Collect Tanium Threat Response logs

This document explains how to ingest Tanium Threat Response logs into Google Security Operations using Tanium Connect's native AWS S3 export functionality. Tanium Threat Response produces threat detection alerts, investigation findings, and incident response data in JSON format, which Tanium Connect can export directly to S3 without custom Lambda functions. The parser transforms the raw JSON from Tanium Threat Response into the unified data model (UDM). It first attempts to parse the incoming message as JSON, handles any parse errors, and then extracts and maps the relevant fields to the UDM structure, including details about the affected host, user, process, network activity, and security findings.

Before you begin

Make sure you have the following prerequisites:

  • A Google SecOps instance
  • Tanium Core Platform 7.0 or later
  • Tanium Threat Response module installed and configured
  • Tanium Connect module installed with a valid license
  • Tanium Direct Connect 1.9.30 or later for investigation capabilities
  • Privileged access to the Tanium Console with administrative rights
  • Privileged access to AWS (S3, IAM)

Configure the Threat Response service account

  1. Sign in to the Tanium Console.
  2. Go to Modules > Threat Response.
  3. Click Settings at the top right.
  4. In the Service Account section, configure the following:
    • Service Account User: Select a user with appropriate Threat Response permissions.
    • Verify the account has the Connect User role privilege.
    • Confirm access to Threat Response alerts and investigation data.
  5. Click Save to apply the service account configuration.

Collect Tanium Threat Response prerequisites

  1. Sign in to the Tanium Console as an administrator.
  2. Go to Administration > Permissions > Users.
  3. Create or identify a service account user with the following roles:
    • Threat Response Administrator or Threat Response Read Only User role.
    • Connect User role privilege.
    • Access to monitored computer groups (recommended: All Computers group).
    • Read Saved Question permission for Threat Response content sets.

Configure AWS S3 bucket and IAM for Google SecOps

  1. Create an Amazon S3 bucket following this user guide: Creating a bucket.
  2. Save the bucket Name and Region for future reference (for example, tanium-threat-response-logs).
  3. Create a user following this user guide: Creating an IAM user.
  4. Select the created User.
  5. Select the Security credentials tab.
  6. Click Create Access Key in the Access Keys section.
  7. Select Third-party service as the Use case.
  8. Click Next.
  9. Optional: add a description tag.
  10. Click Create access key.
  11. Click Download CSV file to save the Access Key and Secret Access Key for later use.
  12. Click Done.
  13. Select the Permissions tab.
  14. Click Add permissions in the Permissions policies section.
  15. Select Add permissions.
  16. Select Attach policies directly.
  17. Search for and select the AmazonS3FullAccess policy.
  18. Click Next.
  19. Click Add permissions.
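Step 17 attaches AmazonS3FullAccess, which allows every S3 action on every bucket in the account. The following Python is an added example, not from this page or from Tanium, AWS or Google documentation: it builds two policy documents scoped to the bucket and key prefix used later in this guide, one for the Tanium Connect destination (write only) and one for the Google SecOps feed (list and read, plus delete only when a source deletion option is chosen). It assumes the IAM actions s3:PutObject, s3:GetObject, s3:ListBucket and s3:DeleteObject and the s3:prefix condition key, all of which exist in AWS IAM.

```python
# Added example: least-privilege S3 policies for the Tanium Connect writer and the
# Google SecOps feed reader, as an alternative to the AmazonS3FullAccess managed policy.
import json

def s3_policies(bucket, prefix, allow_delete=False):
    """Return {"writer": policy, "reader": policy} scoped to bucket/prefix.

    writer: PutObject under the prefix only, which is all the Connect destination writes.
    reader: ListBucket restricted to the prefix plus GetObject on the objects;
            DeleteObject is added only when the feed's source deletion option is used.
    """
    prefix = prefix.strip("/")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects_arn = f"{bucket_arn}/{prefix}/*"
    writer = {"Version": "2012-10-17", "Statement": [
        {"Sid": "TaniumConnectWrite", "Effect": "Allow",
         "Action": ["s3:PutObject"], "Resource": objects_arn}]}
    read_actions = ["s3:GetObject"] + (["s3:DeleteObject"] if allow_delete else [])
    reader = {"Version": "2012-10-17", "Statement": [
        # ListBucket is a bucket-level action, so it targets the bucket ARN and is
        # narrowed to the prefix with the s3:prefix condition key.
        {"Sid": "SecOpsList", "Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": bucket_arn,
         "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*"]}}},
        {"Sid": "SecOpsRead", "Effect": "Allow", "Action": read_actions,
         "Resource": objects_arn}]}
    return {"writer": writer, "reader": reader}

def policy_actions(policy):
    """Flatten the Action lists of a policy document (sorted, de-duplicated)."""
    return sorted({a for st in policy["Statement"] for a in st["Action"]})

if __name__ == "__main__":
    # Bucket name and prefix are the example values used elsewhere in this guide.
    pols = s3_policies("tanium-threat-response-logs", "tanium/threat-response/")
    print(json.dumps(pols, indent=2))
```

Attach the writer policy to the IAM user whose keys go into the Connect destination and the reader policy to the user whose keys go into the SecOps feed; if Test Connection in Connect fails with the write-only policy, add s3:ListBucket on the bucket ARN to the writer rather than widening it further.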

Configure Tanium Connect AWS S3 destination

  1. Sign in to the Tanium Console.
  2. Go to Modules > Connect.
  3. Click Create Connection.
  4. Provide the following configuration details:
    • Name: Enter a descriptive name (for example, Threat Response Alerts to S3 for SecOps).
    • Description: Optional description (for example, Export threat detection alerts and investigation findings to AWS S3 for Google SecOps ingestion).
    • Enable: Select to enable the connection to run on schedule.
  5. Click Next.

Configure the connection source

  1. In the Source section, provide the following configuration details:
    • Source Type: Select Saved Question.
    • Saved Question: Select one of the following Threat Response-related saved questions:
      • Threat Response - Alerts for threat detection alerts.
      • Threat Response - Investigation Results for investigation findings.
      • Threat Response - Intel Matches for threat intelligence matches.
      • Threat Response - Endpoint Activity for suspicious endpoint activity.
      • Threat Response - Network Connections for network-based threats.
    • Computer Group: Select All Computers or specific computer groups to monitor.
    • Refresh Interval: Set an appropriate interval for data collection (for example, 10 minutes for threat alerts).
  2. Click Next.

Configure AWS S3 destination

  1. In the Destination section, provide the following configuration details:
    • Destination Type: Select AWS S3.
    • Destination Name: Enter a unique name (for example, Google SecOps ThreatResponse S3 Destination).
    • AWS Access Key: Enter the AWS access key from the CSV file downloaded in the AWS S3 configuration step.
    • AWS Secret Access Key: Enter the AWS secret access key from the CSV file downloaded in the AWS S3 configuration step.
    • Bucket Name: Enter your S3 bucket name (for example, tanium-threat-response-logs).
    • Region: Select the AWS region where your S3 bucket is located.
    • Key Prefix: Enter a prefix for the S3 objects (for example, tanium/threat-response/).
  2. Click Next.

Configure filters

  1. In the Filters section, configure data filtering options:
    • Send new items only: Select this option to send only new threat alerts since the last export.
    • Column filters: Add filters based on specific alert attributes if needed (for example, filter by alert severity, threat type, or investigation status).
  2. Click Next.

Format data for AWS S3

  1. In the Format section, configure the data format:
    • Format: Select JSON.
    • Options:
      • Include headers: Deselect to avoid headers in the JSON output.
      • Include empty cells: Select based on your preference.
    • Advanced Options:
      • File naming: Use the default timestamp-based naming.
      • Compression: Select Gzip to reduce storage costs and transfer time.
  2. Click Next.

Schedule the connection

  1. In the Schedule section, configure the export schedule:
    • Enable schedule: Select to enable automatic scheduled exports.
    • Schedule type: Select Recurring.
    • Frequency: Select Every 10 minutes for timely threat response alerts.
    • Start time: Set an appropriate start time for the first export.
  2. Click Next.

Save and verify connection

  1. Review the connection configuration in the summary screen.
  2. Click Save to create the connection.
  3. Click Test Connection to verify the configuration.
  4. If the test is successful, click Run Now to perform an initial export.
  5. Monitor the connection status on the Connect Overview page.

Configure a feed in Google SecOps to ingest Tanium Threat Response logs

  1. Go to SIEM Settings > Feeds.
  2. Click + Add New Feed.
  3. In the Feed name field, enter a name for the feed (for example, Tanium Threat Response logs).
  4. Select Amazon S3 V2 as the Source type.
  5. Select Tanium Threat Response as the Log type.
  6. Click Next.
  7. Specify values for the following input parameters:
    • S3 URI: s3://tanium-threat-response-logs/tanium/threat-response/
    • Source deletion options: Select the deletion option according to your preference.
    • Maximum File Age: Include files modified in the last number of days. Default is 180 days.
    • Access Key ID: User access key with access to the S3 bucket.
    • Secret Access Key: User secret key with access to the S3 bucket.
    • Asset namespace: The asset namespace.
    • Ingestion labels: The label applied to the events from this feed.
  8. Click Next.
  9. Review your new feed configuration in the Finalize screen, and then click Submit.

UDM Mapping Table

Log field | UDM mapping | Logic
Alert Id | security_result.rule_instance | The value of this field is taken from the "Alert Id" field in the raw log.
Computer IP | principal.ip | The value of this field is taken from the "Computer IP" field in the raw log.
Computer IP | target.ip | The value of this field is taken from the "Computer IP" field in the raw log.
Computer Name | principal.hostname | The value of this field is taken from the "Computer Name" field in the raw log.
Computer Name | target.hostname | The value of this field is taken from the "Computer Name" field in the raw log.
id | target.resource.attribute.labels | The value of this field is taken from the "id" field in the raw log. The key is hardcoded to "id".
Intel Id | security_result.rule_id | The value of this field is taken from the "Intel Id" field in the raw log.
Intel Labels | security_result.description | The value of this field is taken from the "Intel Labels" field in the raw log.
Intel Name | security_result.summary | The value of this field is taken from the "Intel Name" field in the raw log.
Intel Name | security_result.threat_name | The value of this field is taken from the "Intel Name" field in the raw log.
Intel Type | security_result.rule_type | The value of this field is taken from the "Intel Type" field in the raw log.
MatchDetails.finding.system_info.bits | principal.asset.platform_software.bits | The value of this field is taken from the "MatchDetails.finding.system_info.bits" field in the raw log.
MatchDetails.finding.system_info.os | principal.asset.platform_software.platform_version | The value of this field is taken from the "MatchDetails.finding.system_info.os" field in the raw log.
MatchDetails.finding.system_info.patch_level | principal.asset.platform_software.platform_patch_level | The value of this field is taken from the "MatchDetails.finding.system_info.patch_level" field in the raw log.
MatchDetails.finding.system_info.platform | principal.asset.platform_software.platform | The value of this field is taken from the "MatchDetails.finding.system_info.platform" field in the raw log.
MatchDetails.match.contexts.0.event.registrySet.keyPath | target.registry.registry_key | The value of this field is taken from the "MatchDetails.match.contexts.0.event.registrySet.keyPath" field in the raw log.
MatchDetails.match.contexts.0.event.registrySet.valueName | target.registry.registry_value_name | The value of this field is taken from the "MatchDetails.match.contexts.0.event.registrySet.valueName" field in the raw log.
MatchDetails.match.properties.args | security_result.about.process.command_line | The value of this field is taken from the "MatchDetails.match.properties.args" field in the raw log.
MatchDetails.match.properties.file.fullpath | target.process.file.full_path | The value of this field is taken from the "MatchDetails.match.properties.file.fullpath" field in the raw log.
MatchDetails.match.properties.file.md5 | target.process.file.md5 | The value of this field is taken from the "MatchDetails.match.properties.file.md5" field in the raw log.
MatchDetails.match.properties.file.sha1 | target.process.file.sha1 | The value of this field is taken from the "MatchDetails.match.properties.file.sha1" field in the raw log.
MatchDetails.match.properties.file.sha256 | target.process.file.sha256 | The value of this field is taken from the "MatchDetails.match.properties.file.sha256" field in the raw log.
MatchDetails.match.properties.fullpath | target.process.file.full_path | The value of this field is taken from the "MatchDetails.match.properties.fullpath" field in the raw log.
MatchDetails.match.properties.local_port | principal.port | The value of this field is taken from the "MatchDetails.match.properties.local_port" field in the raw log.
MatchDetails.match.properties.md5 | target.process.file.md5 | The value of this field is taken from the "MatchDetails.match.properties.md5" field in the raw log.
MatchDetails.match.properties.parent.args | security_result.about.process.command_line | The value of this field is taken from the "MatchDetails.match.properties.parent.args" field in the raw log.
MatchDetails.match.properties.parent.file.fullpath | target.process.parent_process.file.full_path | The value of this field is taken from the "MatchDetails.match.properties.parent.file.fullpath" field in the raw log.
MatchDetails.match.properties.parent.file.md5 | target.process.parent_process.file.md5 | The value of this field is taken from the "MatchDetails.match.properties.parent.file.md5" field in the raw log.
MatchDetails.match.properties.parent.parent.file.fullpath | target.process.parent_process.parent_process.file.full_path | The value of this field is taken from the "MatchDetails.match.properties.parent.parent.file.fullpath" field in the raw log.
MatchDetails.match.properties.parent.parent.file.md5 | target.process.parent_process.parent_process.file.md5 | The value of this field is taken from the "MatchDetails.match.properties.parent.parent.file.md5" field in the raw log.
MatchDetails.match.properties.parent.parent.parent.file.fullpath | target.process.parent_process.parent_process.parent_process.file.full_path | The value of this field is taken from the "MatchDetails.match.properties.parent.parent.parent.file.fullpath" field in the raw log.
MatchDetails.match.properties.parent.parent.parent.file.md5 | target.process.parent_process.parent_process.parent_process.file.md5 | The value of this field is taken from the "MatchDetails.match.properties.parent.parent.parent.file.md5" field in the raw log.
MatchDetails.match.properties.parent.parent.parent.parent.file.fullpath | target.process.parent_process.parent_process.parent_process.parent_process.file.full_path | The value of this field is taken from the "MatchDetails.match.properties.parent.parent.parent.parent.file.fullpath" field in the raw log.
MatchDetails.match.properties.parent.parent.parent.parent.file.md5 | target.process.parent_process.parent_process.parent_process.parent_process.file.md5 | The value of this field is taken from the "MatchDetails.match.properties.parent.parent.parent.parent.file.md5" field in the raw log.
MatchDetails.match.properties.parent.parent.parent.parent.parent.file.fullpath | target.process.parent_process.parent_process.parent_process.parent_process.parent_process.file.full_path | The value of this field is taken from the "MatchDetails.match.properties.parent.parent.parent.parent.parent.file.fullpath" field in the raw log.
MatchDetails.match.properties.parent.parent.parent.parent.parent.file.md5 | target.process.parent_process.parent_process.parent_process.parent_process.parent_process.file.md5 | The value of this field is taken from the "MatchDetails.match.properties.parent.parent.parent.parent.parent.file.md5" field in the raw log.
MatchDetails.match.properties.parent.pid | target.process.parent_process.pid | The value of this field is taken from the "MatchDetails.match.properties.parent.pid" field in the raw log.
MatchDetails.match.properties.parent.parent.pid | target.process.parent_process.parent_process.pid | The value of this field is taken from the "MatchDetails.match.properties.parent.parent.pid" field in the raw log.
MatchDetails.match.properties.parent.parent.parent.pid | target.process.parent_process.parent_process.parent_process.pid | The value of this field is taken from the "MatchDetails.match.properties.parent.parent.parent.pid" field in the raw log.
MatchDetails.match.properties.parent.parent.parent.parent.pid | target.process.parent_process.parent_process.parent_process.parent_process.pid | The value of this field is taken from the "MatchDetails.match.properties.parent.parent.parent.parent.pid" field in the raw log.
MatchDetails.match.properties.parent.parent.parent.parent.parent.pid | target.process.parent_process.parent_process.parent_process.parent_process.parent_process.pid | The value of this field is taken from the "MatchDetails.match.properties.parent.parent.parent.parent.parent.pid" field in the raw log.
MatchDetails.match.properties.pid | target.process.pid | The value of this field is taken from the "MatchDetails.match.properties.pid" field in the raw log.
MatchDetails.match.properties.protocol | network.ip_protocol | The value of this field is taken from the "MatchDetails.match.properties.protocol" field in the raw log.
MatchDetails.match.properties.remote_ip | target.ip | The value of this field is taken from the "MatchDetails.match.properties.remote_ip" field in the raw log.
MatchDetails.match.properties.remote_port | target.port | The value of this field is taken from the "MatchDetails.match.properties.remote_port" field in the raw log.
MatchDetails.match.properties.sha1 | target.process.file.sha1 | The value of this field is taken from the "MatchDetails.match.properties.sha1" field in the raw log.
MatchDetails.match.properties.sha256 | target.process.file.sha256 | The value of this field is taken from the "MatchDetails.match.properties.sha256" field in the raw log.
MatchDetails.match.properties.user | target.administrative_domain | The domain name is extracted from the "MatchDetails.match.properties.user" field in the raw log by looking for a backslash character ("\"). The characters before the backslash are taken as the domain name.
MatchDetails.match.properties.user | target.user.userid | The username is extracted from the "MatchDetails.match.properties.user" field in the raw log by looking for a backslash character ("\"). The characters after the backslash are taken as the username.
MITRE Techniques | security_result.threat_id | The value of this field is taken from the "MITRE Techniques" field in the raw log.
params | security_result.detection_fields | The value of this field is taken from the "params" field in the raw log. The key is hardcoded to "params_" concatenated with the index of the parameter.
Timestamp | metadata.event_timestamp | The value of this field is taken from the "Timestamp" field in the raw log.
N/A | is_alert | This field is hardcoded to "true" if the "Computer IP" field in the raw log is not empty.
N/A | metadata.log_type | This field is hardcoded to "TANIUM_THREAT_RESPONSE".
N/A | metadata.product_event_type | This field is hardcoded to "Tanium Signal".
N/A | metadata.product_name | This field is hardcoded to "Threat Response".
N/A | metadata.vendor_name | This field is hardcoded to "Tanium".
N/A | network.http.method | This field is hardcoded to "POST" if the value of the "method" field in the raw log is "submit".
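The mapping rules in this table, exercised on a constructed alert: the following Python is an added example, not Google's parser or Tanium's code. It implements the documented rules using the table's field paths, the backslash split for domain and username, the params_ index keys, the is_alert and HTTP method rules, and the initial JSON parse with error handling described in the overview. Two points the table leaves open are assumed: the params_ index is 0-based, and a user value without a backslash sets neither user field.

```python
import json

SAMPLE_ALERT = json.dumps({  # constructed sample alert: table field names, invented values
    "Alert Id": "12345", "Computer IP": "10.0.0.12", "Computer Name": "ws-01",
    "Intel Id": "77", "Intel Name": "Suspicious PowerShell", "Intel Type": "signal",
    "MITRE Techniques": "T1059.001", "Timestamp": "2024-05-01T10:00:00Z",
    "params": ["-enc", "AAAA"], "method": "submit",
    "MatchDetails": {"match": {"properties": {
        "pid": 4242, "fullpath": "C:\\Windows\\System32\\cmd.exe", "user": "CORP\\alice",
        "parent": {"pid": 900, "file": {"fullpath": "C:\\Windows\\explorer.exe"}}}}}})

# Direct raw-field -> UDM-field rules: a subset of the table, using its exact paths.
DIRECT = [("Alert Id", "security_result.rule_instance"), ("Computer IP", "principal.ip"),
          ("Computer IP", "target.ip"), ("Computer Name", "principal.hostname"),
          ("Computer Name", "target.hostname"), ("Intel Id", "security_result.rule_id"),
          ("Intel Name", "security_result.summary"), ("Intel Name", "security_result.threat_name"),
          ("MITRE Techniques", "security_result.threat_id"), ("Timestamp", "metadata.event_timestamp"),
          ("MatchDetails.match.properties.pid", "target.process.pid"),
          ("MatchDetails.match.properties.fullpath", "target.process.file.full_path"),
          ("MatchDetails.match.properties.parent.pid", "target.process.parent_process.pid")]

def lookup(obj, dotted):
    """Walk a dotted path; a numeric segment indexes a list (e.g. contexts.0)."""
    for seg in dotted.split("."):
        if isinstance(obj, dict):
            obj = obj.get(seg)
        elif isinstance(obj, list) and seg.isdigit() and int(seg) < len(obj):
            obj = obj[int(seg)]
        else:
            return None
    return obj

def to_udm(raw):
    """Parse the raw JSON (None on a decode error) and apply the mapping rules."""
    try:
        log = json.loads(raw)
    except json.JSONDecodeError:
        return None
    udm = {"metadata.log_type": "TANIUM_THREAT_RESPONSE", "metadata.vendor_name": "Tanium",
           "metadata.product_name": "Threat Response", "metadata.product_event_type": "Tanium Signal"}
    for src, dst in DIRECT:
        val = lookup(log, src)
        if val not in (None, ""):
            udm[dst] = str(val)
    user = lookup(log, "MatchDetails.match.properties.user")
    if isinstance(user, str) and "\\" in user:  # DOMAIN\user split described in the table
        udm["target.administrative_domain"], udm["target.user.userid"] = user.split("\\", 1)
    for i, p in enumerate(log.get("params") or []):  # params_<index>; 0-based is an assumption
        udm.setdefault("security_result.detection_fields", {})[f"params_{i}"] = str(p)
    if log.get("Computer IP"):  # is_alert is set only when Computer IP is non-empty
        udm["is_alert"] = "true"
    if log.get("method") == "submit":
        udm["network.http.method"] = "POST"
    return udm
```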
