Isolate a Windows, Linux, or Mac endpoint that shows evidence of compromise or other suspicious activity. Use Threat Response to apply, remove, and test for quarantine.
When an endpoint is quarantined, by default the only approved traffic allowed on the quarantined endpoint includes:
- Between the Tanium Client on the quarantined endpoint and Tanium Server over port 17472.
- For essential traffic that is necessary to obtain and resolve IP addresses (DHCP/DNS).
Threat Response includes a safety feature that automatically reverses a quarantine policy. After a quarantine policy is applied, the effect of the policy is logged. If the endpoint is able to communicate with Tanium Server, Threat Response logs the successful application of the policy. If a policy prevents the endpoint from communicating with Tanium Server, Threat Response backs out the policy and saves logs in the action folder.
Import the Tanium Quarantine solution
Install the Tanium Quarantine solution by importing the associated content from the Solutions page.
- From the Main menu, click Administration > Configuration > Solutions.
- In the Content section, select the IR Quarantine row and click Import Selected.
- Review the list of saved actions, packages, and sensors and click Proceed with Import.
- When the import is complete, you are returned to the Solutions page. Verify that the values in the Available Version and Imported Version columns match.
Test quarantine policies in a lab environment before deploying the policy. Do not apply a policy until its behavior is known and predictable. Incorrectly configured policies can block access to the Tanium Server.
- You must have a Content Administrator account for Tanium Console. For more information, see Tanium Core Platform User Guide: Managing Roles.
Identify the traffic that is required when an endpoint is under quarantine.
- You must have a lab endpoint on the target operating system (Windows, Linux, or Mac) you can use to test the quarantine policies. You must be able to physically access the machine or to access it using RDP (Windows) or SSH (Linux, Mac).
- You must have access to the endpoint that you want to quarantine through a sensor or saved question in the Tanium Console.
Supported Windows versions
- Windows 7 (SP1)
- Windows 8
- Windows 8.1
- Windows 10
- Windows 11
- Windows Server 2003
- Windows Server 2008
- Windows Server 2012
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
- Windows Server 2012R2 or later
- Windows 2008R2 (SP1)
Supported Linux OS versions
- RedHat/CentOS 5 IPTables on SYSV
- RedHat/CentOS 6 IPTables on SYSV
- RedHat/CentOS 7 Firewalld on Systemd (Note: A reboot is required on RedHat/CentOS 7.1 endpoints after removing quarantine.)
Rocky Linux 8.x
- Ubuntu 12,14 UFW on Upstart
Ubuntu 15,16, 18, and 20 UFW on Upstart/Systemd
Supported Mac OS versions
- macOS 13 Ventura
- macOS 12 Monterey
- macOS 11.0 Big Sur
- macOS 10.15 Catalina
- macOS 10.14 Mojave
- macOS 10.13 High Sierra
- macOS 10.12 Sierra
- OS X 10.11 El Capitan
- OS X 10.10 Yosemite
- OS X 10.9 Mavericks
OSX 10.8 - Mountain Lion and earlier releases are based on ipfirewall (IPFW) and are not supported.
The Apply Windows IPsec Quarantine package uses Windows IPsec policies to quarantine the endpoint. You can also add custom rules and options, see Create custom quarantine rules for more information.
You cannot use Windows IPsec Quarantine on networks where a domain IPsec policy is already enforced.
Check that the IPsec Policy Agent service is running on the endpoints
Optionally, you can verify that the IPsec Policy Agent is listed as a running service in Windows.
- In Interact, ask the question: Get Service Details containing "PolicyAgent" from all machines with Service Details containing "PolicyAgent"
- In the table that gets returned, check the results in the following columns.
- Service Status: Running or Stopped
- Service Startup Mode: Manual or Automatic
- If necessary, drill down into the results to determine which endpoints do not have the IPsec Policy agent running.
The Apply Linux IPTables Quarantine package quarantines endpoints that are running Linux-based operating systems that support the use of the iptables module.
Verify that endpoints are not using Network Manager
Linux IPTables Quarantine checks to ensure that the iptables module is installed and disables the use of the Network Manager module on endpoints that are targeted for quarantine.
You can check for Linux-based endpoints that are running Network Manager by using the Linux Network Manager sensor to determine if Network Manager is enabled. In Interact, type network manager to find the sensor. This sensor has no parameters.
The Apply Mac PF Quarantine package quarantines endpoints that are running Mac OS X operating systems that support the use of Packet Filter (PF) rules. This package creates packet filter rules that isolate endpoints by eliminating communication with network resources. PF software must be installed on endpoints that are targeted for quarantine.
By default, the quarantine on the lab endpoint blocks all communication except the Tanium Server. You can configure custom rules to define allowed traffic direction, allowed IP addresses, ports, and protocols. For more information about how to create and deploy custom rules, see Create custom quarantine rules .
Do not quarantine without testing the rules configuration in the lab.
- Target computers for quarantine.
- In Tanium Console, use the Is Windows,Is Linux, or Is Mac sensor to locate an endpoint to quarantine.
Select the entry for True, and click Drill Down.
- On the saved questions page, select Computer Name and click Load.
A Computer Names list displays the names of all computers that are running the selected OS.
Select the lab endpoint as a target and click Deploy Action.
- In the Deployment Package field, type the name of the quarantine package that you want to deploy:
- Apply Windows IPsec Quarantine
- Apply Linux IPTables Quarantine
- Apply Mac PF Quarantine
- (Optional) Define quarantine rules and options.
For more information about quarantine rules, see Create custom quarantine rules .
- If you already attached a taniumquarantine.dat file to the package you are deploying, you do not need to make any other configurations.
- Otherwise, select Override Config to apply custom rules to the action.
- If you are using the options and rules in this package deployment, select any options that you want to enable and enter your custom quarantine rules into the Custom Quarantine Rules field.
- Click Show Preview to Continue to preview the targeting criteria for the action. Click Deploy Action.
- Verify quarantine of the targeted lab endpoint.
Confirm that the computer has no available means of communication to resources other than Tanium Server and any endpoints that you configured in custom quarantine rules.
You can use RDP (Windows) SSH (Linux/Mac), the Ping network utility, or a similar means to confirm that communication is blocked. By default, the only traffic that the quarantine allows is between Tanium Client on the quarantined computer and Tanium Server over port 17472. If the computer is a server that must allow connections to name servers, verify that those connections are allowed to pass through.
- Verify the visibility of the quarantined computer to Tanium Server.
- Target the lab computer with a question or sensor.
- Check the sensor results for the visibility of the quarantined computer.
On the Quarantine dashboard, click Isolated Machines. A single computer is listed with a Yes on the Quarantine: Isolated Machines page.
Action folders are located under the Tanium Client installation folder on the endpoint, usually Downloads\Action_XXXX.log.
Deploy the Remove Windows IPsec Quarantine, Remove Mac PF Quarantine, or Remove Linux IPTables Quarantine package to the endpoint to remove the quarantine from the computer. Use RDP (Windows), SSH (Mac/Linux), the Ping utility, or another method to confirm the removal of the quarantine and the normal communication of the test computer.
Quarantine rules and options define allowed traffic direction, allowed IP addresses, ports, and protocols. All other traffic is blocked. These rules are in the same format for Windows, Linux and Mac. For custom quarantine rule syntax, see Reference: Custom rules and options.
If you do not define any quarantine rules, the default values are used, which gives the quarantined endpoint access only to the Tanium Server and permits DNS/DHCP traffic.
If you do not define any quarantine rules, the default values are used, which gives the quarantined endpoint access only to the Tanium Cloud and permits DNS/DHCP traffic.
If you previously provided a Windows IPsec policy file, the IPsec policy overrides the custom quarantine rules.
Test the quarantine policy in a lab environment before deploying the policy. Do not apply a policy until its behavior is known and predictable. Incorrectly configured policies can block access to the Tanium Server.
Options for deploying custom quarantine rules and options
You can define quarantine rules and options by either attaching a configuration file to the package, or by selecting options in the Tanium Console when you deploy a quarantine action.
Attach configuration file to package
You can attach a taniumquarantine.dat configuration file that defines quarantine rules and options to either a new package or the existing Quarantine packages. Then push that package out to the endpoints. For an example taniumquarantine.dat file, see Reference: Custom rules examples.
The content of taniumqarantine.dat is restored to the default values every time quarantine content is updated.
- From the Main menu, go to Administration > Content > Packages.
- You can either create a new package, or edit one of the existing Quarantine packages:
- Apply Windows IPsec Quarantine
- Apply Mac PF Quarantine
- Apply Linux IPTables Quarantine.
- Update the taniumquarantine.dat file.
- To download the current file, click Download .
- Remove the file that is currently in the package.
- Click Add to upload the updated taniumquarantine.dat file.
- Click Save to save the updates to the package.
