Adding intel

Intel defines one or more conditions that might indicate malicious behavior on endpoints. Threat Response can leverage multiple sources of intel to identify and alert on potential threats in an environment. In addition to supporting third-party intelligence sources, Tanium provides threat intelligence called Signals. Intel documents and Signals, generally referred to as intel, interact with the engine to provide comprehensive monitoring and alerting.

Some intel document types, such as OpenIOC, STIX, CybOX, and YARA, search against existing or historical artifacts on the endpoint. There are a number of providers for these documents. You can upload them directly or configure source streams.

Always use mutual (two-way) authentication and TLS encryption when connecting to intel feeds. Two-way authentication and data encryption provide additional privacy-related benefits, for example, ensuring that encryption keys that become compromised cannot decrypt TLS communications that were recorded in the past.

Signals

Signals provide real-time monitoring of endpoint telemetry events (for example, process, network, registry, and file events) for malicious behaviors and methodologies of attack. Unlike other static forms of intel, which focus on specific indicators, Signals are evergreen heuristics that remain perpetually relevant.

Signals interact with the engine differently; they can evaluate continuously with the recorder and match on live process events on endpoints. Signals help to identify malicious activity by correlating events and searching for behavior-based indicators that something is awry. You can use Signals as a source directly from Tanium, or you can write your own Signals. See Reference: Authoring Signals for more information.

Adding Signals to an intel configuration enables the recorder process on endpoints, and loads the Tanium audit rules. This happens even if you do not enable a recorder configuration.

When a Signal evaluates with the recorder database and an event matches, the resulting alert shows the context of the match. If you have filters for specific events in a recorder configuration, signals that match the events can still generate alerts. For a Signal to evaluate with the recorder database, you need to enable both intel and recorder configurations in an active profile.

An exhaustive reference to Signals syntax, including supported objects, properties, and conditions, is available in the evaluation engine documentation. To access the evaluation engine documentation, click from the Threat Response home page and click the Evaluation Engine tab.

Signals do not always evaluate with the recorder database

There are times when Signals cannot be evaluated with the recorder database. For example, it is possible for the recorder to generate Signals but not record them in the recorder database. Additionally, there are cases where events have been recorded, but one or more of the events in the Signal match occurred so far in the past that the event has been purged from the recorder database. If Signals cannot be evaluated with the recorder database, ensure that you have an enabled recorder configuration in a deployed profile.

If you do not select Image Loads as a recorded event type in a recorder configuration, any Signal that uses the image event type results in an Unmatched Events warning in the Alert Details. For more information, see Recorder configurations.

Threat Response integrates with third-party reputation services. Hashes are sent to the reputation service for assessment, then Threat Response enhances intel with the hash ratings. The Definition and Engine Analysis tabs on the Intel details page provide additional information about how the intel document is structured, which parts are applicable, and the hash rating.

Configure intel sources

An intel source is a series of intel documents from an external source. Sources can be a vendor or a folder in your network. You can import sources manually or based on subscription settings.

Intel sources are updated from the Threat Response service, which runs on the Module Server. If security software is deployed in the environment to monitor and block unknown URLs, your security administrator must allow the intel provider URLs on the Module Server.

Threat Response can use several data formats. The available source types are described in the following sections.

Connect to the Tanium Signals feed

The Tanium Signals feed provides a stream of regularly updated Signals that are designed to detect common patterns of attack on Windows endpoints. Each Signal is mapped to one or more categories in the MITRE ATT&CK Framework.

  1. From the Threat Response menu, click Intel > Sources. Click New Source.
  2. From the Type drop-down menu, select Tanium Signals.
  3. (Optional) If you do not want to use the default feed, enter a different content manifest URL. Use this field for testing beta Signals in non-production environments. Contact your TAM for details.
  4. Select the Require Tanium Signature check box to only use Tanium-verified Signals.
  5. Select the Subscription Interval, in minutes.
  6. (Optional) Click Ignore SSL to skip the certificate validation.
  7. Click Create.

When the Tanium Signals feed is updated, system notifications are generated that include the release notes for the updates.

Configuring Tanium Signals feed in an airgapped environment

To configure the Tanium Signals feed in an airgapped environment on the Tanium Appliance, see Maintaining airgap content on the Tanium Appliance.

If you are using Threat Response version 1.0 to 1.3, download Tanium Detect Signals v2.

If you are using Threat Response version 1.4 to 2.4, download Tanium Detect Signals v3.

To deploy signals in an airgapped environment, navigate to https://content.tanium.com/files/misc/ThreatResponse/ThreatResponse.html and download Tanium Detect Signals from a computer that can access the internet. Contact your TAM to determine the version of Tanium Detect Signals to use.

When the download completes, host the .ZIP file on a Web server that is accessible by Threat Response. You can use the Tanium server to host this content. When this content is hosted, follow the instructions for connecting to the Tanium Signals feed.

For example, you can save the .ZIP file in a subdirectory of the Tanium Server HTTP directory named signals. In this example, the URL to use when you create the signals feed is:

https://my.tanium.server/signals/DetectSignals.zip

In this scenario, content downloads directly from the Tanium Server, so the Require Tanium Signature option should be deselected. If the environment uses self-signed certificates, select the Ignore SSL option.

All downloads of signals are logged on the Module Server.

Connect to PwC Threat Intelligence

PwC Threat Intelligence is always in OpenIOC format. You can have only one stream of this type at a time.

You must have a PwC subscription.

  1. From the Threat Response menu, click Intel > Sources. Click New Source.
  2. From the Type drop-down menu, select PwC.
  3. Add your subscription details including the URL, user name, and password.
  4. Select the Subscription Interval, in minutes.
  5. (Optional) Click Ignore SSL to skip the certificate validation.
  6. (Optional) Click Allow schema invalid documents to enable the import of intel that might be formatted incorrectly. Invalid documents show a warning next to their type on the individual intel page.
  7. Click Create.

Connect to iSIGHT Partners ThreatScape

The iSIGHT intelligence is always in STIX format. You can have only one stream of this type at a time.

You must have an iSight subscription.

  1. From the Threat Response menu, click Intel > Sources. Click New Source.
  2. From the Type drop-down menu, select iSight.
  3. Paste the public and private key for your subscription.
  4. Select the Initial History, in days, and the Subscription Interval, in minutes.
  5. (Optional) Click Allow schema invalid documents to enable the import of intel that might be formatted incorrectly. Invalid documents show a warning next to their type on the individual intel page.
  6. Click Create.

Connect to a TAXII server

TAXII intelligence is always in STIX format. Unlike other streams, TAXII also sorts intel documents into collections, and a document only appears in one collection. Configure a source for each collection. Tanium does not support Subscription Based TAXII Servers; TAXII servers must be collection based.

  1. From the Threat Response menu, click Intel > Sources. Click New Source.
  2. From the Type drop-down menu, select TAXII.
  3. Add a name and description.
  4. Add subscription details including the URL, user name, and password.
  5. Type in the case-sensitive collection name or select from available collections.
  6. Select the Initial History, in days, and the Subscription Interval, in minutes.
  7. Make optional security selections.
    1. If you want two-way SSL validation, paste the certificate and private key for your subscription.
    2. Click Ignore SSL to skip the certificate validation.
  8. (Optional) Click Allow schema invalid documents to enable the import of intel that might be formatted incorrectly. Invalid documents show a warning next to their type on the individual intel page.
  9. Click Create.

Set up Connect and Wildfire

You can use Connect to integrate intel from a Palo Alto Wildfire subscription. Palo Alto Wildfire differs from other intel sources in that this integration is performed through Tanium Connect and results in IOCs being created in the engine. For full details, see the Tanium Connect User Guide: Configuring Palo Alto Networks WildFire and Tanium Threat Response.

Configurations to Palo Alto Wildfire require the PAN firewall to use a certificate that is self-signed by Palo Alto.

Use a local directory or remote share

Stream intel from a set of local directories on the Module Server. The System Administrator for the computer where the Module Server is hosted must authorize a directory for streaming.

  1. Stop the Tanium Detect service.
  2. Add the directory to the <Tanium Module Server>/services/detect3-files/data/detect-blobs/folder-stream-roots.conf file.

    If you set up a directory, other users can add folders within the authorized directory. For example, if you add a c:\folder_streams directory, other users could add the c:\folder_streams\stream1 and c:\folder_streams\stream2 directories.

  3. Restart the Tanium Detect service.
  4. From the Threat Response menu, click Intel > Sources. Click New Source.
  5. From the Type drop-down menu, select Local Directory.
  6. Add a name and description.
  7. Specify the absolute directory path on the Module Server. The folder must be explicitly authorized for stream activity.
  8. (Optional) Disable update tracking for imported files.
  9. (Optional) Click Allow schema invalid documents to enable the import of intel that might be formatted incorrectly. Invalid documents show a warning next to their type on the individual intel page.
  10. Click Create.
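
The authorization model in step 2 is hierarchical: a root listed in folder-stream-roots.conf authorizes every folder beneath it, and nothing else. The following is an added example, not Tanium's code, of how such a check should be done so that a sibling directory with a matching name prefix (c:\folder_streams_other) or a path containing ".." segments is not mistaken for an authorized stream folder. The conf file syntax (one absolute directory per line, lines starting with "#" ignored) and the sample root list are assumptions for this example; the page does not show the file's format.

```python
from pathlib import PureWindowsPath

# Constructed sample of folder-stream-roots.conf. The page does not show the
# file's syntax, so "one absolute directory per line, '#' starts a comment" is
# an assumption made for this example.
SAMPLE_CONF = r"""
# Directories authorised for intel folder streams (constructed sample)
C:\folder_streams
D:\shared\intel_drop
"""


def parse_roots(conf_text: str, flavour=PureWindowsPath) -> list:
    """Parse the authorised stream roots; a relative entry is a config error."""
    roots = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        root = flavour(line)
        if not root.is_absolute():
            raise ValueError(f"stream root must be absolute: {line!r}")
        roots.append(root)
    return roots


def is_authorized(path_str: str, roots, flavour=PureWindowsPath) -> bool:
    """Return True if path_str is an authorised root or lies beneath one.

    The comparison is component-wise rather than a string-prefix test, so a
    sibling such as C:/folder_streams_other is not treated as being inside
    C:/folder_streams. Any '..' segment is rejected outright instead of being
    trusted to cancel out against an earlier component.
    """
    path = flavour(path_str)
    if not path.is_absolute() or ".." in path.parts:
        return False
    return any(path.is_relative_to(root) for root in roots)


if __name__ == "__main__":
    roots = parse_roots(SAMPLE_CONF)
    # Constructed requests: the first two follow the page's own example of
    # users adding stream1 beneath an authorised root.
    for requested in (
        r"C:\folder_streams\stream1",
        r"C:\folder_streams\stream2",
        r"C:\folder_streams_other\stream1",   # prefix look-alike, not beneath a root
        r"C:\folder_streams\..\Windows\Temp",  # traversal attempt, rejected
        r"E:\folder_streams\stream1",          # wrong drive, not a root
    ):
        print(f"{requested:45} authorised={is_authorized(requested, roots)}")
```

The same logic applies to a Linux Module Server or a mounted share on a Tanium Appliance by passing `PurePosixPath` as `flavour`; the important property is that the decision is made on path components, never on raw string prefixes.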

To mount a file share on a Tanium Appliance, see Tanium Appliance User Guide: Configure solution module file share mounts.

If you edit an existing source, for example, by adding subscription choices, Threat Response indexes and downloads new intel documents every 60 seconds. The intel gets pushed to the endpoint during the next intel publication interval.

For more information about registry settings to use sources with a proxy server, see the Tanium Core Platform Installation Guide: Server Proxy Settings.

Delete an intel source

When you delete an intel source, all intel documents that are associated with the source are moved to the unknown source. The unknown source is not displayed on the sources page. To identify intel documents associated with the unknown source, you can filter all intel. Alerts that are associated with the intel from the source you are deleting are not deleted.

  1. From the Threat Response menu, go to Management > Intel.
  2. Click the intel source that you want to delete.
  3. Click Delete. Click OK to confirm the deletion of the intel source.

Any intel documents that were associated with the source you deleted are now associated with the unknown source. To manage intel in the unknown source, see View orphaned intel documents.

Set up the reputation service

Reputation data provides more insight into which alerts might be good candidates to save for further analysis and action. Through a Tanium™ Connect integration, Threat Response uses the reputation data from third parties, such as VirusTotal or Palo Alto Networks WildFire. Blocklisted hashes are not included in the results unless the hashes are discovered by the saved question.

Setting up reputation data is a two-part process:

  1. Configure reputation data in Connect.
  2. Create a reputation source in Threat Response.

Configure reputation data in Connect

In Tanium Connect, create a connection from a saved question source to the Tanium Reputation destination. This connection sends the list of hashes returned by the saved question in Connect to Reputation. For every subscription interval, the detect service queries Reputation for all discovered malicious hashes. Reputation data requires a Connect version from Connect 4.1 to Connect 4.10.5, or Connect 4.11 and Reputation 5.0. For more information on configuring the reputation service settings, see Tanium Reputation User Guide: Reputation overview.

Create a reputation source in Threat Response

Configure Threat Response to search for specific data from the reputation service.

  1. From the Threat Response menu, click Intel > Sources. Click New Source.
  2. From the Type drop-down menu, select Reputation.
  3. Enter a number of Reputations per IOC to send to the reputation source. Each reputation includes up to three hash values.
  4. Enter a Subscription Interval (in minutes). For every subscription interval, the detect service queries the reputation service for all discovered hash data.
  5. When known malicious indicators are found, choose a computer group to be automatically quick scanned.
  6. Click Create.

For endpoints that use reputation data, any hashes found by the saved questions are sent to the third-party reputation service for assessment.

With the Reputation intel source improvements (requires Reputation 5.0.0 or later), saved questions for reputation hashes must now be configured and managed entirely within Tanium Connect. The naming convention of Reputation intel has changed from Malicious Files $Date:$Time to Reputation Malicious Files $Date:$Time. Additionally, any Reputation intel that existed before an upgrade is renamed with the date and time of the upgrade appended to the Signal name.

Add Signals

Signals are monitored by the recorder for live process, file, network, registry, and DNS event matching on the endpoint, provided that a recorder configuration is enabled in an active profile. If a recorder configuration is not enabled in an active profile, Signal matches still trigger alerts; however, no specific information regarding the context of the Signal match displays in the resulting alert. You can write your own Signals. By default, each Signal can contain up to 24 unique terms.

  1. From the Threat Response menu, click Intel.
  2. Click Add > Signal.
  3. Add a name and description.
  4. Select the operating systems for the Signal to target.
  5. Select a MITRE Technique ID. Selecting a MITRE Technique ID aligns the Signal with the MITRE ATT&CK Framework and helps map coverage to the different tactics and techniques. You can assign multiple technique IDs to a single Signal.
  6. Configure the Signal. For more information, see Reference: Authoring Signals.
  7. (Optional) Add a description.
  8. Click Save.

If the event is filtered (ignored), it cannot be matched against a Signal.

For Signals provided by Tanium, see Connect to the Tanium Signals feed.

Import and export Signals

Import and export Signals to move them from one platform to another. For example, you can export Signals from a test system and import them to a production system. Signals are imported and exported as JSON files and have a file size limit of 1 MB.

Export Signals

  1. From the Threat Response menu, click Intel.
  2. Select the Signals you want to export and click Actions > Export. Any intel documents that are not Signals are omitted from the export.
  3. For each Signal that you include in an export, select to Include all Labels and Include all Suppressions if you want to preserve the labels and suppression rules that you have associated with the Signal. Click OK. If you do not select to include labels or suppressions, the Signal is exported without any associated labels or suppression rules.
  4. A JSON file is created for the export. Provide a name for the JSON file and click Export.

Import Signals

  1. From the Threat Response menu, click Intel.
  2. Click Import > Signals.
  3. Browse to the JSON files that correspond to the Signals you want to import. Click OK. Click Next.
  4. If the Signal already exists, or exists with different suppression rules or labels associated with it, select Action > Skip to not import the Signal. Click Next.
  5. Review the list of the imported Signals and click Finish.

Exporting Signals that include MITRE technique IDs and importing them into an environment where the same Signals exist without associated MITRE technique IDs results in a new Signal with the same content plus the MITRE technique ID information. The result is that two Signals exist: one with MITRE technique information, and one without.

Upload intel documents

You can upload multiple intel documents at the same time.

  1. From the Threat Response menu, click Intel.
  2. Click Add > Upload.
  3. Select intel files and click Upload.
  4. Review the intel validation check. The intel XML schema validation check shows the documents that were successfully uploaded and any documents with errors.
  5. Click Close.

Create intel documents

Create an intel document with a set of user-defined rules.

Quick Add supports some types of defanged IP address formats that are found in threat intelligence documents, such as 10[.]1[.]1[.]1 or 10 . 1 . 1 . 1.

  1. From the Threat Response menu, click Intel.
  2. Click Add > Quick Add.
  3. From the Detect when drop-down menu, select the type of data.
  4. Type the information to match.
  5. (Optional) Enable Exact match required.
  6. Type a name for the intel document. For long-term usability, use a consistent naming convention.
  7. Click Create.
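
Quick Add's acceptance of defanged addresses such as 10[.]1[.]1[.]1 or 10 . 1 . 1 . 1 is convenient, but indicators copied out of reports are often inconsistently defanged, and a mangled one should be rejected rather than silently become intel. The following added example, not Tanium's code, normalizes a list of pasted indicators before they are entered: it refangs the two forms the page names and, as an assumption about other common report styles, also "(.)", "[dot]" and "(dot)", then validates each result as an IPv4 address and de-duplicates. The sample indicator list is constructed for the example.

```python
import ipaddress
import re
from typing import Optional

# Substitutes for the dot, with optional surrounding whitespace. "[.]" and
# " . " are the forms the page names; "(.)", "[dot]" and "(dot)" are added
# here as an assumption about other commonly seen report styles.
DEFANGED_DOT = re.compile(
    r"\s*(?:\[\s*\.\s*\]|\(\s*\.\s*\)|\[dot\]|\(dot\)|\.)\s*",
    re.IGNORECASE,
)


def refang_ipv4(indicator: str) -> Optional[str]:
    """Return the canonical dotted-quad form of a defanged IPv4 indicator.

    Returns None when the text does not resolve to a valid IPv4 address, so a
    truncated or mistyped indicator is rejected instead of becoming intel.
    """
    candidate = DEFANGED_DOT.sub(".", indicator.strip())
    try:
        return str(ipaddress.IPv4Address(candidate))
    except ValueError:  # AddressValueError is a ValueError subclass
        return None


def partition_indicators(lines):
    """Split raw indicator lines into (accepted, rejected).

    accepted: canonical IPv4 strings, de-duplicated, in first-seen order
    rejected: the original lines that did not refang to a valid IPv4 address
    """
    accepted, rejected, seen = [], [], set()
    for line in lines:
        ip = refang_ipv4(line)
        if ip is None:
            rejected.append(line)
        elif ip not in seen:
            seen.add(ip)
            accepted.append(ip)
    return accepted, rejected


# Constructed sample: indicators as they might be pasted from a threat report.
SAMPLE_INDICATORS = [
    "10[.]1[.]1[.]1",
    "10 . 1 . 1 . 1",          # same address, different defanging: de-duplicated
    "192(.)168[dot]0.254",     # mixed styles in one indicator
    "10[.]1[.]1",              # only three octets: rejected
    "bad[.]example",           # a hostname, not an address: rejected
]

if __name__ == "__main__":
    accepted, rejected = partition_indicators(SAMPLE_INDICATORS)
    print("accepted:", accepted)
    print("rejected:", rejected)
```

Review the rejected list by hand before entering anything: a rejected line is usually a copy-paste truncation or a domain indicator that belongs under a different Detect when type.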

Label intel

Use labels to organize intel into sets that are relevant for your environment. For example, you might want to sort intel by priority, incident case, or based on the applicable attack surface.

Create custom labels to control the promotion of intel in a production environment. The names of labels provided by Tanium are subject to change. Signals are generally updated automatically, creating a possibility that label changes could cause unintended consequences in a production environment. A best practice is to adopt a convention for naming custom labels that follows an organization’s object naming guidelines.

Apply a label

  1. From the Threat Response menu, click Intel.
  2. Select the check box next to the intel documents or Signals. Click Label.
  3. Click Add Label and type in a new label or select an existing label.
  4. Click Save Changes.

Configure YARA files

YARA files function like other intel documents with regard to uploading, streaming from a folder, and labeling. However, Threat Response automatically assigns a scope to limit the evaluation scan; by default, all YARA files are set to scan live files. You can change the evaluation scope for any YARA file.

  1. From the Threat Response menu, click Intel.
  2. Click the intel name, then click the Search Scope tab.
  3. Select the scope of the evaluation scan.
    • Live Files: Limited to the running processes and their executable and library files.
    • Memory: (Windows and Mac only) Limited to the memory of all running processes.
    • Paths: Limited to the configured directory paths. The path search is recursive, up to 32 directories.
  4. Click Save.

View orphaned intel documents

When the source for a piece of intel is removed, the intel moves into an orphaned state.

  1. From the Threat Response menu, click Intel.
  2. Expand the Filter Results section and set the Source to Unknown.

Testing Intel for deployment

Test intel in a lab or test environment before deploying it to a production environment. Create the new intel and use Quick Scans to test against endpoints to verify:

  • The intel matches on what you expect.
  • The intel does not generate a high number of false positives.

When you are ready to promote the intel in a production environment, the following process is advised as a best practice:

  1. Import or create the new intel in a production environment.
  2. Quick scan the intel against a computer group that contains a small number of endpoints that you have identified as appropriate for testing purposes. See Tanium Console User Guide: Create computer groups for more information. Verify the performance of the intel; for example, ensure it is matching and generating alerts for expected indicators of compromise.
  3. Quick scan the intel against an Alpha computer group that contains approximately 10% of the total endpoints the intel will ultimately target. Verify the performance of the intel. Modify the intel if necessary.
  4. Add the Alpha label to the new Intel and deploy. See Label the intel and Deploy intel for more information. Allow time for the intel to deploy. Verify the performance of the intel. Modify the intel if necessary.
  5. Quick scan the intel against a Beta computer group that contains approximately 20% of the total endpoints the intel will ultimately target. Verify the performance of the intel. Modify the intel if necessary.
  6. Add the Beta label to the new Intel and deploy. Allow time for the intel to deploy. Verify the performance of the intel. Modify the intel if necessary.
  7. Quick scan the intel against the Threat Response Production computer group. Verify the performance of the intel. Modify the intel if necessary.
  8. Add the Production label to the new intel and deploy. The intel is now fully deployed in production. Continue to verify the performance of intel and refine as necessary.

Last updated: 8/12/2020 2:47 PM