Tanium

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method
Tanium Audit Logs | | | | | tanium_audit_logs | NDJSON | API / S3 list


Overview

Tanium is an endpoint security and systems management platform that gives large organizations real-time visibility, control, and the ability to remediate threats and manage devices at a massive scale. It uses a unique, patented "linear-chain" architecture to communicate efficiently with millions of endpoints, which enables its speed and scalability. The platform integrates multiple IT and security functions, helping to break down silos and improve collaboration between teams.

Tanium audit logs record user activity, system status, and action history, which can be used for security, compliance, and troubleshooting. These logs track a wide range of operations, such as user changes to settings, computer groups, and roles. Tanium recommends forwarding these logs to a central log management solution using tools like Tanium Connect, which can automate exports to destinations such as a SIEM (Hunters, in this case), email, or file.

Tanium Direct Connect provides other Tanium solutions a communication channel to endpoints and provides a central location in the Tanium user interface (UI) where you can monitor direct endpoint connections across solutions. For example, Direct Connect enables Tanium Investigate users to monitor and manage processes on endpoints through a direct connection. You can also use Direct Connect to designate specific endpoints as satellites for running certain targeted, secure workloads on other endpoints that Tanium™ Cloud cannot directly reach. For example, a satellite can run remote authenticated scans for Tanium Comply.

Supported data types

Tanium Audit Logs

Table name: tanium_audit_logs

Tanium audit logs contain 33 different sub-log types (audit types), each served by its own API endpoint. Be aware that each audit type is a separate integration: to collect all of them you have to set up 33 integrations through the “Create data source” screen on the portal.

Send data to Hunters

Hunters supports the collection of logs from Tanium using the Tanium API (and also from S3).

To connect Tanium logs:

  1. Retrieve the following information by following this guide by Tanium:

    • Host (example - xxx.tanium.com)

    • Audit Type (one of the 33 options)

    • Token (following the guide)

  2. Complete the process on the Hunters platform, following this guide.

Expected format

The expected format of the logs is JSON, one audit record per line (NDJSON), as detailed in the Tanium documentation:

  1. Working with Tanium audit logs

  2. Reviewing and exporting the audit log

Tanium Audit Log Sample

{
  "object_id": 123,
  "audit_name": "Global - Limited Admin",
  "creation_time": "2025-10-14T14:26:54Z",
  "modification_time": "2025-10-14T14:26:54Z",
  "last_modified_by": "xxx@xyz.com",
  "modifier_user_id": 10,
  "mod_user": {
    "id": 10,
    "name": "xxx@xyz.com",
    "domain": "",
    "display_name": "ABC"
  },
  "details": "User group (ID 1): updated with user ids added 123; ",
  "audit_row_id": 1234,
  "type": 1,
  "type_name": "UpdateObject",
  "object_name": "xxx@xyz.com",
  "object_type_name": "user"
}

The Tanium Audit Logs data type covers 33 different logs (with 33 different endpoints). All of them share the same format / schema, with minor differences between types.
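Parsing and triaging records in this schema, as an added example that is not part of the Hunters or Tanium documentation: the code below reads NDJSON lines in the shape of the sample above, reads the fields that vary between audit types defensively (mod_user may be absent, so the actor falls back to last_modified_by), pulls the "user ids added" list out of the free-text details string, and flags changes to object types that affect authentication, authorization or platform trust. The first sample line is the page's own record; the other two lines, the type value 0 / "CreateObject", and the choice of which object types count as high risk are this example's constructed assumptions, not Tanium's.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample input (three NDJSON lines). Line 1 is the page's sample record;
# lines 2 and 3 are constructed, and "type": 0 / "CreateObject" is an assumed value.
SAMPLE_NDJSON = """\
{"object_id": 123, "audit_name": "Global - Limited Admin", "creation_time": "2025-10-14T14:26:54Z", "modification_time": "2025-10-14T14:26:54Z", "last_modified_by": "xxx@xyz.com", "modifier_user_id": 10, "mod_user": {"id": 10, "name": "xxx@xyz.com", "domain": "", "display_name": "ABC"}, "details": "User group (ID 1): updated with user ids added 123; ", "audit_row_id": 1234, "type": 1, "type_name": "UpdateObject", "object_name": "xxx@xyz.com", "object_type_name": "user"}
{"object_id": 7, "audit_name": "token for automation", "creation_time": "2025-10-14T15:01:10Z", "modification_time": "2025-10-14T15:01:10Z", "last_modified_by": "svc@xyz.com", "modifier_user_id": 22, "details": "API token (ID 7): created; ", "audit_row_id": 1235, "type": 0, "type_name": "CreateObject", "object_name": "token for automation", "object_type_name": "api_token"}
{"object_id": 3, "audit_name": "Deploy Tool", "creation_time": "2025-10-14T15:05:00Z", "modification_time": "2025-10-14T15:05:00Z", "last_modified_by": "xxx@xyz.com", "modifier_user_id": 10, "mod_user": {"id": 10, "name": "xxx@xyz.com", "domain": "", "display_name": "ABC"}, "details": "Saved question (ID 3): updated; ", "audit_row_id": 1236, "type": 1, "type_name": "UpdateObject", "object_name": "Deploy Tool", "object_type_name": "saved_question"}
"""

# Object types whose change alters who can log in, what they may do, or what the
# platform trusts. The names come from the audit types listed on this page; the
# "high risk" grouping is this example's judgement, not Tanium's classification.
HIGH_RISK_OBJECT_TYPES = {
    "api_token", "user", "user_group", "persona",
    "content_set_role", "content_set_role_membership",
    "content_set_role_privilege", "content_set_user_group_role_membership",
    "pki_root_key", "pki_key_configuration", "server_trust",
    "downloader_trusted_cert", "white_listed_url", "system_setting",
}

# Matches the "user ids added 123" fragment seen in the sample "details" string.
_ADDED_IDS = re.compile(r"user ids added ([\d, ]+)")


def parse_record(line):
    """Parse one NDJSON audit line into a flat, normalised dict.

    Fields that differ between audit types are read with .get(); the actor falls
    back to last_modified_by when the nested mod_user object is absent.
    """
    raw = json.loads(line)
    mod_user = raw.get("mod_user") or {}
    ts = raw.get("modification_time") or raw.get("creation_time")
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) if ts else None
    m = _ADDED_IDS.search(raw.get("details") or "")
    added = [int(x) for x in m.group(1).replace(" ", "").split(",") if x] if m else []
    return {
        "audit_row_id": raw.get("audit_row_id"),
        "time": when,
        "actor": mod_user.get("name") or raw.get("last_modified_by"),
        "actor_id": mod_user.get("id", raw.get("modifier_user_id")),
        "action": raw.get("type_name"),
        "object_type": raw.get("object_type_name"),
        "object_name": raw.get("object_name"),
        "details": raw.get("details"),
        "added_user_ids": added,
    }


def parse_records(ndjson_text):
    """Parse every non-empty line of an NDJSON document."""
    return [parse_record(line) for line in ndjson_text.splitlines() if line.strip()]


def triage(records):
    """Return only the records worth an analyst's attention, each with its reasons."""
    findings = []
    for r in records:
        reasons = []
        if r["object_type"] in HIGH_RISK_OBJECT_TYPES:
            reasons.append(f"{r['action']} on high-risk object type {r['object_type']}")
        if r["added_user_ids"]:
            reasons.append(f"user ids added: {r['added_user_ids']}")
        if reasons:
            findings.append({**r, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_records(SAMPLE_NDJSON)):
        print(f["time"].isoformat(), f["actor"], f["object_type"], f["object_name"], "|", "; ".join(f["reasons"]))
```

Run against the sample, the user-group membership change and the API token creation are reported; the saved question update is not. Because `details` is free text, anything beyond the "user ids added" pattern should be matched against records you have actually observed rather than guessed.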

The supported audit log types are (from their official documentation):

Audit type | Route syntax
api_token | /api/v2/audit_logs/api_tokens
authentication | /api/v2/audit_logs/authentication
content_set | /api/v2/audit_logs/content_sets
content_set_privilege | /api/v2/audit_logs/content_set_privileges
content_set_role | /api/v2/audit_logs/content_set_roles
content_set_role_membership | /api/v2/audit_logs/content_set_role_memberships
content_set_role_privilege | /api/v2/audit_logs/content_set_role_privileges
content_set_user_group_role_membership | /api/v2/audit_logs/content_set_user_group_role_memberships
dashboard | /api/v2/audit_logs/dashboards
dashboard_group | /api/v2/audit_logs/dashboard_groups
downloader_auth_cert | /api/v2/audit_logs/downloader_auth_certs
downloader_auth_user | /api/v2/audit_logs/downloader_auth_users
downloader_trusted_cert | /api/v2/audit_logs/downloader_trusted_certs
group | /api/v2/audit_logs/groups
intentional_subnet | /api/v2/audit_logs/intentional_subnets
isolated_subnet | /api/v2/audit_logs/isolated_subnets
local_setting | /api/v2/audit_logs/local_settings
package_spec | /api/v2/audit_logs/packages
persona | /api/v2/audit_logs/personas
pki_key_configuration | /api/v2/audit_logs/pki_key_configurations
pki_root_key | /api/v2/audit_logs/pki_root_keys
plugin_schedule | /api/v2/audit_logs/plugin_schedules
saved_action | /api/v2/audit_logs/saved_actions
saved_question | /api/v2/audit_logs/saved_questions
sensor | /api/v2/audit_logs/sensors
separated_subnet | /api/v2/audit_logs/separated_subnets
server_registration_request | /api/v2/audit_logs/pki_server_registration_requests
server_trust | /api/v2/audit_logs/server_trusts
system_setting | /api/v2/audit_logs/system_settings
user | /api/v2/audit_logs/users
user_group | /api/v2/audit_logs/user_groups
white_listed_url | /api/v2/audit_logs/white_listed_urls
zone_server | /api/v2/audit_logs/zone_server_assignments
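As an added example (not Hunters' or Tanium's own code) of what one of the 33 integrations does with the three inputs from the "Send data to Hunters" steps (host, audit type, token): the code below binds a collector to exactly one audit type by looking up its route in the table above, refuses hosts that carry a scheme or path so the token is never sent somewhere other than the bare Tanium host, fetches the records through an injected transport, and writes them out as NDJSON ordered and de-duplicated by audit_row_id so a re-run after a crash does not emit the same record twice. Assumptions not taken from this page: the token is sent in a `session` request header (Tanium's REST API convention), the response body is either a bare list or `{"data": [...]}`, and no server-side pagination is shown; the `fake_fetch` transport and its two records are constructed so the example runs offline.

```python
import json

# Audit type -> route, copied from the table above. Each audit type is its own
# data source in Hunters, so a collector is bound to exactly one of them.
_P = "/api/v2/audit_logs/"
AUDIT_ROUTES = {
    "api_token": _P + "api_tokens", "authentication": _P + "authentication",
    "content_set": _P + "content_sets", "content_set_privilege": _P + "content_set_privileges",
    "content_set_role": _P + "content_set_roles",
    "content_set_role_membership": _P + "content_set_role_memberships",
    "content_set_role_privilege": _P + "content_set_role_privileges",
    "content_set_user_group_role_membership": _P + "content_set_user_group_role_memberships",
    "dashboard": _P + "dashboards", "dashboard_group": _P + "dashboard_groups",
    "downloader_auth_cert": _P + "downloader_auth_certs",
    "downloader_auth_user": _P + "downloader_auth_users",
    "downloader_trusted_cert": _P + "downloader_trusted_certs",
    "group": _P + "groups", "intentional_subnet": _P + "intentional_subnets",
    "isolated_subnet": _P + "isolated_subnets", "local_setting": _P + "local_settings",
    "package_spec": _P + "packages", "persona": _P + "personas",
    "pki_key_configuration": _P + "pki_key_configurations", "pki_root_key": _P + "pki_root_keys",
    "plugin_schedule": _P + "plugin_schedules", "saved_action": _P + "saved_actions",
    "saved_question": _P + "saved_questions", "sensor": _P + "sensors",
    "separated_subnet": _P + "separated_subnets",
    "server_registration_request": _P + "pki_server_registration_requests",
    "server_trust": _P + "server_trusts", "system_setting": _P + "system_settings",
    "user": _P + "users", "user_group": _P + "user_groups",
    "white_listed_url": _P + "white_listed_urls", "zone_server": _P + "zone_server_assignments",
}
assert len(AUDIT_ROUTES) == 33  # one integration per audit type


def audit_url(host, audit_type):
    """Build the HTTPS URL for one audit type.

    `host` is the bare hostname from step 1 (example - xxx.tanium.com). A scheme,
    port or path inside it is rejected so the session token cannot be directed at
    a lookalike or attacker-supplied URL; unknown audit types fail loudly.
    """
    if audit_type not in AUDIT_ROUTES:
        raise ValueError(f"unknown audit type {audit_type!r}; expected one of {sorted(AUDIT_ROUTES)}")
    if not host or "/" in host or ":" in host:
        raise ValueError(f"host must be a bare hostname, got {host!r}")
    return f"https://{host}{AUDIT_ROUTES[audit_type]}"


def collect(host, audit_type, token, fetch, since_row_id=0):
    """Fetch one audit type and return (ndjson_text, new_high_water_mark).

    `fetch(url, headers)` is an injected transport returning the parsed JSON body;
    in production it would be an HTTPS GET. Assumed (not from this page): the
    token travels in a `session` header and the body is a list or {"data": [...]}.
    Records with audit_row_id <= since_row_id are dropped, and the rest are
    emitted in ascending audit_row_id order, so repeated runs never duplicate.
    """
    body = fetch(audit_url(host, audit_type), {"session": token, "Accept": "application/json"})
    records = body["data"] if isinstance(body, dict) else body
    fresh = sorted(
        (r for r in records if r.get("audit_row_id", 0) > since_row_id),
        key=lambda r: r.get("audit_row_id", 0),
    )
    high = fresh[-1]["audit_row_id"] if fresh else since_row_id
    # One compact JSON object per line is NDJSON, the log format in the TL;DR.
    ndjson = "".join(json.dumps(r, separators=(",", ":")) + "\n" for r in fresh)
    return ndjson, high


# Constructed offline stand-in for the transport: two records in the shape of the
# page's sample, deliberately out of order so the re-ordering is visible.
FAKE_RESPONSE = {"data": [
    {"audit_row_id": 1235, "object_id": 7, "type": 1, "type_name": "UpdateObject",
     "object_type_name": "api_token", "object_name": "automation",
     "modification_time": "2025-10-14T14:30:00Z", "last_modified_by": "xxx@xyz.com",
     "details": "API token (ID 7): updated; "},
    {"audit_row_id": 1234, "object_id": 7, "type": 1, "type_name": "UpdateObject",
     "object_type_name": "api_token", "object_name": "automation",
     "modification_time": "2025-10-14T14:26:54Z", "last_modified_by": "xxx@xyz.com",
     "details": "API token (ID 7): updated; "},
]}


def fake_fetch(url, headers):
    """Constructed transport: refuses requests without a token, else returns FAKE_RESPONSE."""
    if not headers.get("session"):
        raise PermissionError("no session token")
    return FAKE_RESPONSE


if __name__ == "__main__":
    lines, mark = collect("xxx.tanium.com", "api_token", "example-token", fake_fetch)
    print(lines, end="")
    print("high-water mark:", mark)
```

Persist the returned high-water mark per audit type between runs and pass it back as since_row_id; since every audit type is a separate data source, each needs its own mark.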