Tanium Threat Response Alerts

One of the key features of Tanium Threat Response is the management of Intel and Alerts. Intel documents contain definitions that describe possible malicious activity. For detailed information on Threat Response Intel, see here.

Alerts are generated when Intel is matched on an endpoint. For detailed information on Threat Response Alerts, see here.

Use Case

Use the Connect-based source for Threat Response to push Alerts into SIEM or SOAR workflows. Configure formats such as SYSLOG or JSON and destinations such as Socket Receiver or HTTP. Use these alerts as the starting point for a SOC analyst's investigation, or create automations that take specific actions or enrich the alerts with other data sources.

The Tanium Threat Response module also allows direct API access for pulling Alerts. Pull alerts via a polling mechanism and use this information in the same way for human and/or automation workflows.

Getting started

Information on sending alert data via Tanium Connect can be found here.

Tanium Connect can also push Alerts to a number of destinations including SocketReceiver and HTTP.

Threat Response Alert

API documentation for Threat Response is contained within the module under the Question Mark icon (Threat Response API).

Pull alerts via the API based on a particular Computer Name or IP Address, or get alerts that carry a particular tag or MITRE ID for narrowly focused investigations.

A number of endpoints are available for your use cases.

To get alert counts with filtering and sorting:

# The server hostname between 'https://' and '/plugin' is omitted in the original; supply your Tanium server.
curl --location --request GET 'https:///plugin/products/detect3/api/v1/alerts/count' \
  --header 'session: token-XXXXX' \
  --header 'Content-Type: application/json' \
  --data-raw '{"n": "30" }'

To get alert details with filtering and sorting:

curl --location --request GET 'https:///plugin/products/detect3/api/v1/alerts' \
  --header 'session: token-XXXXX' \
  --header 'Content-Type: application/json'

To get Alert Summary information such as by state or platform:

curl --location --request GET 'https:///plugin/products/detect3/api/v1/summary' \
  --header 'session: token-XXXXX' \
  --header 'Content-Type: application/json'

*You can also manage alerts with the Delete and Update API endpoints.

Alert Details

Diving deeper into the alert body reveals a consistent structure. The alert begins with information on the alert itself, along with the computer name and IP:

  • Alert Id
  • Computer IP
  • Computer Name
  • Intel ID
  • Intel Labels
  • Intel Type
  • MITRE Techniques
  • Time Stamp

Under ‘finding’ and ‘system_info’ we have some additional system information:

  • bits (bitness)
  • build_number
  • os
  • patch_level
  • platform

Under the ‘match’ section we have detailed information on the root event:

  • Tanium Process and Event IDs
  • args
  • file path
  • file md5 (or other hash)
  • PID/PPID
  • start time
  • user

*In some cases the alert also includes information at different ancestry levels. These additional event levels, if present, are indicated with a 'parent' name designation, and an alert consumer should be prepared to walk that nesting.
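As an added example (not Tanium's own code), the following Python flattens an alert of the shape described above into a single SIEM-friendly record, walking the ‘match’ event and any nested 'parent' levels. The JSON key names (id, computerName, computerIpAddress, intelId, finding.system_info, finding.match, properties, file) and the sample alert are assumptions modelled on the field list above, not the verified Threat Response schema; check them against an alert pulled from your own instance.

```python
# Flatten a Threat Response alert into one SIEM-friendly record. The key names
# (id, computerName, finding.system_info, finding.match, nested "parent") are
# assumptions modelled on the field list above, not the verified schema.
SAMPLE_ALERT = {  # constructed sample alert, not captured from a real instance
    "id": 1001, "computerName": "WS-EXAMPLE-01", "computerIpAddress": "10.0.0.5",
    "intelId": 42, "type": "process", "alertedAt": "2024-01-01T12:00:00Z",
    "finding": {
        "system_info": {"os": "Windows 10", "platform": "windows", "bits": 64,
                        "build_number": "19045", "patch_level": ""},
        "match": {
            "properties": {"pid": 4321, "ppid": 1234, "user": "CORP\\alice",
                           "args": "tool.exe --flag", "start_time": "2024-01-01T11:59:58Z",
                           "file": {"fullpath": "C:\\Users\\alice\\tool.exe", "md5": "<md5 placeholder>"}},
            "parent": {  # ancestry level, present only when Tanium recorded it
                "properties": {"pid": 1234, "ppid": 800, "user": "CORP\\alice",
                               "args": "explorer.exe", "start_time": "2024-01-01T08:00:00Z",
                               "file": {"fullpath": "C:\\Windows\\explorer.exe", "md5": "<md5 placeholder>"}},
            },
        },
    },
}

def process_chain(match):
    """Walk the root event and each nested 'parent' level; one dict per level."""
    chain = []
    level = match
    while level:
        props = level.get("properties", {})
        f = props.get("file", {})
        chain.append({"pid": props.get("pid"), "ppid": props.get("ppid"),
                      "user": props.get("user"), "path": f.get("fullpath"),
                      "md5": f.get("md5"), "args": props.get("args"),
                      "start_time": props.get("start_time")})
        level = level.get("parent")  # None once the recorded ancestry ends
    return chain

def flatten_alert(alert):
    """Flat record: alert/computer fields, sys_* fields, then the process
    ancestry under 'process', 'parent', 'parent_parent', ... keys."""
    finding = alert.get("finding", {})
    record = {"alert_id": alert["id"], "computer_name": alert["computerName"],
              "computer_ip": alert["computerIpAddress"], "intel_id": alert["intelId"],
              "intel_type": alert.get("type"), "timestamp": alert.get("alertedAt")}
    record.update({f"sys_{k}": v for k, v in finding.get("system_info", {}).items()})
    for depth, event in enumerate(process_chain(finding.get("match", {}))):
        record["process" if depth == 0 else "parent" + "_parent" * (depth - 1)] = event
    return record
```

The flattened record is what you would hand to a Connect JSON destination or a SOAR playbook; alerts without recorded ancestry simply yield no 'parent' key.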