Title

The Tanium applications must be configured to filter audit records for events of interest based on organization-defined criteria. (Cat II impact)

Discussion

The ability to specify the event criteria that are of interest enables those reviewing the logs to quickly isolate and identify these events without having to review entries that are of little or no consequence to the investigation. Without this capability, forensic investigations are impeded. Events of interest can be identified by the content of specific audit record fields including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or by specific information system component. This requires applications to provide the capability to customize audit record reports based on organization-defined criteria.

Check Content

1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Click "Connections" under "Connections" section. 5. Filter by source and review event-based sources. If any event=based sources have a failed run for more than 72 hours, this is a finding.

Fix Text

1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Expand the left menu. 5. Click "Connections". 6. Click "Create Connection" or if importing, click "Import". 7. Give the "Connection" a name and description. 8. In the "Configuration" section, select "Event" as the source. 9. Select appropriate source under "Event Group" - any source to generate interest-based events (Discover, Asset, IM, THR, etc). 10. Select the appropriate events to send. Note: Consult with the Tanium system administrator for the Destination. 11. Select "Listen for this Event". 12. Click "Save".

Additional Identifiers

Rule ID: SV-253844r997268_rule

Vulnerability ID: V-253844

Group Title: SRG-APP-000115

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.