Copying IR data to a central location

Tanium™ Incident Response includes Tanium Copy Tools. Use these tools to copy files that you specify from endpoints to a central location. When you run a Copy action, you must specify the target endpoints for the operation and the method of transport.

Before you begin

Set up a copy location and service account

You must have a server location to which you are copying the IR data.

Assign write-only access to the account used by IR Gatherer when performing copy operations. Read and append access for this account are not necessary and present a security risk due to IR Gatherer operating in a potentially hostile environment.

The accounts used for file transfer should expire as soon as possible after use because log data might include the user names and passwords for these access accounts.

Copy location file transfer methods

The following methods of transfer are available:

File Transfer Protocol (FTP) / Secure Copy Protocol (SCP)

Requires a user account limited to write access. Do not assign read, append and delete permissions to the user. An account that expires soon after creation is preferred.

Secure File Transport Protocol (SFTP)

Requires a user account limited to write access. Do not assign read, append and delete permissions. An account that expires soon after creation is preferred.

Server Message Block (SMB) Protocol

(Windows only) A \\server\share location, ideally a Distributed File System (DFS) location, that allows write access to the Domain Computers group. Do not enter user name and password information for the SMB transfer type.

Configure the Copy Tools packages

You can customize settings in the Copy Tools - Copy Files to Central Location and Copy Tools - Copy Files to Central Location (Mac/Linux) packages. The customized settings are applied any time the package is deployed as an action.

Open the package to edit

From the Main menu, click Content > Packages. Type copy in the search box. Select the package that you want to update and click Edit.

Update package timeouts

When you deploy a Copy Tools package as an action on endpoints, the minimum expiration time for the action is the sum of the Command Timeout and Download Timeout values. You can change the default values to increase or decrease the timeout when you deploy the action.

Command Timeout
    The interval of time, in minutes, before the package command expires. By default, the command times out after 15 minutes.

Download Timeout
    The interval of time, in minutes, before the download operation times out. By default, the download operation times out after 10 minutes.

Ignore Action Lock
    Enable locked clients to run actions that include this package. For more information about the Action Lock setting, see Tanium Knowledge Base: Action Lock.

Save the package

After you configure other settings and parameters, click Save.

Target endpoints

To target endpoints, you can ask a question, then drill down and deploy an action to a set of endpoints. When you are targeting endpoints, be careful not to overload the copy location. Verify that the count field in the results for your endpoint targeting is not too high. For more information about targeting endpoints, see Tanium Interact User Guide: Using Deploy action.

Copy with the general purpose action

  1. Use the Copy Tools - Copy Files to Central Location and Copy Tools - Copy Files to Central Location (Mac/Linux) actions for general purpose copy operations: they copy a comma-separated list of files from the specified endpoints.
  2. Choose the transfer method, and specify the server and login information for your copy location. If you are using the SMB transfer method, do not enter username or password information.
  3. In the File Paths field, indicate a comma-separated list of absolute paths to files that you want to copy from each endpoint.
  4. Choose a setting for how often the copy operation runs to prevent the copy destination from being overloaded. Choose one of the following settings:
    • Random Wait Time in Seconds field: Enter the maximum number of seconds to wait before sending the files. The actual time when the endpoint runs the action is a random wait time between zero (no delay) and the specified number of seconds. For best results, as the number of endpoints in the security network increases, increase the maximum number of seconds that you specify.
    • Schedule Deployment section: Use the Distribute over time option to randomize the package copy process, which smooths the distribution and avoids spikes in traffic.
  5. Click Show Preview to Continue to preview the targeted endpoints on which you are deploying the action.
  6. Click Deploy Action.
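The random wait in step 4 only helps if the window is wide compared with how long each endpoint's upload takes. The following added example (not part of the Tanium documentation or product) estimates the peak number of simultaneous uploads the copy location would see for a given endpoint count and maximum wait, using the documented behaviour that each endpoint starts after a uniformly random delay between zero and the maximum. The endpoint count, wait window and per-endpoint upload duration are constructed sample inputs.

```python
import random


def peak_concurrent_uploads(endpoint_count, max_wait_s, upload_duration_s, seed=0):
    """Estimate peak simultaneous uploads at the copy location.

    Each endpoint starts its copy after a random delay in [0, max_wait_s]
    (the documented Random Wait Time behaviour) and holds a connection for
    upload_duration_s seconds. A fixed seed keeps the estimate reproducible.
    """
    rng = random.Random(seed)
    starts = [rng.uniform(0, max_wait_s) for _ in range(endpoint_count)]

    # Sweep-line over start/end events; the running total's maximum is the peak.
    events = []
    for start in starts:
        events.append((start, 1))
        events.append((start + upload_duration_s, -1))
    events.sort()

    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def suggest_max_wait(endpoint_count, upload_duration_s, target_concurrency):
    """Smallest wait window (seconds) whose average concurrency stays at the target.

    Average concurrency is endpoint_count * upload_duration_s / max_wait_s,
    so solving for max_wait_s gives the window below. Peaks run above the
    average, so treat this as a lower bound and check with the simulation.
    """
    return (endpoint_count * upload_duration_s) / target_concurrency


if __name__ == "__main__":
    # Constructed scenario: 1000 endpoints, each upload takes about 30 seconds.
    endpoints, upload_s = 1000, 30
    for window in (0, 600, 3600):
        print(f"max wait {window:>5}s -> peak concurrent uploads: "
              f"{peak_concurrent_uploads(endpoints, window, upload_s)}")
    print(f"window for ~10 concurrent on average: "
          f"{suggest_max_wait(endpoints, upload_s, 10):.0f}s")
```

With a zero-second window every endpoint hits the copy location at once; widening the window to an hour brings the peak down to a small number of concurrent transfers, which is the effect the Distribute over time option is also meant to achieve.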

Copy by IR Job ID

For file copy operations that are required after an incident, use the Incident Response - Copy IR Results to Central Location action. This action requires an IR job ID: use the IR job ID that was created when you deployed any IR package that uses an IR job ID. For more information about IR job IDs, see About deploying parameterized sensors as actions.

File copy results

Both actions copy the specified files to a directory in the copy destination, for example: <remote_root_directory>/YYYY-MM-DD-hh-mm-ComputerName/<file_paths>. <remote_root_directory> is the value of the Remote Root Directory field and <file_paths> are the files that you specified in the File Paths field. The copied files retain the original directory structure.
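The following added example (not part of the Tanium documentation or product) is a preflight check for the File Paths field and the destination layout described above: it splits the comma-separated list, rejects relative entries, and maps each file to <remote_root_directory>/YYYY-MM-DD-hh-mm-ComputerName/<file_paths> with the original directory structure retained. It also sums the Command Timeout and Download Timeout values to give the minimum action expiration from the Update package timeouts section. The sample field values and computer name are constructed, and placing Windows files under a folder named for their drive letter is an assumption about the layout, not something the page states.

```python
import posixpath
import re
from datetime import datetime

# Constructed sample values for the File Paths field (comma-separated absolute paths).
SAMPLE_WINDOWS_FIELD = r"C:\Windows\System32\winevt\Logs\Security.evtx, C:\Windows\System32\drivers\etc\hosts"
SAMPLE_LINUX_FIELD = "/var/log/auth.log,/etc/passwd"
# Constructed timestamp used for the YYYY-MM-DD-hh-mm part of the destination folder.
SAMPLE_TIME = datetime(2018, 11, 28, 9, 27)

_WINDOWS_ABSOLUTE = re.compile(r"^[A-Za-z]:\\")


def invalid_entries(field):
    """Return the entries of a File Paths value that are not absolute paths."""
    entries = [p.strip() for p in field.split(",") if p.strip()]
    return [p for p in entries if not (p.startswith("/") or _WINDOWS_ABSOLUTE.match(p))]


def parse_file_paths(field):
    """Split the File Paths field into a clean list, refusing relative entries."""
    bad = invalid_entries(field)
    if bad:
        raise ValueError(f"File Paths entries must be absolute: {bad}")
    return [p.strip() for p in field.split(",") if p.strip()]


def destination_path(remote_root, computer_name, file_path, when):
    """Map one endpoint file to its location under the copy destination.

    Layout: <remote_root>/YYYY-MM-DD-hh-mm-ComputerName/<file_path>, with the
    endpoint's directory structure retained. Windows paths are placed under a
    folder named for the drive letter (assumption, see lead-in).
    """
    stamp = when.strftime("%Y-%m-%d-%H-%M")
    if _WINDOWS_ABSOLUTE.match(file_path):
        drive, rest = file_path[0].upper(), file_path[3:]
        relative = drive + "/" + rest.replace("\\", "/")
    else:
        relative = file_path.lstrip("/")
    return posixpath.join(remote_root, f"{stamp}-{computer_name}", relative)


def plan_copy(remote_root, computer_name, field, when):
    """Return (source, destination) pairs for every file in the field."""
    return [(p, destination_path(remote_root, computer_name, p, when))
            for p in parse_file_paths(field)]


def min_action_expiration(command_timeout_min=15, download_timeout_min=10):
    """Minimum action expiration (minutes) is Command Timeout plus Download Timeout."""
    return command_timeout_min + download_timeout_min


if __name__ == "__main__":
    for src, dst in plan_copy("/ir/collected", "WS01", SAMPLE_WINDOWS_FIELD, SAMPLE_TIME):
        print(f"{src} -> {dst}")
    for src, dst in plan_copy("/ir/collected", "srv02", SAMPLE_LINUX_FIELD, SAMPLE_TIME):
        print(f"{src} -> {dst}")
    print(f"invalid entries: {invalid_entries('logs/auth.log,/etc/passwd')}")
    print(f"minimum action expiration with defaults: {min_action_expiration()} minutes")
```

Running the check before deploying the action catches a relative or mistyped path while it is still cheap to fix, and shows where each file will land so the write-only copy location can be monitored for the expected folder.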

Last updated: 11/28/2018 9:27 AM