Integrate Tanium as a Subscriber
CTIX automatically ingests threat data from multiple sources in different formats, giving analysts a centralized, holistic view of the threats relevant to the organization. Tanium can use CTIX as a data source over the TAXII protocol and perform threat analysis on the data it receives.
Using this integration, Tanium polls threat intel from the CTIX application using the STIX and TAXII protocols. Tanium fetches malicious MD5, SHA1, or SHA256 hashes from CTIX.
Once Tanium has received the CTIX data, you can, as an analyst, scan your configured machines for these malicious hashes.
About Tanium
Tanium offers an endpoint management and security platform for IT environments.
Configure Tanium as a STIX Subscriber
Configure Tanium as a STIX subscriber in the CTIX application to poll for threat data from the CTIX application using the TAXII credentials.
Before you Start:
The user must have the Create STIX Subscribers permission in CTIX.
Steps:
From Administration, select Integration Management and click Subscribers.
Click Add Subscriber and fill in the fields as follows:
Subscriber Name*: Enter the name of a subscriber.
Organization Name: Enter the organization name for the subscriber.
Organization Type(s): Select one or more organization types for the subscriber from the available list of sectors, such as Communications, E-commerce, or Educational Systems. You can create and manage organization types from the Organization Type module.
Primary Contact Details: Enter the organization's primary contact details: name, email, contact number, and contact address. The email address is used to send the source configuration credentials (TAXII URL, username, and password) to the subscriber.
Secondary Contact Details: Click +Show Secondary Contact Details and enter the organization's secondary contact details: name, email ID, mobile number, and contact address.
IP Address*: Enter the IP address used for secure threat intel exchange. This IP address is allow-listed and used for sharing Intel Packages.
Collections: Select collections to be added to the subscriber. You can also modify collection preferences for a Subscriber after creating a subscriber.
Confidence*: Enter a confidence score between 0 and 100 indicating the level of confidence users have in the Threat Intel Packages shared with this subscriber.
Email Credentials: Enable this option to automatically send the source authentication credentials to the organization's email address entered above.
Include Reference Links: Select to automatically include any reference links in the email sent out to the subscribers.
Click Add Subscriber.
Click Download and save the TAXII and MISP credentials. After this window closes, you cannot view these credentials again.
Configure Threat Response Source in Tanium
Using the TAXII credentials generated for Tanium in the CTIX application, set up CTIX as a threat response source in Tanium.
Before you Start:
Have the STIX subscriber details ready that you created in the CTIX application for Tanium.
Steps:
Sign in to Tanium with valid credentials.
In the top-left corner, click the menu.
Click Threat Response, select Intel, and then select Sources.
Click New Source.
For Type, select TAXII.
Provide the following information:
Name and Description: Enter a name and description for the integration.
TAXII URL: Enter the TAXII 1 URL generated from CTIX.
Username and Password: Enter the STIX subscriber credentials generated from CTIX.
Collection: Enter the collection generated from CTIX.
Initial History: Enter this only if you want to poll past data.
Subscription Interval: Set how often Tanium polls CTIX for data.
Click Create. The TAXII poll is created.
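Before relying on the endpoint scans, it is worth confirming that the poll actually returns hashes of the three types Tanium can scan for. The following added Python example (not CTIX or Tanium code) parses a TAXII 1.1 Poll_Response carrying STIX 1.x content and flags malformed hash values; the message, the collection name "ctix-tanium", and the hash values (hashes of an empty file plus one deliberately bad SHA1) are all constructed for the example.

```python
"""Parse a TAXII 1.1 Poll_Response carrying STIX 1.x content and extract the
file hashes a subscriber such as Tanium receives from CTIX (constructed data)."""
import re
import xml.etree.ElementTree as ET

NS = {
    "taxii_11": "http://taxii.mitre.org/messages/taxii_xml_binding-1.1",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
}
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}  # hex lengths Tanium scans for

# Constructed Poll_Response: MD5/SHA256 are empty-file hashes (placeholders), SHA1 is malformed.
SAMPLE_POLL_RESPONSE = """<taxii_11:Poll_Response
  xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
  xmlns:stix="http://stix.mitre.org/stix-1" xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" message_id="1" in_response_to="0" collection_name="ctix-tanium" more="false">
 <taxii_11:Content_Block>
  <taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.2"/>
  <taxii_11:Content><stix:STIX_Package><stix:Observables>
   <cybox:Observable><cybox:Object><cybox:Properties xsi:type="FileObj:FileObjectType">
    <FileObj:Hashes>
     <cyboxCommon:Hash><cyboxCommon:Type>MD5</cyboxCommon:Type>
      <cyboxCommon:Simple_Hash_Value>d41d8cd98f00b204e9800998ecf8427e</cyboxCommon:Simple_Hash_Value></cyboxCommon:Hash>
     <cyboxCommon:Hash><cyboxCommon:Type>SHA256</cyboxCommon:Type>
      <cyboxCommon:Simple_Hash_Value>e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</cyboxCommon:Simple_Hash_Value></cyboxCommon:Hash>
     <cyboxCommon:Hash><cyboxCommon:Type>SHA1</cyboxCommon:Type>
      <cyboxCommon:Simple_Hash_Value>not-a-hash</cyboxCommon:Simple_Hash_Value></cyboxCommon:Hash>
    </FileObj:Hashes>
   </cybox:Properties></cybox:Object></cybox:Observable>
  </stix:Observables></stix:STIX_Package></taxii_11:Content>
 </taxii_11:Content_Block>
</taxii_11:Poll_Response>"""


def extract_hashes(poll_response_xml):
    """Return (type, value, is_valid) for every hash in every Content_Block.
    is_valid is False for unknown types or malformed values, so a broken feed
    is caught before the hashes are pushed to endpoint scans."""
    root = ET.fromstring(poll_response_xml)
    if root.tag != f"{{{NS['taxii_11']}}}Poll_Response":
        raise ValueError("not a TAXII 1.1 Poll_Response")
    results = []
    for block in root.findall("taxii_11:Content_Block", NS):
        for h in block.iter(f"{{{NS['cyboxCommon']}}}Hash"):
            htype = h.findtext("cyboxCommon:Type", "", NS).strip().upper()
            value = h.findtext("cyboxCommon:Simple_Hash_Value", "", NS).strip().lower()
            ok = (htype in HASH_LEN and len(value) == HASH_LEN[htype]
                  and re.fullmatch(r"[0-9a-f]+", value) is not None)
            results.append((htype, value, ok))
    return results
```

Point the parser at the body of a real poll from the CTIX TAXII 1 URL to check that the subscribed collection serves well-formed MD5, SHA1, or SHA256 values before the first scan.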
View CTIX Data in Tanium
You can view the hashes received from CTIX over the TAXII protocol in Tanium.
Sign in to Tanium with valid credentials.
Select Modules and then select Threat Response.
From Intel, select Sources. The source created for CTIX appears here, and the hashes it has received are stored under it.