[SAASINT-3541] DDS: Tanium: Crawler Integration v1.0.0

.github/CODEOWNERS

@@ -434,6 +434,16 @@ vonage/*.md                                                        @DataDog/saas
 vonage/manifest.json                                               @DataDog/saas-integrations @DataDog/documentation
 vonage/assets/logs/                                                @DataDog/saas-integrations @DataDog/documentation @DataDog/logs-backend @DataDog/logs-core
 
+/asana/                                                             @DataDog/saas-integrations
+/asana/*.md                                                         @DataDog/saas-integrations @DataDog/documentation
+/asana/manifest.json                                                @DataDog/saas-integrations @DataDog/documentation
+/asana/assets/logs/                                                 @DataDog/saas-integrations @DataDog/documentation @DataDog/logs-backend
+
+/tanium/                                                            @DataDog/saas-integrations
+/tanium/*.md                                                        @DataDog/saas-integrations @DataDog/documentation
+/tanium/manifest.json                                               @DataDog/saas-integrations @DataDog/documentation
+/tanium/assets/logs/                                                @DataDog/saas-integrations @DataDog/documentation @DataDog/logs-backend
+
 plaid/                                                              @DataDog/saas-integrations
 plaid/*.md                                                          @DataDog/saas-integrations @DataDog/documentation
 plaid/manifest.json                                                 @DataDog/saas-integrations @DataDog/documentation

tanium/README.md

@@ -1,43 +1,57 @@
-# Agent Check: tanium
-
 ## Overview
 
-This check monitors [tanium][1].
+[Tanium][1] is an enterprise platform designed for endpoint management. It provides security and IT operations teams with rapid visibility and control to secure and manage all network endpoints.
 
-## Setup
+This integration ingests the following logs:
+
+- **Threat Response Alerts**: This endpoint contains information about the core incident response lifecycle with integrated capabilities for alerting, analysis, containment, and remediation.
+- **Threat Response Audit**: This endpoint contains information about the centralized view of audit events generated by the Tanium Threat Response.
+- **Platform Audit**: This endpoint contains information about the authentication, API token usage, local settings, persona changes, user settings, and system settings information.
+
+This integration collects logs from the sources listed above and transmits them to Datadog for analysis in [Log Explorer][3] and [Cloud SIEM][4].
 
-### Installation
+## Setup
 
-The tanium check is included in the [Datadog Agent][2] package.
-No additional installation is needed on your server.
+### Generate API Credentials in Tanium
 
-### Configuration
+1. Login into Tanium.
+2. From the main menu, navigate to **Administration** > **Permissions** > **API Tokens**.
+3. Click **New API Token** and configure the token settings:
+    - **Expiration**: Enter the expiration interval in days.
+    - **Trusted IP addresses**: Enter the external IP addresses as `::/0,0.0.0.0/0` to enable any system to use the token.
+4. Click on **Create**.
+5. Click on **Yes** and copy the **token** for later use.
+6. The Tanium host format is **\<customer\>.cloud.tanium.com**. Replace **\<customer\>** with your organization's specific subdomain.
 
-!!! Add list of steps to set up this integration !!!
+### Connect your Tanium Account to Datadog
 
-### Validation
+1. Add your Host and API Token.
+   | Parameters | Description |
+   | ------------------- |------------------------------------------------------------- |
+   | Host | The Host of your Tanium platform. |
+   | API Token | The API Token of your Tanium platform. |
 
-!!! Add steps to validate integration is functioning as expected !!!
+2. Click the Save button to save your settings.
 
 ## Data Collected
 
-### Metrics
+### Logs
 
-tanium does not include any metrics.
+The Tanium integration collects and forwards threat-response alerts, threat-response audit logs, and platform audit logs to Datadog.
 
-### Service Checks
+### Metrics
 
-tanium does not include any service checks.
+The Tanium integration does not include any metrics.
 
 ### Events
 
-tanium does not include any events.
-
-## Troubleshooting
+The Tanium integration does not include any events.
 
