Incident Response requirements

Review the requirements before you install and use Incident Response.

Tanium dependencies

Component        Requirement
Platform         Version 7.2 or later.
Tanium Client    Version 6.0.314.1396 or later.
License          For information about licensing Incident Response, contact your Technical Account Manager (TAM). The license for Incident Response includes the following solutions:
                   • Tanium Incident Response
                   • Tanium Quarantine (Quarantine)
                   • Tanium Live Response (Live Response)
                   • Tanium Index (Index)
                   • Windows Security Patch Management (for more information, see Tanium Knowledge Base)
Tanium™ Trace    Version 2.3.2.0004 or later is required for real-time events on Linux endpoints with Tanium Index 2.0.0 or later.

Third-party software requirements

For Tanium Incident Response, the required third-party software is installed automatically.

However, the IR Gatherer solution has third-party software requirements that are not installed automatically. The related documentation includes instructions to download the software and include it in packages that are distributed to the endpoints.

Endpoint hardware and software requirements

Disk space

If a solution is not listed, the required disk space is minimal.

IR Solution    Disk Space
Index          1 GB free space

Supported endpoint operating systems

See the documentation for the IR solution for specific version numbers.

IR solution         Windows   Mac   Linux
Incident Response   X         X     X
Copy tools          X         X     X
Quarantine          X         X     X
Index               X         X     X
Live Response       X

Host and network security requirements

Specific ports and processes are needed to run Incident Response.

Ports

The following ports are required for IR communication.

IR Solution     Port                                     Direction   Purpose
Live Response   443 (S3), 22 (SFTP/SCP), or 445 (SMB)    Outbound    Outbound connection on the port that matches the method used to transfer the collected data.
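The following pre-flight check is an added example and is not part of the Tanium documentation. It confirms, from an endpoint, that the Live Response transfer destination accepts TCP connections on the port the table above assigns to each transfer method, so a blocked egress port is found before a collection is launched rather than during it. The destination host names are placeholders, not values supplied by Tanium.

```powershell
# Added example, not Tanium's code: check outbound reachability of a Live
# Response transfer destination on the port that matches the transfer method
# (443 for S3, 22 for SFTP/SCP, 445 for SMB).
function Test-LiveResponseDestination {
    param(
        # S3 endpoint, SFTP/SCP host, or SMB server that will receive the collected data
        [Parameter(Mandatory)] [string] $Destination,
        [Parameter(Mandatory)] [ValidateSet('S3', 'SFTP', 'SCP', 'SMB')] [string] $Transfer
    )

    # Map the transfer method to the outbound port listed in the requirements table
    $Port = switch ($Transfer) {
        'S3'   { 443 }
        'SFTP' { 22 }
        'SCP'  { 22 }
        'SMB'  { 445 }
    }

    # Test-NetConnection performs a TCP connect; -InformationLevel Quiet returns only $true/$false
    $Reachable = Test-NetConnection -ComputerName $Destination -Port $Port `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    [pscustomobject]@{
        Destination = $Destination
        Transfer    = $Transfer
        Port        = $Port
        Reachable   = $Reachable
    }
}

# Placeholder destinations constructed for this example
Test-LiveResponseDestination -Destination 's3.example.com'         -Transfer S3
Test-LiveResponseDestination -Destination 'sftp.example.com'       -Transfer SFTP
Test-LiveResponseDestination -Destination 'fileserver.example.com' -Transfer SMB
```

A `Reachable` value of `$false` for the port you intend to use means the endpoint's host firewall or an upstream egress control is blocking the path and the exception must be opened before Live Response can deliver its package.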

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference.

Table 1:   Incident Response security exclusions

Target Device   Process
Windows x86     <Tanium Client>\Tools\IR\TaniumPersistenceAnalyzer.exe
                <Tanium Client>\Tools\EPI\TaniumExecWrapper.exe
                <Tanium Client>\Tools\IR\TaniumExecWrapper.exe
                <Tanium Client>\Tools\IR\TanFileInfo.exe
                <Tanium Client>\Tools\IR\TaniumHandle.exe
                <Tanium Client>\Tools\IR\TanListModules.exe
                <Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe
                <Tanium Client>\Tools\IR\PowerForensics\PowerForensics.dll
                <Tanium Client>\Downloads\Action_nnn\Winpmem.gb414603.exe ¹
                <Tanium Client>\Downloads\Action_nnn\TaniumFileTransfer.exe ¹
Windows x64     <Tanium Client>\Tools\IR\TaniumPersistenceAnalyzer.exe
                <Tanium Client>\Tools\EPI\TaniumExecWrapper.exe
                <Tanium Client>\Tools\IR\TaniumExecWrapper.exe
                <Tanium Client>\Tools\IR\TanFileInfo.exe
                <Tanium Client>\Tools\IR\TaniumHandle.exe
                <Tanium Client>\Tools\IR\TanListModules.exe
                <Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe
                <Tanium Client>\Tools\IR\PowerForensics\PowerForensics.dll
                <Tanium Client>\Downloads\Action_nnn\Winpmem.gb414603.exe ¹
                <Tanium Client>\Downloads\Action_nnn\TaniumFileTransfer.exe ¹
Mac OS          <Tanium Client>/Tools/EPI/TaniumExecWrapper
                <Tanium Client>/Tools/IR/TaniumExecWrapper
                <Tanium Client>/Tools/EPI/TaniumEndpointIndex
                <Tanium Client>/Downloads/Action_nnn/surge-collect ¹ ²
                <Tanium Client>/Downloads/Action_nnn/surge.dat ¹ ²
                <Tanium Client>/Downloads/Action_nnn/osxpmem.app/osxpmem ¹
                <Tanium Client>/Downloads/Action_nnn/TaniumFileTransfer.exe ¹
Linux x86       <Tanium Client>/Tools/EPI/TaniumExecWrapper
                <Tanium Client>/Tools/IR/TaniumExecWrapper
                <Tanium Client>/Tools/EPI/TaniumEndpointIndex
                <Tanium Client>/Downloads/Action_nnn/surge-collect ¹ ²
                <Tanium Client>/Downloads/Action_nnn/surge.dat ¹ ²
                <Tanium Client>/Downloads/Action_nnn/linpmem-<version>.bin ¹
                <Tanium Client>/Downloads/Action_nnn/TaniumFileTransfer.exe ¹
Linux x64       <Tanium Client>/Tools/EPI/TaniumExecWrapper
                <Tanium Client>/Tools/IR/TaniumExecWrapper
                <Tanium Client>/Tools/EPI/TaniumEndpointIndex
                <Tanium Client>/Downloads/Action_nnn/surge-collect ¹ ²
                <Tanium Client>/Downloads/Action_nnn/surge.dat ¹ ²
                <Tanium Client>/Downloads/Action_nnn/linpmem-<version>.bin ¹
                <Tanium Client>/Downloads/Action_nnn/TaniumFileTransfer.exe ¹

¹ Where nnn corresponds to the action ID.

² Exception is required if Volexity Surge is used for memory collection.
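The script below is an added example, not code from Tanium, showing how a security administrator might register the Windows rows of Table 1 with Microsoft Defender Antivirus. It assumes Defender is the security product in use, that the Tanium Client is installed under the default path given in the script (the documentation's `<Tanium Client>` placeholder), and that the session is elevated. Because the `Action_nnn` folder name is only known when an action runs, the per-action downloads are expressed with Defender's single-folder wildcard rather than a fixed action ID.

```powershell
# Added example, not Tanium's code: add Defender exclusions for the Windows
# Incident Response tools listed in Table 1. Re-running the script is safe;
# it only adds entries that are not already present.
$TaniumClient = 'C:\Program Files (x86)\Tanium\Tanium Client'   # assumed install root

# Files from the Windows x86/x64 rows. Action_* stands in for Action_nnn
# because the action ID is not known before the action is deployed.
$ToolFiles = @(
    'Tools\IR\TaniumPersistenceAnalyzer.exe'
    'Tools\EPI\TaniumExecWrapper.exe'
    'Tools\IR\TaniumExecWrapper.exe'
    'Tools\IR\TanFileInfo.exe'
    'Tools\IR\TaniumHandle.exe'
    'Tools\IR\TanListModules.exe'
    'Tools\EPI\TaniumEndpointIndex.exe'
    'Tools\IR\PowerForensics\PowerForensics.dll'
    'Downloads\Action_*\Winpmem.gb414603.exe'
    'Downloads\Action_*\TaniumFileTransfer.exe'
) | ForEach-Object { Join-Path $TaniumClient $_ }

# A Defender path exclusion keeps the binary itself out of scans; a process
# exclusion additionally keeps files opened by that process out of scans.
# The DLL is loaded by PowerShell rather than started as a process, so it
# only receives a path exclusion.
$PathExclusions    = $ToolFiles
$ProcessExclusions = $ToolFiles | Where-Object { $_ -like '*.exe' }

$Current = Get-MpPreference

foreach ($p in $PathExclusions) {
    if ($Current.ExclusionPath -notcontains $p) {
        Add-MpPreference -ExclusionPath $p
    }
}

foreach ($p in $ProcessExclusions) {
    if ($Current.ExclusionProcess -notcontains $p) {
        Add-MpPreference -ExclusionProcess $p
    }
}

# Verify: show every exclusion Defender now holds under the Tanium Client tree
$After = Get-MpPreference
@($After.ExclusionPath) + @($After.ExclusionProcess) |
    Where-Object { $_ -like "$TaniumClient*" } |
    Sort-Object -Unique
```

Keep the exclusion list as narrow as the table: excluding the whole `Downloads` folder would also exempt any other content an action drops there, which is exactly the material a defender wants scanned.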

Internet URLs

If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must whitelist the following URL:

  • content.tanium.com

User role requirements

Table 2:   Incident Response Advanced user role permissions
Permission Content Set for Permission Incident Response Administrator Incident Response User Incident Response Read Only User
Ask Dynamic Questions   * * *
Read Action Incident Response
Read Package Incident Response *
Read Saved Question Incident Response *
Read Sensor Incident Response *
Write Action Incident Response
Write Action for Saved Questions Incident Response
Write Package Incident Response
Write Saved Question Incident Response
Write Sensor Incident Response

‡ To install IR solutions, you must have the reserved role of Administrator.

* Requires permissions for the Interact module to ask questions, see results, and drill-down to endpoints.

Table 3:   Index Advanced user role permissions
Permission Content Set for Permission Index Administrator Index User Index Read Only User
Ask Dynamic Questions   * * *
Read Action Index
Read Package Index *
Read Saved Question Index * *
Read Sensor Index * *
Write Action Index
Write Action for Saved Questions Index
Write Package Index
Write Saved Question Index
Write Sensor Index

‡ To install IR solutions, you must have the reserved role of Administrator.

* Requires permissions for the Interact module to ask questions, see results, and drill-down to endpoints.

Last updated: 7/9/2019 3:16 PM