What Changed

Tanium solution v3.3.0 adds a new Codeless Connector Framework (CCF) push connector and updated workbook table formatting. The connector enables direct data flow from Tanium servers to Microsoft Sentinel via Data Collection Rules (DCRs).

Data Source

The connector ingests data from Tanium’s endpoint management platform across multiple modules:

  • Comply: Compliance findings and vulnerability data
  • Threat Response: Security alert data from endpoint detection
  • Discover: Unmanaged asset discovery data
  • Patch: Patch compliance and coverage status
  • Microsoft Tooling Health: SCCM client health and Defender status monitoring

Ingestion Mechanism

The connector is CCF-based and uses the DCR/DCE (Data Collection Rule / Data Collection Endpoint) architecture with 10 distinct custom data streams, including:

  • TaniumComplyCompliance_CL - compliance assessment findings
  • TaniumComplyVulnerabilities_CL - vulnerability scan results
  • TaniumThreatResponseAlerts_CL - threat detection alerts
  • TaniumDiscoverUnmanagedAssets_CL - asset discovery data
  • TaniumPatchCoverageStatus_CL / TaniumPatchListCompliance_CL - patch management data
  • TaniumDefenderHealth_CL / TaniumSccmHealth_CL - Microsoft tooling health metrics

Detection Surface Unlocked

This connector provides comprehensive endpoint visibility for:

  • Asset discovery gaps - unmanaged devices on the network
  • Compliance violations - policy and configuration drift detection
  • Patch management blind spots - missing critical updates across the estate
  • Microsoft security tooling health - Defender and SCCM deployment status
  • Threat response correlation - endpoint alerts enriched with asset context

The workbook includes 20+ visualizations across 5 tabs, enabling SOC teams to correlate Tanium’s real-time endpoint data with Sentinel incident workflows.

Affected Files

.gitignore
Solutions/Tanium/Data Connectors/ConnectorDefinition.json
Solutions/Tanium/Data Connectors/DCR.json
Solutions/Tanium/Data Connectors/DataConnector.json
Solutions/Tanium/Data Connectors/README.md
Solutions/Tanium/Data Connectors/Table_ComplianceFindings.json
Solutions/Tanium/Data Connectors/Table_ComplianceVulnerabilities.json
Solutions/Tanium/Data Connectors/Table_DefenderHealth.json
Solutions/Tanium/Data Connectors/Table_DiscoverUnmanagedAssets.json
Solutions/Tanium/Data Connectors/Table_HighUptime.json
Solutions/Tanium/Data Connectors/Table_PatchCoverageStatus.json
Solutions/Tanium/Data Connectors/Table_PatchListApplicability.json
Solutions/Tanium/Data Connectors/Table_PatchListCompliance.json
Solutions/Tanium/Data Connectors/Table_SccmHealth.json
Solutions/Tanium/Data Connectors/Table_ThreatResponseAlerts.json
Solutions/Tanium/Data Connectors/connect-module-connections.json
Solutions/Tanium/Package/testParameters.json
Solutions/Tanium/Workbooks/README.md
Solutions/Tanium/Workbooks/TaniumWorkbook.json
Solutions/Tanium/Workbooks/connect-module-connections.json
Solutions/Tanium/build_solution.sh
Solutions/Tanium/ci/Taskfile.yml
Solutions/Tanium/ci/build-silently.ps1
Solutions/Tanium/ci/build.sh
Solutions/Tanium/ci/get-new-version.ps1
Solutions/Tanium/ci/get-published-version.ps1
Solutions/Tanium/ci/run-arm-ttk-accurately.ps1
Solutions/Tanium/ci/run-json-validation.ps1
Solutions/Tanium/ci/set-connector-versions.ps1
Solutions/Tanium/ci/validation-functions.ps1
Solutions/Tanium/get-offer-id.ps1
Workbooks/WorkbooksMetadata.json
cspell-dictionaries/azure-arm-template-words.txt
cspell-dictionaries/dataconnector-words.txt
cspell-dictionaries/kql-functions.txt
cspell-dictionaries/powershell-words.txt
cspell-dictionaries/variables.txt
cspell.config.json
package-lock.json
package.json
(packaging artefacts: 3.3.0.zip, SolutionMetadata.json, Solution_Tanium.json, createUiDefinition.json, mainTemplate.json)