Discover requirements

Review the requirements before you use Discover.

Also review the Tanium Cloud requirements, described in Tanium Cloud User Guide: Tanium Cloud requirements.

Core platform dependencies

Make sure that your environment meets the following requirements:

  • Tanium license that includes Discover

  • Tanium™ Core Platform servers: 7.3.314.4250 or later

  • Tanium™ Client: Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements.

    If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Computer group dependencies

When you first sign in to the Tanium Console after a fresh installation of Tanium Server 7.4.2 or later, the server Tanium™ Cloud automatically imports the computer groups that Discover requires: All Computers.

For earlier versions of the Tanium Server, or after upgrading from an earlier version, you must manually create the computer groups. See Tanium Console User Guide: Create a computer group.

Solution dependencies

Other Tanium solutions are required for Discover to function (required dependencies) or for specific Discover features to work (feature-specific dependencies). The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.

Some Discover dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies and Feature-specific dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Discover requires.

Tanium recommended installation

If you select Tanium Recommended Installation when you import Discover, the Tanium Server automatically imports all your licensed solutions at the same time. See Tanium Console User Guide: Import all modules and services.

Import specific solutions

If you select only Discover to import and are using Tanium Core Platform 7.5.2.3531 with Tanium Console 3.0.72 or later, the Tanium Server automatically imports the latest available versions of any required dependencies that are missing. If some required dependencies are already imported but their versions are earlier than the minimum required for Discover, the server automatically updates those dependencies to the latest available versions.

If you select only Discover to import and you are using Tanium Core Platform 7.5.2.3503 or earlier with Tanium Console 3.0.64 or earlier, you must manually import or update required dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Required dependencies

Discover has the following required dependencies at the specified minimum versions:

Feature-specific dependencies

If you select only Discover to import, you must manually import or update its feature-specific dependencies regardless of the Tanium Console or Tanium Core Platform versions. Discover has the following feature-specific dependencies at the specified minimum versions:

  • Tanium™ Direct Connect 2.1 or later is required to run satellite scans
  • Tanium™ Connect 5.0 or later is required to export Discover data

Client extensions

Tanium Endpoint Configuration installs client extensions for Discover on endpoints. Client Extensions perform tasks that are common to certain Tanium solutions. The Tanium Client uses code signatures to verify the integrity of each client extension prior to loading the extension on the endpoint. Each client extension has recommended security exclusions to allow the Tanium processes to run without interference. See Security exclusions for more information. The following client extensions perform Discover functions:

  • Config CX - Provides installation and configuration of extensions on endpoints. Tanium Client Management installs this client extension.
  • Core CX - Provides a management framework API for all other client extensions and exposes operating system metrics. Tanium Client Management installs this client extension.
  • DEC CX - Provides a direct connection between endpoint and Module ServerTanium Cloud. Tanium Direct Connect installs this client extension. This is a feature-specific dependency for Discover.
  • Discover CX - Performs satellite-based Nmap scans. Tanium Discover installs this client extension.
  • Extras CX - Provides a helper library that contains re-usable functions for various client extensions to use. Tanium Discover installs this client extension.

Tanium™ Module Server

Discover is installed and runs as a service on the Module Server host computer. The impact on Module Server host computer sizing is minimal and depends on usage.

For more information, see Tanium Core Platform Installation Guide: Host system sizing guidelines.

Endpoints

Supported internet protocols

Discover currently scans only for IPv4 addresses.

Supported operating systems

For Tanium Client operating system support, see Tanium Client Management User Guide: Client version and host system requirements. Managed endpoints perform discovery scans.

Operating System Version Notes
Windows

Windows 7 SP1 or later and Windows Server 2008 R2 SP1 or later

If the endpoints are not up-to-date and Python content does not run and generates an error about nt._add_dll_directory with The specified procedure could not be found, see this Microsoft Security Advisory.

  • Windows 7 SP1 requires Microsoft KB2758857.

  • Windows Server 2008 R2 SP1 requires Microsoft KB2758857.

macOS Same as Tanium Client support  
Linux

Same as Tanium Client support

 
Solaris

Same as Tanium Client support

Solaris endpoints cannot be designated as satellites.

AIX

7.1.4 or later

The IBM XL C++ runtime libraries file set (xlC.rte), version 16.1.0.0 or later, and the IBM LLVM runtime libraries file set (libc++.rte) must be installed. For installation instructions, see Tanium Client Management User Guide: Deploy the Tanium Client to AIX endpoints using a package file.

AIX endpoints cannot be designated as satellites.

