Tanium Threat Response v2.2.27

Use the Tanium Threat Response integration to manage endpoints processes, evidence, alerts, files, snapshots, and connections.

Author:
Cortex XSOAR
Support:
xsoar
URL:
https://www.paloaltonetworks.com/cortex
Default data source:
Tanium Threat Response v2
agentixxsiam
Endpoint

Classifiers (1)

Incident types (1)

README

Tanium Threat Response

This pack includes Cortex XSIAM content.

<~XSIAM>

Configuration on Server Side

You need to configure a Socket Receiver on the Tanium side.

Perform the following steps to configure the Socket Receiver:

  1. Go to Modules > Connect.
  2. Enter a name and description for the connection.
  3. From the Source dropdown, select Event.
  4. From the Event Group dropdown, select Tanium Threat Response or Tanium Detect..
  5. Select Match Alerts Raw.
  6. From the Destination dropdown, select Socket Receiver.
  7. Specify a unique name for the Destination Name.
  8. Under Host, fill in the name or the IP address of the SIEM.
  9. Specify the port number under Port.
  10. elect JSON from the dropdown under Format.
  11. Click the Listen for this Event checkbox.
  12. Click Save.

More information can be found here

Note:
Make sure to send the log in UTC time.
Don’t modify the value type of the Timestamp field. This field is set to UTC by default.
The supported time format is yyyy-MM-ddThh:mm:ss.nnnZ (2022-01-01T10:00:00.000Z).

Collect Events from Vendor

In order to use the collector, use the Broker VM option.

Broker VM

To create or configure the Broker VM, use the information described here.

You can configure the specific vendor and product for this instance.

  1. Navigate to Settings > Configuration > Data Broker > Broker VMs.
  2. Go to the apps tab and add the Syslog app. If it already exists, click the Syslog app and then click Configure.
  3. Click Add New.
  4. When configuring the Syslog Collector, set the following values:
    • vendor as vendor - tanium
    • product as product - threat_response
      </~XSIAM>