Tanium
This pack includes Cortex XSIAM content.
Configuration on Server Side
Tanium Integrity Monitor logs
In order to forward Tanium Integrity Monitor logs, follow the steps below.
You will need to configure a Socket Receiver on the Tanium side.
- Go to Modules > Interact.
- Copy the following question to the "Ask a Question" box under Explore Data and run it.
Get Computer Name and Last Logged In User and Integrity Monitor - Monitor Events[10,0,360,15,0,""] from all machines
- Click Save and configure the question as described in the next steps.
- Under Name, write "XSIAM Integrity Monitor".
- From the Content Set dropdown, select Base.
- Verify that the text under Question Text matches the question mentioned in step 2.
- Check the "Reissue this question every" checkbox, and set it to 2 hours.
- Go to Modules > Connect.
- Enter a name and description for the connection.
- From the Source dropdown, select Saved Question.
- From the Saved Question Name dropdown, select the "XSIAM Integrity Monitor" question saved above.
- From the Destination dropdown, select Socket Receiver.
- Specify a unique name for the Destination Name.
- Under Host, fill in the hostname or IP address of the Broker VM that will receive the logs.
- Under Port, specify the port on which the Broker VM syslog collector listens.
- Select JSON from the dropdown under Format.
- Check the "Enable Schedule" checkbox under Schedule.
- Set the Timezone to UTC.
- From the Frequency dropdown, select Multiple runs per day, every day.
- From the Hour Interval dropdown, select Every 2nd hour.
- From the Minute dropdown, select On the hour.
- Click Save.
More information can be found here
Note:
Make sure the logs are sent in UTC.
Modify the value type of the "Event Time" field to "Date/Time" and select "ISO 8601 UTC (Zulu)".
The supported time format is yyyy-MM-ddTHH:mm:ssZ (24-hour clock, for example 2021-01-15T10:00:00Z). The relevant field is "Event Time". An "Event Time" value that carries a local-time offset, or no offset at all, will not be parsed as expected by the collector, so check the output of the connection before relying on it.
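The following script is an added pre-flight check for the forwarding set up above; it is not part of this pack or of Tanium Connect. It takes a few constructed sample events (using the column names from the saved question: "Computer Name", "Last Logged In User", "Event Time"), verifies that every "Event Time" is in the yyyy-MM-ddTHH:mm:ssZ form the Note requires, converts timestamps that carry an explicit UTC offset (and, as an extra assumption, Unix epoch numbers) to that form, rejects timestamps with no offset instead of guessing a timezone, and can send the result as newline-delimited JSON over TCP to the Broker VM syslog port so the collector can be tested before the Tanium schedule is enabled. The host, port and sample values are placeholders.

```python
"""Pre-flight check for Tanium -> Broker VM socket forwarding (added example).

Validates that each event's "Event Time" is yyyy-MM-ddTHH:mm:ssZ (ISO 8601 UTC,
Zulu), normalizes offset-bearing or epoch timestamps to it, and ships the events
as newline-delimited JSON to the Broker VM syslog collector over TCP.
"""
import json
import re
import socket
from datetime import datetime, timezone

EVENT_TIME_FIELD = "Event Time"
# Exactly the format the Note calls out: no fractional seconds, trailing 'Z'.
ZULU_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")
ZULU_FMT = "%Y-%m-%dT%H:%M:%SZ"


def normalize_event_time(value):
    """Return `value` as yyyy-MM-ddTHH:mm:ssZ, or raise ValueError.

    Accepted inputs: a string already in Zulu form, an ISO 8601 string with an
    explicit UTC offset, or (assumption, not from the pack) a Unix epoch number.
    A timestamp without an offset is rejected rather than guessed, because the
    collector would otherwise treat it as UTC and skew every event.
    """
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return datetime.fromtimestamp(value, tz=timezone.utc).strftime(ZULU_FMT)
    if not isinstance(value, str):
        raise ValueError(f"unsupported {EVENT_TIME_FIELD!r} type: {type(value).__name__}")
    if ZULU_RE.match(value):
        return value
    # datetime.fromisoformat() only understands a trailing 'Z' from Python 3.11 on.
    iso = value[:-1] + "+00:00" if value.endswith("Z") else value
    dt = datetime.fromisoformat(iso)
    if dt.tzinfo is None:
        raise ValueError(f"{EVENT_TIME_FIELD!r} has no UTC offset: {value!r}")
    return dt.astimezone(timezone.utc).strftime(ZULU_FMT)


def prepare_events(events):
    """Validate and normalize event dicts; return one compact JSON line per event."""
    lines = []
    for ev in events:
        if EVENT_TIME_FIELD not in ev:
            raise ValueError(f"event missing {EVENT_TIME_FIELD!r}: {ev}")
        fixed = dict(ev)
        fixed[EVENT_TIME_FIELD] = normalize_event_time(ev[EVENT_TIME_FIELD])
        lines.append(json.dumps(fixed, separators=(",", ":")))
    return lines


def send_events(host, port, lines, timeout=5.0):
    """Send the JSON lines over a plain TCP socket; returns the number of bytes sent."""
    payload = ("\n".join(lines) + "\n").encode("utf-8")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
    return len(payload)


# Constructed sample events: column names from the saved question, values made up.
SAMPLE_EVENTS = [
    {"Computer Name": "ws-001", "Last Logged In User": "alice",
     "Event Time": "2021-01-15T10:00:00Z"},
    # Local time with an offset: must be converted to 10:00:00Z, not left as-is.
    {"Computer Name": "ws-002", "Last Logged In User": "bob",
     "Event Time": "2021-01-15T12:00:00+02:00"},
]

if __name__ == "__main__":
    import sys
    prepared = prepare_events(SAMPLE_EVENTS)
    for line in prepared:
        print(line)
    if len(sys.argv) == 3:  # usage: python check_forwarding.py <broker-vm-host> <port>
        print("sent", send_events(sys.argv[1], int(sys.argv[2]), prepared), "bytes")
```

Run it with no arguments to see the normalized JSON lines; pass the Broker VM host and syslog port to push them to the collector and confirm the events show up with the vendor and product configured in the Syslog app. The socket used here is plain TCP, as is the Tanium Connect Socket Receiver destination described above; protect the path between Tanium and the Broker VM at the network level.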
Collect Events from Vendor
In order to use the collector, use the Broker VM option.
Broker VM
To create or configure the Broker VM, use the information described here.
You can configure the specific vendor and product for this instance.
Tanium Integrity Monitor logs
- Navigate to Settings > Configuration > Data Broker > Broker VMs.
- Go to the Apps tab and add the Syslog app. If it already exists, click the Syslog app and then click Configure.
- Click Add New.
- When configuring the Syslog Collector, set the following values:
- vendor as vendor - tanium
- product as product - integrity_monitor