Connect requirements

Review the requirements before you install and use Connect.

Core platform dependencies

Make sure that your environment meets the following requirements:

  • Tanium™ Core Platform servers: 7.4.6.1114 or later

  • Tanium™ Client: No client requirements.

Solution dependencies

Other Tanium solutions are required for specific Connect features to work (feature-specific dependencies). The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.

Some Connect dependencies have their own dependencies, which you can see by clicking the links in the lists of Feature-specific dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Connect requires.

Tanium recommended installation

If you select Tanium Recommended Installation when you import Connect, the Tanium Server automatically imports all your licensed solutions at the same time. See Tanium Console User Guide: Import all modules and services.

Import specific solutions

If you select only Connect to import and are using Tanium Core Platform 7.5.2.3531 or later with Tanium Console 3.0.72 or later, the Tanium Server automatically imports the latest available versions of any required dependencies that are missing. If some required dependencies are already imported but their versions are earlier than the minimum required for Connect, the server automatically updates those dependencies to the latest available versions.

If you select only Connect to import and you are using Tanium Core Platform 7.5.2.3503 or earlier with Tanium Console 3.0.64 or earlier, you must manually import or update required dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Required dependencies

Connect has the following required dependencies at the specified minimum versions:

  • Tanium™ Email Service 1.0.26 or later
  • Tanium™ RDB Service 1.2.155 or later
  • Tanium™ Secrets Service 1.0.185 or later
  • Tanium™ System User Service 1.0.192 or later

Feature-specific dependencies

If you select only Connect to import, you must manually import or update its feature-specific dependencies regardless of the Tanium Console or Tanium Core Platform versions. Connect has the following feature-specific dependencies at the specified minimum versions:

  • Tanium Interact 2.9.91 or later for the Tanium Data Service source and to view charts on the Connect Overview page

    Interact 3.0 or later requires Tanium Core Platform 7.6.1 or later

  • Tanium Trends 3.8.129 or later for the Tanium Trends source and to view charts on the Connect Overview page

  • Tanium Asset 1.18.204 or later for the Tanium Asset source
  • Tanium Comply 2.11.686 or later for the Tanium Comply source
  • Tanium Direct Connect 2.1.138 or later for the Tanium Direct Connect source
  • Tanium Discover 4.5.144 or later for the Tanium Discover or Event sources
  • Tanium Endpoint Configuration 1.5.255 or later and Connect 5.9 or later for the Tanium Endpoint Configuration source
  • Tanium Impact 1.7.62 or later for the Tanium Impact source
  • Tanium Integrity Monitor for the Event source (2.13.54 or later for the Tanium Integrity Monitor source)
  • Tanium Integrity Monitor for the Tanium Integrity Monitor or Event sources
  • Tanium Reporting 1.8.52 or later for the Tanium Reporting source
  • Tanium Reputation 6.1.32 or later for the Tanium Reputation source
  • Tanium Threat Response 3.5.284 or later for the Tanium Threat Response source

Client extensions

Connect installs client extensions on the Tanium™ Module Server. Client extensions perform tasks that are common to certain Tanium solutions. The Module Server uses code signatures to verify the integrity of each client extension before loading it. Each client extension has recommended security exclusions to allow the Tanium processes to run without interference. See Security exclusions for more information. The following client extensions perform Connect functions:

  • Software Manager CX - Provides a catalog of all installed software on an endpoint. Tanium Asset or Tanium Patch installs this client extension. Tanium Connect installs this client extension on the Module Server.

Tanium Module Server

Connect installs and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage.

Endpoints

Connect does not deploy packages to endpoints. For Tanium Client operating system support, see Tanium Client Management User Guide: Client version and host system requirements.

Third-party software

With Connect, you can integrate with several different kinds of third-party software. If no specific version is listed, there are no version requirements for that software.

  • Microsoft SQL Server 2008, 2012 or 2014.
  • Elasticsearch:
    • Elasticsearch destination: Elasticsearch 8.1.2 or earlier.
    • Socket Receiver destination: Elasticsearch 8.7 or earlier.
  • Security information and event management (SIEM) products and services, including HP ArcSight, LogRhythm, McAfee SIEM, and Splunk.

Host and network security requirements

Specific ports and processes are needed to run Connect.

Ports

The following ports are required for Connect communication.

| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| Tanium Cloud | Service providers (external) | Varies | TCP | Connections to external threat intelligence feeds, SIEM, SMTP, Elasticsearch, and so on. Cloud provider restrictions prevent opening port 25/TCP for Tanium Cloud customers. If you want to configure SMTP forwarding, request opening port 465/TCP, 587/TCP, or 2525/TCP. For more information on ports to open, see your service provider's documentation. |
| Tanium Cloud | graph.microsoft.com | 443 | TCP | For the Email (O365) destination, to use Microsoft 365 mail functionality |
| Tanium Cloud | login.microsoftonline.com | 443 | TCP | For the Email (O365) destination, to log in to Microsoft 365 |
| Tanium Cloud | outlook.office.com | 443 | TCP | For the Email (O365) destination, if you assign the Mail.ReadWrite permission to the Microsoft Entra ID (formerly Azure Active Directory) application, enabling email attachments up to 150 MB (subject to your Microsoft 365 attachment settings) |

Microsoft Entra ID was previously known as Microsoft Azure Active Directory or Microsoft Azure AD.

For Tanium Cloud ports, see Tanium Cloud Deployment Guide: Host and network security requirements.

The following ports are required for Connect communication.

| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| Module Server | Module Server (loopback) | 17441 | TCP | Internal purposes, not externally accessible |
| Module Server | Service providers (external) | Varies | TCP | Connections to external threat intelligence feeds, SIEM, SMTP, Elasticsearch, and so on. |
| Module Server | graph.microsoft.com | 443 | TCP | For the Email (O365) destination, to use Microsoft 365 mail functionality |
| Module Server | login.microsoftonline.com | 443 | TCP | For the Email (O365) destination, to log in to Microsoft 365 |
| Module Server | outlook.office.com | 443 | TCP | For the Email (O365) destination, if you assign the Mail.ReadWrite permission to the Microsoft Entra ID (formerly Azure Active Directory) application, enabling email attachments up to 150 MB (subject to your Microsoft 365 attachment settings) |

Microsoft Entra ID was previously known as Microsoft Azure Active Directory or Microsoft Azure AD.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Connect security exclusions for Tanium Core Platform servers (Windows deployments only)
| Target Device | Notes | Exclusion Type | Exclusion |
|---|---|---|---|
| Module Server | | Process | <Module Server>\services\connect-service\node.exe |
| Module Server | | Process | <Module Server>\services\email-service\TaniumEmailService.exe |
| Module Server | | File | <Module Server>\extensions\TaniumSoftwareManager.dll |
| Module Server | | File | <Module Server>\extensions\TaniumSoftwareManager.dll.sig |

Connect requires no specific security exclusions. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Internet URLs

If security software is deployed in the environment to monitor and block unknown URLs, your security administrator might need to allow access to the following internet URLs on the Tanium Module Server to use the Email (O365) destination:

  • graph.microsoft.com:443
  • login.microsoftonline.com:443
  • outlook.office.com:443 (if you assign the Mail.ReadWrite permission to the Microsoft Entra ID application)

User role requirements

The following tables list the role permissions required to use Connect. To review a summary of the predefined roles, see Set up Connect users.

For more information about role permissions and associated content sets, see Tanium Console User Guide: Managing RBAC.

Do not assign the Connect Service Account, Email Service Account, or Email Service Account - All Content Sets roles to users. These roles are for internal purposes only.

For the best results, do not assign the Connect Write (All) permission to a custom role. A user with this permission might edit a connection that they otherwise would not have the proper permission to access, and send unintended source data to a destination. Instead, if you want to edit a connection, take ownership, then make updates.
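
One way to check a deployment against the two role cautions above, as an added example that is not Tanium code: it flags internal-only roles that are assigned to users and custom roles that carry Connect Write (All), along with the users who hold them. The JSON layout, the custom role names, and the user names are constructed for illustration and are not a Tanium export or API format.

```python
import json

# Roles this page says are for internal purposes only and must not go to users.
INTERNAL_ONLY_ROLES = {
    "Connect Service Account",
    "Email Service Account",
    "Email Service Account - All Content Sets",
}
# Permission this page advises against placing in a custom role.
WRITE_ALL = "Connect Write (All)"

# Constructed sample data. The JSON layout (roles/assignments keys) is an
# assumption made for this example, not a Tanium export or API format.
SAMPLE_EXPORT = json.loads("""
{
  "roles": [
    {"name": "SOC Connection Editors", "custom": true,
     "permissions": ["Connect Read", "Connect Write (All)"]},
    {"name": "SIEM Feed Owners", "custom": true,
     "permissions": ["Connect Owner", "Connect Run"]},
    {"name": "Connect Service Account", "custom": false, "permissions": []}
  ],
  "assignments": [
    {"user": "alice", "roles": ["SIEM Feed Owners"]},
    {"user": "bob", "roles": ["SOC Connection Editors"]},
    {"user": "carol", "roles": ["Connect User", "Connect Service Account"]}
  ]
}
""")


def audit_connect_rbac(export):
    """Return sorted (finding, role, user) tuples; user is "" for role-level findings."""
    findings = set()
    # Custom roles that can edit any connection regardless of ownership.
    write_all_roles = {
        r["name"] for r in export.get("roles", [])
        if r.get("custom") and WRITE_ALL in r.get("permissions", [])
    }
    for name in write_all_roles:
        findings.add(("custom-role-has-write-all", name, ""))
    for entry in export.get("assignments", []):
        for role in entry.get("roles", []):
            if role in INTERNAL_ONLY_ROLES:
                findings.add(("internal-role-assigned-to-user", role, entry["user"]))
            if role in write_all_roles:
                findings.add(("user-can-edit-any-connection", role, entry["user"]))
    return sorted(findings)
```
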

Connect user role permissions
| Permission | Connect Administrator (1, 2) | Connect Operator (1, 2) | Connect User (2) |
|---|---|---|---|
| Connect - READ: Read own connections; RUN: Run own connections; SHOW: View the Connect workbench; WRITE: Write own connections | READ, RUN, SHOW, WRITE | READ, RUN, SHOW, WRITE | READ, RUN, SHOW, WRITE |
| Connect Administrator - Administrative-level access to Connect. Provides the User read permission. | ADMINISTER | | |
| Connect Event - Write access to events through the Connect API | WRITE | WRITE | WRITE |
| Connect Eventschema - Read and write access to event schemas through the Connect API | READ | READ, WRITE | READ, WRITE |
| Connect Owner - Write access to take ownership of connections owned by other users | WRITE | WRITE | |
| Connect Read - View all connections. | ALL | ALL | |
| Connect Run - Run all connections. Provides the User read permission. | ALL | ALL | |
| Connect Write (All) - Create, view, edit, or delete any connection. Provides the User read permission. | | | |
| Connect Service Account - Access to module service accounts to read and write data | | | |

(1) This role provides module permissions for Tanium Trends 2.4 or later. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see the Tanium Trends User Guide: User role requirements.

(2) Users with this role can reuse a configured destination that they own, but cannot modify destinations owned by other users.

Connect user role permissions
| Permission | Connect Operator (1, 2) | Connect User (2) |
|---|---|---|
| Connect - READ: Read own connections; RUN: Run own connections; SHOW: View the Connect workbench; WRITE: Write own connections | READ, RUN, SHOW, WRITE | READ, RUN, SHOW, WRITE |
| Connect Administrator - Administrative-level access to Connect and Reputation. Provides the User read permission. | | |
| Connect Event - Write access to events through the Connect API | WRITE | WRITE |
| Connect Eventschema - Read and write access to event schemas through the Connect API | READ, WRITE | READ, WRITE |
| Connect Owner - Write access to take ownership of connections owned by other users | WRITE | |
| Connect Read - View all connections. | ALL | |
| Connect Run - Run all connections. Provides the User read permission. | ALL | |
| Connect Write (All) - Create, view, edit, or delete any connection. Provides the User read permission. | | |
| Connect Service Account - Access to module service accounts to read and write data | | |

(1) This role provides module permissions for Tanium Trends 2.4 or later. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see the Tanium Trends User Guide: User role requirements.

(2) Users with this role can reuse a configured destination that they own, but cannot modify destinations owned by other users.

Email user role permissions
| Permission | Connect Administrator | Connect Operator | Connect User |
|---|---|---|---|
| Email - Send emails using the Email (O365) destination | SEND | SEND | SEND |
| Email Config - Read and write access to O365 email server configuration | READ, WRITE | READ, WRITE | |
| Email Support Bundle - Read access to the email (O365) support bundle | WRITE | | |

Email user role permissions
| Permission | Connect Operator | Connect User |
|---|---|---|
| Email - Send emails using the Email (O365) destination | SEND | SEND |
| Email Config - Read and write access to O365 email server configuration | READ, WRITE | |
| Email Support Bundle - Read access to the email (O365) support bundle | | |

Provided Connect platform content permissions
| Permission | Content Set for Permission | Connect Administrator | Connect Operator | Connect User |
|---|---|---|---|---|
| Plugin | Connect | EXECUTE, READ | EXECUTE, READ | EXECUTE, READ |
| Plugin | Connect Audit Plugins | EXECUTE, READ | | |
| Plugin | Trends (1) | EXECUTE, READ | EXECUTE, READ | EXECUTE, READ |

To view which content set permissions are granted to a role, see Tanium Console User Guide: View effective role permissions.

(1) Denotes a permission when Trends 2.4 or later is installed.

Provided Connect platform content permissions
| Permission | Content Set for Permission | Connect Operator | Connect User |
|---|---|---|---|
| Plugin | Connect | EXECUTE, READ | EXECUTE, READ |
| Plugin | Trends (1) | EXECUTE, READ | EXECUTE, READ |

To view which content set permissions are granted to a role, see Tanium Console User Guide: View effective role permissions.

(1) Denotes a permission when Trends is installed.

Connections are hidden from the Connections list view if the authenticated user does not have the required permissions for the data source. Examples that could limit the view of an authenticated user include RBAC access to a saved question or computer group, or System Administrator access to the various types of audit logs that are available from the Tanium Platform. See the following table for required permissions for specific sources.

Optional roles for Connect
| Role | Enables |
|---|---|
| A custom role that includes the Action read platform content permission | Access to the Action History source. For more information, see Tanium Console User Guide: Configure a custom role. |
| A custom role that includes the Audit read administration permission | Access to the Tanium Audit Source source. For more information, see Tanium Console User Guide: Configure a custom role. |
| A custom role that includes the Question History read administration permission | Access to the Question History source. For more information, see Tanium Console User Guide: Configure a custom role. |
| A custom role that includes the System Status read administration permission | Access to the Client Status source. For more information, see Tanium Console User Guide: Configure a custom role. |
| Tanium Administrator | Access to the Server Information Source source. |

Connections use the owner's role permissions to access content. If the connection owner has insufficient permission for content that a connection requires, such as inability to view a computer group, the connection might not fully export the data that you intend to export. For more information and descriptions of content sets and permissions, see Tanium Console User Guide: RBAC overview.