Requirements

Review the requirements before you install and use Threat Response.

Tanium dependencies

In addition to a license for the Threat Response product module, make sure that your environment also meets the following requirements.

Component | Requirement
--- | ---
Platform | Version 7.0.314.6042 and later. For more information, see Tanium Core Platform Installation Guide: Installing Tanium Server.
Tanium Client | For more information about specific Tanium Client versions, see Tanium Client Deployment Guide: Client host system requirements.
Tanium Connect | 4.1.0 or later (optional).
Tanium Protect | 1.0.1 or later (optional).
Tanium Trends | 1.0 or later (optional).

For information about activating product licenses, see Tanium Knowledge Base: Licensing.

Endpoint hardware and software requirements

The recorder is supported on the same Linux and Mac endpoints as the Tanium Client. For Windows endpoints, you must have a minimum of Windows 7 or Windows Server 2008 R2. Windows 8.1 provides DNS event recording capability.

The engine is supported on Linux, Mac, and Windows endpoints. Windows XP must have SP3 installed and Windows 2003 must have SP2 installed.

A minimum of 100 MB RAM is required on each endpoint device. By default, the endpoint database is 1 GB. The endpoint device must have three times the maximum database size available in free disk space. The CPU demand on the endpoint averages less than 1%.

For Linux endpoints:

  • Install the most recent stable version of the audit daemon and audispd-plugins. See the specific operating system documentation for instructions.
  • If the audit configuration is locked with the immutable flag (-e 2), the Linux recorder inserts its Tanium audit rules ahead of the flag in the rules file. Because a locked audit configuration cannot be changed on a running system, the endpoint must be restarted after the recorder is enabled for those rules to take effect.
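The following Python helpers are an added example, not Tanium code, showing how to turn the endpoint requirements above into a preflight check: the free-disk rule (three times the maximum database size), the RAM minimum, and detection of the auditd immutable mode (-e 2) that forces a restart after the recorder is enabled. The `auditctl -s` output and rules-file contents in the block are constructed samples; the rules-file path and all function names are assumptions.

```python
"""Endpoint preflight helpers for the Threat Response recorder.

Added example, not Tanium code. The thresholds come from the requirements
above; the sample auditd output below is constructed for the demo.
"""
import os
import re
import shutil
from typing import List, Optional

DEFAULT_DB_SIZE_BYTES = 1 * 1024**3   # default endpoint database size: 1 GB
FREE_DISK_MULTIPLIER = 3              # free disk must be 3x the maximum database size
MIN_RAM_BYTES = 100 * 1024**2         # minimum RAM on the endpoint: 100 MB
AUDIT_RULES_PATH = "/etc/audit/audit.rules"   # assumed default path of the auditd rules file


def required_free_disk(max_db_size_bytes: int = DEFAULT_DB_SIZE_BYTES) -> int:
    """Free disk space the endpoint must have for the configured maximum database size."""
    if max_db_size_bytes <= 0:
        raise ValueError("database size must be positive")
    return FREE_DISK_MULTIPLIER * max_db_size_bytes


def disk_ok(path: str, max_db_size_bytes: int = DEFAULT_DB_SIZE_BYTES) -> bool:
    """True if the filesystem holding `path` meets the free-disk rule."""
    return shutil.disk_usage(path).free >= required_free_disk(max_db_size_bytes)


def total_ram_bytes() -> Optional[int]:
    """Physical RAM via sysconf (Linux/macOS); None where those keys are unavailable."""
    try:
        return os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES")
    except (AttributeError, ValueError, OSError):
        return None


_ENABLED_LINE = re.compile(r"^\s*enabled\s+(\d+)\s*$", re.MULTILINE)
_IMMUTABLE_RULE = re.compile(r"^-e\s+2$")


def audit_enabled_flag(auditctl_status: str) -> Optional[int]:
    """Parse the `enabled` value from `auditctl -s` output: 0 off, 1 on, 2 immutable."""
    m = _ENABLED_LINE.search(auditctl_status)
    return int(m.group(1)) if m else None


def _rule_lines(rules_text: str) -> List[str]:
    """Non-empty, non-comment lines of a rules file, stripped."""
    return [ln.strip() for ln in rules_text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def rules_set_immutable(rules_text: str) -> bool:
    """True if the rules file locks the configuration with `-e 2` at load time."""
    return any(_IMMUTABLE_RULE.match(ln) for ln in _rule_lines(rules_text))


def rules_after_immutable_flag(rules_text: str) -> List[str]:
    """Rules that follow `-e 2`. auditctl refuses changes once the flag is processed,
    so these never load; this is why the recorder inserts its rules ahead of the flag."""
    lines = _rule_lines(rules_text)
    for i, ln in enumerate(lines):
        if _IMMUTABLE_RULE.match(ln):
            return lines[i + 1:]
    return []


def recorder_needs_restart(auditctl_status: str = "", rules_text: str = "") -> bool:
    """With immutable mode in effect, the Tanium rules only take effect after a reboot."""
    return audit_enabled_flag(auditctl_status) == 2 or rules_set_immutable(rules_text)


# Constructed samples (not captured from a real host).
SAMPLE_STATUS_IMMUTABLE = "enabled 2\nfailure 1\npid 842\nrate_limit 0\nbacklog_limit 8192\nlost 0\nbacklog 0\n"
SAMPLE_STATUS_ENABLED = SAMPLE_STATUS_IMMUTABLE.replace("enabled 2", "enabled 1", 1)
SAMPLE_RULES_IMMUTABLE = (
    "## constructed audit.rules\n"
    "-D\n"
    "-b 8192\n"
    "-a always,exit -F arch=b64 -S execve -k exec\n"
    "-e 2\n"
)
SAMPLE_RULES_MUTABLE = SAMPLE_RULES_IMMUTABLE.replace("-e 2", "-e 1")
SAMPLE_RULES_LATE = SAMPLE_RULES_IMMUTABLE + "-w /etc/passwd -p wa -k passwd\n"


if __name__ == "__main__":
    print("free disk needed for default DB:", required_free_disk() // 1024**2, "MB")
    ram = total_ram_bytes()
    print("RAM ok:", None if ram is None else ram >= MIN_RAM_BYTES)
    print("disk ok (cwd):", disk_ok("."))
    if os.path.exists(AUDIT_RULES_PATH):
        with open(AUDIT_RULES_PATH) as fh:
            text = fh.read()
        print("immutable mode configured:", rules_set_immutable(text))
        print("rules after -e 2 (never loaded):", rules_after_immutable_flag(text))
    print("demo: restart needed?", recorder_needs_restart(SAMPLE_STATUS_IMMUTABLE, SAMPLE_RULES_IMMUTABLE))
```

Run it on a Linux endpoint before enabling the recorder: a result of `restart needed? True` means the endpoint should be scheduled for a reboot once the recorder is enabled, and any rules reported after `-e 2` are ones the audit daemon will never load as the file stands.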

Tanium Module Server computer resources

Threat Response is installed and runs as a service on the Module Server host computer. The impact on Module Server host computer sizing is minimal and depends on usage. Contact your Technical Account Manager (TAM) for details.

Third-party software

(Windows, Optional) Microsoft Sysmon

The latest supported version of Microsoft Sysmon is required to record process hashes and command-line information on Windows endpoints earlier than Windows 8.1 and Windows Server 2012 R2. For Windows 8.1 or later and Windows Server 2012 R2 or later, Sysmon is not required.

To configure Sysmon on endpoints, see Configure Sysmon.

Host and network security requirements

Specific ports and processes are needed to run Threat Response.

Ports

The following ports are required for Threat Response communication.

Component | Port number | Direction | Service | Purpose
--- | --- | --- | --- | ---
Module Server | 17443 | Inbound | Threat Response service | Support for uploading snapshots.
Module Server | 17444 | Inbound | Threat Response service | Threat Response agents connecting to the Module Server for live connections to endpoints.
Module Server | 17449 | Outbound | Zone hub | (Optional) Tanium zone hub connection to Tanium zone proxy.
Module Server | 80 | Outbound | Threat Response service | Integration of intel streams.
Module Server | 443 | Outbound | Threat Response service | Integration of intel streams.
Zone Server | 17449 | Inbound | Zone proxy | (Optional) Tanium zone hub connection to Tanium zone proxy. This port only needs to be accessible from the internal network to the DMZ.
Zone Server | 17444 | Inbound | Zone proxy | (Optional) Connections from Threat Response agents.
Tanium Client | 17444 | Outbound | Tanium Client | WebsocketClient.exe connecting to the Module Server or the zone proxy for live connections.
Threat Response data collection | 443 (S3), 22 (SFTP/SCP), 21, or 445 (SMB) | Outbound | Threat Response data collection | Outbound connections over ports depending on how the collected data is being transferred.
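As an added example (not Tanium code), the Python below transcribes the ports table into a small preflight tool: it lists the ports each host role must accept, so inbound allow rules can be scoped to exactly those, and probes the outbound flows a host actually intends to use. The host names in the usage section are placeholders, and the function names are assumptions; the probe is a plain TCP connect and does not speak the Threat Response protocol.

```python
"""Port preflight for Threat Response hosts.

Added example, not Tanium code. The flow list is transcribed from the ports
table above; host names passed to preflight() are placeholders you supply.
"""
import socket
from typing import Dict, List, NamedTuple, Optional, Tuple


class Flow(NamedTuple):
    component: str   # host role the table row applies to
    port: int
    direction: str   # "Inbound" or "Outbound" from that host's point of view
    service: str
    purpose: str


REQUIRED_FLOWS: Tuple[Flow, ...] = (
    Flow("Module Server", 17443, "Inbound", "Threat Response service", "snapshot uploads"),
    Flow("Module Server", 17444, "Inbound", "Threat Response service", "agents connecting for live connections"),
    Flow("Module Server", 17449, "Outbound", "Zone hub", "zone hub to zone proxy (optional)"),
    Flow("Module Server", 80, "Outbound", "Threat Response service", "intel stream integration"),
    Flow("Module Server", 443, "Outbound", "Threat Response service", "intel stream integration"),
    Flow("Zone Server", 17449, "Inbound", "Zone proxy", "zone hub to zone proxy, reachable only from the internal network (optional)"),
    Flow("Zone Server", 17444, "Inbound", "Zone proxy", "connections from Threat Response agents (optional)"),
    Flow("Tanium Client", 17444, "Outbound", "Tanium Client", "WebsocketClient.exe to Module Server or zone proxy"),
    Flow("Threat Response data collection", 443, "Outbound", "data collection", "S3 transfer"),
    Flow("Threat Response data collection", 22, "Outbound", "data collection", "SFTP/SCP transfer"),
    Flow("Threat Response data collection", 21, "Outbound", "data collection", "transfer over port 21 (listed in the table)"),
    Flow("Threat Response data collection", 445, "Outbound", "data collection", "SMB transfer"),
)


def flows_for(component: str, direction: Optional[str] = None) -> List[Flow]:
    """Rows of the table for one host role, optionally filtered by direction."""
    return [f for f in REQUIRED_FLOWS
            if f.component == component and (direction is None or f.direction == direction)]


def listen_ports(component: str) -> List[int]:
    """Distinct TCP ports a host in this role must accept: scope inbound allow rules to exactly these."""
    return sorted({f.port for f in flows_for(component, "Inbound")})


def check_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """TCP connect probe. False on refusal, timeout or DNS failure, i.e. a firewall
    or a service that is not listening; the check does not speak the protocol."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(component: str, targets: Dict[int, str], timeout: float = 2.0) -> Dict[Tuple[int, str], bool]:
    """Probe every outbound flow of `component` whose port has a target host in
    `targets` (port -> hostname). Optional flows with no target are skipped,
    so the result only reports what the operator actually intends to use."""
    results: Dict[Tuple[int, str], bool] = {}
    for f in flows_for(component, "Outbound"):
        host = targets.get(f.port)
        if host is not None:
            results[(f.port, host)] = check_tcp(host, f.port, timeout)
    return results


def failed(results: Dict[Tuple[int, str], bool]) -> List[Tuple[int, str]]:
    """(port, host) pairs that did not connect."""
    return sorted(k for k, ok in results.items() if not ok)


if __name__ == "__main__":
    # Placeholder host names; replace with your own Module Server and zone proxy.
    client_targets = {17444: "module-server.example.invalid"}
    res = preflight("Tanium Client", client_targets, timeout=1.0)
    print("Module Server must listen on:", listen_ports("Module Server"))
    print("Zone Server must listen on:", listen_ports("Zone Server"))
    print("Tanium Client outbound results:", res)
    print("failed:", failed(res))
```

Running `preflight("Module Server", {80: ..., 443: ...})` from the Module Server host confirms the intel stream egress before the first stream is configured, and `listen_ports("Zone Server")` gives the two ports the DMZ rule set needs and nothing more.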

Security exclusions

A security administrator must create exclusions to allow Tanium processes to run without interference if security software is in use in the environment to monitor and block unknown host system processes.

Tanium Module Server:

  • <Tanium Module Server>\services\trace\node.exe
  • <Tanium Module Server>\services\detect3\node.exe
  • <Tanium Module Server>\services\detect3\twsm.exe
  • <Tanium Module Server>\services\event-service\node.exe
  • <Tanium Module Server>\services\event-service\twsm.exe
  • <Tanium Module Server>\services\threat-response\node.exe
  • <Tanium Module Server>\services\twsm-v1\twsm.exe

Tanium Zone Server:

  • <Trace Zone Proxy>\proxy\node.exe

Windows x86 and x64 endpoints:

  • <Tanium Client>\Tools\EPI\TaniumExecWrapper.exe
  • <Tanium Client>\Tools\IR\TaniumExecWrapper.exe
  • <Tanium Client>\Tools\IR\TanFileInfo.exe
  • <Tanium Client>\Tools\IR\TaniumHandle.exe
  • <Tanium Client>\Tools\IR\TanListModules.exe
  • <Tanium Client>\Tools\EPI\TaniumEndpointIndex.exe
  • <Tanium Client>\Tools\Trace\TaniumTraceWebsocketClient.exe
  • <Tanium Client>\Tools\Trace\TaniumSQLiteQuery.exe
  • <Tanium Client>\Tools\Trace\TaniumExecWrapper.exe
  • <Tanium Client>\Tools\Detect3\TaniumDetectEngine.exe
  • <Installation Location>\sysmon.exe

Mac OS, and Linux x86 and x64 endpoints:

  • <Tanium Client>/Tools/EPI/TaniumExecWrapper
  • <Tanium Client>/Tools/IR/TaniumExecWrapper
  • <Tanium Client>/Tools/EPI/TaniumEndpointIndex
  • <Tanium Client>/Tools/Trace/recorder
  • <Tanium Client>/Tools/Trace/TaniumTraceWebsocketClient
  • <Tanium Client>/Tools/Trace/TaniumExecWrapper
  • <Tanium Client>/Tools/Detect3/TaniumDetectEngine

Console roles and privileges

Table 1:   Threat Response Module Privileges
Roles covered by the table: Threat Response Administrator, Threat Response User, Threat Response Read Only User, Threat Response Service Account.

Privilege | Description | Provided to roles [1]
--- | --- | ---
Detect Administrator User | Provides privileges for a Detect administrator. |
Detect Alert Read | Access to read alerts | 1 1
Detect Alert Write | Access to modify alerts |
Detect Intel Read [2] | Access to read intel | 1 1
Detect Intel Write | Access to modify intel |
Detect Label Read | Access to read intel labels | 1 1
Detect Label Write | Access to modify intel labels |
Detect Notification Read | Access to read notifications | 1 1
Detect Notification Write | Access to modify notifications |
Detect Quickscan Read [2] | Access to read the results of quick scans | 1 1
Detect Quickscan Write | Access to run quick scans |
Detect Source Read | Access to read sources | 1 1
Detect Source Write [2] | Access to modify sources |
Detect Workbench User | Access to provide privileges for a user |
Detect Use API | Perform Detect operations using the API | 1 1 1 1
Show Detect [3] | Access to the Detect workbench | 1 1
Show Threatresponse [3] | Access to the Threat Response workbench | 1 1 1
Threat Response API Doc Read | View and list API Docs |
Threat Response Configs Read | Access to read configurations |
Threat Response Configs Write | Access to create configurations |
Threat Response Filters Read | Access to read filters |
Threat Response Filters Write | Access to create filters |
Threat Response Profiles Deploy | Access to deploy profiles to endpoints |
Threat Response Profiles Read | Access to read profiles |
Threat Response Profiles Write | Access to create profiles |
Threat Response Service User | Access to perform service account administration |
Threat Response Service User Read | Read configurations, intel, and alerts | 1
Threat Response Service User Write | Access to deploy configurations, deploy intel, gather alerts, gather group configuration stats, and ingest intel from streams |
Threat Response Tasks Read | Access to read Threat Response tasks |
Threat Response Use API | Perform Threat Response operations using the API | 1 1 1
Show Trace [3] | Access to the Trace workbench | 1 1 1
Trace API Doc Read | View and list API Docs | 1 1 1
Trace Deployment Read | View and list deployments | 1 1
Trace Deployment Write | Deploy Trace to endpoints |
Trace Endpoint Configuration Read | View and list endpoint configurations | 1 1 1
Trace Enterprise Hunting Read [2] | View and list sensors for enterprise hunting |
Trace Exports Read | View and list exported events | 1 1
Trace Exports Write | Create and delete exported events |
Trace File Downloads Read | View and list file downloads from live endpoints | 1 1
Trace File Downloads Write | Download and delete files from live connections |
Trace IOCs Read [2] | View and list indicators of compromise | 1 1
Trace IOCs Write [2] | Create, edit, and delete indicators of compromise |
Trace Live Connections Read | View and list live endpoint connections | 1 1
Trace Live Connections Write | Add, remove, and connect to live endpoints |
Trace Protect Rules Write [2] | Create, edit, and delete Protect rules |
Trace Saved Events Read | View and list saved events | 1 1
Trace Saved Events Write | Save events from live endpoint connections |
Trace Snapshots Read | View and list snapshots | 1 1
Trace Snapshots Write | Capture and delete snapshots |
Trace Use API | Perform Trace operations using the API | 1 1 1 1

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.

[1] Denotes a provided permission.

[2] Requires permissions for other modules or solutions to complete all tasks in other modules and see all content, such as Protect (version 1.3.0 or later), Connect (version 4.3.0 or later), or Interact. You can assign a role for another product, or create a custom role that lists just the specific privileges needed.

[3] To install Threat Response, you must have the reserved role of Administrator.

Table 2:   Micro Admin Role Privileges
Roles covered by the table: Threat Response Administrator, Threat Response User, Threat Response Read Only User, Threat Response Service Account.

Permission | Provided to roles
--- | ---
Read User | *

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.

* Denotes an implied permission.

Table 3:   Advanced User Role Privileges
Roles covered by the table: Threat Response Administrator, Threat Response User, Threat Response Read Only User, Threat Response Service Account.

Permission | Content Set for Permission | Provided to roles
--- | --- | ---
Ask Dynamic Questions | | * * * *
Read Sensor | Base | * *
Read Sensor | Reserved | * * * *
Read Sensor | Detect | * * * *
Read Sensor | Detect Service | *
Read Sensor | Threat Response | * *
Read Sensor | Trace Analysis | * * *
Read Sensor | Trace Deployment | * * *
Read Sensor | Incident Response | * * *
Read Sensor | Index | * * *
Write Sensor | Trace Deployment | *
Write Sensor | Incident Response | *
Read Action | Detect | *
Read Action | Detect Service | *
Read Action | Threat Response | * *
Read Action | Incident Response | *
Read Action | Index | *
Write Action | Detect Service | *
Write Action | Detect | * *
Write Action | Threat Response | * *
Write Action | Trace Analysis | * *
Write Action | Trace Deployment | *
Write Action | Incident Response | *
Write Action | Index | *
Read Plugin | Detect Service | *
Read Plugin | Threat Response Service | *
Execute Plugin | Detect | * * * *
Execute Plugin | Detect Service | *
Execute Plugin | Threat Response | * * * *
Execute Plugin | Threat Response Service | *
Execute Plugin | Trace Analysis | *
Execute Plugin | Trace Analysis | * *
Read Package | Detect | * *
Read Package | Incident Response | * *
Read Package | Index | * * *
Write Package | Detect Service | *
Write Package | Threat Response | *
Write Package | Trace Analysis | *
Write Package | Trace Deployment | *
Write Package | Incident Response | *
Write Package | Index | *
Read Saved Question | Detect | *
Read Saved Question | Detect Service | *
Read Saved Question | Threat Response | * *
Read Saved Question | Incident Response | * * *
Write Saved Question | Incident Response | *
Read Dashboard | Incident Response | * * *
Write Dashboard | Incident Response | *
Read Dashboard Group | Incident Response | * * *
Write Dashboard Group | Incident Response | *

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.

* Denotes an implied permission.

For example, to do everything in Threat Response and its features that integrate with other Tanium products, you would need the following roles:

  • Threat Response Administrator role
  • Protect User role to pivot from saved evidence into Protect rules
  • Connect Administrator role or just the Connect Reputation Read privilege to see reputation data
  • Show Interact role to view the status results of endpoints

Grant the Bypass Action Approval Advanced Role on the Trace Analysis Content Set so that Trace users can make Live Connections to endpoints without going through action approval, while all other actions still require approval.

Last updated: 2/15/2019 10:34 AM