Exporting findings and assessments

Create a connection in Tanium Connect to export compliance and vulnerability findings to Connect destinations, such as Email, File, HTTP, Socket Receiver, Splunk, and SQL Server.

The following instructions will export all compliance findings and all vulnerability findings. See Export an assessment for instructions to export one assessment at a time.

Use the Tanium Comply (Assessments) Source in Connect to export vulnerability assessments. See Exporting vulnerability assessments. This provides the same functionality the Tanium Comply Source provided in previous versions.

Before you begin

  • You must have access to Connect with the Connect User role.
  • To customize columns, you must have Connect 4.9.49 or later and Comply 2.10.841 or later.

Exporting findings

  1. From the Connect menu, click Connections and then click Create Connection.
  2. Enter a name and description for your connection in the General Information section.
  3. In the Advanced section, set the following:
    • Log level:By default, the logging is set to Information. To reduce the amount of logging, you can set the log level to Warning, Error, or Fatal.
    • Minimum Pass Percentage: Minimum percentage of the expected rows that must be processed for the connection to succeed.
  4. In the Configuration section set the Source and Destination as follows:
    1. Select Tanium Comply (Findings) as the Source.
    2. In the Finding Type list, select Compliance, or Vulnerability or Remote Vulnerability.
    3. In the Filter by Group field, select a single computer group to filter by.
    4. In the Filter by Report field, select a defined report. The filters defined in the report export the data for the findings.

    5. If needed, modify the Advanced Settings for the source:
      • Query Timeout: Specifies the timeout for the request.
      • Batch Size: Specifies how many rows are exported.
  5. Configure the connection destination.
    Select a connection destination from the Destination list. Provide the configuration information for the destination you select. For more information on configuring destinations, see the Tanium Connect User Guide: Connection destinations.
  6. Configure the Format for the data. For information on configuring the format, see the section on the destination type that you selected in the Tanium Connect User Guide.
  7. (Optional) In the Configure Output section, configure a Filter.

    You can use filters to modify the data that you are getting from your connection source before it is sent to the destination.

    For more information about the types of filters you can configure, see Tanium Connect User Guide.

  8. (Optional) You can customize columns for the exported data. In the Columns section, select the available Source items and configure the Value Type and Customization, see Tanium Connect User Guide: Format data for emails.
  9. If you select to include First Found Date and Last Found Date columns (They are not included by default.), you must register the CVE sensors in Tanium Interact or you will get the following errors.

    First found represents the first time a vulnerability is identified in an environment. Note that if a vulnerability is found and remediated and then found again, the first found date is set to the date of the most recent first finding.

  10. Configure the Schedule for the connection. For information on how to run connections on a schedule, see Tanium Connect User Guide: Schedule connections. Enable the connection to run on a schedule.

    Select Enable. You can set up the schedule when you configure the rest of the connection. If the schedule is not enabled, the connection only runs when you manually run it.
  11. Click Save or Save and Run.

See Exported columns

Exporting vulnerability assessments

Create a connection in Tanium Connect to export data from vulnerability or remote vulnerability findings to Connect destinations, such as Email, File, HTTP, Socket Receiver, Splunk, and SQL Server.

Create a connection

  1. From the Connect menu, click Connections and then click Create Connection.
  2. Enter a name and description for your connection in the General Information section.
  3. In the Advanced section, set the following:
    • Log level:By default, the logging is set to Information. To reduce the amount of logging, you can set the log level to Warning, Error, or Fatal.
    • Minimum Pass Percentage: Minimum percentage of the expected rows that must be processed for the connection to succeed.
  4. In the Configure section set the Source and Destination as follows:
    1. Select Tanium Comply (Assessments) as the Source.
    2. In the Assessment Type list, Vulnerability is selected by default and is the only report type supported for use with Connect.
    3. Select an assessment from the Assessment Name list.
    4. The Include Endpoint findings and Include CVE details options determine which rows are exported from the assessment. Select one or both of these options.
    5. If needed, modify the Advanced Settings for the source:
      • Question Timeout: Specifies the timeout for the request.
      • Polling Interval: Specifies how often Comply is polled for updated data while the connection is active.
      • Batch Size: Specifies how many rows are exported.
      • Question completion percentage: The percentage of endpoints to provide responses from before exporting findings.
    6. Configure the connection destination.
      Select a connection destination from the Destination list. Provide the configuration information for the destination you select. For more information on configuring destinations, see the Tanium Connect User Guide: Connection destinations.
  5. Configure the Format for the data. For information on configuring the format, see the section on the destination type that you selected in the Tanium Connect User Guide.
  6. (Optional) Configure a Filter.

    You can use filters to modify the data that you are getting from your connection source before it is sent to the destination.

    For more information about the types of filters you can configure, see Tanium Connect User Guide.

  7. (Optional) You can customize columns for the exported data. In the Columns section, select the available Source items and configure the Value Type and Customization, see Tanium Connect User Guide: Format data for emails.
  8. If you select to include first_found_date or last_found_date columns, you must register the CVE sensors in Tanium Interact or you will get the following errors.

    First found represents the most recent date a finding was remediated. For example, if a finding was resolved, and a CVE is updated resulting in a new finding, First found displays the new remediation date.

  9. Configure the Schedule for the connection. For information on how to run connections on a schedule, see Tanium Connect User Guide: Schedule connections. Enable the connection to run on a schedule.

    Select Enable. You can set up the schedule when you configure the rest of the connection. If the schedule is not enabled, the connection only runs when you manually run it.
  10. Click Save or Save and Run.

See Exported columns

Test a connection and review data

  1. From the Connect menu, click Connections.
  2. Click the connection that you created for your Comply report.
  3. Click Run Now. Confirm that you want to run the connection.
  4. View the summary of the run.
  5. View the assessment or finding in the destination that you configured for the connection.

Exported columns

The following columns are exported for each finding and assessment type.

 
Compliance findings Vulnerability findings Remote vulnerability findings Vulnerability assessments
Computer Name Computer Name IP Address computerName
IP Address IP Address MAC Address ipAddress
Operating System Generation Operating System Generation MAC Vendor CVE
Operating System Operating System Service Name first_found_date
Rule CVE Service Port last_found_date
Rule ID CVE Year Service Version score
Standard Title OS Name title
Standard Version Severity OS Version severity
Profile CVSS Score CVE attack_vector
Version CVSS Vector CVE Summary oval_source
Status Category CVE Created CVE Published oval_definition
Status CVE Modified CVE Updated mitre_link
Description MITRE Link CVE CVSS Score nist_link
Rationale NIST Link CVE Links secpod_link
Fix Text Secpod Link   solution_links
CCE OVAL Definition   created_date
CCI OVAL Source   last_modified_date
Severity Solution Links   remediations
  Remediation   details
  Criteria1   criteria1
  Details   score_mapping
      id_mapping
1 Microsoft Excel does not properly handle line breaks in vulnerability CSV file exports. As a workaround, you can view the file with another tool or exclude the criteria column from the CSV export.