The Tanium Connect Connector

Cisco Vulnerability Management supports Tanium Connect which conducts vulnerability and compliance assessments against operating systems, applications, software supply chain, and security configurations and policies for various industry and federal regulations.

This document details the connector configuration for Tanium Cloud-based connectors exclusively. The Tanium on-premises API is currently not supported. For information about extracting report forms from the on-premises connector, refer to the Tanium Comply File-Based Connector article.

Note: At present, scanner fixes are not supported for this connector due to a Tanium issue that they are actively working on resolving. Progress on the issue is being tracked.

Prerequisites

  • In Cisco Vulnerability Manager you must have access to an active account with administrative privileges.
  • Create a user account in Tanium Cloud and assign the following roles:
    • Asset Operator
    • Comply Operator
    • Connect Operator
  • Create a custom role with the following permissions to ensure targeted permissions for API token management:
    • Token – Revoke
    • Token – Rotate
    • Token – Use
    • Token - View

For more information about custom roles, refer to the information from Tanium.

  • You must know the URL of your Tanium Environment.
  • Create a Tanium API key for the user. For more information about creating the key, refer to the information from Tanium.

Configuring your Tanium Connector

Note: To configure this connector, you must be a Cisco Vulnerability Management Administrator.

    1. In Cisco Vulnerability Management, click Connectors > Add Connector.
    2. In the Vulnerability Management section, click Tanium Connect.
      Select-Tanium.png
    3. In the Tanium Connect window, type the following information:
      • In the Name field, type any name that allows you to easily identify the connector.
      • In the Host field, type the name of your host.
      • In the API Key field, type the API Key that you created earlier.
      • In the Asset Inactivity Limit (days) field, type an inactivity limit for assets that this connector ingests.
        Tanium-Configuration-in-CVM-old.png
    4. Click Save and Verify.
      Cisco Vulnerability Management will save your settings and initiate a verification process. This ensures the accuracy and functionality of the provided data.
    5. After the verification completes, the Tanium connector will be present in the list of connectors. You can click Run to run the connector.
      Run-button.png

 

Asset Field Mapping

The following table shows how the Tanium fields map to asset fields in Cisco Vulnerability Management.

Tanium Field and
Example
Data Type in Tanium Cisco Vulnerability
Management
Field and Example
Notes
   

locators.container

Example:

null

 
   

locators.image

Example:

null

 

`asset computers`.`cloud_instance_id`

Example:
i-073976e45c47fc6eb

String

locators.ec2

Example:

i-073976e45c47fc6eb

 

This will be used only if cloud_instance_id starts with

"i-": locator.ec2 = `asset computer`.`cloud_instance_id`

else:None

`asset computers`.`ci_network_adapter
mac_address`

Example:

00:0C:29:19:61:67

02:34:ad:bd:4c:3a

List of String

locators.mac_address

Example:

00:0C:29:19:61:67

 

 

 

`asset computers`.computer_name

Example:

az-wn-cl1

edr-wn-2510.demo.tanium.local

 

String

locators.netbios

Example:

AZ-WN-CL1

EDR-WN-2510

 

Applies only to Windows assets.

If the computer name is FQDN, the NetBIOS will be used. Otherwise, the computer name is copied to the NetBIOS.

`asset computers`.computer_name

Example:

az-lx-cl1.mayzlgflhznunhe0hfxg4dqs5b.xx.
internal.cloudapp.net

gc-lx-cl1.c.mystical-banner-257318.internal

pbj-mc-0002

ubuntu-22.04-lts-template

String

locators.hostname

Example:

az-lx-cl1

gc-lx-cl1

pbj-mc-0002

ubuntu-22.04-lts-template

 

If the computer name is FQDN, the hostname will be used. Otherwise, the computer name is copied to the hostname.

   

locators.url

Example:

null

 
   

locators.file

Example:

null

 

`asset computers`.computer_name

Example:

az-lx-cl1.mayzlgflhznunhe0hfxg4dqs5b.xx.
internal.cloudapp.net

gc-lx-cl1.c.mystical-banner-257318.internal

pbj-mc-0002

ubuntu-22.04-lts-template

String

locators.fqdn

Example:

az-lx-cl1.mayzlgflhznunhe0hfxg4dqs5b.xx.
internal.cloudapp.net

gc-lx-cl1.c.mystical-banner-257318.internal

null

null

The FQDN is derived from the computer name if its valid.

