Installing Threat Response

Tanium as a Service automatically handles module installations and upgrades.

Use the Tanium Solutions page to install Threat Response and choose between automatic and manual configuration:

  • Automatic configuration with default settings(Tanium Core Platform 7.4.2 or later only): Threat Response is installed with any required dependencies and other selected products. After installation, the Tanium Server automatically configures the recommended default settings. This option is the best practice for most deployments. For details about the automatic configuration for Threat Response, see Import and configure Threat Response with default settings.
  • Manual configuration with custom settings: After installing Threat Response, you must manually configure required settings. Select this option only if Threat Response requires settings that differ from the recommended default settings. For more information, see Import and configure Threat Response with custom settings.

Before you begin

  • Read the Release Notes.
  • Review the Requirements.
  • If you are upgrading from a previous version, see Upgrade the Threat Response version.
  • If the Tanium Server uses a self-signed certificate, you must add localhost to the TrustedHostList.
  • If your environment uses a proxy, you must add localhost to the BypassProxyHostList.

Import and configure Threat Response with default settings

When you import Threat Response with automatic configuration, the following default settings are configured:

  • The Threat Response service account is set to the account that you used to import the module.
  • The Threat Response action group is set to the computer group All Computers.
  • Tanium Signals are imported.
  • The following Threat Response profiles are created and deployed to specific computer groups:
Profile Name Intel configuration Engine configuration Recorder Configuration Index Configuration
[Tanium Default] - Windows

Deploys to All Windows computer group.
[Tanium Default] - Linux

Deploys to All Linux computer group.
[Tanium Default] - Mac

Deploys to All Mac computer group.

To import Threat Response and configure default settings, be sure to select the Apply Tanium recommended configurations check box while performing the steps in Tanium Console User Guide: Manage Tanium modules. After the import, verify that the correct version is installed: see Verify Threat Response version.

Import and configure Threat Response with custom settings

To import Threat Response without automatically configuring default settings, clear the Apply Tanium recommended configurations check box while performing the steps under Tanium Console User Guide: Manage Tanium modules. After the import, verify that the correct version is installed: see Verify Threat Response version.

Configure service account

The service account is a user that runs several background processes for Threat Response. This user requires the following roles and access:

  • Tanium Administrator or Threat Response Service Account role.
  • (Optional) Connect User role to send Threat Response data to Tanium Connect.
  • If you installed Tanium Client Management, this This user requires the Endpoint Configuration Service Account role. Endpoint Configuration is installed as a part of Tanium Client Management.

For more information about Threat Response permissions, see User role requirements.

  1. From the Main menu, click Modules > Threat Response to open the Threat Response Overview page.
  2. Click Settings and open the Service Account tab.
  3. Update the service account settings and click Save.

Configure Threat Response action group

  1. From the Main menu, go to Administration > Actions > Scheduled Actions.
  2. In the list of action groups, click Tanium Threat Response.
  3. Click Edit, select computer groups to include in the action group, and click Save.

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

Endpoint Configuration is installed as a part of Tanium Client Management. For more information, see the Tanium Client Management User Guide: Installing Client Management.

Additionally you can use Endpoint Configuration to manage configuration approval. For example, configuration changes are not deployed to endpoints until a user with approval permission approves the configuration changes in Endpoint Configuration. For more information about the roles and permissions that are required to approve configuration changes for Threat Response, see User role requirements.

To use Endpoint Configuration to manage approvals, you must enable configuration approvals.

  1. From the Main menu, go to Administration > Shared Services > Endpoint Configuration to open the Endpoint Configuration Overview page.
  2. Click Settings and click the Global tab.
  3. Select Enable configuration approvals, and click Save.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

If Client Recorder Extension version 1.x exists on a targeted endpoint, you must remove it before you install Client Recorder Extension version 2.x tools. To target endpoints where Client Recorder Extension version 1.x exists, ask the question: Legacy - Recorder Installed. If the Supported Endpoints column displays No, you must remove Client Recorder Extension version 1.x from the endpoint before you install Client Recorder Extension 2.x tools. To remove Client Recorder Extension version 1.x, deploy the Recorder - Remove Legacy Recorder [Operating System] package to targeted endpoints.

