Configuring Threat Response

For instructions on installing and configuring Threat Response in an on-premises environment, see Installing Threat Response.

Deploying Threat Response tools

Configure Threat Response action group

  1. From the Main menu, go to Administration > Actions > Scheduled Actions.
  2. In the list of action groups, click Tanium Threat Response.
  3. Click Edit, select computer groups to include in the action group, and click Save.

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

Endpoint Configuration is installed as a part of Tanium Client Management. For more information, see the Tanium Client Management User Guide: Installing Client Management.

Additionally, you can use Endpoint Configuration to manage configuration approval. For example, configuration changes are not deployed to endpoints until a user with approval permission approves the configuration changes in Endpoint Configuration. For more information about the roles and permissions that are required to approve configuration changes for Threat Response, see User role requirements.

To use Endpoint Configuration to manage approvals, you must enable configuration approvals.

  1. From the Main menu, go to Administration > Shared Services > Endpoint Configuration to open the Endpoint Configuration Overview page.
  2. Click Settings and click the Global tab.
  3. Select Enable configuration approvals, and click Save.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

(Tanium Core Platform 7.4.5 or later only) You can set the module action group to target the No Computers filter group by enabling restricted targeting before adding the module to your Tanium license or importing the module. This option enables you to control tools deployment through scheduled actions that are created during the import and that target the module action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

Remove legacy Index dependencies from endpoints

If you have previously installed Tanium Index as a standalone application, or used the standalone application to upgrade Tanium Index, ensure that all legacy Index assets are uninstalled from endpoints before deploying the latest Threat Response tools to endpoints. To ensure complete removal of legacy Index dependencies, deploy the Index - Remove Legacy Dependent package to endpoints where legacy versions of Tanium Index dependencies exist.

  1. To target endpoints, issue a question in Interact. Ask the question Get Tanium File Contents[Tools/EPI/dependents.txt] from all machines. If the results for an endpoint display Index, the standalone Index content has been used on that endpoint in the past.
  2. In the Question Results grid, select the rows for the endpoints that require the action, and click Deploy Action.
  3. From the Deploy Action page, use the Deployment Package search box typeaheads to select packages. Select the Index - Remove Legacy Dependent [Windows] or Index - Remove Legacy Dependent [Non-Windows] package.
  4. Configure a Deployment Schedule and Targeting Criteria. Click Deploy Action. For more information, see Deploying actions.

After you have performed these steps, if the results of the Client Extensions - Status sensor display recorder|has_subscription|index.fileevents, you can use the Recorder - Clear Subscription [OS] package to remove that single subscription from the recorder.
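The two checks above (dependents.txt still listing Index, and the recorder still holding the index.fileevents subscription) can be triaged from an exported question result set before deploying the packages. The following script is an added example and is not part of the Tanium documentation or product; it assumes the results were exported as a CSV with the columns Computer Name, Sensor and Value, with one file line or status entry per row, and the sample export is constructed.

```python
"""Triage exported Interact results for legacy Index cleanup (added example)."""
import csv
import io

# Constructed sample export; the real column names and value formatting
# produced by an Interact export may differ (assumption).
SAMPLE_EXPORT = """\
Computer Name,Sensor,Value
host-a,Tanium File Contents[Tools/EPI/dependents.txt],Index
host-a,Client Extensions - Status,recorder|has_subscription|index.fileevents
host-b,Tanium File Contents[Tools/EPI/dependents.txt],Threat Response
host-b,Client Extensions - Status,recorder|has_subscription|threatresponse
host-c,Tanium File Contents[Tools/EPI/dependents.txt],Index
host-c,Client Extensions - Status,recorder|running
"""

DEPENDENTS_SENSOR = "Tanium File Contents[Tools/EPI/dependents.txt]"
STATUS_SENSOR = "Client Extensions - Status"
LEGACY_SUBSCRIPTION = "recorder|has_subscription|index.fileevents"


def triage(export_csv: str) -> dict:
    """Map each cleanup package to the endpoints that still need it.

    remove_legacy:      dependents.txt lists Index, so the endpoint should
                        receive Index - Remove Legacy Dependent.
    clear_subscription: the recorder still reports the index.fileevents
                        subscription, so Recorder - Clear Subscription applies.
    """
    remove_legacy, clear_subscription = set(), set()
    for row in csv.DictReader(io.StringIO(export_csv)):
        host = row["Computer Name"].strip()
        sensor = row["Sensor"].strip()
        value = row["Value"].strip()
        if sensor == DEPENDENTS_SENSOR and value == "Index":
            remove_legacy.add(host)
        elif sensor == STATUS_SENSOR and value == LEGACY_SUBSCRIPTION:
            clear_subscription.add(host)
    return {"remove_legacy": sorted(remove_legacy),
            "clear_subscription": sorted(clear_subscription)}


if __name__ == "__main__":
    for package, hosts in triage(SAMPLE_EXPORT).items():
        print(f"{package}: {', '.join(hosts) or 'none'}")
```

Endpoints listed under clear_subscription are worth re-checking only after the Index - Remove Legacy Dependent action has completed, since that package may already clear the subscription.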