About Tanium
Tanium is an endpoint management and security platform. This integration connects Serval to your Tanium Cloud instance so workflows can query and act on your endpoints across ten Tanium modules - Core Platform, Asset, Comply, Connect, Deploy, Enforce, Integrity Monitor, Patch, Reputation, and Threat Response - all through a single connection. The integration supports Tanium Cloud only and is currently marked Beta in the Serval connect UI. Authentication: API token (Tanium Cloud). An admin supplies the customer-specific Tanium Cloud API domain and a Tanium API token; Serval stores the token encrypted and attaches it to every request on your behalf. Serval only ever sends the token to your own Tanium Cloud API host. Data sync: On-demand only. There is no background sync, entity ingestion, or scheduled data pull - workflows call Tanium live when they run, and credentials are injected server-side so workflow code never handles your token.What the Tanium integration enables
One connection unlocks a dedicated API request action for each Tanium module. Each action targets its module’s API directly, so workflow builders pick the module by action and never deal with module-specific URLs.| Module | Workflow action | What it covers |
|---|---|---|
| Core Platform | Tanium Platform API request | Platform-level operations - sessions, users, questions, sensors, packages, actions, and computer groups. |
| Asset | Tanium Asset API request | Asset inventory queries - assets, attributes, and views. |
| Comply | Tanium Comply API request | Compliance benchmarks, custom checks and profiles, exceptions, and vulnerability data. |
| Connect | Tanium Connect API request | Data export connections, destinations, and connection runs. |
| Deploy | Tanium Deploy API request | Software packages, deployment templates, and deployments. |
| Enforce | Tanium Enforce API request | Policies, enforcements, antimalware scans, and device classes. |
| Integrity Monitor | Tanium IM API request | File integrity monitors and endpoint labels. |
| Patch | Tanium Patch API request | Patch lists, scan configurations, maintenance windows, and deployments. |
| Reputation | Tanium Reputation API request | File hash reputation lookups. |
| Threat Response | Tanium TR API request | Alerts, intel, live response, snapshots, and quarantine operations. |
Get your credentials
You need two things: your Tanium Cloud API domain (in the form<customer>-api.cloud.tanium.com) and a Tanium API token created in the Tanium Console, scoped through a persona or role that grants the module permissions your workflows will use. Tanium’s official guide is the API tokens page in the Console User Guide (also available in the Tanium Cloud Console bundle).
Set up a least-privilege persona (recommended)
Create a role under Administration > Permissions > Roles that covers the Tanium modules your workflows will call, and assign it to a persona under Administration > Permissions > Personas.
Create the API token
Go to Administration > Permissions > API Tokens and create a new API token. Add notes, choose the persona, and set an expiration.
The expiration defaults to 7 days; the maximum is 365 days. Pick a duration that matches how often you are willing to rotate the token in Serval.
Set trusted IP addresses
Tanium rejects API token use from addresses outside the token’s trusted IP list, so the token must permit the IPs Serval calls from. A token that works from your own machine can still fail from Serval if this list is too narrow.
Connect in Serval
Open the Tanium connect form
In Serval, choose to connect Tanium. The integration is labeled Beta in the connect UI.
Enter the API Domain
The API Domain field is required (marked with an asterisk). Enter the bare hostname only, for example
acme-api.cloud.tanium.com. The field’s helper text reads “Your Tanium Cloud API domain (e.g. acme-api.cloud.tanium.com). Do not include https://.” Leaving it empty shows “This field is required”. A value that is not a Tanium Cloud API hostname - including any https:// prefix, path, or trailing slash - is rejected at submit with “Failed to install integration: Invalid API domain: invalid API domain format: expected <customer>-api.cloud.tanium.com”.Enter the API Token
Paste the token you copied from the Tanium Console into this password field (also marked required). The helper text reads “A Tanium API token (session token) with the permissions required for the workflows you plan to run.” There is no format check on this field.
Serval does not test the token when you save - a mistyped, expired, or IP-restricted token is accepted at save time and only surfaces when the health check runs. Run it right after connecting (see below).
Verifying the connection
Serval runs one health check for Tanium:- Test Tanium Connection - verifies the stored API token authenticates against your Tanium Cloud API domain by looking up the current session on the Core Platform API. On success it reports “Successfully authenticated with Tanium Cloud”. On failure: “Unable to connect to Tanium. Please verify your API token and API domain (e.g. acme-api.cloud.tanium.com) are correct.”
Gotchas and troubleshooting
Tanium Cloud only - on-prem servers are not supported
Tanium Cloud only - on-prem servers are not supported
The API Domain must match
<customer>-api.cloud.tanium.com. Self-hosted or on-prem Tanium Server addresses fail validation at connect time, and Serval’s outbound host allow-list only permits customer-specific Tanium Cloud API subdomains, so other hosts are unreachable from workflows as well.Enter the bare hostname - no https://, path, or trailing slash
Enter the bare hostname - no https://, path, or trailing slash
The API Domain field takes a hostname only. Including
https://, a path, or a trailing slash fails validation with “Failed to install integration: Invalid API domain: invalid API domain format: expected <customer>-api.cloud.tanium.com”. The helper text says “Do not include https://.”API tokens expire - the console default is 7 days
API tokens expire - the console default is 7 days
Tanium API tokens default to a 7-day expiration in the console UI (maximum 365 days), and Serval does not auto-refresh them. When the token expires or is revoked in Tanium, the “Test Tanium Connection” check fails until an admin replaces the token. Set an expiration that matches your rotation cadence.
Trusted IP addresses can silently block the token
Trusted IP addresses can silently block the token
Tanium rejects API token use from addresses outside the token’s trusted IP list. A token that works when you test it yourself can still fail from Serval. Make sure the token’s trusted IP settings allow the addresses Serval calls Tanium from.
Token permissions gate each module
Token permissions gate each module
The token inherits its persona and role permissions. A token that passes the connection test can still get authorization errors from module actions (Patch, Threat Response, Comply, and others) it lacks permissions for. Grant the role permissions for every Tanium module your workflows call.
Rotating the API token
Rotating the API token
Open the connection settings, click Replace next to the masked token value, paste the complete new token, and save. The API Domain is pre-filled and only changes if you edit it. Saving with the token field untouched or blank keeps the previously stored token.
Beta integration
Beta integration
The Tanium integration is marked Beta in the Serval connect UI. Behavior and coverage may change as it matures.
Need help? Contact support@serval.com for assistance with your Tanium integration.