Supported platforms per discovery method

Level 1 (ARP cache) Level 1 (Interface Connections) Level 2 (Ping) Level 3/4 (Nmap) and Satellite
Windows
Linux
macOS
Solaris 2 1
AIX 1

1 For level 3 and 4 discovery on Solaris and AIX, level 2 discovery is used because Nmap is not supported on these platforms.

2 Solaris endpoints do not perform OS detection.

Host and network security requirements

Specific ports and processes are needed to run Discover.

Ports

For Tanium Cloud ports, see Tanium Cloud User Guide: Host and network security requirements.

The following ports and protocols are required for Discover communication.

Source Destination Port Protocol Purpose

Module Server

Module Server (loopback) 17446 TCP and UDP Internal purposes for Discover; not externally accessible
Module Server (loopback) 17447 TCP and UDP Internal purposes for Discover; not externally accessible

Scan communication requirements

The following ports and protocols are required for Discover scanning.

Source Destination Scan Type Port Protocol Purpose

Tanium Client

Configured DNS servers for the client

Level 1 or level 2 distributed scans for which Use host name lookup to resolve host names is selected

53

UDP

Level 1 or level 2 distributed scans configured to use host name lookup for resolving host names use DNS for host name resolution.
Devices with an IP address in the same subnet as the Tanium Client Level 1 or level 2 distributed scans for which Use host name lookup to resolve host names is selected
  • 137 (Windows only)

  • 5355 (Windows only)
  • netbios-ns

  • LLMNR
On Windows endpoints, level 1 or level 2 distributed scans configured to use host name lookup for resolving host names might use netbios or LLMNR for name resolution if enabled in the operating system on the Tanium Client.

Level 2 distributed

N/A

ICMP

Level 2 distributed scans require ICMP echo-request and echo-response traffic from all managed endpoints to all other devices on the Tanium Client subnet.

Level 3 distributed N/A ARP

Level 3 distributed scans require ARP-request traffic from the managed endpoint on the Tanium Client subnet.

Level 4 distributed

1000 most common TCP ports (default setting)
  • ARP

  • TCP

Level 4 distributed scans require ARP-request traffic from the managed endpoint on the Tanium Client subnet.

Additionally, by default, Discover scans the 1000 most commonly used TCP ports on the Tanium Client subnet to calculate the OS Generation field. You can change this setting in the scan profile. For more information, see Running distributed scans.

Module Server Customer-defined subnets Centralized Nmap N/A

ICMP

 

Centralized Nmap scans require ICMP traffic to all IP addresses specified in the scan.

1000 most common open TCP ports (default setting) TCP For centralized Nmap scans, by default, Discover scans the 1000 most commonly used TCP ports on the Tanium Client subnet to calculate the OS Generation field. You can change this setting in the scan profile. For more information, see Running centralized scans.

ec2.*.amazonaws.com

sts.*.amazonaws.com

ssm.*.amazonaws.com

Centralized Amazon EC2 environment 443 TCP Centralized Amazon EC2 environment scans require access to Amazon Web Services.

Satellite

 

Local network Satellite N/A

ARP

 

Satellite scans on a local network require ARP-request traffic from the managed endpoint on the Tanium Client subnet.

1000 most common open TCP ports (default setting) TCP Additionally, by default, Discover scans the 1000 most commonly used TCP ports on the Tanium Client subnet to calculate the OS Generation field. You can change this setting in the scan profile. For more information, see Running satellite scans.

