Configuring SIEM destinations

Before your connections can successfully send data to a destination, your Tanium as a Service instance must be configured. Contact Tanium Support with the destination URL or IP and service port to submit a request.

For more information, see Tanium as a Service Deployment Guide: Proxy access. For information on how to contact Tanium Support, see Contact Tanium Support.

Connect can send information to security information and event management (SIEM) products and services including Micro Focus ArcSight, IBM QRadar, LogRhythm, McAfee SIEM, and Splunk.

You can also configure a socket to receive data and configure a Tanium socket receiver destination. The configuration options for the destination are the same as SIEM destinations.

Specify general connection information

  1. On the Connect Overview page, scroll to the Connections section and click Create Connection.
  2. Enter a name and description for the connection.
  3. (Optional) In the General Information section, expand Advanced to configure the following settings:

    Log Level

    By default, the logging is set to Information. Set the log level to Trace or Debug if you are debugging the connection. To reduce the amount of logging, you can set the log level to Warning, Error, or Fatal.

    Minimum Pass Percentage

    Minimum percentage of the expected rows that must be processed for the connection to succeed.

Configure the connection source

The connection source determines what data you are sending to the destination. This data is usually information from Tanium, such as a saved question, question log, system status, or event. The settings vary depending on which source you choose.

Configure the SIEM destination

Specify details about the server to which you want to send the SIEM data.

  1. For the Destination, select the type of SIEM that you are configuring.
  2. Specify a name for the destination.
    You can either indicate a unique name to save the configuration information as a new destination, or you can select an existing SIEM destination from the list.
  3. Specify how to connect with the server (TCP/UDP), and where you want the data to go, such as the SIEM host and port.
  4. If the connection uses TLS encryption, select Secure. You can also select Trust on First Use to accept the certificate presented by the server and trust only that certificate for future connection runs.
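The Trust on First Use option pins the destination's certificate rather than validating it against a CA: the certificate seen on the first run is recorded, and any later run that sees a different certificate fails. The following Python is an added illustration of that behaviour, not Tanium Connect code; the `PinStore` class, the `verify` return values and the JSON pin file are assumptions, and the certificate bytes in the comments are constructed placeholders rather than real certificates.

```python
"""Trust-on-first-use (TOFU) certificate pinning, illustrated.

Added example, not Tanium Connect code. On the first run the fingerprint of
the server's certificate is recorded for host:port; later runs succeed only
if the server presents the same certificate. Names are assumptions.
"""
import hashlib
import json
import socket
import ssl
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinMismatch(Exception):
    """Raised when a destination presents a certificate other than the pinned one."""


class PinStore:
    """Maps 'host:port' to the fingerprint pinned on first use (optionally on disk)."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def verify(self, host, port, der_cert):
        """Return 'pinned' on first contact, 'ok' on a match; raise on mismatch."""
        key = f"{host}:{port}"
        seen = fingerprint(der_cert)
        pinned = self.pins.get(key)
        if pinned is None:
            # First use: record what we saw and trust only this from now on.
            self.pins[key] = seen
            self._save()
            return "pinned"
        if pinned != seen:
            raise PinMismatch(f"{key}: pinned {pinned}, server presented {seen}")
        return "ok"

    def _save(self):
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2))


def open_pinned_connection(host, port, store, timeout=5.0):
    """Open a TLS socket to the SIEM destination and apply the TOFU check.

    CA chain validation is turned off because TOFU replaces it: the pinned
    fingerprint, not a CA, decides whether this is the same server as before.
    Network call, so not exercised by the offline test below.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    store.verify(host, port, tls.getpeercert(binary_form=True))
    return tls


if __name__ == "__main__":
    # Constructed stand-in for DER certificate bytes (not a real certificate).
    store = PinStore()
    print(store.verify("siem.example", 6514, b"constructed-cert-A"))  # pinned
    print(store.verify("siem.example", 6514, b"constructed-cert-A"))  # ok
```

The pin is keyed on host and port, so a destination reached on a second port is pinned separately; a certificate rotation on the SIEM side therefore shows up as a failed run rather than a silently accepted new certificate, which is the point of the option.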

Configure filters

(Optional) In the Configure Output > Filters section, you can specify filters to modify the data that you are getting from your connection source before it is sent to the destination.

For more information about the types of filters you can configure, see Reference: Filtering options.

Format data

  1. When you select a SIEM destination, the data format that is normally expected by that SIEM is automatically selected. For example, if you select Splunk, the syslog format is already selected. However, you can customize the format as required. For more information about the data formats, see Reference: Format types.
  2. Choose the columns that you want to pass on to the SIEM destination.

    In the Configure Output > Columns section, you can change the Destination Label of each column and Value Type to force the column to be a String, Numeric, or Date/Time value.

    If you choose Numeric for the value, you can specify a default value that is used if the data cannot be coerced into a numeric value. You can specify any negative or positive number.

    If you choose Date/Time for the value, specify the Date/Time format that you want to use for the column. For more information about using a variable, see Time stamp variables.
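The Value Type setting decides how each column is coerced before it is written in the destination format, and the Numeric default is what covers the failure case where a cell cannot be turned into a number. The Python below is an added illustration of that coercion, not Tanium Connect code: the column specification keys, the accepted input timestamp patterns, the pass-through of an unparseable Date/Time value and the key=value syslog rendering are all assumptions, and the sample rows are constructed.

```python
"""Column value-type coercion (String / Numeric / Date/Time), illustrated.

Added example, not Tanium Connect code. Models the Columns section: each
column gets a Destination Label and a Value Type; Numeric carries a default
used when the cell cannot be coerced, Date/Time carries an output format.
Spec keys, input patterns and fallbacks are assumptions.
"""
from datetime import datetime

# Constructed column configuration in the shape the Columns section describes.
COLUMNS = [
    {"source": "Computer Name", "label": "host", "type": "String"},
    {"source": "Free Memory", "label": "free_mb", "type": "Numeric", "default": -1},
    {"source": "Last Reboot", "label": "rebooted_at", "type": "Date/Time",
     "format": "%Y-%m-%d %H:%M:%S"},
]

# Assumed set of timestamp layouts a source cell may arrive in.
INPUT_PATTERNS = ("%Y-%m-%d %H:%M:%S", "%Y-%m-%dT%H:%M:%SZ", "%m/%d/%Y %H:%M")


def coerce_numeric(raw, default):
    """Return the cell as a number, or `default` (any sign) if it cannot be parsed."""
    try:
        value = float(raw)
    except (TypeError, ValueError):
        return default
    return int(value) if value.is_integer() else value


def coerce_datetime(raw, out_fmt):
    """Re-render a parseable timestamp in `out_fmt`; pass through unchanged otherwise."""
    for pat in INPUT_PATTERNS:
        try:
            return datetime.strptime(str(raw), pat).strftime(out_fmt)
        except ValueError:
            continue
    return raw  # assumption: unparseable timestamps are forwarded as-is


def format_row(row, columns=COLUMNS):
    """Apply the column spec to one source row, keyed by Destination Label."""
    out = {}
    for col in columns:
        raw = row.get(col["source"])
        if col["type"] == "Numeric":
            out[col["label"]] = coerce_numeric(raw, col.get("default", 0))
        elif col["type"] == "Date/Time":
            out[col["label"]] = coerce_datetime(raw, col["format"])
        else:
            out[col["label"]] = "" if raw is None else str(raw)
    return out


def to_syslog_kv(fields):
    """Render the coerced row as key=value pairs (strings quoted, numbers bare)."""
    parts = []
    for key, value in fields.items():
        if isinstance(value, (int, float)):
            parts.append(f"{key}={value}")
        else:
            parts.append(f'{key}="{str(value).replace(chr(34), chr(92) + chr(34))}"')
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample rows: one clean, one with a cell that is not numeric.
    good = {"Computer Name": "ws-01", "Free Memory": "2048",
            "Last Reboot": "2024-03-01T08:15:00Z"}
    bad = {"Computer Name": "ws-02", "Free Memory": "[no results]",
           "Last Reboot": "unknown"}
    print(to_syslog_kv(format_row(good)))
    print(to_syslog_kv(format_row(bad)))  # free_mb falls back to -1
```

Choosing a default such as -1 that cannot occur in real data makes the coercion failures easy to find with a search on the SIEM side, which is preferable to a default of 0 that blends in with genuine readings.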

Schedule the connection

Connections can run at a highly configurable time interval, such as multiple times per hour, day, week, or month.

If you do not enable the schedule, the connection only runs when you manually run it.

Use the Schedule section to update the schedule:

  • Select Enable schedule.
  • In the Schedule Type, select Basic to build a schedule with the provided controls.
  • To view or edit the Cron expression directly, select Advanced - Define as a Cron Expression, and use the Advanced field to edit the Cron expression.
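When you define the schedule as a Cron expression it helps to confirm, before saving, which minutes it will actually fire on. The Python below is an added example, not Tanium Connect code: it evaluates a standard five-field expression (minute, hour, day of month, month, day of week with Sunday as 0) using `*`, lists, ranges and `/step`. Whether the Advanced field accepts exactly this syntax, and how it combines the two day fields, is an assumption to confirm against the product; this matcher requires both day fields to match.

```python
"""Minimal five-field cron evaluator for checking a Connect schedule.

Added example, not Tanium Connect code. Fields: minute hour day-of-month
month day-of-week (0-6, Sunday=0). Supports *, a,b lists, a-b ranges and
/step. The two day fields are ANDed here (an assumption; classic cron ORs
them when both are restricted).
"""
from datetime import datetime, timedelta

FIELD_RANGES = ((0, 59), (0, 23), (1, 31), (1, 12), (0, 6))


def _expand(field, lo, hi):
    """Expand one cron field into the set of integers it covers."""
    values = set()
    for part in field.split(","):
        base, _, step = part.partition("/")
        step = int(step) if step else 1
        if base == "*":
            start, end = lo, hi
        elif "-" in base:
            start, end = (int(x) for x in base.split("-", 1))
        else:
            start = int(base)
            end = hi if step > 1 else start  # "5/10" means 5,15,25,...
        if step < 1 or not (lo <= start <= end <= hi):
            raise ValueError(f"bad cron field {part!r}")
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr):
    """Validate an expression and return one value set per field."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 fields: minute hour day month weekday")
    return [_expand(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]


def _matches(fields, when):
    minute, hour, dom, month, dow = fields
    cron_dow = (when.weekday() + 1) % 7  # Python Monday=0 -> cron Sunday=0
    return (when.minute in minute and when.hour in hour
            and when.day in dom and when.month in month and cron_dow in dow)


def cron_matches(expr, when):
    """True if the schedule fires at the minute containing `when`."""
    return _matches(parse_cron(expr), when)


def next_runs(expr, start, count=3, horizon_days=366):
    """First `count` firing times strictly after `start`, at minute resolution.

    Scans at most `horizon_days` so an expression that never fires
    (for example a day that does not exist in that month) terminates.
    """
    fields = parse_cron(expr)
    t = start.replace(second=0, microsecond=0)
    found = []
    for _ in range(horizon_days * 1440):
        t += timedelta(minutes=1)
        if _matches(fields, t):
            found.append(t)
            if len(found) == count:
                break
    return found


if __name__ == "__main__":
    # Constructed reference time: 2024-03-01 08:00 is a Friday.
    now = datetime(2024, 3, 1, 8, 0)
    for t in next_runs("0 */6 * * 1-5", now):  # every 6 hours on weekdays
        print(t.isoformat())
```

Running `next_runs` on the expression you intend to enter shows the gaps (the weekend skip in the sample above) that a Basic schedule would not make obvious, and `parse_cron` rejects out-of-range values such as a minute of 60 before they reach the connection.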

Save and verify connection

  1. After you enter the details for the connection, click Save. If needed, resolve any errors or missing information. When the connection gets created, the connection displays in the Connections section of the Connect Overview page.
  2. To view details about when the connection is running, click the name of the connection. On the resulting connection details page, click the Logs tab.
  3. To view an individual run log, expand the row in the table.