From bc67e9226fc7db057e3eea07490d47ea435d84d0 Mon Sep 17 00:00:00 2001 From: Chris Berkhout Date: Fri, 21 Nov 2025 14:52:34 +0100 Subject: [PATCH 1/5] Reorder S3 config. --- .../data_stream/action_history/agent/stream/aws-s3.yml.hbs | 6 +++--- .../data_stream/client_status/agent/stream/aws-s3.yml.hbs | 6 +++--- .../tanium/data_stream/discover/agent/stream/aws-s3.yml.hbs | 6 +++--- .../data_stream/endpoint_config/agent/stream/aws-s3.yml.hbs | 6 +++--- .../data_stream/reporting/agent/stream/aws-s3.yml.hbs | 6 +++--- .../data_stream/threat_response/agent/stream/aws-s3.yml.hbs | 6 +++--- 6 files changed, 18 insertions(+), 18 deletions(-) diff --git a/packages/tanium/data_stream/action_history/agent/stream/aws-s3.yml.hbs b/packages/tanium/data_stream/action_history/agent/stream/aws-s3.yml.hbs index 8c30fa37645..7546d4dd7bc 100644 --- a/packages/tanium/data_stream/action_history/agent/stream/aws-s3.yml.hbs +++ b/packages/tanium/data_stream/action_history/agent/stream/aws-s3.yml.hbs @@ -53,12 +53,12 @@ secret_access_key: {{secret_access_key}} {{#if session_token}} session_token: {{session_token}} {{/if}} -{{#if shared_credential_file}} -shared_credential_file: {{shared_credential_file}} -{{/if}} {{#if credential_profile_name}} credential_profile_name: {{credential_profile_name}} {{/if}} +{{#if shared_credential_file}} +shared_credential_file: {{shared_credential_file}} +{{/if}} {{#if role_arn}} role_arn: {{role_arn}} {{/if}} diff --git a/packages/tanium/data_stream/client_status/agent/stream/aws-s3.yml.hbs b/packages/tanium/data_stream/client_status/agent/stream/aws-s3.yml.hbs index 8c30fa37645..7546d4dd7bc 100644 --- a/packages/tanium/data_stream/client_status/agent/stream/aws-s3.yml.hbs +++ b/packages/tanium/data_stream/client_status/agent/stream/aws-s3.yml.hbs @@ -53,12 +53,12 @@ secret_access_key: {{secret_access_key}} {{#if session_token}} session_token: {{session_token}} {{/if}} -{{#if shared_credential_file}} -shared_credential_file: {{shared_credential_file}} -{{/if}} {{#if credential_profile_name}} credential_profile_name: {{credential_profile_name}} {{/if}} +{{#if shared_credential_file}} +shared_credential_file: {{shared_credential_file}} +{{/if}} {{#if role_arn}} role_arn: {{role_arn}} {{/if}} diff --git a/packages/tanium/data_stream/discover/agent/stream/aws-s3.yml.hbs b/packages/tanium/data_stream/discover/agent/stream/aws-s3.yml.hbs index 8c30fa37645..7546d4dd7bc 100644 --- a/packages/tanium/data_stream/discover/agent/stream/aws-s3.yml.hbs +++ b/packages/tanium/data_stream/discover/agent/stream/aws-s3.yml.hbs @@ -53,12 +53,12 @@ secret_access_key: {{secret_access_key}} {{#if session_token}} session_token: {{session_token}} {{/if}} -{{#if shared_credential_file}} -shared_credential_file: {{shared_credential_file}} -{{/if}} {{#if credential_profile_name}} credential_profile_name: {{credential_profile_name}} {{/if}} +{{#if shared_credential_file}} +shared_credential_file: {{shared_credential_file}} +{{/if}} {{#if role_arn}} role_arn: {{role_arn}} {{/if}} diff --git a/packages/tanium/data_stream/endpoint_config/agent/stream/aws-s3.yml.hbs b/packages/tanium/data_stream/endpoint_config/agent/stream/aws-s3.yml.hbs index 65840d3a149..1c86e49ea17 100644 --- a/packages/tanium/data_stream/endpoint_config/agent/stream/aws-s3.yml.hbs +++ b/packages/tanium/data_stream/endpoint_config/agent/stream/aws-s3.yml.hbs @@ -53,12 +53,12 @@ secret_access_key: {{secret_access_key}} {{#if session_token}} session_token: {{session_token}} {{/if}} -{{#if shared_credential_file}} -shared_credential_file: {{shared_credential_file}} -{{/if}} {{#if credential_profile_name}} credential_profile_name: {{credential_profile_name}} {{/if}} +{{#if shared_credential_file}} +shared_credential_file: {{shared_credential_file}} +{{/if}} {{#if role_arn}} role_arn: {{role_arn}} {{/if}} diff --git a/packages/tanium/data_stream/reporting/agent/stream/aws-s3.yml.hbs b/packages/tanium/data_stream/reporting/agent/stream/aws-s3.yml.hbs index 