Reference: Tanium Audit Source data

You can use Tanium Connect to retrieve Tanium Server audit logs through the Tanium Audit Source. Most audit logs contain entries when objects on the Tanium Server are created, modified, or deleted. The data that is available in the audit logs depends on the version of the Tanium Core Platform and the type of audit.

The following tables show the data returned by Tanium Core Platform 7.4.4.1147 and later.

Supported audit types

Connect supports the following audit types through the Tanium Audit Source:

Audit type Audit information
Authentication Successful and failed sign-on attempts.
Content set Includes entries when content sets are created, modified, or deleted.
Content set role Includes entries when roles are created, modified, or deleted.
Content set role privilege Includes entries when privileges are created, modified, or deleted.
Dashboard Includes entries when dashboards are created, modified, or deleted.
Dashboard group Includes entries when dashboard groups are created, modified, or deleted.
Group Includes entries when groups are created, modified, or deleted. Includes entries for filter groups and management rights groups.
Package spec Includes entries when packages are created, modified, or deleted.
Plugin schedule Includes entries when plugin schedules are created, modified, or deleted.
Saved action Includes entries when saved actions are created, modified, or deleted.
Saved question Includes entries when saved questions are created, modified, or deleted.
Sensor Includes entries when sensors are created, modified, or deleted.
System setting Includes entries when global settings are created, modified, or deleted.
User Includes entries when users are created, modified, or deleted.
User group Includes entries when user groups are created, modified, or deleted.
Allowed URL Includes entries when allowed URLs are created, modified, or deleted.

General audit table columns

Column Description
audit_row_id The row ID from the database table.
creation_time The UTC timestamp of when the object was created.
details Contains a description of the action.
last_modified_by The name of the user who last modified the object.
mod_persona Details for the persona who last modified the object. This field is null if no persona was used.
mod_user Details for the user who last modified the object.
modification_time The UTC timestamp of the last time that the object was modified.
modifier_user_id The unique ID of the user who last modified the object.
object_id The ID of the object.
type The type of action that generated the audit entry.
audit_type The type of audit entry. Use this field to identify the audit type of the entry when you retrieve more than one audit type.

Authentication audit table columns

The authentication audit table is different from the other audit log tables because it tracks sign-on attempts, not configuration changes.

Column Description
audit_row_id The row ID from the database table.
creation_time The UTC timestamp of the sign-on attempt.
details Contains a description of the sign-on attempt. A successful sign-on shows the user, session ID, and IP address. A failed sign-on contains a reason for the failed attempt.

Examples:

  • Failed Authentication Invalid session supplied. Session ID doesn't exist.
  • User: Administrator; Session ID: 2151; IP Address: 192.168.61.180
  • User: Administrator; Session ID: 69; Authentication Type: User; Originated from SOAPPluginScheduler
  • Incorrect User User does not exist: fake_user; IP Address: 192.168.61.180
last_modified_by Not used.
mod_persona Not used.
mod_user Details for the user who initiated the sign-on attempt.
modification_time The UTC timestamp of the sign-on attempt.
modifier_user_id The unique ID of the user who initiated the sign-on attempt.
object_id The ID of the user who initiated the sign-on attempt. If the ID is 0, the user does not exist; see the details column for more information.
type The type of the sign-on event that generated the entry. Values include:
  • CreateObject - New session created
  • DeleteObject - User logged out
  • FailedCreateObject - Failed authentication
audit_type The type of audit entry. Use this field to identify the audit type of the entry when you retrieve more than one audit type.
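
An added example (not Tanium code) of triaging the authentication audit rows described above: it splits the details string into key/value fields and counts failed sign-ons per source IP. Assumptions: rows arrive as dicts keyed by the documented column names, the details layout is inferred from the four examples on this page, and the object_id values and the Sensor row are constructed.

```python
from collections import Counter

# Constructed sample rows. Keys are the column names documented above; the
# details strings are the page's four examples. Delivery as dicts and all
# object_id values are assumptions made for this example.
SAMPLE_ROWS = [
    {"audit_type": "Authentication", "type": "CreateObject", "object_id": 1,
     "details": "User: Administrator; Session ID: 2151; IP Address: 192.168.61.180"},
    {"audit_type": "Authentication", "type": "CreateObject", "object_id": 1,
     "details": "User: Administrator; Session ID: 69; Authentication Type: User; "
                "Originated from SOAPPluginScheduler"},
    {"audit_type": "Authentication", "type": "FailedCreateObject", "object_id": 0,
     "details": "Incorrect User User does not exist: fake_user; IP Address: 192.168.61.180"},
    {"audit_type": "Authentication", "type": "FailedCreateObject", "object_id": 1,
     "details": "Failed Authentication Invalid session supplied. Session ID doesn't exist."},
    {"audit_type": "Sensor", "type": "CreateObject", "object_id": 42, "details": "constructed"},
]

EVENTS = {"CreateObject": "sign_on", "DeleteObject": "sign_out",
          "FailedCreateObject": "failed"}

def parse_details(details):
    """Return ({key: value}, [free-text notes]) from a details string."""
    fields, notes = {}, []
    for segment in (s.strip() for s in details.split(";")):
        # Split on the first colon only, so IPv6 addresses stay intact.
        key, sep, value = segment.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
        elif segment:
            notes.append(segment)  # e.g. "Originated from ..." or a bare reason
    return fields, notes

def summarize_failures(rows):
    """Count failed sign-ons per source IP and list attempted nonexistent users."""
    by_ip, unknown_users = Counter(), []
    for row in rows:
        if row.get("audit_type") != "Authentication":
            continue  # other audit types record configuration changes
        if EVENTS.get(row.get("type")) != "failed":
            continue
        fields, _ = parse_details(row.get("details", ""))
        by_ip[fields.get("IP Address", "unknown")] += 1
        if row.get("object_id") == 0:  # documented: ID 0 means no such user
            unknown_users.append(next(
                (v for k, v in fields.items() if k.endswith("does not exist")), "?"))
    return dict(by_ip), unknown_users

if __name__ == "__main__":
    print(summarize_failures(SAMPLE_ROWS))
```

Failures whose details carry no IP address are counted under "unknown" rather than dropped, so they still show up in the totals.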