Collect Tanium Comply logs

Supported in:

This document explains how to ingest Tanium Comply logs into Google Security Operations (Google SecOps) from Amazon S3, using Tanium Connect's native S3 export capability. The parser transforms the JSON log data into the Unified Data Model (UDM): it extracts key vulnerability information such as the CVE ID, CVSS scores, affected IP addresses, and timestamps, then restructures them into the standardized UDM format for consistent security analysis.

Before you begin

Make sure you have the following prerequisites:

  • A Google SecOps instance
  • Privileged access to Tanium Connect and Tanium Console
  • Tanium Comply 2.1 or later installed and configured
  • Privileged access to AWS (S3, IAM)

Configure AWS S3 bucket and IAM for Google SecOps

  1. Create an Amazon S3 bucket following this user guide: Creating a bucket
  2. Save the bucket Name and Region for future reference (for example, tanium-comply-logs).
  3. Create a user following this user guide: Creating an IAM user.
  4. Select the created User.
  5. Select the Security credentials tab.
  6. Click Create Access Key in the Access Keys section.
  7. Select Third-party service as the Use case.
  8. Click Next.
  9. Optional: add a description tag.
  10. Click Create access key.
  11. Click Download CSV file to save the Access Key and Secret Access Key for later use.
  12. Click Done.
  13. Select the Permissions tab.
  14. Click Add permissions in the Permissions policies section.
  15. Select Add permissions.
  16. Select Attach policies directly.
  17. Search for and select the AmazonS3FullAccess policy.
  18. Click Next.
  19. Click Add permissions.

Configure permissions on Amazon S3 bucket

  1. In the Amazon S3 console, choose the bucket that you previously created.
  2. Click Permissions > Bucket policy.
  3. In the Bucket Policy Editor, add the following policy:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:user/tanium-connect-s3-user"
            },
            "Action": [
              "s3:PutObject",
              "s3:PutObjectAcl",
              "s3:GetObject",
              "s3:ListBucket"
            ],
            "Resource": [
              "arn:aws:s3:::tanium-comply-logs",
              "arn:aws:s3:::tanium-comply-logs/*"
            ]
          }
        ]
      }

  4. Replace the following variables:

    • Change YOUR_ACCOUNT_ID to your AWS account ID.
    • Change tanium-comply-logs to your actual bucket name if different.
    • Change tanium-connect-s3-user to your actual IAM username if different.
  5. Click Save.

Configure Tanium Connect for S3 export

  1. Sign in to the Tanium Console as an administrator.
  2. Go to Tanium Connect > Connections.
  3. Click Create Connection.
  4. In the General Information section, provide the following configuration details:
    • Name: Enter a descriptive name (for example, Tanium Comply to S3).
    • Description: Enter a meaningful description (for example, Export Tanium Comply findings to S3 for Google SecOps ingestion).
    • Enable: Select to enable the connection.
    • Log Level: Select Information (default) or adjust as needed.
  5. In the Configuration section, for Source, select Tanium Comply (Findings).
  6. Configure the Comply source settings:
    • Finding Type: Select the type of findings to export (All, Compliance, or Vulnerability).
    • Include Resolved Findings: Select whether to include findings that have been resolved.
    • Computer Groups: Select the computer groups to include in the export (default: All Computers).
  7. For Destination, select AWS S3.
  8. Provide the following configuration details:
    • Destination Name: Enter a name (for example, Google SecOps S3 Bucket).
    • AWS Access Key: Enter the Access Key ID of the IAM user created earlier.
    • AWS Secret Key: Enter the Secret Access Key of the IAM user created earlier.
    • Bucket Name: Enter your S3 bucket name (for example, tanium-comply-logs).
    • Bucket Path: Optional. Enter a path prefix (for example, tanium/comply/).
    • Region: Select the AWS region where your bucket resides (for example, us-east-1).
  9. In the Format section, configure the output format:
    • Format Type: Select JSON.
    • Include Column Headers: Select if you want column headers included.
    • Generate Document: Deselect this option to send raw JSON data.
  10. Optional: In the Configure Output section, configure filters and custom columns as needed.
  11. In the Schedule section, configure when the connection runs:
    • Schedule Type: Select Cron.
    • Cron Expression: Enter a cron expression for regular exports (for example, 0 */4 * * * for every 4 hours).
    • Start Date: Set the start date for the schedule.
  12. Click Save Changes.
  13. From the Connect Overview page, go to Connections.
  14. Click the connection you created (Tanium Comply to S3).
  15. Click Run Now to test the connection.
  16. Confirm that you want to run the connection.
  17. Monitor the connection status and verify that compliance findings are being exported to your S3 bucket.

Optional: Create read-only IAM user & keys for Google SecOps

  1. Go to AWS Console > IAM > Users > Add users.
  2. Click Add users.
  3. Provide the following configuration details:
    • User: Enter secops-reader.
    • Access type: Select Access key – Programmatic access.
  4. Click Create user.
  5. Attach minimal read policy (custom): Users > secops-reader > Permissions > Add permissions > Attach policies directly > Create policy.
  6. In the JSON editor, enter the following policy:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::tanium-comply-logs/*"
          },
          {
            "Effect": "Allow",
            "Action": [
              "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::tanium-comply-logs"
          }
        ]
      }

  7. Set the name to secops-reader-policy.
  8. Go to Create policy > search/select > Next > Add permissions.
  9. Go to Security credentials > Access keys > Create access key.
  10. Download the CSV (these values are entered into the feed).
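The two policies in this guide are deliberately narrow: the Tanium Connect writer is named as a single IAM user principal in the bucket policy, and the secops-reader user gets only s3:GetObject on the objects and s3:ListBucket on the bucket. The following Python script is an added example, not part of the Google SecOps documentation or of Tanium's or AWS's tooling. It loads both policy documents as written above (with the YOUR_ACCOUNT_ID placeholder left in place) and flags the drift that typically creeps in when policies are edited later: wildcard actions, resources outside the named bucket, NotAction/NotResource inversions, and a bucket-policy principal that is not a single IAM user. The "allowed action" sets are an assumption taken from the actions each policy lists.

```python
"""Least-privilege checks for the two S3 policies in this guide (added example)."""
import json

BUCKET = "tanium-comply-logs"

# Bucket policy for the Tanium Connect writer, copied from this guide; the
# YOUR_ACCOUNT_ID placeholder is left as-is.
WRITER_BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:user/tanium-connect-s3-user"},
    "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::tanium-comply-logs", "arn:aws:s3:::tanium-comply-logs/*"]
  }]
}
""")

# Identity policy for the read-only secops-reader user, copied from this guide.
READER_IAM_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::tanium-comply-logs/*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::tanium-comply-logs"}
  ]
}
""")

# Actions each role legitimately needs (assumption: exactly the actions the guide lists).
WRITER_ACTIONS = {"s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:ListBucket"}
READER_ACTIONS = {"s3:GetObject", "s3:ListBucket"}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/Principal; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_policy(policy, bucket, allowed_actions, require_principal):
    """Return a list of human-readable findings; an empty list means the policy passed."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    allowed_resources = {bucket_arn, f"{bucket_arn}/*"}
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17 so policy variables are interpreted")
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        where = f"statement {idx}"
        if stmt.get("Effect") != "Allow":
            findings.append(f"{where}: unexpected Effect {stmt.get('Effect')!r}")
        # NotAction/NotResource/NotPrincipal invert the match and are almost always broader than intended.
        for key in ("NotAction", "NotResource", "NotPrincipal"):
            if key in stmt:
                findings.append(f"{where}: uses {key}, which widens the grant")
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f"{where}: wildcard action {action!r}")
            elif action not in allowed_actions:
                findings.append(f"{where}: action {action!r} is not needed by this role")
        for resource in _as_list(stmt.get("Resource")):
            if resource not in allowed_resources:
                findings.append(f"{where}: resource {resource!r} is outside bucket {bucket}")
        if require_principal:
            principal = stmt.get("Principal")
            aws = principal.get("AWS") if isinstance(principal, dict) else principal
            if not aws:
                findings.append(f"{where}: bucket policy statement has no Principal")
            for ident in _as_list(aws):
                if ident == "*" or not (ident.startswith("arn:aws:iam::") and ":user/" in ident):
                    findings.append(f"{where}: principal {ident!r} is not a single IAM user")
    return findings


if __name__ == "__main__":
    for name, policy, actions, needs_principal in (
        ("writer bucket policy", WRITER_BUCKET_POLICY, WRITER_ACTIONS, True),
        ("reader IAM policy", READER_IAM_POLICY, READER_ACTIONS, False),
    ):
        problems = check_policy(policy, bucket=BUCKET, allowed_actions=actions,
                                require_principal=needs_principal)
        print(name, "OK" if not problems else "\n  " + "\n  ".join(problems))
```

Run it after pasting a policy back out of the console (Permissions > Bucket policy, or the policy's JSON tab) to confirm that nothing was widened; the identity policy attached to the writer in the IAM section is AmazonS3FullAccess, so the bucket policy's single-user principal is what keeps the writer confined to this bucket.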

Configure a feed in Google SecOps to ingest Tanium Comply logs

  1. Go to SIEM Settings > Feeds.
  2. Click + Add New Feed.
  3. In the Feed name field, enter a name for the feed (for example, Tanium Comply logs).
  4. Select Amazon S3 V2 as the Source type.
  5. Select Tanium Comply as the Log type.
  6. Click Next.
  7. Specify values for the following input parameters:
    • S3 URI: s3://tanium-comply-logs/tanium/comply/ (adjust the path if you used a different bucket name or path).
    • Source deletion options: Select the deletion option according to your preference.
    • Maximum File Age: Include files modified in the last number of days. The default is 180 days.
    • Access Key ID: The access key of a user with access to the S3 bucket (from the read-only user created above).
    • Secret Access Key: The secret key of a user with access to the S3 bucket (from the read-only user created above).
    • Asset namespace: The asset namespace.
    • Ingestion labels: The label to be applied to the events from this feed.
  8. Click Next.
  9. Review your new feed configuration in the Finalize screen, and then click Submit.

UDM Mapping Table

Log field | UDM mapping | Logic
--- | --- | ---
Computer Name | entity.entity.asset.hostname | Directly mapped from the "Computer Name" field after replacing spaces with underscores.
CVE | entity.entity.asset.vulnerabilities.cve_id | Directly mapped from the "CVE" field.
CVSS v3 Score | entity.entity.asset.vulnerabilities.cvss_base_score | Directly mapped from the "CVSS v3 Score" field after renaming to cvss_base_score.
CVSS v3 Severity | entity.entity.asset.vulnerabilities.severity_details | Directly mapped from the "CVSS v3 Severity" field.
CVSS v3 Vector | entity.entity.asset.vulnerabilities.cvss_vector | Directly mapped from the "CVSS v3 Vector" field.
First Found Date | entity.entity.asset.vulnerabilities.first_found | Parsed from the "First Found Date" field and converted to RFC 3339 UTC format. If the date contains "-", "T00:00:00Z" is appended. Otherwise, the date is extracted using grok and then converted.
IP Address | entity.entity.asset.ip | Each IP address in the "IP Address" array is mapped to a separate "ip" field in the UDM.
Last Found Date | entity.entity.asset.vulnerabilities.last_found | Parsed from the "Last Found Date" field and converted to RFC 3339 UTC format. If the date contains "-", "T00:00:00Z" is appended. Otherwise, the date is extracted using grok and then converted.
Title | entity.entity.asset.vulnerabilities.name | Directly mapped from the "Title" field.
collection_time.nanos | entity.metadata.collected_timestamp.nanos | Directly mapped from the "collection_time.nanos" field.
collection_time.seconds | entity.metadata.collected_timestamp.seconds | Directly mapped from the "collection_time.seconds" field.
time | entity.metadata.interval.start_time | Parsed from the "time" field and converted to RFC 3339 UTC format.
- | entity.metadata.entity_type | Set to "ASSET".
- | entity.metadata.product_entity_id | Set to "Tanium: " concatenated with the value of the "computerName" field.
- | entity.metadata.product_name | Set to "Comply".
- | entity.metadata.vendor_name | Set to "Tanium".
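To make the mapping table concrete, the Python below is an added example (not the Google SecOps parser itself and not code from Tanium) that applies every row of the table to a constructed Comply finding. Field names come from the table's "Log field" column; the sample values, the MM/DD/YYYY format assumed for the non-ISO date branch (the page does not show the actual grok pattern), the assumption that "computerName" carries the same value as "Computer Name", and the treatment of the score as a number are all assumptions of this example.

```python
"""Apply the Tanium Comply -> UDM entity mapping from the table above (added example)."""
import json
import re
from datetime import datetime, timezone

# Constructed sample finding in the JSON shape the mapping table implies; field names
# are the table's "Log field" column, values are made up for this example.
SAMPLE_RECORD = {
    "Computer Name": "win srv 01",
    "CVE": "CVE-2024-00000",                 # placeholder id, not a real CVE
    "CVSS v3 Score": "7.5",
    "CVSS v3 Severity": "High",
    "CVSS v3 Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "First Found Date": "2024-01-15",        # ISO date: the "-" branch of the table
    "Last Found Date": "02/20/2024",         # non-ISO date: the grok branch (format assumed)
    "IP Address": ["10.0.0.5", "192.168.1.20"],
    "Title": "Example vulnerability title",
    "time": "2024-02-20T14:05:00+01:00",
    "collection_time": {"seconds": 1708434300, "nanos": 0},
}

# Assumption: the non-ISO date form the parser groks is MM/DD/YYYY; the real grok
# pattern is not shown on the page.
US_DATE = re.compile(r"^(?P<month>\d{2})/(?P<day>\d{2})/(?P<year>\d{4})$")


def to_rfc3339_date(value):
    """Date-only conversion exactly as the table describes it."""
    value = value.strip()
    if "-" in value:                         # already YYYY-MM-DD: append midnight UTC
        return f"{value}T00:00:00Z"
    match = US_DATE.match(value)
    if not match:
        raise ValueError(f"unrecognised date: {value!r}")
    return f"{match['year']}-{match['month']}-{match['day']}T00:00:00Z"


def to_rfc3339_timestamp(value):
    """Normalise a timestamp with any UTC offset to RFC 3339 in UTC (Z suffix)."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:                # treat naive timestamps as UTC (assumption)
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def to_udm_entity(record):
    """Build the UDM entity dict; key paths follow the mapping table's UDM column."""
    vulnerability = {
        "cve_id": record["CVE"],
        "cvss_base_score": float(record["CVSS v3 Score"]),  # score kept numeric (assumption)
        "severity_details": record["CVSS v3 Severity"],
        "cvss_vector": record["CVSS v3 Vector"],
        "first_found": to_rfc3339_date(record["First Found Date"]),
        "last_found": to_rfc3339_date(record["Last Found Date"]),
        "name": record["Title"],
    }
    return {
        "metadata": {
            "entity_type": "ASSET",
            "vendor_name": "Tanium",
            "product_name": "Comply",
            # Assumption: the table's "computerName" holds the same value as "Computer Name".
            "product_entity_id": "Tanium: " + record["Computer Name"],
            "collected_timestamp": {
                "seconds": record["collection_time"]["seconds"],
                "nanos": record["collection_time"]["nanos"],
            },
            "interval": {"start_time": to_rfc3339_timestamp(record["time"])},
        },
        "entity": {
            "asset": {
                "hostname": record["Computer Name"].replace(" ", "_"),
                "ip": list(record["IP Address"]),   # one ip entry per address
                "vulnerabilities": [vulnerability],
            }
        },
    }


if __name__ == "__main__":
    print(json.dumps(to_udm_entity(SAMPLE_RECORD), indent=2))
```

Running the script prints the entity as JSON; comparing that output with what the Google SecOps UDM search shows for a real ingested finding is a quick way to confirm the feed's Log type and the export's JSON format are both correct before building detections on the vulnerabilities fields.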
