Managing alerts

When the Threat Response detects a match to intel that you have deployed to a computer group, an alert is generated from the endpoint and reported back to Threat Response. You can view alerts in the following locations:

  • The Alerts page
  • An individual intel document
  • Trends boards that show alert data on the Threat Response overview page

You can view alerts that have been generated from endpoints that belong to computer groups for which you have permissions to access. For example, you can view alerts on endpoints for which the active persona belongs to at least one management rights group to which the endpoint belongs. If the current user belongs to at least one management rights group to which the endpoint is a member of, alerts for that endpoint are visible. The Threat Response Administrator Threat Response Operator role has access to view all alerts. To provide other roles visibility into all alerts, assign the Threat Response Visibility Bypass permission to those roles.

If an endpoint is offline for longer than the configured value of the Max Endpoint Age (Days) setting in Tanium Interact, only the users with the Threat Response Visibility Bypass permission can view alerts and saved evidence for the endpoint. If such an endpoint comes back online, alerts and saved evidence become visible to users with the correct permissions.

Background and On-demand scans, regardless of the intel type, are throttled to ensure they do not overuse endpoint resources. All Tanium Client extensions in total consume no more than 5% of the available CPU resources on each endpoint.

On-demand scans that trigger endpoint throttling cause the endpoint to throttle background scan alerts for the effective period of the throttle, which is one hour by default.

To ensure the performance and health of the detect database, Threat Response prunes the alerts table in the Threat Response database every five minutes. Pruning occurs when the alert.pruning.shouldPrune setting in the API is set. By default, this setting is enabled on Threat Response in Tanium Cloud environments and disabled in on-premises environments. To toggle pruning, use a PATCH method request to /plugin/products/threat-response/api/v1/settings/alert.pruning.shouldPrune with the value set to true to enable.

Pruning removes all alerts except for the latest 100,000 alerts that are not assigned the status of In Progress or Resolved. Alerts that are assigned the status of In Progress or Resolved are never pruned. Threat Response then determines if there are any alerts that are not assigned the status of In Progress or Resolved that are older than 60 days, and prunes them from the database. Finally, Threat Response checks for any intel that has created the vast majority of alerts and deletes 90% of the oldest alerts for that intel and keeps only the newest 10%.

View alerts

From the Threat Response menu, click Alerts. At the top of the page all of the alerts across the endpoints in an environment display ranked by endpoint with most alerts, event type, the intel document that initiated the alert, the path to the file or process that initiated the alert, the status of the alert, and a range of dates were the alert was detected. Click any of the fields in the rankings to create filters that display alerts that match the criteria you selected.

Specify any additional criteria to filter Alerts. For example, create filters to display alerts based on endpoint, event type, path, intel name, label, or MITRE technique. Click Advanced Details to view more information about the endpoint on which the alert occurred, the process that caused the alert, and the intel document that matched the alert.

An alert that results from a Signal that matches signature status can display the following signature status values:

  • Unverified - The signature could not be verified.
  • Verified - The signature was verified and passed policy requirements.
  • No Signature - The file had no signature.
  • Error - There was an error processing the signature. For example, an antivirus solution could be preventing access.
  • Disallowed - The signature was explicitly disallowed by the operating system.
  • Not Trusted - The signature was not from a trusted source.
  • Not Trusted Policy - The signature was disallowed based on policy settings.
  • File Does Not Exist - The file did not exist at the time the check occurred.
  • Checking Disabled - Recorder was configured not to check signature for this file type.
  • Timed Out - The request to check the signature timed out before it could complete.

Assign a status to an alert

Assigning status to an alert enables incident response efforts to identify alerts that are being investigated or remediated. For example if you encounter a suspicious alert and you begin to take investigative actions, you can change the status of an alert to In Progress. Similarly when you have completed the remediation of an alert, you can assign the Resolved status to the alert. The Available statuses for alerts are:

  • Dismissed
  • In Progress
  • Resolved
  • Unresolved
The more quickly you can evaluate the risk associated with a given activity, the more quickly you can begin resolving a threat. Develop a plan for investigating and resolving alerts and be diligent about assigning alert statuses. Alert status dispositions are used to calculate the mean time to investigation and mean time to resolution; both key success metrics for Threat Response.

