Getting Data In

How to integrate Tanium with Splunk?

akshatj2
Path Finder

Hi,

We need to integrate Tanium with Splunk but it seems there are no app/or add-on available. I tried to search online and everywhere its mentioned it can be easily integrated but no information is available. Can anyone provide me with details for integration. Also the modules available in tanium that is supported with Splunk.

0 Karma

ussina04
Explorer

I did have covered the steps from the above document.

But still we are not able to see any relevant data. i have seen these logs like thousands of time :

2018-11-07T05:33:06.609000-08:00 "thetaniumservername" Tanium[1299088] 5

0 Karma

muralikoppula
Communicator

Here is the Splunk configuration guide - https://docs.tanium.com/connect/connect/siem.html

The syslog-ng server need to be configured on source(Tanium) side to send logs to Splunk

0 Karma

ussina04
Explorer

Is the app going to be installed only on search heads or both searchheads and forwarder..??

0 Karma

akshatj2
Path Finder

The app is used to build dashboards and reports from Tanium logs and contain only search time operations.

It needs to be installed on Search Head only.

To integrate tanium with Splunk, tanium has inbuilt connector which can be configured to send tanium queries as events to Splunk(a total of 19 queries are executed by tanium).

you need to enable a syslog input on specific port on your forwarder and set sourcetype to "tanium" in inputs.conf.

TGanga
Explorer

I'm trying to integrate Tanium Connect with Splunk Cloud ( Not Splunk Enterprise ) to forward data from Tanium to Splunk Cloud in the 'syslog' format. In this regard, I would like to know details on the following - 1. Connection settings that need to be done in Tanium Connect ( like what to be filled in port no ,host name etc ) , 2. Is there any difference in forwarding data from Tanium Connect to Splunk Enterprise and Splunk Cloud OR is it same for both, 3. what are the list of ports that need to be opened in the system where Tanium console is installed, 4. Which port is used for communication between Tanium connect and Splunk cloud, 5. Any URL that need to be white-listed in the Firewall that is present in the network where, Tanium is present, 6. what are the methods that are implemented in Splunk cloud to secure data, 7. What are the security measures that are followed while sending data from Tanium to Splunk cloud etc.,

0 Karma

rnoyes
New Member

To ingest Tanium data you will need to have configured a Connector within the Tanium console. Saved questions, Detect, IOC and various other iformation can be forwarded to Splunk and utilized within the Splunk app mentioned in the previous post. Tanium support or the Tanium Connect user guide provides details on how to set this up.

0 Karma

Anam
Community Manager
Community Manager

Hey akshajt2

I found this app on splunkbase: https://splunkbase.splunk.com/app/1862/
I don't have any experience with it but it might be what you are looking for.

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!