Discover requirements

Review the requirements before you use Discover.

Also review the Tanium Cloud requirements, described in Tanium Cloud User Guide: Tanium Cloud requirements.

Core platform dependencies

Make sure that your environment meets the following requirements:

Tanium license that includes Discover
Tanium™ Core Platform servers: 7.3.314.4250 or later
Tanium™ Client: Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements.
If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Computer group dependencies

When you first sign in to the Tanium Console after a fresh installation of Tanium Server 7.4.2 or later, the server Tanium™ Cloud automatically imports the computer groups that Discover requires: All Computers.

For earlier versions of the Tanium Server, or after upgrading from an earlier version, you must manually create the computer groups. See Tanium Console User Guide: Create a computer group.

Solution dependencies

Other Tanium solutions are required for Discover to function (required dependencies) or for specific Discover features to work (feature-specific dependencies). The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.

Some Discover dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies and Feature-specific dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Discover requires.

Tanium recommended installation

If you select Tanium Recommended Installation when you import Discover, the Tanium Server automatically imports all your licensed solutions at the same time. See Tanium Console User Guide: Import all modules and services.

Import specific solutions

If you select only Discover to import and are using Tanium Core Platform 7.5.2.3531 with Tanium Console 3.0.72 or later, the Tanium Server automatically imports the latest available versions of any required dependencies that are missing. If some required dependencies are already imported but their versions are earlier than the minimum required for Discover, the server automatically updates those dependencies to the latest available versions.

If you select only Discover to import and you are using Tanium Core Platform 7.5.2.3503 or earlier with Tanium Console 3.0.64 or earlier, you must manually import or update required dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Required dependencies

Discover has the following required dependencies at the specified minimum versions:

Tanium™ Client Management 1.7.194 or later
Tanium™ Endpoint Configuration 1.2 or later (installed as part of Tanium Client Management 1.5 or later)
Tanium™ Interact 2.8.102 or later
Tanium™ Trends 3.6 or later

Feature-specific dependencies

If you select only Discover to import, you must manually import or update its feature-specific dependencies regardless of the Tanium Console or Tanium Core Platform versions. Discover has the following feature-specific dependencies at the specified minimum versions:

Tanium™ Direct Connect 2.1 or later is required to run satellite scans
Tanium™ Connect 5.0 or later is required to export Discover data

Client extensions

Tanium Endpoint Configuration installs client extensions for Discover on endpoints. Client Extensions perform tasks that are common to certain Tanium solutions. The Tanium Client uses code signatures to verify the integrity of each client extension prior to loading the extension on the endpoint. Each client extension has recommended security exclusions to allow the Tanium processes to run without interference. See Security exclusions for more information. The following client extensions perform Discover functions:

Config CX - Provides installation and configuration of extensions on endpoints. Tanium Client Management installs this client extension.
Core CX - Provides a management framework API for all other client extensions and exposes operating system metrics. Tanium Client Management installs this client extension.
DEC CX - Provides a direct connection between endpoint and Module ServerTanium Cloud. Tanium Direct Connect installs this client extension. This is a feature-specific dependency for Discover.
Discover CX - Performs satellite-based Nmap scans. Tanium Discover installs this client extension.
Extras CX - Provides a helper library that contains re-usable functions for various client extensions to use. Tanium Discover installs this client extension.

Tanium™ Module Server

Discover is installed and runs as a service on the Module Server host computer. The impact on Module Server host computer sizing is minimal and depends on usage.

For more information, see Tanium Core Platform Installation Guide: Host system sizing guidelines.

Endpoints

Supported internet protocols

Discover currently scans only for IPv4 addresses.

Supported operating systems

For Tanium Client operating system support, see Tanium Client Management User Guide: Client version and host system requirements. Managed endpoints perform discovery scans.