You can track the mean time to investigate alerts and the mean time to resolve alerts key performance indicators in Tanium Trends under the Threat Response - Alerts board. The mean time to investigate alerts is the average amount of time alerts are in the In Progress state over the last 7 days. The mean time to resolve alerts is the average amount of time between when alerts are created to when they assigned the Resolved state over the last 7 days.

Additionally when an alert is suppressed by a suppression rule, the status of an alert is Suppressed. This status is removed from a suppressed alert when the suppression rule is removed.

View alerts by intel document

From the Threat Response menu, click Intel. To open a single piece of intel, click the name of the item. From the individual page, you can review alerts that are associated with the intel, the activity over the last 30 days, the MITRE technique ID, and you can edit the definition.

Each Signal can have one or more associated MITRE technique IDs. Technique IDs can categorize Signals to better align with the MITRE Attack Framework and help map coverage to the different tactics and techniques. You can filter alerts by technique ID.

You can also initiate on demand scans for intel documents from the intel page.

Windows Defender alerts

Windows Defender is an anti-malware component of Microsoft Windows. Use Windows Defender alerts to gain visibility into common areas of Windows for changes which might have been caused by spyware, malware, and general security events. Windows Defender integration requires enabling the Consume Defender Alerts setting in a detection configuration for a deployed profile. By default, this setting is enabled for new configurations. For existing configurations, this setting needs to be enabled.

To subscribe to Defender process actions, such as Event ID 1007, go to Settings and click Service > Misc. Select Windows Defender Process Action.

When Defender generates an alert on a Windows endpoint, an alert is generated in Threat Response that you can view in the alerts page. You can filter the alerts page for Defender alerts.

Deep Instinct alerts

Deep Instinct is a solution that applies deep learning to cybersecurity and adds next-generation AV capabilities to Threat Response by integrating the investigative abilities of Threat Response to Deep Instinct alerts. For example, you can use the quarantine, collection, investigation, and remediation capabilities from Deep Instinct Alerts in Threat Response. ​ Deep Instinct alerts that are saved on the Deep Instinct cloud can leverage Tanium roles and permissions to control access to alert data, enabling customers to access Deep Instinct alert data in a GDPR compliant setting.

Deep Instinct integration is available on Windows and macOS endpoints. Deep Instinct integration requires enabling the Generate Deep Instinct Alerts setting in a detection configuration for a deployed profile. By default, this setting is disabled for new configurations. For alerts to be returned from endpoints, the Deep Instinct agent must be running on the endpoint. Deep Instinct alerts are throttled as to not cause performance issues on an endpoint.

When Deep Instinct generates an alert on an endpoint, an alert is generated in Threat Response that you can view in the alerts page. You can filter the alerts page for Deep Instinct alerts. Deep Instinct Alert details contain a Deep Instinct section that shows Event Type, Event Action, File Path, File Type, file Hash, and Signature where applicable.

For the integration to work correctly, you must configure additional flags for the Deep Instinct Agent (D-Client) using the Deep Instinct CLI. For more information refer to the Deep Instinct documentation or contact Deep Instinct support.

Deep Instinct alerts feature a Deep Instinct section in the alerts details section of each Deep Instinct alert. Each alert shows one of the following event types from Deep Instinct:

  • Deep Static Analysis – Detection

  • Ransomware Behavior

  • Arbitrary Shellcode

  • Malicious PowerShell Command Execution

  • Malicious JavaScript Command Execution

  • Remote Code Injection

  • Credential Dumping

  • Suspicious Script Execution

  • Reflective DLL Injection

  • .Net Reflection

  • AMSI Bypass

  • Known Payload Execution

Threat Response does not generate alerts for Deep Instinct “Suspicious Events” events.

In addition to showing the Event Action that Deep Instinct took in response to the alert, You can view the file path and type of the artifact that caused the alert and the probability percentage that the detection was of several types of malware as calculated by Deep Instinct.

Investigate reputation data

Investigating reputation data requires the reputation service to be configured. See Set up the reputation service for more information.

For endpoints that use reputation intel, hashes found by the saved questions are sent to the reputation service for assessment. If this intel generates an alert, the hashes display with red or yellow status. Any known malicious matches automatically initiate an on-demand scan on targeted computer groups and generate an IOC for ongoing background scans. Each reputation IOC can contain up to 20 hashes. These IOCs are listed with Reputation as their source.

