With Connect, you can integrate Tanium™ with a SIEM, log analytics tools, threat feeds, or send email notifications.
A connection is the link between a connection source and a connection destination. The connection source might be data that Tanium is creating, like an answer or a log message. The connection destination is something outside of Tanium that you are integrating with, like a security information and event management (SIEM) tool.
Connect includes templates for many common SIEM tools, file, log, and email formats. You can use these templates to integrate with configuration management databases (CMDB), trouble ticketing systems, and proprietary IT systems.
Before your connections can successfully send data to a destination, your Tanium™ Cloud instance must be configured. Configure a Tanium Cloud Management Portal (CMP) network egress allow list rule for each destination fully qualified domain name (FQDN) and associated port.
For more information, see Tanium Cloud Deployment Guide: Network egress.
- Configuring AWS S3 destinations
- Configuring Elasticsearch destinations
- Configuring email destinations
- Configuring file destinations
- Configuring HTTP destinations
- Configuring Microsoft Log Analytics destinations
- Configuring Palo Alto Networks WildFire and Tanium Threat Response
- Configuring SIEM destinations
- Configuring SMB file share destinations
- Configuring SQL Server destinations
- Configuring Tanium Reputation destinations: Tanium Reputation User Guide: Send data to the reputation service
The action history is a record of all actions issued by console operators. To view this record in Tanium, go to Administration > Actions > Action History. For more information, see Tanium Console User Guide: Manage actions that are completed or in progress.
Client Status, previously named System Status, includes the state of all the endpoints, including some useful information about the endpoint like IP Address, position in the network, and the last time it registered with the Tanium Server. For more information about the Client Status data, see Tanium Console User Guide: View the status of Tanium Client registration and communication.
Tanium solutions, like Tanium™ Discover,
Palo Alto Networks WildFire
Integration between Tanium and WildFire takes a list of confirmed malware from a Palo Alto Networks firewall and requests a full report from the WildFire system. The full malware report is then converted into a standard indicator of compromise (IOC) and passed to the Threat Response system for multiple endpoint compromise detection. For more information, see Configuring Palo Alto Networks WildFire and Tanium Threat Response.
Palo Alto Networks WildFire is available as a source after Threat Response is installed.
The question history log is a history of every question that has been asked. When you are using the question log as a data source in Connect, you can filter the log in several ways to reduce the total volume of data being sent. For more information, see Tanium Console User Guide: Question history.
A saved question is a Tanium question that you want to ask on a repeated basis. For more information about saved questions, see Tanium Interact User Guide: Managing saved questions.
When you select a saved question as a source, the Computer Group drop-down defaults to No Filter, which does not filter the saved question with a computer group. Select No Filter if you want to send recent saved question results from all endpoints to the destination. The endpoint results are subject to the computer group management rights of the user configuring the connection, and might not match the endpoint membership of the All Computers computer group. Select the All Computers computer group if you want to explicitly filter the saved question on the All Computers computer group.
You can use the following settings for saved question sources:
|Flatten Results||You might want to enable the Flatten Results setting to process results as individual records. For example, you might want to get notified when you see a new MD5 hash on a machine. Without the Flatten Results setting enabled, the entire data set that is retrieved by the saved question from a machine, such as all MD5 hashes, is considered to be a single record. Any change that is made to this data set shows up in the destination. By enabling the Flatten Results setting, Connect processes the new hashes on an individual basis (one MD5 hash from one machine) instead of all hashes from a machine as a single record.|
|Hide Errors||If the saved question returns an error, you can use the Hide Errors setting to prevent the error results from getting sent to the destination.|
|Hide No Results||If the saved question returns [No results], you can use the Hide No Results setting to prevent this result from being sent to the destination.|
|Include Recent Answers||
If you want to include results from machines that are offline, select Include Recent Answers, which returns the most recent answer to the saved question for the offline endpoint.
If you select Include Recent Answers, for the best results, you should also select No Filter from the Computer Group drop-down.
|Answer Complete Percent||Results are returned when the saved question returns the configured complete percent value. Any results that come in after the configured percent value has passed are not sent to the destination. If you are finding that the data returned from the saved question is incomplete in your destination, you can disable this setting by setting it to 0. If disabled, all data is returned after the timeout passes.|
|Timeout||Minutes to wait for clients to reply before returning processed results when Answer Complete Percent is set to 0. If the Answer Complete Percent value is not met at the end of the time limit, then the connection run is marked as a failure. The maximum timeout is 10 minutes.|
|Batchsize||Number of rows that are returned for the saved question results at one time. This setting might vary depending on your destination.|
Server Information Source
Use the server information in the following location as a connection source: https://<tanium_server>/info.json.
Tanium Asset comes with a set of predefined reports to help you prepare for audit and inventory activities. You can also create your own custom reports and views. For each report or view, you can create a connection that specifies a report or view as a data source. Currently supported destinations include Email, File, HTTP, Socket Receiver, Splunk, and SQL Server. For more information, see Tanium Asset User Guide: Asset overview.
