Tanium

Important

Some information in this article relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Tanium provides a converged endpoint management (XEM) reference platform to manage complex security and technology environments. Tanium protects endpoints from cyber threats by integrating workflows across IT, Risk, Compliance, and Security into a single platform. Tanium delivers comprehensive visibility across devices, a unified set of controls, real-time remediation, and a common taxonomy to protect critical information and infrastructure at scale.

Note

This article contains information about third-party plugins. This is provided to help complete integration scenarios. However, Microsoft does not provide troubleshooting support for third-party plugins. Contact the third-party vendor for support.

Know before you begin

Integration with Microsoft Copilot for Security requires a Tanium instance URL and API token. You'll need to take the following steps before using the plugin.

  1. Sign into your Tanium Console to retrieve information you need to configure the Tanium plugin.

  2. Select Modules > Connect > Overview. The Connect Overview page appears.

  3. Select Settings, and then select Microsoft Copilot for Security. Then follow these steps:

    1. Select Tanium Instance URL Copy to copy the Tanium instance URL to the clipboard. Paste it in a text editor, such as Notepad.

    2. Select Generate to generate an API token, and copy the token value to the clipboard. Paste it in your text editor.

  4. Sign in to Microsoft Copilot for Security.

  5. Access Manage Plugins by selecting the Plugin button from the prompt bar.

  6. In the Other section, next to Tanium, select Set up.

  7. In the Value field, paste your Tanium instance URL and your API token. Then save your changes.

Sample Tanium prompts

After the Tanium plugin is configured, you can use it to retrieve information about endpoints (devices) in your organization. The following table lists some capabilities and example prompts you can try:

Capability Example prompts
Get Logged In User
Retrieves the user that is currently logged into an endpoint

Requires Tanium Core Platform
Using Tanium, return the user currently logged into the endpoint with the hostname hostname so that I can investigate possible unauthorized endpoint use. Return a Tanium Console Question Results URL so that I can view more real-time information for this endpoint.
Get Real-time Data from Endpoints
Retrieves real-time data from endpoints based on a Tanium sensor. For more information on supported sensors

Requires Tanium Core Platform, sensor-dependent
Using Tanium, return the computer name and IP address of endpoints. Display the results in a table, alphabetically sorted by computer name, and return a Tanium Console Question Results URL so that I can view the real-time list of endpoints.
Count Endpoints Having Package Version
Retrieves the total count of endpoints that have the given software package

Requires Asset, SBOM
Using Tanium, return the total number of endpoints with a software package for software-name, so that I can start cataloging which computers have the software installed. Display the results in a table, alphabetically sorted by host name, and return a Tanium Console Question Results URL so that I can view the real-time list of endpoints.
List Endpoints Having Package
Retrieves up to 10 endpoints that have the given software package

Requires Asset, SBOM
Using Tanium, return the endpoints with a software package for software-name so that I can start cataloguing which computers might have an out-of-date version. Display the results in a table, alphabetically sorted by host name, and return a Tanium Console Question Results URL so that I can view the real-time list of endpoints.
List Process SHA-256 Hashes and Versions
Retrieves the SHA-256 file hash and version for a given process

Requires Asset, SBOM, Threat Response
Using Tanium, return the SHA-256 hash value and process version for the running process process-name, so that I can find other instances of this process based on the hash value.
Get Vulnerability Test Results
Returns whether an endpoint is vulnerable to a given CVE, and the reason why it is vulnerable

Requires Tanium Comply
Using Tanium, examine whether endpoint <hostname> is vulnerable to <cve-id>, and return the reasons that this endpoint is vulnerable, along with a suggested plan of action to remediate the intrusion.
List Endpoints Vulnerable To CVE
Retrieves up to 10 endpoints vulnerable to a given CVE ID

Requires Tanium Comply
Using Tanium, return the endpoints vulnerable to cve-id, so that I can remediate the vulnerability on these endpoints. Display the results in a table, sorted alphabetically by host name, and return a Tanium Console Question Results URL so that I can view the real-time list of endpoints.
View Endpoint Processes
Retrieves a URL to the Threat Response Live Connection page for the requested endpoint, which contains a list of running processes

Requires Direct Connect, Threat Response
Using Tanium, return a Threat Response Live Connection URL for the endpoint with the hostname hostname, so that I can review the running processes and identify potential vulnerabilities.
List Service Module Details
Retrieves running service module information for an endpoint, including name, caption, and image path

Requires Incident Response
Using Tanium, return information for the service modules running on the endpoint with the hostname hostname, so that I can review the list for unexpected service modules. Display the results in a table, alphabetically sorted by service module name, and return a Tanium Console Question Results URL so that I can view the real-time list of service modules.
List Service Process Details
Retrieves running service process information for an endpoint, including name, process ID, and file path

