Tanium Connector (new revision)

Learn all about integrating Tanium into the Vulcan Platform


Am I reading the right user guide?

Certain connectors have more than one user guide. It depends on the environment's setup and on the connector's available releases (new vs. older revisions).

To access the user guide that is relevant to your environment, simply click on the "How to connect" button located on the connector's setup page. By doing so, you will be directed to the user guide that aligns with your specific environment, ensuring relevancy and accuracy.


Overview

About Tanium

Tanium provides a powerful and flexible platform to secure endpoint devices. Rapidly respond to cyber threats with real-time visibility and comprehensive control.

Why integrate Tanium into the Vulcan platform?

The Tanium Connector by Vulcan integrates with the Tanium platform to pull and ingest Host assets and vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data to impact risk and remediation priority.

Tanium Connector Details

Supported products:

Category: Endpoint Security

Ingested asset type(s): Hosts

Integration type: Unidirectional (data is transferred from the Connector to the Vulcan Platform in one direction)

Supported version and type: SaaS (latest)


Connector Setup

Prerequisites and user permissions

Before you begin configuring the Connector, make sure you have the following:

Configuring the Tanium Connector

  1. Log in to your Vulcan Cyber dashboard and go to Connectors.

  2. Click on Add a Connector.

  3. Click on the Tanium icon.

  4. Set up the Connector as follows:

  5. Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Tanium instance, then click Create (or Save Changes).

  6. Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.

  7. Allow some time for the sync to complete. Then, you can review the sync status under Log on the Connector's setup page.

  8. To confirm the sync is complete, navigate to the Connectors page. Once the Tanium icon shows Connected, the sync is complete.


Tanium in the Vulcan Platform

Viewing Tanium vulnerabilities in the Vulcan Platform

To view vulnerabilities by Connector/Source:

  1. Go to the Vulnerabilities page.

  2. Use the Search or Filter input box to select the Vulnerability Source or Connector filter.

  3. Select Tanium from the vulnerability source/Connector list to filter results.

  4. Click on any vulnerability for more vulnerability details.

Viewing Tanium assets in the Vulcan Platform

To view assets by Connector/Source:

  1. Go to the Assets page.

  2. Click on the relevant asset type tab.

  3. Use the Search or filter input box to select Connector from the drop-down selection.

  4. Select Tanium from the Asset source/Connector list to filter results and view all synced assets.
    See the complete list of available asset filters per asset type

Taking Action on vulnerabilities and assets detected by Tanium

To take remediation action on vulnerabilities and assets detected by Tanium:

  1. Go to the Vulnerabilities / Assets Page.

  2. Click on the Search and Filter input box and select Connector from the drop-down selection.

  3. Locate the Tanium option to view all synced vulnerabilities/assets.

  4. Select the relevant Vulnerability out of the results list.

  5. Click Take Action.

Automating remediation actions on vulnerabilities detected by Tanium

Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. You can take advantage of the automation capabilities of Vulcan Cyber and the Tanium Connector.


From Tanium to the Vulcan Platform - Data Mapping

The Vulcan Platform integrates with Tanium through its API to pull relevant vulnerability and asset data and map it onto the Vulcan Platform pages and fields.

Host fields mapping

| Tanium field | Vulcan field | Value example |
|---|---|---|
| node.id | Uniqueness criteria | 41264 |
| node.name | Asset Name | vulcancyber.vulcancyber.com |
| Hosts | Asset type | |
| node.ipAddresses | IP | 127.0.0.1 |
| node.os.generation | OS | Windows 10 |
| node.os.name | OS Version | Windows 10 Pro |
| node.eidFirstSeen | Created date | 2022-10-07T11:33:49Z |
| node.macAddresses | Multiple mac addresses | FF:FF:FF:FF:FF:FF |
| node.computerID | Asset Tags - Additional | 2512651369 |
| node.systemUUID | Asset Tags - Additional | 4C4C4533-014A-4B10-804A-B5C12F4B3733 |
| node.namespace | Asset Tags - Additional | "" |
| node.isVirtual | Asset Tags - Additional | False |
| node.isEncrypted | Asset Tags - Additional | False |
| node.chassisType | Asset Tags - Additional | Desktop |
| node.primaryUser.name | Asset Tags - Additional | Some Name |
| The asset ID + Unique Vuln ID | Vulnerability instance uniqueness criteria | |
| node.compliance.cveFindings.cveId | Unique Vulnerability uniqueness criteria | CVE-2016-2183 |
| cveId | Vulnerability title | CVE-2016-2183 |
| cvssScoreV3/cvssScore | Vulnerability score | 7.5 |
| summary | Vulnerability description | The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack. |
| cveYear | Vulnerability details | 2016 |
| cvssScoreV3 | CVSS | |

Vulnerability status mapping

| Tanium Status | Vulcan Status |
|---|---|
| Vulnerable (Any received vulnerability from the Tanium connector is considered Vulnerable) | Vulnerable |

Vulnerability score mapping

| Tanium score | Vulcan score |
|---|---|
| CVSS score | CVSS score |

Status Update Mechanisms

Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any were added).

The table below lists how the status update mechanism works in the Tanium connector for the vulnerabilities and assets in the Vulcan Platform.

| Update type in Vulcan | Mechanism (When?) |
|---|---|
| The asset is archived | Asset not found on the connector's last sync; asset not seen for X days according to "Last Seen". |
| The vulnerability instance status changes to "Fixed" | If the vulnerability no longer appears in the scan findings. |

Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).
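
The update rules above, sketched as an added example (this is not Vulcan's or Tanium's code). The nested record shape is assumed from the dotted field paths in the mapping table; `last_seen`, `inactive_days` and the function names are hypothetical, and all sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

def parse_ts(value):
    # Timestamp format as in the page's eidFirstSeen example (2022-10-07T11:33:49Z).
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def instances(nodes):
    """Map (asset ID, cveId) -> score: the 'asset ID + Unique Vuln ID' instance key."""
    found = {}
    for node in nodes:
        for finding in node.get("compliance", {}).get("cveFindings", []):
            score = finding.get("cvssScoreV3")
            if score is None:  # cvssScoreV3/cvssScore: fall back to the older score
                score = finding.get("cvssScore")
            found[(node["id"], finding["cveId"])] = score
    return found

def reconcile(known_assets, known_instances, nodes, now, inactive_days):
    """Apply the two update rules; returns (archived, fixed, vulnerable)."""
    cutoff = now - timedelta(days=inactive_days)
    active = [n for n in nodes if parse_ts(n["last_seen"]) >= cutoff]
    active_ids = {n["id"] for n in active}
    # Archived: missing from this sync, or "Last Seen" older than X days.
    archived = (set(known_assets) | {n["id"] for n in nodes}) - active_ids
    vulnerable = instances(active)
    # Fixed: a known instance on a still-active asset that is absent from the
    # findings. Skipping archived assets is this example's assumption.
    fixed = {k for k in known_instances
             if k[0] in active_ids and k not in vulnerable}
    return archived, fixed, vulnerable

# Constructed sample data; "last_seen" is a hypothetical key and
# CVE-0000-0001 is a placeholder identifier, not a real CVE.
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)
SYNC = [
    {"id": 41264, "last_seen": "2024-01-30T08:00:00Z",
     "compliance": {"cveFindings": [{"cveId": "CVE-2016-2183", "cvssScoreV3": 7.5}]}},
    {"id": 41265, "last_seen": "2023-11-01T08:00:00Z",
     "compliance": {"cveFindings": [{"cveId": "CVE-2016-2183", "cvssScore": 5.0}]}},
]
KNOWN_ASSETS = {41264, 41265, 41266}
KNOWN_INSTANCES = {(41264, "CVE-2016-2183"), (41264, "CVE-0000-0001"),
                   (41266, "CVE-2016-2183")}

if __name__ == "__main__":
    print(reconcile(KNOWN_ASSETS, KNOWN_INSTANCES, SYNC, NOW, inactive_days=30))
```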

API Endpoints in Use
