Tanium Threat Response Intel

Tanium Intel is used to define conditions that might indicate malicious behavior on endpoints. Threat Response can leverage a variety of intel sources to identify and alert on potential threats. You can create and deploy Intel documents to endpoints in your environment for evaluation. Please see the following documentation here to learn more about Threat Response Intel.

The Threat Response module has its own REST API. The documentation is accessed in the module workbench under the Question Mark icon.

Threat Response API

Use Case

Tanium Threat Response supports OpenIOC, STIX, CybOX, Yara and Tanium Signals. You may upload any of these document types as part of a simple POST to an API endpoint. Use cases that leverage this capability might want to automatically generate Intel as part of an investigation workflow. Perhaps an automated AntiVirus workflow that searches for MD5 hashes that have been confirmed to be malicious but are unresolved by the endpoints AV solution. A full workflow might start with a REST platform Question to find systems with unresolved files and a Threat Response API command to collect the file from the endpoint. Send collected files to an operator or analytics tool. If the file is determined to be malicious add its MD5 hash to an Intel document and hunt for other systems. Consume the generated Alerts via Tanium Connect or via the Threat Response API. Substitute the source of the initial event from AntiVirus to a network security tool. In this modified use case the network security solution is providing source telemetry that is searched or collected from an endpoint for additional analysis using Tanium.

Carefully plan and test this process. It will be important to make sure there is a match between the source intelligence and telemetry key/values available in Tanium Threat Response

Creating Intel

Tanium Signals are used for the continuous, real-time evaluation of process, network, registry (Windows only), and file events on endpoints. In addition to the default Signals available as a feed from Tanium, you can author your own custom Signals to detect suspicious or interesting process behavior in your environment.

These guides will explain Signals and their syntax in more detail.
Introduction to Authoring Signals
Tanium Signal Authoring Handbook

New intel can be posted to the intels endpoint in the Threat Response API.

/plugin/products/threat-response/api/v1/intels

You will need a Header modification:

key=Content-Disposition value=filename=telemetry.ioc

Please note that the key Content-Disposition will have a value that matches the type of source document. For example for Yara the value would be filename=telemtry.yara for STIX it would be filename=telemetry.stix.

In the Body you will have the raw intelligence document with no additional key/values. The body should only contain the target intelligence.

Once Intel has been created it needs to be deployed to endpoints. Use Deploy Intel /plugin/products/threat-response/api/v1/intel/deploy and Intel Status /plugin/products/threat-response/api/v1/intel/status to deploy and check on status.

Example in CURL

curl --location --request POST 'https:///plugin/products/threat-response/api/v1/intels' 
--header 'Content-Disposition: filename=testingioc.ioc' 
--header 'session: token-XXXXX' 
--header 'Content-Type: application/xml' 
--data-raw OPENIOC/STIX/CybOX Definition Here

Last Updated: May 17, 2023