Tanium Audit
About
Father and son founders David and Orion Hindawi make it their mission to empower the world’s largest organizations to manage and protect their mission-critical networks. This singular focus led to the creation of the Tanium platform, which solves the biggest security and IT management challenges organizations face by providing lightning-fast ability to see everything and do anything across computer networks – with unparalleled scale.
Product Details
Vendor URL: Tanium - The Power of Certainty
Product Type: Endpoint Detection and Response
Product Tier: Tier I
Integration Method: Chronicle
Integration URL: n/a
Log Guide: Tanium User Documentation
Parser Details
Log Format: JSON
Expected Normalization Rate: Unknown
Data Label: TANIUM_AUDIT
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field | UDM Event Type |
---|---|---|
Tanium | metadata.vendor_name | All |
Threat Response | metadata.product_name | All |
Tanium_Threat_Response | observer.hostname | All |
observer | observer.ip | All |
device_action - Name/Message | metadata.product_event_type | All |
src_user/User | principal.user.userid | All |
Message/Name | metadata.description | All |
Defined | metadata.event_type | All |
MACHINE | extensions.auth.type | USER_LOGIN/USER_LOGOUT |
Console | target.hostname | USER_LOGIN/USER_LOGOUT |
ip_address | principal.ip | All |
SETTING | target.resource.type | SETTING_UNCATEGORIZED/SETTING_DELETION/SETTING_CREATION |
Product Event Types
Description | metadata.event_type |
---|---|
All events not matched by a rule below | GENERIC_EVENT |
"consoleAuthentication" and "New Session Created" | USER_LOGIN |
"consoleAuthentication" and "User Logged Out" | USER_LOGOUT |
Scan | SCAN_UNCATEGORIZED |
Configuration | SETTING_UNCATEGORIZED |
Configuration and "Deletion" | SETTING_DELETION |
Configuration and "Addition" | SETTING_CREATION |
Log Sample
{"Start Time":"2021-06-16T17:54:23","Device Action":"consoleAuthentication","Source User Name":"none","Name":"User: USERNAME; Session ID: sess; Authentication Type: User; IP Address: 10.10.1.1","Message":"New Session Created","AuditText":""}
Sample Parsing
metadata.event_timestamp "2021-07-22T22:11:41.708644Z"
metadata.event_type "SCAN_UNCATEGORIZED"
metadata.vendor_name "Tanium"
metadata.product_name "Threat Response"
metadata.product_event_type "packages - Addition"
metadata.description "Discover - Execute Scan"
metadata.ingested_timestamp "2021-07-22T22:11:41.708644Z"
principal.hostname "hostname"
principal.user.userid "tanium"
observer.hostname "Tanium_Threat_Response"
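As an added example (not Tanium's code and not the Chronicle parser itself), the following Python applies the UDM field mappings and the Product Event Types rules above to a record shaped like the log sample. Two points are assumptions: that the Scan/Configuration/Deletion/Addition keywords are matched across Device Action, Name and Message, and that principal.user.userid falls back to the User value inside Name when Source User Name is "none".

```python
import json

SAMPLE_RECORD = (  # constructed from the log sample above; placeholder values, not real data
    '{"Start Time":"2021-06-16T17:54:23","Device Action":"consoleAuthentication",'
    '"Source User Name":"none","Name":"User: USERNAME; Session ID: sess; '
    'Authentication Type: User; IP Address: 10.10.1.1","Message":"New Session Created","AuditText":""}')

def parse_name_field(name: str) -> dict:
    """Split the 'Key: value; Key: value' pairs of the Name field into a dict."""
    parts = (p.partition(":") for p in name.split(";"))
    return {k.strip(): v.strip() for k, sep, v in parts if sep}

def classify_event(device_action: str, name: str, message: str) -> str:
    """Apply the Product Event Types table; the first matching rule wins."""
    if device_action == "consoleAuthentication":
        if "New Session Created" in message:
            return "USER_LOGIN"
        if "User Logged Out" in message:
            return "USER_LOGOUT"
    text = f"{device_action} {name} {message}"  # assumption: keywords matched across these three fields
    if "Scan" in text:
        return "SCAN_UNCATEGORIZED"
    if "Configuration" in text:
        if "Deletion" in text:
            return "SETTING_DELETION"
        return "SETTING_CREATION" if "Addition" in text else "SETTING_UNCATEGORIZED"
    return "GENERIC_EVENT"

def normalize(raw: str) -> dict:
    """Map one Tanium audit JSON line onto the UDM fields listed above."""
    rec = json.loads(raw)
    action, name, message = rec.get("Device Action", ""), rec.get("Name", ""), rec.get("Message", "")
    fields, event_type = parse_name_field(name), classify_event(action, name, message)
    src_user = rec.get("Source User Name", "")
    udm = {
        "metadata.vendor_name": "Tanium",
        "metadata.product_name": "Threat Response",
        "observer.hostname": "Tanium_Threat_Response",
        "metadata.event_type": event_type,
        "metadata.product_event_type": f"{action} - {message or name}",
        "metadata.description": message or name,
        # Assumption: fall back to the User value inside Name when Source User Name is "none".
        "principal.user.userid": src_user if src_user not in ("", "none") else fields.get("User", ""),
    }
    if "IP Address" in fields:
        udm["principal.ip"] = fields["IP Address"]
    if event_type in ("USER_LOGIN", "USER_LOGOUT"):
        udm["extensions.auth.type"], udm["target.hostname"] = "MACHINE", "Console"
    if event_type.startswith("SETTING_"):
        udm["target.resource.type"] = "SETTING"
    return udm
```

Running `normalize(SAMPLE_RECORD)` is a quick way to check that a parser change still yields USER_LOGIN with principal.ip populated for console logins before relying on it in a detection rule.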
Parser Alerting
This product currently does not have any parser-based alerting.
Rules
Coming soon