[tanium] Initial Release for the Tanium

.github/CODEOWNERS

@@ -186,6 +186,7 @@
 /packages/system @elastic/elastic-agent-data-plane
 /packages/system/kibana @elastic/elastic-agent-data-plane @elastic/kibana-visualizations
 /packages/system_audit @elastic/security-external-integrations
+/packages/tanium @elastic/security-external-integrations
 /packages/tcp @elastic/security-external-integrations
 /packages/tenable_io @elastic/security-external-integrations
 /packages/tenable_sc @elastic/security-external-integrations

packages/tanium/_dev/build/build.yml

@@ -0,0 +1,4 @@
+dependencies:
+ ecs:
+ reference: git@v8.6.0
+ import_mappings: true

packages/tanium/_dev/build/docs/README.md

@@ -0,0 +1,134 @@
+# Tanium
+
+The [Tanium](https://www.tanium.com/) integration allows you to monitor Action History, Client Status, Discover, Endpoint Config, Reporting, and Threat Response Logs. Tanium is an enterprise platform that's primarily used as an endpoint management tool. It empowers security and IT operations teams with quick visibility and control to secure and manage every endpoint on the network, scaling to millions of endpoints with limited infrastructure. Tanium Connect is used to capture accurate and complete endpoint data from Tanium.
+
+The Tanium integration can be used in four different modes to collect data:
+- TCP mode: Tanium pushes logs directly to a TCP port hosted by your Elastic Agent.
+- HTTP Endpoint mode: Tanium pushes logs directly to an HTTP endpoint hosted by your Elastic Agent.
+- AWS S3 polling mode: Tanium writes data to S3, and Elastic Agent polls the S3 bucket by listing its contents and reading new files.
+- AWS S3 SQS mode: Tanium writes data to S3, S3 sends a notification of a new object to SQS, the Elastic Agent receives the notification from SQS, and then reads the S3 object. Multiple agents can be used in this mode.
+
+## Compatibility
+
+This module has been tested against the latest Tanium Instance version **7.5.5.1162**.
+Versions above this are expected to work but have not been tested.
+
+## Data streams
+
+The Tanium integration collects logs for six types of events: action history, client status, discover, endpoint config, reporting, and threat response.
+
+## Requirements
+
+You need Elasticsearch to store and search your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended or self-manage the Elastic Stack on your hardware.
+
+## Setup
+
+### To collect data from an AWS S3 bucket, follow the below steps:
+- Considering you already have an AWS S3 bucket setup, to create a connection for AWS S3 as a destination, follow this [link](https://docs.tanium.com/connect/connect/aws.html ).
+- As we are always expecting data in JSON format, while creating the connection, select the format as JSON and deselect the `Generate Document option`.
+- The default value of the field `Bucket List Prefix` is listed below.
+
+ | Data Stream Name | Bucket List Prefix |
+ | ----------------- | ---------------------- |
+ | Action History | action_history |
+ | Client Status | client_status |
+ | Discover | discover |
+ | Endpoint Config | endpoint_config |
+ | Reporting | reporting |
+ | Threat Response | threat_response |
+
+**NOTE**: User can have any value which should match with bucket List Prefix.
+### To collect data from AWS SQS, follow the below steps:
+1. Assuming you've already set up a connection to push data into the AWS bucket; if not, see the section above.
+2. To set up an SQS queue, follow "Step 1: Create an Amazon SQS Queue" mentioned in the [link](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ways-to-add-notification-config-to-bucket.html).
+ - While creating an Access Policy, use the bucket name configured to create a connection for AWS S3 in Tanium.
+3. Configure event notifications for an S3 bucket. Follow this [link](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-event-notifications.html).
+ - It is recommended to configure separate `event notification` for each data stream using different bucket list prefixes.
+ - While creating `event notification` select the event type as s3:ObjectCreated:*, destination type SQS Queue and select the queue name created in Step 2.
+
+### To collect data from the Tanium HTTP Endpoint, follow the below steps:
+- Considering you already have HTTP endpoint hosted, to create a connection for HTTP as destination follow this [link](https://docs.tanium.com/connect/connect/http.html).
+- As we are always expecting data in JSON format so while Creating the Connection, Select the Format as Json and deselect the `Generate Document option`.
+- Add some custom header and its value for additional security.
+
+### To collect data from TCP, follow the below steps:
+- While creating a connection, select the Socket Receiver as a destination.
+- Choose the type of source you want to obtain.
+- As we are always expecting data in JSON format so while Creating the Connection, Select the Format as Json and deselect the `Generate Document option`.
+- Mention HTTP endpoint in the field Host
+- Mention port in the field Port to create a TCP connection.
+- Finally, select TCP as Network Protocol.
+
+## Logs reference
+
+### Action-History
+
+This is the `action_history` dataset.
+The HTTP Endpoint's default port is _9577_.
+TCP's default port is _9578_.
+
+#### Example
+
+{{event "action_history"}}
+
+{{fields "action_history"}}
+
+### Client-Status
+
+This is the `client_status` dataset.
+The HTTP Endpoint's default port is _9579_.
+TCP's default port is _9580_.
+
+#### Example
+
+{{event "client_status"}}
+
+{{fields "client_status"}}
+
+### Discover
+
+This is the `discover` dataset.
+The HTTP Endpoint's default port is _9581_.
+TCP's default port is _9582_.
+
+#### Example
+
+{{event "discover"}}
+
+{{fields "discover"}}
+
+### Endpoint-Config
+
+This is the `endpoint_config` dataset.
+The HTTP Endpoint's default port is _9583_.
+TCP's default port is _9584_.
+
+#### Example
+
+{{event "endpoint_config"}}
+
+{{fields "endpoint_config"}}
+
+### Reporting
+
+This is the `reporting` dataset.
+The HTTP Endpoint's default port is _9585_.
+TCP's default port is _9586_.
+
+#### Example
+
+{{event "reporting"}}
+
+{{fields "reporting"}}
+
+### Threat-Response
+
+This is the `threat_response` dataset.
+The HTTP Endpoint's default port is _9587_.
+TCP's default port is _9588_.
+
+#### Example
+
+{{event "threat_response"}}
+
+{{fields "threat_response"}}

packages/tanium/_dev/deploy/docker/docker-compose.yml

@@ -0,0 +1,86 @@
+version: '2.3'
+services:
+ tanium-tcp-action_history:
+ image: docker.elastic.co/observability/stream:v0.9.0
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ entrypoint: /bin/bash
+ command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9082 -p=tcp /sample_logs/action_history.log"
+ tanium-tcp-client_status:
+ image: docker.elastic.co/observability/stream:v0.9.0
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ entrypoint: /bin/bash
+ command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9083 -p=tcp /sample_logs/client_status.log"
+ tanium-tcp-discover:
+ image: docker.elastic.co/observability/stream:v0.9.0
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ entrypoint: /bin/bash
+ command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9084 -p=tcp /sample_logs/discover.log"
+ tanium-tcp-endpoint_config:
+ image: docker.elastic.co/observability/stream:v0.9.0
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ entrypoint: /bin/bash
+ command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9085 -p=tcp /sample_logs/endpoint_config.log"
+ tanium-tcp-reporting:
+ image: docker.elastic.co/observability/stream:v0.9.0
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ entrypoint: /bin/bash
+ command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9086 -p=tcp /sample_logs/reporting.log"
+ tanium-tcp-threat_response:
+ image: docker.elastic.co/observability/stream:v0.9.0
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ entrypoint: /bin/bash
+ command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9087 -p=tcp /sample_logs/threat_response.log"
+ tanium-action_history-http-endpoint:
+ image: docker.elastic.co/observability/stream:v0.9.0
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ environment:
+ - STREAM_PROTOCOL=webhook
+ - STREAM_ADDR=http://elastic-agent:9087/
+ command: log --start-signal=SIGHUP --delay=5s /sample_logs/action_history.log
+ tanium-client_status-http-endpoint:
+ image: docker.elastic.co/observability/stream:v0.9.0
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ environment:
+ - STREAM_PROTOCOL=webhook
+ - STREAM_ADDR=http://elastic-agent:9088/
+ command: log --start-signal=SIGHUP --delay=5s /sample_logs/client_status.log
+ tanium-discover-http-endpoint:
+ image: docker.elastic.co/observability/stream:v0.9.0
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ environment:
+ - STREAM_PROTOCOL=webhook
+ - STREAM_ADDR=http://elastic-agent:9089/
+ command: log --start-signal=SIGHUP --delay=5s /sample_logs/discover.log
+ tanium-endpoint_config-http-endpoint:
+ image: docker.elastic.co/observability/stream:v0.9.0
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ environment:
+ - STREAM_PROTOCOL=webhook
+ - STREAM_ADDR=http://elastic-agent:9090/
+ command: log --start-signal=SIGHUP --delay=5s /sample_logs/endpoint_config.log
+ tanium-reporting-http-endpoint:
+ image: docker.elastic.co/observability/stream:v0.9.0
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ environment:
+ - STREAM_PROTOCOL=webhook
+ - STREAM_ADDR=http://elastic-agent:9091/
+ command: log --start-signal=SIGHUP --delay=5s /sample_logs/reporting.log
+ tanium-threat_response-http-endpoint:
+ image: docker.elastic.co/observability/stream:v0.9.0
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ environment:
+ - STREAM_PROTOCOL=webhook
+ - STREAM_ADDR=http://elastic-agent:9092/
+ command: log --start-signal=SIGHUP --delay=5s /sample_logs/threat_response.log

packages/tanium/_dev/deploy/docker/sample_logs/action_history.log

@@ -0,0 +1 @@
+{"Issuer": "tanium","SourceId": 10,"Expiration": "2022-10-04T17:38:42","ActionName": "Deploy Client Configuration and Support [Mac](universal)","Command": "/bin/sh -c 'chmod u+x TaniumCX && ./TaniumCX bootstrap --zip bootstrap.zip'","Approver": "tanium","Status": "Closed","DistributeOver": "1 minutes","PackageName": "Client Configuration and Support [Mac](universal)","Comment": "","StartTime": "2022-10-04T16:38:42","InsertTime": "2022-10-04T16:38:48","ActionId": 6058}

packages/tanium/_dev/deploy/docker/sample_logs/client_status.log

@@ -0,0 +1 @@
+{"Status": "Leader","LastRegistration": "2022-10-07T09:20:08","ProtocolVersion": 315,"ValidKey": 1,"ComputerId": "4008511043","HostName": "dhcp-client02.local","ClientNetworkLocation": "67.43.156.0","ServerNetworkLocation": "81.2.69.192","RegisteredWithTLS": 1,"SendState": "None","ReceiveState": "None","FullVersion": "7.4.9.1046"}

packages/tanium/_dev/deploy/docker/sample_logs/discover.log

@@ -0,0 +1 @@
+{"id": 1,"MacAddress": "00-51-58-91-62-41","MacOrganization": "VMware, Inc.","IpAddress": "89.160.20.112","NatIpAddress": "","HostName": "otelco7_46.test.local","Labels": "","Locations": "","TaniumComputerId": 1558885994,"Ports": "22,41000","Os": "linux","OsGeneration": null,"Managed": 1,"Unmanageable": 0,"Arp": 0,"Nmap": 0,"Ping": 0,"Connected": 0,"AwsApi": 0,"CentralizedNmap": 0,"SatelliteNmap": 0,"CreatedAt": "2022-11-18 09:30:26 +00:00","UpdatedAt": "2022-11-18 10:10:57 +00:00","FirstManagedAt": null,"LastManagedAt": "2022-11-18 10:10:57 +00:00","LastDiscoveredAt": null,"Profile": null,"SatelliteDecId": null,"SatelliteName": null}

packages/tanium/_dev/deploy/docker/sample_logs/endpoint_config.log

@@ -0,0 +1 @@
+{"timestamp":"2022-11-02T13:49:03.993426735Z","action":"AUDIT_ACTION_CREATED","user":{"user_id":1,"persona_id":0},"config_item":{"id":9,"domain":"endpoint-config","data_category":"tools","description":"Threat Response Stream Toolset"}}

packages/tanium/_dev/deploy/docker/sample_logs/reporting.log

@@ -0,0 +1 @@
+{"Computer Name":"localhost","OS Platform":"Linux","Operating System":"CentOS Linux release 7.9.2009 (Core)","Virtual Platform":"VMware Virtual Platform","Is Virtual":"Yes","Manufacturer":"VMware, Inc.","Model":"VMware Virtual Platform","Count":3}