Documentation Home > Tanium Incident Response User Guide

Incident Response requirements

Review the requirements before you install and use Incident Response.

Tanium dependencies

Component	Requirement
Platform	Version 7.2 or later.
Tanium Client	Version 6.0.314.1396 or later.
License	For information about licensing Incident Response, contact your Technical Account Manager (TAM). The license for Incident Response includes the following solutions: Tanium Incident Response Tanium Quarantine (Quarantine) Tanium Live Response (Live Response) Tanium Index (Index) Windows Security Patch Management (for more information, see Tanium Knowledge Base)
Tanium™ Trace	Version 2.3.2.0004 or later is required for real-time events on Linux endpoints with Tanium Index 2.0.0 or later.

Third-party software requirements

For Tanium Incident Response, the required third-party software is installed automatically.

However, the IR Gatherer solution has third-party software requirements that are not installed automatically. The related documentation includes instructions to download the software and include it in packages that are distributed to the endpoints.

Endpoints

Supported operating systems

The following endpoint operating systems are supported by Incident Response, Copy tools, Quarantine, Index, and Live Response:

Windows (A minimum of Windows 7 or Windows Server 2008 R2 with SP1 is required. Windows 7 Service Pack 1 requires Microsoft KB2758857.)
macOS (macOS 10.14 (Mojave) or later is required for Tanium Incident Response 4.5.3 or later and Tanium Index 2.3.2 or later)
Linux

See the documentation for each IR solution for specific version numbers.

Disk space requirements

Index requires 1 GB free space. For other solutions, the required disk space is minimal.

Host and network security requirements

Specific ports and processes are needed to run Incident Response.

Ports

The following ports are required for IR communication.

IR Solution	Port	Direction	Purpose
Live Response	443 (S3), 22 (SFTP/SCP), or 445 (SMB)	Outbound	Outbound connections over ports depending on how the collected data is being transferred.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference.

Table 1: Incident Response security exclusions
Target Device	Notes	Process
Windows x86 or x64 endpoints		<Tanium Client>\Tools\IR\TaniumPersistenceAnalyzer.exe
		<Tanium Client>\Tools\EPI\TaniumExecWrapper.exe
		<Tanium Client>\Tools\IR\TaniumExecWrapper.exe
		<Tanium Client>\Tools\IR\TanFileInfo.exe
		<Tanium Client>\Tools\IR\TaniumHandle.exe
		<Tanium Client>\Tools\IR\TanListModules.exe
		<Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe
		<Tanium Client>\Tools\IR\PowerForensics\PowerForensics.dll
	¹	<Tanium Client>\Downloads\Action_nnn\Winpmem.gb414603.exe
	¹	<Tanium Client>\Downloads\Action_nnn\TaniumFileTransfer.exe
	7.2.x clients, ³	<Tanium Client>\Python27\TPython.exe
	7.4.x clients, ³	<Tanium Client>\Python38\TPython.exe
	7.4.x clients	<Tanium Client>\Python38\*.dll
macOS endpoints		<Tanium Client>/Tools/EPI/TaniumExecWrapper
		<Tanium Client>/Tools/IR/TaniumExecWrapper
		<Tanium Client>/Tools/EPI/TaniumEndpointIndex
	¹,²	<Tanium Client>/Downloads/Action_nnn/surge-collect
	¹,²	<Tanium Client>/Downloads/Action_nnn/surge.dat
	¹	<Tanium Client>/Downloads/Action_nnn/osxpmem.app/osxpmem
	¹	<Tanium Client>/Downloads/Action_nnn/taniumfiletransfer
	7.2.x clients	<Tanium Client>/python27/python
	7.4.x clients	<Tanium Client>/python38/python
Linux x86 or x64 endpoints		<Tanium Client>/Tools/EPI/TaniumExecWrapper
		<Tanium Client>/Tools/IR/TaniumExecWrapper
		<Tanium Client>/Tools/EPI/TaniumEndpointIndex
	¹,²	<Tanium Client>/Downloads/Action_nnn/surge-collect
	¹,²	<Tanium Client>/Downloads/Action_nnn/surge.dat
	¹	<Tanium Client>/Downloads/Action_nnn/linpmem-<version>.bin
	¹	<Tanium Client>/Downloads/Action_nnn/taniumfiletransfer
	7.2.x clients	<Tanium Client>/python27/python
	7.4.x clients	<Tanium Client>/python38/python
¹ = Where nnn corresponds to the action ID. ² = Exception is required if Volexity Surge is used for memory collection. ³ = TPython requires SHA2 support to allow installation.

Internet URLs

If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must whitelist the following URL:

content.tanium.com

User role requirements

Table 2: Incident Response Advanced user role permissions
Permission	Content Set for Permission	Incident Response Administrator	Incident Response User	Incident Response Read Only User
Ask Dynamic Questions		*	*	*
Read Action	Incident Response
Read Package	Incident Response	*
Read Saved Question	Incident Response	*
Read Sensor	Incident Response	*
Write Action	Incident Response
Write Action for Saved Questions	Incident Response
Write Package	Incident Response
Write Saved Question	Incident Response
Write Sensor	Incident Response

‡ To install IR solutions, you must have the reserved role of Administrator.

* Requires permissions for the Interact module to ask questions, see results, and drill-down to endpoints.

Table 3: Index Advanced user role permissions
Permission	Content Set for Permission	Index Administrator	Index User	Index Read Only User
Ask Dynamic Questions		*	*	*
Read Action	Index
Read Package	Index	*
Read Saved Question	Index	*	*
Read Sensor	Index	*	*
Write Action	Index
Write Action for Saved Questions	Index
Write Package	Index
Write Saved Question	Index
Write Sensor	Index

‡ To install IR solutions, you must have the reserved role of Administrator.

* Requires permissions for the Interact module to ask questions, see results, and drill-down to endpoints.

Last updated: 11/12/2020 12:04 PM | Feedback