Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Tanium Threat Response Alerts

Tanium Threat Response Alerts

Back
Iddd9aa0ff-7ac1-4448-879c-e1a18d5890b4
RulenameTanium Threat Response Alerts
DescriptionAlerts from Tanium Threat Response (THR) that can be acted upon by Microsoft Sentinel Playbook
SeverityHigh
KindScheduled
Query frequency5m
Query period6m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tanium/Analytic Rules/TaniumThreatResponseAlerts.yaml
Version1.2.0
Arm templatedd9aa0ff-7ac1-4448-879c-e1a18d5890b4.json
Deploy To Azure
let cap = (s:string) { strcat(toupper(substring(s,0,1)), substring(s,1))  };
TaniumThreatResponse_CL
| extend TaniumUrl = pack("computer_name", Computer_Name_s, "alert_guid", Alert_Id_g, "ip_address", Computer_IP_s, "platform", Match_Details_finding_system_info_platform_s)
| extend TaniumTHRLabel = strcat(cap(Intel_Type_s)," - ", cap(Intel_Name_s), " - ", cap(Match_Details_match_type_s))
| where Computer_IP_s !contains "N/A"

queryPeriod: 6m
query: |
  let cap = (s:string) { strcat(toupper(substring(s,0,1)), substring(s,1))  };
  TaniumThreatResponse_CL
  | extend TaniumUrl = pack("computer_name", Computer_Name_s, "alert_guid", Alert_Id_g, "ip_address", Computer_IP_s, "platform", Match_Details_finding_system_info_platform_s)
  | extend TaniumTHRLabel = strcat(cap(Intel_Type_s)," - ", cap(Intel_Name_s), " - ", cap(Match_Details_match_type_s))
  | where Computer_IP_s !contains "N/A"  
name: Tanium Threat Response Alerts
entityMappings:
- fieldMappings:
  - columnName: TaniumUrl
    identifier: Url
  entityType: URL
- fieldMappings:
  - columnName: Computer_IP_s
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: Computer_Name_s
    identifier: HostName
  entityType: Host
- fieldMappings:
  - columnName: TaniumTHRLabel
    identifier: Name
  entityType: Malware
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tanium/Analytic Rules/TaniumThreatResponseAlerts.yaml
alertDetailsOverride:
  alertDisplayNameFormat: '{{TaniumTHRLabel}}'
  alertDescriptionFormat: 'Alert from Tanium Threat Response. GUID: {{Alert_Id_g}}; Computer Name: {{Computer_Name_s}}; IP: {{Computer_IP_s}}'
requiredDataConnectors: []
description: Alerts from Tanium Threat Response (THR) that can be acted upon by Microsoft Sentinel Playbook
kind: Scheduled
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
    enabled: false
  createIncident: true
version: 1.2.0
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 5m
severity: High
relevantTechniques: []
triggerOperator: gt
triggerThreshold: 0
customDetails:
  TaniumAlertId: Alert_Id_g
  IntelId: Intel_Id_d
tactics: []
id: dd9aa0ff-7ac1-4448-879c-e1a18d5890b4