Upgrading Incident Response

You can upgrade the Tanium™ Incident Response module, or any of the individual solutions.

Upgrade Tanium Incident Response

Before you begin

  • To use Autoruns content, download the Autoruns.zip file from Autoruns for Windows v13.82. Upload this file during the import of the solution.

  • You must be assigned the Administrator reserved role to import a Tanium solution module or content pack.

Import Tanium Incident Response updates

  1. From the Main Menu, click Tanium Solutions.
  2. In the Incident Response section, click Upgrade to Version.
  3. Review the list of saved actions and packages.

    Uploading the Autoruns.zip file is required for the Autoruns content to work properly.

  4. To confirm the upgrade, return to the Tanium Solutions page and check the Installed version for Incident Response.

Upgrade IR solutions

Before you run an upgrade, you might want to back up configuration files that are not preserved during the upgrade process for Index and Live Response. For more information, see Upgrade Tanium Index and Preserve configuration files before upgrading Live Response.

  1. From the Main Menu, click Tanium Solutions.
  2. In the Tanium Content section, select the row and click Upgrade Solution.
  3. Review the list of saved actions and packages.
    • For platform version 6.5 and 7.0, click Proceed with Import.
    • For platform version 7.1.314.3071 and later, enable the Include content set overwrite checkbox and click Proceed with Import.

      For more information, see the Tanium Core platform User Guide: Align content for modules.

      Uploading the Autoruns.zip file is required for the Autoruns content to work properly.

  4. When you are returned to the Solutions page, check the installed version of the solution.

Upgrade Tanium Index

Before and after upgrading Index, there are some additional steps to take.

Preserve configuration files

The custom Index config.ini file in the configuration packages is not preserved when you upgrade the Index solution. You must back up the file before upgrading, and re-add the file to your packages after the upgrade.

  1. Save your custom config.ini file.
  2. Delete any scheduled actions that are going to distribute the config.ini file.
    • Deploy Distribute Tanium Endpoint Index Tools
    • Deploy Distribute Tanium Endpoint Index Tools for Mac
    • Deploy Distribute Tanium Endpoint Index Config
    • Deploy Distribute Tanium Endpoint Index Config for Mac
  3. Upgrade the Tanium Index solution. For more information, see Upgrade IR solutions.
  4. Edit the appropriate Index packages to include the custom config.ini file.
  5. Create new scheduled actions to distribute the updated packages.

For more information about editing packages to distribute a custom config.ini file, see Customize Index endpoint settings.

Recreate content and deploy tools

After upgrading, you must update the Tanium components that reference Index content.

  1. Delete and recreate any saved questions that reference Index sensors.
  2. Delete and recreate any scheduled actions that reference Index packages or sensors.
  3. If not completed already, re-deploy endpoint tools.
  4. (Optional) To capture all hard links on Windows endpoints, initiate a reindex of the file system.
    1. Deploy the Delete Tanium Endpoint Index database package.
    2. Use the appropriate saved action to start indexing.

    For Windows endpoints, typically a reindex occurs only if Index has lost its place in the file system; otherwise, Index only checks for new information. For Mac endpoints, deployment causes the directory scan to start from the beginning.

Preserve configuration files before upgrading Live Response

Before you upgrade Live Response, download any customized configuration files. These files are not preserved when you upgrade.

Alternatively, you can host any customized configuration files in a remote location and attach the files to the package.

  1. Open the Live Response - Windows package.
  2. Download all customized collection and transfer configuration files, such as Custom_Collection.json, SCP.json, and any SSH/Amazon S3 private key files.
  3. Upgrade the Live Response solution. For more information, see Upgrade IR solutions.
  4. Open the Live Response - Windows package again.
  5. Upload the customized configuration files to the package.
  6. Create new scheduled actions to distribute the updated packages.
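The backup and re-upload steps for the Index config.ini file and the Live Response configuration files can be checked with a hash manifest. The following Python script is an added example, not Tanium code: it copies the files you downloaded from a package into an owner-only backup folder, records their SHA-256 digests, and after the upgrade compares the files downloaded again from the updated package against those digests. The function names, folder layout, and manifest.json file name are assumptions made for this example, and the sample files are constructed.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"  # hypothetical manifest name used by this example

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()  # config files are small

def snapshot(download_dir: Path, backup_dir: Path) -> dict:
    """Copy files downloaded from the package to backup_dir and record SHA-256 digests."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    os.chmod(backup_dir, 0o700)  # the set can include SSH/Amazon S3 private key files
    digests = {}
    for src in sorted(p for p in download_dir.iterdir() if p.is_file()):
        dst = backup_dir / src.name
        shutil.copyfile(src, dst)
        os.chmod(dst, 0o600)  # owner-only; on Windows restrict the folder ACL instead
        digests[src.name] = sha256_of(dst)
    (backup_dir / MANIFEST).write_text(json.dumps(digests, indent=2))
    os.chmod(backup_dir / MANIFEST, 0o600)
    return digests

def verify(redownload_dir: Path, backup_dir: Path) -> dict:
    """Compare files downloaded from the upgraded package against the manifest."""
    expected = json.loads((backup_dir / MANIFEST).read_text())
    result = {}
    for name, digest in expected.items():
        candidate = redownload_dir / name
        if not candidate.is_file():
            result[name] = "missing"  # file was never re-added to the package
        else:
            result[name] = "ok" if sha256_of(candidate) == digest else "changed"
    return result

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample files, not real configs
        before, after, backup = Path(tmp, "before"), Path(tmp, "after"), Path(tmp, "backup")
        before.mkdir()
        after.mkdir()
        (before / "Custom_Collection.json").write_text('{"sample": true}')
        (before / "SCP.json").write_text('{"sample": "scp"}')
        (after / "Custom_Collection.json").write_text('{"sample": true}')
        snapshot(before, backup)
        print(verify(after, backup))  # SCP.json is reported as missing
```

Any file reported as missing or changed was not restored to the package as saved, so correct it before you create the new scheduled actions.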

Last updated: 7/11/2018 5:28 PM