Discover requirements

Review the requirements before you use Discover.

Also review the Tanium as a Service requirements, described in Tanium as a Service User Guide: Tanium as a Service requirements.

Tanium dependencies

In addition to a license for the Discover product module, make sure that your environment also meets the following requirements.

Component	Requirement
Tanium™ Core Platform	Version 7.3.314.4250 or later
Tanium™ Client	Version 7.2.314.2311 or later Version 7.4 or later
Tanium Products	If you clicked the Install with Recommended Configurations button when you installed Discover, the Tanium Server automatically installed all your licensed modules at the same time. Otherwise, you must manually install the modules that Discover requires to function, as described under Tanium Console User Guide: Manage Tanium modules. Discover requires the specified minimum versions to work with the following modules: Tanium Connect 5.0 or later (for exporting Discover data) Tanium Network Quarantine 1.0.2 or later (for network blocking) Tanium Trends 3.6 or later (for creating boards with Discover statistics) Tanium Endpoint Configuration 1.2 or later Endpoint Configuration is installed as part of Tanium Client Management 1.5.3 or later.

Component

Requirement

Tanium™ Core Platform

Version 7.3.314.4250 or later

Tanium™ Client

Version 7.2.314.2311 or later

Version 7.4 or later

Tanium Products

If you clicked the Install with Recommended Configurations button when you installed Discover, the Tanium Server automatically installed all your licensed modules at the same time. Otherwise, you must manually install the modules that Discover requires to function, as described under Tanium Console User Guide: Manage Tanium modules.

Discover requires the specified minimum versions to work with the following modules:

Tanium Connect 5.0 or later (for exporting Discover data)
Tanium Network Quarantine 1.0.2 or later (for network blocking)
Tanium Trends 3.6 or later (for creating boards with Discover statistics)
Tanium Endpoint Configuration 1.2 or later

Endpoint Configuration is installed as part of Tanium Client Management 1.5.3 or later.

Tanium™ Module Server

Discover is installed and runs as a service on the Module Server host computer. The impact on Module Server host computer sizing is minimal and depends on usage.

For more information, see Tanium Core Platform Installation Guide: Host system sizing guidelines.

Endpoints

Supported operating systems

For Tanium Client operating system support, see Tanium Client User Guide: Host system requirements. Managed endpoints perform discovery scans.

Operating System	Version
Windows	Windows 7 and Windows Server 2008 R2 require the latest Windows updates. If the endpoints are not up-to-date and Python content does not run and generates an error about nt._add_dll_directory with The specified procedure could not be found, see this Microsoft Security Advisory. For other Windows operating systems, see Tanium Client User Guide: Host system requirements.
macOS	10.11 and later
Linux	Same as Tanium Client support
Solaris	Same as Tanium Client support
AIX	Same as Tanium Client support

Table 1: Supported platforms per discovery method
	Level 2 (Ping)	Level 3/4 (Nmap)
Windows		¹
Linux
macOS
Solaris	³	²
AIX		²
¹ For level 3 and 4 discovery on Windows 2003 Server and Windows XP, level 2 discovery is used. ² For level 3 and 4 discovery on Solaris and AIX, level 2 discovery is used because Nmap is not supported on these platforms. ₃ Solaris endpoints do not perform OS detection.

Host and network security requirements

Specific ports and processes are needed to run Discover.

Ports

For Tanium as a Service ports, see Tanium as a Service User Guide: Host and network security requirements.

The following ports are required for Discover communication.

Source	Destination	Port	Protocol	Purpose
Module Server	Module Server	17446	TCP and UDP	Internal purposes for Discover; not externally accessible
	Module Server	17447	TCP and UDP	Internal purposes for Discover; not externally accessible
	ec2..amazonaws.com sts..amazonaws.com ssm.*.amazonaws.com	443	TCP	Access to Amazon Web Services for Discover centralized Amazon EC2 environment scans
	Endpoints	Top 1,000 TCP and UDP ports (nmap default)	TCP and UDP	OS fingerprinting for Discover centralized Nmap scans

