Tanium services
Tanium provides the following services to share data or functionality across Tanium solutions. Some services contain a user interface that appears in the Tanium Console, while other services are transparent to users.
- Tanium™ API Gateway
- Tanium™ Blob Service
- Tanium™ Client Index Extension
- Tanium™ Client Recorder Extension
- Tanium™ Client Management
- Tanium™ Data Service
- Tanium™ Direct Connect
- Tanium™ Endpoint Configuration
- Tanium™ End-User Notifications
- Tanium™ Health Check
- Tanium™ Network Quarantine
- Tanium™ RDB Service
- Tanium™ Reporting
- Tanium™ Reputation
- Tanium™ Secrets Service
- Tanium™ System User Service
Install services
Use the Tanium Console Solutions page to install any solutions or services and choose either automatic or manual configuration:
- Automatic configuration (Tanium Core Platform 7.4.2 or later only): The selected services are installed with any required dependencies and other selected products. This option is the best practice for most deployments. For more information about the automatic configuration for services, see Tanium Console User Guide: Import all modules and services.
- Manual configuration: Manually install any selected services and the required dependencies. For more information, see Tanium Console User Guide: Import or update specific solutions.
Tanium API Gateway
API Gateway provides a single and stable API integration point for various Tanium solutions. It is designed for Tanium partners and customers interested in building integrated solutions with the Tanium™ Core Platform.
For information about API Gateway, see the Tanium API Gateway User Guide.
Tanium Blob Service
Blob Service is an internal service that provides generic blob storage to other Tanium solutions. Blob Service provides solutions with file storage without the need for solutions to directly access the host file system. Blob Service does not appear in the Tanium Console and requires no configuration.
Requirements
Review the requirements before you
Tanium Module Server
Blob Service is installed and runs as a service on the Tanium Module Server. The impact on the Module Server is minimal and depends on usage.
Ports
The following ports are required for Blob Service communication.
| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
|
|
Module Server (loopback) | 17502 | TCP | Internal purposes, not externally accessible |
Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.
For Tanium Cloud ports, see Tanium Cloud Deployment Guide: Host and network security requirements.
Security exclusions
If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.
| Target Device | Notes | Exclusion Type | Exclusion |
|---|---|---|---|
| Module Server | Process | <Module Server>\services\blob-service\TaniumBlobService.exe |
No additional process exclusions are recommended.
User role requirements
Blob Service has no user roles but includes the following permissions. These permissions are intended for internal use only, but might appear in the Tanium Console.
Blob
READ: List and read blobs.
WRITE: Create, update, and delete blobs.
Blob Category
CREATE: Create blob domains and categories.
Troubleshooting
Contact Tanium Support
To contact Tanium Support for help, sign in to https://support.tanium.com.
Tanium Client Index Extension
Use Client Index Extension to index the local file systems on Tanium Client endpoints that run Windows, Linux, and macOS operating systems.
For information about Client Index Extension, see the Tanium Client Index Extension User Guide.
Tanium Client Recorder Extension
The Client Recorder Extension is a feature common to the Tanium Integrity Monitor, Tanium Map, and Tanium Threat Response solution modules. It continuously saves event data on each endpoint. The Client Recorder Extension monitors the endpoint kernel and other low-level subsystems to capture a variety of events.
For information about Client Recorder Extension, see the Tanium Client Recorder Extension User Guide.
Tanium Client Management
The Tanium Client is a service installed on endpoint computers that discovers and reports data from those endpoints. Deploy the Tanium Client using the Tanium Client Management shared service, an installation wizard (Windows and macOS endpoints only), or the client command-line interface (CLI). You can monitor client health using Client Management.
For information about Client Management, client installation wizards, and the client CLI, see the Tanium Client Management User Guide.
Tanium Data Service
Tanium Data Service caches data for use by other Tanium solutions and the Question Results grid.
- After you ask a question on the Tanium Home page or the Interact Overview page, the Question Results grid contains endpoint results that expire when the maxAge value for the sensor is reached. When you register sensors for collection with the Tanium Data Service, the service queries all managed endpoints to collect the results of those sensors and stores the data for a configurable length of time. The default is 30 days.
- Other Tanium solutions use data supplied from Tanium Data Service. For example, Tanium Reporting uses Tanium Data Service to populate data for reports and dashboards.
For information about Tanium Data Service, see Tanium Console User Guide: Manage sensor results collection.
Tanium Direct Connect
Direct Connect provides a communication channel for other Tanium™ solutions and a central location for configuring and administering direct endpoint connections across solutions, as well as for designating endpoints as satellites.
For information about Direct Connect, see the Tanium Direct Connect User Guide.
Tanium Endpoint Configuration
Use Endpoint Configuration to deliver configuration information to endpoints consistently for all Tanium solutions that are available in an environment. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.
For information about Endpoint Configuration, see the Tanium Endpoint Configuration User Guide.
Tanium End-User Notifications
End-User Notifications is a service that other Tanium solutions use to notify users about updates to their endpoints.
For information about End-User Notifications, see the Tanium End-User Notifications User Guide.
