Requirements

Review the requirements before you install and use Threat Response.

License entitlements

The content that appears in the Threat Response workbench can differ depending on the type of license you have.

The following table shows the areas of the Threat Response workbench that are available for each type of license (N/A = not available).

| License | Intel configurations | Engine configurations | Recorder configurations | Index configurations | Enterprise hunting | Live Response |
|---|---|---|---|---|---|---|
| Threat Response | | | | | | |
| Trace (Trace and Incident Response) | | | | | | |
| Detect (Detect and Incident Response) | | | | | | |
| Trace and Detect | | | | | | |
| Trace, Detect, and Incident Response | N/A | N/A | N/A | N/A | N/A | N/A |
| Trace only | | | | | | |
| Detect only | | | | | | |
| Incident Response only | N/A | N/A | N/A | N/A | N/A | N/A* |

* = With an Incident Response license you can use Live Response, but the Live Response workbench is not provided. See the Incident Response User Guide for more information on using Live Response.

Tanium dependencies

In addition to a license for the Threat Response product module, make sure that your environment also meets the following requirements.

Tanium™ Core Platform
  7.3.314.4250 or later. For more information, see Tanium Core Platform Installation Guide: Installing Tanium Server.

Tanium™ Client
  For more information about specific Tanium Client versions, see Tanium Client Deployment Guide: Client host system requirements.

  One of the following 7.2 Tanium Client versions is required as a minimum:

    • 7.2.314.3476 and later, with the exception of 7.2.314.3518 (Linux, macOS*, Windows)
    • 7.2.314.3608 (macOS 10.15.x and later)

  * = macOS earlier than 10.15.x Catalina

  7.4.1.1955 and later clients are supported on Threat Response 2.1.0 and later.

  If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Tanium products
  If you clicked the Install with Recommended Configurations button when you installed Threat Response, the Tanium Server automatically installed all your licensed modules at the same time. Otherwise, you must manually install the modules that Threat Response requires to function, as described under Tanium Console User Guide: Manage Tanium modules.

  The following modules are required for features of Threat Response to function. The given versions are the minimum required:

    • Tanium™ Connect 4.1.0 to 4.10.5 is required for reputation data without Tanium™ Reputation.
    • Tanium™ Reputation 5.0 or later is required for reputation data with Tanium Connect 4.11 or later.
    • Tanium™ Protect 2.1.0 or later is required for alert remediation.
    • Tanium™ Quarantine 3.1.1 or later is required for isolating endpoints.
    • Tanium™ Direct Connect 1.7.111 or later is required for live endpoint connections.
    • Tanium Trends 3.6.331 or later.
    • Tanium Interact 2.5.146 or later.
    • Tanium Impact 1.5.68 or later (optional).
    • Tanium Endpoint Configuration 1.2 or later is required for tools deployment and, optionally, for approving configuration changes.

  Endpoint Configuration is installed as part of Tanium Client Management 1.5.112 or later.

Computer groups

When you first log into the Tanium Console after installing the Tanium Server, the server automatically imports the computer groups that Threat Response requires:

  • All Computers

  • All Windows

  • All Linux

  • All Mac

For information about activating product licenses, see Tanium Knowledge Base: Licensing.

Tanium™ Module Server

Threat Response is installed and runs as a service on the Module Server host computer. The impact on Module Server host computer sizing is minimal and depends on usage. For more information, see Contact Tanium Support.

Endpoints

The following endpoint operating systems are supported with Threat Response. The endpoint requirements for Threat Response are consistent with those used for Tanium Performance and Tanium Integrity Monitor. Threat Response uses the Tanium™ Client Recorder Extension to gather data from endpoints.

Windows
  Windows 7 SP1 or Windows Server 2008 R2 SP1 at a minimum. Windows 8.1 and later provide DNS event recording. Windows XP, Windows Server 2003, and Windows Server 2008 are not supported.

  Windows 7 SP1 requires Microsoft KB2758857.

macOS
  macOS 10.11 or later.

Linux
  Same as Tanium Client support, with the exceptions noted below. See Tanium Client User Guide: Host system requirements.

  The Client Recorder Extension does not support CentOS and Red Hat Enterprise Linux 5.3 and earlier; endpoints require CentOS or Red Hat Enterprise Linux 5.4 or later.

  The Client Recorder Extension provides SELinux policies for the following distributions and versions:

    • Oracle Enterprise Linux 5.x, 6.x, 7.x, and 8.x

      When SELinux is enabled, only process information is returned. This is a known issue that will be addressed in a future version of Threat Response.

    • Red Hat Enterprise Linux (RHEL) 5.4 and later, 6.x, 7.x, and 8.x
    • CentOS 5.4 and later, 6.x, 7.x, and 8.x
    • Amazon Linux 2 LTS (2017.12)

  At this time, SELinux is not supported on other Linux distributions.

  The engine requires lsof on endpoints to scan open files.

  For Linux endpoints:

    • Install the most recent stable version of the audit daemon (auditd) and audispd-plugins. For information on deprecated parameters in the audit daemon configuration, see Tanium Client Recorder Extension User Guide. See the specific operating system documentation for installation instructions.
    • When auditd runs in immutable mode ("-e 2"), the recorder adds the Tanium audit rules in front of the immutable flag, and because an immutable rule set cannot change until the next boot, the endpoint must be restarted after the recorder is enabled.
    • When auditd runs in failure mode "-f 2", the kernel panics if an audit message is lost. The recorder does not add audit rules if this configuration is detected.
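The two auditd settings above are worth checking before a recorder-enabled profile is pushed to Linux endpoints. The following script is an added example written for this page, not Tanium code: it parses auditctl-style rules text (the format of /etc/audit/audit.rules, or of the rules.d fragments that augenrules assembles), reports whether "-e 2" or "-f 2" is set, and shows the placement the page describes, inserting new rules ahead of the immutable flag. The sample rule sets and the placeholder watch rule are constructed for illustration and are not the rules the recorder actually installs.

```python
"""Inspect Linux auditd rules for the two settings that change how the
Threat Response recorder behaves: immutable mode (-e 2) and panic-on-failure (-f 2).

Added example, not Tanium code. Sample rule sets and PLACEHOLDER_RULE are constructed.
"""
import shlex
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional


@dataclass
class AuditRuleFindings:
    immutable: bool                 # "-e 2" present: rule set locked until reboot
    panic_on_failure: bool          # "-f 2" present: kernel panics if an audit message is lost
    immutable_line: Optional[int]   # 1-based line number of the "-e 2" directive, if any

    @property
    def recorder_adds_rules(self) -> bool:
        """Per the requirements text, the recorder adds no rules when -f 2 is configured."""
        return not self.panic_on_failure

    @property
    def restart_required(self) -> bool:
        """With -e 2, rules placed in front of the flag only load after a reboot."""
        return self.recorder_adds_rules and self.immutable


def _tokens(line: str) -> List[str]:
    """Split one rules line into auditctl arguments, dropping comments and blanks."""
    body = line.split("#", 1)[0].strip()
    return shlex.split(body) if body else []


def _has_flag(tokens: List[str], flag: str, value: str) -> bool:
    """True if tokens contain '<flag> <value>' or the joined form '<flag><value>' (auditctl accepts both)."""
    for i, tok in enumerate(tokens):
        if tok == flag and i + 1 < len(tokens) and tokens[i + 1] == value:
            return True
        if tok == flag + value:
            return True
    return False


def analyze_rules(text: str) -> AuditRuleFindings:
    immutable_line = None
    panic = False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        toks = _tokens(raw)
        if immutable_line is None and _has_flag(toks, "-e", "2"):
            immutable_line = lineno
        if _has_flag(toks, "-f", "2"):
            panic = True
    return AuditRuleFindings(immutable_line is not None, panic, immutable_line)


def place_rules_before_immutable(text: str, new_rules: List[str]) -> str:
    """Insert rules ahead of the '-e 2' line so they are loaded before the set is locked
    (the placement the page describes). Without '-e 2' they are appended."""
    findings = analyze_rules(text)
    lines = text.splitlines()
    if findings.immutable_line is None:
        lines.extend(new_rules)
    else:
        idx = findings.immutable_line - 1
        lines[idx:idx] = new_rules
    return "\n".join(lines) + "\n"


def report(findings: AuditRuleFindings) -> str:
    if not findings.recorder_adds_rules:
        return "-f 2 set: recorder will not add audit rules; change the failure mode first"
    if findings.restart_required:
        return "-e 2 set: rules go in front of the flag; reboot after enabling the recorder"
    return "no blocking audit flags found"


# Constructed sample rule sets (not taken from any real endpoint).
SAMPLE_IMMUTABLE = "-D\n-b 8192\n-w /etc/passwd -p wa -k identity\n-e 2\n"
SAMPLE_PANIC = "-D\n-b 8192\n-f 2   # panic on lost message\n-e 1\n"
SAMPLE_PLAIN = "-D\n-b 8192\n-e 1\n"

# Hypothetical stand-in for whatever rules the recorder installs.
PLACEHOLDER_RULE = "-w /etc/hosts -p wa -k tanium_example"


if __name__ == "__main__":
    rules_file = Path("/etc/audit/audit.rules")
    text = rules_file.read_text() if rules_file.exists() else SAMPLE_IMMUTABLE
    print(report(analyze_rules(text)))
```

Run it on the endpoint as root so /etc/audit/audit.rules is readable; on a host that assembles rules from rules.d, run `augenrules --check` first, otherwise the script only sees the last generated file.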

Disk space requirements

By default, the endpoint database for Threat Response is 1 GB in size. On installation, 100 MB is reserved on disk, and the database grows to up to 1 GB before event pruning occurs. A maximum database size of 1 GB is advised for the best event retention and performance. The endpoint must have three times the maximum database size available as free disk space.

CPU and memory requirements

The CPU demand on the endpoint averages less than 1%. For full functionality, a minimum of two CPUs per endpoint is required.

A minimum of 4 GB RAM is recommended on each endpoint device.

Tanium Event Recorder Driver

Use the Tanium Event Recorder Driver to record process and command-line events on supported Windows endpoints. To deploy the Tanium Event Recorder Driver to the endpoints, see Tanium Client Recorder Extension User Guide: Installing the Tanium Event Recorder Driver. Enable the Tanium Driver by selecting the Enforce Driver setting in a recorder configuration. If checked, this setting distributes the Tanium Driver to endpoints and enforces that the Tanium Driver service is running. The recorder is optimized to use the Tanium Event Recorder Driver on Windows systems when it is installed. It is strongly recommended to use the Tanium Event Recorder Driver for the best performance and data reliability.

If unchecked, the Tanium Driver will not be distributed to the endpoint; if the Tanium Driver is already installed, the Tanium Driver service will no longer be enforced and will continue running unless manually disabled or removed.

The use of Sysmon has been deprecated in Threat Response version 2.2.0.

The following table lists the recorder features available on each Windows version.

| Feature | Windows Server 2008 R2 | Windows Server 2012 | Windows Server 2012 R2 or later | Windows 7 SP1 | Windows 8 | Windows 8.1 or later* |
|---|---|---|---|---|---|---|
| DNS events | Not available | Not available | Available | Not available | Not available | Available |
| Process hashes and command-line information | Requires Tanium driver | Requires Tanium driver | Requires Tanium driver | Requires Tanium driver | Requires Tanium driver | Requires Tanium driver |
| Driver loads | Available | Available | Available | Available | Available | Available |

* = Windows 10 must be version 1607 or later.

Install the Tanium Event Recorder Driver to capture process and command line events

The Tanium Event Recorder Driver is installed by default on new installations of Threat Response 2.2.0 and later. If you are upgrading to Threat Response 2.2.0 or later from an earlier version, you can manually install the Tanium Event Recorder Driver.

  1. From the Tanium Console home page, ask the question Get Tanium Driver Status from all machines and click Search.
  2. Select Install Recommended.
  3. From the Deploy Action page, select Install Tanium Driver.
  4. Validate successful installations by checking the validation query that runs at the end of the package installation.
  5. Collect the action logs from any endpoints that fail the validation query using Live Response.
  6. Run the action Remove Tanium Driver on any endpoints that return anything other than SERVICE_RUNNING for the Tanium Event Recorder Driver service status.

If you make changes to the event source, you must redeploy any recorder enabled profile for the changes to take effect.

Host and network security requirements

Specific ports and processes are needed to run Threat Response.

Ports

The following ports are required for Threat Response communication. Directions are relative to the component in the first column.

| Component | Port number | Direction | Service | Purpose |
|---|---|---|---|---|
| Module Server or Tanium as a Service | 17494 | Inbound | Threat Response service | Console and API connections to the Module Server or Tanium as a Service. |
| Module Server or Tanium as a Service | 17475 | Inbound | Threat Response service | Threat Response agents connecting to the Module Server or Tanium as a Service for live connections to endpoints. |
| Module Server or Tanium as a Service | 17487 (Direct Connect communication port) and 17488 (Direct Connect provision and status monitoring port) | Outbound | Direct Connect service or zone hub | (Optional) Tanium zone hub connection to the Tanium zone proxy. |
| Module Server or Tanium as a Service | 80 | Outbound | Threat Response service | Integration of intel streams. |
| Module Server or Tanium as a Service | 443 | Outbound | Threat Response service | Integration of intel streams. |
| Module Server or Tanium as a Service | 17477 | Inbound | Tanium Server | The Tanium Server initiates connections to the Module Server or Tanium as a Service on port 17477. |
| Zone Server | 17487 (Direct Connect communication port) and 17488 (Direct Connect provision and status monitoring port) | Inbound | Zone proxy | (Optional) Connection to the Tanium zone proxy. These ports only need to be accessible from the internal network to the DMZ. |
| Zone Server | 17486 (Direct Connect) | Inbound | Zone proxy | (Optional) Connections from Threat Response agents. |
| Tanium Client | 17475 (Direct Connect) and 17486 (Direct Connect) | Outbound | Tanium Client | Connections to the Module Server or Tanium as a Service, or to the zone proxy, for live connections. |
| Threat Response data collection | 443 (S3), 22 (SFTP/SCP), or 445 (SMB) | Outbound | Threat Response data collection | Outbound connections on whichever port matches how the collected data is transferred. |
| Threat Response Stream configurations for Splunk (required for Stream configurations to Splunk destinations) | TCP port provided by a Splunk administrator | Outbound | Threat Response service | The port for stream communication to the Splunk host; the Splunk administrator assigns it to correspond to a data source. |

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.
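When writing the TCP-based rules above it helps to derive the per-host allow list from the table and then confirm, from each side, that the path is actually open before the live-connection workflow is tested. The script below is an added example for this page, not Tanium tooling: PORT_RULES transcribes the table, inbound_ports() gives the listener ports a host firewall on that component must allow, and check_reachable() makes a plain TCP connection (it does not speak the Tanium protocol, so a True result only proves the firewall and a listener are there). The loopback listener exists so the example runs offline; the host names in the comments are assumptions.

```python
"""Firewall planning and TCP reachability checks for the Threat Response ports
listed in the table above. Added example, not Tanium tooling."""
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PortRule:
    component: str
    port: int
    direction: str   # "Inbound" or "Outbound", relative to the component
    purpose: str


# Transcribed from the ports table on this page (TCP throughout).
PORT_RULES: List[PortRule] = [
    PortRule("Module Server", 17494, "Inbound", "Console and API connections"),
    PortRule("Module Server", 17475, "Inbound", "Threat Response agents, live connections"),
    PortRule("Module Server", 17487, "Outbound", "Direct Connect communication to zone proxy (optional)"),
    PortRule("Module Server", 17488, "Outbound", "Direct Connect provision/status to zone proxy (optional)"),
    PortRule("Module Server", 80, "Outbound", "Intel stream integration"),
    PortRule("Module Server", 443, "Outbound", "Intel stream integration"),
    PortRule("Module Server", 17477, "Inbound", "Connections initiated by the Tanium Server"),
    PortRule("Zone Server", 17487, "Inbound", "Direct Connect communication from the internal network"),
    PortRule("Zone Server", 17488, "Inbound", "Direct Connect provision/status from the internal network"),
    PortRule("Zone Server", 17486, "Inbound", "Connections from Threat Response agents"),
    PortRule("Tanium Client", 17475, "Outbound", "Live connection to the Module Server"),
    PortRule("Tanium Client", 17486, "Outbound", "Live connection to the zone proxy"),
]


def rules_for(component: str, direction: Optional[str] = None) -> List[PortRule]:
    return [r for r in PORT_RULES
            if r.component == component and (direction is None or r.direction == direction)]


def inbound_ports(component: str) -> List[int]:
    """Distinct listener ports a host firewall on this component must allow."""
    return sorted({r.port for r in rules_for(component, "Inbound")})


def check_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Plain TCP connect. True means the network path and a listener exist;
    a refused or timed-out connect returns False instead of raising."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def outbound_checks(component: str, host: str, timeout: float = 2.0) -> Dict[int, bool]:
    """Run check_reachable() for every Outbound rule of a component against one target host."""
    return {r.port: check_reachable(host, r.port, timeout)
            for r in rules_for(component, "Outbound")}


def open_local_listener() -> Tuple[socket.socket, int]:
    """Loopback listener on an ephemeral port so the example is self-contained."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    print("Zone Server inbound allow list:", inbound_ports("Zone Server"))
    srv, port = open_local_listener()
    print("loopback listener reachable:", check_reachable("127.0.0.1", port))
    srv.close()
    print("after close:", check_reachable("127.0.0.1", port, timeout=0.5))
    # Against real infrastructure (assumed host name):
    # print(outbound_checks("Tanium Client", "modserver.example.internal"))
```

Run outbound_checks() from a representative endpoint in each network segment, not only from the Module Server, because the table's Tanium Client rows are the ones that most often fail behind a DMZ.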

Security exclusions

A security administrator must create exclusions to allow Tanium processes to run without interference if security software is in use in the environment to monitor and block unknown host system processes.

Table 1:   Threat Response security exclusions

| Target device | Notes | Process |
|---|---|---|
| Tanium Module Server | | <Module Server>\services\trace-service\node.exe |
| | | <Module Server>\services\detect3\node.exe |
| | | <Module Server>\services\detect3\twsm.exe |
| | | <Module Server>\services\event-service\node.exe |
| | | <Module Server>\services\event-service\twsm.exe |
| | | <Module Server>\services\threat-response-service\node.exe |
| | | <Module Server>\services\twsm-v1\twsm.exe |
| | | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe |
| Tanium Zone Server | | <Zone Server>\proxy\node.exe |
| Windows x86 and x64 endpoints | | <Tanium Client>\Tools\EPI\TaniumExecWrapper.exe |
| | | <Tanium Client>\Tools\IR\TaniumExecWrapper.exe |
| | | <Tanium Client>\Tools\IR\TanFileInfo.exe |
| | | <Tanium Client>\Tools\IR\TaniumFileInfo.exe |
| | | <Tanium Client>\Tools\IR\TaniumHandle.exe |
| | | <Tanium Client>\Tools\IR\TanListModules.exe |
| | | <Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe |
| | | <Tanium Client>\Tools\Trace\TaniumTraceWebsocketClient.exe |
| | | <Tanium Client>\Tools\Trace\TaniumTraceWebsocketClient64.exe |
| | | <Tanium Client>\Tools\Trace\TaniumExecWrapper.exe |
| | | <Tanium Client>\Tools\recorder\TaniumRecorderCtl.exe |
| | | <Tanium Client>\Tools\Detect3\TaniumDetectEngine.exe |
| | | <Tanium Client>\extensions\TaniumRecorder.dll |
| | | <Tanium Client>\extensions\TaniumRecorder.dll.sig |
| | | <Tanium Client>\extensions\SupportCX.dll |
| | | <Tanium Client>\extensions\SupportCX.dll.sig |
| | | <Tanium Client>\extensions\recorder\proc.bin |
| | | <Tanium Client>\extensions\recorder\recorder.db |
| | | <Tanium Client>\extensions\recorder\recorder.db-shm |
| | | <Tanium Client>\extensions\recorder\recorder.db-wal |
| | | <Tanium Client>\extensions\TaniumThreatResponse.dll |
| | | <Tanium Client>\extensions\TaniumThreatResponse.dll.sig |
| | | <Tanium Client>\extensions\core\libTaniumPythonCx.dll |
| | | <Tanium Client>\extensions\core\libTaniumPythonCx.dll.sig |
| | | <Tanium Client>\extensions\stream\*.py |
| | | <Tanium Client>\TaniumClientExtensions.dll |
| | | <Tanium Client>\TaniumClientExtensions.dll.sig |
| | | <Tanium Client>\Downloads\Action_nnn\TaniumFileTransfer.exe |
| | 1 | <Tanium Client>\Downloads\Action_nnn\Winpmem.gb414603.exe |
| | | <Tanium Client>\Tools\IR\TaniumPersistenceAnalyzer.exe |
| | | <Tanium Client>\Tools\IR\PowerForensics\PowerForensics.dll |
| | 7.2.x clients, 3 | <Tanium Client>\Python27\TPython.exe |
| | 7.4.x clients, 3 | <Tanium Client>\Python38\TPython.exe |
| | 7.4.x clients | <Tanium Client>\Python38\*.dll |
| | | <Tanium Client>\TaniumSensorDebugger.exe |
| | | <Tanium Client>\TaniumCX.exe |
| | | <Tanium Client>\extensions\TaniumDEC.dll |
| | | <Tanium Client>\extensions\TaniumDEC.dll.sig |
| Linux x86 and x64 endpoints | | <Tanium Client>/TaniumAuditPipe |
| | | <Tanium Client>/TaniumCX |
| | | <Tanium Client>/TaniumSensorDebugger |
| | | <Tanium Client>/Tools/EPI/TaniumExecWrapper |
| | | <Tanium Client>/Tools/IR/TaniumExecWrapper |
| | | <Tanium Client>/Tools/EPI/TaniumEndpointIndex |
| | | <Tanium Client>/Tools/Trace/TaniumTraceWebsocketClient |
| | | <Tanium Client>/Tools/Trace/TaniumExecWrapper |
| | | <Tanium Client>/Tools/Detect3/TaniumDetectEngine |
| | 7.2.x clients | <Tanium Client>/python27/python |
| | 7.2.x clients | <Tanium Client>/python27/bin/pybin |
| | 7.4.x clients | <Tanium Client>/python38/python |
| | | <Tanium Client>/libTaniumClientExtensions.so |
| | | <Tanium Client>/libTaniumClientExtensions.so.sig |
| | | <Tanium Client>/libSupportCX.so |
| | | <Tanium Client>/libSupportCX.so.sig |
| | | <Tanium Client>/extensions/libTaniumThreatResponse.so |
| | | <Tanium Client>/extensions/libTaniumThreatResponse.so.sig |
| | | <Tanium Client>/extensions/libTaniumRecorder.so |
| | | <Tanium Client>/extensions/libTaniumRecorder.so.sig |
| | | <Tanium Client>/extensions/recorder/proc.bin |
| | | <Tanium Client>/extensions/recorder/recorder.db |
| | | <Tanium Client>/extensions/recorder/recorder.db-shm |
| | | <Tanium Client>/extensions/recorder/recorder.db-wal |
| | | <Tanium Client>/extensions/recorder/recorder.auditpipe |
| | | <Tanium Client>/extensions/core/libTaniumPythonCx.so |
| | | <Tanium Client>/extensions/core/libTaniumPythonCx.so.sig |
| | | <Tanium Client>/extensions/libTaniumDEC.so |
| | | <Tanium Client>/extensions/libTaniumDEC.so.sig |
| | | <Tanium Client>/extensions/stream/*.py |
| | 1, 2 | <Tanium Client>/Downloads/Action_nnn/surge-collect |
| | 1, 2 | <Tanium Client>/Downloads/Action_nnn/surge.dat |
| | 1 | <Tanium Client>/Downloads/Action_nnn/linpmem-<version>.bin |
| | 1 | <Tanium Client>/Downloads/Action_nnn/taniumfiletransfer |
| macOS endpoints | | <Tanium Client>/TaniumCX |
| | | <Tanium Client>/TaniumSensorDebugger |
| | | <Tanium Client>/Tools/EPI/TaniumExecWrapper |
| | | <Tanium Client>/Tools/IR/TaniumExecWrapper |
| | | <Tanium Client>/Tools/EPI/TaniumEndpointIndex |
| | | <Tanium Client>/Tools/Trace/TaniumTraceWebsocketClient |
| | | <Tanium Client>/Tools/Trace/TaniumExecWrapper |
| | | <Tanium Client>/Tools/Detect3/TaniumDetectEngine |
| | 7.2.x clients | <Tanium Client>/python27/python |
| | 7.4.x clients | <Tanium Client>/python38/python |
| | | <Tanium Client>/libTaniumClientExtensions.dylib |
| | | <Tanium Client>/libTaniumClientExtensions.dylib.sig |
| | | <Tanium Client>/extensions/libTaniumThreatResponse.dylib |
| | | <Tanium Client>/extensions/libTaniumThreatResponse.dylib.sig |
| | | <Tanium Client>/extensions/libTaniumRecorder.dylib |
| | | <Tanium Client>/extensions/libTaniumRecorder.dylib.sig |
| | | <Tanium Client>/extensions/recorder/proc.bin |
| | | <Tanium Client>/extensions/recorder/recorder.db |
| | | <Tanium Client>/extensions/recorder/recorder.db-shm |
| | | <Tanium Client>/extensions/recorder/recorder.db-wal |
| | | <Tanium Client>/extensions/recorder/recorder.auditpipe |
| | | <Tanium Client>/extensions/core/libTaniumPythonCx.dylib |
| | | <Tanium Client>/extensions/core/libTaniumPythonCx.dylib.sig |
| | | <Tanium Client>/extensions/stream/*.py |
| | | <Tanium Client>/extensions/libTaniumDEC.dylib |
| | | <Tanium Client>/extensions/libTaniumDEC.dylib.sig |
| | | <Tanium Client>/extensions/libSupportCX.dylib |
| | | <Tanium Client>/extensions/libSupportCX.dylib.sig |
| | 1, 2 | <Tanium Client>/Downloads/Action_nnn/surge-collect |
| | 1, 2 | <Tanium Client>/Downloads/Action_nnn/surge.dat |
| | 1 | <Tanium Client>/Downloads/Action_nnn/osxpmem.app/osxpmem |
| | 1 | <Tanium Client>/Downloads/Action_nnn/taniumfiletransfer |

1 = nnn corresponds to the action ID.

2 = Exception is required only if Volexity Surge is used for memory collection.

3 = TPython requires SHA-2 support to allow installation.

Table 2:   Threat Response security exclusions

| Target device | Notes | Process |
|---|---|---|
| Tanium Zone Server | | <Zone Server>\proxy\node.exe |
| Windows x86 and x64 endpoints | | <Tanium Client>\Tools\EPI\TaniumExecWrapper.exe |
| | | <Tanium Client>\Tools\IR\TaniumExecWrapper.exe |
| | | <Tanium Client>\Tools\IR\TanFileInfo.exe |
| | | <Tanium Client>\Tools\IR\TaniumFileInfo.exe |
| | | <Tanium Client>\Tools\IR\TaniumHandle.exe |
| | | <Tanium Client>\Tools\IR\TanListModules.exe |
| | | <Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe |
| | | <Tanium Client>\Tools\Trace\TaniumTraceWebsocketClient.exe |
| | | <Tanium Client>\Tools\Trace\TaniumTraceWebsocketClient64.exe |
| | | <Tanium Client>\Tools\Trace\TaniumExecWrapper.exe |
| | | <Tanium Client>\Tools\recorder\TaniumRecorderCtl.exe |
| | | <Tanium Client>\Tools\Detect3\TaniumDetectEngine.exe |
| | | <Tanium Client>\extensions\TaniumRecorder.dll |
| | | <Tanium Client>\extensions\TaniumRecorder.dll.sig |
| | | <Tanium Client>\extensions\recorder\proc.bin |
| | | <Tanium Client>\extensions\recorder\recorder.db |
| | | <Tanium Client>\extensions\recorder\recorder.db-shm |
| | | <Tanium Client>\extensions\recorder\recorder.db-wal |
| | | <Tanium Client>\extensions\TaniumThreatResponse.dll |
| | | <Tanium Client>\extensions\TaniumThreatResponse.dll.sig |
| | | <Tanium Client>\extensions\core\libTaniumPythonCx.dll |
| | | <Tanium Client>\extensions\core\libTaniumPythonCx.dll.sig |
| | | <Tanium Client>\TaniumClientExtensions.dll |
| | | <Tanium Client>\TaniumClientExtensions.dll.sig |
| | | <Tanium Client>\Downloads\Action_nnn\TaniumFileTransfer.exe |
| | 1 | <Tanium Client>\Downloads\Action_nnn\Winpmem.gb414603.exe |
| | | <Tanium Client>\Tools\IR\TaniumPersistenceAnalyzer.exe |
| | | <Tanium Client>\Tools\IR\PowerForensics\PowerForensics.dll |
| | 7.4.x clients | <Tanium Client>\Python38\TPython.exe |
| | 7.4.x clients | <Tanium Client>\Python38\*.dll |
| | | <Tanium Client>\TaniumSensorDebugger.exe |
| | | <Tanium Client>\TaniumCX.exe |
| | | <Tanium Client>\extensions\TaniumDEC.dll |
| | | <Tanium Client>\extensions\TaniumDEC.dll.sig |
| Linux x86 and x64 endpoints | | <Tanium Client>/TaniumAuditPipe |
| | | <Tanium Client>/TaniumCX |
| | | <Tanium Client>/TaniumSensorDebugger |
| | | <Tanium Client>/Tools/EPI/TaniumExecWrapper |
| | | <Tanium Client>/Tools/IR/TaniumExecWrapper |
| | | <Tanium Client>/Tools/EPI/TaniumEndpointIndex |
| | | <Tanium Client>/Tools/Trace/TaniumTraceWebsocketClient |
| | | <Tanium Client>/Tools/Trace/TaniumExecWrapper |
| | | <Tanium Client>/Tools/Detect3/TaniumDetectEngine |
| | 7.4.x clients | <Tanium Client>/python38/python |
| | | <Tanium Client>/libTaniumClientExtensions.so |
| | | <Tanium Client>/libTaniumClientExtensions.so.sig |
| | | <Tanium Client>/extensions/libTaniumThreatResponse.so |
| | | <Tanium Client>/extensions/libTaniumThreatResponse.so.sig |
| | | <Tanium Client>/extensions/libTaniumRecorder.so |
| | | <Tanium Client>/extensions/libTaniumRecorder.so.sig |
| | | <Tanium Client>/extensions/recorder/proc.bin |
| | | <Tanium Client>/extensions/recorder/recorder.db |
| | | <Tanium Client>/extensions/recorder/recorder.db-shm |
| | | <Tanium Client>/extensions/recorder/recorder.db-wal |
| | | <Tanium Client>/extensions/recorder/recorder.auditpipe |
| | | <Tanium Client>/extensions/core/libTaniumPythonCx.so |
| | | <Tanium Client>/extensions/core/libTaniumPythonCx.so.sig |
| | | <Tanium Client>/extensions/libTaniumDEC.so |
| | | <Tanium Client>/extensions/libTaniumDEC.so.sig |
| | 1, 2 | <Tanium Client>/Downloads/Action_nnn/surge-collect |
| | 1, 2 | <Tanium Client>/Downloads/Action_nnn/surge.dat |
| | 1 | <Tanium Client>/Downloads/Action_nnn/linpmem-<version>.bin |
| | 1 | <Tanium Client>/Downloads/Action_nnn/taniumfiletransfer |
| macOS endpoints | | <Tanium Client>/TaniumCX |
| | | <Tanium Client>/TaniumSensorDebugger |
| | | <Tanium Client>/Tools/EPI/TaniumExecWrapper |
| | | <Tanium Client>/Tools/IR/TaniumExecWrapper |
| | | <Tanium Client>/Tools/EPI/TaniumEndpointIndex |
| | | <Tanium Client>/Tools/Trace/TaniumTraceWebsocketClient |
| | | <Tanium Client>/Tools/Trace/TaniumExecWrapper |
| | | <Tanium Client>/Tools/Detect3/TaniumDetectEngine |
| | 7.4.x clients | <Tanium Client>/python38/python |
| | | <Tanium Client>/libTaniumClientExtensions.dylib |
| | | <Tanium Client>/libTaniumClientExtensions.dylib.sig |
| | | <Tanium Client>/extensions/libTaniumThreatResponse.dylib |
| | | <Tanium Client>/extensions/libTaniumThreatResponse.dylib.sig |
| | | <Tanium Client>/extensions/libTaniumRecorder.dylib |
| | | <Tanium Client>/extensions/libTaniumRecorder.dylib.sig |
| | | <Tanium Client>/extensions/recorder/proc.bin |
| | | <Tanium Client>/extensions/recorder/recorder.db |
| | | <Tanium Client>/extensions/recorder/recorder.db-shm |
| | | <Tanium Client>/extensions/recorder/recorder.db-wal |
| | | <Tanium Client>/extensions/recorder/recorder.auditpipe |
| | | <Tanium Client>/extensions/core/libTaniumPythonCx.dylib |
| | | <Tanium Client>/extensions/core/libTaniumPythonCx.dylib.sig |
| | | <Tanium Client>/extensions/libTaniumDEC.dylib |
| | | <Tanium Client>/extensions/libTaniumDEC.dylib.sig |
| | 1, 2 | <Tanium Client>/Downloads/Action_nnn/surge-collect |
| | 1, 2 | <Tanium Client>/Downloads/Action_nnn/surge.dat |
| | 1 | <Tanium Client>/Downloads/Action_nnn/osxpmem.app/osxpmem |
| | 1 | <Tanium Client>/Downloads/Action_nnn/taniumfiletransfer |

1 = nnn corresponds to the action ID.

2 = Exception is required only if Volexity Surge is used for memory collection.
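The templates in the tables above use placeholders (<Tanium Client>, Action_nnn, <version>) and version-specific rows, so turning them into an exclusion list for a given endpoint, and checking whether a path an EDR alerted on is actually covered, is error-prone by hand. The script below is an added example written for this page, not Tanium tooling. It transcribes a subset of the Windows and Linux rows from Table 1; the default install directories are assumptions (pass root= to override), and the client version strings used in the demo are taken from the client requirements above.

```python
"""Expand the security-exclusion templates from the tables above into concrete
paths and test whether a given file path is covered by them.

Added example, not Tanium tooling. DEFAULT_ROOTS are assumed install directories.
"""
import fnmatch
from typing import List, Optional, Tuple

# Assumed default install roots; adjust to the environment.
DEFAULT_ROOTS = {
    "windows": r"C:\Program Files (x86)\Tanium\Tanium Client",
    "linux": "/opt/Tanium/TaniumClient",
}

# (template from Table 1, client major.minor versions it applies to, or None for all)
EXCLUSIONS: dict = {
    "windows": [
        (r"<Tanium Client>\Tools\IR\TaniumExecWrapper.exe", None),
        (r"<Tanium Client>\Tools\recorder\TaniumRecorderCtl.exe", None),
        (r"<Tanium Client>\Tools\Detect3\TaniumDetectEngine.exe", None),
        (r"<Tanium Client>\extensions\TaniumRecorder.dll", None),
        (r"<Tanium Client>\extensions\recorder\recorder.db", None),
        (r"<Tanium Client>\extensions\recorder\recorder.db-wal", None),
        (r"<Tanium Client>\extensions\stream\*.py", None),
        (r"<Tanium Client>\Downloads\Action_nnn\TaniumFileTransfer.exe", None),
        (r"<Tanium Client>\Python27\TPython.exe", ("7.2",)),
        (r"<Tanium Client>\Python38\TPython.exe", ("7.4",)),
        (r"<Tanium Client>\Python38\*.dll", ("7.4",)),
        (r"<Tanium Client>\TaniumCX.exe", None),
    ],
    "linux": [
        ("<Tanium Client>/TaniumAuditPipe", None),
        ("<Tanium Client>/TaniumCX", None),
        ("<Tanium Client>/Tools/Detect3/TaniumDetectEngine", None),
        ("<Tanium Client>/extensions/libTaniumRecorder.so", None),
        ("<Tanium Client>/extensions/recorder/recorder.auditpipe", None),
        ("<Tanium Client>/python27/python", ("7.2",)),
        ("<Tanium Client>/python38/python", ("7.4",)),
        ("<Tanium Client>/Downloads/Action_nnn/linpmem-<version>.bin", None),
        ("<Tanium Client>/Downloads/Action_nnn/taniumfiletransfer", None),
    ],
}


def _major_minor(version: str) -> str:
    """'7.4.1.1955' -> '7.4', the granularity the Notes column uses."""
    return ".".join(version.split(".")[:2])


def expand_exclusions(os_name: str, client_version: str, root: Optional[str] = None) -> List[str]:
    """Concrete exclusion patterns for one OS and client version. Action_nnn and
    <version> become wildcards, so one entry covers every action ID / release."""
    root = root or DEFAULT_ROOTS[os_name]
    mm = _major_minor(client_version)
    out = []
    for template, versions in EXCLUSIONS[os_name]:
        if versions is not None and mm not in versions:
            continue  # row does not apply to this client generation
        path = template.replace("<Tanium Client>", root)
        path = path.replace("Action_nnn", "Action_*").replace("<version>", "*")
        out.append(path)
    return out


def is_excluded(path: str, os_name: str, client_version: str, root: Optional[str] = None) -> bool:
    """True if path matches one of the expanded patterns. Windows paths compare
    case-insensitively. fnmatch's '*' also crosses directory separators, so the
    wildcard rows are slightly broader than a literal per-action entry would be."""
    patterns = expand_exclusions(os_name, client_version, root)
    if os_name == "windows":
        path = path.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(path, p) for p in patterns)


if __name__ == "__main__":
    for p in expand_exclusions("windows", "7.4.1.1955"):
        print(p)
    print(is_excluded(r"C:\Program Files (x86)\Tanium\Tanium Client\Downloads\Action_1234\evil.exe",
                      "windows", "7.4.1.1955"))
```

Keep the version filter: shipping the Python27 rows to a fleet that only runs 7.4.x clients leaves an exclusion in place for a directory nothing legitimate writes to.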

User role requirements

To do everything in Threat Response, including the features that integrate with other Tanium products, you need the following roles:

  • Threat Response Administrator role
  • Protect User role, to pivot from saved evidence into Protect rules and to create remediation policies as response actions
  • Reputation Administrator role, or Connect Administrator role if you are not using Reputation, to see reputation data
  • Show Interact role, to view the status results of endpoints
  • Connect User role, for the Connect integration for events and for creating the Connect Reputation connections

Last updated: 11/19/2020 3:34 PM