Tanium and Security Orchestration, Automation, and Response (SOAR)

Tanium's real-time endpoint visibility and control is a natural fit for customers who wish to better manage incidents and automate repeatable tasks. These capabilities enable SOAR solutions to enrich Events with deep contextual data, scope and hunt systems and telemetry, perform deep investigative tasks, and trigger actions to progress or resolve the incident.

Use Cases

Ask a Tanium REST Question to enrich an Alert. The question below is an example of a Tanium question targeting a specific computer. It includes a few Tanium Sensors such as Operating System, Chassis Type, IP Address, and Patch List Compliance; you can add any sensor to your own implementation. Ask additional Asset questions about the software and/or hardware of the target, or use Tanium Patch or Comply Sensors to report patch and vulnerability status.

Get Operating System Build Number and Chassis Type and IP Address and Patch - Patch List Compliance [1,"",0,0,0,0,0,0,0,""] from all machines with Computer Name contains HOSTNAME

Hunt for systems that match a given indicator, in this case the MD5 hash of a file object. The following Tanium Question uses Threat Response Index Sensors to check for the existence of a file with MD5 hash 7bad660c935e6d0b71410165802451b5 and then returns more information about that file object from systems that have it on disk. This example can be modified to find systems matching a range of indicators, including but not limited to file, network, logon, and process indicators.

Get Computer Name and Index Query File Details[0,,,,,,,10,7bad660c935e6d0b71410165802451b5] from all machines with Index Query File Exists[0,,,,,,7bad660c935e6d0b71410165802451b5,] contains Yes
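The two questions above are built from values that usually arrive in a SOAR alert (a hostname, a file hash). The script below, an added example that is not Tanium's code and not part of this page, shows how a playbook step can assemble those question strings safely and flatten a question result into a record the playbook can attach to the alert. The question text comes from this page; the validation helpers, the result JSON (modelled on the columns/rows shape of a Tanium result set, but with constructed values and a constructed "Index Query File Details" cell format) and the function names are assumptions for the example. The validation matters because alert fields are untrusted input: a hostname or hash that contains quotes, spaces or extra clauses is rejected rather than spliced into the question grammar.

```python
import re

# Question templates copied from the page; the placeholder is substituted only after validation.
ENRICHMENT_TEMPLATE = (
    "Get Operating System Build Number and Chassis Type and IP Address and "
    'Patch - Patch List Compliance [1,"",0,0,0,0,0,0,0,""] '
    "from all machines with Computer Name contains {hostname}"
)
HASH_HUNT_TEMPLATE = (
    "Get Computer Name and Index Query File Details[0,,,,,,,10,{md5}] "
    "from all machines with Index Query File Exists[0,,,,,,{md5},] contains Yes"
)

# Conservative allow-lists for values taken from an alert (assumed, not a Tanium rule).
_HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,254}")
_MD5_RE = re.compile(r"[0-9a-f]{32}")


def looks_like_hostname(value: str) -> bool:
    """True only for a plain DNS-style host label: no spaces, quotes or operators."""
    return bool(_HOSTNAME_RE.fullmatch(value))


def looks_like_md5(value: str) -> bool:
    """True only for exactly 32 hex characters (case-insensitive, surrounding whitespace ignored)."""
    return bool(_MD5_RE.fullmatch(value.strip().lower()))


def build_enrichment_question(hostname: str) -> str:
    """Return the enrichment question for one computer, refusing unsafe hostnames."""
    if not looks_like_hostname(hostname):
        raise ValueError(f"refusing to place unvalidated hostname in question: {hostname!r}")
    return ENRICHMENT_TEMPLATE.format(hostname=hostname)


def build_hash_hunt_question(md5: str) -> str:
    """Return the Index Query hunt question for one MD5, normalised to lowercase."""
    md5 = md5.strip().lower()
    if not looks_like_md5(md5):
        raise ValueError(f"not an MD5 hash: {md5!r}")
    return HASH_HUNT_TEMPLATE.format(md5=md5)


def flatten_result_data(result_data: dict) -> list:
    """Turn a result set (columns + rows of multi-value cells) into a list of dicts keyed by sensor name.

    A cell holding one value becomes a string; a cell with several values (e.g. several
    IP addresses on one machine) becomes a list, so nothing is silently dropped.
    """
    records = []
    for result_set in result_data["data"]["result_sets"]:
        names = [column["name"] for column in result_set["columns"]]
        for row in result_set["rows"]:
            record = {}
            for name, cell in zip(names, row["data"]):
                values = [item["text"] for item in cell]
                record[name] = values[0] if len(values) == 1 else values
            records.append(record)
    return records


def hunt_hits(result_data: dict) -> list:
    """Return the sorted, de-duplicated Computer Names that answered the hunt question."""
    return sorted({rec["Computer Name"] for rec in flatten_result_data(result_data) if rec.get("Computer Name")})


# Constructed sample responses (values invented for the example; shape assumed).
SAMPLE_ENRICHMENT_RESULT = {"data": {"result_sets": [{
    "columns": [
        {"name": "Operating System Build Number", "type": 1, "hash": 1},
        {"name": "Chassis Type", "type": 1, "hash": 2},
        {"name": "IP Address", "type": 5, "hash": 3},
        {"name": "Patch - Patch List Compliance", "type": 1, "hash": 4},
        {"name": "Count", "type": 3, "hash": 0},
    ],
    "rows": [{"id": 101, "cid": 0, "data": [
        [{"text": "19045"}],
        [{"text": "Laptop"}],
        [{"text": "10.0.0.15"}, {"text": "192.168.56.1"}],
        [{"text": "Non-Compliant"}],
        [{"text": "1"}],
    ]}],
}]}}

SAMPLE_HUNT_RESULT = {"data": {"result_sets": [{
    "columns": [
        {"name": "Computer Name", "type": 1, "hash": 1},
        {"name": "Index Query File Details", "type": 1, "hash": 2},
        {"name": "Count", "type": 3, "hash": 0},
    ],
    "rows": [
        {"id": 1, "cid": 0, "data": [[{"text": "WS-FIN-042"}],
                                     [{"text": "C:\\Users\\Public\\update.exe|12345|2024-01-05T10:11:12Z"}],
                                     [{"text": "1"}]]},
        {"id": 2, "cid": 0, "data": [[{"text": "SRV-FILE-01"}],
                                     [{"text": "D:\\Shares\\tools\\update.exe|12345|2024-01-04T08:00:00Z"}],
                                     [{"text": "1"}]]},
    ],
}]}}


if __name__ == "__main__":
    print(build_enrichment_question("WS-FIN-042"))
    print(build_hash_hunt_question("7bad660c935e6d0b71410165802451b5"))
    print(flatten_result_data(SAMPLE_ENRICHMENT_RESULT)[0])
    print("hunt hits:", hunt_hits(SAMPLE_HUNT_RESULT))
```

In a real playbook the question string would be submitted to the Tanium Server and the result retrieved once enough endpoints have answered; the flattening step is the same regardless of how the result is fetched. Keep the "Count" column when scoping so that a hit on several endpoints is visible as a scope change rather than a single enrichment value.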

Trigger an endpoint action as part of investigation or remediation. Delete a file, stop a process or service, quarantine a system, or collect deeper forensic information for offline analyses.

Any Tanium package, such as the ones below, can be executed as part of a SOAR Playbook:

Kill Process
Quarantine
Live Response (security / forensics collection)
Start/Stop Service
Kill Application
Any other package from Tanium or built by a customer

Direct Threat Response integration for deeper investigation and management. Customers may integrate directly with the Threat Response API, which allows managing Snapshots, deep Trace investigation, Intel/Alert management, and evidence management.

Here are a few examples:

Generate a Trace Snapshot for offline analysis
Explore Trace data per endpoint
Download files from endpoints
Create and manage Indicator of Compromise (IOC) documents

Getting started

See the current REST platform documentation for the Tanium Server API.

API documentation for Threat Response (Threat Response API) is available within the module, under the Question Mark icon.