Deploying intel

A group configuration maps intel to a computer group. Each group configuration can carry multiple labels, a mix of signals and intel documents, and scan blackout periods.

Detect packages are created and deployed automatically when groups are configured or intel is uploaded. Each package is pushed to the endpoint separately and can be updated independently. The packages consist of the following pieces:

  • Group configuration package: Contains the Detect tools, the evaluation engine, the intel mapping file, and any blackout periods.
  • Intel package: Contains the intel to evaluate on the endpoint. An intel package is either a sync package (all intel) or a delta package (only the intel added since the previous sync or delta package). When intel is updated, a delta intel package is pushed to the endpoints. The name of this update package contains the word Delta, for example: Detect Intel for Windows Revision 51 Delta. After the configured Intel Package Publication Max Deltas (default: 10), a sync package is deployed again. Because each delta carries only changes, this setting also bounds how many publications pass before the full intel set is pushed to every endpoint again.

Before you begin

  • Import and label intel. For more information, see Managing threat data.
  • Organize computer groups specifically for Detect, based on the common evaluation needs of the endpoints. Detect uses group configurations to define settings and intel list mappings used during evaluation scans on an individual computer group. Some options include:
    • Endpoint type, such as servers or employee workstations
    • Endpoint location, such as by country or time zone
    • Endpoint priority, such as business-critical machines
    • Endpoint configuration needs, such as VDI machines

    Manual computer groups are not supported.

    For more information, see Tanium Core Platform User Guide: Managing computer groups.

Create a group configuration

The group configuration that you send to endpoints contains the Detect tools, any scan blackout periods, and the configuration priority. The configuration file also has an expiration date, which is refreshed each time the endpoint checks in with Detect.

  1. Go to Management > Group Configuration.
  2. Click a computer group.
  3. Add the sources and labels for the signals, indicators, or rules.

    For each intel row, only the intel that matches the source and label is included. You can use a mix of intel with multiple intel rows. For more information, see Label the intel.

  4. Select the appropriate checkboxes for the endpoint type.
  5. Select the hours and days for the Scan Blackout period.
  6. (Optional) Change the blackout period to UTC time.
  7. (Optional) Configure the Advanced Engine Settings.
  8. Click Save and Deploy to publish the tools and configuration information.

The group configuration receives a group ID number, a revision number, and a priority. Endpoints can be members of multiple computer groups, but only the highest priority configuration is applied to an endpoint. For more information about changing the priority, see Reorder the group configurations.

Intel is published to the endpoint at the next publication interval and applied according to the intel mapping file.

Encrypt intel documents

Intel is deployed to endpoints in an encrypted format. Enabling this setting additionally encrypts the intel documents stored on the endpoint, so that someone with access to the endpoint file system cannot read which indicators and signals are being evaluated.

  1. From the Detect home page, click Settings.
  2. Enable Intel Encryption.
  3. Click Update Settings.

Adjust the intel deployment settings

Intel packages are deployed to the endpoints automatically. You can adjust the default settings for an environment.

  1. From the Detect home page, click Settings.
  2. On the Service tab, make intel package selections.
    • Intel Deployment Scheduled Action: Specifies how frequently the action runs. The default is 5 hours.
    • Intel Deployment Distribute Over Time: Specifies the window over which the deployment action is spread across endpoints. The default is 20 minutes.
    • Intel Package Publication Interval: Specifies how frequently the intel documents and labels are pushed to the endpoints. The default is 48 hours.
    • Intel Package Publication Max Deltas: Specifies the maximum number of delta packages that can be deployed before a baseline (full sync) package must be deployed. The default is 10.

  3. Click Update Settings.
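The following model illustrates the sync/delta publication cycle described in Deploying intel and governed by Intel Package Publication Max Deltas above. It is an added example, not Tanium's code, and it simplifies: a publisher that emits a sync package whenever the delta count reaches Max Deltas (and for the very first package, an assumption), an endpoint that replaces its intel set on a sync and extends it on a delta, and a scenario in which the endpoint misses one delta. The package names follow the "Detect Intel for Windows Revision N Delta" convention on this page; all intel IDs are constructed.

```python
"""Model of Detect's sync/delta intel publication cycle (illustrative, not product code)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class IntelPackage:
    revision: int
    is_delta: bool
    intel: FrozenSet[str]  # intel document IDs carried by this package

    @property
    def name(self) -> str:
        # Naming convention from the page, e.g. "Detect Intel for Windows Revision 51 Delta"
        base = f"Detect Intel for Windows Revision {self.revision}"
        return base + " Delta" if self.is_delta else base


class Publisher:
    """Server side: decides whether the next package is a delta or a full sync."""

    def __init__(self, max_deltas: int = 10):
        self.max_deltas = max_deltas
        self.revision = 0
        self.all_intel: set = set()
        self.pending: set = set()  # intel added since the last published package
        # Assumption for the model: start as if the limit were reached, so the
        # first package published is a sync carrying the full intel set.
        self.deltas_since_sync = max_deltas

    def add_intel(self, *ids: str) -> None:
        self.all_intel.update(ids)
        self.pending.update(ids)

    def publish(self) -> IntelPackage:
        self.revision += 1
        if self.deltas_since_sync >= self.max_deltas:
            # Max Deltas reached: publish a baseline (full sync) package.
            pkg = IntelPackage(self.revision, False, frozenset(self.all_intel))
            self.deltas_since_sync = 0
        else:
            # Otherwise publish only what changed since the previous package.
            pkg = IntelPackage(self.revision, True, frozenset(self.pending))
            self.deltas_since_sync += 1
        self.pending.clear()
        return pkg


class Endpoint:
    """Endpoint side: a sync replaces the intel set, a delta extends it."""

    def __init__(self):
        self.intel: set = set()

    def apply(self, pkg: IntelPackage) -> None:
        if pkg.is_delta:
            self.intel |= pkg.intel
        else:
            self.intel = set(pkg.intel)


def simulate(max_deltas: int, missed_revision: int, cycles: int) -> Optional[int]:
    """Publish `cycles` packages, adding one constructed intel document per cycle.

    The endpoint skips the package with revision `missed_revision` (for example
    because it was offline). Returns the revision at which the endpoint's intel
    matches the server's again, or None if that never happens within `cycles`.
    """
    pub, ep = Publisher(max_deltas), Endpoint()
    for i in range(1, cycles + 1):
        pub.add_intel(f"intel-{i}")  # constructed intel document ID
        pkg = pub.publish()
        if pkg.revision != missed_revision:
            ep.apply(pkg)
        if pkg.revision > missed_revision and ep.intel == pub.all_intel:
            return pkg.revision
    return None


if __name__ == "__main__":
    # With the default of 10 deltas, a delta missed at revision 2 is only
    # recovered by the next sync package at revision 12.
    print("default (10):", simulate(10, missed_revision=2, cycles=20))
    print("max_deltas=3:", simulate(3, missed_revision=2, cycles=20))
```

The scenario shows what the Max Deltas setting trades off: a lower value pushes the full intel set more often (more data per publication) but shortens the period during which an endpoint that missed a delta is evaluating with an incomplete intel set.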

Immediately deploy intel to endpoints

Intel is automatically published to the endpoints on a regular interval. If you cannot wait for the next interval, you can manually push the intel documents and signals to the endpoints.

  1. Go to Management > Group Configuration.
  2. Click Deploy Intel Now.

All computer groups that have Detect tools installed receive an update to the latest intel packages.

Add intel to an existing configuration

Intel is pushed to the computer groups based on sources and labels. Any intel later added to a mapped label is picked up automatically, but you might need to add more labels after the group configuration is initially created.

  1. Go to Management > Group Configuration.
  2. Click the computer group name.
  3. Add the sources and labels for the signals, indicators, or rules that you want.

    For each intel row, only the intel that matches the source and label is included. You can use a mix of intel with multiple intel rows. For more information, see Label the intel.

  4. Click Save and Deploy.

Each time the group configuration is saved, the revision number increases.

Reorder the group configurations

If an endpoint is part of multiple computer groups with conflicting configurations, only the highest priority configuration is applied.

  1. Go to Management > Group Configuration.
  2. Click Reorder.
  3. Click and drag the configuration to adjust the order.
  4. Click Save.

Remove intel from group configurations

  1. Go to Management > Group Configuration.
  2. Click the computer group name.
  3. For the intel you want to remove, click delete.
  4. Click Save and Deploy.

The updated intel list is pushed down to the endpoints.

Delete a group configuration

  1. Go to Management > Group Configuration.
  2. Click the computer group name.
  3. Click Delete.

If endpoints in the computer group are also covered by a lower priority group configuration, that configuration is applied to them instead.

Last updated: 8/29/2018 10:24 AM