
Integrating Splunk with Tanium

January 18, 2022

The information in this document is subject to change without notice. Further, the information provided in this document is provided “as is” and is believed to be accurate, but is presented without any warranty of any kind, express or implied, except as provided in Tanium’s customer sales terms and conditions. Unless so otherwise provided, Tanium assumes no liability whatsoever, and in no event shall Tanium or its suppliers be liable for any indirect, special, consequential, or incidental damages, including without limitation, lost profits or loss or damage to data arising out of the use or inability to use this document, even if Tanium Inc. has been advised of the possibility of such damages.

Any IP addresses used in this document are not intended to be actual addresses. Any examples, command display output, network topology diagrams, and other figures included in this document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Please visit https://docs.tanium.com for the most current Tanium product documentation.

This documentation may provide access to or information about content, products (including hardware and software), and services provided by third parties (“Third Party Items”). With respect to such Third Party Items, Tanium Inc. and its affiliates (i) are not responsible for such items, and expressly disclaim all warranties and liability of any kind related to such Third Party Items and (ii) will not be responsible for any loss, costs, or damages incurred due to your access to or use of such Third Party Items unless expressly set forth otherwise in an applicable agreement between you and Tanium. Further, this documentation does not require or contemplate the use of or combination with Tanium products with any particular Third Party Items and neither Tanium nor its affiliates shall have any responsibility for any infringement of intellectual property rights caused by any such combination. You, and not Tanium, are responsible for determining that any combination of Third Party Items with Tanium products is appropriate and will not cause infringement of any third party intellectual property rights.

Tanium is committed to the highest accessibility standards to make interaction with Tanium software more intuitive and to accelerate the time to success. To ensure high accessibility standards, Tanium complies with the U.S. Federal regulations, specifically Section 508 of the Rehabilitation Act of 1998. We have conducted third-party accessibility assessments over the course of product development for many years, and most recently a comprehensive audit against the WCAG 2.1 / VPAT 2.3 standards for all major product modules was completed in September 2019. Tanium can make available any VPAT reports on a module-by-module basis as part of a larger solution planning process for any customer or prospect.

As new products and features are continuously delivered, Tanium will conduct testing to identify potential gaps in compliance with accessibility guidelines. Tanium is committed to making best efforts to address any gaps quickly, as is feasible, given the severity of the issue and scope of the changes. These objectives are factored into the ongoing delivery schedule of features and releases with our existing resources.

Tanium welcomes customer input on making solutions accessible based on your Tanium modules and assistive technology requirements. Accessibility requirements are important to the Tanium customer community and we are committed to prioritizing these compliance efforts as part of our overall product roadmap. Tanium maintains transparency on our progress and milestones and welcomes any further questions or discussion around this work. Contact your TAM, sales representative, or email [email protected] to make further inquiries.

No part of the contents of this document or presentation may be reproduced or transmitted in any form or by any means without the written permission of Tanium Inc.

Tanium is a trademark of Tanium, Inc. in the U.S. and other countries. Third-party trademarks mentioned are the property of their respective owners. 2021 Tanium Inc. All rights reserved.

2021 Tanium Inc. All Rights Reserved

Table of Contents

Introduction ..... 5
Requirements for integration ..... 5
Installing ..... 5
    Install in Splunk Enterprise deployments ..... 5
    Install in a Splunk Cloud deployment ..... 6
Configuring Splunk ..... 6
    Create an index ..... 6
    Edit the search macro for TA-Tanium ..... 7
    Configure a network input ..... 8
Configuring Tanium ..... 10
    Configure connections using saved questions ..... 10
    Configure a connection for Threat Response alerts ..... 13
        Disable Base64 encoding of events from Threat Response ..... 13
        Create a Threat Response connection ..... 14
    Configure connections for native sources from other modules ..... 15
Verify Data in Splunk ..... 15
Reference: Connection sources ..... 16
    Configuring connections ..... 17
    Tanium Operations dashboard ..... 17
    Tanium Application Visibility dashboard ..... 18
    Tanium Asset dashboard ..... 18
    Tanium Discover dashboard ..... 19
    Tanium Data Leakage dashboard ..... 20
    Tanium User Endpoint Management dashboard ..... 21
    Security Operations dashboard ..... 23
    Tanium Patch dashboard ..... 24
    Tanium Integrity Monitor dashboard ..... 25

    Tanium Comply dashboard ..... 25
    Tanium Connection Details dashboard ..... 26
    Tanium Threat Response dashboard ..... 27
    Tanium Health dashboard ..... 27
Appendix A: Tanium coverage of Splunk Common Information Model (CIM) ..... 28

Introduction

Tanium provides a unified endpoint management and security platform that offers customers transformational scale, speed and reliability. From more efficient workflows between teams to eliminating gaps created by standalone solutions, Tanium helps simplify infrastructure in the most demanding IT environments.

Integrate Tanium with the Splunk analytics platform to include critical data such as application and process information, suspicious open ports, external connections, network information, and detailed asset management data in enterprise analytics. Combining this data with network-level data, external threat intelligence feeds, and any other relevant application data available from Splunk can enhance your organization’s ability to identify and prevent attacks, as well as reduce the time to respond to and remediate issues.

Tanium provides out-of-the-box integration with Splunk using the Tanium Splunk Application and TA-Tanium add-on for Splunk. Saved questions and events in Tanium provide the data for the associated Splunk dashboards.

Note: Collecting data in Splunk could increase resource usage by Tanium Core Platform and contribute to usage of your Splunk license capacity. Work with your Tanium TAM and Splunk support to review and implement this integration.

Requirements for integration

- Tanium Core Platform 7.3 or later
- Tanium Connect 4.10 or later (For more information, see Tanium Connect User Guide.)
- (Optional) Other Tanium modules necessary for specific data that you want to send to Splunk (latest available version; additional modules may require new licensing)
- A supported version of Splunk Enterprise or Splunk Cloud (see the Compatibility section)

Installing

Install in Splunk Enterprise deployments

Download Tanium components for Splunk

Download the application and add-on from Splunkbase.

1. Tanium Splunk Application: https://splunkbase.splunk.com/app/1862/
2. TA-Tanium add-on: https://splunkbase.splunk.com/app/4439

Install in a single-instance Splunk Enterprise deployment

In a single-instance Splunk Enterprise deployment (with a single server), install both the Tanium Splunk Application and the TA-Tanium add-on on the Splunk Enterprise server.

For specific instructions to install apps and add-ons in a single-instance Splunk Enterprise deployment, see Splunk Enterprise Documentation: Install an add-on in a single-instance Splunk Enterprise deployment.

Install in a distributed Splunk Enterprise deployment

In a distributed Splunk Enterprise deployment, install the Tanium Splunk Application and TA-Tanium add-on as follows:

1. Install the Tanium Splunk Application and the TA-Tanium add-on on any search head or search head cluster where users will access Tanium dashboards.
2. Install the TA-Tanium add-on on search heads used for Splunk Enterprise Security or Splunk IT Service Intelligence.
3. Install the TA-Tanium add-on on indexers used to index data from Tanium.
4. Install the TA-Tanium add-on on heavy forwarders used to route data from Tanium.

The Tanium App and TA-Tanium are not currently available for self-service install on Splunk Cloud. See Self Service App Install for more information.

Install in a Splunk Cloud deployment

The Tanium App and TA-Tanium are not currently available for self-service installation. For more information, see Self Service App Install, and contact Splunk Support for assistance with installation.

Configuring Splunk

As a Splunk administrator, create an index to store Tanium data, edit the search macro for the TA-Tanium add-on, and configure a network input to receive Tanium data.

Create an index

Splunk stores data in indexes. Tanium data sent to Splunk is stored in an events index. For more information about how Splunk indexes work with add-ons, see Add-ons and indexes in the Splunk Add-ons documentation.

IMPORTANT: Before modifying indexing in a production environment, consult Splunk support.

For more information about creating Splunk Indexes, see Splunk Enterprise Documentation: Create events indexes.

For a standalone testing environment, configure a new events index named tanium.

1. In Splunk Web, go to Settings > Indexes and click New.
2. Name the index tanium and set the appropriate maximum storage size for the test environment.

Edit the search macro for TA-Tanium

Because the index you use for Tanium data can depend on your Splunk environment, the TA-Tanium add-on uses a search macro to define the index location. Edit the search macro to define the index you are using for Tanium data.

1. In Splunk Web, go to Settings > Advanced Search > Search Macros.

2. Click tanium_index.
3. In the Definition field, edit the macro definition so that it specifies the appropriate index: index=<your index> (For the standalone testing environment, enter index=tanium.)

Configure a network input

Splunk can accept syslog data directly from Tanium using a network input on an indexer.

Note: In enterprise environments, Splunk might recommend using another syslog daemon. Please consult Splunk support before implementing a network input or a specific syslog daemon in production. For background on using alternative syslog daemons, see Splunk Blog: High Performance syslogging for Splunk using syslog-ng.

For more information about using a network listener in Splunk, see Splunk Enterprise Documentation: Get data from TCP and UDP ports.

To configure a network input on an indexer

1. In Splunk Web, go to Add Data > Monitor > TCP / UDP.
2. Select TCP and enter the Port you will use for communication between Tanium and Splunk.
3. Click Next.

4. For Source Type, enter tanium.
5. For Index, select the index that will store data from Tanium. (In the standalone test environment, select tanium.)
6. Click Review and review the settings. If all settings are correct, click Submit.
7. Test that the network port is now open by running the following command on a computer that can connect to the Splunk instance: nc -v <IP ADDRESS> <PORT>

To review or edit existing inputs, in Splunk Web go to Settings > Data Inputs.

Configuring Tanium

Export Tanium data to Splunk using Connect. The connection sources used in Connect include saved questions, events, and native sources from other modules. For the specific connection sources, see Reference: Connection sources.

Configure connections using saved questions

For saved question connection sources, prepare saved questions with the specific names used in the Splunk configuration, and then configure the connection in Connect.

Prepare saved questions

Each dashboard in the Tanium Splunk Application is based on data collected from saved questions listed in Reference: Connection sources.

Best practice: Enable only one dashboard at a time, so that you can more easily identify issues and mitigate any impact on the Tanium or Splunk infrastructure.

Create saved questions for each dashboard you want to use in Splunk.

1. From the Main menu, go to Modules > Interact.
2. Ask a question (or copy a saved question) that matches a listing in Reference: Connection sources. For more information about asking questions and managing saved questions, see Tanium Interact User Guide.

   Note: Make sure to remove extra characters or smart quotes that might be copied from another location.

3. Click Save.

4. Name the saved question to match the listing in Reference: Connection sources. If you use a different name, you must also edit the Splunk configuration to retrieve the data from this question.
5. Make sure that Reissue this question every is not selected (unless you are otherwise directed in Reference: Connection sources). Tanium Connect manages the scheduling and execution of the question.
6. Click Create Saved Question.

Configure Connect to export data from saved questions

Configure Connect to execute saved questions and export the resulting data to Splunk.

1. From the Main menu, go to Modules > Connect.
2. Click Create Connection.
3. For Name, enter the name of the saved question you created.
4. In the Source section, click Saved Question and select the saved question you created.
5. (Optional) Select a Computer Group for the question.
6. For Destination, select Splunk (via a socket).
7. Select the Destination Name for your Splunk destination, or create one if you have not yet done so.
8. (For a new destination) Enter the Host and Port for your Splunk instance, and select TCP for Network Protocol.

9. Expand the Configure Output section. For Format, select Syslog RFC 5424. Expand the Advanced subsection, and make sure that Send Question Source is selected.
10. Expand the Schedule section, and configure the times when Connect should send this saved question to the endpoints and return collected data to Splunk. For example, security questions might be asked every 1 to 4 hours, and operational questions might be asked every 4 to 24 hours. Work with your Splunk administrator and TAM to configure and tune these values appropriately for your environment.

11. Click Save. To test the data connection, click Run Now.

Configure a connection for Threat Response alerts

Configure Connect to send events from Threat Response to Splunk. This section assumes you have completed configuration of a Saved Question export to Splunk.

Disable Base64 encoding of events from Threat Response

1. From the Main Menu, go to Modules > Threat Response.
2. Click Settings, and click the Misc tab.
3. Clear the selection for Base64 encode events sent to Connect.

Create a Threat Response connection

1. From the Main menu, go to Modules > Connect.
2. Click Create Connection.
3. For Name, enter Tanium Threat Response Alerts.
4. For Source, select Event, and for Event Group, select Tanium Detect. Select Match Alerts Raw.

   Important: Select only Match Alerts Raw. Make sure the other check boxes are not selected.

5. For Destination, select Splunk (via a socket).
6. Select the Destination Name for your Splunk destination, or create one if you have not yet done so.
7. (For a new destination) Enter the Host and Port for your Splunk instance, and select TCP for Network Protocol.

8. For Format, select JSON.
9. Expand the Columns section and click Add Column. For Source Column Name, enter Question. Select User Specified Value and String for Custom Column Type, and enter Tanium Threat Response Alerts for Destination Value.
10. Click Save.

Note: Event connections cannot be scheduled, and the Run Now button is disabled. Alert events must be generated by Threat Response to pass through the Connection.

IMPORTANT: Do not use filters with this connection. Filters can interfere with the Match Details field in the results.

Configure connections for native sources from other modules

To configure connections using other modules as sources, see the connection settings and any additional instructions for the specific source in Reference: Connection sources. For general information about configuring connections, including using the listed settings for native sources from other modules, see Tanium Connect User Guide: Configuring SIEM destinations.

Verify Data in Splunk

Once Tanium Connect configuration is complete, verify that logs are sent by Tanium and processed by Splunk.

1. In Splunk Web, go to Apps > Tanium.
2. Click Search.
3. In the New Search field enter index="tanium" and select a time range when data arrival is expected.

   Note: Time zone differences may cause an offset. If data does not appear, select All Time.

4. Make sure that the returned data is complete. Verify that Splunk is identifying key-value pairs properly by selecting Smart Mode or Verbose Mode for the search mode.

Reference: Connection sources

When you export data to Splunk using Connect, you can use saved questions, events, and native sources from other modules as connection sources.

The connection sources in this section are grouped into the dashboards available in the Tanium Splunk Application, organized according to functionality and relevant modules. Before activating the Splunk dashboard, configure the associated connection sources in Tanium. Some dashboards contain the same data sources; customize your Splunk environment according to your needs.
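As an added example (not Tanium's or Splunk's own code), the following Python script parses an RFC 5424 syslog event of the shape the Connect "Syslog RFC 5424" format sends for a saved question, and reports which columns of the "Splunk High CPU Utilization" saved question did not arrive as key-value pairs, which is the completeness check that step 4 above asks you to make by eye. The sample event is constructed, and its structured-data element ([Question name="..."]) and key="value" message body are assumptions about Connect's output rather than a documented layout.

```python
"""Parse an RFC 5424 event from Connect and check that every column of the
saved question arrived as a key="value" pair.  Added example; the event
layout below is an assumption, not Tanium's documented format."""
import re

# Columns of the "Splunk High CPU Utilization" saved question on this page.
EXPECTED_COLUMNS = ("Computer Name", "Last Logged In User", "CPU Consumption")

# Constructed sample event: hostname, timestamp and values are made up.
SAMPLE_EVENT = (
    '<14>1 2022-01-18T10:15:30.000Z tanium-server TaniumConnect - - '
    '[Question name="Splunk High CPU Utilization"] '
    'Computer Name="WS-0042" Last Logged In User="CORP\\alice" '
    'CPU Consumption="91"'
)

# RFC 5424 HEADER: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) '
    r'(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$',
    re.DOTALL,
)
# key="value" pairs in the MSG part; keys may contain spaces (sensor names).
KV_RE = re.compile(r'(?P<key>[^="]+?)="(?P<value>[^"]*)"')


def parse_structured_data(text):
    """Split STRUCTURED-DATA from MSG.

    Returns ({sd_id: {param: value}}, msg) and unescapes the three
    RFC 5424 PARAM-VALUE escapes: \\", \\] and \\\\.
    """
    if text.startswith('-'):          # NILVALUE: no structured data
        return {}, text[1:].lstrip(' ')
    elements, i = {}, 0
    while i < len(text) and text[i] == '[':
        i += 1
        j = i
        while text[j] not in ' ]':    # SD-ID runs to a space or ']'
            j += 1
        sd_id, params, i = text[i:j], {}, j
        while text[i] == ' ':         # one SD-PARAM per leading space
            eq = text.index('="', i + 1)
            name, i, value = text[i + 1:eq], eq + 2, []
            while text[i] != '"':
                if text[i] == '\\' and text[i + 1] in '"]\\':
                    i += 1            # drop the backslash, keep the char
                value.append(text[i])
                i += 1
            params[name] = ''.join(value)
            i += 1                    # closing quote
        if text[i] != ']':
            raise ValueError('malformed SD-ELEMENT at offset %d' % i)
        i += 1
        elements[sd_id] = params
    return elements, text[i:].lstrip(' ')


def parse_event(raw):
    """Return header fields, structured data and extracted key-value pairs."""
    m = HEADER_RE.match(raw)
    if not m:
        raise ValueError('not an RFC 5424 header')
    event = {k: m.group(k) for k in
             ('timestamp', 'hostname', 'appname', 'procid', 'msgid')}
    pri = int(m.group('pri'))
    event['facility'], event['severity'] = pri // 8, pri % 8
    event['sd'], msg = parse_structured_data(m.group('rest'))
    event['fields'] = {k.strip(): v for k, v in KV_RE.findall(msg)}
    return event


def missing_columns(event, expected=EXPECTED_COLUMNS):
    """Saved-question columns that did not arrive as key="value" pairs."""
    return [c for c in expected if c not in event['fields']]


if __name__ == '__main__':
    ev = parse_event(SAMPLE_EVENT)
    print('question source:', ev['sd'].get('Question', {}).get('name'))
    print('fields:', ev['fields'])
    print('missing columns:', missing_columns(ev) or 'none')
```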

Configuring connections

For general information about configuring connections, including using the listed settings for native sources from other modules, see Tanium Connect User Guide: Configuring SIEM destinations. Some native sources list additional specific instructions.

For more information about creating connections using the listed saved questions, see Configure connections using saved questions.

For information about creating connections for events from Threat Response, see Configure a connection for Threat Response alerts.

Name each saved question and corresponding connection to match the listing in this guide. If you use a different name for a saved question, you must also edit the Splunk configuration to retrieve the data from this question.

Tanium Operations dashboard

The Tanium Operations dashboard helps track the health and resource availability of systems that are managed by Tanium. The saved questions used in the dashboard provide information on CPU, memory, and disk usage, as well as system uptime.

Tanium Operations saved question connection sources

Question name: Splunk Highest CPU Usage by Process
Saved question: Get Computer Name and Last Logged In User and High CPU Processes[5] from all machines

Question name: Splunk Highest Memory Usage by Process
Saved question: Get Computer Name and Last Logged In User and High Memory Processes[5] from all machines

Question name: Splunk High CPU Utilization
Saved question: Get Computer Name and Last Logged In User and CPU Consumption from all machines with CPU Consumption > 75

Question name: Splunk High Memory Utilization
Saved question: Get Computer Name and Last Logged In User and RAM and Memory Consumption from all machines with Memory Consumption > 75

Question name: Splunk Low Disk Space
Saved question: Get Computer Name and Logged In Users and Disk Used Percentage and Disk Free Space Below Threshold from all machines with Disk Free Space Below Threshold contains GB

Question name: Splunk Packet Loss
Saved question: Get Computer Name and Last Logged In User and Network Adapters and Packet Loss from all machines with Is Windows equals "true"

Question name: Splunk High Uptime Over 30 Days
Saved question: Get Computer Name and Last Logged In User and Operating System and High Uptime from all machines with all High Uptime contains days

Question name: Splunk Machine User
Saved question: Get Computer Name and IP Address and Last Logged In Users from all machines

Tanium Application Visibility dashboard

The saved questions and connection sources in the Tanium Application Visibility dashboard provide information about all running applications, services, and processes with MD5 hashes across all endpoints, as well as stopped services, installed applications, and uninstallable applications, which can help identify potential operational or security issues. This dashboard uses only information from Tanium Core Platform.

Tanium Application Visibility saved question connection sources

Question name: Splunk Running Processes with MD5 Hash
Saved question: Get Computer Name and Last Logged In User and Running Processes with Hash[MD5] from all machines
Note: Needs IR Tools deployment

Question name: Splunk Running Applications
Saved question: Get Computer Name and Last Logged In User and Running Applications from all machines with Is Windows equals "true"

Question name: Splunk Running Services
Saved question: Get Computer Name and Last Logged In User and Running Service from all machines

Question name: Splunk Stopped Services
Saved question: Get Computer Name and Last Logged In User and Stopped Service from all machines with ( Is Windows equals true or Is Mac equals true )

Question name: Splunk Installed Applications
Saved question: Get Computer Name and Last Logged In User and Installed Applications from all machines

Question name: Splunk Uninstallable Applications
Saved question: Get Computer Name and Last Logged In User and Installed Applications contains "Is Uninstallable" from all machines with Is Windows equals "true"

Tanium Asset dashboard

The saved questions and connection sources in the Tanium Asset dashboard use default functionality within Tanium Core Platform to send asset related information from the endpoint, including manufacturer, CPU, free disk space, memory and last logged-in user to track an asset within an environment. The Tanium Asset module expands this functionality to include user- and system-installed software, as well as extended department, tracking, and management information.

Tanium Asset saved question connection sources

Question name: Splunk Basic Asset
Saved question: Get Computer Name and Last Logged In User and Domain Name and Operating System and IP Address and MAC Address and "DHCP Enabled?" and Chassis Type and Manufacturer and Computer Serial Number from all machines

Question name: Splunk Hardware CPU
Saved question: Get Computer Name and Last Logged In User and CPU Details and RAM from all machines

Tanium Asset native connection sources

Source: Tanium Discover
Connection details:
    Name: Splunk Discover Reports
    Source: Tanium Discover
    Report: All
    Format Advanced SD-ID: Question {Source}

Source: Event
Connection details:
    Name: Discover Notification
    Source: Event
    Event Group: Discover Notifications
    Lost Interface: selected
    Add a column: Expand the Columns section and click Add Column. For Source Column Name, enter Question, select User Specified Value and String for Custom Column Type, and enter Discover Event for Destination Value.

Source: Client Status
Connection details:
    Name: Splunk Client Status
    Source: Client Status
    Format Advanced SD-ID: Question {Source}

Tanium Discover dashboard

The saved question and connection sources in the Tanium Discover dashboard use functionality from Tanium Core Platform and the Tanium Discover module to send asset and interface related information. Events include Lost, New Unmanaged, and New Managed Interfaces, as well as system data such as device type, open ports, and operating system. This dashboard, together with Tanium Asset and Tanium Operations dashboards, provides details on managed and unmanaged endpoints, system details, and operations.

Tanium Discover native connection sources

Source: Tanium Discover
Connection details:
    Name: Splunk Discover Reports
    Source: Tanium Discover
    Report: All
    Format Advanced SD-ID: Question {Source}

Source: Event
Connection details:
    Name: Splunk Discover Lost Interface
    Source: Event
    Event Group: Discover Notifications
    Lost Interface: selected
    Add a column: Expand the Columns section and click Add Column. For Source Column Name, enter Question, select User Specified Value and String for Custom Column Type, and enter Discover Event for Destination Value.

Source: Event
Connection details:
    Name: Splunk Discover New Managed Interface
    Source: Event
    Event Group: Discover Notifications
    New Managed Interface: selected
    Add a column: Expand the Columns section and click Add Column. For Source Column Name, enter Question, select User Specified Value and String for Custom Column Type, and enter Discover Event for Destination Value.

Source: Event
Connection details:
    Name: Splunk Discover New Unmanaged Interface
    Source: Event
    Event Group: Discover Notifications
    New Unmanaged Interface: selected
    Add a column: Expand the Columns section and click Add Column. For Source Column Name, enter Question, select User Specified Value and String for Custom Column Type, and enter Discover Event for Destination Value.

Source: Client Status
Connection details:
    Name: Splunk Client Status
    Source: Client Status
    Format Advanced SD-ID: Question {Source}

Tanium Data Leakage dashboard

The saved questions in the Tanium Data Leakage dashboard use functionality from Tanium Threat Response to monitor all connections made by an endpoint and the processes that initiated the connections. Use this data to identify and report connections to lists of unapproved applications such as Dropbox or Google Docs, and report the systems making those connections. Work with your TAM to configure and deploy the Non-Approved Established Connection sensor.

Tanium Data Leakage saved question connection sources

Question name: Splunk Non-Approved Established Connections
Saved question: Get Computer Name and Tanium Client IP Address and Last Logged In User and Non-Approved Established Connections from all machines with Non-Approved Established Connections contains ":"
Note: Threat Response Tools must be deployed to endpoints to use this question.

Question name: Splunk Open Ports
Saved question: Get Computer Name and Last Logged In User and Open Ports from all machines
Note: Threat Response Tools must be deployed to endpoints to use this question.

Question name: Splunk Listening Ports with MD5 Hash
Saved question: Get Computer Name and Last Logged In User and Listen Ports with MD5 Hash from all machines
Note: Threat Response Tools must be deployed to endpoints to use this question.

Question name: Splunk Open Shares
Saved question: Get Computer Name and Open Share Details and Last Logged In User from all machines

Tanium User Endpoint Management dashboard

The saved questions and connection source in the Tanium User Endpoint Management dashboard use functionality from Threat Response and Tanium Core Platform to monitor all connections made by an endpoint and the processes that initiated the connections. Additionally, this dashboard provides a dedicated panel for Threat Response alerts, grouped by user. Use this data to identify and report connections to lists of unapproved applications such as Dropbox or Google Docs, and report the systems making those connections. Work with your TAM to configure and deploy the Non-Approved Established Connection sensor.

To configure Threat Response Alerts, see Configure a connection for Threat Response alerts.

Tanium User Endpoint Management alerts connection sources

Question name: Splunk Threat Response Alerts
Saved question: See Configure a connection for Threat Response alerts.

Tanium User Endpoint Management saved question connection sources

Source: Splunk Non
Connection details:
