Managing alerts

When the engine detects a match to intel that you have deployed to a computer group, an alert is generated from the endpoint and reported back to Threat Response. You can view alerts in the following locations:

  • The high-level overview on the Threat Response home page
  • An individual intel document
  • The Alerts page

View alerts

  • On the Threat Response home page, the alert visualization provides a high-level view of alerts. To see a list of the unresolved alerts, click Investigate. On the Threat Response home page, you can also review alerts by label or source type.
  • On the Alerts page, unresolved alerts are displayed by default. You can filter for alerts that meet specific criteria.

From the Threat Response menu, click Alerts. At the top of the page all of the alerts across the endpoints in an environment display ranked by endpoint with most alerts, event type, the intel document that triggered the alert, the path to the file or process that triggered the alert, the status of the alert, and a range of dates were the alert was detected. Click any of the fields in the rankings to create filters that display alerts that match the criteria you selected.

Specify any additional criteria to filter Alerts. For example, create filters to display alerts based on endpoint, event type, path, intel name, label, or MITRE technique. Click Advanced Details to view more information about the endpoint on which the alert occurred, the process that caused the alert, and the intel document that matched the alert.

View alerts by intel document

From the Threat Response menu, click Intel. To open a single piece of intel, click the name of the item. From the individual page, you can review alerts that are associated with the intel, the activity over the last 30 days, the engine analysis, the MITRE technique ID, and you can edit the definition.

Each Signal can have one or more associated MITRE technique IDs. Technique IDs can categorize Signals to better align with the MITRE Attack Framework and help map coverage to the different tactics and techniques. You can filter alerts by technique ID.

You can also initiate quick scans for intel documents from the intel page.

Windows Defender alerts

Windows Defender is an anti-malware component of Microsoft Windows. Use Windows Defender alerts to gain visibility into common areas of Windows for changes which might have been caused by spyware, malware, and general security events. Windows Defender integration requires enabling the Generate Defender Alerts setting in an engine configuration for a deployed profile. By default, this setting is enabled for new configurations. For existing configurations, this setting needs to be enabled.

When Defender generates an alert on a Windows endpoint, the engine generates an alert in Threat Response that you can view in the alerts page. You can filter the alerts page for Defender alerts.

Assign a status to an alert

Assigning status to an alert enables incident response efforts to identify alerts that are being investigated or remediated. For example if you encounter a suspicious alert and want to take investigative or remediation actions, you can change the status of an alert to In Progress. Available statuses for alerts are:

  • Dismissed
  • In Progress
  • Resolved
  • Unresolved

Additionally when an alert is suppressed by a suppression rule, the status of an alert is Suppressed. This status is removed from a suppressed alert when the suppression rule is removed.

Investigate reputation data

Investigating reputation data requires the reputation service to be configured. See Set up the reputation service for more information.

For endpoints that use reputation intel, hashes found by the saved questions are sent to the reputation service for assessment. If this intel generates an alert, the hashes display with red or yellow status. Any known malicious matches automatically initiate a quick scan on targeted computer groups and generate an IOC for ongoing background scans. Each reputation IOC can contain up to 20 hashes. These IOCs are listed with Reputation as their source.

When the reputation for a hash changes, the intel is updated. For example, if a hash is no longer considered malicious according to reputation data, the associated intel document is updated so no further alerts are generated. If no malicious hashes exist in an intel document, the document is deleted.

  1. To view more details about a hash, open the side panel. A hash can have one of the following ratings:
    • Non-Malicious (Green)
    • Malicious (Red)
    • Suspicious (Yellow)
    • Unknown (Gray)
    • Pending
  2. Click a hash to view more details. For reputation data that comes from VirusTotal, you can expand the details and see a color-coded list of intelligence providers that have assessed the hash.

The Threat Response icon pulses while the quick scan is running. After the quick scan completes, you can use the Interact icon to view the detailed results of the scan. Alerts are generated and gathered asynchronously from the scan. Alerts might be displayed on the Alerts page before the scan completes.

Investigate alerts

If you have a suspicious alert, you can open a live connection to investigate further.

The way in which Threat Response manages live endpoint connections has changed in Threat Response 2.4. To understand the differences between current and previous Threat Response versions with regard to managing live endpoint connections, see Connecting to live endpoints and exploring data.

