR |
All level dependencies (5)
| Pack Name | Pack By |
|---|---|
| Rasterize | By: Cortex XSOAR |
| Base | By: Cortex XSOAR |
| Filters And Transformers | By: Cortex XSOAR |
| Cortex REST API | By: Cortex XSOAR |
| Common Playbooks | By: Cortex XSOAR |
2.2.0 - 5262746 (May 14, 2023)
- 25218
Download
Integrations
Tanium Threat Response v2
- Added the tanium-tr-get-response-actions command to retrieve the Response Actions matching the specified filters.
- Added the tanium-tr-response-action-gather-snapshot command which creates a "gatherSnapshot" Response Action for the specified host.
- 25218
Download
PUBLISHER
PLATFORMS
Cortex XSOARCortex XSIAM
INFO
| Certification | Certified | Read more |
| Supported By | Cortex | |
| Created | September 23, 2020 | |
| Last Release | November 4, 2024 |
WORKS WITH THE FOLLOWING INTEGRATIONS:
