Tanium

About this document


This document provides the step-by-step procedure to configure Tanium in SAFE.

Introduction


SAFE seamlessly integrates with Tanium to get the assets and their security misconfigurations into SAFE.

The Tanium integration can be configured by SAFE administrators using the Tanium card available on the SAFE Hooks page.

Prerequisites


To configure Tanium in SAFE, you need the following details:

  • An active Tanium user account with both the Comply Report Reviewer role and the API Gateway User or Gateway User role. The name of this default system role depends on your Tanium platform version; Gateway User is the latest role name. To create a user profile with these specific roles, ensure you possess a Tanium user role permitting user creation. Detailed instructions can be found in the Create a User section.
  • Server URL: The URL of the user’s Tanium server.
    Examples:
    https://<Server URL>
    https://ec2-18-212-94-62.compute-1.amazonaws.com/

Note: The above Tanium URL must be accessible from the public cloud. Refer to SAFE’s Outgoing IP Addresses to get SAFE's outgoing IPs for each region.

Supported Operating System


Platform | Operating System (OS)
--- | ---
Windows Servers | Windows Server 2022
Windows Servers | Windows Server 2019 (currently supported releases in the Long-Term Servicing Channel and the last supported release in the Semi-Annual Channel)
Windows Servers | Windows Server 2016
Windows Servers | Windows Server 2012, 2012 R2
Windows Servers | Windows Server 2008 R2
Windows Servers | Windows Server 2008
Windows Workstation | Windows 11
Windows Workstation | Windows 10 (currently supported releases in both the Semi-Annual Channel and the Long-Term Servicing Channel)
Windows Workstation | Windows 8
Windows Workstation | Windows 7 (SP1)
Linux | Amazon Linux 2 LTS
Linux | Amazon Linux AMI 2018.3
Linux | Amazon Linux AMI 2016.09
Linux | Debian 11.x
Linux | Debian 10.x
Linux | Debian 9.x
Linux | Debian 8.x
Linux | Debian 7.x, 6.x
Linux | Oracle Linux 9.x
Linux | Oracle Linux 8.x
Linux | Oracle Linux 7.x
Linux | Oracle Linux 6.x
Linux | Oracle Linux 5.x
Linux | Red Hat / AlmaLinux / Rocky Linux 9.x
Linux | Red Hat / CentOS / AlmaLinux / Rocky Linux 8.x
Linux | Red Hat / CentOS 7.x
Linux | Red Hat / CentOS 6.x
Linux | Red Hat / CentOS 5.x
Linux | SUSE Linux Enterprise Server (SLES) / OpenSUSE 15.x
Linux | SUSE Linux Enterprise Server (SLES) / OpenSUSE 12.x
Linux | SUSE Linux Enterprise Server (SLES) / OpenSUSE 11.x
Linux | Ubuntu 22.04 LTS
Linux | Ubuntu 20.04 LTS
Linux | Ubuntu 18.04 LTS
Linux | Ubuntu 16.04 LTS
Linux | Ubuntu 14.04 LTS

Generate Connection Details


Step 1: Create a User in Tanium

  1. Log in to your Tanium account. Make sure you possess a Tanium user role permitting user creation.
  2. Navigate to Administration > Permissions > Users.
  3. Click the New User button.
  4. Fill in the User Details.
  5. Click the Manage Roles button.
  6. Search and select the two roles, Comply Report Reviewer and API Gateway User (or Gateway User if present in your environment).
  7. Click the Apply button. The system displays the selected roles under the Roles section.
  8. Assign Computer Groups to the user as follows:
    1. Scroll down to the Computer Groups section and click the Manage Computer Groups button.
    2. Remove the No Computers group and add any in-scope computer groups as required or the All Computers group.
  9. Scroll down and click the Save button. The system displays the created user on the Users page.

Step 2: Generate API Token

To generate an API Token from Tanium:

  1. Log in to your Tanium account with the API Gateway User (or Gateway User) and Comply Report Reviewer roles.
  2. Go to Administration from the Main menu.
  3. Navigate to Permissions > API Tokens.
  4. Click New API Token.
  5. Enter the Notes and Expiry.
  6. In the Trusted IP addresses field, enter the private IP address of the Tanium server and add the SAFE IP addresses for the region where SAFE is deployed. Refer to List 1 below.
  7. Click the Save button.
  8. The system displays the API Token. Copy the token to use it while configuring Tanium in SAFE.

List 1: AWS Region where SAFE is hosted

AWS Region where SAFE is hosted | IP Address
--- | ---
ap-south-1 (Mumbai) | 13.232.239.28
ap-southeast-1 (Singapore) | 18.136.219.22
ap-southeast-2 (Sydney) | 54.253.20.235
eu-central-1 (Frankfurt) | 18.184.61.225
eu-west-2 (London) | 35.176.150.139
us-east-1 (N Virginia) | 52.203.84.56

Configure Tanium Comply in SAFE


Follow the step-by-step procedure below to configure Tanium in SAFE:

  1. Navigate to SAFE Hooks and click the Tanium card.
  2. Enter the Tanium Server URL. Here is an example of a Tanium URL: https://ec2-18-212-94-62.compute-1.amazonaws.com/
  3. Enter the API Token you generated.
  4. Fill in the OS Filter. This filter restricts the data fetched from Tanium based on the asset's operating system. If it is not provided, data for all assets to which the user has access will be pulled into SAFE.
    E.g., ubuntu, centos. The filter works with an exact string match or a partial string match. For example, an exact string match is “Ubuntu 20.04.5” and a partial match can be “Ubuntu 20”. It will work for both.
  5. Select an auto-sync frequency in the number of days.
  6. Click the Test Connection button.
  7. Once the connection is validated, click the Save button.
  8. Once the configuration is saved, click the Sync Now button to trigger the on-demand sync outside of the scheduled auto sync.


View Results


After a successful sync, the Tanium assets are automatically pulled into SAFE.

To view the assets pulled from Tanium:

  1. On the Tanium configuration page, click the See Updated Assets option available at the top-right of the History table.
  2. The system redirects you to a filtered asset list.


FAQs


1. How does the OS Filter work?

The OS Filter field takes comma-separated values, e.g., ubuntu, centos.

  • The OS Filter list is a positive filter and should specify the OS values intended to be synchronised to SAFE.
  • Filters are not case-sensitive, so a value matches regardless of case.
  • Extra spaces at the beginning and end of strings are ignored and won’t impact the results.
  • Spaces in between strings will impact results, e.g., Red Hat or Cent OS will not be the same as RedHat and CentOS.
  • The filter works with an exact string match or a partial string match. For example, an exact string match is “Ubuntu 20.04.5” and a partial match can be “Ubuntu 20”. It will work for both.
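
The rules above can be dry-run against an inventory before saving the configuration. This is an added example, not SAFE's own code: the asset list is constructed, the function names are hypothetical, and "partial match" is assumed to mean substring containment. It also reports filter terms that matched nothing, which is how the internal-space pitfall (Red Hat vs RedHat) shows up.

```python
# Constructed sample inventory (hostname, OS string); not real Tanium data.
SAMPLE_ASSETS = [
    ("web-01", "Ubuntu 20.04.5 LTS"),
    ("db-01", "CentOS Linux 7.9"),
    ("app-01", "Red Hat Enterprise Linux 8.6"),
    ("wks-01", "Windows 10 Enterprise"),
]

def parse_os_filter(raw):
    """Split the comma-separated field; trim outer spaces and lower-case each term."""
    return [t.strip().lower() for t in (raw or "").split(",") if t.strip()]

def preview_os_filter(assets, raw_filter):
    """Return (included hosts, excluded hosts, filter terms that matched nothing)."""
    terms = parse_os_filter(raw_filter)
    hits = dict.fromkeys(terms, 0)
    included, excluded = [], []
    for host, os_name in assets:
        name = os_name.lower()
        # Assumption: a "partial match" is substring containment.
        matched = [t for t in terms if t in name]
        for t in matched:
            hits[t] += 1
        # An empty filter is a pass-through: every accessible asset is synced.
        (included if not terms or matched else excluded).append(host)
    unused = [t for t, n in hits.items() if n == 0]
    return included, excluded, unused

if __name__ == "__main__":
    for raw in (" Ubuntu 20 , centos ", "RedHat, Cent OS", ""):
        print(repr(raw), preview_os_filter(SAMPLE_ASSETS, raw))
```

A non-empty third element means part of the intended scope is silently missing from SAFE, so those assets would carry no Tanium findings.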

2. Is it mandatory to provide an OS Filter in Tanium Configuration?

No, it is not mandatory to provide the filter in Tanium Configuration. The filter lets a user limit the asset data that SAFE pulls. This is useful when Tanium holds a large data set and the user wants to import only a section of that data into SAFE.

3. Where will assets get onboarded?

The asset is onboarded on the basis of OS-to-asset-type matching criteria. For example, an asset running Ubuntu 20.04.5 LTS is mapped to the Ubuntu 20.x asset type in the Server Vertical. If no match is found, the asset is onboarded to the Others Vertical.

4. How can I check the Sync status for Tanium Integration?

To view the information related to any saved configuration, use GET /integrations/:instance_id. It returns all config fields except the encrypted fields, which are listed in the sensitiveFields array. It also returns the config state and the current sync status.

{
  "id": 1,
  "type": "caplugin",
  "subtype": "tanium",
  "config": {
    "autoSync": 1,
    "serverUrl": "https://ec2-18-212-94-62.compute-1.amazonaws.com",
    "sensitiveFields": [
      "apiToken"
    ]
  },
  "state": {
    "error": "",
    "stage": "COMPLETED",
    "status": 0,
    "message": "Success",
    "lastScanTriggerTs": "2023-01-31T11:03:17.027Z",
    "completionPercentage": 100,
    "lastScanCompletionTs": "2023-01-31T11:11:06.965Z"
  },
  "isEnabled": true,
  "userData": {
    "emailId": "user.test@safe.security"
  }
}

5. What are the possible values of the state of Tanium sync?

The following are the possible values for the sync stage:

Stage | Meaning
--- | ---
COMPLETED | Finished sync
ERROR | Error occurred during sync
IN PROGRESS | Sync is in progress

Each stage will have its own completion percentage for reference.

The following are the possible values for sync status:

Status | Meaning
--- | ---
0 | Success
1 | In Progress
2 | Error
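
A monitoring job can evaluate the record from FAQ 4 against the stage and status values listed here. This is an added example, not part of the SAFE product: the record is constructed and trimmed from the sample above, the function names are hypothetical, and it assumes autoSync is the auto-sync frequency in days. It also checks that no field named in sensitiveFields is returned in the config body.

```python
import json
from datetime import datetime, timedelta, timezone

STAGES = {"COMPLETED", "ERROR", "IN PROGRESS"}           # stage values from FAQ 5
STATUSES = {0: "Success", 1: "In Progress", 2: "Error"}  # status codes from FAQ 5

# Constructed record, trimmed from the sample response in FAQ 4.
SAMPLE = json.loads("""{
  "config": {"autoSync": 1, "serverUrl": "https://tanium.example.invalid",
             "sensitiveFields": ["apiToken"]},
  "state": {"error": "", "stage": "COMPLETED", "status": 0,
            "lastScanCompletionTs": "2023-01-31T11:11:06.965Z"}
}""")

def parse_ts(value):
    """Parse the UTC timestamp format used in the sample response."""
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
    return parsed.replace(tzinfo=timezone.utc)

def review_integration(doc, now):
    """Return a list of findings for one integration record (empty = healthy)."""
    cfg, state = doc.get("config", {}), doc.get("state", {})
    findings = []
    # Fields named in sensitiveFields should never come back in the config body.
    for name in cfg.get("sensitiveFields", []):
        if name in cfg:
            findings.append(f"sensitive field returned in response: {name}")
    stage, status = state.get("stage"), state.get("status")
    if stage not in STAGES or status not in STATUSES:
        findings.append(f"unrecognised state: stage={stage!r} status={status!r}")
    elif stage == "ERROR" or status == 2:
        findings.append(f"sync failed: {state.get('error') or 'no error text'}")
    elif stage == "COMPLETED":
        # Assumption: autoSync is the sync frequency in days; a result older
        # than two intervals means a scheduled sync was missed.
        age = now - parse_ts(state["lastScanCompletionTs"])
        if age > timedelta(days=2 * cfg.get("autoSync", 1)):
            findings.append(f"stale data: last completed sync {age.days} days ago")
    return findings

if __name__ == "__main__":
    print(review_integration(SAMPLE, datetime.now(timezone.utc)))
```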

6. What if an already existing SAFE asset is assessed by Tanium sync?

If an existing asset (for example, a Windows endpoint with the SAFE agent installed on it) also gets assessed during a Tanium sync, the following behavior can be expected:

  1. The controls from Tanium will get populated under the existing asset, with the assessment being completed.
  2. The control count for the asset will increase, and there may even be double penalization for a few controls since two different sources are carrying out the assessment. This will affect the asset level score and may even have an effect on PAI.

For the reasons stated above, it is recommended that any such existing asset is first retired from SAFE before the Tanium sync is triggered, so that it can be onboarded once again with Tanium as its source. Additionally, the SAFE agent should be disabled on the endpoint so that it doesn’t continue sending assessments in the future.

7. Which Tanium APIs are used by the SAFE integration?

Where possible, the GraphQL API Gateway is used, as this is the newest and preferred option for integrating with Tanium. Some Tanium functionality is not currently supported via the GraphQL Gateway, and in these cases the older REST APIs are utilised.

API Endpoint | API Type | Comments
--- | --- | ---
/plugin/products/gateway/graphql | GraphQL | Returns the active in-scope assets via the getMatchingEndpoints query. Returns all the compliance findings corresponding to each asset via the endpointComplianceFindings query.
/plugin/products/comply/v1/results/aggregate | REST API | To check accessibility of the Tanium Server URL.
/plugin/products/comply/v1/benchmarks? | REST API | Returns all of the Tanium supported benchmarks.
/plugin/products/comply/v1/benchmarks/${id}/rules/${ruleId} | REST API | Returns metadata corresponding to a particular rule.


