Investigate requirements

Review the requirements before you install and use Investigate.

Core platform dependencies

Make sure that your environment meets the following requirements:

  • Tanium license that includes Investigate

  • Tanium™ Core Platform servers: 7.5.4.1158 or later

  • Tanium™ Client:
    Any supported version of Tanium Client. For more information about specific Tanium Client versions, see Tanium Client Management User Guide: Client version and host system requirements.

    • (Linux, macOS*, Windows) Any supported version of Tanium Client
    • (macOS 10.15.x and later) 7.2.314.3608 or later

    * = macOS earlier than 10.15.x Catalina

    If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Computer group dependencies

When you first sign in to the Tanium Console after a fresh installation of Tanium Server 7.4.2 or later, the server or Tanium Cloud automatically imports the computer groups that Investigate requires:

  • All Computers

  • All Windows

  • All Linux

  • All Mac

For earlier versions of the Tanium Server, or after upgrading from an earlier version, you must manually create the computer groups. See Tanium Console User Guide: Create a computer group.

Solution dependencies

Other Tanium solutions are required for Investigate to function (required dependencies) or for specific Investigate features to work (feature-specific dependencies). The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.

Some Investigate dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Investigate requires.

Tanium recommended installation

If you select Tanium Recommended Installation when you import Investigate, the Tanium Server automatically imports all your licensed solutions at the same time. See Tanium Console User Guide: Import all modules and services.

Import specific solutions

If you select only Investigate to import and are using Tanium Core Platform 7.5.2.3531 or later with Tanium Console 3.0.72 or later, the Tanium Server automatically imports the latest available versions of any required dependencies that are missing. If some required dependencies are already imported but their versions are earlier than the minimum required for Investigate, the server automatically updates those dependencies to the latest available versions.

If you select only Investigate to import and you are using Tanium Core Platform 7.5.2.3503 or earlier with Tanium Console 3.0.64 or earlier, you must manually import or update required dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Required dependencies

Investigate has the following required dependencies at the specified minimum versions:

  • Tanium™ Direct Connect 2.8.27 or later.
  • Tanium™ Interact 2.8.102 or later

    Interact 3.0 or later requires Tanium Core Platform 7.6.1 or later

  • Tanium™ Reporting 1.30.55 or later
  • Tanium™ Default Content 8.0.0 or later
  • Tanium™ Endpoint Configuration 1.2 or later
  • Tanium™ Patch 3.14.215 or later is required to view patching events.
  • Tanium™ System User Service 1.0.77 or later
  • Tanium™ RDB Service 1.2.184 or later
  • Tanium™ Secrets 1.0.263 or later
  • Tanium™ Partner Integration Service 1.0.52 or later
    • This service requires the Enhanced Tags FQDN sensor. This sensor is provided by the Core Content - Enhanced Tags solution.

PerformanceCX is installed as part of Investigate.

Client extensions

Tanium Endpoint Configuration installs client extensions for Investigate on endpoints. Client extensions perform tasks that are common to certain Tanium solutions. The Tanium Client uses code signatures to verify the integrity of each client extension prior to loading the extension on the endpoint. Each client extension has recommended security exclusions to allow the Tanium processes to run without interference. See Security exclusions for more information. The following client extensions perform Investigate functions:

  • Performance CX - Provides Performance functions on the endpoint. Tanium Investigate and Tanium Performance install this client extension.
  • Config CX - Provides installation and configuration of extensions on endpoints. Tanium Client Management installs this client extension.
  • Core CX - Provides a management framework API for all other client extensions and exposes operating system metrics. Tanium Client Management installs this client extension.
  • Support CX - Provides the ability to gather troubleshooting content from endpoints through Tanium Client Management. Tanium Client Management installs this client extension.
  • Software Manager CX - Provides a catalog of all installed software on an endpoint. Tanium Asset or Tanium Patch installs this client extension.
  • DEC CX - Provides a direct connection between the endpoint and the Module Server or Tanium Cloud. Tanium Direct Connect installs this client extension.
  • Extras CX - Provides a helper library that contains re-usable functions for various client extensions to use. Tanium Asset, Tanium Discover, Tanium Integrity Monitor, and Tanium Investigate install this client extension.

Tanium™ Module Server

Investigate is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage.

For information about Module Server sizing in a Windows deployment, see Tanium Core Platform Deployment Guide for Windows: Host system sizing guidelines.

Endpoints

Supported operating systems

The following endpoint operating systems are supported with Investigate:

| Operating System | Version |
|---|---|
| Windows | A minimum of Windows 7 (SP1) or Windows Server 2008 R2 (with SP1) is required. |
| macOS | Same as Tanium Client support. |
| Linux | Same as Tanium Client support. See Tanium Client Management User Guide: Client version and host system requirements. |

Host and network security requirements

Specific ports and processes are needed to run Investigate.

Ports

The following ports are required for Investigate communication.

| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| Module Server | Direct Connect Zone Proxy | 17487 (Direct Connect communication port) and 17488 (Direct Connect provision and status monitoring port) | TCP | (Optional) Tanium Direct Connect connection to Direct Connect Zone Proxy |
| Tanium Server | Module Server | 17477 | TCP | Tanium Server initiates connections to the Module Server on port 17477 |
| Tanium Client | Direct Connect | 17475 (Direct Connect on Module Server), 17486 (Direct Connect Zone Proxy) | TCP | Connections to the Module Server or the Direct Connect Zone Proxy for live connections |
| Tanium Client | Direct Connect | 17486 (Direct Connect) | TCP | Live connections to Tanium Cloud |

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

For Tanium Cloud ports, see Tanium Cloud Deployment Guide: Host and network security requirements.
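
A reachability check for the port table above, run from the host that acts as the source. This is an added example, not Tanium code; the function names and the hostname in the usage section are assumptions.

```python
import socket

# TCP port matrix from the table above: (source, destination host, port, purpose).
INVESTIGATE_PORTS = [
    ("Module Server", "Direct Connect Zone Proxy", 17487, "Direct Connect communication (optional)"),
    ("Module Server", "Direct Connect Zone Proxy", 17488, "Direct Connect provision and status (optional)"),
    ("Tanium Server", "Module Server", 17477, "Tanium Server to Module Server"),
    ("Tanium Client", "Module Server", 17475, "Direct Connect on Module Server"),
    ("Tanium Client", "Direct Connect Zone Proxy", 17486, "Direct Connect Zone Proxy"),
]

def probe(host, port, timeout=3.0):
    """Classify one TCP connection attempt as open, refused, or blocked."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"   # RST received: usually the host itself, with no listener on the port
    except OSError:
        return "blocked"   # timeout, unreachable or unresolved: consistent with a dropped flow

def check_from(source, hosts, timeout=3.0):
    """Run on a host acting as `source`; `hosts` maps destination name to address."""
    results = []
    for src, dst, port, _purpose in INVESTIGATE_PORTS:
        if src != source:
            continue
        status = probe(hosts[dst], port, timeout) if dst in hosts else "skipped"
        results.append((dst, port, status))
    return results

if __name__ == "__main__":
    # Assumed hostname; replace with the deployment's own.
    for row in check_from("Tanium Client", {"Module Server": "module.example.internal"}):
        print(row)
```

An "open" result only shows that the TCP handshake completes; a rule keyed on application identity can still drop the session after the traffic is classified, which is why the rules themselves should be TCP-based as described above.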

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Investigate security exclusions for Tanium Core Platform servers (Windows deployments only)

| Target Device | Notes | Exclusion Type | Exclusion |
|---|---|---|---|
| Tanium Module Server | | Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe |
| Tanium Module Server | | Process | <Module Server>\services\investigate-service\TaniumInvestigateService.exe |
| Tanium Module Server | | Process | <Module Server>\services\partner-integration-service\TaniumPartnerIntegrationService.exe |
| Tanium Zone Server | | Process | <Tanium Installation Directory>\Tanium Direct Connect Zone Proxy\node.exe |
| Tanium Zone Server | | Process | <Tanium Installation Directory>\Tanium Direct Connect Zone Proxy\twsm.exe |

Investigate security exclusions for endpoints

| Endpoint OS | Notes | Exclusion Type | Exclusion |
|---|---|---|---|
| Windows x86 and x64 | | File | <Tanium Client>\extensions\SupportCX.dll |
| Windows x86 and x64 | | File | <Tanium Client>\extensions\SupportCX.dll.sig |
| Windows x86 and x64 | | File | <Tanium Client>\extensions\core\TaniumPythonCx.dll |
| Windows x86 and x64 | | File | <Tanium Client>\extensions\core\TaniumPythonCx.dll.sig |
| Windows x86 and x64 | | File | <Tanium Client>\TaniumClientExtensions.dll |
| Windows x86 and x64 | | File | <Tanium Client>\TaniumClientExtensions.dll.sig |
| Windows x86 and x64 | 7.4.x clients ¹ | Process | <Tanium Client>\Python38\TPython.exe |
| Windows x86 and x64 | 7.4.x clients | Folder | <Tanium Client>\Python38 |
| Windows x86 and x64 | | Process | <Tanium Client>\TaniumCX.exe |
| Windows x86 and x64 | | File | <Tanium Client>\extensions\TaniumDEC.dll |
| Windows x86 and x64 | | File | <Tanium Client>\extensions\TaniumDEC.dll.sig |
| Linux x86 and x64 | | Process | <Tanium Client>/TaniumCX |
| Linux x86 and x64 | 7.4.x clients | Folder | <Tanium Client>/python38 |
| Linux x86 and x64 | 7.4.x clients | Process | <Tanium Client>/python38/python |
| Linux x86 and x64 | | File | <Tanium Client>/libTaniumClientExtensions.so |
| Linux x86 and x64 | | File | <Tanium Client>/libTaniumClientExtensions.so.sig |
| Linux x86 and x64 | | File | <Tanium Client>/libSupportCX.so |
| Linux x86 and x64 | | File | <Tanium Client>/libSupportCX.so.sig |
| Linux x86 and x64 | | File | <Tanium Client>/extensions/core/libTaniumPythonCx.so |
| Linux x86 and x64 | | File | <Tanium Client>/extensions/core/libTaniumPythonCx.so.sig |
| Linux x86 and x64 | | File | <Tanium Client>/extensions/libTaniumDEC.so |
| Linux x86 and x64 | | File | <Tanium Client>/extensions/libTaniumDEC.so.sig |
| macOS | | Process | <Tanium Client>/TaniumCX |
| macOS | 7.4.x clients | Folder | <Tanium Client>/python38 |
| macOS | 7.4.x clients | Process | <Tanium Client>/python38/python |
| macOS | | File | <Tanium Client>/libTaniumClientExtensions.dylib |
| macOS | | File | <Tanium Client>/libTaniumClientExtensions.dylib.sig |
| macOS | | File | <Tanium Client>/extensions/core/libTaniumPythonCx.dylib |
| macOS | | File | <Tanium Client>/extensions/core/libTaniumPythonCx.dylib.sig |
| macOS | | File | <Tanium Client>/extensions/libTaniumDEC.dylib |
| macOS | | File | <Tanium Client>/extensions/libTaniumDEC.dylib.sig |
| macOS | | File | <Tanium Client>/extensions/libSupportCX.dylib |
| macOS | | File | <Tanium Client>/extensions/libSupportCX.dylib.sig |

¹ = TPython requires SHA2 support to allow installation.
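
An audit of a Windows endpoint's configured exclusions against the Windows rows of the endpoint table above, reporting rows that are missing and entries around the client directory that the table does not list. This is an added example, not Tanium code; the install path, the (type, path) policy format and the sample policy are assumptions constructed for illustration.

```python
import ntpath

# Windows endpoint rows from the table above, relative to <Tanium Client>.
# The third field is True for rows the table limits to 7.4.x clients.
WINDOWS_EXCLUSIONS = [
    ("File", r"extensions\SupportCX.dll", False),
    ("File", r"extensions\SupportCX.dll.sig", False),
    ("File", r"extensions\core\TaniumPythonCx.dll", False),
    ("File", r"extensions\core\TaniumPythonCx.dll.sig", False),
    ("File", r"TaniumClientExtensions.dll", False),
    ("File", r"TaniumClientExtensions.dll.sig", False),
    ("Process", r"Python38\TPython.exe", True),
    ("Folder", r"Python38", True),
    ("Process", r"TaniumCX.exe", False),
    ("File", r"extensions\TaniumDEC.dll", False),
    ("File", r"extensions\TaniumDEC.dll.sig", False),
]

def _key(kind, path):
    # Windows paths compare case-insensitively; also normalise separators.
    return kind.lower(), ntpath.normcase(ntpath.normpath(path))

def expected(client_dir, is_7_4_client):
    """Documented exclusions with <Tanium Client> expanded to client_dir."""
    return {_key(kind, ntpath.join(client_dir, rel))
            for kind, rel, only_7_4 in WINDOWS_EXCLUSIONS
            if is_7_4_client or not only_7_4}

def audit(client_dir, is_7_4_client, configured):
    """Return (missing, undocumented) for (type, path) policy entries: table rows the
    policy lacks, and entries inside or above client_dir that the table does not list."""
    want = expected(client_dir, is_7_4_client)
    have = {_key(kind, path) for kind, path in configured}
    root = _key("", client_dir)[1]
    related = {e for e in have if e[1] == root or e[1].startswith(root + "\\")
               or root.startswith(e[1].rstrip("\\") + "\\")}
    return sorted(want - have), sorted(related - want)

# Constructed sample: assumed install path and an assumed exported policy.
CLIENT_DIR = r"C:\Program Files (x86)\Tanium\Tanium Client"
SAMPLE_POLICY = [(k, ntpath.join(CLIENT_DIR, r)) for k, r, only_7_4 in WINDOWS_EXCLUSIONS
                 if not only_7_4 and not r.endswith("TaniumDEC.dll.sig")]
SAMPLE_POLICY.append(("Folder", CLIENT_DIR + "\\"))  # blanket folder entry, not in the table

if __name__ == "__main__":
    missing, undocumented = audit(CLIENT_DIR, False, SAMPLE_POLICY)
    print("missing:", missing, "undocumented:", undocumented)
```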

User role requirements

The following tables list the role permissions required to use Investigate.

Do not assign the Investigate Service Account and Investigate Service Account - All Content Sets roles to users. These roles are for internal purposes only.

For more information about role permissions and associated content sets, see Tanium Console User Guide: Managing RBAC.

Investigate user role permissions

| Permission | Investigate Administrator¹ | Investigate Operator¹ | Investigate User¹ | Investigate Read Only User |
|---|---|---|---|---|
| Investigate: Allows viewing the Investigate workbench | SHOW | SHOW | SHOW | SHOW |
| Investigate API: Allows using the Investigate API | EXECUTE | EXECUTE | EXECUTE | EXECUTE |
| Investigate Artifacts: Allows deleting Investigate artifacts | DELETE | DELETE | DELETE | |
| Investigate Comments: Allows deleting Investigate comments | DELETE | DELETE | DELETE | |
| Investigate Direct Connect: Allows issuing Direct Connect queries on an endpoint for an investigation | READ | READ | READ | |
| Investigate Investigations: Allows reading, authoring, updating, and deleting investigations | READ, WRITE, DELETE | READ, WRITE, DELETE | READ, WRITE | READ |
| Investigate Remote Management: Allows remote management in Single Endpoint View. | SHOW | | | SHOW |
| Investigate Partner Integration: Allows issuing queries to partner integrations for an investigation | READ | READ | READ | |

¹ This role provides module permissions for Tanium Direct Connect. You can view which Direct Connect permissions are granted to this role in the Tanium Console. For more information, see Tanium Direct Connect User Guide: User role requirements.

Provided Investigate platform content permissions

| Permission | Investigate Administrator¹ | Investigate Operator¹ | Investigate User¹ | Investigate Read Only User |
|---|---|---|---|---|
| Plugin | READ, EXECUTE | READ, EXECUTE | READ, EXECUTE | READ, EXECUTE |

To view which content set permissions are granted to a role, see Tanium Console User Guide: View effective role permissions.

¹ This role provides module permissions for Tanium Direct Connect. You can view which Direct Connect permissions are granted to this role in the Tanium Console. For more information, see Tanium Direct Connect User Guide: User role requirements.