Module 2 — Lesson 7 of 8

ServiceNow Integration

Connect Tanium Investigate with ServiceNow to create incidents automatically, enrich CMDB records, and enable help desk agents to investigate and remediate endpoints without ever leaving the ServiceNow console.

📚 Overview

🔧 Deep Dive

🛠 Hands-On

✅ Check

Why Integrate Tanium with ServiceNow?

ServiceNow is the central nervous system for IT operations at most organizations. It is where tickets are created, tracked, escalated, and resolved. Tanium is where you gain real-time visibility into endpoint health and take action. When these two systems operate in isolation, your team wastes time switching between them, copying data manually, and losing context at every handoff.

The Tanium-ServiceNow integration bridges this gap by enabling bidirectional data flow between the platforms. Investigation findings flow into tickets automatically, remediation actions can be triggered from the ticket, and the CMDB stays current with real-time endpoint telemetry.

Integration Architecture

Key Integration Capabilities

📄

Ticket Context

Pull SN ticket details, SLA status, and history directly into Tanium investigations

🔃

Bidirectional Sync

Investigation findings automatically written back to ServiceNow work notes

🛠

Remote Actions

Help desk agents trigger Tanium remediation from within ServiceNow

🗃

CMDB Enrichment

Real-time endpoint data keeps CMDB records accurate and current automatically

Integration Impact at Scale

🕑

Reduction in remote desktop sessions

⏱

Faster average resolution time

📈

CMDB accuracy with automated sync

🚫

Manual CMDB updates needed for Tanium-managed attributes

Ticket Context Capture

When you begin an investigation in Tanium Investigate, you can link it to a ServiceNow ticket. Once linked, the integration pulls relevant ticket details into the Tanium investigation workspace:

Tanium Investigate — Linked ServiceNow Ticket

INC0091847

Ticket Number

P2 - High

Priority

2h 14m

SLA Remaining

CAEI782014

Affected CI

Field	Value
Description	"Laptop extremely slow, Outlook keeps freezing, can't open Excel at all"
Caller	Maria Garcia, Claims Department
Assignment Group	Desktop Support - Tier 2
Previous Tickets (Same CI)	3 tickets in past 30 days (INC0089241, INC0090102, INC0091003)
Last Resolution	"Rebooted machine, issue resolved" - 2 weeks ago

PATTERN DETECTED

3 similar tickets in 30 days for same CI. Recurring issue — previous "reboot" resolutions were temporary fixes. Root cause investigation recommended.

Key Benefit

Having ticket context inside the investigation workspace eliminates the need to flip back and forth between ServiceNow and Tanium. You see the full picture — user complaint, ticket history, and live endpoint data — in one place.

Saving Findings Back to ServiceNow

As you investigate in Tanium, your findings can be pushed back to the ServiceNow ticket automatically or with a single click:

Work Notes

Investigation observations (e.g., "CPU at 98% due to SearchIndexer.exe, post-patch rebuild in progress") written to the ticket's work notes with timestamps.

Resolution Details

Remediation actions and results (e.g., "Deployed disk cleanup — freed 12 GB, disk usage 95% to 62%") logged to the ticket automatically.

Attachments

Screenshots, exported data, or downloaded files from the investigation attached to the ServiceNow ticket as evidence.

Complete Record

The ticket becomes the authoritative record: complaint, findings, action, result. No manual copy-pasting needed.

Help Desk Agent Workflow: Tanium Inside ServiceNow

Help desk agents see Tanium endpoint data embedded directly in the ServiceNow ticket or CI record — no Tanium console login needed.

ServiceNow — Incident INC0091847 — Tanium Endpoint Panel

Endpoint Health

Hardware

Software

Recent Changes

Actions

Health Score

97%

Disk Usage

72%

Memory

35%

CPU

Attribute	Value
Computer Name	CAEI782014
Model	Dell Latitude 5540
OS	Windows 11 23H2 (Build 22631.4890)
RAM	16 GB
Disk	232 GB / 240 GB (97% used)
Active Alerts	Low Disk Space (Critical), High Memory (Warning)
Last Seen	Online - 12 seconds ago

AVAILABLE ACTIONS

🔄 Reboot 🗃 Disk Cleanup 🔃 Restart Service 📦 Install Software

Pro Tip

This immediate visibility often allows agents to triage or resolve without escalating. If a user calls about a slow computer and the agent can see health score 28 with disk at 97%, they already know the likely cause before asking a single diagnostic question.