`asset computers`.ip_address

Example:

172.16.50.128

String

locators.ip_address

Example:

172.16.50.128

 

`asset computers`.computer_id

Example:

1636831080

String

locators.external_id

Example:

1636831080

This is the unique ID of the asset in Tanium.
   

locators.database

Example: null

 
   

locators.application

Example: null

 
   

os_vendor

Example: null

 

`asset computers`.os_version

Example:

10.0.19045

String

os_version

Example:

10.0.19045

 

`asset computers`.operating_system

Example:

Windows 10 Pro

String

os_family

Example:

Windows 10 Pro

 
   

os_cpe_name

Example: null

 

vulnerability.`Custom Tags`

Example:

"Development, Test-Machines"

String

Tags

Example:

"Development, Test-Machines"

Tags can be extracted from the vulnerability by vulnerability.`Computer ID`.
(Note: This field can only be extracted when the asset has vulnerabilities being scanned.)

vulnerability.`Open Ports`

Example:

"135,445,5040,49664,49665,49666,
49667,49669,49670,139"

String

ports.port

Example:

"135,445,5040,49664,49665,49666,
49667,49669,49670,139"

Port can be extracted from the vulnerability by vulnerability.`Computer ID`.
(Note: This field returns top 1000 open tcp ports, which may include more than one port;
This field can only be extracted when the asset has vulnerabilities being scanned.)
   

ports.protocol

Example: null

 
   

ports.status

Example: null

 
   

ports.name

Example: null

 
   

ports.product

Example: null

 
   

ports.extra_info

Example: null

 
   

ports.ostype

Example: null

 
   

ports.version

Example: null

 

`asset computers`.`ci_network_adapter
ipv4_address`

Example:

['10.8.90.21', '169.254.81.127']

List of String

network_interfaces.ip_address

Example:
['10.8.90.21', '169.254.81.127']

 

`asset computers` .`ci_network_adapter
mac_address`

Example:

['f0:18:98:eb:b1:43', 'f0:18:98:b2:3b:b0']

List of String

network_interfaces.mac_address

Example:

['f0:18:98:eb:b1:43', 'f0:18:98:b2:3b:b0']

 

`asset computers`.computer_name

Example:

az-lx-cl1.mayzlgflhznunhe0hfxg4dqs5b.xx.

internal.cloudapp.net

gc-lx-cl1.c.mystical-banner-257318.internal

pbj-mc-0002

ubuntu-22.04-lts-template

String

network_interfaces.hostname

Example:

az-lx-cl1

gc-lx-cl1

pbj-mc-0002

ubuntu-22.04-lts-template

If the Computer Name is a FQDN then the hostname is extracted from it, otherwise the Computer Name is copied and used.

`asset computers`.computer_name

Example:

az-wn-cl1

edr-wn-2510.demo.tanium.local

String

network_interfaces.netbios

Example:

AZ-WN-CL1

EDR-WN-2510

Applies only to Windows assets.

If the computer name is FQDN, the NetBIOS will be used. Otherwise, the computer name is copied to the NetBIOS.

   

Priority

Example: null

 

`asset computers`.last_seen_at

Example:

2023-11-09 19:59:44 UTC

Timestamp

last_seen_time

Example:

2020-10-12T07:20:50.52Z

 

vulnerability.`Last Reboot`

Example:

Fri, 09 Jun 2023 12:05:15 -0420

String

last_booted_at

Example:

"2020-10-12T07:20:50.52Z"

 
   

asset_type

 

 

 

Vulnerability Field Mapping

The following table shows how the Tanium fields map to vulnerability fields in Cisco Vulnerability Management.

