Configuring Tanium Connect

If you did not install Connect with the Apply All Tanium recommended configurations option, you must enable and configure certain features.

No default settings are configured for Connect.

Configure Connect

Configure a file share mount

Connect can write consumable files to disk. You can configure the Module Server to copy these files to a Common Internet File System (CIFS) or Network File System (NFS) share on a file server, or to an internal share on the appliance itself. An internal share is a directory that the tancopy user can access using SFTP. For more information about configuring a file share, see Tanium Appliance Deployment Guide: Configure solution module file share mounts.

Configure settings

You can configure the following settings for Connect in the Configuration tab of the Connect Settings:

Connection Run Log Expiration

Number of days before connection run logs are removed.

Connect Service Log Level

Log level for the Connect service logs.

Default Workbench Time Zone

Time zone that is used by default by the Connect workbench.

Internal IPs

When enabled, allow any user to run connections to destinations in the following subnets, which cover RFC 1918 private space, the loopback range, and the link-local range:

  • 10.0.0.0/8
  • 127.0.0.0/8
  • 169.254.0.0/16
  • 172.16.0.0/12
  • 192.168.0.0/16

Leave this setting disabled unless a destination actually lives in one of these ranges. Once enabled, it also permits connections to the loopback addresses of the host that runs Connect (127.0.0.0/8) and to link-local addresses (169.254.0.0/16), not only to servers on your private networks. For more information, see Test connections.
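The following is an added example, not Tanium code, that checks whether a planned connection destination falls inside the Internal IPs subnets listed above. It only inspects IP literals (a hostname would have to be resolved first), and it unwraps IPv4-mapped IPv6 literals such as ::ffff:127.0.0.1 so that a loopback or private address written in that form is still recognised. The sample destinations at the bottom are constructed for illustration.

```python
import ipaddress

# The five subnets listed for the Internal IPs setting, taken from the page.
INTERNAL_SUBNETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8",        # RFC 1918 private
    "127.0.0.0/8",       # loopback: the host running Connect itself
    "169.254.0.0/16",    # link-local
    "172.16.0.0/12",     # RFC 1918 private
    "192.168.0.0/16",    # RFC 1918 private
)]


def literal_address(host):
    """Parse a destination host as an IP literal.

    Returns an IPv4Address or IPv6Address, or None for a hostname (which
    would have to be resolved before it can be checked). IPv4-mapped IPv6
    literals such as ::ffff:127.0.0.1 are unwrapped to the embedded IPv4
    address so they cannot slip past an IPv4-only subnet check.
    """
    host = host.strip("[]")  # accept bracketed IPv6 literals as written in URLs
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def matching_subnet(host):
    """Return the Internal IPs subnet (as a string) that contains host, or None."""
    addr = literal_address(host)
    if addr is None:
        return None
    for net in INTERNAL_SUBNETS:
        if addr.version == net.version and addr in net:
            return str(net)
    return None


def check_destinations(hosts, internal_ips_enabled):
    """Classify each destination host under the Internal IPs setting.

    Returns a dict mapping host -> "allowed", "blocked: <subnet>" or
    "needs resolution" (hostnames are not resolved here, so the check is
    only conclusive for IP literals).
    """
    verdicts = {}
    for host in hosts:
        if literal_address(host) is None:
            verdicts[host] = "needs resolution"
            continue
        net = matching_subnet(host)
        if net is None or internal_ips_enabled:
            verdicts[host] = "allowed"
        else:
            verdicts[host] = "blocked: " + net
    return verdicts


if __name__ == "__main__":
    # Constructed sample destinations, not taken from the page.
    sample = ["10.20.30.40", "8.8.8.8", "::ffff:127.0.0.1", "169.254.169.254",
              "siem.example.com", "[fe80::1]"]
    for host, verdict in check_destinations(sample, internal_ips_enabled=False).items():
        print(f"{host:20} {verdict}")
```

Note that the listed subnets are all IPv4, so an IPv6 link-local destination such as fe80::1 is not matched by them; the example reports it as allowed because the page lists no IPv6 ranges.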

Memory Ceiling

The global maximum total memory (GB) for all simultaneously running connections. This defaults to 8 GB. The per-connection Memory Ceiling (by default, 1 GB) cannot exceed the global Memory Ceiling. Increase this setting when you have one or more demanding connections that frequently fail with out-of-memory errors while running.

If the sum of the Memory Ceiling values of simultaneously scheduled connections exceeds the global Memory Ceiling, connections run until the global Memory Ceiling is reached; any remaining connections then enter a waiting queue if the Queue Connections setting is selected, or fail if it is cleared.

Process Count Limit

Specify how many scheduled connections can run simultaneously, each with its own dedicated background process. This setting gives you better control over how many simultaneously running connections you want to allow in your environment. Set to 0 to allow unlimited simultaneous connections.

Queue Connections

Option to queue additional scheduled connections when the maximum memory or process count is reached. If this setting is not enabled, any connection beyond the specified maximum values that attempts to run fails.
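To make the interaction between Memory Ceiling, Process Count Limit and Queue Connections concrete, here is an added toy model of one scheduling pass. It is not Tanium's scheduler: the page does not say in what order connections are admitted, so the model assumes strict list order and that once one connection has to wait, every later one waits too. The connection names and ceilings are constructed.

```python
from collections import namedtuple

# A scheduled connection and its per-connection Memory Ceiling in GB
# (None means "use the default of 1 GB").
Connection = namedtuple("Connection", "name memory_ceiling_gb")


class ConnectScheduler:
    """Toy model of one scheduling pass under the settings described above.

    Assumptions not stated on the page: admission is strictly in list order,
    and once a connection has to wait, every later one waits too (FIFO).
    """

    def __init__(self, global_ceiling_gb=8.0, default_ceiling_gb=1.0,
                 process_count_limit=0, queue_connections=True):
        if default_ceiling_gb > global_ceiling_gb:
            raise ValueError("per-connection Memory Ceiling cannot exceed the global Memory Ceiling")
        self.global_ceiling_gb = global_ceiling_gb
        self.default_ceiling_gb = default_ceiling_gb
        self.process_count_limit = process_count_limit  # 0 = unlimited
        self.queue_connections = queue_connections

    def ceiling_for(self, conn):
        """Effective Memory Ceiling of a connection; must not exceed the global one."""
        ceiling = (conn.memory_ceiling_gb if conn.memory_ceiling_gb is not None
                   else self.default_ceiling_gb)
        if ceiling > self.global_ceiling_gb:
            raise ValueError(f"{conn.name}: per-connection ceiling {ceiling} GB "
                             f"exceeds global {self.global_ceiling_gb} GB")
        return ceiling

    def schedule(self, connections):
        """Return (running, waiting, failed) name lists for one pass."""
        running, waiting, failed = [], [], []
        reserved_gb = 0.0
        admitting = True
        for conn in connections:
            ceiling = self.ceiling_for(conn)
            memory_ok = reserved_gb + ceiling <= self.global_ceiling_gb
            process_ok = (self.process_count_limit == 0
                          or len(running) < self.process_count_limit)
            if admitting and memory_ok and process_ok:
                running.append(conn.name)
                reserved_gb += ceiling
            else:
                admitting = False  # FIFO: nothing later jumps the queue (assumption)
                (waiting if self.queue_connections else failed).append(conn.name)
        return running, waiting, failed


# Constructed sample: four scheduled connections whose ceilings sum to 10 GB,
# more than the 8 GB default global Memory Ceiling.
SAMPLE_BATCH = [Connection("splunk-hec", 4.0), Connection("siem-syslog", 3.0),
                Connection("s3-export", 2.0), Connection("email-digest", None)]

if __name__ == "__main__":
    for queue in (True, False):
        s = ConnectScheduler(global_ceiling_gb=8.0, queue_connections=queue)
        print(f"Queue Connections={queue}:", s.schedule(SAMPLE_BATCH))
    print("Process Count Limit=1:", ConnectScheduler(process_count_limit=1).schedule(SAMPLE_BATCH))
```

With the sample batch, the first two connections reserve 7 GB, the 2 GB connection no longer fits under 8 GB, and it and everything after it either queue or fail depending on Queue Connections; setting Process Count Limit to 1 stops admission after the first connection regardless of memory.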

Configure cloud egress rules

Before your connections can successfully send data to a destination, your Tanium Cloud instance, CMP network egress allow list, and network allow list must be configured. Note the following:

  • Sign in to the CMP and configure a network egress allow list rule for each destination fully qualified domain name (FQDN) and associated port. For more information on configuring the network egress allow list, see Tanium Cloud Deployment Guide: Configuring network egress allow list rules in the CMP.
  • You must associate a port used for non-HTTPS destinations with only one FQDN. If multiple FQDNs are associated with the same port, traffic does not route correctly.
  • TCP traffic that does not use Server Name Indication (SNI) is limited to one destination per port. For example, SQL traffic and SMTP traffic do not use SNI.
  • TCP traffic is not supported for the following ports: 22, 25, 111, 3128, 3129, 3130, 4000, 5000, 6000, 9100, 9301, 9302, 9901, and 9902.
  • UDP traffic is not supported.
  • Your Tanium Cloud instance has a proxy cluster with 2 public IP addresses. If a destination is in your network, add inbound traffic from these IP addresses to your network allow list.

For more information, including restrictions on FQDNs and ports, see Tanium Cloud Deployment Guide: Network egress. For assistance, contact Tanium Support.
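The rules above are easy to get wrong when several destinations share a port, so here is an added pre-check (not a Tanium tool) that validates a planned set of egress allow-list rules against the constraints the page states: no UDP, none of the listed unsupported TCP ports, and at most one non-SNI destination per port. Whether a rule carries SNI is something you supply per destination; the rule set at the bottom is constructed for illustration.

```python
from collections import namedtuple

# Ports the page lists as unsupported for TCP egress.
UNSUPPORTED_TCP_PORTS = {22, 25, 111, 3128, 3129, 3130, 4000, 5000, 6000,
                         9100, 9301, 9302, 9901, 9902}

# One planned allow-list rule: destination FQDN, port, "tcp"/"udp", and whether
# the traffic carries TLS Server Name Indication (True for HTTPS; False for
# plain SQL, SMTP, syslog and the like).
Rule = namedtuple("Rule", "fqdn port protocol sni")


def validate_egress_rules(rules):
    """Return a list of problems with a planned set of egress allow-list rules.

    Checks: no UDP, no unsupported TCP ports, and at most one non-SNI FQDN
    per port (without SNI the proxy cannot tell two destinations apart on
    the same port, so the traffic does not route correctly).
    """
    problems = []
    non_sni_owner = {}  # port -> first non-SNI FQDN seen on that port
    for r in rules:
        where = f"{r.fqdn}:{r.port}/{r.protocol}"
        if r.protocol.lower() != "tcp":
            problems.append(f"{where}: only TCP is supported (UDP traffic is not)")
            continue
        if r.port in UNSUPPORTED_TCP_PORTS:
            problems.append(f"{where}: TCP port {r.port} is not supported")
        if not r.sni:
            owner = non_sni_owner.setdefault(r.port, r.fqdn)
            if owner != r.fqdn:
                problems.append(
                    f"{where}: port {r.port} already carries non-SNI traffic to {owner}; "
                    f"use a different port for one of them")
    return problems


# Constructed example rule set, not from the page.
PLANNED_RULES = [
    Rule("hec.splunk.example.com", 8088, "tcp", True),    # HTTPS with SNI: fine
    Rule("syslog.example.com", 601, "tcp", False),        # plain TCP syslog, alone on 601: fine
    Rule("db1.example.com", 1433, "tcp", False),          # SQL: first non-SNI FQDN on 1433
    Rule("db2.example.com", 1433, "tcp", False),          # SQL: collides with db1 on 1433
    Rule("smtp.example.com", 25, "tcp", False),           # port 25 is unsupported
    Rule("collector.example.com", 514, "udp", False),     # UDP is unsupported
]

if __name__ == "__main__":
    for p in validate_egress_rules(PLANNED_RULES):
        print("-", p)
```

Run it before you submit the rules in the CMP; each reported line corresponds to one of the restrictions above, and the fix for a port collision is to move one of the non-SNI destinations to its own port.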

Configure email server profile settings for Microsoft 365

If you want to configure a connection destination to send email using Microsoft 365, you must first configure an email server profile. Note the following:

  • For a walkthrough of configuration prerequisites, Microsoft Azure configuration, email server profile configuration, and connection configuration, see Tanium Community: Use Tanium Connect to Send Microsoft Office 365 Emails using Modern Authentication.
  • You must have a Microsoft 365 Outlook email address associated with a Microsoft Entra ID user. Microsoft Entra ID was previously known as Microsoft Azure Active Directory or Microsoft Azure AD.

  • You must create a Microsoft Entra ID application and service principal. For more information, see Microsoft Azure documentation: Create an Azure Active Directory application and service principal that can access resources.

    • You must also generate a Microsoft Entra ID application client secret. For more information, see Microsoft Azure documentation: Option 2: Create a new application secret.
    • You must also assign the Mail.Send and User.Read permissions to the application. With these permissions, the application can send emails with attachments up to a total of 3 MB. For more information, see Microsoft Azure documentation: Assign a role to the application.

      If a connection run generates no data, no email is sent. However, if you select a saved question source and clear Hide No Results, an email is sent per connection run, regardless of whether data is available.

    • To send emails with attachments greater than 3 MB and up to 150 MB (subject to your Microsoft 365 attachment settings), assign the Mail.ReadWrite permission to the Microsoft Entra ID application. If you assign this permission, you must also allow traffic to outlook.office.com and outlook.office365.com over port 443/TCP.

      For the best results, create an Exchange Online application access policy that limits the Microsoft Entra ID application to the single From User mailbox. This matters most with Mail.ReadWrite, but note that Mail.Send is also an application permission that is not scoped to a mailbox by default, so without an access policy the application can send as any user in the tenant. For more information, see Microsoft Graph documentation: Limiting application permissions to specific Exchange Online mailboxes.
  • The Email (O365) destination requires an email server profile. The Email (SMTP) destination does not require an email server profile.

    • Configuring an email server profile requires the Email Config Write permission. Sending an email requires the user who configures the connection to have permission to the content set to which you assign the email server profile.

    If you delete an email server profile configuration that is referenced by a scheduled connection, future scheduled instances of that connection fail. For more information, see Issue: Emails using Microsoft 365 fail to send.

  • The email server profile authenticates to login.microsoftonline.com and then sends mail through the graph.microsoft.com host, both over port 443/TCP. If you want to change the host from graph.microsoft.com, contact Tanium Support.

  • Configure a CMP network egress allow list rule for the following Microsoft 365 URLs to enable access for Microsoft 365 mail resources:

  • Configure your network allow list to allow traffic outbound from your Tanium Module Server to the following Microsoft 365 URLs and enable access for Microsoft 365 mail resources:

For more information, see Configuring email destinations using Microsoft 365.

  1. From the Connect Overview page, click Settings, then click the Email Destination Settings tab.

  2. Click Create Email Profile.

  3. Enter a profile display Name and Description.

  4. Enter the Microsoft Azure Tenant ID in hexadecimal UUID format. For more information, see Microsoft Azure documentation: How to find your Azure Active Directory tenant ID.

  5. Enter the Microsoft Azure application Client ID in hexadecimal UUID format. For more information, see Microsoft Azure documentation: Sign in to the application.

  6. Enter the Microsoft Azure application Client Secret. For more information, see Microsoft Azure documentation: Option 2: Create a new application secret.

  7. Enter a Microsoft Entra ID (formerly Azure Active Directory) user's User Principal Name attribute or Object ID as the From User (Principal Name or ID). Emails sent using this email server profile display this user in the From field. For more information, see Microsoft Azure documentation: Add or update a user's profile information and settings.
  8. To verify your configuration, enter an email address in the Send a Test Email field, then click Send Test Email. An email from the configured From User with the subject Tanium Connection Test is sent to this email address. If the email arrives in that inbox within a few minutes, move on to the next step. Otherwise, check the following:

    • Check the recipient's spam folder and deleted items folder to see if a rule redirected the email away from the inbox.

    • Check the sender's sent items folder to verify that the email was generated and sent.

    • Check that your email server profile settings are correct, including the Tenant ID, Client ID, and Client Secret.

    • Check that your CMP network egress allow list contains properly configured rules for graph.microsoft.com, login.microsoftonline.com, and outlook.office.com.

    • Verify that your network allow list contains properly configured rules for graph.microsoft.com, login.microsoftonline.com, and outlook.office.com.

  9. From the Content Set drop-down list, select the content set to which this email server profile belongs.

    Ensure that users configuring connections using this email server profile can access this content set.

  10. Click Create.
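When the test email in step 8 does not arrive, it helps to know what the profile does on the wire. The following is an added example, not Tanium's implementation, that performs the two calls the page names: a token request to login.microsoftonline.com and a sendMail call to graph.microsoft.com, both over 443/TCP. It assumes the Tenant ID, Client ID and Client Secret are used in an OAuth 2.0 client-credentials grant (the page does not name the grant type), and it enforces the 3 MB inline attachment limit from the permissions notes; larger attachments need a Graph upload session, which is why the page ties them to Mail.ReadWrite. The tenant, client and address values at the bottom are placeholders.

```python
import base64
import json
import urllib.parse
import urllib.request

TOKEN_HOST = "login.microsoftonline.com"   # authentication host named on the page
GRAPH_HOST = "graph.microsoft.com"         # mail host named on the page
INLINE_ATTACHMENT_LIMIT = 3 * 1024 * 1024  # 3 MB total with Mail.Send only (page)


def build_token_request(tenant_id, client_id, client_secret):
    """URL and form fields for an OAuth 2.0 client-credentials token request.

    Assumption: the profile's Tenant ID / Client ID / Client Secret are used
    in this flow; the page does not name the grant type.
    """
    url = f"https://{TOKEN_HOST}/{tenant_id}/oauth2/v2.0/token"
    fields = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"https://{GRAPH_HOST}/.default",  # uses the app's granted Mail.Send
    }
    return url, fields


def build_sendmail_request(from_user, to_address, subject, text, attachments=()):
    """URL and JSON payload for Graph's sendMail action as the From User.

    from_user is the UPN or object ID entered in the profile. attachments is
    an iterable of (filename, bytes); their total must stay within the 3 MB
    inline limit, beyond which Graph needs an upload session (Mail.ReadWrite).
    """
    total = sum(len(data) for _, data in attachments)
    if total > INLINE_ATTACHMENT_LIMIT:
        raise ValueError(f"attachments total {total} bytes; over 3 MB requires Mail.ReadWrite")
    message = {
        "subject": subject,
        "body": {"contentType": "Text", "content": text},
        "toRecipients": [{"emailAddress": {"address": to_address}}],
        "attachments": [
            {"@odata.type": "#microsoft.graph.fileAttachment",
             "name": name,
             "contentBytes": base64.b64encode(data).decode("ascii")}
            for name, data in attachments
        ],
    }
    url = f"https://{GRAPH_HOST}/v1.0/users/{urllib.parse.quote(from_user)}/sendMail"
    # saveToSentItems keeps a copy in the sender's Sent Items, which is what
    # the troubleshooting step above tells you to check.
    return url, {"message": message, "saveToSentItems": True}


def send_test_email(tenant_id, client_id, client_secret, from_user, to_address):
    """Perform both HTTPS calls. Returns the Graph status code (202 on success)."""
    url, fields = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode())
    with urllib.request.urlopen(req) as resp:
        token = json.load(resp)["access_token"]
    url, payload = build_sendmail_request(
        from_user, to_address, "Tanium Connection Test",
        "Test message sent with the email server profile.")
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Placeholder values; substitute your own profile settings and call
    # send_test_email(...) to exercise the real endpoints.
    url, fields = build_token_request("00000000-0000-0000-0000-000000000000",
                                      "11111111-1111-1111-1111-111111111111",
                                      "<client secret>")
    print(url, sorted(fields))
    url, payload = build_sendmail_request("connect@example.com", "you@example.com",
                                          "Tanium Connection Test", "hello")
    print(url, json.dumps(payload)[:80])
```

A failure at the first call (HTTP 400 or 401 from login.microsoftonline.com) points at the Tenant ID, Client ID or Client Secret; a failure at the second call (403 from graph.microsoft.com) points at missing Mail.Send consent or an access policy that excludes the From User; no response at all points at the egress or network allow lists for the two hosts.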

Set up Connect users

You can use the following set of predefined user roles to set up Connect users.

To review specific permissions for each role, see User role requirements.

On installation, Connect creates a Connect user to automatically manage the Connect service account. Do not edit or delete the Connect user.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Connect Administrator

Assign the Connect Administrator role to users who manage the configuration of Connect.
This role can perform the following tasks:

  • Configure Connect settings, including resource allocation and logging
  • View, run, and create connections
  • Take ownership of connections owned by other users
  • Edit and delete owned connections
  • Access the Connect REST API

Connect Operator

Assign the Connect Operator role to users who manage the configuration of Connect.
This role can perform the following tasks:

  • Configure some Connect settings, including resource allocation and logging
  • View, run, and create connections
  • Take ownership of connections owned by other users
  • Edit and delete owned connections
  • Access the Connect REST API

Connect User

Assign the Connect User role to users who work with connections.
This role can perform the following tasks:

  • Create connections
  • View, run, edit, and delete owned connections

Do not assign the Connect Service Account, Email Service Account, or Email Service Account - All Content Sets roles to users. These roles are for internal purposes only.