Discover requirements

Review the requirements before you use Discover.

Also review the Tanium as a Service requirements, described in Tanium as a Service User Guide: Tanium as a Service requirements.

Tanium dependencies

Component              Requirement
Tanium™ Core Platform  Version 7.3.314.4250 or later
Tanium™ Client         Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements.

If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Tanium solutions

If you selected Tanium Recommended Installation when you installed Discover, the Tanium Server automatically installed all your licensed solutions at the same time. Otherwise, you must manually install the solutions that Discover requires to function, as described in Tanium Console User Guide: Import, re-import, or update specific solutions.

Discover requires the following solutions:

  • Tanium Client Management 1.7.0 or later

  • Tanium Endpoint Configuration 1.2 or later

    Endpoint Configuration is installed as part of Tanium Client Management 1.5 or later.

The following solutions are optional:

  • Tanium Interact 2.8 or later (promote data to Tanium Data Service)
  • Tanium Trends 3.6 or later (create charts on Discover Overview page)
  • Tanium Connect 5.0 or later (export Discover data)

Tanium™ Module Server

Discover is installed and runs as a service on the Module Server host computer. The impact on Module Server host computer sizing is minimal and depends on usage.

For more information, see Tanium Core Platform Installation Guide: Host system sizing guidelines.

Endpoints

Supported internet protocols

Discover currently scans only for IPv4 addresses.

Supported operating systems

For Tanium Client operating system support, see Tanium Client Management User Guide: Client version and host system requirements. Managed endpoints perform discovery scans.

Operating System  Version
Windows           Windows 7 SP1 or later and Windows Server 2008 R2 SP1 or later

                  If the endpoints are not up to date, Python content might fail to run with an error that references nt._add_dll_directory and reads "The specified procedure could not be found". In that case, see the Microsoft Security Advisory referenced for this issue.

macOS             10.11 and later
Linux             Same as Tanium Client support
Solaris           Same as Tanium Client support
AIX               7.1.4 or later

                  The IBM XL C++ runtime libraries file set (xlC.rte), version 16.1.0.0 or later, and the IBM LLVM runtime libraries file set (libc++.rte) must be installed. For installation instructions, see Tanium Client Management User Guide: Deploy the Tanium Client to AIX endpoints using a package file.

Supported platforms per discovery method
Platform  Level 1 (ARP cache)  Level 1 (Interface Connections)  Level 2 (Ping)  Level 3/4 (Nmap)  Notes
Windows                                                                                           1
Linux
macOS
Solaris                                                                                           2, 3
AIX                                                                                               2

1 For level 3 and 4 discovery on Windows Server 2003 and Windows XP, level 2 discovery is used.

2 For level 3 and 4 discovery on Solaris and AIX, level 2 discovery is used because Nmap is not supported on these platforms.

3 Solaris endpoints do not perform OS detection.

Host and network security requirements

Specific ports and processes are needed to run Discover.

Ports

For Tanium as a Service ports, see Tanium as a Service User Guide: Host and network security requirements.

The following ports and protocols are required for Discover communication.

Source         Destination    Port   Protocol     Purpose
Module Server  Module Server  17446  TCP and UDP  Internal purposes for Discover; not externally accessible
Module Server  Module Server  17447  TCP and UDP  Internal purposes for Discover; not externally accessible
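Because ports 17446 and 17447 are for internal use only, a practitioner will want to confirm on the Module Server host that the listeners are bound to loopback and that no inbound host-firewall rule exposes them. The following PowerShell check is an added example, not part of the Tanium documentation or product; it assumes an elevated session on a Windows Module Server host and that no other software uses these port numbers.

```powershell
# Added example: verify that Discover's internal ports on the Module Server are
# bound only to loopback and are not opened inbound by Windows Firewall.
# Assumptions: run elevated on the Module Server host; ports 17446/17447 are
# used only by Discover on this host.
$DiscoverPorts = 17446, 17447
$Loopback      = @('127.0.0.1', '::1')

# TCP listeners and UDP endpoints on the ports of interest.
$tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $DiscoverPorts -contains $_.LocalPort } |
    Select-Object @{n='Protocol';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess

$udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
    Where-Object { $DiscoverPorts -contains $_.LocalPort } |
    Select-Object @{n='Protocol';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess

foreach ($listener in @($tcp) + @($udp)) {
    $procName = (Get-Process -Id $listener.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    $desc = '{0}/{1} bound to {2} (pid {3}, {4})' -f $listener.Protocol, $listener.LocalPort,
            $listener.LocalAddress, $listener.OwningProcess, $procName
    if ($Loopback -contains $listener.LocalAddress) {
        Write-Output "OK       $desc"
    } else {
        # 0.0.0.0 or :: means any interface; only a host firewall would keep it internal.
        Write-Warning "EXPOSED  $desc - reachable from other hosts unless a firewall blocks it"
    }
}

# Report any enabled inbound allow rule whose port filter covers these ports.
Get-NetFirewallPortFilter |
    Where-Object { ($_.Protocol -in 'TCP', 'UDP') -and ($_.LocalPort -match '^(17446|17447)$') } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Profile, Enabled |
    ForEach-Object { Write-Warning ('Inbound allow rule for a Discover port: {0} ({1})' -f $_.DisplayName, $_.Profile) }
```

A listener on 0.0.0.0 or :: is not necessarily a finding on its own; the warning tells you to check the host firewall, and the second query does exactly that for rules that explicitly allow these ports inbound.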

Scan communication requirements

The following ports and protocols are required for Discover scanning.

Source: Tanium Client
Destination: Devices with an IP address in the same subnet as the Tanium Client

  • Level 2 distributed: port N/A, protocol ICMP. Level 2 distributed scans require ICMP echo-request and echo-reply traffic from every managed endpoint to every other device on the Tanium Client subnet.
  • Level 3 distributed: port N/A, protocol ARP. Level 3 distributed scans require ARP-request traffic from the managed endpoint on the Tanium Client subnet.
  • Level 4 distributed: 1000 most common TCP ports (default setting), protocols ARP and TCP. Level 4 distributed scans require ARP-request traffic from the managed endpoint on the Tanium Client subnet. Additionally, by default, Discover scans the 1000 most commonly used TCP ports on the Tanium Client subnet to calculate the OS Generation field. You can change this setting in the scan profile. For more information, see Running distributed scans.

Source: Module Server
Destination: Customer-defined subnets

  • Centralized Nmap: port N/A, protocol ICMP. Centralized Nmap scans require ICMP traffic to all IP addresses specified in the scan.
  • Centralized Nmap: 1000 most common TCP ports (default setting), protocol TCP. For centralized Nmap scans, by default, Discover scans the 1000 most commonly used TCP ports on the specified subnets to calculate the OS Generation field. You can change this setting in the scan profile. For more information, see Running centralized scans.

Source: Module Server
Destination: ec2.*.amazonaws.com, sts.*.amazonaws.com, ssm.*.amazonaws.com

  • Centralized Amazon EC2 environment: port 443, protocol TCP. Centralized Amazon EC2 environment scans require access to Amazon Web Services.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Discover security exclusions
Target Device      Notes                            Exclusion Type  Exclusion
Module Server                                       Process         <Module Server>\services\discover-service\node.exe
Module Server                                       Process         <Module Server>\plugins\content\discover-proxy\proxyplugin.exe
Module Server                                       Process         <Module Server>\services\twsm-v1\twsm.exe
Module Server                                       Process         <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Windows endpoints  Level 3 and 4 profiles only      Folder          C:\Program Files\Npcap
Windows endpoints  Level 3 and 4 profiles only      Process         <Tanium Client>\Tools\Discover\nmap\nmap.exe
Linux endpoints    Level 3 and 4 profiles only      Process         <Tanium Client>/Tools/Discover/nmap/nmap
macOS endpoints    Level 3 and 4 profiles only      Process         <Tanium Client>/Tools/Discover/nmap/nmap
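The exclusions above are expressed generically so that they can be applied to whatever security product is in use. As an added illustration that is not part of the Tanium documentation, the following PowerShell applies them to Microsoft Defender Antivirus on the Windows hosts. It assumes Defender is the product in use, an elevated session, and the install roots shown for <Module Server> and <Tanium Client>; those paths are assumptions and must be replaced with the install locations used in your deployment. Other products need the equivalent process and folder exclusions in their own consoles.

```powershell
# Added example: register the Discover security exclusions with Microsoft Defender.
# Assumptions: Defender Antivirus is the security product on this host, the session
# is elevated, and the two roots below match your install locations (placeholders).
$ModuleServer = 'C:\Program Files\Tanium\Tanium Module Server'   # assumed <Module Server>
$TaniumClient = 'C:\Program Files (x86)\Tanium\Tanium Client'    # assumed <Tanium Client>

# Module Server host: process exclusions only.
$moduleServerProcesses = @(
    "$ModuleServer\services\discover-service\node.exe",
    "$ModuleServer\plugins\content\discover-proxy\proxyplugin.exe",
    "$ModuleServer\services\twsm-v1\twsm.exe",
    "$ModuleServer\services\endpoint-configuration-service\TaniumEndpointConfigService.exe"
)

# Windows endpoints that run Level 3 and 4 profiles: the Npcap folder and the nmap binary.
$endpointFolders   = @('C:\Program Files\Npcap')
$endpointProcesses = @("$TaniumClient\Tools\Discover\nmap\nmap.exe")

# Apply the set that matches the host this script is running on.
if (Test-Path -LiteralPath $ModuleServer) {
    Add-MpPreference -ExclusionProcess $moduleServerProcesses
} elseif (Test-Path -LiteralPath $TaniumClient) {
    Add-MpPreference -ExclusionPath    $endpointFolders
    Add-MpPreference -ExclusionProcess $endpointProcesses
} else {
    throw 'Neither the Module Server nor the Tanium Client install root was found; adjust the assumed paths.'
}

# Read back what Defender recorded, so the change can be verified rather than assumed.
$pref = Get-MpPreference
$pref.ExclusionProcess | Where-Object { $_ -like "$ModuleServer*" -or $_ -like "$TaniumClient*" }
$pref.ExclusionPath    | Where-Object { $_ -like 'C:\Program Files\Npcap*' }
```

Keep the endpoint exclusions scoped to the machines that actually run Level 3 and 4 profiles, as the table states; a blanket Npcap folder exclusion on every endpoint widens the blind spot for no benefit.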

Internet URLs

If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must allow the following URLs:

  • From both Tanium Server and Tanium Module Server: content.tanium.com

  • From Tanium Module Server: ec2.*.amazonaws.com, sts.*.amazonaws.com, and ssm.*.amazonaws.com (for centralized scans of Amazon EC2 environments)

User role requirements

The following tables list the role permissions required to use Discover. To review a summary of the predefined roles, see Set up Discover users.

For more information about role permissions and associated content sets, see Tanium Console User Guide: Managing RBAC.

Discover user role permissions
Permission Discover Administrator1,3 Discover Operator1,3 Discover User1 Discover Read Only User1 Discover Service Account1,2,3,5 Discover Endpoint Configuration Approver3,6

Discover

View managed and unmanaged interfaces

SHOW

SHOW

SHOW

SHOW

Discover API

Use the Discover API

EXECUTE

EXECUTE

EXECUTE

EXECUTE

EXECUTE

EXECUTE

Discover Asset

View lists of managed and unmanaged interfaces; export data from interface tables; apply or remove label on an interface

READ

WRITE

READ

WRITE

READ

WRITE

READ

Discover Components

Manage backend components, including Discover action groups and computer groups

MANAGE

Discover Connect Integration Service Account

Enable the Discover service account to interface with Connect.

EXECUTE

Discover Endpoint Configuration

Approve Discover configuration changes in the Endpoint Configuration service

APPROVE

Discover Keys

Rotate keys used to encrypt sensitive data

ROTATE

Discover Location Permissions

Define locations and corresponding permissions for user groups

WRITE

WRITE

Discover Locations

Define locations by importing CSV file

WRITE

WRITE

Discover Manual Import

Import interfaces manually with the Discover Unmanaged Interfaces button

EXECUTE

EXECUTE

EXECUTE

EXECUTE

Discover Profile

View, create, edit, and delete Discover profiles

READ

WRITE

READ

WRITE

READ

Discover Settings

Edit Discover settings

WRITE

Discover Tag

Create or remove labels

WRITE

WRITE

WRITE4

Discover Tds Integration Service Account

Provide access to promote Discover data to Tanium Data Service (TDS).

EXECUTE

Discover Trends

Manipulate Discover data in Trends.

WRITE

WRITE

Discover Trends Integration Service Account

Provide access for module service accounts to read and write data, and to define sources and boards

EXECUTE

1 This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

2 This role provides module permissions for Tanium Connect. For more information, see the Tanium Connect User Guide: User role requirements.

3 This role provides module permissions for Tanium Endpoint Configuration. For more information, see the Tanium Endpoint Configuration User Guide: User role requirements.

4 If location permissions are defined, the Discover User role cannot create labels.

5 This role provides module permissions for Tanium Interact. For more information, see the Tanium Interact User Guide: User role requirements.

6 If you installed Tanium Client Management, Endpoint Configuration is installed, and by default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to this role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

Provided Discover administration and platform content permissions
Permission Permission type Discover Administrator1,2 Discover Operator1,2 Discover User1 Discover Read Only User1 Discover Service Account1,2,3,4 Discover Endpoint Configuration Approver2
Computer Group Administration

READ

READ

READ

READ

Server Status Administration

READ

User Administration

READ

READ

User Group Administration

READ

Action Platform Content

READ

WRITE

READ

WRITE

READ

WRITE

READ

Own Action Platform Content

READ

READ

READ

READ

Package Platform Content

READ

READ

READ

Plugin Platform Content

READ

EXECUTE

READ

EXECUTE

READ

EXECUTE

READ

EXECUTE

READ

EXECUTE

READ

EXECUTE

Saved Question Platform Content

READ

READ

READ

WRITE

Sensor Platform Content

READ

READ

READ

You can view which content sets are granted to any role in the Tanium Console.

1 This role provides content set permissions for Tanium Trends. You can view which Trends content sets are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

2 This role provides content set permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration content sets are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

3 This role provides content set permissions for Tanium Connect. You can view which Connect content sets are granted to this role in the Tanium Console. For more information, see Tanium Connect User Guide: User role requirements.

4 This role provides content set permissions for Tanium Data Service.

Optional roles for Discover
Role           Enables
Connect User   For the signed-in user:
                 • Configure connections for Discover notifications
                 • Configure connections for exporting interface reports
Administrator    • Create Trends boards from Discover sources