This article explains how to connect XEM Core to Workbench.
Note
This article is for on-prem Tanium XEM Core installations only. For Cloud-based installations, use the Tanium XEM Core Cloud article instead.
Step 1: Enable console access
Having read-only access to the interface of your technology allows Expel to dig deeper during incident investigations. Our device health team uses this access to investigate potential health issues with your tech.
Note
Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.
When you create an XEM Core user configuration, by default it has no computer management groups, alternative personas, user groups, or roles until you assign them. A user with no roles can log into the Tanium Console but can't access anything. Don't create configurations for user accounts that you import from an LDAP server.
Doc reference: https://help.tanium.com
We use the following Tanium API routes for our integration:
| Route | Permission |
|---|---|
| /api/v2/session/login | Interact:Login |
| /api/v2/sensors/by-name | Interact:Read Sensor |
| /api/v2/parse_question | Interact:Ask Dynamic Questions |
| /api/v2/questions | |
| /api/v2/result_data/question/ | |
| /plugin/products/detect3/api/v1/alerts | Threat Response: Detect Alert Read |
| /plugin/products/detect3/api/v1/intels | Threat Response: Detect Intel Read |
| /plugin/products/detect3/api/v1/sources | Threat Response: Detect Source Read |
| /plugin/products/detect3/api/v1/intels/<intel id>/labels | Threat Response: Detect Label Read |
The Interact Basic User role grants all the permissions we need to access the question/sensor APIs and the Interact console: https://docs.tanium.com/interact/interact/requirements.html#table_Interact_module_roles
The Threat Response Read Only User role grants all the permissions we need to access the alerts APIs and the Threat Response console: https://docs.tanium.com/threat_response/threat_response/requirements.html#user_roles. If you are using a custom role, we also need the Detect Use API permission, as well as the permissions required to make Threat Response available in the console.
The Tanium client uses a username/password combination to create an authenticated session. The returned session token is set on the session header for all later requests.
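The login-then-session-header flow described above, as an added example (not Expel's or Tanium's code). It assumes the login route takes JSON credentials and returns the token at data.session, and that later requests carry the token in a "session" header; the transport is pluggable, and the included fake server, host name, user and token are constructed so the flow runs offline.

```python
LOGIN_ROUTE = "/api/v2/session/login"
ALERTS_ROUTE = "/plugin/products/detect3/api/v1/alerts"

class TaniumSession:
    # transport(method, url, headers, json_body) -> (status, json_body); pluggable for offline use
    def __init__(self, base_url, transport):
        self.base_url, self.transport, self.token = base_url.rstrip("/"), transport, None

    def login(self, username, password):
        # Assumed request/response shape: JSON credentials in, token returned at data.session
        status, body = self.transport("POST", self.base_url + LOGIN_ROUTE, {},
                                      {"username": username, "password": password})
        if status != 200:
            raise PermissionError(f"login rejected with HTTP {status}")
        self.token = body["data"]["session"]
        return self.token

    def get(self, route):
        if self.token is None:
            raise RuntimeError("call login() first; every later request carries the session header")
        # Assumed header name: the token travels in a "session" header on each request
        status, body = self.transport("GET", self.base_url + route, {"session": self.token}, None)
        if status == 403:
            raise PermissionError(f"the assigned role lacks the permission needed for {route}")
        if status != 200:
            raise RuntimeError(f"{route} returned HTTP {status}")
        return body

# Constructed stand-in for a Tanium Server so the flow runs offline (not a real host or secret)
FAKE_HOST = "https://tanium.example.internal"
FAKE_USER, FAKE_PASS, FAKE_TOKEN = "expel-readonly", "constructed-secret", "constructed-token"

def fake_tanium(method, url, headers, body):
    route = url[len(FAKE_HOST):]
    if method == "POST" and route == LOGIN_ROUTE:
        if body == {"username": FAKE_USER, "password": FAKE_PASS}:
            return 200, {"data": {"session": FAKE_TOKEN}}
        return 401, {"text": "Unauthorized"}
    if headers.get("session") != FAKE_TOKEN:  # missing or invalid session header -> forbidden
        return 403, {"text": "Forbidden"}
    if route == ALERTS_ROUTE:
        return 200, {"data": [{"id": 1, "type": "detect.match", "state": "unresolved"}]}
    return 404, {"text": "Not Found"}

def fetch_alerts(username, password):
    # Log in, then read alerts with the session header set: the integration's request pattern
    client = TaniumSession(FAKE_HOST, fake_tanium)
    client.login(username, password)
    return client.get(ALERTS_ROUTE)["data"]
```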
1. From the Main menu, select Administration > Management > Users.
2. Click New User.
3. Specify a user name that matches one of the following:
   - A user account defined locally on the Tanium Server.
   - A user account defined in your IdP.
   - (Windows only) An AD account name. Specify just the username, not the domain name. Tanium Server uses Windows Authentication, and doesn't store or manage login credentials for the user.
4. Save the configuration and get ready to assign roles to a user.
5. From the Main menu, select Administration > Management > Users.
6. Click the User Name of the user configuration that you want to edit.
7. In the Roles and Effective Permissions section, click Manage.
8. In the Grant Roles section, click Edit, select Interact Basic User and Threat Response Read Only User, and click Save.
9. Click Show Preview to Continue to review your changes.
Step 2: Configure the technology in Workbench
Now that we have the correct access configured and noted the credentials, we can integrate your tech with Workbench.
1. Log in to https://workbench.expel.io.
2. Navigate to Settings > Security Devices.
3. At the top of the page, click Add New Device.
4. Search for and select Tanium.
5. Complete the fields using the credentials and information you collected in Step 1.
   - Name: type the host name of the Tanium device.
   - Location: type the geographic location of the appliance.
   - Username and Password: type the username and password created in Step 1.
   - Server address: type the hostname or IP address of the Tanium device.
6. Click Save.
7. You can provide console access now or set it up later. Use the instructions below to set it up later.
You can see if the device is healthy on the Security Devices page. It may take a few minutes to see the device listed as healthy.
To check if alerts are coming through, navigate to the Alerts Analysis page. Scroll to the device you want to check and click View alerts. Switch to grid view, then check the list for device alerts. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.
Step 3: Edit the device to add console access
Expel needs console access to your device to allow our SOC analysts to dig deeper during incident investigations. Additionally, our engineering teams use this access to investigate potential health issues, including proper alert ingestion.
Note
Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.
1. Open Workbench. Go to Organization Settings > Security Devices. Next to the device you just connected, click the down arrow and click Edit.
2. In the Console Login area, type these details:
   - Console URL: type the console URL from the Server address in the Connection Settings area above. At the end of the URL, type /login.
   - Username: type the user name you created above.
   - Password: type the password you created above.
   - Two-factor secret key (32-character code): depending on how your organization enforces logins, this field may not apply to you. In these cases, you can leave it blank. This field is optional; if you have questions or concerns, reach out to your engagement manager or to support.
3. Click Save.