Creating configurations

Overview

Configurations are groups of settings that control the behavior of Threat Response components. You can create different configurations for each Threat Response component to control how it performs on specific groups of endpoints.

For example, you might want to apply and scan for specific intel on one group of endpoints, but not other groups. Or, you might want to apply a subset of Threat Response capabilities to a group of endpoints. Use configurations to customize which intel to apply, how and when to evaluate intel, how to index file systems, and which events to record on all the endpoints in an enterprise.

You can orchestrate configurations for intel, the engine, the recorder, and index in a profile that is assigned to one or more computer groups. You can import and export configurations to make them easy to apply to target groups of computers.

Default configurations are provided to serve as examples, and they feature the most common configuration settings for specific operating systems. While you cannot edit default configurations, you can copy them to use as templates for creating configurations and applying to profiles.

Create intel configurations

Intel configurations are sets of intel that you group together for deployment to computer groups, so that you can apply intel to endpoints efficiently. For example, you can create intel configurations that target computer groups that contain only Linux endpoints, or only virtual assets.

  1. From the Threat Response menu, click Management > Configurations. Select Intel. Click Create.
  2. In the General Settings section, provide a name and description for the Intel configuration.
  3. In the Intel section, click Add Intel. Select the intel you want to add. Click Add.
  4. Select Intel that you have added to Threat Response. Click OK.
  5. Click Save.

After you have deployed intel configurations to endpoints, you can create engine configurations to generate alerts when the intel is matched on endpoints.

Create engine configurations

Engine configurations instruct the engine how to scan endpoints for intel matches. To avoid scanning important endpoints or to limit when the engine is active, you can include blackout periods to prevent scans during those times.

  1. From the Threat Response menu, click Management > Configurations. Select Engine. Click Create.
  2. In the General Settings section, provide a name and description for the engine configuration.
  3. In the Engine Options section, select the hours and days for the Scan Blackout period.
  4. Configure the Advanced Engine Settings.
  5. Click Save.

After you have deployed engine configurations to endpoints, you can view and manage alerts that result from intel matches. See Managing alerts.

Create recorder configurations

The recorder saves forensic evidence for each endpoint in a local database. With recorder configuration settings, you can restrict database volume by size and days of storage.

Prior to Threat Response 2.5, a common recorder configuration existed for all supported operating systems. In Threat Response 2.5, this common configuration has been replaced with operating system specific configurations. If the legacy default recorder configuration exists, it is deleted if only default profiles were using it, or renamed with a Deprecated suffix if it is in use with custom profiles. If custom profiles use the legacy default configuration, it becomes editable.

Adjust the settings for each endpoint database to suit a specific environment. Systems with different roles can generate a higher volume of certain types of events. For example, domain controllers typically generate more security events and network traffic than an average end-user workstation. You can build custom configurations that maximize event retention across an environment, while excluding unwanted activity.

  1. From the Threat Response menu, click Management > Configurations. Select Recorder. Click Create. Provide a name and description for the recorder configuration.
  2. In the Database Configuration section, configure settings for the recorder database. By default, the recorder database (recorder.db) is encrypted with AES-128. Deselect the database encryption setting if you do not want this data to be encrypted. Deselecting this setting does not revert any already-encrypted databases to a decrypted state.
  3. In the Tanium Driver section, select Enforce Driver to use the Tanium Event Recorder Driver to capture events on Windows endpoints. When upgrading to Threat Response version 2.2.0 from an earlier version, existing configurations do not have the Enforce Driver check box selected by default. On new Threat Response 2.2.0 installations, the check box is selected by default.
  4. In the Recorded Events section, select the types of events to record for the current configuration.

    Security Events

    Security events such as authentication, privilege escalation, and more. This event type includes logon events, even if operating system logs have rolled.

    Global Events

    Global events contain the following:

    • Registry

      [Windows only] Changes to the registry, such as the creation or alteration of registry keys and values. Includes the associated process and user context.

    • Network

      Network connection events, such as an HTTP request to an internet location, including the associated process and user context. Events are recorded for all inbound and outbound TCP connections.

    • File

      File system events, such as files written to directory locations on the endpoint. The associated process and user context are included. Examples: A malware file copied to a location that Windows Update uses, or content changes made to a file.

    • DNS

      [Windows 8.1 or later] Request information, including the process path, user, query, response, and the type of operation.

    • Image Loads

      [Windows only] Returns historical data from each endpoint regarding image loads; for example, the full path and hash, the entity that signed an image, or a designation of "Unsigned" if the image is not signed. A possible example is the loading of an unsigned DLL. If you do not select Image Loads, any Signal that uses the image event type results in an Unmatched Events warning in the Alert Details.

    • Driver Loads

      [Mac and Linux only] Returns historical data from each endpoint regarding driver loads; for example, the full path and hash of a driver. By default, Driver Load events are not selected.

      When upgrading to Threat Response version 2.5 or later from earlier versions, if Image Loads were selected in configurations, Driver Loads will also be selected. Driver Loads and Image Loads are not mutually exclusive. It is possible to have one or both checked in a configuration.

  5. In the Process Filters section, click Manage Process Filters to select existing or create new process filters. See Create filters for more information.
  6. In the Network Filters section, click Manage Network Filters to select existing or create new network filters. See Create filters for more information.
  7. In the Registry Filters section, click Manage Registry Filters to select existing or create new registry filters. See Create filters for more information.
  8. In the File Filters section, click Manage File Filters to select existing or create new file filters. See Create filters for more information.
  9. (Linux only) In the System File Filters section, click Manage System File Filters to select existing or create new system file filters. See Create filters for more information.

  10. Click Save.

After you have deployed recorder configurations, you can view events that occur on the endpoints where you have applied the configuration. See Connecting to live endpoints and exploring data.

Create index configurations

Use an index configuration to detect and report threat indicators for files at rest. Index creates an index of local file systems, computes file hashes, and gathers file attributes and magic numbers in an SQLite database on the endpoint.

Index configurations determine how file indexing and hashing occur on the local file systems of endpoints. Index is optimized to minimize endpoint resource use and work with journaled file systems, when available.

  1. From the Threat Response menu, click Management > Configurations. Select Index. Click Create. Provide a name and description for the index configuration.
  2. Configure the Index Settings.

    Ensure that the Track Changes setting is not selected in the Index Configuration if you are enabling Index in a profile, but do not want the recorder enabled.

  3. In the Exclude From Hashing section, click Add Hashing Exclusion to exclude specific files from hashing. Default hashing exclusions are provided that feature common paths and files to exclude. For more information about hashing exclusions, see Indexing and hashing exclusions.
  4. In the Exclude From Indexing section, click Add Indexing Exclusion to exclude specific file paths by using regular expressions and names from indexing. Default indexing exclusions are provided that feature common paths and files to exclude. For more information about indexing exclusions, see Indexing and hashing exclusions.
  5. Click Save.

After you have deployed index configurations to endpoints, you can use sensors to query indexed files. See Using sensors to query indexed files.

Create indexing and hashing exclusions

To improve performance and save system resources, create configurations to exclude files from being indexed or hashed. When hashing is enabled, every file that is indexed is hashed by default.

For example, consider creating an exclusion if you have an application that writes to a temp file. With an exclusion, the temp file is not indexed and hashed every time it changes.

Hashing

Create exclusions from hashing to exclude specific files and paths from having hash values calculated.

  1. From the Threat Response menu, click Management > Exclusions and select Hashing. Click Create. Select the operating system and provide a name for the exclusion.
  2. Provide a regular expression to match the paths to exclude from hashing. Regular expressions let you match more complex patterns and constrain the scope of the exclusion. For example, (if|ip)config(\.exe)?$ matches ifconfig, ipconfig, ifconfig.exe, and ipconfig.exe.
  3. Click Create.

Indexing

Create exclusions to keep specific files and paths out of file system indexes.

  1. From the Threat Response menu, click Management > Exclusions and select Indexing. Click Create. Select the operating system and provide a name for the exclusion.
  2. Provide a regular expression to match the paths to exclude from indexing. Regular expressions let you match more complex patterns and constrain the scope of the exclusion. For example, (if|ip)config(\.exe)?$ matches ifconfig, ipconfig, ifconfig.exe, and ipconfig.exe.
  3. Click Create.
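The two kinds of exclusion have different effects once a file is found on disk: a file excluded from indexing never enters the index, while a file excluded only from hashing is indexed with its attributes but carries no hash. The following Python model, added here as an example and not Tanium's own Index code, walks a constructed set of Windows files with constructed exclusion lists (the first indexing pattern is the page's own (if|ip)config example, the temp-file pattern reflects the temp-file case described above) and shows which records end up in the index and which of them are hashed. It assumes that exclusion regular expressions are applied with a case-insensitive search over the full path, and it replaces the on-endpoint SQLite database with an in-memory list.

```python
"""How indexing and hashing exclusions interact, as described above.

Added example, not Tanium Index code. Assumptions the page does not state:
patterns are applied with a case-insensitive re.search over the full path, and
the index is an in-memory list instead of the on-endpoint SQLite database.
"""
import hashlib
import re

# Constructed Windows exclusion lists; the first pattern is the page's own example.
INDEXING_EXCLUSIONS = [r"(if|ip)config(\.exe)?$", r"\\AppData\\Local\\Temp\\"]
HASHING_EXCLUSIONS = [r"\.log$", r"^C:\\pagefile\.sys$"]

# Constructed sample file system: path -> file contents (not real endpoint data).
SAMPLE_FILES = {
    r"C:\Windows\System32\ipconfig.exe": b"MZ\x90\x00stub",
    r"C:\Users\alice\AppData\Local\Temp\app.tmp": b"scratch data",
    r"C:\Windows\Logs\setup.log": b"2020-09-09 setup ok\n",
    r"C:\Users\alice\report.docx": b"PK\x03\x04report",
    r"C:\pagefile.sys": b"\x00" * 16,
}


def excluded(path, patterns):
    """True if any exclusion regex matches somewhere in the path."""
    return any(re.search(p, path, re.IGNORECASE) for p in patterns)


def sha256_hex(data):
    """Hex SHA-256 of file contents (the hash stored in an index record)."""
    return hashlib.sha256(data).hexdigest()


def build_index(files, index_exclusions, hash_exclusions, hashing_enabled=True):
    """Return index records. A file excluded from indexing is skipped entirely, so it
    is never hashed; a file excluded only from hashing keeps its attributes and magic
    number but its sha256 stays None. With hashing disabled, nothing is hashed."""
    index = []
    for path, data in files.items():
        if excluded(path, index_exclusions):
            continue
        record = {"path": path, "size": len(data), "magic": data[:4].hex(), "sha256": None}
        if hashing_enabled and not excluded(path, hash_exclusions):
            record["sha256"] = sha256_hex(data)
        index.append(record)
    return index


def record_for(index, path):
    """Look up one index record by path (None if the path was not indexed)."""
    return next((r for r in index if r["path"] == path), None)


if __name__ == "__main__":
    for rec in build_index(SAMPLE_FILES, INDEXING_EXCLUSIONS, HASHING_EXCLUSIONS):
        print(rec["path"], rec["magic"], rec["sha256"] or "(not hashed)")
```

Running the block prints three records: the ipconfig binary and the temp file are absent from the index altogether, the log file and the page file are present without a hash, and the document is present with its SHA-256.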

Create stream configurations

Stream gathers large amounts of data from endpoints and sends it to an external destination. Stream configurations specify and filter recorder events for the endpoints in an environment, and provide instructions for exporting - or streaming - those events directly to a SIEM in JSON format for analysis. For example, you can specify that all network events that match one or more filters be streamed to Chronicle, Splunk, or Elastic for further data analysis or forensic investigation outside of Tanium.

  1. From the Threat Response menu, click Management > Configurations. Select Stream. Click Create. Provide a name and description for the stream configuration.
  2. In the Configuration section, select a Destination Type. The Destination Type you select determines the additional configuration settings that you are prompted to provide.

    Chronicle

    • API Key - The API key that is used to authenticate calls.
    • Customer ID - The Chronicle customer ID for your environment.

    ELK

    • URL - URL for Logstash HTTP input.
    • Trust Certificate - Select to secure the connection to ELK with TLS.

    Splunk HEC

    • URL - The URL to access the Splunk REST API.
    • Authorization Token - The authorization token to access your Splunk environment.
    • Trust Certificate - Select to secure the connection to Splunk with TLS.

    Splunk TCP

    • Host - The fully-qualified Splunk host domain name.
    • Port - The port for the stream communication to the host.

    Select Dry Run if you want to collect statistics about the data that would be streamed to the destination, but not actually send data.

    By default, Dry Run is enabled when you create a stream configuration. Analyze the amount of event data that would be streamed to a destination before you deselect Dry Run. While this setting is enabled, no data is streamed to a destination; it must be disabled for data streaming to occur.

    You can use the Threat Response - Daily Stream Stats sensor to gain an understanding of the amount of data that would be sent.

  3. In the Event Types subsection, select the event types that you want to stream. For more information on event types, see event types.
  4. In the Advanced subsection, select Filter Tanium Processes to filter all Tanium Client processes, and all child processes of the Tanium Client in the recorded events. For example, if the Tanium Client starts Python to run a sensor, this is filtered from the recorded events.
  5. In the Filters section, click Manage Filters to add or create filters to use in the stream configuration. See Create filters for more information.
  6. Click Save.

Create filters

Filters provide a way to exclude event information from recording to reduce performance impacts and enable quick event identification. Filters are applied in recorder configurations and are created for specific types of recorder events. Threat Response provides a default set of filters for each type of recorder event that you can use in configurations. You can also create your own filters.

  1. From the Threat Response menu, click Management > Filters. Click Create.
  2. Select a Filter Type.

    File

    File filters exclude files from recording when path or operation values match.

    Network

    Network filters exclude network events that match a defined IP address, port, or DNS query.

    Process

    Process filters exclude events based on the process path, hash, user name, user group, or command-line.

    Registry

    Registry filters exclude Windows registry events from recording when specific key-value pairs match.

    System File

    System File filters provide paths of files or operations to filter from the Linux audit daemon (auditd) logging. Filter system files from recording to reduce the performance impact on Linux endpoints with high activity levels.


  3. Select an Operating System. Provide a name and description for the filter.
  4. In the Filter Definition section, click Filter Builder.
  5. Click Add. Select a type, a property, and a condition. The available properties and conditions differ for each filter type. You can use properties and conditions to create logical patterns for matching specific events. You can add multiple statements to each filter. For each statement that you add, specify a logical AND or a logical OR to define the relationship between the statements in a filter. The following reference lists the available properties and conditions for each filter type. Two sets of conditions occur:

    • Equality conditions - is, is not
    • String conditions - is, is not, contains, contains not, starts with, starts with not, ends with, ends with not

    File

    • operation - Equality conditions. One of create, write, open_write, rename, or delete.
    • path - String conditions. The full path to the file.

    Process

    • path - String conditions. The full path to the process executable.
    • hash - Equality conditions. The MD5/SHA1/SHA256 of the process executable file.
    • command line - String conditions. The full command line of the process.
    • user name - String conditions. The user name executing the process.
    • user group - String conditions. The user group or domain of the user executing the process.
    • parent path - String conditions. The full path to the parent process file.
    • parent command line - String conditions. The full command line of the parent process.
    • ancestry path - String conditions. The full path to any of the parent processes.
    • ancestry hash - Equality conditions. The MD5/SHA1/SHA256 of any of the parent processes.
    • ancestry command line - String conditions. The full command line of any of the parent processes.
    • ancestry user name - String conditions. The user name executing any of the parent processes.
    • ancestry user group - String conditions. The user group or domain of the user executing any of the parent processes.
    • signature status - Equality conditions. One of verified, unverified, or no_signature.
    • signature issuer - String conditions. The signature issuer of the process.
    • signature subject - String conditions. The signature subject of the process.

    Network

    • address - String conditions. The IPv4 remote address.
    • port - String conditions. The remote port number. Ports that you specify in Network Events match the destination port. The destination port is the port to which a connection is made on the targeted host.
    • dns query - String conditions. The hostname requested for DNS resolution.

    Registry

    • key path - String conditions. The full path to the registry key, including the full hive name.
    • value name - String conditions. The registry value name.

    Image

    • path - String conditions. The full path to the file.
    • hash - Equality conditions. The MD5/SHA1/SHA256 of the file.
    • signature status - Equality conditions. One of verified, unverified, or no_signature.
    • signature issuer - String conditions. The signature issuer of the process.
    • signature subject - String conditions. The signature subject of the process.

    System File

    • path - String conditions. The full path to the file.
    • operation - Equality conditions. One of create, write, open_write, rename, or delete.

    Property values can be an integer, a simple alphanumeric string, or they can be more complex and include other characters, such as spaces, backslashes, and hex-encoded values. Property values do not support regular expressions or wildcards. To create patterns for properties that start with, contain, or end with, use conditions and add additional statements to filters. For searches with non-alphanumeric values or spaces, enclose the value in single quotes. To escape special characters within the single quotes, the following sequences are supported:

    • \r For carriage return
    • \n For newline
    • \t For tab
    • \\ For the backslash itself
    • \' For a single quote within the quotes
    • \x To allow a single-byte hex-encoded sequence. For example \x20 would translate to a single space.

    The hex-encoding is required to handle UTF-8 characters outside of the single-byte character set. Any UTF-8 character can be added via the hex-encoding, if needed.

    For full details about the supported objects, properties, and conditions, see the engine documentation.

    The following sample expressions demonstrate combined expressions, precedence, and escaped special characters:

    • process.command_line contains 'evil' AND process.path starts with 'c:\\windows'
    • (file.path starts with 'c:\\temp' OR file.path ends with '.evil.tmp') AND process.path contains 'cmd.exe'
  6. (Optional) Click Group. Using a group indicates that you intend to match all conditions in the group against a single event. For example, to ensure that matches happen against the same file event, group those statements. You can then include multiple groups to achieve matches against different events in time. You can use logical AND and logical OR to further refine group behavior.
  7. Click Save.
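To make the statement, condition and escape rules from step 5 concrete, here is a small evaluator for that expression syntax, added as an example and not code from Tanium's engine or documentation. It parses statements of the form object.property condition value, the eight conditions from the reference above, parentheses and AND/OR, decodes the listed escape sequences (including a multi-byte UTF-8 character written as several \x sequences), and evaluates the result against constructed sample events. It carries the page's two sample expressions (with the cmd.exe value single-quoted, as the quoting rule requires) and accepts unquoted values leniently. Everything the page does not specify is an assumption and is marked as such in the code: AND binds more tightly than OR, keywords are case-insensitive, value comparisons are case-sensitive, and a statement whose property is absent from an event does not match.

```python
"""Evaluator for the filter expression syntax in the steps above. Added example, not
Tanium's engine. Assumptions the page does not state: AND binds tighter than OR,
keywords are case-insensitive, comparisons are case-sensitive, events are dicts."""
import re

ESCAPES = {"r": "\r", "n": "\n", "t": "\t", "\\": "\\", "'": "'"}
ESCAPE_RE = re.compile(r"\\(x[0-9A-Fa-f]{2}|.)", re.DOTALL)
# Longer alternatives first so "is not" is not read as "is" followed by "not".
COND_ALT = "|".join(re.escape(c) for c in (
    "is not", "is", "contains not", "contains", "starts with not",
    "starts with", "ends with not", "ends with"))


def unescape(body):
    """Decode the escapes listed above. \\xHH gives one raw byte and the bytes are
    decoded as UTF-8 at the end, so a multi-byte character is several \\xHH."""
    out, pos = bytearray(), 0
    for m in ESCAPE_RE.finditer(body):
        out += body[pos:m.start()].encode("utf-8")
        code = m.group(1)
        if len(code) == 3:                      # \xHH
            out.append(int(code[1:], 16))
        elif code in ESCAPES:
            out += ESCAPES[code].encode("utf-8")
        else:
            raise ValueError(f"unsupported escape \\{code} in {body!r}")
        pos = m.end()
    return (out + body[pos:].encode("utf-8")).decode("utf-8")


class Parser:
    """Grammar: or_expr := and_expr (OR and_expr)*; and_expr := primary (AND primary)*;
    primary := '(' or_expr ')' | statement; statement := object.property cond value."""
    def __init__(self, text):
        self.s, self.i = text, 0
    def take(self, pattern):  # match pattern (after optional whitespace) and advance
        m = re.compile(r"\s*(?:" + pattern + ")", re.IGNORECASE).match(self.s, self.i)
        if m:
            self.i = m.end()
        return m
    def parse(self):
        node = self.or_expr()
        if not self.take(r"$"):                 # leftover text is a syntax error
            raise ValueError(f"unexpected text at offset {self.i}")
        return node
    def or_expr(self):
        left = self.and_expr()
        while self.take(r"OR\b"):
            left = ("or", left, self.and_expr())
        return left
    def and_expr(self):                          # binds tighter than OR (assumption)
        left = self.primary()
        while self.take(r"AND\b"):
            left = ("and", left, self.primary())
        return left
    def primary(self):
        if not self.take(r"\("):
            return self.statement()
        node = self.or_expr()
        if not self.take(r"\)"):
            raise ValueError(f"missing ')' at offset {self.i}")
        return node
    def statement(self):
        m = self.take(r"([a-z_]+\.[a-z_]+)\s+(" + COND_ALT + r")\b")
        if not m:
            raise ValueError(f"expected object.property condition at offset {self.i}")
        prop, cond = m.group(1).lower(), " ".join(m.group(2).lower().split())
        q = self.take(r"'((?:\\.|[^'\\])*)'")   # quoted value, escapes decoded
        if q:
            return ("stmt", prop, cond, unescape(q.group(1)))
        b = self.take(r"([^\s()]+)")            # lenient: the page says to quote these
        if not b:
            raise ValueError(f"expected a value at offset {self.i}")
        return ("stmt", prop, cond, b.group(1))


def evaluate(node, event):
    if node[0] in ("and", "or"):
        left, right = evaluate(node[1], event), evaluate(node[2], event)
        return (left and right) if node[0] == "and" else (left or right)
    _, prop, cond, value = node
    actual = event.get(prop)
    if actual is None:                          # property absent: no match (assumption)
        return False
    base, negate = cond.removesuffix(" not"), cond.endswith(" not")
    tests = {"is": actual == value, "contains": value in actual,
             "starts with": actual.startswith(value), "ends with": actual.endswith(value)}
    return tests[base] != negate


def matches(expression, event):
    return evaluate(Parser(expression).parse(), event)


SAMPLE_EVENTS = [  # constructed, keyed object.property; not real recorder output
    {"process.path": r"c:\windows\system32\cmd.exe", "file.operation": "write",
     "process.command_line": r"cmd.exe /c c:\temp\evil.bat", "file.path": r"c:\temp\payload.evil.tmp"},
    {"process.path": r"c:\program files\editor\notepad.exe", "file.operation": "write",
     "process.command_line": "notepad.exe notes.txt", "file.path": r"c:\users\alice\notes.txt"},
]
PAGE_EXPRESSIONS = [  # the page's two sample expressions (second with the value quoted)
    r"process.command_line contains 'evil' AND process.path starts with 'c:\\windows'",
    r"(file.path starts with 'c:\\temp' OR file.path ends with '.evil.tmp') AND process.path contains 'cmd.exe'",
]
```

Calling matches(PAGE_EXPRESSIONS[0], SAMPLE_EVENTS[0]) returns True and the same expression returns False for the second event, because its command line does not contain 'evil'. Note that 'c:\\windows' in the filter text decodes to c:\windows before comparison, which is why the backslash must be doubled in the value.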

Import and export configurations and filters

Import and export configurations and filters to apply them in a different Threat Response environment. For example, you can export configurations or filters that you have tested from a lab environment and import them into a production environment. With the exception of index configurations, both configurations and filters are imported and exported exclusively as JSON files. You can import either config.ini files or JSON files for Index configurations.

The import/export format for filters changed in Threat Response version 2.5. Filters exported from Threat Response versions earlier than 2.5 cannot be imported into version 2.5 or later, and filters exported from version 2.5 or later cannot be imported into versions earlier than 2.5.

Export configurations or filters

  1. From the Threat Response menu, click Management > Configurations for configurations or Management > Filters for filters.
  2. Click Import/Export. Select Export All.
  3. On the export page, provide a name and click Export. All of the configurations in the Threat Response environment are exported.

Import configurations or filters

  1. From the Threat Response menu, click Management > Configurations for configurations or Management > Filters for filters.
  2. Click Import/Export. Select Import JSON or Import INI and browse to a JSON file, or an INI file for index configurations.
  3. Click Import.

Last updated: 9/9/2020 3:33 PM