Exporting Impact data

You can export data from Impact to Tanium Connect. You can export data using the Tanium Impact or Tanium Threat Response data sources in Connect.

Connections to create

Purpose Source type Instructions Sample output
Export inbound and outbound Impact data for users, groups, or endpoints. Tanium Impact Create connection to export Impact data CSV example: Impact data export
Export Impact and outbound Impact scores as part of a Threat Response alert. Tanium Threat Response Tanium Threat Response User Guide: Export data to Tanium Connect JSON example: Threat Response alert with Impact data export

Create connection to export Impact data

  1. Create the connection.
    1. From the Main menu, open Tanium Connect. Click Create Connection.
    2. Name the connection.
  2. In the Source section, select the Tanium Impact source. Select the asset type to include.
  3. Select a destination. For more information, see Tanium Connect User Guide.
  4. Apply filters.
  5. Choose format settings and schedule.
  6. Click Save.

CSV example: Impact data export

The following is an example of Impact data exported to a CSV output using the Tanium Impact source in Connect.

JSON example: Threat Response alert with Impact data export

The following is an example of Impact data exported as part of a Threat Response alert in Connect. Note the Impact data in line 66.

Copy
[{"id":"1311","state":"unresolved","type":"detect.match","guid":"00000000-0000-0000-7da5-15056817fd17","priority"
:"high","severity":"info","intelDocId":149,"intelDocRevisionId":null,"scanConfigId":10,"scanConfigRevisionId":1,
"computerName":"My-verybadlaptop","computerIpAddress":"192.168.8.2","matchType":"process","eid":2001,"details":
"{\"finding\":{\"whats\":[{\"intel_intra_ids\":[{\"id\":1855798049},{\"id\":3033354457},{\"id\":3426971627}],\
"source_name\":\"recorder\",\"artifact_activity\":{\"relevant_actions\":[{\"verb\":6,\"target\":{\"file\":{\
"path\":\"C:\\\\Program Files\\\\Microsoft Office\\\\Updates\\\\Download\\\\PackageFiles\\\\6E48D237-4AC5-484B-
BF23-2F5E628DD32D\\\\root\\\\Office16\\\\Library\\\\Analysis\\\\ANALYS32.XLL\",\"size_bytes\":\"245760\",\
"modification_time\":\"2022-02-24T09:07:36.000Z\",\"instance_hash_salt\":\"132897442232920173\"},\"instance_hash\"
:\"308809884249771034\",\"artifact_hash\":\"10579797389185226535\"},\"timestamp\":\"2022-02-24T09:07:36.000Z\",\
"tanium_recorder_event_table_id\":\"4611686018476368681\"},{\"verb\":8,\"target\":{\"file\":{\"path\":\"C:\\\\
WINDOWS\\\\system32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Microsoft\\\\Office\\\\OTele\\\\
officeclicktorun.exe.db-wal\",\"size_bytes\":\"12392\",\"modification_time\":\"2022-02-24T09:06:08.000Z\
",\"instance_hash_salt\":\"132899412650062637\"},\"instance_hash\":\"12150348097614906623\",\"artifact_hash\":
\"8976838609497398981\"},\"timestamp\":\"2022-02-24T09:06:08.000Z\",\"tanium_recorder_event_table_id\":\
"4611686018476365859\"},{\"verb\":6,\"target\":{\"file\":{\"path\":\"C:\\\\Program Files\\\\Microsoft Office
\\\\Updates\\\\Download\\\\PackageFiles\\\\6E48D237-4AC5-484B-BF23-2F5E628DD32D\\\\root\\\\Office16\\\\Library
