This article provides prerequisites and onboarding steps for connecting your XEM Core Cloud installation to the Expel Workbench.

Step 1: Enable console access

When you create a XEM Core user configuration, by default it has no computer management groups, alternative personas, user groups, or roles until you assign them. A user with no roles can log into the Tanium Console but can't access anything. Don't create configurations for user accounts that you import from an LDAP server.

Doc reference:

We use the following Tanium API routes for our integration:






Interact:Read Sensor


Interact:Ask Dynamic Questions




Threat Response: Detect Alert Read


Threat Response: Detect Intel Read


Threat Response: Detect Source Read

/plugin/products/detect3/api/v1/intels/<intel id>/labels

Threat Response: Detect Label Read

The Interact Basic Userrole grants us all the necessary permissions we need to access the question/sensor APIs and Interact console.

The Threat Response Read Only User role grants us all the necessary permissions we need to access the alerts APIs and Threat Response console.

If you are using a custom role, we also need Detect Use API permission as well as the necessary permissions to make Threat Response available in console.

The Tanium client uses a username/password combination to create an authenticated session. The returned session token is set in the session header for all subsequent requests.

  1. From the Main menu, select Administration > Management > Users.

  2. Click New User.

  3. Specify a user name that matches 1 of the following:

    • A user account defined locally on the Tanium Server.

    • A user account defined in your IdP.

    • (Windows only) An AD account name. Specify just the user name, not the domain name. The Tanium Server uses Windows Authentication, and doesn't store or manage login credentials for the user.

  4. Save the configuration and get ready to assign roles to a user.

  5. From the main menu, select Administration > Management > Users.

  6. Click the User Name of the user configuration that you want to edit.

  7. In the Roles and Effective Permissions section, click Manage.

  8. In the Grant Roles section, click Edit, select Interact Basic User and Threat Response Read Only User, and click Save.

  9. Click Show Preview to Continue to review the impact of your changes.

Step 2: Create an API Token

  1. Sign into the Tanium Console as the user and persona for whom you want to create a token.


    The authentication credentials and authorization permissions of a token are those of the requesting persona. To limit access to computer groups and content sets, create a persona with the desired permissions and then sign in with the new persona.

  2. From the Main menu, go to Administration > Permissions > API Tokens.

  3. Click New API Token and configure the token settings:

    • Notes (optional): type a description of the purpose for this token.

    • Expire in days: type the expiration interval 365. By default, the maximum interval is 365 days. If you don't enter a value, the interval defaults to 7 days.

  4. Trusted IP addresses: Enter the external IP addresses of the systems from which you will use this token to authenticate with the Tanium Server. Use commas or line breaks to separate multiple entries. Expel uses a group of static egress IP addresses to complete polling of the security device and for console access. Add the following IPs to the Trusted IP address list:

  5. Click Save and review the token details.

  6. Copy the token to your clipboard and store as you need this to add this to Workbench.


    You cannot view the token in the Tanium Console after the visibility timeout (5 minutes) expires, or you refresh the API Tokens page or grid, or you navigate to another console page.

Step 3: Configure the technology in Workbench

  1. Login to

  2. Navigate to Settings > Security Devices.

  3. At the top of the page, click Add New Device.

  4. Search for and select your technology (Tanium).

  5. Complete the fields as follows:

    • For Name, type the host name of the Tanium device.

    • For Location, type the geographic location of the appliance.

    • For Server address, type your Tanium Cloud URL.

    • For Username and Password, type the username and password created in Step 1.

    • For Token, type the API token that you created in Step 2.


This page was accurate at the time of writing, but changes happen. If you find the instructions are outdated, let us know via your engagement manager or account representative.