Remote Actions from ServiceNow

Beyond visibility, the integration enables help desk agents to trigger Tanium remediation actions directly from ServiceNow. Depending on RBAC configuration:

Support Tier	Visibility	Available Actions
Tier 1	Endpoint health, hardware, software, alerts	Read-only — view data, escalate with context
Tier 2	All Tier 1 + recent changes, process list	Reboot, disk cleanup, service restart, BitLocker check
Tier 3	Full endpoint data + Direct Connect	All Tier 2 + package deployment, config changes, quarantine

Key Concept

The goal of the ServiceNow integration is to eliminate remote sessions. Traditional support requires the technician to remote into the user's machine, disrupting their work for 15-30 minutes. With Tanium + ServiceNow, most common issues (disk cleanup, service restarts, reboots, software installs) can be resolved silently in the background while the user continues working.

CMDB Enrichment

The ServiceNow CMDB is only as useful as the data it contains. In many organizations, CMDB records are manually maintained and quickly become stale. Tanium solves this by automatically syncing real-time endpoint data to the CMDB.

What Gets Synced

💻

Hardware

Manufacturer, model, serial, CPU, RAM, disk type/capacity, BIOS

📦

Software

Installed applications with exact versions, updated continuously

🌐

Network

IP addresses, MAC addresses, VPN status, adapter details

🔒

Security

Encryption status, AV version, firewall state, health score

Deep Dive: CSDM and CMDB Data Sync ▼

ServiceNow's Common Service Data Model (CSDM) defines a standardized structure for how CI data should be organized. The Tanium integration maps endpoint data to CSDM-compliant CI classes:

cmdb_ci_computer: Primary CI class for endpoints. Tanium populates hardware specs, OS details, and network information.
cmdb_ci_spentry (Software Installation): Tanium syncs installed software to software installation records linked to the computer CI.
cmdb_ci_network_adapter: Network adapter details including IP and MAC addresses.

The sync operates on a configurable schedule (typically every 4-8 hours) and uses reconciliation rules to match Tanium endpoints to existing CMDB CIs by serial number or computer name. When a match is found, the record is updated. When no match is found, a new CI can be created automatically.

Important: Tanium should be configured as an authoritative data source for the attributes it manages. If someone manually edits a hardware spec in the CMDB, Tanium will overwrite it on the next sync with the actual value. This prevents well-intentioned but incorrect manual updates from corrupting the data.

Best Practices

Start with read-only visibility▼

Before enabling remediation actions from ServiceNow, start by syncing endpoint data so agents can see Tanium information in tickets. This builds trust and familiarity before adding action capabilities.

Define RBAC carefully▼

Not every help desk agent should be able to reboot machines from ServiceNow. Define role-based permissions that match your support tiers: Tier 1 gets visibility only, Tier 2 gets basic remediation (reboot, cleanup), Tier 3 gets full remediation including package deployment.

Map CIs before enabling sync▼

Run a reconciliation report before enabling CMDB sync to identify how many Tanium endpoints match existing CMDB CIs. Address duplicates and orphans before turning on automated updates.

Train agents on the new workflow▼

Agents need to understand what the Tanium data means and when to use remediation actions. Provide quick-reference guides and hands-on training sessions.

Monitor sync health▼

Set up alerts for sync failures, CI match rate drops, or data quality issues. A broken sync that goes unnoticed for weeks will erode trust in the CMDB data.

Use work note templates▼

Standardize how investigation findings are written to tickets so they are consistent, searchable, and useful for trend analysis.

Scenario: VPN Connection Failure

The Situation

A ServiceNow ticket arrives: "I cannot connect to GlobalProtect VPN. I've been trying for 2 hours and need to access my work files. Error message says 'Portal authentication failed.'" The user is a remote Claims adjuster working from home. You are a Tier 2 support agent with Tanium integration enabled in your ServiceNow console.

