Tanium Threat Response
Prerequisites: to authenticate this connector, you need an API token. Capabilities: this connector provides the following capabilities: create connection, create liveresponse action, download file evidence, get alert by id, get collection configs, get intel doc by id, get response actions, list alerts, list connections, list file evidence, update alert state by id. Asset setup: to generate an API token, follow the instructions below. From the homepage, after logging into your Tanium instance, navigate to Administration > API Tokens. Click on New API Token at the right side of the page. Set the expiration, persona and trusted IP addresses details and click on Create. Note: only IP addresses listed in Trusted IP Addresses will be able to make successful connections to the API. If you want to allow any IP, use 0.0.0.0/0 as the trusted IP address (this disables the source-address restriction entirely; scope it to the connector host's address where possible). Configurations: Tanium Threat Response API key authentication — authenticates using an API key. Configuration parameters (parameter, description, type, required): url — a URL to the target host, string, required; session — API key, string, required; verify ssl — verify SSL certificate, boolean, optional; http proxy — a proxy to route requests through, string, optional. Actions: create connection — create a user connection. Endpoint URL: /plugin/products/threat-response/api/v1/conns/connect. Method: POST. Input (argument name, type, required, description): target, object, optional, parameter for create connection; hostname, string, optional, name of the resource; clientid, string, optional, unique identifier; platform, string, optional, parameter for create connection; ip, string, optional, parameter for create connection. Output (parameter, type, description): status code, number, HTTP status code of the response; reason, string, response reason phrase. Example: \[ { "status code" 202, "response headers" { "x frame options" "sameorigin", "x content type options" "nosniff", "x xss protection" "1", "referrer policy" "no referrer", "strict transport security" "max age=63072000; includesubdomains;", "content
security policy" "default src 'self';script src 'self' 'unsafe eval';frame src 'self';child src 's ", "server" "envoy", "x request id" "0dc48760 a134 4fb1 81b3 7775eaccced0", "tanium threat response version" "4 5 131 0000", "content encoding" "gzip", "cache control" "no cache, no store, must revalidate", "pragma" "no cache", "expires" "0", "content type" "application/json", "date" "mon, 18 mar 2024 06 41 07 gmt" }, "reason" "accepted", "json body" "remote\ localhost 2871630594 " } ] create liveresponse action creates a new liveresponse action endpoint url /plugin/products/threat response/api/v1/response actions method post input argument name type required description type string required response action type do not change computername string required name of the resource eid number optional unique identifier options object required parameter for create liveresponse action packagename string required package to deploy for this response action packageparameters array required parameters for the package being deployed at least 4 parameters should be defined key string optional parameter for create liveresponse action value string optional value for the parameter expirationtime string optional time value output parameter type description status code number http status code of the response reason string response reason phrase data object response data type string type of the resource computername string name of the resource options object output field options packagename string name of the resource packageparameters array parameters for the create liveresponse action action key string output field key value string value for the parameter packageskiplockflag boolean output field packageskiplockflag status string status value userid number unique identifier personaid object unique identifier username string name of the resource results object result of the operation expirationtime string time value createdat string output field createdat updatedat string output field 
updatedat id number unique identifier eid object unique identifier example \[ { "status code" 201, "response headers" { "x frame options" "sameorigin", "x content type options" "nosniff", "x xss protection" "1", "referrer policy" "no referrer", "strict transport security" "max age=63072000; includesubdomains;", "content security policy" "default src 'self';script src 'self' 'unsafe eval';frame src 'self';child src 's ", "server" "envoy", "x request id" "44bbb276 26ce 4a5d 9952 d1bfb3a57442", "tanium threat response version" "4 5 131 0000", "content encoding" "gzip", "cache control" "no cache, no store, must revalidate", "pragma" "no cache", "expires" "0", "content type" "application/json", "date" "tue, 19 mar 2024 05 57 37 gmt" }, "reason" "created", "json body" { "data" {} } } ] download file evidence download the file evidence file endpoint url /plugin/products/threat response/api/v1/filedownload/data/{{id}} method get input argument name type required description id string required unique identifier output parameter type description file object attachments file string output field file file name string name of the resource example \[ { "file" { "file" "string", "file name" "example name" } } ] get alert by id get an alert by id endpoint url /plugin/products/threat response/api/v1/alerts/{{id}} method get input argument name type required description id number required unique identifier output parameter type description status code number http status code of the response reason string response reason phrase data object response data id number unique identifier state string output field state type string type of the resource guid string unique identifier priority object output field priority severity string output field severity inteldocid number unique identifier inteldocrevisionid number unique identifier scanconfigid number unique identifier scanconfigrevisionid number unique identifier computername string name of the resource computeripaddress string output 
