> ## Documentation Index
> Fetch the complete documentation index at: https://docs.serval.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Tanium

> Connect Serval to your Tanium Cloud instance to automate endpoint management across ten Tanium modules, from asset inventory to patching and threat response.

## About Tanium

Tanium is an endpoint management and security platform. This integration connects Serval to your Tanium Cloud instance so workflows can query and act on your endpoints across ten Tanium modules - Core Platform, Asset, Comply, Connect, Deploy, Enforce, Integrity Monitor, Patch, Reputation, and Threat Response - all through a single connection. The integration supports Tanium Cloud only and is currently marked **Beta** in the Serval connect UI.

**Authentication:** API token (Tanium Cloud). An admin supplies the customer-specific Tanium Cloud API domain and a Tanium API token; Serval stores the token encrypted and attaches it to every request on your behalf. Serval only ever sends the token to your own Tanium Cloud API host.

**Data sync:** On-demand only. There is no background sync, entity ingestion, or scheduled data pull - workflows call Tanium live when they run, and credentials are injected server-side so workflow code never handles your token.

## What the Tanium integration enables

One connection unlocks a dedicated API request action for each Tanium module. Each action targets its module's API directly, so workflow builders pick the module by action and never deal with module-specific URLs.

| Module            | Workflow action               | What it covers                                                                                           |
| ----------------- | ----------------------------- | -------------------------------------------------------------------------------------------------------- |
| Core Platform     | Tanium Platform API request   | Platform-level operations - sessions, users, questions, sensors, packages, actions, and computer groups. |
| Asset             | Tanium Asset API request      | Asset inventory queries - assets, attributes, and views.                                                 |
| Comply            | Tanium Comply API request     | Compliance benchmarks, custom checks and profiles, exceptions, and vulnerability data.                   |
| Connect           | Tanium Connect API request    | Data export connections, destinations, and connection runs.                                              |
| Deploy            | Tanium Deploy API request     | Software packages, deployment templates, and deployments.                                                |
| Enforce           | Tanium Enforce API request    | Policies, enforcements, antimalware scans, and device classes.                                           |
| Integrity Monitor | Tanium IM API request         | File integrity monitors and endpoint labels.                                                             |
| Patch             | Tanium Patch API request      | Patch lists, scan configurations, maintenance windows, and deployments.                                  |
| Reputation        | Tanium Reputation API request | File hash reputation lookups.                                                                            |
| Threat Response   | Tanium TR API request         | Alerts, intel, live response, snapshots, and quarantine operations.                                      |

Anything these ten modules define in the [Tanium API documentation](https://developer.tanium.com/) can be accessed through Serval.

## Get your credentials

You need two things: your **Tanium Cloud API domain** (in the form `<customer>-api.cloud.tanium.com`) and a **Tanium API token** created in the Tanium Console, scoped through a persona or role that grants the module permissions your workflows will use. Tanium's official guide is the [API tokens page in the Console User Guide](https://help.tanium.com/bundle/ug_platform_user_cloud/page/platform_user/console_api_tokens.html) (also available in the [Tanium Cloud Console bundle](https://help.tanium.com/bundle/ug_console_cloud/page/platform_user/console_api_tokens.html)).

<Steps>
  <Step title="Sign in to the Tanium Console">
    Sign in as a user with permission to manage API tokens.
  </Step>

  <Step title="Set up a least-privilege persona (recommended)">
    Create a role under **Administration > Permissions > Roles** that covers the Tanium modules your workflows will call, and assign it to a persona under **Administration > Permissions > Personas**.
  </Step>

  <Step title="Create the API token">
    Go to **Administration > Permissions > API Tokens** and create a new API token. Add notes, choose the persona, and set an expiration.
    <Note>The expiration defaults to 7 days; the maximum is 365 days. Pick a duration that matches how often you are willing to rotate the token in Serval.</Note>
  </Step>

  <Step title="Set trusted IP addresses">
    Tanium rejects API token use from addresses outside the token's trusted IP list, so the token must permit the IPs Serval calls from. A token that works from your own machine can still fail from Serval if this list is too narrow.
  </Step>

  <Step title="Copy the token value">
    Copy the token immediately - Tanium shows it only once.
  </Step>

  <Step title="Note your API domain">
    Your API domain is the host of your Tanium Cloud instance's API endpoint, in the form `<customer>-api.cloud.tanium.com` - no `https://` and no path.
  </Step>
</Steps>

<Warning>This integration supports Tanium Cloud only. Self-hosted or on-prem Tanium Server addresses fail validation at connect time and are blocked from outbound access.</Warning>

