Configuring file destinations

File destinations are not supported with Tanium as a Service.

You can configure flat text or JSON files as your connection destination. By default, files are written to the \Program Files\Tanium\Tanium Module Server\services\connect-files\output directory on Windows. On a Tanium™ Appliance, files are written to /opt/mounts/connect by default, or you can specify a file share mount for Connect. For more information, see Tanium Appliance Deployment Guide: Configure solution module file share mounts.

Specify general connection information

  1. On the Connect Overview page, scroll to the Connections section and click Create Connection.
  2. Enter a name and description for the connection.
  3. (Optional) In the General Information section, expand Advanced to configure the following settings:

    Log Level

    By default, the logging is set to Information. Set the log level to Trace or Debug if you are debugging the connection. To reduce the amount of logging, you can set the log level to Warning, Error, or Fatal.

    Minimum Pass Percentage

    Minimum percentage of the expected rows that must be processed for the connection to succeed.

Configure the connection source

The connection source determines what data you are sending to the destination. This data is usually information from Tanium, such as a saved question, question log, system status, or event. The settings vary depending on which source you choose.

Action History

The action history is a record of all actions issued by console operators. To view this record in Tanium, go to Administration > Actions > Action History. For more information, see Tanium Platform User Guide: Managing Action History.

Event

Tanium solutions, like Tanium™ Discover, Tanium™ Network Quarantine, and Tanium™ Integrity Monitor, can forward events to Connect as a data source. These events can then be used as a connection source in a connection and sent to any of the available connection destinations. For more information, see Tanium Discover User Guide: Configure event notifications, Tanium Network Quarantine User Guide: Configuring notifications, and Tanium Integrity Monitor User Guide: Sending events from basic monitors.

Palo Alto WildFire

Integration between Tanium and WildFire takes a list of confirmed malware from a Palo Alto firewall and requests a full report from the WildFire system. The full malware report is then converted into a standard indicator of compromise (IOC) and passed to the Threat Response system for multiple endpoint compromise detection. For more information, see Configuring Palo Alto Networks WildFire and Tanium Threat Response.

Question History

The question history log is a history of every question that has been asked. When you are using the question log as a data source in Connect, you can filter the log in several ways to reduce the total volume of data being sent. For more information, see Tanium Platform User Guide: Question History.

Saved Question

A saved question is a Tanium question that you want to ask on a repeated basis. For more information about saved questions, see Tanium Interact User Guide: Managing saved questions.

You can use the following settings for saved question sources:

Setting Description
Flatten Results You might want to enable the Flatten Results setting to process results as individual records. For example, you might want to get notified when you see a new MD5 hash on a machine. Without the Flatten Results setting enabled, the entire data set that is retrieved by the saved question from a machine, such as all MD5 hashes, is considered to be a single record. Any change that is made to this data set shows up in the destination. By enabling the Flatten Results setting, Connect processes the new hashes on an individual basis (one MD5 hash from one machine) instead of all hashes from a machine as a single record.
Hide Errors If the saved question returns an error, you can use the Hide Errors setting to prevent the error results from getting sent to the destination.
Hide No Results If the saved question returns [No results], you can use the Hide No Results setting to prevent this result from being sent to the destination.
Include Recent Answers If you want to include results from machines that are offline, select Include Recent Answers, which returns the most recent answer to the saved question for the offline endpoint.
Answer Complete Percent

Results are returned when the saved question returns the configured complete percent value. Any results that come in after the configured percent value has passed are not sent to the destination. If you are finding that the data returned from the saved question is incomplete in your destination, you can disable this setting by setting it to 0. If disabled, all data is returned after the timeout passes.
Timeout Minutes to wait for clients to reply before returning processed results when Answer Complete Percent is set to 0. If the Answer Complete Percent value is not met at the end of the time limit, then the connection run is marked as a failure.
Batchsize Number of rows that are returned for the saved question results at one time. This setting might vary depending on your destination.

Server Information Source

Use the server information in the following location as a connection source: https://<tanium_server>/info.json.

System Status

System Status includes the state of all the endpoints, including some useful information about the endpoint like IP Address, position in the network, and the last time it registered with the Tanium Server. For more information about the System Status data, see Tanium Platform User Guide: Monitoring System Status.

Tanium™ Asset

Tanium Asset comes with a set of predefined reports to help you prepare for audit and inventory activities. You can also create your own custom reports and views. For each report or view, you can create a connection that specifies a report or view as a data source. Currently supported destinations include Email, File, HTTP, Socket Receiver, Splunk, and SQL Server. For more information, see Tanium Asset User Guide: Asset overview.

Tanium Audit Source

Tanium Server keeps detailed audit logs for server configuration and settings changes. However, accessing these logs requires direct access to the Tanium database. To access the audit logs, you can set them up as a data source in Connect. For more information, see Tanium Security Recommendations Guide: Enable and forward Tanium logs.

Tanium™ Comply

Tanium Comply comes with a set of predefined reports and allows you to create custom reports to help support enterprise compliance goals. For Vulnerability reports, you can create a connection that specifies a report as a data source. For more information, see Tanium Comply User Guide: Comply overview.

