Threat Response requirements

Review the requirements before you install and use Threat Response.

License entitlements

The content that appears in the Threat Response workbench can differ depending on the type of license you have.

The following table illustrates the areas of the Threat Response workbench that are available for various types of licenses.

License | Intel configurations | Engine configurations | Recorder configurations | Index configurations | Enterprise hunting | Live Response
Threat Response
Trace (Trace and Incident Response)
Detect (Detect and Incident Response)
Trace and Detect
Trace, Detect, and Incident Response N/A N/A N/A N/A N/A N/A
Trace only
Detect only
Incident Response only N/A N/A N/A N/A N/A N/A*
* = With an Incident Response license, you can use Live Response; however, the Live Response workbench is not provided. See the Incident Response User Guide for more information on using Live Response.

Tanium dependencies

Component Requirement
Tanium™ Core Platform 7.3.314.4250 or later.

For more information, see Tanium Core Platform Installation Guide: Installing Tanium Server.
Tanium™ Client

Any supported version of Tanium Client. For more information about specific Tanium Client versions, see Tanium Client Management User Guide: Client version and host system requirements.

One of the following Tanium Client versions is required, depending on OS:

  • (Linux, macOS*, Windows) Any supported version of Tanium Client
  • (macOS 10.15.x and later) 7.2.314.3608 or later

* = macOS earlier than 10.15.x Catalina

If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Tanium solutions

If you selected Tanium Recommended Installation when you installed Threat Response, the Tanium Server automatically installed all your licensed solutions at the same time. Otherwise, you must manually install the Tanium solutions that Threat Response requires to function, as described under Tanium Console User Guide: Import, re-import, or update specific solutions.

The following solutions are required for features of Threat Response to function. The given versions are the minimum required:

  • Tanium™ Connect 4.1.0 to 4.10.5 is required for reputation data without Tanium™ Reputation.
  • Tanium™ Reputation 5.0 or later is required for reputation data with Tanium Connect 4.11 or later.
  • Tanium™ Enforce 1.6.0 or later is required for alert remediation.
  • Tanium™ IR Quarantine 3.1.1 or later is required for isolating endpoints.
  • Tanium™ Direct Connect 1.10.39 or later is required for live endpoint connections.
  • Tanium Trends 3.6.331 or later.
  • Tanium Interact 2.7.214 or later.
  • Tanium Default Content 8.0.0 or later.
  • Tanium Impact 1.5.68 or later (optional).
  • Tanium Endpoint Configuration 1.2 or later is required for tools deployment and, optionally, for approving configuration changes.

Endpoint Configuration is installed as part of Tanium Client Management 1.5 or later.

Tanium™ Reveal 1.15 or later is required if Reveal exists in the same environment. Tanium Reveal is not a required Threat Response dependency.

Computer groups

When you first log into the Tanium Console after installing the Tanium Server, the server automatically imports the computer groups that Threat Response requires:

  • All Computers
  • All Windows
  • All Linux
  • All Mac

For information about activating product licenses, see Tanium Console User Guide: Managing the Tanium license.

Tanium™ Module Server

Threat Response is installed and runs as a service on the Module Server host computer. The impact on Module Server host computer sizing is minimal and depends on usage. For more information, see Contact Tanium Support.

Endpoints

The following endpoint operating systems are supported with Threat Response. The endpoint requirements for Threat Response are consistent with those used for Tanium Performance and Tanium Integrity Monitor. Threat Response uses the Tanium™ Client Recorder Extension to gather data from endpoints.

Operating System | Version

Windows

A minimum of Windows 7 (SP1) or Windows Server 2008 R2 (with SP1) is required. Windows 8.1 provides DNS event recording capability. Windows XP, Windows Server 2008, and Windows Server 2003 are not supported.

Windows 7 Service Pack 1 requires Microsoft KB2758857.

macOS

macOS 10.11 or later is required.

Linux

Same as Tanium Client support, with the exceptions noted below. See Tanium Client Management User Guide: Client version and host system requirements.

The Client Recorder Extension does not support CentOS and Red Hat Enterprise Linux versions 5.3 and earlier. Endpoints require version 5.4 or later of CentOS or Red Hat Enterprise Linux.

eBPF as an event source for the Client Recorder Extension requires Red Hat Enterprise Linux, Oracle Enterprise Linux, and CentOS versions 7.8 or later.

The Client Recorder Extension provides SELinux policies for the following distributions and versions:

  • Oracle Linux 5.x, 6.x, 7.x, and 8.x
    When SELinux is enabled, only process information is returned. This is a known issue and will be addressed in a future version of Threat Response.
  • Red Hat Enterprise Linux (RHEL) 5.4 and later, 6.x, 7.x, and 8.x
  • CentOS 5.4 and later, 6.x, 7.x, and 8.x
  • Amazon Linux 2 LTS (2017.12)

At this time, SELinux is not supported on other Linux distributions.

The engine requires lsof on endpoints to scan open files.

For Linux endpoints:

  • Install the most recent stable version of the audit daemon and audispd-plugins. For information on deprecated parameters in the audit daemon configuration, see Tanium Client Recorder Extension User Guide. See the specific operating system documentation for installation instructions.
  • When immutable mode ("-e 2") is used, the recorder adds the Tanium audit rules in front of the immutable flag. When the -e 2 flag is used on Linux, the endpoint must be restarted after the recorder is enabled.
  • When failure mode "-f 2" is used, the Linux kernel panics if an auditd message is lost. The recorder does not add audit rules if this configuration is detected.
  • If eBPF is used for event data, the kernel-headers and kernel-devel packages must be installed on RHEL and CentOS 7.8 to 8.1 endpoints. eBPF adds a BCC library that is compiled on the endpoint. This library is recompiled every time the endpoint is restarted.

Disk space requirements

By default, the endpoint database for Threat Response is 1GB in size. On installation, 100MB is reserved on disk, and the database grows to up to 1GB before event pruning occurs. The amount of free disk space that is required depends on the configuration of the Client Recorder Extension; 3GB is recommended. Free disk space is checked in two situations: when a snapshot is requested, and as part of the process following a Threat Response 1.x to 2.x migration where a legacy monitor.db is migrated.

CPU and memory requirements

The CPU demand on the endpoint averages less than 1%.

The Client Recorder Extension does not start on endpoints with a single logical core unless the CX.recorder.EnableSingleCpuRequirement configuration setting is changed to 0. To update CX.recorder.EnableSingleCpuRequirement to 0, edit the Recorder - Set Recorder Extension Setting [OS] package to add a parameter with the configuration key EnableSingleCpuRequirement and a value of 0, and deploy the package to the appropriate endpoints. Alternatively, run the following command from the Tanium Client directory on the endpoints to update this configuration setting:

  • (Windows) TaniumClient.exe config set CX.recorder.EnableSingleCpuRequirement 0
  • (Linux and macOS) ./TaniumClient config set CX.recorder.EnableSingleCpuRequirement 0

A minimum of 4 GB RAM is recommended on each endpoint device.
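As an added example that is not part of the Tanium documentation, the following POSIX shell script checks a Linux endpoint against the requirements in this section and the Linux endpoint notes above: the single-logical-core rule for the Client Recorder Extension, the 4 GB RAM and 3 GB free disk recommendations, the presence of lsof, and the auditd "-e 2" (immutable) and "-f 2" (panic on lost message) modes. The thresholds and the meaning of the two auditd modes come from the text; the function names, the constructed audit rule lines, and the use of nproc, /proc/meminfo, df and auditctl -l to gather live values are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Tanium code: pre-flight checks for a Linux endpoint against
# the Threat Response endpoint requirements. Every check takes its input as an
# argument so it can be exercised with constructed values; run_live gathers the
# real values (assumed sources: nproc, /proc/meminfo, df -kP, auditctl -l).

# The recorder does not start on a single logical core unless
# CX.recorder.EnableSingleCpuRequirement is set to 0. Returns 0 for 2+ cores.
cpu_ok() {
  [ "$1" -ge 2 ]
}

# 4 GB RAM recommendation; argument is MemTotal in kB as /proc/meminfo reports it.
ram_ok() {
  [ "$1" -ge 4194304 ]   # 4 * 1024 * 1024 kB
}

# 3 GB free disk recommendation; argument is free space in 1K blocks (df -k).
disk_ok() {
  [ "$1" -ge 3145728 ]   # 3 * 1024 * 1024 kB
}

# Scans audit rule text (auditctl -l output or audit.rules contents) for the two
# modes the recorder cares about. Prints IMMUTABLE for "-e 2" (rules go in front
# of the flag and a reboot is required) and PANIC for "-f 2" (the recorder will
# not add rules). Prints nothing when neither mode is present.
audit_rule_issues() {
  printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])-e[[:space:]]+2([[:space:]]|$)' && echo IMMUTABLE
  printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])-f[[:space:]]+2([[:space:]]|$)' && echo PANIC
  return 0
}

# Runs every check, prints one line per finding and returns the number of
# failed checks, so an exit status of 0 means the endpoint meets the requirements.
# Arguments: logical cores, MemTotal kB, free kB, audit rule text, path to lsof
# (empty string when lsof is not installed).
preflight_report() {
  cores="$1"; mem_kb="$2"; free_kb="$3"; rules="$4"; lsof_path="$5"
  failures=0
  if ! cpu_ok "$cores"; then
    echo "CPU: $cores logical core(s); set CX.recorder.EnableSingleCpuRequirement to 0 or the recorder will not start"
    failures=$((failures + 1))
  fi
  if ! ram_ok "$mem_kb"; then
    echo "RAM: $((mem_kb / 1024)) MB total; 4 GB recommended"
    failures=$((failures + 1))
  fi
  if ! disk_ok "$free_kb"; then
    echo "Disk: $((free_kb / 1024)) MB free; 3 GB recommended"
    failures=$((failures + 1))
  fi
  if [ -z "$lsof_path" ]; then
    echo "lsof: not found; the engine requires it to scan open files"
    failures=$((failures + 1))
  fi
  for issue in $(audit_rule_issues "$rules"); do
    case "$issue" in
      IMMUTABLE) echo "auditd: immutable mode (-e 2) is set; restart the endpoint after enabling the recorder" ;;
      PANIC)     echo "auditd: failure mode -f 2 is set; the recorder will not add audit rules" ;;
    esac
    failures=$((failures + 1))
  done
  return "$failures"
}

# Gathers live values from this machine. Run as root so auditctl can list rules;
# TANIUM_CLIENT_DIR (assumed variable) selects the filesystem whose free space is checked.
run_live() {
  cores=$(nproc)
  mem_kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)
  free_kb=$(df -kP "${TANIUM_CLIENT_DIR:-/}" | awk 'NR==2 {print $4}')
  rules=$(auditctl -l 2>/dev/null || cat /etc/audit/audit.rules 2>/dev/null)
  preflight_report "$cores" "$mem_kb" "$free_kb" "$rules" "$(command -v lsof)"
}

# Pass --live to check this machine; without it only the functions are defined.
if [ "${1:-}" = "--live" ]; then run_live; fi
```

Run it as `sh preflight.sh --live` on the endpoint before enabling a recorder profile; a non-zero exit status is the count of findings, so the script fits a deployment gate as well as a manual check. The audit rule scan deliberately matches only whole `-e 2` and `-f 2` tokens, so `-e 1` and watch rules are not mistaken for the two modes.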

Tanium Event Recorder Driver

Use the Tanium Event Recorder Driver to record process and command-line events on supported Windows endpoints. To deploy the Tanium Event Recorder Driver to the endpoints, see Tanium Client Recorder Extension User Guide: Installing the Tanium Event Recorder Driver. Enable the Tanium Driver by selecting the Enforce Driver setting in a recorder configuration. If checked, this setting distributes the Tanium Driver to endpoints and enforces that the Tanium Driver service is running. The recorder is optimized to use the Tanium Event Recorder Driver on Windows systems when it is installed. It is strongly recommended to use the Tanium Event Recorder Driver for the best performance and data reliability.

If the Tanium Event Recorder Driver is updated, endpoints that use Threat Response require a reboot to ensure that all events are returned, to see the process tree in an alert, and to ensure that signals are working as intended.

If unchecked, the Tanium Driver will not be distributed to the endpoint; if the Tanium Driver is already installed, the Tanium Driver service will no longer be enforced and will continue running unless manually disabled or removed.

The use of Sysmon has been deprecated in Threat Response version 2.2.0.

The following table provides information about the available recorder features on Windows.

Feature | Windows Server 2008 R2 | Windows Server 2012 | Windows Server 2012 R2 or later | Windows 7 SP1 | Windows 8 | Windows 8.1 or later*
DNS events | Not Available | Not Available | Available | Not Available | Not Available | Available
Process hashes and command-line information | Requires Tanium driver | Requires Tanium driver | Requires Tanium driver | Requires Tanium driver | Requires Tanium driver | Requires Tanium driver
Driver loads | Available | Available | Available | Available | Available | Available

* = Windows 10 operating systems must be Windows 10 1607 or greater.

Install the Tanium Event Recorder Driver to capture process and command line events

The Tanium Event Recorder Driver is installed by default on new installations of Threat Response 2.2.0 and later. If you are upgrading to Threat Response 2.2.0 or later from an earlier version, you can manually install the Tanium Event Recorder Driver.

  1. From the Tanium Console home page, ask the question Get Tanium Driver Status from all machines and click Search.
  2. Select Install Recommended.
  3. From the Deploy Action page, select Install Tanium Driver.
  4. Validate successful installations by checking the validation query that runs at the end of the package installation.
  5. Collect the action logs from any endpoints that fail the validation query using Live Response.
  6. Run the action Remove Tanium Driver on any endpoints that return anything other than SERVICE_RUNNING for the Tanium Event Recorder Driver service status.

If you make changes to the event source, you must redeploy any recorder enabled profile for the changes to take effect.

Host and network security requirements

Specific ports and processes are needed to run Threat Response.

Ports

The following ports are required for Threat Response communication.

Source | Destination | Port | Protocol | Purpose
Module Server | Direct Connect Zone Proxy | 17487 (Direct Connect communication port) and 17488 (Direct Connect provision and status monitoring port) | TCP | (Optional) Tanium Direct Connect connection to Direct Connect Zone Proxy
Module Server | Module Server (loopback) | 17466 | TCP | Internal purposes, not externally accessible
Module Server | Intel provider | 80, 443 | TCP | Integration of intel streams
Tanium Server | Module Server | 17477 | TCP | Tanium Server initiates connections to the Module Server on port 17477
Tanium Client | Direct Connect | 17475 (Direct Connect on Module Server), 17486 (Direct Connect Zone Proxy) | TCP | Connections to the Module Server or the Direct Connect Zone Proxy for live connections
Tanium Client | Live Response destination | 443 (S3), 22 (SFTP/SCP), or 445 (SMB) | TCP | Outbound connections over ports depending on how the collected data is being transferred
Threat Response Stream configurations for Splunk (required for Stream configurations to Splunk destinations) | Splunk | TCP (provided by a Splunk administrator) | TCP | The port for the stream communication to the host. This TCP port is provided by a Splunk administrator to correspond to a data source

Source | Destination | Port | Protocol | Purpose
Tanium as a Service | Intel provider | 80, 443 | TCP | Integration of intel streams
Tanium Client | Direct Connect | 17486 (Direct Connect) | TCP | Live connections to Tanium as a Service
Tanium Client | Live Response destination | 443 (S3), 22 (SFTP/SCP), or 445 (SMB) | TCP | Outbound connections over ports depending on how the collected data is being transferred
Threat Response Stream configurations for Splunk (required for Stream configurations to Splunk destinations) | Splunk | TCP (provided by a Splunk administrator) | TCP | The port for the stream communication to the host. This TCP port is provided by a Splunk administrator to correspond to a data source

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.
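As an added example that is not part of the Tanium documentation, the Module Server rows of the port table above rendered as host-firewall rules that match on TCP port and peer address rather than on application identity, which is the rule shape the guidance asks for. The ports and purposes come from the table; the function names, the iptables syntax with the comment match, the loopback-only handling of 17466, and the addresses passed in the usage line are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Tanium code: print host-firewall rules for a Module Server
# host that match on TCP port and peer address (no application identity), using
# the ports from the Threat Response port table. Rules are printed, not applied,
# so they can be reviewed before use. Addresses are parameters; the values in
# the usage line at the bottom are constructed.

# Inbound: allow TCP from SRC to local PORT, tagged with the purpose from the table.
inbound_rule() {
  printf 'iptables -A INPUT -p tcp -s %s --dport %s -m comment --comment "%s" -j ACCEPT\n' "$1" "$2" "$3"
}

# Outbound: allow TCP from this host to DST on PORT.
outbound_rule() {
  printf 'iptables -A OUTPUT -p tcp -d %s --dport %s -m comment --comment "%s" -j ACCEPT\n' "$1" "$2" "$3"
}

# Module Server rule set.
# Arguments: Tanium Server address, endpoint (Tanium Client) network,
#            Direct Connect Zone Proxy address, intel provider address.
module_server_rules() {
  tanium_server="$1"; client_net="$2"; zone_proxy="$3"; intel="$4"
  # Tanium Server initiates connections to the Module Server on 17477
  inbound_rule "$tanium_server" 17477 "Tanium Server to Module Server"
  # Live connections from Tanium Clients to Direct Connect on the Module Server
  inbound_rule "$client_net" 17475 "Direct Connect from Tanium Client"
  # 17466 is internal only: accept it on the loopback interface and drop it elsewhere
  printf 'iptables -A INPUT -i lo -p tcp --dport 17466 -m comment --comment "%s" -j ACCEPT\n' "Module Server internal (loopback only)"
  printf 'iptables -A INPUT -p tcp --dport 17466 -j DROP\n'
  # Optional Direct Connect Zone Proxy: communication, and provision/status monitoring
  outbound_rule "$zone_proxy" 17487 "Direct Connect communication to Zone Proxy"
  outbound_rule "$zone_proxy" 17488 "Direct Connect provision and status monitoring to Zone Proxy"
  # Intel stream integration over HTTP and HTTPS
  outbound_rule "$intel" 80 "Intel provider"
  outbound_rule "$intel" 443 "Intel provider"
}

# Number of rule lines the set produces, for a quick sanity check.
rule_count() {
  module_server_rules "$@" | wc -l | tr -d ' '
}

# Usage with constructed addresses: review the printed rules, then apply them
# with root privileges on the Module Server host.
module_server_rules 10.0.0.5 10.0.0.0/8 192.0.2.10 203.0.113.20
```

The Live Response destination and Splunk rows are not in this set because those connections originate from the endpoints, not from the Module Server. The same pattern (service, port and peer address, never an application signature) is what the Palo Alto Networks service-object advice above amounts to on a network firewall.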

Security exclusions

A security administrator must create exclusions to allow Tanium processes to run without interference if security software is in use in the environment to monitor and block unknown host system processes.

Threat Response security exclusions
Target Device Notes Exclusion Type Exclusion
Tanium Module Server   Process  <Module Server>\services\detect3\node.exe
  Process <Module Server>\services\detect3\twsm.exe
  Process <Module Server>\services\event-service\node.exe
  Process <Module Server>\services\event-service\twsm.exe
  Process <Module Server>\services\threat-response-service\node.exe
  Process <Module Server>\services\twsm-v1\twsm.exe
  Process <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Tanium Zone Server   Process <Zone Server>\proxy\node.exe
Windows x86 and x64 endpoints   Process <Tanium Client>\Tools\EPI\TaniumExecWrapper.exe
  Process <Tanium Client>\Tools\IR\TaniumExecWrapper.exe
  Process <Tanium Client>\Tools\IR\TanFileInfo.exe
  Process <Tanium Client>\Tools\IR\TaniumFileInfo.exe
  Process <Tanium Client>\Tools\IR\TaniumHandle.exe
  Process <Tanium Client>\Tools\IR\TanListModules.exe
  Process <Tanium Client>\extensions\TaniumIndex.dll
  Process <Tanium Client>\extensions\TaniumIndex.dll.sig
  Process  <Tanium Client>\Tools\recorder\TaniumRecorderCtl.exe
  Process <Tanium Client>\Tools\Detect3\TaniumDetectEngine.exe
  Process <Tanium Client>\extensions\TaniumRecorder.dll
  Process <Tanium Client>\extensions\TaniumRecorder.dll.sig
  Process <Tanium Client>\extensions\SupportCX.dll
  Process <Tanium Client>\extensions\SupportCX.dll.sig
  Process <Tanium Client>\extensions\recorder\proc.bin
  Process <Tanium Client>\extensions\recorder\recorder.db
  Process <Tanium Client>\extensions\recorder\recorder.db-shm
  Process <Tanium Client>\extensions\recorder\recorder.db-wal
  Process <Tanium Client>\extensions\TaniumThreatResponse.dll
  Process <Tanium Client>\extensions\TaniumThreatResponse.dll.sig
  Process <Tanium Client>\extensions\core\TaniumPythonCx.dll
  Process <Tanium Client>\extensions\core\TaniumPythonCx.dll.sig
  Folder <Tanium Client>\extensions\stream
  Process <Tanium Client>\TaniumClientExtensions.dll
  Process <Tanium Client>\TaniumClientExtensions.dll.sig
1 Process <Tanium Client>\Downloads\Action_*\TaniumFileTransfer.exe
1 Process <Tanium Client>\Downloads\Action_*\Winpmem.gb414603.exe
  Process <Tanium Client>\Tools\IR\TaniumPersistenceAnalyzer.exe
  Process <Tanium Client>\Tools\IR\PowerForensics\PowerForensics.dll
7.2.x clients, 3 Process <Tanium Client>\Python27\TPython.exe
7.4.x clients, 3 Process <Tanium Client>\Python38\TPython.exe
7.4.x clients Folder <Tanium Client>\Python38
  Process <Tanium Client>\TaniumCX.exe
  Process <Tanium Client>\extensions\TaniumDEC.dll
  Process <Tanium Client>\extensions\TaniumDEC.dll.sig
Linux x86 and x64 endpoints   Process <Tanium Client>/TaniumAuditPipe
  Process <Tanium Client>/TaniumCX
  Process <Tanium Client>/Tools/EPI/TaniumExecWrapper
  Process <Tanium Client>/Tools/IR/TaniumExecWrapper
  Process <Tanium Client>/extensions/libTaniumIndex.so
  Process <Tanium Client>/extensions/libTaniumIndex.so.sig
  Process  <Tanium Client>/Tools/Detect3/TaniumDetectEngine
7.2.x clients Process <Tanium Client>/python27/python
7.2.x clients Process <Tanium Client>/python27/bin/pybin
7.4.x clients Process <Tanium Client>/python38/python
  Process <Tanium Client>/libTaniumClientExtensions.so
  Process <Tanium Client>/libTaniumClientExtensions.so.sig
  Process <Tanium Client>/libSupportCX.so
  Process <Tanium Client>/libSupportCX.so.sig
  Process <Tanium Client>/extensions/libTaniumThreatResponse.so
  Process <Tanium Client>/extensions/libTaniumThreatResponse.so.sig
  Process <Tanium Client>/extensions/libTaniumRecorder.so
  Process <Tanium Client>/extensions/libTaniumRecorder.so.sig
  Process <Tanium Client>/extensions/recorder/proc.bin
  Process <Tanium Client>/extensions/recorder/recorder.db
  Process <Tanium Client>/extensions/recorder/recorder.db-shm
  Process <Tanium Client>/extensions/recorder/recorder.db-wal
  Process <Tanium Client>/extensions/recorder/recorder.auditpipe
  Process <Tanium Client>/extensions/core/libTaniumPythonCx.so
  Process <Tanium Client>/extensions/core/libTaniumPythonCx.so.sig
  Process <Tanium Client>/extensions/libTaniumDEC.so
  Process <Tanium Client>/extensions/libTaniumDEC.so.sig
  Folder <Tanium Client>/extensions/stream
1,2 Process <Tanium Client>/Downloads/Action_*/surge-collect
1,2 File <Tanium Client>/Downloads/Action_*/surge.dat
1 Process <Tanium Client>/Downloads/Action_*/linpmem-*.bin
1 Process <Tanium Client>/Downloads/Action_*/taniumfiletransfer
macOS endpoints   Process <Tanium Client>/TaniumCX
  Process <Tanium Client>/Tools/EPI/TaniumExecWrapper
  Process <Tanium Client>/Tools/IR/TaniumExecWrapper
  Process <Tanium Client>/extensions/TaniumIndex.dylib
  Process <Tanium Client>/extensions/TaniumIndex.dylib.sig
  Process  <Tanium Client>/Tools/Detect3/TaniumDetectEngine
7.2.x clients Process <Tanium Client>/python27/python
7.4.x clients Process <Tanium Client>/python38/python
  Process <Tanium Client>/libTaniumClientExtensions.dylib
  Process <Tanium Client>/libTaniumClientExtensions.dylib.sig
  Process <Tanium Client>/extensions/libTaniumThreatResponse.dylib
  Process <Tanium Client>/extensions/libTaniumThreatResponse.dylib.sig
  Process <Tanium Client>/extensions/libTaniumRecorder.dylib
  Process <Tanium Client>/extensions/libTaniumRecorder.dylib.sig
  Process <Tanium Client>/extensions/recorder/proc.bin
  Process <Tanium Client>/extensions/recorder/recorder.db
  Process <Tanium Client>/extensions/recorder/recorder.db-shm
  Process <Tanium Client>/extensions/recorder/recorder.db-wal
  Process <Tanium Client>/extensions/recorder/recorder.auditpipe
  Process <Tanium Client>/extensions/core/libTaniumPythonCx.dylib
  Process <Tanium Client>/extensions/core/libTaniumPythonCx.dylib.sig
  Folder <Tanium Client>/extensions/stream
  Process <Tanium Client>/extensions/libTaniumDEC.dylib
  Process <Tanium Client>/extensions/libTaniumDEC.dylib.sig
  Process <Tanium Client>/extensions/libSupportCX.dylib
  Process <Tanium Client>/extensions/libSupportCX.dylib.sig
1,2 Process <Tanium Client>/Downloads/Action_*/surge-collect
1,2 File <Tanium Client>/Downloads/Action_*/surge.dat
1 Process <Tanium Client>/Downloads/Action_*/osxpmem.app/osxpmem
1 Process <Tanium Client>/Downloads/Action_*/taniumfiletransfer
1 = Where * corresponds to the action ID or the version of linpmem.

2 = Exception is required if Volexity Surge is used for memory collection.

3 = TPython requires SHA2 support to allow installation.


User role requirements

To do everything in Threat Response, including the features that integrate with other Tanium solutions, you need the following roles:

  • Threat Response Administrator role
  • Reputation Administrator, and Connect Administrator (if not using Reputation), role privileges to see reputation data
  • Show Interact role to view the status results of endpoints
  • Connect User role for Connect integration for events and for creating the Connect Reputation connections
  • Enforce User role for creating remediation policies as response actions and for pivoting from saved evidence into Enforce rules

The following tables list the role permissions required to use Threat Response. To review a summary of the predefined roles, see Set up Threat Response users.

Threat Response user role permissions

Permission (description) | Threat Response Administrator 2,3,5,8,10 | Threat Response Operator 2,3,5,8,10 | Threat Response User 2,3,8,10 | Threat Response Read Only User 2,3,8,10,11 | Threat Response Service Account 1,2,3,4,5,8,9,10 | Threat Response Endpoint Configuration Approver 2,5
Detect Alert (Access to read and modify alerts) | READ WRITE | READ WRITE | READ WRITE | READ | READ
Detect API (Perform Detect operations using the API) | EXECUTE | EXECUTE | EXECUTE | EXECUTE | EXECUTE | EXECUTE
Detect Config (Access to read and modify Detect configurations) | READ WRITE
Detect Intel 6 (Access to read and modify intel) | READ WRITE | READ WRITE | | READ WRITE | READ | READ
Detect Label (Access to read and modify intel labels) | READ WRITE | READ WRITE | READ WRITE | READ
Detect Notification (Access to read and modify notifications) | READ WRITE | READ WRITE | READ WRITE | READ
Detect Quickscan 6 (Access to run and read the results of quick scans) | READ WRITE | READ WRITE | READ WRITE | READ
Detect Source 6 (Access to read and modify sources) | READ WRITE | READ WRITE | READ WRITE | READ | READ
Detect Suppressionrule (Create, edit, view, list, and delete suppression rules) | READ WRITE | READ WRITE | READ WRITE | READ
Direct Connect Session (Read and instantiate Direct Connect sessions) | READ WRITE | READ WRITE | READ WRITE | READ
Threat Response 7 (Access to the Threat Response workbench) | SHOW | SHOW | SHOW | SHOW | SHOW
Threat Response Alert Deploy (Allows for action deployment from a Threat Response alert) | ACTION | ACTION | ACTION
Threat Response API (Perform Threat Response operations using the API) | EXECUTE | EXECUTE | EXECUTE | EXECUTE | EXECUTE | EXECUTE
Threat Response API Doc (View and list API Docs) | READ | READ | READ | READ
Threat Response Audit (Allows viewing and exporting Threat Response Audit data) | READ | READ
Threat Response Configs (Access to read and create configurations) | READ WRITE | READ WRITE | READ | READ
Threat Response Content (Provides content privileges for Threat Response users) | USER | USER | USER
Threat Response Content Detect (Provides content privileges for Threat Response Detect users) | USER | USER | USER | USER
Threat Response Content Incident Response (Provides content privileges for Threat Response Incident Response users) | USER | USER | USER
Threat Response Content Incident Response Administrator (Provides content privileges for Threat Response Incident Response administrators) | ADMINISTRATOR | ADMINISTRATOR
Threat Response Content Incident Response Readonly (Provides content privileges for Threat Response Incident Response read only users) | USER | USER | USER | USER
Threat Response Content Index (Provides content privileges for Threat Response Index users) | USER | USER | USER | USER
Threat Response Content Index Administrator (Provides content privileges for Threat Response Index administrators) | ADMINISTRATOR | ADMINISTRATOR
Threat Response Content Readonly (Provides content privileges for Threat Response Readonly users) | USER | USER | USER | USER
Threat Response Downloads (Read and manage downloaded files from live connections) | READ WRITE | READ WRITE | READ WRITE | READ
Threat Response Enterprise Hunting 2 (View and list sensors for enterprise hunting) | READ WRITE | READ WRITE | READ | READ | READ
Threat Response Exports (Create, view, and delete exported events) | READ WRITE | READ WRITE | READ WRITE | READ
Threat Response Filters (Access to read and create filters) | READ WRITE | READ WRITE | READ | READ
Threat Response Intel (Allows deploying Threat Response Intel) | DEPLOY | DEPLOY
Threat Response Live Connection (Allows setting and viewing live connections to endpoints) | READ WRITE | READ WRITE | READ | READ 11
Threat Response Live Connection File (Allows deletion of a file on the endpoint during a live connection) | DELETE | DELETE
Threat Response Live Connections Filesystem (Browse the filesystem on live connections) | BROWSE | BROWSE | BROWSE | BROWSE
Threat Response Live Response Collection Configs (Access to read and create Threat Response Live Response Collection configurations) | READ WRITE | READ WRITE | READ | READ
Threat Response Live Response File Collector Sets (Access to read and create Threat Response Live Response file collector set configurations) | READ WRITE | READ WRITE | READ | READ
Threat Response Live Response Modules (Access to read Threat Response Live Response module configuration information) | READ WRITE | READ WRITE | READ | READ
Threat Response Live Response Packages (Access to create Threat Response Live Response packages) | GENERATE | GENERATE
Threat Response Live Response Script Sets (Access to read and create Threat Response Live Response script set configuration information) | READ WRITE | READ WRITE | READ | READ
Threat Response Operator Settings (Allows the operator to read and modify available settings) | READ WRITE | READ WRITE
Threat Response Operator Status (Allows the operator to view the module status) | READ | READ | READ
Threat Response Profiles (Access to read, create, and deploy profiles) | READ WRITE DEPLOY | READ WRITE DEPLOY | READ | READ
Threat Response Response Actions (Enables users to view, create, and stop response actions) | READ WRITE | READ WRITE | READ WRITE | READ
Threat Response Saved Evidence (View and save events from live endpoint connections) | READ WRITE | READ WRITE | READ WRITE
Threat Response Snapshot (Capture, view, and delete snapshots) | READ WRITE | READ WRITE | READ WRITE | READ
Threat Response Stats (Allows viewing Threat Response stats) | READ | READ | READ | READ
Threat Response Tasks (Access to read Threat Response tasks) | READ | READ | READ | READ
Threat Response Visibility Bypass (Enables users to view all alerts and saved evidence regardless of computer group membership) | READ | READ | READ
Threat Response Service (Access to perform service account administration) | READ WRITE | USER
Threat Response Logs (Allows viewing Threat Response logs) | READ
Threat Response Settings (Allows viewing and editing Threat Response settings) | READ WRITE | READ | READ
Threat Response Endpoint Configuration (Enables approver privileges in Tanium Endpoint Configuration for Threat Response configuration changes) | DISMISS REJECT | DISMISS REJECT | APPROVE

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.


1 This role provides module permissions for Tanium Impact. For more information, see the Tanium Impact User Guide: User role requirements.

2 This role provides module permissions for Tanium Trends. For more information, see the Tanium Trends User Guide: User role requirements.

3 This role provides module permissions for Tanium Reputation. For more information, see the Tanium Reputation User Guide: User role requirements.

4 This role provides module permissions for Tanium Connect. For more information, see the Tanium Connect User Guide: User role requirements.

5 This role provides module permissions for Tanium Endpoint Configuration. For more information, see the Tanium Endpoint Configuration User Guide: User role requirements.

6 Requires permissions for other modules or solutions to complete all tasks in other modules and see all content, such as Protect (version 1.3.0 or later), Connect (version 4.3.0 or later), or Interact. You can assign a role for another product, or create a custom role that lists just the specific privileges needed.

7 To install Threat Response, you must have the Import Signed Content micro admin permission (Tanium Core Platform 7.4 or later) or the reserved role of Administrator.

8 This role provides module permissions for Tanium Interact and Tanium Data Service. For more information, see the Tanium Interact User Guide: User role requirements.

9 If you installed Tanium Client Management, Endpoint Configuration is installed, and by default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to this role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

10 This role provides module permissions for Tanium Direct Connect. You can view which Direct Connect permissions are granted to this role in the Tanium Console. For more information, see the Tanium Direct Connect User Guide: User role requirements.

11 The Threat Response Read Only User role does not have the ability to create live endpoint direct connections. The Threat Response User role is required as a minimum for creating live endpoint connections.

Provided Threat Response administration and platform content permissions
Permission Permission Type Threat Response Administrator1 Threat Response Operator Threat Response User Threat Response Read Only User Threat Response Service Account Threat Response Endpoint Configuration Approver
Action Group Administration
READ

READ

READ

READ
Computer Group Administration
READ

READ

READ

READ

READ

READ
User Administration
READ
Allowed URLs Administration
READ
WRITE
Action Platform Content
READ
WRITE

READ
WRITE

WRITE

READ
WRITE
Dashboard Platform Content
READ
WRITE

READ
WRITE

READ

READ
Dashboard Group Platform Content
READ
WRITE

READ
WRITE

READ

READ
Filter Group Platform Content
READ

READ

READ

READ

READ

READ
Own Action Platform Content
READ

READ

READ

READ
Package Platform Content
READ
WRITE

READ
WRITE

READ

READ

READ
WRITE
Plugin Platform Content
READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE
Saved Question Platform Content
READ
WRITE

READ
WRITE

READ

READ

READ
WRITE
Sensor Platform Content
READ
WRITE

READ
WRITE

READ

READ

READ

You can view which content sets are granted to any role in the Tanium Console.

1 This role provides content set permissions for Tanium Reputation. You can view which Reputation content sets are granted to this role in the Tanium Console. For more information, see Tanium Reputation User Guide: User role requirements.

2 This role provides content set permissions for Tanium Direct Connect. You can view which Direct Connect content sets are granted to this role in the Tanium Console. For more information, see Tanium Direct Connect User Guide: User role requirements.

For more information and descriptions of content sets and permissions, see the Tanium Core Platform User Guide: Users and user groups.