Threat Response requirements

Review the requirements before you install and use Threat Response.

License entitlements

The content that appears in the Threat Response workbench can differ depending on the type of license you have.

The following table illustrates the areas of the Threat Response workbench that are available for various types of licenses.

License | Intel configurations | Engine configurations | Recorder configurations | Index configurations | Enterprise hunting | Live Response
Threat Response
Trace (Trace and Incident Response)
Detect (Detect and Incident Response)
Trace and Detect
Trace, Detect, and Incident Response N/A N/A N/A N/A N/A N/A
Trace only
Detect only
Incident Response only N/A N/A N/A N/A N/A N/A*
* = With an Incident Response license, you can use Live Response; however, the Live Response workbench is not provided. See the Incident Response User Guide for more information on using Live Response.

Tanium dependencies

In addition to a license for the Threat Response product module, make sure that your environment also meets the following requirements.

Component Requirement
Tanium™ Core Platform 7.3.314.4250 or later.

For more information, see Tanium Core Platform Installation Guide: Installing Tanium Server.
Tanium™ Client

Any supported version of Tanium Client. For more information about specific Tanium Client versions, see Tanium Client Management User Guide: Client version and host system requirements.

One of the following Tanium Client versions is required, depending on OS:

  • (Linux, MacOS*, Windows) Any supported version of Tanium Client
  • (MacOS 10.15.x and later) 7.2.314.3608 or later

* = MacOS earlier than 10.15.x Catalina

If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Tanium products If you clicked the Install with Recommended Configurations button when you installed Threat Response, the Tanium Server automatically installed all your licensed modules at the same time. Otherwise, you must manually install the modules that Threat Response requires to function, as described under Tanium Console User Guide: Manage Tanium modules.

The following modules are required for features of Threat Response to function. The given versions are the minimum required:

  • Tanium™ Connect 4.1.0 to 4.10.5 is required for reputation data without Tanium™ Reputation.
  • Tanium™ Reputation 5.0 or later is required for reputation data with Tanium Connect 4.11 or later.
  • Tanium™ Protect 2.1.0 or later is required for alert remediation.
  • Tanium™ Enforce 1.6.0 or later is required for alert remediation.
  • Tanium™ IR Quarantine 3.1.1. or later is required for isolating endpoints.
  • Tanium™ Direct Connect 1.10.39 or later is required for live endpoint connections.
  • Tanium Trends 3.6.331 or later.
  • Tanium Interact 2.6.30 or later.
  • Tanium Default Content 8.0.0 or later.
  • Tanium Impact 1.5.68 or later (optional).
  • Tanium Endpoint Configuration 1.2 or later is required for tools deployment and optionally approving configuration changes.

Endpoint Configuration is installed as part of Tanium Client Management 1.5 or later.

Computer groups

When you first log into the Tanium Console after installing the Tanium Server, the server automatically imports the computer groups that Threat Response requires:

  • All Computers
  • All Windows
  • All Linux
  • All Mac

For information about activating product licenses, see Tanium Knowledge Base: Licensing.

Tanium™ Module Server

Threat Response is installed and runs as a service on the Module Server host computer. The impact on Module Server host computer sizing is minimal and depends on usage. For more information, contact Tanium Support.

Endpoints

The following endpoint operating systems are supported with Threat Response. The endpoint requirements for Threat Response are consistent with those used for Tanium Performance and Tanium Integrity Monitor. Threat Response uses the Tanium™ Client Recorder Extension to gather data from endpoints.

Operating System Version
Windows

A minimum of Windows 7 (SP1) or Windows Server 2008 R2 (with SP1) is required. Windows 8.1 provides DNS event recording capability. Windows XP, Windows Server 2008, and Windows Server 2003 are not supported.

Windows 7 Service Pack 1 requires Microsoft KB2758857.

macOS A minimum of macOS 10.11 or later is required.
Linux

Same as Tanium Client support with the exceptions noted below. See Tanium Client Management User Guide: Client version and host system requirements.

The Client Recorder Extension does not support CentOS and Red Hat Enterprise Linux versions 5.3 and earlier. Endpoints require version 5.4 or later of CentOS or Red Hat Enterprise Linux.

eBPF as an event source for the Client Recorder Extension requires Red Hat Enterprise Linux, Oracle Enterprise Linux, and CentOS versions 7.8 or later.

The Client Recorder Extension provides SELinux policies for the following distributions and versions:

  • Oracle Linux 5.x, 6.x, 7.x, and 8.x

    When SELinux is enabled, only process information is returned. This is a known issue and will be addressed in a future version of Threat Response.

  • Red Hat Enterprise Linux (RHEL) 5.4 and later, 6.x, 7.x, and 8.x
  • CentOS 5.4 and later, 6.x, 7.x, and 8.x
  • Amazon Linux 2 LTS (2017.12)

At this time, SELinux is not supported on other Linux distributions.

The engine requires lsof on endpoints to scan open files.

For Linux endpoints:

  • Install the most recent stable version of the audit daemon and audispd-plugins. For information on deprecated parameters in the audit daemon configuration, see Tanium Client Recorder Extension User Guide. See the specific operating system documentation for instructions.
  • Be aware that when using immutable "-e 2" mode, the recorder adds Tanium audit rules in front of the immutable flag. When using the -e 2 flag on Linux, the endpoint must be restarted after the recorder is enabled.
  • Be aware that when using the failure "-f 2" mode, the Linux kernel panics if an auditd message is lost. The recorder does not add audit rules if this configuration is detected.
  • If using eBPF for event data, the kernel-headers and kernel-devel packages must be installed on RHEL and CentOS versions 7.8 to 8.1 endpoints. eBPF adds a BCC library that is compiled on the endpoint. This library is recompiled every time the endpoint is restarted.
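A pre-flight script that tests the Linux endpoint conditions listed above (auditd and lsof present, the "-e 2" and "-f 2" audit modes, the single-core requirement, and the 3 GB free-space recommendation) before the recorder is enabled. This is an added example, not a Tanium tool; the audit rules path /etc/audit/audit.rules, the Tanium Client directory /opt/Tanium/TaniumClient and the script name recorder-preflight.sh are assumptions.

```shell
#!/bin/sh
# recorder-preflight.sh: added example, not a Tanium tool. Checks the Linux endpoint
# prerequisites for the Client Recorder Extension described above. Run as root so that
# /sbin is on PATH. Assumed defaults (override with the environment variables):
#   AUDIT_RULES_FILE  -> /etc/audit/audit.rules
#   TANIUM_CLIENT_DIR -> /opt/Tanium/TaniumClient

# Return 0 if a command is on PATH, 1 otherwise.
check_command() {
    if command -v "$1" >/dev/null 2>&1; then
        return 0
    fi
    echo "FAIL: '$1' not found; install it before enabling the recorder"
    return 1
}

# Scan one or more audit rules files for the two auditctl modes the recorder cares about.
# Returns 1 if "-f 2" (kernel panics on a lost audit message) is set anywhere: the
# recorder will not add its rules. Returns 2 if only "-e 2" (immutable) is set: the
# recorder inserts its rules ahead of the flag, but the endpoint must be restarted.
# Returns 0 if neither mode is set. Lines are matched as whole auditctl arguments.
check_audit_rules() {
    rc=0
    for rules_file in "$@"; do
        [ -r "$rules_file" ] || { echo "WARN: cannot read $rules_file"; continue; }
        if grep -Eq '^[[:space:]]*-f[[:space:]]+2([[:space:]]|$)' "$rules_file"; then
            echo "FAIL: panic-on-failure mode (-f 2) in $rules_file; the recorder will not add audit rules"
            rc=1
        fi
        if grep -Eq '^[[:space:]]*-e[[:space:]]+2([[:space:]]|$)' "$rules_file"; then
            echo "NOTE: immutable mode (-e 2) in $rules_file; restart the endpoint after enabling the recorder"
            [ "$rc" -eq 1 ] || rc=2
        fi
    done
    return "$rc"
}

# The recorder does not start on a single logical core unless
# CX.recorder.EnableSingleCpuRequirement is set to 0. Takes the core count as $1
# (defaults to the live value) and returns 1 on a single core, 0 otherwise.
check_cpu_count() {
    cores="${1:-$(nproc 2>/dev/null || getconf _NPROCESSORS_ONLN 2>/dev/null)}"
    cores="${cores:-0}"
    if [ "$cores" -le 1 ]; then
        echo "FAIL: $cores logical core(s); from the client directory run:" \
             "./TaniumClient config set CX.recorder.EnableSingleCpuRequirement 0"
        return 1
    fi
    return 0
}

# Free space on the filesystem holding $1, compared with $2 whole GB (default 3).
# Returns 1 when below the minimum, 2 when df cannot report, 0 otherwise.
check_free_space() {
    path="$1"
    min_gb="${2:-3}"
    avail_kb=$(df -Pk "$path" 2>/dev/null | awk 'NR == 2 { print $4 }')
    if [ -z "$avail_kb" ]; then
        echo "WARN: cannot determine free space for $path"
        return 2
    fi
    min_kb=$((min_gb * 1024 * 1024))
    if [ "$avail_kb" -lt "$min_kb" ]; then
        echo "FAIL: $((avail_kb / 1024)) MB free on $path; at least ${min_gb} GB is recommended"
        return 1
    fi
    return 0
}

# Run every check; returns 1 if any blocking condition was found, 0 otherwise.
# Warnings (rc 2) are reported but do not block.
run_preflight() {
    client_dir="${TANIUM_CLIENT_DIR:-/opt/Tanium/TaniumClient}"
    rules="${AUDIT_RULES_FILE:-/etc/audit/audit.rules}"
    failed=0
    check_command auditctl || failed=1
    check_command lsof || failed=1
    check_audit_rules "$rules" || [ $? -ne 1 ] || failed=1
    check_cpu_count || failed=1
    check_free_space "$client_dir" 3 || [ $? -ne 1 ] || failed=1
    [ "$failed" -eq 0 ] && echo "OK: endpoint meets the recorder prerequisites"
    return "$failed"
}

# Only run the full check when invoked as a script under the assumed name.
case "$0" in
    *recorder-preflight.sh) run_preflight; exit $? ;;
esac
```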

Disk space requirements

By default, the endpoint database for Threat Response is 1GB in size. On installation, 100MB is reserved on disk, and the database increases in size to up to 1GB before event pruning occurs. The amount of free disk space that is required depends on the configuration of the Client Recorder Extension. 3GB is recommended. Free disk space is checked in two situations: when a snapshot is requested, and as part of the process following a Threat Response 1.x to 2.x migration where a legacy monitor.db is migrated.

CPU and memory requirements

The CPU demand on the endpoint averages less than 1%.

The Client Recorder Extension does not start on endpoints with a single logical core without updating the CX.recorder.EnableSingleCpuRequirement configuration setting to 0. To update CX.recorder.EnableSingleCpuRequirement to 0, edit the Recorder - Set Recorder Extension Setting [OS] package to add a parameter with the configuration key EnableSingleCpuRequirement and a value of 0, and deploy the package to appropriate endpoints. Alternatively, you can run the following command from the Tanium Client directory on endpoints to update this configuration setting:

  • (Windows) TaniumClient.exe config set CX.recorder.EnableSingleCpuRequirement 0
  • (Linux and macOS) ./TaniumClient config set CX.recorder.EnableSingleCpuRequirement 0

A minimum of 4 GB RAM is recommended on each endpoint device.

Tanium Event Recorder Driver

Use the Tanium Event Recorder Driver to record process and command-line events on supported Windows endpoints. To deploy the Tanium Event Recorder Driver to the endpoints, see Tanium Client Recorder Extension User Guide: Installing the Tanium Event Recorder Driver. Enable the Tanium Driver by selecting the Enforce Driver setting in a recorder configuration. If checked, this setting distributes the Tanium Driver to endpoints and enforces that the Tanium Driver service is running. The recorder is optimized to use the Tanium Event Recorder Driver on Windows systems when it is installed. It is strongly recommended to use the Tanium Event Recorder Driver for the best performance and data reliability.

If the Tanium Event Recorder Driver is updated, endpoints that use Threat Response require a reboot to ensure that all events are returned, to see the process tree in an alert, and to ensure that signals are working as intended.

If unchecked, the Tanium Driver will not be distributed to the endpoint; if the Tanium Driver is already installed, the Tanium Driver service will no longer be enforced and will continue running unless manually disabled or removed.

The use of Sysmon has been deprecated in Threat Response version 2.2.0.

The following table provides information about the available recorder features on Windows.

Feature | Windows Server 2008 R2 | Windows Server 2012 | Windows Server 2012 R2 or later | Windows 7 SP1 | Windows 8 | Windows 8.1 or later*
DNS events | Not Available | Not Available | Available | Not Available | Not Available | Available
Process hashes and command-line information | Requires Tanium driver | Requires Tanium driver | Requires Tanium driver | Requires Tanium driver | Requires Tanium driver | Requires Tanium driver
Driver loads | Available | Available | Available | Available | Available | Available

* = Windows 10 operating systems must be Windows 10 1607 or greater.

Install the Tanium Event Recorder Driver to capture process and command line events

The Tanium Event Recorder Driver is installed by default on new installations of Threat Response 2.2.0 and later. If you are upgrading to Threat Response 2.2.0 or later from an earlier version, you can manually install the Tanium Event Recorder Driver.

  1. From the Tanium Console home page, ask the question Get Tanium Driver Status from all machines and click Search.
  2. Select Install Recommended.
  3. From the Deploy Action page, select Install Tanium Driver.
  4. Validate successful installations by checking the validation query that runs at the end of the package installation.
  5. Collect the action logs from any endpoints that fail the validation query using Live Response.
  6. Run the action Remove Tanium Driver on any endpoints that return anything other than SERVICE_RUNNING for the Tanium Event Recorder Driver service status.

If you make changes to the event source, you must redeploy any recorder-enabled profile for the changes to take effect.

Host and network security requirements

Specific ports and processes are needed to run Threat Response.

Ports

The following ports are required for Threat Response communication.

Component, port number, direction, service, and purpose:

Module Server (or Tanium as a Service)
  • 17475, inbound, Threat Response service: Threat Response agents connecting to the Module Server (or Tanium as a Service) for live connections to endpoints.
  • 17487 (Direct Connect communication port) and 17488 (Direct Connect provision and status monitoring port), outbound, Direct Connect Service or zone hub: (Optional) Tanium zone hub connection to Tanium zone proxy.
  • 80, outbound, Threat Response service: Integration of intel streams.
  • 443, outbound, Threat Response service: Integration of intel streams.
  • 17477, inbound, Tanium Server: The Tanium Server initiates connections to the Module Server (or Tanium as a Service) on port 17477.

Zone Server
  • 17487 (Direct Connect communication port) and 17488 (Direct Connect provision and status monitoring port), inbound, zone proxy: (Optional) Connection to Tanium zone proxy. These ports only need to be accessible from the internal network to the DMZ.
  • 17486 (Direct Connect), inbound, zone proxy: (Optional) Used by the Zone Server for endpoint connections to external clients. The default port number is 17486. If needed, you can specify a different port number when you configure the zone proxy.

Tanium Client
  • 17475 (Direct Connect), outbound, Tanium Client: Connections to the Module Server (or Tanium as a Service) or the zone proxy for live connections.

Threat Response data collection
  • 443 (S3), 22 (SFTP/SCP), or 445 (SMB), outbound, Threat Response data collection: Outbound connections over ports depending on how the collected data is being transferred.

Threat Response Stream configurations for Splunk (required for Stream configurations to Splunk destinations)
  • TCP port provided by a Splunk administrator, outbound, Threat Response service: The port for the stream communication to the host. This TCP port is provided by a Splunk administrator to correspond to a data source.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Security exclusions

A security administrator must create exclusions to allow Tanium processes to run without interference if security software is in use in the environment to monitor and block unknown host system processes.

Threat Response security exclusions
Target Device Notes Process
Tanium Module Server    <Module Server>\services\detect3\node.exe
  <Module Server>\services\detect3\twsm.exe
  <Module Server>\services\event-service\node.exe
  <Module Server>\services\event-service\twsm.exe
  <Module Server>\services\threat-response-service\node.exe
  <Module Server>\services\twsm-v1\twsm.exe
  <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Tanium Zone Server   <Zone Server>\proxy\node.exe
Windows x86 and x64 endpoints   <Tanium Client>\Tools\EPI\TaniumExecWrapper.exe
  <Tanium Client>\Tools\IR\TaniumExecWrapper.exe
  <Tanium Client>\Tools\IR\TanFileInfo.exe
  <Tanium Client>\Tools\IR\TaniumFileInfo.exe
  <Tanium Client>\Tools\IR\TaniumHandle.exe
  <Tanium Client>\Tools\IR\TanListModules.exe
  <Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe
   <Tanium Client>\Tools\recorder\TaniumRecorderCtl.exe
  <Tanium Client>\Tools\Detect3\TaniumDetectEngine.exe
  <Tanium Client>\extensions\TaniumRecorder.dll
  <Tanium Client>\extensions\TaniumRecorder.dll.sig
  <Tanium Client>\extensions\SupportCX.dll
  <Tanium Client>\extensions\SupportCX.dll.sig
  <Tanium Client>\extensions\recorder\proc.bin
  <Tanium Client>\extensions\recorder\recorder.db
  <Tanium Client>\extensions\recorder\recorder.db-shm
  <Tanium Client>\extensions\recorder\recorder.db-wal
  <Tanium Client>\extensions\TaniumThreatResponse.dll
  <Tanium Client>\extensions\TaniumThreatResponse.dll.sig
  <Tanium Client>\extensions\core\libTaniumPythonCx.dll
  <Tanium Client>\extensions\core\libTaniumPythonCx.dll.sig
  <Tanium Client>\extensions\stream\*.py
  <Tanium Client>\TaniumClientExtensions.dll
  <Tanium Client>\TaniumClientExtensions.dll.sig
  <Tanium Client>\Downloads\Action_nnn\TaniumFileTransfer.exe
1 <Tanium Client>\Downloads\Action_nnn\Winpmem.gb414603.exe
  <Tanium Client>\Tools\IR\TaniumPersistenceAnalyzer.exe
  <Tanium Client>\Tools\IR\PowerForensics\PowerForensics.dll
7.2.x clients, 3 <Tanium Client>\Python27\TPython.exe
7.4.x clients, 3 <Tanium Client>\Python38\TPython.exe
7.4.x clients <Tanium Client>\Python38\*.dll
  <Tanium Client>\TaniumSensorDebugger.exe
  <Tanium Client>\TaniumCX.exe
  <Tanium Client>\extensions\TaniumDEC.dll
  <Tanium Client>\extensions\TaniumDEC.dll.sig
Linux x86 and x64 endpoints   <Tanium Client>/TaniumAuditPipe
  <Tanium Client>/TaniumCX
  <Tanium Client>/TaniumSensorDebugger
  <Tanium Client>/Tools/EPI/TaniumExecWrapper
  <Tanium Client>/Tools/IR/TaniumExecWrapper
  <Tanium Client>/Tools/EPI/TaniumEndpointIndex
   <Tanium Client>/Tools/Detect3/TaniumDetectEngine
7.2.x clients <Tanium Client>/python27/python
7.2.x clients <Tanium Client>/python27/bin/pybin
7.4.x clients <Tanium Client>/python38/python
  <Tanium Client>/libTaniumClientExtensions.so
  <Tanium Client>/libTaniumClientExtensions.so.sig
  <Tanium Client>/libSupportCX.so
  <Tanium Client>/libSupportCX.so.sig
  <Tanium Client>/extensions/libTaniumThreatResponse.so
  <Tanium Client>/extensions/libTaniumThreatResponse.so.sig
  <Tanium Client>/extensions/libTaniumRecorder.so
  <Tanium Client>/extensions/libTaniumRecorder.so.sig
  <Tanium Client>/extensions/recorder/proc.bin
  <Tanium Client>/extensions/recorder/recorder.db
  <Tanium Client>/extensions/recorder/recorder.db-shm
  <Tanium Client>/extensions/recorder/recorder.db-wal
  <Tanium Client>/extensions/recorder/recorder.auditpipe
  <Tanium Client>/extensions/core/libTaniumPythonCx.so
  <Tanium Client>/extensions/core/libTaniumPythonCx.so.sig
  <Tanium Client>/extensions/libTaniumDEC.so
  <Tanium Client>/extensions/libTaniumDEC.so.sig
  <Tanium Client>/extensions/stream/*.py
1,2 <Tanium Client>/Downloads/Action_nnn/surge-collect
1,2 <Tanium Client>/Downloads/Action_nnn/surge.dat
1 <Tanium Client>/Downloads/Action_nnn/linpmem-<version>.bin
1 <Tanium Client>/Downloads/Action_nnn/taniumfiletransfer
macOS endpoints   <Tanium Client>/TaniumCX
  <Tanium Client>/TaniumSensorDebugger
  <Tanium Client>/Tools/EPI/TaniumExecWrapper
  <Tanium Client>/Tools/IR/TaniumExecWrapper
  <Tanium Client>/Tools/EPI/TaniumEndpointIndex
   <Tanium Client>/Tools/Detect3/TaniumDetectEngine
7.2.x clients <Tanium Client>/python27/python
7.4.x clients <Tanium Client>/python38/python
  <Tanium Client>/libTaniumClientExtensions.dylib
  <Tanium Client>/libTaniumClientExtensions.dylib.sig
  <Tanium Client>/extensions/libTaniumThreatResponse.dylib
  <Tanium Client>/extensions/libTaniumThreatResponse.dylib.sig
  <Tanium Client>/extensions/libTaniumRecorder.dylib
  <Tanium Client>/extensions/libTaniumRecorder.dylib.sig
  <Tanium Client>/extensions/recorder/proc.bin
  <Tanium Client>/extensions/recorder/recorder.db
  <Tanium Client>/extensions/recorder/recorder.db-shm
  <Tanium Client>/extensions/recorder/recorder.db-wal
  <Tanium Client>/extensions/recorder/recorder.auditpipe
  <Tanium Client>/extensions/core/libTaniumPythonCx.dylib
  <Tanium Client>/extensions/core/libTaniumPythonCx.dylib.sig
  <Tanium Client>/extensions/stream/*.py
  <Tanium Client>/extensions/libTaniumDEC.dylib
  <Tanium Client>/extensions/libTaniumDEC.dylib.sig
  <Tanium Client>/extensions/libSupportCX.dylib
  <Tanium Client>/extensions/libSupportCX.dylib.sig
1,2 <Tanium Client>/Downloads/Action_nnn/surge-collect
1,2 <Tanium Client>/Downloads/Action_nnn/surge.dat
1 <Tanium Client>/Downloads/Action_nnn/osxpmem.app/osxpmem
1 <Tanium Client>/Downloads/Action_nnn/taniumfiletransfer
1 = Where nnn corresponds to the action ID.

2 = Exception is required if Volexity Surge is used for memory collection.

3 = TPython requires SHA2 support to allow installation.

User role requirements

To do everything in Threat Response and its features that integrate with other Tanium products, you need the following roles:

  • Threat Response Administrator role
  • Protect User role to pivot from saved evidence into Protect rules
  • Reputation Administrator and Connect Administrator (if not using Reputation) role privileges to see reputation data
  • Show Interact role to view the status results of endpoints
  • Connect User role for Connect integration for events and for creating the Connect Reputation connections
  • Protect User role for creating remediation policies as response actions

Threat Response user role permissions

Roles: Threat Response Administrator (1), Threat Response Operator (1), Threat Response User (1), Threat Response Read Only User (1), Threat Response Service Account (1, 2, 3, 4, 8), Threat Response Endpoint Configuration Approver (5)

Permission: description
Detect Administrator User: Provides privileges for a Detect administrator.
Detect Alert Read: Access to read alerts.
Detect Alert Write: Access to modify alerts.
Detect Intel Read (6): Access to read intel.
Detect Intel Write: Access to modify intel.
Detect Label Read: Access to read intel labels.
Detect Label Write: Access to modify intel labels.
Detect Notification Read: Access to read notifications.
Detect Notification Write: Access to modify notifications.
Detect Quickscan Read (6): Access to read the results of quick scans.
Detect Quickscan Write: Access to run quick scans.
Detect Config Read
Detect Config Write
Detect Source Read: Access to read sources.
Detect Source Write (6): Access to modify sources.
Detect Workbench User: Access to provide privileges for a user.
Detect Use API: Perform Detect operations using the API.
Detect Service User: Deploy group configs and intel, gather alerts and group config stats, and ingest intel from streams.
Detect Suppressionrule Write: Create, edit, and delete suppression rules.
Detect Suppressionrule Read: View and list suppression rules.
Show Detect (3, 7): Access to the Detect workbench.
Direct Connect Session Read: Read Direct Connect sessions.
Direct Connect Session Write: Instantiate Direct Connect sessions.
Event Service Use API: Perform Event Service operations using the API.
Show Threat Response (7): Access to the Threat Response workbench.
Threat Response API Doc Read: View and list API Docs.
Threat Response Configs Read: Access to read configurations.
Threat Response Alert Deploy Action: Allows for action deployment from a Threat Response alert.
Threat Response Configs Write: Access to create configurations.
Threat Response Filters Read: Access to read filters.
Threat Response Filters Write: Access to create filters.
Threat Response Profiles Deploy: Access to deploy profiles to endpoints.
Threat Response Profiles Read: Access to read profiles.
Threat Response Profiles Write: Access to create profiles.
Threat Response Response Actions Write: Enables users to create and stop response actions.
Threat Response Response Actions Read: Enables users to view response actions.
Threat Response Service User: Access to perform service account administration.
Threat Response Service User Read: Read configurations, intel, and alerts.
Threat Response Service User Write: Access to deploy configurations, deploy intel, gather alerts, gather group configuration stats, and ingest intel from streams.
Threat Response Content Incident Response Administrator: Provides content privileges for Threat Response Incident Response administrators.
Threat Response Content Incident Response User: Provides content privileges for Threat Response Incident Response users.
Threat Response Content Incident Response Readonly User: Provides content privileges for Threat Response Incident Response read only users.
Threat Response Content Index Administrator: Provides content privileges for Threat Response Index administrators.
Threat Response Content Index User: Provides content privileges for Threat Response Index users.
Threat Response Content Detect User: Provides content privileges for Threat Response Detect users.
Threat Response Intel Deploy: Allows deploying Threat Response Intel.
Threat Response Logs Read: Allows viewing Threat Response logs.
Threat Response Settings Write: Allows editing Threat Response settings.
Threat Response Settings Read: Allows viewing Threat Response settings.
Threat Response Stats Read: Allows viewing Threat Response stats.
Threat Response Tasks Read: Access to read Threat Response tasks.
Threat Response Live Response Collection Configs Read: Access to read Threat Response Live Response collection configurations.
Threat Response Live Response Collection Configs Write: Access to create Threat Response Live Response collection configurations.
Threat Response Live Response Destinations Read: Access to read Threat Response Live Response destinations.
Threat Response Live Response Destinations Write: Access to create Threat Response Live Response destinations.
Threat Response Live Response File Collector Sets Read: Access to read Threat Response Live Response file collector set configurations.
Threat Response Live Response File Collector Sets Write: Access to create Threat Response Live Response file collector sets.
Threat Response Live Response Packages Generate: Access to create Threat Response Live Response packages.
Threat Response Live Response Script Sets Read: Access to read Threat Response Live Response script set configuration information.
Threat Response Live Response Script Sets Write: Access to create Threat Response script sets.
Threat Response Live Response Modules Read: Access to read Threat Response Live Response module configuration information.
Threat Response Audit Read: Allows viewing and exporting Threat Response audit data.
Threat Response Use API: Perform Threat Response operations using the API.
Threat Response Operator Settings Read: Allows the operator to read available settings.
Threat Response Operator Settings Write: Allows the operator to modify available settings.
Threat Response Operator Status Read: Allows the operator to view the module status.
Threat Response Enterprise Hunting Read (2): View and list sensors for enterprise hunting.
Threat Response Endpoint Configuration Approve: Enables approver privileges in Tanium Endpoint Configuration for Threat Response configuration changes.
Threat Response Content User: Provides content privileges for Threat Response users.
Threat Response Content Readonly User: Provides content privileges for Threat Response read only users.
Threat Response Live Connection File Delete: Allows deletion of a file on the endpoint during a live connection.
Threat Response Live Connection Write: Allows setting a live connection.
Threat Response Snapshot Write: Capture and delete snapshots.
Threat Response Exports Write: Create and delete exported events.
Threat Response Saved Evidence Write: Save events from live endpoint connections.
Threat Response Downloads Read: Read downloaded files from live connections.
Threat Response Live Connection Read: View live connections to endpoints.
Threat Response Snapshot Read: View snapshots.
Threat Response Exports Read: View exported events.
Threat Response Saved Evidence Read: View events from live endpoint connections.
Threat Response Visibility Bypass Read: Enables users to view all alerts and saved evidence regardless of computer group membership.
Trace Enterprise Hunting Read: View and list sensors for enterprise hunting.
Trace File Downloads Write: Download files from live connections to the Tanium Server. This permission also provides the ability to delete these downloaded files.
Trace Live Connections File Delete: Delete files on endpoints from a live connection.
Trace Live Connections Filesystem Browse: Browse the filesystem on live connections.
Trace Live Connections Write: Create live connections to endpoints.
Trace Protect Rules Write: Create, edit, and delete Protect rules.
Trace Saved Events Write: Save events from live endpoint connections.
Trace Snapshots Write: Capture and delete snapshots.

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.

1 This role provides module permissions for Tanium Impact. For more information, see the Tanium Impact User Guide: User role requirements.

2 This role provides module permissions for Tanium Trends. For more information, see the Tanium Trends User Guide: User role requirements.

3 This role provides module permissions for Tanium Reputation. For more information, see the Tanium Reputation User Guide: User role requirements.

4 This role provides module permissions for Tanium Connect. For more information, see the Tanium Connect User Guide: User role requirements.

5 This role provides module permissions for Tanium Endpoint Configuration. For more information, see the Tanium Endpoint Configuration User Guide: User role requirements.

6 Requires permissions for other modules or solutions to complete all tasks in other modules and see all content; such as Protect (version 1.3.0 or later), Connect (version 4.3.0 or later), or Interact. You can assign a role for another product, or create a custom role that lists just the specific privileges needed.

7 To install Threat Response, you must have the Import Signed Content micro admin permission (Tanium Core Platform 7.4 or later) or the reserved role of Administrator.

8 If you installed Tanium Client Management, Endpoint Configuration is installed, and by default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to this role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

Provided Threat Response Micro Admin user role permissions
Roles: Threat Response Administrator, Threat Response Operator, Threat Response User, Threat Response Read Only User, Threat Response Service Account, Threat Response Endpoint Configuration Approver
Read User
Read Action Group
Read Computer Group
Read Filter Group

Provided Threat Response Advanced user role permissions
Roles: Threat Response Administrator, Threat Response Operator, Threat Response User, Threat Response Read Only User, Threat Response Service Account, Threat Response Endpoint Configuration Approver
Permission | Content set for permission
Ask Dynamic Questions | (none)
Read Sensor | Base
Read Sensor | Reserved
Read Sensor | Detect
Read Sensor | Detect Service
Read Sensor | Threat Response
Read Sensor | Incident Response
Read Sensor | Index
Write Sensor | Incident Response
Read Action | Detect
Read Action | Detect Service
Read Action | Threat Response
Read Action | Incident Response
Read Action | Index
Write Action | Detect Service
Write Action | Detect
Write Action | Threat Response
Write Action | Incident Response
Write Action | Index
Read Plugin | Detect Service
Read Plugin | Threat Response Service
Execute Plugin | Detect
Execute Plugin | Detect Service
Execute Plugin | Threat Response
Execute Plugin | Threat Response Service
Execute Plugin | Endpoint Configuration
Read Package | Detect
Read Package | Incident Response
Read Package | Index
Write Package | Detect Service
Write Package | Threat Response
Write Package | Incident Response
Write Package | Index
Read Saved Question | Detect
Read Saved Question | Detect Service
Read Saved Question | Threat Response
Read Saved Question | Incident Response
Write Saved Question | Incident Response
Read Dashboard | Incident Response
Write Dashboard | Incident Response
Read Dashboard Group | Incident Response
Write Dashboard Group | Incident Response
Read Filter Group | Reserved
Read Filter Group | Incident Response
Read Filter Group | Index
Read Filter Group | Threat Response
