• 6 Minutes to read
  • PDF


  • PDF

Article summary

About this document

This document provides the step-by-step procedure to configure Tanium in SAFE.


SAFE seamlessly integrates with Tanium to get the assets and their security misconfigurations into SAFE.

The Tanium integration can be configured by SAFE administrators using the Tanium card available on the SAFE Integrations (on the left navigation).


To configure Tanium in SAFE, you need the following details:

  • An active Tanium user account with both the Comply Report Reviewer and API Gateway User or Gateway User roles (note that the naming of this default system role will depend on your Tanium platform version, Gateway User is the latest updated role name). To create a user profile with these specific roles, ensure you possess a Tanium user role permitting user creation. Detailed instructions can be found in the Create a User section.

  • Server URL: The URL of the user’s Tanium
    https://<Server URL>


The above Tanium URL must be accessible from the public cloud. Refer to SAFE’s Outgoing IP Addresses to get SAFE's outgoing IPs for each region).

Supported Operating System


Operating System (OS)

Windows Servers

Windows Server 2022

Windows Server 2019 (currently supported releases in the Long-Term Servicing Channel and the last supported release in the Semi-Annual Channel)

Windows Server 2016

Windows Server 2012, 2012 R2

Windows Server 2008 R2

Windows Server 2008

Windows Workstation

Windows 11

Windows 10 (currently supported releases in both the Semi-Annual Channel and the Long-Term Servicing Channel)

Windows 8

Windows 7 (SP1)


Amazon Linux 2 LTS

Amazon Linux AMI 2018.3

Amazon Linux AMI 2016.09

Debian 11.x

Debian 10.x

Debian 9.x

Debian 8.x

Debian 7.x, 6.x

Oracle Linux 9.x

Oracle Linux 8.x

Oracle Linux 7.x

Oracle Linux 6.x

Oracle Linux 5.x

Red Hat / AlmaLinux / Rocky Linux 9.x

Red Hat / CentOS / AlmaLinux / Rocky Linux 8.x

Red Hat / CentOS 7.x

Red Hat / CentOS 6.x

Red Hat / CentOS 5.x

SUSE Linux Enterprise Server (SLES) / OpenSUSE 15.x

SUSE Linux Enterprise Server (SLES) / OpenSUSE 12.x

SUSE Linux Enterprise Server (SLES) / OpenSUSE 11.x

Ubuntu 22.04 LTS

Ubuntu 20.04 LTS

Ubuntu 18.04 LTS

Ubuntu 16.04 LTS

Ubuntu 14.04 LTS

Generate Connection Details

Step 1: Create a User in Tanium

  1. Log in to your Tanium account. Make sure you possess a Tanium user role permitting user creation.

  2. Navigate to Administration > Permissions > Users.

  3. Click the New User button.

  4. Fill in the User Details.

  5. Click the Manage Roles button.

  6. Search and select the two roles, Comply Report Reviewer and API Gateway User (or Gateway User if present in your environment).

  7. Click the Apply button. The system displays the selected roles under the Roles section.

  8. Assign Computer Groups to the user as follows:

    1. Scroll down to the Computer Groups section and click the Manage Computer Groups button.

      Tanium 51
    2. Remove the No Computers group and add any in-scope computer groups as required or the All Computers group.

      Tanium 52

      Tanium 53
  9. Scroll down and click the Save button. The system displays the created user on the Users page.


Step 2: Generate API Token

To generate API Token from Tanium:

  1. Login to your Tanium Account with the API Gateway User (or Gateway User) and Comply Report Reviewer roles.

  2. Go to Administration from the Main menu.

  3. Navigate to Permissions > API Tokens.

    Tanium 1
  4. Click New API Token.

    Tanium 2
  5. Enter the Notes and Expiry

  6. In the Trusted IP addresses field, fill in the “Private IP address of the Tanium” and add the SAFE IP addresses based on the region where the safe is deployed. Refer to the List below.

  7. Click the Save button.

    Tanium 3
  8. The system displays the APIToken. Copy the token to use it while configuring Tanium in SAFE.

    Tanium 5

List 1: AWS Region where SAFE is hosted

AWS Region where SAFE is hosted

IP Address

ap-south-1 (Mumbai)

ap-southeast-1 (Singapore)

ap-southeast-2 (Sydney)

eu-central-1 (Frankfurt)

eu-west-2 (London)

us-east-1 (N Virginia)

Configure Tanium Comply in SAFE

Follow the below step-by-step procedure to configure Tanium in SAFE:

  1. Navigate to Integration and click on the Tanium card.

  2. Enter the Tanium Server URL. Here is an example of a Tanium URL https://ec2-18-212-94-62.compute-1.amazonaws.com/

  3. Enter the API Token you generate.

  4. Fill the OS Filter. This filter allows the user to filter the data being fetched from Tanium based on the asset's operating system. If not provided, all assets data to which the user has access will be pulled into SAFE.
    E.g., ubuntu, centos. The filter will work with an exact string match or partial string match. For Ex, An exact String match is like “Ubuntu 20.04.5, “ and a partial match can be “Ubuntu 20“. It will work for both.