Operating System	Version	Notes
Windows	Windows 7 SP1 or later and Windows Server 2008 R2 SP1 or later If the endpoints are not up-to-date and Python content does not run and generates an error about nt._add_dll_directory with The specified procedure could not be found, see this Microsoft Security Advisory.	Windows 7 SP1 requires Microsoft KB2758857. Windows Server 2008 R2 SP1 requires Microsoft KB2758857.
macOS	Same as Tanium Client support
Linux	Same as Tanium Client support
Solaris	Same as Tanium Client support	Solaris endpoints cannot be designated as satellites.
AIX	7.1.4 or later	The IBM XL C++ runtime libraries file set (xlC.rte), version 16.1.0.0 or later, and the IBM LLVM runtime libraries file set (libc++.rte) must be installed. For installation instructions, see Tanium Client Management User Guide: Deploy the Tanium Client to AIX endpoints using a package file. AIX endpoints cannot be designated as satellites.

Supported platforms per discovery method
	Level 2 (Ping)	Level 3/4 (Nmap) and Satellite
Windows
Linux
macOS
Solaris	²	¹
AIX		¹
¹ For level 3 and 4 discovery on Solaris and AIX, level 2 discovery is used because Nmap is not supported on these platforms. ₂ Solaris endpoints do not perform OS detection.

Host and network security requirements

Specific ports and processes are needed to run Discover.

Ports

For Tanium Cloud ports, see Tanium Cloud User Guide: Host and network security requirements.

The following ports and protocols are required for Discover communication.

Source	Destination	Port	Protocol	Purpose
Module Server	Module Server (loopback)	17446	TCP and UDP	Internal purposes for Discover; not externally accessible
Module Server	Module Server (loopback)	17447	TCP and UDP	Internal purposes for Discover; not externally accessible

Scan communication requirements

The following ports and protocols are required for Discover scanning.