field computeripaddress eid number unique identifier details string output field details alertedat string output field alertedat createdat string output field createdat updatedat string output field updatedat example \[ { "status code" 200, "response headers" { "x frame options" "sameorigin", "x content type options" "nosniff", "x xss protection" "1", "referrer policy" "no referrer", "strict transport security" "max age=63072000; includesubdomains;", "content security policy" "default src 'self';script src 'self' 'unsafe eval';frame src 'self';child src 's ", "server" "envoy", "x request id" "dad03cb0 49fc 49e4 86ec e5f2165dd8fd", "tanium threat response version" "4 5 126 0000", "content encoding" "gzip", "cache control" "no cache, no store, must revalidate", "pragma" "no cache", "expires" "0", "content type" "application/json", "date" "thu, 29 feb 2024 08 51 32 gmt" }, "reason" "ok", "json body" { "data" {} } } ] get collection configs gets all of the live response collection configs, with offset, limit endpoint url /plugin/products/threat response/api/v1/liveresponse/collectionconfigs method get input argument name type required description limit number optional parameter for get collection configs offset number optional parameter for get collection configs output parameter type description status code number http status code of the response reason string response reason phrase data array response data id number unique identifier name string name of the resource description string output field description enabledmodules array output field enabledmodules enabled boolean output field enabled userdefined boolean output field userdefined revision number output field revision createdat string output field createdat updatedat string output field updatedat hashes array output field hashes filecollectors array output field filecollectors file name string name of the resource file string output field file filecollectorsets array output field filecollectorsets id number 
unique identifier name string name of the resource description string output field description enabled boolean output field enabled userdefined boolean output field userdefined revision number output field revision createdat string output field createdat updatedat string output field updatedat example \[ { "status code" 200, "response headers" { "x frame options" "sameorigin", "x content type options" "nosniff", "x xss protection" "1", "referrer policy" "no referrer", "strict transport security" "max age=63072000; includesubdomains;", "content security policy" "default src 'self';script src 'self' 'unsafe eval';frame src 'self';child src 's ", "server" "envoy", "x request id" "04d59489 3380 4d86 9b6c 1439da1c4a89", "tanium threat response version" "4 5 131 0000", "content encoding" "gzip", "cache control" "no cache, no store, must revalidate", "pragma" "no cache", "expires" "0", "content type" "application/json", "date" "tue, 19 mar 2024 19 01 14 gmt" }, "reason" "ok", "json body" { "data" \[], "meta" {} } } ] get intel doc by id get intel doc by id endpoint url /plugin/products/threat response/api/v1/intels/{{id}} method get input argument name type required description id number required unique identifier output parameter type description status code number http status code of the response reason string response reason phrase data object response data id number unique identifier revisionid number unique identifier type string type of the resource typeversion string type of the resource intrinsicid string unique identifier md5 string output field md5 name string name of the resource description string output field description size number output field size alertcount number count value unresolvedalertcount number count value throttledfindingcount number count value labelids array unique identifier file name string name of the resource file string output field file sourceid number unique identifier blobid string unique identifier isschemavalid boolean unique 
identifier contents string response content createdat string output field createdat updatedat string output field updatedat allowautodisable boolean output field allowautodisable example \[ { "status code" 200, "response headers" { "x frame options" "sameorigin", "x content type options" "nosniff", "x xss protection" "1", "referrer policy" "no referrer", "strict transport security" "max age=63072000; includesubdomains;", "content security policy" "default src 'self';script src 'self' 'unsafe eval';frame src 'self';child src 's ", "server" "envoy", "x request id" "dad03cb0 49fc 49e4 86ec e5f2165dd8fd", "tanium threat response version" "4 5 126 0000", "content encoding" "gzip", "cache control" "no cache, no store, must revalidate", "pragma" "no cache", "expires" "0", "content type" "application/json", "date" "thu, 29 feb 2024 08 51 32 gmt" }, "reason" "ok", "json body" { "data" {} } } ] get response actions gets all response actions endpoint url /plugin/products/threat response/api/v1/response actions method get input argument name type required description offset number optional parameter for get response actions limit number optional parameter for get response actions sortby string optional parameter for get response actions sortorder string optional parameter for get response actions querypartialcomputername string optional name of the resource querystatus string optional status value querytype string optional type of the resource output parameter type description status code number http status code of the response reason string response reason phrase data array response data id number unique identifier type string type of the resource status string status value computername string name of the resource userid number unique identifier personaid object unique identifier username string name of the resource options object output field options packagename string name of the resource packageparameters array parameters for the get response actions action key string 