Remote subnets

Satellite N/A ICMP Remote network satellite scans require ICMP traffic to all IP addresses specified in the scan
1000 most common open TCP ports (default setting) TCP By default, Discover scans the 1000 most commonly used TCP ports on the Tanium Client subnet to calculate the OS Generation field. You can change this setting in the scan profile. For more information, see Running satellite scans.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Discover security exclusions
Target Device Notes Exclusion Type Exclusion
Module Server   Process <Module Server>\services\discover-service\node.exe
  Process <Module Server>\plugins\content\discover-proxy\proxyplugin.exe
  Process <Module Server>\services\twsm-v1\twsm.exe
  Process <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Windows endpoints   Process <Tanium Client>\TaniumCX.exe
  File <Tanium Client>\TaniumClientExtensions.dll
  File <Tanium Client>\TaniumClientExtensions.dll.sig
  File <Tanium Client>\extensions\SupportCX.dll
  File <Tanium Client>\extensions\SupportCX.dll.sig
  File <Tanium Client>\extensions\TaniumConfig.dll
  File <Tanium Client>\extensions\TaniumConfig.dll.sig
  File <Tanium Client>\extensions\discover\data\discover.db
  File <Tanium Client>\extensions\discover\data\discover.db-wal
  File <Tanium Client>\extensions\discover\data\discover.db-shm
(Distributed level 3, distributed level 4, and satellite profiles only) Folder C:\Program Files\Npcap
(Distributed level 3, distributed level 4, and satellite profiles only) Process <Tanium Client>\Tools\Discover\nmap\nmap.exe
(When Direct Connect is installed; satellite profiles only) File <Tanium Client>\extensions\TaniumDEC.dll
(When Direct Connect is installed; satellite profiles only) File <Tanium Client>\extensions\TaniumDEC.dll.sig
(Satellite profiles only) File <Tanium Client>\extensions\TaniumDiscover.dll
(Satellite profiles only) File <Tanium Client>\extensions\TaniumDiscover.dll.sig
(Satellite profiles only) File <Tanium Client>\extensions\TaniumExtras.dll
(Satellite profiles only) File <Tanium Client>\extensions\TaniumExtras.dll.sig
7.4.x clients Folder <Tanium Client>\python38
7.4.x clients1 Process <Tanium Client>\python38\TPython.exe
Linux endpoints   Process <Tanium Client>/TaniumCX
  File <Tanium Client>/libTaniumClientExtensions.so
  File <Tanium Client>/libTaniumClientExtensions.so.sig
  File <Tanium Client>/extensions/libSupportCX.so
  File <Tanium Client>/extensions/libSupportCX.so.sig
  File <Tanium Client>/extensions/libTaniumConfig.so
  File <Tanium Client>/extensions/libTaniumConfig.so.sig
  File <Tanium Client>/extensions/discover/data/discover.db
  File <Tanium Client>/extensions/discover/data/discover.db-wal
  File <Tanium Client>/extensions/discover/data/discover.db-shm
(Distributed level 3, distributed level 4, and satellite profiles only) Process <Tanium Client>/Tools/Discover/nmap/nmap
(When Direct Connect is installed; satellite profiles only) File <Tanium Client>/extensions/libTaniumDEC.so
(When Direct Connect is installed; satellite profiles only) File <Tanium Client>/extensions/libTaniumDEC.so.sig
(Satellite profiles only) File <Tanium Client>/extensions/libTaniumDiscover.so
(Satellite profiles only) File <Tanium Client>/extensions/libTaniumDiscover.so.sig
(Satellite profiles only) File <Tanium Client>/extensions/libTaniumExtras.so
(Satellite profiles only) File <Tanium Client>/extensions/libTaniumExtras.so.sig
7.4.x clients Folder <Tanium Client>/python38
7.4.x clients Process <Tanium Client>/python38/python
macOS endpoints   Process <Tanium Client>/TaniumCX
  File <Tanium Client>/libTaniumClientExtensions.dylib
  File <Tanium Client>/libTaniumClientExtensions.dylib.sig
  File <Tanium Client>/extensions/libSupportCX.dylib
  File <Tanium Client>/extensions/libSupportCX.dylib.sig
  File <Tanium Client>/extensions/libTaniumConfig.dylib
  File <Tanium Client>/extensions/libTaniumConfig.dylib.sig
  File <Tanium Client>/extensions/discover/data/discover.db
  File <Tanium Client>/extensions/discover/data/discover.db-wal
  File <Tanium Client>/extensions/discover/data/discover.db-shm
(Distributed level 3, distributed level 4, and satellite profiles only) Process <Tanium Client>/Tools/Discover/nmap/nmap
(When Direct Connect is installed; satellite profiles only) File <Tanium Client>/extensions/libTaniumDEC.dylib
(When Direct Connect is installed; satellite profiles only) File <Tanium Client>/extensions/libTaniumDEC.dylib.sig
(Satellite profiles only) File <Tanium Client>/extensions/libTaniumDiscover.dylib
