Collect Tanium Patch logs

This document explains how to ingest Tanium Patch logs into Google Security Operations using Tanium Connect's native AWS S3 export functionality. Tanium Patch produces patch deployment, compliance, and vulnerability data in JSON format, which can be exported directly to S3 using Tanium Connect without requiring custom Lambda functions. The parser transforms the assessment JSON data into the Google SecOps Unified Data Model (UDM). It first normalizes key names, extracts data from the JSON structure, and then maps relevant fields to UDM attributes, including vulnerability details, security result information, and asset details such as hostname and operating system.

Before you begin

Make sure you have the following prerequisites:

  • A Google SecOps instance
  • Tanium Core Platform 7.0 or later
  • Tanium Patch module installed and configured
  • Tanium Connect module installed with a valid license
  • Privileged access to the Tanium Console with administrative rights
  • Privileged access to AWS (S3, IAM)

Configure the Tanium Patch service account

  1. Sign in to the Tanium Console.
  2. Go to Modules > Patch.
  3. Click Settings at the top right.
  4. In the Service Account section, configure the following:
    • Service Account User: Select a user with appropriate Patch permissions.
    • Verify that the account has the Connect User role privilege.
  5. Click Save to apply the service account configuration.

Collect Tanium Patch prerequisites

  1. Sign in to the Tanium Console as an administrator.
  2. Go to Administration > Permissions > Users.
  3. Create or identify a service account user with the following roles:

    • Patch Administrator or Patch Read Only User role.
    • Connect User role privilege.
    • Access to monitored computer groups (recommended: All Computers group).

Configure AWS S3 bucket and IAM for Google SecOps

  1. Create an Amazon S3 bucket following this user guide: Creating a bucket
  2. Save the bucket Name and Region for future reference (for example, tanium-patch-logs).
  3. Create a user following this user guide: Creating an IAM user.
  4. Select the created User.
  5. Select the Security credentials tab.
  6. Click Create Access Key in the Access Keys section.
  7. Select Third-party service as the Use case.
  8. Click Next.
  9. Optional: add a description tag.
  10. Click Create access key.
  11. Click Download CSV file to save the Access Key and Secret Access Key for later use.
  12. Click Done.
  13. Select the Permissions tab.
  14. Click Add permissions in the Permissions policies section.
  15. Select Add permissions.
  16. Select Attach policies directly.
  17. Search for and select the AmazonS3FullAccess policy.
  18. Click Next.
  19. Click Add permissions.
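Added example (not from this guide, Tanium, or Google): the same bucket access written as two least-privilege inline policies, one for the Tanium Connect writer and one for the Google SecOps feed reader, scoped to the guide's example bucket and key prefix instead of the broad AmazonS3FullAccess managed policy. The action sets per side are assumptions; check them against each product's documentation.

```python
import json

# Added example: bucket and key prefix are the guide's sample values (assumed).
BUCKET, PREFIX = "tanium-patch-logs", "tanium/patch/"


def scoped_policy(bucket, prefix, object_actions):
    """Allow listing only under `prefix` plus `object_actions` on objects there."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ListPrefixOnly", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}",
         "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}}},
        {"Sid": "ObjectsUnderPrefix", "Effect": "Allow", "Action": object_actions,
         "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
    ]}


# Tanium Connect only needs to write export files (assumed minimum action set).
WRITER_POLICY = scoped_policy(BUCKET, PREFIX, ["s3:PutObject"])
# The SecOps feed reads objects; DeleteObject is only needed when a source
# deletion option is selected in the feed (assumed).
READER_POLICY = scoped_policy(BUCKET, PREFIX, ["s3:GetObject", "s3:DeleteObject"])


def granted_actions(policy):
    """Flatten the Allow actions of a policy document for review."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow":
            acts = stmt["Action"]
            actions.update([acts] if isinstance(acts, str) else acts)
    return actions


def resources_outside_bucket(policy, bucket):
    """Resources not pinned to `bucket`; an empty list is the expected result."""
    arn = f"arn:aws:s3:::{bucket}"
    return [s["Resource"] for s in policy["Statement"]
            if not (s["Resource"] == arn or s["Resource"].startswith(arn + "/"))]


if __name__ == "__main__":
    print(json.dumps(WRITER_POLICY, indent=2))  # paste as an inline policy
```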

Configure Tanium Connect AWS S3 destination

  1. Sign in to the Tanium Console.
  2. Go to Modules > Connect.
  3. Click Create Connection.
  4. Provide the following configuration details:
    • Name: Enter a descriptive name (for example, Patch Data to S3 for SecOps).
    • Description: Optional description (for example, Export Patch compliance and deployment data to AWS S3 for Google SecOps ingestion).
    • Enable: Select to enable the connection to run on schedule.
  5. Click Next.

Configure the connection source

  1. In the Source section, provide the following configuration details:
    • Source Type: Select Saved Question.
    • Saved Question: Select one of the following Patch-related saved questions:
      • Patch - Deployment Results for patch deployment status.
      • Patch - Missing Patches for vulnerability compliance data.
      • Patch - Installed Patches for installed patch inventory.
      • Patch - Patch List for comprehensive patch status.
    • Computer Group: Select All Computers or specific computer groups to monitor.
    • Refresh Interval: Set an appropriate interval for data collection (for example, 1 hour).
  2. Click Next.

Configure AWS S3 destination

  1. In the Destination section, provide the following configuration details:
    • Destination Type: Select AWS S3.
    • Destination Name: Enter a unique name (for example, Google SecOps Patch S3 Destination).
    • AWS Access Key: Enter the AWS access key from the CSV file downloaded in the AWS S3 configuration step.
    • AWS Secret Access Key: Enter the AWS secret access key from the CSV file downloaded in the AWS S3 configuration step.
    • Bucket Name: Enter your S3 bucket name (for example, tanium-patch-logs).
    • Region: Select the AWS region where your S3 bucket is located.
    • Key Prefix: Enter a prefix for the S3 objects (for example, tanium/patch/).
  2. Click Next.

Configure filters

  1. In the Filters section, configure data filtering options:
    • Send new items only: Select this option to send only new results since the last export.
    • Column filters: Add filters based on specific patch attributes if needed (for example, filter by patch severity, deployment status).
  2. Click Next.

Format data for AWS S3

  1. In the Format section, configure the data format:
    • Format: Select JSON.
    • Options:
      • Include headers: Deselect to avoid headers in JSON output.
      • Include empty cells: Select based on your preference.
    • Advanced Options:
      • File naming: Use default timestamp-based naming.
      • Compression: Select Gzip to reduce storage costs and transfer time.
  2. Click Next.

Schedule the connection

  1. In the Schedule section, configure the export schedule:
    • Enable schedule: Select to enable automatic scheduled exports.
    • Schedule type: Select Recurring.
    • Frequency: Select Hourly for regular patch data export.
    • Start time: Set an appropriate start time for the first export.
  2. Click Next.

Save and verify connection

  1. Review the connection configuration in the summary screen.
  2. Click Save to create the connection.
  3. Click Test Connection to verify the configuration.
  4. If the test is successful, click Run Now to perform an initial export.
  5. Monitor the connection status on the Connect Overview page.

Configure a feed in Google SecOps to ingest Tanium Patch logs

  1. Go to SIEM Settings > Feeds.
  2. Click + Add New Feed.
  3. In the Feed name field, enter a name for the feed (for example, Tanium Patch logs).
  4. Select Amazon S3 V2 as the Source type.
  5. Select Tanium Patch as the Log type.
  6. Click Next.
  7. Specify values for the following input parameters:
    • S3 URI: s3://tanium-patch-logs/tanium/patch/
    • Source deletion options: Select deletion option according to your preference.
    • Maximum File Age: Include files modified in the last number of days. Default is 180 days.
    • Access Key ID: User access key with access to the S3 bucket.
    • Secret Access Key: User secret key with access to the S3 bucket.
    • Asset namespace: The asset namespace.
    • Ingestion labels: The label applied to the events from this feed.
  8. Click Next.
  9. Review your new feed configuration on the Finalize screen, and then click Submit.

UDM Mapping Table

Log field | UDM mapping | Logic
Bulletins | principal.asset.vulnerabilities.vendor_vulnerability_id | The value is taken from the "Bulletins" field in the raw log, for the corresponding index of the "Title" field. If the value is "None", the field is not mapped.
ComputerName | principal.hostname | The value is taken from the "ComputerName" field in the raw log.
ComputerName | principal.asset.hostname | The value is taken from the "ComputerName" field in the raw log.
CVEIDs | principal.asset.vulnerabilities.cve_id | The value is taken from the "CVEIDs" field in the raw log, for the corresponding index of the "Title" field. If the value is "None", the field is not mapped.
KBArticles | principal.asset.vulnerabilities.vendor_knowledge_base_article_id | The value is taken from the "KBArticles" field in the raw log, for the corresponding index of the "Title" field. If the value is empty, the field is not mapped.
KBArticles | security_result.summary | The value is taken from the "KBArticles" field in the raw log, for the corresponding index of the "Title" field. If the value is empty, the field is not mapped.
OSType | principal.asset.platform_software.platform | If the value contains "Windows", the platform is set to "WINDOWS". If the value contains "Linux", the platform is set to "LINUX". If the value contains "Mac", the platform is set to "MAC".
Severity | principal.asset.vulnerabilities.severity | The value is taken from the "Severity" field in the raw log, for the corresponding index of the "Title" field. If the value is "Critical", the severity is set to "HIGH". If the value is "Important", the severity is set to "MEDIUM". Otherwise, the severity is set to "UNKNOWN_SEVERITY".
Severity | principal.asset.vulnerabilities.severity_details | The value is taken from the "Severity" field in the raw log, for the corresponding index of the "Title" field. If the value is "Critical" or "Important", the severity details are set to the raw log value.
Title | principal.asset.vulnerabilities.name | The value is taken from the "Title" field in the raw log.
Title | security_result.description | The value is taken from the "Title" field in the raw log, for the corresponding index of the "InstallStatus" field. If the "InstallStatus" value is not "Installed", the description is set to the raw log value.
- | metadata.event_timestamp | The value is taken from the "create_time" field in the raw log.
- | metadata.event_type | The value is set to "SCAN_HOST".
- | metadata.log_type | The value is taken from the "log_type" field in the raw log.
- | metadata.product_name | The value is set to "Patch".
- | metadata.vendor_name | The value is set to "Tanium".
- | principal.asset.vulnerabilities.vendor | The value is set to "Tanium".
- | security_result.category | The value is set to "DATA_AT_REST".
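The mapping table above, carried out in Python over one constructed export row so the index alignment, the "None"/empty rules and the severity and platform translations can be checked end to end. This is an added example, not the Google SecOps parser; the row layout (per-patch values as lists aligned by index with Title) and the raw key names are assumptions taken from the table's wording.

```python
import json

# Constructed sample of one exported row. Its shape (per-patch values as lists
# aligned by index with "Title") is an assumption about the Connect JSON output.
SAMPLE_ROW = json.dumps({
    "ComputerName": "ws-example-01", "OSType": "Windows 10 Enterprise",
    "create_time": "2024-01-01T00:00:00Z", "log_type": "TANIUM_PATCH",
    "Title": ["Security Update A", "Security Update B"],
    "Bulletins": ["MS-BULLETIN-1", "None"], "CVEIDs": ["CVE-0000-0001", "None"],
    "KBArticles": ["KB0000001", ""], "Severity": ["Critical", "Moderate"],
    "InstallStatus": ["Not Installed", "Installed"],
})
SEVERITY = {"Critical": "HIGH", "Important": "MEDIUM"}
PLATFORMS = (("Windows", "WINDOWS"), ("Linux", "LINUX"), ("Mac", "MAC"))


def platform_of(os_type):
    # Substring match on OSType, in the order the mapping table lists them.
    return next((p for needle, p in PLATFORMS if needle in os_type), None)


def to_udm(raw_json):
    """Apply the mapping table to one raw row; returns a UDM-shaped dict."""
    row = json.loads(raw_json)
    titles = row.get("Title", [])

    def cell(key, i):  # per-patch value at the same index as Title[i]
        values = row.get(key, [])
        return values[i] if i < len(values) else ""

    vulns, results = [], []
    for i, title in enumerate(titles):
        v, r = {"name": title, "vendor": "Tanium"}, {"category": "DATA_AT_REST"}
        for key, field in (("Bulletins", "vendor_vulnerability_id"), ("CVEIDs", "cve_id")):
            if cell(key, i) not in ("", "None"):  # literal "None" is not mapped
                v[field] = cell(key, i)
        if cell("KBArticles", i):  # empty KB article is not mapped
            v["vendor_knowledge_base_article_id"] = r["summary"] = cell("KBArticles", i)
        v["severity"] = SEVERITY.get(cell("Severity", i), "UNKNOWN_SEVERITY")
        if cell("Severity", i) in SEVERITY:
            v["severity_details"] = cell("Severity", i)
        if cell("InstallStatus", i) != "Installed":  # only missing patches are described
            r["description"] = title
        vulns.append(v)
        results.append(r)
    asset = {"hostname": row.get("ComputerName"), "vulnerabilities": vulns}
    platform = platform_of(row.get("OSType", ""))
    if platform:
        asset["platform_software"] = {"platform": platform}
    return {"metadata": {"event_type": "SCAN_HOST", "product_name": "Patch",
                         "vendor_name": "Tanium", "log_type": row.get("log_type"),
                         "event_timestamp": row.get("create_time")},
            "principal": {"hostname": row.get("ComputerName"), "asset": asset},
            "security_result": results}
```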