Tanium Field and Example Data Type in Tanium Cisco Vulnerability Management
Field and Example
Notes

vulnerability.CVE

Example:

"CVE-2015-4495"

String

vulnerabilities.identifier

Example:

"CVE-2015-4495"

 

vulnerability. ”Tanium” + “ “ + vulnerability.CVE

Example:

"CVE-2015-4495"

String

vulnerabilities.definition_identifier

Example:

"Tanium CVE-2015-4495"

 

vulnerability.CVE

Example:

"CVE-2015-4495"

String

vulnerabilities.name

Example:

"CVE-2015-4495"

 

vulnerability.Remediation

Example:

"No confirmed patch or vendor advisory links found. Additional information may be found at: https://nvd.nist.gov/vuln/detail/CVE-2020-16121,
https://scaprepo.com/view.jsp?id=CVE-2020-16121"

String

vulnerabilities.solution

Example:

"No confirmed patch or vendor advisory links found. Additional information may be found at: https://nvd.nist.gov/vuln/detail/CVE-2020-16121,
https://scaprepo.com/view.jsp?id=CVE-2020-16121"

Can be an empty string.

vulnerability.Title

Example:

"A use-after-free vulnerability can
occur when the layer manager is
freed too early when rendering
specific SVG content, resulting in a
potentially exploitable crash. This
vulnerability affects Firefox < 55."

String

vulnerabilities.description

Example:

"A use-after-free vulnerability can occur when the layer manager is freed too early when rendering specific SVG content, resulting in a potentially exploitable crash. This vulnerability affects Firefox < 55."

Can be an empty string.

 

vulnerability.CVE

Example:

"CVE-2015-4495"

String

vulnerabilities.cve_raw_data

Example:

"CVE-2015-4495"

 
   

vulnerabilities.pci_related

Example:

False

 

vulnerability.Details

Example:

"A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw."

String

vulnerabilities.details

Example:

"A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw."

 

vulnerability.`Open Ports`

Example:

"135,445,5040,49664,49665,49666,
49667,49669,49670,139"

String

vulnerabilities.port

Example:

"135,445,5040,49664,49665,49666,
49667,49669,49670,139"

This field returns top 1000 open TCP ports.
   

vulnerabilities.is_open

Example:

true

 

vulnerability.Severity

Example:

High

String

vulnerabilities.scanner_score

Example:

8

 Mapping { "Critical" => 10, "High" => 8, "Medium" => 6, "Low" => 3, "None" => 0, "Unscored" => 0}

   

vulnerabilities.override_score

 

 

vulnerability.`NIST Link`
+ vulnerability.`MITRE Link`
+ vulnerability.`Secpod Link`

Example:

"https://nvd.nist.gov/vuln/detail/CVE-2016-9079",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9079",
"https://scaprepo.com/view.jsp?id=CVE-2007-3106"

String

vulnerabilities.reference_links

Example:

"https://nvd.nist.gov/vuln/detail/CVE-2016-9079",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9079",
"https://scaprepo.com/view.jsp?id=CVE-2007-3106"

 

vulnerability.`CVE Created`

Example:

"2018-06-11 21:29:00 UTC"

Timestamp

vulnerabilities.published_date

Example:

"2020-10-12T07:20:50.52Z"

Can be a null value.

vulnerability.`First Found Date`

Example:

20230609

String

vulnerabilities.found_on

Example:

"2020-10-12T07:20:50.52Z"

 

vulnerability.`Last Found Date`

Example:

20230627

String

vulnerabilities.last_found_on

Example:

"2020-10-12T07:20:50.52Z"

 
   

vulnerabilities.last_fixed_on

Example:

null

 

Fix Field Mapping

The following table shows how the Tanium fields map to fix fields in Cisco Vulnerability Management.

Tanium Field and Example Data Type in Tanium Cisco Vulnerability Management
Field and Example
Notes
   

vulnerabilities.fix_hash.source

Example:

Tanium

 

 

 

vulnerabilities.fix_hash.published_by_
source_datetime

Example:

null

 

vulnerability.`Solution Links`

Example:

"https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ "

String    

vulnerabilities.fix_hash.reference_links

Example:

"https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ "

 

vulnerability.CVE

Example:

"CVE-2017-5715"

String

vulnerabilities.fix_hash.title

Example:

"Tanium Remediation for: CVE-2017-5715"

 

vulnerability.Details

Example:

"A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw."

String

vulnerabilities.fix_hash.consequences

Example:

"A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw."

