Connect Tanium to Draftt to enrich your cloud inventory with endpoint visibility — agent presence, operating system details, and patch state. Draftt queries the Tanium GraphQL Gateway using a read-only API token.
Prerequisites
- A Tanium Cloud or on-premises deployment with the Gateway module enabled
- The Cloud Instance ID sensor available on your Tanium endpoints — returns the unique ID associated with the instance in AWS, Azure, or GCP. Requires the Tanium Core Python package and maintains a cache of cloud infrastructure state on the endpoint. See Tanium Core Content documentation for details
- Admin access to create roles, personas, and API tokens in Tanium
- Access to the Draftt dashboard (Integrations > Tanium)
Setup
Create a dedicated API role
Draftt needs read access to sensor data through the Gateway API. The quickest path is to clone the built-in role and add the required permissions.
- Open Administration > Roles in your Tanium console
- Find the Gateway User role and click Clone to duplicate it
- In the cloned role, open Platform Content Permissions and switch on:
  - Sensor > Read
  - Plugin > Execute
- Grant access to these Content Sets:
  - Base
  - Core Content
  - Reserved
  - Tanium Data Service
- Save the new role
Create a persona and attach the role
API tokens in Tanium are scoped through personas, which bundle a role, computer-group visibility, and a service account together.
- Go to Administration > Personas and click New Persona
- Pick a descriptive name (e.g. Draftt Read-Only Persona)
- Under Manage Roles, attach the role you created in the previous step
- Under Computer Groups, choose the groups whose endpoints you want Draftt to enrich — or toggle Unrestricted Management Rights for full visibility
- Bind the persona to a service account and save
Generate an API token
- Open Administration > API Tokens and click New API Token
- Name the token (for example, Draftt Read-Only Token), set an expiry, and select the persona you just created
- Save and copy the token value right away — Tanium only shows it once
Connect in Draftt
- In Draftt, go to Integrations > Tanium and click Add Integration
- Enter a descriptive Integration Name
- Enter your API Gateway URL — for Tanium Cloud this is typically https://<tenant>-api.cloud.tanium.com. Self-hosted customers should use their own gateway hostname. You can provide the bare host or the full GraphQL path — Draftt appends the path automatically if omitted.
- Paste the API Token (including the token- prefix)
- Click Create Integration
What Draftt Reads
Draftt’s integration is read-only. It queries the Tanium GraphQL Gateway to retrieve:
- Endpoint identity — hostname, IP addresses, computer ID
- Operating system — platform, version, and generation
- Cloud instance metadata — Cloud Instance ID sensor for AWS, Azure, and GCP workloads
- Agent status — Tanium client presence and last check-in time
Verifying Your Connection
After setup, return to Integrations > Tanium in Draftt. The integration shows a status:
- Healthy — All required access is in place. Draftt is collecting data as expected.
- Partial-Visibility — Some details aren’t being collected yet and may need attention (for example, the Cloud Instance ID sensor isn’t returning data on a subset of endpoints).
- Unhealthy — Something is wrong with the connection. See Troubleshooting below.
- Unknown — Status could not be determined due to missing data.
Troubleshooting
Authentication failed (401):
Verify the API token includes the token- prefix, has not expired, and that the persona has the Gateway User role with Sensor: Read and Plugin: Execute permissions.
Gateway not found (404):
Check the API URL. For Tanium Cloud the format is https://<tenant>-api.cloud.tanium.com. Self-hosted deployments should point to the on-premises gateway hostname.
Access forbidden (403):
The token’s persona may be missing required Content Sets or Computer Group visibility. Verify the role includes access to Base, Core Content, Reserved, and Tanium Data Service.
Missing cloud metadata in inventory:
Ensure the Cloud Instance ID sensor is available and the Tanium Core Python package is installed on your endpoints. Without these, the sensor will not return data and Draftt cannot match endpoints to cloud resources.
For more details on Tanium’s GraphQL Gateway, see the Tanium Gateway documentation.
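A preflight check you can run before pasting the values into Draftt, added here as an example and not part of Draftt's or Tanium's own tooling: it normalizes the gateway URL the way the setup step describes, enforces the token- prefix, and maps the HTTP status to the troubleshooting entries above. The GraphQL path and the `session` header are assumptions based on Tanium's Gateway conventions, which this page does not spell out; all function names are hypothetical.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Assumption: Tanium's Gateway GraphQL path; this page only says "the path".
GRAPHQL_PATH = "/plugin/products/gateway/graphql"
# Guidance per status code, taken from the Troubleshooting section above.
HINTS = {
    401: "Token lacks the token- prefix, expired, or persona lacks Sensor: Read / Plugin: Execute.",
    403: "Persona is missing required Content Sets or Computer Group visibility.",
    404: "Wrong gateway URL; Tanium Cloud uses https://<tenant>-api.cloud.tanium.com.",
}

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # never forward the token to a redirect target

def normalize_gateway_url(value):
    """Accept a bare host or a full URL; return an https URL with a GraphQL path."""
    value = value.strip()
    if "://" not in value:
        value = "https://" + value
    parts = urlsplit(value)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("gateway URL must be https so the token is not sent in cleartext")
    return f"https://{parts.netloc}{parts.path.rstrip('/') or GRAPHQL_PATH}"

def check_token(token):
    if not token.startswith("token-") or token == "token-":
        raise ValueError("API token must include the token- prefix")
    return token

def explain_status(status):
    if status == 200:
        return "OK: gateway reachable and token accepted."
    return HINTS.get(status, f"Unexpected HTTP {status}; check the gateway and token.")

def preflight(gateway, token, timeout=10):
    """POST a minimal introspection query and translate the HTTP status."""
    body = json.dumps({"query": "{ __typename }"}).encode()
    # Assumption: the Gateway accepts the API token in the 'session' header.
    req = urllib.request.Request(normalize_gateway_url(gateway), data=body, headers={
        "Content-Type": "application/json", "session": check_token(token)})
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=timeout) as resp:
            return explain_status(resp.status)
    except urllib.error.HTTPError as err:
        return explain_status(err.code)
```

Call `preflight("<tenant>-api.cloud.tanium.com", token)` with the token read from a secrets store or environment variable rather than typed on the command line, so it does not land in shell history.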