When the reputation for a hash changes, the intel is updated. For example, if a hash is no longer considered malicious according to reputation data, the associated intel document is updated so no further alerts are generated. If no malicious hashes exist in an intel document, the document is deleted.

  1. To view more details about a hash, open the side panel. A hash can have one of the following ratings:
    • Non-Malicious (Green)
    • Malicious (Red)
    • Suspicious (Yellow)
    • Unknown (Gray)
    • Pending
  2. Click a hash to view more details. For reputation data that comes from VirusTotal, you can expand the details and see a color-coded list of intelligence providers that have assessed the hash.

The Threat Response icon pulses while the on-demand scan is running. After the on-demand scan completes, you can use the Interact icon to view the detailed results of the scan. Alerts are generated and gathered asynchronously from the scan. Alerts might be displayed on the Alerts page before the scan completes.

Investigate alerts

If you have a suspicious alert, you can open a live connection to investigate further.

  1. From the Threat Response Menu, click Alerts. Select the alert that you want to investigate. You can investigate one alert at a time.
  2. From the alerts results, click the name of the endpoint to which you want to open a live connection.
  3. Click Start live connection.

The live endpoint page opens, with appropriate filtering for the type of alert you are investigating. Take a snapshot of suspicious endpoints for saved evidence.

Deploy an action to an endpoint

If you have a suspicious alert, you can deploy an action to a single affected endpoint directly from the alert.

  1. From the Threat Response Menu, click Alerts. Select the alert for which you want to deploy an action to remediate or perform other action.
  2. Click Actions > Deploy Action.
  3. The Deploy Action page appears and the targeted endpoint is identified.
  4. Select the package that you want to deploy. Depending on the package that you select, you are prompted to provide parameters for the package. If you select a package for Live Response, you can specify the collection configuration and destination configuration you want to use for Live Response file collection.
  5. Provide a unique name and description for the action.
  6. If you do not want to deploy the action immediately, specify a start to create a scheduled action. The time refers to the system clock on the Tanium Server, not on the endpoint. For example, if you specify the action to deploy at 1:00 am, it deploys when the Tanium Server system clock time is 1:00 am.
  7. Optionally specify an end time. This is important If you configure reissue intervals for the action, unless you are sure it is the type of action that you want to reissue indefinitely. If you are not sure, configuring the schedule to end in six months is better than running indefinitely.

  8. You can schedule the action to repeat at intervals. Specifying to reissue an action creates a scheduled action. Specifying a reissue interval is appropriate when:

    • Action approval is enabled and you are not certain it will be approved before the action expires.

    • You want to be sure software or configuration updates are made not only to the clients currently online but also to those currently offline that will be predictably online within a window that the reissue interval defines.

    • The action is a continual hygiene practice. For example, you want to check periodically that a client service is running or a client configuration has a particular value.

  9. Click Deploy. Confirm that you want to deploy the action.  Provide administrator credentials and click OK.

Initiate a Response Action from an alert

If you have a suspicious alert, you can initiate a response action to a single affected endpoint directly from the alert. Initiating Live Response, Quarantine, or Gather Snapshot deploys a response action. A response action, unlike a scheduled action, runs once during a provided time range and ensures that if an endpoint is not online when you deploy the action, it runs when the endpoint comes online. Once deployed, from the Threat Response Menu click Response Activity to view the status or stop a response action.

  1. From the Threat Response Menu, click Alerts. Select the alert for which you want to deploy an action.
  2. Click Response Actions > Live Response, Response Actions > Quarantine, Response Actions > Gather Snapshot, or Response Actions > Download File.

    When you download a file as a response action, the file is saved as saved evidence. From the Threat Response menu, click Saved Evidence > Files to access the files that you download.

  3. Provide parameters for the response action. For example, if you select the response action for Live Response, you can specify the collection configuration and destination configuration you want to use for Live Response file collection.
  4. Click Run. Confirm that you want to deploy the response action.  Provide administrator credentials and click OK.

