Configure Tanium for Arctic Wolf monitoring

You can configure Tanium® to send the necessary logs to Arctic Wolf® for security monitoring.

These resources are required:

  • Administrator access to the Tanium Console
  • A Tanium license that includes Tanium Threat Response
    Note: For more information about solutions and bundles, see Tanium Solutions & Bundles.

Create a new user

  1. Sign in to your Tanium Console instance with administrator permissions.
    The URL has the format https://your_instance.cloud.tanium.com.
  2. In the navigation menu, click Administration > Users.
  3. Click New User.
  4. On the Create User page, configure these settings:
    • User Name — Enter the name of the user.
    • Computer Groups — Click Manage Computer Groups, clear the No Computers checkbox, select All Computers, and then click Select.
  5. Click Save.
  6. Click Yes.

Create a new role

  1. Sign in to your Tanium Console instance with administrator permissions.
    The URL has the format https://your_instance.cloud.tanium.com.
  2. In the navigation menu, click Administration > Roles.
  3. Click New Role.
  4. On the Create Role page, configure these settings:
    • Role Name — Enter a unique and descriptive name for the role.
    • Permission Type — Select Allow.
  5. In the Permissions section, configure these permissions:
    • Administration > Token - Revoke — Select Special.
    • Administration > Token - Rotate — Select Special.
    • Administration > Token - Use — Select Special.
    • Administration > Token - View — Select Special.
    • Threat Response > Threat Response Alerts — Select Read.
  6. Click Save.
  7. Click Yes.

Create an API token

  1. Sign in to your Tanium Console instance with the new user that you created in Create a new user.
    The URL has the format https://your_instance.cloud.tanium.com.
  2. In the navigation menu, click Administration > API Tokens.
  3. Click New API Token.
  4. On the Create API Token page, configure these settings:
    • Notes — Enter a description for the token.
    • Expiration — Enter the number of days until the token expires, in line with your security governance requirements.
    • Persona — Select the persona that you want to use for the token.
    • Trusted IP Addresses — Enter the appropriate IP addresses for Arctic Wolf cloud sensors.
      Note: To see the IP addresses that you must allowlist, sign in to the Arctic Wolf Unified Portal, click Resources > Allowlist Requirements, and then view the IP addresses in the section for your product.
  5. Click Create.
  6. Click Yes.
  7. In the View API Token window, copy the token to a safe, encrypted location.
    You will provide it to Arctic Wolf later.
  8. Click Close.
    Note: This is the only time that you can view the token. If you lose the token, you will need to create a new one.

Provide Tanium credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Sensors.
  3. Click Add Account +.
  4. On the Add Account page, click Tanium.
  5. Configure these settings:
    • Account Name — Enter a unique and descriptive name for the account.
    • API URL — Enter your Tanium Console URL. The URL has the format https://your_instance-api.cloud.tanium.com.
    • API Token — Enter the API token from Create an API token.
    • Credential Expiry — (Optional) Enter the credential expiration date, if applicable.
  6. Click Test and submit credentials.
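
The Python check below is an added example, not part of the Arctic Wolf or Tanium documentation. It validates the values from the steps above before you submit them: the API URL must use the -api hostname format rather than the console format, each Trusted IP Addresses entry must parse and must not match every address, and the token expiration in days is converted to a date for the Credential Expiry field. The function names, the instance-name pattern, the acceptance of CIDR notation, day counting from the creation date, and all sample values are assumptions constructed for illustration.

```python
import ipaddress
import re
from datetime import date, timedelta

# URL formats are the ones shown on the page; the instance-name pattern is an assumption.
NAME = r"([a-z0-9](?:[a-z0-9-]*[a-z0-9])?)"
API_RE = re.compile(rf"^https://{NAME}-api\.cloud\.tanium\.com/?$", re.I)
CONSOLE_RE = re.compile(rf"^https://{NAME}\.cloud\.tanium\.com/?$", re.I)

def check_api_url(url):
    """Return None when url has the API format, otherwise a problem message."""
    if API_RE.match(url):
        return None
    m = CONSOLE_RE.match(url)
    if m:  # console hostname pasted where the -api hostname belongs
        return f"console URL given; expected https://{m.group(1)}-api.cloud.tanium.com"
    return "API URL must look like https://your_instance-api.cloud.tanium.com"

def check_trusted_ips(entries):
    """Return a problem message for each entry that is invalid or matches everything."""
    problems = []
    for entry in entries:
        try:
            # strict=True rejects ranges with host bits set, e.g. 203.0.113.10/24
            net = ipaddress.ip_network(entry.strip(), strict=True)
        except ValueError as exc:
            problems.append(f"{entry!r}: {exc}")
            continue
        if net.prefixlen == 0:
            problems.append(f"{entry!r}: matches every address, so the token is not restricted")
    return problems

def preflight(api_url, trusted_ips, created, expires_in_days):
    """Return (problems, expiry_date) for one set of token settings."""
    problems = []
    url_problem = check_api_url(api_url)
    if url_problem:
        problems.append(url_problem)
    problems += check_trusted_ips(trusted_ips)
    if expires_in_days <= 0:
        problems.append("Expiration must be a positive number of days")
    # Assumption: expiry is counted in whole days from the creation date.
    return problems, created + timedelta(days=expires_in_days)

if __name__ == "__main__":
    # Constructed sample values (documentation address ranges, hypothetical instance "acme").
    issues, expiry = preflight("https://acme.cloud.tanium.com",
                               ["203.0.113.10", "0.0.0.0/0"], date(2025, 1, 15), 90)
    print("Credential Expiry:", expiry.isoformat())
    for issue in issues:
        print("FIX:", issue)
```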