Tanium Data Service

The Tanium Data Service enables you to see stored sensor results for endpoints that are offline at the moment you issue a saved question. For more information, see Tanium Console User Guide: Manage sensor results collection.

Tanium Discover

Tanium Discover contains reports that maintain an inventory of interfaces in your environment. For each report, you can create a connection that specifies a report as a data source. For more information, see Tanium Discover User Guide: Discover overview.

Tanium™ Reputation

Tanium Reputation is an aggregated repository of reputation data from various sources, including Palo Alto WildFire, ReversingLabs, and VirusTotal. You can choose which type of status to include, such as only malicious or suspicious content. You can choose to include the full report, which includes the detailed information from the reputation source, not just the status of the reputation item. You must have one or more reputation sources configured to get information from this connection source. For more information, see Tanium Reputation User Guide: Reputation overview.

Tanium™ Threat Response

Tanium Threat Response contains audit reports for actions that were performed in Threat Response. For each report, you can create a connection that specifies a report as a data source. For more information, see Tanium Threat Response User Guide: Threat Response overview.

Tanium™ Trends

Tanium Trends provides data visualization panels from saved question or module sources. You can create boards that organize one or more panels. For each board, you can create a connection that specifies a board as a data source in HTML format. Valid destinations are AWS S3, Email, or File. For more information, see Tanium Trends User Guide: Trends overview.

Configure the file destination

Specify details about the file that you want Connect to create, including the file name and how you want to save the file.

  1. Name the destination.

    You can either indicate a unique name to save the configuration information as a new destination, or you can select an existing file destination from the list.
  2. Indicate the file name or use a variable, as listed in Reference: Variables. On Windows, files are written to the \Program Files\Tanium\Tanium Module Server\services\connect-files\output directory.
    • The file name can include a subdirectory to create in the \Program Files\Tanium\Tanium Module Server\services\connect-files\output directory, or just the file name. For example, if you specify high_cpu_results\cpu_results.txt, the file is written to: \Program Files\Tanium\Tanium Module Server\services\connect-files\output\high_cpu_results\cpu_results.txt.
    • If you want to point to the file directory on the Module Server from another location, create a symbolic link with the mklink command. For example, if you wanted a symbolic link from the c:\logs\mylogs directory to the Connect logs directory, you might run: 

      mklink /d "c:\logs\mylogs" "c:\Program Files\Tanium\Tanium Module Server\services\connect-files\output\logs\mylogs"

    • You can choose to compress the resulting file as a gzip or zip file. The file extension is automatically added to the end of the file name.

    On Tanium Appliance, files are written to /opt/mounts/connect or you can specify a file share mount for Connect. For more information, see Tanium Appliance Deployment Guide: Configure solution module file share mounts.

  3. (Optional) In the Advanced section, add a time stamp to the file name.
    You can choose from the formats that are available, or enter your own time stamp format in ISO 8601 format.
  4. (Optional) Compress or replace files.
    Choose whether you want to replace the contents of the file when the connection runs, or if you want to append to the file contents. If you choose to replace the file contents, you can also compress the resulting file in zip or gzip format.

Configure filters

(Optional) In the Configure Output > Filters section, you can specify filters to modify the data that you are getting from your connection source before it is sent to the destination.

For more information about the types of filters you can configure, see Reference: Filtering options.

Format data for file

You can choose to save your file in any of the available formats, as listed in Reference: Format types. Each format has slightly different configuration options, but all allow you to choose which column data to save.

In the Configure Output > Columns section, you can change the Destination Label of each column and Value Type to force the column to be a String, Numeric, or Date/Time value.

If you choose Numeric for the value, you can specify a default value that is used if the data cannot be coerced into a numeric value. You can specify any negative or positive number.

If you choose Date/Time for the value, specify the Date/Time format that you want to use for the column. For more information about using a variable, see Time stamp variables.

Schedule the connection

Connections can run at a highly configurable time interval, such as multiple times per hour, day, week, or month.

If you do not enable the schedule, the connection only runs when you manually run it.

Use the Schedule section to update the schedule: 

  • Select Enable schedule.
  • In the Schedule Type, select Basic to build a schedule with the provided controls.
  • To view or edit the Cron expression directly, select Advanced - Define as a Cron Expression, and use the Advanced field to edit the Cron expression.

A quick reference to Cron syntax follows. You can use Crontab to build a Cron expression.

 ┌──────────── minute
 │ ┌────────── hour
 │ │ ┌──────── day of month
 │ │ │ ┌────── month
 │ │ │ │ ┌──── day of week
 │ │ │ │ │
 │ │ │ │ │
 * * * * *

Each asterisk is a field that must be included in the Cron expression. The field value can either be an asterisk (any value) or one of the following values:

Table 1:   Valid values for Cron fields
Field Value
minute 0-59
hour 0-23
day of month 1-31
month 1-12
day of week (Sunday is 0 and 7) 0-7

Save and verify connection

  1. After you enter the details for the connection, click Save. If needed, resolve any errors or missing information. When the connection gets created, the connection displays in the Connections section of the Connect Overview page.
  2. To view details about when the connection is running, click the name of the connection. On the resulting connection details page, click the Logs tab.
  3. To view an individual run log, expand the row table.