Directory Query requirements

Review the requirements before you install and use Directory Query.

Core platform dependencies

Make sure that your environment meets the following requirements:

Tanium™ Core Platform servers: 7.5.4.1158 or later
Tanium™ Client: Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements.
If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Solution dependencies

Other Tanium solutions are required for Directory Query to function (required dependencies).

Some Directory Query dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies and Feature-specific dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Directory Query requires.

Tanium recommended installation

If you select Tanium Recommended Installation when you import Directory Query, the Tanium Server automatically imports all your licensed solutions at the same time. See Tanium Console User Guide: Import all modules and services.

Import specific solutions

If you select only Directory Query to import and you are using Tanium Core Platform 7.5.2.3531 or later with Tanium Console 3.0.72 or later, the Tanium Server automatically imports the latest available versions of any required dependencies that are missing. If some required dependencies are already imported but their versions are earlier than the minimum required for Directory Query, the server automatically updates those dependencies to the latest available versions.

If you select only Directory Query to import and you are using Tanium Core Platform 7.5.2.3503 or earlier with Tanium Console 3.0.64 or earlier, you must manually import or update required dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Required dependencies

Directory Query has the following required dependencies at the specified minimum versions. You must install the dependencies in the listed order.

Tanium™ System User Service 1.0.77 or later
Tanium™ RDB Service 1.2.31 or later
Tanium™ Secrets Service 1.0.48 or later

Feature-specific dependencies

Directory Query has the following feature-specific dependencies at the specified minimum versions:

Tanium™ Direct Connect 2.3 or later is required to sync from Windows satellites.

Tanium™ Module Server

Directory Query is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage.

For information about Module Server sizing in a Windows deployment, see Tanium Core Platform Deployment Guide for Windows: Host system sizing guidelines.

Endpoints

Directory Query does not directly deploy packages to endpoints. For Tanium Client operating system support, see Tanium Client Management User Guide: Client version and host system requirements.

Third-party software

Directory Query is supported for use with the following directories:

Active Directory Domain Services that are running on any version of Microsoft Windows Server that is currently supported by Microsoft
Microsoft Entra ID (formerly Azure AD) Domain Services

Microsoft Entra ID was previously known as Microsoft Azure Active Directory or Microsoft Azure AD.

For supported versions, see Microsoft: Search Product and Services Lifecycle Information.

You can synchronize Impact with Active Directory in two different ways: service or satellite. As a best practice, use the satellite sync, which connects the Module ServerTanium™ Cloud to an endpoint that behaves as a satellite to enable communication with the Active Directory server. With service, the Module ServerTanium Cloud connects to the Active Directory server through proxy access. If you use the service type, consider the following:

The connection to the LDAP server must use LDAP over TLS (also referred to as secure LDAP or LDAPS). For steps to configure LDAPS in Entra ID AD DS (formerly Azure AD DS), see Microsoft: Configure secure LDAP for an Azure Active Directory Domain Services managed domain.
As a best practice, restrict network traffic to flow only between the IP range for your LDAP server and the Module ServerTanium Cloud over the associated ports. For port information, see Ports.
If you are using Entra ID DS (formerly Azure AD DS), you must configure Microsoft Azure to allow network connections from the Module ServerTanium Cloud. For more information, see Microsoft: Lock down secure LDAP access over the internet.
You must submit a Tanium Cloud proxy request to allow communication between your Active Directory (either on-premises or Microsoft Entra) and the Tanium Cloud server. For more information, see Tanium Cloud Deployment Guide: Network egress.

Active Directory user account

Directory Query uses the user account that you specify when you configure the connection to domains for Active Directory queries. This user should have limited access. You can specify any user, but if you modified the standard user permissions from the default settings, the user must meet the following minimum requirements so that Impact has access to read attribute data from Active Directory:

Member of the Domain Users group
Permission to read the objectSID attribute from the domain object in the configured domains
Permission to read the objectSID attribute on all users, groups, and computers in the configured domains
Permission to Read members on all groups in the configured domains
(Optional, best practice) Assign List Contents and Read all properties access on all objects in the configured domains, including the domain object.

Host and network security requirements

Specific ports and processes are needed to run Directory Query.

Ports

The following ports are required for Directory Query communication.

Source	Destination	Port	Protocol	Purpose
Module Server Tanium Cloud	Module Server Tanium Cloud (loopback)	17515	TCP	Internal purposes, not externally accessible
Module Server Tanium Cloud or satellite	Active Directory Server	389 / 636	LDAP / LDAPS	Connecting to the Active Directory server.
Module Server Tanium Cloud or satellite	Active Directory Global Catalog Server	3268 / 3269	LDAP / LDAPS	Required only when connecting to the Active Directory Global Catalog server. For more information, see Managing connections to directory servers.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

For Tanium Cloud ports, see Tanium Cloud Deployment Guide: Host and network security requirements.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Directory Query security exclusions for Tanium Core Platform servers (Windows deployments only)
Target Device	Notes	Exclusion Type	Exclusion
Module Server		Process	<Module Server>\services\directory-query-service\TaniumDirectoryQueryService.exe

Directory Query requires no specific security exclusions. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

User role requirements

The following tables list the role permissions required to use Directory Query. To review a summary of the predefined roles, see Set up Directory Query users.

For more information about role permissions and associated content sets, see Tanium Console User Guide: Managing RBAC.

Do not assign the Directory Query Service Account role to users. This role is for internal purposes only.

Directory Query user role permissions
Permission	Directory Query Administrator¹	Directory Query Operator¹	Directory Query User¹
Directory Query Domains Configure domains	QUERY READ WRITE	QUERY READ WRITE	QUERY READ
Directory Query Settings Configure Directory Query service settings	READ WRITE	READ WRITE	READ
Directory Query Support Bundle Generate and view Directory Query support bundle	READ
Directoryquery View the Directory Query workbench	SHOW	SHOW	SHOW
¹This role provides module permissions for Tanium Direct Connect. For more information, see Tanium Direct Connect User Guide: User role requirements.

Provided Directory Query platform content permissions
Permission	Directory Query Administrator	Directory Query Operator	Directory Query User
Plugin	READ EXECUTE	READ EXECUTE	READ EXECUTE
Saved Question	READ	READ	READ
Sensor	READ	READ	READ
To view which content set permissions are granted to a role, see Tanium Console User Guide: View effective role permissions.