Title

The Tanium IOC Detect module must be configured to forward events. (Cat II impact)

Discussion

Indicators of Compromise (IOC) is an artifact which is observed on the network or system that indicates computer intrusion. The Tanium IOC Detect module detects, manages, and analyzes systems against IOCs real-time. The module also responds to those detections. By forwarding events the IOC Detect module, using Tanium Connect with a syslog or SIEM connection, captures the necessary forensic evidence supporting a compromise is retained.

Check Content

Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "IOC Detect". Along the right column of the interface, click on the “gear” icon. The “Workbench Settings” menu will be displayed. Click on the “wrench” icon under "Event Forwarding". If "Forwarding Target" is "Disabled", this is a finding.

Fix Text

Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "IOC Detect". Along the right column of the interface, click on the “gear” icon. The “Workbench Settings” menu will be displayed. Click on the “wrench” icon under "Event Forwarding". Configured the "Event Forwarding" to be configured for "Syslog". If a syslog is already configured under Tanium Connect, the value for "Event Forwarding" may be configured to "Tanium Connect". Click on "Save Changes".

Additional Identifiers

Rule ID: SV-81543r1_rule

Vulnerability ID: V-67053

Group Title: SRG-APP-000115

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.