8c30fa37645..7546d4dd7bc 100644 --- a/packages/tanium/data_stream/reporting/agent/stream/aws-s3.yml.hbs +++ b/packages/tanium/data_stream/reporting/agent/stream/aws-s3.yml.hbs @@ -53,12 +53,12 @@ secret_access_key: {{secret_access_key}} {{#if session_token}} session_token: {{session_token}} {{/if}} -{{#if shared_credential_file}} -shared_credential_file: {{shared_credential_file}} -{{/if}} {{#if credential_profile_name}} credential_profile_name: {{credential_profile_name}} {{/if}} +{{#if shared_credential_file}} +shared_credential_file: {{shared_credential_file}} +{{/if}} {{#if role_arn}} role_arn: {{role_arn}} {{/if}} diff --git a/packages/tanium/data_stream/threat_response/agent/stream/aws-s3.yml.hbs b/packages/tanium/data_stream/threat_response/agent/stream/aws-s3.yml.hbs index 8c30fa37645..7546d4dd7bc 100644 --- a/packages/tanium/data_stream/threat_response/agent/stream/aws-s3.yml.hbs +++ b/packages/tanium/data_stream/threat_response/agent/stream/aws-s3.yml.hbs @@ -53,12 +53,12 @@ secret_access_key: {{secret_access_key}} {{#if session_token}} session_token: {{session_token}} {{/if}} -{{#if shared_credential_file}} -shared_credential_file: {{shared_credential_file}} -{{/if}} {{#if credential_profile_name}} credential_profile_name: {{credential_profile_name}} {{/if}} +{{#if shared_credential_file}} +shared_credential_file: {{shared_credential_file}} +{{/if}} {{#if role_arn}} role_arn: {{role_arn}} {{/if}} From ef122bf13782c06772faacdb2d1a38d7c3199e52 Mon Sep 17 00:00:00 2001 From: Chris Berkhout Date: Fri, 21 Nov 2025 14:54:48 +0100 Subject: [PATCH 2/5] Add endpoint, region, default_region and external_id where missing in S3 input config, make aws-s3.yml.hbs files identical by reordering data_stream/endpoint_config/agent/stream/aws-s3.yml.hbs. --- .../action_history/agent/stream/aws-s3.yml.hbs | 12 ++++++++++++ .../client_status/agent/stream/aws-s3.yml.hbs | 12 ++++++++++++ .../discover/agent/stream/aws-s3.yml.hbs | 12 ++++++++++++ .../endpoint_config/agent/stream/aws-s3.yml.hbs | 13 +++++++++++-- .../reporting/agent/stream/aws-s3.yml.hbs | 12 ++++++++++++ .../threat_response/agent/stream/aws-s3.yml.hbs | 12 ++++++++++++ 6 files changed, 71 insertions(+), 2 deletions(-) diff --git a/packages/tanium/data_stream/action_history/agent/stream/aws-s3.yml.hbs b/packages/tanium/data_stream/action_history/agent/stream/aws-s3.yml.hbs index 7546d4dd7bc..9c06fbb76c6 100644 --- a/packages/tanium/data_stream/action_history/agent/stream/aws-s3.yml.hbs +++ b/packages/tanium/data_stream/action_history/agent/stream/aws-s3.yml.hbs @@ -44,6 +44,15 @@ file_selectors: number_of_workers: {{number_of_workers}} {{/if}} +{{#if endpoint}} +endpoint: {{endpoint}} +{{/if}} +{{#if region}} +region: {{region}} +{{/if}} +{{#if default_region}} +default_region: {{default_region}} +{{/if}} {{#if access_key_id}} access_key_id: {{access_key_id}} {{/if}} @@ -62,6 +71,9 @@ shared_credential_file: {{shared_credential_file}} {{#if role_arn}} role_arn: {{role_arn}} {{/if}} +{{#if external_id}} +external_id: {{external_id}} +{{/if}} {{#if fips_enabled}} fips_enabled: {{fips_enabled}} {{/if}} diff --git a/packages/tanium/data_stream/client_status/agent/stream/aws-s3.yml.hbs b/packages/tanium/data_stream/client_status/agent/stream/aws-s3.yml.hbs index 7546d4dd7bc..9c06fbb76c6 100644 --- a/packages/tanium/data_stream/client_status/agent/stream/aws-s3.yml.hbs +++ b/packages/tanium/data_stream/client_status/agent/stream/aws-s3.yml.hbs @@ -44,6 +44,15 @@ file_selectors: number_of_workers: {{number_of_workers}} {{/if}} +{{#if endpoint}} +endpoint: {{endpoint}} +{{/if}} +{{#if region}} +region: {{region}} +{{/if}} +{{#if default_region}} +default_region: {{default_region}} +{{/if}} {{#if access_key_id}} access_key_id: {{access_key_id}} {{/if}} @@ -62,6 +71,9 @@ shared_credential_file: {{shared_credential_file}} {{#if role_arn}} role_arn: {{role_arn}} {{/if}} +{{#if external_id}} +external_id: {{external_id}} +{{/if}} {{#if fips_enabled}} fips_enabled: {{fips_enabled}} {{/if}} diff --git a/packages/tanium/data_stream/discover/agent/stream/aws-s3.yml.hbs b/packages/tanium/data_stream/discover/agent/stream/aws-s3.yml.hbs index 7546d4dd7bc..9c06fbb76c6 100644 --- a/packages/tanium/data_stream/discover/agent/stream/aws-s3.yml.hbs +++ b/packages/tanium/data_stream/discover/agent/stream/aws-s3.yml.hbs @@ -44,6 +44,15 @@ file_selectors: number_of_workers: {{number_of_workers}} {{/if}} +{{#if endpoint}} +endpoint: {{endpoint}} +{{/if}} +{{#if region}} +region: {{region}} +{{/if}} +{{#if default_region}} +default_region: {{default_region}} +{{/if}} {{#if access_key_id}} access_key_id: {{access_key_id}} {{/if}} @@ -62,6 +71,9 @@ shared_credential_file: {{shared_credential_file}} {{#if role_arn}} role_arn: {{role_arn}} {{/if}} +{{#if external_id}} +external_id: {{external_id}} +{{/if}} {{#if fips_enabled}} fips_enabled: {{fips_enabled}} {{/if}} diff --git a/packages/tanium/data_stream/endpoint_config/agent/stream/aws-s3.yml.hbs b/packages/tanium/data_stream/endpoint_config/agent/stream/aws-s3.yml.hbs index 1c86e49ea17..9c06fbb76c6 100644 --- a/packages/tanium/data_stream/endpoint_config/agent/stream/aws-s3.yml.hbs +++ b/packages/tanium/data_stream/endpoint_config/agent/stream/aws-s3.yml.hbs @@ -44,6 +44,15 @@ file_selectors: number_of_workers: {{number_of_workers}} {{/if}} +{{#if endpoint}} +endpoint: {{endpoint}} +{{/if}} +{{#if region}} +region: {{region}} +{{/if}} +{{#if default_region}} +default_region: {{default_region}} +{{/if}} {{#if access_key_id}} access_key_id: {{access_key_id}} {{/if}} @@ -62,8 +71,8 @@ shared_credential_file: {{shared_credential_file}} {{#if role_arn}} role_arn: {{role_arn}} {{/if}} -{{#if endpoint}} -endpoint: {{endpoint}} +{{#if external_id}} +external_id: {{external_id}} {{/if}} {{#if fips_enabled}} fips_enabled: {{fips_enabled}} diff --git a/packages/tanium/data_stream/reporting/agent/stream/aws-s3.yml.hbs b/packages/tanium/data_stream/reporting/agent/stream/aws-s3.yml.hbs index 7546d4dd7bc..9c06fbb76c6 100644 --- a/packages/tanium/data_stream/reporting/agent/stream/aws-s3.yml.hbs +++ b/packages/tanium/data_stream/reporting/agent/stream/aws-s3.yml.hbs @@ -44,6 +44,15 @@ file_selectors: number_of_workers: {{number_of_workers}} {{/if}} +{{#if endpoint}} +endpoint: {{endpoint}} +{{/if}} +{{#if region}} +region: {{region}} +{{/if}} +{{#if default_region}} +default_region: {{default_region}} +{{/if}} {{#if access_key_id}} access_key_id: {{access_key_id}} {{/if}} @@ -62,6 +71,9 @@ shared_credential_file: {{shared_credential_file}} {{#if role_arn}} role_arn: {{role_arn}} {{/if}} +{{#if external_id}} +external_id: {{external_id}} +{{/if}} {{#if fips_enabled}} fips_enabled: {{fips_enabled}} {{/if}} diff --git a/packages/tanium/data_stream/threat_response/agent/stream/aws-s3.yml.hbs b/packages/tanium/data_stream/threat_response/agent/stream/aws-s3.yml.hbs index 7546d4dd7bc..9c06fbb76c6 100644 --- a/packages/tanium/data_stream/threat_response/agent/stream/aws-s3.yml.hbs +++ b/packages/tanium/data_stream/threat_response/agent/stream/aws-s3.yml.hbs @@ -44,6 +44,15 @@ file_selectors: number_of_workers: {{number_of_workers}} {{/if}} +{{#if endpoint}} +endpoint: {{endpoint}} +{{/if}} +{{#if region}} +region: {{region}} +{{/if}} +{{#if default_region}} +default_region: {{default_region}} +{{/if}} {{#if access_key_id}} access_key_id: {{access_key_id}} {{/if}} @@ -62,6 +71,9 @@ shared_credential_file: {{shared_credential_file}} {{#if role_arn}} role_arn: {{role_arn}} {{/if}} +{{#if external_id}} +external_id: {{external_id}} +{{/if}} {{#if fips_enabled}} fips_enabled: {{fips_enabled}} {{/if}} From 578fab9eb9774fec5c23deaadca3a4ace5adcdc0 Mon Sep 17 00:00:00 2001 From: Chris Berkhout Date: Fri, 21 Nov 2025 14:56:32 +0100 Subject: [PATCH 3/5] Match file_selectors description in data_stream/threat_response/manifest.yml to those in other data streams. --- packages/tanium/data_stream/threat_response/manifest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/tanium/data_stream/threat_response/manifest.yml