\\\\Analysis\\\\ANALYS32.XLL\",\"size_bytes\":\"245760\",\"modification_time\":\"2022-02-24T09:07:36.000Z\",\
"instance_hash_salt\":\"132897442232920173\"},\"instance_hash\":\"308809884249771034\",\"artifact_hash\":\
"10579797389185226535\"},\"timestamp\":\"2022-02-24T09:07:36.000Z\",\"tanium_recorder_event_table_id\":\
"4611686018476368681\"}],\"acting_artifact\":{\"process\":{\"handles\":[],\"pid\":9320,\"arguments\"
:\"OfficeClickToRun.exe /update\",\"file\":{\"file\":{\"path\":\"C:\\\\Program Files\\\\Common Files\\\\
microsoft shared\\\\ClickToRun\\\\Updates\\\\16.0.14827.20198\\\\OfficeClickToRun.exe\",\"hash\":{\"md5\":
\"9af1a2a7cdf7521012e843a2c0c94d02\"}},\"instance_hash\":\"16551595934051318733\",\"artifact_hash\":\
"16551595934051318733\"},\"user\":{\"user\":{\"name\":\"SYSTEM\",\"domain\":\"NT AUTHORITY\"}},\"parent\":
{\"process\":{\"handles\":[],\"pid\":3240,\"arguments\":\"\\\"C:\\\\Program Files\\\\Common Files\\\\Microsoft
Shared\\\\ClickToRun\\\\OfficeClickToRun.exe\\\" /service\",\"file\":{\"file\":{\"path\":\"C:\\\\Program Files
\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeClickToRun.exe\",\"hash\":{\"md5\":\
"67abab5bdbf1738078ee8609519ae756\"}},\"instance_hash\":\"9683604588018453200\",\"artifact_hash\":\
"9683604588018453200\"},\"user\":{\"user\":{\"name\":\"SYSTEM\",\"domain\":\"NT AUTHORITY\"}},\"parent\"
:{\"process\":{\"handles\":[],\"pid\":696,\"arguments\":\"C:\\\\WINDOWS\\\\system32\\\\services.exe\",\"file\":
{\"file\":{\"path\":\"C:\\\\Windows\\\\System32\\\\services.exe\",\"hash\":{\"md5\":\
"d8e577bf078c45954f4531885478d5a9\"}},\"instance_hash\":\"6947451072025863585\",\"artifact_hash\":\
"6947451072025863585\"},\"user\":{\"user\":{\"name\":\"SYSTEM\",\"domain\":\"NT AUTHORITY\"}},\"parent\":
{\"process\":{\"handles\":[],\"pid\":564,\"arguments\":\"wininit.exe\",\"file\":{\"file\":{\"path\":\"C:\\\\
Windows\\\\System32\\\\wininit.exe\",\"hash\":{\"md5\":\"f3828d75795d5ae4b2d8b828026a4eaa\"}},\"instance_hash\":
\"17707501397744506371\",\"artifact_hash\":\"17707501397744506371\"},\"user\":{\"user\":{\"name\":\"SYSTEM\",\
"domain\":\"NT AUTHORITY\"}},\"parent\":{\"process\":{\"handles\":[],\"pid\":464},\"instance_hash\":\
"12417824902308500885\",\"artifact_hash\":\"133628619820746138\"},\"start_time\":\"2022-02-21T18:20:54.000Z\",\
"tanium_unique_id\":\"1217629972152873483\"},\"instance_hash\":\"12195983035047296839\",\"artifact_hash\":\
"11849315847930828064\"},\"start_time\":\"2022-02-21T18:20:54.000Z\",\"tanium_unique_id\":\"11375085314266065265\"},
\"instance_hash\":\"5014940827374301866\",\"artifact_hash\":\"16653308074585833820\"},\"start_time\":\"2022-02-
21T18:20:59.000Z\",\"tanium_unique_id\":\"8043614338822129387\"},\"instance_hash\":\"4937418741321620235\",\
"artifact_hash\":\"9064172419262849089\"},\"start_time\":\"2022-02-24T09:06:03.000Z\",\"tanium_unique_id\":\
"4638862404773214281\"},\"instance_hash\":\"16504704767541148257\",\"artifact_hash\":\"14589750266879349142\",\
"is_intel_target\":true}}}],\"intel_id\":\"149:3\",\"hunt_id\":\"10\",\"threat_id\":\"1855798049,3033354457,
