Tanium Threat Response Intel

The Tanium Threat Response module has its own API that is available for external usage. This would allow end users to create and deploy Intel documents to endpoints for evaluation. Please see the following documentation here on Threat Response Intel.

API documentation for Threat Response is contained within the module under the Question Mark icon.

Threat Response API

Use Case

Tanium Threat Response supports OpenIOC, STIX, CybOX, Yara and Tanium Signals. You may upload any of these document types through a simple POST endpoint. Use cases that leverage this capability might automatically generate Intel as part of an investigation workflow. One example is an automated AntiVirus workflow that searches for MD5 hashes confirmed to be malicious but left unresolved by the endpoint's AV solution. A full workflow might start with a REST platform Question to find systems with unresolved files, followed by a Threat Response API command to collect the file from the endpoint. Collected files are sent to an operator or analytics tool. If a file is determined to be malicious, its MD5 hash is added to an Intel document and used to hunt for other systems. The generated Alerts are consumed via Tanium Connect or via the Threat Response API. The same pattern works if the source of the initial event is a network security tool instead of AntiVirus: in that modified use case the network security solution provides source telemetry that is then searched for or collected from an endpoint for additional analysis using Tanium.

Carefully plan and test this process. It is important to make sure there is a match between the source intelligence and the telemetry keys/values available in Tanium Threat Response.

Getting started

To get started we'll use POST against the Threat Response endpoint API:

/plugin/products/detect3/api/v1/intels

You will need a Header modification:

key=Content-Disposition value=filename=telemetry.ioc

Please note that the value of the Content-Disposition header must match the type of source document. For example, for Yara the value would be filename=telemetry.yara; for STIX it would be filename=telemetry.stix.

In the Body you will have the raw intelligence document with no additional key/values. The body should only contain the target intelligence.

Once Intel has been created it needs to be deployed to endpoints. Use Deploy Intel /plugin/products/threat-response/api/v1/intel/deploy and Intel Status /plugin/products/threat-response/api/v1/intel/status to deploy and check on status.

Example in CURL

curl --location --request POST 'https://<tanium-server>/plugin/products/detect3/api/v1/intels' \
  --header 'Content-Disposition: filename=testingioc.ioc' \
  --header 'session: token-XXXXX' \
  --header 'Content-Type: application/xml' \
  --data-raw '<OpenIOC/STIX/CybOX definition here>'
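The same create, deploy and status sequence as a small Python script, added here as an example that is not Tanium's own code. It derives the Content-Disposition header from the intel file's extension and uses the three endpoints named above; the Tanium server URL and session token are supplied by the caller, the Content-Type values other than application/xml for .ioc are assumptions, and deploy as a POST with an empty body and status as a GET are assumptions too, since the page does not document them.

```python
import os
import urllib.request

INTEL_PATH = "/plugin/products/detect3/api/v1/intels"
DEPLOY_PATH = "/plugin/products/threat-response/api/v1/intel/deploy"
STATUS_PATH = "/plugin/products/threat-response/api/v1/intel/status"

# Extension -> Content-Type for the raw body. Only application/xml for .ioc
# comes from the curl example above; the other entries are assumptions.
CONTENT_TYPES = {
    ".ioc": "application/xml",   # OpenIOC
    ".stix": "application/xml",  # STIX
    ".xml": "application/xml",   # CybOX
    ".yara": "text/plain",       # Yara
    ".yar": "text/plain",
}


def intel_headers(filename, token):
    """Headers for the intel POST. Content-Disposition carries only the
    filename; its extension tells Threat Response which document type it is."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in CONTENT_TYPES:
        raise ValueError(f"unsupported intel document type: {filename!r}")
    return {
        "Content-Disposition": f"filename={os.path.basename(filename)}",
        "Content-Type": CONTENT_TYPES[ext],
        "session": token,
    }


def _request(server, path, headers, body=None, method="POST"):
    """One HTTPS call; returns the raw response text because the page does
    not document the JSON shapes, so nothing is parsed here."""
    req = urllib.request.Request(server + path, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8", errors="replace")


def push_intel(server, token, intel_file):
    """Upload the raw intel document (the body is the document and nothing
    else), deploy it, then read back deploy status. Returns the three bodies.
    Usage: push_intel("https://<tanium-server>", "token-XXXXX", "telemetry.ioc")"""
    with open(intel_file, "rb") as fh:
        created = _request(server, INTEL_PATH, intel_headers(intel_file, token), fh.read())
    auth = {"session": token}
    deployed = _request(server, DEPLOY_PATH, auth, b"", "POST")   # assumption: POST, empty body
    status = _request(server, STATUS_PATH, auth, None, "GET")     # assumption: GET
    return created, deployed, status
```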