---
title: Tanium
description: Gain insights into Tanium threat response alerts and audit activities
---

# Tanium

Integration version: 1.0.0

## Overview{% #overview %}

[Tanium](https://www.tanium.com/) is an enterprise platform designed for endpoint management. It provides security and IT operations teams with rapid visibility and control to secure and manage all network endpoints.

This integration ingests the following logs:

- **Threat Response Alerts**: This endpoint provides information about the core incident response lifecycle, with integrated capabilities for alerting, analysis, containment, and remediation.
- **Threat Response Audit**: This endpoint provides a centralized view of audit events generated by Tanium Threat Response.
- **Platform Audit**: This endpoint provides information about authentication, API token usage, local settings, persona changes, user settings, and system settings.

This integration collects logs from the sources listed above and transmits them to Datadog for analysis in [Log Explorer](https://docs.datadoghq.com/logs/explorer.md) and [Cloud SIEM](https://www.datadoghq.com/product/cloud-siem/).

## Setup{% #setup %}

### Prerequisites{% #prerequisites %}

- The `Threat Response` module must be included in your Tanium license to collect `Threat Response Alerts` and `Threat Response Audit` logs.

### Retrieve Datadog CIDR range{% #retrieve-datadog-cidr-range %}

1. Use an API platform (such as Postman) or `curl` to make a `GET` request to the [Datadog API endpoint](https://docs.datadoghq.com/api/latest/ip-ranges.md).
1. In the JSON response, locate the `webhooks` section. For example:
   ```json
   "webhooks": {
      "prefixes_ipv4": [
         "0.0.0.0/32",
         ...
      ],
      "prefixes_ipv6": []
   }
   ```
1. From the `prefixes_ipv4` list, copy each CIDR entry.
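
The steps above can be scripted so the allow list is validated before it is pasted into the token's **Trusted IP addresses** field. The following is an added example, not part of the integration or of Tanium's tooling: it parses a saved copy of the response, rejects malformed or overly broad prefixes, and reports drift against the value currently set on the token. The function names, the `MIN_PREFIX_LEN` threshold, and the sample prefixes (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
import json

# Constructed sample shaped like the `webhooks` section shown above;
# the prefixes are documentation ranges, not real Datadog addresses.
SAMPLE_RESPONSE = """
{
  "webhooks": {
    "prefixes_ipv4": ["192.0.2.10/32", "198.51.100.0/27", "192.0.2.10/32"],
    "prefixes_ipv6": []
  }
}
"""
MIN_PREFIX_LEN = 16  # assumption: anything broader is treated as a mistake


def webhook_prefixes(response_text, min_prefix_len=MIN_PREFIX_LEN):
    """Return the validated, de-duplicated IPv4 webhook CIDRs, sorted."""
    section = json.loads(response_text).get("webhooks")
    if not section or not section.get("prefixes_ipv4"):
        raise ValueError("response has no webhooks.prefixes_ipv4 entries")
    networks = set()
    for entry in section["prefixes_ipv4"]:
        # strict=True rejects entries with host bits set, e.g. 192.0.2.1/24
        net = ipaddress.IPv4Network(entry, strict=True)
        if net.prefixlen < min_prefix_len:
            raise ValueError(f"{entry} is too broad for a token allow list")
        networks.add(net)
    return sorted(networks)


def trusted_ip_field(networks):
    """Comma-separated value for the token's Trusted IP addresses field."""
    return ",".join(str(n) for n in networks)


def allow_list_drift(configured_field, networks):
    """Compare the value currently set on the token with the fresh list."""
    current = {ipaddress.IPv4Network(p.strip())
               for p in configured_field.replace("\n", ",").split(",") if p.strip()}
    fresh = set(networks)
    return {"add": sorted(map(str, fresh - current)),
            "remove": sorted(map(str, current - fresh))}


if __name__ == "__main__":
    nets = webhook_prefixes(SAMPLE_RESPONSE)
    print(trusted_ip_field(nets))
    print(allow_list_drift("192.0.2.10/32, 203.0.113.5/32", nets))
```

Running the drift check again whenever the token is rotated shows whether the published ranges have changed since the allow list was last set.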

### Generate API Credentials in Tanium{% #generate-api-credentials-in-tanium %}

1. Sign in to the Tanium Console as a user with the following permissions:

   - `Special`: Token Use
   - `Execute`: Threat Response API
   - `Read`: Audit, Threat Response Alerts, Threat Response Audit, and Threat Response Visibility Bypass
   - `Unrestricted Management Rights`: Computer Groups

1. From the main menu, navigate to **Administration** > **Permissions** > **API Tokens**.

1. Click **New API Token** and configure the token settings:

   - **Expiration**: Set the expiration interval to `365` days. Rotate the token before it expires; see the "Rotate API token in Tanium" section for instructions.
   - **Trusted IP addresses**: Enter each CIDR entry retrieved in the "Retrieve Datadog CIDR range" section, separated by commas or new lines.

1. Click **Create**.

1. Click **Yes** and copy the **token** for later use.

1. This integration supports both **cloud-based** and **self-hosted** Tanium instances:

   - **Cloud-based**: Use the host format `<customer>.cloud.tanium.com`. Replace `<customer>` with your organization's subdomain.
   - **Self-hosted**: Use the domain of your self-hosted Tanium instance. The instance must be publicly accessible over HTTPS. Examples: `tk-example.titankube.com`, `123.123.123.123:8443`.

**Note:** Ensure that you do not include `-api` in the `Host` value when configuring the integration, as it is automatically handled internally.

### Rotate API token in Tanium{% #rotate-api-token-in-tanium %}

1. Sign in to the Tanium Console as a user with the following permission:
   - `Special`: Token Rotate
1. From the main menu, navigate to **Administration** > **Permissions** > **API Tokens**.
1. Select the token and click **Rotate Token**.
1. Enter the old token value and click **Rotate**.
1. Click **Yes** and copy the new token for later use.

### Connect your Tanium Account to Datadog{% #connect-your-tanium-account-to-datadog %}

1. Add your Host and API Token.

   | Parameters | Description                            |
   | ---------- | -------------------------------------- |
   | Host       | The Host of your Tanium platform.      |
   | API Token  | The API Token of your Tanium platform. |

1. Click the Save button to save your settings.

## Data Collected{% #data-collected %}

### Logs{% #logs %}

The Tanium integration collects and forwards threat-response alerts, threat-response audit logs, and platform audit logs to Datadog.

### Metrics{% #metrics %}

The Tanium integration does not include any metrics.

### Events{% #events %}

The Tanium integration does not include any events.

## Support{% #support %}

For any further assistance, contact [Datadog support](https://docs.datadoghq.com/help/).
