Collect Tanium Integrity Monitor logs

This document explains how to ingest Tanium Integrity Monitor logs to Google Security Operations using Tanium Connect's native AWS S3 export functionality. Tanium Integrity Monitor produces file and registry integrity monitoring events in JSON format, which can be directly exported to S3 using Tanium Connect without requiring custom Lambda functions. The parser first extracts fields like "computer_name", "process_path", and "change_type" from the "message" field of Tanium Integrity Monitor JSON logs using pattern matching. Then, it structures these extracted fields and some directly parsed JSON fields into the unified data model (UDM) format, handling both single-value and multi-value fields.

Before you begin

Make sure you have the following prerequisites:

• A Google SecOps instance
• Privileged access to Tanium Consolewith Integrity Monitor and Connect modules installed
• Privileged access to AWS(S3, IAM)

Collect Tanium Integrity Monitor prerequisites

1. Sign in to the Tanium Consoleas an administrator.
2. Go to Administration > Permissions > Users.
3. Create or identify a service account user with the following roles:
   • Integrity Monitor Service Accountrole.
   • Connect Userrole privilege.
   • Access to monitored computer groups (recommended: All Computersgroup).

Configure AWS S3 bucket and IAM for Google SecOps

1. Create Amazon S3 bucketfollowing this user guide: Creating a bucket
2. Save bucket Nameand Regionfor future reference (for example, tanium-integrity-monitor-logs ).
3. Create a user following this user guide: Creating an IAM user .
4. Select the created User.
5. Select the Security credentialstab.
6. Click Create Access Keyin the Access Keyssection.
7. Select Third-party serviceas the Use case.
8. Click Next.
9. Optional: add a description tag.
10. Click Create access key.
11. Click Download CSV fileto save the Access Keyand Secret Access Keyfor later use.
12. Click Done.
13. Select the Permissionstab.
14. Click Add permissionsin the Permissions policiessection.
15. Select Add permissions.
16. Select Attach policies directly
17. Search for and select the AmazonS3FullAccesspolicy.
18. Click Next.
19. Click Add permissions.

Configure Tanium Connect AWS S3 destination

1. Sign in to the Tanium Console.
2. Go to Modules > Connect.
3. Click Create Connection.
4. Provide the following configuration details:
   • Name: Enter a descriptive name (for example, Integrity Monitor to S3 for SecOps ).
   • Description: Optional description (for example, Export IM events to AWS S3 for Google SecOps ingestion ).
   • Enable: Select to enable the connection to run on schedule.
5. Click Next.

Configure the connection source

1. Select Integrity Monitor Eventsas the source type.
2. Provide the following configuration details:
   • Source: Select Integrity Monitor - Monitor Events.
   • Service Account: The connection will use the Tanium Connect service account configured in Integrity Monitor settings.
   • Monitor: Select All Monitorsor choose specific monitors to export.
   • Event types: Select event types to include:
     • File events: Include file creation, modification, deletion events.
     • Registry events: Include registry key changes (Windows only).
     • Permission events: Include file permission changes.
   • Include labeled events: Select to include events with labels.
   • Include unlabeled events: Select to include events without labels.
3. Click Next.

Configure AWS S3 destination

1. Select AWS S3as the destination type.
2. Provide the following configuration details:
   • Destination name: Enter a unique name (for example, Google SecOps S3 Destination ).
   • AWS Access Key: Enter the AWS access key from the previous step.
   • AWS Secret Access Key: Enter the AWS secret access key from the previous step.
   • Bucket name: Enter your S3 bucket name (for example, tanium-integrity-monitor-logs ).
   • Region: Select the AWS region where your S3 bucket is located.
   • Key prefix: Enter a prefix for the S3 objects (for example, tanium/integrity-monitor/ ).
   • Advanced Settings:
     • File naming: Select Date and time-based naming.
     • File format: Select JSON Linesfor optimal Google SecOps ingestion.
     • Compression: Select Gzipto reduce storage costs.
3. Click Next.

Optional: Configure filters

1. Configure data filters if needed:
   • New items only: Select to send only new events since last export.
   • Event filters: Add filters based on event attributes if specific filtering is required.
   • Computer group filters: Select specific computer groups if needed.
2. Click Next.

Format data for AWS S3

1. Configure the data format:
   • Format: Select JSON.
   • Include headers: Deselect to avoid headers in JSON output.
   • Field mappings: Use default field mappings or customize as needed.
   • Timestamp format: Select ISO 8601format for consistent time representation.
2. Click Next.

Schedule the connection

1. In the Schedulesection, configure the export schedule:
   • Enable schedule: Select to enable automatic scheduled exports.
   • Schedule type: Select Recurring.
   • Frequency: Select Hourlyfor regular data export.
   • Start time: Set appropriate start time for the first export.
2. Click Next.

Save and verify connection

1. Review the connection configuration in the summary screen.
2. Click Saveto create the connection.
3. Click Test Connectionto verify the configuration.
4. If the test is successful, click Run Nowto perform an initial export.
5. Monitor the connection status in the Connect Overviewpage.

Configure a feed in Google SecOps to ingest Tanium Integrity Monitor logs

1. Go to SIEM Settings > Feeds.
2. Click + Add New Feed.
3. In the Feed namefield, enter a name for the feed (for example, Tanium Integrity Monitor logs ).
4. Select Amazon S3 V2as the Source type.
5. Select Tanium Integrity Monitoras the Log type.
6. Click Next.
7. Specify values for the following input parameters:
   • S3 URI: s3://tanium-integrity-monitor-logs/tanium/integrity-monitor/
   • Source deletion options: Select deletion option according to your preference.
   • Maximum File Age: Include files modified in the last number of days. Default is 180 days.
   • Access Key ID: User access key with access to the S3 bucket.
   • Secret Access Key: User secret key with access to the S3 bucket.
   • Asset namespace: The asset namespace .
   • Ingestion labels: The label applied to the events from this feed.
8. Click Next.
9. Review your new feed configuration in the Finalizescreen, and then click Submit.

UDM Mapping Table

Log Field	UDM Mapping	Logic
Computer Name	principal.hostname	Directly mapped from the "Computer Name" field in the raw log.
Count	additional.fields.value.string_value	Directly mapped from the "Count" field in the raw log.
CreateNewFile	security_result.category_details	Directly mapped from the "Change Type" field in the raw log when its value is "CreateNewFile".
Hash	target.file.sha256	Directly mapped from the "Hash" field in the raw log.
"No events matched the filters"	security_result.about.labels.value	Directly mapped from the "ID" field in the raw log when its value is "No events matched the filters".
	additional.fields.key	Hardcoded to "Count" by the parser.
	metadata.event_timestamp	Populated with the create_time field from the raw log.
	metadata.event_type	Set to "STATUS_UPDATE" by the parser logic when the "principal_hostname" field is successfully extracted.
	metadata.log_type	Hardcoded to "TANIUM_INTEGRITY_MONITOR" by the parser.
	metadata.product_name	Hardcoded to "Tanium Integrity Monitor" by the parser.
	metadata.vendor_name	Hardcoded to "Tanium Integrity Monitor" by the parser.
	security_result.about.labels.key	Hardcoded to "ID" by the parser.

Need more help? Get answers from Community members and Google SecOps professionals.