Managing alerts

When the engine detects a match to intel that you have applied on a computer group, an alert is generated from the endpoint and reported back to Threat Response. You can view alerts in the following locations:

  • The high-level overview on the Threat Response home page
  • An individual intel document
  • The Alerts page

View unresolved alerts

  • On the Threat Response home page, the alert visualization provides a high-level view of alerts. To see a list of the unresolved alerts, click Investigate.
  • On the Threat Response home page, you can also review alerts by label or source type.

View alerts by intel document

From the Threat Response menu, click Intel. To open a single piece of intel, click the name of the item. From the individual page, you can review alerts that are associated with the intel, the activity over the last 30 days, the engine analysis, the MITRE technique ID, and you can edit the definition.

Each Signal can have one or more associated MITRE technique IDs. Technique IDs categorize Signals to align them with the MITRE ATT&CK framework and help map coverage to its tactics and techniques. You can filter alerts by technique ID.

You can also initiate quick scans for intel documents from the intel page.

Investigate reputation data

Investigating reputation data requires the reputation service to be configured. See Set up the reputation service for more information.

For endpoints that use reputation intel, hashes found by the saved questions are sent to the reputation service for assessment. If this intel generates an alert, the hashes display with red or yellow status. Any known malicious matches automatically initiate a quick scan on targeted computer groups and generate an IOC for ongoing background scans. Each reputation IOC can contain up to 20 hashes. These IOCs are listed with Reputation as their source.

When the reputation for a hash changes, the intel is updated. For example, if a hash is no longer considered malicious according to reputation data, the associated intel document is updated so no further alerts are generated. If no malicious hashes exist in an intel document, the document is deleted.

  1. Expand an alert to see the hash indicator. A hash can have one of the following ratings:
    • Non-Malicious (Green)
    • Malicious (Red)
    • Suspicious (Yellow)
    • Unknown (Gray)
    • Pending
  2. Click a hash to view more details. For reputation data that comes from VirusTotal, you can expand the details and see a color-coded list of intelligence providers that have assessed the hash.

The Threat Response icon pulses while the quick scan is running. After the quick scan completes, you can use the Interact icon to view the detailed results of the scan. Alerts are generated and gathered asynchronously from the scan. Alerts might be displayed on the Alerts page before the scan completes.

Find similar matches

Limit alerts to those that are similar to a specific alert.

  1. From the Threat Response Menu, click Alerts. Select an alert.
  2. Expand the basic alert details and click Find Similar Matches By Hash. All matches also contain a hash, which is an unsigned 32-bit value to help identify occurrences of the same item across endpoints and across different scans. This calculation is a best-effort hash for this purpose, but in most cases it is adequate.

Investigate alerts

If you have a suspicious alert, you can open a live connection to investigate further.

  1. From the Threat Response Menu, click Alerts. Select the alert that you want to investigate. You can investigate one alert at a time.
  2. Click Actions > Investigate.
  3. Click Start live connection [endpoint name].

The live endpoint page opens, with appropriate filtering for the type of alert you are investigating. Take a snapshot of suspicious endpoints for saved evidence.

Deploy an action to an endpoint

If you have a suspicious alert, you can deploy an action to a single affected endpoint directly from the alert.

  1. From the Threat Response Menu, click Alerts. Select the alert for which you want to deploy a remediation or other action.
  2. Click Actions > Deploy Action.
  3. The Deploy Action page displays and the targeted endpoint is identified.
  4. Select the package that you want to deploy. Depending on the package that you select, you are prompted to provide parameters for the package. If you select a package for Live Response, you can specify the collection configuration and destination configuration you want to use for Live Response file collection.
  5. Provide a unique name and description for the action.
  6. If you do not want to deploy the action immediately, specify a start time to create a scheduled action. The time refers to the system clock on the Tanium Server, not on the endpoint. For example, if you specify the action to deploy at 1:00 am, it deploys when the Tanium Server system clock time is 1:00 am.
  7. Optionally specify an end time. This is important if you configure reissue intervals for the action, unless you are sure it is the type of action that you want to reissue indefinitely. If you are not sure, configuring the schedule to end in six months is better than running indefinitely.
  8. You can schedule the action to repeat at intervals. Specifying to reissue an action creates a scheduled action. Specifying a reissue interval is appropriate when:

    • Action approval is enabled and you are not certain it will be approved before the action expires.

    • You want to be sure software or configuration updates are made not only to the clients currently online but also to those currently offline that will be predictably online within a window that the reissue interval defines.

    • The action is a continual hygiene practice. For example, you want to check periodically that a client service is running or a client configuration has a particular value.

  9. Click Deploy. Confirm that you want to deploy the action. Provide administrator credentials and click OK.

Initiate a Response Action from an alert

If you have a suspicious alert, you can initiate a response action to a single affected endpoint directly from the alert. Initiating Live Response, Quarantine, or Gather Snapshot deploys a response action. A response action, unlike a scheduled action, runs once during a provided time range and ensures that if an endpoint is not online when you deploy the action, it runs when the endpoint comes online. Once deployed, from the Threat Response Menu click Response Activity to view the status or stop a response action.

  1. From the Threat Response Menu, click Alerts. Select the alert for which you want to deploy an action.
  2. Click Actions > Live Response, Actions > Quarantine, Actions > Gather Snapshot, or Actions > Download File.

    When you download a file as a response action, the file is saved as saved evidence. From the Threat Response menu, click Saved Evidence > Files to access the files that you download.

  3. Provide parameters for the response action. For example, if you select the response action for Live Response, you can specify the collection configuration and destination configuration you want to use for Live Response file collection.
  4. Click Run. Confirm that you want to deploy the response action. Provide administrator credentials and click OK.

Remediate alerts in Tanium Protect

You can create a remediation policy in Tanium Protect, and specify conditions to enforce that policy from an alert. For example, a remediation policy defines specific actions to perform for an alert, and an enforcement defines the endpoints and schedule for performing the actions defined in the policy. Policies such as deleting files, killing a process, and performing registry tasks are available to perform when an alert is generated. By default, the remediation only targets the endpoint that generated the alert. To create remediation policies from an alert, Tanium Protect must be installed.

  1. From the Threat Response Menu, click Alerts. Select the alert for which you want to remediate in Tanium Protect.
  2. Select Actions > Remediate in Tanium Protect.

    If an instance of Tanium Protect is not installed, this option is not available from the Actions menu.

  3. In the Policy Details section, provide a name and description for the policy.
  4. In the Tasks section, click Add Tasks to perform as part of the remediation. You can select multiple tasks to add. Each task that you add to the remediation policy requires additional data that is by default populated with the data from the alert. Available tasks are:

    Delete file

    Provide a path to a single file to delete. By default, this path is populated with the data from the alert. Select to continue or exit if an error occurs.

    Kill process

    Select to use the Name, Path, or Hash of the process. Paths support wildcard syntax such as *, !, and ?. Group syntax is also supported. Hashes support an optional maximum file size. Provide any additional command line arguments for a process. Command line arguments support regular expression syntax such as C:\^Win$\.* .

    Provide a timeout value in seconds. If the number of seconds you specify is exceeded without killing the specified process, the kill process task fails. You can additionally provide a number of attempts for the task before the task fails.

    Select to continue or exit if an error occurs.

    Edit Registry Data

    Select a hive in which to edit the registry data:

    HKEY_CLASSES_ROOT
    HKEY_LOCAL_MACHINE
    HKEY_CURRENT_CONFIG
    HKEY_USERS

    Additionally provide the path relative to the hive you select. For example, System\CurrentControlSet\Hardware Profiles\Current

    Select the type of the data to edit and provide new data to use to replace the value of the existing data.

    Select if you want to create the value using the data you provided if no value matching the alert is detected. Select to continue or exit if an error occurs.

    Update Registry Value

    Select a hive in which to update the registry data:

    HKEY_CLASSES_ROOT
    HKEY_LOCAL_MACHINE
    HKEY_CURRENT_CONFIG
    HKEY_USERS

    Additionally provide the path relative to the hive you select. For example, System\CurrentControlSet\Hardware Profiles\Current

    Select to edit the value with data that you provide, or to delete the current value. Select to continue or exit if an error occurs.

    Delete Registry Key

    Select a hive in which to delete the registry key:

    HKEY_CLASSES_ROOT
    HKEY_LOCAL_MACHINE
    HKEY_CURRENT_CONFIG
    HKEY_USERS

    Additionally provide the path relative to the hive you select. For example, System\CurrentControlSet\Hardware Profiles\Current

    Select to continue or exit if an error occurs.

  5. In the Enforcements section, click Add Enforcement. Select Computer Group to target the remediation to an entire computer group. Select Individual Computers to provide one or more endpoints for the remediation to target. Add the fully qualified host name of each endpoint you want the remediation to target. Comma delimit multiple endpoints. Provide a start and end time for when you want to perform the remediation. Select to distribute over time to balance resource use over a time duration that you specify. The duration of the Distribute over time setting must be at least 10 minutes shorter than the Issue time setting. Select if you want to repeat the action and how often.
  6. Click Remediate. The remediation is available in Tanium Protect. From the Main menu, click Protect > Policies > Remediations to view and edit the remediation in Tanium Protect.

Delete alerts

You can delete alerts at any time. If an alert is matched again later, the alert is generated again.

Suppress alerts

Create suppression rules to prevent the creation of an alert when an intel match occurs for a Signal. Use suppression rules to reduce false positives for Signals that you cannot edit, such as those from the Tanium Signal Feed. Suppression rules are not intended for use as a substitution for properly crafted Signals. You can apply rules that suppress alerts that match Process Path, Process Command Line, Parent Command Line, Process Hash, and User.

  1. From the Threat Response menu, go to Intel. Click Add > Suppression Rule.
  2. Select the type of suppression rule to create. A global rule applies to all Signals where a match occurs. An intel-specific rule only applies to matches to a specific Signal that you specify. Select Global or Signal-Specific. If you select Signal-Specific, select an available Signal.
  3. Provide a name and description for the suppression rule.
  4. Select the fields that you want to use for suppressions:
    1. Process path: The path in the file system to a specific process. For example, c:\windows\notepad.exe.
    2. Process command line: Additional parameters that were provided for a process. For example, if a process is wevtutil.exe, a possible process command line is: wevtutil cl Application.
    3. Parent command line: The full command line of the parent process.
    4. Process MD5: A specific MD5 hash value that corresponds to a process.
    5. User: A specific user on the system that is associated with a process.

    If a Signal has generated an alert, you can click the Suppress Alert link from an alert page to preview the expected values for each of the fields.

  5. Specify how you want to compare the field to the alert. You can choose to suppress an alert if a field is a direct match, contains a value, or matches a pattern specified by a regular expression.
    1. Select Is to suppress an alert when a direct match occurs. For example, a specific hash value or user name matches.
    2. Select Contains to suppress an alert when a subset of the alert criteria matches. For example, a path that contains "Windows".
    3. Select Matches to suppress an alert when a pattern matches the criteria. The regular expression must match the whole string: to match both Win and Windows, the regular expression needs to be .*Win.*. The ^ and $ anchors and regular expression flags are not supported.
  6. Select Retroactive to run the suppression rule against all existing alerts that have not been resolved. If unselected, the rule does not apply to existing unresolved alerts, but applies to future Signal matches.
  7. Click Preview to view a list of existing unresolved alerts that match the criteria you specify in the suppression rule. Threat Response evaluates 1000 alerts at a time until at least 100 alerts match the suppression rule, or until 10,000 alerts have been evaluated. Click Save.
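The Is, Contains and Matches comparisons and the Preview batching described above, written as an added Python example (not Tanium's code). The field names, the assumption that all criteria of a rule must hold (AND), and the up-front rejection of ^ and $ are this example's own choices.

```python
import re
from dataclasses import dataclass

# Fields a suppression rule may compare, as listed on the page (names assumed).
FIELDS = ("process_path", "process_command_line", "parent_command_line", "process_md5", "user")


@dataclass(frozen=True)
class Criterion:
    field: str      # one of FIELDS
    operator: str   # "is", "contains" or "matches"
    value: str

    def __post_init__(self) -> None:
        if self.field not in FIELDS:
            raise ValueError(f"unknown field {self.field!r}")
        if self.operator not in ("is", "contains", "matches"):
            raise ValueError(f"unknown operator {self.operator!r}")
        # Assumption: since ^ and $ are not supported, a Matches pattern containing
        # them is rejected when the rule is built rather than silently mis-evaluated.
        if self.operator == "matches" and ("^" in self.value or "$" in self.value):
            raise ValueError("^ and $ are not supported in Matches patterns")

    def applies_to(self, alert: dict) -> bool:
        actual = alert.get(self.field, "")
        if self.operator == "is":
            return actual == self.value            # direct match
        if self.operator == "contains":
            return self.value in actual            # substring, e.g. "Windows" in a path
        # Matches: the pattern must cover the whole string, so "Win" does not match
        # "Windows" but ".*Win.*" does. No flags, so matching is case-sensitive.
        return re.fullmatch(self.value, actual) is not None


def rule_suppresses(criteria, alert: dict) -> bool:
    """Assumed AND semantics: every criterion of the rule must hold."""
    return all(c.applies_to(alert) for c in criteria)


def preview(criteria, alerts, page_size=1000, min_matches=100, max_evaluated=10000):
    """Evaluate unresolved alerts 1000 at a time, stopping once at least 100 match
    or 10,000 alerts have been evaluated, as the Preview step describes."""
    matched, evaluated = [], 0
    for start in range(0, len(alerts), page_size):
        page = alerts[start:start + page_size]
        evaluated += len(page)
        matched.extend(a for a in page if rule_suppresses(criteria, a))
        if len(matched) >= min_matches or evaluated >= max_evaluated:
            break
    return matched, evaluated


# Constructed sample alerts, not real Threat Response data.
SAMPLE_ALERTS = [
    {"process_path": r"c:\windows\notepad.exe", "process_command_line": "notepad.exe", "user": "alice"},
    {"process_path": r"c:\windows\system32\wevtutil.exe", "process_command_line": "wevtutil cl Application", "user": "alice"},
    {"process_path": r"c:\tools\win.exe", "process_command_line": "win.exe", "user": "bob"},
]
```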

Suppress an alert

You can create a suppression rule directly from an alert. From the Threat Response menu, click Alerts. Expand the alert details and click Suppress Alert. The suppression rule page displays and is pre-filled with all of the values that are required to suppress the alert. Provide a name and description for the suppression rule and select Retroactive if you want to apply the suppression rule against all existing alerts that have not been resolved. Click Save.

Edit and delete suppression rules

You can edit or delete existing suppression rules. From the Threat Response menu, click Intel > Suppression Rules. Select a suppression rule that you want to edit. Click Actions > Edit.

To delete a suppression rule, select the suppression rules that you want to delete. Click Actions > Delete.

View the status of a retroactive task

If you edit a suppression rule and select Retroactive to run the suppression rule against all existing alerts that have not been resolved, you can view the status of how that rule is retroactively applied. From the Threat Response menu, click Intel > Suppression Rules. Click Retroactive Tasks. View the status column to see if the retroactive task is Not Started, Incomplete, Completed, or has resulted in an error.

Import and export global suppression rules

Import and export global suppression rules to move them from one platform to another. For example, you can export global suppression rules from a test system and import them to a production system. Global suppression rules are imported and exported as JSON files and have a file size limit of 1 MB.

Export global suppression rules

  1. From the Threat Response menu, click Intel > Suppression Rules.
  2. Select the global suppression rules that you want to export. Click Actions > Export. If you select suppression rules that are specific to a signal, they are omitted from the export.
  3. A JSON file is created for the export. Provide a name for the JSON file and click Export.

Import global suppression rules

  1. From the Threat Response menu, click Intel > Suppression Rules. Click Import and browse to a JSON file that you want to import. Click OK.
  2. Review the global suppression rules to be imported. Click OK. If an imported rule has the same name as an existing rule, you can Skip it, or select Import and Rename to apply the suffix Duplicate <time stamp> to the imported rule. For example, if a suppression rule is named test and you select Import and Rename, the resulting imported rule is named test Duplicate <time stamp>.
  3. From the summary window that displays the global suppression rules that have been imported, click Finish.
  4. Refresh the list of suppression rules to view the global suppression rules that have been imported.

Set up Tanium Connect forwarding

Threat Response sends event information to Tanium Connect by default. To save this event information, you must configure Connect for the events to be passed to a destination. If you do not configure a destination, the events are dropped.

You can configure a Connect forwarding connection at any time. If you configure the connection during the installation process, all history is captured.

  1. From Connect, create a new connection with Event type and Tanium Detect as the event group.
  2. Select the Threat Response events that you want preserved.
    • Match Alerts Raw sends the details of all alerts in JSON format. This selection is intended for destinations that can process JSON data.
    • Match Alerts forwards only the events that match a configuration and specific intel, such as that from a specific source, specific type, or Signal. Event information is encoded in base64. Review the Intel configurations that are enabled for a profile to identify the types of events that are included when this option is selected.
    • All Events includes scan matches and other Threat Response events, such as messages and notifications.
  3. Configure the destination, such as a SIEM service or Write to File.
  4. When configuring reputation intel for Threat Response, you do not need to configure Tanium Connect, because Threat Response inserts data into the reputation database directly.

    For more information see the Tanium Connect User Guide.

Last updated: 3/26/2020 9:27 AM