Adding intel

Intel defines one or more conditions that might indicate malicious behavior on endpoints. Threat Response can leverage multiple sources of intel to identify and alert on potential threats in an environment. In addition to supporting third-party intelligence sources, Tanium provides threat intelligence called Signals. Intel documents and Signals, generally referred to as intel, interact with the engine to provide comprehensive monitoring and alerting.

Some intel document types, such as OpenIOC, STIX, CybOX, and YARA, search against existing or historical artifacts on the endpoint. There are a number of providers for these documents. You can upload them directly or configure source streams.

Signals are another type of intel, but they interact with the engine differently. Instead of searching stored artifacts, the recorder evaluates Signals continuously against live endpoint events (process, file, network, registry, and DNS) as they occur. Signals help to identify malicious activity by correlating events and matching behavior-based indicators that something is awry. You can use Signals supplied by Tanium as a source, or you can write your own.

Threat Response integrates with third-party reputation services. Hashes are sent to the reputation service for assessment, then Threat Response enhances intel with the hash ratings. The Definition and Engine Analysis tabs on the Intel details page provide additional information about how the intel document is structured, which parts are applicable, and the hash rating.

Configure intel sources

An intel source is a stream of intel documents from an external location, either a vendor feed or a folder on your network. You can import from a source manually or on a subscription schedule.

Intel sources are updated by the Threat Response service, which runs on the Module Server. If security software in your environment monitors and blocks unknown URLs, your security administrator must allow the intel provider URLs for the Module Server.

Threat Response accepts several intel formats through the following source types.

Connect to the Tanium Signals feed

The Tanium Signals feed provides a stream of regularly updated Signals that are designed to detect common patterns of attack on Windows endpoints. Each Signal is mapped to one or more categories in the MITRE ATT&CK Framework.

  1. From the Threat Response menu, click Intel > Sources. Click New Source.
  2. From the Type drop-down menu, select Tanium Signals.
  3. (Optional) If you do not want to use the default feed, enter a different content manifest URL. Use this field for testing beta Signals in non-production environments. Contact your TAM for details.
  4. Select the Require Tanium Signature check box so that only Signals signed by Tanium are accepted. Leave it selected in production.
  5. Select the Subscription Interval, in minutes.
  6. (Optional) Click Ignore SSL to skip certificate validation. Skipping validation removes the protection against a feed that is tampered with in transit, so leave it unselected outside of test environments.
  7. Click Create.

When the Tanium Signals feed is updated, Threat Response generates system notifications that include the release notes for the update.

Connect to PwC Threat Intelligence

PwC Threat Intelligence is always in OpenIOC format. You can have only one stream of this type at a time.

You must have a PwC subscription.

  1. From the Threat Response menu, click Intel > Sources. Click New Source.
  2. From the Type drop-down menu, select PwC.
  3. Add your subscription details including the URL, user name, and password.
  4. Select the Subscription Interval, in minutes.
  5. (Optional) Click Ignore SSL to skip certificate validation. Skipping validation removes the protection against a feed that is tampered with in transit, so leave it unselected outside of test environments.
  6. (Optional) Click Allow schema invalid documents to enable the import of intel that might be formatted incorrectly. Invalid documents show a warning next to their type on the individual intel page.
  7. Click Create.

Connect to iSIGHT Partners ThreatScape

The iSIGHT intelligence is always in STIX format. You can have only one stream of this type at a time.

You must have an iSIGHT subscription.

  1. From the Threat Response menu, click Intel > Sources. Click New Source.
  2. From the Type drop-down menu, select iSight.
  3. Paste the public and private key for your subscription.
  4. Select the Initial History, in days, and the Subscription Interval, in minutes.
  5. (Optional) Click Allow schema invalid documents to enable the import of intel that might be formatted incorrectly. Invalid documents show a warning next to their type on the individual intel page.
  6. Click Create.

Connect to a TAXII server

TAXII intelligence is always in STIX format. Unlike other streams, TAXII also sorts intel documents into collections, and a document only appears in one collection. Configure a source for each collection.

  1. From the Threat Response menu, click Intel > Sources. Click New Source.
  2. From the Type drop-down menu, select TAXII.
  3. Add a name and description.
  4. Add subscription details including the URL, user name, and password.
  5. Type in the case-sensitive collection name or select from available collections.
  6. Select the Initial History, in days, and the Subscription Interval, in minutes.
  7. Make optional security selections.
    1. If the TAXII server requires client certificate (mutual TLS) authentication, paste the certificate and private key for your subscription.
    2. Click Ignore SSL to skip certificate validation. Skipping validation removes the protection against a feed that is tampered with in transit, so leave it unselected outside of test environments.
  8. (Optional) Click Allow schema invalid documents to enable the import of intel that might be formatted incorrectly. Invalid documents show a warning next to their type on the individual intel page.
  9. Click Create.

Set up Connect and Wildfire

You can use Connect to integrate intel from a Palo Alto WildFire subscription. For full details, see the Tanium Connect User Guide: Configuring Palo Alto Networks WildFire and Tanium Threat Response.

Use a local directory

Stream intel from a set of local directories on the Module Server. The System Administrator for the computer where the Module Server is hosted must authorize a directory for streaming.

  1. Stop the Threat Response service.
  2. Add the directory to the <Tanium Module Server>/services/detect3-files/data/detect-blobs/folder-stream-roots.conf file.

    After a directory is authorized, other users can create stream folders within it. For example, if you authorize c:\folder_streams, other users can add c:\folder_streams\stream1 and c:\folder_streams\stream2 as stream directories. Restrict write access to the authorized directory: any file placed in it becomes intel that Threat Response imports and pushes to endpoints.

  3. Restart the Threat Response service.
  4. From the Threat Response menu, click Intel > Sources. Click New Source.
  5. From the Type drop-down menu, select Local Directory.
  6. Add a name and description.
  7. Specify the absolute directory path on the Module Server. The folder must be explicitly authorized for stream activity.
  8. (Optional) Disable update tracking for imported files.
  9. (Optional) Click Allow schema invalid documents to enable the import of intel that might be formatted incorrectly. Invalid documents show a warning next to their type on the individual intel page.
  10. Click Create.

When you edit an existing source, for example to change its subscription settings, Threat Response indexes and downloads new intel documents on a schedule that depends on the source type. The intel is pushed to endpoints during the next intel publication interval.

For more information about registry settings to use sources with a proxy server, see the Tanium Core Platform Installation Guide: Server Proxy Settings.

Delete an intel source

When you delete an intel source, all intel documents that are associated with the source are moved to the unknown source. The unknown source is not displayed on the sources page. To identify intel documents associated with the unknown source, you can filter all intel. Alerts that are associated with the intel from the source you are deleting are not deleted.

  1. From the Threat Response menu, go to Management > Intel.
  2. Click the intel source that you want to delete.
  3. Click Delete. Click OK to confirm the deletion of the intel source.

Any intel documents that were associated with the source you deleted are now associated with the unknown source. To manage intel in the unknown source, see View orphaned intel documents.

Set up the reputation service

Reputation data provides more insight into which alerts might be good candidates to save for further analysis and action. Through a Tanium™ Connect integration, Threat Response uses the reputation data from third parties, such as VirusTotal or Palo Alto Networks WildFire.

Setting up reputation data is a two-part process:

  1. Configure reputation data in Connect.
  2. Create a reputation source in Threat Response.

Configure reputation data in Connect

Reputation data requires Connect 4.1 through Connect 4.10.5, or Connect 4.11 together with Reputation 5.0. For more information about configuring the reputation service settings, see Tanium Reputation User Guide: Reputation overview.

Create a reputation source in Threat Response

Configure Threat Response to search for specific columns of data to send to the reputation service.

  1. From the Threat Response menu, click Intel > Sources. Click New Source.
  2. From the Type drop-down menu, select Reputation.
  3. Select a saved question and column name. You can create your own saved questions, if needed.

    The Threat Response service account user needs to have the read saved question privilege on the content set where saved questions are created.

  4. Select how often Threat Response polls for new responses to the saved question.
  5. When known malicious indicators are found, choose a computer group to be automatically quick scanned.
  6. Click Create.

For endpoints that use reputation data, any hashes found by the saved questions are sent to the third-party reputation service for assessment.

Add Signals

The recorder evaluates Signals against live process, file, network, registry, and DNS events on the endpoint. You can write your own Signals. By default, each Signal can contain up to 24 unique terms.

  1. From the Threat Response menu, click Intel.
  2. Click Add > Signal.
  3. Add a name and, optionally, a description.
  4. Select the operating systems for the Signal to target.
  5. (Optional) Select one or more MITRE Technique IDs. Mapping a Signal to technique IDs aligns it with the MITRE ATT&CK framework and helps you track coverage across tactics and techniques.
  6. Configure the Signal. For more information, see Reference: Authoring Signals.
  7. Click Save.

Events that the recorder filters (ignores) are never evaluated against Signals, so a Signal cannot match activity that your recorder filters exclude.

For Signals provided by Tanium, see Connect to the Tanium Signals feed.

Import and export Signals

Import and export Signals to move them from one platform to another. For example, you can export Signals from a test system and import them to a production system. Signals are imported and exported as JSON files and have a file size limit of 1 MB.

Export Signals

  1. From the Threat Response menu, click Intel.
  2. Select the Signals you want to export and click Actions > Export. Any intel documents that are not Signals are omitted from the export.
  3. For each Signal in the export, select Include all Labels and Include all Suppressions to preserve the labels and suppression rules associated with it, then click OK. If you do not select these options, the Signal is exported without its labels or suppression rules.
  4. A JSON file is created for the export. Provide a name for the JSON file and click Export.

Import Signals

  1. From the Threat Response menu, click Intel.
  2. Click Import > Signals.
  3. Browse to the JSON files that correspond to the Signals you want to import. Click OK. Click Next.
  4. If a Signal already exists in the target environment, or exists there with different suppression rules or labels, select Action > Skip to leave the existing Signal unchanged and not import it. Click Next.
  5. Review the list of the imported Signals and click Finish.

If you export Signals that include MITRE technique IDs and import them into an environment where the same Signals exist without technique IDs, the import creates a new Signal with the same content plus the technique ID information. The result is two Signals: one with MITRE technique information and one without.

Upload intel documents

You can upload multiple intel documents at the same time.

  1. From the Threat Response menu, click Intel.
  2. Click Add > Upload.
  3. Select intel files and click Upload.
  4. Review the intel validation check. The intel XML schema validation check shows the documents that were successfully uploaded and any documents with errors.
  5. Click Close.
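The upload-time check flags documents that fail schema validation, so it saves a round trip to catch obvious problems locally first. The following Python example is added here and is not Tanium code: it builds a minimal OpenIOC 1.0 document from a list of file hashes and runs a local preflight (well-formed XML, expected root element, at least one IndicatorItem with a Context and a non-empty Content). It assumes the OpenIOC 1.0 element names and FileItem search paths published by Mandiant (FileItem/Md5sum, FileItem/Sha1sum, FileItem/Sha256sum); the sample hashes are digests of constructed bytes, not real indicators. The preflight is a sanity check, not a replacement for the schema validation that runs on upload.

```python
import hashlib
import re
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# OpenIOC 1.0 namespace and FileItem hash terms, assumed from the Mandiant schema.
IOC_NS = "http://schemas.mandiant.com/2010/ioc"
_HASH_TERMS = {                      # hex digest length -> (Context search path, Content type)
    32: ("FileItem/Md5sum", "md5"),
    40: ("FileItem/Sha1sum", "sha1"),
    64: ("FileItem/Sha256sum", "sha256"),
}


def _tag(name: str) -> str:
    """Qualify an element name with the OpenIOC namespace."""
    return f"{{{IOC_NS}}}{name}"


def build_openioc(name: str, description: str, hashes, author: str = "SOC") -> str:
    """Return an OpenIOC 1.0 document (XML text) that matches any of the given file hashes."""
    ET.register_namespace("", IOC_NS)            # serialize with a default namespace, not ns0:
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    ioc = ET.Element(_tag("ioc"), {"id": str(uuid.uuid4()), "last-modified": now})
    ET.SubElement(ioc, _tag("short_description")).text = name
    ET.SubElement(ioc, _tag("description")).text = description
    ET.SubElement(ioc, _tag("keywords"))
    ET.SubElement(ioc, _tag("authored_by")).text = author
    ET.SubElement(ioc, _tag("authored_date")).text = now
    ET.SubElement(ioc, _tag("links"))
    definition = ET.SubElement(ioc, _tag("definition"))
    # OR at the top level: one matching hash is enough for the indicator to fire
    indicator = ET.SubElement(definition, _tag("Indicator"),
                              {"operator": "OR", "id": str(uuid.uuid4())})
    for raw in hashes:
        value = raw.strip().lower()
        if not re.fullmatch(r"[0-9a-f]+", value) or len(value) not in _HASH_TERMS:
            raise ValueError(f"not a hex MD5/SHA-1/SHA-256 digest: {raw!r}")
        search, content_type = _HASH_TERMS[len(value)]
        item = ET.SubElement(indicator, _tag("IndicatorItem"),
                             {"id": str(uuid.uuid4()), "condition": "is"})
        ET.SubElement(item, _tag("Context"), {"document": "FileItem", "search": search, "type": "mir"})
        ET.SubElement(item, _tag("Content"), {"type": content_type}).text = value
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(ioc, encoding="unicode")


def preflight_openioc(xml_text) -> list:
    """Local checks before upload. Returns a list of problems; an empty list means the document passed."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != _tag("ioc"):
        return [f"root element is {root.tag}, expected {_tag('ioc')}"]
    problems = []
    if root.find(_tag("short_description")) is None:
        problems.append("missing short_description")
    items = root.findall(f".//{_tag('IndicatorItem')}")
    if not items:
        problems.append("no IndicatorItem elements: the document can never match")
    for item in items:
        ctx = item.find(_tag("Context"))
        content = item.find(_tag("Content"))
        text = (content.text or "").strip() if content is not None else ""
        if ctx is None or not text:
            problems.append(f"IndicatorItem {item.get('id')} lacks a Context or a non-empty Content")
        elif ctx.get("search", "").endswith("sum") and not re.fullmatch(r"[0-9a-fA-F]+", text):
            problems.append(f"IndicatorItem {item.get('id')}: hash term with non-hex Content {text!r}")
    return problems


# Constructed sample hashes (digests of throwaway bytes), not real malware indicators.
SAMPLE_HASHES = [
    hashlib.md5(b"constructed-sample-dropper").hexdigest(),
    hashlib.sha256(b"constructed-sample-payload").hexdigest(),
]

if __name__ == "__main__":
    doc = build_openioc("Sample dropper hashes", "constructed example", SAMPLE_HASHES)
    print(doc)
    print("preflight problems:", preflight_openioc(doc) or "none")
```

Write the returned text to a .ioc file and upload it through Add > Upload; the document's short_description is what appears as the intel name.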

Create intel documents

Create an intel document with a set of user-defined rules.

Quick Add recognizes some of the defanged IP address formats that appear in threat intelligence reports, such as 10[.]1[.]1[.]1 or 10 . 1 . 1 . 1.

  1. From the Threat Response menu, click Intel.
  2. Click Add > Quick Add.
  3. From the Detect when drop-down menu, select the type of data.
  4. Type the information to match.
  5. (Optional) Enable Require exact match.
  6. Type a name for the intel document. For long term usability, use a consistent naming convention.
  7. Click Create.
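Quick Add undoes only a few defanging styles, while reports use many more (hxxp://, (dot), [:], [@]). The following Python helper is added here as an example and is not part of Threat Response or Tanium: it refangs a batch of indicator lines, classifies each as a hash, IP address, URL or domain, and drops duplicates and unrecognized values, so the result is ready to paste into Quick Add or to build into an intel document. The defanging conventions it handles are assumptions about common report styles, and the sample lines are constructed, not real intelligence.

```python
import ipaddress
import re

# Defanging conventions seen in threat reports, mapped back to the real character.
# These are assumptions about common report styles, not a Threat Response feature list.
_DEFANG_TOKENS = [
    (re.compile(r"\[\s*\.\s*\]"), "."),               # 10[.]1[.]1[.]1 and 10[ . ]1
    (re.compile(r"\(\s*\.\s*\)"), "."),               # 10(.)1(.)1(.)1
    (re.compile(r"\{\s*\.\s*\}"), "."),               # 10{.}1{.}1{.}1
    (re.compile(r"\s*[\[(]dot[\])]\s*", re.I), "."),  # evil(dot)example[dot]com
    (re.compile(r"\[://\]"), "://"),                  # hxxp[://]
    (re.compile(r"\[:\]"), ":"),                      # hxxp[:]//
    (re.compile(r"\[@\]"), "@"),                      # user[@]example.com
    (re.compile(r"(?<=\S)\s+\.\s+(?=\S)"), "."),      # 10 . 1 . 1 . 1
]
_DEFANGED_SCHEME = re.compile(r"^hxxp(s?)://", re.I)  # hxxp:// and hxxps://
_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
_DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def refang(indicator: str) -> str:
    """Reverse common defanging so the value is usable in Quick Add or an intel document."""
    value = indicator.strip()
    for pattern, replacement in _DEFANG_TOKENS:
        value = pattern.sub(replacement, value)
    return _DEFANGED_SCHEME.sub(lambda m: "http" + m.group(1).lower() + "://", value)


def classify(value: str) -> str:
    """Label a refanged value as hash, ip, url, domain, or unknown."""
    if _HASH.match(value):
        return "hash"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if "://" in value:
        return "url"
    if _DOMAIN.match(value):
        return "domain"
    return "unknown"


def normalize_indicators(lines):
    """Refang, classify and de-duplicate one indicator per line; skips comments and unrecognized values."""
    seen = set()
    result = []
    for line in lines:
        text = line.strip()
        if not text or text.startswith("#"):
            continue
        value = refang(text)
        kind = classify(value)
        key = value.lower()
        if kind == "unknown" or key in seen:
            continue
        seen.add(key)
        result.append((kind, value))
    return result


# Constructed sample lines in the styles a report might use; not real intelligence.
SAMPLE_REPORT_LINES = [
    "# constructed sample, not real threat intelligence",
    "10[.]1[.]1[.]1",
    "10 . 1 . 1 . 1",                              # same address, defanged differently
    "hxxp://evil[.]example[.]com/dropper.bin",
    "c2(dot)example(dot)net",
    "hXXps[:]//c2(dot)example(dot)net/beacon",
    "d41d8cd98f00b204e9800998ecf8427e",
    "not an indicator at all",
]

if __name__ == "__main__":
    for kind, value in normalize_indicators(SAMPLE_REPORT_LINES):
        print(f"{kind:7} {value}")
```

The classification drives the Detect when choice in Quick Add (IP address, domain, hash and so on); the two spellings of the same address collapse to one entry, which avoids creating duplicate intel documents for one indicator.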

Label intel

Use labels to organize intel into sets that are relevant for your environment. For example, you might want to sort intel by priority, incident case, or based on the applicable attack surface.

Apply a label

  1. From the Threat Response menu, click Intel.
  2. Select the check box next to the intel documents or Signals. Click Label.
  3. Click Add Label and type in a new label or select an existing label.
  4. Click Save Changes.

Configure YARA files

YARA files behave like other intel documents with regard to uploading, streaming from a folder, and labeling. However, Threat Response assigns each YARA file a scope that limits its evaluation scan; by default, all YARA files scan live files. You can change the evaluation scope of any YARA file.

  1. From the Threat Response menu, click Intel.
  2. Click the intel name, then click the Search Scope tab.
  3. Select the scope of evaluation scan.
    • Live Files: Limited to the running processes and their executable and library files.
    • Memory: (Windows and Mac only) Limited to the memory of all running processes.
    • Paths: Limited to the configured directory paths. The path search is recursive, up to 32 directories.
  4. Click Save.

View orphaned intel documents

When the source for a piece of intel is removed, the intel moves into an orphaned state.

  1. From the Threat Response menu, click Intel.
  2. Expand the Filter Results section and set the Source to Unknown.

Last updated: 11/7/2019 11:46 AM