output field key value string value for the parameter packageskiplockflag boolean output field packageskiplockflag results object result of the operation taskids array unique identifier actionids array unique identifier file name string name of the resource file string output field file errorcount number error message if any retrycount number count value expirationtime string time value createdat string output field createdat example \[ { "status code" 200, "response headers" { "x frame options" "sameorigin", "x content type options" "nosniff", "x xss protection" "1", "referrer policy" "no referrer", "strict transport security" "max age=63072000; includesubdomains;", "content security policy" "default src 'self';script src 'self' 'unsafe eval';frame src 'self';child src 's ", "server" "envoy", "x request id" "b4a6f11b 3743 484f 8c7e 3d3f0f8f3167", "tanium threat response version" "4 5 131 0000", "content encoding" "gzip", "cache control" "no cache, no store, must revalidate", "pragma" "no cache", "expires" "0", "content type" "application/json", "date" "tue, 19 mar 2024 06 06 42 gmt" }, "reason" "ok", "json body" { "data" \[], "meta" {} } } ] list alerts list alerts with optional filtering, sorting, and pagination endpoint url /plugin/products/threat response/api/v1/alerts method get input argument name type required description state string optional parameter for list alerts type string optional type of the resource matchtype string optional type of the resource path string optional parameter for list alerts priority string optional parameter for list alerts severity string optional parameter for list alerts inteldocid number optional unique identifier inteltype string optional type of the resource inteldocname string optional name of the resource intelsource string optional parameter for list alerts labelname string optional name of the resource mitreid string optional unique identifier scanconfigid number optional unique identifier computername string optional 
name of the resource computeripaddress string optional parameter for list alerts platform string optional parameter for list alerts details string optional parameter for list alerts alertedatfrom string optional parameter for list alerts alertedatuntil string optional parameter for list alerts guid string optional unique identifier include string optional parameter for list alerts sort string optional parameter for list alerts expand string optional parameter for list alerts limit number optional parameter for list alerts offset number optional parameter for list alerts output parameter type description status code number http status code of the response reason string response reason phrase meta object output field meta totalcount number count value filteredcount number count value data array response data id number unique identifier state string output field state type string type of the resource guid string unique identifier priority object output field priority severity string output field severity inteldocid number unique identifier inteldocrevisionid number unique identifier scanconfigid number unique identifier scanconfigrevisionid number unique identifier computername string name of the resource computeripaddress string output field computeripaddress eid number unique identifier details object output field details matchtype string type of the resource path string output field path alertedat string output field alertedat createdat string output field createdat updatedat string output field updatedat example \[ { "status code" 200, "response headers" { "x frame options" "sameorigin", "x content type options" "nosniff", "x xss protection" "1", "referrer policy" "no referrer", "strict transport security" "max age=63072000; includesubdomains;", "content security policy" "default src 'self';script src 'self' 'unsafe eval';frame src 'self';child src 's ", "server" "envoy", "x request id" "dad03cb0 49fc 49e4 86ec e5f2165dd8fd", "tanium threat response version" "4 5 
126 0000", "content encoding" "gzip", "cache control" "no cache, no store, must revalidate", "pragma" "no cache", "expires" "0", "content type" "application/json", "date" "thu, 29 feb 2024 08 51 32 gmt" }, "reason" "ok", "json body" { "meta" {}, "data" \[] } } ] list connections list user connections endpoint url /plugin/products/threat response/api/v1/conns method get output parameter type description status code number http status code of the response reason string response reason phrase example \[ { "status code" 200, "response headers" { "x frame options" "sameorigin", "x content type options" "nosniff", "x xss protection" "1", "referrer policy" "no referrer", "strict transport security" "max age=63072000; includesubdomains;", "content security policy" "default src 'self';script src 'self' 'unsafe eval';frame src 'self';child src 's ", "server" "envoy", "x request id" "4cb9ada9 7f2a 4d3e 8ae1 552a43853b01", "tanium threat response version" "4 5 131 0000", "content encoding" "gzip", "cache control" "no cache, no