Creating profiles


Profiles combine configurations and apply them to one or more computer groups. Create and apply profiles to provide the most relevant Threat Response capabilities to specific groups of endpoints. For example, you can create profiles that apply configurations for such groups as:

  • Endpoint type, such as servers or employee workstations
  • Endpoint location, such as by country or time zone
  • Endpoint priority, such as business-critical endpoints
  • Endpoint configuration needs, such as VDI endpoints

The Profiles page displays all the profiles that are available to use with Threat Response. For each profile, you can view a description and the computer groups that have the profile assigned. Profiles display as Active, Inactive, Outdated, or Pending.


  • Active: Indicates that the profile is currently in use on one or more computer groups and that no changes have been made to the profile settings
  • Inactive: Indicates that the profile has never been deployed to endpoints
  • Outdated: Indicates that the profile is in use but there are pending changes that cannot take effect until the profile is deployed again
  • Pending: Indicates that the profile is in the process of being deployed to endpoints

Create a profile

Create a profile to manage configurations for deployment to one or more computer groups.

  1. From the Threat Response menu, click Management > Profiles. Click Create Profile. Provide a name and description for the profile.
  2. In the Computer Groups section, click Manage to add the computer groups to which you want to deploy the Threat Response configurations.

    Manual computer groups are not supported.

  3. Configure the Advanced Settings for the profile.
  4. In the Intel, Engine, Recorder, and Index sections, select Enable if you want to enable the respective component for the profile. If you select Enable, select an available configuration. A summary of the configuration is available to preview. If you need to make changes to the configuration, click Edit.

    If any component of an active profile is not configured, the implications are as follows:

    Intel: If the Intel component of an active Threat Response profile is not configured, intel documents are still updated on endpoints. However, intel is not used by the engine to generate alerts.

    Engine: If the engine component of an active Threat Response profile is not configured, the TaniumDetectEngine process continues to run. However, intel documents are not processed. Quick Scans are evaluated if the endpoint is part of a targeted group and is not within a blackout window. An engine configuration should be specified with a 24/7 blackout scan window to prevent Quick Scans from evaluating.

    Recorder: If the recorder component of an active Threat Response profile is not configured, the TaniumClient.exe process continues running. However, the recorder does not record activity on endpoints in the action group.

    On Linux endpoints, the auditd and audispd processes restart.

    On Windows endpoints, the DisableExtension_recorder is set in HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Tanium\Tanium Client.

    Index: If the index component of an active Threat Response profile is removed, the TaniumEndpointIndex process stops if currently running, and does not restart when the revised profile is deployed.

  5. Click Save.

Prioritize profiles

A computer group can have one assigned profile. However, an endpoint can be a member of multiple computer groups. If an endpoint is a member of multiple computer groups, the profile with the highest priority is applied to that endpoint.

  1. From the Threat Response menu, click Management > Profiles.
  2. Click Prioritize.
  3. Order the profiles in the order of their priority. The profile with the priority number of one (1) has the highest priority.
  4. Click Save.
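
The priority rule above interacts with the per-component implications listed under "Create a profile": an endpoint that belongs to several computer groups receives only the highest-priority profile, so a component enabled in a lower-priority profile never reaches it. The following added example (not Tanium code and not a Tanium API) models that resolution offline; the Profile data model and all profile, group and host names are assumptions constructed for illustration.

```python
from dataclasses import dataclass

COMPONENTS = ("intel", "engine", "recorder", "index")
# Consequences of an unconfigured component, paraphrased from "Create a profile".
IMPLICATIONS = {
    "intel": "intel is not used by the engine to generate alerts",
    "engine": "intel documents are not processed",
    "recorder": "the recorder does not record activity on the endpoint",
    "index": "TaniumEndpointIndex stops and does not restart",
}

@dataclass(frozen=True)
class Profile:               # hypothetical model, not the product's schema
    name: str
    priority: int            # 1 is the highest priority
    groups: frozenset        # computer groups the profile is assigned to
    enabled: frozenset       # components that have a configuration selected

def effective_profile(endpoint_groups, profiles):
    """Return the profile applied to an endpoint, or None if none targets it."""
    candidates = [p for p in profiles if p.groups & set(endpoint_groups)]
    return min(candidates, key=lambda p: p.priority, default=None)

def coverage_gaps(endpoints, profiles):
    """Map each endpoint to (effective profile name, components left off)."""
    report = {}
    for host, groups in endpoints.items():
        profile = effective_profile(groups, profiles)
        enabled = profile.enabled if profile else frozenset()
        missing = [c for c in COMPONENTS if c not in enabled]
        report[host] = (profile.name if profile else None, missing)
    return report

# Constructed sample data; each computer group has exactly one assigned profile.
PROFILES = [
    Profile("Servers - full", 1, frozenset({"All Servers"}), frozenset(COMPONENTS)),
    Profile("VDI - light", 2, frozenset({"VDI"}), frozenset({"intel", "engine"})),
    Profile("Workstations", 3, frozenset({"All Windows"}),
            frozenset({"intel", "engine", "recorder"})),
]
ENDPOINTS = {
    "srv-db01": ["All Servers", "All Windows"],
    "vdi-0042": ["VDI", "All Windows"],   # loses the recorder to priority 2
    "kiosk-7": ["Kiosks"],                # no profile targets this group
}

if __name__ == "__main__":
    for host, (name, missing) in coverage_gaps(ENDPOINTS, PROFILES).items():
        print(f"{host}: profile={name}")
        for comp in missing:
            print(f"  {comp} not configured: {IMPLICATIONS[comp]}")
```

Running a check like this against an export of your own profile assignments before reordering priorities shows which endpoints would lose recording or detection as a side effect.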

Deploy a profile

Deploy a profile to enable the functionality of Threat Response on all of the endpoints in the computer groups that the profile targets.

When you deploy a profile, all of the configuration information you have assigned in a profile is deployed to endpoints. The order in which the components of a profile deploy is the profile information, the Threat Response tools, and finally intel.

  1. From the Threat Response menu, click Management > Profiles.
  2. Select one or more profiles to deploy and click Action > Deploy.

    Profile deployment is not part of a scheduled action. You need to deploy a profile in order for Threat Response capabilities to function on endpoints.

  3. Enter your password to confirm the deployment. Click OK.

Deploy intel

Deploy intel to all of the endpoints in the Threat Response action group. An intel package contains the intel to investigate on the endpoint. Intel packages can be a sync package (all intel) or a delta package (new intel since previous sync or delta package). When intel is updated, a delta intel package is pushed to the endpoints. The name of this update package contains the word Delta, for example: Intel for Windows Revision 51 Delta. After the configured Intel Package Publication Max Deltas (default: 10), a sync package is deployed again.

Configure the intel deployment settings

  1. From the Threat Response home page, click Settings.
  2. On the Service tab, click Intel. Make intel package selections:
    • Intel Package Publication Interval: Specifies how frequently the intel documents and labels are pushed to the endpoints (Default: 24 hours).
    • Intel Deployment Distribute Over Time: Specifies how long the deployment action can take (Default: 20 minutes).
    • Intel Package Publication Max Deltas: Specifies the maximum number of delta packages that can be deployed before a baseline (full sync) package must be deployed (Default: 10).
  3. Click Save.

Immediately deploy intel to endpoints

Intel is automatically published to the endpoints on a regular interval. If a situation requires it, you can manually push the intel documents and Signals to the endpoints.

  1. Click Management > Profiles.
  2. Click Deploy Intel.

Last updated: 9/17/2019 1:47 PM