Managing alerts

When the engine detects a match to intel that you have applied on a computer group, an alert is generated from the endpoint and reported back to Threat Response. You can view alerts in the following locations:

  • The high-level overview on the Threat Response home page
  • An individual intel document
  • The Alerts page

View unresolved alerts

  • On the Threat Response home page, the alert visualization provides a high-level view of alerts. To see a list of the unresolved alerts, click Investigate.
  • On the Threat Response home page, you can also review alerts by label or source type.

View alerts by intel document

From the Threat Response menu, click Intel. To open a single piece of intel, click the name of the item. From the individual page, you can review alerts that are associated with the intel, the activity over the last 30 days, the engine analysis, the MITRE technique ID, and you can edit the definition.

Each Signal can have one or more associated MITRE technique IDs. Technique IDs categorize Signals to better align with the MITRE ATT&CK framework and help map coverage to the different tactics and techniques. You can filter alerts by technique ID.

You can also initiate quick scans for intel documents from the intel page.

Investigate reputation data

Investigating reputation data requires the reputation service to be configured. See Set up the reputation service for more information.

For endpoints that use reputation intel, hashes found by the saved questions are sent to the reputation service for assessment. If this intel generates an alert, the hashes display with red or yellow status. Any known malicious matches automatically initiate a quick scan on targeted computer groups and generate an IOC for ongoing background scans. Each reputation IOC can contain up to 20 hashes. These IOCs are listed with Reputation as their source.

When the reputation for a hash changes, the intel is updated. For example, if a hash is no longer considered malicious according to reputation data, the associated intel document is updated so no further alerts are generated. If no malicious hashes exist in an intel document, the document is deleted.

  1. Expand an alert to see the hash indicator. A hash can have one of the following ratings:
    • Non-Malicious (Green)
    • Malicious (Red)
    • Suspicious (Yellow)
    • Unknown (Gray)
    • Pending
  2. Click a hash to view more details. For reputation data that comes from VirusTotal, you can expand the details and see a color-coded list of intelligence providers that have assessed the hash.

The Threat Response icon pulses while the quick scan is running. After the quick scan completes, you can use the Interact icon to view the detailed results of the scan. Alerts are generated and gathered asynchronously from the scan. Alerts might be displayed on the Alerts page before the scan completes.

Find similar matches

Limit alerts to those that are similar to a specific alert.

  1. From the Threat Response Menu, click Alerts. Select an alert.
  2. Expand the basic alert details and click Find Similar Matches By Hash. Every match also carries a hash, an unsigned 32-bit value that helps identify occurrences of the same item across endpoints and across different scans. The hash is a best-effort calculation for this purpose, but in most cases it is adequate.

Investigate alerts

If you have a suspicious alert, you can open a live connection to investigate further.

  1. From the Threat Response Menu, click Alerts. Select the alert that you want to investigate. You can investigate one alert at a time.
  2. Click Actions > Investigate.
  3. Click Start live connection [endpoint name].

The live endpoint page opens, with appropriate filtering for the type of alert you are investigating. Take a snapshot of suspicious endpoints for saved evidence.

Deploy an action to an endpoint

If you have a suspicious alert, you can deploy an action to a single affected endpoint directly from the alert.

  1. From the Threat Response Menu, click Alerts. Select the alert for which you want to deploy an action to remediate or perform other action.
  2. Click Actions > Deploy Action.
  3. The Deploy Action page displays and the targeted endpoint is identified.
  4. Select the package that you want to deploy. Depending on the package that you select, you are prompted to provide parameters for the package. If you select a package for Live Response, you can specify the collection configuration and destination configuration you want to use for Live Response file collection.
  5. Provide a unique name and description for the action.
  6. If you do not want to deploy the action immediately, specify a start to create a scheduled action. The time refers to the system clock on the Tanium Server, not on the endpoint. For example, if you specify the action to deploy at 1:00 am, it deploys when the Tanium Server system clock time is 1:00 am.
  7. Optionally specify an end time. An end time is important if you configure reissue intervals for the action, unless you are sure it is the type of action that you want to reissue indefinitely. If you are not sure, configuring the schedule to end in six months is better than running indefinitely.
  8. You can schedule the action to repeat at intervals. Specifying to reissue an action creates a scheduled action. Specifying a reissue interval is appropriate when:

    • Action approval is enabled and you are not certain it will be approved before the action expires.

    • You want to be sure software or configuration updates are made not only to the clients currently online but also to those currently offline that will be predictably online within a window that the reissue interval defines.

    • The action is a continual hygiene practice. For example, you want to check periodically that a client service is running or a client configuration has a particular value.

  9. Click Deploy. Confirm that you want to deploy the action. Provide administrator credentials and click OK.

Initiate Live Response or Quarantine from an alert

If you have a suspicious alert, you can initiate Live Response or Quarantine to a single affected endpoint directly from the alert. Initiating Live Response or Quarantine deploys a response action. A response action, unlike a scheduled action, runs once during a provided time range and ensures that if an endpoint is not online when you deploy the action, it runs when the endpoint comes online. Once deployed, from the Threat Response Menu click Response Activity to view the status or stop a response action.

  1. From the Threat Response Menu, click Alerts. Select the alert for which you want to deploy an action.
  2. Click Actions > Live Response or Actions > Quarantine.
  3. Provide parameters for the package. For example, if you select a package for Live Response, you can specify the collection configuration and destination configuration you want to use for Live Response file collection. Ensure that you select a package that corresponds to the target operating system.
  4. Click Run. Confirm that you want to deploy the action. Provide administrator credentials and click OK.

Delete alerts

You can delete alerts any time. If an alert is matched again later, the alert is generated again.

Suppress alerts

Create suppression rules to prevent the creation of an alert when an intel match occurs for a Signal. Use suppression rules to reduce false positives for Signals that you cannot edit, such as those from the Tanium Signal Feed. Suppression rules are not intended for use as a substitution for properly crafted Signals. You can apply rules that suppress alerts that match Process Path, Process Command Line, Parent Command Line, Process Hash, and User.

  1. From the Threat Response menu, go to Intel. Click Add > Suppression Rule.
  2. Select the type of suppression rule to create. A global rule applies to all Signals where a match occurs. An intel-specific rule only applies to matches to a specific Signal that you specify. Select Global or Signal-Specific. If you select Signal-Specific, select an available Signal.
  3. Provide a name and description for the suppression rule.
  4. Select the fields that you want to use for suppressions:
    1. Process path: The path in the file system to a specific process. For example, c:\windows\notepad.exe.
    2. Process command line: Additional parameters that were provided for a process. For example, if a process is wevtutil.exe, a possible process command line is: wevtutil cl Application.
    3. Parent command line: The full command line of the parent process.
    4. Process MD5: A specific MD5 hash value that corresponds to a process.
    5. User: A specific user on the system that is associated with a process.

    If a Signal has generated an alert, you can click the Suppress Alert link from an alert page to preview the expected values for each of the fields.

  5. Specify how you want to compare the field to the alert. You can choose to suppress an alert if a field is a direct match, contains a value, or matches a pattern specified by a regular expression.
    1. Select Is to suppress an alert when a direct match occurs. For example, a specific hash value or user name matches.
    2. Select Contains to suppress an alert when a subset of the alert criteria matches. For example, a path that contains "Windows".
    3. Select Matches to suppress an alert when a pattern matches the criteria. The regular expression must match the whole string: to match both Win and Windows, the regular expression must be .*Win.*. The ^ and $ anchors and regular expression flags are not supported.
  6. Select Retroactive to run the suppression rule against all existing alerts that have not been resolved. If unselected, the rule does not apply to existing unresolved alerts, but applies to future Signal matches.
  7. Click Preview to view a list of existing unresolved alerts that match the criteria you specify in the suppression rule. Threat Response evaluates 1000 alerts at a time until at least 100 alerts match the suppression rule, or until 10,000 alerts have been evaluated. Click Save.
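The comparison semantics and the Preview batching described in steps 5 through 7, as an added example that is not part of the Threat Response product or this guide. The alert records and field names are constructed for illustration; the real alert schema is not documented on this page.

```python
import re
from itertools import islice

# Constructed alert records for illustration (not Threat Response data); the field
# names are assumed to mirror the suppression-rule fields described on the page.
ALERTS = [
    {"id": 1, "signal": "Event Log Clear", "process_path": r"C:\Windows\System32\wevtutil.exe",
     "process_command_line": "wevtutil cl Application", "user": "CORP\\svc_backup"},
    {"id": 2, "signal": "Event Log Clear", "process_path": r"C:\Windows\System32\wevtutil.exe",
     "process_command_line": "wevtutil cl Security", "user": "CORP\\jdoe"},
    {"id": 3, "signal": "Notepad Launch", "process_path": r"c:\windows\notepad.exe",
     "process_command_line": "notepad.exe", "user": "CORP\\jdoe"},
]

def field_matches(op, expected, actual):
    """Is: exact match. Contains: substring. Matches: the regular expression must
    match the whole string (no ^/$ anchors, no flags), so 'Win' does not match
    'C:\\Windows\\...' but '.*Win.*' does."""
    if op == "is":
        return actual == expected
    if op == "contains":
        return expected in actual
    if op == "matches":
        return re.fullmatch(expected, actual) is not None
    raise ValueError(f"unknown comparison {op!r}")

def rule_suppresses(rule, alert):
    """A global rule (signal None) applies to every Signal; a signal-specific rule
    only to its Signal. All configured field conditions must hold."""
    if rule.get("signal") is not None and rule["signal"] != alert["signal"]:
        return False
    return all(field_matches(op, expected, alert[field])
               for field, (op, expected) in rule["conditions"].items())

def preview(rule, alerts, batch=1000, target=100, limit=10000):
    """Preview as the page describes it: evaluate alerts 1000 at a time until at
    least 100 match or 10,000 have been evaluated. Returns (matched_ids, evaluated)."""
    matched, evaluated, it = [], 0, iter(alerts)
    while evaluated < limit and len(matched) < target:
        chunk = list(islice(it, batch))
        if not chunk:
            break
        evaluated += len(chunk)
        matched.extend(a["id"] for a in chunk if rule_suppresses(rule, a))
    return matched, evaluated
```

Note that a Matches rule of `Win` suppresses nothing while `.*Win.*` suppresses both wevtutil alerts, which is the whole-string behaviour step 5 warns about.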

Suppress an alert

You can create a suppression rule directly from an alert. From the Threat Response menu, click Alerts. Expand the alert details and click Suppress Alert. The suppression rule page displays and is prefilled with all of the values that are required to suppress the alert. Provide a name and description for the suppression rule and select Retroactive if you want to apply the suppression rule against all existing alerts that have not been resolved. Click Save.

Edit and delete suppression rules

You can edit or delete existing suppression rules. From the Threat Response menu, click Intel > Suppression Rules. Select a suppression rule that you want to edit. Click Actions > Edit.

To delete a suppression rule, select the suppression rules that you want to delete. Click Actions > Delete.

View the status of a retroactive task

If you edit a suppression rule and select Retroactive to run the suppression rule against all existing alerts that have not been resolved, you can view the status of the retroactive task. From the Threat Response menu, click Intel > Suppression Rules. Click Retroactive Tasks. View the status column to see whether the retroactive task is Not Started, Incomplete, Completed, or has resulted in an error.

Import and export global suppression rules

Import and export global suppression rules to move them from one platform to another. For example, you can export global suppression rules from a test system and import them to a production system. Global suppression rules are imported and exported as JSON files and have a file size limit of 1 MB.

Export global suppression rules

  1. From the Threat Response menu, click Intel > Suppression Rules.
  2. Select the global suppression rules that you want to export. Click Actions > Export. If you select suppression rules that are specific to a signal, they are omitted from the export.
  3. A JSON file is created for the export. Provide a name for the JSON file and click Export.

Import global suppression rules

  1. From the Threat Response menu, click Intel > Suppression Rules. Click Import and browse to a JSON file that you want to import. Click OK.
  2. Review the global suppression rules to be imported. Click OK. If an imported global suppression rule has the same name as an existing one, you can Skip it or choose Import and Rename to append the suffix Duplicate <time stamp> to its name. For example, if a suppression rule is named test and you select Import and Rename, the resulting imported rule is named test Duplicate <time stamp>.
  3. From the summary window that displays the global suppression rules that have been imported, click Finish.
  4. Refresh the list of suppression rules to view the global suppression rules that have been imported.
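The export and import behaviour described above (only global rules are exported, the 1 MB file size limit, and Skip versus Import and Rename on a name conflict), as an added example that is not the product's own code. The JSON rule shape, the binary interpretation of 1 MB, and the format of the time stamp are assumptions; the page does not document them.

```python
import json

MAX_FILE_BYTES = 1024 * 1024  # page states a 1 MB limit; binary MB is an assumption

def export_global_rules(rules):
    """Serialize only global rules (signal is None); signal-specific rules are
    omitted, as the export on the page does. Raises if the JSON exceeds the limit."""
    payload = json.dumps([r for r in rules if r.get("signal") is None], indent=2)
    if len(payload.encode("utf-8")) > MAX_FILE_BYTES:
        raise ValueError("export exceeds the 1 MB file size limit")
    return payload

def import_global_rules(existing, payload, on_conflict, stamp):
    """Merge exported rules into a copy of `existing`. A name clash is resolved with
    the page's two choices: 'skip' drops the incoming rule, 'rename' appends
    'Duplicate <time stamp>'. Returns (merged_rules, skipped_names)."""
    if len(payload.encode("utf-8")) > MAX_FILE_BYTES:
        raise ValueError("import file exceeds the 1 MB file size limit")
    merged = [dict(r) for r in existing]
    names = {r["name"] for r in merged}
    skipped = []
    for rule in json.loads(payload):
        if rule.get("signal") is not None:
            continue  # defensive: only global rules travel between platforms
        if rule["name"] in names:
            if on_conflict == "skip":
                skipped.append(rule["name"])
                continue
            if on_conflict != "rename":
                raise ValueError(f"unknown conflict policy {on_conflict!r}")
            rule = dict(rule, name=f"{rule['name']} Duplicate {stamp}")
        names.add(rule["name"])
        merged.append(rule)
    return merged, skipped
```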

Set up Tanium Connect forwarding

Threat Response sends event information to Tanium Connect by default. To save this event information, you must configure Connect for the events to be passed to a destination. If you do not configure a destination, the events are dropped.

You can configure a Connect forwarding connection at any time. If you configure the connection during the installation process, all history is captured.

  1. From Connect, create a new connection with Event type and Tanium Detect as the event group.
  2. Select the Threat Response events that you want preserved.
    • Match Alerts Raw sends the details of all alerts in JSON format. This selection is intended for destinations that can process JSON data.
    • Match Alerts forwards only the events that match a configuration and specific intel, such as that from a specific source, specific type, or Signal. Event information is encoded in base64. Review the Intel configurations that are enabled for a profile to identify the types of events that are included when this option is selected.
    • All Events includes scan matches and other Threat Response events, such as messages and notifications.
  3. Configure the destination, such as a SIEM service or Write to File.
  4. When configuring reputation intel for Threat Response, you do not need to configure Tanium Connect as Threat Response inserts data into the reputation database.

    For more information see the Tanium Connect User Guide.

    To turn off event forwarding, see Troubleshooting.

Last updated: 8/23/2019 10:44 AM