Integrating Tanium data into the Splunk platform
Tanium provides a unified endpoint management and security platform that has real-time visibility, control, and remediation across enterprise endpoints. Integrating Tanium with the Splunk platform enhances security analytics, incident response, and IT operations by correlating rich endpoint data (such as asset details, running processes, vulnerabilities, compliance status, or threat alerts) with other machine data sources within the Splunk platform.
This page outlines the Splunk-side configuration needed to receive and use Tanium data.
Data types
The Splunk platform can receive various data types from Tanium, including:
- Endpoint inventory and asset details (such as OS, IP, hardware, or user information).
- Security detections and alerts (such as threat response events).
- Vulnerability and patch status (such as comply findings or patch data).
- Endpoint activity streams (such as process, file, network, DNS, or registry data).
- Compliance and file integrity events (such as comply findings or integrity monitor events).
- Network discovery data (such as managed or unmanaged interfaces).
Configuration steps
Install the Tanium App and Add-on
The components you'll need to install are:
- Splunk Add-on for Tanium (TA-Tanium): Handles parsing, field extraction, and CIM mapping. Install it on indexers, search heads, and any heavy forwarders receiving Tanium data directly.
- Tanium Splunk Application: Provides dashboards and visualizations. Install it on search heads where end users access Tanium dashboards.
For Splunk Cloud Platform, the Tanium add-on and app are self-service, so you can install them yourself. Contact Splunk Support if you require any assistance. See Splunk Docs: Self service app install or Tanium: Installing Tanium components for Splunk for more information.
Create an index
See Splunk Docs: Create event indexes or Tanium: Create an index for more information.
- Create a dedicated index (for example, `tanium`) to store Tanium data.
- Navigate to Settings > Indexes > New Index.
- Define appropriate size and retention policies.
- Ensure the index is accessible by Tanium end users by creating appropriate roles.
Configure the target index
The TA-Tanium add-on includes a search macro defining the target index. You'll need to edit this to ensure it points to the index you defined in the previous step.
- Navigate to Settings > Advanced Search > Search Macros.
- Set the App Context to `TA-Tanium`.
- Select the `tanium_index` macro.
- Change the Definition from the default (for example, `index=main`) to your created index (for example, `index=tanium`).
- Save the macro.
For more information on configuring the search macro, see Tanium docs: Review the search macro for TA-Tanium.
Configure the data input
Tanium Connect sends data to the input you define. Coordinate with your Tanium administrator on the chosen method (HEC or TCP/UDP) and on the port or token to use. There are two ways to configure the data input: the HTTP Event Collector (HEC) or a network input.
Option A (preferred): HTTP Event Collector (HEC)
- Navigate to Settings > Data Inputs > HTTP Event Collector.
- Enable the HEC, if it is not already enabled in Global Settings.
- Create a new token specifically for Tanium.
- In the Token settings:
  - Select `tanium` as the default source type (or allow Tanium Connect to specify it).
  - Select your `tanium` index as the default index.
  - Add your `tanium` index to the allowed indexes.
Tanium Connect often uses the `/services/collector/raw` HEC endpoint, especially when sending data in Syslog format. Ensure the HEC URI provided to Tanium matches the expected endpoint for the data format being sent (for example, use `/services/collector/raw` even if Tanium Connect is configured to send structured JSON). Verify this with your Tanium administrator.
For more information on configuring the HEC, see Splunk Docs: Set up and use HEC or Tanium: Configure an HTTP Event Collector.
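To make the token settings above concrete, here is an added example (not Splunk's or Tanium's code) that builds a HEC request the way the steps describe, for both the raw and the event endpoint, and models the token's index gate in simplified form. The hostname, the placeholder token, the sample event and `apply_token_policy` are assumptions for illustration, not Splunk internals.

```python
import json
import uuid
from urllib.parse import parse_qs, urlencode, urlparse

RAW_ENDPOINT = "/services/collector/raw"      # metadata in query string, body sent untouched
EVENT_ENDPOINT = "/services/collector/event"  # body must be JSON with an "event" key

def build_hec_request(base_url, token, payload, index="tanium", sourcetype="tanium", raw=True):
    """Return (url, headers, body) for one HEC request.

    raw=True targets /services/collector/raw, the endpoint the page says Tanium Connect
    commonly uses: index and sourcetype ride in the query string and the body (syslog
    text or a JSON string) is sent as-is.  raw=False wraps the payload for /event.
    """
    headers = {
        "Authorization": f"Splunk {token}",
        # Channel id is only required when indexer acknowledgment is enabled; harmless otherwise.
        "X-Splunk-Request-Channel": str(uuid.uuid4()),
    }
    if raw:
        query = urlencode({"index": index, "sourcetype": sourcetype})
        body = payload if isinstance(payload, str) else json.dumps(payload)
        return f"{base_url}{RAW_ENDPOINT}?{query}", headers, body
    body = json.dumps({"index": index, "sourcetype": sourcetype, "event": payload})
    return f"{base_url}{EVENT_ENDPOINT}", headers, body

def apply_token_policy(token_cfg, url):
    """Simplified model (not Splunk's code) of the token's index gate from the steps above.

    token_cfg mirrors the token dialog: default_index, default_sourcetype and the
    allowed_indexes set; an empty set means the token is not restricted to any index.
    Returns the effective index/sourcetype, or the HEC rejection (reply code 7).
    """
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    index = params.get("index", token_cfg["default_index"])
    allowed = token_cfg.get("allowed_indexes") or set()
    if allowed and index not in allowed:
        return {"accepted": False, "reply": 7, "reason": "Incorrect index"}
    return {"accepted": True, "index": index,
            "sourcetype": params.get("sourcetype", token_cfg["default_sourcetype"])}

# Constructed values: placeholder host and token, made-up Tanium-style JSON event.
TOKEN_CFG = {"default_index": "tanium", "default_sourcetype": "tanium", "allowed_indexes": {"tanium"}}
SAMPLE_EVENT = {"Computer Name": "WS-0042", "IP Address": "10.0.0.42", "Severity": "high"}

if __name__ == "__main__":
    url, hdrs, body = build_hec_request("https://splunk.example:8088", "<HEC-TOKEN-PLACEHOLDER>", SAMPLE_EVENT)
    print(url, apply_token_policy(TOKEN_CFG, url), body, sep="\n")
```

Sending the same payload with `index="main"` is rejected with reply code 7 ("Incorrect index"), which is exactly why the token needs the `tanium` index in its allowed list.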
Option B: Network input (TCP/UDP)
- Navigate to Settings > Data Inputs > TCP / UDP.
- Select New Local TCP or New Local UDP.
- Specify the port number Tanium Connect will use (for example, 9081).
- Set the source type to `tanium` by selecting it from the list (do not just type it). If `tanium` is not listed, verify the TA installation on this input tier.
- Set the default index to your `tanium` index.
- Provide the Splunk hostname/IP and configured port to your Tanium administrator.
Important considerations
- Network connectivity and firewalls: Ensure the Tanium Connect server (typically the Tanium Module Server) has outbound network access to your Splunk environment.
- For Splunk Cloud Platform, verify that your organization's firewall allows outbound connections from the Tanium Connect server to the specific HEC URI and port (typically 443 or 8088) provided for your Splunk Cloud Platform stack. You might need to allowlist the Splunk Cloud Platform HEC endpoint in your egress firewall rules.
- For Splunk Enterprise, ensure your firewalls allow traffic from the Tanium Connect server to the configured Splunk HEC or TCP/UDP port on your indexers or heavy forwarders.
- Resource usage: High-volume data feeds (especially `:stream` source types) can significantly impact license usage, storage requirements, and Tanium Core Platform or Module Server resources. Plan your data volumes and collection frequency carefully. Consult Tanium and Splunk resources if you are planning large-scale data ingestion.
Source types
The TA-Tanium add-on automatically assigns source types. Examples include `tanium:inventory`, `tanium:detect:signals`, `tanium:report:vulnerability`, and `tanium:endpoint:processes:stream`. The specific source type depends on the data feed configured in Tanium Connect.
For more information, see Tanium Docs: Source type extractions.
Validation
After Tanium Connect is configured and sending data:
- Search the index: Run `index=<your_tanium_index> sourcetype="tanium:*" | stats count by sourcetype` to confirm data arrival and identify received source types.
- Verify parsing: Check individual events to ensure that fields are extracted correctly.
- Check the CIM: Use the CIM Validation App or data model searches to verify CIM compliance if using Splunk Enterprise Security or other CIM-dependent apps.
- Monitor inputs: Check Splunk Data Input health and `_internal` logs for any errors related to the HEC token or the TCP/UDP port used by Tanium.
For more information, see Tanium: Verify data in Splunk.
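As an added example for the "Monitor inputs" step (not from the Splunk or Tanium documentation), this summarises HEC rejections found in `_internal` splunkd.log lines and maps each numeric reply code to the configuration item above that usually needs attention. The log lines are constructed, the `NEXT_CHECK` hints are this example's own, and the regex assumes the `HttpInputDataHandler` key=value message format.

```python
import re
from collections import Counter

# Numeric HEC reply codes and their meanings (from Splunk's HEC status code table).
HEC_REPLY_CODES = {
    1: "Token disabled", 2: "Token is required", 3: "Invalid authorization",
    4: "Invalid token", 5: "No data", 6: "Invalid data format",
    7: "Incorrect index", 10: "Data channel is missing", 12: "Event field is required",
}

# What each rejection usually points to in the Tanium setup described on this page.
NEXT_CHECK = {
    "Invalid token": "Compare the token given to the Tanium administrator with the one under Data Inputs > HTTP Event Collector.",
    "Token disabled": "Enable the Tanium token, and HEC itself in Global Settings.",
    "Incorrect index": "Add the tanium index to the token's allowed indexes, or fix the index Tanium Connect sets.",
    "Invalid data format": "Check the endpoint: /services/collector/raw for syslog text, /event for JSON with an event key.",
}

# Constructed sample lines modelled on the HttpInputDataHandler message format; not from any real system.
SAMPLE_INTERNAL = """\
05-12-2024 10:01:02.123 +0000 WARN  HttpInputDataHandler - Failed processing http input, token name=tanium, channel=n/a, source_IP=10.20.30.40, reply=7, events_processed=0, http_input_body_size=412, parsing_err="Incorrect index"
05-12-2024 10:01:05.456 +0000 WARN  HttpInputDataHandler - Failed processing http input, token name=n/a, channel=n/a, source_IP=10.20.30.40, reply=4, events_processed=0, http_input_body_size=0, parsing_err=""
05-12-2024 10:01:09.789 +0000 WARN  HttpInputDataHandler - Failed processing http input, token name=tanium, channel=n/a, source_IP=10.20.30.40, reply=7, events_processed=0, http_input_body_size=380, parsing_err="Incorrect index"
05-12-2024 10:02:00.000 +0000 INFO  HttpInputDataHandler - unrelated informational message
"""
FAILURE_RE = re.compile(
    r"HttpInputDataHandler.*Failed processing http input, token name=(?P<token>[^,]+), "
    r".*?source_IP=(?P<src>[^,]+), reply=(?P<reply>\d+)"
)

def summarize_hec_failures(log_text):
    """Count rejected HEC requests by (token name, source IP, decoded reason)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if not m:
            continue  # informational or unrelated line
        code = int(m.group("reply"))
        counts[(m.group("token"), m.group("src"), HEC_REPLY_CODES.get(code, f"reply={code}"))] += 1
    return counts

def triage(log_text):
    """Most frequent failures first, each paired with the configuration item to check next."""
    return [(token, src, reason, n, NEXT_CHECK.get(reason, "See the HEC status code table."))
            for (token, src, reason), n in summarize_hec_failures(log_text).most_common()]

if __name__ == "__main__":
    for row in triage(SAMPLE_INTERNAL):
        print(row)
```

Run it against `index=_internal sourcetype=splunkd component=HttpInputDataHandler` output exported from your own environment to get the same summary for real rejections.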
Common Information Model (CIM) compliance
The TA-Tanium add-on is designed for CIM compatibility, mapping data to models like Inventory, Endpoint, Network Traffic, Updates, Vulnerabilities, Malware, and Change Analysis. For more information, see Tanium: CIM coverage.
Field extraction
Field extractions are handled by the TA-Tanium for supported data formats. Key fields like `Computer Name`, `IP Address`, `User`, `Event Name`, `Severity`, `process`, or `file_path` are typically extracted.
Next steps
These resources might help you understand and implement this guidance:
- Tanium documentation: Integrating Splunk with Tanium
- Splunkbase: Splunk Add-on for Tanium (TA-Tanium)
- Splunkbase: Tanium Splunk Application