Maintaining Threat Response

Perform monthly maintenance tasks to ensure that Threat Response successfully performs scheduled activities on all the targeted endpoints and does not overuse endpoint or network resources. If Threat Response is not performing as expected, you might need to troubleshoot issues or change settings. See Troubleshooting for related procedures.

Review and remediate Tanium Threat Response issues

1. From the Main menu, go to Administration > Shared Services > Client Management.

2. From the Client Management menu, select Client Health and click the Deployment tab.
3. Review the Health Failures panel for issues that relate to Threat Response domains:

• dec (Direct Connect)

• index (Tanium Index)
• recorder (Tanium Recorder)
• stream (Tanium™ Stream)
• threatresponse (Tanium™ Threat Response Client Extension)
4. Investigate health failures and review the status and configurations of endpoint tools for Threat Response, including:
   • Non-default configuration settings on clients
   • Tools versions
   • Client extension versions
   • (Windows only) Tanium™ Driver status and version
   • Berkeley Packet Filter (BPF) support

   For the specific steps, see Troubleshooting.

5. From the Main menu, go to Modules > Threat Response > Overview.

6. Scroll to the Metrics panel and check the Threat Response Coverage.
7. If the Coverage is lower than expected, investigate and remediate coverage as described under Troubleshooting. If coverage issues might result from missing or misconfigured Threat Response profiles, click the Coverage value to open the Profiles page and review profile configurations. For details about profile issues, see My device has no profile or the wrong profile.
8. To investigate and remediate other Threat Response issues, see:
• Troubleshooting
• Reference: Common health check issues

Get Threat Response endpoint tools status and configurations

Ask the question: Get Client Extensions - Status from all machines.

This retrieves the status of Client Extensions (such as Threat Response, Index, Recorder), Threat Response profile status, and any client extensions health issues.

The following domains are Threat Response related:

• dec
• index
• recorder
• stream
• threatresponse

Domain	Key	Value	Explanation
[Any]	health_check	[Any value]	For more information, seeTanium Client Management User Guide: Monitor the client health overview in Client Management and take corrective actions to ensure Threat Response is healthy in your environment.
recorder	has_event_source	[Multiple]	This displays which event sources the Tanium Recorder is using.
recorder	has_subscription	[Multiple]	This displays which Tanium components are consuming events from the Tanium Recorder process.
recorder	is_using_tanium_driver	True | False	(Windows Only) This displays if the Tanium Recorder Process is consuming events from the Tanium Driver.
recorder	min_requirements_met	True | False	This displays if the system meets the minimum CPU requirements for the Tanium Recorder to run. Two or more CPU cores are required.
threatresponse	applied_intel_revision	[Any]	This value identifies the version of Threat Response intel currently installed on the endpoint.
threatresponse	applied_profile applied_profile_id applied_profile_revision	[Multiple]	These keys return information about which Threat Response profile name, profile unique ID, and profile revision is currently in use on the endpoint.

Ask the question: Get Client Health – Client Settings from all machines.

This question returns any non-default configuration settings that are set explicitly on the clients. If settings are not explicitly set, no results are displayed for that setting. It is useful to review these settings for any non-default settings which you can set on Threat Response or Tanium Client components and causing unexpected behavior.

The following domains are Threat Response related:

• dec
• index
• recorder
• stream
• threatresponse

Ask the question: Get Endpoint Configuration - Tools Status from all machines.

This returns the Threat Response tools versions targeted and installed to verify the correct endpoint tools are installed. Current tools versions can be referenced in the Threat Response release notes: https://kb.tanium.com/Category:Tanium_Threat_Response

The following Tool Names are Threat Response related:

• Threat Response

• Threat-response-cx

• Threat Response Stream

• cx-stream

• Incident Response

• index-cx

• Direct Connect

• dec-cx

• Driver

• Recorder

• Recorder BPF Support

Ask the question: Get Client Extensions - Installed Extensions from all machines.

This returns the installed Threat Response client extension binary versions. Current client extension binary versions can be referenced in the Threat Response release notes: https://kb.tanium.com/Category:Tanium_Threat_Response

The following Domains are Threat Response related:

• index
• recorder
• stream
• threatresponse

Ask the question: Get Tanium Driver Status from all machines with Is Windows matches true.

This returns the installed Tanium Driver Status from all Windows machines (Tanium Driver is supported on Windows only). The following tables include some common Tanium Driver Status results:

Successful installation
Tanium Driver Status Results that indicate it is properly installed and running	Service Status: SERVICE_RUNNING Driver install path: \SystemRoot\System32\drivers\TaniumRecorderDrv.sys

Errors to look for
Tanium Driver	Install Recommended
Tanium Driver Service is not installed	Service Installation: Not installed
Tanium Driver Service is present but not running	Service Status: Not started Service Status: SERVICE_STOPPED
Tanium Driver is not installed	Driver Location: Not installed Driver Version N/A Driver Controller Version N/A

Ask the question: Get Tanium Driver Version from all machines with Is Windows matches true.

This returns the installed Tanium Driver Version of the binary on disk from all Windows endpoints (Tanium Driver is supported on Windows only). This can be useful to verify that the correct version of the Tanium Driver is installed.

Tanium Driver Versions by Threat Response release: https://kb.tanium.com/Category:Tanium_Threat_Response

Use the following sensors to help troubleshoot and determine if eBPF is supported and available for use by Tanium Recorder on Linux systems.

Sensor	Results
Recorder - Is BPF BCC Supported	Returns True if BPF BCC is supported on the endpoint.
Recorder - Is BPF CO-RE Supported	Returns True if BPF CO-RE (Compile Once Run Everywhere) is supported on the endpoint.
Recorder - Is BPF Supported Details	Returns details about whether or not BPF is supported on the endpoint.

For more information, see Tanium Interact User Guide: Asking questions.

Monitor and troubleshoot Threat Response coverage

The following table lists contributing factors into why the Threat Response coverage metric might be lower than expected, and corrective actions you can make.

Contributing factor	Corrective action
Tools not deployed	Ensure the Threat Response Action Group is set to All Computers. Ensure the Trends Action Group is set to All Computers. Ensure that all endpoints belong to a computer group that is defined in a Threat Response profile.
Tools in an unhealthy state	Refer to the client health features in Client Management. For more information, seeTanium Client Management User Guide: Monitor the client health overview in Client Management and take corrective actions to ensure Threat Response is healthy in your environment.

Monitor and troubleshoot mean time to investigate threats

The following table lists contributing factors into why the mean time to investigate threats metric might be higher than expected, and corrective actions you can make.

Contributing factor	Corrective action
Alert status not being properly updated in the Threat Response workbench	Ensure analysts are accurately updating alerts from New to In Progress and then from In Progress to Resolved. If alerts are sent to a SIEM or another location, ensure that your workflow uses the Tanium Threat Response API to appropriately set alert state in Tanium to be able to track this metric correctly.

Monitor and troubleshoot mean time to remediate threats

The following table lists contributing factors into why the mean time to investigate threats metric might be higher than expected, and corrective actions you can make.

Contributing factor	Corrective action
Alert status not being properly updated in the Threat Response workbench	Ensure analysts are accurately updating alerts from New to In Progress and then from In Progress to Resolved. If alerts are sent to a SIEM or another location, ensure that your workflow uses the Tanium Threat Response API to appropriately set alert state in Tanium to be able to track this metric correctly.