Discover requirements

Review the requirements before you install and use Discover.

Tanium dependencies

In addition to a license for the Discover product module, make sure that your environment also meets the following requirements.

Component | Requirement
Platform | Version 7.0 or later
Tanium Client | All Tanium Client versions are supported
Tanium Connect | Version 3.2 or later (Optional; for network blocking and notifications)
Tanium Network Quarantine | Version 1.0.2 or later (Optional; for network blocking)
License | For information about licensing Discover, contact your Technical Account Manager (TAM). The license for Discover includes the following solutions:
  • Discover
  • Discover Client Deploy

Tanium™ Module Server

Discover is installed and runs as a service on the Module Server host computer. The impact on Module Server host computer sizing is minimal and depends on usage. Contact your TAM for details.

Third-party software

  • PsExec v2.11 or later (Optional; for using PSEXEC to deploy Tanium Client)

Host and network security requirements

Specific ports and processes are needed to run Discover.

Ports

The following ports are required for Discover communication.

Component | Port | Direction | Service | Purpose
Module Server | 17446 | Loopback | Discover | Internal purposes; not externally accessible
Module Server | 17447 | Loopback | Discover | Internal purposes; not externally accessible
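
The following PowerShell check is an added example, not part of the Tanium documentation. It confirms that anything listening on the two Discover ports listed above is bound to a loopback address only. The function name, the status labels, and the sample listener objects are assumptions made for illustration.

```powershell
# Added example: verify that the Discover ports are bound to loopback only.
# Ports 17446 and 17447 come from the table above; all other names are illustrative.
$DiscoverPorts     = 17446, 17447
$LoopbackAddresses = '127.0.0.1', '::1'

function Test-DiscoverLoopbackPorts {
    param(
        # Objects exposing LocalAddress, LocalPort and OwningProcess,
        # which is the shape Get-NetTCPConnection returns.
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Listeners
    )
    foreach ($port in $DiscoverPorts) {
        $bound = @($Listeners | Where-Object { $_.LocalPort -eq $port })
        if ($bound.Count -eq 0) {
            # Nothing is listening: the Discover service may be stopped.
            [pscustomobject]@{ Port = $port; LocalAddress = $null; OwningProcess = $null; Status = 'NotListening' }
            continue
        }
        foreach ($l in $bound) {
            # Any bind other than 127.0.0.1 or ::1 is reachable from outside the host.
            $status = if ($LoopbackAddresses -contains $l.LocalAddress) { 'LoopbackOnly' } else { 'Exposed' }
            [pscustomobject]@{ Port = $port; LocalAddress = $l.LocalAddress; OwningProcess = $l.OwningProcess; Status = $status }
        }
    }
}

# Live check on the Module Server host:
#   $live = @(Get-NetTCPConnection -State Listen -LocalPort $DiscoverPorts -ErrorAction SilentlyContinue)
#   Test-DiscoverLoopbackPorts -Listeners $live

# Constructed sample input (not real output): one correct bind, one wildcard bind.
$sample = @(
    [pscustomobject]@{ LocalAddress = '127.0.0.1'; LocalPort = 17446; OwningProcess = 4120 },
    [pscustomobject]@{ LocalAddress = '0.0.0.0';   LocalPort = 17447; OwningProcess = 4120 }
)
Test-DiscoverLoopbackPorts -Listeners $sample | Format-Table -AutoSize
```

A row with Status `Exposed` means the port is bound to a non-loopback address and should be investigated; resolve `OwningProcess` with `Get-Process -Id` to see which process holds it.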

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference.

Target Device | Process or Directory Exclusions

Tanium Module Server
  • <Tanium Module Server>\services\discover\node.exe
  • <Tanium Module Server>\plugins\content\discover-proxy\proxyplugin.exe
  • <Tanium Module Server>\services\twsm-v1\twsm.exe

Endpoint Computers
  • C:\Program Files\Npcap
  • <Tanium Client>\Tools\Discover\nmap\nmap.exe

Internet URLs

If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must whitelist the following URLs:

  • content.tanium.com

User role requirements

Tanium Server 7.0

Administrator user role is required for all Discover functions.

Tanium Server 7.1 or later

Role-based access control (RBAC) permissions control access to the Discover workbench. The predefined roles are Discover Service Account, Discover Admin, Discover User, and Discover Read Only User.

Table 1:   Discover user role privileges for Tanium 7.1.314.3071 or later
Privilege | Discover Service Account [1] | Discover Administrator | Discover User | Discover Read Only User

  • Show Discover: View managed and unmanaged interfaces
  • Discover Asset Read: View lists of managed and unmanaged interfaces, export data from interface tables
  • Discover Asset Write: Apply or remove label on an interface
  • Discover Asset Block: Block interface with Palo Alto Dynamic Address Group (Connect User module role also required)
  • Discover Asset Unblock: Unblock interface with Palo Alto Dynamic Address Group (Connect User module role also required)
  • Discover Tag Write: Create or remove labels
  • Discover Manual Import Execute: Import interfaces manually with the Discover Unmanaged Interfaces button
  • Discover Settings Write: Edit Discover settings, create discovery methods
  • Discover Components Manage: Manage backend components, including Discover action groups and computer groups

[1] Provides the Administrator reserved role.

 

Table 2:   Provided Discover Micro Admin and Advanced user role permissions for Tanium 7.1.314.3071 or later
Permission | Role type | Content set for permission | Discover Service Account | Discover Administrator | Discover User | Discover Read Only User

Read Computer Group | Micro Admin
Write Computer Group | Micro Admin
Ask Dynamic Questions | Advanced
Execute Plugin | Advanced | Discover Content
Execute Plugin | Advanced | Reserved
Read Own Action | Advanced | Discover Content
Read Own Action | Advanced | Reserved
Read Package | Advanced | Discover Content
Read Package | Advanced | Reserved
Read Saved Question | Advanced | Discover Content
Read Saved Question | Advanced | Reserved
Read Sensor | Advanced | Discover Content
Read Sensor | Advanced | Reserved
Write Action | Advanced | Discover Content
Write Action | Advanced | Reserved
Write Package | Advanced | Discover Content
Write Package | Advanced | Reserved
Write Saved Question | Advanced | Discover Content
Write Saved Question | Advanced | Reserved

 

Table 3:   Optional roles for Discover
Role | Enables

Connect User
  For signed-in user:
  • Configure connections for Discover notifications
  • Configure connections for blocking and unblocking interfaces
  For service account:
  • Send Discover notifications

Administrator
  • Set up and run Discover client deployments
  • When a user has the Tanium Service Account role, the Administrator role is implied

Network Quarantine User
  • View quarantined interfaces on Interfaces pages
  • Quarantine and unquarantine interfaces

Network Quarantine Read Only User
  • View quarantined interfaces on Interfaces pages

Last updated: 11/2/2018 1:10 PM