Configure Tanium for Arctic Wolf Active Response

With the Active Response service, Arctic Wolf® can perform host-based response actions in your network using Tanium®.

Tanium supports these response actions:
  • Contain a host/Remove from containment

For more information, see Response action descriptions.

Note: Arctic Wolf Active Response only supports Tanium Cloud.

These resources are required:

  • The Content Administrator role for the Tanium environment that you are configuring.
  • A Tanium Threat Response license and configuration on the target devices.
  • A device or environment that Arctic Wolf can use to validate the desired response actions without causing interruptions. Contact your CST to validate the Active Response integration.

Create an Active Response user account

  1. Create a user account using the identity provider (IdP) that your organization integrated with Tanium.
    For more information about the IdPs that Tanium Cloud supports, see Configuring your identity provider for Tanium Cloud.
  2. Create the user account in the Tanium Console.
    Depending on your settings, Tanium may create the account automatically upon first sign-in or you may have to create the account manually. For more information, see Create users.

Configure role assignments for the Active Response user account

For more information, see Configure role assignments for a user.
  1. Sign in to the Tanium Console.
  2. Navigate to Administration > Permissions > Users.
  3. Click the name of the user account that you created in Create an Active Response user account, and then click Edit Mode.
  4. In the Roles section, click Manage Roles.
  5. Select these roles:
    • Gateway User
    • Interact Basic User
    • Threat Response Operator
  6. Click Apply.
  7. In the Computer Groups section, select the Unrestricted Management Rights checkbox.
  8. Click Save.
  9. Sign out of the Tanium Console.

Create a Tanium API token

For more information, see Add API tokens.
  1. Sign in to the Tanium Console using the user account that you created in Create an Active Response user account.
  2. Navigate to Administration > Permissions > API Tokens.
  3. Click New API Token.
  4. Configure these settings:
    • Notes — (Optional) Enter a description for the token.
    • Expiration — Enter the expiration interval in days. The maximum interval is 365 days. If you don't enter a value, the interval is 7 days.
    • Persona — Select the persona that the token is associated with.
    • Trusted IP addresses — Enter the Arctic Wolf Active Response server IP address.

      To see the IP addresses that you must allowlist, sign in to the Arctic Wolf Unified Portal, click Resources > Allowlist Requirements, and then view the IP addresses in the section for Cloud Sensors.

  5. Click Create.
  6. Copy the token value to a safe, encrypted location to provide to Arctic Wolf later.

Provide Tanium Active Response credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Organization Profile > Integrations.
  3. On the Active Response tab, click New Active Response Integration +.
  4. Click Tanium.
  5. On the New Active Response Integration page, configure these settings:
    • Integration Name — Enter a unique and descriptive name for the integration, including the tenant name. For example, <tenant_name> Tanium Active Response Integration.
    • API Base URL — Enter your Tanium Console URL. The URL has the format https://your_instance-api.cloud.tanium.com.
    • API Token — Enter the API token that you created in Create a Tanium API token.
    • Endpoint Offline Timeout (Hours) — Enter the number of hours that Arctic Wolf should continue checking for a command response from Tanium. Tanium recommends one minute for each 50 MB of file size. For more information, see Managing Software.
    • User defined mapping — (Optional) Keep this field blank.
  6. Click Save Integration.
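
The following check is an added example, not part of the Arctic Wolf or Tanium documentation. It validates the values from Create a Tanium API token and Provide Tanium Active Response credentials to Arctic Wolf against the formats stated on this page (the API Base URL format, the 7-day default and 365-day maximum expiration, and IP address entries) before they are entered. The function names and sample values are hypothetical.

```python
from datetime import date, timedelta
from ipaddress import ip_address
from urllib.parse import urlsplit

DEFAULT_EXPIRY_DAYS = 7   # from the page: applied when Expiration is left blank
MAX_EXPIRY_DAYS = 365     # from the page: maximum interval
API_HOST_SUFFIX = "-api.cloud.tanium.com"  # from the page's API Base URL format


def token_expiry(created, expiration_days=None):
    """Return the date on which a token created on `created` expires."""
    days = DEFAULT_EXPIRY_DAYS if expiration_days is None else expiration_days
    if not 1 <= days <= MAX_EXPIRY_DAYS:
        raise ValueError(f"Expiration must be 1-{MAX_EXPIRY_DAYS} days, got {days}")
    return created + timedelta(days=days)


def check_settings(api_base_url, trusted_ips, created, expiration_days=None):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    url = urlsplit(api_base_url.strip())
    host = url.hostname or ""
    if url.scheme != "https":
        findings.append("API Base URL must start with https://")
    # Catches a URL that lacks the "-api" host suffix shown in the page's format.
    if not (host.endswith(API_HOST_SUFFIX) and len(host) > len(API_HOST_SUFFIX)):
        findings.append(f"API Base URL host {host!r} is not <instance>{API_HOST_SUFFIX}")
    if not trusted_ips:
        findings.append("Trusted IP addresses is empty")
    for entry in trusted_ips:
        try:
            if ip_address(entry.strip()).is_unspecified:
                findings.append(f"Trusted IP {entry!r} is a wildcard address")
        except ValueError:
            findings.append(f"Trusted IP {entry!r} is not a valid IP address")
    try:
        expires = token_expiry(created, expiration_days)
        if expiration_days is None:
            findings.append(f"Expiration left blank: token expires on {expires}")
    except ValueError as exc:
        findings.append(str(exc))
    return findings


if __name__ == "__main__":
    # Constructed sample values: placeholder instance name, documentation-range IP.
    for finding in check_settings("https://your_instance.cloud.tanium.com/",
                                  ["203.0.113.10", "10.0.0"], date(2025, 1, 1)):
        print("-", finding)
```

Run it with the creation date of the token to get the expiry date to record for rotation.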