
Tanium EDR Integration Setup

This guide walks you through integrating Tanium EDR with RAD Security for real-time endpoint visibility and threat response, enabling you to correlate endpoint security events with container and cloud runtime activity. Tanium provides real-time endpoint data collection, threat detection, incident response, and compliance monitoring across your entire infrastructure.

Prerequisites

Before you begin, ensure you have:
  • Admin access to Tanium Console
  • Ability to create roles, personas, and users in Tanium
  • A service account dedicated to integrations (recommended)
  • Access to RAD Security workspace with integration permissions
Service Account Recommended: Use a dedicated service account for the integration rather than a personal account. This ensures continuity when team members change roles or leave.

Step 1: Access Tanium Console

1

Log in to Console

Log in to your Tanium Console with administrative privileges
2

Note Your Console URL

Save your Tanium Console URL; you’ll need it for configuration.
Example: https://your-company.cloud.tanium.com

Step 2: Create Custom Role with Minimal Permissions

Follow the principle of least privilege by creating a role with only the necessary permissions.
1

Navigate to Roles

Go to Administration > Permissions > Roles
2

Create New Role

Click to create a new role and provide:
  • Role Name (e.g., “RAD Security Integration Role”)
  • Description (e.g., “Role for RAD Security API integration”)
  • Permission Type: Allow
3

Assign Gateway Permissions

In the Permissions table:
  1. Locate Gateway permissions
  2. Expand the section
  3. Select Execute permission for Gateway API
This permission is essential for the integration to function properly. Without Gateway API execute permissions, the integration will fail.
4

Assign Platform Content Permissions

In the Permissions table:
  1. Select Platform Content Permissions
  2. Check the Read option
  3. Click the icon with a number (n+) that appears
  4. Select the following Content Sets:
    • Reserved
    • Base
    • Core Content
    • Comply Reporting
These content sets provide access to the default sensors used for vulnerability checking and compliance monitoring.
5

Save Role

Click Save to create the role

Step 3: Create Persona with Custom Role

Personas in Tanium combine roles with computer group access to define the scope of access.
1

Navigate to Personas

Go to Administration > Permissions > Personas
2

Create New Persona

Click to create a new persona and provide:
  • Persona Name (e.g., “RAD Security Integration Persona”)
  • Description (e.g., “Persona for RAD Security API access”)
3

Assign Role

Assign the custom role you created in Step 2 to this persona
4

Configure Computer Groups

  1. Open the Computer Groups section
  2. Check the Unrestricted Management Rights checkbox
This grants access to all computer groups. If you need to restrict access to specific groups, configure accordingly instead of using unrestricted rights.
5

Assign Users

  1. Open the Users section
  2. Assign one or more users to this persona
Use a Service Account: Assign a dedicated service account rather than individual user accounts. This prevents disruptions when users leave or change roles.
6

Save Persona

Click Save to create the persona

Step 4: Generate API Token

1

Log in as Service Account

Log out and log back in using the service account you assigned to the persona in Step 3
2

Navigate to API Tokens

Go to Administration > Permissions > API Tokens
3

Create New API Token

Select the option to create a new API token
4

Configure Token Details

Provide the following information:
Notes:
  • Add a description to identify the token’s purpose (e.g., “RAD Security Integration”)
Expiration Period:
  • Recommended: 14 days for production
  • Default: 7 days
  • Maximum: 365 days
Shorter expiration periods enhance security by requiring regular token rotation. Set calendar reminders for token rotation.
5

Assign Persona

Assign the persona you created in Step 3 to set the scope and permissions for this token
6

Configure Trusted IP Addresses

Add trusted IP addresses that can use this token:
For Production:
  • Add RAD Security IP addresses (provided by your RAD Security team)
For Testing/Sandbox:
  • You can use 0.0.0.0/0 for initial testing
  • Remove this before production deployment
Using 0.0.0.0/0 allows access from any IP address. Only use this for sandbox testing and never in production environments.
7

Generate Token

Click Create to generate the API token
8

Save Token Securely

Immediately copy and save the API token in a secure location
This is your only chance to view the token! You cannot retrieve it later. Store it in a password manager or secrets vault immediately.
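
The trusted IP list from Step 4 can be checked before it is entered in Tanium. The following is an added example, not part of the original guide or of Tanium's or RAD Security's tooling: it validates CIDR notation and rejects 0.0.0.0/0 for production. The function names, the "broad range" thresholds and the sample addresses are assumptions of the example.

```python
import ipaddress

# Assumption of this example (not a Tanium or RAD Security rule): IPv4 prefixes
# shorter than /24 and IPv6 prefixes shorter than /64 are flagged for review.
BROAD_V4, BROAD_V6 = 24, 64

def lint_trusted_ips(entries, production=True):
    """Return (entry, level, message) per entry; level is ok, warn or error."""
    findings, seen = [], set()
    for raw in entries:
        entry = raw.strip()
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            try:  # valid address, but bits set to the right of the prefix
                fixed = ipaddress.ip_network(entry, strict=False)
                msg = f"host bits set; did you mean {fixed}?"
            except ValueError:
                msg = "not a valid IP address or CIDR block"
            findings.append((raw, "error", msg))
            continue
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0
            level = "error" if production else "warn"
            findings.append((raw, level, "matches every address; sandbox only"))
        elif net in seen:
            findings.append((raw, "warn", "duplicate entry"))
        elif net.prefixlen < (BROAD_V4 if net.version == 4 else BROAD_V6):
            findings.append((raw, "warn", f"covers {net.num_addresses} addresses"))
        else:
            findings.append((raw, "ok", str(net)))
        seen.add(net)
    return findings

def production_ready(entries):
    """True only for a non-empty list with no error-level finding."""
    results = lint_trusted_ips(entries, production=True)
    return bool(results) and all(level != "error" for _, level, _ in results)

# Constructed sample: documentation and private ranges, not RAD Security's addresses.
SAMPLE = ["203.0.113.10/32", "198.51.100.0/24", "0.0.0.0/0",
          "203.0.113.7/24", "10.0.0.0/8", "192.0.2.300"]

if __name__ == "__main__":
    for entry, level, message in lint_trusted_ips(SAMPLE):
        print(f"{level:5}  {entry:18} {message}")
```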

Step 5: Configure in RAD Security

Navigate to your RAD Security workspace and configure the Tanium integration with the following parameters:

Required Parameters

Parameter | Description | Example
Base URL | Your Tanium Console URL | https://your-company.cloud.tanium.com
Secret | The API token generated in Step 4 | your-api-token-here

Verify Integration

After completing the setup, verify your integration is working:
  1. Navigate to Data Sources > Integrations > EDR in RAD Security
  2. Locate your Tanium integration
  3. Check that the connection status shows as Connected
  4. Verify endpoint data is being synced
Your Tanium EDR integration is now configured! RAD Security can now correlate endpoint data with container and cloud runtime events.

What Data is Synced

Once configured, RAD Security will sync the following data from Tanium:
  • Real-time endpoint inventory
  • Operating system details
  • Computer names and IP addresses
  • Last seen timestamps
  • Network configuration
  • Tanium client version and status
  • Software vulnerabilities using default sensors
  • Missing patches and updates
  • CVE information
  • Vulnerability severity scores
  • Remediation recommendations
  • Compliance posture assessments
  • Policy violations
  • Configuration baselines
  • Comply Reporting data
  • Audit findings
  • Security events
  • Threat indicators
  • Suspicious activities
  • IOC detections
  • Behavioral anomalies
  • Installed applications
  • Software versions
  • Unmanaged software
  • License information
  • End-of-life software
Default Sensors: RAD Security uses Tanium’s default sensors for vulnerability checking. No additional sensor configuration is required.

Token Rotation

Regular token rotation is a security best practice. Follow these steps to rotate your API token:
1

Rotate Token in Tanium

  1. Go to Administration > Permissions > API Tokens
  2. Select your existing API token
  3. Use the Rotate feature
  4. Save the new token immediately
2

Update Token in RAD Security

  1. Navigate to your Tanium integration in RAD Security
  2. Update the token with the newly rotated value
  3. Verify the connection still works
3

Set Reminder

Set a calendar reminder for the next rotation based on your token’s expiration period
Token rotation should be performed before the current token expires to avoid service interruptions.
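
The calendar reminder can be replaced by a scheduled check over a token inventory. The following is an added example, not part of the original guide or of Tanium's tooling: it reports which tokens are expired or due for rotation. The inventory records, the token names and the 20% lead window are assumptions of the example; the 365-day maximum is the limit listed in Step 4.

```python
from datetime import date, timedelta

MAX_EXPIRY_DAYS = 365  # maximum expiration period listed in this guide

def rotation_plan(created, expiry_days, today, lead_fraction=0.2):
    """Return (status, rotate_by, expires_on) for one token.

    lead_fraction is an assumption of this example: rotation falls due when
    the last 20% of the token lifetime begins, at least one day before expiry.
    """
    if not 1 <= expiry_days <= MAX_EXPIRY_DAYS:
        raise ValueError(f"expiration must be 1-{MAX_EXPIRY_DAYS} days, got {expiry_days}")
    expires_on = created + timedelta(days=expiry_days)
    lead = max(1, round(expiry_days * lead_fraction))
    rotate_by = expires_on - timedelta(days=lead)
    if today >= expires_on:
        status = "expired"
    elif today >= rotate_by:
        status = "rotate-now"
    else:
        status = "ok"
    return status, rotate_by, expires_on

def review(tokens, today):
    """Return (name, status, rotate_by) tuples, most urgent first."""
    order = {"expired": 0, "rotate-now": 1, "ok": 2}
    rows = [(t["name"], *rotation_plan(t["created"], t["expiry_days"], today)[:2])
            for t in tokens]
    return sorted(rows, key=lambda row: (order[row[1]], row[2]))

# Constructed inventory: names and dates are sample values, not real tokens.
TOKENS = [
    {"name": "rad-prod", "created": date(2025, 3, 1), "expiry_days": 14},
    {"name": "rad-sandbox", "created": date(2025, 3, 1), "expiry_days": 7},
    {"name": "rad-dr", "created": date(2025, 3, 5), "expiry_days": 90},
]

if __name__ == "__main__":
    for name, status, rotate_by in review(TOKENS, date.today()):
        print(f"{status:10}  {name:12} rotate by {rotate_by}")
```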

Use Cases

Real-Time Visibility

Get instant visibility into endpoint status and security posture across your entire infrastructure.

Vulnerability Management

Correlate Tanium vulnerability data with runtime exploitation attempts detected by RAD Security.

Compliance Monitoring

Track compliance posture and policy violations across endpoints and cloud workloads.

Incident Response

Coordinate response actions across endpoints when threats are detected in containerized environments.

Troubleshooting

Possible causes:
  • API token is incorrect or expired
  • Token was rotated and not updated
  • Service account permissions changed
  • Token not generated by correct service account
Solution:
  • Verify the token is copied correctly (no extra spaces)
  • Check token expiration date in Tanium
  • Ensure service account still has assigned persona
  • Try logging in as the service account to verify it’s active
  • Generate a new token if needed

Possible causes:
  • Role missing Gateway API execute permission
  • Platform Content permissions not configured
  • Persona not assigned correct role
  • Missing required content sets
Solution:
  • Verify role has Gateway API Execute permission
  • Check Platform Content Read permission is granted
  • Ensure all 4 content sets are selected (Reserved, Base, Core Content, Comply Reporting)
  • Verify persona is assigned to the token
  • Review RBAC configuration following Tanium’s guide

Possible causes:
  • RAD Security IP addresses not in trusted IPs list
  • Incorrect IP address format
  • Firewall blocking connections
Solution:
  • Verify RAD Security IP addresses are added to trusted IPs
  • Contact RAD Security support for current IP addresses
  • Check IP address format is correct (CIDR notation)
  • Review firewall rules allowing Tanium API access
  • For testing, temporarily use 0.0.0.0/0 (sandbox only!)

Possible causes:
  • No endpoints reporting to Tanium
  • Computer group access restricted
  • Default sensors not enabled
  • Initial sync still in progress
Solution:
  • Verify Tanium clients are installed and connected
  • Check computer group access (Unrestricted vs specific groups)
  • Confirm default sensors are active
  • Allow up to 15 minutes for initial data sync
  • Review integration logs in RAD Security for errors

Possible causes:
  • Token reached its expiration date
  • Token was manually revoked
Solution:
  • Check token expiration in Tanium
  • Rotate the token to generate a new one
  • Update RAD Security integration with new token
  • Set a calendar reminder for next rotation
  • Consider using longer expiration periods (e.g., 90 days) if frequent rotation is challenging

Possible causes:
  • Service account was disabled or deleted
  • Service account password changed
  • Persona unassigned from service account
  • User removed from persona
Solution:
  • Verify service account is active
  • Check persona assignment in Administration > Permissions > Personas
  • Ensure service account is still listed under Users for the persona
  • Re-add service account to persona if needed

Security Best Practices

Use Service Accounts

Always use dedicated service accounts for integrations, never personal accounts tied to individuals.

Least Privilege Access

Only grant the minimum permissions required. Avoid using admin accounts for API integrations.

Rotate Tokens Regularly

Set reasonable expiration periods (14-90 days) and rotate tokens before they expire.

Restrict IP Addresses

Only allow trusted IP addresses. Never use 0.0.0.0/0 in production environments.

Monitor API Usage

Regularly review API token usage in Tanium to detect anomalous activity.

Secure Token Storage

Store API tokens in a secure password manager or secrets vault. Never commit to version control.

Document Changes

Maintain documentation of token creation, rotation, and role/persona changes.

Audit Regularly

Periodically review personas, roles, and assigned users to ensure they’re still appropriate.