-Need help? Contact [Datadog support][3].
+## Support
 
-[1]: **LINK_TO_INTEGRATION_SITE**
-[2]: https://app.datadoghq.com/account/settings/agent/latest
-[3]: https://docs.datadoghq.com/help/
+For any further assistance, contact [Datadog support][2].
 
+[1]: https://www.tanium.com/
+[2]: https://docs.datadoghq.com/help/
+[3]: https://docs.datadoghq.com/logs/explorer/
+[4]: https://www.datadoghq.com/product/cloud-siem/

tanium/assets/logs/tanium.yaml

@@ -0,0 +1,152 @@
+id: tanium
+metric_id: tanium
+backend_only: false
+facets:
+  - groups:
+      - Web Access
+    name: Client IP
+    path: network.client.ip
+    source: log
+  - groups:
+      - User
+    name: User ID
+    path: usr.id
+    source: log
+  - groups:
+      - User
+    name: User Name
+    path: usr.name
+    source: log
+pipeline:
+  type: pipeline
+  name: Tanium
+  enabled: true
+  filter:
+    query: source:tanium
+  processors:
+    - type: date-remapper
+      name: Define `alertedAt`, `createdAt`, `creation_time` as the official date of
+        the log
+      enabled: true
+      sources:
+        - alertedAt
+        - createdAt
+        - creation_time
+    - type: attribute-remapper
+      name: Map `state.target.ip`, `computerIpAddress` to `network.client.ip`
+      enabled: true
+      sources:
+        - state.target.ip
+        - computerIpAddress
+      sourceType: attribute
+      target: network.client.ip
+      targetType: attribute
+      preserveSource: false
+      overrideOnConflict: false
+    - type: attribute-remapper
+      name: Map `mod_user.id`, `userId` to `usr.id`
+      enabled: true
+      sources:
+        - mod_user.id
+        - userId
+      sourceType: attribute
+      target: usr.id
+      targetType: attribute
+      preserveSource: false
+      overrideOnConflict: false
+    - type: attribute-remapper
+      name: Map `mod_user.name`, `userName` to `usr.name`
+      enabled: true
+      sources:
+        - mod_user.name
+        - userName
+      sourceType: attribute
+      target: usr.name
+      targetType: attribute
+      preserveSource: false
+      overrideOnConflict: false
+    - type: pipeline
+      name: Platform Audit Logs for Authentication
+      enabled: true
+      filter:
+        query: service:platform-audit-logs @object_type_name:authentication
+      processors:
+        - type: grok-parser
+          name: Parsing authentication logs for platform audits
+          enabled: true
+          source: details
+          samples:
+            - "User: test@example.com; Session ID: 111111; 10.10.10.10"
+            - "Failed Authentication Expired session supplied. User:
+              test@example.com; Last Used: 2024-12-29 06:24:46 +0000; Now:
+              2024-12-29 06:29:50 +0000"
+            - "Failed Authentication JWT authentication failed: IP Address:
+              10.10.10.10. User access token has been invalidated"
+            - "Failed Authentication JWT authentication failed: IP Address:
+              10.10.10.10. JWTInvalidToken: Invalid JSON Web Token. Token has
+              expired. now=2024-12-31 06:18:12 +0000 exp=2024-12-31 05:35:00
+              +0000"
+            - "User: test@example.com; Session ID: 111111; Authentication Type:
+              JsonWebToken; IP Address: 10.10.10.10"
+          grok:
+            supportRules: ""
+            matchRules: >-
+              new_system_user_session_created_rule UserID: %{word:usr.id};
+              Session ID: %{integer:session_id}; IP Address: %{ip:network.client.ip}
+
+              new_session_created_rule User: %{regex("[^;]*"):usr.name}; Session ID: %{integer:session_id}; Authentication Type: %{regex("[^;]*"):authentication_type}(; Originated from %{notSpace:originated_from})?(; IP Address: %{ip:network.client.ip})?
+
+              user_logged_out User: %{regex("[^;]*"):usr.name}; Session ID: %{integer:session_id}; (IP Address: )?%{ip:network.client.ip}
+
+              authentication_failed_rule1 Failed Authentication (Deleted|Expired) session supplied.%{regex(" *")}User: %{regex("[^;]*"):usr.name}; Last Used: %{date("yyyy-MM-dd HH:mm:ss Z"):last_used}; Now: %{date("yyyy-MM-dd HH:mm:ss Z"):now}
+
+              authentication_failed_rule2 Failed Authentication JWT authentication failed: IP Address: %{ip:network.client.ip}. (JWTInvalidToken: Invalid JSON Web Token. Token has expired. now=%{date("yyyy-MM-dd HH:mm:ss Z"):now} exp=%{date("yyyy-MM-dd HH:mm:ss Z"):exp}|User access token has been invalidated)
+    - type: pipeline
+      name: Platform Audit Logs for System Settings
+      enabled: true
+      filter:
+        query: service:platform-audit-logs @object_type_name:system_setting
+      processors:
+        - type: grok-parser
+          name: Parsing system settings logs for platform audits
+          enabled: true
+          source: details
+          samples:
+            - Updated 'ias_auth_jwks_download_timeout_seconds' from 20 to 10
+            - Updated 'jwt_settings' from {\"username_claim\":\"email\"} to
+              {\"username_claim\":\"email\"}
+            - "Created setting 'HotCachePercentage' with a value of: 80"
+          grok:
+            supportRules: ""
+            matchRules: >-
+              update_rule Updated '%{word:setting}' from %{regex(".*(?=
+              to)"):old_value} to %{data:new_value}
+
+              create_rule Created setting '%{word:setting}' with a value of: %{data:value}
+    - type: pipeline
+      name: " Message Remapping for Platform Audit Logs"
+      enabled: true
+      filter:
+        query: service:platform-audit-logs
+      processors:
+        - type: message-remapper
+          name: Define `details` as the official message of the log
+          enabled: true
+          sources:
+            - details
+    - name: Lookup on `severity` to `status`
+      enabled: true
+      source: severity
+      target: status
+      lookupTable: |-
+        info,Info
+        low,Notice
+        medium,Warning
+        high,Critical
+        critical,Alert
+      type: lookup-processor
+    - type: status-remapper
+      name: Define `status` as the official status of the log
+      enabled: true
+      sources:
+        - status

