Installing Threat Response

Tanium Cloud automatically handles module installations and upgrades.

For information about configuring Threat Response for Tanium Cloud, see Configuring Threat Response.

Use the Solutions page to install Threat Response and choose between automatic and manual configuration:

  • Automatic configuration with default settings(Tanium Core Platform 7.4.2 or later only): Threat Response is installed with any required dependencies and other selected products. After installation, the Tanium Server automatically configures the recommended default settings. This option is the best practice for most deployments. For details about the automatic configuration for Threat Response, see Import Threat Response with default settings.
  • Manual configuration with custom settings: After installing Threat Response, you must manually configure required settings. Select this option only if Threat Response requires settings that differ from the recommended default settings. For more information, see Import Threat Response with custom settings.

Before you begin

  • Read the Release Notes.
  • Review the Threat Response requirements.
  • If you are upgrading from a previous version, see Upgrade the Threat Response version.
  • If the Tanium Server uses a self-signed certificate, you must add localhost to the TrustedHostList.
  • Assign the correct roles to users for Threat Response. Review the User role requirements.
    • To import the Threat Response solution, you must be assigned the Administrator reserved role.
    • To configure the Threat Response action group, you must be assigned the Administrator reserved role, Content Administrator reserved role, or a role that has the Action Group write permission.

Import Threat Response with default settings

When you import Threat Response with automatic configuration, the following default settings are configured:

The following default settings are configured:

Tanium Signals are imported.

The following Threat Response profiles are created and deployed to specific computer groups:

Profile Name Detection configuration Index Configuration Recorder Configuration
[Tanium Default] - Windows

Deploys to All Windows computer group.
[Tanium Default] - Linux

Deploys to All Linux computer group.
[Tanium Default] - Mac

Deploys to All Mac computer group.

(Tanium Core Platform 7.4.5 or later only) You can set the Threat Response action group to target the No Computers filter group by enabling restricted targeting before adding Threat Response to your Tanium licenseimporting Threat Response. This option enables you to control tools deployment through scheduled actions that are created during the import and that target the Tanium Threat Response action group. For example, you might want to test tools on a subset of endpoints before deploying the tools to all endpoints. In this case, you can manually deploy the tools to an action group that you configured to target only the subset. To configure an action group, see Tanium Console User Guide: Managing action groups. To enable or disable restricted targeting, see Tanium Console User Guide: Dependencies, default settings, and tools deployment.

To import Threat Response and configure default settings, be sure to select the Apply Tanium recommended configurations check box while performing the steps in Tanium Console User Guide: Manage Tanium modules. After the import, verify that the correct version is installed: see Verify Threat Response version.

If Tanium Reveal and Tanium Threat Response exist in the same environment, both solutions must be on a version that is running the same architecture of Tanium Index. Threat Response 3.4 and later must be installed in the same environment as Reveal 1.15 and later. Threat Response versions earlier than Threat Response 3.4 can be installed in the same environment as Reveal 1.14 and earlier.

Import Threat Response with custom settings

To import Threat Response without automatically configuring default settings, clear the Apply All Tanium recommended configurations check box while performing the steps under Tanium Console User Guide: Import, re-import, or update specific solutions. After the import, verify that the correct version is installed: see Verify Threat Response version.

To configure the Threat Response action group, see (Optional) Configure the Threat Response action group.

If Client Recorder Extension version 1.x exists on a targeted endpoint, you must remove it before you install Client Recorder Extension version 2.x tools. To target endpoints where Client Recorder Extension version 1.x exists, ask the question: Recorder - Legacy Installed. If the Supported Endpoints column displays Yes, you must remove Client Recorder Extension version 1.x from the endpoint before you install Client Recorder Extension 2.x tools. To remove Client Recorder Extension version 1.x, deploy the Recorder - Remove Legacy Recorder [Operating System] package to targeted endpoints.

Manage solution dependencies

When you start the Threat Response workbench for the first time, the Tanium Server checks whether all the Tanium modules and shared services (solutions) that are required for Threat Response are installed at the required versions. The Threat Response workbench cannot load unless all required dependencies are installed. If you selected Tanium Recommended Installation when you imported Threat Response, the Tanium Server automatically imported all your licensed solutions at the same time. Otherwise, if you manually imported Threat Response and did not import all its dependencies, the Tanium Console displays a banner that lists the dependencies and the required versions. See Solution dependencies.

Perform the following steps if a banner indicates any Threat Response dependencies are not installed:

  1. Install the dependencies as described in Tanium Console User Guide: Import, re-import, or update specific solutions.
  2. From the Main menu, go to Modules > Threat Response to open the Threat Response Overview page and verify that the Console no longer displays a banner to list missing dependencies.

Upgrade the Threat Response version

Upgrade Threat Response to the latest version by importing an update to the solution and migrating any existing intel.

In Threat Response , the steps required to configure the service account are no longer necessary due to the adoption of the System User Service, which performs these tasks automatically. When upgrading to Threat Response 4.0 it is only possible to upgrade from 3.8 or 3.10 to 4.0. Due to database schema changes during the migration, it is not possible to directly upgrade from Threat Response 3.7 (or earlier) to Threat Response 4.0. If you upgrade from 3.7 (or earlier) directly to Threat Response 4.0, the upgrade will fail, and you will need to recover Threat Response from a backup.

Before you upgrade, use Tanium Health Check to generate a report that you can use to resolve any issues or risks associated with the Tanium environment. Fix any issues reported by Tanium Health Check to mitigate problems that you encounter during an upgrade. You can also use this report to discover opportunities for improving the performance of the Tanium environment. For more information, see Tanium Health Check User Guide: Health Check overview.

For the steps to upgrade Threat Response, see Tanium Console User Guide: Manage Tanium modules. After the upgrade, verify that the correct version is installed: see Verify Threat Response version.

If Tanium Reveal and Tanium Threat Response exist in the same environment, both solutions must be on a version that is running the same architecture of Tanium Index. Threat Response 3.4 and later must be installed in the same environment as Reveal 1.15 and later. Threat Response versions earlier than Threat Response 3.4 can be installed in the same environment as Reveal 1.14 and earlier.

When upgrading Threat Response, you can select to automatically upgrade the Threat Response tools package on all of the endpoints in an environment to ensure that the latest version of the Threat Response tools are distributed. When you import Threat Response with automatic configuration this option is configured by default. You can change this upgrade setting if you do not want to automatically upgrade the Threat Response tools on endpoints.

Auto Upgrade is not intended to automatically perform upgrades across major versions.

  1. From the Threat Response overview page, click Settings .
  2. Click Service > Misc.
  3. Select or deselect the Enable Tools Automatic Upgrade setting.

When you install Threat Response tools as part of upgrade to Threat Response 3.8 or later the legacy Tanium Detect Engine is automatically removed.

Verify Threat Response version

After you import or upgrade Threat Response, verify that the correct version is installed:

  1. Refresh your browser.
  2. From the Main menu, go to Modules > Threat Response to open the Threat Response Overview page.
  3. To display version information, click Info Info.