Tanium Connect Manual Upload Guide

How to manually upload Tanium Connect data to the RiskSense platform.

Tanium Connect Manual Upload Overview

The RiskSense platform provides support for manual upload of findings data for endpoints in CSV format created from within the Tanium Connect module. Tanium users can use some of the predefined reports in the Tanium Comply module and generate findings data files for their endpoints that provide information on existing endpoint vulnerabilities (CVEs) along with CVE details.

When using the Tanium Connect module to generate the CSV file, make sure to select Include Endpoint findings and Include CVE details under the Source and Destination section.

The Tanium Connect CSV file uploaded to RiskSense must include the following mandatory columns, as they are used to fingerprint the file as a Tanium file.

  • rowType
  • computerName
  • ipAddress
  • cve

In addition to the columns above, include the following columns in the file to ingest meaningful data on endpoint findings.

  • first_found_date
  • last_found_date
  • score
  • title
  • remediations
  • details

The following table details the CSV file’s Column headers and their corresponding properties.

CSV File’s Column Headers Properties
rowType

populated for all rows

rowType == E maps to the Host Data and rowType == C represents the CVE data

Mandatory field in RiskSense parsing

computerName

Populated only for rows for which rowType == E

Mandatory field in RiskSense parsing

ipAddress

Populated only for rows for which rowType == E

Mandatory field in RiskSense parsing

cve

Populated for all rows

Mandatory field in RiskSense parsing

first_found_date Populated only for rows for which rowType == E
last_found_date Populated only for rows for which rowType == E
score Populated for all rows
title Populated only for rows for which rowType == C
severity Populated only for rows for which rowType == C
attack_vector Populated only for rows for which rowType == C
oval_source Populated only for rows for which rowType == C
oval_definition Populated only for rows for which rowType == C
mitre_link Populated only for rows for which rowType == C
nist_link  Populated only for rows for which rowType == C
secpod_link  Populated only for rows for which rowType == C
solution_links  Populated only for rows for which rowType == C
created_date Populated only for rows for which rowType == C
last_modified_date  Populated only for rows for which rowType == C
remediations  Populated only for rows for which rowType == C
details  Populated only for rows for which rowType == C
criteria  Populated only for rows for which rowType == C
score_mapping  Populated only for rows for which rowType == C
id_mapping  Populated only for rows for which rowType == C

Tanium Connect Manual Upload Criteria

While performing the manual upload in RiskSense, first select the network for the upload. Currently networks can either be IP or hostname based. For Tanium, however, only hostname-based networks are supported. Selecting an IP Address-based network throws the following error message, “Only Hostname Network Allowed”.

Manual Upload Steps

Once logged into the platform, navigate to the Configuration (Settings Menu - Gear - Small) > Uploads page.

Navigation - Configuration - Uploads

In the Get Started window, enter the Upload Name and click Next.

Tanium Manual Upload - Name Upload

Select an assessment to associate with this scan. Either select an available assessment or create a new one. To create a new assessment, click the Create Assessment button. Fill out the fields in the Add a New Assessment window and click Submit. You can now select the new assessment from the list. Select the assessment to associate with this scan from the list and click Next.

Tanium Manual Upload - Select or Create Assessment

Select a network for this scan. Either select an available network or create a new one. This network must be a hostname-based network. To create a new network, click the Create Network button. Fill out the fields in the Add a New Network window and click Submit. You can now select the new network from the list. Select a network from the list (use the search field to find a network) and click Next.

Tanium Manual Upload - Select Hostname-Based Network

On the Upload Files page, there are two ways to add scan files. Either drag and drop the file in the gray Drag files here or click the Select Files button and search for the scan file on your computer. Once the file has been added, click Upload.

Tanium Manual Upload - Upload Files

To start the upload, verify all information is correct and click Start. When parsing succeeds, the status changes to Operation Complete. Once the data successfully parses, Tanium data can be found on the Manage > Hosts and Manage > Host Findings pages in RiskSense.

Tanium Connect Data Mapping in RiskSense

The following table maps the Tanium Connect CSV file to RiskSense fields.

Section RiskSense Field Tanium Connect Field Filters in RiskSense
Hosts Internal field is how RiskSense determines the data type. Used for fingerprinting a Tanium file. rowType N/A
Host Name computerName Host Name
IP Address ipAddress  IP Address
Host Findings Title title Title
Host Name computerName Host Name
IP Address ipAddress IP Address
CVE ID (in the Threats section) cve CVE
Discovered On first_found_date Discovered On
Last Found On last_found_date Last Found On
Scanner Reported Severity score N/A
Description details N/A
Possible Solution remediations N/A