Sending and reporting events

Send events to a SIEM, SOAR, or other data lake or log solution using Connect.

Use Connect to send events

You can create saved questions that include any of the sensors provided by Integrity Monitor, and then use those saved questions as connection sources in Connect.

When you are sending events to a SIEM, SOAR, or other data lake, send only unlabeled events and events that are required for regulatory compliance and auditing. (In some cases, all events might be required.)

  1. Create a saved question that returns the events you want to report using the Integrity Monitor - Monitor Events or Integrity Monitor - Monitor Events Unlabeled sensor. Include any other sensors you want to include as columns in the data. For more information, see Tanium Interact User Guide: Managing saved questions.
  2. Create a connection in Connect. Use Saved Question for the source type, and select the saved question that you created. For more information, see Tanium Connect User Guide: Overview.

Create incidents for unlabeled events in ServiceNow Incident Management

If you use ServiceNow Incident Management, you can create incidents based on unlabeled events by using an email destination in Connect and configuring email actions in ServiceNow to create incidents.

  1. Configure inbound email actions in ServiceNow to create incidents based on emails from Tanium. For more information, see ServiceNow Product documentation.
  2. Create a saved question using the Integrity Monitor - Monitor Events Unlabeled sensor. For more information, see Tanium Interact User Guide: Managing saved questions.
  3. From the Connect Overview page, click Create Connection.
  4. Configure the following settings in the connection:

    • Configure the settings in the General Information section.

    • For Source, select Saved Question, and select the Saved Question Name for the saved question you created.
    • Select the appropriate Computer Group.
    • Select Flatten Results.
    • For Destination, select Email.
    • In the Email section, enter a Destination Name and a Subject that ServiceNow expects for emails intended to create incidents for unlabeled events from Integrity Monitor.
    • Enter a From Address.
    • For To Addresses, enter the address where your ServiceNow instance receives email.
    • In the Mail Configuration section, configure the email settings for your environment.
    • In the Advanced section, select Attachment, and enter an Attachment File Name that ends with .csv.
    • In the Configure Output section, for Format, select CSV.
    • In the Schedule section, configure a schedule for the connection.
  5. Click Create Connection to save the new connection.

For more information about configuring email destinations in Connect, see Tanium Connect User Guide: Configuring email destinations.

Manually run the new email connection while monitoring incidents in ServiceNow to make sure that new incidents are successfully created. Open the first new incident and make sure that it includes a CSV file with the expected information.