Source	Destination	Scan Type	Port	Protocol	Purpose
Tanium Client	Configured DNS servers for the client	Level 1 or level 2 distributed scans for which Use host name lookup to resolve host names is selected	53	UDP	Level 1 or level 2 distributed scans configured to use host name lookup for resolving host names use DNS for host name resolution.
	Devices with an IP address in the same subnet as the Tanium Client	Level 1 or level 2 distributed scans for which Use host name lookup to resolve host names is selected	137 (Windows only) 5355 (Windows only)	netbios-ns LLMNR	On Windows endpoints, level 1 or level 2 distributed scans configured to use host name lookup for resolving host names might use netbios or LLMNR for name resolution if enabled in the operating system on the Tanium Client.
		Level 2 distributed	N/A	ICMP	Level 2 distributed scans require ICMP echo-request and echo-response traffic from all managed endpoints to all other devices on the Tanium Client subnet.
		Level 3 distributed	N/A	ARP	Level 3 distributed scans require ARP-request traffic from the managed endpoint on the Tanium Client subnet.
		Level 4 distributed	1000 most common TCP ports (default setting)	ARP TCP	Level 4 distributed scans require ARP-request traffic from the managed endpoint on the Tanium Client subnet. Additionally, by default, Discover scans the 1000 most commonly used TCP ports on the Tanium Client subnet to calculate the OS Generation field. You can change this setting in the scan profile. For more information, see Running distributed scans.
Module Server	Customer-defined subnets	Centralized Nmap	N/A	ICMP	Centralized Nmap scans require ICMP traffic to all IP addresses specified in the scan.
	Customer-defined subnets	Centralized Nmap	1000 most common open TCP ports (default setting)	TCP	For centralized Nmap scans, by default, Discover scans the 1000 most commonly used TCP ports on the Tanium Client subnet to calculate the OS Generation field. You can change this setting in the scan profile. For more information, see Running centralized scans.
	ec2..amazonaws.com sts..amazonaws.com ssm.*.amazonaws.com	Centralized Amazon EC2 environment	443	TCP	Centralized Amazon EC2 environment scans require access to Amazon Web Services.
Satellite	Local network	Satellite	N/A	ARP	Satellite scans on a local network require ARP-request traffic from the managed endpoint on the Tanium Client subnet.
	Local network	Satellite	1000 most common open TCP ports (default setting)	TCP	Additionally, by default, Discover scans the 1000 most commonly used TCP ports on the Tanium Client subnet to calculate the OS Generation field. You can change this setting in the scan profile. For more information, see Running satellite scans.
	Remote subnets	Satellite	N/A	ICMP	Remote network satellite scans require ICMP traffic to all IP addresses specified in the scan
	Remote subnets	Satellite	1000 most common open TCP ports (default setting)	TCP	By default, Discover scans the 1000 most commonly used TCP ports on the Tanium Client subnet to calculate the OS Generation field. You can change this setting in the scan profile. For more information, see Running satellite scans.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Discover security exclusions
Target Device	Notes	Exclusion Type	Exclusion
Module Server		Process	<Module Server>\services\discover-service\node.exe
		Process	<Module Server>\plugins\content\discover-proxy\proxyplugin.exe
		Process	<Module Server>\services\twsm-v1\twsm.exe
		Process	<Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Windows endpoints		Process	<Tanium Client>\TaniumCX.exe
		File	<Tanium Client>\TaniumClientExtensions.dll
		File	<Tanium Client>\TaniumClientExtensions.dll.sig
		File	<Tanium Client>\extensions\SupportCX.dll
		File	<Tanium Client>\extensions\SupportCX.dll.sig
