Threat Response requirements

Review the requirements before you install and use Threat Response.

Review the requirements before you use Threat Response.

In Threat Response 4.0this version of Threat Response, the Detect and Event services have been deprecated and replaced by the Threat Response service. The integration with the Threat Response service and the Threat Response Client Extension on the endpoints provides performance improvements and provides a platform for future capability, intelligence, and workflows around intel and alerting.

Threat Response 4.0This version of Threat Response includes API changes that require customers and partners to reconfigure API integrations. The API data format may be changed for many existing routes. Most of these changes have been made for consistency in what each API returns. From the Threat Response Workbench, click Help > API > See API documentation to review the Threat Response 4.0 API documentation to adjust your integrations appropriately.

For more information on the exact changes and required steps to ensure integrations work as intended, see Threat Response Version 4.0 API Changes.

License entitlements

The content that appears in the Threat Response workbench can differ depending on the type of license you have.

The following table illustrates the areas of the Threat Response workbench that are available for various types of licenses.

License	Detection configurations	Recorder configurations	Index configurations	Enterprise hunting	Live Response
Threat Response
Trace (Trace and Incident Response)
Detect (Detect and Incident Response)
Trace and Detect
Trace, Detect, and Incident Response	N/A	N/A	N/A	N/A	N/A
Trace only
Detect only
Incident Response only	N/A	N/A	N/A	N/A	N/A*
* = With an Incident Response license, you can use Live Response, however the Live Response workbench is not provided. See the Incident Response User Guide for more information on using Live Response

Core platform dependencies

Make sure that your environment meets the following requirements:

Tanium license that includes Threat Response
Tanium™ Core Platform servers: 7.4.3.1204 or later
Tanium™ Client:
Any supported version of Tanium Client. For more information about specific Tanium Client versions, see Tanium Client Management User Guide: Client version and host system requirements.
- (Linux, macOS*, Windows) Any supported version of Tanium Client
- (macOS 10.15.x and later) 7.2.314.3608 or later
* = macOS earlier than 10.15.x Catalina
Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements.
If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Computer group dependencies

When you first sign in to the Tanium Console after a fresh installation of Tanium Server 7.4.2 or later, the server Tanium™ Cloud automatically imports the computer groups that Threat Response requires:

All Computers
All Windows
All Linux
All Mac

For earlier versions of the Tanium Server, or after upgrading from an earlier version, you must manually create the computer groups. See Tanium Console User Guide: Create a computer group.

Solution dependencies

Other Tanium solutions are required for Threat Response to function (required dependencies) or for specific Threat Response features to work (feature-specific dependencies). The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.

Some Threat Response dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies and Feature-specific dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Threat Response requires.

Tanium recommended installation

If you select Tanium Recommended Installation when you import Threat Response, the Tanium Server automatically imports all your licensed solutions at the same time. See Tanium Console User Guide: Import all modules and services.

Import specific solutions

If you select only Threat Response to import and are using Tanium Core Platform 7.5.2.3531 with Tanium Console 3.0.72 or later, the Tanium Server automatically imports the latest available versions of any required dependencies that are missing. If some required dependencies are already imported but their versions are earlier than the minimum required for Threat Response, the server automatically updates those dependencies to the latest available versions.

If you select only Threat Response to import and you are using Tanium Core Platform 7.5.2.3503 or earlier with Tanium Console 3.0.64 or earlier, you must manually import or update required dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Required dependencies

Threat Response has the following required dependencies at the specified minimum versions:

Tanium™ Client Index Extension^*.
Tanium™ Client Recorder Extension^*.
Tanium™ Connect 4.1.0 to 4.10.5 is required for reputation data without Tanium™ Reputation.
Tanium™ Reputation 6.2.0 or later is required for reputation data with Tanium Connect 4.11 or later.
Tanium™ IR Quarantine 3.4.13. or later is required for isolating endpoints.
Tanium™ Direct Connect 2.2.77 or later is required for live endpoint connections.
Tanium Trends 3.6.331 or later.
Tanium Interact 2.8.102 or later.
Tanium Default Content 8.0.0 or later
Tanium Endpoint Configuration 1.2 or later (installed as part of Tanium Client Management 1.5 or later)
Tanium™ System User Service 1.0.77 or later
Tanium Secrets 1.0.185 or later

^*= The required version of this client extension is installed as part of Threat Response.

Feature-specific dependencies

If you select only Threat Response to import, you must manually import or update its feature-specific dependencies regardless of the Tanium Console or Tanium Core Platform versions. Threat Response has the following feature-specific dependencies at the specified minimum versions:

Tanium™ Enforce 1.6.0 or later is required for alert remediation.
Tanium Impact 1.5.68 or later is required to display Impact ratings for alerts.
Tanium Trends 3.6.331 or later is required to view visualizations that show current and historical data from endpoints.

Tanium™ Reveal 1.15 or later is required if Reveal exists in the same environment. Tanium Reveal is not a required Threat Response dependency.

Client extensions

Tanium Endpoint Configuration installs client extensions for Threat Response on Windows and Linux endpoints. Client Extensions perform tasks that are common to certain Tanium solutions. The Tanium Client uses code signatures to verify the integrity of each client extension prior to loading the extension on the endpoint. Each client extension has recommended security exclusions to allow the Tanium processes to run without interference. See Security exclusions for more information. The following client extensions perform Threat Response functions:

Core CX - Provides a management framework API for all other client extensions and exposes operating system metrics. Tanium Client Management installs this client extension.
Config CX - Provides installation and configuration of extensions on endpoints. Tanium Client Management installs this client extension.
DEC CX - Provides a direct connection between endpoint and Module ServerTanium Cloud. Tanium Direct Connect installs this client extension.
Index CX - Provides the ability to index the local file systems on endpoints. Tanium Asset, Tanium Integrity Monitor, Tanium Reveal, or Tanium Threat Response installs this client extension.
Py CX - Provides a library that enables communication between Python-based client extensions and Core CX. Tanium Integrity Monitor, Tanium Reveal, or Tanium Threat Response installs this client extension.
Recorder CX - Provides the ability to save event data on each endpoint and monitor the endpoint kernel and other low-level subsystems to capture a variety of events. Tanium Enforce, Tanium Integrity Monitor, Tanium Map, or Tanium Threat Response installs this client extension.
Support CX - Provides the ability to gather troubleshooting content from endpoints through Tanium Client Management. Tanium Client Management installs this client extension.
Stream CX - Provides the ability to gather large amounts of data from endpoints and send it to an external destination. Tanium Enforce or Tanium Threat Response installs this client extension.
Threat Response CX - Provides Threat Response functions on the endpoint. Tanium Threat Response installs this client extension.

Tanium™ Module Server

Threat Response is installed and runs as a service on the Module Server host computer. The impact on Module Server host computer sizing is minimal and depends on usage. For more information, see Contact Tanium Support. As a best practice, 250GB to 1TB of disk space is recommended to ensure available storage for snapshots and other saved Threat Response evidence.

Endpoints

The following endpoint operating systems are supported with Threat Response. The endpoint requirements for Threat Response are consistent with those used for Tanium Performance and Tanium Integrity Monitor. Threat Response uses the Tanium™ Client Recorder Extension to gather data from endpoints.

Operating System	Version
Windows	A minimum of Windows 7 (SP1) or Windows Server 2008 R2 (with SP1) is required. Windows 8.1 provides DNS event recording capability. Windows XP, Windows Server 2008, and Windows Server 2003 are not supported. Process injection monitoring is not supported on Windows 8.1 and Windows Server 2012 R2 and earlier. Windows 7 and Windows Server 2008 R2 operating systems must have the following Microsoft KBs installed: KB3033929 - "Availability of SHA-2 code signing support for Windows 7 and Windows Server 2008 R2." For details regarding KB3033929, see https://support.microsoft.com/en-us/help/3033929/microsoft-security-advisory-availability-of-sha-2-code-signing-support. KB4490628 - "Servicing stack update for Windows 7 SP1 and Windows Server 2008 R2 SP1." For details regarding KB4490628, see https://support.microsoft.com/en-us/topic/servicing-stack-update-for-windows-7-sp1-and-windows-server-2008-r2-sp1-march-12-2019-b4dc0cff-d4f2-a408-0cb1-cb8e918feeba. KB4474419 - "SHA-2 code signing support update for Windows Server 2008 R2, Windows 7, and Windows Server 2008." For details regarding 4474419, see https://support.microsoft.com/en-us/topic/sha-2-code-signing-support-update-for-windows-server-2008-r2-windows-7-and-windows-server-2008-september-23-2019-84a8aad5-d8d9-2d5c-6d78-34f9aa5f8339. The recorder forces a vacuum if the database size becomes too large to ensure that a continual vacuuming does not exist. A check to only vacuum once per day and at least one hour after system startup to make sure vacuum operations do not interfere with system boot.
macOS	Same as Tanium Client support. Live Response Memory Collection is not supported on macOS endpoints that use M1 ARM processors.
Linux	Same as Tanium Client support with the exceptions noted below. See Tanium Client Management User Guide: Client version and host system requirements. Systemd is required for the Linux autorun sensor to collect data. The Client Recorder Extension does not support CentOS and Red Hat Enterprise Linux versions 5.3 and earlier. Endpoints require version 5.4 or later of CentOS or Red Hat Enterprise Linux. eBPF as an event source for the Client Recorder Extension requires Red Hat Enterprise Linux, Oracle Enterprise Linux, CentOS versions 7.8 or later or Ubuntu 18.04 - 20.04. The debugfs file system is required. By default this is mounted under sys/kernel/debug. Make sure that sys/kernel/debug is not unmounted. If you are building a custom kernel, make sure that the DEBUG_FS option is enabled. DNS event recording capability is provided on Linux endpoints where eBPF is enabled. The Client Recorder Extension provides SELinux policies for the following distributions and versions: Red Hat Enterprise Linux (RHEL) 5.4 and later, 6.x, 7.x, and 8.x CentOS 5.4 and later, 6.x, 7.x, and 8.x Amazon Linux 2 LTS (2017.12) At this time, SELinux is not supported on other Linux distributions. Live Response Memory Collection is not supported on Amazon Linux 2 (ARM) endpoints. For Linux endpoints: Install the most recent stable version of the audit daemon and audispd-plugins. For information on deprecated parameters in the audit daemon configuration, see Tanium Client Recorder Extension User Guide. See the specific operating system documentation for instructions. Be aware that when using immutable "-e 2" mode, the recorder adds Tanium audit rules in front of the immutable flag. When using the -e 2 flag on Linux, the endpoint must be restarted after the recorder is enabled. Be aware that when using the failure "-f 2" mode, the Linux kernel panics in the event that auditd message is lost. The recorder does not add audit rules if this configuration is detected. If using eBPF for event data, the entire kernel headers package and the entire kernel devel package must be enabled on RHEL and CentOS versions 7.8 to 8.1 endpoints. This is a requirement of BCC. eBPF adds a BCC library that is compiled on the endpoint. This library is recompiled every time the endpoint is restarted.

Operating System

Version

Windows

A minimum of Windows 7 (SP1) or Windows Server 2008 R2 (with SP1) is required. Windows 8.1 provides DNS event recording capability. Windows XP, Windows Server 2008, and Windows Server 2003 are not supported.

Process injection monitoring is not supported on Windows 8.1 and Windows Server 2012 R2 and earlier.

