Discover requirements
Review the requirements before you install and use Discover.
Tanium dependencies
In addition to a license for the Discover product module, make sure that your environment also meets the following requirements.
| Component | Requirement |
|---|---|
| Tanium™ Core Platform | Version 7.2 or later |
| Tanium™ Client | Version 6.0.314.1442 or later |
| Tanium™ Connect | Version 3.2 or later (Optional; for exporting Discover data) |
| Tanium™ Network Quarantine | Version 1.0.2 or later (Optional; for network blocking) |
| Tanium™ Trends | Version 2.3 or later (Optional; for creating boards with Discover statistics) |
Tanium™ Module Server
Discover is installed and runs as a service on the Module Server host computer. The impact on Module Server host computer sizing is minimal and depends on usage. Contact your Technical Account Manager (TAM) for details.
Endpoints
Supported operating systems
Same as Tanium Client support. For Tanium Client operating system support, see Tanium Client User Guide: Host system requirements. Managed endpoints perform discovery scans.
| Level 1 (ARP cache) | Level 1 (Interface Connections) | Level 2 (Simple Ping Script) | Level 3/4 (Nmap) | |
|---|---|---|---|---|
| Windows |
|
|
|
1
|
| Linux |
|
|
|
|
| macOS |
|
|
|
|
| Solaris |
|
|
|
 2
|
| AIX |
|
|
|
2
|
|
1 For level 3 and 4 discovery on Windows 2003 Server and Windows XP, level 2 discovery is used. 2 For level 3 and 4 discovery on Solaris and AIX, level 2 discovery is used because Nmap is not supported on these platforms. |
||||
Host and network security requirements
Specific ports and processes are needed to run Discover.
Ports
The following ports are required for Discover communication.
| Component | Port | Direction | Service | Purpose |
|---|---|---|---|---|
| Module Server | 17446 | Loopback | Discover | Internal purposes; not externally accessible |
| 17447 | Loopback | Discover | Internal purposes; not externally accessible | |
| 443 | Outbound | Discover | Access to console.aws.amazon.com |
Security exclusions
If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference.
| Target Device | Process |
|---|---|
| Module Server | <Module Server>\services\discover\node.exe |
| <Module Server>\plugins\content\discover-proxy\proxyplugin.exe | |
| <Module Server>\services\twsm-v1\twsm.exe | |
| Endpoints (Windows) | C:\Program Files\Npcap (Level 3 and 4 profiles only) |
| <Tanium Client>Tools\Discover\nmap\nmap.exe (Level 3 and 4 profiles only) | |
| Endpoints (macOS, Linux) | <Tanium Client>/Tools/Discover/nmap/nmap (Level 3 and 4 profiles only) |
Internet URLs
If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must whitelist the following URLs:
-
content.tanium.com
- sts.amazonaws.com (for centralized scans of Amazon EC2 environments)
-
console.aws.amazon.com (for centralized scans of Amazon EC2 environments)
User role requirements
Role-based access control (RBAC) permissions control access to the Discover workbench. The predefined roles are Discover Service Account, Discover Admin, Discover User, and Discover Read Only User.
| Permission | Discover Service Account | Discover Administrator1 | Discover User | Discover Read Only User |
|---|---|---|---|---|
|
View managed and unmanaged interfaces |
|
|
|
|
|
Discover Asset Read View lists of managed and unmanaged interfaces, export data from interface tables |
|
|
|
|
|
Discover Asset Write Apply or remove label on an interface |
|
|
|
|
|
Discover Tag Write Create or remove labels |
|
|
|
|
|
Discover Manual Import Execute Import interfaces manually with the Discover Unmanaged Interfaces button |
|
|
|
|
|
Discover Settings Write Edit Discover settings, manage profiles |
|
|
|
|
|
Discover Profile Write Create, edit, and delete Discover profiles |
|
|
|
|
|
Discover Profile Read View the configured Discover profiles |
|
|
|
|
|
Discover Action Group Read View the discover action group |
|
1
|
|
|
|
Discover Location Permissions Write Define locations and corresponding permissions for user groups |
|
|
|
|
|
Manage backend components, including Discover action groups and computer groups |
|
|
|
|
| 1 The Content Administrator reserved role is required to edit the Discover action group. | ||||
| Permission | Role type | Content set for permission | Discover Service Account | Discover Administrator | Discover User | Discover Read Only User |
|---|---|---|---|---|---|---|
| Read User | Micro Admin |
|
|
|
|
|
| Read Computer Group | Micro Admin |
|
|
|
|
|
| Write Computer Group | Micro Admin |
|
|
|
|
|
| Ask Dynamic Questions | Advanced |
|
|
|
|
|
| Execute Plugin | Advanced | Discover Content |
|
|
|
|
| Read Action | Advanced | Discover Content |
|
|
|
|
| Read Own Action | Advanced | Discover Content |
|
|
|
|
| Read Package | Advanced | Discover Content |
|
|
|
|
| Read Saved Question | Advanced | Discover Content |
|
|
|
|
| Read Sensor | Advanced | Discover Content |
|
|
|
|
| Read Sensor | Advanced | Reserved |
|
|
|
|
| Write Action | Advanced | Discover Content |
|
|
|
|
| Write Package | Advanced | Discover Content |
|
|
|
|
| Write Saved Question | Advanced | Discover Content |
|
|
|
|
| Role | Enables |
|---|---|
| Connect User |
For signed in user:
For service account:
|
| Administrator |
|
| Network Quarantine User |
|
| Network Quarantine Read Only User |
|
Last updated: 2/25/2020 2:16 PM | Feedback