Tanium-GeneralHostInfo

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

Tanium's real-time data can speed up investigations by providing important context for analysts, such as basic information about the computer's name, IP, and storage information. This playbook starts with a Microsoft Sentinel incident, gets the hosts associated with that incident, queries the Tanium API Gateway for general endpoint information for those hosts, and then adds a comment to the incident with that information. See [Tanium Help](https://help.tanium.com/bundle/ConnectAzureSentinel/page

Attribute	Value
Type	Playbook
Solution	Tanium
Source	View on GitHub

Logic App Connectors

This playbook uses 3 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`azuresentinel`	Managed	1	4
`keyvault`	Managed	1	1
`http`	Built-in	0	3

Action parameters (URLs, paths, function IDs)

`azuresentinel` (Managed)

Action	Method	Endpoint	Other
Add_Received_Info_to_Incident	post	`/Incidents/Comment`	—
Get_Hosts_From_Incident	post	`/entities/host`	—
Add_comment__-_no_hosts_found	post	`/Incidents/Comment`	—
Add_comment__-_no_data_in_Tanium	post	`/Incidents/Comment`	—

`keyvault` (Managed)

Action	Method	Endpoint	Other
Get_secret	get	`/secrets/@{encodeURIComponent('TaniumApiToken')}/value`	—

`http` (Built-in)

Action	Method	Endpoint	Other
Get_next_page	POST	`@parameters('TaniumApiGatewayApi')`	—
Get_General_Host_Info	POST	`@parameters('TaniumApiGatewayApi')`	—
Requery_the_API_Gateway	POST	`@parameters('TaniumApiGatewayApi')`	—

Additional Documentation

📄 Source: Tanium-GeneralHostInfo/readme.md

Overview

This playbook will use the Tanium API to retrieve a set of general endpoint information from hosts associated with a Microsoft Sentinel incident.

The results of the playbook will be added as a comment to the incident.

Tanium-GeneralHostInfo screenshot

Prerequisites

Sentinel incidents with associated hosts running the Tanium client.
If this playbook is run against an incident with 1 or more hosts that are not running the Tanium client, then Tanium will not be able to provide information for those host(s). If the incident only contains hosts that are not running the Tanium client then a comment will be placed on the incident indicating that and the playbook will exit early.

[!TIP] Leverage the "Tanium Threat Response Alerts" analytics rule to generate Sentinel incidents for an Threat Response Alert from Tanium.

A Tanium API Token
A Tanium API token, granting access to your Tanium environment is required to make the necessary queries against the Tanium API.
An Azure Integration Account
Required to execute javascript needed to prepare query filters for Tanium API Gateway HTTP requests
Permission to Assign Roles to the Resource Group
For this playbook to successfully run it must have the Microsoft Sentinel Contributor role at the Resource Group scope. This is added as part of this ARM template, and therefore requires the user who is creating the playbook to have Microsoft.Authorization/roleAssignments/write on the resource group. Some examples of roles that meet this criteria for the user include:
- Owner
- User Access Administrator
- Role Based Access Control Administrator
- Global Administrator

Get the Template

Use the links below to create the playbook from our template.

Note

With the default deployment and configuration settings of the playbooks, your Tanium API Key is stored in a secure string workflow parameter. To update your Tanium API Key you must redeploy this playbook.

To allow Tanium API Key updates it is advised to use Azure Key Vault to securely store the Tanium API Key and update this playbook to use the Tanium API Key from the Key Vault instead of the secure string parameter.

Key Vault references