Exporting Impact data
You can export data from Impact to Tanium Connect by using either the Tanium Impact or the Tanium Threat Response data source in Connect.
Connections to create
Purpose | Source type | Instructions | Sample output |
---|---|---|---|
Export inbound and outbound Impact data for users, groups, or endpoints. | Tanium Impact | Create connection to export Impact data | CSV example: Impact data export |
Export Impact and outbound Impact scores as part of a Threat Response alert. | Tanium Threat Response | Tanium Threat Response User Guide: Export data to Tanium Connect | JSON example: Threat Response alert with Impact data export |
Create connection to export Impact data
- Create the connection.
  - From the Main menu, open Tanium Connect. Click Create Connection.
  - Name the connection.
- In the Source section, select the Tanium Impact source. Select the asset type to include.
- Select a destination. For more information, see Tanium Connect User Guide.
- Apply filters.
- Choose format settings and schedule.
- Click Save.
CSV example: Impact data export
The following is an example of Impact data exported to a CSV output using the Tanium Impact source in Connect.
The CSV output contains two columns that do not display in the Impact workbench.
- The impactRating column contains numeric values that map to the following impact ratings:
  - 0 = Low
  - 1 = Medium
  - 2 = High
  - 3 = Critical
- The impactScore column is the total number of points for the endpoint, user, or group. The impact rating is determined from these points.
For more information, see Impact rating.
JSON example: Threat Response alert with Impact data export
The following is an example of Impact data exported as part of a Threat Response alert in Connect. Note the Impact data in line 66.
The JSON includes the impactScore, which does not display in the Impact workbench. The impactScore is the total number of points for the endpoint, user, or group. The impact rating is determined from these points. For more information, see Impact rating.
[{"id":"1311","state":"unresolved","type":"detect.match","guid":"00000000-0000-0000-7da5-15056817fd17","priority"
:"high","severity":"info","intelDocId":149,"intelDocRevisionId":null,"scanConfigId":10,"scanConfigRevisionId":1,
"computerName":"My-verybadlaptop","computerIpAddress":"192.168.8.2","matchType":"process","eid":2001,"details":
"{\"finding\":{\"whats\":[{\"intel_intra_ids\":[{\"id\":1855798049},{\"id\":3033354457},{\"id\":3426971627}],\
"source_name\":\"recorder\",\"artifact_activity\":{\"relevant_actions\":[{\"verb\":6,\"target\":{\"file\":{\
"path\":\"C:\\\\Program Files\\\\Microsoft Office\\\\Updates\\\\Download\\\\PackageFiles\\\\6E48D237-4AC5-484B-
BF23-2F5E628DD32D\\\\root\\\\Office16\\\\Library\\\\Analysis\\\\ANALYS32.XLL\",\"size_bytes\":\"245760\",\
"modification_time\":\"2022-02-24T09:07:36.000Z\",\"instance_hash_salt\":\"132897442232920173\"},\"instance_hash\"
:\"308809884249771034\",\"artifact_hash\":\"10579797389185226535\"},\"timestamp\":\"2022-02-24T09:07:36.000Z\",\
"tanium_recorder_event_table_id\":\"4611686018476368681\"},{\"verb\":8,\"target\":{\"file\":{\"path\":\"C:\\\\
WINDOWS\\\\system32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Microsoft\\\\Office\\\\OTele\\\\
officeclicktorun.exe.db-wal\",\"size_bytes\":\"12392\",\"modification_time\":\"2022-02-24T09:06:08.000Z\
",\"instance_hash_salt\":\"132899412650062637\"},\"instance_hash\":\"12150348097614906623\",\"artifact_hash\":
\"8976838609497398981\"},\"timestamp\":\"2022-02-24T09:06:08.000Z\",\"tanium_recorder_event_table_id\":\
"4611686018476365859\"},{\"verb\":6,\"target\":{\"file\":{\"path\":\"C:\\\\Program Files\\\\Microsoft Office
\\\\Updates\\\\Download\\\\PackageFiles\\\\6E48D237-4AC5-484B-BF23-2F5E628DD32D\\\\root\\\\Office16\\\\Library
\\\\Analysis\\\\ANALYS32.XLL\",\"size_bytes\":\"245760\",\"modification_time\":\"2022-02-24T09:07:36.000Z\",\
"instance_hash_salt\":\"132897442232920173\"},\"instance_hash\":\"308809884249771034\",\"artifact_hash\":\
"10579797389185226535\"},\"timestamp\":\"2022-02-24T09:07:36.000Z\",\"tanium_recorder_event_table_id\":\
"4611686018476368681\"}],\"acting_artifact\":{\"process\":{\"handles\":[],\"pid\":9320,\"arguments\"
:\"OfficeClickToRun.exe /update\",\"file\":{\"file\":{\"path\":\"C:\\\\Program Files\\\\Common Files\\\\
microsoft shared\\\\ClickToRun\\\\Updates\\\\16.0.14827.20198\\\\OfficeClickToRun.exe\",\"hash\":{\"md5\":
\"9af1a2a7cdf7521012e843a2c0c94d02\"}},\"instance_hash\":\"16551595934051318733\",\"artifact_hash\":\
"16551595934051318733\"},\"user\":{\"user\":{\"name\":\"SYSTEM\",\"domain\":\"NT AUTHORITY\"}},\"parent\":
{\"process\":{\"handles\":[],\"pid\":3240,\"arguments\":\"\\\"C:\\\\Program Files\\\\Common Files\\\\Microsoft
Shared\\\\ClickToRun\\\\OfficeClickToRun.exe\\\" /service\",\"file\":{\"file\":{\"path\":\"C:\\\\Program Files
\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeClickToRun.exe\",\"hash\":{\"md5\":\
"67abab5bdbf1738078ee8609519ae756\"}},\"instance_hash\":\"9683604588018453200\",\"artifact_hash\":\
"9683604588018453200\"},\"user\":{\"user\":{\"name\":\"SYSTEM\",\"domain\":\"NT AUTHORITY\"}},\"parent\"
:{\"process\":{\"handles\":[],\"pid\":696,\"arguments\":\"C:\\\\WINDOWS\\\\system32\\\\services.exe\",\"file\":
{\"file\":{\"path\":\"C:\\\\Windows\\\\System32\\\\services.exe\",\"hash\":{\"md5\":\
"d8e577bf078c45954f4531885478d5a9\"}},\"instance_hash\":\"6947451072025863585\",\"artifact_hash\":\
"6947451072025863585\"},\"user\":{\"user\":{\"name\":\"SYSTEM\",\"domain\":\"NT AUTHORITY\"}},\"parent\":
{\"process\":{\"handles\":[],\"pid\":564,\"arguments\":\"wininit.exe\",\"file\":{\"file\":{\"path\":\"C:\\\\
Windows\\\\System32\\\\wininit.exe\",\"hash\":{\"md5\":\"f3828d75795d5ae4b2d8b828026a4eaa\"}},\"instance_hash\":
\"17707501397744506371\",\"artifact_hash\":\"17707501397744506371\"},\"user\":{\"user\":{\"name\":\"SYSTEM\",\
"domain\":\"NT AUTHORITY\"}},\"parent\":{\"process\":{\"handles\":[],\"pid\":464},\"instance_hash\":\
"12417824902308500885\",\"artifact_hash\":\"133628619820746138\"},\"start_time\":\"2022-02-21T18:20:54.000Z\",\
"tanium_unique_id\":\"1217629972152873483\"},\"instance_hash\":\"12195983035047296839\",\"artifact_hash\":\
"11849315847930828064\"},\"start_time\":\"2022-02-21T18:20:54.000Z\",\"tanium_unique_id\":\"11375085314266065265\"},
\"instance_hash\":\"5014940827374301866\",\"artifact_hash\":\"16653308074585833820\"},\"start_time\":\"2022-02-
21T18:20:59.000Z\",\"tanium_unique_id\":\"8043614338822129387\"},\"instance_hash\":\"4937418741321620235\",\
"artifact_hash\":\"9064172419262849089\"},\"start_time\":\"2022-02-24T09:06:03.000Z\",\"tanium_unique_id\":\
"4638862404773214281\"},\"instance_hash\":\"16504704767541148257\",\"artifact_hash\":\"14589750266879349142\",\
"is_intel_target\":true}}}],\"intel_id\":\"149:3\",\"hunt_id\":\"10\",\"threat_id\":\"1855798049,3033354457,
3426971627\",\"source_name\":\"recorder\",\"system_info\":{\"os\":\"Microsoft Windows 10 Pro\",\"bits\"
:64,\"platform\":\"Windows\",\"build_number\":\"19044\",\"patch_level\":\"10.0.19044.0.0\"},\"first_seen\":\
"2022-02-24T09:07:37.000Z\",\"last_seen\":\"2022-02-24T09:07:37.000Z\",\"finding_id\":\"9053665738863672599\",
\"reporting_id\":\"reporting-id-placeholder\"},\"match\":{\"version\":1,\"type\":\"process\",\"source\":\
"recorder\",\"hash\":\"14589750266879349142\",\"properties\":{\"pid\":9320,\"args\":\"OfficeClickToRun.exe /
update\",\"recorder_unique_id\":\"4638862404773214281\",\"start_time\":\"2022-02-24T09:06:03.000Z\",\"ppid\
":3240,\"user\":\"NT AUTHORITY\\\\SYSTEM\",\"file\":{\"md5\":\"9af1a2a7cdf7521012e843a2c0c94d02\",\"fullpath\
":\"C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\Updates\\\\16.0.14827.20198\\\\
OfficeClickToRun.exe\"},\"parent\":{\"pid\":3240,\"args\":\"\\\"C:\\\\Program Files\\\\Common Files\\\\Microsoft
Shared\\\\ClickToRun\\\\OfficeClickToRun.exe\\\" /service\",\"recorder_unique_id\":\"8043614338822129387\",\
"start_time\":\"2022-02-21T18:20:59.000Z\",\"ppid\":696,\"user\":\"NT AUTHORITY\\\\SYSTEM\",\"file\":{\"md5\":\
"67abab5bdbf1738078ee8609519ae756\",\"fullpath\":\"C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\
ClickToRun\\\\OfficeClickToRun.exe\"},\"parent\":{\"pid\":696,\"args\":\"C:\\\\WINDOWS\\\\system32\\\\
services.exe\",\"recorder_unique_id\":\"11375085314266065265\",\"start_time\":\"2022-02-21T18:20:54.000Z\",\
"ppid\":564,\"user\":\"NT AUTHORITY\\\\SYSTEM\",\"file\":{\"md5\":\"d8e577bf078c45954f4531885478d5a9\",\
"fullpath\":\"C:\\\\Windows\\\\System32\\\\services.exe\"},\"parent\":{\"pid\":564,\"args\":\"wininit.exe\",
\"recorder_unique_id\":\"1217629972152873483\",\"start_time\":\"2022-02-21T18:20:54.000Z\",\"ppid\":464,\
"user\":\"NT AUTHORITY\\\\SYSTEM\",\"file\":{\"md5\":\"f3828d75795d5ae4b2d8b828026a4eaa\",\"fullpath\":\
"C:\\\\Windows\\\\System32\\\\wininit.exe\"},\"parent\":{\"pid\":464}}}}}}}","alertedAt":"2022-02-24T09:10:
03.319Z","createdAt":"2022-02-24T09:10:03.369Z","updatedAt":"2022-02-24T09:10:03.369Z","Endpoint":
{"id":3,"impactScore":15,"impactAssetId":20,"impactOutboundAssetCount":7}," intelDocName":"Persistence
using Office Templates and Trusts","eventType":"process","path":"C:\\Program Files\\Common Files\\microsoft
shared\\ClickToRun\\Updates\\16.0.14827.20198\\OfficeClickToRun.exe","hash":"9af1a2a7cdf7521012e843a2c0c94d02"
,"platform":"Windows","os":"Microsoft Windows 10 Pro","intelDocType":"tanium-signal","intelSourceId":4,
"intelSourceName":"Tanium Signals","mitreAttack":"{\"techniques\":[{\"id\":\"T1221\",\"name\":\"Template
Injection\"},{\"id\":\"T1137\",\"name\":\"Office Application Startup\"},{\"id\":\"T1137.001\",\"name\":\"Office
Application Startup: Office Template Macros\"},{\"id\":\"T1137.006\",\"name\":\"Office Application Startup:
Add-ins\"},{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\"},{\"id\":\"T1059.003\",\
"name\":\"Command and Scripting Interpreter: Windows Command Shell\"}]}"}]
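As an added example (not Tanium's code), the following Python script reads a Threat Response alert export in the shape shown above, pulls the Impact fields from the Endpoint object, decodes the mitreAttack field, which the export carries as a JSON-encoded string, and orders alerts by impactScore so that alerts on high-impact endpoints are reviewed first. The sample records and the function names decode_embedded and summarize_alerts are constructed for illustration.

```python
import json

# Constructed sample in the shape of the export above (values are made up).
SAMPLE_EXPORT = json.dumps([
    {"id": "1311", "computerName": "host-a",
     "Endpoint": {"id": 3, "impactScore": 15, "impactAssetId": 20,
                  "impactOutboundAssetCount": 7},
     "mitreAttack": json.dumps({"techniques": [
         {"id": "T1221", "name": "Template Injection"},
         {"id": "T1137", "name": "Office Application Startup"}]})},
    {"id": "1312", "computerName": "host-b",
     "Endpoint": {"id": 4, "impactScore": 42, "impactAssetId": 21,
                  "impactOutboundAssetCount": 19},
     "mitreAttack": "not-json"},
    {"id": "1313", "computerName": "host-c"},
])


def decode_embedded(value):
    """Decode a field that carries JSON as a string; {} if absent or invalid."""
    try:
        decoded = json.loads(value) if isinstance(value, str) else None
    except json.JSONDecodeError:
        return {}
    return decoded if isinstance(decoded, dict) else {}


def summarize_alerts(export_text):
    """Return one summary per alert, highest Impact score first."""
    rows = []
    for alert in json.loads(export_text):
        endpoint = alert.get("Endpoint") or {}
        techniques = decode_embedded(alert.get("mitreAttack")).get("techniques") or []
        rows.append({
            "alert_id": alert.get("id"),
            "computer": alert.get("computerName"),
            # None marks an alert exported without Impact data.
            "impact_score": endpoint.get("impactScore"),
            "outbound_assets": endpoint.get("impactOutboundAssetCount"),
            "techniques": [t["id"] for t in techniques
                           if isinstance(t, dict) and "id" in t],
        })
    # Alerts without a score sort last instead of failing on None comparisons.
    rows.sort(key=lambda r: (r["impact_score"] is None, -(r["impact_score"] or 0)))
    return rows


if __name__ == "__main__":
    for row in summarize_alerts(SAMPLE_EXPORT):
        print(row)
```

The details field in the export is a JSON-encoded string as well, so decode_embedded can be applied to it in the same way.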
Last updated: 5/30/2023 2:15 PM