  1. From the Threat Response Menu, click Alerts. Select the alert that you want to investigate. You can investigate one alert at a time.
  2. Click Actions > Establish Live Connection.
  3. Click Start live connection.

The live endpoint page opens, with appropriate filtering for the type of alert you are investigating. Take a snapshot of suspicious endpoints for saved evidence.

Deploy an action to an endpoint

If you have a suspicious alert, you can deploy an action to a single affected endpoint directly from the alert.

  1. From the Threat Response Menu, click Alerts. Select the alert for which you want to deploy an action to remediate or perform other action.
  2. Click Actions > Deploy Action.
  3. The Deploy Action page displays and the targeted endpoint is identified.
  4. Select the package that you want to deploy. Depending on the package that you select, you are prompted to provide parameters for the package. If you select a package for Live Response, you can specify the collection configuration and destination configuration you want to use for Live Response file collection.
  5. Provide a unique name and description for the action.
  6. If you do not want to deploy the action immediately, specify a start to create a scheduled action. The time refers to the system clock on the Tanium Server, not on the endpoint. For example, if you specify the action to deploy at 1:00 am, it deploys when the Tanium Server system clock time is 1:00 am.
  7. Optionally specify an end time. This is important If you configure reissue intervals for the action, unless you are sure it is the type of action that you want to reissue indefinitely. If you are not sure, configuring the schedule to end in six months is better than running indefinitely.
  8. You can schedule the action to repeat at intervals. Specifying to reissue an action creates a scheduled action. Specifying a reissue interval is appropriate when:

    • Action approval is enabled and you are not certain it will be approved before the action expires.

    • You want to be sure software or configuration updates are made not only to the clients currently online but also to those currently offline that will be predictably online within a window that the reissue interval defines.

    • The action is a continual hygiene practice. For example, you want to check periodically that a client service is running or a client configuration has a particular value.

  9. Click Deploy. Confirm that you want to deploy the action.  Provide administrator credentials and click OK.

Initiate a Response Action from an alert

If you have a suspicious alert, you can initiate a response action to a single affected endpoint directly from the alert. Initiating Live Response, Quarantine, or Gather Snapshot deploys a response action. A response action, unlike a scheduled action, runs once during a provided time range and ensures that if an endpoint is not online when you deploy the action, it runs when the endpoint comes online. Once deployed, from the Threat Response Menu click Response Activity to view the status or stop a response action.

  1. From the Threat Response Menu, click Alerts. Select the alert for which you want to deploy an action.
  2. Click Response Actions > Live Response, Response Actions > Quarantine, Response Actions > Gather Snapshot, or Response Actions > Download File.

    When you download a file as a response action, the file is saved as saved evidence. From the Threat Response menu, click Saved Evidence > Files to access the files that you download.

  3. Provide parameters for the response action. For example, if you select the response action for Live Response, you can specify the collection configuration and destination configuration you want to use for Live Response file collection.
  4. Click Run. Confirm that you want to deploy the response action.  Provide administrator credentials and click OK.

Remediate alerts in Tanium Protect

You can create a remediation policy in Tanium Protect, and specify conditions to enforce that policy from an alert. For example, a remediation policy defines specific actions to perform for an alert, and an enforcement defines the endpoints and schedule for performing the actions defined in the policy. Policies such as deleting files, killing a process, and performing registry tasks are available to perform when an alert is generated. By default, the remediation only targets the endpoint that generated the alert. To create remediation policies from an alert, Tanium Protect must be installed.

  1. From the Threat Response Menu, click Alerts. Select the alert for which you want to remediate in Tanium Protect.
  2. Select Actions > Remediate in Protect.

    If an instance of Tanium Protect is not installed, this option is not available from the Actions menu.

  3. In the Policy Details section, provide a name and description for the policy.
  4. In the Tasks section, click Add Tasks to perform as part of the remediation. You can select multiple tasks to add. Each task that you add to the remediation policy requires additional data that is by default populated with the data from the alert. Available tasks are:

    Delete file

    Provide a path to a single file to delete. By default, this path is populated with the data from the alert. Select to continue or exit if an error occurs.

    Kill process

    Select to use the Name, Path, or Hash of the process. Paths support wildcard syntax such as *, !, and ?. Group syntax is also supported. Hashes support an optional maximum file size. Provide any additional command line arguments for a process. Command line arguments support regular expression syntax such as C:\^Win$\.* .

