Tanium 6.x: Tanium Connection Manager

In Tanium Server versions 6.2 and earlier, the resources described below are available through the Tanium Connection Manager, a standalone executable. In versions 6.5 and later, the Tanium Connection Manager is used only for the Active Directory Synchronization feature.

Introduction

The Tanium Connection Manager extends and integrates the Tanium Server through an extensible "Connector Plug-in" architecture and includes the following connector plug-ins at installation:

Log Forwarders

  • ArcSight Forwarder
  • Splunk Forwarder
  • McAfee SIEM Forwarder
  • LogRhythm Forwarder
  • Syslog Forwarder

Threat Feed / Indicator Connectors

  • VirusTotal Connector
  • Threat Stream Connector (preview)

Utility Connectors

  • Notification Connector
  • Active Directory Synchronization Connector

Installation

The Tanium Connection Manager runs as a Windows service that you can install on the Tanium application server itself or on any other server with access to the Tanium Server port and the destination system if forwarding results.

  1. Contact your Tanium Technical Account Manager for the link to download the Tanium Connection Manager installer.
  2. Execute the TaniumConnectorSetup.exe installer as administrator and press Next on the Welcome message to proceed with the setup:
    [Screenshot: CM_Setup_-_Welcome.png]
  3. Accept the default installation folder (recommended) or choose an alternate folder location.
    [Screenshot: CM_Setup_-_Choose_Install_Location.png]
  4. Press Install to complete the installation process:

After the installer adds the “Tanium Connector” folder to your Windows Start Menu, creates a desktop shortcut to run the configuration UI, and completes the Windows Service install, it displays the configuration UI for first time setup.

Configuring the Tanium Connection Manager

When executing the UI from the Start Menu link or Desktop icon, be sure to launch it using the "run as administrator" option.

The Connection Manager's Configuration UI allows you to specify or perform the following:

  • Tanium Server Details
  • Tanium Connection Manager Service Details
  • Configure Connector Plug-ins
  • Configure Questions to ask and link to Connectors
  • Service Management and Configuration Testing

Tanium Server Configuration

From the Tanium Server tab, enter the following values:

  1. Tanium Server: The respective Tanium application server address expressed as either the server's Fully Qualified Domain Name (FQDN) or IP address.
  2. Authentication: Provide console authentication credentials using one of the following options:
    • User Authentication - Console User Name and password with appropriate permissions to ask saved and custom questions (Preferred authentication mode)
    • Session Key (Deprecated authentication method to support older versions)
    [Screenshot: CM_TaniumServerTab-Top.png]
  3. Configuration: Specify the connection details for the Tanium Server and the Tanium Connection Manager service log settings:
    • Question Settings
    • Service Settings
    [Screenshot: CM_TaniumServerTab-Bottom.png]

Connection Manager Plug-in Configuration

The Connector Plug-ins tab lets you edit the connectors, each of which represents a system to which answers to Tanium Saved Questions are forwarded. Adding a connector takes two steps, after which its configuration dialog opens:

  1. Click the + icon to launch the dialog to select and describe a new connector definition.
    [Screenshot: CM_ConnectorPlug-ins_AddConnector.png]
    The Connection Manager Configuration dialog enables you to create a new connector plug-in definition:
      • Connector Type: Select the type of system connector that will handle answers to saved questions.
      • Connector Name: Enter a name that uniquely identifies the connector when setting up questions, e.g. "Log Forwarder".
      • Description: Enter a description of the purpose of the new connector.
    [Screenshot: CM_ConnectorPlug-ins_AddConnectorDetails.png]
  2. Press OK to save your new connector.
  3. The connector configuration dialog appears for you to define the details of the respective connector. See the Tanium Connectors section for details on the provided connectors.

Questions Configuration

The Question Details dialog allows you to select the question to ask, the connector to handle the question, and the frequency to ask the question along with an option to “Flatten” the results.

[Screenshot: Question_Details.png]

To understand the effect of the “Flatten” option take for example the below saved question which contains a single value sensor combined with a multi-column with multi-value sensor:

[Screenshot: Non-Approved_Established_Connections.png]

With Flatten unchecked, one message is generated for each physical row, so all of a computer's multi-value columns travel in a single message.

With Flatten checked, one message is generated for each sub-row of the "Non-Approved Established Connections Group" column, with the computer name repeated in every one of those messages.
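The following is an added example (not Tanium code) that models the two behaviours above on constructed data. It assumes a row model in which single-value sensors are strings and multi-column, multi-value sensors are index-aligned lists; the sample rows, field names and the `|` joiner are this example's own choices.

```python
"""Flatten behaviour for answer rows that mix a single-value sensor with a
multi-column, multi-value sensor. Added example, not Tanium code: the row
model (scalars are strings, multi-value columns are index-aligned lists)
and the sample rows are this example's own assumptions."""
from itertools import zip_longest

# Constructed rows for a question like "Computer Name and Non-Approved
# Established Connections": one host with three connections, one with none.
SAMPLE_ROWS = [
    {
        "Computer Name": "ws-017.corp.example",
        "Remote IP": ["203.0.113.5", "198.51.100.9", "192.0.2.44"],
        "Remote Port": ["443", "4444", "8080"],
        "Process": ["chrome.exe", "svchost.exe", "python.exe"],
    },
    {
        "Computer Name": "ws-018.corp.example",
        "Remote IP": [],
        "Remote Port": [],
        "Process": [],
    },
]


def unflattened_messages(rows, joiner="|"):
    """Flatten unchecked: one message per physical row; a multi-value cell is
    carried as a single joined string, so the receiver must split it again."""
    return [{k: joiner.join(v) if isinstance(v, list) else v for k, v in row.items()}
            for row in rows]


def flattened_messages(rows):
    """Flatten checked: one message per sub-row of the multi-value columns,
    with every single-value field (e.g. Computer Name) repeated in each.
    A row whose multi-value columns are all empty yields no message."""
    out = []
    for row in rows:
        scalars = {k: v for k, v in row.items() if not isinstance(v, list)}
        lists = {k: v for k, v in row.items() if isinstance(v, list)}
        if not lists:
            out.append(dict(scalars))
            continue
        # zip_longest pads ragged columns with "" instead of silently dropping data
        for values in zip_longest(*lists.values(), fillvalue=""):
            msg = dict(scalars)
            msg.update(zip(lists.keys(), values))
            out.append(msg)
    return out


if __name__ == "__main__":
    for m in flattened_messages(SAMPLE_ROWS):
        print(m)
```

Note the asymmetry worth checking in your own receiver: the host with no connections still produces one (mostly empty) message in the unflattened form but none in the flattened form, so a SIEM rule that counts "hosts reporting" will differ between the two modes.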

Service Configuration

The Service configuration tab provides a central location to manage the Connection Manager service itself: view the service status, start and stop the service as well as test your service configuration while watching the log output. This is useful for testing new configurations, connectors and data receivers. When testing configurations, it may be helpful to enable debug logging from the Tanium Server tab.

Note: Stop the service before running a configuration test from the configuration UI.
[Screenshot: CM_Configuration_-_Service_tab.png]

Note: The service does not pick up configuration changes until it is started or resumed.

Tanium Connectors

Log Connector

The Log Connector exports Saved Question answers to SIEM, event logging, and other tools. It lets you normalize field names and values, choose a message format (Syslog, JSON, or text with delimited values), and forward to TCP, UDP, or file log receivers.

General Settings

The general settings let you normalize or escape special characters in the name and value fields returned by a Saved Question. For example, the configuration below replaces every run of whitespace with a dash in names and with an underscore in values.

[Screenshot: Log_Connector_-_Connector_tab.png]

Format Settings

The Format settings tab lets you specify the format of the message forwarded by the connector. For Syslog-formatted messages, you can specify the values presented in the Syslog-defined header fields. A field from the response is substituted into the message header by enclosing its name in curly braces.

In the example below, the host name is the Computer Name or, if that field is not present in the question, the IP Address, while the MessageId is the name of the saved question.

[Screenshot: Log_Connector_-_Format_tab.png]
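As an added example covering both the General settings (name and value normalization) and the Format settings (curly-brace substitution into the Syslog header), the code below is not the Log Connector's own code. It assumes a `{A|B}` notation meaning "field A, else field B", which is this example's own convention rather than Tanium syntax, and the sample answer row is constructed.

```python
"""Field normalization and syslog header substitution of the kind the Log
Connector's General and Format settings describe. Added example, not the
Log Connector's code; the '{A|B}' fallback notation and the sample row are
this example's own assumptions."""
import json
import re
from datetime import datetime, timezone

PLACEHOLDER = re.compile(r"\{([^{}]+)\}")
WHITESPACE = re.compile(r"\s+")

# Constructed answer row from a saved question; not real Tanium output.
SAMPLE_ROW = {
    "Computer Name": "ws-017.corp.example",
    "IP Address": "10.20.30.40",
    "Running Processes": "powershell.exe -nop -w hidden",
}


def normalize_name(name, sub="-"):
    """Whitespace runs in a field name become sub (General settings: names)."""
    return WHITESPACE.sub(sub, name.strip())


def normalize_answer(row, name_sub="-", value_sub="_"):
    """Apply the name and value substitutions to every field of one answer row."""
    return {normalize_name(k, name_sub): WHITESPACE.sub(value_sub, str(v).strip())
            for k, v in row.items()}


def substitute(template, fields, name_sub="-"):
    """Replace each {A|B|...} with the first listed field that is present and
    non-empty, else ''. Names are written as the sensor's display names and
    normalized before lookup, so the template survives the name substitution."""
    def pick(match):
        for candidate in match.group(1).split("|"):
            value = fields.get(normalize_name(candidate, name_sub), "")
            if value != "":
                return value
        return ""
    return PLACEHOLDER.sub(pick, template)


def format_syslog(row, question_name, host_tpl="{Computer Name|IP Address}",
                  app_name="Tanium", facility=1, severity=6, timestamp=None):
    """Render one RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG.
    HOST comes from host_tpl, MSGID is the saved question name, and the body
    is a JSON object of the normalized fields so a SIEM can key on stable names."""
    fields = normalize_answer(row)
    if timestamp is None:
        timestamp = datetime.now(timezone.utc).isoformat().replace("+00:00", "Z")
    pri = facility * 8 + severity
    host = substitute(host_tpl, fields) or "-"      # '-' is the RFC 5424 nil value
    msgid = normalize_name(question_name) or "-"
    return f"<{pri}>1 {timestamp} {host} {app_name} - {msgid} - {json.dumps(fields, sort_keys=True)}"


if __name__ == "__main__":
    print(format_syslog(SAMPLE_ROW, "Non-Approved Established Connections"))
```

Normalizing before substitution matters for the header: RFC 5424 header fields are space-delimited, so a Computer Name or question name containing spaces would otherwise shift every field the SIEM parses after it.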

Destination Settings

[Screenshot: Log_Connector_-_Destination_tab.png]

VirusTotal Connector

The VirusTotal Connector lets you ask a question whose answer contains a hash value (MD5, SHA1, SHA256, etc.) and queries VirusTotal for reports on whether the hash has been flagged by the scan engines VirusTotal supports.

This connector works differently from the Log Connector: it maintains a history of the hash values it has seen, adds new ones incrementally as the answer changes, submits only those to VirusTotal, and reports on the results.

Connector Settings

The Connector settings control the interface to VirusTotal and let you throttle the number and frequency of calls to the VirusTotal API. Configuration settings include:

  • Hash Field Name – The field of the Question answer from which the hash value is taken for evaluation by VirusTotal.
  • BatchSize – The number of hashes to submit to VirusTotal in each request.
  • BatchLimit – The maximum number of API calls to make per interval of time, where the interval is specified by BatchInterval.
  • BatchInterval – The number of minutes over which the limit on calls to VirusTotal applies.

As an example, with a BatchSize of 5, a BatchLimit of 4 and a BatchInterval of 1, the connector calls the VirusTotal API at most 4 times per minute with 5 hashes in each call, i.e. up to 20 hashes per minute.

Note: VirusTotal disables requests from IP addresses that exceed the limits of their license. Contact VirusTotal directly to acquire an API license for use by the Connection Manager.
[Screenshot: VirusTotal_Connector_-_Connector_Tab.png]

Outputs Settings

The VirusTotal connector generates four output types with details on the reports from VirusTotal.

  • All Records – These are all records submitted to and reported on by VirusTotal.
  • Not Found – Details on the hashes that were not found by VirusTotal.
  • Positive – Details on the hashes that reported one or more positives from VirusTotal.
  • Negative – Details on the hashes that reported no positive results from VirusTotal.
[Screenshot: VirusTotal_Connector_-_Outputs_Tab.png]
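The following added example (not Tanium or VirusTotal code) ties together the Connector Settings and the Outputs Settings above: it keeps the history of already-submitted hashes, batches new ones by BatchSize, enforces BatchLimit calls per BatchInterval, and sorts each report into the four output buckets. The VirusTotal backend is replaced by a constructed in-memory lookup, the hash data is generated locally, and time is modelled as an integer minute passed by the caller; all of those are this example's own assumptions.

```python
"""Batching, throttling and output bucketing of the kind the VirusTotal
connector settings describe. Added example, not Tanium or VirusTotal code:
the lookup backend, the hash data and the 'minute' clock are all constructed."""
import hashlib
from collections import deque

# Constructed hash universe: md5 of "sample-0" .. "sample-21".
HASHES = [hashlib.md5(f"sample-{i}".encode()).hexdigest() for i in range(22)]

# Constructed stand-in for VirusTotal: positive-detection counts for a few
# hashes, zero for a few known-clean ones, and no entry (not found) for the rest.
FAKE_VT = {HASHES[0]: 57, HASHES[1]: 3, HASHES[2]: 0, HASHES[3]: 0, HASHES[4]: 0}


def fake_lookup(batch):
    """Stand-in for one API call: maps each hash to a positive count or None."""
    return {h: FAKE_VT.get(h) for h in batch}


def sample_rows():
    """Constructed answer rows: 22 distinct hashes, one duplicate, one empty hash."""
    rows = [{"Computer Name": f"ws-{i:03}", "MD5 Hash": h} for i, h in enumerate(HASHES)]
    rows.append(dict(rows[0]))                                 # same hash reported again
    rows.append({"Computer Name": "ws-999", "MD5 Hash": ""})   # sensor returned nothing
    return rows


class HashSubmitter:
    def __init__(self, lookup, hash_field="MD5 Hash", batch_size=5, batch_limit=4, batch_interval=1):
        self.lookup = lookup
        self.hash_field = hash_field
        self.batch_size = batch_size          # hashes per API call
        self.batch_limit = batch_limit        # API calls allowed per interval
        self.batch_interval = batch_interval  # interval length in minutes
        self.seen = set()                     # historic hashes: never resubmitted
        self.pending = deque()
        self.calls = []                       # (minute, hashes_in_call) per API call
        self.outputs = {"all": [], "not_found": [], "positive": [], "negative": []}

    def ingest(self, rows):
        """Queue only hashes not seen before; returns how many were new."""
        new = 0
        for row in rows:
            h = (row.get(self.hash_field) or "").strip().lower()
            if h and h not in self.seen:
                self.seen.add(h)
                self.pending.append(h)
                new += 1
        return new

    def calls_in_window(self, now_minute):
        """API calls made in the trailing BatchInterval minutes, ending now."""
        start = now_minute - self.batch_interval
        return sum(1 for minute, _ in self.calls if start < minute <= now_minute)

    def tick(self, now_minute):
        """Submit as many batches as BatchLimit allows at this minute;
        returns the number of hashes still waiting for a later interval."""
        while self.pending and self.calls_in_window(now_minute) < self.batch_limit:
            batch = [self.pending.popleft() for _ in range(min(self.batch_size, len(self.pending)))]
            self.calls.append((now_minute, len(batch)))
            for h, positives in self.lookup(batch).items():
                record = {"hash": h, "positives": positives}
                self.outputs["all"].append(record)
                if positives is None:
                    self.outputs["not_found"].append(record)
                elif positives > 0:
                    self.outputs["positive"].append(record)
                else:
                    self.outputs["negative"].append(record)
        return len(self.pending)


if __name__ == "__main__":
    s = HashSubmitter(fake_lookup)
    print("new hashes:", s.ingest(sample_rows()))
    print("left after minute 0:", s.tick(0), "calls:", len(s.calls))
    print("left after minute 1:", s.tick(1), "calls:", len(s.calls))
    print({k: len(v) for k, v in s.outputs.items()})
```

With the page's example settings (5/4/1) the 22 new hashes take four calls in the first minute and a fifth call in the next, which is the behaviour to expect when an answer changes by more than BatchSize × BatchLimit hashes at once: nothing is dropped, it just queues behind the throttle. Keeping the "not found" bucket separate matters operationally, since an unknown hash is not evidence that a file is clean.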