---
title: Tanium API Gateway
---
<!-- licenses: community, platform -->

runZero integrates with ((Tanium)) by importing data from the [Tanium Gateway API](https://developer.tanium.com/apis/tanium_gateway_schema/queries/endpoints). This integration allows you to sync data about your endpoints, applications, and vulnerabilities from Tanium to provide better visibility over your network.

## Getting started with Tanium {#tanium-getting-started}

To set up an integration with Tanium, you'll need to:

1. Generate an API token with the necessary permissions.
1. Configure the Tanium credential in runZero.
1. Choose whether to configure the integration as [a scan probe or connector task](integrations-inbound.md#integration-probe-connector).
1. Activate the integration to pull your data into runZero.

## Step 1: Generate an API key in Tanium Dashboard  {#tanium-step1}

1. Sign in to Tanium and navigate to **Administration > Roles**.
1. Create a role with the necessary permissions:
    1. Search for the **Gateway User** role.
    1. Select it and click the **Clone** button that appears to create a copy of this role.
    1. On the **Clone Role** screen, enable **Platform Content Permissions > Sensor > Read** and add these Content Sets (via the **n+** button beside the green check):
        * Base
        * Comply
        * Comply Reporting
        * Core AD Query Content
        * Core Content
        * Reserved
        * Tanium Data Service
    1. Save the role.
1. Navigate to **Administration > Personas** and click **New Persona** to create a persona using the role you just created:
    1. Name the persona.
    1. Under **Manage Roles**, search for and apply your new role.
    1. Under **Computer Groups**, add the groups you need, or check **Unrestricted Management Rights** to allow access to all Computer Groups.
    1. Assign a user or service account which has the permissions granted to the persona.
    1. Save the persona.
1. Navigate to **Administration > API Tokens** and click **New API Token**.
    1. Enter a name and select a TTL.
    1. Select the persona you just created from the dropdown (you may need to refresh the page for it to appear).
    1. Enter IP addresses to allow requests from:
        * If you will run the integration via an Explorer or CLI, enter the IP addresses or ranges of your host(s);
        * Otherwise, enter `0.0.0.0/0`.
    1. Save the API token.

## Step 2: Add the Tanium API token to runZero {#tanium-step2}

1. Go to the [Credentials page](https://console.runzero.com/credentials/new) in runZero. 
1. Choose **Tanium API Token** from the list of credential types.
1. Provide a name for the credential, like `Tanium`.
1. Provide the following information:
    * **Tanium API URL** - Your Tanium API Gateway URL. The full URL will be something like `https://<customername>-api.cloud.tanium.com/plugin/products/gateway/graphql`. If the path (`/plugin/products/gateway/graphql`) is omitted, it will be added automatically when the API is called.
    * **Tanium API token** - The API token (including the `token-` prefix) created in step 1.
    * **Insecure** - Enable this option to approve authenticating with untrusted endpoints. When enabled, certificate validation is disabled. Use with caution.
1. If you want other organizations to be able to use this credential, select the _Make this a global credential_ option. Otherwise, you can configure access on a per-organization basis.
1. Verify and save the credential.

You're now ready to set up and activate the connection to bring in data from Tanium. 

## Step 3: Choose how to configure the Tanium integration {#tanium-step3}
The Tanium integration can be configured as either a [scan probe or a connector task](integrations-inbound.md#integration-probe-connector). Scan probes gather data from integrations during scan tasks. Connector tasks run independently from either the cloud or one of your Explorers, only performing the integration sync.

## Step 4: Set up and activate the integration to sync data {#tanium-step4}
After you add your Tanium credential, you'll need to sync your data from Tanium.

### Step 4a: Configure the Tanium integration as a connector task {#tanium-step4a}
A connection requires you to specify a schedule and choose a site. The schedule determines when the sync occurs, and the site determines where any new Tanium-only assets are created.

1. Activate a connection to [Tanium](https://console.runzero.com/ingest/tanium). You can access all available third-party connections from the [integrations page](https://console.runzero.com/integrations), your [inventory](https://console.runzero.com/inventory), or the [tasks page](https://console.runzero.com/tasks). 
1. Choose the credentials you added earlier. If you don't see the credentials listed, make sure the credentials have access to the organization you are currently in. 
1. Optionally provide a list of computer groups to include in the import. The list must be comma-separated. We will only import data for the computer groups specified.
1. Enter a name for the task, like `Tanium Sync` (optional). 
1. Choose the Explorer to perform this connector task from (optional).
1. Choose the site you want to add your assets to. All newly discovered assets will be stored in this site. 
1. Enter a description for the task (optional).
1. If you want to exclude assets that have not been scanned by runZero from your integration import, switch the **Exclude unknown assets** toggle to _Yes_. By default, the integration will include assets that have not been scanned by runZero.
1. Schedule the sync. A sync can be set to run on a recurring schedule or run once. The schedule will start on the date and time you have set. 
1. Activate the connection when you are done. The sync will run on the defined schedule. You can always check the [Scheduled tasks](https://console.runzero.com/tasks) to see when the next sync will occur. 

### Step 4b: Configure the Tanium integration as a scan probe {#tanium-step4b}
You can run the Tanium integration as a scan probe so that the runZero Explorer will pull your Tanium assets into the runZero Console. 

In a new or existing scan configuration:
* Ensure that the _TANIUM_ option is set to _Yes_ in the _Probes and SNMP_ tab and change any of the default options if needed.
* Set the correct _TANIUM_ credential to _Yes_ in the _Credentials_ tab.

## Step 5: View Tanium assets {#tanium-step5}

After a successful sync, you can [go to your inventory](https://console.runzero.com/inventory) to view your Tanium assets. These assets will have a Tanium icon listed in the **Source** column.

To filter by Tanium assets, consider running the following queries:

* [View all Tanium assets](https://console.runzero.com/inventory?search=source%3Atanium): 
     ```
     source:Tanium
    ```

Click into each asset to see its individual attributes. runZero will show you the attributes gathered from Tanium.