Requires Incident Response
Using Tanium, return information for the service processes running on the endpoint with the hostname hostname, so that I can review the list for unexpected service processes. Display the results in a table, alphabetically sorted by service process name, and return a Tanium Console Question Results URL so that I can view the real-time list of service processes.
List WMI Event Consumers
Retrieves Windows Management Instrumentation (WMI) event consumers running on an endpoint

Requires Incident Response
Using Tanium, return the WMI event consumers running on the endpoint with the hostname hostname so that I can ensure only expected event consumers are running, and return a Tanium Console Question Results URL so that I can view the real-time list of event consumers.
List File Details
Retrieves details for a file by name, including the endpoints on which it is installed, the file path, and file size

Requires Index
Using Tanium, return information for the file named file-name so that I can determine if it is running on unintended endpoints. Display the results in a table, alphabetically sorted, and return a Tanium Console Question Results URL so that I can view the real-time list.

or

Using Tanium, return information for the file named file-name installed on the endpoint with the hostname hostname, so that I can determine if it is running on unintended endpoints. Display the results in a table, alphabetically sorted, and return a Tanium Console Question Results URL so that I can view real-time information.
List Child Processes for Process File
Returns all child processes running on an endpoint based on a given process file name

Requires Threat Response
Using Tanium, list the child processes of process-name so that I can analyze resource usage. Display the results in a table, alphabetically sorted by process name, and return a Tanium Console Question Results URL so that I can view the real-time list of endpoints.

or

Using Tanium, list the child processes of process-name that are running on the computer with the hostname hostname, so that I can analyze resource usage. Display the results in a table, alphabetically sorted by process name, and return a Tanium Console Question Results URL so that I can view the real-time list of endpoints.
List Endpoints with Process Command
Retrieves up to 10 endpoints running the given command line command

Requires Threat Response
Using Tanium, return the endpoints running the command line command process-command, so that I can ensure this process is not running on unexpected endpoints. Display the results in a table, sorted alphabetically by host name, and return a Tanium Console Question Results URL so that I can view the real-time list of endpoints.
List Endpoints with Process Name
Retrieves up to 10 endpoints running the given process

Requires Threat Response
Using Tanium, return the endpoints running a process called process-name, so that I can ensure this process is not running on unexpected endpoints. Display the results in a table, sorted alphabetically by host name, and return a Tanium Console Question Results URL so that I can view the real-time list of endpoints.
List Endpoints with Process MD5 Hash
Retrieves up to 10 endpoints running the given process matching the provided MD5 hash value

Requires Threat Response
Using Tanium, return all endpoints that are running a process with the MD5 hash value md5-hash-value, so that I can ensure this process is not running under a different file name. Display the results in a table, sorted alphabetically by host name, and return a Tanium Console Question Results URL so that I can view the real-time list of endpoints.
List File Operations
Retrieves historical file operation information from endpoints, including endpoint name, file path, and the file operation type, such as create or delete

Requires Threat Response
Using Tanium, return file operation information for the endpoint named hostname running on the file path "_partial-file-path" over the past time-frame so that I can determine if any malicious file behavior is occuring on the endpoint. Display the results in a table, alphabetically sorted, and return a Tanium Console Question Results URL so that I can view the real-time list.

or

Using Tanium, return file operation information for files running on the file path "_partial-file-path" over the past time-frame so that I can determine if there is any malicious file creation or deletion. Display the results in a table, alphabetically sorted, and return a Tanium Console Question Results URL so that I can view the real-time list.
List Processes Connected To IPv4 Address
Retrieves the processes running on an endpoint with the given IPv4 address

Requires Threat Response
Using Tanium, return the processes running on the endpoint with the IPv4 address ipv4-address, so that I can analyze any potential security intrusions and resource usage. Display the results in a table, sorted alphabetically by process name, and return a Tanium Console Question Results URL so that I can view the real-time list of endpoints.
List Process Ran As User
Retrieve the processes running on an endpoint as a given user

Requires Threat Response
Using Tanium, return the processes running as the user user-name, so that I can determine whether there are issues with unauthorized access. Display the results in a table, sorted alphabetically by computer name, and return a Tanium Console Question Results URL so that I can view the real-time list of endpoints.

or

Using Tanium, return the processes running as the user user-name on the endpoint with the hostname hostname, so that I can determine whether there are issues with unauthorized access. Display the results in a table, sorted alphabetically by process name, and return a Tanium Console Question Results URL so that I can view the real-time list of endpoints.

Troubleshoot the Tanium plugin

Errors occur

If you encounter errors, such as Couldn't complete your request, or An unknown error occurred, make sure the plugin is turned on. If the issue persists, sign out of Copilot for Security, and then sign back in.

Prompts aren't invoking the correct capabilities

If prompts are not invoking the correct capabilities, or prompts are invoking some other capability set, you might have custom plugins or other plugins that have similar functionality as the capability set you want to use. To prioritize and target Tanium, try disabling other custom plugins.

Provide feedback

To provide feedback, contact Tanium.

See also

Other plugins for Microsoft Copilot for Security

Manage plugins in Microsoft Copilot for Security