Requirements

Review the requirements before you install and use Threat Response.

License entitlements

The content that displays in the Threat Response workbench can differ depending on the type of license you have.

The following table illustrates the areas of the Threat Response workbench that are available for various types of licenses.

License | Intel configurations | Engine configurations | Recorder configurations | Index configurations | Enterprise hunting | Live Response
Trace (Trace and Incident Response) | | | | | |
Detect (Detect and Incident Response) | | | | | |
Trace and Detect | | | | | |
Trace, Detect, and Incident Response | N/A | N/A | N/A | N/A | N/A | N/A
Trace only | | | | | |
Detect only | | | | | |
Incident Response only | N/A | N/A | N/A | N/A | N/A | N/A*

* = With an Incident Response license, you can use Live Response, however the Live Response workbench is not provided. See the Incident Response User Guide for more information on using Live Response.

Tanium dependencies

In addition to a license for the Threat Response product module, make sure that your environment also meets the following requirements.

Tanium™ Core Platform: 7.2.314.3550 or later. For more information, see Tanium Core Platform Installation Guide: Installing Tanium Server.

Tanium™ Client: For more information about specific Tanium Client versions, see Tanium Client Deployment Guide: Client host system requirements.

One of the following 7.2 Tanium Client versions is required as a minimum:

  • 7.2.314.3476 and later with the exception of 7.2.314.3518 (Linux, MacOS*, Windows)
  • 7.2.314.3608 (MacOS 10.15.x and later)

* = MacOS earlier than 10.15.x Catalina

7.4.1.1955 and later clients are supported on Threat Response 2.1.0 and later.

If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

For MacOS endpoints running 10.15.x, Tanium Client version 7.2.314.3608 is required as a minimum. There is a known issue with Threat Response version 2.0.5 where protected directories cannot be viewed in the file browser using a live connection. This capability will be provided in a future version of Threat Response.

Tanium products: If you clicked the Install with Recommended Configurations button when you installed Threat Response, the Tanium Server automatically installed all your licensed modules at the same time. Otherwise, you must manually install the modules that Threat Response requires to function, as described under Tanium Console User Guide: Manage Tanium modules.

The following modules are required for features of Threat Response to function. The given versions are the minimum required:

  • Tanium™ Connect 4.1.0 to 4.10.5 is required for reputation data without Tanium™ Reputation.
  • Tanium™ Reputation 5.0 or later is required for reputation data with Tanium Connect 4.11 or later.
  • Tanium™ Protect 2.1.0 or later is required for alert remediation.
  • Tanium™ Quarantine 3.1.1 or later is required for isolating endpoints.

The following modules are optional, but Threat Response requires the given minimum versions to work with them:

  • Tanium Trends 1.0 or later (optional).

Computer groups: When you first log into the Tanium Console after installing the Tanium Server, the server automatically imports the computer groups that Threat Response requires:

  • All Computers
  • All Windows
  • All Linux
  • All Mac

For information about activating product licenses, see Tanium Knowledge Base: Licensing.

Tanium™ Module Server

Threat Response is installed and runs as a service on the Module Server host computer. The impact on Module Server host computer sizing is minimal and depends on usage. Contact your Technical Account Manager (TAM) for details.

Endpoints

The following endpoint operating systems are supported with Threat Response. Threat Response uses the Tanium™ Client Recorder Extension to gather data from endpoints.

Operating System Version
Windows A minimum of Windows 7 or Windows Server 2008 R2 is required. Windows 8.1 provides DNS event recording capability. Windows XP, Windows Server 2008, and Windows Server 2003 are not supported.
macOS A minimum of macOS 10.11 or later is required.
Linux Same as Tanium Client support. See Tanium Client User Guide: Host system requirements.

For Linux endpoints:

  • Install the most recent stable version of the audit daemon and audispd-plugins. For information on deprecated parameters in the audit daemon configuration, see Tanium Client Recorder Extension User Guide. See the specific operating system documentation for installation instructions.
  • Be aware that when using immutable "-e 2" mode, the recorder adds the Tanium audit rules in front of the immutable flag. When the -e 2 flag is in use on Linux, the endpoint must be restarted after the recorder is enabled.
  • Be aware that when using failure "-f 2" mode, the Linux kernel panics if an auditd message is lost. The recorder does not add audit rules if this configuration is detected.
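The two auditd settings above affect the recorder differently (one requires a restart, the other stops rules from being added at all), so it is worth checking them on Linux endpoints before a recorder-enabled profile is deployed. The following POSIX shell script is an added example and is not part of the Tanium guide or Tanium tooling. It assumes the rules are in a single file such as /etc/audit/audit.rules (or that the output of `auditctl -s` from a live host is supplied), and the rules it checks in the demo are constructed sample content.

```sh
#!/bin/sh
# Added example, not Tanium code: pre-flight check for the two auditd settings
# called out above ("-e 2" immutable mode and "-f 2" failure mode) so an
# endpoint can be adjusted before the recorder is enabled.

# classify IMMUTABLE PANIC  (each "yes" or "no") -> one-word verdict
classify() {
    case "$1,$2" in
        yes,yes) echo "immutable+panic" ;;
        yes,no)  echo "immutable" ;;
        no,yes)  echo "panic" ;;
        *)       echo "ok" ;;
    esac
}

# audit_rules_flags FILE
# Reads an audit rules file (e.g. /etc/audit/audit.rules) and reports whether
# it sets "-e 2" and/or "-f 2". Comments and blank lines are dropped first, so
# a commented-out "-e 2" does not count, and "-f 20" is not mistaken for "-f 2".
audit_rules_flags() {
    rules=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1")
    immutable=no
    panic=no
    if printf '%s\n' "$rules" | grep -Eq '^[[:space:]]*-e[[:space:]]+2([[:space:]]|$)'; then
        immutable=yes
    fi
    if printf '%s\n' "$rules" | grep -Eq '^[[:space:]]*-f[[:space:]]+2([[:space:]]|$)'; then
        panic=yes
    fi
    classify "$immutable" "$panic"
}

# auditctl_status_flags TEXT
# Same verdict, taken from the output of `auditctl -s` on a running host, which
# prints "enabled N" (2 = rules locked/immutable) and "failure N" (2 = panic).
auditctl_status_flags() {
    enabled=$(printf '%s\n' "$1" | awk '$1 == "enabled" { print $2 }')
    failure=$(printf '%s\n' "$1" | awk '$1 == "failure" { print $2 }')
    immutable=no
    panic=no
    if [ "$enabled" = "2" ]; then immutable=yes; fi
    if [ "$failure" = "2" ]; then panic=yes; fi
    classify "$immutable" "$panic"
}

# recorder_advice VERDICT -> what the text above says happens on that endpoint
recorder_advice() {
    case "$1" in
        ok)        echo "no auditd change needed before enabling the recorder" ;;
        immutable) echo "recorder adds its rules ahead of -e 2; restart the endpoint after enabling the recorder" ;;
        panic)     echo "recorder will not add audit rules while -f 2 is set; change the failure mode first" ;;
        *)         echo "recorder will not add audit rules while -f 2 is set; -e 2 also means a restart once the recorder is enabled" ;;
    esac
}

# Demonstration on a constructed rules file (sample content, not from a real host).
demo() {
    tmp=$(mktemp)
    printf '%s\n' '# constructed sample audit.rules' '-D' '-b 8192' '-f 2' \
        '-w /etc/passwd -p wa -k identity' '-e 2' > "$tmp"
    verdict=$(audit_rules_flags "$tmp")
    rm -f "$tmp"
    echo "sample rules: $verdict -> $(recorder_advice "$verdict")"
}
demo
```

On distributions that use augenrules, the individual files under /etc/audit/rules.d/ are merged into /etc/audit/audit.rules at service start, so check the merged file or pass `"$(auditctl -s)"` to auditctl_status_flags for the state the kernel is actually running with.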

Disk space requirements

By default, the endpoint database for Threat Response is between 256 MB and 1 GB in size. The endpoint device must have three times the maximum database size available in free disk space.

CPU and memory requirements

The CPU demand on the endpoint averages less than 1%. For full functionality, a minimum of two CPUs per endpoint is recommended.

A minimum of 4 GB RAM is recommended on each endpoint device.

Tanium Event Recorder Driver

Use the Tanium Event Recorder Driver to record process and command-line events on supported Windows endpoints. To deploy the Tanium Event Recorder Driver to the endpoints, see Tanium Client Recorder Extension User Guide: Installing the Tanium Event Recorder Driver. By default, the Tanium recorder uses the Tanium Event Recorder Driver to capture events on Windows endpoints. The recorder is optimized to use the Tanium Event Recorder Driver on Windows systems when it is installed. It is strongly recommended to use the Tanium Event Recorder Driver for the best performance and data reliability. The use of Sysmon has been deprecated in Threat Response version 2.2.0.

The following table provides information about the available recorder features on Windows.

Feature | Windows Server 2008 R2 | Windows Server 2012 | Windows Server 2012 R2 or later | Windows 7 | Windows 8 | Windows 8.1 or later
DNS events | Not Available | Not Available | Available | Not Available | Not Available | Available
Process hashes and command-line information | Requires Tanium driver. | Requires Tanium driver. | Requires Tanium driver. | Requires Tanium driver. | Requires Tanium driver. | Requires Tanium driver.
Driver loads | Available | Available | Available | Available | Available | Available

Install the Tanium Event Recorder Driver to capture process and command line events

The Tanium Event Recorder Driver is installed by default on new installations of Threat Response 2.2.0 and later. If you are upgrading to Threat Response 2.2.0 or later from an earlier version, you can manually install the Tanium Event Recorder Driver.

  1. From the Main menu, ask the question Get Tanium Driver Status from all machines and click Search.
  2. Select Install Recommended.
  3. From the Deploy Action page, select Install Tanium Driver.
  4. Validate successful installations by checking the validation query that runs at the end of the package installation.
  5. Collect the action logs from any endpoints that fail the validation query using Live Response.
  6. Run the action Remove Tanium Driver on any endpoints that return anything other than SERVICE_RUNNING for the Tanium Event Recorder Driver service status.

If you make changes to the event source, you must redeploy any recorder enabled profile for the changes to take effect.

Host and network security requirements

Specific ports and processes are needed to run Threat Response.

Ports

The following ports are required for Threat Response communication.

Component | Port number | Direction | Service | Purpose
Module Server | 17443 | Inbound | Threat Response service | Support for uploading snapshots.
Module Server | 17444 | Inbound | Threat Response service | Threat Response agents connecting to the Module Server for live connections to endpoints.
Module Server | 17449 | Outbound | Zone hub | (Optional) Tanium zone hub connection to Tanium zone proxy.
Module Server | 80 | Outbound | Threat Response service | Integration of intel streams.
Module Server | 443 | Outbound | Threat Response service | Integration of intel streams.
Module Server | 17477 | Inbound | Tanium Server | Tanium Server initiates connections to the Module Server on port 17477.
Zone Server | 17449 | Inbound | Zone proxy | (Optional) Tanium zone hub connection to Tanium zone proxy. This port only needs to be accessible from the internal network to the DMZ.
Zone Server | 17444 | Inbound | Zone proxy | (Optional) Connections from Threat Response agents.
Tanium Client | 17444 | Outbound | Tanium Client | WebsocketClient.exe connecting to the Module Server or the zone proxy for live connections.
Threat Response data collection | 443 (S3), 22 (SFTP/SCP), or 445 (SMB) | Outbound | Threat Response data collection | Outbound connections over ports depending on how the collected data is being transferred.

Security exclusions

A security administrator must create exclusions to allow Tanium processes to run without interference if security software is in use in the environment to monitor and block unknown host system processes.

Table 1:   Threat Response security exclusions

Target device: Tanium Module Server
  <Module Server>\services\trace-service\node.exe
  <Module Server>\services\detect3\node.exe
  <Module Server>\services\detect3\twsm.exe
  <Module Server>\services\event-service\node.exe
  <Module Server>\services\event-service\twsm.exe
  <Module Server>\services\threat-response-service\node.exe
  <Module Server>\services\twsm-v1\twsm.exe

Target device: Tanium Zone Server
  <Zone Server>\proxy\node.exe

Target device: Windows x86 and x64 endpoints
  <Tanium Client>\Tools\EPI\TaniumExecWrapper.exe
  <Tanium Client>\Tools\IR\TaniumExecWrapper.exe
  <Tanium Client>\Tools\IR\TanFileInfo.exe
  <Tanium Client>\Tools\IR\TaniumFileInfo.exe
  <Tanium Client>\Tools\IR\TaniumHandle.exe
  <Tanium Client>\Tools\IR\TanListModules.exe
  <Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe
  <Tanium Client>\Tools\Trace\TaniumTraceWebsocketClient.exe
  <Tanium Client>\Tools\Trace\TaniumTraceWebsocketClient64.exe
  <Tanium Client>\Tools\Recorder\TaniumSQLiteQuery.exe
  <Tanium Client>\Tools\Trace\TaniumExecWrapper.exe
  <Tanium Client>\Tools\Detect3\TaniumDetectEngine.exe
  <Tanium Client>\extensions\TaniumRecorder.dll
  <Tanium Client>\extensions\TaniumRecorder.dll.sig
  <Tanium Client>\extensions\recorder\proc.bin
  <Tanium Client>\extensions\recorder\recorder.db
  <Tanium Client>\extensions\recorder\recorder.db-shm
  <Tanium Client>\extensions\recorder\recorder.db-wal
  <Tanium Client>\extensions\TaniumThreatResponse.dll
  <Tanium Client>\extensions\TaniumThreatResponse.dll.sig
  <Tanium Client>\extensions\core\libTaniumPythonCx.dll
  <Tanium Client>\extensions\core\libTaniumPythonCx.dll.sig
  <Tanium Client>\TaniumClientExtensions.dll
  <Tanium Client>\TaniumClientExtensions.dll.sig
  <Tanium Client>\Downloads\Action_nnn\TaniumFileTransfer.exe
  <Tanium Client>\Tools\IR\TaniumPersistenceAnalyzer.exe
  <Tanium Client>\Tools\IR\PowerForensics\PowerForensics.dll
  <Tanium Client>\Python27\TPython.exe (7.2.x clients)
  <Tanium Client>\Python38\TPython.exe (7.4.x clients)
  <Tanium Client>\Python38\*.dll (7.4.x clients)
  <Tanium Client>\TaniumSensorDebugger.exe
  <Tanium Client>\TaniumCX.exe

Target device: Linux x86 and x64 endpoints
  <Tanium Client>/TaniumAuditPipe
  <Tanium Client>/TaniumCX
  <Tanium Client>/TaniumSensorDebugger
  <Tanium Client>/Tools/EPI/TaniumExecWrapper
  <Tanium Client>/Tools/IR/TaniumExecWrapper
  <Tanium Client>/Tools/EPI/TaniumEndpointIndex
  <Tanium Client>/Tools/Trace/TaniumTraceWebsocketClient
  <Tanium Client>/Tools/Trace/TaniumExecWrapper
  <Tanium Client>/Tools/Detect3/TaniumDetectEngine
  <Tanium Client>/python27/python (7.2.x clients)
  <Tanium Client>/python38/python (7.4.x clients)
  <Tanium Client>/Downloads/Action_nnn/TaniumFileTransfer
  <Tanium Client>/libTaniumClientExtensions.so
  <Tanium Client>/libTaniumClientExtensions.so.sig
  <Tanium Client>/extensions/libTaniumThreatResponse.so
  <Tanium Client>/extensions/libTaniumThreatResponse.so.sig
  <Tanium Client>/extensions/libTaniumRecorder.so
  <Tanium Client>/extensions/libTaniumRecorder.dylib.sig
  <Tanium Client>/extensions/recorder/proc.bin
  <Tanium Client>/extensions/recorder/recorder.db
  <Tanium Client>/extensions/recorder/recorder.db-shm
  <Tanium Client>/extensions/recorder/recorder.db-wal
  <Tanium Client>/extensions/recorder/recorder.auditpipe
  <Tanium Client>/extensions/core/libTaniumPythonCx.so
  <Tanium Client>/extensions/core/libTaniumPythonCx.so.sig

Target device: Mac OS endpoints
  <Tanium Client>/TaniumCX
  <Tanium Client>/TaniumSensorDebugger
  <Tanium Client>/Tools/EPI/TaniumExecWrapper
  <Tanium Client>/Tools/IR/TaniumExecWrapper
  <Tanium Client>/Tools/EPI/TaniumEndpointIndex
  <Tanium Client>/Tools/Trace/TaniumTraceWebsocketClient
  <Tanium Client>/Tools/Trace/TaniumExecWrapper
  <Tanium Client>/Tools/Detect3/TaniumDetectEngine
  <Tanium Client>/python27/python (7.2.x clients)
  <Tanium Client>/python38/python (7.4.x clients)
  <Tanium Client>/Downloads/Action_nnn/TaniumFileTransfer
  <Tanium Client>/libTaniumClientExtensions.dylib
  <Tanium Client>/libTaniumClientExtensions.dylib.sig
  <Tanium Client>/extensions/libTaniumThreatResponse.dylib
  <Tanium Client>/extensions/libTaniumThreatResponse.dylib.sig
  <Tanium Client>/extensions/libTaniumRecorder.dylib
  <Tanium Client>/extensions/libTaniumRecorder.dylib.sig
  <Tanium Client>/extensions/recorder/proc.bin
  <Tanium Client>/extensions/recorder/recorder.db
  <Tanium Client>/extensions/recorder/recorder.db-shm
  <Tanium Client>/extensions/recorder/recorder.db-wal
  <Tanium Client>/extensions/recorder/recorder.auditpipe
  <Tanium Client>/extensions/core/libTaniumPythonCx.dylib
  <Tanium Client>/extensions/core/libTaniumPythonCx.dylib.sig

User role requirements

Table 2:   Threat Response user role permissions
Roles covered: Threat Response Administrator, Threat Response User, Threat Response Read Only User, Threat Response Service Account

Permission | Description | Provided [1]
Detect Administrator User | Provides privileges for a Detect administrator. |
Detect Alert Read | Access to read alerts | 1 1
Detect Alert Write | Access to modify alerts |
Detect Intel Read [2] | Access to read intel | 1 1
Detect Intel Write | Access to modify intel |
Detect Label Read | Access to read intel labels | 1 1
Detect Label Write | Access to modify intel labels |
Detect Notification Read | Access to read notifications | 1 1
Detect Notification Write | Access to modify notifications |
Detect Quickscan Read [2] | Access to read the results of quick scans | 1 1
Detect Quickscan Write | Access to run quick scans |
Detect Source Read | Access to read sources | 1 1
Detect Source Write [2] | Access to modify sources |
Detect Workbench User | Access to provide privileges for a user |
Detect Use API | Perform Detect operations using the API | 1 1 1 1
Detect Service User | Deploy group configs and intel, gather alerts and group config stats, and ingest intel from streams |
Detect Suppressionrule Write | Create, edit, and delete suppression rules |
Detect Suppressionrule Read | View and list suppression rules | 1 1
Show Detect [3] | Access to the Detect workbench | 1
Show Threat Response [3] | Access to the Threat Response workbench | 1 1 1
Threat Response API Doc Read | View and list API Docs |
Threat Response Configs Read | Access to read configurations |
Threat Response Alert Deploy Action | Allows for action deployment from a Threat Response alert |
Threat Response Configs Write | Access to create configurations |
Threat Response Filters Read | Access to read filters |
Threat Response Filters Write | Access to create filters |
Threat Response Profiles Deploy | Access to deploy profiles to endpoints |
Threat Response Profiles Read | Access to read profiles |
Threat Response Profiles Write | Access to create profiles |
Threat Response Response Actions Write | Enables users to create and stop response actions |
Threat Response Response Actions Read | Enables users to view response actions | 1 1
Threat Response Service User | Access to perform service account administration |
Threat Response Service User Read | Read configurations, intel, and alerts | 1
Threat Response Service User Write | Access to deploy configurations, deploy intel, gather alerts, gather group configuration stats, and ingest intel from streams |
Threat Response Content Incident Response Administrator | Provides content privileges for Threat Response Incident Response administrators |
Threat Response Content Incident Response User | Provides content privileges for Threat Response Incident Response users | 1
Threat Response Content Incident Response Readonly User | Provides content privileges for Threat Response Incident Response read only users | 1 1
Threat Response Content Index Administrator | Provides content privileges for Threat Response Index administrators |
Threat Response Content Index User | Provides content privileges for Threat Response Index users | 1
Threat Response Content Detect User | Provides content privileges for Threat Response Detect users |
Threat Response Intel Deploy | Allows deploying Threat Response Intel |
Threat Response Logs Read | Allows viewing Threat Response logs |
Threat Response Settings Write | Allows editing Threat Response settings |
Threat Response Settings Read | Allows viewing Threat Response settings | 1
Threat Response Stats Read | Allows viewing Threat Response stats |
Threat Response Tasks Read | Access to read Threat Response tasks |
Threat Response Live Response Collection Configs Read | Access to read Threat Response Live Response Collection configurations | 1 1
Threat Response Live Response Collection Configs Write | Access to create Threat Response Live Response collection configurations |
Threat Response Live Response Destinations Read | Access to read Threat Response Live Response destinations | 1 1
Threat Response Live Response Destinations Write | Access to create Threat Response Live Response destinations |
Threat Response Live Response File Collector Sets Read | Access to read Threat Response Live Response file collector set configurations | 1 1
Threat Response Live Response File Collector Sets Write | Access to create Threat Response Live Response file collector sets |
Threat Response Live Response Packages Generate | Access to create Threat Response Live Response packages |
Threat Response Live Response Script Sets Read | Access to read Threat Response Live Response script set configuration information | 1 1
Threat Response Live Response Script Sets Write | Access to create Threat Response Script Sets |
Threat Response Threat Response Live Response Modules Read | Access to read Threat Response Live Response module configuration information | 1
Threat Response Threat Response Audit Read | Allows viewing and exporting Threat Response Audit data |
Threat Response Use API | Perform Threat Response operations using the API | 1 1 1
Show Trace [3] | Access to the Trace workbench | 1 1 1
Trace API Doc Read | View and list API Docs | 1 1 1
Trace Deployment Read | View and list deployments | 1 1
Trace Deployment Write | Deploy Trace to endpoints |
Trace Endpoint Configuration Read | View and list endpoint configurations | 1 1 1
Trace Enterprise Hunting Read [2] | View and list sensors for enterprise hunting |
Trace Exports Read | View and list exported events | 1 1
Trace Exports Write | Create and delete exported events |
Trace File Downloads Read | View and list file downloads from live endpoints | 1 1
Trace File Downloads Write | Download and delete files from live connections |
Trace IOCs Read [2] | View and list indicators of compromise | 1 1
Trace IOCs Write [2] | Create, edit, and delete indicators of compromise |
Trace Live Connections Read | View and list live endpoint connections | 1 1
Trace Live Connections Write | Add, remove, and connect to live endpoints |
Trace Live Connections File Delete | Delete files on endpoints from a live connection |
Trace Live Connections Filesystem Browse | Browse the filesystem on live connections |
Trace Protect Rules Write [2] | Create, edit, and delete Protect rules |
Trace Saved Events Read | View and list saved events | 1 1
Trace Saved Events Write | Save events from live endpoint connections |
Trace Snapshots Read | View and list snapshots | 1 1
Trace Snapshots Write | Capture and delete snapshots |
Trace Use API | Perform Trace operations using the API | 1 1 1 1
Connect Event Write | Write access to events. |
Connect Eventschema Write | Write access to event schemas via API |
Connect Eventschema Read | Read access to event schemas via API | 1
Reputation Write | Write access to the Reputation shared service. |
Reputation Read | Read access to the Reputation shared service. | 1
Trends API Board Write | Create, edit, delete, and configure boards, sections, and panels for specified content sets. |
Trends API Board Read | View boards, sections, and panels for specified content sets. | 1
Trends API Source Write | View boards, sections, and panels for specified content sets. |
Trends API Source Read | View and list sources for specified content sets. | 1
Trends Data Read | Run data queries against sources. |
Trends Integration Service Account | Provides access for module service accounts to read and write data, and to define sources and boards. |
Trends Import | Import from file or gallery. |

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.

[1] Denotes a provided permission.

[2] Requires permissions for other modules or solutions to complete all tasks in those modules and see all content, such as Protect (version 1.3.0 or later), Connect (version 4.3.0 or later), or Interact. You can assign a role for another product, or create a custom role that lists just the specific privileges needed.

[3] To install Threat Response, you must have the reserved role of Administrator.

Table 3:   Provided Threat Response Micro Admin user role permissions
Roles covered: Threat Response Administrator, Threat Response User, Threat Response Read Only User, Threat Response Service Account

Permission
Read User
Read Action Group
Read Computer Group
Read Filter Group

Table 4:   Provided Threat Response Advanced user role permissions
Roles covered: Threat Response Administrator, Threat Response User, Threat Response Read Only User, Threat Response Service Account

Permission | Content Set for Permission
Ask Dynamic Questions |
Read Sensor | Base
Read Sensor | Reserved
Read Sensor | Detect
Read Sensor | Detect Service
Read Sensor | Threat Response
Read Sensor | Trace Analysis
Read Sensor | Trace Deployment
Read Sensor | Incident Response
Read Sensor | Index
Write Sensor | Trace Deployment
Write Sensor | Incident Response
Read Action | Detect
Read Action | Detect Service
Read Action | Threat Response
Read Action | Incident Response
Read Action | Index
Write Action | Detect Service
Write Action | Detect
Write Action | Threat Response
Write Action | Trace Analysis
Write Action | Trace Deployment
Write Action | Incident Response
Write Action | Index
Read Plugin | Detect Service
Read Plugin | Threat Response Service
Execute Plugin | Detect
Execute Plugin | Detect Service
Execute Plugin | Threat Response
Execute Plugin | Threat Response Service
Execute Plugin | Trace Analysis
Read Package | Detect
Read Package | Incident Response
Read Package | Index
Write Package | Detect Service
Write Package | Threat Response
Write Package | Trace Analysis
Write Package | Trace Deployment
Write Package | Incident Response
Write Package | Index
Read Saved Question | Detect
Read Saved Question | Detect Service
Read Saved Question | Threat Response
Read Saved Question | Incident Response
Write Saved Question | Incident Response
Read Dashboard | Incident Response
Write Dashboard | Incident Response
Read Dashboard Group | Incident Response
Write Dashboard Group | Incident Response
Read Filter Group | Reserved
Read Filter Group | Incident Response
Read Filter Group | Index
Read Filter Group | Threat Response

For example, to do everything in Threat Response and its features that integrate with other Tanium products, you would need the following roles:

  • Threat Response Administrator role
  • Protect User role to pivot from saved evidence into Protect rules
  • Reputation Administrator and Connect Administrator (if not using Reputation) role privileges to see reputation data
  • Show Interact role to view the status results of endpoints
  • Connect User role for Connect integration for events and for creating the Connect Reputation connections
  • Protect User role for creating remediation policies as response actions

Provide the Bypass Action Approval Advanced Role to the Trace Analysis Content Set so that Trace users can make Live Connections to endpoints without having to go through action approval and still require approval on all other actions.

Last updated: 4/2/2020 4:52 PM