Windows 7 and Windows Server 2008 R2 operating systems must have the following Microsoft KBs installed:
- KB3033929 - "Availability of SHA-2 code signing support for Windows 7 and Windows Server 2008 R2." For details regarding KB3033929, see https://support.microsoft.com/en-us/help/3033929/microsoft-security-advisory-availability-of-sha-2-code-signing-support.
- KB4490628 - "Servicing stack update for Windows 7 SP1 and Windows Server 2008 R2 SP1." For details regarding KB4490628, see https://support.microsoft.com/en-us/topic/servicing-stack-update-for-windows-7-sp1-and-windows-server-2008-r2-sp1-march-12-2019-b4dc0cff-d4f2-a408-0cb1-cb8e918feeba.
- KB4474419 - "SHA-2 code signing support update for Windows Server 2008 R2, Windows 7, and Windows Server 2008." For details regarding 4474419, see https://support.microsoft.com/en-us/topic/sha-2-code-signing-support-update-for-windows-server-2008-r2-windows-7-and-windows-server-2008-september-23-2019-84a8aad5-d8d9-2d5c-6d78-34f9aa5f8339.
The recorder forces a vacuum if the database size becomes too large to ensure that a continual vacuuming does not exist. A check to only vacuum once per day and at least one hour after system startup to make sure vacuum operations do not interfere with system boot.

macOS

Same as Tanium Client support.

Live Response Memory Collection is not supported on macOS endpoints that use M1 ARM processors.

Linux

Same as Tanium Client support with the exceptions noted below. See Tanium Client Management User Guide: Client version and host system requirements.

Systemd is required for the Linux autorun sensor to collect data.

The Client Recorder Extension does not support CentOS and Red Hat Enterprise Linux versions 5.3 and earlier. Endpoints require version 5.4 or later of CentOS or Red Hat Enterprise Linux.

eBPF as an event source for the Client Recorder Extension requires Red Hat Enterprise Linux, Oracle Enterprise Linux, CentOS versions 7.8 or later or Ubuntu 18.04 - 20.04. The debugfs file system is required. By default this is mounted under sys/kernel/debug. Make sure that sys/kernel/debug is not unmounted. If you are building a custom kernel, make sure that the DEBUG_FS option is enabled.

DNS event recording capability is provided on Linux endpoints where eBPF is enabled.

The Client Recorder Extension provides SELinux policies for the following distributions and versions:

Red Hat Enterprise Linux (RHEL) 5.4 and later, 6.x, 7.x, and 8.x
CentOS 5.4 and later, 6.x, 7.x, and 8.x
Amazon Linux 2 LTS (2017.12)

At this time, SELinux is not supported on other Linux distributions.

Live Response Memory Collection is not supported on Amazon Linux 2 (ARM) endpoints.

For Linux endpoints:

Install the most recent stable version of the audit daemon and audispd-plugins. For information on deprecated parameters in the audit daemon configuration, see Tanium Client Recorder Extension User Guide. See the specific operating system documentation for instructions.
Be aware that when using immutable "-e 2" mode, the recorder adds Tanium audit rules in front of the immutable flag. When using the -e 2 flag on Linux, the endpoint must be restarted after the recorder is enabled.
Be aware that when using the failure "-f 2" mode, the Linux kernel panics in the event that auditd message is lost. The recorder does not add audit rules if this configuration is detected.
If using eBPF for event data, the entire kernel headers package and the entire kernel devel package must be enabled on RHEL and CentOS versions 7.8 to 8.1 endpoints. This is a requirement of BCC. eBPF adds a BCC library that is compiled on the endpoint. This library is recompiled every time the endpoint is restarted.

Disk space requirements

By default, the endpoint database for Threat Response is 1GB in size. On installation, 100MB is reserved on on disk, and the database increases in size to up to 1GB before event pruning occurs. 3GB is recommended. Free disk space is checked when a snapshot is requested.

If Indexing is enabled, space should also be reserved for the Index database. The size of the database depends on several factors, including the types of hashes recorded, the types and number of exclusions to indexing, and the number of files present on the volumes indexed. For planning, a general guideline is that the database size is 1MB per 1GB of files on disk.

CPU and memory requirements

The CPU demand on the endpoint averages less than 1%.

The Client Recorder Extension does not start on endpoints with a single logical core without updating the CX.recorder.EnableSingleCpuRequirement configuration setting to 0. To update CX.recorder.EnableSingleCpuRequirement to 0, edit the Recorder - Set Recorder Extension Setting [OS] package to add a parameter with the configuration key EnableSingleCpuRequirement and a value of 0, and deploy the package to appropriate endpoints. Alternatively, you can run the following command from the Tanium Client directory on endpoints to update this configuration setting:

(Windows) TaniumClient.exe config set CX.recorder.EnableSingleCpuRequirement 0
(Linux and macOS) ./TaniumClient config set CX.recorder.EnableSingleCpuRequirement 0

A minimum of 4 GB RAM is recommended on each endpoint device.

Tanium Driver

The Tanium Driver records process and command-line events on supported Windows endpoints. The Tanium Driver is included in initial installations and any subsequent updates of Threat Response. To record event data from Windows endpoints, the Tanium Driver must be installed on endpoints. When you deploy a Threat Response profile to endpoints that includes a recorder configuration or a detection configuration that evaluates Signals intel, the Tanium Driver is installed on the target endpoints. Driver 3.0 introduces a new service on Windows endpoints named TaniumDriverSvc.

The latest version of the Tanium Driver is 3.x. If you are deploying the 3.x Tanium Driver to endpoints for the first time, a reboot of endpoints is not required for the driver to capture events, but a reboot is required to view complete process tree data.

If you are using Threat Response version 1.3 to 2.6.4, Tanium Driver version 1.x is provided.

If you are using Threat Response version 2.6.5 to 3.4, Tanium Driver version 2.x is provided.

If you are using Threat Response version 3.5 or later, Tanium Driver version 3.x is provided.