Remediate alerts in Tanium Enforce

You can create a remediation policy in Tanium Enforce, and specify conditions to enforce that policy from an alert. For example, a remediation policy defines specific actions to perform for an alert, and an enforcement defines the endpoints and schedule for performing the actions defined in the policy. Policies such as deleting files, killing a process, and performing registry tasks are available to perform when an alert is generated. By default, the remediation only targets the endpoint that generated the alert. To create remediation policies from an alert, Tanium Enforce must be installed available in your Tanium environment. Additionally, to create remediation policies in Tanium Enforce, the Enforce Create Enforcement permission must be granted.

  1. From the Threat Response Menu, click Alerts. Select the alert that you want to remediate in Tanium Enforce.
  2. Select Actions > Remediate in Enforce.

    If an instance Tanium Enforce is not installed, this option is not available from the Actions menu.

  3. In the Policy Details section, provide a name and description for the policy.
  4. In the Tasks section, click Add Tasks to perform as part of the remediation. You can select multiple tasks to add. Each task that you add to the remediation policy requires additional data that is by default populated with the data from the alert. Available tasks are:

    Delete file

    Provide a path to a single file to delete. By default, this path is populated with the data from the alert. Select to continue or exit if an error occurs.

    Kill process

    Select to use the Name, Path, or Hash of the process. Paths support wildcard syntax such as *, !, and ?. Group syntax is also supported. Hashes support an optional maximum file size. Provide any additional command line arguments for a process. Command line arguments support regular expression syntax such as C:\^Win$\.* .

    Provide a timeout value in seconds. If the number of seconds you specify is exceeded without killing the specified process, the kill process task fails. You can additionally provide a number of attempts for the task before the task fails.

    Select to continue or exit if an error occurs.

    Edit Registry Data

    Select a hive in which to edit the registry data:

    HKEY_CLASSES_ROOT
    HKEY_LOCAL_MACHINE
    HKEY_CURRENT_CONFIG
    HKEY_USERS

    Additionally provide the path relative to the hive you select. For example, System\CurrentControlSet\Hardware Profiles\Current

    Select the type of the data to edit and provide new data to use to replace the value of the existing data.

    Select if you want to create the value using the data you provided if no value matching the alert is detected. Select to continue or exit if an error occurs.

    Update Registry Value

    Select a hive in which to update the registry data:

    HKEY_CLASSES_ROOT
    HKEY_LOCAL_MACHINE
    HKEY_CURRENT_CONFIG
    HKEY_USERS

    Additionally provide the path relative to the hive you select. For example, System\CurrentControlSet\Hardware Profiles\Current

    Select to edit the value with data that you provide, or to delete the current value. Select to continue or exit if an error occurs.

    Delete Registry Key

    Select a hive in which to delete the registry key:

    HKEY_CLASSES_ROOT
    HKEY_LOCAL_MACHINE
    HKEY_CURRENT_CONFIG
    HKEY_USERS

    Additionally provide the path relative to the hive you select. For example, System\CurrentControlSet\Hardware Profiles\Current

    Select to continue or exit if an error occurs.

  5. In the Enforcements section, click Add Enforcement. Select Computer Group to target the remediation to an entire computer group. Select Individual Computers to provide one or more endpoints for the remediation to target. Add the fully qualified host name of each endpoint you want the remediation to target. Comma delimit multiple endpoints. Provide a start and end time for when you want to perform the remediation. Select to distribute over time to balance resource use over a time duration that you specify. The duration of the Distribute over time setting must be at least 10 minutes shorter than the Issue time setting. Select if you want to repeat the action and how often.
  6. Click Remediate. The remediation is available in Tanium Enforce. From the Main menu, click Modules > Enforce > Policies > Remediations to view and edit the remediation in Tanium Enforce.

Export alerts

Export alerts to a CSV file.

  1. From the Threat Response Menu, click Alerts. Select the alerts that you want to export.

    Note: You can export up to 10,000 alerts.

  2. Click Actions > Export to CSV.
  3. Alert data is exported to a CSV file with the following data (if available) for each alert:
  • Date
  • Endpoint
  • Event Type
  • Hash
  • Hash Type
  • Intel Name
  • Intel Source
  • MITRE Technique(s)
  • Outbound Impact
  • On-Demand Scan ID
  • OS
  • Path
  • Platform
  • Status

The CSV file download is managed through the web browser. All exports are exported to the downloads directory of the web browser that initiated the export.

