Tanium

Overview

The Tanium integration syncs endpoints (assets), vulnerabilities, and compliance findings from Tanium into RegScale. It supports both on-premises (REST API v2) and Tanium Cloud (GraphQL API Gateway) deployments with automatic detection.

Prerequisites

RegScale CLI installed and configured (regscale init)
A Tanium API token (generated from the Tanium Console)
Network access to your Tanium server
An existing RegScale Security Plan or Component to sync into

Configuration

Add the following variables to your init.yaml file (created by regscale init):

Variable	Type	Default	Description
`taniumUrl`	string	—	Base URL of your Tanium server
`taniumToken`	string	—	API token for authentication
`taniumTimeout`	int	`30`	Request timeout in seconds
`taniumVerifySsl`	bool	`true`	Verify SSL certificates
`taniumApiType`	string	`"auto"`	API type: `"auto"`, `"rest"`, or `"gateway"`
`taniumIsCloud`	bool	`false`	Force Cloud GraphQL API mode

Example Configuration

On-Premises Tanium:

taniumUrl: "https://tanium.mycompany.com"
taniumToken: "token-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
taniumTimeout: 30
taniumVerifySsl: true
taniumApiType: "auto"
taniumIsCloud: false

Tanium Cloud:

taniumUrl: "https://mycompany-api.cloud.tanium.com"
taniumToken: "token-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
taniumTimeout: 30
taniumVerifySsl: true
taniumApiType: "auto"
taniumIsCloud: true

Note: For Tanium Cloud, use the -api subdomain (e.g., mycompany-api.cloud.tanium.com), not the UI subdomain.

API Type Detection

When taniumApiType is set to "auto" (default), the CLI automatically determines which API to use:

If taniumIsCloud is true → GraphQL API Gateway
If the URL hostname ends with .cloud.tanium.com → GraphQL API Gateway
Otherwise → REST API v2

You can override this by setting taniumApiType to "rest" or "gateway" explicitly.

Commands

Test Connection

Verify that your Tanium credentials and URL are configured correctly.

regscale tanium test_connection

Example output:

Successfully connected to Tanium server (version 7.5.x.xxxx)

Sync Assets

Sync Tanium endpoints into RegScale as assets.

regscale tanium sync_assets --regscale_id <ID> --regscale_module <MODULE>

Parameters:

Parameter	Required	Description
`--regscale_id`	Yes	ID of the RegScale Security Plan or Component
`--regscale_module`	Yes	`"securityplans"` or `"components"`
`--dry-run` / `-dr`	No	Preview counts without syncing data
`--offset`	No	Skip N items (for parallel orchestration)
`--limit`	No	Process at most N items

Examples:

# Sync all Tanium endpoints to a Security Plan
regscale tanium sync_assets --regscale_id 42 --regscale_module securityplans

# Sync to a Component
regscale tanium sync_assets --regscale_id 100 --regscale_module components

# Preview how many assets would be synced
regscale tanium sync_assets --regscale_id 42 --regscale_module securityplans --dry-run

What gets synced:

Each Tanium endpoint is mapped to a RegScale asset with the following fields:

Tanium Field	RegScale Asset Field
Computer Name	Asset Name
IP Address	IP Address
MAC Address	MAC Address
Serial Number	Serial Number
OS Name + Version	Operating System
Manufacturer + Model	Description
Chassis Type / OS hints	Asset Type
Domain + Computer Name	FQDN

Asset type detection is automatic based on device metadata:

Condition	Asset Type
`is_virtual = true`	Virtual Machine (VM)
Chassis = server/rack/blade	Physical Server
Chassis = desktop/tower	Desktop
Chassis = laptop/notebook	Laptop
Chassis = tablet	Tablet
OS contains "server"	Physical Server
Default	Desktop

Sync Findings

Sync vulnerabilities and (optionally) compliance findings from Tanium into RegScale.

regscale tanium sync_findings --regscale_id <ID> --regscale_module <MODULE>

Parameters:

Parameter	Required	Default	Description
`--regscale_id`	Yes	—	ID of the RegScale Security Plan or Component
`--regscale_module`	Yes	—	`"securityplans"` or `"components"`
`--include_compliance` / `--no-include_compliance`	No	`true`	Include compliance findings
`--dry-run` / `-dr`	No	`false`	Preview counts without syncing
`--offset`	No	—	Skip N items
`--limit`	No	—	Process at most N items

Examples:

# Sync vulnerabilities + compliance findings
regscale tanium sync_findings --regscale_id 42 --regscale_module securityplans

# Sync vulnerabilities only (no compliance)
regscale tanium sync_findings --regscale_id 42 --regscale_module securityplans --no-include_compliance