(Satellite profiles only) File <Tanium Client>/extensions/libTaniumDiscover.dylib.sig
(Satellite profiles only) File <Tanium Client>/extensions/libTaniumExtras.dylib
(Satellite profiles only) File <Tanium Client>/extensions/libTaniumExtras.dylib.sig
7.4.x clients Folder <Tanium Client>/python38
7.4.x clients Process <Tanium Client>/python38/python
1 = TPython requires SHA2 support to allow installation.
Discover security exclusions
Target Device Notes Exclusion Type Exclusion
Windows endpoints   Process <Tanium Client>\TaniumCX.exe
  File <Tanium Client>\TaniumClientExtensions.dll
  File <Tanium Client>\TaniumClientExtensions.dll.sig
  File <Tanium Client>\extensions\SupportCX.dll
  File <Tanium Client>\extensions\SupportCX.dll.sig
  File <Tanium Client>\extensions\TaniumConfig.dll
  File <Tanium Client>\extensions\TaniumConfig.dll.sig
  File <Tanium Client>\extensions\discover\data\discover.db
  File <Tanium Client>\extensions\discover\data\discover.db-wal
  File <Tanium Client>\extensions\discover\data\discover.db-shm
(Distributed level 3, distributed level 4, and satellite profiles only) Folder C:\Program Files\Npcap
(Distributed level 3, distributed level 4, and satellite profiles only) Process <Tanium Client>\Tools\Discover\nmap\nmap.exe
(When Direct Connect is installed; satellite profiles only) File <Tanium Client>\extensions\TaniumDEC.dll
(When Direct Connect is installed; satellite profiles only) File <Tanium Client>\extensions\TaniumDEC.dll.sig
(Satellite profiles only) File <Tanium Client>\extensions\TaniumDiscover.dll
(Satellite profiles only) File <Tanium Client>\extensions\TaniumDiscover.dll.sig
(Satellite profiles only) File <Tanium Client>\extensions\TaniumExtras.dll
(Satellite profiles only) File <Tanium Client>\extensions\TaniumExtras.dll.sig
7.4.x clients Folder <Tanium Client>\python38
7.4.x clients1 Process <Tanium Client>\python38\TPython.exe
Linux endpoints   Process <Tanium Client>/TaniumCX
  File <Tanium Client>/libTaniumClientExtensions.so
  File <Tanium Client>/libTaniumClientExtensions.so.sig
  File <Tanium Client>/extensions/libSupportCX.so
  File <Tanium Client>/extensions/libSupportCX.so.sig
  File <Tanium Client>/extensions/libTaniumConfig.so
  File <Tanium Client>/extensions/libTaniumConfig.so.sig
  File <Tanium Client>/extensions/discover/data/discover.db
  File <Tanium Client>/extensions/discover/data/discover.db-wal
  File <Tanium Client>/extensions/discover/data/discover.db-shm
(Distributed level 3, distributed level 4, and satellite profiles only) Process <Tanium Client>/Tools/Discover/nmap/nmap
(When Direct Connect is installed; satellite profiles only) File <Tanium Client>/extensions/libTaniumDEC.so
(When Direct Connect is installed; satellite profiles only) File <Tanium Client>/extensions/libTaniumDEC.so.sig
(Satellite profiles only) File <Tanium Client>/extensions/libTaniumDiscover.so
(Satellite profiles only) File <Tanium Client>/extensions/libTaniumDiscover.so.sig
(Satellite profiles only) File <Tanium Client>/extensions/libTaniumExtras.so
(Satellite profiles only) File <Tanium Client>/extensions/libTaniumExtras.so.sig
7.4.x clients Folder <Tanium Client>/python38
7.4.x clients Process <Tanium Client>/python38/python
macOS endpoints   Process <Tanium Client>/TaniumCX
  File <Tanium Client>/libTaniumClientExtensions.dylib
  File <Tanium Client>/libTaniumClientExtensions.dylib.sig
  File <Tanium Client>/extensions/libSupportCX.dylib
  File <Tanium Client>/extensions/libSupportCX.dylib.sig
  File <Tanium Client>/extensions/libTaniumConfig.dylib
  File <Tanium Client>/extensions/libTaniumConfig.dylib.sig
  File <Tanium Client>/extensions/discover/data/discover.db
  File <Tanium Client>/extensions/discover/data/discover.db-wal
  File <Tanium Client>/extensions/discover/data/discover.db-shm
(Distributed level 3, distributed level 4, and satellite profiles only) Process <Tanium Client>/Tools/Discover/nmap/nmap
(When Direct Connect is installed; satellite profiles only) File <Tanium Client>/extensions/libTaniumDEC.dylib
(When Direct Connect is installed; satellite profiles only) File <Tanium Client>/extensions/libTaniumDEC.dylib.sig
(Satellite profiles only) File <Tanium Client>/extensions/libTaniumDiscover.dylib
(Satellite profiles only) File <Tanium Client>/extensions/libTaniumDiscover.dylib.sig
(Satellite profiles only) File <Tanium Client>/extensions/libTaniumExtras.dylib
(Satellite profiles only) File <Tanium Client>/extensions/libTaniumExtras.dylib.sig
7.4.x clients Folder <Tanium Client>/python38
7.4.x clients Process <Tanium Client>/python38/python
1 = TPython requires SHA2 support to allow installation.

