Discover requirements

Review the requirements before you use Discover.

Also review the Tanium as a Service requirements, described in Tanium as a Service User Guide: Tanium as a Service requirements.

Tanium dependencies

In addition to a license for the Discover product module, make sure that your environment also meets the following requirements.

Component               Requirement
Tanium™ Core Platform   Version 7.3.314.4250 or later
Tanium™ Client          Version 7.2.314.2311 or later
                        Version 7.4 or later

Tanium Products

If you clicked the Install with Recommended Configurations button when you installed Discover, the Tanium Server automatically installed all your licensed modules at the same time. Otherwise, you must manually install the modules that Discover requires to function, as described under Tanium Console User Guide: Manage Tanium modules.

Discover requires the specified minimum versions to work with the following modules:

  • Tanium Connect 5.0 or later (for exporting Discover data)
  • Tanium Network Quarantine 1.0.2 or later (for network blocking)
  • Tanium Trends 3.6 or later (for creating boards with Discover statistics)
  • Tanium Endpoint Configuration 1.2 or later

    Endpoint Configuration is installed as part of Tanium Client Management 1.5.3 or later.

Tanium™ Module Server

Discover is installed and runs as a service on the Module Server host computer. The impact on Module Server host computer sizing is minimal and depends on usage.

For more information, see Tanium Core Platform Installation Guide: Host system sizing guidelines.

Endpoints

Supported operating systems

For Tanium Client operating system support, see Tanium Client User Guide: Host system requirements. Managed endpoints perform discovery scans.

Operating System   Version
Windows            Windows 7 and Windows Server 2008 R2 require the latest Windows updates. If an endpoint is not up to date, Python content does not run and fails with an error about nt._add_dll_directory ("The specified procedure could not be found"); in that case, see the Microsoft Security Advisory.
                   For other Windows operating systems, see Tanium Client User Guide: Host system requirements.
macOS              10.11 and later
Linux              Same as Tanium Client support
Solaris            Same as Tanium Client support
AIX                Same as Tanium Client support

Table 1:   Supported platforms per discovery method
Platform     Level 1 (ARP cache)   Level 1 (Interface Connections)   Level 2 (Ping)   Level 3/4 (Nmap)
Windows¹
Linux
macOS
Solaris³ ²
AIX²

¹ For level 3 and 4 discovery on Windows Server 2003 and Windows XP, level 2 discovery is used instead.

² For level 3 and 4 discovery on Solaris and AIX, level 2 discovery is used instead because Nmap is not supported on these platforms.

³ Solaris endpoints do not perform OS detection.

Host and network security requirements

Specific ports and processes are needed to run Discover.

Ports

For Tanium as a Service ports, see Tanium as a Service User Guide: Host and network security requirements.

The following ports are required for Discover communication.

Source        | Destination                                                     | Port                                         | Protocol    | Purpose
Module Server | Module Server                                                   | 17446                                        | TCP and UDP | Internal purposes for Discover; not externally accessible
Module Server | Module Server                                                   | 17447                                        | TCP and UDP | Internal purposes for Discover; not externally accessible
Module Server | ec2.*.amazonaws.com, sts.*.amazonaws.com, ssm.*.amazonaws.com | 443                                          | TCP         | Access to Amazon Web Services for Discover centralized Amazon EC2 environment scans
Module Server | Endpoints                                                       | Top 1,000 TCP and UDP ports (Nmap default)   | TCP and UDP | OS fingerprinting for Discover centralized Nmap scans
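The two Module Server ports above are for internal use only, so a practitioner will want to confirm on the host that nothing exposes them to remote hosts. The following Python check is an added example, not part of the Tanium documentation: it parses listener output in netstat -ano (Windows) or ss -ltnup (Linux) format and reports any Discover internal port bound to a non-loopback address, which is exactly the set of bindings the host firewall must be shown to block. The sample output is constructed; whether the service actually binds only to loopback is not stated on the page and is what the check verifies.

```python
import re

# Ports that Discover uses only for Module Server internal traffic (from the
# ports table above); they must not be reachable from other hosts.
DISCOVER_INTERNAL_PORTS = {17446, 17447}

# Matches a local-address column such as 0.0.0.0:17446, 127.0.0.1:17447, *:17446,
# [::]:17446 or [::1]:17447 (netstat -ano on Windows, ss -ltnup on Linux).
_ADDR_PORT = re.compile(r"^(?P<addr>\[[^\]]*\]|[^:\s]+):(?P<port>\d+)$")


def is_loopback(addr: str) -> bool:
    """True for IPv4/IPv6 loopback bindings, which remote hosts cannot reach."""
    return addr.startswith("127.") or addr in ("[::1]", "::1", "localhost")


def parse_listeners(text: str):
    """Yield (proto, addr, port) for each TCP/UDP line of netstat/ss style output.
    The first address:port field is the local address; the peer column always
    follows it, so the break below stops before that column is reached."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].upper() not in ("TCP", "UDP", "TCP6", "UDP6"):
            continue  # header or unrelated line
        for field in fields[1:]:
            m = _ADDR_PORT.match(field)
            if m:
                yield fields[0].upper(), m.group("addr"), int(m.group("port"))
                break


def exposed_discover_ports(text: str):
    """Sorted (proto, addr, port) tuples for Discover internal ports bound to a
    non-loopback address, i.e. the bindings a host firewall must block."""
    return sorted(
        (proto, addr, port)
        for proto, addr, port in parse_listeners(text)
        if port in DISCOVER_INTERNAL_PORTS and not is_loopback(addr)
    )


# Constructed sample in `netstat -ano` format, not output from a real Module Server.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:17444          0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:17446        0.0.0.0:0              LISTENING       5312
  TCP    0.0.0.0:17447          0.0.0.0:0              LISTENING       5312
  TCP    [::]:17447             [::]:0                 LISTENING       5312
  UDP    127.0.0.1:17446        *:*                                    5312
  UDP    0.0.0.0:17447          *:*                                    5312
"""

for proto, addr, port in exposed_discover_ports(SAMPLE_NETSTAT):
    print(f"{proto} {port} bound to {addr}: confirm the host firewall blocks remote access")
```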

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Table 2:   Discover security exclusions
Target            | Device Notes                       | Process
Module Server     |                                    | <Module Server>\services\discover-service\node.exe
Module Server     |                                    | <Module Server>\plugins\content\discover-proxy\proxyplugin.exe
Module Server     |                                    | <Module Server>\services\twsm-v1\twsm.exe
Module Server     |                                    | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Windows endpoints | (Level 3 and 4 profiles only)      | C:\Program Files\Npcap
Windows endpoints | (Level 3 and 4 profiles only)      | <Tanium Client>\Tools\Discover\nmap\nmap.exe
Linux endpoints   | (Level 3 and 4 profiles only)      | <Tanium Client>/Tools/Discover/nmap/nmap
macOS endpoints   | (Level 3 and 4 profiles only)      | <Tanium Client>/Tools/Discover/nmap/nmap

Internet URLs

If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must allow the following URLs:

  • content.tanium.com

  • ec2.*.amazonaws.com, sts.*.amazonaws.com, and ssm.*.amazonaws.com (for centralized scans of Amazon EC2 environments)

User role requirements

Role-based access control (RBAC) permissions control access to the Discover workbench. The predefined roles are Discover Service Account, Discover Administrator, Discover Operator, Discover User, Discover Read Only User, and Discover Endpoint Configuration Approver.

Table 3:   Discover user role permissions
Roles: Discover Administrator¹ ², Discover Operator¹, Discover User¹, Discover Read Only User¹, Discover Service Account¹ ³, Discover Endpoint Configuration Approver¹ ⁴

Permission                                    | Description
Discover Endpoint Configuration Approve       | Approve Discover configuration changes in the Endpoint Configuration service
Show Discover                                 | View managed and unmanaged interfaces
Discover Asset Read                           | View lists of managed and unmanaged interfaces, and export data from interface tables
Discover Asset Write                          | Apply or remove a label on an interface
Discover Tag Write                            | Create or remove labels⁵
Discover Manual Import Execute                | Import interfaces manually with the Discover Unmanaged Interfaces button
Discover Settings Write                       | Edit Discover settings
Discover Profile Write                        | Create, edit, and delete Discover profiles
Discover Profile Read                         | View the configured Discover profiles
Discover Keys Rotate                          | Rotate the keys used to encrypt sensitive data
Discover Location Permissions Write           | Define locations and the corresponding permissions for user groups
Discover Locations Write                      | Define locations by importing a CSV file
Discover Components Manage                    | Manage backend components, including Discover action groups and computer groups
Discover Use Api                              | Use the Discover API
Discover Trends Integration Service Account   | Provide access for module service accounts to read and write data, and to define sources and boards
Discover Trends Write                         | Manipulate Discover data in Trends
Discover Connect Integration Service Account  | Enable the Discover service account to interface with Connect

¹ This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

² The Content Administrator reserved role is required to edit the Discover action group.

³ This role provides module permissions for Tanium Connect. For more information, see Tanium Connect User Guide: User role requirements.

⁴ This role provides module permissions for Tanium Endpoint Configuration. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

⁵ If location permissions are defined, the Discover User role cannot create labels.

Table 4:   Provided Discover Micro Admin and Advanced user role permissions
Roles: Discover Administrator, Discover Operator, Discover User, Discover Read Only User, Discover Service Account, Discover Endpoint Configuration Approver

Permission             | Role type   | Content set for permission
Read User              | Micro Admin |
Read User Group        | Micro Admin |
Read Computer Group    | Micro Admin |
Write Computer Group   | Micro Admin |
Read Filter Group      | Micro Admin |
Write Filter Group     | Micro Admin |
Ask Dynamic Questions  | Advanced    |
Execute Plugin         | Advanced    | Discover Content
Execute Plugin         | Advanced    | Reserved
Read Plugin            | Advanced    | Discover Content
Read Action            | Advanced    | Discover Content
Read Action            | Advanced    | Reserved
Read Own Action        | Advanced    | Discover Content
Read Package           | Advanced    | Discover Content
Read Saved Question    | Advanced    | Discover Content
Read Sensor            | Advanced    | Discover Content
Read Sensor            | Advanced    | Reserved
Write Action           | Advanced    | Discover Content
Write Package          | Advanced    | Discover Content
Write Saved Question   | Advanced    | Discover Content
Show Preview           | Advanced    | Discover Content

Table 5:   Optional roles for Discover
Role                               Enables
Connect User                       For the signed-in user:
                                     • Configure connections for Discover notifications
                                     • Configure connections for exporting interface reports
Administrator                      • Create Trends boards from Discover sources
Network Quarantine User            • View quarantined interfaces on Interfaces pages
                                   • Quarantine and unquarantine interfaces
Network Quarantine Read Only User  • View quarantined interfaces on Interfaces pages