store, must revalidate", "pragma" "no cache", "expires" "0", "content type" "application/json", "date" "mon, 18 mar 2024 06 43 41 gmt" }, "reason" "ok", "json body" \[ {} ] } ] list file evidence get all file evidence records from the database endpoint url /plugin/products/threat response/api/v1/filedownload method get input argument name type required description limit number optional maximum number of results to return default 1000 offset number optional offset into the result set default 0 sort string optional column by which to sort default downloaded output parameter type description status code number http status code of the response reason string response reason phrase fileevidence array unique identifier uuid string unique identifier hostname string name of the resource path string output field path downloaded string output field downloaded hash string output field hash size number output field size created string output field created created by 
string output field created by created by proc string output field created by proc last modified string output field last modified last modified by string output field last modified by last modified by proc string output field last modified by proc tags string output field tags comments string output field comments createdat string output field createdat updatedat string output field updatedat totalcount number count value example \[ { "status code" 200, "response headers" { "x frame options" "sameorigin", "x content type options" "nosniff", "x xss protection" "1", "referrer policy" "no referrer", "strict transport security" "max age=63072000; includesubdomains;", "content security policy" "default src 'self';script src 'self' 'unsafe eval';frame src 'self';child src 's ", "server" "envoy", "x request id" "7da57a9c 244b 4f9d bd46 cb7579476934", "tanium threat response version" "4 5 131 0000", "content encoding" "gzip", "cache control" "no cache, no store, must revalidate", "pragma" "no cache", "expires" "0", "content type" "application/json", "date" "mon, 18 mar 2024 06 54 23 gmt" }, "reason" "ok", "json body" { "fileevidence" \[], "totalcount" 1 } } ] update alert state by id update the state of a single alert by id endpoint url /plugin/products/threat response/api/v1/alerts/{{id}} method put input argument name type required description id number required unique identifier state string required parameter for update alert state by id output parameter type description status code number http status code of the response reason string response reason phrase alert object output field alert id number unique identifier state string output field state type string type of the resource guid string unique identifier priority object output field priority severity string output field severity inteldocid number unique identifier inteldocrevisionid number unique identifier scanconfigid number unique identifier scanconfigrevisionid number unique identifier computername string 
name of the resource; computeripaddress, string, output field computeripaddress; eid, number, unique identifier; details, string, output field details; matchtype, string, type of the resource; path, string, output field path; alertedat, string, output field alertedat; createdat, string, output field createdat; updatedat, string, output field updatedat. Example: \[ { "status code" 200, "response headers" { "x frame options" "sameorigin", "x content type options" "nosniff", "x xss protection" "1", "referrer policy" "no referrer", "strict transport security" "max age=63072000; includesubdomains;", "content security policy" "default src 'self';script src 'self' 'unsafe eval';frame src 'self';child src 's ", "server" "envoy", "x request id" "dad03cb0 49fc 49e4 86ec e5f2165dd8fd", "tanium threat response version" "4 5 126 0000", "content encoding" "gzip", "cache control" "no cache, no store, must revalidate", "pragma" "no cache", "expires" "0", "content type" "application/json", "date" "thu, 29 feb 2024 08 51 32 gmt" }, "reason" "ok", "json body" { "alert" {} } } ]
Response headers (header — description — example): Cache-Control — directives for caching mechanisms — no-cache, no-store, must-revalidate; Content-Encoding — HTTP response header Content-Encoding — gzip; Content-Security-Policy — HTTP response header Content-Security-Policy — default-src 'self';script-src 'self' 'unsafe-eval';frame-src 'self';child-src 'self';worker-src 'self';media-src 'self';style-src 'self' 'unsafe-inline';img-src data: blob: 'self';frame-ancestors 'self';font-src 'self' data:;upgrade-insecure-requests;connect-src data: blob: 'unsafe-inline';block-all-mixed-content;; Content-Type — the media type of the resource — application/json; Date — the date and time at which the message was originated — Mon, 18 Mar 2024 06:54:23 GMT; Expires — the date/time after which the response is considered stale — 0; Pragma — HTTP response header Pragma — no-cache; Referrer-Policy — HTTP response header Referrer-Policy — no-referrer; Server — information about the software used by the origin server — envoy; Strict-Transport-Security — HTTP response header Strict-Transport-Security — max-age=63072000; includeSubDomains;; tanium-threat-response-version — HTTP response header tanium-threat-response-version — 4.5.126.0000; Transfer-Encoding — HTTP response header Transfer-Encoding — chunked; X-Content-Type-Options — HTTP response header X-Content-Type-Options — nosniff; X-Envoy-Upstream-Service-Time — HTTP response header X-Envoy-Upstream-Service-Time — 667; X-Frame-Options — HTTP response header X-Frame-Options — SAMEORIGIN; X-Request-Id — a unique identifier for the request — b4a6f11b-3743-484f-8c7e-3d3f0f8f3167; X-XSS-Protection — HTTP response header X-XSS-Protection — 1