Tanium provides endpoint protection for devices such as laptops, desktops, and servers. It uses a client-server architecture in which Tanium agents installed on each endpoint communicate with the Tanium server, which can be deployed on premises or in the cloud. The agents collect data about the processes, network connections, and installed software and report back to the server. The server processes the data and identifies vulnerabilities and security gaps so that the organization can ensure their IT environment is protected and complies with security best practices.

Device Security can integrate through Cortex XSOAR with Tanium to import data about vulnerabilities on IoT devices. The IoT devices must already be in the Device Security inventory and they must be hosting a Tanium agent. (Tanium agents can be installed on AIX, Linux, macOS, Solaris, and Windows endpoints.)

The imported data is then shown on the Vulnerabilities, Devices, and Device Details pages in the Device Security portal. Device Security also updates the risk scores for devices, device profiles, sites, and the organization based on the vulnerabilities that Tanium provides.

Both the cloud-based and on-premises Tanium server provide a GraphQL API that Cortex XSOAR or a Cortex engine accesses over HTTPS.

In Cortex XSOAR, you create an integration instance to connect to the Tanium API and a job to import device details and vulnerabilities to Device Security for devices in its database. You can then see the following data learned from Tanium on the Device Details page and Vulnerabilities page in the Device Security portal:

Integrating with Tanium requires either a full-featured Cortex XSOAR server or the purchase and activation of an Device Security third-party integration add-on license, which comes with a free cohosted Cortex XSOAR instance. The basic plan includes a license for three integration add-ons, one of which can be used for Tanium. The advanced plan includes a license for all supported third-party integrations.