Tanium
About this document
This document provides the step-by-step procedure to configure Tanium in SAFE.
Introduction
SAFE integrates with Tanium, a top-tier endpoint security management platform, to import assets and their security misconfigurations into SAFE.
The Tanium integration can be configured by SAFE administrators using the Tanium card available on the SAFE Hooks page.
Prerequisites
To configure Tanium in SAFE, you need the following details:
- Server URL: The URL of the user’s Tanium server.
Examples:
https://<Server URL>
https://ec2-18-212-94-62.compute-1.amazonaws.com/
- API Token: Creating an API Token requires the API Gateway User role. This is a one-time process.
Supported Operating System
Platform | Operating System (OS) |
---|---|
Windows Servers | Windows Server 2022 |
Windows Servers | Windows Server 2019 (currently supported releases in the Long-Term Servicing Channel and the last supported release in the Semi-Annual Channel) |
Windows Servers | Windows Server 2016 |
Windows Servers | Windows Server 2012, 2012 R2 |
Windows Servers | Windows Server 2008 R2 |
Windows Servers | Windows Server 2008 |
Windows Workstation | Windows 11 |
Windows Workstation | Windows 10 (currently supported releases in both the Semi-Annual Channel and the Long-Term Servicing Channel) |
Windows Workstation | Windows 8 |
Windows Workstation | Windows 7 (SP1) |
Linux | Amazon Linux 2 LTS |
Linux | Amazon Linux AMI 2018.3 |
Linux | Amazon Linux AMI 2016.09 |
Linux | Debian 11.x |
Linux | Debian 10.x |
Linux | Debian 9.x |
Linux | Debian 8.x |
Linux | Debian 7.x, 6.x |
Linux | Oracle Linux 9.x |
Linux | Oracle Linux 8.x |
Linux | Oracle Linux 7.x |
Linux | Oracle Linux 6.x |
Linux | Oracle Linux 5.x |
Linux | Red Hat / AlmaLinux / Rocky Linux 9.x |
Linux | Red Hat / CentOS / AlmaLinux / Rocky Linux 8.x |
Linux | Red Hat / CentOS 7.x |
Linux | Red Hat / CentOS 6.x |
Linux | Red Hat / CentOS 5.x |
Linux | SUSE Linux Enterprise Server (SLES) / OpenSUSE 15.x |
Linux | SUSE Linux Enterprise Server (SLES) / OpenSUSE 12.x |
Linux | SUSE Linux Enterprise Server (SLES) / OpenSUSE 11.x |
Linux | Ubuntu 22.04 LTS |
Linux | Ubuntu 20.04 LTS |
Linux | Ubuntu 18.04 LTS |
Linux | Ubuntu 16.04 LTS |
Linux | Ubuntu 14.04 LTS |
Generate API Token
To generate an API Token from Tanium:
- Log in to your Tanium account with the API Gateway User role.
- Go to Administration from the Main menu.
- Navigate to Permissions > API Tokens.
- Click New API Token.
- Enter the Notes and Expiry.
- In the Trusted IP addresses field, enter the private IP address of the Tanium server and add the SAFE IP addresses for the region where SAFE is deployed. Refer to the list below.
- Click the Save button.
- The system displays the API Token. Copy the token to use it while configuring Tanium in SAFE.
AWS Region where SAFE is hosted | IP Address |
---|---|
ap-south-1 (Mumbai) | 13.232.239.28 |
ap-southeast-1 (Singapore) | 18.136.219.22 |
ap-southeast-2 (Sydney) | 54.253.20.235 |
eu-central-1 (Frankfurt) | 18.184.61.225 |
eu-west-2 (London) | 35.176.150.139 |
us-east-1 (N Virginia) | 52.203.84.56 |
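
A pre-save check for the Trusted IP addresses list, added here as an example (it is not SAFE or Tanium code). It assumes the token is used only by SAFE, so anything beyond the Tanium private IP and the SAFE address for the deployed region is flagged; `review_trusted_ips` and the 10.0.0.5 address in the test are hypothetical.

```python
import ipaddress

# SAFE addresses per AWS region, copied from the table on this page.
SAFE_IPS = {
    "ap-south-1": "13.232.239.28",
    "ap-southeast-1": "18.136.219.22",
    "ap-southeast-2": "54.253.20.235",
    "eu-central-1": "18.184.61.225",
    "eu-west-2": "35.176.150.139",
    "us-east-1": "52.203.84.56",
}

def review_trusted_ips(entries, region, tanium_private_ip):
    """Return findings for the list an admin intends to enter as trusted IPs."""
    findings = []
    tanium = ipaddress.ip_address(tanium_private_ip)
    if not tanium.is_private:
        findings.append(f"Tanium address is not private: {tanium}")
    required = {tanium, ipaddress.ip_address(SAFE_IPS[region])}
    seen = set()
    for raw in entries:
        try:
            # strict=False lets "13.232.239.28/24" parse as its enclosing network
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            findings.append(f"not an IP address: {raw!r}")
            continue
        if net.num_addresses > 1:
            # A range trusts every host in it, not just SAFE or Tanium.
            findings.append(f"range wider than one host: {net}")
            seen.update(a for a in required if a in net)
            continue
        addr = net.network_address
        seen.add(addr)
        if addr not in required:
            findings.append(f"not needed for this integration: {addr}")
    for addr in sorted(required - seen):
        findings.append(f"missing required address: {addr}")
    return findings
```

An empty result means the list contains exactly the two addresses the procedure calls for.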
Configure Tanium Comply in SAFE
Follow the step-by-step procedure below to configure Tanium in SAFE:
- Navigate to SAFE Hooks and click the Tanium card.
- Enter the Tanium Server URL. Here is an example of a Tanium URL: https://ec2-18-212-94-62.compute-1.amazonaws.com/
- Enter the API Token you generated.
- Fill in the OS Filter. This filter allows the user to filter the data being fetched from Tanium based on the asset's operating system. If it is not provided, the data for all assets to which the user has access will be pulled into SAFE.
E.g., ubuntu, centos. The filter works with an exact or a partial string match. For example, an exact string match is “Ubuntu 20.04.5” and a partial match can be “Ubuntu 20”. It will work for both.
- Select an auto-sync frequency in the number of days.
- Click the Test Connection button.
- Once the connection is validated, click the Save button.
- Once the configuration is saved, click the Sync Now button to trigger an on-demand sync outside of the scheduled auto sync.
View Results
After a successful sync, the Tanium assets are automatically imported into SAFE.
To view the assets pulled from Tanium Comply:
- Navigate to Technology > Assets.
- Filter the assets with Source as security.safe.saas.tanium.
- Click on the Asset name.
- The system displays all the controls and their status.
- Click on the Control Name. The observation section shows the ID and the Status of the control.
FAQs
1. How does OS Filter work?
The OS Filter field takes comma-separated values, e.g., ubuntu, centos
- Filters are not case-sensitive, so a value matches regardless of case.
- Extra spaces at the beginning and end of strings are handled and won’t impact the results.
- Spaces in between strings will impact results, e.g., Red Hat or Cent OS will not be the same as RedHat and CentOS.
- The filter works with an exact or a partial string match. For example, an exact string match is “Ubuntu 20.04.5” and a partial match can be “Ubuntu 20”. It will work for both.
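
The matching rules above, written out as an added example so a filter value can be previewed against an inventory before it is saved (this is not SAFE's own code). It models a partial match as substring containment, which is an assumption; the function names and the sample OS strings are constructed.

```python
def parse_os_filter(raw):
    """Split the comma-separated filter; trim outer spaces and ignore case."""
    return [term.strip().lower() for term in raw.split(",") if term.strip()]

def os_matches(os_name, raw_filter):
    """True if the asset's OS string would pass the filter."""
    terms = parse_os_filter(raw_filter)
    if not terms:
        return True  # no filter: every asset the user can access is pulled
    name = os_name.strip().lower()
    # Inner spaces are kept, so "redhat" does not match "red hat ...".
    return any(term in name for term in terms)

def preview(os_names, raw_filter):
    """OS strings from an inventory that the filter would import."""
    return [name for name in os_names if os_matches(name, raw_filter)]

def unmatched_terms(os_names, raw_filter):
    """Filter terms that match nothing, e.g. a typo that silently drops assets."""
    names = [name.strip().lower() for name in os_names]
    return [t for t in parse_os_filter(raw_filter)
            if not any(t in n for n in names)]

# Constructed sample of OS strings as an inventory might report them.
SAMPLE_OS = [
    "Ubuntu 20.04.5 LTS",
    "Ubuntu 22.04 LTS",
    "CentOS Linux 7.9",
    "Red Hat Enterprise Linux 8.6",
    "Windows Server 2019",
]

if __name__ == "__main__":
    print(preview(SAMPLE_OS, " ubuntu , CENTOS "))
    print(unmatched_terms(SAMPLE_OS, "ubuntu, RedHat, Cent OS"))
```

A term reported by `unmatched_terms` means the sync would skip assets the administrator expected to cover, so those hosts would show no findings in SAFE.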
2. Is it mandatory to provide OS Filter in Tanium Configuration?
No, it is not mandatory to provide the filter in Tanium Configuration. The filter lets a user restrict the asset data that SAFE pulls. This is useful when Tanium has a large data set and the user only wants to import a section of the whole data into SAFE.
3. Where will assets get onboarded?
The asset is onboarded on the basis of OS to asset type matching criteria. For example, if we have Ubuntu 20.04.5 LTS, it will be mapped to Ubuntu 20.x in the Server Vertical. If no match is found, the asset will be onboarded to the Others Vertical.
4. How can I check the Sync status for Tanium Integration?
To view the information related to any saved configuration, GET /integrations/:instance_id can be used. It will return all config fields except the fields which are encrypted using the sensitiveFields array. It will also return the information regarding the config state and the current Sync status.
```json
{
  "id": 1,
  "type": "caplugin",
  "subtype": "tanium",
  "config": {
    "autoSync": 1,
    "serverUrl": "https://ec2-18-212-94-62.compute-1.amazonaws.com",
    "sensitiveFields": [
      "apiToken"
    ]
  },
  "state": {
    "error": "",
    "stage": "COMPLETED",
    "status": 0,
    "message": "Success",
    "lastScanTriggerTs": "2023-01-31T11:03:17.027Z",
    "completionPercentage": 100,
    "lastScanCompletionTs": "2023-01-31T11:11:06.965Z"
  },
  "isEnabled": true,
  "userData": {
    "emailId": "user.test@safe.security"
  }
}
```
5. What are the possible values of the state of Tanium sync?
The following are the possible values for the sync stage:
Stage | Meaning |
---|---|
COMPLETED | Finished sync |
ERROR | Error occurred during sync |
IN PROGRESS | Sync is in progress |
Each stage will have its own completion percentage for reference.
The following are the possible values for sync status:
Status | Meaning |
---|---|
0 | Success |
1 | In Progress |
2 | Error |
6. What if an already existing SAFE asset is assessed by Tanium sync?
If an existing asset (for example, a Windows endpoint with the Safe agent installed on it) is also assessed during a Tanium sync, the following behavior can be expected:
- The controls from Tanium will get populated under the existing asset, with the assessment being completed.
- The control count for the asset will increase, and there may even be double penalization for a few controls since two different sources are carrying out the assessment. This will affect the asset level score and may even have an effect on PAI.
For the reasons stated above, it is recommended that any such existing asset is first retired from Safe before the Tanium sync is triggered, so that it can be onboarded once again with Tanium as its source. Additionally, the Safe agent should be disabled on the endpoint so that it doesn’t continue sending assessments in the future.