Cisco Vulnerability Management supports Tanium Connect, which conducts vulnerability and compliance assessments against operating systems, applications, the software supply chain, and security configurations and policies for various industry and federal regulations.
This document describes the connector configuration for Tanium Cloud-based connectors only. The Tanium on-premises API is currently not supported. For information about extracting report forms from the on-premises connector, refer to the Tanium Comply File-Based Connector article.
Note: Scanner fixes are currently not supported for this connector because of an issue on the Tanium side that Tanium is actively working to resolve. Progress on the issue is being tracked.
Prerequisites
- In Cisco Vulnerability Management, you must have access to an active account with administrative privileges.
- Create a user account in Tanium Cloud and assign it the following roles:
  - Asset Operator
  - Comply Operator
  - Connect Operator
- Create a custom role with the following permissions so that API token management is limited to exactly what the connector needs:
  - Token - Revoke
  - Token - Rotate
  - Token - Use
  - Token - View
  For more information about custom roles, refer to the Tanium documentation.
- You must know the URL of your Tanium environment.
- Create a Tanium API key for the user. For more information about creating the key, refer to the Tanium documentation.
Configuring your Tanium Connector
Note: To configure this connector, you must be a Cisco Vulnerability Management Administrator.
- In Cisco Vulnerability Management, click Connectors > Add Connector.
- In the Vulnerability Management section, click Tanium Connect.
- In the Tanium Connect window, enter the following information:
  - In the Name field, type any name that lets you easily identify the connector.
  - In the Host field, type the host name of your Tanium environment.
  - In the API Key field, type the API key that you created earlier.
  - In the Asset Inactivity Limit (days) field, type the number of days after which assets ingested by this connector are treated as inactive.
- Click Save and Verify. Cisco Vulnerability Management saves your settings and starts a verification process that confirms the details you entered are valid and working.
- After the verification completes, the Tanium connector appears in the list of connectors. Click Run to run the connector.
Asset Field Mapping
The following table shows how the Tanium fields map to asset fields in Cisco Vulnerability Management.
| Tanium Field and Example | Data Type in Tanium | Cisco Vulnerability Management Field and Example | Notes |
|---|---|---|---|
| | | locators.container Example: null | |
| | | locators.image Example: null | |
| `asset computers`.`cloud_instance_id` | String | locators.ec2 Example: i-073976e45c47fc6eb | Set only if cloud_instance_id starts with "i-": locators.ec2 = `asset computers`.`cloud_instance_id`; otherwise None. |
| `asset computers`.`ci_network_adapter` Example: `00:0C:29:19:61:67`, `02:34:ad:bd:4c:3a` | List of String | locators.mac_address Example: 00:0C:29:19:61:67 | |
| `asset computers`.computer_name Example: `az-wn-cl1`, `edr-wn-2510.demo.tanium.local` | String | locators.netbios Example: `AZ-WN-CL1`, `EDR-WN-2510` | Applies only to Windows assets. If the computer name is an FQDN, the NetBIOS name is taken from it; otherwise the computer name is copied to the NetBIOS name. |
| `asset computers`.computer_name Example: `az-lx-cl1.mayzlgflhznunhe0hfxg4dqs5b.xx.`, `gc-lx-cl1.c.mystical-banner-257318.internal`, `pbj-mc-0002`, `ubuntu-22.04-lts-template` | String | locators.hostname Example: `az-lx-cl1`, `gc-lx-cl1`, `pbj-mc-0002`, `ubuntu-22.04-lts-template` | If the computer name is an FQDN, the hostname is taken from it; otherwise the computer name is copied to the hostname. |
| | | locators.url Example: null | |
| | | locators.file Example: null | |
| `asset computers`.computer_name Example: `az-lx-cl1.mayzlgflhznunhe0hfxg4dqs5b.xx.`, `gc-lx-cl1.c.mystical-banner-257318.internal`, `pbj-mc-0002`, `ubuntu-22.04-lts-template` | String | locators.fqdn Example: `az-lx-cl1.mayzlgflhznunhe0hfxg4dqs5b.xx.`, `gc-lx-cl1.c.mystical-banner-257318.internal`, `null`, `null` | The FQDN is derived from the computer name if it is a valid FQDN. |
| `asset computers`.ip_address Example: 172.16.50.128 | String | locators.ip_address Example: 172.16.50.128 | |
| `asset computers`.computer_id Example: 1636831080 | String | locators.external_id Example: 1636831080 | This is the unique ID of the asset in Tanium. |
| | | locators.database Example: null | |
| | | locators.application Example: null | |
| | | os_vendor Example: null | |
| `asset computers`.os_version Example: 10.0.19045 | String | os_version Example: 10.0.19045 | |
| `asset computers`.operating_system Example: Windows 10 Pro | String | os_family Example: Windows 10 Pro | |
| | | os_cpe_name Example: null | |
| vulnerability.`Custom Tags` Example: "Development, Test-Machines" | String | Tags Example: "Development, Test-Machines" | Tags are looked up from the vulnerability record by vulnerability.`Computer ID`. Note: this field can only be extracted when the asset has scanned vulnerabilities. |
| vulnerability.`Open Ports` Example: "135,445,5040,49664,49665,49666, | String | ports.port Example: "135,445,5040,49664,49665,49666, | Ports are looked up from the vulnerability record by vulnerability.`Computer ID`. Note: this field returns the top 1000 open TCP ports, so it may contain more than one port, and it can only be extracted when the asset has scanned vulnerabilities. |
| | | ports.protocol Example: null | |
| | | ports.status Example: null | |
| | | ports.name Example: null | |
| | | ports.product Example: null | |
| | | ports.extra_info Example: null | |
| | | ports.ostype Example: null | |
| | | ports.version Example: null | |
| `asset computers`.`ci_network_adapter` Example: ['10.8.90.21', '169.254.81.127'] | List of String | network_interfaces.ip_address | |
| `asset computers`.`ci_network_adapter` Example: ['f0:18:98:eb:b1:43', 'f0:18:98:b2:3b:b0'] | List of String | network_interfaces.mac_address Example: ['f0:18:98:eb:b1:43', 'f0:18:98:b2:3b:b0'] | |
| `asset computers`.computer_name Example: `az-lx-cl1.mayzlgflhznunhe0hfxg4dqs5b.xx.internal.cloudapp.net`, `gc-lx-cl1.c.mystical-banner-257318.internal`, `pbj-mc-0002`, `ubuntu-22.04-lts-template` | String | network_interfaces.hostname Example: `az-lx-cl1`, `gc-lx-cl1`, `pbj-mc-0002`, `ubuntu-22.04-lts-template` | If the computer name is an FQDN, the hostname is extracted from it; otherwise the computer name is copied and used. |
| `asset computers`.computer_name Example: `az-wn-cl1`, `edr-wn-2510.demo.tanium.local` | String | network_interfaces.netbios Example: `AZ-WN-CL1`, `EDR-WN-2510` | Applies only to Windows assets. If the computer name is an FQDN, the NetBIOS name is taken from it; otherwise the computer name is copied to the NetBIOS name. |
| | | Priority Example: null | |
| `asset computers`.last_seen_at Example: 2023-11-09 19:59:44 UTC | Timestamp | last_seen_time Example: 2020-10-12T07:20:50.52Z | |
| vulnerability.`Last Reboot` Example: Fri, 09 Jun 2023 12:05:15 -0420 | String | last_booted_at Example: "2020-10-12T07:20:50.52Z" | |
| | | asset_type | |
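As an added example (not the connector's own code), the following Python derives the asset locators described in the table above from one Tanium `asset computers` record. The record is constructed, adapters are assumed to be dicts carrying the ci_network_adapter sub-fields listed under ASSET_COLUMN_NAMES, and the FQDN validity test is an assumption, since the page only says the FQDN is derived "if it's valid".

```python
import re
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # one legal DNS label

# Constructed sample record (not real Tanium output). Key names follow the
# ASSET_COLUMN_NAMES list on this page; adapters as dicts is an assumption.
SAMPLE_ASSET = {
    "computer_id": 1636831080, "computer_name": "edr-wn-2510.demo.tanium.local",
    "operating_system": "Windows 10 Pro", "os_version": "10.0.19045",
    "ip_address": "172.16.50.128", "cloud_instance_id": "i-073976e45c47fc6eb",
    "ci_network_adapter": [
        {"ipv4_address": "10.8.90.21", "mac_address": "f0:18:98:eb:b1:43"},
        {"ipv4_address": "169.254.81.127", "mac_address": "f0:18:98:b2:3b:b0"},
    ],
}

def is_fqdn(name):
    """Assumed validity rule: two or more legal DNS labels and an alphabetic top-level
    label. It rejects 'ubuntu-22.04-lts-template', whose FQDN the table shows as null."""
    labels = name.rstrip(".").split(".")
    return len(labels) > 1 and all(LABEL_RE.match(lab) for lab in labels) and labels[-1].isalpha()

def split_name(computer_name, is_windows):
    """hostname/fqdn/netbios as the table describes: an FQDN contributes its first
    label as hostname; otherwise the whole name is copied and fqdn stays None."""
    if is_fqdn(computer_name):
        hostname, fqdn = computer_name.split(".", 1)[0], computer_name
    else:
        hostname, fqdn = computer_name, None
    # NetBIOS applies only to Windows assets; the table's examples show it upper-cased.
    return {"hostname": hostname, "fqdn": fqdn, "netbios": hostname.upper() if is_windows else None}

def map_asset(rec):
    cid = rec.get("cloud_instance_id")
    names = split_name(rec["computer_name"], rec.get("operating_system", "").startswith("Windows"))
    adapters = rec.get("ci_network_adapter", [])
    macs = [a["mac_address"] for a in adapters if a.get("mac_address")]
    return {
        "locators": {
            "ec2": cid if cid and cid.startswith("i-") else None,  # only EC2-style ids, else None
            "mac_address": macs[0] if macs else None,              # first adapter MAC (table example)
            "external_id": str(rec["computer_id"]),                 # Tanium's unique asset id
            "ip_address": rec.get("ip_address"), **names,
        },
        "network_interfaces": {
            "ip_address": [a["ipv4_address"] for a in adapters if a.get("ipv4_address")],
            "mac_address": macs, "hostname": names["hostname"], "netbios": names["netbios"],
        },
        "os_version": rec.get("os_version"), "os_family": rec.get("operating_system"),
    }
```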
Vulnerability Field Mapping
The following table shows how the Tanium fields map to vulnerability fields in Cisco Vulnerability Management.
| Tanium Field and Example | Data Type in Tanium | Cisco Vulnerability Management Field and Example | Notes |
|---|---|---|---|
| vulnerability.CVE Example: "CVE-2015-4495" | String | vulnerabilities.identifier Example: "CVE-2015-4495" | |
| "Tanium" + " " + vulnerability.CVE Example: "CVE-2015-4495" | String | vulnerabilities.definition_identifier Example: "Tanium CVE-2015-4495" | |
| vulnerability.CVE Example: "CVE-2015-4495" | String | vulnerabilities.name Example: "CVE-2015-4495" | |
| vulnerability.Remediation | String | vulnerabilities.solution Example: "No confirmed patch or vendor advisory links found. Additional information may be found at: https://nvd.nist.gov/vuln/detail/CVE-2020-16121, | Can be an empty string. |
| vulnerability.Title Example: "A use-after-free vulnerability can | String | vulnerabilities.description Example: "A use-after-free vulnerability can occur when the layer manager is freed too early when rendering specific SVG content, resulting in a potentially exploitable crash. This vulnerability affects Firefox < 55." | Can be an empty string. |
| vulnerability.CVE Example: "CVE-2015-4495" | String | vulnerabilities.cve_raw_data Example: "CVE-2015-4495" | |
| | | vulnerabilities.pci_related Example: False | |
| vulnerability.Details Example: "A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw." | String | vulnerabilities.details Example: "A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw." | |
| vulnerability.`Open Ports` Example: "135,445,5040,49664,49665,49666, | String | vulnerabilities.port Example: "135,445,5040,49664,49665,49666, | This field returns the top 1000 open TCP ports. |
| | | vulnerabilities.is_open Example: true | |
| vulnerability.Severity Example: High | String | vulnerabilities.scanner_score Example: 8 | Mapping { "Critical" => 10, "High" => 8, "Medium" => 6, "Low" => 3, "None" => 0, "Unscored" => 0 } |
| | | vulnerabilities.override_score | |
| vulnerability.`NIST Link` Example: "https://nvd.nist.gov/vuln/detail/CVE-2016-9079" | String | vulnerabilities.reference_links Example: "https://nvd.nist.gov/vuln/detail/CVE-2016-9079" | |
| vulnerability.`CVE Created` Example: "2018-06-11 21:29:00 UTC" | Timestamp | vulnerabilities.published_date Example: "2020-10-12T07:20:50.52Z" | Can be a null value. |
| vulnerability.`First Found Date` Example: 20230609 | String | vulnerabilities.found_on Example: "2020-10-12T07:20:50.52Z" | |
| vulnerability.`Last Found Date` Example: 20230627 | String | vulnerabilities.last_found_on Example: "2020-10-12T07:20:50.52Z" | |
| | | vulnerabilities.last_fixed_on Example: null | |
Fix Field Mapping
The following table shows how the Tanium fields map to fix fields in Cisco Vulnerability Management.
| Tanium Field and Example | Data Type in Tanium | Cisco Vulnerability Management Field and Example | Notes |
|---|---|---|---|
| | | vulnerabilities.fix_hash.source Example: Tanium | |
| | | vulnerabilities.fix_hash.published_by_ Example: null | |
| vulnerability.`Solution Links` Example: "https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ " | String | vulnerabilities.fix_hash.reference_links Example: "https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ " | |
| vulnerability.CVE Example: "CVE-2017-5715" | String | vulnerabilities.fix_hash.title Example: "Tanium Remediation for: CVE-2017-5715" | |
| vulnerability.Details Example: "A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw." | String | vulnerabilities.fix_hash.consequences Example: "A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw." | |
| vulnerability.Criteria Example: "At least one of the following\n\tAll of Firefox/version\n\t\tTEST IF TRUE: \t\tAll of the following\n\t\t\tTEST IF TRUE: Mozilla Firefox (32 bit) is installed\n\t\t\tTEST IF FALSE: Check if Firefox ESR (32 bit) is installed\n\t\tTEST IF TRUE: Check if the version of Mozilla Firefox is before 44 (32 bit)\n\tAll of Firefox/version\n\t\tTEST IF TRUE: \t\tAll of the following\n\t\t\tTEST IF TRUE: Mozilla Firefox (64 bit) is installed\n\t\tTEST IF TRUE: Check if the version of Mozilla Firefox is before 44 (64 bit)\n" | String | vulnerabilities.fix_hash.diagnosis Example: "At least one of the following: | |
| vulnerability.Remediation Example: "The host is missing a critical security update according to Mozilla advisory, MFSA2019-18. The update is required to fix a type confusion vulnerability. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to crash the application." | String | vulnerabilities.fix_hash.solution Example: "The host is missing a critical security update according to Mozilla advisory, MFSA2019-18. The update is required to fix a type confusion vulnerability. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to crash the application." | Can be an empty string. |
| vulnerability.Manufacturer Example: VMware, Inc. | String | vulnerabilities.fix_hash.vendor Example: VMware, Inc. | |
| vulnerability.`Affected Products` Example: packagekit\nlibpackagekit-glib2-16\nlibpackagekit-glib2-dev\npython3-packagekit\ngir1.2-packagekitglib-1.0\ngstreamer1.0-packagekit\nlibpackagekit-glib2-18 | String | vulnerabilities.fix_hash.product Example: packagekit libpackagekit-glib2-16 libpackagekit-glib2-dev python3-packagekit gir1.2-packagekitglib-1.0 gstreamer1.0-packagekit libpackagekit-glib2-18 | |
| vulnerability.`Solution Links` Example: "https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ " | String | vulnerabilities.fix_hash.reference_link Example: "https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ " | Can be an empty string. |
| vulnerability.`Solution Links` Example: "https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ " | String | vulnerabilities.fix_hash.url Example: "https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ " | Can be an empty string. |
| vulnerability.`Solution Links` Example: "https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ " | String | vulnerabilities.fix_hash.urls Example: "https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ " | Can be an empty string. |
| | | vulnerabilities.fix_hash.external_id | |
| | | vulnerabilities.fix_hash.last_modified_ Example: null | |
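As an added example (not the connector's code), the following Python applies the vulnerability and fix field rules from the two tables above to one constructed Tanium row: the Severity-to-scanner_score mapping, the "Tanium" + " " + CVE definition identifier, the fix_hash title and product join, the trailing-comma Open Ports string, and normalisation of the "CVE Created" and First/Last Found Date values to ISO 8601. The ISO output format and the two date-parsing formats are assumptions inferred from the examples in the tables.

```python
from datetime import datetime, timezone

# Constructed sample row (not real Tanium output); keys are the column names used
# in the tables above and in VULNERABILITY_COLUMN_NAMES on this page.
SAMPLE_VULN = {
    "CVE": "CVE-2015-4495", "Severity": "High", "Remediation": "",
    "Title": "A use-after-free vulnerability can occur in Firefox < 55.",
    "Open Ports": "135,445,5040,49664,49665,49666,",
    "NIST Link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4495",
    "CVE Created": "2018-06-11 21:29:00 UTC",
    "First Found Date": "20230609", "Last Found Date": 20230627,
    "Affected Products": "firefox\nfirefox-esr",
    "Solution Links": "https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ ",
}

# Severity -> scanner_score, exactly the mapping given in the table.
SEVERITY_SCORE = {"Critical": 10, "High": 8, "Medium": 6, "Low": 3, "None": 0, "Unscored": 0}

def to_iso(value, fmt):
    """Normalise '2018-06-11 21:29:00 UTC' / '20230609' style values to ISO 8601 UTC."""
    if value in (None, ""):          # published_date may be null, per the table
        return None
    dt = datetime.strptime(str(value), fmt).replace(tzinfo=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_ports(value):
    """'135,445,' -> [135, 445]; tolerates the trailing comma seen in the example."""
    return [int(p) for p in (value or "").split(",") if p.strip().isdigit()]

def map_vulnerability(v):
    """Build one Cisco Vulnerability Management vulnerability (plus fix_hash) record."""
    cve = v["CVE"]
    return {
        "identifier": cve, "name": cve, "cve_raw_data": cve,
        "definition_identifier": "Tanium" + " " + cve,
        "description": v.get("Title") or "", "details": v.get("Details") or "",
        "solution": v.get("Remediation") or "",              # may be an empty string
        "port": parse_ports(v.get("Open Ports")),
        "scanner_score": SEVERITY_SCORE.get(v.get("Severity"), 0),  # unknown -> 0, like Unscored
        "reference_links": [v["NIST Link"]] if v.get("NIST Link") else [],
        "published_date": to_iso(v.get("CVE Created"), "%Y-%m-%d %H:%M:%S UTC"),
        "found_on": to_iso(v["First Found Date"], "%Y%m%d"),
        "last_found_on": to_iso(v["Last Found Date"], "%Y%m%d"),
        "fix_hash": {
            "source": "Tanium",
            "title": "Tanium Remediation for: " + cve,
            "product": " ".join((v.get("Affected Products") or "").split("\n")),
            "url": (v.get("Solution Links") or "").strip(),   # table example has a trailing space
        },
    }
```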
Tanium Data Fields
The following are the recommended fields that the connector should import during data ingestion from Tanium.
ASSET_COLUMN_NAMES
[ "Cloud Instance ID", "MAC Address", "asset_id", "ci_network_adapter ipv4_address", "ci_network_adapter ipv6_address", "ci_network_adapter mac_address", "ci_network_adapter manufacturer", "ci_network_adapter name", "computer_id", "computer_name", "created_at", "ci_custom_tag custom_tag", "ci_open_port open_port", "domain_name", "id", "ip_address", "last_seen_at", "operating_system", "os_platform", "os_version", "source_id", "system_uuid", "updated_at", ]
VULNERABILITY_COLUMN_NAMES
[ "CISA KEV", "CISA Notes", "CISA Product", "CISA Required Action", "CISA Short Description", "CISA Vendor", "CISA Vulnerability Name", "CVE", "CVE Created", "CVE Year", "CVSS v3 Score", "CVSS v3 Severity", "Cloud Instance ID", "Cloud Instance Image", "Manufacturer", "Computer ID", "Computer Name", "Definition Title", "Details", "First Found Date", "IP Address", "Last Found Date", "Last Reboot", "MAC Address", "MITRE Link", "NIST Link", "OS Platform", "Online", "Open Ports", "Operating System", "Operating System Generation", "Scan Type", "Secpod Link", "Severity", "Title", ]