3426971627\",\"source_name\":\"recorder\",\"system_info\":{\"os\":\"Microsoft Windows 10 Pro\",\"bits\"
:64,\"platform\":\"Windows\",\"build_number\":\"19044\",\"patch_level\":\"10.0.19044.0.0\"},\"first_seen\":\
"2022-02-24T09:07:37.000Z\",\"last_seen\":\"2022-02-24T09:07:37.000Z\",\"finding_id\":\"9053665738863672599\",
\"reporting_id\":\"reporting-id-placeholder\"},\"match\":{\"version\":1,\"type\":\"process\",\"source\":\
"recorder\",\"hash\":\"14589750266879349142\",\"properties\":{\"pid\":9320,\"args\":\"OfficeClickToRun.exe /
update\",\"recorder_unique_id\":\"4638862404773214281\",\"start_time\":\"2022-02-24T09:06:03.000Z\",\"ppid\
":3240,\"user\":\"NT AUTHORITY\\\\SYSTEM\",\"file\":{\"md5\":\"9af1a2a7cdf7521012e843a2c0c94d02\",\"fullpath\
":\"C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\Updates\\\\16.0.14827.20198\\\\
OfficeClickToRun.exe\"},\"parent\":{\"pid\":3240,\"args\":\"\\\"C:\\\\Program Files\\\\Common Files\\\\Microsoft 
Shared\\\\ClickToRun\\\\OfficeClickToRun.exe\\\" /service\",\"recorder_unique_id\":\"8043614338822129387\",\
"start_time\":\"2022-02-21T18:20:59.000Z\",\"ppid\":696,\"user\":\"NT AUTHORITY\\\\SYSTEM\",\"file\":{\"md5\":\
"67abab5bdbf1738078ee8609519ae756\",\"fullpath\":\"C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\
ClickToRun\\\\OfficeClickToRun.exe\"},\"parent\":{\"pid\":696,\"args\":\"C:\\\\WINDOWS\\\\system32\\\\
services.exe\",\"recorder_unique_id\":\"11375085314266065265\",\"start_time\":\"2022-02-21T18:20:54.000Z\",\
"ppid\":564,\"user\":\"NT AUTHORITY\\\\SYSTEM\",\"file\":{\"md5\":\"d8e577bf078c45954f4531885478d5a9\",\
"fullpath\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},\"parent\":{\"pid\":564,\"args\":\"wininit.exe\",
\"recorder_unique_id\":\"1217629972152873483\",\"start_time\":\"2022-02-21T18:20:54.000Z\",\"ppid\":464,\
"user\":\"NT AUTHORITY\\\\SYSTEM\",\"file\":{\"md5\":\"f3828d75795d5ae4b2d8b828026a4eaa\",\"fullpath\":\
"C:\\\\Windows\\\\System32\\\\wininit.exe\"},\"parent\":{\"pid\":464}}}}}}}","alertedAt":"2022-02-24T09:10:
03.319Z","createdAt":"2022-02-24T09:10:03.369Z","updatedAt":"2022-02-24T09:10:03.369Z","Endpoint":
{"id":3,"impactScore":15,"impactAssetId":20,"impactOutboundAssetCount":7}," intelDocName":"Persistence 
using Office Templates and Trusts","eventType":"process","path":"C:\\Program Files\\Common Files\\microsoft
shared\\ClickToRun\\Updates\\16.0.14827.20198\\OfficeClickToRun.exe","hash":"9af1a2a7cdf7521012e843a2c0c94d02"
,"platform":"Windows","os":"Microsoft Windows 10 Pro","intelDocType":"tanium-signal","intelSourceId":4,
"intelSourceName":"Tanium Signals","mitreAttack":"{\"techniques\":[{\"id\":\"T1221\",\"name\":\"Template 
Injection\"},{\"id\":\"T1137\",\"name\":\"Office Application Startup\"},{\"id\":\"T1137.001\",\"name\":\"Office 
Application Startup: Office Template Macros\"},{\"id\":\"T1137.006\",\"name\":\"Office Application Startup: 
Add-ins\"},{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\"},{\"id\":\"T1059.003\",\
"name\":\"Command and Scripting Interpreter: Windows Command Shell\"}]}"}]