Tanium™ Audit Source
Tanium Server keeps detailed audit logs for server configuration and settings changes. However, accessing these logs requires direct access to the Tanium database. To access the audit logs, you can set them up as a data source in Connect. For more information, see Tanium Security Recommendations Guide: Enable and forward Tanium logs.
For information on data available with the Tanium Audit Source, see Reference: Tanium Audit Source data.
Tanium Comply enables you to export compliance and vulnerability findings to help support enterprise compliance goals. Use the Tanium Comply (Findings) source to export all compliance and all vulnerability findings. Use the Tanium Comply (Assessments) source to export all vulnerability assessments. For more information, see Tanium Comply User Guide: Exporting findings and assessments.
Tanium™ Data Service
The Tanium Data Service enables you to see stored sensor results for endpoints that are offline at the moment you issue a saved question. For more information, see Tanium Console User Guide: Manage sensor results collection.
Tanium™ Direct Connect
Tanium Direct Connect enables other Tanium modules to establish sessions with endpoints. You can create a connection that generates an audit report of Direct Connect sessions and actions that users performed on endpoints during Direct Connect sessions. For more information, see Tanium Direct Connect User Guide: Exporting an audit log.
Tanium Discover contains reports that maintain an inventory of interfaces in your environment. For each report, you can create a connection that specifies a report as a data source. For more information, see Tanium Discover User Guide: Discover overview.
Tanium™ Endpoint Configuration
Tanium Endpoint Configuration enables you to deliver configuration information to endpoints consistently for all Tanium solutions that are available in an environment. You can create a connection that generates an audit report of all Endpoint Configuration management actions, manifest actions, and configuration changes. For more information, see Tanium Endpoint Configuration User Guide: Exporting an audit log.
Tanium Impact identifies the users, groups, and endpoints that have the highest potential impact in your organization if compromised, based on the impact rating. You can create a connection that specifies all users, groups, or endpoints with the highest impact as a data source. For more information, see Tanium Impact User Guide: Impact overview.
Tanium™ Integrity Monitor
Tanium Integrity Monitor enables you to define watchlists of files, directories, and Windows registry paths that you want to monitor for changes. Use the Tanium Integrity Monitor source to export watchlist data. For more information, see Tanium Integrity Monitor User Guide: Integrity Monitor overview.
Use Tanium Reporting to create custom reports from data that is collected by the Tanium Data Service. You can create a connection that specifies a saved custom report and sub-view as a data source. For more information, see Tanium Reporting User Guide: Export reports through Tanium Connect.
Tanium Reputation is an aggregated repository of reputation data from various sources, including Palo Alto Networks WildFire, ReversingLabs, and VirusTotal. You can choose which type of status to include, such as only malicious or suspicious content. You can choose to include the full report, which includes the detailed information from the reputation source, not just the status of the reputation item. You must have one or more reputation sources configured to get information from this connection source. For more information, see Tanium Reputation User Guide: Reputation overview.
Tanium™ Threat Response
Tanium Threat Response contains audit reports for actions that were performed in Threat Response. For each report, you can create a connection that specifies a report as a data source. For more information, see Tanium Threat Response User Guide: Threat Response overview.
Tanium Trends provides data visualization panels from saved question or module sources. You can create boards that organize one or more panels. For each board, you can create a connection that specifies a board as a data source in HTML format. Valid destinations are AWS S3, Email, or File. For more information, see Tanium Trends User Guide: Trends overview.
A connection run is a single iteration of sending data from a connection source to a connection destination. Use Cron schedules to adjust the timing of each connection run. You can have connections run at different combinations of on the minute, hour, day, week, or month. You can see when connections are running and how much data is being sent with the schedule view. For more information about schedules, see Schedule connections.
In addition to connection source data from other Tanium products, Connect also integrates with other Tanium products to provide additional features and reporting of related data.
If you want to pre-populate reputation data with hashes from your environment, you can send data to Tanium Reputation from Connect. When this content is pre-populated, the reputation service can start querying about the status of the items from the reputation sources. For more information, see Tanium Reputation User Guide: Send data to the reputation service.
Connect features Trends charts that provide data visualization of Connect concepts. These boards are available in Trends and also appear on the Connect Overview page.
The Connect charts display how much data is sent to all destinations each day, and the number of total connections that are initiated and scheduled each hour. The charts include data for both failed and successful connection runs. The following panels are in the Connect board in Trends, and also display on the Connect Overview page:
- Bytes sent per day
- Data sent per day
- Connection runs per hour
- Scheduled connections per hour
For more information about how to import the Trends boards that are provided by Connect, see Tanium Trends User Guide: Importing the initial gallery.
Last updated: 8/9/2022 4:34 PM | Feedback