Tanium Threat Response
This pack includes Cortex XSIAM content.
Configuration on Server Side
You need to configure a Socket Receiver on the Tanium side.
Perform the following steps to configure the Socket Receiver:
- Go to Modules > Connect.
- Enter a name and description for the connection.
- From the Source dropdown, select Event.
- From the Event Group dropdown, select Tanium Threat Response.
- Select Match Alerts Raw.
- From the Destination dropdown, select Socket Receiver.
- Specify a unique name for the Destination Name.
- Under Host, fill in the name or the IP address of the SIEM.
- Specify the port number under Port.
- elect JSON from the dropdown under Format.
- Click the Listen for this Event checkbox.
- Click Save.
More information can be found here
Note:
Make sure to send the log in UTC time.
Don't modify the value type of the "Timestamp" field. This field is set to UTC by default.
Collect Events from Vendor
In order to use the collector, use the Broker VM option.
Broker VM
To create or configure the Broker VM, use the information described here.
You can configure the specific vendor and product for this instance.
- Navigate to Settings > Configuration > Data Broker > Broker VMs.
- Go to the apps tab and add the Syslog app. If it already exists, click the Syslog app and then click Configure.
- Click Add New.
- When configuring the Syslog Collector, set the following values (not relevant for CEF and LEEF formats):
- vendor as vendor - tanium
- product as product - threat_response
