活动
Tanium
Tanium 提供聚合终结点管理 (XEM) 参考平台来管理复杂的安全和技术环境。 Tanium 通过将跨 IT、风险、合规性和安全性的工作流集成到单个平台中,保护终结点免受网络威胁。 Tanium 提供跨设备的全面可见性、一组统一的控制措施、实时修正和通用分类,以大规模保护关键信息和基础结构。
备注
本文包含有关第三方插件的信息。 这是为了帮助完成集成方案而提供的。 但是,Microsoft不提供对第三方插件的故障排除支持。 请联系第三方供应商获取支持。
与 Microsoft Security Copilot 集成需要 Tanium 实例 URL 和 API 令牌。 在使用插件之前,需要执行以下步骤。
登录到 Tanium 控制台以检索配置 Tanium 插件所需的信息。
选择“模块>连接>概述”。 此时会显示“连接概述”页。
选择“设置”,然后选择“Microsoft Security Copilot”。 然后,按照以下步骤操作:
选择“Tanium 实例 URL 复制”,将 Tanium 实例 URL 复制到剪贴板。 将其粘贴到文本编辑器(如记事本)中。
选择“生成”以生成 API 令牌,并将令牌值复制到剪贴板。 将其粘贴到文本编辑器中。
通过从提示栏中选择“插件”按钮来访问“管理插件”。
在“其他”部分中,选择“Tanium”旁边的“设置”。
在“值”字段中,粘贴 Tanium 实例 URL 和 API 令牌。 然后保存你所做的更改。
配置 Tanium 插件后,可以使用它来检索有关组织中的终结点(设备)的信息。 下表列出了可以尝试的一些功能和示例提示:
功能 | 示例提示 |
---|---|
获取已登录用户 检索当前登录到终结点的用户 需要 Tanium Core Platform |
Using Tanium, return the user currently logged into the endpoint with the hostname hostname so that I can investigate possible unauthorized endpoint use. Return a Tanium Console Question Results URL so that I can view more real-time information for this endpoint. |
从终结点获取实时数据 基于 Tanium 传感器从终结点检索实时数据。 有关支持的传感器的详细信息 需要 Tanium Core Platform,依赖于传感器 |
Using Tanium, return the computer name and IP address of endpoints. Display the results in a table, alphabetically sorted by computer name, and return a Tanium Console Question Results URL so that I can view the real-time list of endpoints. |
对具有包版本的终结点进行计数 检索具有给定软件包的终结点的总计数 需要资产、SBOM |
Using Tanium, return the total number of endpoints with a software package for software-name, so that I can start cataloging which computers have the software installed. Display the results in a table, alphabetically sorted by host name, and return a Tanium Console Question Results URL so that I can view the real-time list of endpoints. |
列出具有包的终结点 检索最多 10 个具有给定软件包的终结点 需要资产、SBOM |
Using Tanium, return the endpoints with a software package for software-name so that I can start cataloguing which computers might have an out-of-date version. Display the results in a table, alphabetically sorted by host name, and return a Tanium Console Question Results URL so that I can view the real-time list of endpoints. |
列出进程 SHA-256 哈希和版本 检索给定进程的 SHA-256 文件哈希和版本 需要资产、SBOM 和威胁响应 |
Using Tanium, return the SHA-256 hash value and process version for the running process process-name, so that I can find other instances of this process based on the hash value. |
获取漏洞测试结果 返回终结点是否容易受到给定 CVE 攻击,以及它易受攻击的原因 需要 Tanium Comply |
Using Tanium, examine whether endpoint <hostname> is vulnerable to <cve-id>, and return the reasons that this endpoint is vulnerable, along with a suggested plan of action to remediate the intrusion. |
列出易受 CVE 影响的终结点 检索最多 10 个易受给定 CVE ID 攻击的终结点 需要 Tanium Comply |
Using Tanium, return the endpoints vulnerable to cve-id, so that I can remediate the vulnerability on these endpoints. Display the results in a table, sorted alphabetically by host name, and return a Tanium Console Question Results URL so that I can view the real-time list of endpoints. |
查看终结点进程 检索所请求终结点的“威胁响应实时连接”页的 URL,其中包含正在运行的进程列表 需要直接连接、威胁响应 |
Using Tanium, return a Threat Response Live Connection URL for the endpoint with the hostname hostname, so that I can review the running processes and identify potential vulnerabilities. |
列出服务模块详细信息 检索终结点的正在运行的服务模块信息,包括名称、描述文字和映像路径 需要事件响应 |
Using Tanium, return information for the service modules running on the endpoint with the hostname hostname, so that I can review the list for unexpected service modules. Display the results in a table, alphabetically sorted by service module name, and return a Tanium Console Question Results URL so that I can view the real-time list of service modules. |
列出服务进程详细信息 检索终结点的正在运行的服务进程信息,包括名称、进程 ID 和文件路径 需要事件响应 |
Using Tanium, return information for the service processes running on the endpoint with the hostname hostname, so that I can review the list for unexpected service processes. Display the results in a table, alphabetically sorted by service process name, and return a Tanium Console Question Results URL so that I can view the real-time list of service processes. |
列出 WMI 事件使用者 检索在终结点上运行的 Windows Management Instrumentation (WMI) 事件使用者 需要事件响应 |
Using Tanium, return the WMI event consumers running on the endpoint with the hostname hostname so that I can ensure only expected event consumers are running, and return a Tanium Console Question Results URL so that I can view the real-time list of event consumers. |
列出文件详细信息 按名称检索文件的详细信息,包括安装该文件的终结点、文件路径和文件大小 需要索引 |
