Installing Threat Response

Import the Threat Response module.

Before you begin

  • Read the Release Notes.
  • Review the Requirements.
  • If the Tanium Server uses a self-signed certificate, you must add localhost to the TrustedHostList.
  • If your environment uses a proxy, you must add localhost to the BypassProxyHostList.

Import Threat Response

Import Threat Response from the Tanium Solutions page.

You must be assigned the Administrator reserved role to import a Tanium solution module or content pack.

  1. From the Main menu, click Tanium Solutions.
  2. Locate Threat Response and click Import.

    A progress bar is displayed while the installation package downloads.

  3. Click Continue. The Import Solution window opens with a list of all the changes and import options. Review the list of categories, saved questions, saved actions, packages, sensors, and content set roles.
  4. Initiate the import. Select Include content set overwrite and click Proceed with Import.

    For more information, see Tanium Core Platform User Guide: Align content for modules.

  5. Enter your password to confirm the installation.
  6. Return to the Tanium Solutions page and review the installed version for Threat Response.

    If you do not see the Threat Response module in the console, refresh your browser.

Migrate Trace and Detect configurations to Threat Response

If you are upgrading to Threat Response from Detect or Trace, any existing Trace and Detect configurations are not automatically migrated when you install the Threat Response solution. You must initiate the migration process.

  1. On the Threat Response home page, click Help, and then click the Migration tab.
  2. Click Start Migration.
  3. Trace and Detect configuration data is imported. If there are problems with any data migration, the migration reports a failure and a description of the issue that caused the failure. Review the messages on the migration page to resolve any issues.
  4. Confirm that you want to perform the migration.

After you have migrated Trace and Detect data, you can remove that data from the standalone installations of the Trace and Detect modules.

  1. On the Threat Response home page, click Help, and then click the Migration tab.
  2. Click Start Cleanup.
  3. Trace and Detect configuration data is removed from the standalone module installations.
  4. Confirm that you want to perform the cleanup.

Add computer groups to the Tanium Threat Response action group

When you import the Threat Response module, an action group is created automatically. You must select the computer groups that are included in the Threat Response group.

  1. From the Main menu, go to Actions > Scheduled Actions.
  2. In the Action Groups pane, select Tanium Threat Response and click Edit.
  3. In the Computer Groups section, select All Computers.
  4. Click Save.
  5. Enter your password to confirm the changes.

Set service settings

Review and edit service settings to customize the Threat Response user experience. From the Threat Response home page, click Settings, and then click Service. Update the service settings and click Save.

Set the service account credentials

For recurring maintenance activities, specify a Tanium user with appropriate permissions. The user must be assigned the Threat Response Service Account role.

The service account must be able to access all computer groups that need Threat Response tools.

  1. From the Threat Response home page, click Settings.
  2. In the Service Credentials tab, provide valid Tanium Server credentials.
  3. Click Submit.


Set certificates

Set the certificate that Threat Response uses to make live connections to endpoints.

  1. From the Threat Response home page, click Settings.
  2. Click Certificate.
  3. Select the types of certificates you want to generate. Click Submit.

Configure Sysmon

The recorder is optimized to use the Tanium Event Recorder Driver on Windows systems. Use the Tanium Event Recorder Driver for the best performance and data reliability. Support for Sysmon is deprecated and will be removed in a future release of Threat Response. Using the Tanium Event Recorder Driver also removes the dependency on a third-party application for capturing events and is much more lightweight. The Tanium Event Recorder Driver has demonstrated no truncation of command lines, tracks parent and child processes more effectively, and offers significant stability advantages.

By default, the Tanium recorder uses the Tanium Event Recorder Driver to capture events on Windows endpoints. If you want to use Sysmon to capture events, you must first deploy a package to enable Sysmon. To acquire the required package to enable Sysmon to capture events, contact your TAM.

When you have worked with your TAM to acquire the necessary package, deploy Recorder - Enable Sysmon Event Source [Windows]. By deploying this package, the recorder uses Sysmon as the source for all event information on Windows endpoints. To revert to using the Tanium Event Recorder Driver to capture events, you must deploy the Recorder - Clear Recorder Extension Setting [Windows] package.

If you make changes to the event source, you must redeploy any recorder enabled profile for the changes to take effect.

(Optional) Sysmon supports Windows endpoints later than Windows 7. On Windows 8.1 or later and Windows Server 2012 R2 or later, Sysmon is not required, but you can still use it to record process hash and command-line information. For more information, see Connecting to live endpoints and exploring data.

  1. Go to https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon and download the sysmon.zip file to your local computer.

    Review the Microsoft Software License Terms before you upload Sysmon.

  2. From the Threat Response home page, click Settings. Click the Sysmon tab, and then click Configure Sysmon.
  3. Select how you want Threat Response to use Sysmon.

    If you use Threat Response to deploy Sysmon, you must download the sysmon.zip file to your local computer.

    • Only use Sysmon when required for gathering process hash and command-line information.

    • Use Sysmon on all operating systems regardless of whether Threat Response is capable of collecting command-line and process hash information on its own.

    • Do not deploy Sysmon via Tanium Threat Response. Only use Sysmon where it is already installed on a system and it is not otherwise possible to collect the process hash and command-line information.

  4. Browse to the sysmon.zip file and click Upload.
  5. Click OK.

If Sysmon is already installed on the endpoint, you can opt in to using Sysmon with Threat Response. However, if you then later opt out of using Sysmon, the previously installed Sysmon version is removed from the endpoint.
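Before choosing the option that only uses Sysmon where it is already installed, it helps to know which endpoints actually have it. The following PowerShell check is an added example and is not part of the Tanium documentation or the Threat Response module; it assumes the standard Sysinternals service names (Sysmon or Sysmon64) and driver name (SysmonDrv) and runs locally on a Windows endpoint.

```powershell
# Added example (not Tanium documentation or product code): report whether Sysmon
# is present on this Windows endpoint, whether its service and driver are running,
# and which version of the binary is installed.
# Assumptions: Sysinternals Sysmon registers a user-mode service named Sysmon or
# Sysmon64 and a kernel driver named SysmonDrv.
function Get-SysmonStatus {
    # The user-mode service; 32-bit and 64-bit builds use different names.
    $svc = Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue |
           Select-Object -First 1

    # Get-Service does not enumerate kernel drivers, so query Win32_SystemDriver.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='SysmonDrv'" `
           -ErrorAction SilentlyContinue

    # Resolve the service binary so we can read its file version.
    $exePath = $null
    if ($svc) {
        $cimSvc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($svc.Name)'"
        $exePath = $cimSvc.PathName.Trim('"')
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Installed     = [bool]$svc
        ServiceName   = if ($svc) { $svc.Name } else { $null }
        ServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        DriverState   = if ($drv) { $drv.State } else { 'NotInstalled' }
        BinaryPath    = $exePath
        Version       = if ($exePath -and (Test-Path $exePath)) {
                            (Get-Item $exePath).VersionInfo.ProductVersion
                        } else { $null }
    }
}

Get-SysmonStatus | Format-List
```

An endpoint that reports Installed = True with a running service and driver is one where the "already installed" option will record events; an endpoint that reports NotInstalled will fall back to the Tanium Event Recorder Driver under that option. Remember that opting out of Sysmon later removes the previously installed Sysmon from the endpoint, so record the version before changing the setting if you need it for later investigation.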

Alternatively, you can use the Tanium Event Recorder Driver or Microsoft Sysmon to record process and command-line events on supported Windows endpoints. To deploy the Tanium Event Recorder Driver to the endpoints, see Tanium Client Recorder Extension User Guide: Installing the Tanium Event Recorder Driver.

Upgrade the Threat Response version

Upgrade Threat Response to the latest version by importing an update to the solution and migrating any existing intel.

Before you upgrade, use Tanium Health Check to generate a report that you can use to resolve any issues or risks associated with the Tanium environment. Fix any issues reported by Tanium Health Check to mitigate problems that you encounter during an upgrade. You can also use this report to discover opportunities for improving the performance of the Tanium environment. For more information, see Tanium Health Check User Guide: Health Check overview.

If upgrading from version 1.4.1 or earlier, the monitor.db file from the endpoint is deleted after the first prune of recorder.db. If you want to save monitor.db from the endpoint for investigation or for historical reasons, download it from the endpoint before upgrading to Threat Response 2.0.

  1. From the Main menu, select Tanium Solutions.
  2. Locate Threat Response and click Upgrade <version>.

    A progress bar is displayed while the installation package downloads.

  3. Click Continue.

    The Import Solution page opens with a list of all changes and import options.

  4. Initiate the upgrade.
  5. Enter your password to confirm the upgrade.
  6. To confirm the upgrade, return to the Tanium Solutions page and check the Installed version for Threat Response.

    If the Threat Response version has not updated in the console, refresh your browser.

  7. Recreate any custom user roles.
  8. Redeploy profiles to ensure that the latest tools are distributed to endpoints. For more information, see Deploy a profile.

Troubleshoot problems

If you experience problems with installing Threat Response, see Troubleshooting.

What to do next

See Getting started for more information about using Threat Response.

Last updated: 11/7/2019 11:46 AM