How to manually upload Tanium Connect data to the RiskSense platform.
Tanium Connect Manual Upload Overview
The RiskSense platform provides support for manual upload of findings data for endpoints in CSV format created from within the Tanium Connect module. Tanium users can use some of the predefined reports in the Tanium Comply module and generate findings data files for their endpoints that provide information on existing endpoint vulnerabilities (CVEs) along with CVE details.
When using the Tanium Connect module to generate the CSV file, make sure to select Include Endpoint findings and Include CVE details under the Source and Destination section.
The Tanium Connect CSV file uploaded to RiskSense must include the following mandatory columns, as they are used to fingerprint the file as a Tanium file.
- rowType
- computerName
- ipAddress
- cve
In addition to the columns above, include the following columns in the file to ingest meaningful data on endpoint findings.
- first_found_date
- last_found_date
- score
- title
- remediations
- details
The following table details the CSV file’s Column headers and their corresponding properties.
CSV File’s Column Headers | Properties |
rowType | Populated for all rows; rowType == E maps to the Host Data and rowType == C represents the CVE data; mandatory field in RiskSense parsing |
computerName | Populated only for rows for which rowType == E; mandatory field in RiskSense parsing |
ipAddress | Populated only for rows for which rowType == E; mandatory field in RiskSense parsing |
cve | Populated for all rows; mandatory field in RiskSense parsing |
first_found_date | Populated only for rows for which rowType == E |
last_found_date | Populated only for rows for which rowType == E |
score | Populated for all rows |
title | Populated only for rows for which rowType == C |
severity | Populated only for rows for which rowType == C |
attack_vector | Populated only for rows for which rowType == C |
oval_source | Populated only for rows for which rowType == C |
oval_definition | Populated only for rows for which rowType == C |
mitre_link | Populated only for rows for which rowType == C |
nist_link | Populated only for rows for which rowType == C |
secpod_link | Populated only for rows for which rowType == C |
solution_links | Populated only for rows for which rowType == C |
created_date | Populated only for rows for which rowType == C |
last_modified_date | Populated only for rows for which rowType == C |
remediations | Populated only for rows for which rowType == C |
details | Populated only for rows for which rowType == C |
criteria | Populated only for rows for which rowType == C |
score_mapping | Populated only for rows for which rowType == C |
id_mapping | Populated only for rows for which rowType == C |
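A pre-upload check for the column rules in the table above, as an added example that is not part of the RiskSense or Tanium documentation. It assumes a comma-delimited export with a header row and reads "mandatory" as non-empty on the rows where the table says the column is populated; the function name `check_tanium_csv` and the sample rows are constructed for illustration.

```python
import csv
import io

MANDATORY = ["rowType", "computerName", "ipAddress", "cve"]
RECOMMENDED = ["first_found_date", "last_found_date", "score",
               "title", "remediations", "details"]
# Mandatory columns that must be filled per row type (E = host, C = CVE).
REQUIRED_BY_ROWTYPE = {"E": ["computerName", "ipAddress", "cve"], "C": ["cve"]}

# Constructed sample export; hosts, addresses and CVE text are made up.
SAMPLE = """rowType,computerName,ipAddress,cve,first_found_date,last_found_date,score,title,remediations,details
E,ws-001.example.test,192.0.2.10,CVE-2021-0001,2021-03-01,2021-03-08,7.5,,,
C,,,CVE-2021-0001,,,7.5,Sample title,Apply vendor patch,Sample details
E,,192.0.2.11,CVE-2021-0001,2021-03-02,2021-03-08,7.5,,,
X,ws-003.example.test,192.0.2.12,,,,,,,
"""

def check_tanium_csv(text):
    """Return (errors, warnings) for a Tanium Connect CSV export."""
    errors, warnings = [], []
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    missing = [c for c in MANDATORY if c not in header]
    if missing:
        # The mandatory columns are what fingerprint the file as a Tanium file.
        return ["missing mandatory column(s): " + ", ".join(missing)], warnings
    for col in RECOMMENDED:
        if col not in header:
            warnings.append("recommended column absent: " + col)
    for line_no, row in enumerate(reader, start=2):  # header is line 1
        row_type = (row.get("rowType") or "").strip()
        if row_type not in REQUIRED_BY_ROWTYPE:
            errors.append(f"line {line_no}: rowType must be E or C, got {row_type!r}")
            continue
        for col in REQUIRED_BY_ROWTYPE[row_type]:
            if not (row.get(col) or "").strip():
                errors.append(f"line {line_no}: {col} is empty (rowType {row_type})")
    return errors, warnings

if __name__ == "__main__":
    errs, warns = check_tanium_csv(SAMPLE)
    for msg in errs + warns:
        print(msg)
```

An E row with an empty computerName is worth catching before upload, since Tanium uploads are accepted only into hostname-based networks.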
Tanium Connect Manual Upload Criteria
While performing the manual upload in RiskSense, first select the network for the upload. Currently, networks can be either IP-based or hostname-based. For Tanium, however, only hostname-based networks are supported. Selecting an IP address-based network throws the following error message: “Only Hostname Network Allowed”.
Manual Upload Steps
Once logged into the platform, navigate to the Configuration > Uploads page.
In the Get Started window, enter the Upload Name and click Next.
Select an assessment to associate with this scan. Either select an available assessment or create a new one. To create a new assessment, click the Create Assessment button. Fill out the fields in the Add a New Assessment window and click Submit. You can now select the new assessment from the list. Select the assessment to associate with this scan from the list and click Next.
Select a network for this scan. Either select an available network or create a new one. This network must be a hostname-based network. To create a new network, click the Create Network button. Fill out the fields in the Add a New Network window and click Submit. You can now select the new network from the list. Select a network from the list (use the search field to find a network) and click Next.
On the Upload Files page, there are two ways to add scan files. Either drag and drop the file onto the gray Drag files here area, or click the Select Files button and search for the scan file on your computer. Once the file has been added, click Upload.
To start the upload, verify all information is correct and click Start. When parsing succeeds, the status changes to Operation Complete. Once the data successfully parses, Tanium data can be found on the Manage > Hosts and Manage > Host Findings pages in RiskSense.
Tanium Connect Data Mapping in RiskSense
The following table maps the Tanium Connect CSV file to RiskSense fields.
Section | RiskSense Field | Tanium Connect Field | Filters in RiskSense |
Hosts | Internal field is how RiskSense determines the data type. Used for fingerprinting a Tanium file. | rowType | N/A |
Hosts | Host Name | computerName | Host Name |
Hosts | IP Address | ipAddress | IP Address |
Host Findings | Title | title | Title |
Host Findings | Host Name | computerName | Host Name |
Host Findings | IP Address | ipAddress | IP Address |
Host Findings | CVE ID (in the Threats section) | cve | CVE |
Host Findings | Discovered On | first_found_date | Discovered On |
Host Findings | Last Found On | last_found_date | Last Found On |
Host Findings | Scanner Reported Severity | score | N/A |
Host Findings | Description | details | N/A |
Host Findings | Possible Solution | remediations | N/A |