tanium/manifest.json

@@ -9,8 +9,24 @@
     "support": "README.md#Support",
     "changelog": "CHANGELOG.md",
     "description": "Gain insights into Tanium threat response alerts and audit activities",
-    "title": "tanium",
-    "media": [],
+    "title": "Tanium",
+    "media": [
+      {
+        "caption": "Tanium - Threat Response Alerts",
+        "image_url": "images/tanium_threat_response_alerts.png",
+        "media_type": "image"
+      },
+      {
+        "caption": "Tanium - Threat Response Audit Logs",
+        "image_url": "images/tanium_threat_response_audit_logs.png",
+        "media_type": "image"
+      },
+      {
+        "caption": "Tanium - Platform Audit Logs",
+        "image_url": "images/tanium_platform_audit_logs.png",
+        "media_type": "image"
+      }
+    ],
     "classifier_tags": [
       "Category::Log Collection",
       "Category::Security",
@@ -29,6 +45,14 @@
       "service_checks": {
         "metadata_path": "assets/service_checks.json"
       }
+    },
+    "dashboards": {
+      "Tanium - Threat Response Alerts": "assets/dashboards/tanium_threat_response_alerts.json",
+      "Tanium - Threat Response Audit Logs": "assets/dashboards/tanium_threat_response_audit_logs.json",
+      "Tanium - Platform Audit Logs": "assets/dashboards/tanium_platform_audit_logs.json"
+    },
+    "logs": {
+      "source": "tanium"
     }
   },
   "author": {