Isolating endpoints

Isolate a Windows, Linux, or Mac endpoint that shows evidence of compromise or other suspicious activity. Use Threat Response to apply, remove, and test for quarantine.

When an endpoint is quarantined, by default the only traffic allowed on the quarantined endpoint is:

  • Traffic between the Tanium Client on the quarantined endpoint and the Tanium Server over port 17472.
  • Essential traffic that is needed to obtain an IP address and resolve names (DHCP/DNS).

Threat Response includes a safety feature that automatically reverses a quarantine policy. After a quarantine policy is applied, the effect of the policy is logged. If the endpoint is able to communicate with Tanium Server, Threat Response logs the successful application of the policy. If a policy prevents the endpoint from communicating with Tanium Server, Threat Response backs out the policy and saves logs in the action folder.

Install Quarantine

Import the Tanium Quarantine solution

Install the Tanium Quarantine solution by importing the associated content from the Solutions page.

  1. From the Main menu, click Administration > Configuration > Solutions.
  2. In the Content section, select the IR Quarantine row and click Import Selected.
  3. Review the list of saved actions, packages, and sensors and click Proceed with Import.
  4. When the import is complete, you are returned to the Solutions page. Verify that the values in the Available Version and Imported Version columns match.

Before you begin

Test quarantine policies in a lab environment before deploying the policy. Do not apply a policy until its behavior is known and predictable. Incorrectly configured policies can block access to the Tanium Server.

  • You must have a Content Administrator account for Tanium Console. For more information, see Tanium Core Platform User Guide: Managing Roles.
  • Identify the traffic that is required when an endpoint is under quarantine.
  • You must have a lab endpoint on the target operating system (Windows, Linux, or Mac) that you can use to test the quarantine policies. You must be able to physically access the machine or to access it using RDP (Windows) or SSH (Linux, Mac).
  • You must have access to the endpoint that you want to quarantine through a sensor or saved question in the Tanium Console.

Endpoint operating system requirements

Supported Windows versions

  • Windows 7 (SP1)
  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows 11
  • Windows Server 2003
  • Windows Server 2008
  • Windows Server 2008 R2 (SP1)
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022

Supported Linux OS versions

  • AlmaLinux 8.x
  • AlmaLinux 9.x
  • RedHat/CentOS 5 (iptables on SysV init)
  • RedHat/CentOS 6 (iptables on SysV init)
  • RedHat/CentOS 7 (firewalld on systemd). Note: a reboot is required on RedHat/CentOS 7.1 endpoints after removing quarantine.
  • RedHat/CentOS 8
  • Rocky Linux 8.x
  • Rocky Linux 9.x
  • Ubuntu 12, 14 (UFW on Upstart)
  • Ubuntu 15, 16, 18, and 20 (UFW on Upstart/systemd)

CentOS Stream 8 and 9 are not currently supported.

Supported Mac OS versions

  • macOS 13 Ventura
  • macOS 12 Monterey
  • macOS 11.0 Big Sur
  • macOS 10.15 Catalina
  • macOS 10.14 Mojave
  • macOS 10.13 High Sierra
  • macOS 10.12 Sierra
  • OS X 10.11 El Capitan
  • OS X 10.10 Yosemite
  • OS X 10.9 Mavericks

OS X 10.8 Mountain Lion and earlier releases are based on ipfirewall (IPFW) and are not supported.

Configure Windows endpoints

The Apply Windows IPsec Quarantine package uses Windows IPsec policies to quarantine the endpoint. You can also add custom rules and options; see Create custom quarantine rules for more information.

You cannot use Windows IPsec Quarantine on networks where a domain IPsec policy is already enforced.

Check that the IPsec Policy Agent service is running on the endpoints

Optionally, you can verify that the IPsec Policy Agent is listed as a running service in Windows.

  1. In Interact, ask the question: Get Service Details containing "PolicyAgent" from all machines with Service Details containing "PolicyAgent"
  2. In the table that gets returned, check the results in the following columns.
    • Service Status: Running or Stopped
    • Service Startup Mode: Manual or Automatic
  3. If necessary, drill down into the results to determine which endpoints do not have the IPsec Policy Agent running.

Configure Linux endpoints

The Apply Linux IPTables Quarantine package quarantines endpoints that are running Linux-based operating systems that support the use of the iptables module.

You cannot use Apply Linux IPTables Quarantine on endpoints where SELinux is enforcing without first adding a policy for Tanium Quarantine. Deploy the Apply Linux Quarantine SELinux Policy package to endpoints that are enforcing SELinux policies to add a policy for Tanium Quarantine. When the policy for Tanium Quarantine is added to an endpoint that is enforcing SELinux, you can quarantine the endpoint using the Apply Linux IPTables Quarantine package.

Verify that endpoints are not using Network Manager

Linux IPTables Quarantine checks to ensure that the iptables module is installed and disables the use of the Network Manager module on endpoints that are targeted for quarantine.

You can check for Linux-based endpoints that are running Network Manager by using the Linux Network Manager sensor to determine if Network Manager is enabled. In Interact, type network manager to find the sensor. This sensor has no parameters.

Configure Mac endpoints

The Apply Mac PF Quarantine package quarantines endpoints that are running Mac OS X operating systems that support the use of Packet Filter (PF) rules. This package creates packet filter rules that isolate endpoints by eliminating communication with network resources. PF software must be installed on endpoints that are targeted for quarantine.

View quarantined endpoints

The Overview page of the Threat Response workbench shows which endpoints are currently quarantined, and you can remove endpoints from quarantine from the same page. For more information about removing endpoints from quarantine, see Remove quarantine.

Test quarantine on lab endpoints

By default, the quarantine on the lab endpoint blocks all communication except with the Tanium Server. You can configure custom rules to define the allowed traffic direction, IP addresses, ports, and protocols. For more information about how to create and deploy custom rules, see Create custom quarantine rules.

Do not quarantine without testing the rules configuration in the lab.

  1. Target computers for quarantine.
    1. In Tanium Console, use the Is Windows, Is Linux, or Is Mac sensor to locate an endpoint to quarantine.
    2. Select the entry for True, and click Drill Down.
    3. On the saved questions page, select Computer Name and click Load. A Computer Names list displays the names of all computers that are running the selected OS.
    4. Select the lab endpoint as a target and click Deploy Action.

  2. In the Deployment Package field, type the name of the quarantine package that you want to deploy: 
    • Apply Windows IPsec Quarantine
    • Apply Linux IPTables Quarantine
    • Apply Mac PF Quarantine

  3. (Optional) Define quarantine rules and options.
    For more information about quarantine rules, see Create custom quarantine rules .
    • If you already attached a taniumquarantine.dat file to the package you are deploying, you do not need to make any other configurations.
    • Otherwise, select Override Config to apply custom rules to the action.
    • If you are using the options and rules in this package deployment, select any options that you want to enable and enter your custom quarantine rules into the Custom Quarantine Rules field.
  4. Click Show Preview to Continue to preview the targeting criteria for the action. Click Deploy Action.
  5. Verify quarantine of the targeted lab endpoint.

    Confirm that the computer has no available means of communication to resources other than Tanium Server and any endpoints that you configured in custom quarantine rules.

    You can use RDP (Windows), SSH (Linux/Mac), the Ping network utility, or a similar means to confirm that communication is blocked. By default, the only traffic that the quarantine allows is between the Tanium Client on the quarantined computer and the Tanium Server over port 17472. If the computer is a server that must allow connections to name servers, verify that those connections are allowed to pass through.

  6. Verify the visibility of the quarantined computer to Tanium Server.
    1. Target the lab computer with a question or sensor.
    2. Check the sensor results for the visibility of the quarantined computer.
    3. On the Quarantine dashboard, click Isolated Machines. A single computer is listed with a Yes on the Quarantine: Isolated Machines page.

Action folders are located under the Tanium Client installation folder on the endpoint, usually Downloads\Action_XXXX.log.
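One way to carry out steps 5 and 6 from the quarantined lab endpoint itself, as an added example that is not Tanium tooling: probe each destination over TCP and compare the outcome with what the quarantine should allow. The addresses in TARGETS are placeholders to replace with your Tanium Server, Module Server, and a host that must stay blocked; the script checks TCP only (use ping for ICMP). The point it makes that RDP, SSH, or ping alone do not: a refused connection means a TCP reset came back, so the packet reached something and was not dropped by the quarantine. Only a timeout demonstrates isolation.

```python
# Post-quarantine connectivity check (added example, not Tanium code). Run it on
# the quarantined lab endpoint after editing TARGETS; it probes TCP only.
import socket

# Placeholder addresses: replace with your Tanium Server, Module Server and a
# host the quarantine must block.   (label, host, port, expected_to_pass)
TARGETS = [
    ("Tanium Server, TCP/17472", "192.0.2.10", 17472, True),
    ("Module Server, Direct Connect TCP/17475", "192.0.2.11", 17475, True),
    ("Internal web server, must be blocked", "192.0.2.50", 443, False),
]

def probe(host, port, timeout=3.0):
    """Return 'open', 'refused' or 'blocked' for one TCP destination.

    Only 'blocked' (no answer at all) shows the quarantine dropped the SYN.
    'refused' means a TCP reset came back, so the packet reached a host (or a
    reject rule answered); treat it as traffic that passed, not as isolation.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:                 # timeout, no route, network unreachable
        return "blocked"

def evaluate(targets, probe_fn=probe):
    """Probe each target; return (label, outcome, ok) where ok means the outcome
    matches the policy: allowed destinations must answer (open or refused),
    blocked ones must time out."""
    report = []
    for label, host, port, should_pass in targets:
        outcome = probe_fn(host, port)
        reached = outcome in ("open", "refused")
        report.append((label, outcome, reached == should_pass))
    return report

def mismatches(report):
    """Labels whose outcome contradicts the intended quarantine policy."""
    return [label for label, _, ok in report if not ok]

def self_check():
    """Offline demonstration on loopback: a live listener reads 'open'; the same
    port after the listener is gone reads 'refused', which is not 'blocked'."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe("127.0.0.1", port, timeout=2)
    listener.close()
    return while_open, probe("127.0.0.1", port, timeout=2)

if __name__ == "__main__":
    for label, outcome, ok in evaluate(TARGETS):
        print(f"{'ok  ' if ok else 'FAIL'} {label}: {outcome}")
    print("self-check:", self_check())
```

Run it once before the quarantine action is deployed (every target should be reachable) and once after; any label that mismatches() reports is a rule to fix before the policy leaves the lab. A host that answers refused although it should be blocked is the case to investigate, not a pass.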

Remove quarantine

In the Quarantined Endpoints section of the Overview page of the Threat Response workbench, view the endpoints that are currently quarantined. Select one or more endpoints to remove from quarantine and click Remove from Quarantine.

Alternatively, you can deploy the Remove Windows IPsec Quarantine, Remove Mac PF Quarantine, or Remove Linux IPTables Quarantine package to the endpoint to remove the quarantine from the computer. Use RDP (Windows), SSH (Mac/Linux), the Ping utility, or another method to confirm the removal of the quarantine and the normal communication of the test computer.

Create custom quarantine rules

Quarantine rules and options define allowed traffic direction, allowed IP addresses, ports, and protocols. All other traffic is blocked. These rules are in the same format for Windows, Linux and Mac. For custom quarantine rule syntax, see Reference: Custom rules and options.

If you do not define any quarantine rules, the default values are used, which give the quarantined endpoint access only to the Tanium Server (or to Tanium Cloud, in Tanium Cloud deployments) and permit DNS/DHCP traffic.

If you previously provided a Windows IPsec policy file, the IPsec policy overrides the custom quarantine rules.

Test the quarantine policy in a lab environment before deploying the policy. Do not apply a policy until its behavior is known and predictable. Incorrectly configured policies can block access to the Tanium Server.

Options for deploying custom quarantine rules and options

You can define quarantine rules and options by either attaching a configuration file to the package, or by selecting options in the Tanium Console when you deploy a quarantine action.

Attach configuration file to package

You can attach a taniumquarantine.dat configuration file that defines quarantine rules and options to either a new package or the existing Quarantine packages. Then push that package out to the endpoints. For an example taniumquarantine.dat file, see Reference: Custom rules examples.

The content of taniumquarantine.dat is restored to the default values every time the Quarantine content is updated.

By default, the following synchronization runs every 30 minutes. If the taniumquarantine.dat in the package has been changed (it is not the default) and is not yet stored in the service, it is stored in the service. If the file in the package is the default version and a copy is stored in the service, the file in the package is overwritten with the stored copy.

  1. From the Main menu, go to Administration > Content > Packages.
  2. Either create a new package, or edit one of the existing Quarantine packages:
    • Apply Windows IPsec Quarantine
    • Apply Mac PF Quarantine
    • Apply Linux IPTables Quarantine
  3. Update the taniumquarantine.dat file.
    1. To download the current file, click Download.
    2. Remove the file that is currently in the package.
    3. Click Add to upload the updated taniumquarantine.dat file.
  4. Click Save to save the updates to the package.
  5. Include custom quarantine rules that allow connectivity for Direct Connect and Live Response (TCP/17475 to the Module Server and TCP/17486 to a Zone Server; see Quarantine options), so that you can still collect artifacts from a quarantined endpoint during an investigation.

Select options in user interface when you deploy Quarantine actions

When you deploy the Apply Windows IPsec Quarantine, Apply Mac PF Quarantine, or Apply Linux IPTables Quarantine actions, you can define the quarantine rules and options as a part of that action. For more information, see Test quarantine on lab endpoints.

Reference: Custom rules and options

Custom rules format

The format for custom rules is not case sensitive. Put each rule on a new line. Trailing white spaces are not supported. This format is used for both the configuration file and in the user interface.

Direction:Protocol:IPAddress:CIDR:Port
#Comment

Direction

Valid values: IN or OUT
Specifies whether incoming or outgoing traffic is allowed.

Protocol

Valid values: ICMP, TCP, UDP
If you specify ICMP, all ICMP traffic, regardless of type or code, is allowed to and from the specified addresses; you cannot restrict ICMP further. The reason is that IPsec does not filter on ICMP type/code; that filtering is done by the Windows Advanced Firewall (advfirewall), not by the IPsec policy.

When quarantine rules block ICMP, path MTU discovery can break. If the endpoint sends packets larger than a router on the path allows, the router normally returns an ICMP "fragmentation needed" message that tells the endpoint to lower its MTU. If that ICMP message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Block ICMP while quarantined only after proper testing.

IPAddress

Valid values: any IPv4 address, or ANY for all addresses.

CIDR

Valid values: 0-32, or blank (undefined) when IPAddress is ANY.
Subnet masks in dotted-decimal format are not permitted. Blank is the same as 32 and matches the IPAddress only.

Port

Valid values: 0-65535 or undefined
Leave undefined (blank) to permit all ports. Ranges are not currently supported, only individual ports or all ports can be defined.

When you use the Custom Quarantine Rules parameter in the package, the total length of the rules must be 1100 characters or less. If you need more, use a custom DAT file.

Quarantine options

You can configure quarantine options in a configuration file or in the deploy action user interface when you quarantine an endpoint.

Configuration file format

OPTION:OptionName:OptionValue

Options

Each option is listed by its name on the Deploy Action screen in Tanium Console, followed by its name in the configuration file.

Allow All DHCP (configuration file: AllDHCP)
  Set to true to allow DHCP traffic to any server.
  Default: true

Allow All DNS (configuration file: AllDNS)
  Set to true to allow DNS traffic to any destination.
  Default: true

N/A (configuration file: CurrentDNS)
  Set to true to allow DNS traffic only to the DNS servers the endpoint is currently configured to use.
  Default: false

Allow All Tanium Servers (configuration file: TaniumServers)
  Set to true to allow Tanium traffic to the Tanium Servers that are defined in the ServerList or Servers configuration on the Tanium Client.
  Default: true

  This option applies only to Tanium Servers and Zone Servers on TCP/17472. It does not include the Module Server, and it does not include TCP/17475 and TCP/17486, which Direct Connect/Live Endpoint connections require. Add custom rules for those.

Allow Alternate Tanium Servers (configuration file: ALTTS)
  Specify IP addresses, separated by commas, or leave empty for no alternates. Use this option, for example, when you want to avoid depending on DNS during quarantine. When the endpoint is removed from quarantine, the original Tanium Server is restored.

Validate Tanium Server Availability (configuration file: CheckTS)
  Set to true to validate that the Tanium Server can be reached on the Tanium port. If the validation fails, the rules are backed out.
  Default: true

VPN Servers (configuration file: VPNSERVERS)
  Specify a comma-separated list of VPN servers for which rules are created automatically. For each host, rules are created for IP protocols 50 and 51 (ESP and AH), UDP 500 and 4500, and TCP/UDP 443.
  Default: no VPN servers

Notification Message (configuration file: Notify)
  Specify a string to notify the user that the system is being quarantined.
  The message limit is 255 characters. Certain characters are not allowed, such as ($), (!), (`), ('), and (*), and some characters require escapes, such as (\"). Test any special characters before using them in production.

  The Notification Message option is not supported on Windows 10 and 11 Home edition or on Linux endpoints.

  Notification messages in languages other than English might require a different character encoding. For example, for Japanese messages, apply the following encodings:

  For Windows: Shift-JIS
  For macOS: UTF-8

  Encodings are applied when the notification message is defined in the taniumquarantine.dat file.

  Default: no notification

Reference: Custom rules examples

Example for Custom Quarantine Rules field

IN:UDP:10.0.0.21:32:161
OUT:UDP:10.0.0.21:32:162

This example defines two rules:

  • Allow SNMP queries (UDP port 161) in from another device at 10.0.0.21.
  • Allow SNMP traps (UDP port 162) out to a device at 10.0.0.21.

This example shows the use of the parameter options in the package, not a taniumquarantine.dat file.

taniumquarantine.dat sample file

For DAT files, each entry must be on its own line; you cannot use pipe (|) characters to combine lines. Trailing white spaces are not supported.

#Allow ICMP out to a specific IP Address
OUT:ICMP:192.168.10.15:32:0
#Allow ICMP in from a specific IP Address
IN:ICMP:192.168.20.10:32:0
#Allow ICMP out to any IP Address
OUT:ICMP:ANY::0
#Allow ICMP in from any IP Address
IN:ICMP:ANY::0
#Allow TCP port 80 in from a specific /24 subnet
IN:TCP:192.168.1.0:24:80
#Allow UDP port 161 in from a specific IP Address
IN:UDP:10.0.0.21:32:161
#Allow HTTPS (tcp 443) out to a specific /16 subnet
OUT:TCP:192.168.0.0:16:443
OPTION:ALLDNS:TRUE
OPTION:CURRENTDNS:FALSE
OPTION:ALLDHCP:TRUE
OPTION:TANIUMSERVERS:TRUE
OPTION:CHECKTS:TRUE
OPTION:NOTIFY:This Device has been Quarantined
#Allow Live Endpoint/Direct Connect from LAN to Tanium Module Server (192.168.10.9)
OUT:TCP:192.168.10.9:32:17475
#Allow Live Endpoint/Direct Connect from remote endpoint to Zone Server (172.16.31.31)
OUT:TCP:172.16.31.31:32:17486
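The following validator is an added example, not Tanium's own code or tooling. It checks a taniumquarantine.dat body, or the contents of the Custom Quarantine Rules field, against the rule and option syntax in the reference above before you attach it to a package: field count, direction, protocol, IPv4 address or ANY, CIDR 0-32 or blank, single ports only, trailing whitespace, pipe-joined lines, the 1100-character field limit, boolean option values, and the notification-message limits. It also warns when an address has host bits set under a prefix shorter than /32, the mistake a rule such as IN:UDP:10.0.0.21:16:161 makes silently (it matches all of 10.0.0.0/16, not one host). The GOOD and BAD configurations are constructed for the example.

```python
# Validator for taniumquarantine.dat / Custom Quarantine Rules content (added example, not Tanium code).
import ipaddress

DIRECTIONS = {"IN", "OUT"}
PROTOCOLS = {"ICMP", "TCP", "UDP"}
BOOL_OPTIONS = {"ALLDHCP", "ALLDNS", "CURRENTDNS", "TANIUMSERVERS", "CHECKTS"}
LIST_OPTIONS = {"ALTTS", "VPNSERVERS"}
FIELD_LIMIT = 1100                # Custom Quarantine Rules parameter limit
NOTIFY_LIMIT = 255                # notification message limit
NOTIFY_FORBIDDEN = set("$!`'*")   # characters the reference lists as not allowed

def parse_rule(line):
    """Parse Direction:Protocol:IPAddress:CIDR:Port (case-insensitive)."""
    parts = line.split(":")
    if len(parts) != 5:
        raise ValueError("expected Direction:Protocol:IPAddress:CIDR:Port")
    direction, proto, addr, cidr, port = (p.upper() for p in parts)
    if direction not in DIRECTIONS:
        raise ValueError("Direction must be IN or OUT")
    if proto not in PROTOCOLS:
        raise ValueError("Protocol must be ICMP, TCP or UDP")
    if addr == "ANY":
        if cidr != "":
            raise ValueError("CIDR must be blank when IPAddress is ANY")
        network = None                                 # all addresses
    else:
        if cidr and not (cidr.isdigit() and int(cidr) <= 32):
            raise ValueError("CIDR must be 0-32 or blank; dotted masks are not allowed")
        try:                                           # blank CIDR means /32
            network = ipaddress.IPv4Network(f"{addr}/{cidr or 32}", strict=False)
        except ValueError:
            raise ValueError("IPAddress must be an IPv4 address or ANY") from None
    if port == "":
        port_num = None                                # all ports
    elif port.isdigit() and int(port) <= 65535:
        port_num = int(port)
    else:
        raise ValueError("Port must be 0-65535 or blank; ranges are not supported")
    return {"direction": direction, "protocol": proto, "address": addr,
            "network": network, "port": port_num}

def parse_option(line):
    """Parse OPTION:OptionName:OptionValue; the value keeps its case."""
    parts = line.split(":", 2)
    if len(parts) != 3:
        raise ValueError("expected OPTION:OptionName:OptionValue")
    name, value = parts[1].upper(), parts[2]
    if name in BOOL_OPTIONS:
        if value.upper() not in ("TRUE", "FALSE"):
            raise ValueError(f"{name} must be TRUE or FALSE")
        return name, value.upper() == "TRUE"
    if name in LIST_OPTIONS:                           # comma-separated hosts
        return name, [h.strip() for h in value.split(",") if h.strip()]
    if name == "NOTIFY":
        bad = "".join(sorted(NOTIFY_FORBIDDEN & set(value)))
        if len(value) > NOTIFY_LIMIT or bad:
            raise ValueError(f"NOTIFY over {NOTIFY_LIMIT} characters or contains {bad!r}")
        return name, value
    raise ValueError(f"unknown option {name}")

def validate_config(text, field=False):
    """Return (entries, errors, warnings); field=True applies the field limit."""
    entries, errors, warnings = [], [], []
    if field and len(text) > FIELD_LIMIT:
        errors.append(f"field is {len(text)} characters, limit {FIELD_LIMIT}; use a DAT file")
    for n, raw in enumerate(text.splitlines(), 1):
        if raw != raw.rstrip():
            errors.append(f"line {n}: trailing whitespace is not supported")
        line = raw.rstrip()
        if not line or line.startswith("#"):           # blank line or #Comment
            continue
        if "|" in line:
            errors.append(f"line {n}: entries cannot be joined with |, one per line")
            continue
        try:
            if line.upper().startswith("OPTION:"):
                name, value = parse_option(line)
                entries.append(("option", name, value))
            else:
                rule = parse_rule(line)
                entries.append(("rule", rule))
                net = rule["network"]                  # host bits under a short prefix
                if (net is not None and net.prefixlen < 32 and   # are almost always a typo
                        ipaddress.IPv4Address(rule["address"]) != net.network_address):
                    warnings.append(f"line {n}: host bits set, the rule matches all of {net}")
        except ValueError as exc:
            errors.append(f"line {n}: {exc}")
    return entries, errors, warnings

GOOD = "\n".join([                    # 7 entries, comment lines are skipped
    "#Allow SNMP queries in from the monitoring host", "IN:UDP:10.0.0.21:32:161",
    "OUT:TCP:192.168.0.0:16:443", "IN:ICMP:ANY::0", "OPTION:ALLDNS:TRUE",
    "OPTION:CHECKTS:TRUE", "OPTION:NOTIFY:This Device has been Quarantined",
    "OUT:TCP:192.168.10.9:32:17475",
])
BAD = "\n".join([                     # one problem per line; line 1 only warns
    "in:tcp:10.0.0.21:16:161", "OUT:TCP:ANY:24:443", "IN:TCP:192.168.1.0:24:80-90",
    "OPTION:ALLDHCP:yes", "IN:UDP:10.0.0.21:32:162 | OUT:UDP:10.0.0.21:32:162",
    "OUT:ICMP:ANY::0 ", "IN:ICMP:10.0.0.21:33:0",
])
```

validate_config(GOOD) returns seven entries and no errors; validate_config(BAD) reports six errors (CIDR with ANY, a port range, a non-boolean option value, a pipe-joined line, trailing whitespace, and a CIDR of 33) plus one warning for the /16 rule that was probably meant to be a single host. Run the field contents through validate_config(text, field=True) before pasting them into the Custom Quarantine Rules parameter so the 1100-character limit is caught in the lab rather than at deploy time.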