Exporting audit data

Events and alerts generated by Threat Response are sent to Connect. By configuring a Connect destination, this information is actionable outside of Tanium.

Audit log pruning runs every 24 hours and the default retention for audit logs is 90 days. You can use the Threat Response API to change the number of days to a maximum of 365. If you need to retain audit logs for longer periods, send the data to Tanium Connect.

To configure a Connect destination:

  1. From the Connect menu, click Connections and then click Create Connection.

  2. Select Event as the source.

  3. Select Tanium Threat Response as the event group and Select All Events.

  4. Configure a Destination. Some destinations use specific destination names. When you edit a named destination, the changes affect all connections where that specific Destination Name is used.

  5. Add a Regular Expression filter for the Event Name column. Regular expressions can vary; however, an expression such as ^(?!detect.match).*$ is a good starting point. The negative lookahead keeps every event whose name does not begin with detect.match and drops the rest.
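As an added illustration (not from the Tanium documentation), the following Python applies the suggested Event Name filter to constructed event names and shows which pass. It also shows a stricter variant that escapes the dot, because the unescaped `.` in `detect.match` matches any single character.

```python
import re

# Regex from the page: the negative lookahead rejects event names that start
# with "detect.match" and lets every other event name through.
PAGE_FILTER = r"^(?!detect.match).*$"

# Stricter variant (added here, not from the page): the escaped dot matches a
# literal "." only, so a name such as "detectXmatch" is no longer rejected.
STRICT_FILTER = r"^(?!detect\.match).*$"

# Constructed sample event names; the page does not list the exact names that
# Threat Response emits, so these are illustrative only.
SAMPLE_EVENTS = [
    "detect.match",
    "detect.match.alert",
    "detectXmatch",              # only differs under the unescaped-dot caveat
    "intel.create",
    "alert.delete",
    "group_configuration.modify",
]


def keep_events(event_names, pattern=PAGE_FILTER):
    """Return the event names that a Connect-style Event Name regex filter keeps."""
    rx = re.compile(pattern)
    return [name for name in event_names if rx.match(name)]


def dropped_events(event_names, pattern=PAGE_FILTER):
    """Return the event names the filter removes, for checking the filter's effect."""
    kept = set(keep_events(event_names, pattern))
    return [name for name in event_names if name not in kept]


if __name__ == "__main__":
    print("kept (page filter):   ", keep_events(SAMPLE_EVENTS))
    print("kept (strict filter): ", keep_events(SAMPLE_EVENTS, STRICT_FILTER))
```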

The following events are sent to Connect:

Detection events | Action type
Group configurations
  • Creating
  • Deleting
  • Modifying
On-demand scans
  • Initiating
  • Deleting
Service settings
  • Resetting
  • Modifying
System user
  • Modifying
Labels
  • Modifying
  • Deleting
Intel
  • Creating
  • Deleting
  • Modifying
  • Modifying labels of intel
Alerts
  • Deleting
  • Modifying
  • Deleted batches of alerts
  • Modifying batches of alerts

You can also audit actions that were performed in the Threat Response service by users. Export data from Threat Response to Tanium Connect destinations, such as Email, File, HTTP, Socket Receiver, Splunk, and SQL Server, to gain visibility into Threat Response actions that users have performed during a specific time range.

You can audit the following Threat Response actions:

Threat Response component | Action type
Profiles
  • Creating
  • Editing
  • Importing
  • Deleting
  • Reordering profiles
  • Deploying a profile
  • Duplicating
Configurations
  • Creating
  • Editing
  • Importing
  • Deleting
  • Duplicating
Filters
  • Creating
  • Editing
  • Importing
  • Deleting
  • Duplicating
Intel Deployment
  • Migrating
Service Account
  • Setting
  • Deleting
Threat Response Settings (with the exception of detection-specific or recorder-specific settings)
  • Creating
  • Editing
  • Deleting
Recorder Settings
  • Uploading Zone Server certificates
  • Adding, deleting, or deploying Zone Server settings to endpoints
  • Saving values for default module server address, service URL for snapshot uploads, and the maximum number of rows to export from live connections
Live Endpoint Connections
  • Creating and deleting live endpoint connections
  • Viewing directories from live endpoint connections
  • Downloading and deleting files from live endpoint connections
  • Creating and deleting exports from live endpoint connections
  • Creating, uploading, and deleting snapshots from live endpoint connections
  • Creating and deleting events from live endpoint connections
Live Response Collections
  • Creating
  • Editing
  • Duplicating
  • Deleting
Live Response Destinations
  • Creating
  • Editing
  • Duplicating
  • Deleting
Live Response File Collectors
  • Creating
  • Editing
  • Duplicating
  • Deleting
Live Response Script Sets
  • Creating
  • Editing
  • Duplicating
  • Deleting
Live Response Packages
  • Generating
Notifications
  • Creating
  • Deleting

Tanium Connect

To export data from Threat Response to Connect destinations such as Email, File, HTTP, Socket Receiver, Splunk, and SQL Server, create a connection.

Before you begin

  • You must have access to Connect with the Connect User role.
  • You must have Connect 4.10.5 or later.

Create a connection

  1. From the Connect menu, click Connections and then click Create Connection.
  2. Under General Information, provide a name and description for the connection. Select Enable. Select a Log Level.
  3. Under Source and Destination, select Tanium Threat Response.
  4. In the Type field, select Audit Report.
  5. In the Batch Size field, enter the number of rows of Threat Response data to return at a time. The default is 1000.
  6. In the Minutes to Collect field, enter the number of minutes prior to the start time to collect data. For an exhaustive log, leave this field blank.
  7. Select Send the Audit State Column to Tanium Connect as JSON to send the data in JSON format. If selected, data is sent as a string object.
  8. Under Destination, select where you want Connect to send the audit data. Provide any additional configuration for the type of destination you select.
  9. Provide any filters you want to apply to the data. You can use filters to modify the data that you are getting from your connection source before it is sent to the destination.
  10. Expand Columns to review the format of the output data. Make changes as appropriate and add any custom columns that are relevant.
  11. Click Save Changes.
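As an added example of consuming the exported rows downstream (not Tanium's code; the column names audit_state and timestamp are assumed, and the rows are constructed), the following Python decodes the audit state column when it arrives as a JSON string, keeps the rows that fall inside a Minutes to Collect window, and counts audited actions per user.

```python
import json
from collections import Counter
from datetime import datetime, timedelta

# Assumed column names: the page names the Connect options, not the columns
# that a destination such as SQL Server or Splunk will show.
AUDIT_STATE_COLUMN = "audit_state"
TIMESTAMP_COLUMN = "timestamp"

# Constructed sample rows, not real Connect output.
SAMPLE_ROWS = [
    {"timestamp": "2024-01-10T11:55:00Z", "user": "analyst1",
     "event_name": "profile.deploy",
     "audit_state": '{"profile_id": 12, "targets": ["group-a"]}'},
    {"timestamp": "2024-01-10T11:30:00Z", "user": "analyst2",
     "event_name": "intel.delete", "audit_state": "not json"},
    {"timestamp": "2024-01-10T09:00:00Z", "user": "analyst1",
     "event_name": "alert.modify", "audit_state": None},
]


def _parse_ts(value):
    # ISO 8601 with a trailing "Z"; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def expand_audit_state(row):
    """Decode the audit state column (a JSON string when the Connect option is
    selected). Rows whose value is not valid JSON are flagged, not dropped."""
    out = dict(row)
    raw = out.get(AUDIT_STATE_COLUMN)
    if isinstance(raw, str):
        try:
            out[AUDIT_STATE_COLUMN] = json.loads(raw)
        except json.JSONDecodeError:
            out[AUDIT_STATE_COLUMN + "_parse_error"] = True
    return out


def rows_in_window(rows, start_iso, minutes):
    """Keep rows in the Minutes to Collect window: the `minutes` before `start_iso`."""
    start = _parse_ts(start_iso)
    window_start = start - timedelta(minutes=minutes)
    return [r for r in rows if window_start <= _parse_ts(r[TIMESTAMP_COLUMN]) < start]


def actions_per_user(rows, start_iso, minutes):
    """Count audited actions per user in the window, after decoding audit state."""
    window = [expand_audit_state(r) for r in rows_in_window(rows, start_iso, minutes)]
    return Counter(r["user"] for r in window)
```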

Test a connection and review audit data

  1. From the Connect Overview page, click Connections.
  2. Click the connection that you created for Threat Response audit data.
  3. Click Run Now. Confirm that you want to run the connection.
  4. View the summary of the run.
  5. View the audit report in the destination that you configured for the connection.

Schedule the connection

For information on how to run connections on a schedule, see Tanium Connect User Guide: Schedule connections.