This article explains how to connect XEM Core to Workbench.

Important

This article is for on-prem Tanium XEM Core installations only. For Cloud-based installations, use the Tanium XEM Core Cloud article instead.

Step 1: Enable console access

Note

Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

When you create a XEM Core user configuration, by default it has no computer management groups, alternative personas, user groups, or roles until you assign them. A user with no roles can log into the Tanium Console but can't access anything. Don't create configurations for user accounts that you import from an LDAP server.

Doc reference: https://help.tanium.com

We use the following Tanium API routes for our integration:

Route

Permission

/api/v2/session/login

Interact:Login

/api/v2/sensors/by-name

Interact:Read Sensor

/api/v2/parse_question

Interact:Ask Dynamic Questions

/api/v2/questions

/api/v2/result_data/question/

/plugin/products/detect3/api/v1/alerts

Threat Response: Detect Alert Read

/plugin/products/detect3/api/v1/intels

Threat Response: Detect Intel Read

/plugin/products/detect3/api/v1/sources

Threat Response: Detect Source Read

/plugin/products/detect3/api/v1/intels/<intel id>/labels

Threat Response: Detect Label Read

The Interact Basic User role grants us all the necessary permissions we need to access the question/sensor APIs and Interact console. https://docs.tanium.com/interact/interact/requirements.html#table_Interact_module_ roles

The Threat Response Read Only User role grants us all the necessary permissions we need to access the alerts APIs and Threat Response console.

https://docs.tanium.com/threat_response/threat_response/requirements.html#user_roles. If you are using a custom role, we also need Detect Use API permission as well as the necessary permissions to make Threat Response available in console.

The Tanium client uses a username/password combination to create an authenticated session. The returned session token is set on the session header for all later requests.

  1. From the Main menu, select Administration > Management > Users.

  2. Click New User.

  3. Specify a user name that matches one of the following:

    • A user account defined locally on the Tanium Server.

    • A user account defined in your IdP.

    • (Windows only) An AD account name. Specify just the username, not the domain name. Tanium Server uses Windows Authentication, and doesn't store or manage login credentials for the user.

  4. Save the configuration and get ready to assign roles to a user.

  5. From the Main menu, select Administration > Management > Users.

  6. Click the User Name of the user configuration that you want to edit.

  7. In the Roles and Effective Permissions section, click Manage.

  8. In the Grant Roles section, click Edit, select Interact Basic User and Threat Response Read Only User, and click Save.

  9. Click Show Preview to Continue to review your changes.

Step 2: Configure the technology in Workbench

  1. Login to https://workbench.expel.io.

  2. Navigate to Settings > Security Devices.

  3. At the top of the page, click Add New Device.

  4. Search for and select Tanium.

    Screen Shot 2021-03-08 at 7.57.56 AM.png
  5. Complete the fields using the credentials and information you collected in Step 1.

    • Name: type the host name of the Tanium device.

    • Location: type the geographic location of the appliance.

    • Username and Password: type the username and password created in Step 1.

    • Server address: type the hostname or IP address of the Tanium device.

  6. You can provide console access now or set it up later. Use the instructions below to set it up later.

Tip

This page was accurate at the time of writing, but changes happen. If you find the instructions are outdated, let us know via your engagement manager or account representative.