You can audit the actions that users perform in the Threat Response service. Export the audit data from Threat Response to Tanium Connect destinations, such as Email, File, HTTP, Socket Receiver, Splunk, and SQL Server, to gain visibility into the Threat Response actions that users performed during a specific time range.
You can audit the following Threat Response actions:
| Threat Response component | Action type |
|---|---|
| Threat Response Settings (with the exception of engine- or recorder-specific settings) | |
| Live Endpoint Connections | |
| Live Response Collections | |
| Live Response Destinations | |
| Live Response File Collectors | |
| Live Response Script Sets | |
| Live Response Packages | |
To export data from Threat Response to Connect destinations such as Email, File, HTTP, Socket Receiver, Splunk, and SQL Server, create a connection.
Before you begin
- You must have access to Connect with the Connect User role.
- You must have Connect 4.10.5 or later and Threat Response 1.3.0 or later.
Create a connection
- From the Connect menu, click Connections and then click Create Connection > Create.
- Under General Information, provide a name and description for the connection. Select Enable. Select a Log Level.
- Under Source and Destination, select Tanium Threat Response as the source.
- In the Type field, select Audit Report.
- In the Batch Size field, enter the number of rows of Threat Response data to return at a time. The default is 1000.
- In the Minutes to Collect field, enter the number of minutes prior to the start time to collect data. For an exhaustive log, leave this field blank.
- Select Send the Audit State Column to Tanium Connect as JSON to send the data in JSON format. If unselected, data is sent as a string object.
- Under Destination, select where you want Connect to send the audit data. Provide any additional configuration for the type of destination you select.
- Provide any filters you want to apply to the data. You can use filters to modify the data that you are getting from your connection source before it is sent to the destination.
- Expand Columns to review the format of the output data. Make changes as appropriate and add any custom columns that are relevant.
- Click Save Changes.
Test a connection and review audit data
- From the Connect Home page, click Connections.
- Click the connection that you created for Threat Response audit data.
- Click Run Now. Confirm that you want to run the connection.
- View the summary of the run.
- View the audit report in the destination that you configured for the connection.
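The following is an added example of consuming the exported audit report, not Tanium's code. It assumes the connection used a File destination that wrote one audit row per line as JSON (a hypothetical layout; the page does not specify the file format), and that the rows carry Timestamp, User, Component and Action columns, which are also assumptions. The only column the page describes is Audit State, which Connect sends either as a JSON object (when Send the Audit State Column to Tanium Connect as JSON is selected) or as a string; the parser below accepts both encodings, plus a string that is not JSON at all, so a single format choice does not break the pipeline. The sample rows and the review policy (who may change Threat Response Settings, what counts as working hours) are constructed for the example.

```python
"""Review a Threat Response audit export written by a Connect File destination.

Added example, not Tanium code. The file layout (one JSON row per line) and the
column names other than "Audit State" are hypothetical.
"""
import json
from datetime import datetime, timezone

# Constructed sample export. Row 1 has Audit State as a JSON object (the checkbox
# was selected); row 2 has it as a string containing JSON (checkbox unselected);
# row 3 has it as a string that is not JSON.
SAMPLE_EXPORT = r"""
{"Timestamp": "2019-11-20T14:10:00Z", "User": "alice", "Component": "Live Endpoint Connections", "Action": "create", "Audit State": {"endpoint": "ws-042", "reason": "IR-1187"}}
{"Timestamp": "2019-11-20T21:30:00Z", "User": "bob", "Component": "Threat Response Settings", "Action": "update", "Audit State": "{\"setting\": \"alertRetentionDays\", \"old\": 90, \"new\": 7}"}
{"Timestamp": "2019-11-21T03:05:00Z", "User": "svc-deploy", "Component": "Live Response Script Sets", "Action": "update", "Audit State": "not json at all"}
"""

# Hypothetical review policy: who is expected to change Threat Response Settings,
# and the UTC hours (inclusive start, exclusive end) during which analysts normally work.
SETTINGS_ADMINS = {"alice"}
WORK_HOURS = (8, 18)


def parse_audit_state(value):
    """Normalise the Audit State column to a dict.

    Accepts a JSON object, a string holding JSON text, or any other string.
    Anything that is not a JSON object is kept verbatim under "raw" instead of
    being dropped, so an unexpected encoding is still visible to the reviewer.
    """
    if isinstance(value, dict):
        return value
    if isinstance(value, str):
        try:
            parsed = json.loads(value)
        except ValueError:
            return {"raw": value}
        return parsed if isinstance(parsed, dict) else {"raw": value}
    return {"raw": str(value)}


def load_rows(ndjson_text):
    """Parse the export into row dicts with a normalised Audit State and a UTC timestamp."""
    rows = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        row = json.loads(line)
        row["Audit State"] = parse_audit_state(row.get("Audit State"))
        row["_ts"] = datetime.strptime(
            row["Timestamp"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows


def flag_rows(rows, settings_admins=SETTINGS_ADMINS, work_hours=WORK_HOURS):
    """Return (user, component, action, reason) tuples worth a second look.

    Two checks: changes to Threat Response Settings by anyone outside the admin
    set, and any audited action performed outside working hours.
    """
    start, end = work_hours
    findings = []
    for row in rows:
        user, component, action = row["User"], row["Component"], row["Action"]
        if component == "Threat Response Settings" and user not in settings_admins:
            findings.append((user, component, action, "settings change by non-admin"))
        if not start <= row["_ts"].hour < end:
            findings.append((user, component, action, "action outside working hours"))
    return findings


if __name__ == "__main__":
    for finding in flag_rows(load_rows(SAMPLE_EXPORT)):
        print(finding)
```

When the export lands in Splunk or SQL Server instead of a file, the same `parse_audit_state` logic applies to the Audit State field of each event or row; the point is to decide the JSON-versus-string setting once and make the consumer tolerate both, since changing the checkbox later silently changes the column's type.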
Schedule the connection
For information on how to run connections on a schedule, see Tanium Connect User Guide: Schedule connections.
Last updated: 11/20/2019 9:45 PM