Deploying IR tools

The IR tools are a package that is deployed on the endpoint. The package includes scripts and utilities that enable the functionality of IR module. The tools must be fully deployed for IR to function.

For Windows, the Distribute Incident Response Tools package is automatically deployed to endpoints by a scheduled action that is enabled by default. Unless you want to make changes to the package or action schedule, no action is required.

The Distribute IR Tools (Mac) and Distribute IR tools (Linux) scheduled actions are disabled by default. You must enable these scheduled actions before the tools are deployed to your endpoints.

Before you begin

The Tanium Incident Response solution must be installed. For more information, see Install Tanium Incident Response.

Updating scheduled actions

You can enable, disable, or edit the scheduled actions that deploy IR tools. When the scheduled action is enabled, the IR tools are distributed to any endpoints that do not have them already installed. The frequency of the distribution is defined in the scheduled action.

  1. From the main menu, click Actions > Scheduled Actions.
  2. Search for the action Distribute Incident Response Tools, Distribute IR Tools (Mac), or Distribute IR tools (Linux).
  3. To change the schedule for the action, click Edit.
  4. To enable the action, select the row and click More > Enable Action.

Verify that IR tools are deployed on the endpoints

To check that IR tools are deployed on the endpoints, you can ask the question: Get Has Incident Response Tools from all machines. You can then drill down on the rows that are returned to display more information about the endpoints that need to have the IR tools deployed.

Last updated: 2/13/2018 3:25 PM | Feedback