Tanium Health Check
With Health Check, you can automate the collection of Tanium Platform Analyzer (TPAN) reports on a configurable schedule. TPAN reports can help you get a comprehensive view of the issues, risks, and performance of your Tanium environment. You can also download reports locally to share with Tanium. Regularly collecting and sharing these reports can help Tanium provide you with the best support.
For information about Health Check, see the Tanium Health Check User Guide.
Tanium Network Quarantine
With Network Quarantine, you can use your existing Network Access control (NAC) solution to control the communication of both managed and unmanaged endpoints (controlling unmanaged endpoints requires Tanium™ Discover).
For information about Network Quarantine, see the Tanium Network Quarantine User Guide.
Tanium RDB Service
Relational Database (RDB) Service is an internal service that manages database credentials for other Tanium solutions. RDB Service does not appear in the Tanium Console and requires no configuration.
Requirements
Review the requirements before you
Tanium Module Server
RDB Service is installed and runs as a service on the Tanium Module Server. The impact on the Module Server is minimal and depends on usage.
Ports
The following ports are required for RDB Service communication.
| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
|
|
Module Server (loopback) | 17516 | TCP | Internal purposes, not externally accessible |
| 17517 | TCP | Internal purposes, not externally accessible |
Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.
For Tanium Cloud ports, see Tanium Cloud Deployment Guide: Host and network security requirements.
Security exclusions
If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.
| Target Device | Notes | Exclusion Type | Exclusion |
|---|---|---|---|
| Module Server | Process | <Module Server>\services\rdb-service\TaniumRdbService.exe |
No additional process exclusions are recommended.
User role requirements
RDB Service has no user roles but includes the following permissions. These permissions are intended for internal use only, but might appear in the Tanium Console.
Rdb Read
WRITE: Read and write to relational databases.
Rdb
MIGRATION: Migrate relational databases.
Troubleshooting
Contact Tanium Support
To contact Tanium Support for help, sign in to https://support.tanium.com.
Tanium Reporting
Use Tanium™ Reporting to explore real-time visualizations of your endpoint data, create custom reports and charts from the data, and export data to share with key stakeholders.
For information about Reporting, see the Tanium Reporting User Guide.
Tanium Reputation
With Reputation, you can build a repository of reputation data from various sources, such as Palo Alto Networks WildFire, Recorded Future, ReversingLabs, and VirusTotal. These sources determine threat levels for file hashes. Other Tanium solutions, such as Tanium™ Threat Response, can use this data to give an indication of potentially malicious files. You can also send reputation data to supported Tanium™ Connect destinations or import reputation data to Tanium™ Trends boards.
For information about Reputation, see the Tanium Reputation User Guide.
Tanium Secrets Service
Secrets Service provides a role-based access control (RBAC)-aware API to access the underlying storage and management of sensitive information. Secrets Service does not appear in the Tanium Console and requires no configuration.
Requirements
Review the requirements before you
Solution dependencies
- Tanium™ RDB Service: 1.0.113 or later
- Tanium™ System User Service: 1.0.40 or later
Tanium Module Server
Secrets Service is installed and runs as a service on the Tanium Module Server. The impact on the Module Server is minimal and depends on usage.
Ports
The following ports are required for Secrets Service communication.
| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
|
|
Module Server (loopback) | 17509 | TCP | Internal purposes, not externally accessible |
Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.
For Tanium Cloud ports, see Tanium Cloud Deployment Guide: Host and network security requirements.
Security exclusions
If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.
| Target Device | Notes | Exclusion Type | Exclusion |
|---|---|---|---|
| Module Server | Process | <Module Server>\services\secrets-service\TaniumSecretsService.exe |
No additional process exclusions are recommended.
User role requirements
Secrets Service has no user roles but includes the following permissions. These permissions are intended for internal use only, but might appear in the Tanium Console.
Secrets Info
READ: Read secret information, but not secret values.
Secrets Service Account
EXECUTE: Provides required service account privileges.
Secrets Value
READ: Read secrets and secret values
WRITE: Create, update, and delete secrets and secret values.
Troubleshooting
Contact Tanium Support
To contact Tanium Support for help, sign in to https://support.tanium.com.
Tanium System User Service
System User Service is an internal service that manages user accounts and provides credentials to other Tanium solutions. System User Service does not appear in the Tanium Console and requires no configuration.
Requirements
Review the requirements before you
Tanium Module Server
System User Service is installed and runs as a service on the Tanium Module Server. The impact on the Module Server is minimal and depends on usage.
Ports
The following ports are required for System User Service communication.
| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
|
|
Module Server (loopback) | 17501 | TCP | Internal purposes, not externally accessible |
Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.
For Tanium Cloud ports, see Tanium Cloud Deployment Guide: Host and network security requirements.
Security exclusions
If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.
| Target Device | Notes | Exclusion Type | Exclusion |
|---|---|---|---|
| Module Server | Process | <Module Server>\services\system-user-service\TaniumSystemUserService.exe |
No additional process exclusions are recommended.
Troubleshooting
Review logs
You can find logs on the Module Server at <Module Server>\services\system-user-files\logs.
Contact Tanium Support
To contact Tanium Support for help, sign in to https://support.tanium.com.
Last updated: 11/1/2022 4:08 PM | Feedback