Creating configurations
Overview
Configurations are groups of settings that control the behavior of Threat Response components. You can create different configurations for each Threat Response component to control how it performs on specific groups of endpoints.
For example, you might want to apply and scan for specific intel on one group of endpoints, but not other groups. Or, you might want to apply a subset of Threat Response capabilities to a group of endpoints. Use configurations to customize which intel to apply, how and when to evaluate intel, how to index file systems, and which events to record on all the endpoints in an enterprise.
You can orchestrate configurations for detection, the recorder, and index in a profile that is assigned to one or more computer groups. You can import and export configurations to make them easy to apply to target groups of computers.
Threat Response provides example configurations that feature the most common configuration settings for specific operating systems. While you cannot edit example configurations, you can copy them to use as templates for creating configurations and applying to profiles.
Create detection configurations
Detection configurations provide directions for scanning endpoints for intel matches. To avoid scanning important endpoints or to limit when detection is active, you can include blockout periods to prevent scans during those times.
- From the Threat Response menu, click Management > Configurations. Click Create > Detection.
- In the General Settings section, provide a name and description for the detection configuration.
- (Optional) In the Engine Options section, select Use UTC instead of the local time on the endpoint when calculating Scan Blockout.
- In the Engine Options section, select the hours and days for the Scan Blockout period to stop scanning against available intel during the times you select.
- Configure the Settings.
- (Optional) Select Consume Deep Instinct Alerts to enable Threat Response to consume Deep Instinct alerts and display alerts from Deep Instinct detection. Selecting Consume Deep Instinct Alerts requires the Deep Instinct agent to be running on the endpoint. By default this option is disabled.
For the integration to work correctly, you must configure additional flags for the Deep Instinct Agent (D-Client) using the Deep Instinct CLI. For more information refer to the Deep Instinct documentation or contact Deep Instinct support.
- (Optional) Select Consume Defender Alerts to enable Threat Response to consume Defender alerts and display alerts from Defender on Windows endpoints. By default this option is enabled.
- (Optional) Select Consume Process Injection Alerts to enable Threat Response to consume Process Injection alerts. Selecting Consume Process Injection Alerts requires configuring the Process Injection intel document. See Process injection. By default this option is disabled.
- Specify a value (in days) for Initial Lookback. The initial lookback value that you provide defines the number of days in the past to look in the Recorder database for matching.
- In the Intel section, click Add Intel. Select the intel you want to add. Click Add.
- Select Intel that you have added to Threat Response. Click OK. Click Save.
After you have deployed detection configurations to endpoints, you can view and manage findings that result from intel matches. See Managing alerts.
Create index configurations
Use an index configuration to detect and report threat indicators for files at rest. Index creates an index of local file systems, computes file hashes, and gathers file attributes and magic numbers in an SQLite database on the endpoint. Index returns the files that are contained in zip archives. For information on Index configuration settings, see Client Index Extension User Guide.
To accommodate architectural changes made to Index, when upgrading to the latest version of Threat Response, existing Index exclusions and Hash Types to Calculate are migrated from each legacy Index configuration into a new Index configuration with a matching name. If legacy Index configurations were attached to a Threat Response profile, the corresponding new Index configurations are added to that profile.
Index configurations determine how file indexing and hashing occur on the local file systems of endpoints. Index is optimized to minimize endpoint resource use and work with journaled file systems, when available.
Legacy Index versions must be removed from endpoints before you deploy new Index configurations. For information on removing legacy Index versions, see
- From the Threat Response menu, click Management > Configurations. Click Create > Index. Provide a name and description for the index configuration.
- Select the Hashes To Calculate. Index can record any combination of three different hash types: MD5, SHA-1, SHA-256, or SHA512. Do not select any hash type to disable calculation of hashes.
If legacy index configurations included the Include Malicious Hash List setting, you must add the new Reputation intel document to intel configurations. When you upgrade to Threat Response 3.4 or later, any malicious hashes that exist in the reputation database are added to the Reputation Intel document. All malicious hashes identified after upgrade are added to this same intel document moving forward. Open each intel configuration and ensure that the Reputation source is added anywhere you want endpoints to match against the malicious hashes.
- In the Priority List section, select filters that you want to designate as high-priority paths. See Create filters for more information. Click Manage Priority List to select existing filters. Select any or all of the available filters. Only filters that have already been created are available to select. When you have selected the filters that you want to add to the configuration, click Apply. See Create filters for more information on filter methods. Click Save. You cannot add more than 24 filter definitions.
- In the Exclusions section, click Manage Exclusions to exclude specific file paths by using regular expressions and names from indexing. Default indexing exclusions are provided that feature common paths and files to exclude. For more information about indexing exclusions, see Indexing exclusions.
- Click Save.
- Click Create.
After you have deployed index configurations to endpoints, you can use sensors to query indexed files. See Using sensors to query indexed files.
Create indexing exclusions
To improve performance and save system resources, create configurations to exclude files from being indexed.
Create exclusions to keep specific files and paths out of file system indexes.
- From the Threat Response menu, click Management > Exclusions and click Create. Select the operating system and provide a name for the exclusion.
- Provide a regular expression to exclude from indexing. Search for more complex patterns and further constrain the scope of the search. For example, (if|ip)config(\.exe)?$ matches ifconfig, ipconfig, ifconfig.exe, and ipconfig.exe.
- Click Create.
Create recorder configurations
The recorder saves forensic evidence for each endpoint in a local database. With recorder configuration settings, you can restrict database volume by size and days of storage.
Prior to Threat Response 2.5, a common recorder configuration existed for all supported operating systems. In Threat Response 2.5 and later, this common configuration has been replaced with operating-system-specific configurations. If the legacy default recorder configuration exists, it is deleted if only default profiles were using it, or renamed with a Deprecated suffix if it is in use with custom profiles. If custom profiles use the legacy default configuration, it becomes editable.
Adjust the settings for each endpoint database to suit a specific environment. Systems with different roles can generate a higher volume of certain types of events. For example, domain controllers typically generate more security events and network traffic than an average end-user workstation. You can build custom configurations that maximize event retention across an environment, while excluding unwanted activity. Starting in Threat Response 3.5, recorder configurations that target Windows endpoints require the Tanium Event Recorder Driver to be installed and enabled to record process and command line events. The Tanium Event Recorder Driver is installed as part of Threat Response and is upgraded when Threat Response upgrades are applied.
- From the Threat Response menu, click Management > Configurations. Click Create > Recorder. Provide a name and description for the recorder configuration.
- In the Database Configuration section, configure settings for the recorder database. The recorder database contains configuration data, Signal match data, and configured event data. The events of a Signal match are always written to the database, and override any filters that are included in a recorder configuration.
- Provide a Maximum Database Size. The endpoint purges events if the maximum database size is reached. If this database is larger than 2.5 GB, you cannot reimport the database if it is exported.
- Provide the Maximum Days to Retain Events to specify the number of days that events are retained. Older events are purged from the endpoint database. Entering 0 prevents events from being purged based on age.
- Select whether or not to Record Tanium Client Processes. Selecting this option includes all Tanium Client processes, and all child processes of the Tanium Client, in recorded events.
- Select whether or not to Encrypt Database. By default, the recorder database (recorder.db) is encrypted using AES 128-bit encryption. Deselect the database encryption setting if you do not want this data to be encrypted. Deselecting this setting does not revert any encrypted databases to a decrypted state. To change an endpoint to a decrypted state, change the configuration, deploy the updated profile, and then deploy an action to the endpoints with Recorder - Reset Database. After the reset action is complete, the recorder.db exists in a decrypted state.
If encryption is enabled, a recorder database cannot be decrypted offline.
- In the Recorded Events section, select the types of events to record for the current configuration.
Security Events
Security events such as authentication, privilege escalation, and more. This event type includes logon events, even if operating system logs have rolled. For Linux security events, see https://github.com/linux-audit/audit-userspace/blob/master/lib/libaudit.h for more information on specific event IDs. For Windows security events, see https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-auditing-faq for more information on specific event IDs.
Event types under global events do not apply the same across operating systems. Global events contain the following:
Registry
[Windows only] Changes to the registry, such as the creation or alteration of registry keys and values. Includes the associated process and user context.
Network
Network connection events, such as an HTTP request to an internet location, including the associated process and user context. Events are recorded for all inbound and outbound TCP connections.
Process
Process events, such as path, hash, command line, user information, ancestry, and the signed status of a process.
File
File system events, such as files written to directory locations on the endpoint. The associated process and user context are included. Examples: A malware file copied to a location that Windows Update uses, or content changes made to a file.
DNS
[Windows 8.1 or later and Linux endpoints where eBPF is enabled] Request information, including the process path, user, query, response, and the type of operation. On Windows and Linux endpoints where eBPF is enabled, DNS events are only recorded when you use the system DNS client. DNS events for applications that use their own DNS client, for example nslookup and Google Chrome, are not recorded.
Image Loads
[Windows only] Returns historical data from each endpoint regarding image loads; for example, the full path and hash, the entity that signed an image, or a designation of "Unsigned" if the image is not signed. A possible example is the loading of an unsigned DLL. If you do not select Image Loads, any Signal that uses the image event type results in an Unmatched Events warning in the Alert Details. Selecting Image Loads filters for image and process.path is not 'system'. Selecting Image Loads does not apply filters for Linux or Mac endpoints.
Note: The driver load view in recorder is categorized as an image load ending in .sys and originating from PID 4 (SYSTEM). Driver load events display in the image load event view and therefore image load events might be displayed on Linux and Mac endpoints. While there is no support for image loads on Linux and Mac endpoints, driver load events such as these are presented as image loads.
Driver Loads
Returns historical data from each endpoint regarding driver loads; for example, the full path and hash of a driver. By default, Driver Load events are not selected. Selecting Driver Loads on Windows filters for image and process.path is 'system'. Selecting Driver Loads on Linux or macOS filters for image.
When upgrading to Threat Response version 2.5 or later from earlier versions, if Image Loads were selected in configurations, Driver Loads will also be selected. Driver Loads and Image Loads are not mutually exclusive. It is possible to have one or both checked in a configuration.
HTTP headers
[Windows only] Returns HTTP header information from connections on endpoints including the time connections occurred, the connection ID of the connection, the remote (destination) address, and the header name and value.
When using HTTP headers as recorded events, be aware that CPU usage on endpoints is impacted; especially on servers. When capturing HTTP headers as recorded events, ensure that you are monitoring the performance impacts on the endpoints from which they are captured and tune their collection appropriately.
- In the Filters section, click Manage File Filters to select existing filters. Select any or all of the available filters. Only filters that have already been created are available to select. See Create filters for more information on filter creation. When you have selected the filters that you want to add to the configuration, click Apply. In the Filters section, designate the method you want to apply for each set of filters. Select either Include or Exclude. See Create filters for more information on filter methods.
- (Linux only) In the Advanced section, add Custom Audit Rules. Provide custom audit rules for use on Linux endpoints. Audit rules are provided to the auditd service and are in the following format: -a exit,always -S adjtimex -S settimeofday -k time_change. You can provide up to 500 custom audit rules.
By default, in Threat Response 3.3 and later, eBPF is enabled on supported endpoints. When eBPF is enabled, any custom auditd rules that you have added to a Recorder configuration are not used. To disable eBPF, use the CX.recorder.BPFEnableBPF configuration setting and set the value to "off". For more information, see the Client Recorder Extension User Guide.
- Click Save.
After you have deployed recorder configurations, you can view events that occur on the endpoints where you have applied the configuration. See Connecting to live endpoints and exploring data.
Create stream configurations
Stream provides the ability to send rich endpoint data from the recorder to an external destination. This raw data includes process, network, file, and driver events that you can use to investigate incidents, enrich other workflows, or perform custom analytics. Stream configurations enable you to specify and filter recorder events for the endpoints in an environment, and provide instructions for exporting - or streaming - these events directly to a SIEM for analysis in JSON format. For example, you can specify that all network events with one or more filters be streamed to Chronicle, Splunk or Elastic. Tanium customers use this data to solve critical data gaps and Tanium Partners leverage this data to build their own Security Programs.
- From the Threat Response menu, click Management > Configurations. Click Create > Stream. Provide a name and description for the stream configuration.
- Select a Management Method. You can manually provide configuration parameters, or upload a JSON file with configuration parameters for a stream configuration. Select either Manual or File Upload. If you select File Upload, click Browse for File and select a JSON file to upload. The JSON file contains the configuration parameters for the stream configuration. If you select Manual, complete the following tasks.
- In the Configuration section, select a Destination Type. The Destination Type you select determines the additional required configuration settings that you are prompted to provide.
Chronicle
- Chronicle Configuration URL - The URL to configure Chronicle. The provided URL must be complete and begin with HTTPS://.
- API Key - The API key that is used to authenticate calls.
- Customer ID - The Chronicle customer ID for your environment.
ELK
- URL - URL for Logstash HTTP input.
- Disable Certificate Validation (Less Secure) - Select to disable the validation of the certificate presented by the destination. By default certificate validation is performed.
Splunk HEC
- URL - The URL to access the Splunk REST API.
- Authorization Token - The authorization token to access your Splunk environment. Do not include the Splunk prefix in this token.
- Disable Certificate Validation (Less Secure) - Select to disable the validation of the certificate presented by the destination. By default certificate validation is performed.
Splunk TCP
- Host - The fully-qualified Splunk host domain name.
- Port - The port for the stream communication to the host.
Select Dry Run if you want to collect statistics about the data that would be streamed to the destination, but not actually send data.
By default, Dry Run is enabled when you create a stream configuration. Analyze the amount of event data that would be streamed to a destination before you deselect Dry Run. While this setting is enabled, no data is streamed to a destination; it must be disabled for data streaming to occur.
You can use the Threat Response - Daily Stream Stats sensor to gain an understanding of the amount of data that would be sent.
- (Optional) If you want to use a proxy to provide a gateway, provide the host, port, and a username and password for the proxy.
- Select Filter Tanium Processes to filter all Tanium Client processes, and all child processes of the Tanium Client in the recorded events. For example, if the Tanium Client starts Python to run a sensor, this is filtered from the recorded events.
- In the Event Types subsection, select the event types that you want to stream. For more information on event types, see event types. At least one event type is required.
- In the Filters section, click Manage Filters to add filters to use in the stream configuration. Only filters that have already been created are available to select. See Create filters for more information on filter creation. When you have selected the filters that you want to add to the configuration, click Apply. In the Filters section, designate the method you want to apply for each set of filters. Select either Include or Exclude. See Create filters for more information on filter methods.
- Click Save.
Create filters
Filters provide a way to define the event information to record to reduce performance impacts and enable quick event identification. Filters are applied in index, recorder, and stream configurations and are created for specific types of recorder events. Threat Response provides a default set of filters for each type of recorder event that you can use in configurations. You can also create your own filters. You can either include or exclude filters. The Include method of filtering enables you to replace the default filter to only include the filters you specify to reduce performance impact and enable quick event identification. The Exclude method of filtering prevents events that match the criteria you provide from recording.
Filters are constructed in Signals syntax. You cannot have more than 55 unique terms in a Signal.
If a configuration enables process, file, and network event types but an include filter only includes process events, no file or network events are recorded. When using an include filter for network events, the associated process events are automatically included.
Include filters do not support not conditions. If you use an include filter in a configuration, no default include filters for other filter types are provided.
- From the Threat Response menu, click Management > Filters. Click Create.
- Select a Filter Type.
File
File filters define criteria for files to record when path or operation values match.
High Priority Path
Threat Response uses Index to scan the entire disk on an endpoint at regular intervals that typically occur between once a day and once a week. Index does not use recorder events to update file data across the entire disk. It is common to want more frequent updates for files in certain regions of the disk. To provide this visibility, in addition to the baseline disk scan, Threat Response enables you to specify high priority paths that use recorder events to update data and are also scanned every 24 hours by default. To change the default setting:
- From the Main menu, click Modules > Threat Response to open the Threat Response Overview page.
- Click Settings and open the Service tab.
- In the Misc section provide a value (in hours) for the High Priority Path Scanning for Index Configurations (Hours) setting.
- Click Save.
A high priority path must include a file.path starts with clause in Tanium signal syntax. Escape backslash characters in paths. For example, use C:\\Users\\Administrator to make C:\Users\Administrator a high priority path.
- Supported: file.path starts with 'C:\\Users\\Administrator'
- Unsupported: file.path starts with 'C:\'
A high priority path, in addition to the file.path starts with clause, can additionally specify one or more file.path ends with clauses to narrow the file types to inspect.
- Supported: file.path starts with 'C:\\Users\\Administrator' and file.path ends with '.dat'
- Supported: file.path starts with 'C:\\Windows\\System32' and file.path ends with '.dll' and file.path ends with '.exe'
- Unsupported: file.path ends with '.dat'
Image
Image filters define criteria for image events to record when path, hash, or signature values match.
Network
Network filters define criteria for network events to record when a match is made for a defined IP address, port, or DNS query.
Process
Process filters exclude events based on the process path, hash, user name, user group, or command-line.
Registry
Registry filters define criteria for Windows registry events to record when specific key-value pairs match.
System (Windows and Linux only)
System filters provide paths of files to match or filter from the Linux audit daemon (auditd) logging. On Windows endpoints, system filters exclude particular processes from having the Tanium Driver inject into them for API monitoring and process injection monitoring.
- Select an Operating System. Provide a name and description for the filter.
- In the Filter Definition section, click Filter Builder.
- Click Row or Grouping to add a filter definition using the filter builder. Select a type, a property, and condition. The available properties and conditions differ for each filter type. You can use properties and conditions to create logical patterns for matching specific events. You can add multiple statements to each filter. For each statement that you add, specify a logical and or a logical or to define the relationship of the statements in a filter. The following table provides a reference for properties and conditions for each filter type.
| Type | Property | Supported Conditions | Comments |
|---|---|---|---|
| File | operation | is, is not | One of create, write, open_write, rename, or delete. |
| File | path | is, is not, contains, contains not, starts with, starts with not, ends with, ends with not | The full path to the file. |
| Process | path | is, is not, contains, contains not, starts with, starts with not, ends with, ends with not | The full path to the process executable. Process path filters do not exclude child processes from being captured to recorder.db. Use an ancestry statement to exclude child processes. |
| Process | hash | is, is not | The MD5 hash of the process executable file. |
| Process | command line | is, is not, contains, contains not, starts with, starts with not, ends with, ends with not | The full command line of the process. |
| Process | user name | is, is not, contains, contains not, starts with, starts with not, ends with, ends with not | The user name executing the process. |
| Process | user group | is, is not, contains, contains not, starts with, starts with not, ends with, ends with not | The user group or domain of the user executing the process. |
| Process | parent path | is, is not, contains, contains not, starts with, starts with not, ends with, ends with not | The full path to the parent process file. |
| Process | parent command line | is, is not, contains, contains not, starts with, starts with not, ends with, ends with not | The full command line of the parent process. |
| Process | ancestry path | is, is not, contains, contains not, starts with, starts with not, ends with, ends with not | The full path to any of the parent processes. |
| Process | ancestry hash | is, is not | The MD5 hash of any of the parent processes. |
| Process | ancestry command line | is, is not, contains, contains not, starts with, starts with not, ends with, ends with not | The full command line of any of the parent processes. |
| Process | ancestry user name | is, is not, contains, contains not, starts with, starts with not, ends with, ends with not | The user name executing any of the parent processes. |
| Process | ancestry user group | is, is not, contains, contains not, starts with, starts with not, ends with, ends with not | The user group or domain of the user executing any of the parent processes. |
| Process | signature status | is, is not | One of verified, unverified, or no_signature. |
| Process | signature issuer | is, is not, contains, contains not, starts with, starts with not, ends with, ends with not | The signature issuer of the process. |
| Process | signature subject | is, is not, contains, contains not, starts with, starts with not, ends with, ends with not | The signature subject of the process. |
| Network | address | is, is not, contains, contains not, starts with, starts with not, ends with, ends with not | The IPv4 remote address. |
| Network | port | is, is not, contains, contains not, starts with, starts with not, ends with, ends with not | A direction-specific non-ephemeral port. Local on incoming, remote on outgoing. |
| Network | dns query | is, is not, contains, contains not, starts with, starts with not, ends with, ends with not | The hostname requested for DNS resolution. |
| Network | operation | is, is not | Network operations that include connect and accept. |
| Registry | key path | is, is not, contains, contains not, starts with, starts with not, ends with, ends with not | The full path to the registry key, including the full hive name. |
| Registry | operation | is, is not | Registry operations that include create, set_value, delete, and rename. |
| Registry | value name | is, is not, contains, contains not, starts with, starts with not, ends with, ends with not | The registry value name. |
| Image | path | is, is not, contains, contains not, starts with, starts with not, ends with, ends with not | The full path to the file. |
| Image | hash | is, is not | The MD5 hash. |
| Image | signature status | is, is not | One of verified, unverified, or no_signature. |
| Image | signature issuer | is, is not, contains, contains not, starts with, starts with not, ends with, ends with not | The signature issuer of the process. |
| Image | signature subject | is, is not, contains, contains not, starts with, starts with not, ends with, ends with not | The signature subject of the process. |
| System | path (Linux) | starts with, starts with not | The full path to the file. |
| System | actor path (Windows) | is, is not, starts with, starts with not | The full path to the process or file that performs the process injection. |
When using is or is not filter construction, the filter must match a file and not a folder. For example, process_injection.actor_path is C:\\exclude\\ is invalid construction.
Property values can be an integer, a simple alphanumeric string, or they can be more complex and include other characters, such as spaces, backslashes, and hex-encoded values. Property values do not support regular expressions or wildcards. On Windows platforms, property values are not case sensitive; for example, TaniumClient or taniumclient has the same effect. To create patterns for properties that start with, contain, or end with, use conditions and add additional statements to filters. For searches with non-alphanumeric values or spaces, enclose the value in single quotes. To escape special characters within the single quotes, the following sequences are supported:
- \r For carriage return
- \n For newline
- \t For tab
- \\ For the backslash itself
- \' For a single quote within the quotes
- \x To allow a single-byte hex-encoded sequence. For example \x20 would translate to a single space.
The hex-encoding is required to handle UTF-8 characters outside of the single-byte character set. Any UTF-8 character can be added via the hex-encoding, if needed.
The following sample expressions demonstrate combined expressions, precedence, and escaped special characters:
- process.command_line contains 'evil' AND process.path starts with 'c:\\windows'
- (file.path starts with 'c:\\temp' OR file.path ends with '.evil.tmp') AND process.path contains cmd.exe
- (Optional) Click Group. Using a group indicates that you intend to match all conditions in the group against a single event. For example, to ensure that matches happen against the same file event, you should group those events. You can then include multiple groups to achieve matches against different events in time. You can use logical AND and logical OR to further refine group behavior.
- Click Save.
- In the Filters section of a Recorder or Stream configuration, click Include or Exclude next to any filter that you have added to designate the method you want to apply for each set of filters. The Include method of filters enables you to replace the default filter to only include the filters you specify to reduce performance impact and enable quick event identification. For example, for registry events, if you provide one or more registry filters as include, those replace the default include filter of ‘registry’. The Exclude method enables you to effectively prevent events from recording. If a set of filters that you designate to Include contains a specific filter that has been designated to a set of filters to Exclude, a warning displays in the workbench.
DNS filters are not supported as valid Include filters.
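The filter expression syntax walked through in this section (properties, conditions, AND/OR, grouping, and the single-quote escape sequences) and the high priority path rules given earlier under High Priority Path, worked through in an added example that is not Tanium's code: a small Python evaluator that parses such expressions, applies them to constructed sample events, and checks whether an expression is a valid high priority path. It assumes AND binds more tightly than OR, which the page does not state, and that events are dictionaries keyed by Signal property names such as process.path.

```python
import re

# Added example, not Tanium's code: an evaluator for the filter expression
# syntax this page describes and a check for its high priority path rules.
# Assumption: AND binds more tightly than OR; the page does not state this.
_TOKEN = re.compile(r"\s*(?:([()])|('(?:\\.|[^'\\])*')|([^\s()']+)|(\S))")
_ESCAPES = {b"r": b"\r", b"n": b"\n", b"t": b"\t", b"\\": b"\\", b"'": b"'"}
_TESTS = {"is": lambda v, x: v == x, "contains": lambda v, x: x in v,
          "starts with": lambda v, x: v.startswith(x), "ends with": lambda v, x: v.endswith(x)}

def tokenize(expr):
    """Split into parentheses, single-quoted strings, and bare words."""
    tokens = []
    for paren, string, word, junk in _TOKEN.findall(expr):
        if junk:  # e.g. 'C:\' where the unescaped backslash eats the closing quote
            raise ValueError("cannot tokenize %r" % expr)
        tokens.append(paren or string or word)
    return tokens

def unquote(token):
    """Decode the escape sequences the page lists inside single quotes."""
    if not (len(token) >= 2 and token[0] == token[-1] == "'"):
        return token  # bare value such as cmd.exe
    def repl(m):  # \xNN is one raw byte, so \xc3\xa9 decodes as UTF-8 below
        esc = m.group(1)
        return bytes([int(esc[1:], 16)]) if esc[:1] == b"x" else _ESCAPES.get(esc, esc)
    return re.sub(rb"\\(x[0-9a-fA-F]{2}|.)", repl, token[1:-1].encode("utf-8")).decode("utf-8")

def parse(expr):
    """Recursive descent producing ('and'|'or', l, r) and ('cmp', prop, cond, negated, value)."""
    toks, pos = tokenize(expr), 0
    def peek():
        return toks[pos] if pos < len(toks) else ""
    def take():
        nonlocal pos
        if not peek():
            raise ValueError("unexpected end of expression")
        pos += 1
        return toks[pos - 1]
    def chain(op, sub):  # left-associative: sub (op sub)*
        node = sub()
        while peek().upper() == op:
            take()
            node = (op.lower(), node, sub())
        return node
    def atom():
        if peek() == "(":
            take()
            node = chain("OR", lambda: chain("AND", atom))
            if take() != ")":
                raise ValueError("expected closing parenthesis")
            return node
        prop, cond = take(), take().lower()
        if cond in ("starts", "ends"):  # two-word conditions
            if take().lower() != "with":
                raise ValueError("expected 'with' after %r" % cond)
            cond += " with"
        elif cond not in ("is", "contains"):
            raise ValueError("unknown condition %r" % cond)
        negated = peek().lower() == "not"  # 'is not', 'ends with not', ...
        if negated:
            take()
        return ("cmp", prop, cond, negated, unquote(take()))
    node = chain("OR", lambda: chain("AND", atom))
    if peek():
        raise ValueError("unexpected token %r" % peek())
    return node

def matches(node, event, windows=True):
    """Evaluate a parsed filter against one event (dict property -> value)."""
    if node[0] in ("and", "or"):
        left, right = (matches(n, event, windows) for n in node[1:])
        return left and right if node[0] == "and" else left or right
    _, prop, cond, negated, expected = node
    actual = str(event.get(prop, ""))  # absent properties compare as empty
    if windows:  # page: property values are not case sensitive on Windows
        actual, expected = actual.casefold(), expected.casefold()
    return _TESTS[cond](actual, expected) != negated

def is_valid_high_priority_path(expr):
    """Page rules: one 'file.path starts with', optional 'file.path ends with', AND only."""
    try:
        stack, clauses = [parse(expr)], []
    except ValueError:  # includes the page's unsupported 'C:\' example
        return False
    while stack:
        node = stack.pop()
        if node[0] == "and":
            stack.extend(node[1:])
        elif node[0] == "or" or node[1] != "file.path" or node[3]:
            return False  # OR groups, other properties, and negation are out
        else:
            clauses.append(node[2])
    return "starts with" in clauses and set(clauses) <= {"starts with", "ends with"}

SAMPLE_EVENTS = [  # constructed sample events, not recorder output; keys are Signal properties
    {"process.path": r"C:\Windows\System32\cmd.exe", "process.command_line": "cmd.exe /c evil.bat"},
    {"process.path": r"C:\Program Files\App\app.exe", "process.command_line": "app.exe --update"},
    {"file.path": r"C:\Temp\dropper.evil.tmp", "process.path": r"C:\Windows\System32\cmd.exe"},
]
```

Running the page's two sample expressions through parse and matches against SAMPLE_EVENTS selects the first and third event respectively; with windows=False the first expression no longer matches because its lowercase 'c:\\windows' is compared exactly.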
Import and export configurations and filters
Import and export configurations and filters to apply them in a different Threat Response environment. For example, you can export configurations or filters that you have tested from a lab environment and import them into a production environment. With the exception of index configurations, both configurations and filters are imported and exported exclusively as JSON files.
The import/export format for filters has changed in Threat Response version 2.5. You cannot export filters from Threat Response versions earlier than 2.5 and import them on Threat Response versions equal to or greater than Threat Response 2.5. Similarly, you cannot export filters from Threat Response versions equal to or greater than Threat Response 2.5 and import them on Threat Response versions earlier than 2.5.
Export configurations
- From the Threat Response menu, click Management > Configurations.
- Select one or more configurations to export. Click Actions > Export to export the selected configurations. To export all configurations, click Export All.
- On the export page, provide a name and click Export. All of the configurations in the Threat Response environment are exported.
Export filters
Import configurations
- From the Threat Response menu, click Management > Configurations.
- Click Import/Export. Select Import JSON and browse to a JSON file.
- Click Import.
Import filters
- From the Threat Response menu, click Management > Filters.
- Click Import. Browse to a JSON file.
- Click Import.
Last updated: 6/1/2023 1:38 PM