Configuring Threat Response

If you did not install Threat Response with the Apply All Tanium recommended configurations option, you must enable and configure certain features.

(Tanium Core Platform 7.4.5 or later only) You can set the Threat Response action group to target the No Computers filter group by enabling restricted targeting before adding Threat Response to your Tanium licenseimporting Threat Response. This option enables you to control tools deployment through scheduled actions that are created during the import and that target the Tanium Threat Response action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

When you import Threat Response with automatic configuration, the following default settings are configured:

The following default settings are configured for Threat Response:

Setting Default value
Action group
  • Restricted targeting disabled (default): All Computers computer group.
  • Restricted targeting enabled: No Computers computer group.
Service account

The service account is set to the account that you used to import the module.

Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization. See Configure service account.

Tanium Signals are imported.

The following Threat Response profiles are created and deployed to specific computer groups:

Profile Name Intel configuration Engine configuration Recorder Configuration Index Configuration
[Tanium Default] - Windows

Deploys to All Windows computer group.
[Tanium Default] - Linux

Deploys to All Linux computer group.
[Tanium Default] - Mac

Deploys to All Mac computer group.

Install and configure Configure Tanium Endpoint Configuration

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

Endpoint Configuration is installed as a part of Tanium Client Management. For more information, see the Tanium Client Management User Guide: Installing Client Management.

Additionally you can use Endpoint Configuration to manage configuration approval. For example, configuration changes are not deployed to endpoints until a user with approval permission approves the configuration changes in Endpoint Configuration. For more information about the roles and permissions that are required to approve configuration changes for Threat Response, see User role requirements.

To use Endpoint Configuration to manage approvals, you must enable configuration approvals.

  1. From the Main menu, go to Administration > Shared Services > Endpoint Configuration to open the Endpoint Configuration Overview page.
  2. Click Settings and click the Global tab.
  3. Select Enable configuration approvals, and click Save.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

If you enabled configuration approvals, the following configuration changes must be approved in Endpoint Configuration before they deploy to endpoints:

  • Creating, updating, or deleting patch lists
  • Adding or removing enforcements
  • Removing all enforcements
  • Updating scan configuration priorities
  • Creating deployments
  • Stopping deployments
  • Adding targets to deployments
  • User-initiated actions, such as initializing endpoints, uploading custom field files, enabling Linux

Configure Threat Response

Configure service account

The service account is a user that runs several background processes for Threat Response. This user requires the following roles and access:

  • Tanium Administrator or Threat Response Service Account role.
  • (Optional) Connect User role to send Threat Response data to Tanium Connect.
  • If you installed Tanium Client Management, Endpoint Configuration is installed, and by default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to this role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

For more information about Threat Response permissions, see User role requirements.

If you imported Threat Response with default settings, the service account is set to the account that you used to perform the import. Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization.

  1. From the Main menu, click Modules >Threat Response to open the Threat Response Overview page.
  2. Click Settings and open the Service Account tab.
  3. Update the service account settings and click Save.

Configure Threat Response action group

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. In the list of action groups, click Tanium Threat Response.
  3. Click Edit, select computer groups to include in the action group, and click Save.

Remove legacy Index dependencies from endpoints

If you have previously installed Tanium Index as a standalone application, or used the standalone application to upgrade Tanium Index, ensure that all legacy Index assets are uninstalled from endpoints before deploying the latest Threat Response tools to endpoints. To ensure complete removal of legacy Index dependencies, deploy the Index - Remove Legacy Dependent package to endpoints where legacy versions of Tanium Index dependencies exist.

  1. To target endpoints, issue a question in Interact. Ask the question Get Tanium File Contents[Tools/EPI/dependents.txt] from all machines. If the results for an endpoint display Index it indicates that the standalone Index content has been used in the past.
  2. In the Question Results grid, select the rows for the endpoints that require the action, and click Deploy Action.
  3. From the Deploy Action page, use the Deployment Package search box typeaheads to select packages. Select the Index - Remove Legacy Dependent [Windows] or Index - Remove Legacy Dependent [Non-Windows] package.
  4. Configure a Deployment Schedule and Targeting Criteria. Click Deploy Action. For more information, see Deploying actions.

After you have performed these steps, if the results of the Client Extensions - Status sensor displays recorder|has_subscription|index.fileevents you can use the Recorder - Clear Subscription [OS] package to remove a single subscription from recorder.

Set up Threat Response users

You can use the following set of predefined user roles to set up Threat Response users.

To review specific permissions for each role, see User role requirements.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Threat Response Administrator

Assign the Threat Response Administrator role to users who manage the configuration and deployment of Threat Response functionality to endpoints.
This role can perform the following tasks:

  • Configure Threat Response service settings
  • Read and modify Threat Response configurations
  • Take action on alerts
  • Connect to remote endpoints
  • Dismiss or reject approvals for Threat Response tasks in Tanium Endpoint Configuration

Threat Response Operator

Assign the Threat Response Operator role to users who manage the configuration and deployment of Threat Response functionality to endpoints.
This role can perform the following tasks:

  • Configure Threat Response service settings
  • Read and modify Threat Response configurations
  • Take action on alerts
  • Connect to remote endpoints
  • Dismiss or reject approvals for Threat Response tasks in Tanium Endpoint Configuration

Threat Response User

Assign the Threat Response User role to users who work with alerts and performing analysis on remote endpoints.
This role can perform the following tasks:

  • View service settings
  • View and modify alerts and intel documents
  • Suppress and take action on alerts
  • Run and review quick scans
  • Connect to remote endpoints and manage downloads from them, and read configurations and profiles

Threat Response Read Only User

Assign the Threat Response Read Only User role to users who need visibility into Threat Response data and Threat Response findings on endpoints.
This role can perform the following tasks:

  • View service settings, alerts, and intel documents
  • Review quick scans
  • Read configurations and profiles

Threat Response Service Account

Assign the Threat Response Service Account role to an account that configures system settings for Threat Response.
This role performs several background processes for Threat Response. For more information, see Installing Threat Response .

Threat Response Endpoint Configuration Approver

Assign the Threat Response Endpoint Configuration Approver role to a user who approves or rejects Threat Response configuration items in Tanium Endpoint Configuration.
This role approves, rejects, or dismisses changes that target endpoints where Threat Response is installed.

Migrate Trace and Detect configurations to Threat Response

If you are upgrading to Threat Response from Detect or Trace, any existing Trace and Detect configurations are not automatically migrated when you install the Threat Response solution. You must initiate the migration process.

  1. On the Threat Response overview page, click Help , and then click the Migration tab.
  2. Click Start Migration.
  3. Trace and Detect configuration data is imported. If there are problems with any data migration, the migration reports a failure and a description of the issue that caused the failure. Review the messages on the migration page to resolve any issues.
  4. Confirm that you want to perform the migration.

After you have migrated Trace and Detect data you can remove Trace and Detect data from standalone installations of the Trace and Detect modules.

  1. On the Threat Response overview page, click Help , and then click the Migration tab.
  2. Click Start Cleanup.
  3. Trace and Detect configuration data is removed from the standalone module installations.
  4. Confirm that you want to perform the cleanup.