Host and network security requirements

Specific ports and processes are needed to run Threat Response.

Ports

The following ports are required for Threat Response communication.

Source	Destination	Port	Protocol	Purpose
Module Server	Direct Connect Zone Proxy	17487 (Direct Connect communication port) and 17488 (Direct Connect provision and status monitoring port)	TCP	(Optional) Tanium Direct Connect connection to Direct Connect Zone Proxy
	Module Server (loopback)	17466	TCP	Internal purposes, not externally accessible
	Intel provider	80, 443	TCP	Integration of intel streams
Tanium Server	Module Server	17477	TCP	Tanium Server initiates connections to the Module Server on port 17477
Tanium Client	Direct Connect	17475 (Direct Connect on Module Server) 17486 (Direct Connect Zone Proxy)	TCP	Connections to the Module Server or the Direct Connect Zone Proxy for live connections
Tanium Client	Live Response destination	443 (S3), 22 (SFTP/SCP), or 445 (SMB)	TCP	Outbound connections over ports depending on how the collected data is being transferred
Threat Response Stream configurations for Splunk (Required for Stream configurations to Splunk destinations)	Splunk	TCP (provided by a Splunk administrator)	TCP	The port for the stream communication to the host. This TCP port is provided by a Splunk administrator to correspond to a data source

Source	Destination	Port	Protocol	Purpose
Tanium Cloud	Intel provider	80, 443	TCP	Integration of intel streams
Tanium Client	Direct Connect	17486 (Direct Connect)	TCP	Live connections to Tanium Cloud
Tanium Client	Live Response destination	443 (S3), 22 (SFTP/SCP), or 445 (SMB)	TCP	Outbound connections over ports depending on how the collected data is being transferred
Threat Response Stream configurations for Splunk (Required for Stream configurations to Splunk destinations)	Splunk	TCP (provided by a Splunk administrator)	TCP	The port for the stream communication to the host. This TCP port is provided by a Splunk administrator to correspond to a data source

