The Tanium IOC Detect module must be configured to forward events.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-67053	TANS-SV-000010	SV-81543r1_rule		Medium

Description
Indicators of Compromise (IOC) is an artifact which is observed on the network or system that indicates computer intrusion. The Tanium IOC Detect module detects, manages, and analyzes systems against IOCs real-time. The module also responds to those detections. By forwarding events the IOC Detect module, using Tanium Connect with a syslog or SIEM connection, captures the necessary forensic evidence supporting a compromise is retained.

Description

Indicators of Compromise (IOC) is an artifact which is observed on the network or system that indicates computer intrusion. The Tanium IOC Detect module detects, manages, and analyzes systems against IOCs real-time. The module also responds to those detections. By forwarding events the IOC Detect module, using Tanium Connect with a syslog or SIEM connection, captures the necessary forensic evidence supporting a compromise is retained.

STIG	Date
Tanium 6.5 Security Technical Implementation Guide	2016-09-29

Details

Check Text ( C-67689r1_chk )
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "IOC Detect". Along the right column of the interface, click on the “gear” icon. The “Workbench Settings” menu will be displayed. Click on the “wrench” icon under "Event Forwarding". If "Forwarding Target" is "Disabled", this is a finding.

Check Text ( C-67689r1_chk )

Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC.

Click on "IOC Detect".

Along the right column of the interface, click on the “gear” icon.

The “Workbench Settings” menu will be displayed.

Click on the “wrench” icon under "Event Forwarding".

If "Forwarding Target" is "Disabled", this is a finding.

Fix Text (F-73153r1_fix)
Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC. Click on "IOC Detect". Along the right column of the interface, click on the “gear” icon. The “Workbench Settings” menu will be displayed. Click on the “wrench” icon under "Event Forwarding". Configured the "Event Forwarding" to be configured for "Syslog". If a syslog is already configured under Tanium Connect, the value for "Event Forwarding" may be configured to "Tanium Connect". Click on "Save Changes".

Fix Text (F-73153r1_fix)

Using a web browser on a system that has connectivity to the Tanium Server, access the Tanium Server web user interface (UI) and log on with CAC.

Click on "IOC Detect".

Along the right column of the interface, click on the “gear” icon.

The “Workbench Settings” menu will be displayed.

Click on the “wrench” icon under "Event Forwarding".

Configured the "Event Forwarding" to be configured for "Syslog".

If a syslog is already configured under Tanium Connect, the value for "Event Forwarding" may be configured to "Tanium Connect".

Click on "Save Changes".