Internet URLs

If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must allow the following URLs:

  • From both Tanium Server and Tanium Module Server: content.tanium.com

  • From Tanium Module Server: ec2.*.amazonaws.com, sts.*.amazonaws.com, and ssm.*.amazonaws.com (for centralized scans of Amazon EC2 environments)

User role requirements

The following tables list the role permissions required to use Discover. To review a summary of the predefined roles, see Set up Discover users.

For more information about role permissions and associated content sets, see Tanium Console User Guide: Managing RBAC.

Discover user role permissions
Permission Discover Administrator1,3 Discover Operator1,3 Discover User1 Discover Read Only User1 Discover Service Account1,2,3,5,6 Discover Endpoint Configuration Approver3,7

Discover

View managed and unmanaged interfaces

SHOW

SHOW

SHOW

SHOW

Discover API

Use the Discover API

EXECUTE

EXECUTE

EXECUTE

EXECUTE

EXECUTE

EXECUTE

Discover Asset

View lists of managed and unmanaged interfaces; export data from interface tables; apply or remove label on an interface

READ

WRITE

READ

WRITE

READ

WRITE

READ

Discover Components

Manage backend components, including Discover action groups and computer groups

MANAGE

Discover Connect Integration Service Account

Enable the Discover service account to interface with Connect.

EXECUTE

Discover Endpoint Configuration

Approve Discover configuration changes in the Endpoint Configuration service

APPROVE

Discover Keys

Rotate keys used to encrypt sensitive data

ROTATE

Discover Location Permissions

Define locations and corresponding permissions for user groups

WRITE

WRITE

Discover Locations

Define locations by importing CSV file

WRITE

WRITE

Discover Manual Import

Import interfaces manually with the Discover Unmanaged Interfaces button

EXECUTE

EXECUTE

EXECUTE

EXECUTE

Discover Profile

View, create, edit, and delete Discover profiles

READ

WRITE

READ

WRITE

READ

Discover Settings

Edit Discover settings

WRITE

Discover Tag

Create or remove labels

WRITE

WRITE

WRITE4

Discover TDS Integration Service Account

Provide access to promote Discover data to Tanium Data Service (TDS)

EXECUTE

Discover Trends

Manipulate Discover data in Trends

WRITE

WRITE

READ

Discover Trends Integration Service Account

Provide access for module service accounts to read and write data, and to define sources and boards

EXECUTE

1 This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

2 This role provides module permissions for Tanium Connect. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Connect User Guide: User role requirements.

3 This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

4If location permissions are defined, Discover User role cannot create labels.

5 This role provides Tanium Data Service permissions (through Tanium Interact). You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: Tanium Data Service permissions.

6This role provides satellite permissions (through Tanium Direct Connect). For more information, see Tanium Direct Connect User Guide: User role requirements.

7 If you enabled configuration approvals in Endpoint Configuration, then by default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to the Discover Service Account role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements and Tanium Endpoint Configuration User Guide: Managing approvals.

Provided Discover administration and platform content permissions
Permission Permission type Discover Administrator1,2 Discover Operator1,2 Discover User1 Discover Read Only User1 Discover Service Account1,2,3,4,5 Discover Endpoint Configuration Approver2
Computer Group Administration

READ

READ

READ

READ

Server Status Administration

READ

User Administration

READ

READ

User Group Administration

READ

Action Platform Content

READ

WRITE

READ

WRITE

READ

WRITE

READ

Own Action Platform Content

READ

READ

READ

READ

Package Platform Content

READ

READ

READ

Plugin Platform Content

READ

EXECUTE

READ

EXECUTE

READ

EXECUTE

READ

EXECUTE

READ

EXECUTE

READ

EXECUTE

Saved Question Platform Content

READ

READ

READ

WRITE

Sensor Platform Content

READ

READ

READ

You can view which content sets are granted to any role in the Tanium Console.

1 This role provides content set permissions for Tanium Trends. You can view which Trends content sets are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

2 This role provides content set permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration content sets are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

3 This role provides content set permissions for Tanium Connect. You can view which Connect content sets are granted to this role in the Tanium Console. For more information, see Tanium Connect User Guide: User role requirements.

4 This role provides content set permissions for Tanium Data Service through Tanium Interact.

5 This role provides content set permissions for Tanium Direct Connect.

Optional roles for Discover
Role Enables
Connect User

For signed in user:

  • Configure connections for Discover notifications
  • Configure connections for exporting interface reports
Administrator
  • Create Trends boards from Discover sources