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Threat Response security exclusions
Target Device	Notes	Exclusion Type	Exclusion
Tanium Module Server		Process	<Module Server>\services\threat-response-service\node.exe
		Process	<Module Server>\services\twsm-v1\twsm.exe
		Process	<Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Tanium Zone Server		Process	<Tanium Installation Directory>\Tanium Direct Connect Zone Proxy\node.exe
Tanium Zone Server		Process	<Tanium Installation Directory>\Tanium Direct Connect Zone Proxy\twsm.exe
Windows x86 and x64 endpoints		Process	<Tanium Client>\Tools\IR\TaniumExecWrapper.exe
		Process	<Tanium Client>\Tools\IR\TanFileInfo.exe
		Process	<Tanium Client>\Tools\IR\TaniumFileInfo.exe
		Process	<Tanium Client>\Tools\IR\TaniumHandle.exe
		Process	<Tanium Client>\Tools\IR\TaniumListModules.exe
		File	<Tanium Client>\extensions\TaniumIndex.dll
		File	<Tanium Client>\extensions\TaniumIndex.dll.sig
		Process	<Tanium Client>\Tools\recorder\TaniumRecorderCtl.exe
		File	<Tanium Client>\extensions\TaniumRecorder.dll
		File	<Tanium Client>\extensions\TaniumRecorder.dll.sig
		File	<Tanium Client>\extensions\SupportCX.dll
		File	<Tanium Client>\extensions\SupportCX.dll.sig
		File	<Tanium Client>\extensions\recorder\proc.bin
		File	<Tanium Client>\extensions\recorder\recorder.db
		File	<Tanium Client>\extensions\recorder\recorder.db-shm
		File	<Tanium Client>\extensions\recorder\recorder.db-wal
		File	<Tanium Client>\extensions\index\index.db
		File	<Tanium Client>\extensions\index\index.db-shm
		File	<Tanium Client>\extensions\index\index.db-wal
		Process	<Tanium Client>\tools\driver\TaniumDriverCtl.exe
		Process	<Tanium Client>\tools\driver\TaniumDriverCtl64.exe
		Process	<Tanium Client>\tools\driver\TaniumDriverSvc.exe
		Process	<Tanium Client>\tools\driver\TaniumDriverSvc64.exe
		Process	<Tanium Client>\tools\driver\service\TaniumDriverSvc.exe
		Process	<Tanium Client>\tools\driver\service\TaniumDriverSvc64.exe
		File	<Tanium Client>\tools\driver\TaniumProcessMonitor.dll
		File	<Tanium Client>\tools\driver\TaniumProcessMonitor64.dll
		File	<Tanium Client>\extensions\TaniumThreatResponse.dll
		File	<Tanium Client>\extensions\TaniumThreatResponse.dll.sig
		File	<Tanium Client>\extensions\core\TaniumPythonCx.dll
		File	<Tanium Client>\extensions\core\TaniumPythonCx.dll.sig
		Folder	<Tanium Client>\extensions\stream
		File	<Tanium Client>\TaniumClientExtensions.dll
		File	<Tanium Client>\TaniumClientExtensions.dll.sig
	¹	Process	<Tanium Client>\Downloads\Action_*\TaniumFileTransfer.exe
	¹	Process	<Tanium Client>\Downloads\Action_*\Winpmem.gb414603.exe
		Process	<Tanium Client>\Tools\IR\TaniumPersistenceAnalyzer.exe
		File	<Tanium Client>\Tools\IR\PowerForensics\PowerForensics.dll
	7.2.x clients, ³	Process	<Tanium Client>\Python27\TPython.exe
	7.4.x clients, ³	Process	<Tanium Client>\Python38\TPython.exe
	7.2.x clients	Folder	<Tanium Client>\Python27
	7.4.x clients	Folder	<Tanium Client>\Python38
		Process	<Tanium Client>\TaniumCX.exe
		File	<Tanium Client>\extensions\TaniumDEC.dll
		File	<Tanium Client>\extensions\TaniumDEC.dll.sig
		File	C:\Windows\System32\drivers\TaniumRecorderDrv.sys
		File	C:\Windows\SysWOW64\TaniumProcessMonitor.dll
		File	C:\Windows\system32\drivers\TaniumProcessMonitor.dll
Linux x86 and x64 endpoints		Process	<Tanium Client>/extensions/recorder/TaniumAuditPipe
		Process	<Tanium Client>/TaniumCX
		Process	<Tanium Client>/Tools/IR/TaniumExecWrapper
		File	<Tanium Client>/extensions/libTaniumIndex.so
		File	<Tanium Client>/extensions/libTaniumIndex.so.sig
	7.2.x clients	Folder	<Tanium Client>/python27
	7.2.x clients	Process	<Tanium Client>/python27/python
	7.2.x clients	Process	<Tanium Client>/python27/bin/pybin
	7.4.x clients	Folder	<Tanium Client>/python38
	7.4.x clients	Process	<Tanium Client>/python38/python
		File	<Tanium Client>/libTaniumClientExtensions.so
		File	<Tanium Client>/libTaniumClientExtensions.so.sig
		File	<Tanium Client>/libSupportCX.so
		File	<Tanium Client>/libSupportCX.so.sig
		File	<Tanium Client>/extensions/libTaniumThreatResponse.so
		File	<Tanium Client>/extensions/libTaniumThreatResponse.so.sig
		File	<Tanium Client>/extensions/libTaniumRecorder.so
		File	<Tanium Client>/extensions/libTaniumRecorder.so.sig
		File	<Tanium Client>/extensions/recorder/proc.bin
		File	<Tanium Client>/extensions/recorder/recorder.db
		File	<Tanium Client>/extensions/recorder/recorder.db-shm
		File	<Tanium Client>/extensions/recorder/recorder.db-wal
		File	<Tanium Client>/extensions/recorder/recorder.auditpipe
		File	<Tanium Client>/extensions/index/index.db
		File	<Tanium Client>/extensions/index/index.db-shm
		File	<Tanium Client>/extensions/index/index.db-wal
		File	<Tanium Client>/extensions/core/libTaniumPythonCx.so
		File	<Tanium Client>/extensions/core/libTaniumPythonCx.so.sig
		File	<Tanium Client>/extensions/libTaniumDEC.so
		File	<Tanium Client>/extensions/libTaniumDEC.so.sig
		Folder	<Tanium Client>/extensions/stream
	¹,²	Process	<Tanium Client>/Downloads/Action_*/surge-collect
	¹,²	File	<Tanium Client>/Downloads/Action_*/surge.dat
	¹	File	<Tanium Client>/Downloads/Action_/linpmem-.bin
	¹	Process	<Tanium Client>/Downloads/Action_*/taniumfiletransfer
macOS endpoints		Process	<Tanium Client>/TaniumCX
		Process	<Tanium Client>/Tools/IR/TaniumExecWrapper
		File	<Tanium Client>/extensions/libTaniumIndex.dylib
		File	<Tanium Client>/extensions/libTaniumIndex.dylib.sig
	7.2.x clients	Folder	<Tanium Client>/python27
	7.2.x clients	Process	<Tanium Client>/python27/python
	7.4.x clients	Folder	<Tanium Client>/python38
	7.4.x clients	Process	<Tanium Client>/python38/python
		File	<Tanium Client>/libTaniumClientExtensions.dylib
		File	<Tanium Client>/libTaniumClientExtensions.dylib.sig
		File	<Tanium Client>/extensions/libTaniumThreatResponse.dylib
		File	<Tanium Client>/extensions/libTaniumThreatResponse.dylib.sig
		File	<Tanium Client>/extensions/libTaniumRecorder.dylib
		File	<Tanium Client>/extensions/libTaniumRecorder.dylib.sig
		File	<Tanium Client>/extensions/recorder/proc.bin
		File	<Tanium Client>/extensions/recorder/recorder.db
		File	<Tanium Client>/extensions/recorder/recorder.db-shm
		File	<Tanium Client>/extensions/recorder/recorder.db-wal
		File	<Tanium Client>/extensions/recorder/recorder.auditpipe
		File	<Tanium Client>/extensions/core/libTaniumPythonCx.dylib
		File	<Tanium Client>/extensions/index/index.db
		File	<Tanium Client>/extensions/index/index.db-shm
		File	<Tanium Client>/extensions/index/index.db-wal
		File	<Tanium Client>/extensions/core/libTaniumPythonCx.dylib.sig
		Folder	<Tanium Client>/extensions/stream
		File	<Tanium Client>/extensions/libTaniumDEC.dylib
		File	<Tanium Client>/extensions/libTaniumDEC.dylib.sig
		File	<Tanium Client>/extensions/libSupportCX.dylib
		File	<Tanium Client>/extensions/libSupportCX.dylib.sig
	¹,²	Process	<Tanium Client>/Downloads/Action_*/surge-collect
	¹,²	File	<Tanium Client>/Downloads/Action_*/surge.dat
	¹	Process	<Tanium Client>/Downloads/Action_*/osxpmem.app/osxpmem
	¹	Process	<Tanium Client>/Downloads/Action_*/taniumfiletransfer
¹ = Where * corresponds to the action ID or the version of linpmem. ² = Exception is required if Volexity Surge is used for memory collection. ³ = TPython requires SHA2 support to allow installation.

