Review the requirements before you install and use Discover.
In addition to a license for the Discover product module, make sure that your environment also meets the following requirements.
|Platform||Version 7.0 or later|
|Tanium Client||All Tanium Client versions are supported|
Version 3.2 or later (Optional; for network blocking and notifications)
|Tanium Network Quarantine||Version 1.0.2 or later (Optional; for network blocking)|
|License||For information about licensing Discover, contact your Technical Account Manager (TAM). The license for Discover includes the following solutions:
Discover is installed and runs as a service on the Module Server host computer. The impact on Module Server host computer sizing is minimal and depends on usage. Contact your TAM for details.
- PsExec v2.11 or later (Optional; for using PSEXEC to deploy Tanium Client)
Specific ports and processes are needed to run Discover.
The following ports are required for Discover communication.
|Module Server||17446||Loopback||Discover||Internal purposes; not externally accessible|
|17447||Loopback||Discover||Internal purposes; not externally accessible|
If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference.
|Target Device||Process or Directory Exclusions|
|Tanium Module Server||
If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must whitelist the following URLs:
Tanium Server 7.0
Administrator user role is required for all Discover functions.
Tanium Server 7.1 or later
Role-based access control (RBAC) permissions control access to the Discover workbench. The predefined roles are Discover Service Account, Discover Admin, Discover User, and Discover Read Only User.
|Privilege||Discover Service Account1||Discover Administrator||Discover User||Discover Read Only User|
View managed and unmanaged interfaces
Discover Asset Read
View lists of managed and unmanaged interfaces, export data from interface tables
Discover Asset Write
Apply or remove label on an interface
Discover Asset Block
Block interface with Palo Alto Dynamic Address Group (Connect User module role also required)
Discover Asset Unblock
Unblock interface with Palo Alto Dynamic Address Group (Connect User module role also required)
Discover Tag Write
Create or remove labels
Discover Manual Import Execute
Import interfaces manually with the Discover Unmanaged Interfaces button
Discover Settings Write
Edit Discover settings, create discovery methods
Discover Components Manage
Manage backend components, including Discover action groups and computer groups
1 Provides the Administrator reserved role.
|Permission||Role type||Content set for permission||Discover Service Account||Discover Administrator||Discover User||Discover Read Only User|
|Read Computer Group||Micro Admin|
|Write Computer Group||Micro Admin|
|Ask Dynamic Questions||Advanced|
|Execute Plugin||Advanced||Discover Content|
|Read Own Action||Advanced||Discover Content|
|Read Own Action||Advanced||Reserved|
|Read Package||Advanced||Discover Content|
|Read Saved Question||Advanced||Discover Content|
|Read Saved Question||Advanced||Reserved|
|Read Sensor||Advanced||Discover Content|
|Write Action||Advanced||Discover Content|
|Write Package||Advanced||Discover Content|
|Write Saved Question||Advanced||Discover Content|
|Write Saved Question||Advanced||Reserved|
For signed in user:
For service account:
|Network Quarantine User||
|Network Quarantine Read Only User||
Last updated: 1/15/2019 1:45 PM | Feedback