Tanium Reveal¶
About¶
Reduce risk, hunt threats and recover from security incidents in seconds with real-time visibility, complete control and rapid response across endpoints everywhere. Tanium provides endpoint security at scale, all from a single platform for consolidated control and visibility.
Product Details¶
Vendor URL: Tanium Reveal
Product Type: DLP
Product Tier: Tier II
Integration Method: Syslog
Integration URL: Tanium Reveal Integration Guide
Log Guide: Tanium Reveal Log Guide
Parser Details¶
Log Format: JSON
Expected Normalization Rate: Near 100%
Data Label: TANIUM_REVEAL
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| Computer Name | target.hostname |
| Computer-ID | target.resource.id |
| Computer-Name | target.hostname |
| Confirmed Hits | security_result.summary |
| File | target.file.full_path |
| Files-Matched | security_result.detection_fields.value |
| rule | security_result.rule_name |
| Rule Name | security_result.rule_name |
| Rule Name | metadata.product_event_type |
| Scan-Progress | security_result.detection_fields.value |
| Size | additional.fields.value.string_value |
| src_host | principal.hostname |
| Total-Matches | security_result.detection_fields.value |
| Unverified-Matches | security_result.detection_fields.value |
| Unverified-Matches1 | security_result.detection_fields.value |
Product Event Types¶
| Event | ConfirmedHits | metadata.event_type | alerting? |
|---|---|---|---|
| all others | GENERIC_EVENT | ||
| src_host not blank | SCAN_HOST | ||
| not = 0 and not blank | TRUE |
Log Sample¶
{"Computer Name":"hostname","File":"redactedfile","Size":"73.24 KB","Modified":"Wed, 04 Sep 2019 05:43:03 +0000","Rule Name":"Log4j Scan","Confirmed Hits":"2","Unconfirmed Hits":"0","Count":"1"}
Sample Parsing¶
metadata.event_timestamp = "2022-01-14T06:40:23.037726Z"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "TANIUM_REVEAL"
metadata.product_name = "TANIUM_REVEAL"
metadata.product_event_type = "Log4j Scan"
metadata.ingested_timestamp = "2022-01-14T06:40:23.037726Z"
additional.file_size = "73.24 KB"
target.hostname = "hostname"
target.file.full_path = "redactedfile"
target.asset.hostname = "hostname"
security_result.rule_name = "Log4j Scan"
security_result.summary = "Confirmed Hits 2"
security_result.severity = "HIGH"
security_result.confidence = "HIGH_CONFIDENCE"
security_result.priority = "HIGH_PRIORITY"
security_result.alert_state = "ALERTING"
Parser Alerting¶
Alerting criteria is listed in the Product Event Types table above.
Rules¶
Coming Soon