When the engine detects a match to intel that you have applied on a computer group, an alert is generated from the endpoint and reported back to Threat Response. You can view alerts in the following locations:
- The high-level overview on the Threat Response home page
- An individual intel document
- The Alerts page
- On the Threat Response home page, the alert visualization provides a high-level view of alerts. To see a list of the unresolved alerts, click Investigate.
- On the Threat Response home page, you can also review alerts by label or source type.
From the Threat Response menu, click Intel. To open a single piece of intel, click the name of the item. From the individual page, you can review alerts that are associated with the intel, the activity over the last 30 days, the engine analysis, and you can edit the definition.
You can also initiate quick scans for intel documents from the intel page.
Investigating reputation data requires the reputation service to be configured. See Set up the reputation service for more information.
For endpoints that use reputation intel, hashes found by the saved questions are sent to the reputation service for assessment. If this intel generates an alert, the hashes display with red or yellow status. Any known malicious matches automatically initiate a quick scan on targeted computer groups and generate an IOC for ongoing background scans. Each reputation IOC can contain up to 20 hashes. These IOCs are listed with Reputation as their source.
When the reputation for a hash changes, the intel is updated. For example, if a hash is no longer considered malicious according to reputation data, the associated intel document is updated so no further alerts are generated. If no malicious hashes exist in an intel document, the document is deleted.
- Expand an alert to see the hash indicator. A hash can have one of the following ratings:
- Non-Malicious (Green)
- Malicious (Red)
- Suspicious (Yellow)
- Unknown (Gray)
- Click a hash to view more details. For reputation data that comes from VirusTotal, you can expand the details and see a color-coded list of intelligence providers that have assessed the hash.
The Threat Response icon pulses while the quick scan is running. After the quick scan completes, you can use the Interact icon to view the detailed results of the scan. Alerts are generated and gathered asynchronously from the scan. Alerts might be displayed on the Alerts page before the scan completes.
Limit alerts to those that are similar to a specific alert.
- From the Threat Response Menu, click Alerts. Select an alert.
- Expand the basic alert details and click Find Similar Matches By Hash. All matches also contain a hash, which is a unsigned 32-bit value to help identify occurrences of the same item across endpoints and across different scans. This calculation is a best-effort hash for this purpose, but in most cases it is adequate.
If you have a suspicious alert, you can open a live connection to investigate further.
- From the Threat Response Menu, click Alerts. Select the alert that you want to investigate. You can investigate one alert at a time.
- Click Actions > Investigate.
- Click Start live connection [endpoint name].
The live endpoint page opens, with appropriate filtering for the type of alert you are investigating. Take a snapshot of suspicious endpoints for saved evidence.
You can delete alerts any time. If an alert is matched again later, the alert is generated again.
Create suppression rules to prevent the creation of an alert when an intel match occurs. Use suppression rules to reduce false positives for signals that you cannot edit, such as those from the Tanium Signal Feed. Suppression rules are not intended for use as a substitution for properly crafted signals. You can apply rules that suppress alerts that match Process Path, Process Command Line, Parent Command Line, Process Hash, and User.
- From the Threat Response menu, go to Intel. Select a signal.
- Click Actions > Add Suppression Rule.
- Provide a name and description for the suppression rule.
- Select the fields that you want to use for suppressions:
- Process path: The path in the file system to a specific process. For example, c:\windows\notepad.exe.
- Process command line: Additional parameters that were provided for a process. For example, if a process is wevtutil.exe, a possible process command line is: wevtutil cl Application.
- Parent command line: The full command line of the parent process.
- Process hash: A specific hash value that corresponds to a process.
- User: A specific user on the system that is associated with a process.
If a signal has generated an alert, you can click the Suppress Alert link from an alert page to preview the expected values for each of the fields.
- Specify how you want to compare the field to the alert. You can choose to suppress an alert if a field is a direct match, contains a value, or matches a pattern specified by a regular expression.
- Select Is to suppress an alert when a direct match occurs. For example, a specific hash value or user name matches.
- Select Contains to suppress an alert when a subset of the alert criteria matches. For example, a path that contains "Windows".
- Select Matches to suppress an alert when a pattern matches the criteria. A regular expression needs to match the whole string. If you want to match Win and Windows, the regular expression needs to be .*Win.*. Use of the ^ and $ special characters, and flags are not supported.
Threat Response sends event information to Tanium Connect by default. To save this event information, you must configure Connect for the events to be passed to a destination. If you do not configure a destination, the events are dropped.
You can configure a Connect forwarding connection at any time. If you configure the connection during the installation process, all history is captured.
- From Connect, create a new connection with Event type and Tanium Detect as the event group.
- Select the Threat Response events that you want preserved.
- Match Alerts Raw sends the details of all alerts in JSON format. This selection is intended for destinations that can process JSON data.
- Match Alerts forwards only the events that match a configuration and specific intel, such as that from a specific source, specific type, or signal. Event information is encoded in base64. Review the Intel configurations that are enabled for a profile to identify the types of events that are included when this option is selected.
- All Events includes scan matches and other Threat Response events, such as messages and notifications.
- Configure the destination; such as a SIEM service or Write to File.
When configuring reputation intel for Threat Response, you do not need to configure Tanium Connect as Threat Response inserts data into the reputation database.
For more information see the Tanium Connect User Guide.
To turn off event forwarding, see Troubleshooting.
Last updated: 4/23/2019 6:12 PM | Feedback