		File	<Tanium Client>\extensions\TaniumConfig.dll
		File	<Tanium Client>\extensions\TaniumConfig.dll.sig
		File	<Tanium Client>\extensions\discover\data\discover.db
		File	<Tanium Client>\extensions\discover\data\discover.db-wal
		File	<Tanium Client>\extensions\discover\data\discover.db-shm
	(Distributed level 3, distributed level 4, and satellite profiles only)	Folder	C:\Program Files\Npcap
	(Distributed level 3, distributed level 4, and satellite profiles only)	Process	<Tanium Client>\Tools\Discover\nmap\nmap.exe
	(When Direct Connect is installed; satellite profiles only)	File	<Tanium Client>\extensions\TaniumDEC.dll
	(When Direct Connect is installed; satellite profiles only)	File	<Tanium Client>\extensions\TaniumDEC.dll.sig
	(Satellite profiles only)	File	<Tanium Client>\extensions\TaniumDiscover.dll
	(Satellite profiles only)	File	<Tanium Client>\extensions\TaniumDiscover.dll.sig
	(Satellite profiles only)	File	<Tanium Client>\extensions\TaniumExtras.dll
	(Satellite profiles only)	File	<Tanium Client>\extensions\TaniumExtras.dll.sig
	7.4.x clients	Folder	<Tanium Client>\python38
	7.4.x clients¹	Process	<Tanium Client>\python38\TPython.exe
Linux endpoints		Process	<Tanium Client>/TaniumCX
		File	<Tanium Client>/libTaniumClientExtensions.so
		File	<Tanium Client>/libTaniumClientExtensions.so.sig
		File	<Tanium Client>/extensions/libSupportCX.so
		File	<Tanium Client>/extensions/libSupportCX.so.sig
		File	<Tanium Client>/extensions/libTaniumConfig.so
		File	<Tanium Client>/extensions/libTaniumConfig.so.sig
		File	<Tanium Client>/extensions/discover/data/discover.db
		File	<Tanium Client>/extensions/discover/data/discover.db-wal
		File	<Tanium Client>/extensions/discover/data/discover.db-shm
	(Distributed level 3, distributed level 4, and satellite profiles only)	Process	<Tanium Client>/Tools/Discover/nmap/nmap
	(When Direct Connect is installed; satellite profiles only)	File	<Tanium Client>/extensions/libTaniumDEC.so
	(When Direct Connect is installed; satellite profiles only)	File	<Tanium Client>/extensions/libTaniumDEC.so.sig
	(Satellite profiles only)	File	<Tanium Client>/extensions/libTaniumDiscover.so
	(Satellite profiles only)	File	<Tanium Client>/extensions/libTaniumDiscover.so.sig
	(Satellite profiles only)	File	<Tanium Client>/extensions/libTaniumExtras.so
	(Satellite profiles only)	File	<Tanium Client>/extensions/libTaniumExtras.so.sig
	7.4.x clients	Folder	<Tanium Client>/python38
	7.4.x clients	Process	<Tanium Client>/python38/python
macOS endpoints		Process	<Tanium Client>/TaniumCX
		File	<Tanium Client>/libTaniumClientExtensions.dylib
		File	<Tanium Client>/libTaniumClientExtensions.dylib.sig
		File	<Tanium Client>/extensions/libSupportCX.dylib
		File	<Tanium Client>/extensions/libSupportCX.dylib.sig
		File	<Tanium Client>/extensions/libTaniumConfig.dylib
		File	<Tanium Client>/extensions/libTaniumConfig.dylib.sig
		File	<Tanium Client>/extensions/discover/data/discover.db
		File	<Tanium Client>/extensions/discover/data/discover.db-wal
		File	<Tanium Client>/extensions/discover/data/discover.db-shm
	(Distributed level 3, distributed level 4, and satellite profiles only)	Process	<Tanium Client>/Tools/Discover/nmap/nmap
	(When Direct Connect is installed; satellite profiles only)	File	<Tanium Client>/extensions/libTaniumDEC.dylib
	(When Direct Connect is installed; satellite profiles only)	File	<Tanium Client>/extensions/libTaniumDEC.dylib.sig
	(Satellite profiles only)	File	<Tanium Client>/extensions/libTaniumDiscover.dylib
	(Satellite profiles only)	File	<Tanium Client>/extensions/libTaniumDiscover.dylib.sig
	(Satellite profiles only)	File	<Tanium Client>/extensions/libTaniumExtras.dylib
	(Satellite profiles only)	File	<Tanium Client>/extensions/libTaniumExtras.dylib.sig
	7.4.x clients	Folder	<Tanium Client>/python38
	7.4.x clients	Process	<Tanium Client>/python38/python

