Tanium-QuarantineHosts
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
During an investigation, it may be critical to isolate endpoints quickly if a compromise is detected. It's also important to track quarantine actions for auditing purposes. This playbook starts with a Microsoft Sentinel incident, gets the hosts associated with that incident, then directs Tanium to quarantine those hosts. The status of the quarantine operation is commented on the Microsoft Sentinel incident. See [Tanium Help](https://help.tanium.com/bundle/ConnectAzureSentinel/page/Integrations/M
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Tanium |
| Source | View on GitHub |
Additional Documentation
📄 Source: Tanium-QuarantineHosts/readme.md
Overview
This playbook will use Tanium to quarantine any hosts associated with a Microsoft Sentinel incident. After the quarantine request has been made, it will wait for the quarantine action to expire and then check its results.
The results of the playbook will be added as comments to the incident: 1. The hosts that will be targeted 2. The quarantine action(s)' deployment status 3. The results of the quarantine action(s)
Prerequisites
- Sentinel incidents with associated hosts running the Tanium client
If this playbook is run against an incident with 1 or more hosts that are not running the Tanium client, then Tanium will not be able to provide information for those host(s). If the incident only contains hosts that are not running the Tanium client then a comment will be placed on the incident indicating that, and the playbook will exit early.
[!TIP] Leverage the "Tanium Threat Response Alerts" analytics rule to generate Sentinel incidents for an Threat Response Alert from Tanium.
-
A Tanium API Token
A Tanium API token, granting access to your Tanium environment is required to make the necessary queries against the Tanium API. -
An Azure Integration Account
Required to execute javascript needed to prepare query filters for Tanium API Gateway HTTP requests -
Tanium Threat Response 4.7+ Module
Tanium Threat Response must be installed and running your Tanium environment and must be version 4.7 or higher. If you are running a lower version see See Tanium Playbooks for more information. -
Permission to Assign Roles to the Resource Group
For this playbook to successfully run it must have the Microsoft Sentinel Contributor role at the Resource Group scope. This is added as part of this ARM template, and therefore requires the user who is creating the playbook to haveMicrosoft.Authorization/roleAssignments/writeon the resource group. Some examples of roles that meet this criteria for the user include: - Owner
- User Access Administrator
- Role Based Access Control Administrator
- Global Administrator
Get the Template
Use the links below to create the playbook from our template.
Note
With the default deployment and configuration settings of the playbooks, your Tanium API Key is stored in a secure string workflow parameter. To update your Tanium API Key you must redeploy this playbook.
To allow Tanium API Key updates it is advised to use Azure Key Vault to securely store the Tanium API Key and update this playbook to use the Tanium API Key from the Key Vault instead of the secure string parameter.
Key Vault references
- Key Vault | Microsoft Azure
- Azure Key Vault Connector reference | Microsoft Docs
- Secure access and data - Azure Logic Apps | Microsoft Docs.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