Installing Threat Response

Tanium as a Service automatically handles module installations and upgrades.

Use the Tanium Solutions page to install Threat Response and choose between automatic and manual configuration:

  • Automatic configuration with default settings(Tanium Core Platform 7.4.2 or later only): Threat Response is installed with any required dependencies and other selected products. After installation, the Tanium Server automatically configures the recommended default settings. This option is the best practice for most deployments. For details about the automatic configuration for Threat Response, see Import and configure Threat Response with default settings.
  • Manual configuration with custom settings: After installing Threat Response, you must manually configure required settings. Select this option only if Threat Response requires settings that differ from the recommended default settings. For more information, see Import and configure Threat Response with custom settings.

Before you begin

  • Read the Release Notes.
  • Review the Requirements.
  • If you are upgrading from a previous version, see Upgrade the Threat Response version.
  • If the Tanium Server uses a self-signed certificate, you must add localhost to the TrustedHostList.
  • If your environment uses a proxy, you must add localhost to the BypassProxyHostList.

Import and configure Threat Response with default settings

When you import Threat Response with automatic configuration, the following default settings are configured:

  • The Threat Response service account is set to the account that you used to import the module.
  • The Threat Response action group is set to the computer group All Computers.
  • Tanium Signals are imported.
  • The following Threat Response profiles are created and deployed to specific computer groups:
Profile Name Intel configuration Engine configuration Recorder Configuration Index Configuration
[Tanium Default] - Windows

Deploys to All Windows computer group.
[Tanium Default] - Linux

Deploys to All Linux computer group.
[Tanium Default] - Mac

Deploys to All Mac computer group.

To import Threat Response and configure default settings, be sure to select the Apply Tanium recommended configurations check box while performing the steps in Tanium Console User Guide: Manage Tanium modules. After the import, verify that the correct version is installed: see Verify Threat Response version.

Import and configure Threat Response with custom settings

To import Threat Response without automatically configuring default settings, clear the Apply Tanium recommended configurations check box while performing the steps under Tanium Console User Guide: Manage Tanium modules. After the import, verify that the correct version is installed: see Verify Threat Response version.

Configure service account

The service account is a user that runs several background processes for Threat Response. This user requires the following roles and access:

  • Tanium Administrator or Threat Response Service Account role
  • (Optional) Connect User role to send Threat Response data to Tanium Connect

For more information about Threat Response permissions, see User role requirements.

  1. From the Main menu, click Modules >Threat Response to open the Threat Response Home page.
  2. Click Settings and open the Service Account tab.
  3. Update the service account settings and click Save.

Configure Threat Response action group

  1. From the Main menu, click Actions > Scheduled Actions.
  2. In the list of action groups, click Tanium Threat Response.
  3. Click Edit, select computer groups to include in the action group, and click Save.

Migrate Trace and Detect configurations to Threat Response

If you are upgrading to Threat Response from Detect or Trace, any existing Trace and Detect configurations are not automatically migrated when you install the Threat Response solution. You must initiate the migration process.

  1. On the Threat Response home page, click Help , and then click the Migration tab.
  2. Click Start Migration.
  3. Trace and Detect configuration data is imported. If there are problems with any data migration, the migration reports a failure and a description of the issue that caused the failure. Review the messages on the migration page to resolve any issues.
  4. Confirm that you want to perform the migration.

After you have migrated Trace and Detect data you can remove Trace and Detect data from standalone installations of the Trace and Detect modules.

  1. On the Threat Response home page, click Help , and then click the Migration tab.
  2. Click Start Cleanup.
  3. Trace and Detect configuration data is removed from the standalone module installations.
  4. Confirm that you want to perform the cleanup.

Set the service account credentials

For recurring maintenance activities, specify a Tanium user with appropriate permissions. The user must be assigned the Threat Response Service Account role.

The service account must be able to access all computer groups that need Threat Response tools.

  1. From the Threat Response home page, click Settings .
  2. In the Service Account tab, provide valid Tanium Server credentials.
  3. Click Submit.

Upgrade the Threat Response version

Upgrade Threat Response to the latest version by importing an update to the solution and migrating any existing intel.

Before you upgrade, use Tanium Health Check to generate a report that you can use to resolve any issues or risks associated with the Tanium environment. Fix any issues reported by Tanium Health Check to mitigate problems that you encounter during an upgrade. You can also use this report to discover opportunities for improving the performance of the Tanium environment. For more information, see Tanium Health Check User Guide: Health Check overview.

If upgrading from version 1.x or earlier, the monitor.db file from the endpoint is deleted after the first prune of recorder.db. If you want to save monitor.db from the endpoint for investigation or for historical reasons, download it from the endpoint before upgrading to Threat Response 2.0. or later.

For the steps to upgrade Threat Response, see Tanium Console User Guide: Manage Tanium modules. After the upgrade, verify that the correct version is installed: see Verify Threat Response version.

When upgrading Threat Response, you can select to automatically upgrade the Threat Response tools package on all of the endpoints in an environment to ensure that the latest version of the Threat Response tools are distributed. When you import Threat Response with automatic configuration this option is configured by default. You can change this upgrade setting if you do not want to automatically upgrade the Threat Response tools on endpoints.

  1. From the Threat Response home page, click Settings .
  2. Click Service > Auto Upgrade.
  3. Select or deselect the Create Actions to Automatically Upgrade Threat Response Tools on Endpoints setting.

Verify Threat Response version

After you import or upgrade Threat Response, verify that the correct version is installed:

  1. Refresh your browser.
  2. From the Main menu, go to Modules > Threat Response to open the Threat Response Overview page.
  3. To display version information, click Info Info.

Troubleshoot problems

If you experience problems with installing Threat Response, see Troubleshooting.

What to do next

See Getting started for more information about using Threat Response.

Last updated: 9/9/2020 3:32 PM | Feedback