This article explains how to connect Tanium to Workbench.
Important
This article is for on-prem Tanium installations only. For Cloud-based Tanium installations, use the Tanium Cloud article instead.
Step 1: Enable console access
Note
Expel secures all login information our SOC analysts need about your devices in a MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.
When you create a Tanium user configuration, by default it has no computer management groups, alternative personas, user groups, or roles until you assign them. A user with no roles can log into the Tanium Console but can't access anything. Don't create configurations for user accounts that you import from an LDAP server. https://docs.tanium.com/platform_user/platform_user/console_users.html#Create
https://docs.tanium.com/platform_user/platform_user/console_users.html#Assign_roles
We use the following Tanium API routes for our integration:
|
Route |
Permission |
|---|---|
|
/api/v2/session/login |
Interact:Login |
|
/api/v2/sensors/by-name |
Interact:Read Sensor |
|
/api/v2/parse_question |
Interact:Ask Dynamic Questions |
|
/api/v2/questions |
|
|
/api/v2/result_data/question/ |
|
|
/plugin/products/detect3/api/v1/alerts |
Threat Response: Detect Alert Read |
|
/plugin/products/detect3/api/v1/intels |
Threat Response: Detect Intel Read |
|
/plugin/products/detect3/api/v1/sources |
Threat Response: Detect Source Read |
|
/plugin/products/detect3/api/v1/intels/<intel id>/labels |
Threat Response: Detect Label Read |
The Interact Basic User role grants us all the necessary permissions we need to access the question/sensor APIs and Interact console. https://docs.tanium.com/interact/interact/requirements.html#table_Interact_module_ roles
The Threat Response Read Only User role grants us all the necessary permissions we need to access the alerts APIs and Threat Response console.
https://docs.tanium.com/threat_response/threat_response/requirements.html#user_roles. If you are using a custom role, we also need Detect Use API permission as well as the necessary permissions to make Threat Response available in console.
The Tanium client uses a username/password combination to create an authenticated session. The returned session token is set on the session header for all later requests.
-
From the Main menu, select Administration > Management > Users.
-
Click New User.
-
Specify a user name that matches one of the following:
-
A user account defined locally on the Tanium Server.
-
A user account defined in your IdP.
-
(Windows only) An AD account name. Specify just the username, not the domain name. Tanium Server uses Windows Authentication, and doesn't store or manage login credentials for the user.
-
-
Save the configuration and get ready to assign roles to a user.
-
From the Main menu, select Administration > Management > Users.
-
Click the User Name of the user configuration that you want to edit.
-
In the Roles and Effective Permissions section, click Manage.
-
In the Grant Roles section, click Edit, select Interact Basic User and Threat Response Read Only User, and click Save.
-
Click Show Preview to Continue to review your changes.
Step 2: Configure the technology in Workbench
-
Login to https://workbench.expel.io.
-
Navigate to Settings > Security Devices.
-
At the top of the page, click Add New Device.
-
Search for and select Tanium.
-
Complete the fields using the credentials and information you collected in Step 1.
-
Name: type the host name of the Tanium device.
-
Location: type the geographic location of the appliance.
-
Username and Password: type the username and password created in Step 1.
-
Server address: type the hostname or IP address of the Tanium device.
-
-
You can provide console access now or set it up later. Use the instructions below to set it up later.
Comments
0 comments
Please sign in to leave a comment.