Discover security exclusions
Target Device	Notes	Exclusion Type	Exclusion
Windows endpoints		Process	<Tanium Client>\TaniumCX.exe
		File	<Tanium Client>\TaniumClientExtensions.dll
		File	<Tanium Client>\TaniumClientExtensions.dll.sig
		File	<Tanium Client>\extensions\SupportCX.dll
		File	<Tanium Client>\extensions\SupportCX.dll.sig
		File	<Tanium Client>\extensions\TaniumConfig.dll
		File	<Tanium Client>\extensions\TaniumConfig.dll.sig
		File	<Tanium Client>\extensions\discover\data\discover.db
		File	<Tanium Client>\extensions\discover\data\discover.db-wal
		File	<Tanium Client>\extensions\discover\data\discover.db-shm
	(Distributed level 3, distributed level 4, and satellite profiles only)	Folder	C:\Program Files\Npcap
	(Distributed level 3, distributed level 4, and satellite profiles only)	Process	<Tanium Client>\Tools\Discover\nmap\nmap.exe
	(When Direct Connect is installed; satellite profiles only)	File	<Tanium Client>\extensions\TaniumDEC.dll
	(When Direct Connect is installed; satellite profiles only)	File	<Tanium Client>\extensions\TaniumDEC.dll.sig
	(Satellite profiles only)	File	<Tanium Client>\extensions\TaniumDiscover.dll
	(Satellite profiles only)	File	<Tanium Client>\extensions\TaniumDiscover.dll.sig
	(Satellite profiles only)	File	<Tanium Client>\extensions\TaniumExtras.dll
	(Satellite profiles only)	File	<Tanium Client>\extensions\TaniumExtras.dll.sig
Linux endpoints		Process	<Tanium Client>/TaniumCX
		File	<Tanium Client>/libTaniumClientExtensions.so
		File	<Tanium Client>/libTaniumClientExtensions.so.sig
		File	<Tanium Client>/extensions/libSupportCX.so
		File	<Tanium Client>/extensions/libSupportCX.so.sig
		File	<Tanium Client>/extensions/libTaniumConfig.so
		File	<Tanium Client>/extensions/libTaniumConfig.so.sig
		File	<Tanium Client>/extensions/discover/data/discover.db
		File	<Tanium Client>/extensions/discover/data/discover.db-wal
		File	<Tanium Client>/extensions/discover/data/discover.db-shm
	(Distributed level 3, distributed level 4, and satellite profiles only)	Process	<Tanium Client>/Tools/Discover/nmap/nmap
	(When Direct Connect is installed; satellite profiles only)	File	<Tanium Client>/extensions/libTaniumDEC.so
	(When Direct Connect is installed; satellite profiles only)	File	<Tanium Client>/extensions/libTaniumDEC.so.sig
	(Satellite profiles only)	File	<Tanium Client>/extensions/libTaniumDiscover.so
	(Satellite profiles only)	File	<Tanium Client>/extensions/libTaniumDiscover.so.sig
	(Satellite profiles only)	File	<Tanium Client>/extensions/libTaniumExtras.so
	(Satellite profiles only)	File	<Tanium Client>/extensions/libTaniumExtras.so.sig
macOS endpoints		Process	<Tanium Client>/TaniumCX
		File	<Tanium Client>/libTaniumClientExtensions.dylib
		File	<Tanium Client>/libTaniumClientExtensions.dylib.sig
		File	<Tanium Client>/extensions/libSupportCX.dylib
		File	<Tanium Client>/extensions/libSupportCX.dylib.sig
		File	<Tanium Client>/extensions/libTaniumConfig.dylib
		File	<Tanium Client>/extensions/libTaniumConfig.dylib.sig
		File	<Tanium Client>/extensions/discover/data/discover.db
		File	<Tanium Client>/extensions/discover/data/discover.db-wal
		File	<Tanium Client>/extensions/discover/data/discover.db-shm
	(Distributed level 3, distributed level 4, and satellite profiles only)	Process	<Tanium Client>/Tools/Discover/nmap/nmap
	(When Direct Connect is installed; satellite profiles only)	File	<Tanium Client>/extensions/libTaniumDEC.dylib
	(When Direct Connect is installed; satellite profiles only)	File	<Tanium Client>/extensions/libTaniumDEC.dylib.sig
	(Satellite profiles only)	File	<Tanium Client>/extensions/libTaniumDiscover.dylib
	(Satellite profiles only)	File	<Tanium Client>/extensions/libTaniumDiscover.dylib.sig
	(Satellite profiles only)	File	<Tanium Client>/extensions/libTaniumExtras.dylib
	(Satellite profiles only)	File	<Tanium Client>/extensions/libTaniumExtras.dylib.sig

