Installing Incident Response solutions

Install Tanium Incident Response

Use the Tanium™ Incident Response solution to scan and hunt for incidents, examine forensic artifacts, and collect system data for analysis.

Do not install Incident Response if you have installed Tanium Threat Response.

Note: The procedures and screen captures that are in the documentation are for Version 7 and later. Version 6 procedures and screens might vary.

Before you begin

  • To use Autoruns content, download the latest version of the file from Autoruns for Windows. Upload this file during the import of the solution.

  • You must be assigned the Administrator reserved role to import a Tanium solution module or content pack.

Import the Tanium Incident Response solution

  1. From the Main menu, go to Administration > Configuration > Solutions.
  2. In the Incident Response section, click Import Version.
  3. Review the list of categories, dashboards, saved questions, saved actions, packages, sensors, and content set roles.
  4. Upload the file.

    Uploading the file is required for the Autoruns content to work properly.

  5. Complete the import.
  6. Verify that the IR sensors and packages were installed.
    1. From the Main menu, click Administration > Content > Packages.
    2. Search for Incident Response.
    3. From the Main menu, click Administration > Content > Sensors.
    4. In the Category column, click the menu button and create a filter that contains Incident Response.

What to do next

Deploy the IR tools to the endpoint. For more information, see Deploying IR tools.

You can also install other IR solutions.

Install Index

Tanium Index is a solution that runs locally on endpoints to gather, compute, and provide information that is useful to detect and investigate threat indicators for files at rest. Index is optimized to minimize endpoint resource utilization and work with journaling file systems when available. The solution performs the following actions:

  • Indexes local file system
  • Computes file hashes
  • Records file attributes and magic numbers
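As an added illustration of those three actions (example code, not Tanium's own Index implementation, whose on-disk format and internals are not documented here), the following Python script walks a directory tree, hashes each regular file, and records size, mtime and a magic-number classification from a small constructed signature table:

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Constructed table of a few well-known leading-byte signatures (magic numbers).
MAGIC_SIGNATURES = {
    b"MZ": "pe-executable",
    b"\x7fELF": "elf-executable",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip-container",
}

def sha256_of(path, chunk_size=1 << 16):
    """Hash the file in chunks so large files never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def magic_of(path):
    """Classify a file by its leading bytes, ignoring the (spoofable) extension."""
    with open(path, "rb") as f:
        head = f.read(8)
    for sig, kind in MAGIC_SIGNATURES.items():
        if head.startswith(sig):
            return kind
    return "unknown"

def index_tree(root):
    """Return one record per regular file under root: hash, attributes, magic type."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if not stat.S_ISREG(st.st_mode):  # skip symlinks, devices, sockets
                continue
            records.append({"path": os.path.relpath(p, root), "size": st.st_size,
                            "mtime": int(st.st_mtime), "sha256": sha256_of(p),
                            "magic": magic_of(p)})
    return sorted(records, key=lambda r: r["path"])

def build_sample_tree():
    """Constructed sample: a text file and a PE stub hiding behind a .pdf extension."""
    root = tempfile.mkdtemp()
    Path(root, "notes.txt").write_bytes(b"plain text\n")
    Path(root, "report.pdf").write_bytes(b"MZ\x90\x00 fake header")
    return root
```

Running `index_tree(build_sample_tree())` shows why the magic number matters: the `.pdf` file is classified as `pe-executable` regardless of its name.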

Obtain the Tanium Index solution

To obtain the Tanium Index solution, send an email to [email protected].

After you import Tanium Index, the Index sensors, packages, and scheduled actions are viewable in the console.

What to do next

By default, the actions to distribute Index to the endpoints are disabled. Enable the Deploy Distribute Tanium Endpoint Index Tools scheduled action to distribute the Index endpoint tools to your endpoints. Then, create the custom configuration file and enable the Distribute Tanium Endpoint Index Config action with the new file. For more information about enabling Index on the endpoints, see Indexing file systems.

Install Quarantine

Tanium Quarantine is a collection of packages and sensors that you can use to isolate endpoints that show evidence of compromise or other suspicious activity. You can use Quarantine to apply, remove, and test for quarantine. Quarantine is supported on Windows, Linux, and Mac OS X endpoints.

Import the Tanium Quarantine solution

Install the Tanium Quarantine solution by importing the associated content from the Tanium Solutions page.

  1. From the Main menu, go to Administration > Configuration > Solutions.
  2. In the Tanium Content section, select the Quarantine row and click Import Solution.
  3. Review the list of saved actions, packages, and sensors and click Proceed with Import.
  4. When the import is complete, you are returned to the Solutions page. Verify that the values in the Available Version and Imported Version columns match.

What to do next

For more information about Quarantine, see Isolating endpoints.