 

vulnerability.Criteria

Example:

"At least one of the following\n\tAll of Firefox/version\n\t\tTEST IF TRUE: \t\tAll of the following\n\t\t\tTEST IF TRUE: Mozilla Firefox (32 bit) is installed\n\t\t\tTEST IF FALSE: Check if Firefox ESR (32 bit) is installed\n\t\tTEST IF TRUE: Check if the version of Mozilla Firefox is before 44 (32 bit)\n\tAll of Firefox/version\n\t\tTEST IF TRUE: \t\tAll of the following\n\t\t\tTEST IF TRUE: Mozilla Firefox (64 bit) is installed\n\t\tTEST IF TRUE: Check if the version of Mozilla Firefox is before 44 (64 bit)\n"

String

vulnerabilities.fix_hash.diagnosis

Example:

"At least one of the following:
All of Firefox/version
TEST IF TRUE: All of the following
TEST IF TRUE: Mozilla Firefox
(32 bit) is installed
TEST IF FALSE: Check if Firefox
ESR (32 bit) is installed
TEST IF TRUE: Check if the version
of Mozilla Firefox is before 44 (32 bit)
All of Firefox/version
TEST IF TRUE: All of the following
TEST IF TRUE: Mozilla Firefox (64 bit)
isinstalled
TEST IF TRUE: Check if the version
of Mozilla Firefox is before 44 (64 bit)"

 

vulnerability.Remediation

Example:

"The host is missing a critical security update according to Mozilla advisory, MFSA2019-18. The update is required to fix a type confusion vulnerability. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to crash the application."

String

vulnerabilities.fix_hash.solution

Example:

"The host is missing a critical security update according to Mozilla advisory, MFSA2019-18. The update is required to fix a type confusion vulnerability. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to crash the application."

Can be an empty string.

vulnerability.Manufacturer

Example:

VMware, Inc.

String

vulnerabilities.fix_hash.vendor

Example:

VMware, Inc.

 

vulnerability.`Affected Products`

Example:

packagekit\nlibpackagekit-glib2-16\nlibpackagekit-glib2-dev\npython3-packagekit\ngir1.2-packagekitglib-1.0\ngstreamer1.0-packagekit\nlibpackagekit-glib2-18

String

vulnerabilities.fix_hash.product

Example:

packagekit

libpackagekit-glib2-16

libpackagekit-glib2-dev

python3-packagekit

gir1.2-packagekitglib-1.0

gstreamer1.0-packagekit

libpackagekit-glib2-18

 

vulnerability.`Solution Links`

Example:

"https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ "

String

vulnerabilities.fix_hash.reference_link

Example:

"https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ "

Can be an empty string.

vulnerability.`Solution Links`

Example:

"https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ "

String

vulnerabilities.fix_hash.url

Example:

"https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ "

Can be an empty string.

vulnerability.`Solution Links`

Example:

"https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ "

String

vulnerabilities.fix_hash.urls

Example:

"https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ "

Can be an empty string.

 

 

vulnerabilities.fix_hash.external_id

 

 

 

vulnerabilities.fix_hash.last_modified_
by_source_datetime

Example:

null

 

 

 

Tanium Data Fields

The following are the recommended fields that the connector should import during data ingestion from Tanium.

ASSET_COLUMN_NAMES

[ "Cloud Instance ID", "MAC Address", "asset_id", "ci_network_adapter ipv4_address", "ci_network_adapter ipv6_address", "ci_network_adapter mac_address", "ci_network_adapter manufacturer", "ci_network_adapter name", "computer_id", "computer_name", "created_at", "ci_custom_tag custom_tag", "ci_open_port open_port", "domain_name", "id", "ip_address", "last_seen_at", "operating_system", "os_platform", "os_version", "source_id", "system_uuid", "updated_at", ]

VULNERABILITY_COLUMN_NAMES

[ "CISA KEV", "CISA Notes", "CISA Product", "CISA Required Action", "CISA Short Description", "CISA Vendor", "CISA Vulnerability Name", "CVE", "CVE Created", "CVE Year", "CVSS v3 Score", "CVSS v3 Severity", "Cloud Instance ID", "Cloud Instance Image", "Manufacturer", "Computer ID", "Computer Name", "Definition Title", "Details", "First Found Date", "IP Address", "Last Found Date", "Last Reboot", "MAC Address", "MITRE Link", "NIST Link", "OS Platform", "Online", "Open Ports", "Operating System", "Operating System Generation", "Scan Type", "Secpod Link", "Severity", "Title", ]

 

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

0 comments

Please sign in to leave a comment.