Using Tanium, return information for the file named file-name so that I can determine if it is running on unintended endpoints. Display the results in a table, alphabetically sorted, and return a Tanium Console Question Results URL so that I can view the real-time list. 或 Using Tanium, return information for the file named file-name installed on the endpoint with the hostname hostname, so that I can determine if it is running on unintended endpoints. Display the results in a table, alphabetically sorted, and return a Tanium Console Question Results URL so that I can view real-time information. |
列出进程文件的子进程 返回基于给定进程文件名在终结点上运行的所有子进程 需要威胁响应 |
Using Tanium, list the child processes of process-name so that I can analyze resource usage. Display the results in a table, alphabetically sorted by process name, and return a Tanium Console Question Results URL so that I can view the real-time list of endpoints. 或 Using Tanium, list the child processes of process-name that are running on the computer with the hostname hostname, so that I can analyze resource usage. Display the results in a table, alphabetically sorted by process name, and return a Tanium Console Question Results URL so that I can view the real-time list of endpoints. |
使用 Process 命令列出终结点 检索最多 10 个运行给定命令行命令的终结点 需要威胁响应 |
Using Tanium, return the endpoints running the command line command process-command, so that I can ensure this process is not running on unexpected endpoints. Display the results in a table, sorted alphabetically by host name, and return a Tanium Console Question Results URL so that I can view the real-time list of endpoints. |
使用进程名称列出终结点 检索最多 10 个运行给定进程的终结点 需要威胁响应 |
Using Tanium, return the endpoints running a process called process-name, so that I can ensure this process is not running on unexpected endpoints. Display the results in a table, sorted alphabetically by host name, and return a Tanium Console Question Results URL so that I can view the real-time list of endpoints. |
使用进程 MD5 哈希列出终结点 检索与提供的 MD5 哈希值匹配的最多 10 个运行给定进程的终结点 需要威胁响应 |
Using Tanium, return all endpoints that are running a process with the MD5 hash value md5-hash-value, so that I can ensure this process is not running under a different file name. Display the results in a table, sorted alphabetically by host name, and return a Tanium Console Question Results URL so that I can view the real-time list of endpoints. |
列出文件操作 从终结点检索历史文件操作信息,包括终结点名称、文件路径和文件操作类型,例如创建或删除 需要威胁响应 |
Using Tanium, return file operation information for the endpoint named hostname running on the file path "_partial-file-path" over the past time-frame so that I can determine if any malicious file behavior is occuring on the endpoint. Display the results in a table, alphabetically sorted, and return a Tanium Console Question Results URL so that I can view the real-time list. 或 Using Tanium, return file operation information for files running on the file path "_partial-file-path" over the past time-frame so that I can determine if there is any malicious file creation or deletion. Display the results in a table, alphabetically sorted, and return a Tanium Console Question Results URL so that I can view the real-time list. |
列出连接到 IPv4 地址的进程 检索在具有给定 IPv4 地址的终结点上运行的进程 需要威胁响应 |
Using Tanium, return the processes running on the endpoint with the IPv4 address ipv4-address, so that I can analyze any potential security intrusions and resource usage. Display the results in a table, sorted alphabetically by process name, and return a Tanium Console Question Results URL so that I can view the real-time list of endpoints. |
列出以用户身份运行的进程 检索以给定用户身份在终结点上运行的进程 需要威胁响应 |
Using Tanium, return the processes running as the user user-name, so that I can determine whether there are issues with unauthorized access. Display the results in a table, sorted alphabetically by computer name, and return a Tanium Console Question Results URL so that I can view the real-time list of endpoints. 或 Using Tanium, return the processes running as the user user-name on the endpoint with the hostname hostname, so that I can determine whether there are issues with unauthorized access. Display the results in a table, sorted alphabetically by process name, and return a Tanium Console Question Results URL so that I can view the real-time list of endpoints. |
如果遇到错误(例如 无法完成请求或 发生未知错误),请确保插件已打开。 如果问题仍然存在,请注销Security Copilot,然后重新登录。
如果提示未调用正确的功能,或者提示调用其他一些功能集,则可能具有与要使用的功能集类似的自定义插件或其他插件。
若要提供反馈,请联系 Tanium。
其他资源
培训
认证
Microsoft Certified: Security Operations Analyst Associate - Certifications
使用 Microsoft Sentinel、Microsoft Defender for Cloud 和 Microsoft 365 Defender 调查、搜索和缓解威胁。