## Connect in Serval

<Steps>
  <Step title="Open the Tanium connect form">
    In Serval, choose to connect Tanium. The integration is labeled **Beta** in the connect UI.
  </Step>

  <Step title="Enter the API Domain">
    The **API Domain** field is required (marked with an asterisk). Enter the bare hostname only, for example `acme-api.cloud.tanium.com`. The field's helper text reads "Your Tanium Cloud API domain (e.g. acme-api.cloud.tanium.com). Do not include https\://." Leaving it empty shows "This field is required". A value that is not a Tanium Cloud API hostname - including any `https://` prefix, path, or trailing slash - is rejected at submit with "Failed to install integration: Invalid API domain: invalid API domain format: expected `<customer>-api.cloud.tanium.com`".
  </Step>

  <Step title="Enter the API Token">
    Paste the token you copied from the Tanium Console into this password field (also marked required). The helper text reads "A Tanium API token (session token) with the permissions required for the workflows you plan to run." There is no format check on this field.
  </Step>

  <Step title="Submit the form">
    Click **Submit**. Serval validates the API Domain and stores your credentials encrypted.
  </Step>
</Steps>

<Note>
  Serval does not test the token when you save - a mistyped, expired, or IP-restricted token is accepted at save time and only surfaces when the health check runs. Run it right after connecting (see below).
</Note>

<Tip>
  After saving, the token is displayed masked - bullet characters plus its last 4 characters. To rotate it later, click **Replace** next to the masked value and paste the complete new token. Saving an update with the token field untouched or blank keeps your existing stored token. The API Domain stays visible in the form when you edit; clearing it fails validation instead of saving.
</Tip>

## Verifying the connection

Serval runs one health check for Tanium:

* **Test Tanium Connection** - verifies the stored API token authenticates against your Tanium Cloud API domain by looking up the current session on the Core Platform API. On success it reports "Successfully authenticated with Tanium Cloud". On failure: "Unable to connect to Tanium. Please verify your API token and API domain (e.g. acme-api.cloud.tanium.com) are correct."

<Tip>A passing "Test Tanium Connection" only proves the token can authenticate at the platform level. Workflows can still receive authorization errors from individual modules (Patch, Threat Response, Comply, and so on) if the token's persona lacks permissions for those modules.</Tip>

## Gotchas and troubleshooting

<AccordionGroup>
  <Accordion title="Tanium Cloud only - on-prem servers are not supported">
    The API Domain must match `<customer>-api.cloud.tanium.com`. Self-hosted or on-prem Tanium Server addresses fail validation at connect time, and Serval's outbound host allow-list only permits customer-specific Tanium Cloud API subdomains, so other hosts are unreachable from workflows as well.
  </Accordion>

  <Accordion title="Enter the bare hostname - no https://, path, or trailing slash">
    The API Domain field takes a hostname only. Including `https://`, a path, or a trailing slash fails validation with "Failed to install integration: Invalid API domain: invalid API domain format: expected `<customer>-api.cloud.tanium.com`". The helper text says "Do not include https\://."
  </Accordion>

  <Accordion title="API tokens expire - the console default is 7 days">
    Tanium API tokens default to a 7-day expiration in the console UI (maximum 365 days), and Serval does not auto-refresh them. When the token expires or is revoked in Tanium, the "Test Tanium Connection" check fails until an admin replaces the token. Set an expiration that matches your rotation cadence.
  </Accordion>

  <Accordion title="Trusted IP addresses can silently block the token">
    Tanium rejects API token use from addresses outside the token's trusted IP list. A token that works when you test it yourself can still fail from Serval. Make sure the token's trusted IP settings allow the addresses Serval calls Tanium from.
  </Accordion>

  <Accordion title="Token permissions gate each module">
    The token inherits its persona and role permissions. A token that passes the connection test can still get authorization errors from module actions (Patch, Threat Response, Comply, and others) it lacks permissions for. Grant the role permissions for every Tanium module your workflows call.
  </Accordion>

  <Accordion title="Rotating the API token">
    Open the connection settings, click **Replace** next to the masked token value, paste the complete new token, and save. The API Domain is pre-filled and only changes if you edit it. Saving with the token field untouched or blank keeps the previously stored token.
  </Accordion>

  <Accordion title="Beta integration">
    The Tanium integration is marked Beta in the Serval connect UI. Behavior and coverage may change as it matures.
  </Accordion>
</AccordionGroup>

***

Need help? Contact **[support@serval.com](mailto:support@serval.com)** for assistance with your Tanium integration.