Maintaining Threat Response
Perform monthly maintenance tasks to ensure that Threat Response successfully performs scheduled activities on all the targeted endpoints and does not overuse endpoint or network resources. If Threat Response is not performing as expected, you might need to troubleshoot issues or change settings. See Troubleshooting for related procedures.
Review and remediate Tanium Threat Response issues
- From the Main menu, go to Administration > Shared Services > Client Management.
- From the Client Management menu, select Client Health and click the Deployment tab.
- Review the Health Failures panel for issues that relate to Threat Response domains:
  - dec (Direct Connect)
  - index (Tanium Index)
  - recorder (Tanium Recorder)
  - stream (Tanium™ Stream)
  - threatresponse (Tanium™ Threat Response Client Extension)
- Investigate health failures and review the status and configurations of endpoint tools for Threat Response, including:
  - Non-default configuration settings on clients
  - Tools versions
  - Client extension versions
  - (Windows only) Tanium™ Driver status and version
  - Berkeley Packet Filter (BPF) support
For the specific steps, see Troubleshooting.
- From the Main menu, go to Modules > Threat Response > Overview.
- Scroll to the Metrics panel and check the Threat Response Coverage.
- If the Coverage is lower than expected, investigate and remediate coverage as described under Troubleshooting. If coverage issues might result from missing or misconfigured Threat Response profiles, click the Coverage value to open the Profiles page and review profile configurations. For details about profile issues, see My device has no profile or the wrong profile.
- To investigate and remediate other Threat Response issues, see:
Get Threat Response endpoint tools status and configurations
Ask the question: Get Client Extensions - Status from all machines.
This retrieves the status of Client Extensions (such as Threat Response, Index, Recorder), Threat Response profile status, and any client extensions health issues.
The following domains are Threat Response related:
- dec
- index
- recorder
- stream
- threatresponse
Domain | Key | Value | Explanation |
---|---|---|---|
[Any] | health_check | [Any value] | For more information, see Tanium Client Management User Guide: Monitor the client health overview in Client Management and take corrective actions to ensure Threat Response is healthy in your environment. |
recorder | has_event_source | [Multiple] | This displays which event sources the Tanium Recorder is using. |
recorder | has_subscription | [Multiple] | This displays which Tanium components are consuming events from the Tanium Recorder process. |
recorder | is_using_tanium_driver | True / False | (Windows only) This displays if the Tanium Recorder process is consuming events from the Tanium Driver. |
recorder | min_requirements_met | True / False | This displays if the system meets the minimum CPU requirements for the Tanium Recorder to run. Two or more CPU cores are required. |
threatresponse | applied_intel_revision | [Any] | This value identifies the version of Threat Response intel currently installed on the endpoint. |
threatresponse | applied_profile, applied_profile_id, applied_profile_revision | [Multiple] | These keys return the Threat Response profile name, profile unique ID, and profile revision currently in use on the endpoint. |
Ask the question: Get Client Health – Client Settings from all machines.
This question returns any non-default configuration settings that are explicitly set on the clients. If a setting is not explicitly set, no result is displayed for it. Review these results for non-default settings on Threat Response or Tanium Client components that might be causing unexpected behavior.
The following domains are Threat Response related:
- dec
- index
- recorder
- stream
- threatresponse
Ask the question: Get Endpoint Configuration - Tools Status from all machines.
This returns the Threat Response tools versions targeted and installed to verify the correct endpoint tools are installed. Current tools versions can be referenced in the Threat Response release notes: https://kb.tanium.com/Category:Tanium_Threat_Response
The following Tool Names are Threat Response related:
- Threat Response
- Threat-response-cx
- Threat Response Stream
- cx-stream
- Incident Response
- index-cx
- Direct Connect
- dec-cx
- Driver
- Recorder
- Recorder BPF Support
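The Tools Status question above returns a targeted and an installed version per tool; comparing the two across many endpoints by eye is error-prone, and comparing version strings lexically misorders releases such as 2.10.0 and 2.2.3. The following script is an added example, not Tanium's code: it assumes you have exported the question results as rows of (endpoint, tool name, targeted version, installed version), which is an assumption about the export layout, filters to the Threat Response tool names listed above, and reports every endpoint whose installed version is missing, outdated, or newer than targeted. The sample rows are constructed.

```python
"""Flag endpoints whose installed Threat Response tool version drifts from the
targeted version (added example, not Tanium's code; row layout and sample
data are assumptions/constructed)."""

# Tool names that belong to Threat Response, as listed in the documentation.
THREAT_RESPONSE_TOOLS = {
    "Threat Response", "Threat-response-cx", "Threat Response Stream", "cx-stream",
    "Incident Response", "index-cx", "Direct Connect", "dec-cx", "Driver",
    "Recorder", "Recorder BPF Support",
}


def parse_version(text):
    """Turn '1.4.12' into (1, 4, 12) so versions compare numerically, not lexically.
    Empty, 'N/A' or non-numeric values become None (tool absent or unknown)."""
    if not text or text.strip().upper() in ("N/A", "NONE"):
        return None
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None


def find_tool_drift(rows):
    """Return (endpoint, tool, targeted, installed, state) for each Threat Response
    tool whose installed version is not the targeted version."""
    findings = []
    for endpoint, tool, targeted, installed in rows:
        if tool not in THREAT_RESPONSE_TOOLS:
            continue  # other modules' tools are out of scope here
        target_v, installed_v = parse_version(targeted), parse_version(installed)
        if installed_v is None:
            state = "missing"
        elif target_v is None:
            continue  # nothing targeted, so nothing to compare against
        elif installed_v < target_v:
            state = "outdated"
        elif installed_v > target_v:
            state = "newer than targeted"
        else:
            continue  # installed matches targeted
        findings.append((endpoint, tool, targeted, installed, state))
    return findings


# Constructed sample rows: (endpoint, tool, targeted version, installed version).
SAMPLE_ROWS = [
    ("ws-01", "Recorder", "2.3.0", "2.3.0"),          # in sync
    ("ws-01", "Driver", "1.0.10", "1.0.9"),           # behind the targeted version
    ("ws-02", "Threat Response", "3.8.1", "N/A"),     # targeted but not installed
    ("ws-02", "Trends", "1.2.0", "1.1.0"),            # not a Threat Response tool
    ("ws-03", "index-cx", "2.2.3", "2.10.0"),         # ahead; lexical compare would get this wrong
]

if __name__ == "__main__":
    for endpoint, tool, targeted, installed, state in find_tool_drift(SAMPLE_ROWS):
        print(f"{endpoint}: {tool} targeted={targeted} installed={installed} -> {state}")
```

Feed the real export in place of `SAMPLE_ROWS`; endpoints reported as "missing" or "outdated" are the ones to cross-check against the Threat Response release notes linked above before re-deploying tools.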
Ask the question: Get Client Extensions - Installed Extensions from all machines.
This returns the installed Threat Response client extension binary versions. Current client extension binary versions can be referenced in the Threat Response release notes: https://kb.tanium.com/Category:Tanium_Threat_Response
The following Domains are Threat Response related:
- index
- recorder
- stream
- threatresponse
Ask the question: Get Tanium Driver Status from all machines with Is Windows matches true.
This returns the installed Tanium Driver Status from all Windows machines (Tanium Driver is supported on Windows only). The following tables include some common Tanium Driver Status results:
Successful installation | Result |
---|---|
Tanium Driver Status results that indicate it is properly installed and running | Service Status: SERVICE_RUNNING; Driver install path: \SystemRoot\System32\drivers\TaniumRecorderDrv.sys |

Errors to look for | Result |
---|---|
Tanium Driver | Install Recommended |
Tanium Driver Service is not installed | Service Installation: Not installed |
Tanium Driver Service is present but not running | Service Status: Not started; Service Status: SERVICE_STOPPED |
Tanium Driver is not installed | Driver Location: Not installed; Driver Version N/A; Driver Controller Version N/A |
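Across a large Windows fleet, the Tanium Driver Status results are easier to act on when each endpoint's text is mapped to one of the conditions in the tables above. The script below is an added example, not Tanium's code: it checks the error indicators first so a stopped or missing driver is never reported as healthy, requires both the SERVICE_RUNNING status and the expected driver install path for a healthy verdict, and groups endpoints by condition. The assumption is that each endpoint's result is the multi-line text the sensor returns; the sample results are constructed.

```python
"""Classify 'Get Tanium Driver Status' results against the indicators in the
documentation tables (added example, not Tanium's code; sample data constructed)."""

HEALTHY_SERVICE = "Service Status: SERVICE_RUNNING"
HEALTHY_PATH = "Driver install path: \\SystemRoot\\System32\\drivers\\TaniumRecorderDrv.sys"

# Error indicators from the "Errors to look for" table, checked before the
# healthy case so partial or contradictory output is not reported as healthy.
ERROR_INDICATORS = [
    ("Service Installation: Not installed", "Tanium Driver Service is not installed"),
    ("Driver Location: Not installed", "Tanium Driver is not installed"),
    ("Service Status: SERVICE_STOPPED", "Tanium Driver Service is present but not running"),
    ("Service Status: Not started", "Tanium Driver Service is present but not running"),
]


def classify_driver_status(result: str) -> str:
    """Return the condition name for one endpoint's sensor result."""
    for indicator, condition in ERROR_INDICATORS:
        if indicator in result:
            return condition
    if HEALTHY_SERVICE in result and HEALTHY_PATH in result:
        return "healthy"
    # Running service but unexpected path, or truncated output: needs a manual look.
    return "unrecognized - review manually"


def summarize(results: dict) -> dict:
    """Group endpoint names by condition so unhealthy endpoints stand out."""
    groups = {}
    for endpoint, text in results.items():
        groups.setdefault(classify_driver_status(text), []).append(endpoint)
    return groups


# Constructed sample results, one per Windows endpoint.
SAMPLE_RESULTS = {
    "win-01": "Service Status: SERVICE_RUNNING\n"
              "Driver install path: \\SystemRoot\\System32\\drivers\\TaniumRecorderDrv.sys",
    "win-02": "Service Status: SERVICE_STOPPED\n"
              "Driver install path: \\SystemRoot\\System32\\drivers\\TaniumRecorderDrv.sys",
    "win-03": "Service Installation: Not installed",
    "win-04": "Driver Location: Not installed\nDriver Version N/A\nDriver Controller Version N/A",
    "win-05": "Service Status: SERVICE_RUNNING\nDriver install path: C:\\Temp\\other.sys",
}

if __name__ == "__main__":
    for condition, endpoints in summarize(SAMPLE_RESULTS).items():
        print(f"{condition}: {', '.join(endpoints)}")
```

Endpoints in the "unrecognized" group are worth a manual check rather than being assumed healthy; in the constructed data, win-05 reports a running service but a driver path that does not match the documented install location.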
Ask the question: Get Tanium Driver Version from all machines with Is Windows matches true.
This returns the installed Tanium Driver Version of the binary on disk from all Windows endpoints (Tanium Driver is supported on Windows only). This can be useful to verify that the correct version of the Tanium Driver is installed.
Tanium Driver Versions by Threat Response release: https://kb.tanium.com/Category:Tanium_Threat_Response
Use the following sensors to help troubleshoot and determine if eBPF is supported and available for use by Tanium Recorder on Linux systems.
Sensor | Results |
---|---|
Recorder - Is BPF BCC Supported | Returns True if BPF BCC is supported on the endpoint. |
Recorder - Is BPF CO-RE Supported | Returns True if BPF CO-RE (Compile Once Run Everywhere) is supported on the endpoint. |
Recorder - Is BPF Supported Details | Returns details about whether or not BPF is supported on the endpoint. |
For more information, see Tanium Interact User Guide: Asking questions.
Monitor and troubleshoot Threat Response coverage
The following table lists factors that can make the Threat Response coverage metric lower than expected, and the corrective actions you can take.
Contributing factor | Corrective action |
---|---|
Tools not deployed | Ensure the Threat Response Action Group is set to All Computers. Ensure the Trends Action Group is set to All Computers. Ensure that all endpoints belong to a computer group that is defined in a Threat Response profile. |
Tools in an unhealthy state | Refer to the client health features in Client Management. For more information, see Tanium Client Management User Guide: Monitor the client health overview in Client Management and take corrective actions to ensure Threat Response is healthy in your environment. |
Monitor and troubleshoot mean time to investigate threats
The following table lists factors that can make the mean time to investigate threats metric higher than expected, and the corrective actions you can take.
Contributing factor | Corrective action |
---|---|
Alert status not being properly updated in the Threat Response workbench | Ensure analysts are accurately updating alerts from New to In Progress and then from In Progress to Resolved. If alerts are sent to a SIEM or another location, ensure that your workflow uses the Tanium Threat Response API to appropriately set alert state in Tanium so that this metric can be tracked correctly. |
Monitor and troubleshoot mean time to remediate threats
The following table lists factors that can make the mean time to remediate threats metric higher than expected, and the corrective actions you can take.
Contributing factor | Corrective action |
---|---|
Alert status not being properly updated in the Threat Response workbench | Ensure analysts are accurately updating alerts from New to In Progress and then from In Progress to Resolved. If alerts are sent to a SIEM or another location, ensure that your workflow uses the Tanium Threat Response API to appropriately set alert state in Tanium so that this metric can be tracked correctly. |
Last updated: 9/25/2023 11:32 AM