Managing whitelisted URLs

Tanium as a Service deployments include a customer-specific proxy server that whitelists the destinations that are required for Tanium modules to work. To request additional whitelist entries, consult your Technical Account Manager (TAM).

The URL expressions that you configure on the Administration > Whitelisted URLs page control how the Tanium Server handles file downloads that the Tanium Client requests from Internet URLs. When the Tanium Client executes content (such as action packages or sensors), the script associated with that content might request a file from an Internet URL. The Tanium Client API uniquely identifies the download by URL, including file name. For security, the Tanium Client sends a message to the Tanium Server, which checks the requested URL against its lists of package file URLs and whitelisted URLs. The package file URLs are known URLs that the package author specified. You use the whitelisted URLs to account for dynamic URLs, such as URLs that a Tanium Client script computed. If the URL does not match either list, the request fails.

The first time the Tanium Server handles a Tanium Client file download request that passes the whitelisted URL check, the server downloads the file and stores a temporary package file and metadata so that it can distribute the file to endpoints (see Tanium Client User Guide: File distribution). The whitelisted URLs configuration includes settings that affect how often the Tanium Server checks for changes to the requested URL files and how often the server clears temporary files.

You must be assigned a role with the Write Whitelisted URLs (micro admin) permission to create, modify, or delete the whitelisted URLs configurations. Users that are assigned to the Administrator reserved role have this permission.

Add whitelisted URLs

  1. From the Main menu, selectConsole > Administration > Whitelisted URLs.
  2. Configure the following settings.
  3. URL/regular expression Specify a URL. You can use a regular expression to whitelist multiple files from a base URL. For example, to whitelist any download from, use the following regex:


    Note that the value is case sensitive. For example, the regex https\:\/\/192\.0\.2\.1\/abc\.csv whitelists but not The regex to whitelist both files is https\:\/\/192\.0\.2\.1\/abc|ABC\.csv.

    When a Tanium Client initiates a download that passes this check, the Tanium Server downloads the file so that it can distribute it to Tanium Clients through the linear chain.

    Download Interval Specify an interval at which the Tanium Server checks the URL for changes to the requested file. The default is every 6 hours. If the check indicates there are changes to the file, the Tanium Server updates its copy of the file and restarts the "expiration" clock. For URLs that are specified regular expression, a timer is maintained for each match.

    Specify the interval for clearing stale packages. The default is seven days. This means that the Tanium Server deletes files that it has not downloaded and that Tanium Clients have not requested in the past seven days. If a Tanium Client subsequently requests the URL, the Tanium Server downloads it again and resumes the update checks. For URLs that you specify with a regular expression, the Tanium Server maintains a timer for each match.

  4. Save the configuration.

Import or export a whitelisted URLs configuration

You can use the import and export features to facilitate migration from a lab environment to a production environment.

Export specific configurations

  1. Select one or more rows in the table and click Export in the toolbar above the table header.
  2. Enter a File Name or accept the default, and then click OK. The Tanium Server exports the JSON file to the Downloads folder on the system you use to access the Tanium Console.

Export the complete whitelisted URLs configuration

  1. Click Export All in the table header.

    Alternatively, or if you want to export other configuration objects in addition to whitelisted URLs, go to any Console > Content or Console > Permissions page, click Export Content at the top right of the Tanium Console, select Whitelisted URLs and any other object types, select the Export Format (JSON or XML), and click Export.

  2. Enter a File Name or accept the default, and then click OK. The Tanium Server exports the JSON file to the Downloads folder on the system you use to access the Tanium Console.

Import a configuration

You can import files that are in JSON or XML format.

  1. Digitally sign the content file and ensure a public key is in place to validate the signature, as described under Authenticating content files.
  2. From the Main menu, select any Console > Content or Console > Permissions page and click Import Content at the top right of the page.
  3. Click Choose File, find and select the configuration file, and click Open.
  4. Click Import. If object names in the file are the same as for existing objects, the Tanium Console itemizes the conflicts and provides resolution options for each one.
  5. Select resolutions for any conflicts. For guidance, see Conflicts and Best practices, or consult your TAM.
  6. Click Import again, and click Close when the import finishes.