Collect Tanium Stream logs

This document explains how to ingest Tanium Stream logs to Google Security Operations using Tanium Connect's native AWS S3 export functionality. Tanium Stream provides real-time endpoint telemetry, threat hunting data, and behavioral analytics in JSON format, which can be directly exported to S3 using Tanium Connect without requiring custom Lambda functions. The parser transforms raw JSON logs from Tanium Stream into a unified data model (UDM). It first normalizes common fields and then applies specific logic based on the "logType" or "eventType" to map relevant information into the appropriate UDM fields, handling various event types like network connections, user logins, process launches, and file modifications.

Before you begin

Make sure you have the following prerequisites:

• A Google SecOps instance
• Tanium Core Platform 7.0 or later
• Tanium Stream module installed and configured
• Tanium Connect module installed with valid license
• Tanium Threat Response 3.4.346 or later (if using TR integration)
• Privileged access to Tanium Console with administrative rights
• Privileged access to AWS (S3, IAM)

Configure Tanium Stream service account

1. Sign in to the Tanium Console.
2. Go to Modules > Stream.
3. Click Settings at the top right.
4. In the Service Account section, configure the following:
   • Service Account User: Select a user with appropriate Stream permissions.
   • Verify the account has Connect User role privilege.
   • Confirm access to Stream data sources and endpoints.
5. Click Save to apply the service account configuration.

Collect Tanium Stream prerequisites

1. Sign in to the Tanium Console as an administrator.
2. Go to Administration > Permissions > Users.
3. Create or identify a service account user with the following roles:
   • Stream Administrator or Stream Read Only User role.
   • Connect User role privilege.
   • Access to monitored computer groups (recommended: All Computers group).
   • Read Saved Question permission for Stream content sets.

Configure AWS S3 bucket and IAM for Google SecOps

1. Create Amazon S3 bucket following this user guide: Creating a bucket
2. Save bucket Name and Region for future reference (for example, tanium-stream-logs).
3. Create a user following this user guide: Creating an IAM user.
4. Select the created User.
5. Select the Security credentials tab.
6. Click Create Access Key in the Access Keys section.
7. Select Third-party service as the Use case.
8. Click Next.
9. Optional: add a description tag.
10. Click Create access key.
11. Click Download CSV file to save the Access Key and Secret Access Key for later use.
12. Click Done.
13. Select the Permissions tab.
14. Click Add permissions in the Permissions policies section.
15. Select Add permissions.
16. Select Attach policies directly
17. Search for and select the AmazonS3FullAccess policy.
18. Click Next.
19. Click Add permissions.

Configure Tanium Connect AWS S3 destination

1. Sign in to the Tanium Console.
2. Go to Modules > Connect.
3. Click Create Connection.
4. Provide the following configuration details:
   • Name: Enter a descriptive name (for example, Stream Telemetry to S3 for SecOps).
   • Description: Optional description (for example, Export endpoint telemetry and threat hunting data to AWS S3 for Google SecOps ingestion).
   • Enable: Select to enable the connection to run on schedule.
5. Click Next.

Configure the connection source

1. In the Source section, provide the following configuration details:
   • Source Type: Select Saved Question.
   • Saved Question: Select one of the following Stream-related saved questions:
     • Stream - Endpoint Events for real-time endpoint telemetry.
     • Stream - Network Events for network activity monitoring.
     • Stream - Process Events for process execution tracking.
     • Stream - File Events for file system activity.
     • Stream - Threat Hunting Data for behavioral analytics.
   • Computer Group: Select All Computers or specific computer groups to monitor.
   • Refresh Interval: Set appropriate interval for data collection (for example, 5 minutes for real-time telemetry).
2. Click Next.

Configure AWS S3 destination

1. In the Destination section, provide the following configuration details:
   • Destination Type: Select AWS S3.
   • Destination Name: Enter a unique name (for example, Google SecOps Stream S3 Destination).
   • AWS Access Key: Enter the AWS access key from the CSV file downloaded in the AWS S3 configuration step.
   • AWS Secret Access Key: Enter the AWS secret access key from the CSV file downloaded in the AWS S3 configuration step.
   • Bucket Name: Enter your S3 bucket name (for example, tanium-stream-logs).
   • Region: Select the AWS region where your S3 bucket is located.
   • Key Prefix: Enter a prefix for the S3 objects (for example, tanium/stream/).
2. Click Next.

Configure filters

1. In the Filters section, configure data filtering options:
   • Send new items only: Select this option to send only new telemetry data since the last export.
   • Column filters: Add filters based on specific event attributes if needed (for example, filter by event type, process name, or threat indicators).
2. Click Next.

Format data for AWS S3

1. In the Format section, configure the data format:
   • Format: Select JSON.
   • Options:
     • Include headers: Deselect to avoid headers in JSON output.
     • Include empty cells: Select based on your preference.
   • Advanced Options:
     • File naming: Use default timestamp-based naming.
     • Compression: Select Gzip to reduce storage costs and transfer time.
2. Click Next.

Schedule the connection

1. In the Schedule section, configure the export schedule:
   • Enable schedule: Select to enable automatic scheduled exports.
   • Schedule type: Select Recurring.
   • Frequency: Select Every 5 minutes for near real-time telemetry data.
   • Start time: Set appropriate start time for the first export.
2. Click Next.

Save and verify connection

1. Review the connection configuration in the summary screen.
2. Click Save to create the connection.
3. Click Test Connection to verify the configuration.
4. If the test is successful, click Run Now to perform an initial export.
5. Monitor the connection status in the Connect Overview page.

Configure a feed in Google SecOps to ingest Tanium Stream logs

1. Go to SIEM Settings > Feeds.
2. Click + Add New Feed.
3. In the Feed name field, enter a name for the feed (for example, Tanium Stream logs).
4. Select Amazon S3 V2 as the Source type.
5. Select Tanium Stream as the Log type.
6. Click Next.
7. Specify values for the following input parameters:
   • S3 URI: s3://tanium-stream-logs/tanium/stream/
   • Source deletion options: Select deletion option according to your preference.
   • Maximum File Age: Include files modified in the last number of days. Default is 180 days.
   • Access Key ID: User access key with access to the S3 bucket.
   • Secret Access Key: User secret key with access to the S3 bucket.
   • Asset namespace: The asset namespace.
   • Ingestion labels: The label applied to the events from this feed.
8. Click Next.
9. Review your new feed configuration in the Finalize screen, and then click Submit.

UDM Mapping Table

Need more help? Get answers from Community members and Google SecOps professionals.