Connect Tanium to Draftt to enrich your cloud inventory with endpoint visibility — agent presence, operating system details, and patch state. Draftt queries the Tanium GraphQL Gateway using a read-only API token.
Prerequisites
- A Tanium Cloud deployment with the Gateway module enabled (for self-hosted deployments, connectivity to the gateway will need to be planned with our team)
- Your Tanium tenant must expose cloud metadata through Tanium Asset/Cloud content or equivalent sensors, including Cloud Instance ID. Without this data, Draftt can connect to Tanium but may not be able to match endpoints to AWS, Azure, or GCP resources. See Tanium Core Content documentation for details
- Admin access to create roles, personas, and API tokens in Tanium
- Access to the Draftt dashboard (Integrations > Tanium)
Setup
Create a dedicated API role
Draftt needs read access to sensor data through the Gateway API. The quickest path is to clone the built-in role and add the required permissions.
- Open Administration > Roles in your Tanium console
- Find the Gateway User role and click Clone to duplicate it
- In the cloned role, open Platform Content Permissions and switch on:
  - Sensor > Read
  - Plugin > Execute
- Grant access to these Content Sets:
  - Base
  - Core Content
  - Reserved
  - Tanium Data Service
- Save the new role
Create a persona and attach the role
API tokens in Tanium are scoped through personas, which bundle a role, computer-group visibility, and a service account together.
- Go to Administration > Personas and click New Persona
- Pick a descriptive name (e.g. Draftt Read-Only Persona)
- Under Manage Roles, attach the role you created in the previous step
- Under Computer Groups, choose the groups whose endpoints you want Draftt to enrich — or toggle Unrestricted Management Rights for full visibility
- Bind the persona to a service account and save
Generate an API token in Tanium
Steps to create a token: see Tanium API Tokens Documentation.
- Open Administration > API Tokens and click New API Token
- Name the token (for example, Draftt Read-Only Token), set an expiry, and select the persona you just created. If you need to specify allowed IP addresses when creating the token, please contact us to get Draftt’s outbound IP. Read more here.
- Save and copy the token value immediately. Tanium only shows it once.
Connect in Draftt
- In Draftt, go to Integrations > Tanium and click Add Integration
- Enter a descriptive Integration Name
- Enter your API Gateway URL — for Tanium Cloud this is typically:
  https://<tenant>-api.cloud.tanium.com
  You can provide the bare host or the full GraphQL path — Draftt appends the path automatically if omitted.
- Paste the API Token (including the token- prefix)
- Click Create Integration
What Draftt Reads
Draftt’s integration is read-only. It queries the Tanium GraphQL Gateway to retrieve:
- Endpoint identity — hostname, IP addresses, computer ID
- Operating system — platform, version, and generation
- Cloud instance metadata — Cloud Instance ID sensor for AWS, Azure, and GCP workloads
- Agent status — Tanium client presence and last check-in time
Verifying Your Connection
After setup, return to Integrations > Tanium in Draftt. The integration reports one of five connection states:
- processing — Initial state. Draftt is reaching the Gateway and probing the Cloud Instance ID sensor.
- ready — Authentication succeeded and the Cloud Instance ID sensor is returning data. Draftt is enriching your inventory.
- sensor_missing — Authentication succeeded but the Cloud Instance ID sensor either isn’t deployed on your endpoints, isn’t returning data, or is returning empty values.
- auth_failed — The Gateway rejected the API token. The token may be expired, missing required permissions (Sensor: Read + Plugin: Execute), or out of scope for the configured Computer Groups.
- transport_failed — Draftt could not reach the Gateway. Check the API URL, network connectivity, and that the Gateway service is reachable.
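A local pre-flight check for the URL and token entered during setup, plus a mapping of probe results onto the five states listed above. This is an added example, not Draftt's or Tanium's code. The GraphQL path constant, the function names, the `acme` tenant used in testing, and the shape of the probe dictionary are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the commonly documented Tanium Gateway GraphQL path; the page
# does not state it, so confirm it for your tenant.
GRAPHQL_PATH = "/plugin/products/gateway/graphql"


def normalize_gateway_url(value):
    """Accept a bare host or a full URL; return the https GraphQL endpoint."""
    value = value.strip()
    if "://" not in value:
        value = "https://" + value
    parts = urlsplit(value)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("gateway URL must be https and include a hostname")
    if parts.username or parts.password or parts.query or parts.fragment:
        raise ValueError("gateway URL must not carry credentials or a query")
    path = parts.path.rstrip("/")
    if path not in ("", GRAPHQL_PATH):
        raise ValueError(f"unexpected path: {path!r}")
    return f"https://{parts.netloc}{GRAPHQL_PATH}"


def check_token(token):
    """Reject a token pasted without its token- prefix or with no body."""
    token = token.strip()
    if not token.startswith("token-") or token == "token-":
        raise ValueError("API token must include the token- prefix")
    return token


def classify(probe):
    """Map a probe result to one of the page's five connection states.

    probe is a hypothetical dict: pending (bool), error (str or None),
    http_status (int), instance_ids (list of Cloud Instance ID values).
    """
    if probe.get("pending"):
        return "processing"
    if probe.get("error") is not None:
        return "transport_failed"
    status = probe.get("http_status")
    if status in (401, 403):
        return "auth_failed"
    if status != 200:
        return "transport_failed"  # assumption: other statuses mean no usable Gateway
    # Empty or whitespace-only values count as missing, per the page.
    values = [v for v in probe.get("instance_ids", []) if v and v.strip()]
    return "ready" if values else "sensor_missing"
```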
Troubleshooting
Status: auth_failed
Verify the API token includes the token- prefix, has not expired, and that the persona has the Gateway User role with Sensor: Read and Plugin: Execute permissions. If permissions look right, the role’s persona may also be missing required Content Sets or Computer Group visibility — confirm the role includes access to Base, Core Content, Reserved, and Tanium Data Service.
Status: transport_failed
Check the API URL. For Tanium Cloud the format is https://<tenant>-api.cloud.tanium.com. For self-hosted deployments, verify the gateway hostname and that connectivity has been configured so Draftt can reach it.
Status: sensor_missing
Authentication is fine but the Cloud Instance ID sensor isn’t returning data. Ensure the sensor is available on your endpoints and that the Tanium Core Python package is installed. Without these, Draftt cannot match endpoints to cloud resources.
Status stuck on processing
If the status doesn’t transition within a few hours, please contact us.