Tanium-ListSecurityPatches

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

Tanium's real-time data can speed up investigations by providing important context for analysts, such as which security patches are missing on the endpoints in question. This playbook starts with a Microsoft Sentinel incident, gets the hosts associated with that incident, queries the Tanium API Gateway for applicable security patches for those endpoints, and then adds a comment to the incident with that information. See [Tanium Help](https://help.tanium.com/bundle/ConnectAzureSentinel/page/Integ

Attribute	Value
Type	Playbook
Solution	Tanium
Source	View on GitHub

Logic App Connectors

This playbook uses 3 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`azuresentinel`	Managed	1	4
`keyvault`	Managed	1	1
`http`	Built-in	0	3

Action parameters (URLs, paths, function IDs)

`azuresentinel` (Managed)

Action	Method	Endpoint	Other
Get_Hosts_From_Incident	post	`/entities/host`	—
Add_comment__-_no_hosts_found	post	`/Incidents/Comment`	—
Add_Available_Patch_List_to_Incident	post	`/Incidents/Comment`	—
Add_comment__-_no_data_in_Tanium	post	`/Incidents/Comment`	—

`keyvault` (Managed)

Action	Method	Endpoint	Other
Get_secret	get	`/secrets/@{encodeURIComponent('TaniumApiToken')}/value`	—

`http` (Built-in)

Action	Method	Endpoint	Other
Get_next_page	POST	`@parameters('TaniumApiGatewayApi')`	—
List_Available_Patches	POST	`@parameters('TaniumApiGatewayApi')`	—
Refresh_API_Gateway_query	POST	`@parameters('TaniumApiGatewayApi')`	—

Additional Documentation

📄 Source: Tanium-SecurityPatches/readme.md

Tanium-SecurityPatches

Overview

This playbook will use the Tanium API to retrieve applicable security patches for the hosts associated with a Microsoft Sentinel incident.

The results of the playbook will be added as a comment to the incident.

Tanium-SecurityPatches screenshot

Prerequisites

Sentinel incidents with associated hosts running the Tanium client
If this playbook is run against an incident with 1 or more hosts that are not running the Tanium client, then Tanium will not be able to provide information for those host(s). If the incident only contains hosts that are not running the Tanium client then a comment will be placed on the incident indicating that and the playbook will exit early.

[!TIP] Leverage the "Tanium Threat Response Alerts" analytics rule to generate Sentinel incidents for an Threat Response Alert from Tanium.

A Tanium API Token
A Tanium API token, granting access to your Tanium environment is required to make the necessary queries against the Tanium API.
An Azure Integration Account
Required to execute javascript needed to prepare query filters for Tanium API Gateway HTTP requests.
Tanium Patch Module
Tanium Patch must be installed and running in your Tanium environment.
Permission to Assign Roles to the Resource Group
For this playbook to successfully run it must have the Microsoft Sentinel Contributor role at the Resource Group scope. This is added as part of this ARM template, and therefore requires the user who is creating the playbook to have Microsoft.Authorization/roleAssignments/write on the resource group. Some examples of roles that meet this criteria for the user include:
- Owner
- User Access Administrator
- Role Based Access Control Administrator
- Global Administrator

Get the Template

Use the links below to create the playbook from our template.

Note

With the default deployment and configuration settings of the playbooks, your Tanium API Key is stored in a secure string workflow parameter. To update your Tanium API Key you must redeploy this playbook.

To allow Tanium API Key updates it is advised to use Azure Key Vault to securely store the Tanium API Key and update this playbook to use the Tanium API Key from the Key Vault instead of the secure string parameter.

Key Vault references