Unwanted Applications and How To Find Them

There’s an app for everything, but not every app may be wanted on your network. Today we will walk through using Cribl Steam to enrich Tanium Asset data. We will use Cribl Stream to tag data for alerting in a SIEM.

This walkthrough assumes you are using the Tanium Cribl Pack, but the pipelines can be replicated on your own without using the Tanium Cribl Pack. You can download the Tanium Cribl Pack at the Cribl Pack Dispensary here: https://packs.cribl.io/, just search for “Tanium”.

Once you import the Tanium Cribl Pack you will find a knowledge object named: application_approval_status.csv. To begin enriching you Tanium data with Tags you can populate this lookup table with product_usage_name or MD5_Hash fields and an approved status (true OR false). You can then alert based off any events that have a field value of approve=false

This portion of the Pack works by having a pipeline with a lookup function inside. This lookup function looks at the application_approval_status.csv knowledge object and if a match is found it creates a new output field of Approved. An example of how to use the lookup knowledge object can be seen below. We are looking for an MD5 Hash of 94EB3DE6900DFA5C1165CFE416096A72 which happens to be the MD5 Hash for a piece of software called Caffeine (an app frequently used for work avoidance app). Now anytime this MD5 is found in a Tanium Event I can generate an alert in my SIEM let me know it is being used. This also works for the application name using the product_usage_name field. You can add any product name or MD5 hash you may want to have a field with an approval status on.