Skip to main content

Tanium

Download With Dependencies

Tanium endpoint security and systems management

Tanium

This pack includes Cortex XSIAM content.

Configuration on Server Side

Tanium Integrity Monitor logs

In order to forward Tanium Integrity Monitor logs, follow the steps below.

You will need to configure a Socket Receiver on the Tanium side.

  1. Go to Modules > Interact.
  2. Copy the following question to the "Ask a Question" box under Explore Data and run it.
Get Computer Name and Last Logged In User and Integrity Monitor - Monitor Events[10,0,360,15,0,""] from all machines
  1. Click Save and configure the question as described in the next steps.
  2. Under Name, write "XSIAM Integrity Montior".
  3. From the Content Set dropdown, select Base.
  4. Verify that the text under Question Text matches the question mentioned in step 2.
  5. Check the "Reissue this question every" checkbox, and set it to 2 hours.
  6. Go to Modules > Connect.
  7. Enter a name and description for the connection.
  8. From the Source dropdown, select Saved Question.
  9. From the Saved Question Name dropdown, select XSIAM Integrity Montior.
  10. From the Destination dropdown, select Socket Receiver.
  11. Specify a unique name for the Destination Name.
  12. Under Host, fill in the name or the IP address of the SIEM.
  13. Specify the port number under Port.
  14. Select JSON from the dropdown under Format.
  15. Check the "Enable Schedule" checkbox under Schedule.
  16. Set the Timezone to UTC.
  17. From the Frequency dropdown, select Multiple runs per day, every day.
  18. From the Hour Interval dropdown, select Every 2nd hour.
  19. From the Minute dropdown, select On the hour.
  20. Click Save.

More information can be found here

Note:
Make sure to send the logs in UTC time.
Modify the value type of the "Event Time" field to "Date/Time" and select "ISO 8601 UTC (Zulu)".
The supported time format is yyyy-MM-ddThh:mm:ssZ (2021-01-15T10:00:00Z). The relevant field is "Event Time".
Example:

Collect Events from Vendor

In order to use the collector, use the Broker VM option.

Broker VM

To create or configure the Broker VM, use the information described here.

You can configure the specific vendor and product for this instance.

Tanium Integrity Monitor logs

  1. Navigate to Settings > Configuration > Data Broker > Broker VMs.
  2. Go to the apps tab and add the Syslog app. If it already exists, click the Syslog app and then click Configure.
  3. Click Add New.
  4. When configuring the Syslog Collector, set the following values:
    • vendor as vendor - tanium
    • product as product - integrity_monitor

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

CertificationRead more
Supported ByCortex
CreatedJuly 23, 2020
Last ReleaseNovember 28, 2024
WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.