Tanium Data

Tanium data is collected using Tanium Connect reports exported directly to Splunk via TCP. No Splunk add-on is required.


Step 1: Configure Tanium Connect - Vulnerability Report

In Tanium Connect, create a new Report:

  • Destination: Splunk TCP (point to your Splunk Heavy Forwarder host and port)
  • Format: Select the syslog connection format matching your Splunk TCP input

Required columns for the vulnerability report (sourcetype: tanium:vuln):

Column Name in Tanium Field in Splunk Description
Computer ID computer_id Unique Tanium device identifier
Computer Name computer_name Endpoint hostname
IPv4 Address ip_address Endpoint IP address
MAC Address mac_address Network MAC address
Operating System operating_system Full OS name
Check ID check_id CVE identifier (used as both the vulnerability ID and CVE value)
CISA Short Description cisa_short_description Vulnerability name / title
Severity severity Critical / High / Medium / Low
CVSS v4 Severity cvss_v4_severity CVSS v4 severity label
CVSS v4 Base Score cvss_v4_base_score CVSS v4 numeric score (primary)
CVSS v3 Base Score cvss_v3_score CVSS v3 numeric score (fallback)
CVSS v3 Severity cvss_v3_severity CVSS v3 severity label
Remediation remediation Remediation guidance text
Summary summary Full vulnerability description / summary
CPEs cpes Detected CPE strings
First Found Date first_found_date Date this vulnerability was first detected on the endpoint
Last Found Date last_found_date Date this vulnerability was most recently detected
Created Date created_date NVD CVE creation date

Optional: You can apply a filter in the Tanium Connect report to control which vulnerabilities are included or excluded from the export.


Step 2: Configure Tanium Connect - Splunk Basic Asset Report

Create a second Report for asset inventory. Name this report Splunk Basic Asset in Tanium Connect:

  • Destination: Same Splunk TCP endpoint
  • Format: Same syslog format

Required columns for the asset report (sourcetype: tanium:inventory):

Column Name in Tanium Field in Splunk Description
Computer ID computer_id Unique Tanium device identifier
Computer Name computer_name Endpoint hostname
Last Logged in User last_logged_in_user Most recently logged in user
Domain Name domain_name Domain the endpoint belongs to
Operating System operating_system Full OS name
IP Address ip_address Endpoint IP address
MAC Address mac_address Network MAC address
Chassis Type chassis_type Hardware chassis type (e.g. Virtual, Laptop)
Manufacturer manufacturer Hardware manufacturer
Computer Serial Number computer_serial_number Hardware serial number
Endpoint Fingerprint endpoint_fingerprint Unique endpoint fingerprint

Step 3: Configure Splunk HF Inputs

On the Splunk Heavy Forwarder, configure inputs.conf to receive the TCP stream from Tanium Connect. Use a generic tanium sourcetype — the correct sourcetype is assigned dynamically based on the report name embedded in each event.

[tcp://:<port>]
sourcetype = tanium
index = tanium

Since Tanium Connect does not allow configuring the sourcetype in its Splunk destination settings, you must add the following props.conf and transforms.conf entries on the Heavy Forwarder to route events to the correct sourcetype based on the report name in the raw event.

props.conf (Heavy Forwarder / Indexers):

[tanium]
TRANSFORMS-set_sourcetype = tanium_set_sourcetype_vuln, tanium_set_sourcetype_inventory

transforms.conf (Heavy Forwarder / Indexers):

[tanium_set_sourcetype_vuln]
REGEX = \[Report-Splunk-Vulnerability-Report@
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::tanium:vuln

[tanium_set_sourcetype_inventory]
REGEX = \[Report-Splunk-Basic-Asset@
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::tanium:inventory

Step 4: Configure the Cyences Macro

Create an index named tanium, or update the cs_tanium macro from the Cyences app configuration page:

Cyences Settings > Cyences App Configuration > Products Setup > Tanium


Estimated Data Size

Data volume depends on the number of endpoints and vulnerabilities in your environment. Tanium Connect exports only scan result snapshots, so volume scales with findings count times scan frequency.


Copyright © 2024 CrossRealms International.

This site uses Just the Docs, a documentation theme for Jekyll.