Rule ID
SV-254936r1067725_rule
Version
V2R2
CCIs
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).
1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Review the configured Tanium Sources listed. If an "Audit Log" source does not exist, this is a finding. 5. Select the "Audit Log" source. 6. Select the audit connection found in the lower half of the screen. 7. Verify the "Destination Type" is a SIEM tool. If the "Destination Type" is not a SIEM tool, this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Configure sources to send audit logs from the Tanium Server to a SIEM tool or email destination. 5. Work with email administrator to configure email destination. 6. Work with the SIEM administrator to configure alerts based on audit failures. Consult documentation located at https://docs.tanium.com/connect/connect/siem.html#siem for reference on configuring other applicable SIEM connections.