Installing Threat Response

Import the Threat Response module.

Before you begin

  • Read the Release Notes.
  • Review the Requirements.
  • If the Tanium Server uses a self-signed certificate, you must add localhost to the TrustedHostList.
  • If your environment uses a proxy, you must add localhost to the BypassProxyHostList.

Import Threat Response

Import Threat Response from the Tanium Solutions page.

You must be assigned the Administrator reserved role to import a Tanium solution module or content pack.

  1. From the Main menu, click Tanium Solutions.
  2. Locate Threat Response and click Import.

    A progress bar displays as the installation package downloads.

  3. Click Continue. The Import Solution window opens with a list of all the changes and import options. Review the list of categories, saved questions, saved actions, packages, sensors, and content set roles.
  4. Initiate the import:
    • For platform version 7.0, click Proceed with Import.
    • For platform version 7.1.314.3071 and later, select Include content set overwrite and click Proceed with Import.

    For more information, see Tanium Core Platform User Guide: Align content for modules.

  5. Enter your password to confirm the installation.
  6. Return to the Tanium Solutions page and review the installed version for Threat Response.

    If you do not see the Threat Response module in the console, refresh your browser.

Migrate Trace and Detect configurations to Threat Response

If you are upgrading to Threat Response from Detect or Trace, any existing Trace and Detect configurations are not automatically migrated when you install the Threat Response solution. You must initiate the migration process.

  1. On the Threat Response home page, click Help, and then click the Migration tab.
  2. Click Start Migration.
  3. Trace and Detect configuration data is imported. If there are problems with any data migration, the migration reports a failure and a description of the issue that caused the failure. Review the messages on the migration page to resolve any issues.
  4. Confirm that you want to perform the migration.

After you have migrated Trace and Detect data, you can remove that data from the standalone installations of the Trace and Detect modules.

  1. On the Threat Response home page, click Help, and then click the Migration tab.
  2. Click Start Cleanup.
  3. Trace and Detect configuration data is removed from the standalone module installations.
  4. Confirm that you want to perform the cleanup.

Add computer groups to Threat Response action group

When you import the Threat Response module, an action group is created automatically. You must select the computer groups that are included in the Threat Response group.

  1. From the Main menu, go to Actions > Scheduled Actions.
  2. In the Action Groups pane, select Threat Response and click Edit.
  3. Make selections in the Computer Groups section.
  4. Select an operand from the Combine groups using drop-down menu.
  5. (Optional) Review the included machines in the All machines currently included in this action group section.

    This grid might take a few moments to populate when selections change.

  6. Click Save.
  7. Enter your password to confirm the changes.

Set service settings

Review and edit service settings to customize the Threat Response user experience. From the Threat Response home page, click Settings. Click Service. Update the service settings and click Save.

Set the service account credentials

For recurring maintenance activities, specify a Tanium user with appropriate permissions.

  • For platform version 7.0, the user must be assigned administrator or content administrator permissions.
  • For platform version 7.1.314.3071 or later, the user must be assigned the Threat Response Service User role.

The service user must be able to access all computer groups that need Threat Response tools.

  1. From the Threat Response home page, click Settings.
  2. In the Service Credentials tab, provide valid Tanium Server credentials.
  3. Click Submit.
Set certificates

Set the certificate that Threat Response uses to make live connections to endpoints.

  1. From the Threat Response home page, click Settings.
  2. Click Certificate.
  3. Select the types of certificates you want to generate. Click Submit.

Configure Sysmon

(Optional) For Windows 7 and Windows Server 2008 endpoints, Sysmon is required for recording process hash and command-line information. Sysmon is not required to capture this information for newer Windows versions. For more information, see Connecting to live endpoints and exploring data.

  1. Go to https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon and download the sysmon.zip file to your local computer.

    Review the Microsoft Software License Terms before you upload Sysmon.

  2. From the Threat Response home page, click Settings. Click the Sysmon tab, and click Configure Sysmon.
  3. Select how you want Threat Response to use Sysmon.

    If you use Threat Response to deploy Sysmon, you must download the sysmon.zip file to your local computer.

    • Only use Sysmon when required for gathering process hash and command-line information.

    • Use Sysmon on all operating systems regardless of whether Threat Response is capable of collecting command-line and process hash information on its own.

    • Do not deploy Sysmon via Tanium Threat Response. Only use Sysmon where it is already installed on a system and it is not otherwise possible to collect the process hash and command-line information.

  4. Browse to the sysmon.zip file and click Upload.
  5. Click OK.

If Sysmon is already installed on the endpoint, you can opt in to using Sysmon with Threat Response. However, if you then later opt out of using Sysmon, the previously installed Sysmon version is removed from the endpoint.
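As an added example (not part of this guide and not Tanium's own tooling), the following PowerShell snippet checks on a Windows endpoint whether Sysmon is running and whether its process-creation events (Event ID 1) carry the command-line and hash fields that Threat Response depends on for Windows 7 and Windows Server 2008. It assumes the default Sysmon service names (Sysmon or Sysmon64) and the default Microsoft-Windows-Sysmon/Operational event log; the function names are the example's own.

```powershell
# Added example, not from the Tanium guide: verify that Sysmon is installed on an
# endpoint and is recording process hash and command-line data (Sysmon Event ID 1).
# Assumptions: Sysmon runs under its default service name (Sysmon or Sysmon64) and
# writes to the default Microsoft-Windows-Sysmon/Operational log.

function Test-SysmonRunning {
    # Either service name may exist depending on the binary that was installed.
    $svc = Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -eq 'Running' }
    return [bool]$svc
}

function Get-SysmonProcessCreateSample {
    param([int]$MaxEvents = 5)

    # Event ID 1 = ProcessCreate; it carries Image, CommandLine and Hashes fields.
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            UtcTime     = $data['UtcTime']
            Image       = $data['Image']
            CommandLine = $data['CommandLine']
            # Which algorithms appear here (SHA1, SHA256, ...) is set by the
            # HashAlgorithms value in the Sysmon configuration in use.
            Hashes      = $data['Hashes']
        }
    }
}

if (-not (Test-SysmonRunning)) {
    Write-Warning 'Sysmon service is not running on this endpoint.'
} else {
    Get-SysmonProcessCreateSample | Format-List
}
```

Run it in an elevated PowerShell session on the endpoint. If the CommandLine or Hashes fields come back empty, check the Sysmon configuration that was deployed rather than the Threat Response settings, since those fields are populated by Sysmon itself.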

Troubleshoot problems

If you experience problems with installing Threat Response, see Troubleshooting.

What to do next

See Getting started for more information about using Threat Response.

Last updated: 6/19/2019 8:59 AM