Tanium's CCF Push Connector
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
| Attribute | Value |
|---|---|
| Connector ID | TaniumConnector |
| Publisher | Tanium Inc. |
| Used in Solutions | Tanium |
| Collection Method | CCF Push |
| Connector Definition Files | ConnectorDefinition.json |
| CCF Configuration | DataConnector.json |
| CCF Capabilities | Push |
| Ingestion API | Log Ingestion API — CCF Push connectors use DCR-based Log Ingestion API |
| Custom Log V1 Tables | Yes 🔶 — ingests into tables with type-suffixed columns |
This data feeds Microsoft Sentinel workbooks and playbooks so analysts can enrich incidents, visualize endpoint risk and health, and automate investigation and response workflows. For more details about Tanium, head to https://www.tanium.com/contact-us/
Tables Ingested
This connector ingests data into the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
TaniumComplyCompliance_CL 🔶 |
? | ✓ | ? |
TaniumComplyVulnerabilities_CL 🔶 |
? | ✓ | ? |
TaniumDefenderHealth_CL 🔶 |
? | ✓ | ? |
TaniumDiscoverUnmanagedAssets_CL 🔶 |
? | ✓ | ? |
TaniumHighUptime_CL 🔶 |
? | ✓ | ? |
TaniumPatchCoverageStatus_CL 🔶 |
? | ✓ | ? |
TaniumPatchListApplicability_CL 🔶 |
? | ✓ | ? |
TaniumPatchListCompliance_CL 🔶 |
? | ✓ | ? |
TaniumSCCMClientHealth_CL 🔶 |
? | ✓ | ? |
TaniumThreatResponse_CL 🔶 |
? | ✓ | ? |
💡 Tip: Tables with Ingestion API support allow data ingestion via the Azure Monitor Data Collector API, which also enables custom transformations during ingestion.
Permissions
Resource Provider Permissions: - Workspace (Workspace): read and write permissions are required.
Custom Permissions: - Microsoft Entra: Permission to create an app registration in Microsoft Entra ID. - Microsoft Azure: Permission to assign Monitoring Metrics Publisher role on data collection rule (DCR).
Setup Instructions
⚠️ Note: These instructions were automatically generated from the connector's user interface definition file using AI and may not be fully accurate. Please verify all configuration steps in the Microsoft Sentinel portal.
1. Create ARM Resources and Provide the Required Permissions
This connector enables your Tanium Server to push Basic Inventory data directly to Microsoft Sentinel via the Azure Monitor Ingestion API.
Automated Configuration and Secure Data Ingestion with Entra Application
Clicking on "Deploy" will trigger the creation of Log Analytics table and a Data Collection Rule (DCR). It will then create an Entra application, link the DCR to it, and set the entered secret in the application. This setup enables the Tanium data to be sent securely to the DCR using an Entra token. Deploy Tanium data connector resources
2. Configure Tanium Connections
Use the following parameters to configure the your Tanium Connections to push data to the workspace.
- Tenant ID (Directory ID): TenantId
Note: The value above is dynamically provided when these instructions are presented within Microsoft Sentinel. - Entra App Registration Application ID:
ApplicationIdNote: The value above is dynamically provided when these instructions are presented within Microsoft Sentinel. - Entra App Registration Secret:ApplicationSecretNote: The value above is dynamically provided when these instructions are presented within Microsoft Sentinel. - Data Collection Endpoint Uri:DataCollectionEndpointNote: The value above is dynamically provided when these instructions are presented within Microsoft Sentinel. - Data Collection Rule Immutable ID:DataCollectionRuleIdNote: The value above is dynamically provided when these instructions are presented within Microsoft Sentinel. - Compliance Findings Logs Stream Name:Custom-TaniumComplyCompliance- Compliance Vulnerabilities Logs Stream Name:Custom-TaniumComplyVulnerabilities- Defender Health Logs Stream Name:Custom-TaniumDefenderHealth- Discover Unmanaged Assets Health Logs Stream Name:Custom-TaniumDiscoverUnmanagedAssets- High Uptime Logs Stream Name:Custom-TaniumHighUptime- Patch Coverage Status Logs Stream Name:Custom-TaniumPatchCoverageStatus- Patch List Applicability Logs Stream Name:Custom-TaniumPatchListApplicability- Patch List Compliance Logs Stream Name:Custom-TaniumPatchListCompliance- SCCM Client Health Logs Stream Name:Custom-TaniumSCCMClientHealth- Threat Response Alerts Logs Stream Name:Custom-TaniumThreatResponse
3. Create the Connection in Tanium
After you've successfully deployed the data connector in Azure, create the required connection in your Tanium server in the Connect Module. For more information regarding the Connect module see Tanium Help 1. Download the connection import file. 1. Replace the placeholders with the parameters displayed above. 1. In your Tanium Server open the Connect Module. 1. Use the import functionality to import you new connections.
Additional Documentation
📄 Source: Tanium\Data Connectors\README.md
Tanium Data Connector for Microsoft Sentinel
Overview
The Tanium Data Connector deploys the required resources to your Azure instance to enable sending data from Tanium to Sentinel via Logs Ingestion Workspaces. For more information see Tanium Data Connector
Setup Data Flow
Once you have deployed the Data Connector you'll be provided with the configuration values needed for your connections in Tanium. You'll need to create connections using the Tanium Connect Module in your Tanium Server.
[!IMPORTANT]
One of the values that will be displayed after you deploy the connector will be the App Registration secret. Be sure to capture this value before refreshing or navigating away from the page, as you will not be able to access this again since it's a sensitive/secret value.
Use the JSON file found here along with the instructions on the Tanium Help site to setup the necessary connections.
Help
Having issues? See our Tanium Help documentation for common issues, questions and FAQs.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