Auditing events

Zero Trust provides an audit log that you can use to monitor Zero Trust events.

Review data sent to your IAM provider

  1. From the Main menu, go to Shared Services > Zero Trust. The Zero Trust Overview page opens.
  2. Review the data in the Sent to Microsoft Entra ID section.

    To view the Sent to Microsoft Entra ID section, you must have unrestricted management rights. If you have Zero Trust Microsoft Entra ID Audit read permission, you can use filters to view the audit entries on the Microsoft Entra ID Audit Log page.

  3. (Optional) Use the following filter options to find specific entries if the list is long. The list shows only the entries that match all the filters that you specify.
    Event filter options
    Option | Description
    Select action | Use the Action buttons to toggle between All entries, entries for rules that Apply an extension attribute, and rules that Remove an extension attribute.
    Select extension attribute number | Select a value for Extension Attribute # to only show entries that removed or applied a value to the extension attribute.
    Select extension attribute | Select a value for Extension Attribute to only show entries that removed or applied the extension attribute.
    Filter items | Enter an alphanumeric string to match text in the Computer Name, IP Address, MAC Address, Rule, Extension Attribute #, and Extension Attribute columns.
    Filters | Expand Filters and specify any additional filters.
    Manage columns | In the header, click Customize Columns and drag the column names in the desired order. To remove a column, deselect the checkbox next to the column name.
    Refresh entries | Click Refresh. Any filters that you added apply to the updated results.

View audit log

Perform the following steps to review all audit entries, including entries generated from rules in audit mode.

Microsoft Entra ID

You require Zero Trust Microsoft Entra ID Audit read permission to access the Microsoft Entra ID Audit Log page.

  1. From the Zero Trust menu, go to Audit Log. The Microsoft Entra ID Audit Log page shows a log of events captured by Tanium.
  2. (Optional) Use the following filter options to find specific entries if the list is long. The list shows only the events that match all the filters that you specify.
    Event filter options
    Option | Description
    Select mode | Use the Enforcement Mode buttons to toggle between entries for All rules, Audit rules, and Enforce rules.
    Select action | Use the Action buttons to toggle between All entries, entries for rules that Apply an extension attribute, and rules that Remove an extension attribute.
    Select trigger mechanism | Use the Triggered by buttons to toggle between All rules, events triggered by a Rule, and entries recorded by users who Manually added an endpoint. For information, see Manually modify endpoint attribute.
    Filter items | Enter an alphanumeric string to match text in the Computer name, Device ID, Extension Attribute #, and Extension Attribute columns.
    Filters | Expand Filters and specify any additional filters.
    Manage columns | In the log header, click Customize Columns and drag the column names in the desired order. To remove a column, deselect the checkbox next to the column name.
  3. (Optional) Take action on a rule. The following actions are available:
    Available actions
    Option | Description
    View audit entry | Click Open Side Panel in the row of the entry to view additional details for the entry.
    Export audit entries | Click Export, and then click Download when the audit log is ready. The ZIP file contains all visible log entries in a CSV format.
    Refresh entries | Click Refresh. Any filters that you added apply to the updated results.
    Manage columns | In the header, click Customize Columns and drag the column names in the desired order. To remove a column, deselect the checkbox next to the column name.
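
One way to triage the exported ZIP offline, as an added example that is not Tanium code: it counts entries by enforcement mode and action, and lists entries that were not triggered by a rule. The Action, Enforcement Mode and Triggered by column headers, the cell values (Apply, Remove, Audit, Enforce, Rule, Manual), and the sample rows are assumptions; match them to the header row of your own export.

```python
import csv
import io
import zipfile
from collections import Counter

# Assumed column headers; adjust to the header row of your own export.
COL_DEVICE, COL_ATTR = "Computer name", "Extension Attribute"
COL_ACTION, COL_MODE, COL_TRIGGER = "Action", "Enforcement Mode", "Triggered by"
REQUIRED = {COL_DEVICE, COL_ATTR, COL_ACTION, COL_MODE, COL_TRIGGER}

def read_export(zip_bytes):
    """Yield one dict per row from every CSV file inside the exported ZIP."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".csv"):
                text = zf.read(name).decode("utf-8-sig")  # tolerate a BOM
                yield from csv.DictReader(io.StringIO(text))

def review(zip_bytes):
    """Count entries by (mode, action) and collect entries not made by a rule."""
    counts, manual = Counter(), []
    for row in read_export(zip_bytes):
        missing = REQUIRED - set(row)
        if missing:
            raise ValueError(f"export lacks expected columns: {sorted(missing)}")
        counts[((row[COL_MODE] or "").strip(), (row[COL_ACTION] or "").strip())] += 1
        # Assumed value: rule-driven entries carry "Rule" in the trigger column.
        if (row[COL_TRIGGER] or "").strip().lower() != "rule":
            manual.append((row[COL_DEVICE], row[COL_ACTION], row[COL_ATTR]))
    return counts, manual

def sample_export():
    """Constructed sample rows, zipped the way the export is described."""
    rows = (
        "Computer name,Device ID,Extension Attribute #,Extension Attribute,"
        "Action,Enforcement Mode,Triggered by\n"
        "host-a,dev-0001,1,compliant,Apply,Enforce,Rule\n"
        "host-b,dev-0002,1,compliant,Remove,Audit,Rule\n"
        "host-c,dev-0003,2,exempt,Apply,Enforce,Manual\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("audit_log.csv", rows)
    return buf.getvalue()

if __name__ == "__main__":
    counts, manual = review(sample_export())
    print(dict(counts))
    print("entries not triggered by a rule:", manual)
```

Because the export contains only the visible log entries, clear any filters before exporting if the review should cover the whole log.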

Send logs through Connect

Use Connect to send Zero Trust log entries to Connect destinations. You can configure Connect to send log entries as they occur through the event source in Connect. For information about event sources, see Tanium Connect User Guide: Connection Sources.

Before you begin

  • Your Tanium license must include Connect.
  • Tanium™ Connect 5.0 or later is required.
  • You must have access to Connect with the Connect Operator or Connect Administrator role.

Create a connection

The following steps describe the basic settings that you configure for a connection. Additional settings vary by connection destination. For details, see Tanium Connect User Guide: Managing connections.

  1. From the Main menu, go to Modules > Connect.
  2. From the Connect Overview page, scroll to the Connections section and click Create Connection.
  3. In the General Information section, enter a Name and optional Description for the connection.
  4. In the Configuration section, select Event for the Source.
  5. Select Tanium Zero Trust for the Event Group.
  6. Click Microsoft Entra ID Device Rule.
  7. Select the Destination where you want Connect to send the data. Provide any additional configuration for the type of destination you select.
  8. Scroll to the Configure Output section and select a Format for the exported data.
  9. Scroll to the Enablement section and click Listen for this Event.

    Connections that use the event source run automatically when an event occurs. To disable the connection, deselect Listen for this Event.

  10. Click Save.

When an event occurs, Connect sends the log entry to the destination that you set.