# Preview finding counts
regscale tanium sync_findings --regscale_id 42 --regscale_module securityplans --dry-run

Vulnerability Mapping

Tanium Field	RegScale Field
CVE ID	CVE
Title	Title
Description	Description
Severity / CVSS Score	Severity
CVSS Score	CVSS Score
CVSS Vector	CVSS Vector
Solution	Remediation
Affected Endpoints	Linked Assets

Severity mapping uses a multi-tier approach:

Tanium Severity	RegScale Severity
Critical	Critical
High	High
Medium	Moderate
Low	Low
Informational	Low

If no explicit severity is provided, CVSS score is used as a fallback:

CVSS Score	RegScale Severity
> = 9.0	Critical
> = 7.0	High
> = 4.0	Medium
> 0	Low
0 or N/A	Moderate (default)

Compliance Finding Mapping

Only failing compliance findings are synced (passing checks are skipped).

Tanium Field	RegScale Field
Rule ID	Finding ID
Rule Title	Title
Rule Description	Description
Benchmark + Version	Category context
Fix Text	Remediation
NIST Controls	Control mappings
CCI References	CCI mappings
DISA STIG Category	Severity

DISA STIG severity mapping:

STIG Category	RegScale Severity
CAT I	Critical
CAT II	High
CAT III	Medium

Sync All

Run both asset sync and findings sync in sequence with a single command.

regscale tanium sync_all --regscale_id <ID> --regscale_module <MODULE>

Parameters: Same as sync_findings.

Examples:

# Full sync: assets first, then findings
regscale tanium sync_all --regscale_id 42 --regscale_module securityplans

# Full sync to a component, compliance included
regscale tanium sync_all --regscale_id 100 --regscale_module components

# Full sync, skip compliance
regscale tanium sync_all --regscale_id 42 --regscale_module securityplans --no-include_compliance

Execution order:

sync_assets — creates/updates all Tanium endpoints as RegScale assets
sync_findings — creates vulnerabilities and compliance findings linked to those assets

Automation manager DAG Support

The Tanium integration includes pre-built Automation manager DAGs for scheduled automation.

Available DAGs

DAG	Description
`tanium_sync_assets`	Sync Tanium endpoints on a schedule
`tanium_sync_findings`	Sync vulnerabilities and compliance findings
`tanium_sync_assets_and_findings`	Run both syncs in sequence (assets then findings)

DAG Parameters

Parameter	Required	Default	Description
`regscale_id`	Yes	—	RegScale Security Plan or Component ID
`regscale_module`	No	`"securityplans"`	Target module type
`include_compliance`	No	`true`	Include compliance findings (findings DAGs only)

Architecture

┌──────────────────────────┐
│  regscale tanium <cmd>   │
└────────────┬─────────────┘
             │
             v
┌──────────────────────────┐
│     TaniumScanner        │
│  (ScannerIntegration)    │
└────────────┬─────────────┘
             │
             v
┌──────────────────────────┐
│    TaniumAPIClient       │
│  REST v2  or  GraphQL    │
│  (auto-detected)         │
└────────────┬─────────────┘
             │
             v
┌──────────────────────────┐     ┌──────────────────────────┐
│    Tanium Server         │────>│    Data Models            │
│  - Endpoints             │     │  - TaniumEndpoint         │
│  - Vulnerabilities       │     │  - TaniumVulnerability    │
│  - Compliance Findings   │     │  - TaniumComplianceFinding│
└──────────────────────────┘     └────────────┬─────────────┘
                                              │
                                              v
                                 ┌──────────────────────────┐
                                 │  RegScale API            │
                                 │  - Assets                │
                                 │  - Vulnerabilities       │
                                 │  - Issues                │
                                 └──────────────────────────┘

Troubleshooting

Issue	Cause	Solution
`test_connection` fails with HTML response	URL points to Tanium UI, not API	Use the correct API URL. For Cloud, use the `-api` subdomain
"Invalid object route" error	Cloud deployment using REST instead of GraphQL	Set `taniumApiType: "gateway"` or `taniumIsCloud: true`
SSL certificate errors	Self-signed or internal certificates	Set `taniumVerifySsl: false` (not recommended for production)
No assets returned	Tanium Discover module not enabled	Ensure Tanium Discover (TDS) is active on the server
No vulnerabilities returned	Tanium Comply module not configured	Ensure Tanium Comply is installed and has completed scans
Timeout errors on large environments	Default timeout too low	Increase `taniumTimeout` to `60` or `120`
Rate limit errors (429)	Too many requests	The CLI retries automatically with exponential backoff (3 retries)

Quick Start

# 1. Configure your Tanium credentials
regscale init
# Edit init.yaml with your Tanium URL and token

# 2. Verify connectivity
regscale tanium test_connection

# 3. Preview what will be synced
regscale tanium sync_all --regscale_id 42 --regscale_module securityplans --dry-run

# 4. Run the full sync
regscale tanium sync_all --regscale_id 42 --regscale_module securityplans