Reference: Tanium Audit Source data

You can use Tanium Connect to retrieve Tanium Server audit logs through the Tanium Audit Source. Most audit logs contain entries when objects on the Tanium Server are created, modified, or deleted. The data that is available in the audit logs depends on the version of the Tanium Core Platform and the type of audit.

You can configure Days of History Retrieved per connection run. If you set this to:

  • 0, the first connection run exports no prior days of audit log information. For each connection run after the first, the connection exports the audit log information generated since the previous connection run.

  • 1 or greater, the first connection run exports up to that many days of audit log information, prior to the connection run timestamp. For each connection run after the first, the connection exports up to that many prior days of audit log information generated since the previous connection run.

If set to 0, this export may contain a small number of audit log results if you select multiple audit types and some audit log results are generated after the connection run starts.

The following tables show the data returned by Tanium Core Platform 7.5.6.1067 and later.

Supported audit types

Connect supports the following audit types through the Tanium Audit Source:

Audit type | object_type_name log value | Audit information

Allowed URL | white_listed_url_audit | Includes entries when allowed URLs are created, modified, or deleted.

Allowed URL log entry example:

{"object_id":1234,"audit_name":"https://example.url.com", "creation_time":"2023-01-01T22:45:02Z","modification_time":"2023-01-01T22:45:02Z", "last_modified_by":"[email protected]","modifier_user_id":1234, "mod_user":{"id":1234,"name":"user","domain":"example","display_name":""},"details":"", "audit_row_id":1234, "type":2,"type_name":"DeleteObject", "object_name":"https://example.url.com","object_type_name":"white_listed_url_audit"}

API token | api_token_audit | Includes entries when API tokens are created, modified, or deleted.

API token log entry example:

{"object_id":12345,"audit_name":"RevokedToken ID 12345", "creation_time":"2023-01-01T11:10:37.000Z","modification_time":"2023-01-01T11:10:37.000Z", "last_modified_by":"[email protected]","modifier_user_id":123, "mod_user":{"id":123,"name":"[email protected]","domain":"","display_name":""},"mod_persona":{"id":1234, "name":"user_example_persona"},"details":"Revoked for user 123 with persona 1234", "audit_row_id":12345,"type":2,"type_name":"DeleteObject", "object_name":"","object_type_name":"api_token_audit"}

Authentication | authentication_audit | Successful and failed sign-on attempts.

Authentication log entry example:

{"object_id":123,"audit_name":"New Session Created", "creation_time":"2023-01-01T23:44:59.000Z","modification_time":"2023-01-01T23:44:59.000Z", "last_modified_by":"","modifier_user_id":0, "details":"User: [email protected]; Session ID: 12345678; Authentication Type: User; Originated from SOAPPluginScheduler", "audit_row_id":12345678,"type":0,"type_name":"CreateObject", "object_name":"","object_type_name":"authentication_audit"}

Content set | content_set_privilege_audit | Includes entries when content sets are created, modified, or deleted.

Content set privilege log entry example:

{"object_id":1234,"audit_name":"connect owner write", "creation_time":"2023-01-01T15:56:31Z","modification_time":"2023-01-01T15:56:31Z", "last_modified_by":"[email protected]","modifier_user_id":123,"mod_user":{"id":123,"name":"[email protected]", "domain":"","display_name":""},"details":"", "audit_row_id":123,"type":2,"type_name":"DeleteObject", "object_name":"screen sharing provisioning read", "object_type_name":"content_set_privilege_audit"}

Content set role | content_set_role_audit | Includes entries when roles are created, modified, or deleted.

Content set role log entry example:

{"object_id":1234,"audit_name":"example role read", "creation_time":"2023-01-01T20:41:36Z","modification_time":"2023-01-01T20:41:36Z", "last_modified_by":"[email protected]","modifier_user_id":123, "mod_user":{"id":123,"name":"[email protected]","domain":"", "display_name":""},"details":"Replaced content set role privileges [ ] with [ 12345 ]", "audit_row_id":1234,"type":0, "type_name":"CreateObject","object_name":"example role read", "object_type_name":"content_set_role_audit"}

Content set role membership | content_set_role_membership_audit | Includes entries when a user is assigned to a role or removed from a role.

Content set role membership log entry example:

{"object_id":1234,"audit_name":"ContentSetRoleMembership ID 1234", "creation_time":"2023-01-01T15:26:41Z","modification_time":"2023-01-01T15:26:41Z", "last_modified_by":"[email protected]","modifier_user_id":2345, "mod_user":{"id":2345,"name":"[email protected]","domain":"", "display_name":""},"details":"Assigned role 1234 to user 123", "audit_row_id":3456,"type":0,"type_name":"CreateObject", "object_name":"","object_type_name":"content_set_role_membership_audit"}

Content set role privilege | content_set_role_privilege_audit | Includes entries when privileges are created, modified, or deleted.

Content set role privilege log entry example:

{"object_id":12345, "audit_name":"","creation_time":"2023-01-01T19:46:48Z", "modification_time":"2023-01-01T19:46:48Z","last_modified_by":"[email protected]", "modifier_user_id":1234,"mod_user":{"id":1234,"name":"[email protected]", "domain":"","display_name":""},"details":"","audit_row_id":12345, "type":2,"type_name":"DeleteObject","object_name":"", "object_type_name":"content_set_role_privilege_audit"}

Content set user group role membership | content_set_user_group_role_membership_audit | Includes entries when a role is assigned to or removed from a user group.

Content set user group role membership log entry example:

{"object_id":123,"audit_name":"ContentSetUserGroupRoleMembership ID 433", "creation_time":"2023-03-29T15:26:41Z","modification_time":"2023-03-29T15:26:41Z", "last_modified_by":"[email protected]","modifier_user_id":1234,"mod_user":{"id":1234, "name":"[email protected]","domain":"","display_name":""},"details":"Assigned role 1234 to user group 123", "audit_row_id":123,"type":0,"type_name":"CreateObject","object_name":"", "object_type_name":"content_set_user_group_role_membership_audit"}

Dashboard | dashboard_audit | Includes entries when dashboards are created, modified, or deleted.

Dashboard log entry example:

{"object_id":123,"audit_name":"","creation_time":"2023-01-01T11:13:06Z", "modification_time":"2023-01-01T11:13:06Z","last_modified_by":"[email protected]", "modifier_user_id":123,"mod_user":{"id":123,"name":"[email protected]", "domain":"","display_name":""},"details":"","audit_row_id":123,"type":1, "type_name":"UpdateObject","object_name":"example dashboard", "object_type_name":"dashboard_audit"}

Dashboard group | dashboard_group_audit | Includes entries when dashboard groups are created, modified, or deleted.

Dashboard group log entry example:

{"object_id": 123,"audit_name": "","creation_time": "2023-01-01T13:56:27Z", "modification_time": "2023-01-01T13:56:27Z","last_modified_by": "[email protected]", "modifier_user_id": 123,"mod_user": {"id": 123, "name": "[email protected]","domain": "","display_name": ""} ,"details": "","audit_row_id": 123,"type": 1, "type_name": "UpdateObject","object_name": "example category group", "object_type_name": "dashboard_group_audit"}

Downloader authorized certificate | downloader_auth_cert_audit | Includes entries when certificate authentication remote sources for downloads authentication are created, modified, or deleted.

Downloader authorized certificate log entry example:

{"object_id":123,"audit_name":"Updated downloader_auth_cert", "creation_time":"2023-01-01T00:56:16Z","modification_time":"2023-01-01T00:56:16Z", "last_modified_by":"[email protected]","modifier_user_id":123, "mod_user":{"id":123,"name":"[email protected]","domain":"", "display_name":""},"details":"Updated downloader_auth_cert (ID:123)", "audit_row_id":123,"type":1,"type_name":"UpdateObject", "object_name":"https://example.url.com","object_type_name":"downloader_auth_cert_audit"}

Downloader authorized user | downloader_auth_user_audit | Includes entries when credential authentication remote sources for downloads authentication are created, modified, or deleted.

Downloader authorized user log entry example:

{"object_id":123,"audit_name":"Deleted downloader_auth_user", "creation_time":"2022-01-01T16:21:38Z","modification_time":"2022-01-01T16:21:38Z", "last_modified_by":"[email protected]","modifier_user_id":123, "mod_user":{"id":123,"name":"[email protected]","domain":"","display_name":""}, "details":"Deleted downloader_auth_user (ID:123)","audit_row_id":123,"type":2, "type_name":"DeleteObject","object_name":"example", "object_type_name":"downloader_auth_user_audit"}

Downloader trusted certificate | downloader_trusted_cert_audit | Includes entries when trusted certificates for downloads authentication are created, modified, or deleted.

Downloader trusted certificate log entry example:

{"object_id":123,"audit_name":"Created downloader_trusted_cert", "creation_time":"2023-01-01T16:56:56Z","modification_time":"2023-01-01T16:56:56Z", "last_modified_by":"[email protected]","modifier_user_id":123, "mod_user":{"id":123,"name":"[email protected]","domain":"", "display_name":""},"details":"Created downloader_trusted_cert (ID:1234)", "audit_row_id":1234,"type":0,"type_name":"CreateObject", "object_name":"","object_type_name":"downloader_trusted_cert_audit"}

Group | group_audit | Includes entries when groups are created, modified, or deleted. Includes entries for filter groups and management rights groups.

Group log entry example:

{"object_id":6411330,"audit_name":"example computer group", "creation_time":"2023-01-01T17:13:46Z","modification_time":"2023-01-01T17:13:46Z", "last_modified_by":"[email protected]","modifier_user_id":1234, "mod_user":{"id":1234,"name":"user","domain":"example","display_name":""}, "details":"","audit_row_id":12345,"type":0,"type_name":"CreateObject", "object_name":"example computer group","object_type_name":"group_audit"}

Intentional subnet | intentional_subnet_audit | Includes entries when intentional subnets are created, modified, or deleted.

Intentional subnet log entry example:

{"object_id":123,"audit_name":"Created intentional_subnet", "creation_time":"2023-01-01T19:18:28.000Z","modification_time":"2023-01-01T19:18:28.000Z", "last_modified_by":"[email protected]","modifier_user_id":123 ,"mod_user":{"id":123,"name":"[email protected]","domain":"", "display_name":""},"details":"Created intentional_subnet (ID:123)", "audit_row_id":123,"type":0,"type_name":"CreateObject", "object_name":"www.example.com","object_type_name":"intentional_subnet_audit"}

Isolated subnet | isolated_subnet_audit | Includes entries when isolated subnets are created, modified, or deleted.

Isolated subnet log entry example:

{"object_id":123,"audit_name":"Created isolated_subnet", "creation_time":"2023-01-01T19:18:07.000Z","modification_time":"2023-01-01T19:18:07.000Z", "last_modified_by":"[email protected]","modifier_user_id":123, "mod_user":{"id":123,"name":"[email protected]","domain":"", "display_name":""},"details":"Created isolated_subnet (ID:0)", "audit_row_id":1,"type":0,"type_name":"CreateObject", "object_name":"","object_type_name":"isolated_subnet_audit"}

Local setting | local_setting_audit | Includes entries when local settings are created, modified, or deleted.

Local setting log entry example:

{"object_id":123,"audit_name":"example_setting", "creation_time":"2023-01-01T19:14:20.000Z","modification_time":"2023-01-01T19:14:20.000Z", "last_modified_by":"[email protected]","modifier_user_id":123, "mod_user":{"id":123,"name":"[email protected]","domain":"", "display_name":""},"details":"Server: example server", "audit_row_id":1,"type":0, "type_name":"CreateObject","object_name":"", "object_type_name":"local_setting_audit"}

Package spec | package_spec_audit | Includes entries when packages are created, modified, or deleted.

Package log entry example:

{"object_id":123456,"audit_name":"Example package", "creation_time":"2023-01-01T22:39:10.000Z","modification_time":"2023-01-01T22:39:10.000Z", "last_modified_by":"","modifier_user_id":0,"details":"", "audit_row_id":123456,"type":2,"type_name":"DeleteObject","object_name":"Example package", "object_type_name":"package_spec_audit"}

Persona | persona_audit | Includes entries when personas are created, modified, or deleted.

Persona log entry example:

{"object_id":1234,"audit_name":"example persona", "creation_time":"2023-01-01T17:26:56Z","modification_time":"2023-01-01T17:26:56Z" ,"last_modified_by":"[email protected]","modifier_user_id":1234, "mod_user":{"id":1234,"name":"[email protected]","domain":"", "display_name":"example persona"},"details":"Insert persona", "audit_row_id":1234,"type":0,"type_name":"CreateObject", "object_name":"example persona","object_type_name":"persona_audit"}

PKI key configuration | pki_root_configuration_audit | Includes entries when root key configurations are created, modified, or deleted.

PKI key configuration log entry example:

{"object_id":123,"audit_name":"","creation_time":"2023-01-01T14:39:19.000Z", "modification_time":"2023-01-01T14:39:19.000Z","last_modified_by":"[email protected]", "modifier_user_id":123,"mod_user":{"id":123,"name":"[email protected]", "domain":"","display_name":""},"details":"","audit_row_id":1, "type":0,"type_name":"CreateObject","object_name":"", "object_type_name":"pki_root_configuration_audit"}

PKI root key | pki_root_key_audit | Includes entries when root keys are created, modified, or deleted.

PKI root key log entry example:

{"object_id":123,"audit_name":"example_host Root 1", "creation_time":"2023-01-01T14:39:19.000Z","modification_time":"2023-01-01T14:39:19.000Z", "last_modified_by":"[email protected]","modifier_user_id":123, "mod_user":{"id":123,"name":"[email protected]","domain":"","display_name":""}, "details":"Created key with fingerprint 8b0cd398201a1749a6e812342357783d90689058707d71c768083c1e336accf 7b5ce90b7b0abcd8175b963bb621fa32956785009cb610c4345f3ef713dfca983", "audit_row_id":1,"type":0,"type_name":"CreateObject","object_name":"", "object_type_name":"pki_root_key_audit"}

PKI server registration request | pki_server_registration_requests_audit | Includes entries when server registration requests are created, modified, or deleted.

PKI server registration request log entry example:

{"object_id":123,"audit_name":"","creation_time":"2023-01-01T14:39:19.000Z", "modification_time":"2023-01-01T14:39:19.000Z","last_modified_by":"[email protected]", "modifier_user_id":123,"mod_user":{"id":123,"name":"[email protected]","domain":"","display_name":""}, "details":"","audit_row_id":1,"type":0,"type_name":"CreateObject", "object_name":"","object_type_name":"pki_server_registration_requests_audit"}

Platform setting | system_setting_audit | Includes entries when platform settings are created, modified, or deleted.

Platform setting log entry example:

{"object_id":5,"audit_name":"max_strings_total_mb","creation_time":"2023-01-01T22:34:32Z","modification_time":"2023-01-01T22:34:32Z","last_modified_by":"", "modifier_user_id":0,"details":"Last updated by 'root' through the command line.","audit_row_id":1234, "type":1,"type_name":"UpdateObject", "object_name":"max_strings_total_mb", "object_type_name":"system_setting_audit"}

Plugin schedule | plugin_schedule_audit | Includes entries when plugin schedules are created, modified, or deleted.

Plugin schedule log entry example:

{"object_id":12345,"audit_name":"Connect Scheduled Connections For 1234:[email protected]","creation_time":"2023-01-01T06:06:07.000Z", "modification_time":"2023-01-01T06:06:07.000Z","last_modified_by":"[email protected]", "modifier_user_id":1234,"mod_user":{"id":1234,"name":"[email protected]","domain":"", "display_name":""},"details":"", "audit_row_id":12345,"type":0,"type_name":"CreateObject", "object_name":"Connect Scheduled Connections For 1234:[email protected]", "object_type_name":"plugin_schedule_audit"}

Saved action | saved_action_audit | Includes entries when saved actions are created, modified, or deleted.

Saved action log entry example:

{"object_id":123456,"audit_name":"Example saved action", "creation_time":"2023-01-01T23:05:53.000Z","modification_time":"2023-01-01T23:05:53.000Z", "last_modified_by":"[email protected]","modifier_user_id":1234,"mod_user":{"id":1234,"name":"user","domain":"example","display_name":""},"details":"","audit_row_id":123456, "type":2,"type_name":"DeleteObject", "object_name":"Example saved action","object_type_name":"saved_action_audit"}

Saved question | saved_question_audit | Includes entries when saved questions are created, modified, or deleted.

Saved question log entry example:

{"object_id":12345,"audit_name":"Example saved question","creation_time":"2023-01-01T21:06:04.000Z", "modification_time":"2023-01-01T21:06:04.000Z", "last_modified_by":"[email protected]", "modifier_user_id":1234,"mod_user":{"id":123,"name":"user","domain":"example","display_name":""},"details":"","audit_row_id":123456, "type":0,"type_name":"CreateObject","object_name":"Example saved question", "object_type_name":"saved_question_audit"}

Sensor | sensor_audit | Includes entries when sensors are created, modified, or deleted.

Sensor log entry example:

{"object_id":1234,"audit_name":"example sensor","creation_time":"2023-01-01T17:07:27Z","modification_time":"2023-01-01T17:07:27Z","last_modified_by":"[email protected]", "modifier_user_id":123,"mod_user":{"id":123,"name":"[email protected]", "domain":"","display_name":""},"details":"", "audit_row_id":12345,"type":1, "type_name":"UpdateObject", "object_name":"example sensor","object_type_name":"sensor_audit"}

Separated subnet | separated_subnet_audit | Includes entries when separated subnets are created, modified, or deleted.

Separated subnet log entry example:

{"object_id":123,"audit_name":"Created separated_subnet ","creation_time":"2023-01-01T19:17:54.000Z","modification_time":"2023-01-01T19:17:54.000Z", "last_modified_by":"[email protected]", "modifier_user_id":123,"mod_user":{"id":123,"name":"[email protected]","domain":"", "display_name":""},"details":"Created separated_subnet (ID:0)","audit_row_id":123,"type":0,"type_name":"CreateObject", "object_name":"", "object_type_name":"separated_subnet_audit"}

Users | user_audit | Includes entries when users are created, modified, or deleted.

User log entry example:

{"object_id":1234,"audit_name":"[email protected]","creation_time":"2023-01-01T14:46:43Z","modification_time":"2023-01-01T14:46:43Z", "last_modified_by":"","modifier_user_id":1234,"details":"Auto-provisioned user","audit_row_id":1234,"type":0,"type_name":"CreateObject","object_name":"[email protected]", "object_type_name":"user_audit"}

User group | user_group_audit | Includes entries when user groups are created, modified, or deleted.

User group log entry example:

{"object_id":265,"audit_name":"ContentSetUserGroupRoleMembership ID 1234","creation_time":"2023-01-01T15:26:41Z","modification_time":"2023-01-01T15:26:41Z","last_modified_by":"[email protected]","modifier_user_id":123, "mod_user":{"id":123,"name":"[email protected]","domain":"", "display_name":""}, "details":"Assigned role 1234 to user group 123","audit_row_id":1234,"type":1,"type_name":"UpdateObject","object_name":"example user group", "object_type_name":"user_group_audit"}

Zone server assignment | zone_server_assignments_audit | Includes entries when zone server assignments are created, modified, or deleted.

Zone server assignment log entry example:

{"object_id":123,"audit_name":"","creation_time":"2023-01-01T11:13:06Z", "modification_time":"2023-01-01T11:13:06Z", "last_modified_by":"[email protected]","modifier_user_id":123, "mod_user":{"id":123,"name":"[email protected]", "domain":"","display_name":""},"details":"","audit_row_id":123,"type":1, "type_name":"UpdateObject","object_name":"example zone server assignment", "object_type_name":"zone_server_assignments_audit"}

General audit table columns

Column | Description
audit_row_id | The row ID from the database table.
audit_name | The type of audit entry. Use this field to identify the audit type of the entry when you retrieve more than one audit type.
creation_time | The UTC timestamp of when the object was created.
details | Contains a description of the action.
last_modified_by | The name of the user who last modified the object.
mod_persona | Details for the persona who last modified the object. This field is null if no persona was used.
mod_user | Details for the user who last modified the object.
modification_time | The UTC timestamp of the last time that the object was modified.
modifier_user_id | The unique ID of the user who last modified the object. If the ID is 0, this is a system-generated event.
object_id | The ID of the object.
object_name | The name of the object that was modified. This field is empty for authentication audits.
object_type_name | The audit entry category. Use this field when you export audit entries of multiple categories to identify the audit type for individual entries.
type | The type of action that generated the audit entry. Values include:
  • 0 - Create
  • 1 - Update
  • 2 - Delete
type_name | The type of action that initiated the audit entry, in string form. Values include:
  • CreateObject
  • DeleteObject
  • FailedCreateObject
  • UpdateObject
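
Added example (not from the Tanium documentation): one way to turn exported configuration-change entries into flat records using the columns above, resolving the actor from modifier_user_id, mod_user and mod_persona and accepting both timestamp shapes that appear in the sample entries. The function names, the WATCHED selection and the sample entries are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Action codes from the "type" column of the general audit table.
ACTIONS = {0: "create", 1: "update", 2: "delete"}

# Assumption: which categories to watch is a local choice; the names are
# object_type_name values listed on this page.
WATCHED = {"api_token_audit", "content_set_role_membership_audit",
           "pki_root_key_audit", "user_audit"}


def parse_time(value):
    """Parse the two UTC timestamp shapes that appear in the sample entries."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognized timestamp: {value!r}")


def actor_of(entry):
    """Name who made the change; modifier_user_id 0 is a system-generated event."""
    if entry.get("modifier_user_id", 0) == 0:
        return "system"
    user = entry.get("mod_user") or {}
    name = user.get("name")
    if name and user.get("domain"):
        name = f"{user['domain']}\\{name}"
    # mod_user can be absent (as in the user_audit sample); fall back in order.
    name = name or entry.get("last_modified_by") or f"user-id:{entry['modifier_user_id']}"
    persona = entry.get("mod_persona") or {}
    return f"{name} as {persona['name']}" if persona.get("name") else name


def normalize(line):
    """Turn one exported JSON line into a flat change record.

    Not meant for authentication_audit entries, whose "type" values differ.
    """
    entry = json.loads(line)
    return {
        "time": parse_time(entry["modification_time"]),
        "category": entry["object_type_name"],
        "action": ACTIONS.get(entry["type"], entry.get("type_name", "unknown")),
        "actor": actor_of(entry),
        "object": entry.get("object_name") or entry.get("audit_name")
                  or f"id:{entry['object_id']}",
    }


def watched_changes(lines, watched=WATCHED):
    """Return records in the watched categories, oldest first."""
    records = (normalize(line) for line in lines if line.strip())
    return sorted((r for r in records if r["category"] in watched),
                  key=lambda r: r["time"])


# Constructed sample entries, trimmed to the fields used above.
SAMPLE = [json.dumps(e) for e in (
    {"object_id": 77, "audit_name": "RevokedToken ID 77", "type": 2,
     "modification_time": "2023-01-01T11:10:37.000Z", "modifier_user_id": 12,
     "mod_user": {"id": 12, "name": "alice", "domain": "corp"},
     "mod_persona": {"id": 5, "name": "auditor"}, "object_name": "",
     "object_type_name": "api_token_audit"},
    {"object_id": 5, "audit_name": "max_strings_total_mb", "type": 1,
     "modification_time": "2023-01-01T22:34:32Z", "modifier_user_id": 0,
     "object_name": "max_strings_total_mb", "object_type_name": "system_setting_audit"},
    {"object_id": 31, "audit_name": "bob", "type": 0, "last_modified_by": "",
     "modification_time": "2023-01-01T09:00:00Z", "modifier_user_id": 40,
     "object_name": "bob", "object_type_name": "user_audit"},
)]
```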

Authentication audit table columns

The authentication audit table is different from the other audit log tables because it tracks sign-on attempts, not configuration changes.

Column | Description
audit_row_id | The row ID from the database table.
audit_name | The type of audit entry. Use this field to identify the audit type of the entry when you retrieve more than one audit type.
creation_time | The UTC timestamp of the sign-on attempt.
details | Contains a description of the sign-on attempt. A successful sign-on shows the user, session ID, and IP address. A failed sign-on contains a reason for the failed attempt. Examples:
  • Failed Authentication Invalid session supplied. Session ID doesn't exist.
  • User: Administrator; Session ID: 2151; IP Address: 192.168.61.180
  • User: Administrator; Session ID: 69; Authentication Type: User; Originated from SOAPPluginScheduler
  • Incorrect User User does not exist: fake_user; IP Address: 192.168.61.180
last_modified_by | Not used.
mod_persona | Not used.
mod_user | Details for the user who initiated the sign-on attempt.
modification_time | The UTC timestamp of the sign-on attempt.
modifier_user_id | The unique ID of the user who initiated the sign-on attempt. If the ID is 0, this is a system-generated event; see the details column for more information.
object_id | The ID of the user who initiated the sign-on attempt. If the ID is 0, the user does not exist; see the details column for more information.
object_name | Not used for authentication audits.
object_type_name | The type of audit entry. Use this field when you export audit entries of multiple types to identify the audit type for individual entries.
type | The ID of the type of sign-on event that generated the entry. Values include:
  • 0 - New session created
  • 1 - Unused
  • 2 - User signed out
  • 3 - Failed authentication
type_name | The type of the sign-on event that generated the entry. Values include:
  • CreateObject - New session created
  • DeleteObject - User Logged out
  • FailedCreateObject - Failed authentication
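
Added example (not from the Tanium documentation): a parser for the authentication details column that handles the four example shapes listed above, plus a count of failed sign-ons per source address. The function names, the threshold and the sample entries are assumptions constructed for illustration; the sample addresses come from documentation ranges.

```python
import json
from collections import Counter

# Sign-on outcomes from the "type" column of the authentication audit table.
OUTCOMES = {0: "session_created", 2: "signed_out", 3: "failed"}
KNOWN_KEYS = {"User": "user", "Session ID": "session_id",
              "IP Address": "ip", "Authentication Type": "auth_type"}


def parse_details(details):
    """Split the free-text details column into fields plus leftover notes.

    A user name in a failed attempt is caller-supplied text. Later pairs
    overwrite earlier ones, so the IP address written at the end of the
    string (as in the examples above) is the one that is kept.
    """
    fields, notes = {}, []
    for part in (p.strip() for p in details.split(";")):
        key, sep, value = part.partition(": ")
        if sep and key in KNOWN_KEYS:
            fields[KNOWN_KEYS[key]] = value
        elif sep and key.endswith("User does not exist"):
            fields["user"] = value
            notes.append(key)
        elif part:
            notes.append(part)  # e.g. "Originated from ..." or a failure reason
    fields["notes"] = notes
    return fields


def classify(line):
    """Return a sign-on event dict, or None for non-authentication entries."""
    entry = json.loads(line)
    if entry.get("object_type_name") != "authentication_audit":
        return None  # configuration-change entry; "type" means something else
    event = parse_details(entry.get("details", ""))
    event["outcome"] = OUTCOMES.get(entry["type"], "unknown")
    event["time"] = entry["creation_time"]
    event["known_user"] = entry.get("object_id", 0) != 0  # 0: user does not exist
    return event


def failed_sources(lines, threshold=3):
    """Return {source: count} for sources with at least threshold failures."""
    counts = Counter()
    for line in lines:
        event = classify(line)
        if event and event["outcome"] == "failed":
            counts[event.get("ip", "no-ip-recorded")] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def sample_entry(type_id, type_name, details, object_id=0):
    """Build one constructed authentication_audit line for the sample below."""
    return json.dumps({"object_id": object_id, "audit_name": "",
                       "creation_time": "2023-01-01T10:00:00.000Z",
                       "details": details, "type": type_id, "type_name": type_name,
                       "object_type_name": "authentication_audit"})


# Constructed sample: three failures from one address, one failure with no
# address recorded, and one successful sign-on.
SAMPLE = [sample_entry(3, "FailedCreateObject",
                       f"Incorrect User User does not exist: guess{i}; IP Address: 198.51.100.7")
          for i in range(3)] + [
    sample_entry(3, "FailedCreateObject",
                 "Failed Authentication Invalid session supplied. Session ID doesn't exist."),
    sample_entry(0, "CreateObject",
                 "User: Administrator; Session ID: 2151; IP Address: 192.0.2.10", object_id=1),
]
```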