Installing Incident Response solutions

Install Tanium Incident Response

Use the Tanium™ Incident Response solution to scan and hunt for incidents, examine forensic artifacts, and collect system data for analysis.

Note: The procedures and screen captures that are in the documentation are for Version 7 and later. Version 6 procedures and screens might vary.

Before you begin

  • To use Autoruns content, download the Autoruns.zip file from Autoruns for Windows v13.82. Upload this file during the import of the solution.

  • You must be assigned the Administrator reserved role to import a Tanium solution module or content pack.

Import the Tanium Incident Response solution

  1. From the Main Menu, click Tanium Solutions.
  2. In the Incident Response section, click Import Version.
  3. Review the list of categories, dashboards, saved questions, saved actions, packages, sensors, and content set roles.
  4. Upload the Autoruns.zip file.

    Uploading the Autoruns.zip file is required for the Autoruns content to work properly.

  5. Complete the import.
  6. Verify that the IR sensors and packages were installed.
    1. From the Main Menu, click Authoring > Packages.
    2. Search for Incident Response.
    3. From the Main Menu, click Authoring > Sensors.
    4. In the Category column, click the menu button and create a filter that contains Incident Response.

What to do next

Deploy the IR tools to the endpoint. For more information, see Deploying IR tools.

You can also install other IR solutions.

Install Index

Tanium Index is a solution that runs locally on endpoints to gather, compute, and provide information that is useful to detect and investigate threat indicators for files at rest. Index is optimized to minimize endpoint resource utilization and work with journaling file systems when available. The solution performs the following actions:

  • Indexes local file system
  • Computes file hashes
  • Records file attributes and magic numbers

Import the Tanium Index solution

Install the Tanium Index solution by importing the associated content from the Tanium Solutions page.

  1. From the Main Menu, click Tanium Solutions.
  2. In the Tanium Content section, select the Tanium Index row and click Import Solution.
  3. Review the list of saved actions and packages.
  4. When the import completes, you are returned to the Tanium Solutions page. Verify that the values in the Available Version and Imported Version columns match.

After you import Tanium Index, the Index sensors, packages, and scheduled actions are viewable in the console.

What to do next

By default, the actions to distribute Index to the endpoints are disabled. Enable the Deploy Distribute Tanium Endpoint Index Tools scheduled action to distribute Index endpoint tools to your endpoints. Then, create the custom configuration file and enable the Distribute Tanium Endpoint Index Config action with the new file. For more information about enabling Index on the endpoints, see Indexing file systems.

Install IR Gatherer

Use Tanium IR Gatherer to collect information from compromised endpoints for further forensic analysis.

System requirements

Import the Tanium IR Gatherer solution

  1. From the Main Menu, click Tanium Solutions.
  2. In the Tanium Content section, select the IR Gatherer row and click Import Solution.
  3. Review the list of packages and sensors and click Proceed with Import.

    If you are prompted to specify whether to keep or overwrite database items that duplicate content in the downloaded solution, select the option to overwrite duplicates.

  4. When you are returned to the Solutions page, verify that the values in the Available Version and Imported Version columns match.
  5. Verify that the IR Gatherer sensors and packages were installed.
    1. From the Main Menu, click Authoring > Packages. Search for gatherer.
    2. From the Main Menu, click Authoring > Sensors. Search for gatherer. The Last IR Gatherer Push Date sensor is displayed.

What to do next

For more information, see Collecting data with IR Gatherer.

Install Live Response

Tanium Live Response is content that you can use to collect extensive data from Windows systems that have PowerShell 2.0 or later.

Before you begin

To use Autoruns content, download the Autoruns.zip file from Autoruns for Windows v13.82. Upload this file during the import of the solution.

Import the Tanium Live Response solution

Install the Tanium Live Response solution by importing the associated content from the Tanium Solutions page.

  1. From the Main Menu, click Tanium Solutions.
  2. In the Tanium Content section, select the Live Response row and click Import Solution.
  3. Review the list of saved actions, packages, and sensors and click Proceed with Import.
  4. Upload the Autoruns.zip file.
    Uploading the Autoruns.zip file is required for the Autoruns content to work properly.
  5. Click Import.
  6. When the import is complete, you are returned to the Solutions page. Verify that the values in the Available Version and Imported Version columns match.

What to do next

For more information about Live Response, see Collecting data with Live Response.

Install Quarantine

Tanium Quarantine is a collection of packages and sensors that you can use to isolate endpoints that show evidence of compromise or other suspicious activity. You can use Quarantine to apply, remove, and test for quarantine. Quarantine is supported on Windows, Linux, and Mac OS X endpoints.

Import the Tanium Quarantine solution

Install the Tanium Quarantine solution by importing the associated content from the Tanium Solutions page.

  1. From the Main Menu, click Tanium Solutions.
  2. In the Tanium Content section, select the Quarantine row and click Import Solution.
  3. Review the list of saved actions, packages, and sensors and click Proceed with Import.
  4. When the import is complete, you are returned to the Solutions page. Verify that the values in the Available Version and Imported Version columns match.

What to do next

For more information about Quarantine, see Isolating endpoints.

Last updated: 9/6/2018 2:58 PM