Requirements

Review the requirements before you install and use Threat Response.

Tanium dependencies

In addition to a license for the Threat Response product module, make sure that your environment also meets the following requirements.

Component | Requirement
Platform | 7.2.314.3550 or later. For more information, see Tanium Core Platform Installation Guide: Installing Tanium Server.
Tanium Client | For more information about specific Tanium Client versions, see Tanium Client Deployment Guide: Client host system requirements. For best results, the following Tanium Client versions are suggested:
  • 6.0.314.1540 (Windows)
  • 7.2.314.3211 (Linux, macOS, Windows)
  • 7.2.314.3476 (Linux, macOS, Windows)
  • 7.2.314.3518 (Linux, macOS, Windows)

Tanium™ Connect 4.1.0 to 4.10.5 is required for reputation data without Tanium™ Reputation.
Tanium Reputation 5.0 or later is required for reputation data with Tanium Connect 4.11 or later.
Tanium Protect 1.0.1 or later (optional).
Tanium Trends 1.0 or later (optional).

For information about activating product licenses, see Tanium Knowledge Base: Licensing.

Endpoint hardware and software requirements

The recorder and engine are supported on the same Linux and Mac endpoints as the Tanium Client. For Windows endpoints, a minimum of Windows 7 or Windows Server 2008 R2 is required. Windows 8.1 provides DNS event recording capability. Windows XP, Windows Server 2008, and Windows Server 2003 are not supported.

You can use the Tanium Event Recorder Driver or Microsoft Sysmon to record process and command-line events on supported Windows endpoints. To deploy the Tanium Event Recorder Driver to the endpoints, see Tanium Client Recorder Extension User Guide: Installing the Tanium Event Recorder Driver.

A minimum of 100 MB RAM is required on each endpoint device. By default, the endpoint database is 1 GB. The endpoint device must have three times the maximum database size available in free disk space. The CPU demand on the endpoint averages less than 1%.

For full functionality, a minimum of two CPUs per endpoint is recommended.

For Linux endpoints:

  • Install the most recent stable version of the audit daemon (auditd) and audispd-plugins. See the documentation for the specific operating system for instructions.
  • If the audit configuration uses immutable mode ("-e 2"), the Linux recorder inserts the Tanium audit rules ahead of the immutable flag. Because the audit rules cannot be changed once auditd is in immutable mode, an endpoint that uses the -e 2 flag must be restarted after the recorder is enabled for the rules to take effect.
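The immutable-mode caveat above is easy to check on an endpoint. The following script is an added example and not Tanium's own code: it verifies that every rule in an audit rules file precedes the "-e 2" flag (any rule after that flag is never loaded), and it reads the `enabled` line of `auditctl -s` output to tell whether the running audit subsystem is already locked, which is the situation where a restart is required. The rules files and the status text are constructed samples, and the rule key `tanium_exec` is an assumption, not a rule the recorder actually installs.

```shell
#!/bin/sh
# Added example (not Tanium's code): sanity checks around the immutable "-e 2"
# audit flag that the Linux recorder requirement refers to.

# audit_rules_ok FILE
#   Returns 0 when "-e 2" is absent or is the last active line of FILE
#   (every rule sits in front of the immutable flag, as the recorder expects).
#   Returns 1 when any rule follows "-e 2": those rules are never loaded.
audit_rules_ok() {
    seen_immutable=0
    while IFS= read -r line || [ -n "$line" ]; do
        # collapse whitespace so "-e  2" and "-e 2 " compare equal
        line=$(printf '%s\n' "$line" | tr -s ' \t' ' ' | sed 's/^ //; s/ $//')
        case "$line" in
            ''|'#'*) continue ;;   # skip blank lines and comments
        esac
        [ "$seen_immutable" -eq 1 ] && return 1
        [ "$line" = "-e 2" ] && seen_immutable=1
    done < "$1"
    return 0
}

# auditd_is_immutable STATUS_TEXT
#   STATUS_TEXT is the output of `auditctl -s`. Returns 0 when the running
#   audit subsystem reports "enabled 2", i.e. it is already locked: rules the
#   recorder adds now cannot be loaded until the endpoint is restarted.
auditd_is_immutable() {
    printf '%s\n' "$1" | grep -q '^enabled 2$'
}

# --- constructed sample inputs (not captured from a real endpoint) ---
tmpdir=$(mktemp -d)
cat > "$tmpdir/good.rules" <<'EOF'
# rules appended by the recorder sit in front of the immutable flag
-a always,exit -F arch=b64 -S execve -k tanium_exec
-e 2
EOF
cat > "$tmpdir/bad.rules" <<'EOF'
-e 2
# this rule comes after the flag and is rejected at load time
-a always,exit -F arch=b64 -S execve -k tanium_exec
EOF
SAMPLE_STATUS='enabled 2
failure 1
pid 812
rate_limit 0
backlog_limit 8192'

audit_rules_ok "$tmpdir/good.rules" && echo "good.rules: rule ordering OK"
audit_rules_ok "$tmpdir/bad.rules"  || echo "bad.rules: rules follow -e 2 and will not load"
if auditd_is_immutable "$SAMPLE_STATUS"; then
    echo "auditd is immutable: restart the endpoint after enabling the recorder"
fi
rm -rf "$tmpdir"
```

On a real endpoint, point `audit_rules_ok` at the file that `augenrules` assembles (typically /etc/audit/audit.rules) and feed `auditd_is_immutable` the live output of `auditctl -s`; both checks run without root if the files are readable.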

Threat Response tools deployment is not supported on Red Hat Enterprise Linux 8.0.

For Mac endpoints, macOS 10.11 or later is required.

Tanium Module Server computer resources

Threat Response is installed and runs as a service on the Module Server host computer. The impact on Module Server host computer sizing is minimal and depends on usage. Contact your Technical Account Manager (TAM) for details.

Third-party software

(Windows, Optional) Microsoft Sysmon

You can use the Tanium Event Recorder Driver or the latest released version of Microsoft Sysmon to record process and command-line events on supported Windows endpoints. To deploy the Tanium Event Recorder Driver to the endpoints, see Tanium Client Recorder Extension User Guide: Installing the Tanium Event Recorder Driver.

Sysmon supports Windows endpoints later than Windows 7. For Windows 8.1 or later and Windows Server 2012 R2 or later, Sysmon is not required. To configure Sysmon on endpoints, see Configure Sysmon.

Host and network security requirements

Specific ports and processes are needed to run Threat Response.

Ports

The following ports are required for Threat Response communication.

Component | Port number | Direction | Service | Purpose
Module Server | 17443 | Inbound | Threat Response service | Support for uploading snapshots.
Module Server | 17444 | Inbound | Threat Response service | Threat Response agents connecting to the Module Server for live connections to endpoints.
Module Server | 17449 | Outbound | Zone hub | (Optional) Tanium zone hub connection to Tanium zone proxy.
Module Server | 80 | Outbound | Threat Response service | Integration of intel streams.
Module Server | 443 | Outbound | Threat Response service | Integration of intel streams.
Zone Server | 17449 | Inbound | Zone proxy | (Optional) Tanium zone hub connection to Tanium zone proxy. This port only needs to be accessible from the internal network to the DMZ.
Zone Server | 17444 | Inbound | Zone proxy | (Optional) Connections from Threat Response agents.
Tanium Client | 17444 | Outbound | Tanium Client | WebsocketClient.exe connecting to the Module Server or the zone proxy for live connections.
Threat Response data collection | 443 (S3), 22 (SFTP/SCP), 21, or 445 (SMB) | Outbound | Threat Response data collection | Outbound connections over ports depending on how the collected data is being transferred.

Security exclusions

A security administrator must create exclusions to allow Tanium processes to run without interference if security software is in use in the environment to monitor and block unknown host system processes.

Table 1:   Threat Response security exclusions

Target device: Tanium Module Server
  <Tanium Module Server>\services\trace-service\node.exe
  <Tanium Module Server>\services\detect3\node.exe
  <Tanium Module Server>\services\detect3\twsm.exe
  <Tanium Module Server>\services\event-service\node.exe
  <Tanium Module Server>\services\event-service\twsm.exe
  <Tanium Module Server>\services\threat-response\node.exe
  <Tanium Module Server>\services\twsm-v1\twsm.exe

Target device: Tanium Zone Server
  <Trace Zone Proxy>\proxy\node.exe

Target device: Windows x86 and x64 endpoints
  <Tanium Client>\Tools\EPI\TaniumExecWrapper.exe
  <Tanium Client>\Tools\IR\TaniumExecWrapper.exe
  <Tanium Client>\Tools\IR\TanFileInfo.exe
  <Tanium Client>\Tools\IR\TaniumHandle.exe
  <Tanium Client>\Tools\IR\TanListModules.exe
  <Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe
  <Tanium Client>\Tools\Trace\TaniumTraceWebsocketClient.exe
  <Tanium Client>\Tools\Recorder\TaniumSQLiteQuery.exe
  <Tanium Client>\Tools\Trace\TaniumExecWrapper.exe
  <Tanium Client>\Tools\Detect3\TaniumDetectEngine.exe
  <Tanium Client>\Downloads\Action_nnn\TaniumFileTransfer.exe
  <Tanium Client>\Tools\IR\TaniumPersistenceAnalyzer.exe
  <Tanium Client>\Tools\IR\PowerForensics\PowerForensics.dll
  <Tanium Client>\Python27\TPython.exe
  <Installation Location>\sysmon.exe

Target device: Mac OS, and Linux x86 and x64 endpoints
  <Tanium Client>/Tools/EPI/TaniumExecWrapper
  <Tanium Client>/Tools/IR/TaniumExecWrapper
  <Tanium Client>/Tools/EPI/TaniumEndpointIndex
  <Tanium Client>/Tools/Trace/recorder (Linux)
  <Tanium Client>/Tools/Trace/TaniumRecorder (Mac)
  <Tanium Client>/Tools/Trace/TaniumTraceWebsocketClient
  <Tanium Client>/Tools/Trace/TaniumExecWrapper
  <Tanium Client>/Tools/Detect3/TaniumDetectEngine
  <Tanium Client>/python27/python
  <Tanium Client>/Downloads/Action_nnn/TaniumFileTransfer

Console roles and privileges

Table 2:   Threat Response user role permissions
Role columns: Threat Response Administrator, Threat Response User, Threat Response Read Only User, Threat Response Service Account

Permission | Description | Provided (1)
Detect Administrator User | Provides privileges for a Detect administrator.
Detect Alert Read | Access to read alerts | 1 1
Detect Alert Write | Access to modify alerts
Detect Intel Read (2) | Access to read intel | 1 1
Detect Intel Write | Access to modify intel
Detect Label Read | Access to read intel labels | 1 1
Detect Label Write | Access to modify intel labels
Detect Notification Read | Access to read notifications | 1 1
Detect Notification Write | Access to modify notifications
Detect Quickscan Read (2) | Access to read the results of quick scans | 1 1
Detect Quickscan Write | Access to run quick scans
Detect Source Read | Access to read sources | 1 1
Detect Source Write (2) | Access to modify sources
Detect Workbench User | Access to provide privileges for a user
Detect Use API | Perform Detect operations using the API | 1 1 1 1
Show Detect (3) | Access to the Detect workbench | 1
Show Threat Response (3) | Access to the Threat Response workbench | 1 1 1
Threat Response API Doc Read | View and list API Docs
Threat Response Configs Read | Access to read configurations
Threat Response Alert Deploy Action | Allows for action deployment from a Threat Response alert
Threat Response Configs Write | Access to create configurations
Threat Response Filters Read | Access to read filters
Threat Response Filters Write | Access to create filters
Threat Response Profiles Deploy | Access to deploy profiles to endpoints
Threat Response Profiles Read | Access to read profiles
Threat Response Profiles Write | Access to create profiles
Threat Response Response Actions Write | Enables users to create and stop response actions
Threat Response Response Actions Read | Enables users to view response actions | 1 1
Threat Response Service User | Access to perform service account administration
Threat Response Service User Read | Read configurations, intel, and alerts | 1
Threat Response Service User Write | Access to deploy configurations, deploy intel, gather alerts, gather group configuration stats, and ingest intel from streams
Threat Response Content Incident Response Administrator | Provides content privileges for Threat Response Incident Response administrators
Threat Response Content Incident Response User | Provides content privileges for Threat Response Incident Response users | 1
Threat Response Content Incident Response Readonly User | Provides content privileges for Threat Response Incident Response read only users | 1 1
Threat Response Content Index Administrator | Provides content privileges for Threat Response Index administrators
Threat Response Content Index User | Provides content privileges for Threat Response Index users | 1
Threat Response Content Detect User | Provides content privileges for Threat Response Detect users
Threat Response Intel Deploy | Allows deploying Threat Response Intel
Threat Response Logs Read | Allows viewing Threat Response logs
Threat Response Settings Write | Allows editing Threat Response settings
Threat Response Settings Read | Allows viewing Threat Response settings | 1
Threat Response Stats Read | Allows viewing Threat Response stats
Threat Response Tasks Read | Access to read Threat Response tasks
Threat Response Live Response Collection Configs Read | Access to read Threat Response Live Response Collection configurations | 1 1
Threat Response Live Response Collection Configs Write | Access to create Threat Response Live Response collection configurations
Threat Response Live Response Destinations Read | Access to read Threat Response Live Response destinations | 1 1
Threat Response Live Response Destinations Write | Access to create Threat Response Live Response destinations
Threat Response Live Response File Collector Sets Read | Access to read Threat Response Live Response file collector set configurations | 1 1
Threat Response Live Response File Collector Sets Write | Access to create Threat Response Live Response file collector sets
Threat Response Live Response Packages Generate | Access to create Threat Response Live Response packages
Threat Response Live Response Script Sets Read | Access to read Threat Response Live Response script set configuration information | 1 1
Threat Response Live Response Script Sets Write | Access to create Threat Response Script Sets
Threat Response Threat Response Live Response Modules Read | Access to read Threat Response Live Response module configuration information | 1
Threat Response Threat Response Audit Read | Allows viewing and exporting Threat Response Audit data
Threat Response Use API | Perform Threat Response operations using the API | 1 1 1
Show Trace (3) | Access to the Trace workbench | 1 1 1
Trace API Doc Read | View and list API Docs | 1 1 1
Trace Deployment Read | View and list deployments | 1 1
Trace Deployment Write | Deploy Trace to endpoints
Trace Endpoint Configuration Read | View and list endpoint configurations | 1 1 1
Trace Enterprise Hunting Read (2) | View and list sensors for enterprise hunting
Trace Exports Read | View and list exported events | 1 1
Trace Exports Write | Create and delete exported events
Trace File Downloads Read | View and list file downloads from live endpoints | 1 1
Trace File Downloads Write | Download and delete files from live connections
Trace IOCs Read (2) | View and list indicators of compromise | 1 1
Trace IOCs Write (2) | Create, edit, and delete indicators of compromise
Trace Live Connections Read | View and list live endpoint connections | 1 1
Trace Live Connections Write | Add, remove, and connect to live endpoints
Trace Live Connections File Delete | Delete files on endpoints from a live connection
Trace Live Connections Filesystem Browse | Browse the filesystem on live connections
Trace Protect Rules Write (2) | Create, edit, and delete Protect rules
Trace Saved Events Read | View and list saved events | 1 1
Trace Saved Events Write | Save events from live endpoint connections
Trace Snapshots Read | View and list snapshots | 1 1
Trace Snapshots Write | Capture and delete snapshots
Trace Use API | Perform Trace operations using the API | 1 1 1 1

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.

(1) Denotes a provided permission.

(2) Requires permissions for other modules or solutions to complete all tasks in other modules and see all content, such as Protect (version 1.3.0 or later), Connect (version 4.3.0 or later), or Interact. You can assign a role for another product, or create a custom role that lists just the specific privileges needed.

(3) To install Threat Response, you must have the reserved role of Administrator.

Table 3:   Provided Threat Response Micro Admin user role permissions
Permission | Threat Response Administrator | Threat Response User | Threat Response Read Only User | Threat Response Service Account
Read User

Table 4:   Provided Threat Response Advanced user role permissions
Permission | Content Set for Permission | Threat Response Administrator | Threat Response User | Threat Response Read Only User | Threat Response Service Account
Ask Dynamic Questions |
Read Sensor | Base
Read Sensor | Reserved
Read Sensor | Detect
Read Sensor | Detect Service
Read Sensor | Threat Response
Read Sensor | Trace Analysis
Read Sensor | Trace Deployment
Read Sensor | Incident Response
Read Sensor | Index
Write Sensor | Trace Deployment
Write Sensor | Incident Response
Read Action | Detect
Read Action | Detect Service
Read Action | Threat Response
Read Action | Incident Response
Read Action | Index
Write Action | Detect Service
Write Action | Detect
Write Action | Threat Response
Write Action | Trace Analysis
Write Action | Trace Deployment
Write Action | Incident Response
Write Action | Index
Read Plugin | Detect Service
Read Plugin | Threat Response Service
Execute Plugin | Detect
Execute Plugin | Detect Service
Execute Plugin | Threat Response
Execute Plugin | Threat Response Service
Execute Plugin | Trace Analysis
Read Package | Detect
Read Package | Incident Response
Read Package | Index
Write Package | Detect Service
Write Package | Threat Response
Write Package | Trace Analysis
Write Package | Trace Deployment
Write Package | Incident Response
Write Package | Index
Read Saved Question | Detect
Read Saved Question | Detect Service
Read Saved Question | Threat Response
Read Saved Question | Incident Response
Write Saved Question | Incident Response
Read Dashboard | Incident Response
Write Dashboard | Incident Response
Read Dashboard Group | Incident Response
Write Dashboard Group | Incident Response

For example, to do everything in Threat Response and its features that integrate with other Tanium products, you would need the following roles:

  • Threat Response Administrator role
  • Protect User role to pivot from saved evidence into Protect rules
  • Connect Administrator role or just the Connect Reputation Read privilege to see reputation data
  • Show Interact role to view the status results of endpoints

Provide the Bypass Action Approval Advanced Role to the Trace Analysis Content Set so that Trace users can make Live Connections to endpoints without having to go through action approval and still require approval on all other actions.

Last updated: 9/17/2019 1:47 PM