Tanium services

Tanium provides the following services to share data or functionality across Tanium solutions. Some services contain a user interface that appears in the Tanium Console, while other services are transparent to users.

Install services

Use the Tanium Console Solutions page to install any solutions or services and choose either automatic or manual configuration:

Tanium API Gateway

API Gateway provides a single and stable API integration point for various Tanium solutions. It is designed for Tanium partners and customers interested in building integrated solutions with the Tanium™ Core Platform.

For information about API Gateway, see the Tanium API Gateway User Guide.

Tanium Blob Service

Blob Service is an internal service that provides generic blob storage to other Tanium solutions. Blob Service provides solutions with file storage without the need for solutions to directly access the host file system. Blob Service does not appear in the Tanium Console and requires no configuration.

Requirements

Review the requirements before you install and use Blob Service.

Core platform dependencies

  • Tanium™ Core Platform servers: 7.4.2.2063 or later

Solution dependencies

Blob Service has no solution dependencies.

Tanium Module Server

Blob Service is installed and runs as a service on the Tanium Module Server. The impact on the Module Server is minimal and depends on usage.

Ports

The following ports are required for Blob Service communication.

Source Destination Port Protocol Purpose
Module Server Tanium Cloud Module Server (loopback) 17502 TCP Internal purposes, not externally accessible

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

For Tanium Cloud ports, see Tanium Cloud Deployment Guide: Host and network security requirements.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Blob Service security exclusions

| Target Device | Notes | Exclusion Type | Exclusion |
|---|---|---|---|
| Module Server | | Process | <Module Server>\services\blob-service\TaniumBlobService.exe |

No additional process exclusions are recommended.

User role requirements

Blob Service has no user roles but includes the following permissions. These permissions are intended for internal use only, but might appear in the Tanium Console.

Blob

READ: List and read blobs.
WRITE: Create, update, and delete blobs.

Blob Category

CREATE: Create blob domains and categories.

Troubleshooting

Review logs

You can find logs on the Module Server at <Module Server>\services\blob-files\logs.

Contact Tanium Support

To contact Tanium Support for help, sign in to https://support.tanium.com.

Tanium Client Index Extension

Use Client Index Extension to index the local file systems on Tanium Client endpoints that run Windows, Linux, and macOS operating systems.

For information about Client Index Extension, see the Tanium Client Index Extension User Guide.

Tanium Client Recorder Extension

The Client Recorder Extension is a feature common to the Tanium Integrity Monitor, Tanium Map, and Tanium Threat Response solution modules. It continuously saves event data on each endpoint. The Client Recorder Extension monitors the endpoint kernel and other low-level subsystems to capture a variety of events.

For information about Client Recorder Extension, see the Tanium Client Recorder Extension User Guide.

Tanium Client Management

The Tanium Client is a service installed on endpoint computers that discovers and reports data from those endpoints. Deploy the Tanium Client using the Tanium Client Management shared service, an installation wizard (Windows and macOS endpoints only), or the client command-line interface (CLI). You can monitor client health using Client Management.

For information about Client Management, client installation wizards, and the client CLI, see the Tanium Client Management User Guide.

Tanium Data Service

Tanium Data Service caches data for use by other Tanium solutions and the Question Results grid.

  • After you ask a question on the Tanium Home page or the Interact Overview page, the Question Results grid contains endpoint results that expire when the maxAge value for the sensor is reached. When you register sensors for collection with the Tanium Data Service, the service queries all managed endpoints to collect the results of those sensors and stores the data for a configurable length of time. The default is 30 days.
  • Other Tanium solutions use data supplied from Tanium Data Service. For example, Tanium Reporting uses Tanium Data Service to populate data for reports and dashboards.

For information about Tanium Data Service, see Tanium Console User Guide: Manage sensor results collection.

Tanium Direct Connect

Direct Connect provides a communication channel for other Tanium™ solutions and a central location for configuring and administering direct endpoint connections across solutions, as well as for designating endpoints as satellites.

For information about Direct Connect, see the Tanium Direct Connect User Guide.

Tanium Endpoint Configuration

Use Endpoint Configuration to deliver configuration information to endpoints consistently for all Tanium solutions that are available in an environment. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

For information about Endpoint Configuration, see the Tanium Endpoint Configuration User Guide.

Tanium End-User Notifications

End-User Notifications is a service that other Tanium solutions use to notify users about updates to their endpoints.

For information about End-User Notifications, see the Tanium End-User Notifications User Guide.

Tanium Health Check

With Health Check, you can automate the collection of Tanium Platform Analyzer (TPAN) reports on a configurable schedule. TPAN reports can help you get a comprehensive view of the issues, risks, and performance of your Tanium environment. You can also download reports locally to share with Tanium. Regularly collecting and sharing these reports can help Tanium provide you with the best support.

For information about Health Check, see the Tanium Health Check User Guide.

Tanium Network Quarantine

With Network Quarantine, you can use your existing network access control (NAC) solution to control the communication of both managed and unmanaged endpoints (controlling unmanaged endpoints requires Tanium™ Discover).

For information about Network Quarantine, see the Tanium Network Quarantine User Guide.

Tanium RDB Service

Relational Database (RDB) Service is an internal service that manages database credentials for other Tanium solutions. RDB Service does not appear in the Tanium Console and requires no configuration.

Requirements

Review the requirements before you install and use RDB Service.

Core platform dependencies

  • Tanium™ Core Platform servers: 7.4.2.2063 or later

Solution dependencies

RDB Service has no solution dependencies.

Tanium Module Server

RDB Service is installed and runs as a service on the Tanium Module Server. The impact on the Module Server is minimal and depends on usage.

Ports

The following ports are required for RDB Service communication.

Source Destination Port Protocol Purpose
Module Server Tanium Cloud Module Server (loopback) 17516 TCP Internal purposes, not externally accessible
17517 TCP Internal purposes, not externally accessible

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

For Tanium Cloud ports, see Tanium Cloud Deployment Guide: Host and network security requirements.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

RDB service security exclusions

| Target Device | Notes | Exclusion Type | Exclusion |
|---|---|---|---|
| Module Server | | Process | <Module Server>\services\rdb-service\TaniumRdbService.exe |

No additional process exclusions are recommended.

User role requirements

RDB Service has no user roles but includes the following permissions. These permissions are intended for internal use only, but might appear in the Tanium Console.

Rdb Read

WRITE: Read and write to relational databases.

Rdb

MIGRATION: Migrate relational databases.

Troubleshooting

Review logs

You can find logs on the Module Server at <Module Server>\services\rdb-files\logs.

Contact Tanium Support

To contact Tanium Support for help, sign in to https://support.tanium.com.

Tanium Reporting

Use Tanium™ Reporting to explore real-time visualizations of your endpoint data, create custom reports and charts from the data, and export data to share with key stakeholders.

For information about Reporting, see the Tanium Reporting User Guide.

Tanium Reputation

With Reputation, you can build a repository of reputation data from various sources, such as Palo Alto Networks WildFire, Recorded Future, ReversingLabs, and VirusTotal. These sources determine threat levels for file hashes. Other Tanium solutions, such as Tanium™ Threat Response, can use this data to give an indication of potentially malicious files. You can also send reputation data to supported Tanium™ Connect destinations or import reputation data to Tanium™ Trends boards.

For information about Reputation, see the Tanium Reputation User Guide.

Tanium Secrets Service

Secrets Service provides a role-based access control (RBAC)-aware API to access the underlying storage and management of sensitive information. Secrets Service does not appear in the Tanium Console and requires no configuration.

Requirements

Review the requirements before you install and use Secrets Service.

Core platform dependencies

  • Tanium™ Core Platform servers: 7.4.2.2063 or later

Solution dependencies

Tanium Module Server

Secrets Service is installed and runs as a service on the Tanium Module Server. The impact on the Module Server is minimal and depends on usage.

Ports

The following ports are required for Secrets Service communication.

Source Destination Port Protocol Purpose
Module Server Tanium Cloud Module Server (loopback) 17509 TCP Internal purposes, not externally accessible

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

For Tanium Cloud ports, see Tanium Cloud Deployment Guide: Host and network security requirements.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Secrets service security exclusions

| Target Device | Notes | Exclusion Type | Exclusion |
|---|---|---|---|
| Module Server | | Process | <Module Server>\services\secrets-service\TaniumSecretsService.exe |

No additional process exclusions are recommended.

User role requirements

Secrets Service has no user roles but includes the following permissions. These permissions are intended for internal use only, but might appear in the Tanium Console.

Secrets Info

READ: Read secret information, but not secret values.

Secrets Service Account

EXECUTE: Provides required service account privileges.

Secrets Value

READ: Read secrets and secret values.
WRITE: Create, update, and delete secrets and secret values.

Troubleshooting

Review logs

You can find logs on the Module Server at <Module Server>\services\secrets-files\logs.

Contact Tanium Support

To contact Tanium Support for help, sign in to https://support.tanium.com.

Tanium System User Service

System User Service is an internal service that manages user accounts and provides credentials to other Tanium solutions. System User Service does not appear in the Tanium Console and requires no configuration.

Requirements

Review the requirements before you install and use System User Service.

Core platform dependencies

  • Tanium™ Core Platform servers: 7.4 or later

Solution dependencies

System User Service has no solution dependencies.

Tanium Module Server

System User Service is installed and runs as a service on the Tanium Module Server. The impact on the Module Server is minimal and depends on usage.

Ports

The following ports are required for System User Service communication.

Source Destination Port Protocol Purpose
Module Server Tanium Cloud Module Server (loopback) 17501 TCP Internal purposes, not externally accessible

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

For Tanium Cloud ports, see Tanium Cloud Deployment Guide: Host and network security requirements.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

System User service security exclusions

| Target Device | Notes | Exclusion Type | Exclusion |
|---|---|---|---|
| Module Server | | Process | <Module Server>\services\system-user-service\TaniumSystemUserService.exe |

No additional process exclusions are recommended.
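
A defender-side check for the four internal services documented on this page (Blob, RDB, Secrets, and System User), added here as an example and not taken from Tanium documentation: it reports whether each listed port listens only on a loopback address, which process owns the socket, and the Authenticode status of the binary named in the exclusion table. The `$ModuleServerDir` value is a placeholder, and matching the listener to the listed executable is an assumption.

```powershell
# Added example, not Tanium code. Run on the Module Server.
# Assumption: $ModuleServerDir is a placeholder for the <Module Server> directory.
param([string]$ModuleServerDir = 'C:\Path\To\ModuleServer')

# Ports and executables as listed in the tables on this page.
$services = @(
    @{ Name = 'Blob Service';        Ports = @(17502);        Exe = 'services\blob-service\TaniumBlobService.exe' }
    @{ Name = 'RDB Service';         Ports = @(17516, 17517); Exe = 'services\rdb-service\TaniumRdbService.exe' }
    @{ Name = 'Secrets Service';     Ports = @(17509);        Exe = 'services\secrets-service\TaniumSecretsService.exe' }
    @{ Name = 'System User Service'; Ports = @(17501);        Exe = 'services\system-user-service\TaniumSystemUserService.exe' }
)
$loopback = '127.0.0.1', '::1'

foreach ($svc in $services) {
    $exePath = Join-Path $ModuleServerDir $svc.Exe
    # Report the signature state of the binary that the process exclusion would cover.
    $signature = if (Test-Path -LiteralPath $exePath) {
        (Get-AuthenticodeSignature -LiteralPath $exePath).Status
    } else { 'FileMissing' }

    foreach ($port in $svc.Ports) {
        $listeners = @(Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)
        if ($listeners.Count -eq 0) {
            # Nothing bound to the port: the service is stopped or not installed.
            [pscustomobject]@{ Service = $svc.Name; Port = $port; Address = $null
                               LoopbackOnly = $null; Owner = $null; OwnerIsListedExe = $null
                               Signature = $signature }
            continue
        }
        foreach ($l in $listeners) {
            $owner = (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).Path
            [pscustomobject]@{
                Service          = $svc.Name
                Port             = $port
                Address          = $l.LocalAddress
                # False means the port is bound to a non-loopback address.
                LoopbackOnly     = $loopback -contains $l.LocalAddress
                Owner            = $owner
                # Assumption: the listed service executable itself owns the socket.
                OwnerIsListedExe = ($owner -eq $exePath)
                Signature        = $signature
            }
        }
    }
}
```

Run it in an elevated PowerShell session; without elevation the owning process path can come back empty.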

User role requirements

System User Service has no user roles or permissions.

Troubleshooting

Review logs

You can find logs on the Module Server at <Module Server>\services\system-user-files\logs.

Contact Tanium Support

To contact Tanium Support for help, sign in to https://support.tanium.com.