Tanium Threat Response Alerts
One of the key features of Tanium Threat Response is the management of Intel and Alerts. Intel documents contain definitions that describe possible malicious activity; see the Threat Response Intel documentation for details.
Alerts are generated when Intel matches activity on an endpoint; see the Threat Response Alerts documentation for details.
Use Case
Use the Connect-based source for Threat Response to push Alerts into SIEM or SOAR workflows. Configure formats such as SYSLOG or JSON and destinations such as Socket Receiver or HTTP. A SOC analyst can use these alerts to begin an investigation, and automations can take specific actions on them or enrich them with other data sources.
The Tanium Threat Response module also allows direct API access for pulling Alerts. Alerts can be pulled with a polling mechanism and fed into the same human and/or automation workflows.
Getting started
Information on sending alert data via Tanium Connect is available in the Tanium Connect documentation.
Tanium Connect can push Alerts to a number of destinations, including Socket Receiver and HTTP.
API documentation for Threat Response is contained within the module under the Question Mark icon.
Pull alerts via the API for a particular Computer Name or IP Address, or get only the alerts that carry a particular tag or MITRE ID for narrowly focused investigations.
A number of endpoints are available for your use cases.
To get alert counts with filtering and sorting (replace <tanium-server> with your Tanium server host and token-XXXXX with a valid session token):
curl --location --request GET 'https://<tanium-server>/plugin/products/threat-response/api/v1/alerts/count' \
  --header 'session: token-XXXXX' \
  --header 'Content-Type: application/json' \
  --data-raw '{"n": "30" }'
To get alert details with filtering and sorting:
curl --location --request GET 'https://<tanium-server>/plugin/products/threat-response/api/v1/alerts' \
  --header 'session: token-XXXXX' \
  --header 'Content-Type: application/json'
To get Alert Summary information, such as counts by state or platform:
curl --location --request GET 'https://<tanium-server>/plugin/products/threat-response/api/v1/summary' \
  --header 'session: token-XXXXX' \
  --header 'Content-Type: application/json'
*You can also manage alerts with the Delete and Update API endpoints.
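The polling workflow described above, written out as an added example (this is not Tanium's code). The two endpoint paths are the ones shown in the curl commands; the query-parameter names (e.g. computerName), the "data" response envelope and the "id" alert key are assumptions that must be checked against the module's API documentation. The poller remembers alert ids it has already forwarded, so a SIEM or SOAR fed from repeated polls receives each alert once. A FakeOpener with a constructed response is included so the client can be exercised offline.

```python
"""Poll Tanium Threat Response alerts over the module's REST API.

Added example, not Tanium's code. Endpoint paths come from the page's curl
commands; query-parameter names, the "data" envelope and the "id" key are
ASSUMPTIONS to verify against the API docs under the module's question-mark icon.
"""
import json
import urllib.parse
import urllib.request

ALERTS_PATH = "/plugin/products/threat-response/api/v1/alerts"
COUNT_PATH = "/plugin/products/threat-response/api/v1/alerts/count"
ALERT_ID_KEY = "id"  # assumed JSON key for the page's "Alert Id" field


def build_request(base_url, session_token, path, params=None):
    """Build a GET request carrying the Tanium session token.

    urllib stores the header name as ``Session``; HTTP header names are
    case-insensitive, so the server treats it as ``session``.
    """
    url = base_url.rstrip("/") + path
    if params:
        url += "?" + urllib.parse.urlencode(params)
    return urllib.request.Request(
        url,
        method="GET",
        headers={"session": session_token, "Content-Type": "application/json"},
    )


def fetch_json(request, opener=None, timeout=30):
    """Send the request and decode the JSON body; `opener` is injectable so the
    client can run offline (see FakeOpener below)."""
    opener = opener or urllib.request.build_opener()
    with opener.open(request, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def extract_alerts(body):
    """Unwrap the assumed {"data": [...]} envelope; a bare list is accepted too."""
    if isinstance(body, dict):
        return body.get("data", [])
    return list(body)


class AlertPoller:
    """Tracks alert ids already handed to the SIEM/SOAR so that each poll
    returns only alerts not seen before."""

    def __init__(self, base_url, session_token, opener=None):
        self.base_url = base_url
        self.session_token = session_token
        self.opener = opener
        self.seen_ids = set()

    def poll(self, filters=None):
        request = build_request(self.base_url, self.session_token, ALERTS_PATH, filters)
        new_alerts = []
        for alert in extract_alerts(fetch_json(request, self.opener)):
            alert_id = alert.get(ALERT_ID_KEY)
            if alert_id is None or alert_id in self.seen_ids:
                continue
            self.seen_ids.add(alert_id)
            new_alerts.append(alert)
        return new_alerts


# --- constructed sample response and an offline opener, for demonstration only ---
SAMPLE_RESPONSE = {
    "data": [
        {"id": 101, "computerName": "host01", "mitreTechniques": ["T1059"]},
        {"id": 102, "computerName": "host02", "mitreTechniques": ["T1003"]},
    ]
}


class _FakeResponse:
    def __init__(self, payload):
        self._body = json.dumps(payload).encode("utf-8")

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


class FakeOpener:
    """Stands in for urllib's opener: records requests, returns the sample payload."""

    def __init__(self, payload=SAMPLE_RESPONSE):
        self.payload = payload
        self.requests = []

    def open(self, request, timeout=None):
        self.requests.append(request)
        return _FakeResponse(self.payload)


if __name__ == "__main__":
    poller = AlertPoller("https://tanium.example", "token-XXXXX", opener=FakeOpener())
    print(len(poller.poll({"computerName": "host01"})), "new alerts on first poll")
    print(len(poller.poll({"computerName": "host01"})), "new alerts on second poll")
```

For production use, drop the FakeOpener, keep the session token out of source (read it from a secret store or environment), and persist seen_ids if the poller restarts, otherwise old alerts are re-emitted on the first poll.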
Alert Details
The alert body has a consistent structure. It begins with information about the alert itself, plus the computer name and IP:
- Alert Id
- Computer IP
- Computer Name
- Intel ID
- Intel Labels
- Intel Type
- MITRE Techniques
- Time Stamp
Under 'finding', the 'system_info' object holds additional information about the endpoint:
- bits (bitness)
- build_number
- os
- patch_level
- platform
The 'match' section contains detailed information on the root event:
- Tanium Process and Event IDs
- args
- path
- file md5 (or other hash)
- PID/PPID
- start time
- remote port/IP
- Windows Registry
- user
*In some cases the alert also includes information at additional ancestry levels (for example the parent process of the matched event). When present, these additional event levels are indicated with a 'parent' designation.
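To show how the structure above can be consumed, here is an added example (not Tanium's code) that normalises an alert into a flat record for a SIEM. The nesting it walks (finding → system_info, finding → match, and a chain of 'parent' objects for process ancestry) follows the page; the exact JSON key names and the sample alert are constructed assumptions, with placeholder hashes rather than real indicators. The ancestry walk is depth-limited so a malformed or unexpectedly deep parent chain cannot hang the pipeline, and a helper filters records by MITRE technique (including sub-techniques) for the focused investigations mentioned earlier.

```python
"""Normalise a Threat Response alert body into a flat record for a SIEM.

Added example, not Tanium's code. Nesting follows the page's description;
the JSON key names are ASSUMPTIONS and the sample alert is constructed.
"""
import json

MAX_ANCESTRY_DEPTH = 8  # guard against runaway or cyclic 'parent' chains

# Constructed sample alert; hashes and ids are placeholders, not real IoCs.
SAMPLE_ALERT = {
    "id": 101,
    "computerIpAddress": "10.0.0.5",
    "computerName": "host01",
    "intelId": 55,
    "intelLabels": ["suspicious-shell"],
    "intelType": "signal",
    "mitreTechniques": ["T1059.003"],
    "createdAt": "2024-01-01T00:00:00Z",
    "finding": {
        "system_info": {
            "bits": 64,
            "build_number": "19045",
            "os": "Windows 10",
            "patch_level": "22H2",
            "platform": "windows",
        },
        "match": {
            "type": "process",
            "properties": {
                "pid": 4321, "ppid": 1234, "user": "CORP\\alice",
                "path": "C:\\Windows\\System32\\cmd.exe",
                "args": "cmd.exe /c whoami",
                "md5": "0" * 32,  # placeholder hash
                "start_time": "2024-01-01T00:00:00Z",
            },
            "parent": {  # one ancestry level up, as the page describes
                "properties": {"pid": 1234, "ppid": 800, "user": "CORP\\alice",
                               "path": "C:\\Windows\\explorer.exe",
                               "args": "explorer.exe", "md5": "0" * 32},
                "parent": {
                    "properties": {"pid": 800, "ppid": 1, "user": "NT AUTHORITY\\SYSTEM",
                                   "path": "C:\\Windows\\System32\\userinit.exe",
                                   "args": "userinit.exe", "md5": "0" * 32},
                },
            },
        },
    },
}

PROCESS_FIELDS = ("pid", "ppid", "user", "path", "args", "md5", "start_time")


def process_chain(match, max_depth=MAX_ANCESTRY_DEPTH):
    """Walk match -> parent -> parent ... and return one dict per level;
    depth 0 is the root event the intel matched."""
    chain, node, depth = [], match, 0
    while node and depth < max_depth:
        props = node.get("properties", {})
        level = {field: props.get(field) for field in PROCESS_FIELDS}
        level["depth"] = depth
        chain.append(level)
        node, depth = node.get("parent"), depth + 1
    return chain


def flatten_alert(alert):
    """Pull the alert header, system_info and process ancestry into one flat record."""
    finding = alert.get("finding", {})
    sysinfo = finding.get("system_info", {})
    return {
        "alert_id": alert.get("id"),
        "computer_name": alert.get("computerName"),
        "computer_ip": alert.get("computerIpAddress"),
        "intel_id": alert.get("intelId"),
        "intel_labels": alert.get("intelLabels", []),
        "intel_type": alert.get("intelType"),
        "mitre_techniques": alert.get("mitreTechniques", []),
        "timestamp": alert.get("createdAt"),
        "platform": sysinfo.get("platform"),
        "os": sysinfo.get("os"),
        "build_number": sysinfo.get("build_number"),
        "process_chain": process_chain(finding.get("match", {})),
    }


def matches_technique(record, technique_id):
    """True if the alert maps to the technique itself or one of its sub-techniques."""
    return any(t == technique_id or t.startswith(technique_id + ".")
               for t in record["mitre_techniques"])


def to_siem_line(record):
    """One compact JSON line per alert, suitable for a JSON-over-syslog or HTTP sink."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


if __name__ == "__main__":
    print(to_siem_line(flatten_alert(SAMPLE_ALERT)))
```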