b/packages/tanium/data_stream/threat_response/manifest.yml index c1d18f92c87..4fde76b5e4e 100644 --- a/packages/tanium/data_stream/threat_response/manifest.yml +++ b/packages/tanium/data_stream/threat_response/manifest.yml @@ -75,7 +75,7 @@ streams: show_user: false default: | - regex: "threat_response/" - description: If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Multiple regexes are used [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match any of the regexes will not be processed. + description: If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed. - name: tags type: text title: Tags From 38edcb5abcd840f35fd69eda4227354c5f960fc1 Mon Sep 17 00:00:00 2001 From: Chris Berkhout Date: Fri, 21 Nov 2025 14:57:33 +0100 Subject: [PATCH 4/5] Add var definitions in the top-level manifest for endopint, region, external_id, default_region. --- packages/tanium/manifest.yml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/packages/tanium/manifest.yml b/packages/tanium/manifest.yml index eb80e1030d9..33c8e680a36 100644 --- a/packages/tanium/manifest.yml +++ b/packages/tanium/manifest.yml @@ -124,6 +124,22 @@ policy_templates: required: false show_user: false description: AWS IAM Role to assume. + - name: endpoint + type: text + title: Endpoint + multi: false + required: false + show_user: false + default: "" + description: URL of the entry point for an AWS web service. + - name: region + type: text + title: Region + multi: false + required: false + show_user: false + default: "" + description: The name of the AWS region of the end point. - name: fips_enabled type: bool title: Enable S3 FIPS @@ -132,6 +148,21 @@ policy_templates: required: false show_user: false description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. + - name: external_id + type: text + title: External ID + multi: false + required: false + show_user: false + description: External ID to use when assuming a role in another account, see [the AWS documentation for use of external IDs](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html). + - name: default_region + type: text + title: Default AWS Region + multi: false + required: false + show_user: false + default: "" + description: Default region to use prior to connecting to region specific services/endpoints if no AWS region is set from environment variable, credentials or instance profile. If none of the above are set and no default region is set as well, `us-east-1` is used. A region, either from environment variable, credentials or instance profile or from this default region setting, needs to be set when using regions in non-regular AWS environments such as AWS China or US Government Isolated. - name: proxy_url type: text title: Proxy URL From a86e61904008b1c2700260235e091401b12a0639 Mon Sep 17 00:00:00 2001 From: Chris Berkhout Date: Fri, 21 Nov 2025 15:13:35 +0100 Subject: [PATCH 5/5] Version bump, changelog entry. --- packages/tanium/changelog.yml | 5 +++++ packages/tanium/manifest.yml | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/packages/tanium/changelog.yml b/packages/tanium/changelog.yml index cd049352cf3..aa35e532f24 100644 --- a/packages/tanium/changelog.yml +++ b/packages/tanium/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.17.0" + changes: + - description: Add options to configure non-public S3. + type: enhancement + link: https://github.com/elastic/integrations/pull/16080 - version: "1.16.2" changes: - description: Fix handling of SQS worker count configuration. diff --git a/packages/tanium/manifest.yml b/packages/tanium/manifest.yml index 33c8e680a36..9a417e32bec 100644 --- a/packages/tanium/manifest.yml +++ b/packages/tanium/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.3" name: tanium title: Tanium -version: "1.16.2" +version: "1.17.0" description: This Elastic integration collects logs from Tanium with Elastic Agent. type: integration categories: