Adding intel

Intel defines one or more conditions that might indicate malicious behavior on endpoints. Threat Response can leverage multiple sources of intel to identify and alert on potential threats in an environment. In addition to supporting third-party intelligence sources, Tanium provides threat intelligence called Signals. Intel documents and Signals, generally referred to as intel, interact with Threat Response to provide comprehensive monitoring and alerting.

Some intel document types, such as OpenIOC, STIX, CybOX, and YARA, search against existing or historical artifacts on the endpoint. There are a number of providers for these documents. You can upload them directly or configure source streams. Both the 1.0 and 1.1 versions of OpenIOC are supported. CybOX 2.0 is the currently supported version. The current supported version of STIX is 1.2. STIX 2.0 is required for TAXII 2.0 support. Consequently, TAXII 2.0 is not currently supported. YARA 4.3.1 is supported and support for the following default modules is provided: pe, elf, dotnet, hash, cuckoo, math, magic, macho, dex, string, and time.

Always use mutual (two-way) authentication and TLS encryption when connecting to intel feeds. Two-way authentication and data encryption provide additional privacy-related benefits, for example, ensuring that encryption keys that become compromised cannot decrypt TLS communications that were recorded in the past.

Signals

Signals provide real-time monitoring of endpoint telemetry events; for example, process, network, registry, and file events for malicious behaviors and methodologies of attack. Unlike other static forms of intel which focus on specific indicators, Signals are evergreen heuristics; they are perpetually relevant.

For Tanium Cloud customers, Tanium collects and uses metadata to continually improve the effectiveness of Signals.

Signals interact with the engine differently; they can evaluate continuously with the recorder and match on live process events on endpoints. Signals help to identify malicious activity by correlating events and searching for behavior-based indicators that something is awry. You can use Signals as a source directly from Tanium, or you can write your own Signals. See Reference: Authoring Signals for more information.

Adding Signals to an intel configuration enables the recorder process on endpoints, and loads the Tanium audit rules. This happens even if you do not enable a recorder configuration.

When a Signal evaluates with the recorder database and an event matches, the resulting alert shows the context of the match. If you have filters for specific events in a recorder configuration, signals that match the events can still generate alerts. For a Signal to evaluate with the recorder database, you need to enable both intel and recorder configurations in an active profile.

The events of a Signal match are always written to the database, and override any filters that are included in a recorder configuration.

An exhaustive reference to Signals syntax - including supported objects, properties, and conditions - is available in the Threat Response Intel Support documentation. To access the Threat Response Intel Support documentation, click from the Threat Response overview page and click the Threat Response Intel Support tab.

Signals do not always evaluate with the recorder database

There are times when Signals cannot be evaluated with the recorder database. For example, it is possible for the recorder to generate Signals, but not record them in the in the recorder database. Additionally, there are cases where events have been recorded, but one or more of the events in the Signal match occurred too far in the past that the event has been purged from the recorder database.

Threat Response integrates with third-party reputation services. Hashes are sent to the reputation service for assessment, then Threat Response enhances intel with the hash ratings. The Definition and Engine Analysis tabs on the Intel details page provide additional information about how the intel document is structured, which parts are applicable, and the hash rating.

Configure intel sources

An intel source is a series of intel documents from an external source. Sources can be a vendor or a folder in your network. You can import sources manually or based on subscription settings.

Intel sources are updated from the Threat Response service, which runs on the Module Server. If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must allow the intel provider URLs on the Module Server.

To determine if Tanium requires specific port exceptions to use Intel feeds, see Contact Tanium Support.

Threat Response can use several data formats, with the following available source types:

Connect to the Tanium Signals feed

The Tanium Signals feed provides a stream of regularly updated Signals that are designed to detect common patterns of attack on Windows endpoints. Each Signal is mapped to one or more categories in the MITRE ATT&CK Framework.

Any changes you make to Signals provided by the Tanium Signals feed, are overwritten when the Signal is updated. For a change to persist, clone (export/import) the Signal, apply the changes to the clone, and only include the clone in the configuration.
  1. From the Threat Response menu, click Intel > Sources . Click New Source.
  2. From the Type drop-down menu, select Tanium Signals.
  3. (Optional) If you do not want to use the default feed, enter a different content manifest URL. Use this field for testing beta Signals in non-production environments. If you require support for a different feed, see Contact Tanium Support.
  4. Select the Require Tanium Signature check box to only use Tanium-verified Signals.
  5. Select the Subscription Interval, in minutes.
  6. (Optional) Click Ignore SSL to skip the certificate validation.
  7. Click Create.

When the Tanium Signals feed gets updated, system notifications get generated that include the release notes about the updates.

Configuring Tanium Signals feed in an airgapped environment

To configure the Tanium Signals feed in an airgapped environment on the Tanium Appliance, see Reference: Air gap support: Install or update Tanium Threat Response Signals.

If you are using one of the following versions of Threat Response, download Tanium Detect Signals v4:

  • Threat Response version 3.10.59 or later 3.10 versions
  • Threat Response version 4.0.1116 or later 4.0 versions
  • Threat Response version 4.2.29 or later 4.2 versions
  • Threat Response version 4.3.176 or later 4.3 versions

If you are using Threat Response version 1.4 to any earlier 3.10, 4.0, 4.2, or 4.3 than listed above, download Tanium Detect Signals v3.

To deploy signals in an airgapped environment, navigate to https://content.tanium.com/files/misc/ThreatResponse/ThreatResponse.html and download Tanium Detect Signals from a computer that can access the internet. If you encounter a problem, see Contact Tanium Support.

When the download completes, host the .ZIP file on a Web server that is accessible by Threat Response. You can use the Tanium server to host this content. When this content is hosted, follow the instructions for connecting to the Tanium Signals feed.

For example, you can save the .ZIP file in a sub directory of the Tanium Server HTTP directory named signals. In this example, the URL to use when you create the signals feed is:

https://my.tanium.server/signals/DetectSignals.zip

In this scenario, content downloads directly from the Tanium Server, so the Require Tanium Signature option should be deselected. If the environment uses self-signed certificates select the Ignore SSL option.

All downloads of signals are logged on the module server.

Connect to iSIGHT Partners ThreatScape

The iSIGHT intelligence is always in STIX format. You can have only one stream of this type at a time.

You must have an iSight subscription. The current supported version of STIX is 1.2. STIX 2.0 is required for TAXII 2.0 support. Consequently, TAXII 2.0 is not currently supported.

  1. From the Threat Response menu, click Intel > Sources. Click Create Source.
  2. From the Type drop-down menu, select iSight.
  3. Paste the public and private key for your subscription.
  4. Select the Initial History in days, and the Subscription Interval in minutes.
  5. (Optional) Click Allow schema invalid documents to enable the import of intel that might be formatted incorrectly. Invalid documents show a warning next to their type on the individual intel page.
  6. Click Create.

Connect to a TAXII server

TAXII intelligence is always in STIX format. Unlike other streams, TAXII also sorts intel documents into collections, and a document only appears in one collection. Configure a source for each collection. Tanium does not support Subscription Based TAXII Servers; TAXII servers must be collection based.

The current supported version of STIX is 1.2. STIX 2.0 is required for TAXII 2.0 support. Consequently, TAXII 2.0 is not currently supported.

  1. From the Threat Response menu, click Intel > Sources. Click Create Source.
  2. From the Type drop-down menu, select TAXII.
  3. Add a name and description.
  4. Add subscription details including the URL, user name, and password. If you edit user name or password, you have to enter data for both fields.
  5. Type in the case-sensitive collection name or select from available collections.
  6. Select the Initial History in days, and the Subscription Interval in minutes.
  7. Make optional security selections.
    1. If you want two-way SSL validation, paste the certificate and private key for your subscription.
    2. Click Ignore SSL to skip the certificate validation.
  8. (Optional) Click Allow schema invalid documents to enable the import of intel that might be formatted incorrectly. Invalid documents show a warning next to their type on the individual intel page.
  9. Click Create.

Set up Connect and Wildfire

The Palo Alto Networks Wildfire connection source is deprecated. Customers who need to integrate Palo Alto Networks WildFire and Tanium Threat Response should configure the Tanium Reputation source instead. For more information, see Tanium Reputation User Guide: Configure Palo Alto Networks WildFire reputation source.

For more information on configuring the reputation service, see Set up the reputation service.

Use a local directory or remote share

Stream intel from a set of local directories on the Module Server. The System Administrator for the computer where the Module Server is hosted must authorize a directory for streaming.

In Threat Response 4.0 and later, local directories on the Module Server are no longer stored in the folder-stream-roots.conf file. All directory content is stored in the Threat Response database and all paths in the database are editable by using API routes. The API routes to view, add, or replace paths are available to users with the Tanium Administrator role. Any existing paths in the folder-stream-roots.conf file will be migrated to the Threat Response database when upgrading to Threat Response 4.0 from earlier versions.

To view the allowed paths, use the GET source-types/folder/allowed-roots route. To add or replace paths use the POST source-types/folder/allowed-roots route. Both routes are only available to users who are assigned the Tanium Administrator role. For more information on using the Threat Response API, click Help > API > See API documentation from the Threat Response workbench.

  1. From the Threat Response menu, click Intel > Sources. Click Create Source.
  2. From the Type drop-down menu, select Local Directory.
  3. Add a name and description.
  4. In the Local Directory Path field, specify the absolute directory path on the Module Server. The folder must be explicitly authorized for stream activity.
  5. (Optional) Disable update tracking for imported files.
  6. (Optional) Click Allow schema invalid documents to enable the import of intel that might be formatted incorrectly. Invalid documents show a warning next to their type on the individual intel page.
  7. Click Create.

To mount a file share on a Tanium Appliance, see Tanium Appliance User Guide: Configure solution module file share mounts. After configuring the Detect file share mount, use the absolute path value /opt/mounts/detect as the Local Directory Path.

If you edit an existing source, for example, by adding subscription choices, Threat Response indexes and downloads new intel documents every 60 seconds. The intel gets pushed to the endpoint during the next intel publication interval.

For more information about registry settings to use sources with a proxy server, see the Tanium Core Platform Installation Guide: Server Proxy Settings.

Delete an intel source

When you delete an intel source, all intel documents that are associated with the source are moved to the unknown source. The unknown source is not displayed on the sources page. To identify intel documents associated with the unknown source, you can filter all intel. Alerts that are associated with the intel from the source you are deleting are not deleted.

  1. From the Threat Response menu, go to Intel > Sources.
  2. Click the intel source that you want to delete.
  3. Click Delete . Click OK to confirm the deletion of the intel source.

Any intel documents that were associated with the source you deleted are now associated with the unknown source. To manage intel in the unknown source, see View orphaned intel documents.

Configure process injection

The Process Injection intel document provides a way to alert on incidents that involve techniques such as process injection and credential dumping. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process can allow access to the memory of the process, system and network resources, and possibly elevated privileges. Process injection can also evade detection from security products since the execution is masked under a legitimate process. In the context of process injection, the actor identifies the process or file that performs the process injection. The target identifies the artifact that has been the subject of injection.

Process injection monitoring is not supported on Windows 8.1 and Windows Server 2012 R2 and earlier.

The Tanium Driver can monitor specific Windows API calls by injecting into user processes and kernel callbacks. The Tanium Driver can detect process injection and enable you to configure which process injection techniques result in an alert.

There are several techniques for process injection for which the Tanium Driver can monitor.

Technique Description
Asynchronous Procedure Call A process injection technique where an asynchronous procedure call executes memory that has potentially been created or modified in a malicious manner.
Asynchronous Procedure Call Write A process injection technique where an asynchronous procedure call writes to remote memory. For example, an asynchronous procedure call is queued to execute memset.
Atom Bombing A process injection technique where an asynchronous procedure call is queued to write to memory through GetGlobalAtomName.
Callback Overwrite A process injection technique that encompasses any method that modifies a function callback pointer in the target to potentially execute malicious code.
Ctrl Inject A process injection technique where key combination processing (for example, CTRL+C) is used in a possibly malicious manner.
Exe Header Modification A process injection technique that includes an executable showing in-memory header modification that could be intended to load a DLL or execute code in a malicious manner.
Image Section Replacement A process injection technique that involves the removal of a mapped DLL or executable from memory and replaced with new memory in a possibly malicious manner.
Thread A process injection technique where a new thread has been remotely created in a possibly malicious manner.
Thread Context A process injection technique where the context of a thread context has been modified to execute in a possibly malicious manner. For example, SetThreadContext.
Unknown Asynchronous Procedure Call A process injection technique where an asynchronous procedure call that was not detected as queued is about to execute. Such a situation could be indicative of something malicious running in the kernel and injecting into a process or it could be other security products performing their own injection. It could also be caused by the Tanium process monitoring DLL not being injected into the actor process that queued the APC.
Unusual Initial Thread A process injection technique where the first thread in a process was created in an unusual manner. For example, the operating system did not create the thread, but instead a remote process.
Window One of any process injection techniques that use various window manipulations to execute code in a possibly malicious manner. For example, SetWindowLongPtr or SetProp.


  1. Select Consume Process Injection Alerts in a detection configuration to enable Threat Response to consume Process Injection alerts. For more information, see Create detection configurations.

    By default this option is disabled in new detection configurations.

  2. From the Threat Response menu, go to Intel > Documents. In the Filters section, enter Process Injection.
  3. Select the Process Injection intel document. It is not necessary to add the Process Injection intel document to any detection configuration or intel list to consume Process Injection alerts.
  4. (Optional) From the Techniques tab, Click edit to select the techniques of process injection that you want to monitor. Click Save.
  5. (Optional) Provide system filters to define the event information to record and add them to a recorder configuration. Ensure the Consume Process Injection Alerts setting is enabled in a deployed detection configuration. Apply system filters to exclude particular processes from having the Tanium Driver inject into them for process injection detection in a deployed recorder configuration. For more information, see Create filters.
  6. (Optional) From the Suppression Rules tab, you can view the suppression rules that currently exist for process injection. Suppression rules define the criteria for filtering alerts based on information that you provide. Suppressing alerts for process injection is an effective way to reduce false positive matches and reduce noise in alerts. If you create a suppression rule for process injection it appears in the list displayed on this tab. For more information, see Suppress alerts.

You can view, investigate, and take action on alerts that are the results of matches to process injection criteria from the Alerts tab of the process injection intel document.

Set up the reputation service

Reputation data provides more insight into which alerts might be good candidates to save for further analysis and action. Through a Tanium™ Connect integration, Threat Response uses the reputation data from third parties, such as VirusTotal. Blocklisted hashes are not included in the results unless the hashes are discovered by the saved question.

Threat Response detects if the reputation service is paused or stopped and in this event does not update reputation data. If after 24 hours the reputation service is disabled or deleted, Threat Response deletes the reputation source and any existing intel documents associated with the source are moved to the Unknown source. If reputation is added again, the reputation source is created again.

Configure reputation data in Tanium Connect

In Connect, create a connection from a saved question source to the Tanium Reputation destination. This connection initiates a list of hashes to be sent from a saved question in Connect to Reputation. The detect service queries Reputation for all discovered malicious hashes including known bad hashes. Reputation data requires a Connect version from Connect 4.1 to Connect 4.10.5, or Connect 4.11 and Reputation 5.0. For more information on configuring the reputation service settings, see Tanium Reputation User Guide: Reputation overview.

For endpoints that use reputation data, any hashes found by the saved questions are sent to the third-party reputation service for assessment.

Reputation Intel Source improvements (requires Reputation 5.0.0+) including Saved Questions for reputation hashes must now be configured and managed entirely within Tanium Connect. The naming convention of Reputation Intel has changed from Malicious Files $Date:$Time to Reputation Malicious Files $Date:$Time. Additionally, any Reputation intel that has existed before an upgrade is renamed with the date and time of the upgrade appended to the Signal name.

Add Signals

Signals are monitored by the recorder for live process, file, network, registry, and DNS event matching on the endpoint providing a recorder configuration is enabled in an active profile. If a recorder configuration is not enabled in an active profile, Signal matches still initiate alerts, however no specific information regarding the context of the Signal match appears in the resulting alert. You can write your own Signals. By default, each Signal can contain up to 55 terms.

  1. From the Threat Response menu, click Intel > Documents.
  2. Click Add > Upload Signal(s).
  3. Add a name and description.
  4. Select the operating systems for the signal to target.
  5. Select a MITRE Technique ID. Selecting a MITRE Technique ID allows users to align with the MITRE Attack Framework and help map coverage to the different tactics and techniques. You can assign multiple technique IDs to a single Signal.
  6. Configure the Signal. For more information, see Reference: Authoring Signals.
  7. (Optional) Add a description.
  8. Click Save.

If the event is filtered (ignored), it cannot be matched against a Signal.

For Signals provided by Tanium, see Connect to the Tanium Signals feed.

Import and export Signals

Import and export Signals to move them from one platform to another. For example, you can export Signals from a test system and import them to a production system. Signals are imported and exported as JSON files and have a file size limit of 10 MB.

Export Signals

  1. From the Threat Response menu, click Intel > Documents.
  2. Select the Signals you want to export and click Actions > Export. Any intel documents that are not Signals are omitted from the export.
  3. For each Signal that you include in an export, select to Include all Labels and Include all Suppressions if you want to preserve the labels and suppression rules that you have associated with the Signal. Click OK. If you do not select to include labels or suppressions, the Signal is exported without any associated labels or suppression rules.

    When exporting a signal, only signal-specific suppression rules are included in the signal.

  4. A JSON file is created for the export. Provide a name for the JSON file and click Export.

Import Signals

  1. From the Threat Response menu, click Intel > Documents.
  2. Click Add > Upload Signal(s).
  3. Browse to the JSON files that correspond to the Signals you want to import. Click OK. Click Next.
  4. If the Signal already exists, or exists with different suppression rules or labels associated with it, select Action > Skip to not import the Signal. Click Next.
  5. Review the list of the imported Signals and click Finish.

Exporting Signals that include MITRE technique IDs and importing them into an environment where the same Signals exist without associated MITRE technique IDs results in a new Signal with the same content and the addition of MITRE technique ID information. The result is that two Signals exist; one with MITRE technique information, and one without.

Upload intel documents

You can upload multiple intel documents at the same time, including YARA files. The size limit for uploading intel documents is 10MB for IOCs in XML format, such as STIX version 1.x, and Signals in JSON format.

Do not add more than 900 terms per type in a single IOC.

  1. From the Threat Response menu, click Intel > Documents.
  2. Click Add > Upload IOC(s) or Add > Upload Signal(s). Select Add > Upload IOC(s) to upload YARA files.
  3. Select intel files and click Upload.
  4. Review the intel validation check. The intel XML schema validation check shows the documents that were successfully uploaded and any documents with errors.
  5. Click Close.

Create intel documents

Create an intel document with a set of user-defined rules.

Quick Add supports some types of defanged IP address formats that are found in threat intelligence documents, such as 10[.]1[.]1[.]1 or 10 . 1 . 1 . 1.

  1. From the Threat Response menu, click Intel > Documents.
  2. Click Add > Quick Add.
  3. From the Detect when drop-down menu, select the type of data.
  4. Type the information to match.
  5. (Optional) Enable Exact match required.
  6. Type a name for the intel document. For long term usability, use a consistent naming convention.
  7. Click Create.

Label intel

Use labels to organize intel into sets that are relevant for your environment. For example, you might want to sort intel by priority, incident case, or based on the applicable attack surface.

Create custom labels to control the promotion of intel in a production environment. The names of labels provided by Tanium are subject to change. Signals are generally updated automatically, creating a possibility that label changes could cause unintended consequences in a production environment. A best practice is to adopt a convention for naming custom labels that follows an organization’s object naming guidelines. Intel documents that Threat Response provides by default, such as Defender, Deep Instinct, and Process injection do not support labels.

You can apply labels to the Reputation intel document, however if you want to add reputation intel for background scanning, you must add the reputation source in a Detection configuration. You cannot add the reputation intel document to a detection configuration as you would add other intel.

Apply a label

  1. From the Threat Response menu, click Intel > Documents.
  2. Select the check box next to the intel documents or Signals. Click Labels.
  3. Click Add Label and type in a new label or select an existing label.
  4. Click Save Changes.

Manage existing labels

  1. From the Threat Response menu, click Intel > Documents.
  2. Select the check box next to the intel documents or Signals. Click Labels.
  3. Click Manage Existing Labels and select or deselect the labels you want to apply to the intel document or Signal. In the Selection Preview section, review the impact of making changes to intel documents.
  4. Click Save Changes.

Configure YARA files

YARA files function like other intel documents, in regards to uploading, streaming from a folder, and labeling. However, Threat Response automatically assigns a scope to limit the evaluation scan; by default, all YARA files are set to scan live files. You can change the evaluation scope for any YARA file.

YARA 4.3.1 is supported and support for the following default modules is provided: pe, elf, dotnet, hash, cuckoo, math, magic, macho, dex, string, and time.

  1. From the Threat Response menu, click Intel > Documents.
  2. Click the intel name, then click the Search Scope tab.
  3. Select the scope of evaluation scan.
    • Live Files: This instructs Threat Response to find the files for any running processes (executable and loaded library files) and then use the YARA rule to scan their file on disk. Limited to the running processes and their executable and library files.
    • Memory: Limited to the memory of all running processes.
    • Paths: Limited to the configured directory paths. The path search is recursive, up to six directories. When adding paths ensure that no duplicate entries or empty values are added.
  4. Click Save.

View orphaned intel documents

When the source for a piece of intel is removed, the intel moves into an orphaned state.

  1. From the Threat Response menu, click Intel > Documents.
  2. Expand the Filter Results section and set the Source to Unknown.

Testing Intel for deployment

Test intel in a lab or test environment before deploying to a production environment. Create the new Intel and use on-demand scans to test against endpoints to verify the intel matches on what you expect and that the intel does not match a high number of false positives.

When you are ready to promote the intel in a production environment, the following process is advised as a best practice:

  1. Import or create the new intel in a production environment.
  2. On-demand scan the intel against a computer group that contains a small number of endpoints that you have identified as appropriate for testing purposes. See Tanium Console User Guide: Create computer groups for more information. Verify the performance of the intel; for example, ensure it is matching and generating alerts for expected indicators of compromise.
  3. On-demand scan the intel against an Alpha computer group that contains approximately 10% of the total endpoints the intel will ultimately target. Verify the performance of the intel. Modify the intel if necessary.
  4. Add the Alpha label to the new Intel and deploy. See Label the intel and Deploy intel for more information. Allow time for the intel to deploy. Verify the performance of the intel. Modify the intel if necessary.
  5. On-demand scan the intel against a Beta computer group that contains approximately 20% of the total endpoints the intel will ultimately target. Verify the performance of the intel. Modify the intel if necessary correctly.
  6. Add the Beta label to the new Intel and deploy. Allow time for the intel to deploy. Verify the performance of the intel. Modify the intel if necessary.
  7. On-demand scan the intel against the Threat Response Production computer group. Verify the performance of the intel. Modify the intel if necessary.
  8. Add the Production label to the new intel and deploy. The intel is now fully deployed in production. Continue to verify the performance of intel and refine as necessary.