IBM QRadar SOAR

  • 1.  Tanium integration GitHub repo

    Posted Thu May 23, 2019 01:26 PM
    Hi,

    I've been working on integration with the Tanium platform.  The app will allow you to query the endpoints for various data like running processes, autoruns, etc.

    more can be found here:

    https://github.com/ft44k/resilient_public/tree/master/tanium

    ------------------------------
    Jaroslav Brtan
    ------------------------------


  • 2.  RE: Tanium integration GitHub repo

    Posted Fri May 24, 2019 02:11 AM
    Hi Jaroslav,

    Thanks a lot for sharing it. I'll definitely have a look !

    We have used the REST API function from the fn_utilities package to get results from a saved question. They allow us to get results even if the machine is offline. Of course it can't be done for all data, but for generic data it's quite useful.



    ------------------------------
    Clément Fouque
    ------------------------------



  • 3.  RE: Tanium integration GitHub repo

    Posted Fri May 24, 2019 04:44 AM
    Hi Jaroslav,

    This is cool!

    Did you know anyone in the Community can submit Apps to our App Exchange?

    App Exchange: https://exchange.xforce.ibmcloud.com/hub/Resilient

    Signup/Login, scroll down and click Submissions Portal:



    ------------------------------
    Shane Curtin
    Integrations Engineer - IBM Resilient
    ------------------------------



  • 4.  RE: Tanium integration GitHub repo

    Posted Tue May 28, 2019 05:48 AM
    Hi Shane,

    that's awesome, if nothing else I get my code reviewed :)

    Thank you

    -Jaro

    ------------------------------
    Jaroslav Brtan
    ------------------------------



  • 5.  RE: Tanium integration GitHub repo

    Posted Tue May 28, 2019 04:53 AM
    Hi Clément,

    could you please share what data you query for with saved questions? Just looking for some inspiration.
    The integration I made is focused more on Incident Response.

    Thank you

    -Jaro

    ------------------------------
    Jaroslav Brtan
    ------------------------------



  • 6.  RE: Tanium integration GitHub repo

    Posted Wed May 29, 2019 04:58 AM
    Hi Jaroslav,

    Due to Tanium architecture, you're only able to get results from systems that are currently online. At the time you do incident response, the system might be offline. To work around this, we have created a saved question in Tanium with the merge feature. You'll have results presented as follows:

    System1 - Value1 - Value2 - Age
    PC01    - xxx    - xxx    - current
    PC01    - xxx    - xxx    - 1 week

    Even if the result is outdated, you can still get the latest value from when the system was online. For example, we are retrieving the last logged-in user, last reboot and members of local groups. You can think of user usage. Keep in mind that data is stored on servers, so you should be careful with the storage it could take.

    ------------------------------
    Clément Fouque
    ------------------------------



  • 7.  RE: Tanium integration GitHub repo

    Posted Thu June 06, 2019 02:23 AM
    Hi Clément,

    I store such data into mongodb so I can find anomalies during threat hunts.
    There is a new version on GitHub which adds function tanium_search_agent.
    Tanium seems to store information about connected agents for a month or so. This function helps to decide if an endpoint runs the agent.

    -Jaro

    ------------------------------
    Jaroslav Brtan
    ------------------------------
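The two ideas raised in the thread, keeping the freshest row per endpoint out of a merged saved question (reply 6) and hunting for anomalies over the stored results (reply 7), can be shown in a few lines of Python. The block below is an added example written for this page; it is not code from Jaroslav's repository or from the fn_utilities package. The rows, the `System - Value - Value - Age` layout, the age strings, and the baseline of expected local Administrators are all constructed for the example and are assumptions about what a merged question returns, not real Tanium output. It keeps the lowest-age row for each system, lists systems whose only result is older than a chosen limit, and flags local Administrators members that are not in the baseline.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample in the row shape described in reply 6
# (system - value - value - age). Values are made up, not real Tanium
# output. Columns: computer name, last logged-in user, members of the
# local Administrators group (';'-separated), age of the result.
SAMPLE_ROWS = """\
PC01 - alice - Administrator;alice - current
PC01 - alice - Administrator - 1 week
PC02 - carol - Administrator;svc_backup - 3 weeks
PC02 - carol - Administrator - 2 weeks
PC03 - dave - Administrator;dave - 2 days
"""

# Constructed baseline of expected local Administrators per host, standing
# in for the snapshots a hunter would keep in a store such as MongoDB.
BASELINE_ADMINS: Dict[str, Set[str]] = {
    "PC01": {"Administrator"},
    "PC02": {"Administrator"},
    "PC03": {"Administrator", "dave"},
}

# Assumed age vocabulary ("current", "N minutes/hours/days/weeks/months").
AGE_UNITS = {
    "minute": 60,
    "hour": 3600,
    "day": 86400,
    "week": 7 * 86400,
    "month": 30 * 86400,
}


@dataclass
class Row:
    system: str
    values: List[str]   # every column between the system name and the age
    age_seconds: int    # 0 means the endpoint answered in this run


def age_to_seconds(age: str) -> int:
    """Turn an age column such as 'current' or '2 weeks' into seconds."""
    text = age.strip().lower()
    if text == "current":
        return 0
    match = re.fullmatch(r"(\d+)\s+(minute|hour|day|week|month)s?", text)
    if not match:
        raise ValueError(f"unrecognised age column: {age!r}")
    return int(match.group(1)) * AGE_UNITS[match.group(2)]


def parse_rows(text: str) -> List[Row]:
    """Parse 'system - value - ... - age' lines; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [part.strip() for part in line.split(" - ")]
        if len(parts) < 3:
            raise ValueError(f"row needs at least system, value, age: {line!r}")
        rows.append(Row(parts[0], parts[1:-1], age_to_seconds(parts[-1])))
    return rows


def latest_per_system(rows: List[Row]) -> Dict[str, Row]:
    """Keep the freshest row (lowest age) for each system."""
    best: Dict[str, Row] = {}
    for row in rows:
        current = best.get(row.system)
        if current is None or row.age_seconds < current.age_seconds:
            best[row.system] = row
    return best


def stale_systems(latest: Dict[str, Row], max_age_seconds: int) -> List[str]:
    """Systems whose freshest result is older than the allowed age."""
    return sorted(name for name, row in latest.items()
                  if row.age_seconds > max_age_seconds)


def unexpected_admins(latest: Dict[str, Row],
                      baseline: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Local Administrators members not present in the baseline.

    Hosts missing from the baseline are treated conservatively: every
    member is reported. Only the freshest row per host is compared, so an
    older merged row that still lists a removed account does not fire.
    """
    findings: Dict[str, Set[str]] = {}
    for name, row in latest.items():
        members = {m for m in row.values[1].split(";") if m}
        extra = members - baseline.get(name, set())
        if extra:
            findings[name] = extra
    return findings


if __name__ == "__main__":
    latest = latest_per_system(parse_rows(SAMPLE_ROWS))
    for name, row in sorted(latest.items()):
        print(name, row.values, f"{row.age_seconds}s old")
    print("stale (>1 week):", stale_systems(latest, 7 * 86400))
    print("unexpected admins:", unexpected_admins(latest, BASELINE_ADMINS))
```

With the constructed rows, PC02's two-week-old row replaces the three-week-old one, so `svc_backup` is not reported even though it appears in the merged output; PC01 is flagged because `alice` was added to Administrators in the current result. The age limit passed to `stale_systems` is the knob that decides how old a cached answer may be before a responder should treat the endpoint as effectively unknown rather than trust the last value.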