Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Tanium Threat Response Alerts

Tanium Threat Response Alerts

Back
Iddd9aa0ff-7ac1-4448-879c-e1a18d5890b4
RulenameTanium Threat Response Alerts
DescriptionAlerts from Tanium Threat Response (THR) that can be acted upon by Microsoft Sentinel Playbook
SeverityHigh
KindScheduled
Query frequency5m
Query period6m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tanium/Analytic Rules/TaniumThreatResponseAlerts.yaml
Version1.1.0
Arm templatedd9aa0ff-7ac1-4448-879c-e1a18d5890b4.json
Deploy To Azure
let cap = (s:string) { strcat(toupper(substring(s,0,1)), substring(s,1))  };
TaniumThreatResponse_CL
| extend TaniumUrl = pack("computer_name", Computer_Name_s, "alert_guid", Alert_Id_g, "ip_address", Computer_IP_s, "platform", Match_Details_finding_system_info_platform_s)
| extend TaniumTHRLabel = strcat(cap(Intel_Type_s)," - ", cap(Intel_Name_s), " - ", cap(Match_Details_match_type_s))
| where Computer_IP_s !contains "N/A"

queryFrequency: 5m
requiredDataConnectors: []
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tanium/Analytic Rules/TaniumThreatResponseAlerts.yaml
entityMappings:
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: TaniumUrl
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: Computer_IP_s
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: Computer_Name_s
- entityType: Malware
  fieldMappings:
  - identifier: Name
    columnName: TaniumTHRLabel
relevantTechniques: []
name: Tanium Threat Response Alerts
description: Alerts from Tanium Threat Response (THR) that can be acted upon by Microsoft Sentinel Playbook
query: |
  let cap = (s:string) { strcat(toupper(substring(s,0,1)), substring(s,1))  };
  TaniumThreatResponse_CL
  | extend TaniumUrl = pack("computer_name", Computer_Name_s, "alert_guid", Alert_Id_g, "ip_address", Computer_IP_s, "platform", Match_Details_finding_system_info_platform_s)
  | extend TaniumTHRLabel = strcat(cap(Intel_Type_s)," - ", cap(Intel_Name_s), " - ", cap(Match_Details_match_type_s))
  | where Computer_IP_s !contains "N/A"  
queryPeriod: 6m
triggerOperator: gt
severity: High
tactics: []
id: dd9aa0ff-7ac1-4448-879c-e1a18d5890b4
version: 1.1.0
kind: Scheduled
triggerThreshold: 0

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dd9aa0ff-7ac1-4448-879c-e1a18d5890b4')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dd9aa0ff-7ac1-4448-879c-e1a18d5890b4')]",
      "properties": {
        "alertRuleTemplateName": "dd9aa0ff-7ac1-4448-879c-e1a18d5890b4",
        "customDetails": null,
        "description": "Alerts from Tanium Threat Response (THR) that can be acted upon by Microsoft Sentinel Playbook",
        "displayName": "Tanium Threat Response Alerts",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "TaniumUrl",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "Computer_IP_s",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer_Name_s",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "Malware",
            "fieldMappings": [
              {
                "columnName": "TaniumTHRLabel",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tanium/Analytic Rules/TaniumThreatResponseAlerts.yaml",
        "query": "let cap = (s:string) { strcat(toupper(substring(s,0,1)), substring(s,1))  };\nTaniumThreatResponse_CL\n| extend TaniumUrl = pack(\"computer_name\", Computer_Name_s, \"alert_guid\", Alert_Id_g, \"ip_address\", Computer_IP_s, \"platform\", Match_Details_finding_system_info_platform_s)\n| extend TaniumTHRLabel = strcat(cap(Intel_Type_s),\" - \", cap(Intel_Name_s), \" - \", cap(Match_Details_match_type_s))\n| where Computer_IP_s !contains \"N/A\"\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT6M",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [],
        "techniques": [],
        "templateVersion": "1.1.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}