With Tanium Connect™ (Connect), you can integrate Tanium® with a SIEM, log analytics tools, threat feeds, or send email notifications.
A connection is the link between a connection source and a connection destination. The connection source might be data that Tanium is creating, like an answer or a log message. The connection destination is something outside of Tanium that you are integrating with, like a security information and event management (SIEM) tool.
Connect includes templates for many common SIEM tools, file, log, and email formats. You can use these templates to integrate with configuration management databases (CMDB), trouble ticketing systems, and proprietary IT systems.
The action history is a record of all actions issued by console operators. To view this record in Tanium, click Actions > Action History. For more information, see Tanium Platform User Guide: Managing Action History.
Tanium Server keeps detailed audit logs for server configuration and settings changes. However, accessing these logs requires direct access to the Tanium database. To access the audit logs, you can set them up as a data source in Connect.
Tanium solutions, like Tanium IOC Detect™ and Tanium Discover™, can forward events to Connect as a data source. These events can then be used as a connection source in a connection and sent to any of the available connection destinations.
Palo Alto WildFire
Integration between Tanium and WildFire takes a list of confirmed malware from a Palo Alto firewall and requests a full report from the WildFire system. The full malware report is then converted into a standard indicator of compromise (IOC) and passed to the Tanium IOC Detect system for multiple endpoint compromise detection. For more information, see Configuring Palo Alto Networks WildFire and Tanium IOC Detect.
The question history log is a history of every question that has been asked. When you are using the question log as a data source in Tanium Connect, you can filter the log in several ways to reduce the total volume of data being sent. For more information, see Tanium Platform User Guide: Question History.
The reputation service is an aggregated repository of reputation data from various sources, including as Palo Alto WildFire and VirusTotal. You can choose which type of status to include, such as only malicious or suspicious content. You can choose to include the full report, which includes the detailed information from the reputation source, not just the status of the reputation item. You must have one or more reputation sources configured to get information from this connection source. For more information, see Configuring reputation data.
A saved question is a Tanium question that you want to ask on a repeated basis. For more information about saved questions, see Tanium Platform User Guide: Working with Saved Questions. You can use the following settings for saved questions:
|Use Cached Data||
To reduce the impact on endpoints, consider using the Use Cached Data setting. When enabled, the Use Cached Data setting pulls saved question results from the cache on the Tanium Server. If the saved question has not been asked before the connection is created, the connection asks the saved question the first time it runs.
You might want to enable the Flatten setting to process results as individual records. For example, you might want to get notified when you see a new MD5 hash on a machine. Without the Flatten setting enabled, the entire data set that is retrieved by the saved question from a machine, such as all MD5 hashes, is considered to be a single record. Any change that is made to this data set shows up in the destination. By enabling the Flatten setting, Connect processes the new hashes on an individual basis (one MD5 hash from one machine) instead of all hashes from a machine as a single record.
|Hide Errors||If the saved question returns an error, you can use the Hide Errors setting to prevent the error results from getting sent to the destination.|
|Hide No Results||If the saved question returns [No results], you can use the Hide No Results setting to prevent this result from being sent to the destination.|
|Recent||If you want to include results from machines that are offline, select Recent, which returns the most recent answer to the saved question for the offline endpoint.|
|Answer Complete Percent||
Results are returned when the saved question returns the configured complete percent value. Any results that come in after the configured percent value has passed are not sent to the destination. If you are finding that the data returned from the saved question is incomplete in your destination, you can disable this setting by setting it to 0. If disabled, all data is returned after the timeout passes.
|Timeout||Minutes to wait for clients to reply before returning processed results.|
|Batch Size||Number of rows that are returned for the saved question results at one time. This setting might vary depending on your destination.|
Use the server information in the following location as a connection source: https://<tanium_server>/info.json.
System status includes the state of all the endpoints, including some useful information about the endpoint like IP Address, position in the network, and the last time it registered with the Tanium Server. For more information about the system status data, see Tanium Platform User Guide: Monitoring System Status.
VirusTotal is an online catalog of known malware. The connection source for a connection is a combination of Tanium and VirusTotal data. For more information, see Configuring VirusTotal.
A connection run is a single iteration of sending data from a connection source to a connection destination. Use Cron schedules to adjust the timing of each connection run. You can have connections run at different combinations of on the minute, hour, day, week, or month. You can see when connections are running and how much data is being sent with the schedule view. For more information about schedules, see Schedule connections.
Last updated: 8/11/2017 2:28 PM | Feedback