Your ServiceNow View

ServiceNow — INC0092155 — Tanium Endpoint Data

Health Score

Online

Status

5.2.8

GP VPN Version

5.3.1

Current GP Version

Check	Result	Status
Internet Connectivity	Connected — ping to 8.8.8.8 OK	Pass
DNS Resolution	vpn.mercuryinsurance.com resolves OK	Pass
GlobalProtect Version	5.2.8 (current: 5.3.1)	Outdated
VPN Config File	Last modified: 2024-11-15	Stale
Recent Changes	Windows Update KB5034765 installed yesterday	Review

What is the best approach using the Tanium-ServiceNow integration?

Ask the user to uninstall and reinstall the VPN client and call back if it still does not work. View the endpoint's Tanium data in ServiceNow to check the VPN client version, network connectivity status, and recent changes. If the VPN client is outdated, deploy the latest version via Tanium from within ServiceNow. If it is a configuration issue, deploy the VPN config fix package. Update the ticket with findings and resolution. Escalate to the network team since VPN issues are their responsibility. Schedule a remote desktop session for tomorrow to troubleshoot the VPN client.

Correct! The Tanium-ServiceNow integration lets you investigate and remediate without leaving ServiceNow and without interrupting the user. Check the endpoint data for the VPN client version (an outdated client is the most common cause of "portal authentication failed"), network connectivity, and recent changes. If the client needs updating, deploy it via Tanium directly from ServiceNow. The user does not need to do anything, you do not need to remote in, and the ticket is updated with a complete record.

Not quite. The Tanium-ServiceNow integration lets you investigate and remediate without leaving ServiceNow. Asking the user to reinstall (A) puts the burden on a non-technical user. Escalating to network (C) delays resolution for a client-side issue. Scheduling for tomorrow (D) is unacceptable when the user cannot work now.

Full Walkthrough: VPN Resolution▼

Check Tanium Data in SN

Open the ticket and view embedded Tanium data. See VPN client version 5.2.8 (current is 5.3.1), internet connectivity is fine, DNS resolves OK.

Identify Root Cause

Outdated GlobalProtect client (5.2.8) plus stale VPN config file from November 2024. The "portal authentication failed" error matches known issues with 5.2.x clients after the server-side VPN gateway upgrade.

Deploy Fix from SN

From the ServiceNow actions panel, deploy the GlobalProtect 5.3.1 upgrade package via Tanium. The package also includes the updated VPN configuration file.

Verify and Close

After 3 minutes, refresh the Tanium data. GP version now shows 5.3.1. Ask the user to try connecting — VPN connects successfully. Update ticket with findings and resolve.

Exercise: Traditional vs. Integrated Workflow

Compare how the same VPN ticket would be handled with and without the Tanium-ServiceNow integration:

Step	Traditional Workflow	Tanium + ServiceNow
1. Triage	Ask user to describe the error, check VPN version manually	View Tanium endpoint data instantly — see GP 5.2.8, outdated config
2. Diagnose	Remote desktop session (user interrupted for 15+ min)	All diagnostic data visible in the ticket panel — no remote session
3. Fix	Walk user through manual uninstall/reinstall (20+ min, error-prone)	Deploy GP 5.3.1 package from SN — silent background install (3 min)
4. Verify	Ask user to test, call back if still broken	Refresh Tanium data, confirm version, ask user to test VPN
5. Document	Manually type findings into ticket from memory	Findings automatically written to work notes throughout
Total Time	35-45 minutes	5-8 minutes

← Previous: Remote Remediation Next: Real-World Scenarios →

Tanium Training

ServiceNow Integration

Why Integrate Tanium with ServiceNow?

Integration Architecture

Key Integration Capabilities

Integration Impact at Scale

Ticket Context Capture

Saving Findings Back to ServiceNow

Work Notes

Resolution Details

Attachments

Complete Record

Help Desk Agent Workflow: Tanium Inside ServiceNow

Remote Actions from ServiceNow

CMDB Enrichment

What Gets Synced

Best Practices

Scenario: VPN Connection Failure

Your ServiceNow View

Check Tanium Data in SN

Identify Root Cause

Deploy Fix from SN

Verify and Close

Exercise: Traditional vs. Integrated Workflow

✍ Knowledge Check