# Tanium Threat Response
## Prerequisites

To authenticate this connector, you need an API token.

## Capabilities

This connector provides the following capabilities:

- Create Connection
- Create LiveResponse Action
- Download File Evidence
- Get Alert by ID
- Get Collection Configs
- Get Intel Doc by ID
- Get Response Actions
- List Alerts
- List Connections
- List File Evidence
- Update Alert State by ID

## Asset Setup

To generate an API token, follow the instructions below:

1. From the homepage, after logging into your Tanium instance, navigate to Administration > API Tokens.
2. Click New API Token at the right side of the page.
3. Set the Expiration, Persona and Trusted IP Addresses details and click Create.

Note: only IP addresses listed in Trusted IP Addresses will be able to make successful connections to the API. If you want to allow any IP, use 0.0.0.0/0 as the trusted IP address; this disables the allow-list entirely, so prefer listing the connector host's egress address when it is known.

## Configurations

### Tanium Threat Response API Key Authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| session | API key | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Create Connection

Create a user connection.

Endpoint URL: `/plugin/products/threat-response/api/v1/conns/connect`

Method: POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| target | object | optional | Parameter for Create Connection |
| target.hostname | string | optional | Name of the resource |
| target.clientId | string | optional | Unique identifier |
| target.platform | string | optional | Parameter for Create Connection |
| target.ip | string | optional | Parameter for Create Connection |

Input example:

```json
{"json_body": {"target": {"hostname": "localhost", "clientId": "2871630594", "platform": "linux", "ip": "10.70.145.92"}}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example (truncated):

```json
{"status_code": 202, "response_headers": {"X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff", "X-XSS-Protection": "1", "Referrer-Policy": "no-referrer", "Strict-Transport-Security": "max-age=63072000; includeSubDomains;", "Content-Security-Policy": "default-src 'self';script-src 'self' 'unsafe-eval';frame-src 'self';child-src 's", "Server": "envoy", "X-Request-Id": "0dc48760-a134-4fb1-81b3-7775eaccced0", "Tanium-Threat-Response-Version": "4.5.131.0000", "Content-Encoding": "gzip", "Cache-Control"
```

### Create LiveResponse Action

Creates a new LiveResponse action.

Endpoint URL: `/plugin/products/threat-response/api/v1/response-actions`

Method: POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| type | string | optional | Response action type; do not change |
| computerName | string | optional | Name of the resource |
| eid | number | optional | Unique identifier |
| options | object | optional | Parameter for Create LiveResponse Action |
| options.packageName | string | required | Package to deploy for this response action |
| options.packageParameters | array | required | Parameters for the package being deployed; at least 4 parameters should be defined |
| options.packageParameters.key | string | optional | Parameters for the Create LiveResponse Action action |
| options.packageParameters.value | string | optional | Parameters for the Create LiveResponse Action action |
| expirationTime | string | optional | Time value |

Input example:

```json
{"json_body": {"type": "liveresponse", "computerName": "computername", "eid": 4, "options": {"packageName": "Threat Response - Live Response [Windows]", "packageParameters": [{"key": "$1", "value": "memory collection"}, {"key": "$2", "value": "test aws"}, {"key": "$3", "value": "collectionset"}, {"key": "$4", "value": "destinationset"}]}, "expirationTime": "2019-09-20T13:50:53.699Z"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.type | string | Response data |
| data.computerName | string | Response data |
| data.options | object | Response data |
| data.options.packageName | string | Response data |
| data.options.packageParameters | array | Parameters for the Create LiveResponse Action action |
| data.options.packageParameters.key | string | Parameters for the Create LiveResponse Action action |
| data.options.packageParameters.value | string | Parameters for the Create LiveResponse Action action |
| data.options.packageSkipLockFlag | boolean | Response data |
| data.status | string | Response data |
| data.userId | number | Response data |
| data.personaId | object | Response data |
| data.username | string | Response data |
| data.results | object | Response data |
| data.expirationTime | string | Response data |
| data.createdAt | string | Response data |
| data.updatedAt | string | Response data |
| data.id | number | Response data |
| data.eid | object | Response data |

Output example (truncated):

```json
{"status_code": 201, "response_headers": {"X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff", "X-XSS-Protection": "1", "Referrer-Policy": "no-referrer", "Strict-Transport-Security": "max-age=63072000; includeSubDomains;", "Content-Security-Policy": "default-src 'self';script-src 'self' 'unsafe-eval';frame-src 'self';child-src 's", "Server": "envoy", "X-Request-Id": "44bbb276-26ce-4a5d-9952-d1bfb3a57442", "Tanium-Threat-Response-Version": "4.5.131.0000", "Content-Encoding": "gzip", "Cache-Control"
```

### Download File Evidence

Download the file evidence file.

Endpoint URL: `/plugin/products/threat-response/api/v1/filedownload/data/{{id}}`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | Parameters for the Download File Evidence action |

Input example:

```json
{"path_parameters": {"id": "string"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| file | object | Attachments |
| file.file | string | Output field file.file |
| file.file_name | string | Name of the resource |

Output example:

```json
{"file": {"file": "string", "file_name": "example_name"}}
```

### Get Alert by ID

Get an alert by ID.

Endpoint URL: `/plugin/products/threat-response/api/v1/alerts/{{id}}`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | number | required | Parameters for the Get Alert by ID action |

Input example:

```json
{"path_parameters": {"id": 123}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.id | number | Response data |
| data.state | string | Response data |
| data.type | string | Response data |
| data.guid | string | Response data |
| data.priority | object | Response data |
| data.severity | string | Response data |
| data.intelDocId | number | Response data |
| data.intelDocRevisionId | number | Response data |
| data.scanConfigId | number | Response data |
| data.scanConfigRevisionId | number | Response data |
| data.computerName | string | Response data |
| data.computerIpAddress | string | Response data |
| data.eid | number | Response data |
| data.details | string | Response data |
| data.alertedAt | string | Response data |
| data.createdAt | string | Response data |
| data.updatedAt | string | Response data |

Output example (truncated):

```json
{"status_code": 200, "response_headers": {"X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff", "X-XSS-Protection": "1", "Referrer-Policy": "no-referrer", "Strict-Transport-Security": "max-age=63072000; includeSubDomains;", "Content-Security-Policy": "default-src 'self';script-src 'self' 'unsafe-eval';frame-src 'self';child-src 's", "Server": "envoy", "X-Request-Id": "dad03cb0-49fc-49e4-86ec-e5f2165dd8fd", "Tanium-Threat-Response-Version": "4.5.126.0000", "Content-Encoding": "gzip", "Cache-Control"
```

### Get Collection Configs

Gets all of the live response collection configs, with offset and limit.

Endpoint URL: `/plugin/products/threat-response/api/v1/liveresponse/collectionconfigs`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.limit | number | optional | Parameters for the Get Collection Configs action |
| parameters.offset | number | optional | Parameters for the Get Collection Configs action |

Input example:

```json
{"parameters": {"limit": 1000, "offset": 0}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data.id | number | Response data |
| data.name | string | Response data |
| data.description | string | Response data |
| data.enabledModules | array | Response data |
| data.enabled | boolean | Response data |
| data.userDefined | boolean | Response data |
| data.revision | number | Response data |
| data.createdAt | string | Response data |
| data.updatedAt | string | Response data |
| data.hashes | array | Response data |
| data.fileCollectors | array | Response data |
| data.fileCollectors.file_name | string | Response data |
| data.fileCollectors.file | string | Response data |
| data.fileCollectorSets | array | Response data |
| data.fileCollectorSets.id | number | Response data |
| data.fileCollectorSets.name | string | Response data |
| data.fileCollectorSets.description | string | Response data |
| data.fileCollectorSets.enabled | boolean | Response data |
| data.fileCollectorSets.userDefined | boolean | Response data |
| data.fileCollectorSets.revision | number | Response data |
| data.fileCollectorSets.createdAt | string | Response data |
| data.fileCollectorSets.updatedAt | string | Response data |

Output example (truncated):

```json
{"status_code": 200, "response_headers": {"X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff", "X-XSS-Protection": "1", "Referrer-Policy": "no-referrer", "Strict-Transport-Security": "max-age=63072000; includeSubDomains;", "Content-Security-Policy": "default-src 'self';script-src 'self' 'unsafe-eval';frame-src 'self';child-src 's", "Server": "envoy", "X-Request-Id": "04d59489-3380-4d86-9b6c-1439da1c4a89", "Tanium-Threat-Response-Version": "4.5.131.0000", "Content-Encoding": "gzip", "Cache-Control"
```

### Get Intel Doc by ID

Get an intel doc by ID.

Endpoint URL: `/plugin/products/threat-response/api/v1/intels/{{id}}`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | number | required | Parameters for the Get Intel Doc by ID action |

Input example:

```json
{"path_parameters": {"id": 123}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.id | number | Response data |
| data.revisionId | number | Response data |
| data.type | string | Response data |
| data.typeVersion | string | Response data |
| data.intrinsicId | string | Response data |
| data.md5 | string | Response data |
| data.name | string | Response data |
| data.description | string | Response data |
| data.size | number | Response data |
| data.alertCount | number | Response data |
| data.unresolvedAlertCount | number | Response data |
| data.throttledFindingCount | number | Response data |
| data.labelIds | array | Response data |
| data.labelIds.file_name | string | Response data |
| data.labelIds.file | string | Response data |
| data.sourceId | number | Response data |
| data.blobId | string | Response data |
| data.isSchemaValid | boolean | Response data |
| data.contents | string | Response data |
| data.createdAt | string | Response data |
| data.updatedAt | string | Response data |
| data.allowAutoDisable | boolean | Response data |

Output example (truncated):

```json
{"status_code": 200, "response_headers": {"X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff", "X-XSS-Protection": "1", "Referrer-Policy": "no-referrer", "Strict-Transport-Security": "max-age=63072000; includeSubDomains;", "Content-Security-Policy": "default-src 'self';script-src 'self' 'unsafe-eval';frame-src 'self';child-src 's", "Server": "envoy", "X-Request-Id": "dad03cb0-49fc-49e4-86ec-e5f2165dd8fd", "Tanium-Threat-Response-Version": "4.5.126.0000", "Content-Encoding": "gzip", "Cache-Control"
```

### Get Response Actions

Gets all response actions.

Endpoint URL: `/plugin/products/threat-response/api/v1/response-actions`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.offset | number | optional | Parameters for the Get Response Actions action |
| parameters.limit | number | optional | Parameters for the Get Response Actions action |
| parameters.sortBy | string | optional | Parameters for the Get Response Actions action |
| parameters.sortOrder | string | optional | Parameters for the Get Response Actions action |
| parameters.queryPartialComputerName | string | optional | Parameters for the Get Response Actions action |
| parameters.queryStatus | string | optional | Parameters for the Get Response Actions action |
| parameters.queryType | string | optional | Parameters for the Get Response Actions action |

Input example:

```json
{"parameters": {"offset": 0, "limit": 1000, "sortBy": "createdAt", "sortOrder": "asc", "queryPartialComputerName": "computername", "queryStatus": "queued", "queryType": "liveresponse"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data.id | number | Response data |
| data.type | string | Response data |
| data.status | string | Response data |
| data.computerName | string | Response data |
| data.userId | number | Response data |
| data.personaId | object | Response data |
| data.username | string | Response data |
| data.options | object | Response data |
| data.options.packageName | string | Response data |
| data.options.packageParameters | array | Parameters for the Get Response Actions action |
| data.options.packageParameters.key | string | Parameters for the Get Response Actions action |
| data.options.packageParameters.value | string | Parameters for the Get Response Actions action |
| data.options.packageSkipLockFlag | boolean | Response data |
| data.results | object | Response data |
| data.results.taskIds | array | Response data |
| data.results.actionIds | array | Response data |
| data.results.actionIds.file_name | string | Response data |
| data.results.actionIds.file | string | Response data |
| data.results.errorCount | number | Response data |
| data.results.retryCount | number | Response data |
| data.expirationTime | string | Response data |
| data.createdAt | string | Response data |

Output example (truncated):

```json
{"status_code": 200, "response_headers": {"X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff", "X-XSS-Protection": "1", "Referrer-Policy": "no-referrer", "Strict-Transport-Security": "max-age=63072000; includeSubDomains;", "Content-Security-Policy": "default-src 'self';script-src 'self' 'unsafe-eval';frame-src 'self';child-src 's", "Server": "envoy", "X-Request-Id": "b4a6f11b-3743-484f-8c7e-3d3f0f8f3167", "Tanium-Threat-Response-Version": "4.5.131.0000", "Content-Encoding": "gzip", "Cache-Control"
```

### List Alerts

List alerts with optional filtering, sorting, and pagination.

Endpoint URL: `/plugin/products/threat-response/api/v1/alerts`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.state | string | optional | Parameters for the List Alerts action |
| parameters.type | string | optional | Parameters for the List Alerts action |
| parameters.matchType | string | optional | Parameters for the List Alerts action |
| parameters.path | string | optional | Parameters for the List Alerts action |
| parameters.priority | string | optional | Parameters for the List Alerts action |
| parameters.severity | string | optional | Parameters for the List Alerts action |
| parameters.intelDocId | number | optional | Parameters for the List Alerts action |
| parameters.intelType | string | optional | Parameters for the List Alerts action |
| parameters.intelDocName | string | optional | Parameters for the List Alerts action |
| parameters.intelSource | string | optional | Parameters for the List Alerts action |
| parameters.labelName | string | optional | Parameters for the List Alerts action |
| parameters.mitreId | string | optional | Parameters for the List Alerts action |
| parameters.scanConfigId | number | optional | Parameters for the List Alerts action |
| parameters.computerName | string | optional | Parameters for the List Alerts action |
| parameters.computerIpAddress | string | optional | Parameters for the List Alerts action |
| parameters.platform | string | optional | Parameters for the List Alerts action |
| parameters.details | string | optional | Parameters for the List Alerts action |
| parameters.alertedAtFrom | string | optional | Parameters for the List Alerts action |
| parameters.alertedAtUntil | string | optional | Parameters for the List Alerts action |
| parameters.guid | string | optional | Parameters for the List Alerts action |
| parameters.include | string | optional | Parameters for the List Alerts action |
| parameters.sort | string | optional | Parameters for the List Alerts action |
| parameters.expand | string | optional | Parameters for the List Alerts action |
| parameters.limit | number | optional | Parameters for the List Alerts action |
| parameters.offset | number | optional | Parameters for the List Alerts action |

Input example:

```json
{"parameters": {"state": "string", "type": "string", "matchType": "string", "path": "string", "priority": "string", "severity": "string", "intelDocId": 123, "intelType": "string", "intelDocName": "example_name", "intelSource": "string", "labelName": "example_name", "mitreId": "string", "scanConfigId": 123, "computerName": "example_name", "computerIpAddress": "string", "platform": "string", "details": "string", "alertedAtFrom": "string", "alertedAtUntil": "string", "guid": "string", "include": "string", "sort": "string", "expand": "string", "limit": 123, "offset": 123}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Output field meta |
| meta.totalCount | number | Count value |
| meta.filteredCount | number | Count value |
| data | array | Response data |
| data.id | number | Response data |
| data.state | string | Response data |
| data.type | string | Response data |
| data.guid | string | Response data |
| data.priority | object | Response data |
| data.severity | string | Response data |
| data.intelDocId | number | Response data |
| data.intelDocRevisionId | number | Response data |
| data.scanConfigId | number | Response data |
| data.scanConfigRevisionId | number | Response data |
| data.computerName | string | Response data |
| data.computerIpAddress | string | Response data |
| data.eid | number | Response data |
| data.details | object | Response data |
| data.matchType | string | Response data |
| data.path | string | Response data |
| data.alertedAt | string | Response data |
| data.createdAt | string | Response data |
| data.updatedAt | string | Response data |

Output example (truncated):

```json
{"status_code": 200, "response_headers": {"X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff", "X-XSS-Protection": "1", "Referrer-Policy": "no-referrer", "Strict-Transport-Security": "max-age=63072000; includeSubDomains;", "Content-Security-Policy": "default-src 'self';script-src 'self' 'unsafe-eval';frame-src 'self';child-src 's", "Server": "envoy", "X-Request-Id": "dad03cb0-49fc-49e4-86ec-e5f2165dd8fd", "Tanium-Threat-Response-Version": "4.5.126.0000", "Content-Encoding": "gzip", "Cache-Control"
```

### List Connections

List user connections.

Endpoint URL: `/plugin/products/threat-response/api/v1/conns`

Method: GET

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example (truncated):

```json
{"status_code": 200, "response_headers": {"X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff", "X-XSS-Protection": "1", "Referrer-Policy": "no-referrer", "Strict-Transport-Security": "max-age=63072000; includeSubDomains;", "Content-Security-Policy": "default-src 'self';script-src 'self' 'unsafe-eval';frame-src 'self';child-src 's", "Server": "envoy", "X-Request-Id": "4cb9ada9-7f2a-4d3e-8ae1-552a43853b01", "Tanium-Threat-Response-Version": "4.5.131.0000", "Content-Encoding": "gzip", "Cache-Control"
```

### List File Evidence

Get all file evidence records from the database.

Endpoint URL: `/plugin/products/threat-response/api/v1/filedownload`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.limit | number | optional | Maximum number of results to return (default 1000) |
| parameters.offset | number | optional | Offset into the result set (default 0) |
| parameters.sort | string | optional | Column by which to sort (default `downloaded`) |

Input example:

```json
{"parameters": {"limit": 1000, "offset": 0, "sort": "downloaded"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| fileEvidence | array | Unique identifier |
| fileEvidence.uuid | string | Unique identifier |
| fileEvidence.hostname | string | Unique identifier |
| fileEvidence.path | string | Unique identifier |
| fileEvidence.downloaded | string | Unique identifier |
| fileEvidence.hash | string | Unique identifier |
| fileEvidence.size | number | Unique identifier |
| fileEvidence.created | string | Unique identifier |
| fileEvidence.created_by | string | Unique identifier |
| fileEvidence.created_by_proc | string | Unique identifier |
| fileEvidence.last_modified | string | Unique identifier |
| fileEvidence.last_modified_by | string | Unique identifier |
| fileEvidence.last_modified_by_proc | string | Unique identifier |
| fileEvidence.tags | string | Unique identifier |
| fileEvidence.comments | string | Unique identifier |
| fileEvidence.createdAt | string | Unique identifier |
| fileEvidence.updatedAt | string | Unique identifier |
| totalCount | number | Count value |

Output example (truncated):

```json
{"status_code": 200, "response_headers": {"X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff", "X-XSS-Protection": "1", "Referrer-Policy": "no-referrer", "Strict-Transport-Security": "max-age=63072000; includeSubDomains;", "Content-Security-Policy": "default-src 'self';script-src 'self' 'unsafe-eval';frame-src 'self';child-src 's", "Server": "envoy", "X-Request-Id": "7da57a9c-244b-4f9d-bd46-cb7579476934", "Tanium-Threat-Response-Version": "4.5.131.0000", "Content-Encoding": "gzip", "Cache-Control"
```

### Update Alert State by ID

Update the state of a single alert by ID.

Endpoint URL: `/plugin/products/threat-response/api/v1/alerts/{{id}}`

Method: PUT

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | number | required | Parameters for the Update Alert State by ID action |
| state | string | optional | Parameter for Update Alert State by ID |

Input example:

```json
{"path_parameters": {"id": 123}, "state": "string"}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| alert | object | Output field alert |
| alert.id | number | Unique identifier |
| alert.state | string | Output field alert.state |
| alert.type | string | Type of the resource |
| alert.guid | string | Unique identifier |
| alert.priority | object | Output field alert.priority |
| alert.severity | string | Output field alert.severity |
| alert.intelDocId | number | Unique identifier |
| alert.intelDocRevisionId | number | Unique identifier |
| alert.scanConfigId | number | Unique identifier |
| alert.scanConfigRevisionId | number | Unique identifier |
| alert.computerName | string | Name of the resource |
| alert.computerIpAddress | string | Output field alert.computerIpAddress |
| alert.eid | number | Unique identifier |
| alert.details | string | Output field alert.details |
| alert.matchType | string | Type of the resource |
| alert.path | string | Output field alert.path |
| alert.alertedAt | string | Output field alert.alertedAt |
| alert.createdAt | string | Output field alert.createdAt |
| alert.updatedAt | string | Output field alert.updatedAt |

Output example (truncated):

```json
{"status_code": 200, "response_headers": {"X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff", "X-XSS-Protection": "1", "Referrer-Policy": "no-referrer", "Strict-Transport-Security": "max-age=63072000; includeSubDomains;", "Content-Security-Policy": "default-src 'self';script-src 'self' 'unsafe-eval';frame-src 'self';child-src 's", "Server": "envoy", "X-Request-Id": "dad03cb0-49fc-49e4-86ec-e5f2165dd8fd", "Tanium-Threat-Response-Version": "4.5.126.0000", "Content-Encoding": "gzip", "Cache-Control"
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Cache-Control | Directives for caching mechanisms | no-cache, no-store, must-revalidate |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Security-Policy | HTTP response header Content-Security-Policy | default-src 'self';script-src 'self' 'unsafe-eval';frame-src 'self';child-src 'self';worker-src 'self';media-src 'self';style-src 'self' 'unsafe-inline';img-src data: blob: 'self';frame-ancestors 'self';font-src 'self' data:;upgrade-insecure-requests;connect-src data: blob: 'unsafe-inline';block-all-mixed-content; |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Mon, 18 Mar 2024 06:41:07 GMT |
| Expires | The date/time after which the response is considered stale | 0 |
| Pragma | HTTP response header Pragma | no-cache |
| Referrer-Policy | HTTP response header Referrer-Policy | no-referrer |
| Server | Information about the software used by the origin server | envoy |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=63072000; includeSubDomains; |
| Tanium-Threat-Response-Version | HTTP response header Tanium-Threat-Response-Version | 4.5.131.0000 |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-Envoy-Upstream-Service-Time | HTTP response header X-Envoy-Upstream-Service-Time | 52 |
| X-Frame-Options | HTTP response header X-Frame-Options | SAMEORIGIN |
| X-Request-Id | A unique identifier for the request | dad03cb0-49fc-49e4-86ec-e5f2165dd8fd |
| X-XSS-Protection | HTTP response header X-XSS-Protection | 1 |
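As an added example (not code from the connector, Tanium, or this page), the following Python client pages through the List Alerts endpoint with `limit`/`offset` against `meta.totalCount` and then calls Update Alert State by ID for each match. It assumes the API token is sent in a `session` request header (an assumption mirroring the connector's `session` parameter); the transport and sample alerts are constructed so the example runs offline.

```python
import json
from typing import Callable, Dict, Iterator, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

ALERTS_PATH = "/plugin/products/threat-response/api/v1/alerts"

# A transport takes (method, url, headers, body) and returns (status, decoded JSON body).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, dict]]


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, dict]:
    """Real HTTP transport for a live tenant; TLS verification stays on, as with verify_ssl=true."""
    req = Request(url, data=body, headers=headers, method=method)
    with urlopen(req) as resp:
        return resp.status, json.loads(resp.read() or b"{}")


class ThreatResponseClient:
    def __init__(self, base_url: str, session_token: str, transport: Transport = urllib_transport):
        self.base_url = base_url.rstrip("/")
        # Assumption: the API token travels in a `session` header, mirroring the connector's `session` parameter.
        self.headers = {"session": session_token, "Content-Type": "application/json"}
        self.transport = transport

    def _call(self, method: str, path: str, params: Optional[dict] = None, body: Optional[dict] = None) -> dict:
        url = self.base_url + path + ("?" + urlencode(params) if params else "")
        data = json.dumps(body).encode() if body is not None else None
        status, payload = self.transport(method, url, self.headers, data)
        if status >= 400:  # a 401 here usually means a bad token or a caller outside Trusted IP Addresses
            raise RuntimeError(f"{method} {path} failed with HTTP {status}")
        return payload

    def iter_alerts(self, limit: int = 100, **filters) -> Iterator[dict]:
        """Yields alerts page by page, stopping once offset reaches meta.totalCount."""
        offset = 0
        while True:
            page = self._call("GET", ALERTS_PATH, params={"limit": limit, "offset": offset, **filters})
            rows = page.get("data", [])
            yield from rows
            offset += len(rows)
            if not rows or offset >= page.get("meta", {}).get("totalCount", 0):
                return

    def update_alert_state(self, alert_id: int, state: str) -> dict:
        """PUT /alerts/{id} with a state body, as documented for Update Alert State by ID."""
        return self._call("PUT", f"{ALERTS_PATH}/{alert_id}", body={"state": state})


# Constructed sample alerts; the state/severity values are illustrative, not Tanium's enumerations.
SAMPLE_ALERTS: List[dict] = [
    {"id": i, "state": "open", "severity": "high" if i % 2 else "low", "computerName": f"host-{i}"}
    for i in range(1, 6)
]


def fake_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, dict]:
    """Offline stand-in that answers in the limit/offset/meta.totalCount shape documented above."""
    if headers.get("session") != "test-token":
        return 401, {}
    path, _, query = url.partition("?")
    params = {k: v[0] for k, v in parse_qs(query).items()}
    if method == "GET" and path.endswith(ALERTS_PATH):
        rows = [a for a in SAMPLE_ALERTS if a["severity"] == params.get("severity", a["severity"])]
        off, lim = int(params.get("offset", 0)), int(params.get("limit", 1000))
        return 200, {"meta": {"totalCount": len(rows), "filteredCount": len(rows)}, "data": rows[off:off + lim]}
    if method == "PUT" and ALERTS_PATH + "/" in path:
        alert_id = int(path.rsplit("/", 1)[1])
        return 200, {"alert": {"id": alert_id, "state": json.loads(body)["state"]}}
    return 404, {}


def resolve_high_severity(client: ThreatResponseClient, limit: int = 2) -> List[int]:
    """Pages through high-severity alerts and updates each one; returns the ids it touched."""
    return [
        client.update_alert_state(alert["id"], "resolved")["alert"]["id"]
        for alert in client.iter_alerts(limit=limit, severity="high")
    ]
```

Swap `fake_transport` for the default `urllib_transport` to run the same flow against a tenant, keeping `http_proxy`-style routing and TLS verification in the transport rather than in the paging logic.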