Tanium Reveal

About

Reduce risk, hunt threats and recover from security incidents in seconds with real-time visibility, complete control and rapid response across endpoints everywhere. Tanium provides endpoint security at scale, all from a single platform for consolidated control and visibility.

Product Details

Vendor URL: Tanium Reveal

Product Type: DLP

Product Tier: Tier II

Integration Method: Syslog

Integration URL: Tanium Reveal Integration Guide

Log Guide: Tanium Reveal Log Guide

Parser Details

Log Format: JSON

Expected Normalization Rate: Near 100%

Data Label: TANIUM_REVEAL

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field        UDM Field
--------------        ---------
Computer Name         target.hostname
Computer-ID           target.resource.id
Computer-Name         target.hostname
Confirmed Hits        security_result.summary
File                  target.file.full_path
Files-Matched         security_result.detection_fields.value
rule                  security_result.rule_name
Rule Name             security_result.rule_name
Rule Name             metadata.product_event_type
Scan-Progress         security_result.detection_fields.value
Size                  additional.fields.value.string_value
src_host              principal.hostname
Total-Matches         security_result.detection_fields.value
Unverified-Matches    security_result.detection_fields.value
Unverified-Matches1   security_result.detection_fields.value

Product Event Types

Event                 ConfirmedHits            metadata.event_type   alerting?
-----                 -------------            -------------------   ---------
all others            -                        GENERIC_EVENT         -
src_host not blank    -                        SCAN_HOST             -
-                     not = 0 and not blank    -                     TRUE

Log Sample

{"Computer Name":"hostname","File":"redactedfile","Size":"73.24 KB","Modified":"Wed, 04 Sep 2019 05:43:03 +0000","Rule Name":"Log4j Scan","Confirmed Hits":"2","Unconfirmed Hits":"0","Count":"1"}

Sample Parsing

metadata.event_timestamp = "2022-01-14T06:40:23.037726Z"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "TANIUM_REVEAL"
metadata.product_name = "TANIUM_REVEAL"
metadata.product_event_type = "Log4j Scan"
metadata.ingested_timestamp = "2022-01-14T06:40:23.037726Z"
additional.file_size = "73.24 KB"
target.hostname = "hostname"
target.file.full_path = "redactedfile"
target.asset.hostname = "hostname"
security_result.rule_name = "Log4j Scan"
security_result.summary = "Confirmed Hits 2"
security_result.severity = "HIGH"
security_result.confidence = "HIGH_CONFIDENCE"
security_result.priority = "HIGH_PRIORITY"
security_result.alert_state = "ALERTING"
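The field mapping and the Product Event Types rules above, applied to the page's log sample, as an added Python example (this is illustration code, not Tanium's or the parser's own implementation; the second record with src_host is constructed to exercise the SCAN_HOST path):

```python
import json

# Log field -> UDM field, taken from the UDM Fields table on this page.
# "Computer Name" and "Computer-Name" both appear there, so both are mapped.
FIELD_MAP = {
    "Computer Name": "target.hostname",
    "Computer-Name": "target.hostname",
    "Computer-ID": "target.resource.id",
    "File": "target.file.full_path",
    "Rule Name": "security_result.rule_name",
    "rule": "security_result.rule_name",
    "src_host": "principal.hostname",
    "Size": "additional.fields.value.string_value",
}


def normalize(raw: str) -> dict:
    """Flatten one Tanium Reveal JSON log into UDM-style dotted keys.

    Event type and alerting follow the Product Event Types table:
    src_host not blank -> SCAN_HOST, otherwise GENERIC_EVENT;
    Confirmed Hits not blank and not "0" -> alert_state ALERTING.
    """
    log = json.loads(raw)
    udm = {"metadata.vendor_name": "TANIUM_REVEAL",
           "metadata.product_name": "TANIUM_REVEAL"}
    for src, dst in FIELD_MAP.items():
        if str(log.get(src, "")).strip():          # skip blank fields
            udm[dst] = log[src]
    if "Rule Name" in log:                          # second mapping of Rule Name
        udm["metadata.product_event_type"] = log["Rule Name"]
    hits = str(log.get("Confirmed Hits", "")).strip()
    if hits:
        udm["security_result.summary"] = f"Confirmed Hits {hits}"
    udm["metadata.event_type"] = "SCAN_HOST" if "principal.hostname" in udm else "GENERIC_EVENT"
    if hits not in ("", "0"):                       # "not = 0 and not blank"
        udm["security_result.alert_state"] = "ALERTING"
    return udm


# Log sample from the page.
SAMPLE = ('{"Computer Name":"hostname","File":"redactedfile","Size":"73.24 KB",'
          '"Modified":"Wed, 04 Sep 2019 05:43:03 +0000","Rule Name":"Log4j Scan",'
          '"Confirmed Hits":"2","Unconfirmed Hits":"0","Count":"1"}')

# Constructed record (not from the page): scan-progress style event, no hits.
SCAN_SAMPLE = '{"src_host":"scanner01","Rule Name":"Log4j Scan","Confirmed Hits":"0"}'

if __name__ == "__main__":
    for key, value in normalize(SAMPLE).items():
        print(f"{key} = {value!r}")
```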

Parser Alerting

The alerting criteria are listed in the Product Event Types table above.