Collect Tanium audit logs

This document explains how to ingest Tanium audit logs to Google Security Operations using Amazon S3 using Tanium Connect's native S3 export capability. The parser extracts the logs, initially clearing numerous default fields. It then parses the log message using grok and the json filter, extracting fields like timestamp, device IP, and audit details. The parser maps these extracted fields to the UDM, handling various data types and conditional logic to populate appropriate UDM fields based on the presence and values of specific Tanium audit log attributes.

Before you begin

Make sure you have the following prerequisites:

• A Google SecOps instance
• Privileged access to Tanium Connect and Tanium Console
• Privileged access to AWS (S3, IAM)

Create an Amazon S3 bucket

1. Open the Amazon S3 console.
2. If required, you can change the Region.
   • From the navigation bar, select the Region where you want your Tanium Audit logs to reside.
3. Click Create Bucket.
   • Bucket Name: Enter a meaningful name for the bucket (for example, tanium-audit-logs).
   • Region: Select your preferred Region (for example, us-east-1).
   • Click Create.

Create an IAM user with full access to Amazon S3

1. Open the IAM console.
2. Click Users > Add user.
3. Enter a user name (for example, tanium-connect-s3-user).
4. Select both Programmatic access and/or AWS Management Console access as needed.
5. Select either Autogenerated password or Custom password.
6. Click Next: Permissions.
7. Choose Attach existing policies directly.
8. Search for and select the AmazonS3FullAccess policy to the user.
9. Click Next: Tags.
10. Click Next: Review.
11. Click Create user.
12. Copy and save the Access Key ID and Secret Access Key for future reference.

Configure permissions on Amazon S3 bucket

1. In the Amazon S3 console, choose the bucket that you previously created.
2. Click Permissions > Bucket policy.

3. In the Bucket Policy Editor, add the following policy:

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:user/tanium-connect-s3-user"
         },
         "Action": [
           "s3:PutObject",
           "s3:PutObjectAcl",
           "s3:GetObject",
           "s3:ListBucket"
         ],
         "Resource": [
           "arn:aws:s3:::tanium-audit-logs",
           "arn:aws:s3:::tanium-audit-logs/*"
         ]
       }
     ]
   }
   

4. Replace the following variables:

   • Change YOUR_ACCOUNT_ID to your AWS account ID.
   • Change tanium-audit-logs to your actual bucket name if different.
   • Change tanium-connect-s3-user to your actual IAM username if different.

5. Click Save.

Configure Tanium Connect for S3 export

Create an AWS S3 connection in Tanium Connect

1. Sign in to the Tanium Console as an administrator.
2. Go to Tanium Connect > Connections.
3. Click Create Connection.
4. In the General Information section, provide the following configuration details:
   • Name: Enter a descriptive name (for example, Tanium Audit to S3).
   • Description: Enter a meaningful description (for example, Export Tanium audit logs to S3 for Google SecOps ingestion).
   • Enable: Select to enable the connection.
   • Log Level: Select Information (default) or adjust as needed.

Configure the connection source

1. In the Configuration section, for Source, select Tanium Audit.
2. Configure the audit source settings:
   • Days of History Retrieved: Enter the number of days of historical audit data to retrieve (for example, 7 for one week).
   • Audit Types: Select the audit types you want to export. Choose from:
     • Action History: Actions issued by console operators.
     • Authentication: User authentication events.
     • Content: Content changes and modifications.
     • Groups: Computer group changes.
     • Packages: Package-related activities.
     • Sensors: Sensor modifications.
     • System Settings: System configuration changes.
     • Users: User management activities.

Configure the AWS S3 destination

1. For Destination, select AWS S3.
2. Provide the following configuration details:
   • Destination Name: Enter a name (for example, Google SecOps S3 Bucket).
   • AWS Access Key: Enter the Access Key ID from the IAM user created earlier.
   • AWS Secret Key: Enter the Secret Access Key from the IAM user created earlier.
   • Bucket Name: Enter your S3 bucket name (for example, tanium-audit-logs).
   • Bucket Path: Optional. Enter a path prefix (for example, tanium/audit/).
   • Region: Select the AWS region where your bucket resides (for example, us-east-1).

Configure the format and schedule

1. In the Format section, configure the output format:
   • Format Type: Select JSON.
   • Include Column Headers: Select if you want column headers included.
   • Generate Document: Deselect this option to send raw JSON data.
2. In the Schedule section, configure when the connection runs:
   • Schedule Type: Select Cron.
   • Cron Expression: Enter a cron expression for regular exports (for example, 0 */1 * * * for hourly exports).
   • Start Date: Set the start date for the schedule.
3. Click Save Changes.

Test and run the connection

1. From the Connect Overview page, go to Connections.
2. Click the connection you created (Tanium Audit to S3).
3. Click Run Now to test the connection.
4. Confirm that you want to run the connection.
5. Monitor the connection status and verify that audit logs are being exported to your S3 bucket.

Optional: Create read-only IAM user & keys for Google SecOps

1. Go to AWS Console > IAM > Users > Add users.
2. Click Add users.
3. Provide the following configuration details:
   • User: Enter secops-reader.
   • Access type: Select Access key – Programmatic access.
4. Click Create user.
5. Attach minimal read policy (custom): Users > secops-reader > Permissions > Add permissions > Attach policies directly > Create policy.

6. In the JSON editor, enter the following policy:

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::tanium-audit-logs/*"
       },
       {
         "Effect": "Allow",
         "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::tanium-audit-logs"
       }
     ]
   }
   

7. Set the name to secops-reader-policy.

8. Go to Create policy > search/select > Next > Add permissions.

9. Go to Security credentials > Access keys > Create access key.

10. Download the CSV (these values are entered into the feed).

Configure a feed in Google SecOps to ingest Tanium Audit logs

1. Go to SIEM Settings > Feeds.
2. Click + Add New Feed.
3. In the Feed name field, enter a name for the feed (for example, Tanium Audit logs).
4. Select Amazon S3 V2 as the Source type.
5. Select Tanium Audit as the Log type.
6. Click Next.
7. Specify values for the following input parameters:
   • S3 URI: s3://tanium-audit-logs/tanium/audit/ (adjust path if you used a different bucket name or path).
   • Source deletion options: Select deletion option according to your preference.
   • Maximum File Age: Include files modified in the last number of days. Default is 180 days.
   • Access Key ID: User access key with access to the S3 bucket (from the read-only user created above).
   • Secret Access Key: User secret key with access to the S3 bucket (from the read-only user created above).
   • Asset namespace: The asset namespace.
   • Ingestion labels: The label to be applied to the events from this feed.
8. Click Next.
9. Review your new feed configuration in the Finalize screen, and then click Submit.

UDM Mapping Table

Need more help? Get answers from Community members and Google SecOps professionals.