Delete alerts

You can delete alerts any time. If an alert is matched again later, the alert is generated again.

Suppress alerts

Create suppression rules to prevent the creation of an alert when an intel match occurs. Use suppression rules to reduce false positives for Signals that you cannot edit, such as those from the Tanium Signal Feed. You can also add suppression rules for custom Tanium Detection types, like Process Injection. Suppression rules are not intended for use as a substitution for properly crafted Signals; if you are suppressing alerts consistently due to a Signal not matching as intended, it is a good indication that the Signal should be revised to more accurately match. By thoughtfully analyzing alerts you can tune the Signals that generate them optimally. See Authoring Signals: Testing Signals for more information.

Suppressed alerts are removed from the database after seven days by default. You can edit the number of days to wait after an alert is suppressed before removing it from the database in Settings from the Threat Response overview page.

You can apply rules that suppress alerts that match Process Path, Process Command Line, Parent Command Line, Process Hash, Parent Process Path, Ancestry Path, Ancestry Command Line, and User.

All of the selected suppression fields are required to match before the alert is suppressed.

  1. From the Threat Response menu, go to Intel > Suppression Rules and click Add Rule.
  2. Select the type of suppression rule to create. All Signals rules apply to all Signals where a match occurs. An intel-specific rule only applies to matches to a specific intel document that you specify. Select All Signals or Intel-Specific. If you select Intel-Specific, select an available intel type.
  3. Provide a name and description for the suppression rule.
  4. Select the fields that you want to use for suppression rules. For process injection suppression rules, the suppression rules that you specify identify the artifact that is the actor process of process injection.:
    1. Process Path: The path in the file system to a specific process. For example, c:\windows\notepad.exe.
    2. Process Command Line: Additional parameters that were provided for a process. For example, if a process is wevtutil.exe, a possible process command line is: wevtutil cl Application.
    3. Parent Command Line: The full command line of the parent process.
    4. Parent Process Path: The path in the file system to a parent process. For example, c:\windows\system32\cmd.exe.
    5. Ancestry Command Line: Additional parameters that were provided for a parent process.
    6. Ancestry Path: The path in the file system to a process more remote than a parent process.
    7. Process MD5/SHA1/SHA256: A specific MD5, SHA1, or SHA256 hash value that corresponds to a process.
    8. User: A specific user on the system that is associated with a process.

    If a Signal has generated an alert, you can click the Suppress Alert link from an alert page to preview the expected values for each of the fields.

  5. Specify how you want to compare the field to the alert. You can choose to suppress an alert if a field is a direct match, contains a value, or matches a pattern specified by a regular expression.
    1. Select Is to suppress an alert when a direct match occurs. For example, a specific hash value or user name matches.
    2. Select Contains to suppress an alert when a subset of the alert criteria matches. For example, a path that contains "Windows".
    3. Select Matches to suppress an alert when a pattern matches the criteria. A regular expression needs to match the whole string. If you want to match Win and Windows, the regular expression needs to be .*Win.*. By default, regular expressions in suppression rules are case insensitive. Use of ^ and $ and flags are not supported.
  6. Select Retroactive to run the suppression rule against all existing alerts that have not been resolved. If unselected, the rule does not apply to existing unresolved alerts, but applies to future Signal matches.
  7. Click Preview to view a list of existing unresolved alerts that match the criteria you specify in the suppression rule. Threat Response evaluates 1000 alerts at a time until all applicable alerts have been evaluated, or until 10,000 alerts have been evaluated. Click Save. Preview is not available for process injection suppression rules.

Suppress an alert

You can create a suppression rule directly from an alert. From the Threat Response menu, click Alerts. Select an alert and click Actions > Suppress. The suppression rule page appears and features all of the values that are required to suppress the alert. Provide a name and description for the suppression rule and select Retroactive if you want to apply the suppression rule against all existing alerts that have not been resolved. Click Save.

Edit and delete suppression rules

You can edit or delete existing suppression rules. From the Threat Response menu, click Intel > Suppression Rules. Select a suppression rule that you want to edit. Click Actions > Edit.

To delete a suppression rule, select the suppression rules that you want to delete. Click Actions > Delete.

