This documentation includes content for releases that might not be available on-premises. For the latest on-premises Threat Response documentation, see the PDF version of Tanium™ Threat Response User Guide version 4.0.1088.
Creating profiles
Overview
Profiles combine configurations and apply them to one or more computer groups. Create and apply profiles to provide the most relevant Threat Response capabilities to specific groups of endpoints. For example, you can create profiles that apply configurations for such groups as:
- Endpoint type, such as servers or employee workstations
- Endpoint location, such as by country or time zone
- Endpoint priority, such as business-critical endpoints
- Endpoint configuration needs, such as VDI endpoints
The Profiles page displays all the profiles that are available to use with Threat Response. Threat Response provides default profiles that feature commonly used configurations as examples. While you cannot edit default profiles, you can duplicate them and create a version that you can customize. For each profile, you can view a description and the computer groups that have the profile assigned. Profiles display as Deployed, New, Updated, or Deploying.
- Deployed: Indicates that the profile is currently in use on one or more computer groups and that no changes have been made to the profile settings.
- New: Indicates that the profile has never been deployed to endpoints.
- Updated: Indicates that the profile is in use but there are pending changes that cannot take effect until the profile is deployed again.
- Deploying: Indicates that the profile is in the process of being deployed to endpoints.
Create a profile
Create a profile to manage configurations for deployment to one or more computer groups.
- From the Threat Response menu, click Management > Profiles. Click Create Profile. Provide a name and description for the profile.
- In the Computer Groups section, click Manage to add the computer groups to which you want to deploy the Threat Response configurations. Computer groups that you have associated with custom tags provide advantages over common computer groups such as All Computers or All Windows. By using custom tags, you can take advantage of profile prioritization in Threat Response without changing the profiles themselves, for example, without needing to redeploy the profiles after membership changes are made.
Manual computer groups are not supported.
- In the Detection, Index, Recorder, and Stream sections, select Enable if you want to enable the respective component for the profile. If you select Enable, select an available configuration. A summary of the configuration is available to preview. If you need to make changes to the configuration, click Edit.
When a detection configuration is not enabled, you can still perform on-demand scans. To fully disable detection from running on endpoints, create and enable a detection profile and configure a complete blackout window.
If any component of an active profile is not configured, the implications are as follows:

| Configuration | Implication |
| --- | --- |
| Detection | If the Intel component of an active Threat Response profile is not configured, intel documents are still updated on endpoints. However, intel is not used by Threat Response to generate alerts. On-demand scans are still evaluated if the endpoint is part of a targeted group and is not within a blackout window. To prevent on-demand scans from evaluating, specify a detection configuration with a 24/7 blackout scan window. |
| Recorder | If the recorder component of an active Threat Response profile is not configured, the TaniumClient process continues running. However, the recorder does not record activity on endpoints in the action group. On Linux endpoints, the auditd and audispd processes restart when a configuration is added or changed. Ensure that the Track Changes setting is not enabled in an Index configuration, or the recorder could become enabled. |
| Index | If the index component of an active Threat Response profile is removed, Index continues to be deployed to endpoints; however, Threat Response does not perform Index tasks. |
| Stream | No data is streamed to a destination outside of Tanium. |

- Click Save.
Prioritize profiles
A computer group can have one assigned profile. However, an endpoint can be a member of multiple computer groups. If an endpoint is a member of multiple computer groups, the profile with the highest priority is applied to that endpoint. If another user updates profiles before the prioritization of profiles can complete, the prioritization is reset.
- From the Threat Response menu, click Management > Profiles.
- Click Prioritize.
- Arrange the profiles in priority order. The profile with priority number one (1) has the highest priority.
- Click Save.
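The prioritization rule above (an endpoint in several computer groups receives the highest-priority profile that targets any of its groups, and an endpoint in no targeted group receives no profile) is easy to get wrong when groups overlap. The following is an added model of that rule, not Tanium code or API; the profile and endpoint data are constructed, and the component names are assumptions. It shows how to audit which profile each endpoint actually ends up with and which endpoints lose a component, such as the recorder, because a higher-priority profile does not enable it.

```python
"""Model of Threat Response profile prioritization (constructed example, not Tanium code).

Rules from the page: each computer group has at most one assigned profile; an
endpoint in several groups gets the profile with the highest priority (priority 1
is highest). Endpoints that fall into no targeted group get no profile at all.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    name: str
    priority: int        # 1 = highest priority
    groups: frozenset    # computer groups the profile targets
    enabled: frozenset   # assumed component names: detection, index, recorder, stream


def effective_profile(endpoint_groups, profiles):
    """Return the profile that applies to an endpoint, or None if no profile targets it."""
    candidates = [p for p in profiles if p.groups & set(endpoint_groups)]
    if not candidates:
        return None
    return min(candidates, key=lambda p: p.priority)


def coverage_gaps(endpoints, profiles, required=("detection", "recorder")):
    """List (endpoint, reason) pairs for endpoints that lack a required component."""
    gaps = []
    for host, groups in endpoints.items():
        profile = effective_profile(groups, profiles)
        if profile is None:
            gaps.append((host, "no profile"))
            continue
        for component in required:
            if component not in profile.enabled:
                gaps.append((host, f"{profile.name} disables {component}"))
    return gaps


# Constructed sample data: a lightweight VDI profile outranks the broad All Windows profile.
PROFILES = [
    Profile("vdi-light", 1, frozenset({"VDI"}), frozenset({"detection"})),
    Profile("servers-full", 2, frozenset({"Servers"}), frozenset({"detection", "index", "recorder"})),
    Profile("all-windows", 3, frozenset({"All Windows"}), frozenset({"detection", "recorder"})),
]
ENDPOINTS = {
    "vdi-01": ["VDI", "All Windows"],
    "db-01": ["Servers", "All Windows"],
    "lab-01": ["Lab"],
    "ws-01": ["All Windows"],
}

if __name__ == "__main__":
    for host, reason in coverage_gaps(ENDPOINTS, PROFILES):
        print(f"{host}: {reason}")
```

Run the audit after any reprioritization: vdi-01 silently loses the recorder because the VDI profile wins, and lab-01 has no profile at all.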
Deploy a profile
Deploy a profile to enable the functionality of Threat Response on all of the endpoints in the computer groups that the profile targets. A user must have management group rights to all computer groups in all profiles being deployed. When deploying profiles using the system user service, a user must have either unrestricted management rights or rights to All Computers.
Confirm that all packages are cached before you deploy a profile. A ribbon appears on the profiles page if you attempt to deploy a profile prior to all packages being cached. Click the ribbon to view details about the state of package caching.
When you deploy a profile, all of the configuration information you have assigned in a profile is deployed to endpoints. The order in which the components of a profile deploy is the profile information, the Threat Response tools, and finally intel.
- From the Threat Response menu, click Management > Profiles.
- Select one or more profiles to deploy and click Action > Deploy.
Profile deployment is not part of a scheduled action. You need to deploy a profile in order for Threat Response capabilities to function on endpoints.
- Enter your password to confirm the deployment. Click OK.
If the account of the Tanium Administrator who last edited a profile is disabled for any reason, the profiles that administrator edited are displayed as Not Configured. In such a situation you can enable the Deploy as Service Account setting. Click Settings > Service > Misc and select Deploy as Service Account to use the service account to deploy profiles. Selecting this setting causes Threat Response to ignore the user permissions you have configured: any user that can create or deploy profiles can deploy profiles to any computer group.
Deploy intel
Before you deploy intel, ensure that you have thoroughly tested intel to verify that:
- The intel matches on what you expect
- The intel does not match a high number of false positives
See Testing Intel for deployment for more information.
Configure the intel deployment setting
- From the Threat Response overview page, click Settings.
- On the Service tab, click Intel. Make intel package selections:
- Intel Package Publication Interval: Specifies how frequently the intel documents and labels are pushed to the endpoints (Default: 24 hours).
- Click Save.
Immediately deploy intel to endpoints
Intel is automatically published to the endpoints on a regular interval. If a situation requires it, you can manually push the intel documents and Signals to the endpoints.
- Click Management > Profiles.
- Click Deploy Intel.
Assign the Threat Response Intel Deploy Approval Bypass permission to roles that deploy intel to bypass approvals for intel.
Last updated: 6/6/2023 5:46 PM