Tanium Data
Tanium data is collected using Tanium Connect reports exported directly to Splunk via TCP. No Splunk add-on is required.
Step 1: Configure Tanium Connect - Vulnerability Report
In Tanium Connect, create a new Report:
- Destination: Splunk TCP (point to your Splunk Heavy Forwarder host and port)
- Format: Select the syslog connection format matching your Splunk TCP input
Required columns for the vulnerability report (sourcetype: tanium:vuln):
| Column Name in Tanium | Field in Splunk | Description |
|---|---|---|
| Computer ID | computer_id | Unique Tanium device identifier |
| Computer Name | computer_name | Endpoint hostname |
| IPv4 Address | ip_address | Endpoint IP address |
| MAC Address | mac_address | Network MAC address |
| Operating System | operating_system | Full OS name |
| Check ID | check_id | CVE identifier (used as both the vulnerability ID and CVE value) |
| CISA Short Description | cisa_short_description | Vulnerability name / title |
| Severity | severity | Critical / High / Medium / Low |
| CVSS v4 Severity | cvss_v4_severity | CVSS v4 severity label |
| CVSS v4 Base Score | cvss_v4_base_score | CVSS v4 numeric score (primary) |
| CVSS v3 Base Score | cvss_v3_score | CVSS v3 numeric score (fallback) |
| CVSS v3 Severity | cvss_v3_severity | CVSS v3 severity label |
| Remediation | remediation | Remediation guidance text |
| Summary | summary | Full vulnerability description / summary |
| CPEs | cpes | Detected CPE strings |
| First Found Date | first_found_date | Date this vulnerability was first detected on the endpoint |
| Last Found Date | last_found_date | Date this vulnerability was most recently detected |
| Created Date | created_date | NVD CVE creation date |
Optional: You can apply a filter in the Tanium Connect report to control which vulnerabilities are included or excluded from the export.
Step 2: Configure Tanium Connect - Splunk Basic Asset Report
Create a second Report for asset inventory. Name this report Splunk Basic Asset in Tanium Connect:
- Destination: Same Splunk TCP endpoint
- Format: Same syslog format
Required columns for the asset report (sourcetype: tanium:inventory):
| Column Name in Tanium | Field in Splunk | Description |
|---|---|---|
| Computer ID | computer_id | Unique Tanium device identifier |
| Computer Name | computer_name | Endpoint hostname |
| Last Logged in User | last_logged_in_user | Most recently logged in user |
| Domain Name | domain_name | Domain the endpoint belongs to |
| Operating System | operating_system | Full OS name |
| IP Address | ip_address | Endpoint IP address |
| MAC Address | mac_address | Network MAC address |
| Chassis Type | chassis_type | Hardware chassis type (e.g. Virtual, Laptop) |
| Manufacturer | manufacturer | Hardware manufacturer |
| Computer Serial Number | computer_serial_number | Hardware serial number |
| Endpoint Fingerprint | endpoint_fingerprint | Unique endpoint fingerprint |
Step 3: Configure Splunk HF Inputs
On the Splunk Heavy Forwarder, configure inputs.conf to receive the TCP stream from Tanium Connect. Use a generic tanium sourcetype — the correct sourcetype is assigned dynamically based on the report name embedded in each event.
[tcp://:<port>]
sourcetype = tanium
index = tanium
Since Tanium Connect does not allow configuring the sourcetype in its Splunk destination settings, you must add the following props.conf and transforms.conf entries on the Heavy Forwarder to route events to the correct sourcetype based on the report name in the raw event.
props.conf (Heavy Forwarder / Indexers):
[tanium]
TRANSFORMS-set_sourcetype = tanium_set_sourcetype_vuln, tanium_set_sourcetype_inventory
transforms.conf (Heavy Forwarder / Indexers):
[tanium_set_sourcetype_vuln]
REGEX = \[Report-Splunk-Vulnerability-Report@
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::tanium:vuln
[tanium_set_sourcetype_inventory]
REGEX = \[Report-Splunk-Basic-Asset@
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::tanium:inventory
Step 4: Configure the Cyences Macro
Create an index named tanium, or update the cs_tanium macro from the Cyences app configuration page:
Cyences Settings > Cyences App Configuration > Products Setup > Tanium
Estimated Data Size
Data volume depends on the number of endpoints and vulnerabilities in your environment. Tanium Connect exports only scan result snapshots, so volume scales with findings count times scan frequency.