Creating configurations

Overview

Configurations are groups of settings that control the behavior of Threat Response components. You can create different configurations for each Threat Response component to control how it performs on specific groups of endpoints.

For example, you might want to apply and scan for specific intel on one group of endpoints, but not other groups. Or, you might want to apply a subset of Threat Response capabilities to a group of endpoints. Use configurations to customize which intel to apply, how and when to evaluate intel, how to index file systems, and which events to record on all the endpoints in an enterprise.

You can orchestrate configurations for intel, the engine, the recorder, and index in a profile that is assigned to one or more computer groups. You can import and export configurations to make them easy to apply to target groups of computers.

Threat Response provides example configurations that feature the most common configuration settings for specific operating systems. While you cannot edit example configurations, you can copy them to use as templates for creating configurations and applying to profiles.

Create engine configurations

Engine configurations instruct the engine how to scan endpoints for intel matches. To avoid scanning important endpoints or to limit when the engine is active, you can include blackout periods to prevent scans during those times.

  1. From the Threat Response menu, click Management > Configurations. Click Create > Engine.
  2. In the General Settings section, provide a name and description for the engine configuration.
  3. In the Engine Options section, select the hours and days for the Scan Blackout period.
  4. Configure the Advanced Engine Settings.
  5. Click Save.

After you have deployed engine configurations to endpoints, you can view and manage alerts that result from intel matches. See Managing alerts.

Create intel configurations

Intel configurations are sets of intel that you can group together for deployment to computer groups and apply them to endpoints efficiently. For example, you can create intel configurations that target computer groups that contain only Linux endpoints, or that are exclusively virtual assets.

  1. From the Threat Response menu, click Management > Configurations. Click Create > Intel.
  2. In the General Settings section, provide a name and description for the Intel configuration.
  3. In the Intel section, click Add Intel. Select the intel you want to add. Click Add.
  4. Select Intel that you have added to Threat Response. Click OK.
  5. Click Save.

After you have deployed intel configurations to endpoints, you can create engine configurations to generate alerts when the intel is matched on endpoints.

Create index configurations

Use an index configuration to detect and report threat indicators for files at rest. Index creates an index of local file systems, computes file hashes, and gathers file attributes and magic numbers in an SQLite database on the endpoint.

Index configurations determine how file indexing and hashing occur on the local file systems of endpoints. Index is optimized to minimize endpoint resource use and work with journaled file systems, when available.

  1. From the Threat Response menu, click Management > Configurations. Click Create > Index. Provide a name and description for the index configuration.
  2. Configure the Index Settings.

    Ensure that the Track Changes setting is not selected in the Index Configuration if you are enabling Index in a profile, but do not want the recorder enabled.

  3. In the Exclude From Hashing section, click Add Hashing Exclusion to exclude specific files from hashing. Default hashing exclusions are provided that feature common paths and files to exclude. For more information about hashing exclusions, see Indexing and hashing exclusions.
  4. In the Exclude From Indexing section, click Add Indexing Exclusion to exclude specific file paths by using regular expressions and names from indexing. Default indexing exclusions are provided that feature common paths and files to exclude. For more information about indexing exclusions, see Indexing and hashing exclusions.
  5. Click Save.

After you have deployed index configurations to endpoints, you can use sensors to query indexed files. See Using sensors to query indexed files.

Create indexing and hashing exclusions

To improve performance and save system resources, create configurations to exclude files from being indexed or hashed. When hashing is enabled, every file that is indexed is hashed by default.

For example, consider creating an exclusion if you have an application that writes to a temp file. With an exclusion, the temp file is not indexed and hashed every time it changes.

Hashing

Create exclusions from hashing to exclude specific files and paths from having hash values calculated.

  1. From the Threat Response menu, click Management > Exclusions and select Hashing. Click Create. Select the operating system and provide a name for the exclusion.
  2. Provide a regular expression to match a path to exclude from hashing. Search for more complex patterns and further constrain the scope of the search. For example, (if|ip)config(\.exe)?$ matches ifconfig, ipconfig, ifconfig.exe, and ipconfig.exe.
  3. Click Create.

Indexing

Create exclusions to keep specific files and paths out of file system indexes.

  1. From the Threat Response menu, click Management > Exclusions and select Indexing. Click Create. Select the operating system and provide a name for the exclusion.
  2. Provide a regular expression to exclude from indexing. Search for more complex patterns and further constrain the scope of the search. For example, (if|ip)config(\.exe)?$ matches ifconfig, ipconfig, ifconfig.exe, and ipconfig.exe.
  3. Click Create.
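As an added example that is not part of the Tanium documentation, the following Python script applies hashing and indexing exclusion patterns to a constructed list of endpoint paths and reports which ones are excluded. It uses Python's re module as a stand-in for the Index regex engine (the engine itself is not documented on this page), treats Windows paths as case-insensitive (an assumption), and pairs the page's (if|ip)config(\.exe)?$ pattern with a constructed pattern for an application's temp file. Running a candidate pattern over real paths this way before saving it shows whether the $ anchor keeps the exclusion as narrow as intended.

```python
import re

# Constructed sample paths as Index would see them; not taken from a real endpoint.
SAMPLE_PATHS = [
    r"C:\Windows\System32\ipconfig.exe",
    r"C:\Windows\System32\en-US\ipconfig.exe.mui",
    "/sbin/ifconfig",
    "/usr/share/man/man8/ifconfig.8.gz",
    r"C:\Users\alice\AppData\Local\Temp\report.tmp",
    r"C:\Users\alice\Documents\report.docx",
]

# The page's example pattern, plus a constructed one for an application's temp file.
EXCLUSIONS = [r"(if|ip)config(\.exe)?$", r"\\Temp\\[^\\]+\.tmp$"]


def matching_exclusion(path, patterns, case_insensitive=True):
    """Return the first exclusion pattern found anywhere in the path, or None.
    Python's re stands in for the Index regex engine; case-insensitive matching
    for Windows paths is an assumption, not something the page states."""
    flags = re.IGNORECASE if case_insensitive else 0
    for pattern in patterns:
        if re.search(pattern, path, flags):
            return pattern
    return None


def partition(paths, patterns, case_insensitive=True):
    """Split paths into (excluded, kept) under the given exclusion patterns."""
    excluded, kept = [], []
    for path in paths:
        target = excluded if matching_exclusion(path, patterns, case_insensitive) else kept
        target.append(path)
    return excluded, kept


if __name__ == "__main__":
    excluded, kept = partition(SAMPLE_PATHS, EXCLUSIONS)
    print("excluded:", *excluded, sep="\n  ")
    print("kept:", *kept, sep="\n  ")
```

Dropping the $ anchor from the page's pattern makes it exclude ipconfig.exe.mui and the ifconfig man page as well, which is the kind of over-broad exclusion that silently removes files from the index.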

Use an index configuration to detect and report threat indicators for files at rest. Index creates an index of local file systems, computes file hashes, and gathers file attributes and magic numbers in an SQLite database on the endpoint. For information on Index configuration settings, see Client Index Extension User Guide.

To accommodate architectural changes made to Index, when upgrading to the latest version of Threat Response, existing Index exclusions and Hash Types to Calculate are migrated from each legacy Index configuration into a new Index configuration with a matching name. If legacy Index configurations were attached to a Threat Response profile, the corresponding new Index configurations are added to that profile.


Legacy Index versions must be removed from endpoints before you deploy new Index configurations. For information on removing legacy Index versions, see Upgrade the Threat Response version in Configuring Threat Response.

  1. From the Threat Response menu, click Management > Configurations. Click Create > Index. Provide a name and description for the index configuration.
  2. Select the Hashes To Calculate. Index can record any combination of three different hash types: MD5, SHA-1, SHA-256, or SHA512. Do not select any hash type to disable calculation of hashes.

    If legacy index configurations included the Include Malicious Hash List setting, you must add the new Reputation intel document to intel configurations. When you upgrade to Threat Response 3.4, any malicious hashes that exist in the reputation database are added to the Reputation Intel document. All malicious hashes identified after upgrade are added to this same intel document moving forward. Open each intel configuration and ensure that the Reputation source is added anywhere you want endpoints to match against the malicious hashes.

  3. In the Priority List section, select filters that you want to designate as high-priority paths. See Create filters for more information. Click Manage Priority List to select existing filters. Select any or all of the available filters. Only filters that have already been created are available to select. When you have selected the filters that you want to add to the configuration, click Apply. See Create filters for more information on filter methods. Click Save. You cannot add more than 24 filter definitions.
  4. In the Exclusions section, click Manage Exclusions to exclude specific file paths by using regular expressions and names from indexing. Default indexing exclusions are provided that feature common paths and files to exclude. For more information about indexing exclusions, see Indexing exclusions.
  5. Click Save.
  6. Click Create.

After you have deployed index configurations to endpoints, you can use sensors to query indexed files. See Using sensors to query indexed files.

Create indexing exclusions

To improve performance and save system resources, create configurations to exclude files from being indexed.

Create exclusions to keep specific files and paths out of file system indexes.

  1. From the Threat Response menu, click Management > Exclusions and click Create. Select the operating system and provide a name for the exclusion.
  2. Provide a regular expression to exclude from indexing. Search for more complex patterns and further constrain the scope of the search. For example, (if|ip)config(\.exe)?$ matches ifconfig, ipconfig, ifconfig.exe, and ipconfig.exe.
  3. Click Create.

Create recorder configurations

The recorder saves forensic evidence for each endpoint in a local database. With recorder configuration settings, you can restrict database volume by size and days of storage.

Prior to Threat Response 2.5, a common recorder configuration existed for all supported operating systems. In Threat Response 2.5 and later, this common configuration has been replaced with operating-system-specific configurations. If the legacy default recorder configuration exists, it is deleted if only default profiles were using it, or renamed with a Deprecated suffix if it is in use with custom profiles. If custom profiles use the legacy default configuration, it becomes editable.

Adjust the settings for each endpoint database to suit a specific environment. Systems with different roles can generate a higher volume of certain types of events. For example, domain controllers typically generate more security events and network traffic than an average end-user workstation. You can build custom configurations that maximize event retention across an environment, while excluding unwanted activity.

  1. From the Threat Response menu, click Management > Configurations. Click Create > Recorder. Provide a name and description for the recorder configuration.
  2. In the Database Configuration section, configure settings for the recorder database.
    1. Provide a Maximum Database Size. The endpoint purges events if the maximum database size is reached.
    2. Provide the Maximum Days to Retain Events to specify the number of days that events are retained. Older events are purged from the endpoint database. Entering 0 prevents events from being purged based on age.

    3. Select whether or not to Record Tanium Client Processes. Selecting this option includes all Tanium Client processes, and all child processes of the Tanium Client, in recorded events.
    4. Select whether or not to Encrypt Database. By default, the recorder database (recorder.db) is encrypted using AES 128-bit encryption. Deselect the database encryption setting if you do not want this data to be encrypted. Deselecting this setting does not revert any encrypted databases to a decrypted state. To change an endpoint to a decrypted state, change the configuration, deploy the updated profile, and then deploy an action to the endpoints with Recorder - Reset Database. After the reset action is complete, recorder.db exists in a decrypted state.

      If encryption is enabled, a recorder database cannot be decrypted offline.

  3. In the Tanium Driver section, select Enforce Driver to use the Tanium Event Recorder Driver to capture events on Windows endpoints. When upgrading to Threat Response version 2.2.0 from an earlier version, existing configurations do not have the Enforce Driver check box selected by default. On new Threat Response 2.2.0 installations, the check box is selected by default.
  4. In the Recorded Events section, select the types of events to record for the current configuration.

    Security Events

    Security events such as authentication, privilege escalation, and more. This event type includes logon events, even if operating system logs have rolled.

    Global Events

    Event types under global events do not apply the same across operating systems. Global events contain the following:

    • Registry

      [Windows only] Changes to the registry, such as the creation or alteration of registry keys and values. Includes the associated process and user context.

    • Network

      Network connection events, such as an HTTP request to an internet location, including the associated process and user context. Events are recorded for all inbound and outbound TCP connections.

    • File

      File system events, such as files written to directory locations on the endpoint. The associated process and user context are included. Examples: A malware file copied to a location that Windows Update uses, or content changes made to a file.

    • DNS

      [Windows 8.1 or later] Request information, including the process path, user, query, response, and the type of operation.

    • Image Loads

      [Windows only] Returns historical data from each endpoint regarding image loads; for example, the full path and hash, the entity that signed an image, or a designation of "Unsigned" if the image is not signed. A possible example is the loading of an unsigned DLL. If you do not select Image Loads, any Signal that uses the image event type results in an Unmatched Events warning in the Alert Details.

    • Driver Loads

      Returns historical data from each endpoint regarding driver loads; for example, the full path and hash of a driver. By default, Driver Load events are not selected. Selecting Driver Loads on Windows filters for image and process.path is 'system'. Selecting Driver Loads on Linux or macOS filters for image.

      When upgrading to Threat Response version 2.5 or later from earlier versions, if Image Loads were selected in configurations, Driver Loads will also be selected. Driver Loads and Image Loads are not mutually exclusive. It is possible to have one or both checked in a configuration.

    • HTTP headers

      [Windows only] Returns HTTP header information from connections on endpoints including the time connections occurred, the connection ID of the connection, the remote (destination) address, and the header name and value. HTTP Headers are not captured until the endpoint is restarted.

      When using HTTP headers as recorded events, be aware that CPU usage on endpoints is impacted; especially on servers. When capturing HTTP headers as recorded events, ensure that you are monitoring the performance impacts on the endpoints from which they are captured and tune their collection appropriately.

  5. In the Filters section, click Manage File Filters to select existing filters. Select any or all of the available filters. Only filters that have already been created are available to select. See Create filters for more information on filter creation. When you have selected the filters that you want to add to the configuration, click Apply. In the Filters section, designate the method you want to apply for each set of filters. Select either Include or Exclude. See Create filters for more information on filter methods.
  6. (Linux only) In the Advanced section, add Custom Audit Rules. Provide custom audit rules for use on Linux endpoints. Audit rules are provided to the auditd service and are in the following format: -a action,filter -S system_call -F field=value -k key_name. You can provide up to 500 custom audit rules.

    By default, in Threat Response 3.3 and later, eBPF is enabled on supported endpoints. When eBPF is enabled, any custom auditd rules that you have added to a Recorder configuration are not used. To disable eBPF, use the CX.recorder.BPFEnableBPF configuration setting and set the value to "off". For more information, see the Client Recorder Extension User Guide.

  7. Click Save.
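Because custom audit rules are handed straight to auditd, it helps to check their shape before pasting them into a Recorder configuration. The following Python checker is an added example, not Tanium's own validation logic: it parses each line against the documented -a action,filter -S system_call -F field=value -k key_name form, rejects flags the page does not document, and enforces the 500-rule limit. The accepted action names (always, never), list names (task, exit, user, exclude) and -F comparison operators come from auditd's own auditctl syntax, which also accepts the list,action order; the sample rules are constructed.

```python
import shlex

MAX_CUSTOM_RULES = 500  # limit stated for a Recorder configuration
ACTIONS = {"always", "never"}  # -a actions accepted by auditd
LISTS = {"task", "exit", "user", "exclude"}  # -a lists accepted by auditd
FIELD_OPERATORS = ("!=", "<=", ">=", "&=", "=", "<", ">", "&")  # -F operators in auditd


def parse_audit_rule(line):
    """Parse one rule of the documented form -a action,filter -S system_call -F field=value -k key_name.
    Returns a dict; raises ValueError describing the first problem found."""
    tokens = shlex.split(line)
    if len(tokens) % 2:
        raise ValueError(f"{tokens[-1]!r} has no argument")
    rule = {"action": None, "list": None, "syscalls": [], "fields": [], "key": None}
    for flag, arg in zip(tokens[::2], tokens[1::2]):
        if flag == "-a":
            first, _, second = arg.partition(",")
            # auditctl accepts both action,list and list,action
            action, lst = (first, second) if first in ACTIONS else (second, first)
            if action not in ACTIONS or lst not in LISTS:
                raise ValueError(f"-a expects action,filter with action in {sorted(ACTIONS)} "
                                 f"and filter in {sorted(LISTS)}, got {arg!r}")
            rule["action"], rule["list"] = action, lst
        elif flag == "-S":
            rule["syscalls"].extend(arg.split(","))
        elif flag == "-F":
            if not any(op in arg for op in FIELD_OPERATORS):
                raise ValueError(f"-F expects field=value, got {arg!r}")
            rule["fields"].append(arg)
        elif flag == "-k":
            rule["key"] = arg
        else:
            raise ValueError(f"unsupported flag {flag!r}; only -a, -S, -F and -k are documented")
    if rule["action"] is None:
        raise ValueError("rule must contain -a action,filter")
    return rule


def validate_custom_audit_rules(text):
    """Check a block of rules, one per line (blank lines and # comments are skipped).
    Returns (parsed_rules, problems); an empty problems list means the block is acceptable."""
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    rules, problems = [], []
    if len(lines) > MAX_CUSTOM_RULES:
        problems.append(f"{len(lines)} rules exceed the limit of {MAX_CUSTOM_RULES}")
    for number, line in enumerate(lines, 1):
        try:
            rules.append(parse_audit_rule(line))
        except ValueError as err:
            problems.append(f"line {number}: {err}")
    return rules, problems


# Constructed sample rules, not taken from any real configuration.
SAMPLE_RULES = """\
# two acceptable rules followed by two that the checker rejects
-a always,exit -S execve -F euid=0 -k root_exec
-a always,exit -S openat,open -F dir=/etc -F perm=wa -k etc_changes
-a sometimes,exit -S connect -k bad_action
-w /etc/passwd -p wa -k passwd_watch
"""

if __name__ == "__main__":
    parsed, found = validate_custom_audit_rules(SAMPLE_RULES)
    print(f"{len(parsed)} rules parsed")
    print(*found, sep="\n")
```

Note that a rule can be well-formed and still be ignored on the endpoint: as the text above states, custom auditd rules are not used while eBPF is enabled.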

After you have deployed recorder configurations, you can view events that occur on the endpoints where you have applied the configuration. See Connecting to live endpoints and exploring data.

Create stream configurations

Stream provides the ability to gather large amounts of data from endpoints and send it to an external destination. Stream configurations enable you to specify and filter recorder events for the endpoints in an environment, and provide instructions for exporting, or streaming, these events directly to a SIEM in JSON format for analysis. For example, you can specify that all network events that match one or more filters be streamed to Chronicle, Splunk, or Elastic to perform further data analysis or forensic investigation outside of Tanium.

  1. From the Threat Response menu, click Management > Configurations. Click Create > Stream. Provide a name and description for the stream configuration.
  2. Select a Management Method. You can manually provide configuration parameters, or upload a JSON file with configuration parameters for a stream configuration. Select either Manual or File Upload. If you select File Upload, click Browse for File and select a JSON file to upload. The JSON file contains the configuration parameters for the stream configuration. If you select Manual, complete the following tasks.
  3. In the Configuration section, select a Destination Type. The Destination Type you select determines the additional required configuration settings that you are prompted to provide.

    Chronicle

    • Chronicle Configuration URL - The URL to configure Chronicle. The provided URL must be complete and begin with HTTPS://.
    • API Key - The API key that is used to authenticate calls.
    • Customer ID - The Chronicle customer ID for your environment.

    ELK

    • URL - URL for Logstash HTTP input.
    • Trust Certificate - Select to secure the connection to ELK with TLS.

    Splunk HEC

    • URL - The URL to access the Splunk REST API.
    • Authorization Token - The authorization token to access your Splunk environment. Do not include the Splunk prefix in this token.
    • Trust Certificate - Select to secure the connection to Splunk with TLS.

    Splunk TCP

    • Host - The fully-qualified Splunk host domain name.
    • Port - The port for the stream communication to the host.

    Select Dry Run if you want to collect statistics about the data that would be streamed to the destination, but not actually send data.

    By default, Dry Run is enabled when you create a stream configuration. Analyze the amount of event data that would be streamed to a destination before you deselect Dry Run. Dry Run is an effective end-to-end test for Stream configurations and tests the access to the URL you provide for a destination. While this setting is enabled, no data is streamed to a destination; it must be disabled for data streaming to occur.

    You can use the Threat Response - Daily Stream Stats sensor to gain an understanding of the amount of data that would be sent.

  4. In the Event Types subsection, select the event types that you want to stream. For more information on event types, see event types.
  5. In the Advanced subsection, select Filter Tanium Processes to filter all Tanium Client processes, and all child processes of the Tanium Client in the recorded events. For example, if the Tanium Client starts Python to run a sensor, this is filtered from the recorded events.
  6. In the Filters section, click Manage Filters to add filters to use in the stream configuration. Only filters that have already been created are available to select. See Create filters for more information on filter creation. When you have selected the filters that you want to add to the configuration, click Apply. In the Filters section, designate the method you want to apply for each set of filters. Select either Include or Exclude. See Create filters for more information on filter methods.
  7. Click Save.

Create filters

Filters provide a way to define the event information to record to reduce performance impacts and enable quick event identification. Filters are applied in index, recorder, and stream configurations and are created for specific types of recorder events. Threat Response provides a default set of filters for each type of recorder event that you can use in configurations. You can also create your own filters. You can either include or exclude filters. The Include method of filtering enables you to replace the default filter to only include the filters you specify to reduce performance impact and enable quick event identification. The Exclude method of filtering prevents events that match the criteria you provide from recording.

Filters are constructed in Signals syntax. You cannot have more than 24 unique terms in a Signal.

If a configuration enables the process, file, and network event types but an include filter includes only process events, no file or network events are recorded. When you use an include filter for network events, the associated process events are automatically included.

Include filters do not support negated (not) conditions. If you use an include filter in a configuration, no default include filters for other filter types are provided.

  1. From the Threat Response menu, click Management > Filters. Click Create.
  2. Select a Filter Type.

    File

    File filters define criteria for files to record when path or operation values match.

    High Priority Path

    Threat Response uses Index to scan the entire disk on an endpoint at regular intervals that typically occur between once a day and once a week. Index does not use recorder events to update file data across the entire disk. It is common to want more frequent updates for files in certain regions of the disk. To provide this visibility, in addition to the baseline disk scan, Threat Response enables you to specify high priority paths that use recorder events to update data and also scans every 24 hours by default. To change the default setting:

    1. From the Main menu, click Modules > Threat Response to open the Threat Response Overview page.
    2. Click Settings and open the Service tab.
    3. In the Misc section provide a value (in hours) for the High Priority Path Scanning for Index Configurations (Hours) setting.
    4. Click Save.

    A high priority path must include a file.path starts with clause in Tanium signal syntax. Escape backslash characters in paths. For example, use C:\\Users\\Administrator to make C:\Users\Administrator a high priority path.

    • Supported: file.path starts with 'C:\\Users\\Administrator'
    • Unsupported: file.path starts with 'C:\'

    A high priority path, in addition to the file.path starts with clause, can specify one or more file.path ends with clauses to narrow the file types to inspect.

    • Supported: file.path starts with 'C:\\Users\\Administrator' and file.path ends with '.dat'
    • Supported: file.path starts with 'C:\\Windows\\System32' and file.path ends with '.dll' and file.path ends with '.exe'
    • Unsupported: file.path ends with '.dat'

    A high priority path can include one wildcard, indicated by an asterisk, in the starts with clause. The wildcard must appear two or more levels deeper than the disk root.

    • Supported: file.path starts with 'C:\\Users\\*\\Downloads'
    • Unsupported: file.path starts with 'C:\*\Tanium'
    • Unsupported: file.path starts with '*:\Program Files'

    Image

    Image filters define criteria for image events to record when path, hash, or signature values match.

    Network

    Network filters define criteria for network events to record when a match is made for a defined IP address, port, or DNS query.

    Process

    Process filters exclude events based on the process path, hash, user name, user group, or command-line.

    Registry

    Registry filters define criteria for Windows registry events to record when specific key-value pairs match.

    System File

    System File filters provide paths of files or operations to match or filter from the Linux audit daemon (auditd) logging. Exclude system files from recording to reduce the performance impact on Linux endpoints with high activity levels.


  3. Select an Operating System. Provide a name and description for the filter.
  4. In the Filter Definition section, click Filter Builder.
  5. Click Add. Select a type, a property, and condition. The available properties and conditions differ for each filter type. You can use properties and conditions to create logical patterns for matching specific events. You can add multiple statements to each filter. For each statement that you add, specify a logical and or a logical or to define the relationship of the statements in a filter. The following table provides a reference for properties and conditions for each filter type.
    In the table, "string conditions" stands for is, is not, contains, contains not, starts with, starts with not, ends with, and ends with not.

    Type | Property | Supported Conditions | Comments
    ---- | -------- | -------------------- | --------
    File | operation | is, is not | One of create, write, open_write, rename, or delete.
    File | path | string conditions | The full path to the file.
    Process | path | string conditions | The full path to the process executable.
    Process | hash | is, is not | The MD5 hash of the process executable file.
    Process | command line | string conditions | The full command line of the process.
    Process | user name | string conditions | The user name executing the process.
    Process | user group | string conditions | The user group or domain of the user executing the process.
    Process | parent path | string conditions | The full path to the parent process file.
    Process | parent command line | string conditions | The full command line of the parent process.
    Process | ancestry path | string conditions | The full path to any of the parent processes.
    Process | ancestry hash | is, is not | The MD5 hash of any of the parent processes.
    Process | ancestry command line | string conditions | The full command line of any of the parent processes.
    Process | ancestry user name | string conditions | The user name executing any of the parent processes.
    Process | ancestry user group | string conditions | The user group or domain of the user executing any of the parent processes.
    Process | signature status | is, is not | One of verified, unverified, or no_signature.
    Process | signature issuer | string conditions | The signature issuer of the process.
    Process | signature subject | string conditions | The signature subject of the process.
    Network | address | string conditions | The IPv4 remote address.
    Network | port | string conditions | The remote port number. Ports that you specify in Network Events match the destination port. The destination port is the port to which a connection is made on the targeted host.
    Network | dns query | string conditions | The hostname requested for DNS resolution.
    Registry | key path | string conditions | The full path to the registry key, including the full hive name.
    Registry | value name | string conditions | The registry value name.
    Image | path | string conditions | The full path to the file.
    Image | hash | is, is not | The MD5 hash.
    Image | signature status | is, is not | One of verified, unverified, or no_signature.
    Image | signature issuer | string conditions | The signature issuer of the process.
    Image | signature subject | string conditions | The signature subject of the process.
    System File | path | string conditions | The full path to the file.
    System File | operation | is, is not | One of create, write, open_write, rename, or delete.

    Property values can be an integer, a simple alphanumeric string, or a more complex string that includes other characters, such as spaces, backslashes, and hex-encoded values. Property values do not support regular expressions or wildcards. On Windows platforms, property values are not case-sensitive; for example, TaniumClient and taniumclient have the same effect. To create patterns for properties that start with, contain, or end with a value, use conditions and add additional statements to filters. For values with non-alphanumeric characters or spaces, enclose the value in single quotes. To escape special characters within the single quotes, the following sequences are supported:

    • \r For carriage return
    • \n For newline
    • \t For tab
    • \\ For the backslash itself
    • \' For a single quote within the quotes
    • \x To allow a single-byte hex-encoded sequence. For example \x20 would translate to a single space.

    The hex-encoding is required to handle UTF-8 characters outside of the single-byte character set. Any UTF-8 character can be added via the hex-encoding, if needed.

    For full details about the supported objects, properties, and conditions, see the engine documentation.

    The following sample expressions demonstrate combined expressions, precedence, and escaped special characters:

    • process.command_line contains 'evil' AND process.path starts with 'c:\\windows'
    • (file.path starts with 'c:\\temp' OR file.path ends with '.evil.tmp') AND process.path contains cmd.exe
  6. (Optional) Click Group. Using a group indicates that you intend to match all conditions in the group against a single event. For example, to ensure that matches happen against the same file event, you should group those events. You can then include multiple groups to achieve matches against different events in time. You can use logical AND and logical OR to further refine group behavior.
  7. Click Save.
  8. In the Filters section of a Recorder or Stream configuration, click Include or Exclude next to any filter that you have added to designate the method you want to apply for each set of filters. The Include method of filters enables you to replace the default filter to only include the filters you specify to reduce performance impact and enable quick event identification. For example, for registry events, if you provide one or more registry filters as include, those replace the default include filter of ‘registry’. The Exclude method enables you to effectively prevent events from recording. If a set of filters that you designate to Include contains a specific filter that has been designated to a set of filters to Exclude, a warning displays in the workbench.

    DNS filters are not supported as valid Include filters.
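
The following Python evaluator is an added example, not Tanium's engine or its Signals parser. It shows how the sample expressions in step 5 behave: it tokenizes an expression, decodes the \r \n \t \\ \' and \xHH escapes in quoted values (assembling \x bytes into UTF-8 as described above), builds a tree from parentheses, AND and OR, and evaluates the eight conditions from the property table against events represented as dictionaries keyed by property name (for example process.path). It assumes that AND binds tighter than OR, since the page only shows parentheses as the grouping mechanism, and that a bare value such as cmd.exe is compared literally. The events are constructed.

```python
import re
# Conditions from the filter property table, longest first so "starts with not" is tried before "starts with".
CONDITIONS = ["starts with not", "ends with not", "contains not", "is not",
              "starts with", "ends with", "contains", "is"]
# A token is a parenthesis, a single-quoted value (escapes left raw) or a bare word.
TOKEN_RE = re.compile(r"\s*(?:(?P<lparen>\()|(?P<rparen>\))"
                      r"|(?P<str>'(?:\\.|[^'\\])*')|(?P<word>[^\s()']+))?")

def unquote(token):
    """Decode a quoted value using the documented escapes \\r \\n \\t \\\\ \\' and \\xHH;
    \\xHH is one byte, so the value is assembled as bytes and decoded as UTF-8 at the end."""
    out = bytearray()
    for part in re.split(r"(\\x..|\\.)", token[1:-1]):
        if part.startswith("\\x"):
            out.append(int(part[2:], 16))
        elif part.startswith("\\"):  # KeyError for an escape the page does not list
            out += {"r": b"\r", "n": b"\n", "t": b"\t", "\\": b"\\", "'": b"'"}[part[1]]
        else:
            out += part.encode("utf-8")
    return out.decode("utf-8")

def tokenize(text):
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if m.end() == pos:  # nothing consumed, for example an unterminated quote
            raise ValueError(f"cannot tokenize {text[pos:pos + 12]!r}")
        pos = m.end()
        if m.lastgroup:
            tokens.append((m.lastgroup, m.group(m.lastgroup)))
    return tokens

class Signal:
    """Parse an expression and match it against event dicts keyed by property name
    (for example "process.path"). Precedence: parentheses, then AND, then OR (an assumption)."""
    def __init__(self, text, case_insensitive=True):
        self.tokens, self.pos, self.ci = tokenize(text), 0, case_insensitive
        try:
            self.tree = self._expr()
        except IndexError:  # ran off the end of the token list
            raise ValueError("incomplete expression") from None
        if self.pos != len(self.tokens):
            raise ValueError(f"unexpected token {self.tokens[self.pos][1]!r}")

    def _word_at(self, offset, word):
        i = self.pos + offset
        return i < len(self.tokens) and self.tokens[i][0] == "word" and self.tokens[i][1].lower() == word

    def _expr(self, level=0):  # level 0 is a left-associative OR chain of level-1 AND chains
        word, operand = ("or", "and")[level], (lambda: self._expr(1)) if level == 0 else self._term
        node = operand()
        while self._word_at(0, word):
            self.pos += 1
            node = (word, node, operand())
        return node

    def _term(self):
        kind, val = self.tokens[self.pos]
        self.pos += 1
        if kind == "lparen":
            node = self._expr()
            if self.tokens[self.pos][0] != "rparen":
                raise ValueError("missing ')'")
            self.pos += 1
            return node
        prop = val.lower()
        cond = next((c for c in CONDITIONS
                     if all(self._word_at(i, w) for i, w in enumerate(c.split()))), None)
        if cond is None:
            raise ValueError(f"no condition after {prop!r}")
        self.pos += len(cond.split())
        kind, val = self.tokens[self.pos]
        self.pos += 1
        return ("cmp", prop, cond, unquote(val) if kind == "str" else val)

    def matches(self, event, node=None):
        node = node or self.tree
        if node[0] in ("and", "or"):
            results = (self.matches(event, node[1]), self.matches(event, node[2]))
            return all(results) if node[0] == "and" else any(results)
        _, prop, cond, value = node
        actual = str(event.get(prop, ""))
        if self.ci:  # Windows property values are not case-sensitive
            actual, value = actual.lower(), value.lower()
        negated = cond.endswith(" not")
        base = cond[:-4] if negated else cond
        hit = {"is": actual == value, "contains": value in actual,
               "starts with": actual.startswith(value), "ends with": actual.endswith(value)}[base]
        return hit != negated

SAMPLE_EVENTS = [  # constructed sample events, not recorder output
    {"process.path": r"C:\Windows\System32\cmd.exe", "process.command_line": "cmd.exe /c evil.bat",
     "file.path": r"C:\Temp\dropper.bin"},
    {"process.path": r"C:\Program Files\Editor\editor.exe", "process.command_line": "editor.exe caf\u00e9.txt",
     "file.path": r"C:\Users\alice\report.evil.tmp"},
]

def matching_events(signal_text, events=SAMPLE_EVENTS):
    sig = Signal(signal_text)
    return [i for i, ev in enumerate(events) if sig.matches(ev)]
```

matching_events returns the indexes of SAMPLE_EVENTS that satisfy an expression. The precedence assumption becomes visible with an expression of the form A OR B AND C, which this evaluator reads as A OR (B AND C); when an include or exclude filter depends on the grouping, write the parentheses explicitly as the sample expressions above do.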

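As an added example, not Tanium's own validation, the following Python function checks a proposed high priority path against the rules listed under High Priority Path in step 2: the text must contain a file.path starts with clause, backslashes must be escaped, at most one wildcard is allowed, and the wildcard must sit two or more levels below the disk root. The check that the path names something below the disk root is inferred from the unsupported 'C:\' example rather than stated on the page, and treating '/' as a separator so that Linux paths get the same depth rule is an assumption.

```python
import re

# The clauses a high priority path may contain: file.path starts with '...' and file.path ends with '...'.
CLAUSE_RE = re.compile(r"file\.path\s+(starts with|ends with)\s+'([^']*)'", re.IGNORECASE)


def path_components(raw):
    """Split the quoted path text into components.
    Doubled backslashes (\\\\) and '/' are separators; a lone backslash is treated as a
    separator too but reported, because the page requires backslashes to be escaped."""
    comps, cur, unescaped, i = [], "", False, 0
    while i < len(raw):
        if raw[i] == "\\":
            if raw[i + 1:i + 2] == "\\":
                i += 1  # escaped pair: skip the second backslash
            else:
                unescaped = True
            comps.append(cur)
            cur = ""
        elif raw[i] == "/":
            comps.append(cur)
            cur = ""
        else:
            cur += raw[i]
        i += 1
    comps.append(cur)
    return comps, unescaped


def check_high_priority_path(signal_text):
    """Return the reasons the text is not a valid high priority path; an empty list means supported."""
    problems = []
    clauses = CLAUSE_RE.findall(signal_text)
    starts = [raw for cond, raw in clauses if cond.lower() == "starts with"]
    if not starts:
        return ["a high priority path must include a file.path starts with clause"]
    for raw in starts:
        comps, unescaped = path_components(raw)
        if unescaped:
            problems.append(f"backslashes in {raw!r} must be escaped as \\\\")
        if not any(comps[1:]):  # nothing below the disk root, as in 'C:\' (inferred from the page)
            problems.append(f"{raw!r} must name a directory below the disk root")
        if raw.count("*") > 1:
            problems.append(f"{raw!r} may contain at most one wildcard")
        depth = next((i for i, c in enumerate(comps) if "*" in c), None)
        if depth is not None and depth < 2:
            problems.append(f"the wildcard in {raw!r} must be two or more levels below the disk root")
    return problems


if __name__ == "__main__":
    for candidate in (r"file.path starts with 'C:\\Users\\*\\Downloads'",
                      r"file.path starts with 'C:\*\Tanium'"):
        print(candidate, "->", check_high_priority_path(candidate) or "supported")
```
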
Import and export configurations and filters

Import and export configurations and filters to apply them in a different Threat Response environment. For example, you can export configurations or filters that you have tested from a lab environment and import them into a production environment. With the exception of index configurations, both configurations and filters are imported and exported exclusively as JSON files.

The import/export format for filters has changed in Threat Response version 2.5. You cannot export filters from Threat Response versions earlier than 2.5 and import them on Threat Response versions equal to or greater than Threat Response 2.5. Similarly, you cannot export filters from Threat Response versions equal to or greater than Threat Response 2.5 and import them on Threat Response versions earlier than 2.5.

Export configurations

  1. From the Threat Response menu, click Management > Configurations.
  2. Click Import/Export. Select Export All.
  3. On the export page, provide a name and click Export. All of the configurations in the Threat Response environment are exported.

Export filters

  1. From the Threat Response menu, click Management > Filters.
  2. Click Export All.
  3. On the export page, provide a name and click Export. All of the filters in the Threat Response environment are exported.

Import configurations

  1. From the Threat Response menu, click Management > Configurations.
  2. Click Import/Export. Select Import JSON and browse to a JSON file.
  3. Click Import.

Import filters

  1. From the Threat Response menu, click Management > Filters.
  2. Click Import. Browse to a JSON file.
  3. Click Import.