Sending and reporting events

Send events to a SIEM, SOAR, or other data lake or log solution using Connect. Reports are available if you are using basic labeling.

How you send events to external destinations is affected by whether you are using basic labeling or enhanced labeling. For more information about labeling methods, see Basic labeling and enhanced labeling.

Use Connect to send events

Send events from enhanced monitors

For enhanced monitors, you can create saved questions that include any of the sensors provided by Integrity Monitor, and then use those saved questions as connection sources in Connect.

When you are sending events to a SIEM, SOAR, or other data lake, send only unlabeled events and events that are required for regulatory compliance and auditing. (In some cases, this might include all events.)

  1. Create a saved question that returns the events you want to report using the Integrity Monitor Labeled File Events Details or Integrity Monitor Unlabeled File Events Details sensor. Include any other sensors you want to include as columns in the data. For more information, see Tanium Interact User Guide: Managing saved questions.
  2. Create a connection in Connect. Use Saved Question for the source type, and select the saved question that you created. For more information, see Tanium Connect User Guide: Overview.

Create incidents for unlabeled events in ServiceNow Incident Management

If you use ServiceNow Incident Management, you can create incidents based on unlabeled events by using an email destination in Connect and configuring email actions in ServiceNow to create incidents.

  1. Configure inbound email actions in ServiceNow to create incidents based on emails from Tanium. For more information, see ServiceNow Product documentation.
  2. Create a saved question using the Integrity Monitor Unlabeled File Events Details sensor. For more information, see Tanium Interact User Guide: Managing saved questions.
  3. From the Connect Overview page, click Create Connection.
  4. Configure the following settings in the connection:

    • Configure the settings in the General Information section.

    • For Source, select Saved Question, and select the Saved Question Name for the saved question you created.
    • Select the appropriate Computer Group.
    • Select Flatten Results.
    • For Destination, select Email.
    • In the Email section, enter a Destination Name and a Subject that ServiceNow expects for emails intended to create incidents for unlabeled events from Integrity Monitor.
    • Enter a From Address.
    • For To Addresses, enter the address where your ServiceNow instance receives email.
    • In the Mail Configuration section, configure the email settings for your environment.
    • In the Advanced section, select Attachment, and enter an Attachment File Name that ends with .csv.
    • In the Configure Output section, for Format, select CSV.
    • In the Schedule section, configure a schedule for the connection.
  5. Click Create Connection to save the new connection.

For more information about configuring email destinations in Connect, see Tanium Connect User Guide: Configuring email destinations.

Manually run the new email connection while monitoring incidents in ServiceNow to make sure that new incidents are successfully created. Open the first new incident and make sure that it includes a CSV file with the expected information.

Send events from basic monitors

  1. From the results grid for a monitor, click Send All Events To Connect.
  2. In the Create Connection prompt, click Yes.

    The connection is created using the Integrity Monitor File Events Overview saved question for the current monitor as the source, and events are sent to a CSV file by default.

  3. To modify the connection in Connect, click All events connection > Edit.
  4. On the Edit Connection page in Connect, configure the destination and any other appropriate settings.

For more information about Connect, see Tanium Connect User Guide: Connect overview.

To remove the connection, click All events connection > Delete.

Configure reports (basic labeling)

Reports show labels that were created during the specified time frame of the report. Events that occurred outside of the time interval might be included in the report, if the event was labeled within the time range of the report.

If you are using an enhanced monitor, you cannot use reports. Instead, you can use saved questions in Connect to send events to reports and external destinations. For more information, see Send events from enhanced monitors.

  1. From the Integrity Monitor menu, go to Monitors > Basic Monitors, and then click the name of the monitor.
  2. Click the Reports tab, and then click Enable Reports.

    If you want to stop reporting at any time for a specific monitor, click Disable reporting for this monitor.

  3. To view reports for a monitor, select the monitor and click the Reports tab. The most recent reports is listed first. A report shows all label events for the defined weekly report interval.
  4. A report could cover more or less than 7 days of labels if you change the report interval. Integrity Monitor reports in this manner to prevent duplication or gaps in the reports.

    Example 1: Reports run on Sunday at midnight. On Tuesday, you change the report to run on Wednesday at midnight. The first report on Wednesday covers 3 days.

    Example 2: Reports run on Sunday at midnight. On Thursday, you change the report to run on Wednesday at midnight. The first report on Wednesday covers 10 days.

To download a report as a zipped CSV file, click Download.

To delete a report, click Delete .

Set the weekly report schedule

By default, when you choose to run reports for a monitor, they are run every Sunday at 12:00 AM UTC. To change the schedule:

  1. From the Integrity Monitor Overview page, click Settings , and then click the General Settings tab.
  2. In the Weekly Report Schedule section, edit the Day of the Week and Time fields as appropriate for all reports.