Exporting audit data

You can audit the actions that users perform in the Threat Response service. Export the audit data from Threat Response to Tanium Connect destinations, such as Email, File, HTTP, Socket Receiver, Splunk, and SQL Server, to gain visibility into which Threat Response actions users performed during a specific time range.

You can audit the following Threat Response actions:

Threat Response component: audited action types
Profiles
  • Creating
  • Editing
  • Importing
  • Deleting
  • Reordering profiles
  • Deploying a profile
  • Duplicating
Configurations
  • Creating
  • Editing
  • Importing
  • Deleting
  • Duplicating
Filters
  • Creating
  • Editing
  • Importing
  • Deleting
  • Duplicating
Intel Deployment
  • Migrating
Service Account
  • Setting
  • Deleting
Threat Response Settings (except engine-specific or recorder-specific settings)
  • Creating
  • Editing
  • Deleting
Recorder Settings
  • Uploading Zone Server certificates
  • Adding, deleting, or deploying Zone server settings to endpoints
  • Uploading a Sysmon distribution ZIP file and saving Sysmon settings
  • Saving values for default module server address, service URL for snapshot uploads, and the maximum number of rows to export from live connections
Live Endpoint Connections
  • Creating and deleting live endpoint connections
  • Viewing directories from live endpoint connections
  • Downloading and deleting files from live endpoint connections
  • Creating and deleting exports from live endpoint connections
  • Creating, uploading, and deleting snapshots from live endpoint connections
  • Creating and deleting events from live endpoint connections
Live Response Collections
  • Creating
  • Editing
  • Duplicating
  • Deleting
Live Response Destinations
  • Creating
  • Editing
  • Duplicating
  • Deleting
Live Response File Collectors
  • Creating
  • Editing
  • Duplicating
  • Deleting
Live Response Script Sets
  • Creating
  • Editing
  • Duplicating
  • Deleting
Live Response Packages
  • Generating

Tanium Connect

To export data from Threat Response to Connect destinations such as Email, File, HTTP, Socket Receiver, Splunk, and SQL Server, create a connection.

Before you begin

  • You must have access to Connect with the Connect User role.
  • You must have Connect 4.10.5 or later and Threat Response 1.3.0 or later.

Create a connection

  1. From the Connect menu, click Connections and then click Create Connection > Create.
  2. Under General Information, provide a name and description for the connection. Select Enable. Select a Log Level.
  3. Under Source and Destination, select Tanium Threat Response as the source.
  4. In the Type field, select Audit Report.
  5. In the Batch Size field, enter the number of rows of Threat Response data to return at a time. The default is 1000.
  6. In the Minutes to Collect field, enter how many minutes of audit data before the connection's run time to collect. Leave the field blank to collect the complete audit log.
  7. Select Send the Audit State Column to Tanium Connect as JSON to send the audit state column as a structured JSON object. If unselected, the column is sent as a single string, which destinations such as Splunk or SQL Server cannot break into fields without additional parsing.
  8. Under Destination, select where you want Connect to send the audit data. Provide any additional configuration for the type of destination you select.
  9. Provide any filters you want to apply to the data. You can use filters to modify the data that you are getting from your connection source before it is sent to the destination.
  10. Expand Columns to review the format of the output data. Make changes as appropriate and add any custom columns that are relevant.
  11. Click Save Changes.
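The script below is an added example, not code from the Tanium guide or product. It consumes the records an Audit Report connection writes to a destination after a run, normalises the audit state column whether it was sent as JSON (step 7) or as a string, restricts the records to a time window in the same spirit as Minutes to Collect (step 6), and surfaces the actions a security reviewer should check first: service account changes, profile deployments and file downloads from live endpoint connections. The record field names (timestamp, user, component, action, state), the exact component and action strings, and the sample records are assumptions constructed for illustration; compare them with the Columns section of your own connection before use.

```python
"""Triage records exported by a Threat Response "Audit Report" connection.

Added example; not part of the Tanium documentation or of the Connect or
Threat Response products. The record layout (timestamp/user/component/
action/state) and the component and action strings are assumptions for
illustration: check them against the Columns section of your connection.
"""
import json
from datetime import datetime, timedelta, timezone

# Actions a reviewer should see first. Component and action names follow the
# audit table in this guide; the strings a real export emits are an assumption.
HIGH_RISK = {
    ("Service Account", "Setting"),
    ("Service Account", "Deleting"),
    ("Profiles", "Deploying a profile"),
    ("Live Endpoint Connections",
     "Downloading and deleting files from live endpoint connections"),
    ("Recorder Settings", "Uploading Zone Server certificates"),
}

# Constructed sample export, one JSON object per line, as a File destination
# might write it. Record 2 shows the state column delivered as a JSON string
# (the "as JSON" option left unselected); record 3 shows a non-JSON string.
SAMPLE_EXPORT = [
    r'{"timestamp": "2019-11-20T20:00:00Z", "user": "analyst1", "component": "Profiles", '
    r'"action": "Editing", "state": {"name": "Workstations", "version": 4}}',
    r'{"timestamp": "2019-11-20T20:10:00Z", "user": "admin2", "component": "Service Account", '
    r'"action": "Setting", "state": "{\"username\": \"svc-tr\"}"}',
    r'{"timestamp": "2019-11-20T20:30:00Z", "user": "analyst1", '
    r'"component": "Live Endpoint Connections", '
    r'"action": "Downloading and deleting files from live endpoint connections", '
    r'"state": "path=C:\\Users\\bob\\secrets.txt"}',
    r'{"timestamp": "2019-11-19T09:00:00Z", "user": "admin2", "component": "Service Account", '
    r'"action": "Deleting", "state": {}}',
]


def parse_state(raw):
    """Normalise the audit state column to a dict.

    With "Send the Audit State Column to Tanium Connect as JSON" selected the
    column is already structured. Otherwise it is a string: if that string is
    itself JSON we decode it, else we keep it opaque under "raw" so callers
    can treat both shapes alike.
    """
    if isinstance(raw, dict):
        return raw
    if isinstance(raw, str):
        try:
            decoded = json.loads(raw)
        except ValueError:
            decoded = None
        if isinstance(decoded, dict):
            return decoded
    return {"raw": raw}


def load_records(lines):
    """Parse a JSON-lines export; timestamps become timezone-aware UTC datetimes."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["state"] = parse_state(rec.get("state"))
        rec["timestamp"] = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def triage(records, end, minutes):
    """Split the records from the `minutes` before `end` into high-risk and
    other, each oldest first. The window mirrors the Minutes to Collect field."""
    start = end - timedelta(minutes=minutes)
    window = sorted((r for r in records if start <= r["timestamp"] <= end),
                    key=lambda r: r["timestamp"])
    high = [r for r in window if (r["component"], r["action"]) in HIGH_RISK]
    other = [r for r in window if (r["component"], r["action"]) not in HIGH_RISK]
    return high, other


def describe(rec):
    """One-line summary suitable for a ticket or an alert body."""
    return "%s %s %s: %s %s" % (rec["timestamp"].isoformat(), rec["user"],
                                 rec["component"], rec["action"],
                                 json.dumps(rec["state"], sort_keys=True))


def demo():
    """Run the sample through a two-hour window ending 2019-11-20 21:00 UTC."""
    end = datetime(2019, 11, 20, 21, 0, tzinfo=timezone.utc)
    high, other = triage(load_records(SAMPLE_EXPORT), end, 120)
    return [describe(r) for r in high], [describe(r) for r in other]


if __name__ == "__main__":
    high_lines, other_lines = demo()
    print("HIGH RISK:")
    for line in high_lines:
        print("  " + line)
    print("OTHER:")
    for line in other_lines:
        print("  " + line)
```

Running the script prints the two high-risk sample records (the service account change and the file download from a live endpoint connection) ahead of the routine profile edit, and drops the previous day's record because it falls outside the window. Keeping the string fallback in parse_state is what lets the same script work against a connection created before the JSON option was enabled.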

Test a connection and review audit data

  1. From the Connect Home page, click Connections.
  2. Click the connection that you created for Threat Response audit data.
  3. Click Run Now. Confirm that you want to run the connection.
  4. View the summary of the run.
  5. View the audit report in the destination that you configured for the connection.

Schedule the connection

For information on how to run connections on a schedule, see Tanium Connect User Guide: Schedule connections.

Last updated: 11/20/2019 9:45 PM