Managing threat data

Threat intelligence comes from many data sources, such as third-party providers, feeds generated by Tanium, or documents created by your own investigations. These intel documents and signals, known generally as intel, interact with the Detect endpoint engine.

Some intel document types, such as OpenIOC, STIX, CybOX, and YARA, search against existing or historical artifacts on the endpoint. There are a number of providers for these documents. You can upload them directly or configure source streams.

Signals are available through an integration with Tanium™ Trace. Signals are another type of intel, but interact with the engine differently. Signals evaluate continuously with the Trace event recorder and match on live process events. You can use signals as a stream source directly from Tanium, or you can write your own signals.

Detect integrates with third-party reputation services. Hashes are sent to the reputation services for assessment, and Detect then enriches the intel with the hash ratings. The Definition and Engine Analysis tabs on the Intel details page provide additional information about how the intel document is structured, which parts are applicable, and the hash rating. For more information about what Detect does with known malicious hashes, see Review reputation data.

Figure 1: Intel definition tab

Add signals

The Trace event recorder evaluates signals against live process, file, network, registry, and DNS events on the endpoint. You can write your own signals. By default, each signal can contain up to 24 unique terms.

To use signals, you must be licensed for Trace, and Trace tools must be deployed to endpoints.

  1. From the Detect menu, go to Management > Intel.
  2. From the Add drop-down menu, select Signal.
  3. Add a name.
  4. Create a definition.
    For more information, see Reference: Authoring signals.
  5. (Optional) Add a description.
  6. Click Save.

If the event is filtered (ignored) by Trace, then it cannot be matched against a signal.

For signals provided by Tanium, see Connect to the Tanium Signals feed.

Upload intel documents

You can upload multiple intel documents at the same time.

  1. From the Detect menu, go to Management > Intel.
  2. From the Add drop-down menu, select Upload.
  3. Browse to the intel files that you want.
    You can use Ctrl-click and Shift-click to select multiple documents.
  4. Click Upload.
  5. Review the intel validation check.

    The intel XML schema validation check shows the documents that were successfully uploaded and any documents with errors.

  6. Click Close.

Create intel documents manually

You can use the Quick Add feature to manually create an intel document.

Quick Add supports some types of defanged IP address formats that are found in threat intelligence documents, such as 10[.]1[.]1[.]1 or 10 . 1 . 1 . 1.

  1. From the Detect menu, go to Management > Intel.
  2. From the Add drop-down menu, select Quick Add.
  3. From the Detect when drop-down menu, select the type of data.
  4. Type the information to be matched.
  5. (Optional) Enable Require exact match.
  6. Type a name for the intel document.
    For long-term usability, use a consistent naming convention.
  7. Click Create.
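The defanged-address normalization that Quick Add performs, as an added Python example (not Tanium's code): it refangs the two forms named above plus the common `(.)` and `{.}` variants, validates the result as an IPv4 address so that a malformed value never becomes intel, and pulls every indicator out of a block of report text. The function names and the sample text are constructed for this example.

```python
import ipaddress
import re
from typing import List, Optional

# Dot substitutes seen in defanged indicators. The page documents "[.]" and a
# dot padded with spaces; "(.)" and "{.}" are added here as common variants.
_DEFANGED_DOT = re.compile(r"\s*(?:\[\.\]|\(\.\)|\{\.\}|\.)\s*")

# Candidate IPv4 tokens in free text: four 1-3 digit groups joined by any of
# the dot forms above and not glued to neighbouring digits.
_IPV4_TOKEN = re.compile(
    r"(?<!\d)\d{1,3}(?:\s*(?:\[\.\]|\(\.\)|\{\.\}|\.)\s*\d{1,3}){3}(?!\d)"
)

def refang_ipv4(indicator: str) -> Optional[str]:
    """Normalize one defanged IPv4 indicator to dotted-quad form.

    Returns None when the result is not a valid IPv4 address, so a 3-octet
    value or an octet above 255 is never turned into intel.
    """
    candidate = _DEFANGED_DOT.sub(".", indicator.strip())
    try:
        return str(ipaddress.IPv4Address(candidate))
    except ValueError:
        return None

def extract_ipv4s(text: str) -> List[str]:
    """Find and refang every valid IPv4 indicator in a block of report text."""
    found: List[str] = []
    for match in _IPV4_TOKEN.finditer(text):
        ip = refang_ipv4(match.group(0))
        if ip is not None and ip not in found:
            found.append(ip)
    return found

# Constructed sample report text, not taken from any real intel feed.
SAMPLE_REPORT = (
    "Beacon observed to 10[.]1[.]1[.]1; fallback address 10 . 1 . 1 . 1 "
    "and secondary C2 192(.)0(.)2(.)44. Malformed value 999[.]1[.]1[.]1 "
    "should be dropped."
)

if __name__ == "__main__":
    print(extract_ipv4s(SAMPLE_REPORT))
```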

Label the intel

You can create labels to organize any type of intel into sets that are relevant for your environment. For example, you might want to sort your intel by priority, incident case, or based on the applicable attack surface.

Intel is applied to endpoints based on the sources and labels that you select. These selections produce an intel mapping file for each configured computer group, so it is critical that you carefully consider how you want to organize your intel.

Apply a label

  1. From the Detect menu, go to Management > Intel.
  2. Select the check box next to the intel documents or signals.
  3. Click Label.
  4. Choose a method to apply the label.
    • Click Add Label and type in a new label.
    • Select an existing label.
  5. Click Save Changes.

Manage labels

To add or edit labels, go to Management > Labels.

To add a label, click Add Label. Create a name and description for the label and click Create.

To edit or delete a label, hover over the existing label and click Edit.

Configure intel stream sources

An intel stream is a series of intel documents that are imported rather than uploaded. The intel can be managed separately after import. Streams can be from a vendor or a folder in your network. You can import streams manually or based on subscription settings.

Intel streams are updated from the Detect service, which runs on the Tanium Module server. If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must whitelist the intel stream provider URLs on the Tanium Module Server.

Detect can use several data formats; the available stream types are described in the sections that follow.

If you edit an existing stream, for example, by adding subscription choices, Detect indexes and downloads new intel documents on a regular basis, based on the stream type. The intel gets pushed to the endpoint during the next intel publication interval.

For more information about registry settings to use streams with a proxy server, see the Tanium Core Platform Installation Guide: Server Proxy Settings.

Use a local directory

You can stream intel from a local directory. The directories must exist on the Module Server. You can add multiple folders.

  1. The System Administrator for the Module Server host machine must authorize a directory for streaming.
    1. Stop the Detect service.
    2. Add the directory to the <module_server_directory>/services/detect3-files/data/detect-blobs/folder-stream-roots.conf file.

      If you set up a directory, other users can add folders within the authorized directory. For example, if you add a c:\folder_streams directory, other users could add the c:\folder_streams\stream1 and c:\folder_streams\stream2 directories.

    3. Restart the Detect service.
  2. From the Detect menu, go to Management > Sources.
  3. Click New Source.
  4. From the Type drop-down menu, select Local Directory.
  5. Add a name and description.
  6. Type in the absolute directory path on the Tanium Module Server.

    The folder must be explicitly authorized for stream activity.

  7. (Optional) Disable update tracking for imported files.
  8. (Optional) Click Allow schema invalid documents to enable the import of intel that might be formatted incorrectly.

    Invalid documents show a warning next to their type on the individual intel page.

  9. Click Create.

If needed, you can edit the source name later.
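An added example (not part of the Detect service) of the authorization check that the folder-stream-roots.conf mechanism implies: a requested stream directory is accepted only when it is an authorized root or sits beneath one, so a `..` segment cannot escape the root and a sibling directory whose name merely starts with the root's name is rejected. The conf format (one absolute path per line, `#` comments), the function names and the sample paths are assumptions made for this example.

```python
import ntpath
from typing import Iterable, List

# Constructed contents for folder-stream-roots.conf. Assumption: the file lists
# one absolute directory per line; the page does not show its exact format.
SAMPLE_CONF = r"""
# directories the Module Server administrator has authorized for streaming
c:\folder_streams
D:\Intel\Feeds\
"""

def load_authorized_roots(conf_text: str) -> List[str]:
    """Parse the authorized roots into normalized, case-folded Windows paths."""
    roots: List[str] = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        roots.append(ntpath.normcase(ntpath.normpath(line)))
    return roots

def is_authorized_stream_dir(path: str, roots: Iterable[str]) -> bool:
    """True when path is an authorized root or a folder beneath one.

    The candidate is normalized first so '..' segments cannot escape a root,
    and the comparison is on whole path components, so a sibling directory
    whose name merely starts with the root's name is rejected.
    """
    if not ntpath.isabs(path):
        return False
    norm = ntpath.normcase(ntpath.normpath(path))
    for root in roots:
        root = root.rstrip("\\")
        if norm == root or norm.startswith(root + "\\"):
            return True
    return False

if __name__ == "__main__":
    roots = load_authorized_roots(SAMPLE_CONF)
    for candidate in (r"c:\folder_streams\stream1", r"c:\folder_streams\..\secret"):
        print(candidate, "->", is_authorized_stream_dir(candidate, roots))
```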

Connect to PwC Threat Intelligence

PwC Threat Intelligence is always in OpenIOC format. You can have only one stream of this type at a time.

You must have a PwC subscription.

  1. From the Detect menu, go to Management > Sources.
  2. Click New Source.
  3. From the Type drop-down menu, select PwC.
  4. Add your subscription details including the URL, username, and password.
  5. Select the Subscription Interval, in minutes.
  6. (Optional) Click Ignore SSL to skip the certificate validation.
  7. (Optional) Click Allow schema invalid documents to enable the import of intel that might be formatted incorrectly.

    Invalid documents show a warning next to their type on the individual intel page.

  8. Click Create.

Connect to iSIGHT Partners ThreatScape

The iSIGHT intelligence is always in STIX format. You can have only one stream of this type at a time.

You must have an iSight subscription.

  1. From the Detect menu, go to Management > Sources.
  2. Click New Source.
  3. From the Type drop-down menu, select iSight.
  4. Paste the public and private key for your subscription.
  5. Select the Initial History, in days, and the Subscription Interval, in minutes.
  6. (Optional) Click Allow schema invalid documents to enable the import of intel that might be formatted incorrectly.

    Invalid documents show a warning next to their type on the individual intel page.

  7. Click Create.

Connect to the Tanium Signals feed

The Tanium Signals Feed provides a stream of regularly updated signals designed to detect common patterns of attack. Each signal is mapped to one or more categories in the MITRE ATT&CK Framework.

  1. From the Detect menu, go to Management > Sources.
  2. Click New Source.
  3. From the Type drop-down menu, select Tanium Signals.
  4. (Optional) If you do not want to use the default feed, enter a different content manifest URL.

    This field can be used for testing beta signals in non-production environments. Contact your TAM for details.

  5. Enable the Require Tanium Signature check box to use only Tanium-verified signals.
  6. Select the Subscription Interval, in minutes.
  7. (Optional) Click Ignore SSL to skip the certificate validation.
  8. Click Create.

When the Tanium Signals feed gets updated, system notifications get generated that include the release notes about the updates. From the Detect menu, go to Management > System Notifications.

Connect to a TAXII server

TAXII intelligence is always in STIX format. Unlike other streams, TAXII also sorts intel documents into collections, and a document appears in only one collection. Configure a source for each collection.

  1. From the Detect menu, go to Management > Sources.
  2. Click New Source.
  3. From the Type drop-down menu, select TAXII.
  4. Add a name and description.
  5. Add your subscription details including the URL, username, and password.
  6. Type in the case-sensitive collection name or select from available collections.
  7. Select the Initial History, in days, and the Subscription Interval, in minutes.
  8. Make your optional security selections.
    1. If you want two-way SSL validation, paste the certificate and private key for your subscription.
    2. Click Ignore SSL to skip the certificate validation.
  9. (Optional) Click Allow schema invalid documents to enable the import of intel that might be formatted incorrectly.

    Invalid documents show a warning next to their type on the individual intel page.

  10. Click Create.

If needed, you can edit the source name later.

Set up Connect and Wildfire

You can use Connect to integrate the intel from your Palo Alto WildFire subscription. For full details, see the Tanium Connect User Guide: Configuring Palo Alto Networks WildFire and Tanium Detect.

Set up the reputation service

Reputation data provides more insight into which alerts might be good candidates to save for further analysis and action. Through a Tanium™ Connect integration, Detect uses reputation data from third parties, such as VirusTotal or Palo Alto Networks WildFire.

Setting up reputation data is a two-part process:

  1. Configure reputation data in Connect.
  2. Create a reputation source in Detect.

Reputation data is included in the intel that is deployed to endpoints, so it can contribute to the alerts that the endpoint engine generates. For more information about how Detect uses reputation data, see Review reputation data.

Configure reputation data in Connect

Detect hash reputation data requires Connect version 4.1 or later. For more information on configuring the reputation service settings, see Tanium Connect User Guide: Configuring Reputation Data.

Create a reputation source in Detect

Configure Detect to search for specific columns of data to send to the reputation service.

  1. From the Detect menu, go to Management > Sources.
  2. Click New Source.
  3. From the Type drop-down menu, select Reputation.
  4. Select a saved question and column name.

    You can create your own saved questions, if needed.

  5. Select how often Detect polls for new responses to the saved question.
  6. Choose a computer group to quick scan automatically when known malicious indicators are found.
  7. Click Create.

For endpoints that use reputation data, any hashes found by the saved questions are sent to the third-party reputation service for assessment.

Configure YARA files

YARA files function like other intel documents with regard to uploading, streaming from a folder, and labeling. However, Detect automatically assigns a scope to limit the evaluation scan; by default, all YARA files are set to scan live files. If needed, you can change the evaluation scope for any YARA file.

  1. From the Detect menu, go to Management > Intel.
  2. Click the intel name.
  3. If needed, filter the list of intel.
  4. Click the Search Scope tab.
  5. Select the scope of the evaluation scan.
    • Live Files: Limited to the running processes and their executable and library files.
    • Memory: (Windows and Mac only) Limited to the memory of all running processes.
    • Paths: Limited to the configured directory paths. The path search is recursive, up to 32 directories.
  6. Click Save.

Edit the intel definition

If needed, you can edit the structure and terms within an intel definition.

  1. From the Detect menu, go to Management > Intel.
  2. Click the intel name.
  3. If needed, filter the list of intel.
  4. Click the Edit tab and make your changes.
  5. Click Save.

View orphaned intel documents

When the source for a piece of intel is removed, the intel moves into an orphaned state.

  1. From the Detect menu, go to Management > Intel.
  2. Expand the Filter Results section and set the Source to Unknown.

Assign orphaned intel to a new source

You can assign intel in an orphaned state to the Workbench source.

  1. From the Detect menu, go to Management > Intel.
  2. Expand the Filter Results section and set the Source to Unknown.
  3. Select the check box that corresponds with one or more items of intel with an Unknown source.
  4. Click Actions > Assign to Workbench Source.
  5. Click OK. The selected items of intel with an Unknown source are assigned to the Workbench source.

Delete intel documents

You can manually remove one or more intel documents.

  1. From the Detect menu, go to Management > Intel.
  2. Select the intel you want to remove.
  3. Click Actions > Delete.
  4. Provide your credentials and click OK to confirm.

Suppression rules

Create suppression rules to prevent the display of an alert when an intel match has been detected. Use suppression rules to reduce false positives for signals that you cannot edit, such as those from the Tanium Signals feed. Suppression rules are not intended as a substitute for properly crafted signals. You can apply rules that suppress alerts that match Process Path, Process Command Line, Parent Command Line, Process Hash, and User.

  1. From the Detect menu, go to Management > Intel.
  2. Select a signal.
  3. Click Actions > Add Suppression Rule.
  4. Provide a name and description for the suppression rule.
  5. Select the fields that you want to use for suppressions:
    1. Process path: The path in the file system to a specific process. For example, c:\windows\notepad.exe.
    2. Process command line: Additional parameters that were provided for a process. For example, if a process is wevtutil.exe, a possible process command line is wevtutil cl Application.
    3. Parent command line: The full command line of the parent process.
    4. Process hash: A specific hash value that corresponds to a process. Process hash is only applicable to MD5 hashes.
    5. User: A specific user on the system that is associated with a process. This value can include a domain.

    If a signal has generated an alert, you can click the Suppress Alert link from an alert page to preview the expected values for each of the fields.

  6. Specify how you want to compare the field to the alert. You can choose to suppress an alert if a field is a direct match, contains a value, or matches a pattern.
    1. Select Is to suppress an alert when a direct match occurs. For example, a specific hash value or user name matches.
    2. Select Contains to suppress an alert when a subset of the alert criteria matches. For example, a path that contains "Windows".
    3. Select Matches to suppress an alert when a pattern matches the criteria. A regular expression needs to match the whole string. For example, the regular expression needs to be .*Win.* if you want to match Win and Windows.

      The ^ and $ special characters and regular expression flags are not supported.

Edit existing suppression rules

You can edit existing suppression rules to change the behavior of how they suppress alerts.

  1. From the Detect menu, go to Management > Intel.
  2. Select a signal that has the suppression rule you want to edit associated with it.
  3. Select the check box that corresponds with the suppression rule you want to edit.
  4. Click Actions > Edit.
  5. Make changes to the existing suppression rule and click Save.

Delete suppression rules

You can delete suppression rules that you no longer want to associate with intel.

  1. From the Detect menu, go to Management > Intel.
  2. Select a signal that has one or more suppression rules that you want to delete associated with it.
  3. Select the check box that corresponds with one or more suppression rules that you want to delete.
  4. Click Actions > Delete.
  5. Click OK to confirm that you want to delete the suppression rules.

Last updated: 10/23/2018 1:45 PM