Add custom quarantine rules that allow connectivity for Direct Connect and Live Response to the quarantine package to avoid issues collecting artifacts during an investigation.
Select options in user interface when you deploy Quarantine actions
When you deploy the Apply Windows IPsec Quarantine, Apply Mac PF Quarantine, or Apply Linux IPTables Quarantine actions, you can define the quarantine rules and options as a part of that action. For more information, see Test quarantine on lab endpoints.
Custom rules format
The format for custom rules is not case sensitive. Put each rule on a new line. Trailing white spaces are not supported. This format is used for both the configuration file and in the user interface.
Valid values: IN or OUT
Specifies whether incoming or outgoing traffic is allowed.
Valid values: ICMP, TCP, UDP
If you specify ICMP, the ICMP protocol is allowed to communicate to and from the specified addresses. This limitation is because IPSec does not filter ICMP Type/Codes. The filtering is done by ADVFirewall.
When using quarantine rules to block the ICMP protocol, the MTU negotiation packages can become blocked when the size of the MTU package on the endpoint is larger than the routers allowed MTU size. Normally the router will see a packet that is too large and send an ICMP packet to the endpoint to identify that the packet is too large and advises lowering the permissible MTU size. If the negotiation packet is not able to reach the destination due to quarantine, the endpoint can become unresponsive. The endpoint is still is quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should only be done after proper testing.
Specifies any IPv4 address or you can use ANY for all.
Valid values: 0-32 or, if ANY is used in IPAddress, undefined.
Subnet masks in dotted decimal format are not permitted in the input file. Undefined (blank) is same as 32 and uses the IPAddress only.
Valid values: 0-65535 or undefined
Leave undefined (blank) to permit all ports. Ranges are not currently supported, only individual ports or all ports can be defined.
When using the Custom Quarantine Rules parameter in the package, the total characters should be 1100 or less. If you need more characters, you can use a custom DAT file.
You can configure quarantine options in a configuration file or in the deploy action user interface when you quarantine an endpoint.
Configuration file format
|Option Name (Deploy Action screen in Tanium Console)||Option Name (configuration file)||Description|
|Allow All DHCP||AllDHCP||Set to true to allow DHCP traffic to any server.
|Allow All DNS||AllDNS||Set to true to allow DNS traffic to any destination.
|Allow All Tanium Servers||TaniumServers||Set to true to allow Tanium traffic to the Tanium Servers that are defined in your ServerList or Servers configuration on the Tanium Client.
This option only applies to Tanium Servers and Zone Servers on TCP/17472. It does not include the module server, and it does not include TCP/17475 and TCP/17486 required for Direct Connect/Live Endpoint connections. Additional rules are required.
|Allow Alternate Tanium Servers||ALTTS||Specify IP addresses. For example, use this option when you want to avoid using DNS during Quarantine. When removed from quarantine, the original Tanium Server is restored.
Separate with a comma or leave empty for no alternates.
|Validate Tanium Server Availability||CheckTS||Set to true to validate that the Tanium Server can be reached on the Tanium port. If this validation fails, back out the rules.
Specify the VPN servers to automatically create rules for with a comma-separated list. Adding servers creates rules for each host as follows: IP:50/51, UDP:500, 4500 TCP/UDP:443
Specify a string message to notify the user that the system is being quarantined.
The Notification Message option is not supported on Linux endopoints.
Default: No notification
Example for Custom Quarantine Rules field
This example defines two rules:
- Allow SNMP queries (UDP Port 161) from another device at 10.0.0.21.
- Allow SNMP traps (UDP Port 162) to be sent to a device at 10.0.0.21.
This example demonstrates the use of parameter options in the package and not a taniumquarantine.dat file.
taniumquarantine.dat sample file
For DAT files, each entry must be on one line; you cannot use pipe (|) characters to combine lines. Trailing white spaces are not supported.
#Allow ICMP out to a specific IP Address
#Allow ICMP in from a specific IP Address
#Allow ICMP out to any IP Address
#Allow ICMP in from any IP Address
#Allow TCP port 80 in from a specific /24 subnet
#Allow UDP port 161 in from a specific IP Address
#Allow HTTPS (tcp 443) out to a specific /16 subnet
OPTION:NOTIFY:This Device has been Quarantined
#Allow Live Endpoint/Direct Connect from LAN to Tanium Module Server (192.168.10.9)
#Allow Live Endpoint/Direct Connect from remote endpoint to Zone Server (172.16.31.31)
Last updated: 1/31/2023 12:08 PM | Feedback