Sending and reporting events

Send events to a SIEM, SOAR, or other data lake or log solution using Connect.

Use Connect to send events

You can create saved questions that include any of the sensors provided by Integrity Monitor and then use those saved questions as connection sources in Connect.

When you send events to a SIEM, SOAR, or other data lake, send only unlabeled events and events that are required for regulatory compliance and auditing. (In some cases, all events might be required.)

Create a saved question that returns the events you want to report using the Integrity Monitor - Monitor Events or Integrity Monitor - Monitor Events Unlabeled sensor. Include any other sensors you want to include as columns in the data. For more information, see Tanium Interact User Guide: Managing saved questions.
Create a connection in Connect. Use Saved Question for the source type, and select the saved question that you created. For more information, see Tanium Connect User Guide: Overview.

Create incidents for unlabeled events in ServiceNow Incident Management

If you use ServiceNow Incident Management, you can create incidents based on unlabeled events by using an email destination in Connect and configuring email actions in ServiceNow to create incidents.

Configure inbound email actions in ServiceNow to create incidents based on emails from Tanium. For more information, see ServiceNow Product documentation: Inbound email actions.
Create a saved question using the Integrity Monitor - Monitor Events Unlabeled sensor. For more information, see Tanium Interact User Guide: Managing saved questions.
From the Connect menu, click Connections > Create Connection.
Configure the following settings in the connection:
- Specify a Name and optional Description for the connection.
- For Source, select Saved Question.
- In the Saved Question Name list, select the saved question you created.
- Select the appropriate Computer Group.
- Select Flatten Results.
- For Destination, select Email (O365) or Email (SMTP).
- Complete the Email configuration by following the steps in the corresponding topic in the Connect User Guide:
  - Email (O365): Connect User Guide: Configure the email results destination
  - Email (SMTP): Connect User Guide: Configure the email results destination. In the Advanced section, select Attachment, and enter an Attachment File Name that ends with .csv.
- In the Configure Output section, for Format, select CSV.
- In the Schedule section, configure a schedule for the connection.
Click Save.

Manually run the new email connection while monitoring incidents in ServiceNow to make sure that new incidents are successfully created. Open the first new incident and confirm that it includes a CSV file with the expected information.