Tanium-UnquarantineHosts
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook starts with a Microsoft Sentinel incident, gets the hosts associated with that incident, then directs Tanium to un-quarantine those hosts. The status of the un-quarantine operation is commented on the Microsoft Sentinel incident. See Tanium Help for a guide to setting up the Tanium Connector for Sentinel. Don't forget to grant the role 'Key Vaults Secret User' to the
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Tanium |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 3 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 8 |
keyvault |
Managed | 1 | 1 |
http |
Built-in | 0 | 11 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_Issued_Actions_to_Incident | post | /Incidents/Comment |
— |
| Get_Hosts_From_Incident | post | /entities/host |
— |
| Add_comment__-_no_hosts_found | post | /Incidents/Comment |
— |
| Add_comment__-_no_data_in_Tanium | post | /Incidents/Comment |
— |
| Add_comment_to_incident_-_hosts_that_will_be_targeted | post | /Incidents/Comment |
— |
| Add_comment_to_incident_-_known_and_unknown_action_results | post | /Incidents/Comment |
— |
| Add_comment_to_incident_-_known_action_results | post | /Incidents/Comment |
— |
| Add_comment_to_incident_-_unknown_action_results | post | /Incidents/Comment |
— |
keyvault (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_secret | get | /secrets/@{encodeURIComponent('TaniumApiToken')}/value |
— |
http (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_the_"All_Computers"_group | GET | @parameters('TaniumAllComputersUrl') |
— |
| Get_Linux_unquarantine_package | GET | @{concat(parameters('TaniumPackagesByNameUrlFragment'), uriComponent(variables('linuxPackageName')))} |
— |
| Issue_Linux_unquarantine_action | POST | @parameters('TaniumActionsApi') |
— |
| Get_Windows_unquarantine_package | GET | @{concat(parameters('TaniumPackagesByNameUrlFragment'), uriComponent(variables('windowsPackageName')))} |
— |
| Issue_Windows_unquarantine_action | POST | @parameters('TaniumActionsApi') |
— |
| Get_macOS_unquarantine_package | GET | @{concat(parameters('TaniumPackagesByNameUrlFragment'), uriComponent(variables('macOsPackageName')))} |
— |
| Issue_macOS_unquarantine_action | POST | @parameters('TaniumActionsApi') |
— |
| Get_General_Host_Info | POST | @parameters('TaniumApiGatewayApi') |
— |
| Requery_the_API_Gateway | POST | @parameters('TaniumApiGatewayApi') |
— |
| Get_next_page | POST | @parameters('TaniumApiGatewayApi') |
— |
| Get_action_result | GET | @{concat(parameters('TaniumActionResultDataUrlFragment'), items('Collect_action_results_for_each_issued_action')?['id'])} |
— |
Additional Documentation
📄 Source: Tanium-UnquarantineHosts/readme.md
Overview
This playbook will use Tanium to remove a previously applied Tanium quarantine from hosts associated with a Microsoft Sentinel incident. After the request to remove the quarantine has been made, it will wait for the unquarantine action to expire and then check its results.
The results of the playbook will be added as comments to the incident:
- The hosts that will be targeted
- The quarantine action(s)' deployment status
- The results of the quarantine action(s)
Prerequisites
- Sentinel incidents with associated hosts running the Tanium client
If this playbook is run against an incident with 1 or more hosts that are not running the Tanium client, then Tanium will not be able to provide information for those host(s). If the incident only contains hosts that are not running the Tanium client then a comment will be placed on the incident indicating that, and the playbook will exit early.
[!TIP] Leverage the "Tanium Threat Response Alerts" analytics rule to generate Sentinel incidents for an Threat Response Alert from Tanium.
A Tanium API Token
A Tanium API token, granting access to your Tanium environment is required to make the necessary queries against the Tanium API.An Azure Integration Account
Required to execute javascript needed to prepare query filters for Tanium API Gateway HTTP requestsTanium Threat Response 4.7+ Module
Tanium Threat Response must be installed and running your Tanium environment and must be version 4.7 or higher. If you are running a lower version see See Tanium Playbooks for more information.Permission to Assign Roles to the Resource Group
For this playbook to successfully run it must have the Microsoft Sentinel Contributor role at the Resource Group scope. This is added as part of this ARM template, and therefore requires the user who is creating the playbook to haveMicrosoft.Authorization/roleAssignments/writeon the resource group. Some examples of roles that meet this criteria for the user include:- Owner
- User Access Administrator
- Role Based Access Control Administrator
- Global Administrator
Get the Template
Use the links below to create the playbook from our template.
Note
With the default deployment and configuration settings of the playbooks, your Tanium API Key is stored in a secure string workflow parameter. To update your Tanium API Key you must redeploy this playbook.
To allow Tanium API Key updates it is advised to use Azure Key Vault to securely store the Tanium API Key and update this playbook to use the Tanium API Key from the Key Vault instead of the secure string parameter.
Key Vault references
- Key Vault | Microsoft Azure
- Azure Key Vault Connector reference | Microsoft Docs
- Secure access and data - Azure Logic Apps | Microsoft Docs.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