
Important

This article is for on-prem Tanium installations only. For Cloud-based Tanium installations, use the Tanium Cloud article instead.

Tip

This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!

Step 1: Enable console access

When you create a Tanium user configuration, by default it has no computer management groups, alternative personas, user groups, or roles until you assign them. A user with no roles can log into the Tanium Console but can't access anything. Don't create configurations for user accounts that you import from an LDAP server.

https://docs.tanium.com/platform_user/platform_user/console_users.html#Create

https://docs.tanium.com/platform_user/platform_user/console_users.html#Assign_roles

We use the following Tanium API routes for our integration:

| Route | Permission |
| --- | --- |
| /api/v2/session/login | Interact:Login |
| /api/v2/sensors/by-name | Interact:Read Sensor |
| /api/v2/parse_question | Interact:Ask Dynamic Questions |
| /api/v2/questions | |
| /api/v2/result_data/question/ | |
| /plugin/products/detect3/api/v1/alerts | Threat Response: Detect Alert Read |
| /plugin/products/detect3/api/v1/intels | Threat Response: Detect Intel Read |
| /plugin/products/detect3/api/v1/sources | Threat Response: Detect Source Read |
| /plugin/products/detect3/api/v1/intels/<intel id>/labels | Threat Response: Detect Label Read |

The Interact Basic User role grants all the permissions we need to access the question/sensor APIs and the Interact console. https://docs.tanium.com/interact/interact/requirements.html#table_Interact_module_roles

The Threat Response Read Only User role grants all the permissions we need to access the alerts APIs and the Threat Response console. https://docs.tanium.com/threat_response/threat_response/requirements.html#user_roles

If you are using a custom role, we also need the Detect Use API permission and the permissions required to make Threat Response available in the console.

The Tanium client uses a username/password combination to create an authenticated session. The returned session token is set on the session header for all later requests.

  1. From the Main menu, select Administration > Management > Users.

  2. Click New User.

  3. Specify a user name that matches one of the following:

    • A user account defined locally on the Tanium Server.

    • A user account defined in your IdP.

    • (Windows only) An AD account name. Specify just the username, not the domain name. The Tanium Server uses Windows Authentication, and doesn't store or manage login credentials for the user.

  4. Save the configuration and get ready to assign roles to a user.

  5. From the Main menu, select Administration > Management > Users.

  6. Click the User Name of the user configuration that you want to edit.

  7. In the Roles and Effective Permissions section, click Manage.

  8. In the Grant Roles section, click Edit, select Interact Basic User and Threat Response Read Only User, and click Save.

  9. Click Show Preview to Continue to review your changes.

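To check the new account before entering it in Workbench, this added example (not code from Expel or Tanium) walks through the session flow described above: log in, take the returned token, and send it in the session header on the Threat Response read routes. It runs against a constructed local stub so it works offline; the JSON login body, the data.session response field, the 403 status and the expel-svc credentials are assumptions, and a real Tanium Server would be reached over HTTPS at its server address.

```python
import json, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN = "constructed-session-token"  # constructed sample value
STUB_USER = {"username": "expel-svc", "password": "constructed-pw"}  # constructed
ROUTES = ["/plugin/products/detect3/api/v1/alerts",   # read routes from the table
          "/plugin/products/detect3/api/v1/intels",
          "/plugin/products/detect3/api/v1/sources"]
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env

class StubTanium(BaseHTTPRequestHandler):  # constructed stand-in so this runs offline
    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
    def do_POST(self):  # login: issue a token only for the known credentials
        creds = json.loads(self.rfile.read(int(self.headers["Content-Length"])))
        ok = self.path == "/api/v2/session/login" and creds == STUB_USER
        self._send(200 if ok else 403, {"data": {"session": TOKEN}} if ok else {})
    def do_GET(self):  # every other route requires the token in the session header
        self._send(200 if self.headers.get("session") == TOKEN else 403, {})
    def log_message(self, *args): pass  # keep the example quiet

def start_stub():  # bind to a free loopback port and serve in the background
    server = HTTPServer(("127.0.0.1", 0), StubTanium)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_port

def login(base, username, password):  # POST credentials, return the session token
    body = json.dumps({"username": username, "password": password}).encode()
    req = urllib.request.Request(base + "/api/v2/session/login", data=body)
    with OPENER.open(req, timeout=10) as resp:
        return json.load(resp)["data"]["session"]  # response shape is an assumption

def probe(base, token):  # GET each read route with the token; map route -> status
    results = {}
    for route in ROUTES:
        req = urllib.request.Request(base + route, headers={"session": token})
        try:
            with OPENER.open(req, timeout=10) as resp:
                results[route] = resp.status
        except urllib.error.HTTPError as err:
            results[route] = err.code  # record the refusal instead of raising
    return results

if __name__ == "__main__":
    _, base = start_stub()
    print(probe(base, login(base, **STUB_USER)))
```

A route that does not return 200 for the service account points at a role or permission from the table that is not yet assigned.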

Step 2: Configure the technology in Workbench

  1. Log in to https://workbench.expel.io.

  2. Navigate to Settings > Security Devices.

  3. At the top of the page, click Add New Device.

  4. Search for and select Tanium.

  5. Complete the fields using the credentials and information you collected in Step 1.

    • Name: type the host name of the Tanium device.

    • Location: type the geographic location of the appliance.

    • Server address: type the hostname or IP address of the Tanium device.

    • Username and Password: type the username and password created in Step 1.