View the status of a retroactive task

If you edit a suppression rule and select Retroactive to run the suppression rule against all existing alerts that have not been resolved, you can view the status of how that rule is retroactively applied. From the Threat Response menu, click Intel > Suppression Rules. Click Retroactive Tasks. View the status column to see if the retroactive task is Not Started, Incomplete, Completed, or has resulted in an error.

Import and export suppression rules

Import and export suppression rules to move them from one platform to another. For example, you can export All Signals suppression rules from a test system and import them to a production system. All Signals type suppression rules are imported and exported as JSON files and have a file size limit of 1 MB.

Export suppression rules

  1. From the Threat Response menu, click Intel > Suppression Rules.
  2. Select the suppression rules that you want to export. Click Actions > Export. If you select suppression rules that are specific to a signal, they are omitted from the export.
  3. A JSON file is created for the export. Provide a name for the JSON file and click Export.

Import suppression rules

  1. From the Threat Response menu, click Intel > Suppression Rules. Click Import and browse to a JSON file that you want to import. Click OK.
  2. Review the suppression rules to be imported. Click OK. You can Skip a suppression that is conflicting with one that already has the same name or Import and Rename to apply a suffix of Duplicate <time stamp> to the suppression. For example, if a suppression is named test and you select Import and Rename, the resulting imported rule would be named test Duplicate <time stamp>.
  3. From the summary window that displays the suppression rules that have been imported, click Finish.
  4. Refresh the list of suppression rules to view the suppression rules that have been imported.

Manage the impact of lateral movement with Tanium Impact

If you installed Tanium Impact, and are assigned the Impact Asset Items Read and Impact Asset Details Read permissions, an Outbound Impact column appears in the alerts results grid. The value in the Outbound Impact column quantifies the number of user accounts and endpoints that can be reached from the corresponding Windows endpoint. Click the alert to view the alert details. In the Impact Details section of the alert details you can view data to better understand the lateral impact the endpoint has in an environment should it become compromised to help prioritize alert remediation.

Click Explore in Impact to view more detailed information about how the Windows endpoint fits into a larger topology. For more information, see Contact Tanium Support.

Set up Tanium Connect forwarding

Threat Response sends event information to Tanium Connect by default. To save this event information, you must configure Connect for the events to be passed to a destination. If you do not configure a destination, the events are dropped.

You can configure a Connect forwarding connection at any time. If you configure the connection during the installation process, all history is captured.

  1. From Connect, create a new connection with Event as the source and Tanium Threat Response as the event group.
  2. Select the Threat Response events that you want preserved.
    • Match Alerts Raw sends alert details in JSON format. Match alerts are generated when intel deployed in a profile matches an event on an endpoint.
    • Match Alerts sends alert details as strings. Strings can be encoded in Base64 if the Base64 encode events sent to Connect setting is enabled. Match alerts are generated when intel deployed in a profile matches an event on an endpoint.
    • All Events includes scan matches. When you select All Events, audit events and deleted alerts are not sent to the destination as part of the All Events information. Audit events and deleted alerts are included in the Tanium Audit Report. For more information, see Export audit data.

      In Threat Response 4.0, All Events is effectively the same as Match Events; it does not send messages and notifications. Messages and notifications have been converted to audit messages in Threat Response 4.0 and are sent with the Audit source. If you have configured All Events enable the Audit Report type in Connect to continue receiving the same messages you expect.

      .

    If you want to Base64 encode event details that are sent to Connect, from the Threat Response overview page, click Settings , click Service > Misc, and enable Base64 encode events sent to Connect. For Match Alerts andAll Events, enabling this setting encodes the details field of the sent data. The following table details the type of data for the details field of event details when this setting is enabled or disabled.

    Setting state on Threat Response versionMatch Alerts RawMatch AlertsAll Events
    Enabled on Threat Response version 3.10JSONB64B64
    Disabled on Threat Response version 3.10JSONSTRINGSTRING
    Enabled on Threat Response version 4.0 and laterJSONB64B64
    Disabled on Threat Response version 4.0 and laterJSONSTRINGSTRING
  3. Configure the destination; such as a SIEM service or Write to File.

    4. When configuring reputation intel for Threat Response, you do not need to configure Tanium Connect as Threat Response inserts data into the reputation database.

    For more information see the Tanium Connect User Guide.