    Provide a timeout value in seconds. If the number of seconds you specify is exceeded without killing the specified process, the kill process task fails. You can additionally provide a number of attempts for the task before the task fails.

    Select to continue or exit if an error occurs.

    Edit Registry Data

    Select a hive in which to edit the registry data:

    HKEY_CLASSES_ROOT
    HKEY_LOCAL_MACHINE
    HKEY_CURRENT_CONFIG
    HKEY_USERS

    Additionally provide the path relative to the hive you select. For example, System\CurrentControlSet\Hardware Profiles\Current

    Select the type of the data to edit and provide new data to use to replace the value of the existing data.

    Select if you want to create the value using the data you provided if no value matching the alert is detected. Select to continue or exit if an error occurs.

    Update Registry Value

    Select a hive in which to update the registry data:

    HKEY_CLASSES_ROOT
    HKEY_LOCAL_MACHINE
    HKEY_CURRENT_CONFIG
    HKEY_USERS

    Additionally provide the path relative to the hive you select. For example, System\CurrentControlSet\Hardware Profiles\Current

    Select to edit the value with data that you provide, or to delete the current value. Select to continue or exit if an error occurs.

    Delete Registry Key

    Select a hive in which to delete the registry key:

    HKEY_CLASSES_ROOT
    HKEY_LOCAL_MACHINE
    HKEY_CURRENT_CONFIG
    HKEY_USERS

    Additionally provide the path relative to the hive you select. For example, System\CurrentControlSet\Hardware Profiles\Current

    Select to continue or exit if an error occurs.

  5. In the Enforcements section, click Add Enforcement. Select Computer Group to target the remediation to an entire computer group. Select Individual Computers to provide one or more endpoints for the remediation to target. Add the fully qualified host name of each endpoint you want the remediation to target. Comma delimit multiple endpoints. Provide a start and end time for when you want to perform the remediation. Select to distribute over time to balance resource use over a time duration that you specify. The duration of the Distribute over time setting must be at least 10 minutes shorter than the Issue time setting. Select if you want to repeat the action and how often.
  6. Click Remediate. The remediation is available in Tanium Protect. From the Main menu, click Modules >Protect > Policies > Remediations to view and edit the remediation in Tanium Protect.

Delete alerts

You can delete alerts any time. If an alert is matched again later, the alert is generated again.

Suppress alerts

Create suppression rules to prevent the creation of an alert when an intel match occurs for a Signal. Use suppression rules to reduce false positives for Signals that you cannot edit, such as those from the Tanium Signal Feed. Suppression rules are not intended for use as a substitution for properly crafted Signals. You can apply rules that suppress alerts that match Process Path, Process Command Line, Parent Command Line, Process Hash, and User.

  1. From the Threat Response menu, go to Alerts. Select an alert. Click Suppress.
  2. Select the type of suppression rule to create. A global rule applies to all Signals where a match occurs. An intel-specific rule only applies to matches to a specific Signal that you specify. Select Global or Signal-Specific. If you select Signal-Specific, select an available Signal.
  3. Provide a name and description for the suppression rule.
  4. Select the fields that you want to use for suppressions:
    1. Process path: The path in the file system to a specific process. For example, c:\windows\notepad.exe.
    2. Process command line: Additional parameters that were provided for a process. For example, if a process is wevtutil.exe, a possible process command line is: wevtutil cl Application.
    3. Parent command line: The full command line of the parent process.
    4. Parent path: The path in the file system to a parent process. For example, c:\windows\system32\cmd.exe.
    5. Ancestry command line: Additional parameters that were provided for a parent process.
    6. Ancestry path: The path in the file system to a process more remote than a parent process.
    7. Process MD5: A specific MD5 hash value that corresponds to a process.
    8. User: A specific user on the system that is associated with a process.

    If a Signal has generated an alert, you can click the Suppress Alert link from an alert page to preview the expected values for each of the fields.

  5. Specify how you want to compare the field to the alert. You can choose to suppress an alert if a field is a direct match, contains a value, or matches a pattern specified by a regular expression.
    1. Select Is to suppress an alert when a direct match occurs. For example, a specific hash value or user name matches.
    2. Select Contains to suppress an alert when a subset of the alert criteria matches. For example, a path that contains "Windows".
    3. Select Matches to suppress an alert when a pattern matches the criteria. A regular expression needs to match the whole string. If you want to match Win and Windows, the regular expression needs to be .*Win.*. By default, regular expressions in suppression rules are case insensitive. Use of ^ and $ and flags are not supported.
  6. Select Retroactive to run the suppression rule against all existing alerts that have not been resolved. If unselected, the rule does not apply to existing unresolved alerts, but applies to future Signal matches.
  7. Click Preview to view a list of existing unresolved alerts that match the criteria you specify in the suppression rule. Threat Response evaluates 1000 alerts at a time until all applicable alerts have been evaluated, or until 10,000 alerts have been evaluated. Click Save.