Migrate Trace and Detect configurations to Threat Response

If you are upgrading to Threat Response from Detect or Trace, any existing Trace and Detect configurations are not automatically migrated when you install the Threat Response solution. You must initiate the migration process.

  1. On the Threat Response overview page, click Help , and then click the Migration tab.
  2. Click Start Migration.
  3. Trace and Detect configuration data is imported. If there are problems with any data migration, the migration reports a failure and a description of the issue that caused the failure. Review the messages on the migration page to resolve any issues.
  4. Confirm that you want to perform the migration.

After you have migrated Trace and Detect data you can remove Trace and Detect data from standalone installations of the Trace and Detect modules.

  1. On the Threat Response overview page, click Help , and then click the Migration tab.
  2. Click Start Cleanup.
  3. Trace and Detect configuration data is removed from the standalone module installations.
  4. Confirm that you want to perform the cleanup.

Set the service account credentials

For recurring maintenance activities, specify a Tanium user with appropriate permissions. The user must be assigned the Threat Response Service Account role.

The service account must be able to access all computer groups that need Threat Response tools.

  1. From the Threat Response home page, click Settings .
  2. In the Service Account tab, provide valid Tanium Server credentials.
  3. Click Submit.

Manage dependencies for Tanium solutions

When you start the Threat Response workbench for the first time, the Tanium console ensures that all of the required dependencies for Threat Response are installed at the required version. You must install all required Tanium dependencies before the Threat Response workbench can load. A banner appears if one or more Tanium dependencies are not installed in the environment. The Tanium Console lists the required Tanium dependencies and the required versions.

  1. From the Main menu, go to Administration > Configuration > Solutions.
  2. Select the required solutions, click Import Selected, and then click Begin Import. When the import is complete, you are returned to the Tanium Solutions page.
  3. From the Main menu, go to Modules > Threat Response to open the Threat Response Overview page after you import all of the required Tanium dependencies.

Upgrade the Threat Response version

Upgrade Threat Response to the latest version by importing an update to the solution and migrating any existing intel.

Before you upgrade, use Tanium Health Check to generate a report that you can use to resolve any issues or risks associated with the Tanium environment. Fix any issues reported by Tanium Health Check to mitigate problems that you encounter during an upgrade. You can also use this report to discover opportunities for improving the performance of the Tanium environment. For more information, see Tanium Health Check User Guide: Health Check overview.

If upgrading from version 1.x or earlier, the monitor.db file from the endpoint is deleted after the first prune of recorder.db. If you want to save monitor.db from the endpoint for investigation or for historical reasons, download it from the endpoint before upgrading to Threat Response 2.0. or later.

For the steps to upgrade Threat Response, see Tanium Console User Guide: Manage Tanium modules. After the upgrade, verify that the correct version is installed: see Verify Threat Response version.

When upgrading Threat Response, you can select to automatically upgrade the Threat Response tools package on all of the endpoints in an environment to ensure that the latest version of the Threat Response tools are distributed. When you import Threat Response with automatic configuration this option is configured by default. You can change this upgrade setting if you do not want to automatically upgrade the Threat Response tools on endpoints.

  1. From the Threat Response overview page, click Settings .
  2. Click Service > Auto Upgrade.
  3. Select or deselect the Create Actions to Automatically Upgrade Threat Response Tools on Endpoints setting.

Verify Threat Response version

After you import or upgrade Threat Response, verify that the correct version is installed:

  1. Refresh your browser.
  2. From the Main menu, go to Modules > Threat Response to open the Threat Response Overview page.
  3. To display version information, click Info Info.

Troubleshoot problems

If you experience problems with installing Threat Response, see Troubleshooting.

Last updated: 11/19/2020 3:34 PM | Feedback