Rule ID
SV-253794r1099929_rule
Version
V2R3
CCIs
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Select "Connect". 4. Review the configured Tanium Sources listed. If an "Audit Log" source does not exist, this is a finding. 5. Select the "Audit Log" source. 6. Select the audit connection found in the lower half of the screen. 7. Verify the "Destination Type" is a security information and event management (SIEM) tool. If the "Destination Type" is not a SIEM tool, this is a finding.
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Connect". 4. Click "Create Connection". 5. In the Configuration section, select "Tanium Audit Source" as the "Event Source" from the "Source" drop-down menu. 6. In the "Destination" section, select "Socket Receiver" from the drop-down menu. 7. Enter "Destination Name". 8. Enter "Host". 9. Enter "Network Protocol". 10. Enter "Port". 11. Click "Save". Work with the SIEM administrator to configure alerts based on audit failures.