Exporting audit data
Events and alerts generated by Threat Response are sent to Connect. Configuring a Connect destination makes this information available to, and actionable by, tools outside of Tanium.
To configure a Connect destination:
From the Connect menu, click Connections and then click Create Connection.
Select Event as the source.
Select Tanium Threat Response as the event group and select All Events.
Configure a Destination. Some destination types use a named destination. When you edit a named destination, the change affects every connection that uses that Destination Name, not only the one you are editing.
Add a Regular Expression filter on the Event Name column. The exact expression depends on what you want to forward; an expression such as ^(?!detect.match).*$ is a good starting point. It uses a negative lookahead to drop any event whose name begins with detect.match (the Detect alerts) while passing all System Notifications through. Note that the unescaped dot in detect.match matches any single character; if you want to exclude only names that begin with the literal prefix detect.match, escape it as detect\.match.
The following events are sent to Connect:
Detection events | Action type
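As an added illustration that is not part of the original page, the following Python applies the Event Name filter from the procedure above to a handful of constructed event names and shows the difference between the page's starting expression and the escaped form. The event names and the function name are assumptions made for this example; the one property relied on is that the filter engine supports negative lookahead, which the page's own expression already requires.

```python
import re

# The starting filter from the Connect walkthrough: a negative lookahead that
# rejects any event name beginning with "detect.match" and accepts the rest.
PAGE_FILTER = r"^(?!detect.match).*$"

# Stricter variant (assumption: the intended exclusion is the literal prefix
# "detect.match"): the dot is escaped so it no longer matches any character.
STRICT_FILTER = r"^(?!detect\.match).*$"

# Constructed sample event names for this example; not taken from a deployment.
SAMPLE_EVENT_NAMES = [
    "detect.match.new",        # a Detect alert: both filters drop it
    "detect.signal.new",       # not a match event: both filters keep it
    "recorder.database.full",  # a system notification: both filters keep it
    "detect-match.other",      # differs from "detect.match" only at the dot
]


def apply_event_name_filter(pattern, event_names):
    """Return the event names that the Connect-style regex filter lets through.

    re.match anchors at the start of the string, and the pattern's own ^ and $
    anchor both ends, so a name passes only if the whole name satisfies it.
    """
    rx = re.compile(pattern)
    return [name for name in event_names if rx.match(name)]


if __name__ == "__main__":
    print("page filter keeps:  ", apply_event_name_filter(PAGE_FILTER, SAMPLE_EVENT_NAMES))
    print("strict filter keeps:", apply_event_name_filter(STRICT_FILTER, SAMPLE_EVENT_NAMES))
```

With the page's expression, "detect-match.other" is silently dropped along with the real Detect alerts because the unescaped dot matches the hyphen; the escaped form keeps it. Check the filter against a list of your own event names before relying on it to suppress only the alerts you intend.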
You can also audit the actions that users have performed in the Threat Response service. Export data from Threat Response to Tanium Connect destinations, such as Email, File, HTTP, Socket Receiver, Splunk, and SQL Server, to gain visibility into the Threat Response actions that users performed during a specific time range.
You can audit the following Threat Response actions:
Threat Response component | Action type
Threat Response Settings (except detection-specific or recorder-specific settings) |
Live Endpoint Connections |
Live Response Collections |
Live Response Destinations |
Live Response File Collectors |
Live Response Script Sets |
Live Response Packages |
To export data from Threat Response to Connect destinations such as Email, File, HTTP, Socket Receiver, Splunk, and SQL Server, create a connection.
Before you begin
- You must have access to Connect with the Connect User role.
- You must have Connect 4.10.5 or later and Threat Response 1.3.0 or later.
Create a connection
- From the Connect menu, click Connections and then click Create Connection.
- Under General Information, provide a name and description for the connection. Select Enable. Select a Log Level.
- Under Source and Destination, select Tanium Threat Response as the source.
- In the Type field, select Audit Report.
- In the Batch Size field, enter the number of rows of Threat Response data to return at a time. The default is 1000.
- In the Minutes to Collect field, enter the number of minutes prior to the start time for which to collect data. For an exhaustive log, leave this field blank.
- Select Send the Audit State Column to Tanium Connect as JSON to send the audit state in JSON format. If selected, the column is sent as a string object containing the JSON text, so the consumer at the destination must decode that string to get at the fields.
- Under Destination, select where you want Connect to send the audit data. Provide any additional configuration for the type of destination you select.
- Provide any filters you want to apply to the data. You can use filters to modify the data that you are getting from your connection source before it is sent to the destination.
- Expand Columns to review the format of the output data. Make changes as appropriate and add any custom columns that are relevant.
- Click Save Changes.
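To show what a consumer at the destination has to deal with, here is an added example (not code from the page or from Tanium) that takes constructed audit rows, decodes the audit state column that arrives as a JSON string when the option above is selected, and selects the rows that fall inside the window the Minutes to Collect field describes (the minutes before the start time; blank means no lower bound). The column names audit_time, user, component and audit_state, the row contents, and all function names are assumptions made for this example; the real columns are whatever the connection's Columns section shows.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample rows, as a File or HTTP destination might receive them from
# an Audit Report connection with "Send the Audit State Column ... as JSON"
# selected. Column names and values are assumptions for this example.
CONSTRUCTED_ROWS = [
    {"audit_time": "2023-03-22T08:00:00Z", "user": "analyst1",
     "component": "Live Response Collections",
     "audit_state": json.dumps({"action": "create", "name": "triage-set"})},
    {"audit_time": "2023-03-22T09:30:00Z", "user": "analyst2",
     "component": "Live Endpoint Connections",
     "audit_state": json.dumps({"action": "open", "hostname": "host-a"})},
    {"audit_time": "2023-03-22T09:55:00Z", "user": "analyst1",
     "component": "Threat Response Settings",
     "audit_state": json.dumps({"action": "update", "setting": "retention"})},
]

# Assumed start time for the example run (the connection's own start time in practice).
EXAMPLE_START = datetime(2023, 3, 22, 10, 0, tzinfo=timezone.utc)


def parse_audit_state(row):
    """Return the audit state as a dict.

    With the JSON option selected, Connect sends the column as a string object,
    so the value is JSON text that still has to be decoded. A consumer that
    indexes into it directly gets characters, not fields.
    """
    state = row["audit_state"]
    if isinstance(state, str):
        return json.loads(state)
    return state  # already structured (option not selected, or pre-decoded upstream)


def collection_window(start, minutes_to_collect):
    """Mirror the Minutes to Collect setting: rows from (start - minutes) up to start.

    A blank field (None here) means no lower bound, i.e. the exhaustive log.
    """
    if minutes_to_collect is None:
        return None, start
    return start - timedelta(minutes=minutes_to_collect), start


def audit_actions(rows, start, minutes_to_collect=None):
    """Decode and select the (user, component, action) tuples inside the window."""
    lower, upper = collection_window(start, minutes_to_collect)
    selected = []
    for row in rows:
        # fromisoformat only accepts a trailing "Z" from Python 3.11 on; normalise it.
        when = datetime.fromisoformat(row["audit_time"].replace("Z", "+00:00"))
        if when >= upper or (lower is not None and when < lower):
            continue
        state = parse_audit_state(row)
        selected.append((row["user"], row["component"], state["action"]))
    return selected


if __name__ == "__main__":
    for entry in audit_actions(CONSTRUCTED_ROWS, EXAMPLE_START, minutes_to_collect=60):
        print(entry)
```

Run against the constructed rows with a 60-minute window, only the two actions after 09:00 are returned; with the field left blank all three are. If the audit state ever arrives already decoded (the JSON option not selected, or a destination that parses it for you), parse_audit_state passes it through unchanged, so the same consumer works for both connection configurations.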
Test a connection and review audit data
- From the Connect Overview page, click Connections.
- Click the connection that you created for Threat Response audit data.
- Click Run Now. Confirm that you want to run the connection.
- View the summary of the run.
- View the audit report in the destination that you configured for the connection.
Schedule the connection
For information on how to run connections on a schedule, see Tanium Connect User Guide: Schedule connections.
Last updated: 3/22/2023 9:53 AM