diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index d049dd0f6a89b..e81033eda58f8 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -434,6 +434,16 @@
 vonage/*.md @DataDog/saas
 vonage/manifest.json @DataDog/saas-integrations @DataDog/documentation
 vonage/assets/logs/ @DataDog/saas-integrations @DataDog/documentation @DataDog/logs-backend @DataDog/logs-core
+/asana/ @DataDog/saas-integrations
+/asana/*.md @DataDog/saas-integrations @DataDog/documentation
+/asana/manifest.json @DataDog/saas-integrations @DataDog/documentation
+/asana/assets/logs/ @DataDog/saas-integrations @DataDog/documentation @DataDog/logs-backend
+
+/tanium/ @DataDog/saas-integrations
+/tanium/*.md @DataDog/saas-integrations @DataDog/documentation
+/tanium/manifest.json @DataDog/saas-integrations @DataDog/documentation
+/tanium/assets/logs/ @DataDog/saas-integrations @DataDog/documentation @DataDog/logs-backend
+
 plaid/ @DataDog/saas-integrations
 plaid/*.md @DataDog/saas-integrations @DataDog/documentation
 plaid/manifest.json @DataDog/saas-integrations @DataDog/documentation
diff --git a/tanium/README.md b/tanium/README.md
index 56d7dde243872..200db6ef13b11 100644
--- a/tanium/README.md
+++ b/tanium/README.md
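Review bot: The new entries are written with a leading slash (`/asana/`, `/tanium/`) while the neighbouring vonage and plaid entries are unanchored, so this block now mixes two pattern styles; for consistency with the surrounding lines, prefer `tanium/ @DataDog/saas-integrations` (and likewise for the other new lines), or anchor the whole file in a separate change. The two forms are not equivalent in CODEOWNERS: an anchored pattern matches only the top-level directory, whereas the unanchored form matches a directory of that name at any depth, so the choice changes who is requested for review. The `/asana/assets/logs/` and `/tanium/assets/logs/` lines also omit `@DataDog/logs-core`, which the vonage equivalent lists; if that is intentional it is fine, otherwise a reviewer is dropped from the log-asset changes. The asana entries look unrelated to the Tanium integration this commit introduces, so it is worth confirming they belong in this change.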
@@ -1,43 +1,57 @@
-# Agent Check: tanium
-
 ## Overview
-This check monitors [tanium][1].
+[Tanium][1] is an enterprise platform designed for endpoint management. It provides security and IT operations teams with rapid visibility and control to secure and manage all network endpoints.
-## Setup
+This integration ingests the following logs:
+
+- **Threat Response Alerts**: This endpoint contains information about the core incident response lifecycle with integrated capabilities for alerting, analysis, containment, and remediation.
+- **Threat Response Audit**: This endpoint contains information about the centralized view of audit events generated by the Tanium Threat Response.
+- **Platform Audit**: This endpoint contains information about the authentication, API token usage, local settings, persona changes, user settings, and system settings information.
+
+This integration collects logs from the sources listed above and transmits them to Datadog for analysis in [Log Explorer][3] and [Cloud SIEM][4].
-### Installation
+## Setup
-The tanium check is included in the [Datadog Agent][2] package.
-No additional installation is needed on your server.
+### Generate API Credentials in Tanium
-### Configuration
+1. Login into Tanium.
+2. From the main menu, navigate to **Administration** > **Permissions** > **API Tokens**.
+3. Click **New API Token** and configure the token settings:
+ - **Expiration**: Enter the expiration interval in days.
+ - **Trusted IP addresses**: Enter the external IP addresses as `::/0,0.0.0.0/0` to enable any system to use the token.
+4. Click on **Create**.
+5. Click on **Yes** and copy the **token** for later use.
+6. The Tanium host format is **\.cloud.tanium.com**. Replace **\** with your organization's specific subdomain.
-!!! Add list of steps to set up this integration !!!
+### Connect your Tanium Account to Datadog
-### Validation
+1. Add your Host and API Token.
+ | Parameters | Description |
+ | ------------------- |------------------------------------------------------------- |
+ | Host | The Host of your Tanium platform. |
+ | API Token | The API Token of your Tanium platform. |
-!!! Add steps to validate integration is functioning as expected !!!
+2. Click the Save button to save your settings.
 ## Data Collected
-### Metrics
+### Logs
-tanium does not include any metrics.
+The Tanium integration collects and forwards threat-response alerts, threat-response audit logs, and platform audit logs to Datadog.
-### Service Checks
+### Metrics
-tanium does not include any service checks.
+The Tanium integration does not include any metrics.
 ### Events
-tanium does not include any events.
-
-## Troubleshooting
+The Tanium integration does not include any events.
-Need help? Contact [Datadog support][3].
+## Support
-[1]: **LINK_TO_INTEGRATION_SITE**
-[2]: https://app.datadoghq.com/account/settings/agent/latest
-[3]: https://docs.datadoghq.com/help/
+For any further assistance, contact [Datadog support][2].
+[1]: https://www.tanium.com/
+[2]: https://docs.datadoghq.com/help/
+[3]: https://docs.datadoghq.com/logs/explorer/
+[4]: https://www.datadoghq.com/product/cloud-siem/
diff --git a/tanium/assets/dashboards/tanium_platform_audit_logs.json b/tanium/assets/dashboards/tanium_platform_audit_logs.json
new file mode 100644
index 0000000000000..b729676bd5f1b
--- /dev/null
+++ b/tanium/assets/dashboards/tanium_platform_audit_logs.json
@@ -0,0 +1,3112 @@ +{ + "title": "Tanium - Platform Audit Logs", + "description": "- This dashboard provides centralized visibility into system activity, user interactions, and key event insights for efficient monitoring and management.", + "widgets": [ + { + "id": 3098264915522038, + "definition": { + "type": "image", + "url": "https://www.tanium.com/wp-content/themes/main/lib/images/header-logo.svg", + "sizing": "contain", + "margin": "md", + "has_background": false, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 495983273354694, + "definition": { + "type": "note", + "content": "This dashboard provides comprehensive visibility into critical activities logged by the Tanium. These logs cover a wide range of events, including authentication, API token usage, local settings, persona changes, user settings, and system settings.\n\nBy consolidating this information, the dashboard enables organizations to monitor security, ensure compliance, and detect potential anomalies. 
This focused approach enhances operational transparency and supports proactive IT governance.\n\nFor more information, see the [Tanium Documentation](https://docs.datadoghq.com/integrations/tanium).\n\n**Tips**\n- Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 422688396405106, + "definition": { + "title": "Overview", + "background_color": "pink", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 582018538532440, + "definition": { + "title": "Total Logs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs $Last-Modified $Type-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e7e7e7" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 1272548581486866, + "definition": { + "title": "Logs by type over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Audit Logs", + "formula": 
"query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs $Last-Modified $Type-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "grey", + "order_by": "values", + "color_order": "monotonic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 4 + } + }, + { + "id": 8184424141356950, + "definition": { + "title": "API Token", + "background_color": "pink", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 7891400334881222, + "definition": { + "title": "Total API Token Audit Logs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs @object_type_name:api_token $Last-Modified $Type-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e7e7e7" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 8702748035003160, + "definition": { + "title": "Audit Logs over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { 
+ "alias": "Audit Logs", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs @object_type_name:api_token $Last-Modified $Type-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "grey", + "order_by": "values", + "color_order": "monotonic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 4124115783774196, + "definition": { + "title": "Total Created Tokens", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs @object_type_name:api_token @type_name:CreateObject $Last-Modified $Type-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#84c1e0" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 3, + "height": 2 + } + }, + { + "id": 7057506801874892, + "definition": { + "title": "Top Users Who Modified Tokens", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs @object_type_name:api_token @type_name:UpdateObject -@last_modified_by:\"\" $Last-Modified $Type-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@last_modified_by", + 
"limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 3, + "y": 3, + "width": 9, + "height": 4 + } + }, + { + "id": 6705122077069254, + "definition": { + "title": "Total Revoked Tokens", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs @object_type_name:api_token @type_name:DeleteObject $Last-Modified $Type-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#bc303c" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 5, + "width": 3, + "height": 2 + } + }, + { + "id": 6375097061069172, + "definition": { + "title": "Distribution of Events by Audit Types", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs @object_type_name:api_token $Last-Modified $Type-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@type_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + 
"metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 12, + "height": 4 + } + }, + { + "id": 5436549861232012, + "definition": { + "title": "API Token Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:tanium service:platform-audit-logs @object_type_name:api_token $Last-Modified $Type-Name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "type_name", + "width": "auto" + }, + { + "field": "audit_name", + "width": "auto" + }, + { + "field": "last_modified_by", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 11, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 7, + "width": 12, + "height": 16 + } + }, + { + "id": 4889965628445246, + "definition": { + "title": "Authentication", + "background_color": "pink", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 7221530526044772, + "definition": { + "title": "Total Authentication Audit Logs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs @object_type_name:authentication $Last-Modified $Type-Name" + }, + "indexes": [ + 
"*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e7e7e7" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 2 + } + }, + { + "id": 3777786510456934, + "definition": { + "title": "Audit Logs over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Audit Logs", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs @object_type_name:authentication $Last-Modified $Type-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "grey", + "order_by": "values", + "color_order": "monotonic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 4 + } + }, + { + "id": 7540814825296572, + "definition": { + "title": "Total Failed Authentication Attempts", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs @object_type_name:authentication @type_name:FailedCreateObject $Last-Modified $Type-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": 
"scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#bc303c" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 2, + "width": 3, + "height": 2 + } + }, + { + "id": 8188250255588544, + "definition": { + "title": "Top Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs @object_type_name:authentication $Last-Modified $Type-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 5595673740672488, + "definition": { + "title": "Distribution of Events by Authenticated Types", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs @object_type_name:authentication @authentication_type:* $Last-Modified $Type-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@authentication_type", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, 
+ "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 1329608803545358, + "definition": { + "title": "Distribution of Events by Audit Types", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs @object_type_name:authentication $Last-Modified $Type-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@type_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 6, + "height": 4 + } + }, + { + "id": 4186011341740722, + "definition": { + "title": "Top Audit Names", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs @object_type_name:authentication $Last-Modified $Type-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@audit_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": 
"count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 6, + "y": 8, + "width": 6, + "height": 4 + } + }, + { + "id": 5782056781854484, + "definition": { + "title": "Authentication Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:tanium service:platform-audit-logs @object_type_name:authentication $Last-Modified $Type-Name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "type_name", + "width": "auto" + }, + { + "field": "audit_name", + "width": "auto" + }, + { + "field": "@usr.name", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 12, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 23, + "width": 12, + "height": 17 + } + }, + { + "id": 953298368772146, + "definition": { + "title": "Local Settings", + "background_color": "pink", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 1539766163730284, + "definition": { + "title": "Total Local Settings Audit Logs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs @object_type_name:local_setting $Last-Modified $Type-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + 
"compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e7e7e7" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 8219112248408828, + "definition": { + "title": "Audit Logs over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Audit Logs", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs @object_type_name:local_setting $Last-Modified $Type-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "grey", + "order_by": "values", + "color_order": "monotonic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 7024013966639684, + "definition": { + "title": "Distribution of Events by Audit Types", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs @object_type_name:local_setting $Last-Modified $Type-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@type_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + 
"aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 4 + } + }, + { + "id": 3301607158586732, + "definition": { + "title": "Local Settings Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:tanium service:platform-audit-logs @object_type_name:local_setting $Last-Modified $Type-Name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "type_name", + "width": "auto" + }, + { + "field": "last_modified_by", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 7, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 40, + "width": 12, + "height": 12 + } + }, + { + "id": 693865502029316, + "definition": { + "title": "Persona", + "background_color": "pink", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 869016942399342, + "definition": { + "title": "Total Persona Audit Logs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs @object_type_name:persona $Last-Modified $Type-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + 
], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e7e7e7" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 4984935114572948, + "definition": { + "title": "Audit Logs over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Audit Logs", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs @object_type_name:persona $Last-Modified $Type-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "grey", + "order_by": "values", + "color_order": "monotonic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 2448186907339322, + "definition": { + "title": "Total Created Persona", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs @object_type_name:persona @type_name:CreateObject $Last-Modified $Type-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#84c1e0" + } + ] + } + ], + "autoscale": true, + "precision": 2 + 
}, + "layout": { + "x": 0, + "y": 3, + "width": 3, + "height": 2 + } + }, + { + "id": 6614526837027048, + "definition": { + "title": "Top Users Who Modified Persona", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs @object_type_name:persona @type_name:UpdateObject -@last_modified_by:\"\" $Last-Modified $Type-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@last_modified_by", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 3, + "y": 3, + "width": 9, + "height": 4 + } + }, + { + "id": 2453176334289552, + "definition": { + "title": "Total Deleted Persona", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs @object_type_name:persona @type_name:DeleteObject $Last-Modified $Type-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#bc303c" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 5, + "width": 3, + 
"height": 2 + } + }, + { + "id": 4562702634203612, + "definition": { + "title": "Distribution of Events by Audit Types", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs @object_type_name:persona $Last-Modified $Type-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@type_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 12, + "height": 4 + } + }, + { + "id": 5240928446883554, + "definition": { + "title": "Persona Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:tanium service:platform-audit-logs @object_type_name:persona $Last-Modified $Type-Name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "type_name", + "width": "auto" + }, + { + "field": "object_name", + "width": "auto" + }, + { + "field": "last_modified_by", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 11, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 52, + "width": 12, + "height": 16 + } + }, 
+ { + "id": 7419228844392, + "definition": { + "title": "System Settings", + "background_color": "pink", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 1389406996164014, + "definition": { + "title": "Total System Settings Audit Logs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs @object_type_name:system_setting $Last-Modified $Type-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e7e7e7" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 5623733657116126, + "definition": { + "title": "Audit Logs over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Audit Logs", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs @object_type_name:system_setting $Last-Modified $Type-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "grey", + "order_by": "values", + "color_order": "monotonic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } 
+ }, + { + "id": 4534674629180080, + "definition": { + "title": "Top Users Who Modified Settings", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs @object_type_name:system_setting @type_name:UpdateObject -@last_modified_by:\"\" $Last-Modified $Type-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@last_modified_by", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 3133765214401972, + "definition": { + "title": "Distribution of Events by Audit Types", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs @object_type_name:system_setting $Last-Modified $Type-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@type_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + 
], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 4932925191712800, + "definition": { + "title": "Updated System Settings Details", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs @object_type_name:system_setting $Last-Modified $Type-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@object_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@old_value", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@new_value", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 1000, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "Count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 7, + "width": 12, + "height": 4 + } + }, + { + "id": 3752672721164148, + "definition": { + "title": "System Settings Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:tanium service:platform-audit-logs @object_type_name:system_setting $Last-Modified $Type-Name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": 
"auto" + }, + { + "field": "type_name", + "width": "auto" + }, + { + "field": "object_name", + "width": "auto" + }, + { + "field": "last_modified_by", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 11, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 68, + "width": 12, + "height": 16 + } + }, + { + "id": 1940348445292304, + "definition": { + "title": "Users", + "background_color": "pink", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 8498265340180632, + "definition": { + "title": "Total Users Audit Logs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs @object_type_name:user $Last-Modified $Type-Name" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e7e7e7" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 5964682760883774, + "definition": { + "title": "Audit Logs over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Audit Logs", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs @object_type_name:user $Last-Modified $Type-Name" + }, + "indexes": [ 
+ "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "grey", + "order_by": "values", + "color_order": "monotonic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 2466379732446670, + "definition": { + "title": "Distribution of Events by Audit Types", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs @object_type_name:user $Last-Modified $Type-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@type_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 4 + } + }, + { + "id": 8327145696192430, + "definition": { + "title": "Top Created Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs @object_type_name:user @type_name:CreateObject $Last-Modified $Type-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@object_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + 
"compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 5349785570390230, + "definition": { + "title": "Top Updated Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:platform-audit-logs @object_type_name:user @type_name:UpdateObject $Last-Modified $Type-Name" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@object_name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 7270461141098422, + "definition": { + "title": "User Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:tanium service:platform-audit-logs @object_type_name:user $Last-Modified $Type-Name", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + 
}, + { + "field": "type_name", + "width": "auto" + }, + { + "field": "object_name", + "width": "auto" + }, + { + "field": "last_modified_by", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 11, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 84, + "width": 12, + "height": 16 + } + }, + { + "id": 6318815126622146, + "definition": { + "title": "Datadog Cloud SIEM", + "title_align": "center", + "background_color": "pink", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5913269995029142, + "definition": { + "type": "note", + "content": "\nDatadog Cloud SIEM analyzes and correlates Tanium Platform Audit logs to detect threats to your environment in real time. If you don't see signals please make sure you've enabled [Datadog Cloud SIEM](/security). ", + "background_color": "pink", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 2246708282476820, + "definition": { + "title": "CRITICALs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#bc303c", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:tanium service:platform-audit-logs status:critical $Last-Modified $Type-Name" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 0, + "y": 1, + "width": 2, + "height": 
2 + } + }, + { + "id": 924517000228036, + "definition": { + "title": "HIGHs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#d33043", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:tanium service:platform-audit-logs status:high $Last-Modified $Type-Name" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 2, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 7685826796026264, + "definition": { + "title": "Critical Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#bc303c", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:tanium service:platform-audit-logs status:critical $Last-Modified $Type-Name" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "custom_links": [], + "style": {} + }, + "layout": { + "x": 4, + "y": 1, + "width": 8, + "height": 4 + } + }, + { + "id": 7817209972175932, + "definition": { + "title": "MEDIUMs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + 
"requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#e5a21c", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:tanium service:platform-audit-logs status:medium $Last-Modified $Type-Name" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 2, + "height": 2 + } + }, + { + "id": 8386591420587394, + "definition": { + "title": "LOWs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#ffb52b", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:tanium service:platform-audit-logs status:low $Last-Modified $Type-Name" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 2, + "y": 3, + "width": 2, + "height": 1 + } + }, + { + "id": 3808261989156052, + "definition": { + "title": "INFOs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#84c1e0", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": 
"source:tanium service:platform-audit-logs status:info $Last-Modified $Type-Name" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 2, + "y": 4, + "width": 2, + "height": 1 + } + }, + { + "id": 8791604226681644, + "definition": { + "title": "High Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#d33043", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:tanium service:platform-audit-logs status:high $Last-Modified $Type-Name" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "custom_links": [], + "style": {} + }, + "layout": { + "x": 0, + "y": 5, + "width": 6, + "height": 4 + } + }, + { + "id": 2412900620565832, + "definition": { + "title": "Medium Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#e5a21c", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:tanium service:platform-audit-logs status:medium $Last-Modified $Type-Name" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + 
"sort": {
+ "count": 10,
+ "order_by": [
+ {
+ "type": "formula",
+ "index": 0,
+ "order": "desc"
+ }
+ ]
+ }
+ }
+ ],
+ "custom_links": [],
+ "style": {}
+ },
+ "layout": {
+ "x": 6,
+ "y": 5,
+ "width": 6,
+ "height": 4
+ }
+ }
+ ]
+ },
+ "layout": {
+ "x": 0,
+ "y": 100,
+ "width": 12,
+ "height": 10,
+ "is_column_break": true
+ }
+ }
+ ],
+ "template_variables": [
+ {
+ "name": "Last-Modified",
+ "prefix": "@last_modified_by",
+ "available_values": [],
+ "default": "*"
+ },
+ {
+ "name": "Type-Name",
+ "prefix": "@type_name",
+ "available_values": [],
+ "default": "*"
+ }
+ ],
+ "layout_type": "ordered",
+ "notify_list": [],
+ "reflow_type": "fixed"
+}
\ No newline at end of file
diff --git a/tanium/assets/dashboards/tanium_threat_response_alerts.json b/tanium/assets/dashboards/tanium_threat_response_alerts.json
new file mode 100644
index 0000000000000..21162f3a78f26
--- /dev/null
+++ b/tanium/assets/dashboards/tanium_threat_response_alerts.json
@@ -0,0 +1,1646 @@
+{
+ "title": "Tanium - Threat Response Alerts",
+ "description": "- This dashboard provides a comprehensive summary of Tanium Threat Response Alerts logs.",
+ "widgets": [
+ {
+ "id": 2975728723421586,
+ "definition": {
+ "type": "image",
+ "url": "https://www.tanium.com/wp-content/themes/main/lib/images/header-logo.svg",
+ "sizing": "contain",
+ "margin": "md",
+ "has_background": false,
+ "has_border": false,
+ "vertical_align": "center",
+ "horizontal_align": "center"
+ },
+ "layout": {
+ "x": 0,
+ "y": 0,
+ "width": 4,
+ "height": 3
+ }
+ },
+ {
+ "id": 3222341808078370,
+ "definition": {
+ "type": "note",
+ "content": "This dashboard provides a centralized view of real-time alerts generated by the Tanium and exclusively highlights newly created alerts, delivering actionable insights into emerging security threats.\n\nThis comprehensive approach enhances threat visibility, streamlines response times, and supports efficient security management, ensuring the stability and resilience of your IT environment.\n\nFor more information, see the [Tanium Documentation](https://docs.datadoghq.com/integrations/tanium).\n\n**Tips**\n- Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.",
+ "background_color": "white",
+ "font_size": "14",
+ "text_align": "left",
+ "vertical_align": "top",
+ "show_tick": false,
+ "tick_pos": "50%",
+ "tick_edge": "left",
+ "has_padding": true
+ },
+ "layout": {
+ "x": 4,
+ "y": 0,
+ "width": 8,
+ "height": 3
+ }
+ },
+ {
+ "id": 7567816691740930,
+ "definition": {
+ "title": "Threat Response Alerts",
+ "background_color": "pink",
+ "show_title": true,
+ "type": "group",
+ "layout_type": "ordered",
+ "widgets": [
+ {
+ "id": 8582300429809520,
+ "definition": {
+ "title": "Total Alerts",
+ "title_size": "16",
+ "title_align": "left",
+ "type": "query_value",
+ "requests": [
+ {
+ "formulas": [
+ { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:threat-response-alerts $Type $Priority $Match-Type $Computer-IP" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#f4bebe" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 2953358536379410, + "definition": { + "title": "Alerts by Severity over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:threat-response-alerts $Type $Priority $Match-Type $Computer-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@severity", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count", + "interval": 600000 + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "semantic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 437698652416320, + "definition": { + "title": "Alerts by Severity", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "order": "desc" + } + } + ], + "queries": [ + { + "name": "query1", + 
"data_source": "logs", + "search": { + "query": "source:tanium service:threat-response-alerts $Type $Priority $Match-Type $Computer-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@severity", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count", + "interval": 600000 + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 1158565234381462, + "definition": { + "title": "Alerts by Priority", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:threat-response-alerts $Type $Priority $Match-Type $Computer-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@priority", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 5365927068601620, + "definition": { + "title": "Top Match Types", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:threat-response-alerts $Type $Priority $Match-Type $Computer-IP" + 
}, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@matchType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 6996444820777464, + "definition": { + "title": "Top Alert Types", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:threat-response-alerts $Type $Priority $Match-Type $Computer-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@type", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 595187086297202, + "definition": { + "title": "Top Alerted Endpoints", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:threat-response-alerts $Type 
$Priority $Match-Type $Computer-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@computerName", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 6, + "height": 4 + } + }, + { + "id": 7507773038631400, + "definition": { + "title": "Top Alerted Endpoint IPs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:threat-response-alerts $Type $Priority $Match-Type $Computer-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 6, + "y": 11, + "width": 6, + "height": 4 + } + }, + { + "id": 407869379685704, + "definition": { + "title": "Endpoint Details", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { 
+ "query": "source:tanium service:threat-response-alerts $Type $Priority $Match-Type $Computer-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@computerName", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@Endpoint.impactScore", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "Count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 15, + "width": 6, + "height": 4 + } + }, + { + "id": 7332218014058988, + "definition": { + "title": "Top Mitre Technique Name", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:threat-response-alerts $Type $Priority $Match-Type $Computer-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@intelDoc.mitreAttack.techniques.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + 
"type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 6, + "y": 15, + "width": 6, + "height": 4 + } + }, + { + "id": 5463663137083272, + "definition": { + "title": "Top Intel Doc Names", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:threat-response-alerts $Type $Priority $Match-Type $Computer-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@intelDoc.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 19, + "width": 6, + "height": 4 + } + }, + { + "id": 260109840508664, + "definition": { + "title": "Top Intel Status", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:threat-response-alerts $Type $Priority $Match-Type $Computer-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@intelDoc.status", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": 
"desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 6, + "y": 19, + "width": 6, + "height": 4 + } + }, + { + "id": 6237722220009586, + "definition": { + "title": "Top Intel Types", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:threat-response-alerts $Type $Priority $Match-Type $Computer-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@intelDoc.type", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 23, + "width": 6, + "height": 4 + } + }, + { + "id": 7905874004969238, + "definition": { + "title": "Top 10 Intel Platforms", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:threat-response-alerts $Type $Priority $Match-Type $Computer-IP" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@intelDoc.platforms", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + 
"order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 6, + "y": 23, + "width": 6, + "height": 4 + } + }, + { + "id": 4336876155674404, + "definition": { + "title": "Threat Response Alerts Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:tanium service:threat-response-alerts $Type $Priority $Match-Type $Computer-IP", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "matchType", + "width": "auto" + }, + { + "field": "type", + "width": "auto" + }, + { + "field": "priority", + "width": "auto" + }, + { + "field": "severity", + "width": "auto" + }, + { + "field": "computerName", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "Endpoint.impactScore", + "width": "auto" + }, + { + "field": "intelDoc.type", + "width": "auto" + }, + { + "field": "intelDoc.name", + "width": "auto" + }, + { + "field": "intelDoc.status", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 27, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 32 + } + }, + { + "id": 3307231876890806, + "definition": { + "title": "Datadog Cloud SIEM", + "title_align": "center", + "background_color": "pink", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5550163871053700, + "definition": { + "type": "note", + "content": "\nDatadog Cloud SIEM analyzes and correlates Tanium Threat Response Alert logs to detect threats to your environment in real time. 
If you don't see signals please make sure you've enabled [Datadog Cloud SIEM](/security). ", + "background_color": "pink", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 7592305055902498, + "definition": { + "title": "CRITICALs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#bc303c", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:tanium service:threat-response-alerts status:critical $Type $Priority $Match-Type $Computer-IP" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 0, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 430707131455512, + "definition": { + "title": "HIGHs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#d33043", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:tanium service:threat-response-alerts status:high $Type $Priority $Match-Type $Computer-IP" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + 
"layout": { + "x": 2, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 6465924467804384, + "definition": { + "title": "Critical Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#bc303c", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:tanium service:threat-response-alerts status:critical $Type $Priority $Match-Type $Computer-IP" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "custom_links": [], + "style": {} + }, + "layout": { + "x": 4, + "y": 1, + "width": 8, + "height": 4 + } + }, + { + "id": 4573076335392508, + "definition": { + "title": "MEDIUMs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#e5a21c", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:tanium service:threat-response-alerts status:medium $Type $Priority $Match-Type $Computer-IP" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 2, + "height": 2 + } + }, + { + "id": 5892041830734636, + "definition": { + "title": "LOWs", + "title_size": "16", + 
"title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#ffb52b", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:tanium service:threat-response-alerts status:low $Type $Priority $Match-Type $Computer-IP" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 2, + "y": 3, + "width": 2, + "height": 1 + } + }, + { + "id": 4347821554093984, + "definition": { + "title": "INFOs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#84c1e0", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:tanium service:threat-response-alerts status:info $Type $Priority $Match-Type $Computer-IP" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 2, + "y": 4, + "width": 2, + "height": 1 + } + }, + { + "id": 6229831196528458, + "definition": { + "title": "High Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#d33043", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": 
"@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:tanium service:threat-response-alerts status:high $Type $Priority $Match-Type $Computer-IP" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "custom_links": [], + "style": {} + }, + "layout": { + "x": 0, + "y": 5, + "width": 6, + "height": 4 + } + }, + { + "id": 1881190306586430, + "definition": { + "title": "Medium Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#e5a21c", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:tanium service:threat-response-alerts status:medium $Type $Priority $Match-Type $Computer-IP" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "custom_links": [], + "style": {} + }, + "layout": { + "x": 6, + "y": 5, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 35, + "width": 12, + "height": 10 + } + } + ], + "template_variables": [ + { + "name": "Type", + "prefix": "@type", + "available_values": [], + "default": "*" + }, + { + "name": "Priority", + "prefix": "@priority", + "available_values": [], + "default": "*" + }, + { + "name": "Match-Type", + "prefix": "@matchType", + "available_values": [], + "default": "*" + }, + { + "name": "Computer-IP", + 
"prefix": "@network.client.ip", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/tanium/assets/dashboards/tanium_threat_response_audit_logs.json b/tanium/assets/dashboards/tanium_threat_response_audit_logs.json new file mode 100644 index 0000000000000..29cb90c6dabe6 --- /dev/null +++ b/tanium/assets/dashboards/tanium_threat_response_audit_logs.json 
@@ -0,0 +1,1207 @@ +{ + "title": "Tanium - Threat Response Audit Logs", + "description": "- This dashboard provides a comprehensive summary of Tanium Threat Response Audit logs.", + "widgets": [ + { + "id": 3098264915522038, + "definition": { + "type": "image", + "url": "https://www.tanium.com/wp-content/themes/main/lib/images/header-logo.svg", + "sizing": "contain", + "margin": "md", + "has_background": false, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 495983273354694, + "definition": { + "type": "note", + "content": "This dashboard provides a centralized view of audit events generated by Tanium Threat Response.\n\nBy offering detailed insights into Threat Response actions, the dashboard empowers organizations to monitor activity, ensure accountability, and detect potential anomalies. This comprehensive visibility enhances security management and supports compliance with organizational policies.\n\nFor more information, see the [Tanium Documentation](https://docs.datadoghq.com/integrations/tanium).\n\n**Tips**\n- Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 422688396405106, + "definition": { + "title": "Threat Response Audit Logs", + "background_color": "pink", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 582018538532440, + "definition": { + "title": "Total Audit Logs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + 
"response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:threat-response-audit-logs $User-Name $Audit-Type $Action" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e7e7e7" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 1272548581486866, + "definition": { + "title": "Audit Logs over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Audit Logs", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:threat-response-audit-logs $User-Name $Audit-Type $Action" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "grey", + "order_by": "values", + "color_order": "monotonic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 3059377100030358, + "definition": { + "title": "Distribution of Events by Action", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:threat-response-audit-logs $User-Name $Audit-Type $Action" + }, + "indexes": [ + "*" + ], 
+ "group_by": [ + { + "facet": "@action", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 8080294757081074, + "definition": { + "title": "Top Audit Types", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:threat-response-audit-logs $User-Name $Audit-Type $Action" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@table", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "grey" + } + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 1385411293717198, + "definition": { + "title": "Top Activities by Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:threat-response-audit-logs $User-Name $Audit-Type $Action" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "aggregation": "count", + 
"order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "grey" + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 1321376038067332, + "definition": { + "title": "Top Endpoint IPs Involved in Connections", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:threat-response-audit-logs @table:LiveConnection $User-Name $Audit-Type $Action" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 292585266172996, + "definition": { + "title": "Connection Details", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:threat-response-audit-logs @table:LiveConnection $User-Name $Audit-Type $Action" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": 
"@state.target.hostname", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@state.target.platform", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@state.target.operatingSystem", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 10000, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "Count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 11, + "width": 12, + "height": 4 + } + }, + { + "id": 5116474089010534, + "definition": { + "title": "Updated Alerts Details", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:tanium service:threat-response-audit-logs @table:Alert @action:update $User-Name $Audit-Type $Action" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@state.idsUpdated", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@state.updatedFields.state", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + 
"response_format": "scalar", + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "Count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 15, + "width": 4, + "height": 4 + } + }, + { + "id": 1814014987390962, + "definition": { + "title": "Threat Response Audit Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:tanium service:threat-response-audit-logs $User-Name $Audit-Type $Action", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "table", + "width": "auto" + }, + { + "field": "action", + "width": "auto" + }, + { + "field": "usr.name", + "width": "auto" + }, + { + "field": "state", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 4, + "y": 15, + "width": 8, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 20, + "is_column_break": true + } + }, + { + "id": 6318815126622146, + "definition": { + "title": "Datadog Cloud SIEM", + "title_align": "center", + "background_color": "pink", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5913269995029142, + "definition": { + "type": "note", + "content": "\nDatadog Cloud SIEM analyzes and correlates Tanium Threat Response Audit logs to detect threats to your environment in real time. If you don't see signals please make sure you've enabled [Datadog Cloud SIEM](/security). 
", + "background_color": "pink", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 2246708282476820, + "definition": { + "title": "CRITICALs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#bc303c", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:tanium service:threat-response-audit-logs status:critical $User-Name $Audit-Type $Action" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 0, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 924517000228036, + "definition": { + "title": "HIGHs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#d33043", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:tanium service:threat-response-audit-logs status:high $User-Name $Audit-Type $Action" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 2, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 7685826796026264, + 
"definition": { + "title": "Critical Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#bc303c", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:tanium service:threat-response-audit-logs status:critical $User-Name $Audit-Type $Action" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "custom_links": [], + "style": {} + }, + "layout": { + "x": 4, + "y": 1, + "width": 8, + "height": 4 + } + }, + { + "id": 7817209972175932, + "definition": { + "title": "MEDIUMs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#e5a21c", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:tanium service:threat-response-audit-logs status:medium $User-Name $Audit-Type $Action" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 2, + "height": 2 + } + }, + { + "id": 8386591420587394, + "definition": { + "title": "LOWs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + 
"custom_bg_color": "#ffb52b", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:tanium service:threat-response-audit-logs status:low $User-Name $Audit-Type $Action" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 2, + "y": 3, + "width": 2, + "height": 1 + } + }, + { + "id": 3808261989156052, + "definition": { + "title": "INFOs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#84c1e0", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:tanium service:threat-response-audit-logs status:info $User-Name $Audit-Type $Action" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 2, + "y": 4, + "width": 2, + "height": 1 + } + }, + { + "id": 8791604226681644, + "definition": { + "title": "High Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#d33043", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:tanium 
service:threat-response-audit-logs status:high $User-Name $Audit-Type $Action" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "custom_links": [], + "style": {} + }, + "layout": { + "x": 0, + "y": 5, + "width": 6, + "height": 4 + } + }, + { + "id": 2412900620565832, + "definition": { + "title": "Medium Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#e5a21c", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:tanium service:threat-response-audit-logs status:medium $User-Name $Audit-Type $Action" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "custom_links": [], + "style": {} + }, + "layout": { + "x": 6, + "y": 5, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 23, + "width": 12, + "height": 10 + } + } + ], + "template_variables": [ + { + "name": "User-Name", + "prefix": "@usr.name", + "available_values": [], + "default": "*" + }, + { + "name": "Audit-Type", + "prefix": "@table", + "available_values": [], + "default": "*" + }, + { + "name": "Action", + "prefix": "@action", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file 
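Review bot: The image widget at the top of this hunk loads its logo from `https://www.tanium.com/wp-content/themes/main/lib/images/header-logo.svg`, so every render of the dashboard fetches a third-party SVG whose path the vendor can move or change at any time and which discloses each viewer's request to that host; a Datadog-hosted copy of the logo would remove the runtime dependency on an external site. The dashboard `description` also begins with a stray list marker, `"- This dashboard provides a comprehensive summary of Tanium Threat Response Audit logs."`, which looks unintended and should drop the leading `- `. The group-by facets used by the widgets here (`@action`, `@table`, `@state.target.hostname`, `@state.target.platform`, `@state.target.operatingSystem`, `@state.idsUpdated`, `@state.updatedFields.state`) are not among the three facets declared in `tanium/assets/logs/tanium.yaml` later in this diff (only `network.client.ip`, `usr.id` and `usr.name`), so unless they are created elsewhere these toplist, sunburst and query_table widgets may not group as intended — worth confirming before release. The note widget's link text reads "Tanium Documentation" but points at the Datadog integration page, so "Tanium integration documentation" would describe the target more accurately.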
diff --git a/tanium/assets/logs/tanium.yaml b/tanium/assets/logs/tanium.yaml new file mode 100644 index 0000000000000..f1fc008b830d7 --- /dev/null +++ b/tanium/assets/logs/tanium.yaml 
@@ -0,0 +1,152 @@
+id: tanium
+metric_id: tanium
+backend_only: false
+facets:
+  - groups:
+      - Web Access
+    name: Client IP
+    path: network.client.ip
+    source: log
+  - groups:
+      - User
+    name: User ID
+    path: usr.id
+    source: log
+  - groups:
+      - User
+    name: User Name
+    path: usr.name
+    source: log
+pipeline:
+  type: pipeline
+  name: Tanium
+  enabled: true
+  filter:
+    query: source:tanium
+  processors:
+    - type: date-remapper
+      name: Define `alertedAt`, `createdAt`, `creation_time` as the official date of
+        the log
+      enabled: true
+      sources:
+        - alertedAt
+        - createdAt
+        - creation_time
+    - type: attribute-remapper
+      name: Map `state.target.ip`, `computerIpAddress` to `network.client.ip`
+      enabled: true
+      sources:
+        - state.target.ip
+        - computerIpAddress
+      sourceType: attribute
+      target: network.client.ip
+      targetType: attribute
+      preserveSource: false
+      overrideOnConflict: false
+    - type: attribute-remapper
+      name: Map `mod_user.id`, `userId` to `usr.id`
+      enabled: true
+      sources:
+        - mod_user.id
+        - userId
+      sourceType: attribute
+      target: usr.id
+      targetType: attribute
+      preserveSource: false
+      overrideOnConflict: false
+    - type: attribute-remapper
+      name: Map `mod_user.name`, `userName` to `usr.name`
+      enabled: true
+      sources:
+        - mod_user.name
+        - userName
+      sourceType: attribute
+      target: usr.name
+      targetType: attribute
+      preserveSource: false
+      overrideOnConflict: false
+    - type: pipeline
+      name: Platform Audit Logs for Authentication
+      enabled: true
+      filter:
+        query: service:platform-audit-logs @object_type_name:authentication
+      processors:
+        - type: grok-parser
+          name: Parsing authentication logs for platform audits
+          enabled: true
+          source: details
+          samples:
+            - "User: test@example.com; Session ID: 111111; 10.10.10.10"
+            - "Failed Authentication Expired session supplied. User:
+              test@example.com; Last Used: 2024-12-29 06:24:46 +0000; Now:
+              2024-12-29 06:29:50 +0000"
+            - "Failed Authentication JWT authentication failed: IP Address:
+              10.10.10.10. User access token has been invalidated"
+            - "Failed Authentication JWT authentication failed: IP Address:
+              10.10.10.10. JWTInvalidToken: Invalid JSON Web Token. Token has
+              expired. now=2024-12-31 06:18:12 +0000 exp=2024-12-31 05:35:00
+              +0000"
+            - "User: test@example.com; Session ID: 111111; Authentication Type:
+              JsonWebToken; IP Address: 10.10.10.10"
+          grok:
+            supportRules: ""
+            matchRules: >-
+              new_system_user_session_created_rule UserID: %{word:usr.id};
+              Session ID: %{integer:session_id}; IP Address: %{ip:network.client.ip}
+
+              new_session_created_rule User: %{regex("[^;]*"):usr.name}; Session ID: %{integer:session_id}; Authentication Type: %{regex("[^;]*"):authentication_type}(; Originated from %{notSpace:originated_from})?(; IP Address: %{ip:network.client.ip})?
+
+              user_logged_out User: %{regex("[^;]*"):usr.name}; Session ID: %{integer:session_id}; (IP Address: )?%{ip:network.client.ip}
+
+              authentication_failed_rule1 Failed Authentication (Deleted|Expired) session supplied.%{regex(" *")}User: %{regex("[^;]*"):usr.name}; Last Used: %{date("yyyy-MM-dd HH:mm:ss Z"):last_used}; Now: %{date("yyyy-MM-dd HH:mm:ss Z"):now}
+
+              authentication_failed_rule2 Failed Authentication JWT authentication failed: IP Address: %{ip:network.client.ip}. (JWTInvalidToken: Invalid JSON Web Token. Token has expired. now=%{date("yyyy-MM-dd HH:mm:ss Z"):now} exp=%{date("yyyy-MM-dd HH:mm:ss Z"):exp}|User access token has been invalidated)
+    - type: pipeline
+      name: Platform Audit Logs for System Settings
+      enabled: true
+      filter:
+        query: service:platform-audit-logs @object_type_name:system_setting
+      processors:
+        - type: grok-parser
+          name: Parsing system settings logs for platform audits
+          enabled: true
+          source: details
+          samples:
+            - Updated 'ias_auth_jwks_download_timeout_seconds' from 20 to 10
+            - Updated 'jwt_settings' from {\"username_claim\":\"email\"} to
+              {\"username_claim\":\"email\"}
+            - "Created setting 'HotCachePercentage' with a value of: 80"
+          grok:
+            supportRules: ""
+            matchRules: >-
+              update_rule Updated '%{word:setting}' from %{regex(".*(?=
+              to)"):old_value} to %{data:new_value}
+
+              create_rule Created setting '%{word:setting}' with a value of: %{data:value}
+    - type: pipeline
+      name: " Message Remapping for Platform Audit Logs"
+      enabled: true
+      filter:
+        query: service:platform-audit-logs
+      processors:
+        - type: message-remapper
+          name: Define `details` as the official message of the log
+          enabled: true
+          sources:
+            - details
+    - name: Lookup on `severity` to `status`
+      enabled: true
+      source: severity
+      target: status
+      lookupTable: |-
+        info,Info
+        low,Notice
+        medium,Warning
+        high,Critical
+        critical,Alert
+      type: lookup-processor
+    - type: status-remapper
+      name: Define `status` as the official status of the log
+      enabled: true
+      sources:
+        - status
diff --git a/tanium/assets/logs/tanium_tests.yaml b/tanium/assets/logs/tanium_tests.yaml
new file mode 100644
index 0000000000000..cb7c38564d9ab
--- /dev/null
+++ b/tanium/assets/logs/tanium_tests.yaml
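Review bot: The `usr.id` facet declared at the top of the file receives values of two types: the grok rule `new_system_user_session_created_rule` captures `%{word:usr.id}`, so the platform-audit fixture ends up with the string `"44"`, while the `Map mod_user.id, userId to usr.id` remapper forwards the JSON integers (`48`, `47`) untouched. Two types under one facet path can leave one of the shapes unsearchable through the facet, so capture it as `%{integer:usr.id}` (or normalise the remapped value to a string) and keep a single type. The fixtures also show attributes this pipeline leaves alone in two shapes across services — `state` is a string on threat-response alerts and an object on audit rows, `type` a string on alerts and an integer on platform-audit rows — which deserves a comment here even if nobody facets on them yet. Separately, the `Client IP` facet folds the managed endpoint's address (`computerIpAddress`, `state.target.ip`, presumably the target of an alert or live connection) in with the address of the authenticating user from the platform-audit `IP Address:` field, so a `@network.client.ip` search mixes actors and targets; a distinct attribute for the endpoint side would keep the facet's meaning stable.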
@@ -0,0 +1,785 @@ +id: "tanium" +tests: + - + sample: |- + { + "eid" : 1, + "ackedAt" : "2024-12-26T06:26:52.692Z", + "groupingId" : 2, + "matchType" : "process", + "type" : "detect.match", + "receivedAt" : "2024-12-26T06:20:09.415Z", + "lastEIDResolutionAttempt" : "2024-12-26T06:20:17.210Z", + "scanConfigRevisionId" : 1, + "path" : "C:\\test.exe", + "createdAt" : "2024-12-26T06:20:09.636Z", + "alertedAt" : "2024-12-26T06:15:52.000Z", + "Endpoint" : { + "id" : 2 + }, + "computerName" : "AssetTag-EID", + "details" : "", + "scanConfigId" : 2, + "id" : 2, + "state" : "unresolved", + "intelDocId" : 79, + "updatedAt" : "2024-12-26T06:26:52.699Z", + "severity" : "info", + "findingId" : "", + "priority" : "high", + "firstEIDResolutionAttempt" : "2024-12-26T06:20:17.210Z", + "intelDocRevisionId" : 1, + "guid" : "00000000-0000-0000-0000-000000000001", + "computerIpAddress" : "10.10.10.10", + "intelDoc" : { + "sourceId" : 9, + "disabledEndpointCount" : 0, + "isSchemaValid" : true, + "description" : "Control panel items can be used to execute arbitrary code and is a well known bypass mechanism for red teams and attackers.", + "source" : { + "createdAt" : "2024-12-19T18:26:29.536Z", + "nameSlug" : "tanium-signals", + "name" : "Tanium Signals", + "description" : "Tanium authored Signals stream", + "id" : 9, + "type" : "tanium-signals", + "enabled" : true, + "updatedAt" : "2025-01-06T09:34:08.431Z" + }, + "type" : "tanium-signal", + "intrinsicId" : "Control Panel Items", + "platforms" : [ "windows" ], + "revisionId" : 1, + "createdAt" : "2024-12-19T18:26:40.490Z", + "typeVersion" : "1.0", + "mitreAttack" : { + "techniques" : [ { + "name" : "System Binary Proxy Execution", + "id" : "T1218" + }, { + "name" : "System Binary Proxy Execution: Control Panel", + "id" : "T1218.002" + } ] + }, + "size" : 1116, + "lastDeploymentTimestamp" : "2024-12-19T18:37:38.550Z", + "name" : "Control Panel Items", + "allowAutoDisable" : true, + "firstDeploymentTimestamp" : "2024-12-19T18:37:38.550Z", 
+ "throttledFindingCount" : 0, + "disabled" : false, + "id" : 79, + "updatedAt" : "2024-12-19T20:46:41.889Z", + "status" : "HIGH_FIDELITY" + } + } + service: "threat-response-alerts" + result: + custom: + Endpoint: + id: 2 + ackedAt: "2024-12-26T06:26:52.692Z" + alertedAt: "2024-12-26T06:15:52.000Z" + computerName: "AssetTag-EID" + createdAt: "2024-12-26T06:20:09.636Z" + details: "" + eid: 1 + findingId: "" + firstEIDResolutionAttempt: "2024-12-26T06:20:17.210Z" + groupingId: 2 + guid: "00000000-0000-0000-0000-000000000001" + id: 2 + intelDoc: + allowAutoDisable: true + createdAt: "2024-12-19T18:26:40.490Z" + description: "Control panel items can be used to execute arbitrary code and is a well known bypass mechanism for red teams and attackers." + disabled: false + disabledEndpointCount: 0 + firstDeploymentTimestamp: "2024-12-19T18:37:38.550Z" + id: 79 + intrinsicId: "Control Panel Items" + isSchemaValid: true + lastDeploymentTimestamp: "2024-12-19T18:37:38.550Z" + mitreAttack: + techniques: + - + name: "System Binary Proxy Execution" + id: "T1218" + - + name: "System Binary Proxy Execution: Control Panel" + id: "T1218.002" + name: "Control Panel Items" + platforms: + - "windows" + revisionId: 1 + size: 1116 + source: + createdAt: "2024-12-19T18:26:29.536Z" + description: "Tanium authored Signals stream" + enabled: true + id: 9 + name: "Tanium Signals" + nameSlug: "tanium-signals" + type: "tanium-signals" + updatedAt: "2025-01-06T09:34:08.431Z" + sourceId: 9 + status: "HIGH_FIDELITY" + throttledFindingCount: 0 + type: "tanium-signal" + typeVersion: "1.0" + updatedAt: "2024-12-19T20:46:41.889Z" + intelDocId: 79 + intelDocRevisionId: 1 + lastEIDResolutionAttempt: "2024-12-26T06:20:17.210Z" + matchType: "process" + network: + client: + ip: "10.10.10.10" + path: "C:\\test.exe" + priority: "high" + receivedAt: "2024-12-26T06:20:09.415Z" + scanConfigId: 2 + scanConfigRevisionId: 1 + severity: "info" + state: "unresolved" + status: "Info" + type: "detect.match" + 
updatedAt: "2024-12-26T06:26:52.699Z" + message: |- + { + "eid" : 1, + "ackedAt" : "2024-12-26T06:26:52.692Z", + "groupingId" : 2, + "matchType" : "process", + "type" : "detect.match", + "receivedAt" : "2024-12-26T06:20:09.415Z", + "lastEIDResolutionAttempt" : "2024-12-26T06:20:17.210Z", + "scanConfigRevisionId" : 1, + "path" : "C:\\test.exe", + "createdAt" : "2024-12-26T06:20:09.636Z", + "alertedAt" : "2024-12-26T06:15:52.000Z", + "Endpoint" : { + "id" : 2 + }, + "computerName" : "AssetTag-EID", + "details" : "", + "scanConfigId" : 2, + "id" : 2, + "state" : "unresolved", + "intelDocId" : 79, + "updatedAt" : "2024-12-26T06:26:52.699Z", + "severity" : "info", + "findingId" : "", + "priority" : "high", + "firstEIDResolutionAttempt" : "2024-12-26T06:20:17.210Z", + "intelDocRevisionId" : 1, + "guid" : "00000000-0000-0000-0000-000000000001", + "computerIpAddress" : "10.10.10.10", + "intelDoc" : { + "sourceId" : 9, + "disabledEndpointCount" : 0, + "isSchemaValid" : true, + "description" : "Control panel items can be used to execute arbitrary code and is a well known bypass mechanism for red teams and attackers.", + "source" : { + "createdAt" : "2024-12-19T18:26:29.536Z", + "nameSlug" : "tanium-signals", + "name" : "Tanium Signals", + "description" : "Tanium authored Signals stream", + "id" : 9, + "type" : "tanium-signals", + "enabled" : true, + "updatedAt" : "2025-01-06T09:34:08.431Z" + }, + "type" : "tanium-signal", + "intrinsicId" : "Control Panel Items", + "platforms" : [ "windows" ], + "revisionId" : 1, + "createdAt" : "2024-12-19T18:26:40.490Z", + "typeVersion" : "1.0", + "mitreAttack" : { + "techniques" : [ { + "name" : "System Binary Proxy Execution", + "id" : "T1218" + }, { + "name" : "System Binary Proxy Execution: Control Panel", + "id" : "T1218.002" + } ] + }, + "size" : 1116, + "lastDeploymentTimestamp" : "2024-12-19T18:37:38.550Z", + "name" : "Control Panel Items", + "allowAutoDisable" : true, + "firstDeploymentTimestamp" : "2024-12-19T18:37:38.550Z", + 
"throttledFindingCount" : 0, + "disabled" : false, + "id" : 79, + "updatedAt" : "2024-12-19T20:46:41.889Z", + "status" : "HIGH_FIDELITY" + } + } + service: "threat-response-alerts" + status: "info" + tags: + - "source:LOGS_SOURCE" + timestamp: 1735193752000 + - + sample: |- + { + "createdAt" : "2024-12-30T11:20:55.110Z", + "action" : "create", + "id" : 1859, + "state" : { + "connectionId" : "remote:AssetTag-EID:111111111:1", + "sessionId" : "00000000-0000-0000-0000-000000000001", + "target" : { + "eid" : "1", + "hostname" : "AssetTag-EID", + "clientId" : "608353334", + "ip" : "10.10.10.10", + "operatingSystem" : "Windows 11 Pro", + "platform" : "Windows" + } + }, + "userName" : "user@example.com", + "userId" : 48, + "table" : "LiveConnection", + "updatedAt" : "2024-12-30T11:20:55.110Z" + } + service: "threat-response-audit-logs" + result: + custom: + action: "create" + createdAt: "2024-12-30T11:20:55.110Z" + id: 1859 + network: + client: + ip: "10.10.10.10" + state: + connectionId: "remote:AssetTag-EID:111111111:1" + sessionId: "00000000-0000-0000-0000-000000000001" + target: + clientId: "608353334" + eid: "1" + hostname: "AssetTag-EID" + operatingSystem: "Windows 11 Pro" + platform: "Windows" + table: "LiveConnection" + updatedAt: "2024-12-30T11:20:55.110Z" + usr: + id: 48 + name: "user@example.com" + message: |- + { + "createdAt" : "2024-12-30T11:20:55.110Z", + "action" : "create", + "id" : 1859, + "state" : { + "connectionId" : "remote:AssetTag-EID:111111111:1", + "sessionId" : "00000000-0000-0000-0000-000000000001", + "target" : { + "eid" : "1", + "hostname" : "AssetTag-EID", + "clientId" : "608353334", + "ip" : "10.10.10.10", + "operatingSystem" : "Windows 11 Pro", + "platform" : "Windows" + } + }, + "userName" : "user@example.com", + "userId" : 48, + "table" : "LiveConnection", + "updatedAt" : "2024-12-30T11:20:55.110Z" + } + service: "threat-response-audit-logs" + tags: + - "source:LOGS_SOURCE" + timestamp: 1735557655110 + - + sample: |- + { + "createdAt" : 
"2024-12-30T09:12:55.918Z", + "action" : "update", + "id" : 1856, + "state" : { + "guidsUpdated" : [ "00000000-0000-0000-0000-000000000023" ], + "idsUpdated" : [ 23 ], + "updatedFields" : { + "state" : "resolved" + }, + "legacyType" : "detect.service.alert.modified.batch" + }, + "userName" : "user@example.com", + "userId" : 48, + "table" : "Alert", + "updatedAt" : "2024-12-30T09:12:55.918Z" + } + service: "threat-response-audit-logs" + result: + custom: + action: "update" + createdAt: "2024-12-30T09:12:55.918Z" + id: 1856 + state: + guidsUpdated: + - "00000000-0000-0000-0000-000000000023" + idsUpdated: + - 23 + legacyType: "detect.service.alert.modified.batch" + updatedFields: + state: "resolved" + table: "Alert" + updatedAt: "2024-12-30T09:12:55.918Z" + usr: + id: 48 + name: "user@example.com" + message: |- + { + "createdAt" : "2024-12-30T09:12:55.918Z", + "action" : "update", + "id" : 1856, + "state" : { + "guidsUpdated" : [ "00000000-0000-0000-0000-000000000023" ], + "idsUpdated" : [ 23 ], + "updatedFields" : { + "state" : "resolved" + }, + "legacyType" : "detect.service.alert.modified.batch" + }, + "userName" : "user@example.com", + "userId" : 48, + "table" : "Alert", + "updatedAt" : "2024-12-30T09:12:55.918Z" + } + service: "threat-response-audit-logs" + tags: + - "source:LOGS_SOURCE" + timestamp: 1735549975918 + - + sample: |- + { + "creation_time" : "2025-01-06T09:46:20Z", + "audit_name" : "New System User Session Created", + "type_name" : "CreateObject", + "modifier_user_id" : 0, + "object_name" : "", + "details" : "UserID: 44; Session ID: 322444; IP Address: 10.10.10.10", + "last_modified_by" : "", + "object_type_name" : "authentication", + "type" : 0, + "object_id" : 2, + "modification_time" : "2025-01-06T09:46:20Z", + "audit_row_id" : 323047 + } + service: "platform-audit-logs" + result: + custom: + audit_name: "New System User Session Created" + audit_row_id: 323047 + creation_time: "2025-01-06T09:46:20Z" + last_modified_by: "" + modification_time: 
"2025-01-06T09:46:20Z" + modifier_user_id: 0 + network: + client: + ip: "10.10.10.10" + object_id: 2 + object_name: "" + object_type_name: "authentication" + session_id: 322444 + type: 0 + type_name: "CreateObject" + usr: + id: "44" + message: "UserID: 44; Session ID: 322444; IP Address: 10.10.10.10" + service: "platform-audit-logs" + tags: + - "source:LOGS_SOURCE" + timestamp: 1736156780000 + - + sample: |- + { + "creation_time" : "2025-01-06T09:46:19Z", + "audit_name" : "New Session Created", + "type_name" : "CreateObject", + "modifier_user_id" : 0, + "object_name" : "", + "details" : "User: Reputation; Session ID: 322443; Authentication Type: User; Originated from SOAPPluginScheduler", + "last_modified_by" : "", + "object_type_name" : "authentication", + "type" : 0, + "object_id" : 7, + "modification_time" : "2025-01-06T09:46:19Z", + "audit_row_id" : 323046 + } + service: "platform-audit-logs" + result: + custom: + audit_name: "New Session Created" + audit_row_id: 323046 + authentication_type: "User" + creation_time: "2025-01-06T09:46:19Z" + last_modified_by: "" + modification_time: "2025-01-06T09:46:19Z" + modifier_user_id: 0 + object_id: 7 + object_name: "" + object_type_name: "authentication" + originated_from: "SOAPPluginScheduler" + session_id: 322443 + type: 0 + type_name: "CreateObject" + usr: + name: "Reputation" + message: "User: Reputation; Session ID: 322443; Authentication Type: User; Originated from SOAPPluginScheduler" + service: "platform-audit-logs" + tags: + - "source:LOGS_SOURCE" + timestamp: 1736156779000 + - + sample: |- + { + "creation_time" : "2025-01-02T16:28:31Z", + "audit_name" : "New Session Created", + "type_name" : "CreateObject", + "modifier_user_id" : 0, + "object_name" : "", + "details" : "User: integrations@tanium.com; Session ID: 254078; Authentication Type: JsonWebToken; IP Address: 10.10.10.10", + "last_modified_by" : "", + "object_type_name" : "authentication", + "type" : 0, + "object_id" : 3, + "modification_time" : 
"2025-01-02T16:28:31Z", + "audit_row_id" : 254586 + } + service: "platform-audit-logs" + result: + custom: + audit_name: "New Session Created" + audit_row_id: 254586 + authentication_type: "JsonWebToken" + creation_time: "2025-01-02T16:28:31Z" + last_modified_by: "" + modification_time: "2025-01-02T16:28:31Z" + modifier_user_id: 0 + network: + client: + ip: "10.10.10.10" + object_id: 3 + object_name: "" + object_type_name: "authentication" + session_id: 254078 + type: 0 + type_name: "CreateObject" + usr: + name: "integrations@tanium.com" + message: "User: integrations@tanium.com; Session ID: 254078; Authentication Type: JsonWebToken; IP Address: 10.10.10.10" + service: "platform-audit-logs" + tags: + - "source:LOGS_SOURCE" + timestamp: 1735835311000 + - + sample: |- + { + "creation_time" : "2024-12-26T12:12:38Z", + "mod_user" : { + "domain" : "", + "name" : "test@example.com", + "id" : 47, + "display_name" : "" + }, + "type_name" : "DeleteObject", + "last_modified_by" : "test@example.com", + "type" : 2, + "object_id" : 47, + "audit_row_id" : 122364, + "audit_name" : "User Logged Out", + "modifier_user_id" : 47, + "object_name" : "", + "details" : "User: test@example.com; Session ID: 121951; 10.10.10.10", + "object_type_name" : "authentication", + "modification_time" : "2024-12-26T12:12:38Z" + } + service: "platform-audit-logs" + result: + custom: + audit_name: "User Logged Out" + audit_row_id: 122364 + creation_time: "2024-12-26T12:12:38Z" + last_modified_by: "test@example.com" + mod_user: + display_name: "" + domain: "" + modification_time: "2024-12-26T12:12:38Z" + modifier_user_id: 47 + network: + client: + ip: "10.10.10.10" + object_id: 47 + object_name: "" + object_type_name: "authentication" + session_id: 121951 + type: 2 + type_name: "DeleteObject" + usr: + id: 47 + name: "test@example.com" + message: "User: test@example.com; Session ID: 121951; 10.10.10.10" + service: "platform-audit-logs" + tags: + - "source:LOGS_SOURCE" + timestamp: 1735215158000 + - + 
sample: |- + { + "creation_time" : "2024-12-31T18:29:50Z", + "audit_name" : "Authentication Failed", + "type_name" : "FailedCreateObject", + "modifier_user_id" : 0, + "object_name" : "", + "details" : "Failed Authentication Deleted session supplied. User: Comply; Last Used: 2024-12-31 18:24:16 +0000; Now: 2024-12-31 18:29:50 +0000", + "last_modified_by" : "", + "object_type_name" : "authentication", + "type" : 3, + "object_id" : 0, + "modification_time" : "2024-12-31T18:29:50Z", + "audit_row_id" : 219322 + } + service: "platform-audit-logs" + result: + custom: + audit_name: "Authentication Failed" + audit_row_id: 219322 + creation_time: "2024-12-31T18:29:50Z" + last_modified_by: "" + last_used: 1735669456000 + modification_time: "2024-12-31T18:29:50Z" + modifier_user_id: 0 + now: 1735669790000 + object_id: 0 + object_name: "" + object_type_name: "authentication" + type: 3 + type_name: "FailedCreateObject" + usr: + name: "Comply" + message: "Failed Authentication Deleted session supplied. User: Comply; Last Used: 2024-12-31 18:24:16 +0000; Now: 2024-12-31 18:29:50 +0000" + service: "platform-audit-logs" + tags: + - "source:LOGS_SOURCE" + timestamp: 1735669790000 + - + sample: |- + { + "creation_time" : "2025-01-04T14:26:53Z", + "audit_name" : "Authentication Failed", + "type_name" : "FailedCreateObject", + "modifier_user_id" : 0, + "object_name" : "", + "details" : "Failed Authentication Expired session supplied. 
User: Reputation; Last Used: 2025-01-04 14:21:52 +0000; Now: 2025-01-04 14:26:53 +0000", + "last_modified_by" : "", + "object_type_name" : "authentication", + "type" : 3, + "object_id" : 0, + "modification_time" : "2025-01-04T14:26:53Z", + "audit_row_id" : 289840 + } + service: "platform-audit-logs" + result: + custom: + audit_name: "Authentication Failed" + audit_row_id: 289840 + creation_time: "2025-01-04T14:26:53Z" + last_modified_by: "" + last_used: 1736000512000 + modification_time: "2025-01-04T14:26:53Z" + modifier_user_id: 0 + now: 1736000813000 + object_id: 0 + object_name: "" + object_type_name: "authentication" + type: 3 + type_name: "FailedCreateObject" + usr: + name: "Reputation" + message: "Failed Authentication Expired session supplied. User: Reputation; Last Used: 2025-01-04 14:21:52 +0000; Now: 2025-01-04 14:26:53 +0000" + service: "platform-audit-logs" + tags: + - "source:LOGS_SOURCE" + timestamp: 1736000813000 + - + sample: |- + { + "creation_time" : "2025-01-03T05:56:12Z", + "audit_name" : "Authentication Failed", + "type_name" : "FailedCreateObject", + "modifier_user_id" : 0, + "object_name" : "", + "details" : "Failed Authentication JWT authentication failed: IP Address: 10.10.10.10. User access token has been invalidated", + "last_modified_by" : "", + "object_type_name" : "authentication", + "type" : 3, + "object_id" : 0, + "modification_time" : "2025-01-03T05:56:12Z", + "audit_row_id" : 264927 + } + service: "platform-audit-logs" + result: + custom: + audit_name: "Authentication Failed" + audit_row_id: 264927 + creation_time: "2025-01-03T05:56:12Z" + last_modified_by: "" + modification_time: "2025-01-03T05:56:12Z" + modifier_user_id: 0 + network: + client: + ip: "10.10.10.10" + object_id: 0 + object_name: "" + object_type_name: "authentication" + type: 3 + type_name: "FailedCreateObject" + message: "Failed Authentication JWT authentication failed: IP Address: 10.10.10.10. 
User access token has been invalidated" + service: "platform-audit-logs" + tags: + - "source:LOGS_SOURCE" + timestamp: 1735883772000 + - + sample: |- + { + "creation_time" : "2024-12-31T11:53:03Z", + "audit_name" : "Authentication Failed", + "type_name" : "FailedCreateObject", + "modifier_user_id" : 0, + "object_name" : "", + "details" : "Failed Authentication JWT authentication failed: IP Address: 10.10.10.10. JWTInvalidToken: Invalid JSON Web Token. Token has expired. now=2024-12-31 11:53:03 +0000 exp=2024-12-31 11:10:13 +0000", + "last_modified_by" : "", + "object_type_name" : "authentication", + "type" : 3, + "object_id" : 0, + "modification_time" : "2024-12-31T11:53:03Z", + "audit_row_id" : 214232 + } + service: "platform-audit-logs" + result: + custom: + audit_name: "Authentication Failed" + audit_row_id: 214232 + creation_time: "2024-12-31T11:53:03Z" + exp: 1735643413000 + last_modified_by: "" + modification_time: "2024-12-31T11:53:03Z" + modifier_user_id: 0 + network: + client: + ip: "10.10.10.10" + now: 1735645983000 + object_id: 0 + object_name: "" + object_type_name: "authentication" + type: 3 + type_name: "FailedCreateObject" + message: "Failed Authentication JWT authentication failed: IP Address: 10.10.10.10. JWTInvalidToken: Invalid JSON Web Token. Token has expired. 
now=2024-12-31 11:53:03 +0000 exp=2024-12-31 11:10:13 +0000" + service: "platform-audit-logs" + tags: + - "source:LOGS_SOURCE" + timestamp: 1735645983000 + - + sample: |- + { + "creation_time" : "2025-01-06T09:53:02Z", + "mod_user" : { + "domain" : "", + "name" : "admin", + "id" : 2, + "display_name" : "" + }, + "type_name" : "UpdateObject", + "last_modified_by" : "admin", + "type" : 1, + "object_id" : 102, + "audit_row_id" : 9234, + "audit_name" : "ias_auth_jwks_download_timeout_seconds", + "modifier_user_id" : 2, + "object_name" : "ias_auth_jwks_download_timeout_seconds", + "details" : "Updated 'ias_auth_jwks_download_timeout_seconds' from 10 to 10", + "object_type_name" : "system_setting", + "modification_time" : "2025-01-06T09:53:02Z" + } + service: "platform-audit-logs" + result: + custom: + audit_name: "ias_auth_jwks_download_timeout_seconds" + audit_row_id: 9234 + creation_time: "2025-01-06T09:53:02Z" + last_modified_by: "admin" + mod_user: + display_name: "" + domain: "" + modification_time: "2025-01-06T09:53:02Z" + modifier_user_id: 2 + new_value: "10" + object_id: 102 + object_name: "ias_auth_jwks_download_timeout_seconds" + object_type_name: "system_setting" + old_value: "10" + setting: "ias_auth_jwks_download_timeout_seconds" + type: 1 + type_name: "UpdateObject" + usr: + id: 2 + name: "admin" + message: "Updated 'ias_auth_jwks_download_timeout_seconds' from 10 to 10" + service: "platform-audit-logs" + tags: + - "source:LOGS_SOURCE" + timestamp: 1736157182000 + - + sample: |- + { + "creation_time" : "2024-12-19T18:27:31Z", + "mod_user" : { + "domain" : "<[tanium]>", + "name" : "Patch", + "id" : 37, + "display_name" : "Tanium Internal" + }, + "type_name" : "CreateObject", + "last_modified_by" : "Patch", + "type" : 0, + "object_id" : 317, + "audit_row_id" : 105, + "audit_name" : "HotCachePercentage", + "modifier_user_id" : 37, + "object_name" : "HotCachePercentage", + "details" : "Created setting 'HotCachePercentage' with a value of: 80", + 
"object_type_name" : "system_setting", + "modification_time" : "2024-12-19T18:27:31Z" + } + service: "platform-audit-logs" + result: + custom: + audit_name: "HotCachePercentage" + audit_row_id: 105 + creation_time: "2024-12-19T18:27:31Z" + last_modified_by: "Patch" + mod_user: + display_name: "Tanium Internal" + domain: "<[tanium]>" + modification_time: "2024-12-19T18:27:31Z" + modifier_user_id: 37 + object_id: 317 + object_name: "HotCachePercentage" + object_type_name: "system_setting" + setting: "HotCachePercentage" + type: 0 + type_name: "CreateObject" + usr: + id: 37 + name: "Patch" + value: "80" + message: "Created setting 'HotCachePercentage' with a value of: 80" + service: "platform-audit-logs" + tags: + - "source:LOGS_SOURCE" + timestamp: 1734632851000 \ No newline at end of file diff --git a/tanium/assets/tanium.svg b/tanium/assets/tanium.svg new file mode 100644 index 0000000000000..ec4e88a9d3120 --- /dev/null +++ b/tanium/assets/tanium.svg @@ -0,0 +1,13 @@ + + + + + + + + + + + + + \ No newline at end of file diff --git a/tanium/images/tanium_platform_audit_logs.png b/tanium/images/tanium_platform_audit_logs.png new file mode 100644 index 0000000000000..65956928f8b78 Binary files /dev/null and b/tanium/images/tanium_platform_audit_logs.png differ diff --git a/tanium/images/tanium_threat_response_alerts.png b/tanium/images/tanium_threat_response_alerts.png new file mode 100644 index 0000000000000..feb7b9f036d49 Binary files /dev/null and b/tanium/images/tanium_threat_response_alerts.png differ diff --git a/tanium/images/tanium_threat_response_audit_logs.png b/tanium/images/tanium_threat_response_audit_logs.png new file mode 100644 index 0000000000000..23cc3faad1f19 Binary files /dev/null and b/tanium/images/tanium_threat_response_audit_logs.png differ diff --git a/tanium/manifest.json b/tanium/manifest.json index 550999960e67e..6d934ef964472 100644 --- a/tanium/manifest.json +++ b/tanium/manifest.json 
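Review bot: The `severity` → `status` lookup is only pinned for `info` (the threat-response alert fixture at the start of the file expects `status: "Info"` as a custom attribute and `status: "info"` on the log); no fixture carries `low`, `medium`, `high` or `critical`, so the deliberate shift of Tanium's scale onto Datadog's levels (`high` → Critical, `critical` → Alert) is neither documented nor protected against a later edit of the lookup table. A copy of the first alert sample with `"severity" : "high"` and the resulting status asserted would pin that mapping. The authentication fixtures also leave two grok branches unexercised: `user_logged_out` with the literal `IP Address:` prefix, and `new_session_created_rule` with both `Originated from` and `IP Address:` present. The file ends without a trailing newline.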
@@ -9,8 +9,24 @@
     "support": "README.md#Support",
     "changelog": "CHANGELOG.md",
     "description": "Gain insights into Tanium threat response alerts and audit activities",
-    "title": "tanium",
-    "media": [],
+    "title": "Tanium",
+    "media": [
+      {
+        "caption": "Tanium - Threat Response Alerts",
+        "image_url": "images/tanium_threat_response_alerts.png",
+        "media_type": "image"
+      },
+      {
+        "caption": "Tanium - Threat Response Audit Logs",
+        "image_url": "images/tanium_threat_response_audit_logs.png",
+        "media_type": "image"
+      },
+      {
+        "caption": "Tanium - Platform Audit Logs",
+        "image_url": "images/tanium_platform_audit_logs.png",
+        "media_type": "image"
+      }
+    ],
     "classifier_tags": [
       "Category::Log Collection",
       "Category::Security",
@@ -29,6 +45,14 @@
       "service_checks": {
         "metadata_path": "assets/service_checks.json"
       }
+    },
+    "dashboards": {
+      "Tanium - Threat Response Alerts": "assets/dashboards/tanium_threat_response_alerts.json",
+      "Tanium - Threat Response Audit Logs": "assets/dashboards/tanium_threat_response_audit_logs.json",
+      "Tanium - Platform Audit Logs": "assets/dashboards/tanium_platform_audit_logs.json"
+    },
+    "logs": {
+      "source": "tanium"
     }
   },
   "author": {