Installing Threat Response

Tanium as a Service automatically handles module installations and upgrades.

For information about configuring Threat Response for Tanium as a Service (TaaS), see Configuring Threat Response.

Use the Solutions page to install Threat Response and choose between automatic and manual configuration:

  • Automatic configuration with default settings(Tanium Core Platform 7.4.2 or later only): Threat Response is installed with any required dependencies and other selected products. After installation, the Tanium Server automatically configures the recommended default settings. This option is the best practice for most deployments. For details about the automatic configuration for Threat Response, see Import Threat Response with default settings.
  • Manual configuration with custom settings: After installing Threat Response, you must manually configure required settings. Select this option only if Threat Response requires settings that differ from the recommended default settings. For more information, see Import Threat Response with custom settings.

Before you begin

  • Read the Release Notes.
  • Review the Threat Response requirements.
  • If you are upgrading from a previous version, see Upgrade the Threat Response version.
  • If the Tanium Server uses a self-signed certificate, you must add localhost to the TrustedHostList.
  • If your environment uses a proxy, you must add localhost to the BypassProxyHostList.
  • Assign the correct roles to users for Threat Response. Review the User role requirements.
    • To import the Threat Response solution, you must be assigned the Administrator reserved role.
    • To configure the Threat Response action group, you must be assigned the Administrator reserved role, Content Administrator reserved role, or a role that has the Action Group write permission.

Import Threat Response with default settings

When you import Threat Response with automatic configuration, the following default settings are configured:

The following default settings are configured for Threat Response:

Setting Default value
Action group
  • Restricted targeting disabled (default): All Computers computer group.
  • Restricted targeting enabled: No Computers computer group.
Service account

The service account is set to the account that you used to import the module.

Configuring a unique service account for each Tanium solution is an extra security measure to consider in consultation with the security team of your organization. See Configure service account.

Tanium Signals are imported.

The following Threat Response profiles are created and deployed to specific computer groups:

Profile Name Intel configuration Engine configuration Recorder Configuration Index Configuration
[Tanium Default] - Windows

Deploys to All Windows computer group.
[Tanium Default] - Linux

Deploys to All Linux computer group.
[Tanium Default] - Mac

Deploys to All Mac computer group.

(Tanium Core Platform 7.4.5 or later only) You can set the Threat Response action group to target the No Computers filter group by enabling restricted targeting before adding Threat Response to your Tanium licenseimporting Threat Response. This option enables you to control tools deployment through scheduled actions that are created during the import and that target the Tanium Threat Response action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

To import Threat Response and configure default settings, be sure to select the Apply Tanium recommended configurations check box while performing the steps in Tanium Console User Guide: Manage Tanium modules. After the import, verify that the correct version is installed: see Verify Threat Response version.

If Tanium Reveal and Tanium Threat Response exist in the same environment, both solutions must be on a version that is running the same architecture of Tanium Index. Threat Response 3.4 and later must be installed in the same environment as Reveal 1.15 and later. Threat Response versions earlier than Threat Response 3.4 can be installed in the same environment as Reveal 1.14 and earlier.

Import Threat Response with custom settings

To import Threat Response without automatically configuring default settings, clear the Apply All Tanium recommended configurations check box while performing the steps under Tanium Console User Guide: Import, re-import, or update specific solutions. After the import, verify that the correct version is installed: see Verify Threat Response version.

To configure the service account, see Configure service account.

To configure the Threat Response action group, see Configure Threat Response action group.

If Client Recorder Extension version 1.x exists on a targeted endpoint, you must remove it before you install Client Recorder Extension version 2.x tools. To target endpoints where Client Recorder Extension version 1.x exists, ask the question: Legacy - Recorder Installed. If the Supported Endpoints column displays No, you must remove Client Recorder Extension version 1.x from the endpoint before you install Client Recorder Extension 2.x tools. To remove Client Recorder Extension version 1.x, deploy the Recorder - Remove Legacy Recorder [Operating System] package to targeted endpoints.

Manage dependencies for Tanium solutions

When you start the Threat Response workbench for the first time, the Tanium Console ensures that all of the required dependencies for Threat Response are installed at the required version. You must install all required Tanium dependencies before the Threat Response workbench can load. A banner appears if one or more Tanium dependencies are not installed in the environment. The Tanium Console lists the required Tanium dependencies and the required versions.

  1. Install the modules and shared services that the Tanium Console lists as dependencies, as described under Tanium Console User Guide: Import, re-import, or update specific solutions.
  2. From the Main menu, go to Modules > Threat Response to open the Threat Response Overview page.

Upgrade the Threat Response version

Upgrade Threat Response to the latest version by importing an update to the solution and migrating any existing intel.

Before you upgrade, use Tanium Health Check to generate a report that you can use to resolve any issues or risks associated with the Tanium environment. Fix any issues reported by Tanium Health Check to mitigate problems that you encounter during an upgrade. You can also use this report to discover opportunities for improving the performance of the Tanium environment. For more information, see Tanium Health Check User Guide: Health Check overview.

If upgrading from version 1.x or earlier, the monitor.db file from the endpoint is deleted after the first prune of recorder.db. If you want to save monitor.db from the endpoint for investigation or for historical reasons, download it from the endpoint before upgrading to Threat Response 2.0. or later.

For the steps to upgrade Threat Response, see Tanium Console User Guide: Manage Tanium modules. After the upgrade, verify that the correct version is installed: see Verify Threat Response version.

If Tanium Reveal and Tanium Threat Response exist in the same environment, both solutions must be on a version that is running the same architecture of Tanium Index. Threat Response 3.4 and later must be installed in the same environment as Reveal 1.15 and later. Threat Response versions earlier than Threat Response 3.4 can be installed in the same environment as Reveal 1.14 and earlier.

When upgrading Threat Response, you can select to automatically upgrade the Threat Response tools package on all of the endpoints in an environment to ensure that the latest version of the Threat Response tools are distributed. When you import Threat Response with automatic configuration this option is configured by default. You can change this upgrade setting if you do not want to automatically upgrade the Threat Response tools on endpoints.

Auto Upgrade is not intended to automatically perform upgrades across major versions.

  1. From the Threat Response overview page, click Settings .
  2. Click Service > Auto Upgrade.
  3. Select or deselect the Create Actions to Automatically Upgrade Threat Response Tools on Endpoints setting.

Verify Threat Response version

After you import or upgrade Threat Response, verify that the correct version is installed:

  1. Refresh your browser.
  2. From the Main menu, go to Modules > Threat Response to open the Threat Response Overview page.
  3. To display version information, click Info Info.