Important
This article is for on-prem Tanium installations only. For Cloud-based Tanium installations, use the Tanium Cloud article instead.
Tip
This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!
Step 1: Enable console access
When you create a Tanium user configuration, by default it has no computer management groups, alternative personas, user groups, or roles until you assign them. A user with no roles can log into the Tanium Console but can't access anything. Don't create configurations for user accounts that you import from an LDAP server.
https://docs.tanium.com/platform_user/platform_user/console_users.html#Create
https://docs.tanium.com/platform_user/platform_user/console_users.html#Assign_roles
We use the following Tanium API routes for our integration:
| Route | Permission |
| --- | --- |
| /api/v2/session/login | Interact:Login |
| /api/v2/sensors/by-name | Interact:Read Sensor |
| /api/v2/parse_question | Interact:Ask Dynamic Questions |
| /api/v2/questions | |
| /api/v2/result_data/question/ | |
| /plugin/products/detect3/api/v1/alerts | Threat Response: Detect Alert Read |
| /plugin/products/detect3/api/v1/intels | Threat Response: Detect Intel Read |
| /plugin/products/detect3/api/v1/sources | Threat Response: Detect Source Read |
| /plugin/products/detect3/api/v1/intels/<intel id>/labels | Threat Response: Detect Label Read |
The Interact Basic User role grants all the permissions we need to access the question/sensor APIs and the Interact console.
https://docs.tanium.com/interact/interact/requirements.html#table_Interact_module_roles
The Threat Response Read Only User role grants all the permissions we need to access the alerts APIs and the Threat Response console.
https://docs.tanium.com/threat_response/threat_response/requirements.html#user_roles
If you use a custom role, we also need the Detect Use API permission and the permissions that make Threat Response available in the console.
The Tanium client uses a username/password combination to create an authenticated session. The returned session token is set on the session header for all later requests.
- From the Main menu, select Administration > Management > Users.
- Click New User.
- Specify a user name that matches one of the following:
  - A user account defined locally on the Tanium Server.
  - A user account defined in your IdP.
  - (Windows only) An AD account name. Specify just the username, not the domain name. Tanium Server uses Windows Authentication, and doesn't store or manage login credentials for the user.
- Save the configuration and get ready to assign roles to a user.

- From the Main menu, select Administration > Management > Users.
- Click the User Name of the user configuration that you want to edit.
- In the Roles and Effective Permissions section, click Manage.
- In the Grant Roles section, click Edit, select Interact Basic User and Threat Response Read Only User, and click Save.
- Click Show Preview to Continue to review your changes.
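To confirm the account from Step 1 before entering it in Workbench, this added example (not Expel's or Tanium's code) logs in, sends the returned token in the session header as described above, and reports which Threat Response read routes from the table refuse it. The JSON login body, the `data.session` response field, and the plain GET probes are assumptions about the Tanium API.

```python
import json
import urllib.error
import urllib.request

# Threat Response read routes from the table above, probed with a plain GET.
READ_ROUTES = [
    "/plugin/products/detect3/api/v1/alerts",
    "/plugin/products/detect3/api/v1/intels",
    "/plugin/products/detect3/api/v1/sources",
]


def _call(opener, req):
    """Return (status, parsed JSON or None); HTTP errors become a status."""
    try:
        with opener(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, None


def check_account(base_url, username, password, opener=urllib.request.urlopen):
    """Log in, then probe each read route with the session token.

    Assumption: the login response carries the token at data.session.
    Returns {route: HTTP status}.
    """
    base_url = base_url.rstrip("/")
    if not base_url.startswith("https://"):
        raise ValueError("refusing to send credentials over a non-TLS URL")
    body = json.dumps({"username": username, "password": password}).encode()
    login = urllib.request.Request(
        base_url + "/api/v2/session/login", data=body, method="POST",
        headers={"Content-Type": "application/json"})
    status, payload = _call(opener, login)
    results = {"/api/v2/session/login": status}
    if status != 200 or not payload:
        return results  # bad credentials or no login permission
    token = payload["data"]["session"]
    for route in READ_ROUTES:
        # The token goes in the `session` header on every later request.
        req = urllib.request.Request(base_url + route, headers={"session": token})
        results[route] = _call(opener, req)[0]
    return results


def missing_permissions(results):
    """Routes that did not answer 200; 401/403 usually means a missing role."""
    return sorted(route for route, status in results.items() if status != 200)
```

Pass the result of `check_account` to `missing_permissions`; an empty list means the login and all three read routes answered 200.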
Step 2: Configure the technology in Workbench
- Log in to https://workbench.expel.io.
- Navigate to Settings > Security Devices.
- At the top of the page, click Add New Device.
- Search for and select Tanium.
- Complete the fields using the credentials and information you collected in Step 1.
  - Name: type the host name of the Tanium device.
  - Location: type the geographic location of the appliance.
  - Username and Password: type the username and password created in Step 1.
  - Server address: type the hostname or IP address of the Tanium device.
- You can provide console access now or set it up later. Use the instructions below to set it up later.