Detect requirements

Review the requirements before you install and use Detect.

Tanium dependencies

In addition to a license for the Detect product module, make sure that your environment also meets the following requirements.

| Component | Requirement |
| --- | --- |
| Platform | Version 7.0 or later. Enhanced functionality is available with version 7.0.314.6042 and later. Installing Tanium™ Interact is also suggested. For more information, see the Tanium Core Platform Installation Guide: Installing Tanium Server. |
| Tanium™ Client | Detect is supported on Linux, Mac, and Windows endpoints. Windows XP must have SP3 installed and Windows 2003 must have SP2 installed. For more information, see the Tanium Client Deployment Guide: Prerequisites. |
| Tanium™ Connect | 3.0 or later is required for event forwarding. 4.1.0 or later is required for reputation data. |
| Tanium™ Index | 1.3.0.1 or later (optional) |
| Tanium™ Trace | 2.1.0 or later. Sysmon is required for Windows Server 2008 and Windows 7 endpoints. See Tanium Trace User Guide: Third-party software. |

Endpoint hardware requirements

250 MB of disk space must be free on the endpoint. For more information, see the Tanium Client Deployment Guide: Prerequisites.

Tanium Module Server computer resources

Detect is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage. For more information, see the Tanium Core Platform Installation Guide: Host computer sizing. Contact your Technical Account Manager (TAM) for details.

Host and network security requirements

Specific ports and processes are needed to run Detect.

Ports

Outbound ports 80 and 443 are required on the Module Server host machine for integrating intel streams.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference.

| Target device | Process |
| --- | --- |
| Module Server | <Tanium Module Server>\services\detect3\node.exe |
| Module Server | <Tanium Module Server>\services\detect3\twsm.exe |
| Module Server | <Tanium Module Server>\services\event-service\node.exe |
| Module Server | <Tanium Module Server>\services\event-service\twsm.exe |
| Windows x86 endpoints | <Tanium Client>\Tools\Detect3\TaniumDetectEngine.exe |
| Windows x64 endpoints | <Tanium Client>\Tools\Detect3\TaniumDetectEngine.exe |
| Mac OS endpoints | <Tanium Client>/Tools/Detect3/TaniumDetectEngine |
| Linux x86 endpoints | <Tanium Client>/Tools/Detect3/TaniumDetectEngine |
| Linux x64 endpoints | <Tanium Client>/Tools/Detect3/TaniumDetectEngine |
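
The following added example (not part of the Tanium documentation) expands the placeholders in the process list above and audits an exported exclusion list against it, reporting required processes that are not covered and entries that are wider than a single process path. The install roots, the sample exclusion entries, and the matching rules (`*` wildcards, a trailing separator meaning a whole folder) are assumptions; match them to how your security product interprets its entries.

```python
from fnmatch import fnmatchcase
from pathlib import PurePosixPath, PureWindowsPath

# Process paths from the security exclusions list, relative to the install root.
REQUIRED = {
    "module_server": [r"services\detect3\node.exe", r"services\detect3\twsm.exe",
                      r"services\event-service\node.exe", r"services\event-service\twsm.exe"],
    "windows_endpoint": [r"Tools\Detect3\TaniumDetectEngine.exe"],
    "posix_endpoint": ["Tools/Detect3/TaniumDetectEngine"],  # Mac OS and Linux
}

def required_paths(target, root):
    """Expand the <Tanium Module Server> / <Tanium Client> placeholder to full paths."""
    path_cls = PurePosixPath if target == "posix_endpoint" else PureWindowsPath
    return [str(path_cls(root) / rel) for rel in REQUIRED[target]]

def _norm(path, windows):
    # Windows paths compare case-insensitively; POSIX paths are left untouched.
    return path.replace("/", "\\").lower() if windows else path

def audit_exclusions(target, root, exclusions):
    """Return (missing, broad): required paths with no exclusion, and
    exclusion entries that cover a required path but are wider than it."""
    windows = target != "posix_endpoint"
    patterns = []
    for entry in exclusions:
        pat = _norm(entry, windows)
        if pat.endswith(("\\", "/")):  # assumption: trailing separator = whole folder
            pat += "*"
        patterns.append((entry, pat))
    missing, broad = [], []
    for req in required_paths(target, root):
        key = _norm(req, windows)
        hits = [(e, p) for e, p in patterns if fnmatchcase(key, p)]
        if not hits:
            missing.append(req)
        broad += [e for e, p in hits if p != key and e not in broad]
    return missing, broad

# Constructed sample: the install root and the exported exclusion list are made up.
SAMPLE_ROOT = r"D:\Tanium\Tanium Module Server"
SAMPLE_EXCLUSIONS = [
    r"d:\tanium\tanium module server\services\detect3\node.exe",
    r"D:\Tanium\Tanium Module Server\services\detect3\twsm.exe",
    r"D:\Tanium\Tanium Module Server\services\event-service\*",
]

if __name__ == "__main__":
    print(audit_exclusions("module_server", SAMPLE_ROOT, SAMPLE_EXCLUSIONS))
```

Entries reported as broad still let the Tanium processes run, but they exempt more than the four Module Server binaries or the single endpoint engine that the list calls for.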

Internet URLs

Intel streams are updated from the Detect service, which runs on the Tanium Module Server. If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must whitelist the intel stream provider URLs on the Tanium Module Server.

User role requirements

For Tanium Platform version 7.0, users with a minimum of Question Author privilege can perform all functions.

For version 7.1.314.3071 or later, you can use role-based access control (RBAC) permissions to restrict access to Detect functions.

Table 1:   Tanium 7.1 Detect Role Privileges
Permission Detect Administrator Detect Service Account Detect Read Only User Detect User

Show Detect

Access to the Detect workbench

Show Detect3

Access to the Detect workbench

* * *

Detect Alert Write

View and explore alerts

Detect Config Read

View and list engine configurations

*

Detect Config Write

Create, edit, and delete engine configurations

Detect Group Config Read

View and list groups for intel mapping

*

Detect Group Config Write

Create, edit, and delete groups for intel mapping

Detect Intel Read

View and list intel

* *

Detect Intel Write

Add and delete intel

Detect Label Read

View and list labels that are assigned to intel

* *

Detect Label Write

Create, edit, and delete labels that are assigned to intel

Detect Notification Read

View and list system notifications of updates to the Tanium signals feed

*

Detect Notification Write

Remove notifications from the Detect workbench

Detect Quickscan Read

View and list the results of quick scans

* *

Detect Quickscan Write

Start, stop, and delete the results of quick scans

Detect Service User

Deploy group configs and intel, gather alerts and group config stats, and ingest intel from streams

Detect Source Read

View and list sources of intel

* *

Detect Source Write

Add, remove, and configure sources of intel

Detect Use API

Perform Detect operations using the API

* * *

Detect Suppressionrule Write

Create, edit, and delete suppression rules

Detect Suppressionrule Read

View and list suppression rules

* *

Detect Workbench User

Provides privileges for Workbench users

Detect Demo User

Provides privileges for Demo users

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.

* Denotes an implied permission.

† Requires permissions for other modules or solutions to complete all tasks in other modules and see all content; such as Interact, Trace (version 2.2.0 or later), or Connect (version 4.3.0 or later). You can assign a role for another product, or create a custom role that lists just the specific privileges needed.

‡ To install Detect, you must have the reserved role of Administrator.



Table 2:    Tanium 7.1 Micro Admin Role Privileges
Permission Detect Administrator Detect Service Account Detect Read Only User Detect User
Read User *
Write WhiteListed Urls *

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.

* Denotes an implied permission.



Table 3:   Tanium 7.1 Advanced Role Privileges
Permission Content Set for Permission Detect Administrator Detect Service Account Detect Read Only User Detect User
Ask Dynamic Questions   * * *
Execute Plugin Detect * * * *
Execute Plugin Detect Service *
Read Package Detect *
Read Plugin Detect Service *
Read Saved Question Detect *
Read Saved Question Detect Service *
Read Sensor Reserved * *
Read Sensor Base *
Read Sensor Detect * * * *
Read Sensor Detect Service *
Write Action Detect * *
Write Action Detect Service *
Write Package Detect *
Write Package Detect Service *

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.

* Denotes an implied permission.

For example, to do everything in Detect and its features that integrate with other Tanium products, the user needs:

  • Detect Administrator and Detect Service Account roles.
  • Connect Administrator role or the Event Schema Write and Reputation Write privileges to send events to Connect and see reputation data.
  • Trace User role to pivot from an alert into a Trace live connection and to work with Trace-generated intel.
  • Show Interact role to open scan results and drill down to endpoints.

Last updated: 11/2/2018 3:30 PM