Tanium Threat Response Actions

Threat Response leverages a set of capabilities called Response Actions that allow for targeting of threat focused Actions. These include Live Response, Quarantine, Trace Endpoint Snapshot, and File Download. In the Tanium Threat Response user interface a human operator might execute one of these actions based upon an Intel Alert. The responder would triage Alerts and take initial action to quarantine or gather more information.

Use Case

Tanium Response Actions are focused actions targeting endpoints that can be used as part of automation or incident triaging. Create playbooks or workflows that automatically download a file from an endpoint as part of an AntiVirus focused investigation. Automate the collection of unresolved endpoint files that might be malicious. Or in a different context in which we want to collect rich forensics data from an endpoint as part of a case triage and escalation. Trigger a Live Response memory collection from and endpoint and send that data to a memory forensic tool and escalate the incident to a specialist. A number of opportunities exist to leverage this framework to deliver key threat response actions.

Getting started

API documentation for Threat Response is contained within the module under the Question Mark icon. Threat Response API

More information on Tanium Response Actions can be found here.

The API endpoints for Response Actions include Create, Delete, Get, and Stop.

To get started construct a POST to the following endpoint:

/plugin/products/threat-response/api/v1/response-actions

The body will contain “type” such as “liveresponse”, a “computerName” target, and additional “options” are required for the given package.

For example as part of an ticket escalation involving memory analytics the operator could trigger a memory collection leveraging Live Response: 

{
    "type": "liveResponse",
    "computerName": "computerName",
    "options": {
        "packageName": "Threat Response - Live Response [Windows]",
        "packageParameters": [
            {
                "key": "$1",
                "value": "Memory Collection"
            },
            {
                "key": "$2",
                "value": "test aws"
            }
        ]
    },
    "expirationTime": "2019-09-20T13:50:53.699Z"
}

You may GET all Response Actions:

/plugin/products/threat-response/api/v1/response-actions

You can also stop a specific response action by ID:

/plugin/products/threat-response/api/v1/response-actions/stop/:id

Or in a break glass scenario stop all actions:

/plugin/products/threat-response/api/v1/response-actions/stop

Example in CURL

curl --location --request POST 'https:///plugin/products/threat-response/api/v1/response-actions' 
--header 'session: token-XXXXX' 
--header 'Content-Type: application/json' 
--data-raw '{    
    "type": "liveResponse",    
    "computerName": "computerName",    
    "options": {        
        "packageName": "Threat Response - Live Response [Windows]",                             "packageParameters": [            
            {                
                "key": "$1",                
                "value": "Memory Collection"            
            },            
            {                
                "key": "$2",                
                "value": "test aws"            
            }        
        ]    
    },    
    "expirationTime": "2019-09-20T13:50:53.699Z"
}'