The Kenna Tanium connector allows Kenna clients to utilize their Tanium deployments to quickly estimate probable vulnerabilities in installed software. The connector leverages the Tanium Connect framework by asking a specially formatted question to discern what applications and packages are installed on a fleet; the answers are fed through the Kenna Inference Engine to identify likely vulnerabilities.
Setup & Usage
The setup, running, and usage of Tanium connectors resemble existing connector usage. The key differences are the contents of the incoming connector data and the nature of the vulnerabilities reported from the completed connector run.
Kenna clients can use existing Tanium data by uploading a CSV. The Tanium CSV must contain the following headers:
- Computer Name
- Operating System
- IP Address
- Installed Applications:Name
- Installed Applications:Version
The Kenna connector run parses the CSV and extracts the required information for the Kenna Inference Engine.
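A pre-upload check for the header list above, as an added example that is not Kenna's or Tanium's own code. The function name, the exact-match comparison after trimming, the BOM handling, and the sample rows are assumptions; the page does not say how Kenna treats missing columns or empty cells.

```python
import csv
import io

# Header names the page requires for a Tanium CSV upload.
REQUIRED_HEADERS = [
    "Computer Name",
    "Operating System",
    "IP Address",
    "Installed Applications:Name",
    "Installed Applications:Version",
]


def check_tanium_csv(text):
    """Return (missing_headers, incomplete_rows, row_count) for CSV text.

    incomplete_rows holds 1-based data-row numbers in which any required
    column is empty or absent (for example a truncated line).
    """
    # Assumption: an export may start with a UTF-8 BOM or pad header cells.
    reader = csv.DictReader(io.StringIO(text.lstrip("\ufeff")))
    headers = [h.strip() for h in (reader.fieldnames or [])]
    reader.fieldnames = headers  # use the trimmed names as row keys
    missing = [h for h in REQUIRED_HEADERS if h not in headers]
    if missing:
        return missing, [], 0
    incomplete, count = [], 0
    for count, row in enumerate(reader, start=1):
        # Short rows yield None for absent cells, so normalise to "".
        if any(not (row.get(h) or "").strip() for h in REQUIRED_HEADERS):
            incomplete.append(count)
    return [], incomplete, count


# Constructed sample export (not real Tanium output).
SAMPLE = (
    "\ufeffComputer Name,Operating System,IP Address,"
    "Installed Applications:Name,Installed Applications:Version\n"
    "host-a,Windows Server 2016,192.0.2.10,ExampleApp,1.2.3\n"
    "host-b,Ubuntu 18.04,192.0.2.11,examplepkg,\n"
)

if __name__ == "__main__":
    print(check_tanium_csv(SAMPLE))
```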
Kenna clients can set up a manual extraction of Tanium info by entering credentials for a read-enabled user. The Tanium username, Tanium password, and Tanium server hostname are required to utilize the SOAP API connector.
On the first run of this connector, Kenna will create a Tanium "saved question". This question will be referenced in subsequent connector runs. On each run, the saved question will instruct Tanium to collect the required information from each client and submit that information to the Kenna Inference Engine.
Kenna Inference Engine
During the ingestion of Tanium data, Kenna runs a multi-pass algorithm to infer what vulnerabilities may be affecting Kenna client assets. The assets must be included in the Tanium response payload. Each of the inferred vulnerabilities refers directly to a current CVE identifier.
Kenna clients have the ability to improve upon inferences by submitting false positive reports via the existing Kenna user interface. False positive reports help the Kenna Inference Engine "learn" relevant vulnerability attributes for the classes of application and/or package names submitted via connector runs.