Adding intel

Intel defines one or more conditions that might indicate malicious behavior on endpoints. Threat Response can leverage multiple sources of intel to identify and alert on potential threats in an environment. In addition to supporting third-party intelligence sources, Tanium provides threat intelligence called signals. Intel documents and signals, generally referred to as intel, interact with the engine to provide comprehensive monitoring and alerting.

Some intel document types, such as OpenIOC, STIX, CybOX, and YARA, search against existing or historical artifacts on the endpoint. There are a number of providers for these documents. You can upload them directly or configure source streams.

Signals are another type of intel, but interact with the engine differently. Signals evaluate continuously with the recorder and match on live process events on Windows endpoints. Signals help to identify malicious activity by correlating events and searching for behavior-based indicators that something is awry. You can use signals as a source directly from Tanium, or you can write your own signals.

Threat Response integrates with third-party reputation services. Hashes are sent to the reputation service for assessment, then Threat Response enhances intel with the hash ratings. The Definition and Engine Analysis tabs on the Intel details page provide additional information about how the intel document is structured, which parts are applicable, and the hash rating.

Configure intel sources

An intel source is a series of intel documents from an external source. Sources can be a vendor or a folder in your network. You can import sources manually or based on subscription settings.

Intel sources are updated from the Threat Response service, which runs on the Module Server. If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must whitelist the intel provider URLs on the Module Server.

Threat Response can use several data formats. The available source types are described in the following sections.

Connect to the Tanium Signals feed

The Tanium Signals feed provides a stream of regularly updated signals that are designed to detect common patterns of attack on Windows endpoints. Each signal is mapped to one or more categories in the MITRE ATT&CK Framework.

  1. From the Threat Response menu, click Intel > Sources . Click New Source.
  2. From the Type drop-down menu, select Tanium Signals.
  3. (Optional) If you do not want to use the default feed, enter a different content manifest URL. Use this field for testing beta signals in non-production environments. Contact your TAM for details.
  4. Select the Require Tanium Signature check box to use only signals that carry a valid Tanium signature, so that unsigned or tampered content in the feed is rejected.
  5. Select the Subscription Interval, in minutes.
  6. (Optional) Click Ignore SSL to skip certificate validation. Skipping validation removes the protection against a tampered or impersonated feed, so use it only for testing; in production, fix the certificate trust problem instead.
  7. Click Create.

When the Tanium Signals feed gets updated, system notifications get generated that include the release notes about the updates.

Connect to PwC Threat Intelligence

PwC Threat Intelligence is always in OpenIOC format. You can have only one stream of this type at a time.

You must have a PwC subscription.

  1. From the Threat Response menu, click Intel > Sources. Click New Source.
  2. From the Type drop-down menu, select PwC.
  3. Add your subscription details including the URL, user name, and password.
  4. Select the Subscription Interval, in minutes.
  5. (Optional) Click Ignore SSL to skip certificate validation. Use this only for testing; it removes the protection against a tampered or impersonated feed.
  6. (Optional) Click Allow schema invalid documents to enable the import of intel that might be formatted incorrectly. Invalid documents show a warning next to their type on the individual intel page.
  7. Click Create.

Connect to iSIGHT Partners ThreatScape

The iSIGHT intelligence is always in STIX format. You can have only one stream of this type at a time.

You must have an iSIGHT subscription.

  1. From the Threat Response menu, click Intel > Sources. Click New Source.
  2. From the Type drop-down menu, select iSight.
  3. Paste the public and private key for your subscription.
  4. Select the Initial History, in days, and the Subscription Interval, in minutes.
  5. (Optional) Click Allow schema invalid documents to enable the import of intel that might be formatted incorrectly. Invalid documents show a warning next to their type on the individual intel page.
  6. Click Create.

Connect to a TAXII server

TAXII intelligence is always in STIX format. Unlike other streams, TAXII also sorts intel documents into collections, and a document only appears in one collection. Configure a source for each collection.

  1. From the Threat Response menu, click Intel > Sources. Click New Source.
  2. From the Type drop-down menu, select TAXII.
  3. Add a name and description.
  4. Add subscription details including the URL, user name, and password.
  5. Type in the case-sensitive collection name or select from available collections.
  6. Select the Initial History, in days, and the Subscription Interval, in minutes.
  7. Make optional security selections.
    1. If the TAXII server requires mutual TLS (client certificate) authentication, paste the certificate and private key for your subscription.
    2. Click Ignore SSL to skip certificate validation. Use this only for testing; it removes the protection against a tampered or impersonated feed.
  8. (Optional) Click Allow schema invalid documents to enable the import of intel that might be formatted incorrectly. Invalid documents show a warning next to their type on the individual intel page.
  9. Click Create.

Set up Connect and Wildfire

You can use Connect to integrate intel from a Palo Alto Networks WildFire subscription. For full details, see the Tanium Connect User Guide: Configuring Palo Alto Networks WildFire and Tanium Threat Response.

Use a local directory

Stream intel from a set of local directories on the Module Server. The System Administrator for the computer where the Module Server is hosted must authorize a directory for streaming.

  1. Stop the Threat Response service.
  2. Add the directory to the <Tanium Module Server>/services/detect3-files/data/detect-blobs/folder-stream-roots.conf file.

    If you authorize a directory, other users can add folders within it. For example, if you add a c:\folder_streams directory, other users can add the c:\folder_streams\stream1 and c:\folder_streams\stream2 directories as sources. Any account that can write to an authorized directory can introduce intel into the environment, so restrict write access on these directories to the people who are meant to supply intel.

  3. Restart the Threat Response service.
  4. From the Threat Response menu, click Intel > Sources. Click New Source.
  5. From the Type drop-down menu, select Local Directory.
  6. Add a name and description.
  7. Specify the absolute directory path on the Module Server. The folder must be explicitly authorized for stream activity.
  8. (Optional) Disable update tracking for imported files.
  9. (Optional) Click Allow schema invalid documents to enable the import of intel that might be formatted incorrectly. Invalid documents show a warning next to their type on the individual intel page.
  10. Click Create.
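The authorization rule above (a source directory must sit at or below a root listed in folder-stream-roots.conf) is easy to get wrong with a string-prefix comparison. The following is an added example, not Tanium code: it assumes a conf format of one absolute path per line with '#' comments, uses hypothetical function names, and compares path components so that look-alike siblings and '..' traversal are rejected. The sample conf and paths are constructed.

```python
"""Check whether a proposed Local Directory source lies under a root that has
been authorized in folder-stream-roots.conf. Added example, not Tanium code:
the conf format (one absolute path per line, '#' comments) and the function
names are assumptions; the sample conf and paths are constructed."""
from pathlib import PureWindowsPath

# Constructed sample conf (assumed format: one authorized root per line).
SAMPLE_CONF = """\
# Roots authorized for Local Directory intel sources
C:\\folder_streams
D:\\intel\\vendor_drops
"""


def parse_roots(conf_text):
    """Return the authorized roots as PureWindowsPath objects."""
    roots = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        roots.append(PureWindowsPath(line))
    return roots


def is_authorized(candidate, roots):
    """True if candidate is an absolute path equal to or below an authorized root.

    The comparison is on path components, not on string prefixes, so
    C:\\folder_streams2 is not accepted just because it starts with
    C:\\folder_streams, and '..' components are rejected so that
    C:\\folder_streams\\..\\Windows cannot escape the root. Windows paths
    are compared case-insensitively.
    """
    path = PureWindowsPath(candidate)
    if not path.is_absolute():
        return False  # step 7 requires an absolute path on the Module Server
    parts = [p.lower() for p in path.parts]
    if ".." in parts:
        return False
    for root in roots:
        root_parts = [p.lower() for p in root.parts]
        if parts[:len(root_parts)] == root_parts:
            return True
    return False


if __name__ == "__main__":
    authorized = parse_roots(SAMPLE_CONF)
    for p in (r"C:\folder_streams\stream1", r"C:\folder_streams2\x",
              r"C:\folder_streams\..\Windows", r"folder_streams\stream1"):
        print(p, "->", is_authorized(p, authorized))
```

Run the check against the exact string you intend to type into the Local Directory source before restarting the service; a path that fails here will also fail the "explicitly authorized" requirement in step 7.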

After you create or edit a source (for example, by changing its subscription settings), Threat Response indexes and downloads new intel documents on a schedule that depends on the source type. The intel is pushed to endpoints at the next intel publication interval.

For more information about registry settings to use sources with a proxy server, see the Tanium Core Platform Installation Guide: Server Proxy Settings.

Set up the reputation service

Reputation data provides more insight into which alerts might be good candidates to save for further analysis and action. Through a Tanium™ Connect integration, Threat Response uses the reputation data from third parties, such as VirusTotal or Palo Alto Networks WildFire.

Setting up reputation data is a two-part process:

  1. Configure reputation data in Connect.
  2. Create a reputation source in Threat Response.

Configure reputation data in Connect

Reputation data requires Connect 4.1 through Connect 4.10.5, or Connect 4.11 together with Reputation 5.0. For more information about configuring the reputation service settings, see Tanium Reputation User Guide: Reputation overview.

Create a reputation source in Threat Response

Configure Threat Response to search for specific columns of data to send to the reputation service.

  1. From the Threat Response menu, click Intel > Sources. Click New Source.
  2. From the Type drop-down menu, select Reputation.
  3. Select a saved question and column name. You can create your own saved questions, if needed.

    The Threat Response service account user needs to have the read saved question privilege on the content set where saved questions are created.

  4. Select how often Threat Response polls for new responses to the saved question.
  5. Choose a computer group to quick scan automatically when the reputation service reports a known malicious indicator.
  6. Click Create.

For endpoints that use reputation data, any hashes found by the saved questions are sent to the third-party reputation service for assessment.

Add signals

The recorder evaluates signals against live process, file, network, registry, and DNS events on the endpoint. You can write your own signals. By default, each signal can contain up to 24 unique terms.

  1. From the Threat Response menu, click Intel.
  2. Click Add > Signal.
  3. Add a name and definition.
  4. Configure the signal. For more information, see Reference: Authoring signals.
  5. (Optional) Add a description.
  6. Click Save.

If the recorder filters (ignores) an event, that event is never evaluated against signals, so a filter that is too broad can hide the activity a signal is meant to catch.

For signals provided by Tanium, see Connect to the Tanium Signals feed.
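To make the behavior-based matching described above concrete, here is an added example of a rule evaluator over a stream of process events. It is not Tanium's signal syntax or engine: the (field, operator, value) term format, the field names, the "parent." prefix for correlating a child with its parent process, and the sample events are all assumptions; only the 24-unique-term cap comes from the page. It also shows why a filtered event can never match.

```python
"""Match behavior-based rules against live process events, including the
parent/child correlation that behavioral detection relies on and the rule
that filtered events are never matched. Added example, not Tanium's signal
syntax or engine: the term format, field names and sample events are
assumptions; the 24-unique-term limit is the one stated on the page."""
from dataclasses import dataclass
import fnmatch

MAX_UNIQUE_TERMS = 24


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str
    user: str


# A rule is a name plus AND-ed terms of (field, operator, value).
# Fields prefixed "parent." are read from the parent process event.
RULES = [
    {"name": "office_spawns_encoded_powershell",
     "terms": [("parent.image", "matches", "*\\winword.exe"),
               ("image", "matches", "*\\powershell.exe"),
               ("cmdline", "contains", " -enc")]},
    {"name": "office_spawns_cmd",
     "terms": [("parent.image", "matches", "*\\winword.exe"),
               ("image", "matches", "*\\cmd.exe")]},
]

# Constructed event stream: Word launched from Explorer, then three children.
SAMPLE_EVENTS = [
    ProcessEvent(50, 1, "C:\\Windows\\explorer.exe", "explorer.exe", "bob"),
    ProcessEvent(100, 50, "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
                 "WINWORD.EXE /n", "bob"),
    ProcessEvent(200, 100, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgA", "bob"),
    ProcessEvent(300, 100, "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c whoami", "bob"),
    ProcessEvent(400, 50, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell.exe -enc SQBFAFgA", "bob"),
]


def validate_rule(rule):
    """Enforce the per-signal cap on unique terms; return the unique count."""
    unique = set(rule["terms"])
    if len(unique) > MAX_UNIQUE_TERMS:
        raise ValueError(f"{rule['name']}: {len(unique)} unique terms exceeds {MAX_UNIQUE_TERMS}")
    return len(unique)


def _field(event, field, procs):
    """Resolve a term's field on the event, or on its recorded parent."""
    if field.startswith("parent."):
        parent = procs.get(event.ppid)
        return None if parent is None else getattr(parent, field[len("parent."):])
    return getattr(event, field)


def _term_matches(value, op, want):
    if value is None:
        return False                       # parent never seen: cannot correlate
    value, want = str(value).lower(), want.lower()
    if op == "is":
        return value == want
    if op == "contains":
        return want in value
    if op == "matches":                    # glob on the lower-cased path
        return fnmatch.fnmatchcase(value, want)
    raise ValueError(f"unsupported operator {op!r}")


def evaluate_stream(events, rules, filtered_images=()):
    """Return (rule name, pid) for each event that satisfies every term of a rule.

    Every event is recorded so later children can resolve their parent, but an
    event whose image matches a filter pattern is never evaluated, which is why
    filtering an event also prevents it from matching any rule.
    """
    for rule in rules:
        validate_rule(rule)
    procs, alerts = {}, []
    for ev in events:
        procs[ev.pid] = ev
        if any(fnmatch.fnmatchcase(ev.image.lower(), pat.lower()) for pat in filtered_images):
            continue
        for rule in rules:
            if all(_term_matches(_field(ev, f, procs), op, v) for f, op, v in rule["terms"]):
                alerts.append((rule["name"], ev.pid))
    return alerts


if __name__ == "__main__":
    print(evaluate_stream(SAMPLE_EVENTS, RULES))
    print(evaluate_stream(SAMPLE_EVENTS, RULES, filtered_images=("*\\cmd.exe",)))
```

Note that the PowerShell launched directly from Explorer (pid 400) carries the same encoded command but does not fire, because the parent term fails; that parent/child context is what distinguishes a behavioral rule from a plain command-line string match.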

Upload intel documents

You can upload multiple intel documents at the same time.

  1. From the Threat Response menu, click Intel.
  2. Click Add > Upload.
  3. Select intel files and click Upload.
  4. Review the intel validation check. The intel XML schema validation check shows the documents that were successfully uploaded and any documents with errors.
  5. Click Close.
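Both the upload validation check above and the earlier description of OpenIOC intel searching historical artifacts come down to the same two operations: confirming the document is structurally sound, and walking its AND/OR indicator tree against each artifact. The following is an added example, not Tanium code, of both. The engine's real matching semantics are not documented on this page; the OpenIOC document, the artifact records and the function names are constructed for illustration (the MD5 in the sample is that of the EICAR test file).

```python
"""Parse a minimal OpenIOC 1.0 document and evaluate its indicator tree against
endpoint file artifacts, with a pre-upload well-formedness check. Added
example, not Tanium code: the engine's actual matching semantics are not
documented on this page, and the sample document and artifacts are
constructed (the MD5 is that of the EICAR test file)."""
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed document: known-bad MD5, OR a file named svch0st.exe under Temp.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="sample-0001">
  <short_description>Constructed sample: dropper</short_description>
  <definition>
    <Indicator operator="OR" id="i1">
      <IndicatorItem id="ii1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">44d88612fea8a8f36de82e1278abb02f</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="i2">
        <IndicatorItem id="ii2" condition="is">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">svch0st.exe</Content>
        </IndicatorItem>
        <IndicatorItem id="ii3" condition="contains">
          <Context document="FileItem" search="FileItem/FilePath" type="mir"/>
          <Content type="string">\\Temp\\</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed file artifacts, keyed by OpenIOC search term.
SAMPLE_ARTIFACTS = [
    {"FileItem/FileName": "svch0st.exe",
     "FileItem/FilePath": "C:\\Users\\bob\\AppData\\Local\\Temp\\svch0st.exe",
     "FileItem/Md5sum": "11111111111111111111111111111111"},
    {"FileItem/FileName": "svch0st.exe",
     "FileItem/FilePath": "C:\\Program Files\\Tool\\svch0st.exe",
     "FileItem/Md5sum": "11111111111111111111111111111111"},
    {"FileItem/FileName": "eicar.com",
     "FileItem/FilePath": "C:\\Users\\bob\\Downloads\\eicar.com",
     "FileItem/Md5sum": "44D88612FEA8A8F36DE82E1278ABB02F"},
]


def parse_ioc(xml_text):
    """Return (ioc id, description, top-level Indicator). Raises ValueError for
    the kinds of problems the upload validation check reports."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    if root.tag != "{%s}ioc" % NS["ioc"]:
        raise ValueError("root element is not an OpenIOC <ioc>")
    definition = root.find("ioc:definition", NS)
    if definition is None or len(definition) == 0:
        raise ValueError("missing <definition> with a top-level <Indicator>")
    desc = root.findtext("ioc:short_description", default="", namespaces=NS)
    return root.get("id", ""), desc, definition[0]


def _item_matches(item, artifact):
    ctx = item.find("ioc:Context", NS)
    content = item.find("ioc:Content", NS)
    if ctx is None or content is None:
        raise ValueError(f"IndicatorItem {item.get('id')} lacks Context or Content")
    value = artifact.get(ctx.get("search"))
    if value is None:
        return False                      # artifact has no such field: no match
    want = (content.text or "").strip()
    if content.get("type") == "md5":      # hashes compare case-insensitively
        value, want = value.lower(), want.lower()
    cond = item.get("condition", "is")
    if cond == "is":
        return value == want
    if cond == "contains":
        return want in value
    raise ValueError(f"unsupported condition {cond!r} in {item.get('id')}")


def evaluate(node, artifact):
    """Recursively apply AND/OR Indicator logic to one artifact."""
    tag = node.tag.split("}")[-1]
    if tag == "IndicatorItem":
        return _item_matches(node, artifact)
    if tag == "Indicator":
        results = [evaluate(child, artifact) for child in node]
        return any(results) if node.get("operator", "AND").upper() == "OR" else all(results)
    raise ValueError(f"unexpected element <{tag}> inside <definition>")


def validation_error(xml_text):
    """None if the document parses, else the message; run this before relying
    on 'Allow schema invalid documents'."""
    try:
        parse_ioc(xml_text)
        return None
    except ValueError as exc:
        return str(exc)


def scan(xml_text, artifacts):
    """Return the paths of artifacts that satisfy the document's indicator tree."""
    _, _, tree = parse_ioc(xml_text)
    return [a["FileItem/FilePath"] for a in artifacts if evaluate(tree, a)]


if __name__ == "__main__":
    print(validation_error(SAMPLE_IOC))
    print(scan(SAMPLE_IOC, SAMPLE_ARTIFACTS))
```

Run validation_error over a batch before uploading; a document it rejects is one you would otherwise only get past the upload by enabling "Allow schema invalid documents", which hides the defect behind a warning instead of fixing it.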

Create intel documents

Create an intel document with a set of user-defined rules.

Quick Add supports some types of defanged IP address formats that are found in threat intelligence documents, such as 10[.]1[.]1[.]1 or 10 . 1 . 1 . 1.

  1. From the Threat Response menu, click Intel.
  2. Click Add > Quick Add.
  3. From the Detect when drop-down menu, select the type of data.
  4. Type the information to be matched.
  5. (Optional) Enable Require exact match.
  6. Type a name for the intel document. For long term usability, use a consistent naming convention.
  7. Click Create.
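Defanged indicators that are pasted without normalization become intel that never matches anything. The following added example (not Tanium code) shows the kind of normalization Quick Add performs for the two forms named above, and goes beyond the page: it also handles (.), {.} and "(dot)" separators, hxxp:// and [:] in URLs, and validates that the result is a real IPv4 address so that a malformed indicator is rejected rather than silently added. The function names are assumptions.

```python
"""Normalize defanged indicators before adding them as intel, as Quick Add does
for forms such as 10[.]1[.]1[.]1 and 10 . 1 . 1 . 1. Added example, not Tanium
code, and it goes beyond the page: it also handles (.), {.} and "[dot]"
separators, hxxp:// and [:] forms, and validates that the result is a real
IPv4 address. The function names are assumptions."""
import ipaddress
import re

# [.] (.) {.} [dot] (dot), with optional surrounding whitespace
_BRACKETED_DOT = re.compile(r"\s*[\[\(\{]\s*(?:\.|dot)\s*[\]\)\}]\s*", re.IGNORECASE)
# a dot with whitespace on at least one side, as in "10 . 1 . 1 . 1"
_SPACED_DOT = re.compile(r"\s+\.\s*|\s*\.\s+")


def refang(indicator):
    """Undo common defanging so the indicator can be matched literally."""
    s = indicator.strip()
    s = _BRACKETED_DOT.sub(".", s)        # 10[.]1 -> 10.1, evil(dot)com -> evil.com
    s = _SPACED_DOT.sub(".", s)           # 10 . 1 . 1 . 1 -> 10.1.1.1
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    s = s.replace("[:]", ":").replace("[@]", "@")
    return s


def normalize_ipv4(indicator):
    """Refang and validate; return the canonical dotted quad, or None if the
    text is not a single valid IPv4 address (a wrong octet count or an octet
    over 255 is rejected rather than silently added as intel)."""
    try:
        return str(ipaddress.IPv4Address(refang(indicator)))
    except ValueError:
        return None


def normalize_batch(lines):
    """Split a pasted list into accepted addresses and rejected raw lines."""
    accepted, rejected = [], []
    for line in lines:
        if not line.strip():
            continue
        ip = normalize_ipv4(line)
        if ip is None:
            rejected.append(line.strip())
        else:
            accepted.append(ip)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample of a pasted indicator list.
    print(normalize_batch(["10[.]1[.]1[.]1", "10 . 1 . 1 . 1", "", "10 . 1 . 1", "256[.]1[.]1[.]1"]))
```

Because Quick Add matches the text you enter, review the rejected list before creating the document; an indicator that fails normalization usually needs a hand correction, not the "Require exact match" option.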

Label intel

Use labels to organize intel into sets that are relevant for your environment. For example, you might want to sort your intel by priority, incident case, or based on the applicable attack surface.

Apply a label

  1. From the Threat Response menu, click Intel.
  2. Select the check box next to the intel documents or signals. Click Label.
  3. Click Add Label and type in a new label or select an existing label.
  4. Click Save Changes.

Configure YARA files

YARA files function like other intel documents with regard to uploading, streaming from a folder, and labeling. However, Threat Response automatically assigns a scope to limit the evaluation scan; by default, all YARA files are set to scan live files. You can change the evaluation scope for any YARA file.

  1. From the Threat Response menu, click Intel.
  2. Click the intel name, then click the Search Scope tab.
  3. Select the scope of evaluation scan.
    • Live Files: Limited to the running processes and their executable and library files.
    • Memory: (Windows and Mac only) Limited to the memory of all running processes.
    • Paths: Limited to the configured directory paths. The path search is recursive, up to 32 directories.
  4. Click Save.

View orphaned intel documents

When the source for a piece of intel is removed, the intel moves into an orphaned state.

  1. From the Threat Response menu, click Intel.
  2. Expand the Filter Results section and set the Source to Unknown.

Last updated: 6/20/2019 1:57 PM