Tanium Threat Response v2.2.27
Use the Tanium Threat Response integration to manage endpoints processes, evidence, alerts, files, snapshots, and connections.
- Author:
- Cortex XSOAR
- Support:
- xsoar
- Default data source:
- Tanium Threat Response v2
agentixxsiam
Endpoint
Classifiers (1)
Incident fields (8)
Incident types (1)
Integrations (2)
Layouts (1)
Modeling rules (1)
Parsing rules (1)
Playbooks (2)
README
Tanium Threat Response
This pack includes Cortex XSIAM content.
<~XSIAM>
Configuration on Server Side
You need to configure a Socket Receiver on the Tanium side.
Perform the following steps to configure the Socket Receiver:
- Go to Modules > Connect.
- Enter a name and description for the connection.
- From the Source dropdown, select Event.
- From the Event Group dropdown, select Tanium Threat Response or Tanium Detect..
- Select Match Alerts Raw.
- From the Destination dropdown, select Socket Receiver.
- Specify a unique name for the Destination Name.
- Under Host, fill in the name or the IP address of the SIEM.
- Specify the port number under Port.
- elect JSON from the dropdown under Format.
- Click the Listen for this Event checkbox.
- Click Save.
More information can be found here
Note:
Make sure to send the log in UTC time.
Don’t modify the value type of the Timestamp field. This field is set to UTC by default.
The supported time format is yyyy-MM-ddThh:mm:ss.nnnZ (2022-01-01T10:00:00.000Z).
Collect Events from Vendor
In order to use the collector, use the Broker VM option.
Broker VM
To create or configure the Broker VM, use the information described here.
You can configure the specific vendor and product for this instance.
- Navigate to Settings > Configuration > Data Broker > Broker VMs.
- Go to the apps tab and add the Syslog app. If it already exists, click the Syslog app and then click Configure.
- Click Add New.
- When configuring the Syslog Collector, set the following values:
- vendor as vendor - tanium
- product as product - threat_response
</~XSIAM>