Tanium EDR Integration Setup
This guide walks you through integrating Tanium EDR with RAD Security for real-time endpoint visibility and threat response, enabling you to correlate endpoint security events with container and cloud runtime activity. Tanium provides real-time endpoint data collection, threat detection, incident response, and compliance monitoring across your entire infrastructure.
Prerequisites
Before you begin, ensure you have:
- Admin access to Tanium Console
- Ability to create roles, personas, and users in Tanium
- A service account dedicated for integrations (recommended)
- Access to RAD Security workspace with integration permissions
Service Account Recommended: Use a dedicated service account for the integration rather than a personal account. This ensures continuity when team members change roles or leave.
Step 1: Access Tanium Console
Step 2: Create Custom Role with Minimal Permissions
Follow the principle of least privilege by creating a role with only the necessary permissions.
Create New Role
Click to create a new role and provide:
- Role Name (e.g., “RAD Security Integration Role”)
- Description (e.g., “Role for RAD Security API integration”)
- Permission Type: Allow
Assign Gateway Permissions
In the Permissions table:
- Locate Gateway permissions
- Expand the section
- Select Execute permission for Gateway API
Assign Platform Content Permissions
In the Permissions table:
- Select Platform Content Permissions
- Check the Read option
- Click the icon with a number (n+) that appears
- Select the following Content Sets:
  - Reserved
  - Base
  - Core Content
  - Comply Reporting
These content sets provide access to the default sensors used for vulnerability checking and compliance monitoring.
Step 3: Create Persona with Custom Role
Personas in Tanium combine roles with computer group access to define the scope of access.
Create New Persona
Click to create a new persona and provide:
- Persona Name (e.g., “RAD Security Integration Persona”)
- Description (e.g., “Persona for RAD Security API access”)
Configure Computer Groups
- Open the Computer Groups section
- Check the Unrestricted Management Rights checkbox
This grants access to all computer groups. If you need to restrict access to specific groups, configure accordingly instead of using unrestricted rights.
Step 4: Generate API Token
Log in as Service Account
Log out and log back in using the service account you assigned to the persona in Step 3
Configure Token Details
Provide the following information:
Notes:
- Add a description to identify the token’s purpose (e.g., “RAD Security Integration”)
- Recommended: 14 days for production
- Default: 7 days
- Maximum: 365 days
Shorter expiration periods enhance security by requiring regular token rotation. Set calendar reminders for token rotation.
Assign Persona
Assign the persona you created in Step 3 to set the scope and permissions for this token
Configure Trusted IP Addresses
Add trusted IP addresses that can use this token:
For Production:
- Add RAD Security IP addresses (provided by your RAD Security team)
- You can use 0.0.0.0/0 for initial testing. Remove this before production deployment.
Step 5: Configure in RAD Security
Navigate to your RAD Security workspace and configure the Tanium integration with the following parameters:
Required Parameters
| Parameter | Description | Example |
|---|---|---|
| Base URL | Your Tanium Console URL | https://your-company.cloud.tanium.com |
| Secret | The API token generated in Step 4 | your-api-token-here |
Verify Integration
After completing the setup, verify your integration is working:
- Navigate to Data Sources > Integrations > EDR in RAD Security
- Locate your Tanium integration
- Check the connection status shows as Connected
- Verify endpoint data is being synced
Your Tanium EDR integration is now configured! RAD Security can now correlate endpoint data with container and cloud runtime events.
What Data is Synced
Once configured, RAD Security will sync the following data from Tanium:
Endpoint Information
- Real-time endpoint inventory
- Operating system details
- Computer names and IP addresses
- Last seen timestamps
- Network configuration
- Tanium client version and status
Vulnerability Data
- Software vulnerabilities using default sensors
- Missing patches and updates
- CVE information
- Vulnerability severity scores
- Remediation recommendations
Compliance Data
- Compliance posture assessments
- Policy violations
- Configuration baselines
- Comply Reporting data
- Audit findings
Threat Detection
- Security events
- Threat indicators
- Suspicious activities
- IOC detections
- Behavioral anomalies
Software Inventory
- Installed applications
- Software versions
- Unmanaged software
- License information
- End-of-life software
Default Sensors: RAD Security uses Tanium’s default sensors for vulnerability checking. No additional sensor configuration is required.
Token Rotation
Regular token rotation is a security best practice. Follow these steps to rotate your API token:
Rotate Token in Tanium
- Go to Administration > Permissions > API Tokens
- Select your existing API token
- Use the Rotate feature
- Save the new token immediately
Update Token in RAD Security
- Navigate to your Tanium integration in RAD Security
- Update the token with the newly rotated value
- Verify the connection still works
Token rotation should be performed before the current token expires to avoid service interruptions.
Use Cases
Real-Time Visibility
Get instant visibility into endpoint status and security posture across your entire infrastructure.
Vulnerability Management
Correlate Tanium vulnerability data with runtime exploitation attempts detected by RAD Security.
Compliance Monitoring
Track compliance posture and policy violations across endpoints and cloud workloads.
Incident Response
Coordinate response actions across endpoints when threats are detected in containerized environments.
Troubleshooting
Authentication Failed
Possible causes:
- API token is incorrect or expired
- Token was rotated and not updated
- Service account permissions changed
- Token not generated by correct service account
Solutions:
- Verify the token is copied correctly (no extra spaces)
- Check token expiration date in Tanium
- Ensure service account still has assigned persona
- Try logging in as the service account to verify it’s active
- Generate a new token if needed
Insufficient Permissions
Possible causes:
- Role missing Gateway API execute permission
- Platform Content permissions not configured
- Persona not assigned correct role
- Missing required content sets
Solutions:
- Verify role has Gateway API Execute permission
- Check Platform Content Read permission is granted
- Ensure all 4 content sets are selected (Reserved, Base, Core Content, Comply Reporting)
- Verify persona is assigned to the token
- Review RBAC configuration following Tanium’s guide
IP Address Blocked
Possible causes:
- RAD Security IP addresses not in trusted IPs list
- Incorrect IP address format
- Firewall blocking connections
Solutions:
- Verify RAD Security IP addresses are added to trusted IPs
- Contact RAD Security support for current IP addresses
- Check IP address format is correct (CIDR notation)
- Review firewall rules allowing Tanium API access
- For testing, temporarily use 0.0.0.0/0 (sandbox only!)
No Data Syncing
Possible causes:
- No endpoints reporting to Tanium
- Computer group access restricted
- Default sensors not enabled
- Initial sync still in progress
Solutions:
- Verify Tanium clients are installed and connected
- Check computer group access (Unrestricted vs specific groups)
- Confirm default sensors are active
- Allow up to 15 minutes for initial data sync
- Review integration logs in RAD Security for errors
Token Expired
Possible causes:
- Token reached its expiration date
- Token was manually revoked
Solutions:
- Check token expiration in Tanium
- Rotate the token to generate a new one
- Update RAD Security integration with new token
- Set a calendar reminder for next rotation
- Consider using longer expiration periods (e.g., 90 days) if frequent rotation is challenging
Service Account Issues
Possible causes:
- Service account was disabled or deleted
- Service account password changed
- Persona unassigned from service account
- User removed from persona
Solutions:
- Verify service account is active
- Check persona assignment in Administration > Permissions > Personas
- Ensure service account is still listed under Users for the persona
- Re-add service account to persona if needed
Security Best Practices
Use Service Accounts
Always use dedicated service accounts for integrations, never personal accounts tied to individuals.
Least Privilege Access
Only grant the minimum permissions required. Avoid using admin accounts for API integrations.
Rotate Tokens Regularly
Set reasonable expiration periods (14-90 days) and rotate tokens before they expire.
Restrict IP Addresses
Only allow trusted IP addresses. Never use 0.0.0.0/0 in production environments.
Monitor API Usage
Regularly review API token usage in Tanium to detect anomalous activity.
Secure Token Storage
Store API tokens in a secure password manager or secrets vault. Never commit to version control.
Document Changes
Maintain documentation of token creation, rotation, and role/persona changes.
Audit Regularly
Periodically review personas, roles, and assigned users to ensure they’re still appropriate.
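Several of these practices can be checked mechanically before go-live. The following is an added example, not part of RAD Security's or Tanium's documentation or tooling: it audits a hand-recorded description of the integration against this guide's trusted-IP, token-expiration, and content-set guidance. The dict layout, field names, and the 3-day rotation warning window are assumptions, and the sample values are constructed.

```python
import ipaddress
from datetime import date

# Content sets this guide says to select for the integration role.
REQUIRED_CONTENT_SETS = {"Reserved", "Base", "Core Content", "Comply Reporting"}

def audit_integration(cfg, today, warn_days=3):
    """Return findings for a hand-recorded integration setup (assumed layout)."""
    findings = []
    # Trusted IPs: each entry must parse as CIDR and must not match everything.
    for entry in cfg["trusted_ips"]:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"trusted_ips: {entry!r} is not valid CIDR notation")
            continue
        if net.prefixlen == 0:
            findings.append(f"trusted_ips: {entry} matches every address")
    # Token lifetime: the best-practices range in this guide is 14-90 days.
    lifetime = (cfg["token_expires"] - cfg["token_created"]).days
    if not 14 <= lifetime <= 90:
        findings.append(f"token: {lifetime}-day lifetime is outside 14-90 days")
    # Rotation: flag tokens that are expired or inside the warning window.
    remaining = (cfg["token_expires"] - today).days
    if remaining < 0:
        findings.append(f"token: expired {-remaining} day(s) ago")
    elif remaining <= warn_days:
        findings.append(f"token: expires in {remaining} day(s), rotate now")
    # Role: all four content sets are needed for the default sensors.
    missing = REQUIRED_CONTENT_SETS - set(cfg["content_sets"])
    if missing:
        findings.append("role: missing content sets: " + ", ".join(sorted(missing)))
    return findings

# Constructed sample: a test-only catch-all entry left in place, a malformed
# address, a token two days from expiry, and one content set not selected.
SAMPLE = {
    "trusted_ips": ["203.0.113.10/32", "0.0.0.0/0", "198.51.100.300/24"],
    "token_created": date(2025, 1, 1),
    "token_expires": date(2025, 1, 15),
    "content_sets": ["Reserved", "Base", "Core Content"],
}

if __name__ == "__main__":
    for finding in audit_integration(SAMPLE, today=date(2025, 1, 13)):
        print(finding)
```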
Additional Resources
Tanium Authentication
Official guide to Tanium authentication methods
RBAC for Integrations
Learn about role-based access control for integrations
Sensor Inventory
Complete list of available Tanium sensors
Default Sensors
Documentation on default sensors for vulnerability detection
Developer Summit 2024
Watch “RBAC for Integrations” breakout session
Sensor Management
Guide to register or unregister sensors