Threat Response security exclusions
Target Device	Notes	Exclusion Type	Exclusion
Tanium Zone Server		Process	<Tanium Installation Directory>\Tanium Direct Connect Zone Proxy\node.exe
Tanium Zone Server		Process	<Tanium Installation Directory>\Tanium Direct Connect Zone Proxy\twsm.exe
Windows x86 and x64 endpoints		Process	<Tanium Client>\Tools\IR\TaniumExecWrapper.exe
		Process	<Tanium Client>\Tools\IR\TanFileInfo.exe
		Process	<Tanium Client>\Tools\IR\TaniumFileInfo.exe
		Process	<Tanium Client>\Tools\IR\TaniumHandle.exe
		Process	<Tanium Client>\Tools\IR\TaniumListModules.exe
		File	<Tanium Client>\extensions\TaniumIndex.dll
		File	<Tanium Client>\extensions\TaniumIndex.dll.sig
		Process	<Tanium Client>\Tools\recorder\TaniumRecorderCtl.exe
		File	<Tanium Client>\extensions\TaniumRecorder.dll
		File	<Tanium Client>\extensions\TaniumRecorder.dll.sig
		File	<Tanium Client>\extensions\recorder\proc.bin
		File	<Tanium Client>\extensions\recorder\recorder.db
		File	<Tanium Client>\extensions\recorder\recorder.db-shm
		File	<Tanium Client>\extensions\recorder\recorder.db-wal
		File	<Tanium Client>\extensions\TaniumThreatResponse.dll
		File	<Tanium Client>\extensions\index\index.db
		File	<Tanium Client>\extensions\index\index.db-shm
		File	<Tanium Client>\extensions\index\index.db-wal
		File	<Tanium Client>\extensions\TaniumThreatResponse.dll.sig
		File	<Tanium Client>\extensions\core\TaniumPythonCx.dll
		File	<Tanium Client>\extensions\core\TaniumPythonCx.dll.sig
		File	<Tanium Client>\TaniumClientExtensions.dll
		File	<Tanium Client>\TaniumClientExtensions.dll.sig
	¹	Process	<Tanium Client>\Downloads\Action_*\TaniumFileTransfer.exe
	¹	Process	<Tanium Client>\Downloads\Action_*\Winpmem.gb414603.exe
		Process	<Tanium Client>\Tools\IR\TaniumPersistenceAnalyzer.exe
		File	<Tanium Client>\Tools\IR\PowerForensics\PowerForensics.dll
	7.4.x clients	Process	<Tanium Client>\Python38\TPython.exe
	7.4.x clients	Folder	<Tanium Client>\Python38
		Process	<Tanium Client>\TaniumCX.exe
		File	<Tanium Client>\extensions\TaniumDEC.dll
		File	<Tanium Client>\extensions\TaniumDEC.dll.sig
		File	C:\Windows\System32\drivers\TaniumRecorderDrv.sys
		File	C:\Windows\SysWOW64\TaniumProcessMonitor.dll
		File	C:\Windows\system32\drivers\TaniumProcessMonitor.dll
		Process	<Tanium Client>\tools\driver\TaniumDriverCtl.exe
		Process	<Tanium Client>\tools\driver\TaniumDriverCtl64.exe
		Process	<Tanium Client>\tools\driver\TaniumDriverSvc.exe
		Process	<Tanium Client>\tools\driver\TaniumDriverSvc64.exe
		Process	<Tanium Client>\tools\driver\service\TaniumDriverSvc.exe
		Process	<Tanium Client>\tools\driver\service\TaniumDriverSvc64.exe
Linux x86 and x64 endpoints		Process	<Tanium Client>/extensions/recorder/TaniumAuditPipe
		Process	<Tanium Client>/TaniumCX
		Process	<Tanium Client>/Tools/IR/TaniumExecWrapper
	7.4.x clients	Folder	<Tanium Client>/python38
	7.4.x clients	Process	<Tanium Client>/python38/python
		File	<Tanium Client>/libTaniumClientExtensions.so
		File	<Tanium Client>/libTaniumClientExtensions.so.sig
		File	<Tanium Client>/extensions/libTaniumThreatResponse.so
		File	<Tanium Client>/extensions/libTaniumThreatResponse.so.sig
		File	<Tanium Client>/extensions/libTaniumRecorder.so
		File	<Tanium Client>/extensions/libTaniumRecorder.so.sig
		File	<Tanium Client>/extensions/recorder/proc.bin
		File	<Tanium Client>/extensions/recorder/recorder.db
		File	<Tanium Client>/extensions/recorder/recorder.db-shm
		File	<Tanium Client>/extensions/recorder/recorder.db-wal
		File	<Tanium Client>/extensions/recorder/recorder.auditpipe
		File	<Tanium Client>/extensions/index/index.db
		File	<Tanium Client>/extensions/index/index.db-shm
		File	<Tanium Client>/extensions/index/index.db-wal
		File	<Tanium Client>/extensions/core/libTaniumPythonCx.so
		File	<Tanium Client>/extensions/core/libTaniumPythonCx.so.sig
		File	<Tanium Client>/extensions/libTaniumDEC.so
		File	<Tanium Client>/extensions/libTaniumDEC.so.sig
		File	<Tanium Client>/extensions/libTaniumIndex.so
		File	<Tanium Client>/extensions/libTaniumIndex.so.sig
	¹,²	Process	<Tanium Client>/Downloads/Action_*/surge-collect
	¹,²	File	<Tanium Client>/Downloads/Action_*/surge.dat
	¹	File	<Tanium Client>/Downloads/Action_/linpmem-.bin
	¹	Process	<Tanium Client>/Downloads/Action_*/taniumfiletransfer
macOS endpoints		Process	<Tanium Client>/TaniumCX
		Process	<Tanium Client>/Tools/IR/TaniumExecWrapper
		File	<Tanium Client>/extensions/libTaniumIndex.dylib
		File	<Tanium Client>/extensions/libTaniumIndex.dylib.sig
	7.4.x clients	Folder	<Tanium Client>/python38
	7.4.x clients	Process	<Tanium Client>/python38/python
		File	<Tanium Client>/libTaniumClientExtensions.dylib
		File	<Tanium Client>/libTaniumClientExtensions.dylib.sig
		File	<Tanium Client>/extensions/libTaniumThreatResponse.dylib
		File	<Tanium Client>/extensions/libTaniumThreatResponse.dylib.sig
		File	<Tanium Client>/extensions/libTaniumRecorder.dylib
		File	<Tanium Client>/extensions/libTaniumRecorder.dylib.sig
		File	<Tanium Client>/extensions/recorder/proc.bin
		File	<Tanium Client>/extensions/recorder/recorder.db
		File	<Tanium Client>/extensions/recorder/recorder.db-shm
		File	<Tanium Client>/extensions/recorder/recorder.db-wal
		File	<Tanium Client>/extensions/recorder/recorder.auditpipe
		File	<Tanium Client>/extensions/index/index.db
		File	<Tanium Client>/extensions/index/index.db-shm
		File	<Tanium Client>/extensions/index/index.db-wal
		File	<Tanium Client>/extensions/core/libTaniumPythonCx.dylib
		File	<Tanium Client>/extensions/core/libTaniumPythonCx.dylib.sig
		File	<Tanium Client>/extensions/libTaniumDEC.dylib
		File	<Tanium Client>/extensions/libTaniumDEC.dylib.sig
	¹,²	Process	<Tanium Client>/Downloads/Action_*/surge-collect
	¹,²	File	<Tanium Client>/Downloads/Action_*/surge.dat
	¹	Process	<Tanium Client>/Downloads/Action_*/osxpmem.app/osxpmem
	¹	Process	<Tanium Client>/Downloads/Action_*/taniumfiletransfer
¹ = Where * corresponds to the action ID or the version of linpmem. ² = Exception is required if Volexity Surge is used for memory collection. ³ = TPython requires SHA2 support to allow installation.

