Integrating Tanium and Axonius

Of the various tools I have managed over the course of my career, Axonius has been one of my favorites. Tanium is a close second. Between the ability to pull in data from hundreds of different data sources natively and the native ability to ingest CSV and JSON files, there is little left that can't be tracked and acted on for your inventory data. The native ability to find and remediate gaps from vendor APIs is great, but it doesn't cover everything.

CSV and JSON integration isn't the focus of today's article. Today I want to talk about how Tanium and Axonius integrate, and help fill in the remaining data.

The Tanium Interact module for Axonius has really useful functionality already built in, notably the ability to "Parse Dynamic Fields". Enabling this option allows any field returned by the saved Tanium question that Axonius uses to be converted into a field that Axonius parses and can act on.

If you combine this with one of Tanium's training offerings, "Tanium Advanced Content", you will have the ability to execute any PowerShell, VBS, or similar script you want on your devices. Combined with the amazing powers of Axonius's dashboarding and historical data, you can find and track just about any attribute on your devices.

At this point all that is needed is the creation of a saved question in Tanium that returns all of the fields you want for your devices, plus the bare minimum Axonius requires, such as device identifiers.

While I can't disclose environmental specifics, I have assembled over a hundred unique sensors, covering everything from printer settings and certificates to spot checking event logs and finding legacy software configurations and COM class registrations.

Within Tanium, as long as the output is properly formatted and error handling is well done, this combination allows for answering just about any inventory question I have ever been able to think of. I can easily track remediation progress over time. If I can't answer a question, it usually means I need a new sensor created and imported. It actually reached a point where some of the code I use for Tanium is so ubiquitous that I have created an internal PowerShell module to reduce the complexity of development.

On more than one occasion, I have been able to develop a custom sensor and remediation action using Tanium's native UI, and make use of Axonius to track the overall effectiveness and application of my remediation efforts. A registry key broken by a specific version upgrade? App crashes due to specific versions of DLLs still in use? All are cases that I have found and remediated, along with dozens more.

One of my favorite use cases is comparing the settings for a specific service on my endpoints against settings in my EDR. With proper defense in depth, it might be OK to have one of these options set, maybe the other, but never both at once. Putting these two tools together lets me check and remediate this quickly and easily.
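As an added example of the "properly formatted output and error handling" the article calls for in a sensor, and of the service-settings check described just above, here is a Tanium-style PowerShell sensor. It is not code from the article or from Tanium; it assumes Tanium runs the script on the endpoint, treats each line written to stdout as one result row, and that the sensor definition's column delimiter is "|". The service name "SensorDemoSvc" is a placeholder for whatever service is actually being audited.

```powershell
# Added example (not from the article): a Tanium-style PowerShell sensor that
# reports the configured start type and current state of a named service.
# Assumptions: each stdout line is one result row, and "|" is the column
# delimiter configured on the sensor. "SensorDemoSvc" is a placeholder.

$ServiceName = 'SensorDemoSvc'   # placeholder: replace with the service under review

try {
    # Query CIM so the configured StartMode (Auto/Manual/Disabled) is visible,
    # not only the current run state that Get-Service would show.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" -ErrorAction Stop

    if ($null -eq $svc) {
        # Emit a fixed, parseable token rather than an empty cell so Axonius
        # can filter on "Not Installed" like any other value.
        Write-Output "$ServiceName|Not Installed|Not Installed"
    }
    else {
        # Three columns: Service Name | Start Mode | State
        Write-Output ("{0}|{1}|{2}" -f $svc.Name, $svc.StartMode, $svc.State)
    }
}
catch {
    # Never let an exception message leak into a column: one fixed token per
    # failure keeps the field parseable and makes failing endpoints easy to find.
    Write-Output "$ServiceName|Error|Error"
}
```

When the sensor's three columns are named in Tanium (for example Service Name, Start Mode, State) and the saved question that includes it is the one Axonius polls with "Parse Dynamic Fields" enabled, each column becomes a separate Axonius field. The EDR-side setting the article compares against would come from the EDR adapter, so the "never both at once" condition can be written as a single Axonius query over the two fields.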

I must admit Tanium does have a module that performs similar functionality (called Trends, if you are unfamiliar), but it doesn't provide a complete picture. Since the EDR data above comes from the EDR vendor's API and isn't present on the endpoint, Tanium does not support this on its own. Even if it could, it would require yet another tool in daily use. Being able to compare arbitrary settings against the whole device inventory for an organization at once has been a game changer.


Nir Yosha

Lover of all things security | 20+ years experience

1 month

Love it! Thanks for sharing.

Richard Wells

SCCM Engineer III @ TEKsystems | Microsoft Endpoint Management, Security, Infrastructure Management

1 year

Tim, great read thank you for sharing!!

Austin Tatman

Tanium | Converged Endpoint Management

1 year

Tim - this is great. Thank you for sharing!!

Monica Como

Territory Manager - Tenable

1 year

Awesome article Tim, thank you for sharing!