Suppress an alert

You can create a suppression rule directly from an alert. From the Threat Response menu, click Alerts. Select an alert and click Actions > Suppress. The suppression rule page displays and features all of the values that are required to suppress the alert. Provide a name and description for the suppression rule and select Retroactive if you want to apply the suppression rule against all existing alerts that have not been resolved. Click Save.

Edit and delete suppression rules

You can edit or delete existing suppression rules. From the Threat Response menu, click Intel > Suppression Rules. Select a suppression rule that you want to edit. Click Actions > Edit.

To delete a suppression rule, select the suppression rules that you want to delete. Click Actions > Delete.

View the status of a retroactive task

If you edit a suppression rule and select Retroactive to run the suppression rule against all existing alerts that have not been resolved, you can view the status of how that rule is retroactively applied. From the Threat Response menu, click Intel > Suppression Rules. Click Retroactive Tasks. View the status column to see if the retroactive task is Not Started, Incomplete, Completed, or has resulted in an error.

Import and export global suppression rules

Import and export global suppression rules to move them from one platform to another. For example, you can export global suppression rules from a test system and import them to a production system. Global suppression rules are imported and exported as JSON files and have a file size limit of 1 MB.

Export global suppression rules

  1. From the Threat Response menu, click Intel > Suppression Rules.
  2. Select the global suppression rules that you want to export. Click Actions > Export. If you select suppression rules that are specific to a signal, they are omitted from the export.
  3. A JSON file is created for the export. Provide a name for the JSON file and click Export.

Import global suppression rules

  1. From the Threat Response menu, click Intel > Suppression Rules. Click Import and browse to a JSON file that you want to import. Click OK.
  2. Review the global suppression rules to be imported. Click OK. You can Skip a global suppression that is conflicting with one that already has the same name or Import and Rename to apply a suffix of Duplicate <time stamp> to the suppression. For example, if a suppression is named test and you select Import and Rename, the resulting imported rule would be named test Duplicate <time stamp>.
  3. From the summary window that displays the global suppression rules that have been imported, click Finish.
  4. Refresh the list of suppression rules to view the global suppression rules that have been imported.

Manage the impact of lateral movement with Tanium Impact

If you installed Tanium Impact, and are assigned the Impact Asset Items Read and Impact Asset Details Read permissions, an Outbound Impact column displays in the alerts results grid. The value in the Outbound Impact column quantifies the number of user accounts and endpoints that can be reached from the corresponding Windows endpoint. Click the alert to view the alert details. In the Impact Details section of the alert details you can view data to better understand the lateral impact the endpoint has in an environment should it become compromised to help prioritize alert remediation.

Click Explore in Impact to view more detailed information about how the Windows endpoint fits into a larger topology. For more information, ask your TAM.

Set up Tanium Connect forwarding

Threat Response sends event information to Tanium Connect by default. To save this event information, you must configure Connect for the events to be passed to a destination. If you do not configure a destination, the events are dropped.

You can configure a Connect forwarding connection at any time. If you configure the connection during the installation process, all history is captured.

  1. From Connect, create a new connection with Event type and Tanium Detect as the event group.
  2. Select the Threat Response events that you want preserved.
    • Match Alerts Raw sends the details of all alerts in JSON format. This selection is intended for destinations that can process JSON data.
    • Match Alerts forwards only the events that match a configuration and specific intel, such as that from a specific source, specific type, or Signal. Event information is encoded in base64. Review the Intel configurations that are enabled for a profile to identify the types of events that are included when this option is selected.
    • All Events includes scan matches and other Threat Response events, such as messages and notifications.
  3. Configure the destination; such as a SIEM service or Write to File.
  4. When configuring reputation intel for Threat Response, you do not need to configure Tanium Connect as Threat Response inserts data into the reputation database.

    For more information see the Tanium Connect User Guide.

Last updated: 7/2/2020 9:44 AM | Feedback