Tanium's real-time data can speed up investigations by providing important context for analysts, such as pulling back Microsoft Configuration Manager (formerly SCCM) Health. This playbook starts with a Microsoft Sentinel incident, gets the hosts associated with that incident, queries the Tanium API Gateway for the SCCM Client Health for those hosts, and then adds a comment to the incident with that information. See [Tanium Help](https://help.tanium.com/bundle/ConnectAzureSentinel/page/Integratio
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Tanium |
| Source | View on GitHub |
📄 Source: Tanium-SCCMClientHealth/readme.md
This playbook will use the Tanium API to retrieve the SCCM Client health from hosts associated with a Microsoft Sentinel incident.
The results of the playbook will be added as a comment to the incident.

[!TIP] Leverage the "Tanium Threat Response Alerts" analytics rule to generate Sentinel incidents for a Threat Response Alert from Tanium.
A Tanium API Token
A Tanium API token granting access to your Tanium environment is required to make the necessary queries against the Tanium API.
An Azure Integration Account
Required to execute the JavaScript needed to prepare query filters for Tanium API Gateway HTTP requests.
Permission to Assign Roles to the Resource Group
To run successfully, this playbook must have the Microsoft Sentinel Contributor role at the Resource Group scope. This role assignment is added as part of this ARM template, so the user who is creating the playbook must have Microsoft.Authorization/roleAssignments/write on the resource group. Some examples of roles that meet these criteria for the user include:
Use the links below to create the playbook from our template.
With the default deployment and configuration settings of the playbooks, your Tanium API Key is stored in a secure string workflow parameter. To update your Tanium API Key, you must redeploy this playbook.
To allow Tanium API Key updates, it is advised to store the Tanium API Key securely in Azure Key Vault and update this playbook to use the Tanium API Key from the Key Vault instead of the secure string parameter.
Key Vault references