Incident Response requirements
Review the requirements before you install and use Incident Response.
Tanium dependencies
| Component | Requirement |
|---|---|
| Platform | Version 6.5 or later. |
| Tanium Client | All Tanium Client versions are supported. |
| License | For information about licensing Incident Response, contact your Technical Account Manager (TAM). The license for Incident Response includes the following solutions:
|
| Tanium™ Trace | Version 2.3.2.0004 or later is required for real-time events on Linux endpoints with Tanium Index 2.0.0 or later. |
Third-party software requirements
For Tanium Incident Response, the required third-party software is installed automatically.
However, the IR Gatherer solution has third-party software requirements that are not installed automatically. The related documentation includes instructions to download the software and include it in packages that are distributed to the endpoints.
- KnockKnock (optional)
- OSX Collector (optional)
Endpoint hardware and software requirements
Disk space
If a solution is not listed, the required disk space is minimal.
| IR Solution | Disk Space |
|---|---|
| Index | 1 GB free space |
Supported endpoint operating systems
See the documentation for the IR solution for specific version numbers.
| IR solution | Windows | Mac | Linux |
|---|---|---|---|
| Incident Response | X | X | X |
| IR Gatherer | X | X | X |
| Copy tools | X | X | X |
| Quarantine | X | X | X |
| Index | X | X | X |
| Live Response | X |
Host and network security requirements
Specific ports and processes are needed to run Incident Response.
Ports
The following ports are required for IR communication.
| IR Solution | Port | Direction | Purpose |
|---|---|---|---|
| IR Gatherer | 443, 22, 21, or 445 | Outbound | Outbound connections over ports depending on how the collected data is being transferred. |
| Live Response | 443 (S3), 22 (SFTP/SCP), or 445 (SMB) | Outbound | Outbound connections over ports depending on how the collected data is being transferred. |
Security exclusions
If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference.
| Target Device | Process |
|---|---|
| Windows x86 | <Tanium Client>\Tools\EPI\TaniumExecWrapper.exe |
| <Tanium Client>\Tools\IR\TaniumExecWrapper.exe | |
| <Tanium Client>\Tools\IR\TanFileInfo.exe | |
| <Tanium Client>\Tools\IR\TaniumHandle.exe | |
| <Tanium Client>\Tools\IR\TanListModules.exe | |
| <Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe | |
| <Tanium Client>\Tools\IR\PowerForensics\PowerForensics.dll | |
| <Tanium Client>\Downloads\Action_nnn\Winpmem_3.1.rc10.exe 1 | |
| Windows x64 | <Tanium Client>\Tools\EPI\TaniumExecWrapper.exe |
| <Tanium Client>\Tools\IR\TaniumExecWrapper.exe | |
| <Tanium Client>\Tools\IR\TanFileInfo.exe | |
| <Tanium Client>\Tools\IR\TaniumHandle.exe | |
| <Tanium Client>\Tools\IR\TanListModules.exe | |
| <Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe | |
| <Tanium Client>\Tools\IR\PowerForensics\PowerForensics.dll | |
| <Tanium Client>\Downloads\Action_nnn\Winpmem_3.1.rc10.exe 1 | |
| Mac OS |
<Tanium Client>/Tools/EPI/TaniumExecWrapper |
| <Tanium Client>/Tools/IR/TaniumExecWrapper | |
| <Tanium Client>/Tools/EPI/TaniumEndpointIndex | |
| <Tanium Client>/Downloads/Action_nnn/surge-collect1,2 | |
| <Tanium Client>/Downloads/Action_nnn/surge.dat1,2 | |
| <Tanium Client>/Downloads/Action_nnn/osxpmem.app/osxpmem1 | |
| Linux x86 | <Tanium Client>/Tools/EPI/TaniumExecWrapper |
| <Tanium Client>/Tools/IR/TaniumExecWrapper | |
| <Tanium Client>/Tools/EPI/TaniumEndpointIndex | |
| <Tanium Client>/Downloads/Action_nnn/surge-collect1,2 | |
| <Tanium Client>/Downloads/Action_nnn/surge.dat1,2 | |
| <Tanium Client>/Downloads/Action_nnn/linpmem-<version>.bin1 | |
| Linux x64 |
<Tanium Client>/Tools/EPI/TaniumExecWrapper |
| <Tanium Client>/Tools/IR/TaniumExecWrapper | |
| <Tanium Client>/Tools/EPI/TaniumEndpointIndex | |
| <Tanium Client>/Downloads/Action_nnn/surge-collect1,2 | |
| <Tanium Client>/Downloads/Action_nnn/surge.dat1,2 | |
| <Tanium Client>/Downloads/Action_nnn/linpmem-<version>.bin1 |
1 = Where nnn corresponds to the action ID.
2 = Exception is required if Volexity Surge is used for memory collection.
Internet URLs
If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must whitelist the following URL:
- content.tanium.com
User role requirements
Tanium 6.5 and 7.0
For Tanium Platform version 6.5 and 7.0, the following user roles are required:
- Administrator - Incident Response and all solutions
- Content administrator - Quarantine
Tanium 7.1 and later
In 7.1.314.3071 and later, you can use role-based access control (RBAC) permissions to restrict access to IR solution content sets. If a solution is not listed below, RBAC does not apply and the roles are the same as 7.0.
For more information, see the Tanium Core Platform User Guide: Users and user groups.
| Permission | Content Set for Permission | Incident Response Administrator | Incident Response User | Incident Response Read Only User |
|---|---|---|---|---|
| Ask Dynamic Questions |
 * |
* |
* |
|
| Read Action | Incident Response |
|
|
|
| Read Package | Incident Response |
* |
|
|
| Read Saved Question | Incident Response |
* |
|
|
| Read Sensor | Incident Response |
* |
|
|
| Write Action | Incident Response |
|
|
|
| Write Action for Saved Questions | Incident Response |
|
|
|
| Write Package | Incident Response |
|
|
|
| Write Saved Question | Incident Response |
|
|
|
| Write Sensor | Incident Response |
|
|
|
‡ To install IR solutions, you must have the reserved role of Administrator.
* Requires permissions for the Interact module to ask questions, see results, and drill-down to endpoints.
| Permission | Content Set for Permission | Index Administrator | Index User | Index Read Only User |
|---|---|---|---|---|
| Ask Dynamic Questions |
* |
* |
* |
|
| Read Action | Index |
|
|
|
| Read Package | Index |
* |
|
|
| Read Saved Question | Index |
* |
* |
|
| Read Sensor | Index |
* |
* |
|
| Write Action | Index |
|
|
|
| Write Action for Saved Questions | Index |
|
|
|
| Write Package | Index |
|
|
|
| Write Saved Question | Index |
|
|
|
| Write Sensor | Index |
|
|
|
‡ To install IR solutions, you must have the reserved role of Administrator.
* Requires permissions for the Interact module to ask questions, see results, and drill-down to endpoints.
Last updated: 3/12/2019 4:51 PM | Feedback