User role requirements

To do everything in Threat Response and its features that integrate with other Tanium solutions, you would need the following roles:

Threat Response Administrator role
Reputation Operator and Connect Administrator(if not using Reputation) role privileges to see reputation data
Show Interact role to view the status results of endpoints
Connect User role for Connect integration for events and for creating the Connect Reputation connections
Enforce User role for creating remediation policies as response actions and to pivot from saved evidence into Enforce rules

The following tables list the role permissions required to use Threat Response. To review a summary of the predefined roles, see Set up Threat Response users.

Threat Response user role permissions

Threat Response user role permissions
Permission	Threat Response Administrator^1,2,3,6,7	Threat Response Operator^1,2,3,6,7	Threat Response User^1,2,6,7	Threat Response Read Only User^1,2,6,7,8	Threat Response Endpoint Configuration Approver^1,3
Threat Response⁵ Access to the Threat Response workbench	SHOW	SHOW	SHOW	SHOW	SHOW
Threat Response Alert Deploy Allows for action deployment from a Threat Response alert	ACTION	ACTION	ACTION
Threat Response Alerts Access to read and modify alerts	READ WRITE	READ WRITE	READ WRITE	READ
Threat Response API Perform Threat Response operations using the API	EXECUTE	EXECUTE	EXECUTE	EXECUTE	EXECUTE
Threat Response API Doc View and list API Docs	READ	READ	READ	READ
Threat Response Audit Allows viewing and exporting Threat Response Audit data	READ	READ
Threat Response Configs Access to read and create configurations	READ WRITE	READ WRITE	READ		READ
Threat Response Content Provides content privileges for Threat Response users	USER	USER	USER
Threat Response Content Incident Response Provides content privileges for Threat Response Incident Response users	USER	USER	USER
Threat Response Content Incident Response Administrator Provides content privileges for Threat Response Incident Response administrators	ADMINISTRATOR	ADMINISTRATOR
Threat Response Content Incident Response Readonly Provides content privileges for Threat Response Incident Response read only users	USER	USER	USER	USER
Threat Response Content Index Provides content privileges for Threat Response Index users	USER	USER	USER	USER
Threat Response Content Index Administrator Provides content privileges for Threat Response Index administrators	ADMINISTRATOR	ADMINISTRATOR
Threat Response Content Readonly Provides content privileges for Threat Response Readonly users	USER	USER	USER	USER
Threat Response Data Collection Identify Allows the user to use the TDS Oracle service to get EIDs	WRITE
Threat Response Direct Connect Allows bypassing Direct Connect action approvals	BYPASS	BYPASS	BYPASS
Threat Response Downloads Read and manage downloaded files from live connections	READ WRITE	READ WRITE	READ WRITE	READ
Threat Response Endpoint Configuration Enables approver privileges in Tanium Endpoint Configuration for Threat Response configuration changes		DISMISS REJECT			APPROVE
Threat Response Enterprise Hunting ¹ View and list sensors for enterprise hunting	READ	READ WRITE	READ	READ	READ
Threat Response Examine Permission intended for possible future use	WRITE	WRITE	WRITE
Threat Response Exports Create, view, and delete exported events	READ WRITE	READ WRITE	READ WRITE	READ
Threat Response Filters Access to read and create filters	READ WRITE	READ WRITE	READ		READ
Threat Response Health Status Allows use of health status actions	WRITE
Threat Response Intel Allows creating, viewing, and deploying Threat Response Intel	DEPLOY READ WRITE	DEPLOY READ WRITE
Threat Response Investigation Permission intended for possible future use	READ WRITE	READ WRITE	READ WRITE	READ
Threat Response Labels Access to read and modify intel labels	READ WRITE	READ WRITE	READ WRITE	READ
Threat Response Live Connection Allows setting and viewing live connections to endpoints	READ WRITE	READ WRITE	READ	READ ¹¹
Threat Response Live Connection File Allows deletion of a file on the endpoint during a live connection	DELETE	DELETE
Threat Response Live Connections Filesystem Browse the filesystem on live connections	BROWSE	BROWSE	BROWSE	BROWSE
Threat Response Live Response Collection Configs Access to read and create Threat Response Live Response Collection configurations	READ WRITE	READ WRITE	READ	READ
Threat Response Live Response Destinations Access to read and createThreat Response Live Response destinations	READ WRITE	READ WRITE	READ	READ
Threat Response Live Response File Collector Sets Access to read and create Threat Response Live Response file collector set configurations	READ WRITE	READ WRITE	READ	READ
Threat Response Live Response Modules Access to read Threat Response Live Response module configuration information	READ WRITE	READ WRITE	READ	READ
Threat Response Live Response Packages Access to create Threat Response Live Response packages	GENERATE	GENERATE
Threat Response Live Response Script Sets Access to read and create Threat Response Live Response script set configuration information	READ WRITE	READ WRITE	READ	READ
Threat Response Logs Allows viewing Threat Response logs	READ