  5. Select an auto-sync frequency in the number of days.

  6. Click the Test Connection button.

  7. Once the connection is validated, click the Save button.

  8. Once the configuration is saved, click the Sync Now button to trigger the on-demand sync outside of the scheduled auto sync.

    Tanium 6

View Results

After a successful sync, the Tanium assets are automatically pulled into SAFE.

  • Go to Integrations.

  • Scroll to find the Tanium integration card or search for Tanium in the search bar.

  • Click on the Tanium integration card for Finding View and Asset View.

    • Finding View: This tab displays all the findings details pulled from Tanium.

    • Asset View: This tab displays all the Asset details pulled from Tanium.


1. How does the OS Filter work?

The OS Filter field will take comma-separated values, e.g., ubuntu, centos.

  • The OS Filter list is a positive filter and should specify the OS values intended to be synchronised to SAFE.

  • Filters are not case-sensitive, so any value matching will be handled.

  • Extra spaces at the beginning and end of strings will also be handled and won’t impact the results.

  • Spaces in between strings will impact results, e.g., Red Hat or Cent OS will not be the same as RedHat and CentOS.

  • The filter will work with an exact string match or partial string match. For Ex, an exact String match is like “Ubuntu 20.04.5, “ and a partial match can be “Ubuntu 20“. It will work for both.

2. Is it mandatory to provide an OS Filter in Tanium Configuration?

No, it is not mandatory to provide the filter in Tanium Configuration. The filter helps a user to configure a filter for the assets data that need to be pulled by SAFE. This is useful in case Tanium has a large data set, and the user only wants to import a section of the whole data in SAFE.

3. Where will assets get onboarded?

The asset will get onboarded on the basis of OS to asset type matching criteria. For example, if we have Ubuntu 20.04.5 LTS, it will get mapped to Ubuntu 20.x to Server Vertical. If no match is found, the asset will get onboarded to Others Vertical.

4. How can I check the Sync status for Tanium Integration?

To view the information related to any saved configuration, GET /integrations/:instance_id can be used. It will return all config fields except the fields which are encrypted using the sensitiveFields array. It will also return the information regarding the config state and the current Sync status.

      "id": 1,
      "type": "caplugin",
      "subtype": "tanium",
      "config": {
        "autoSync": 1,
        "serverUrl": "https://ec2-18-212-94-62.compute-1.amazonaws.com",
        "sensitiveFields": [
      "state": {
        "error": "",
        "stage": "COMPLETED",
        "status": 0,
        "message": "Success",
        "lastScanTriggerTs": "2023-01-31T11:03:17.027Z",
        "completionPercentage": 100,
        "lastScanCompletionTs": "2023-01-31T11:11:06.965Z"
      "isEnabled": true,
      "userData": {
        "emailId": "user.test@safe.security"

5. What are the possible values of the state of Tanium sync?

The following are the possible values for the sync stage:




Finished sync


Error occurred during sync


Sync is in progress

Each stage will have its own completion Percentage for reference.

The following are the possible values for sync status:






In Progress



6. What if an already existing SAFE asset is assessed by Tanium sync?

In case an existing asset, for example- a Windows endpoint with the Safe agent installed on it, also gets assessed during a Tanium sync, the following behavior can be expected:

  1. The controls from Tanium will get populated under the existing asset, with the assessment being completed.

  2. The control count for the asset will increase, and there may even be double penalization for a few controls since two different sources are carrying out the assessment. This will affect the asset level score and may even have an effect on PAI.

For the reasons stated above, it is recommended that any such existing asset is first retired from Safe before the Tanium sync is triggered- so that it can be onboarded once again with Tanium as its source. Additionally, the Safe agent should be disabled on the endpoint so that it doesn’t continue sending assessments in the future.

7. Which Tanium APIs are used by the SAFE integration?

Where possible the GraphQL API Gateway is used as this is the newest & preferred option for integrating with Tanium. Some Tanium functionality is not currently supported via the GraphQL Gateway and in these cases the older REST APIs are utilised.

API Endpoint

API Type




Return the active in-scope assets via getMatchingEndpoints query.

Return all the compliance findings corresponding to each asset via endpointComplianceFindings query.



To check accessibility of the Tanium Server URL.



Returns all of the Tanium supported benchmarks.



Returns metadata corresponding to a particular rule.

Was this article helpful?