Review the requirements before you install and use Detect.
In addition to a license for the Detect product module, make sure that your environment also meets the following requirements.
|Platform||7.0 or later. Enhanced functionality is available with version 7.0.314.6042 and later. Installing Tanium™ Interact is also suggested. For more information, see the Tanium Core Platform Installation Guide: Installing Tanium Server.|
|Tanium™ Client||Detect is supported on Linux, Mac, and Windows endpoints. Windows XP must have SP3 installed and Windows 2003 must have SP2 installed. For more information, see the Tanium Client Deployment Guide: Prerequisites.|
|Tanium™ Connect||Connect 3.0 or later is required for event forwarding. Connect 4.1.0 or later is required for reputation data.|
|Tanium™ Index||22.214.171.124 or later (optional)|
|Tanium™ Trace||2.1.0 or later with Microsoft Sysmon configured, required for signals intel.|
There must be 250 MB of free disk space on the endpoint. For more information, see the Tanium Client Deployment Guide: Prerequisites.
Detect is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage. For more information, see the Tanium Core Platform Installation Guide: Host computer sizing. Contact your Technical Account Manager (TAM) for details.
Specific ports and processes are needed to run Detect.
Outbound ports 80 and 443 are required on the Module Server host machine for integrating intel streams.
If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference.
Intel streams are updated from the Detect service, which runs on the Tanium Module Server. If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must whitelist the intel stream provider URLs on the Tanium Module Server.
For Tanium Platform version 7.0, users with a minimum of Question Author privilege can perform all functions.
For version 7.1.314.3071 or later, you can use role-based access control (RBAC) permissions to restrict access to Detect functions.
|Privilege||Detect Administrator||Detect User||Detect Read Only User||Detect Service User|
|Detect Use API|
|Detect Configuration Write|
|Detect Configuration Read|
|Detect Group Configuration Write|
|Detect Group Configuration Read|
|Detect Source Write*|
|Detect Source Read|
|Detect Intel Write|
|Detect Intel Read*|
|Detect Label Write|
|Detect Label Read|
|Detect Quick Scan Write|
|Detect Quick Scan Read*|
|Detect Alert Write|
|Detect Alert Read*|
|Detect Workbench User|
|Detect Administrator User|
|Detect Service User*|
‡ To install Detect, you must have the reserved role of Administrator.
* Requires permissions for other modules or solutions, such as Interact, Trace (version 2.2.0 or later), or Connect (version 4.3.0 or later), to complete all tasks in other modules and see all content. You can assign a role for another product, or create a custom role that lists just the specific privileges needed.
For example, to do everything in Detect and its features that integrate with other Tanium products, the user needs:
- Detect Administrator and Detect Service Account roles.
- Connect Administrator role or the Event Schema Write and Reputation Write privileges to send events to Connect and see reputation data.
- Trace User role to pivot from an alert into a Trace live connection and to work with Trace-generated intel.
- Show Interact role to open scan results and drill down to endpoints.
For more information, see the Tanium Core Platform User Guide: Users and user groups.
Last updated: 2/20/2018 1:21 PM