This documentation includes content for releases that might not be available on-premises. For the latest on-premises Comply documentation, see the PDF version of Tanium™ Comply User Guide version 2.18.390.
Exporting findings and assessments
Create a connection in Tanium Connect to export compliance and vulnerability findings to Connect destinations, such as Email,
The following instructions will export all compliance findings and all vulnerability findings. See Export an assessment for instructions to export one assessment at a time.
Use the Tanium Comply (Assessments) Source in Connect to export vulnerability assessments. See Exporting vulnerability assessments. This provides the same functionality the Tanium Comply Source provided in previous versions.
Before you begin
- You must have access to Connect with the Connect User role.
- It is recommended that you restart the Connect service after upgrading to Comply 2.13.
- To customize columns, you must have Connect 4.9.49 or later and Comply 2.10.841 or later.
Do not schedule exports during an upgrade maintenance window or during a Tanium Interact or Connect upgrade. In those cases, connections may be interrupted and fail.
Exporting findings
- From the Connect menu, click Connections and then click Create Connection.
- Enter a name and description for your connection in the General Information section.
- In the Advanced section, set the following:
- Log level: By default, the logging is set to Information. To reduce the amount of logging, you can set the log level to Warning, Error, or Fatal.
- Minimum Pass Percentage: Minimum percentage of the expected rows that must be processed for the connection to succeed.
- In the Configuration section, set the Source and Destination as follows:
- Select Tanium Comply (Findings) as the Source.
- In the Finding Type list, select Compliance, Vulnerability, or Network Unauthenticated.
- In the Filter by Group field, select a single computer group to filter by.
- In the Filter by Report field, select a defined report. The filters defined in the report export the data for the findings.
- If needed, modify the Advanced Settings for the source:
- Query Timeout: Specifies the timeout for the request.
- Batch Size: Specifies how many rows are exported.
Only computer groups that have all fields registered in TDS are available here.
- Configure the connection destination.
Select a connection destination from the Destination list. Provide the configuration information for the destination you select. For more information on configuring destinations, see the Tanium Connect User Guide: Connection destinations.
- (Optional) In the Configure Output section, configure a Filter.
You can use filters to modify the data that you are getting from your connection source before it is sent to the destination.
For more information about the types of filters you can configure, see Tanium Connect User Guide.
- Configure the Format for the data. For information on configuring the format, see the section on the destination type that you selected in the Tanium Connect User Guide.
- (Optional) You can customize columns for the exported data. In the Columns section, select the available Source items and configure the Destination Label, Value Type, and Customization. For more information, see Tanium Connect User Guide: Format data for emails. Note that customizing columns doesn't add new rows; it adds columns to existing rows.
- Any sensor that is registered in TDS and only has a single column in its sensor definition will appear as an option under Columns with a TDS Registered Sensor label.
- You can use Enhanced Tags to add labels to endpoints. If you are using an enhanced tag, it must be a single column sensor (Enhanced Tags - Single Value) and be harvested by TDS. For more information, see Enhanced Tags Documentation (Tanium KB). (Also note that "Evaluation Terms" in enhanced tags are reserved values to use for column headers.)
- If you choose to include the First Found Date and Last Found Date columns, those sensors (Comply - CVE Findings - First Found and Comply - CVE Findings - Last Found), along with Absolute First Found and Last Scan (Comply - CVE Findings - Absolute First Found and Comply - CVE Findings - Last Scan), are now registered by default.
See Column descriptions for details.
- Configure the Schedule for the connection. For information on how to run connections on a schedule, see Tanium Connect User Guide: Schedule connections.
- Enable the connection to run on a schedule. Select Enable. You can set up the schedule when you configure the rest of the connection. If the schedule is not enabled, the connection only runs when you manually run it.
- Click Save or Save and Run.
For the best results, if you use any sensors with a TDS Registered Sensor label as a column customization, rather than updating an existing connection, create a new connection with these custom columns, then disable and delete your existing connection.
See Exported columns
Exporting vulnerability assessments
Create a connection in Tanium Connect to export data from vulnerability or network unauthenticated findings to Connect destinations, such as Email, File, HTTP, Socket Receiver, Splunk, and SQL Server.
Create a connection
- From the Connect menu, click Connections and then click Create Connection.
- Enter a name and description for your connection in the General Information section.
- In the Advanced section, set the following:
- Log level: By default, the logging is set to Information. To reduce the amount of logging, you can set the log level to Warning, Error, or Fatal.
- Minimum Pass Percentage: Minimum percentage of the expected rows that must be processed for the connection to succeed.
- In the Configure section, set the Source and Destination as follows:
- Select Tanium Comply (Assessments) as the Source.
- In the Assessment Type list, Vulnerability is selected by default and is the only report type supported for use with Connect.
- Select an assessment from the Assessment Name list.
- The Include Endpoint findings and Include CVE details options determine which rows are exported from the assessment. Select one or both of these options.
- If needed, modify the Advanced Settings for the source:
- Question Timeout: Specifies the timeout for the request.
- Polling Interval: Specifies how often Comply is polled for updated data while the connection is active.
- Batch Size: Specifies how many rows are exported.
- Question completion percentage: The percentage of endpoints to provide responses from before exporting findings.
- Configure the connection destination.
Select a connection destination from the Destination list. Provide the configuration information for the destination you select. For more information on configuring destinations, see the Tanium Connect User Guide: Connection destinations.
- (Optional) Configure a Filter.
You can use filters to modify the data that you are getting from your connection source before it is sent to the destination.
For more information about the types of filters you can configure, see the Tanium Connect User Guide.
- Configure the Format for the data. For information on configuring the format, see the section on the destination type that you selected in the Tanium Connect User Guide.
- (Optional) You can customize columns for the exported data. In the Columns section, select the available Source items and configure the Destination Label, Value Type, and Customization. For more information, see Tanium Connect User Guide: Format data for emails. Note that customizing columns doesn't add new rows; it adds columns to existing rows.
- If you choose to include the First Found Date and Last Found Date columns, those sensors (Comply - CVE Findings - First Found and Comply - CVE Findings - Last Found), along with Absolute First Found and Last Scan (Comply - CVE Findings - Absolute First Found and Comply - CVE Findings - Last Scan), are now registered by default.
See Column descriptions for details.
- Configure the Schedule for the connection. For information on how to run connections on a schedule, see Tanium Connect User Guide: Schedule connections.
- Enable the connection to run on a schedule. Select Enable. You can set up the schedule when you configure the rest of the connection. If the schedule is not enabled, the connection only runs when you manually run it.
- Click Save or Save and Run.
See Exported columns
Column descriptions
If you choose to include the First Found Date, Last Found Date, Absolute First Found Date, and Last Scan Date columns, note the following distinctions between the sensors.
Sensor | Description |
---|---|
Comply - Compliance Findings - First Found | This returns the first found date for all the unique compliance findings present on an endpoint. If the compliance finding state changes (from Pass to Fail, for example), this date is reset to the new discovery date. |
Comply - Compliance Findings - Last Scan | This returns the last scan date for all the unique compliance findings present on an endpoint. |
Comply - CVE Findings - First Found | This returns the first time a vulnerability is identified in an environment. Note that if a vulnerability is found and remediated and then found again, the first found date is set to the date of the most recent first finding. |
Comply - CVE Findings - Last Found | This returns the last found date for all observed vulnerabilities that the endpoint is currently vulnerable to. |
Comply - CVE Findings - Absolute First Found | This returns the very first time a vulnerability is found on an endpoint, and this date is not reset if the vulnerability is remediated. Last scan date is useful for determining if findings have been remediated and to calculate mean time to remediate (MTTR). |
Comply - CVE Findings - Last Scan | This returns the last scan date for all observed vulnerabilities that the endpoint is currently vulnerable to. |
Test a connection and review data
- From the Connect menu, click Connections.
- Click the connection that you created for your Comply report.
- Click Run Now. Confirm that you want to run the connection.
- View the summary of the run.
- View the assessment or finding in the destination that you configured for the connection.
Exported columns
The following columns are exported for each finding and assessment type.
Compliance findings | Vulnerability findings | Network unauthenticated findings | Vulnerability assessments |
---|---|---|---|
Computer Name | Computer Name | IP Address | computerName |
IP Address | IP Address | MAC Address | ipAddress |
Operating System Generation | Operating System Generation | MAC Vendor | CVE |
Operating System | Operating System | Service Name | first_found_date |
Rule | CVE | Service Port | absolute_first_found_date |
Rule ID | CVE Year | Service Version | last_found_date |
Standard | First Found Date | OS Name | last_scan_date |
Standard Version | Absolute First Found Date | OS Version | score |
Profile | Last Found Date | CVE | title |
Version | Last Scan Date | CVE Summary | severity |
Status Category | Title | CVE Published | attack_vector |
Status | Severity | CVE Updated | oval_source |
Description | CVSS Score | CVE CVSS Score | oval_definition |
Rationale | CVSS Vector | CVE Links | mitre_link |
Fix Text | CVSS V2 Score | | nist_link |
CCE | CVSS V2 Vector | | secpod_link |
CCI | CVSS V2 Severity | | solution_links |
Severity | CVSS V3 Score | | created_date |
First Found Date | CVSS V3 Vector | | last_modified_date |
Last Scan Date | CVSS V3 Severity | | remediations |
Test ID | CVE Created | | details |
Expected Objects | CVE Modified | | criteria¹ |
Expected States | MITRE Link | | score_mapping |
Actual Values | NIST Link | | id_mapping |
 | Secpod Link | | |
 | OVAL Definition | | |
 | OVAL Source | | |
 | Solution Links | | |
 | Remediation | | |
 | Criteria¹ | | |
 | Details | | |
 | Common Platform Enumerations | | |
 | Affected Products | | |
 | Affected Platforms | | |
 | Test ID | | |
 | Expected Objects | | |
 | Expected States | | |
 | Actual Values | | |
 | CISA KEV | | |
 | CISA Vendor | | |
 | CISA Product | | |
 | CISA Vulnerability Name | | |
 | CISA Description | | |
 | CISA Required Action | | |
 | CISA Notes | | |
 | CISA Date Added | | |
 | CISA Due Date | | |
¹ Microsoft Excel does not properly handle line breaks in vulnerability CSV file exports. As a workaround, you can view the file with another tool or exclude the criteria column from the CSV export.
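As an added example (not part of the Tanium documentation or product), the following Python code reads a vulnerability findings CSV export with the standard csv module, which keeps quoted line breaks in the criteria column inside a single field, and applies the First Found versus Absolute First Found distinction from the column descriptions to flag findings that were remediated and then found again. The sample rows, the placeholder CVE IDs, the date format, and the assumption that the CSV header for the criteria column is exactly `Criteria` are constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample export, not real Comply output. Header names follow the
# "Vulnerability findings" column list; the date format is an assumption.
SAMPLE_CSV = (
    "Computer Name,CVE,First Found Date,Absolute First Found Date,Last Scan Date,Criteria\r\n"
    'host-a,CVE-0000-0001,2023-04-10,2023-01-05,2023-05-20,"line one\nline two"\r\n'
    'host-b,CVE-0000-0001,2023-02-01,2023-02-01,2023-05-20,"single line"\r\n'
    'host-c,CVE-0000-0002,2023-05-01,2023-03-15,2023-05-21,"a\nb\nc"\r\n'
)
DATE_FORMAT = "%Y-%m-%d"  # assumption: adjust to the format your export uses


def load_findings(text):
    """Parse the export; csv keeps quoted line breaks inside one field."""
    return list(csv.DictReader(io.StringIO(text, newline="")))


def summarize(rows):
    """Flag findings that were remediated and then found again.

    First Found is reset when a vulnerability reappears; Absolute First Found
    is not, so a later First Found date means the finding recurred.
    """
    out = []
    for row in rows:
        first = datetime.strptime(row["First Found Date"], DATE_FORMAT)
        absolute = datetime.strptime(row["Absolute First Found Date"], DATE_FORMAT)
        last_scan = datetime.strptime(row["Last Scan Date"], DATE_FORMAT)
        out.append({
            "host": row["Computer Name"],
            "cve": row["CVE"],
            "recurred": first > absolute,
            # Days from the very first detection to the most recent scan.
            "days_since_absolute_first": (last_scan - absolute).days,
            # Flatten line breaks so spreadsheet tools show one row per finding.
            "criteria": " / ".join(row["Criteria"].splitlines()),
        })
    return out


if __name__ == "__main__":
    for item in summarize(load_findings(SAMPLE_CSV)):
        print(item)
```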
Last updated: 5/30/2023 11:40 AM