Installing Detect

Import the Detect module and configure integration with other Tanium products.

Before you begin

  • If the Tanium Server uses a self-signed certificate, you must add localhost to the TrustedHostList.
  • If your environment uses a proxy, you must add localhost to the BypassProxyHostList.

Import Detect

Import Detect from the Tanium Solutions page.

You must be assigned the Administrator reserved role to import a Tanium solution module or content pack.

  1. From the Main menu, click Tanium Solutions.
  2. Under Detect, click Import.
    A progress bar is displayed as the installation package is downloaded.
  3. Click Continue.
    The Import Solution window opens with a list of all the changes and import options.
  4. Initiate the import.
  5. Enter your password to confirm the installation.
  6. To confirm the installation, return to the Tanium Solutions page and check the Installed version for Detect.

    If you do not see the Detect module in the console, refresh your browser.

Set the service account credentials

For recurring maintenance activities, specify a Tanium user with the appropriate permissions. Specifying these credentials is a one-time configuration. No other credentials need to be added.

  • For Platform version 6.5 or 7.0, the user must be assigned administrator or content administrator permissions.

    If content administrator credentials are used, they must be able to access all computer groups that need Detect tools.

  • For Platform version 7.1.314.3071 or later, the user must be assigned the Detect Service User role.

  1. From the Detect home page, click Settings.
  2. Under the Service Credentials tab, provide your Tanium Server credentials.
  3. Click Submit.
  4. From the Main menu, go to Administration > Whitelisted URLs and verify the Detect URL.

    It should appear as: https://localhost/cache/[a-f0-9]%7B64%7D/?product=detect.*.

    Do not alter this URL. If there is no Detect URL on the list, contact your TAM.

Set up Tanium™ Connect forwarding

Detect sends event information to Connect by default. To save this event information, you must configure Connect for the events to be passed to a destination. If you do not configure a destination, the events are dropped.

You can configure a Connect forwarding connection at any time. If you configure the connection during the installation process, all history is captured.

  1. (Optional) From the Detect home page, enable the encoding settings.
  2. From Connect, create a new connection with Event type and Tanium Detect as the event group.
  3. Select the Detect events that you want preserved.
    • All Events includes scan matches and other Detect events.
    • Match Alerts forwards only the events that match a configuration and specific intel.
  4. Configure the destination, such as a SIEM service or Write to File.

When configuring reputation intel for Detect, you do not need to configure Connect, because Detect inserts data into the reputation database.

For more information, see the Tanium Connect User Guide.

To turn off event forwarding, see Troubleshooting.

Import Tanium™ Index

Index is a Tanium Platform component that can be distributed to Tanium Clients. Index stores file names, hashes, and magic numbers in a client-side database. Detect uses this database to quickly determine whether a particular indicator is present on the system. This method eliminates the need to sweep the entire file system each time a detection scan is requested and reduces the impact on client resources. Index can be installed before Detect or you can use an existing installation of Index.

Index is included with your Detect license.

For more information about installing and configuring Index, see Tanium Incident Response User Guide: Indexing file systems.

Upgrade the Detect version

You can upgrade from Detect 3.x to the latest version by importing an update to the solution and migrating your intel.

Upgrade from IOC Detect 2.5.x to Detect 3.x is not supported; however, you can migrate some intel from 2.5.x to 3.x. You can have both the 2.5.x and 3.0.x versions installed at the same time, but you must apply them to different computer groups. Using the 2.5.x and 3.0.x versions on the same endpoint is not supported.

Upgrade the solution

  1. From the Main menu, select Tanium Solutions.
  2. Locate Detect and click Upgrade <version>.
    A progress bar is displayed as the installation package is downloaded.
  3. Click Continue.
    The Import Solution page opens with a list of all changes and import options.
  4. Initiate the upgrade.
  5. Enter your password to confirm the upgrade.
  6. To confirm the upgrade, return to the Tanium Solutions page and check the Installed version for Detect.

    If the Detect version has not updated in the console, refresh your browser.

  7. Recreate any custom user roles.

Migrate 2.5.x intel documents

You can migrate uploaded intel from Tanium IOC Detect, version 2.5.x, to Tanium Detect, version 3.0.6 or later, using the workbench. Only schema-valid intel is accepted.

Streams are not eligible for migration; you must recreate them as a source. Migration of YARA files is not supported.

  1. From the Detect home page, click Help.
  2. On the Migration tab, click Start Intel Migration from IOC Detect.
  3. Repeat the migration if needed.

The migration shows progress bars for each group. Even though it shows the current total intel count for each group, the migration tool imports only intel that does not already exist in Detect; it does not duplicate intel.

What to do next

See Getting started for more information about using Detect.

Last updated: 10/23/2018 1:45 PM