Internet URLs

If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must allow the following URLs:

From both Tanium Server and Tanium Module Server: content.tanium.com
From Tanium Module Server: ec2.*.amazonaws.com, sts.*.amazonaws.com, and ssm.*.amazonaws.com (for centralized scans of Amazon EC2 environments)

User role requirements

The following tables list the role permissions required to use Discover. To review a summary of the predefined roles, see Set up Discover users.

For more information about role permissions and associated content sets, see Tanium Console User Guide: Managing RBAC.

Discover user role permissions
Permission	Discover Administrator^1,3	Discover Operator^1,3	Discover User¹	Discover Read Only User¹	Discover Service Account^1,2,3,5,6	Discover Endpoint Configuration Approver³^,7
Discover View managed and unmanaged interfaces	SHOW	SHOW	SHOW	SHOW
Discover API Use the Discover API	EXECUTE	EXECUTE	EXECUTE	EXECUTE	EXECUTE	EXECUTE
Discover Asset View lists of managed and unmanaged interfaces; export data from interface tables; apply or remove label on an interface	READ WRITE	READ WRITE	READ WRITE	READ
Discover Components Manage backend components, including Discover action groups and computer groups					MANAGE
Discover Connect Integration Service Account Enable the Discover service account to interface with Connect.					EXECUTE
Discover Endpoint Configuration Approve Discover configuration changes in the Endpoint Configuration service						APPROVE
Discover Keys Rotate keys used to encrypt sensitive data	ROTATE
Discover Location Permissions Define locations and corresponding permissions for user groups	WRITE	WRITE
Discover Locations Define locations by importing CSV file	WRITE	WRITE
Discover Manual Import Import interfaces manually with the Discover Unmanaged Interfaces button	EXECUTE	EXECUTE	EXECUTE		EXECUTE
Discover Profile View, create, edit, and delete Discover profiles	READ WRITE	READ WRITE				READ
Discover Settings Edit Discover settings	WRITE
Discover Tag Create or remove labels	WRITE	WRITE	WRITE⁴
Discover TDS Integration Service Account Provide access to promote Discover data to Tanium Data Service (TDS)					EXECUTE
Discover Trends Manipulate Discover data in Trends	WRITE	WRITE		READ
Discover Trends Integration Service Account Provide access for module service accounts to read and write data, and to define sources and boards					EXECUTE
¹ This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements. ² This role provides module permissions for Tanium Connect. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Connect User Guide: User role requirements. ³ This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements. ⁴If location permissions are defined, Discover User role cannot create labels. ⁵ This role provides Tanium Data Service permissions (through Tanium Interact). You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: Tanium Data Service permissions. ⁶This role provides satellite permissions (through Tanium Direct Connect). For more information, see Tanium Direct Connect User Guide: User role requirements. ⁷ If you enabled configuration approvals in Endpoint Configuration, then by default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to the Discover Service Account role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements and Tanium Endpoint Configuration User Guide: Managing approvals.

Provided Discover administration and platform content permissions
Permission	Permission type	Discover Administrator^1,2	Discover Operator^1,2	Discover User¹	Discover Read Only User¹	Discover Service Account^1,2,3,4,5	Discover Endpoint Configuration Approver²
Computer Group	Administration	READ	READ			READ	READ
Server Status	Administration					READ
User	Administration	READ				READ
User Group	Administration					READ
Action	Platform Content	READ WRITE	READ WRITE			READ WRITE	READ
Own Action	Platform Content	READ	READ			READ	READ
Package	Platform Content	READ	READ			READ
Plugin	Platform Content	READ EXECUTE	READ EXECUTE	READ EXECUTE	READ EXECUTE	READ EXECUTE	READ EXECUTE
Saved Question	Platform Content	READ	READ			READ WRITE
Sensor	Platform Content	READ	READ			READ
To view which content set permissions are granted to a role, see Tanium Console User Guide: View effective role permissions. ¹ This role provides content set permissions for Tanium Trends. You can view which Trends content sets are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements. ² This role provides content set permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration content sets are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements. ³ This role provides content set permissions for Tanium Connect. You can view which Connect content sets are granted to this role in the Tanium Console. For more information, see Tanium Connect User Guide: User role requirements. ⁴ This role provides content set permissions for Tanium Data Service through Tanium Interact. ⁵ This role provides content set permissions for Tanium Direct Connect.

Optional roles for Discover
Role	Enables
Connect User	For signed in user: Configure connections for Discover notifications Configure connections for exporting interface reports
Administrator	Create Trends boards from Discover sources