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Table 2: Discover security exclusions
Target Device	Notes	Process
Module Server		<Module Server>\services\discover-service\node.exe
		<Module Server>\plugins\content\discover-proxy\proxyplugin.exe
		<Module Server>\services\twsm-v1\twsm.exe
		<Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Windows endpoints	(Level 3 and 4 profiles only)	C:\Program Files\Npcap
Windows endpoints	(Level 3 and 4 profiles only)	<Tanium Client>\Tools\Discover\nmap\nmap.exe
Linux endpoints	(Level 3 and 4 profiles only)	<Tanium Client>/Tools/Discover/nmap/nmap
macOS endpoints	(Level 3 and 4 profiles only)	<Tanium Client>/Tools/Discover/nmap/nmap

Internet URLs

If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must allow the following URLs:

content.tanium.com
ec2.*.amazonaws.com, sts.*.amazonaws.com, and ssm.*.amazonaws.com (for centralized scans of Amazon EC2 environments)

User role requirements

Role-based access control (RBAC) permissions control access to the Discover workbench. The predefined roles are Discover Service Account, Discover Administrator, Discover Operator, Discover User, Discover Read Only User, and Discover Endpoint Configuration Approver.

Table 3: Discover user role permissions
Permission	Discover Administrator^{1, 2}	Discover Operator¹	Discover User¹	Discover Read Only User¹	Discover Service Account^1,3	Discover Endpoint Configuration Approver^1,4
Discover Endpoint Configuration Approve Approve Discover configuration changes in the Endpoint Configuration service
Show Discover View managed and unmanaged interfaces
Discover Asset Read View lists of managed and unmanaged interfaces, export data from interface tables
Discover Asset Write Apply or remove label on an interface
Discover Tag Write Create or remove labels			⁵
Discover Manual Import Execute Import interfaces manually with the Discover Unmanaged Interfaces button
Discover Settings Write Edit Discover settings
Discover Profile Write Create, edit, and delete Discover profiles
Discover Profile Read View the configured Discover profiles
Discover Keys Rotate Rotate keys used to encrypt sensitive data
Discover Location Permissions Write Define locations and corresponding permissions for user groups
Discover Locations Write Define locations by importing CSV file
Discover Components Manage Manage backend components, including Discover action groups and computer groups
Discover Use Api Use the Discover API
Discover Trends Integration Service Account Provide access for module service accounts to read and write data, and to define sources and boards
Discover Trends Write Manipulate Discover data in Trends.
Discover Connect Integration Service Account Enable the Discover service account to interface with Connect.
¹ This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements. ² The Content Administrator reserved role is required to edit the Discover action group. ³ This role provides module permissions for Tanium Connect. For more information, see the Tanium Connect User Guide: User role requirements. ⁴ This role provides module permissions for Tanium Endpoint Configuration. For more information, see the Tanium Endpoint Configuration User Guide: User role requirements. ⁵If location permissions are defined, Discover User role cannot create labels.

Table 4: Provided Discover Micro Admin and Advanced user role permissions
Permission	Role type	Content set for permission
Read User	Micro Admin
Read User Group	Micro Admin
Read Computer Group	Micro Admin
Write Computer Group	Micro Admin
Read Filter Group	Micro Admin
Write Filter Group	Micro Admin
Ask Dynamic Questions	Advanced
Execute Plugin	Advanced	Discover Content
Execute Plugin	Advanced	Reserved
Read Plugin	Advanced	Discover Content
Read Action	Advanced	Discover Content
Read Action	Advanced	Reserved
Read Own Action	Advanced	Discover Content
Read Package	Advanced	Discover Content
Read Saved Question	Advanced	Discover Content
Read Sensor	Advanced	Discover Content
Read Sensor	Advanced	Reserved
Write Action	Advanced	Discover Content
Write Package	Advanced	Discover Content
Write Saved Question	Advanced	Discover Content
Show Preview	Advanced	Discover Content

Table 5: Optional roles for Discover
Role	Enables
Connect User	For signed in user: Configure connections for Discover notifications Configure connections for exporting interface reports
Administrator	Create Trends boards from Discover sources
Network Quarantine User	View quarantined interfaces on Interfaces pages Quarantine and unquarantine interfaces
Network Quarantine Read Only User	View quarantined interfaces on Interfaces pages