Exporting findings and assessments

Create a connection in Tanium Connect to export compliance and vulnerability findings to Connect destinations, such as Email, File, HTTP, Socket Receiver, Splunk, and SQL Server.

The following instructions will export all compliance findings and all vulnerability findings. See Export assessments for instructions to export one assessment at a time.

Use the Tanium Comply (Assessments) Source in Connect to export vulnerability assessments. See Exporting vulnerability assessments. This source provides the same functionality that the Tanium Comply Source provided in previous versions.

Before you begin

  • You must have access to Connect with the Connect User role.
  • To customize columns, you must have Connect 4.9.49 or later and Comply 2.10.841 or later.

Exporting Findings

  1. From the Connect menu, click Connections and then click Create Connection.
  2. Enter a name and description for your connection in the General Information section.
  3. In the Advanced section, set the following:
    • Log level: By default, logging is set to Information. To reduce the amount of logging, you can set the log level to Warning, Error, or Fatal.
    • Minimum Pass Percentage: Minimum percentage of the expected rows that must be processed for the connection to succeed.
  4. In the Configuration section, set the Source and Destination as follows:
    1. Select Tanium Comply (Findings) as the Source.
    2. In the Finding Type list, select Compliance, Vulnerability, or Remote Vulnerability.
    3. In the Filter by Group field, select a single computer group to filter by.
    4. If needed, modify the Advanced Settings for the source:
      • Query Timeout: Specifies the timeout for the request.
      • Batch Size: Specifies how many rows are exported.
  5. Configure the connection destination.
    Select a connection destination from the Destination list. Provide the configuration information for the destination you select. For more information on configuring destinations, see the Tanium Connect User Guide: Connection destinations.
  6. Configure the Format for the data. For information on configuring the format, see the section on the destination type that you selected in the Tanium Connect User Guide.
  7. (Optional) In the Configure Output section, configure a Filter.

    You can use filters to modify the data that you are getting from your connection source before it is sent to the destination.

    For more information about the types of filters you can configure, see Tanium Connect User Guide.

  8. (Optional) You can customize columns for the exported data. In the Columns section, select the available Source items and configure the Value Type and Customization. See Tanium Connect User Guide: Format data for emails.
  9. Configure the Schedule for the connection. For information on how to run connections on a schedule, see Tanium Connect User Guide: Schedule connections. Enable the connection to run on a schedule.

    Select Enable. You can set up the schedule when you configure the rest of the connection. If the schedule is not enabled, the connection only runs when you manually run it.
  10. Click Save or Save and Run.

See Exported columns

Exporting vulnerability assessments

Create a connection in Tanium Connect to export data from vulnerability or remote vulnerability findings to Connect destinations, such as Email, File, HTTP, Socket Receiver, Splunk, and SQL Server.

Create a connection

  1. From the Connect menu, click Connections and then click Create Connection.
  2. Enter a name and description for your connection in the General Information section.
  3. In the Advanced section, set the following:
    • Log level: By default, logging is set to Information. To reduce the amount of logging, you can set the log level to Warning, Error, or Fatal.
    • Minimum Pass Percentage: Minimum percentage of the expected rows that must be processed for the connection to succeed.
  4. In the Configure section, set the Source and Destination as follows:
    1. Select Tanium Comply (Assessments) as the Source.
    2. In the Assessment Type list, Vulnerability is selected by default and is the only report type supported for use with Connect.
    3. Select an assessment from the Assessment Name list.
    4. The Include Endpoint findings and Include CVE details options determine which rows are exported from the assessment. Select one or both of these options.
    5. If needed, modify the Advanced Settings for the source:
      • Question Timeout: Specifies the timeout for the request.
      • Polling Interval: Specifies how often Comply is polled for updated data while the connection is active.
      • Batch Size: Specifies how many rows are exported.
      • Question completion percentage: The percentage of endpoints that must provide responses before findings are exported.
    6. Configure the connection destination.
      Select a connection destination from the Destination list. Provide the configuration information for the destination you select. For more information on configuring destinations, see the Tanium Connect User Guide: Connection destinations.
  5. Configure the Format for the data. For information on configuring the format, see the section on the destination type that you selected in the Tanium Connect User Guide.
  6. (Optional) Configure a Filter.

    You can use filters to modify the data that you are getting from your connection source before it is sent to the destination.

    For more information about the types of filters you can configure, see Tanium Connect User Guide.

  7. (Optional) You can customize columns for the exported data. In the Columns section, select the available Source items and configure the Value Type and Customization. See Tanium Connect User Guide: Format data for emails.
  8. Configure the Schedule for the connection. For information on how to run connections on a schedule, see Tanium Connect User Guide: Schedule connections. Enable the connection to run on a schedule.

    Select Enable. You can set up the schedule when you configure the rest of the connection. If the schedule is not enabled, the connection only runs when you manually run it.
  9. Click Save or Save and Run.

See Exported columns

Test a connection and review data

  1. From the Connect menu, click Connections.
  2. Click the connection that you created for your Comply report.
  3. Click Run Now. Confirm that you want to run the connection.
  4. View the summary of the run.
  5. View the assessment or finding in the destination that you configured for the connection.

Exported columns

The following columns are exported for each finding and assessment type.


| Compliance findings | Vulnerability findings | Remote vulnerability findings | Vulnerability assessments |
|---|---|---|---|
| Computer Name | Computer Name | IP Address | rowType |
| IP Address | IP Address | MAC Address | computerName |
| Operating System Generation | Operating System Generation | MAC Vendor | ipAddress |
| Operating System | Operating System | Service Name | CVE |
| Rule | CVE | Service Port | first_found_date |
| Rule ID | CVE Year | Service Version | last_found_date |
| Standard | Title | OS Name | score |
| Standard Version | Severity | OS Version | title |
| Profile | CVSS Score | CVE | severity |
| Version | CVSS Vector | CVE Summary | attack_vector |
| Status Category | CVE Created | CVE Published | oval_source |
| Status | CVE Modified | CVE Updated | oval_definition |
| Description | MITRE Link | CVE CVSS Score | mitre_link |
| Rationale | NIST Link | CVE Links | nist_link |
| Fix Text | Secpod Link | | secpod_link |
| CCE | OVAL Definition | | solution_links |
| CCI | OVAL Source | | created_date |
| Severity | Solution Links | | last_modified_date |
| | Remediation | | remediations |
| | Criteria | | details |
| | Details | | criteria |
| | | | score_mapping |
| | | | id_mapping |
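
When you review exported data at the destination, a receiving-side check can catch column drift (for example, after customizing columns) and unusable rows before the data is loaded into a SIEM or database. The following is an added example, not Tanium code: it assumes a File destination written as CSV with a header row that uses the Vulnerability findings column names listed above, and its own pass threshold only mirrors the idea of Minimum Pass Percentage. The function names and sample rows are constructed for illustration.

```python
import csv
import io
import re

# Column names copied from the "Vulnerability findings" list on this page.
EXPECTED = ("Computer Name,IP Address,Operating System Generation,Operating System,"
            "CVE,CVE Year,Title,Severity,CVSS Score,CVSS Vector,CVE Created,"
            "CVE Modified,MITRE Link,NIST Link,Secpod Link,OVAL Definition,"
            "OVAL Source,Solution Links,Remediation,Criteria,Details").split(",")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")  # standard CVE identifier syntax

def row_problem(row):
    """Return why a row is unusable downstream, or None if it is fine."""
    if not (row.get("Computer Name") or "").strip():
        return "missing Computer Name"
    if not CVE_RE.match((row.get("CVE") or "").strip()):
        return "malformed CVE id"
    try:
        score = float(row.get("CVSS Score") or "")
    except ValueError:
        return "non-numeric CVSS Score"
    return None if 0.0 <= score <= 10.0 else "CVSS Score out of range"

def validate_export(text, min_pass_pct=100.0):
    """Check header drift, then the share of rows that pass row_problem()."""
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    report = {"missing": [c for c in EXPECTED if c not in header],
              "unexpected": [c for c in header if c not in EXPECTED],
              "rejected": [], "total": 0}
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        report["total"] += 1
        if (why := row_problem(row)):
            report["rejected"].append((line_no, why))
    good = report["total"] - len(report["rejected"])
    report["pass_pct"] = 100.0 * good / report["total"] if report["total"] else 0.0
    report["ok"] = not report["missing"] and report["pass_pct"] >= min_pass_pct
    return report

def build_sample():
    """Constructed export: one good row, one bad CVE id, one bad score."""
    rows = [("host-a.example", "CVE-2099-0001", "9.8"),
            ("host-b.example", "2099-0002", "7.5"),
            ("host-c.example", "CVE-2099-0003", "high")]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=EXPECTED, restval="")
    writer.writeheader()
    writer.writerows({"Computer Name": h, "CVE": c, "CVSS Score": s} for h, c, s in rows)
    return buf.getvalue()
```

Calling `validate_export(build_sample(), min_pass_pct=60.0)` returns a report whose `rejected` list names the two bad lines and whose `ok` flag is false.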