Maintaining alert hygiene in multiple consoles can be overwhelming. This playbook helps teams keep Tanium Threat Response up-to-date when using Microsoft Sentinel to centrally manage alerts. This playbook will resolve any Tanium Threat Response alerts associated with a Microsoft Sentinel incident. See Tanium Help for a guide to setting up the Tanium Connector for Sentinel. Don't forget
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Tanium |
| Source | View on GitHub |
This playbook resolves any Tanium Threat Response alerts associated with a Microsoft Sentinel incident. The result of resolving the alert is added as a comment on the incident.

- **Sentinel incidents created using the "Tanium Threat Response Alerts" analytic rule.** Only Microsoft Sentinel incidents created by the "Tanium Threat Response Alerts" analytic rule will have the required metadata to allow resolving the associated Tanium Threat Response alert.
- **A Tanium API Token.** A Tanium API token granting access to your Tanium environment is required to make the necessary queries against the Tanium API.
- **Tanium Threat Response Module.** Tanium Threat Response must be installed and operational in your Tanium environment.
- **Permission to Assign Roles to the Resource Group.** For this playbook to run successfully, it must have the Microsoft Sentinel Contributor role at the Resource Group scope. This role assignment is added as part of this ARM template, so the user who creates the playbook must have Microsoft.Authorization/roleAssignments/write on the resource group. Some examples of roles that meet this criterion for the user include:
You must authorize the API Connections used by this playbook after deployment. See Tanium Playbooks for more information about our playbooks and how to create a playbook from this template.
Use the links below to create the playbook from our template.
With the default deployment and configuration settings of the playbooks, your Tanium API Key is stored in a secure string workflow parameter. To update your Tanium API Key, you must redeploy this playbook.
To allow Tanium API Key updates, we advise storing the Tanium API Key in Azure Key Vault and updating this playbook to read the key from the Key Vault instead of from the secure string parameter.
Key Vault references