Threat Response Notification Access to read and modify notifications	READ WRITE	READ WRITE	READ WRITE	READ
Threat Response On Demand Scans ⁴ Access to run and read the results of on-demand scans	READ WRITE	READ WRITE	READ WRITE	READ
Threat Response Operator Settings Allows the operator to read and modify available settings	READ WRITE	READ WRITE
Threat Response Operator Status Allows the operator to view the module status	READ		READ	READ
Threat Response Override Scan Allows for overriding scan blockout windows on endpoints.	BLOCKOUTS	BLOCKOUTS
Threat Response Profiles Access to read, create, and deploy profiles	READ WRITE DEPLOY	READ WRITE DEPLOY	READ		READ
Threat Response Reputation Allows operations against Reputation	READ INTEGRATIONS	READ INTEGRATIONS	READ	READ
Threat Response Response Actions Enables users to view, create, and stop response actions	READ WRITE	READ WRITE	READ WRITE	READ
Threat Response Saved Evidence View and save events from live endpoint connections	READ WRITE	READ WRITE	READ WRITE
Threat Response Service User Access to perform service account administration	READ WRITE
Threat Response Settings Allows viewing and editing Threat Response settings	READ WRITE		READ	READ
Threat Response Snapshot Capture,view, and delete snapshots	READ WRITE	READ WRITE	READ WRITE	READ
Threat Response Sources ⁴ Access to read and modify sources	READ WRITE	READ WRITE	READ WRITE	READ
Threat Response Stats Allows viewing Threat Response stats	READ	READ	READ	READ
Threat Response Status Allows the operator to view status information	READ	READ	READ	READ
Threat Response Suppression Rules Create, edit, view, list, and delete suppression rules	READ WRITE	READ WRITE	READ WRITE	READ
Threat Response Tasks Access to read Threat Response tasks	READ	READ	READ	READ
Threat Response Trends Board Allows the user to view Trends data	READ	WRITE
Threat Response Visibility Bypass Enables users to view all alerts and saved evidence regardless of computer group membership	READ	READ
For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups. ¹ This role provides module permissions for Tanium Trends. For more information, see the Tanium Trends User Guide: User role requirements. ² This role provides module permissions for Tanium Reputation. For more information, see the Tanium Reputation User Guide: User role requirements. ³ This role provides module permissions for Tanium Endpoint Configuration. For more information, see the Tanium Endpoint Configuration User Guide: User role requirements. ⁴ Requires permissions for other modules or solutions to complete all tasks in other modules and see all content; such as Protect (version 1.3.0 or later), Connect (version 4.3.0 or later), or Interact. You can assign a role for another product, or create a custom role that lists just the specific privileges needed. ⁵ To install Threat Response, you must have the Import Signed Content micro admin permission (Tanium Core Platform 7.4 or later) or the reserved role of Administrator. ⁶ This role provides module permissions for Tanium Interact and Tanium Data Service. For more information, see the Tanium Interact User Guide: User role requirements. ⁷ This role provides module permissions for Tanium Direct Connect. You can view which Direct Connect permissions are granted to this role in the Tanium Console. For more information, see the Tanium Direct Connect User Guide: User role requirements. ⁸ The Threat Response Read Only User role does not have the ability to create live endpoint direct connections. The Threat Response User role is required as a minimum for creating live endpoint connections.

Provided Threat Response administration and platform content permissions
Permission	Permission Type	Threat Response Administrator¹	Threat Response Operator	Threat Response User	Threat Response Read Only User	Threat Response Endpoint Configuration Approver
Action Group	Administration	READ	READ	READ
Computer Group	Administration	READ	READ	READ	READ	READ
User	Administration	READ
Allowed URLs	Administration
Action	Platform Content	READ WRITE	READ WRITE	WRITE
Dashboard	Platform Content	READ WRITE	READ WRITE	READ	READ
Dashboard Group	Platform Content	READ WRITE	READ WRITE	READ	READ
Filter Group	Platform Content	READ	READ	READ	READ	READ
Own Action	Platform Content	READ	READ	READ
Package	Platform Content	READ WRITE	READ WRITE	READ	READ
Plugin	Platform Content	READ EXECUTE	READ EXECUTE	READ EXECUTE	READ EXECUTE	READ EXECUTE
Saved Question	Platform Content	READ WRITE	READ WRITE	READ	READ
Sensor	Platform Content	READ WRITE	READ WRITE	READ	READ
To view which content set permissions are granted to a role, see Tanium Console User Guide: View effective role permissions. ¹ This role provides content set permissions for Tanium Reputation. You can view which Reputation content sets are granted to this role in the Tanium Console. For more information, see Tanium Reputation User Guide: User role requirements. ² This role provides content set permissions for Tanium Direct Connect. You can view which Direct Connect content sets are granted to this role in the Tanium Console. For more information, see Tanium Direct Connect User Guide: User role requirements.

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.