Tanium for SOAR

The Tanium Platform offers integrations with leading service management platforms, SOAR platforms, ticketing platforms, and other IT security and operations platforms. Tanium open APIs help customers integrate Tanium products with other IT tools and services to accelerate and streamline IT operations.


Overview

To start using Tanium for SOAR activities, the necessary tools must be installed within the console and on the endpoint. Once the tools are installed, administrators will be able to see the various Tanium Modules under the Administration tab. Some activities require the user to know the IP address or computer name of the desired machines.

This document breaks the SOAR process down into the following sections:


Alert Generation

Sending Event Data from Tanium

Send events to a SIEM, SOAR, or other data lake or log solution using Connect.

Tanium Event Sources:

Connect - REST API

You can use the REST APIs for Connect to create, edit, and manage connections.

To view the Connect REST API documentation, navigate to the Connect Overview page, click Help , and click Connect API Documentation.


Triage - Tier 1

Streamline first response processes by reporting real-time data about endpoint status, including details about active processes, memory usage, software and hardware configurations, patch status, and more.

Accelerated Data Collection

Respond to a SOAR platform request for data artifacts from endpoints that may be under attack, or integrate with a ticketing system to append endpoint data to open tickets.

The examples below illustrate some of the methods available to retrieve meaningful and actionable data:

API Gateway - General

API Gateway - Direct Connect

Prerequisites: Obtain Endpoint ID and Open Direct Connection:

  • Endpoint ID

    POST /plugin/products/gateway/graphql

    Header          Value
    Content-Type    application/json
    session         token or session id

    Example request query:

        query Endpoints($hostname: String) {
          endpoints(source: {tds: {}}
          filter: {path: "name", op: EQ, value: $hostname}
          ) {
            edges {
              node {
                name
                id
              }
            }
          }
        }
    


    Example query variables:

      {
        "hostname": "WIN-SERVER01",
        "id": "1"
      }
    


    Example response body:

      {
        "data": {
          "endpoints": {
            "edges": [
              {
                "node": {
                  "name": "WIN-SERVER01",
                  "id": "1"
                }
              }
            ]
          }
        }
      }
    


  • Open Direct Connection to Endpoint


API Gateway - Sensors

  • Service Status With Hash

    Returns verbose details about running processes for services.

    POST /plugin/products/gateway/graphql

    Header          Value
    Content-Type    application/json
    session         token or session id

    Example request query:

        query ParamSensorRead($hostname: String, $id:String) {
          endpoints(source: {ts: {}}
          filter: {filters: [{path: "name", op: EQ, value: $hostname}, {path: "id", op: EQ, value: $id}] any:false}
          ) {
            edges {
              node {
                name
                id
                sensorReadings(
                  sensors: [{name: "Service Status with Hash", params: [{name: "HashType", value: "MD5"}]}]
                ) {
                  columns {
                    name
                    values
                  }
                }
              }
            }
          }
        }
    

    The value for HashType can be one of MD5, SHA1, or SHA256.


    Example query variables:

      {
        "hostname": "WIN-SERVER01",
        "id": "1"
      }
    


  • Running Processes With Hash

    Returns path and hash of currently running processes.

    POST /plugin/products/gateway/graphql

    Header          Value
    Content-Type    application/json
    session         token or session id

    Example request query:

        query ParamSensorRead($hostname: String, $id:String) {
          endpoints(source: {ts: {}}
          filter: {filters: [{path: "name", op: EQ, value: $hostname}, {path: "id", op: EQ, value: $id}] any:false}
          ) {
            edges {
              node {
                name
                id
                sensorReadings(
                  sensors: [{name: "Running Processes with Hash", params: [{name: "HashType", value: "MD5"}]}]
                ) {
                  columns {
                    name
                    values
                  }
                }
              }
            }
          }
        }
    

    The value for HashType can be one of MD5, SHA1, or SHA256.


    Example query variables:

      {
        "hostname": "WIN-SERVER01",
        "id": "1"
      }
    


  • Network Details

    Enumerates verbose network connection details.

    POST /plugin/products/gateway/graphql

    Header          Value
    Content-Type    application/json
    session         token or session id


    Example request query:

        query ParamSensorRead($hostname: String, $id:String) {
          endpoints(source: {ts: {}}
          filter: {filters: [{path: "name", op: EQ, value: $hostname}, {path: "id", op: EQ, value: $id}] any:false}
          ) {
            edges {
              node {
                name
                id
                sensorReadings(
                  sensors: [{name: "Network Details", params: [{name: "HOSTORIP", value: "WIN-UDTCGIK4LKU"}, {name: "HashType", value: "MD5"}]}]
                ) {
                  columns {
                    name
                    values
                  }
                }
              }
            }
          }
        }
    

    The value for HashType can be one of MD5, SHA1, or SHA256. The hostname for the sensor's HOSTORIP parameter cannot be passed in using query variables; it is written directly into the query, as in the example above.


    Example query variables:

      {
        "hostname": "WIN-SERVER01",
        "id": "1"
      }
    


  • Logged In Users

    Provides a list of users currently logged in to the client machine. Includes Remote Desktop sessions on Windows.

    POST /plugin/products/gateway/graphql

    Header          Value
    Content-Type    application/json
    session         token or session id

    Example request query:

        query ParamSensorRead($hostname: String, $id:String) {
          endpoints(source: {ts: {}}
          filter: {filters: [{path: "name", op: EQ, value: $hostname}, {path: "id", op: EQ, value: $id}] any:false}
          ) {
            edges {
              node {
                name
                id
                sensorReadings(
                  sensors: [{name: "Logged In Users"}]
                ) {
                  columns {
                    name
                    values
                  }
                }
              }
            }
          }
        }
    


    Example query variables:

      {
        "hostname": "WIN-SERVER01",
        "id": "1"
      }
    

Threat Investigation - Tier 2

Investigate either individual endpoints or your entire environment in minutes without creating large network strain.

API Gateway - Methods

Threat Response - REST API

You can use the REST APIs for Threat Response to start an Investigation, view Recorder events, gather evidence, perform file and directory operations, and more.

To view the Threat Response REST API documentation, navigate to the Threat Response Overview page, click Help, navigate to the API tab, and click See API documentation.

Searching Historical Activity

The following sensors can be used to ask a Tanium REST Question and retrieve historical information:

  • Trace DNS Queries
  • Trace Executed Process Hashes
  • Trace Loaded Drivers
  • Trace Executed Processes
  • Trace Logon Events
  • Trace Executed Process Trees
  • Trace Network Connections
  • Trace File Operations
  • Trace Image Loads
  • Trace Registry Keys or Values

Searching For Files On Disk

Use the following Index Sensors to ask a Tanium REST Question about files that have been indexed.


Remediation - Tier 3

Perform remote remediation actions like deleting files and managing native security controls like firewalls and antivirus.

API Gateway - Methods

Below are some example methods using the API Gateway; additional examples can be found on the Tanium Docs page for API Gateway.

Threat Response - REST API

You can use the REST APIs for Threat Response to start an Investigation, view Recorder events, gather evidence, perform file and directory operations, and more.

To view the Threat Response REST API documentation, navigate to the Threat Response Overview page, click Help, navigate to the API tab, and click See API documentation.