Tanium Integration Use Cases
Tanium is a flexible platform that will support a wide variety of integration use cases limited only by your creativity. To help you kick off the brainstorming, here are some general themes for the types of integrations we see most often.
SIEM and Log Aggregation
Feed Tanium alerts, reports, and other valuable endpoint data into your SIEM, alert manager, or other log aggregation system. Tanium has packaged apps available for Splunk and IBM QRadar, but it is easy to configure Tanium to send data to virtually any downstream system.
Risk and Zero Trust
With people working from anywhere on all sorts of devices, the old network-based perimeter security model no longer holds. Security measures like multi-factor authentication and application-specific authorization policies verify that users are who they say they are and are accessing only what they are entitled to. But what about the device they are accessing your network and applications from? Is it patched? Is it compliant with your organization's security policies?
Integration with Tanium's Risk Module as part of a Zero Trust solution enables instant verification of a device's Risk Score as part of your login and authentication flow. Have confidence that users are accessing your sensitive applications from a managed, secure endpoint.
Integrating with Tanium's Zero Trust capabilities is relevant for:
- Cloud Access Security Brokers (CASB)
- Secure Web Gateways (SWG)
- Identity and Access Management tools (IAM)
CMDB and Asset Management
Tanium Asset gives you a complete and up-to-date view of your enterprise inventory. Asset aggregates information about all endpoints managed by Tanium, whether they are currently online or offline. This data is valuable for a variety of scenarios, such as:
- Updating external CMDB with up-to-date inventory information from Tanium
- Enriching endpoint information in Tanium Asset with data from an external system
- Looking up current details about a particular endpoint
Threat Intelligence & Investigation
Tanium Threat Response supports OpenIOC, STIX, CybOX, YARA and Tanium Signals as Intel formats. Use cases that leverage this capability can automatically generate and deploy Intel as part of an investigation workflow: consume local telemetry (such as a file hash), create and deploy matching Intel, consume the Alerts it generates, and then update or remove the root Intel as a secondary step. Each of these steps can be automated in full or in part. Please see the following for more details.
Once Intel has been deployed, the resulting Alerts can be consumed and managed. Alerts can be sent via Tanium Connect with a number of formatting and destination options, or pulled and managed via the API.
Tanium Stream is a capability within Threat Response that sends the raw underlying endpoint telemetry to a SIEM or other data lake. Registry, network, file, DNS and HTTP header events go directly from the endpoint to your preferred solution. Use this data for retroactive historical investigations as well as for enrichment of your current workflows.
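The investigation workflow above (hash from telemetry, matching Intel, Alerts, secondary action on the root Intel) as an added example, not code from Tanium or this page. It builds the Intel in two of the formats Threat Response accepts, STIX 2.1 and YARA, from a single observed digest, and then decides the follow-up for that Intel from the Alerts it raised. The `SAMPLE_ALERTS` records, their field names (`alertId`, `intelId`, `computerName`, `state`), the helper names and the 30-day retention default are all assumptions made for the example; nothing here calls the Tanium API, and a real Threat Response Alert payload will have a different shape.

```python
"""Added example (not Tanium's code): turn a hash observed on an endpoint into
deployable intel in two of the formats Threat Response accepts (STIX 2.1 and
YARA), then decide the follow-up step for that intel from the alerts it raised.

The alert records and their field names below are constructed for this example;
they are not the Threat Response alert schema. Nothing here calls the Tanium API.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Hex-digest length -> algorithm name as STIX spells it in file:hashes.'<ALGO>'
HASH_ALGOS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}
# YARA "hash" module function for each algorithm
YARA_FUNCS = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256"}


def classify_hash(value: str) -> str:
    """Return the algorithm name for a hex digest, rejecting anything else."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v) or len(v) not in HASH_ALGOS:
        raise ValueError(f"not a recognised hex digest: {value!r}")
    return HASH_ALGOS[len(v)]


def stix_indicator(hash_value: str, name: str) -> dict:
    """Build a STIX 2.1 Indicator whose pattern matches the file hash."""
    algo = classify_hash(hash_value)
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": f"[file:hashes.'{algo}' = '{hash_value.strip().lower()}']",
        "pattern_type": "stix",
        "valid_from": now,
    }


def stix_bundle(objects: list) -> str:
    """Wrap STIX objects in a bundle, serialised for upload as intel."""
    return json.dumps({"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
                       "objects": objects}, indent=2)


def yara_rule(hash_value: str, rule_name: str) -> str:
    """Build a YARA rule that matches the whole file by digest."""
    algo = classify_hash(hash_value)
    ident = re.sub(r"\W", "_", rule_name)       # YARA identifiers: [A-Za-z0-9_]
    if not ident or ident[0].isdigit():          # ... and must not start with a digit
        ident = "_" + ident
    return (
        'import "hash"\n'
        f"rule {ident}\n"
        "{\n"
        "    meta:\n"
        f'        description = "{algo} match for {rule_name}"\n'
        "    condition:\n"
        f'        hash.{YARA_FUNCS[algo]}(0, filesize) == "{hash_value.strip().lower()}"\n'
        "}\n"
    )


# Constructed alert records (field names are assumptions for the example).
SAMPLE_ALERTS = [
    {"alertId": 101, "intelId": "intel-7", "computerName": "ws-0412", "state": "unresolved"},
    {"alertId": 102, "intelId": "intel-7", "computerName": "ws-0099", "state": "unresolved"},
    {"alertId": 103, "intelId": "intel-3", "computerName": "srv-db01", "state": "resolved"},
]


def open_alerts_for_intel(alerts: list, intel_id: str) -> list:
    """Alerts raised by one piece of intel that nobody has resolved yet."""
    return [a for a in alerts if a["intelId"] == intel_id and a["state"] != "resolved"]


def intel_followup(alerts: list, intel_id: str, age_days: int,
                   retention_days: int = 30) -> str:
    """Secondary step for root intel: escalate while it still has open hits,
    retire it once it has been quiet for the retention window, else keep it."""
    if open_alerts_for_intel(alerts, intel_id):
        return "escalate"
    if age_days >= retention_days:
        return "remove"
    return "keep"


if __name__ == "__main__":
    # Constructed digest standing in for a SHA-256 pulled from endpoint telemetry.
    observed = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
    print(stix_bundle([stix_indicator(observed, "Triage: suspicious dropper")]))
    print(yara_rule(observed, "triage suspicious dropper"))
    print(intel_followup(SAMPLE_ALERTS, "intel-7", age_days=3))   # escalate
```

The hash is validated before any Intel is built, because a malformed digest copied out of a ticket would otherwise produce a STIX pattern or YARA rule that deploys cleanly and silently never matches. The YARA rule hashes the whole file (`hash.sha256(0, filesize)`), which is the right shape for a digest pulled from telemetry but is deliberately narrow; a content-based rule is the usual next step once the sample has been analysed.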
Orchestration and Response
Integration with SOAR platforms is a popular use case for Tanium. You can create workflows to handle alerts from Tanium, or use Tanium to automate evidence gathering and remediation actions directly on the endpoints.
Tanium Threat Response can generate key response actions as part of an investigation. Out of the box this includes Live Response collection, Snapshot generation, File Download, File Delete, and Quarantine. A SOAR platform or a homegrown solution can invoke these actions directly as steps in its playbooks.