Succeeding with Threat Response
Follow these best practices to achieve maximum value and success with Tanium Threat Response. These steps align with the key benchmark metrics: increasing the Threat Response coverage across endpoints and reducing the mean times to investigate and remediate threats.
Step 1: Gain organizational effectiveness
Complete the key organizational governance steps to maximize Threat Response value. For more information about each task, see Gaining organizational effectiveness.
Develop a dedicated change management process.
Define distinct roles and responsibilities in a RACI chart.
Validate cross-functional organizational alignment.
Track operational metrics.
Step 2: Install Tanium modules
Install Tanium Threat Response. See Installing Threat Response.
Install Tanium Trends. See Tanium Trends User Guide: Installing Trends.
Install Tanium Reputation. See Tanium Reputation User Guide: Installing Reputation.
Install Tanium Enforce. See Tanium Enforce User Guide: Installing Enforce.
Install Tanium Connect. See Tanium Connect User Guide: Installing Connect.
Install Tanium Direct Connect. See Tanium Direct Connect User Guide: Installing Direct Connect.
Install Tanium Impact. See Tanium Impact User Guide: Installing Impact.
Install Tanium Client Management, which provides Tanium Endpoint Configuration. See Tanium Client Management User Guide: Installing Client Management.
Step 3: Configure Threat Response
Create computer groups for use in Threat Response profiles. See Tanium Console User Guide: Create a computer group.
Import Threat Response with custom settings.
Modify module configurations to suit deployment schedules and requirements. See Creating configurations.
Configure Threat Intelligence sources. See Adding intel.
Import Intel documents. See Create intel documents.
Label Intel documents for inclusion in Threat Response configurations. See Label intel.
Create Intel configurations. See Creating configurations.
Configure filters and exclusions. See Create indexing exclusions.
Create Engine configurations. See Creating configurations.
Create Recorder configurations. See Create recorder configurations.
Create Index configurations. See Create index configurations.
Create Stream configurations. See Create stream configurations.
Create profiles. See Creating profiles.
Step 4: Deploy profiles
Threat Response Tools and intel deploy automatically on a schedule when you deploy profiles to endpoints. See Deploy a profile.
Step 5: Configure Live Response
Create Live Response destinations. See Collecting data from endpoints with Live Response.
Create Live Response collections. See Collecting files from endpoints: Collections.
Generate Live Response packages. See Collecting files from endpoints: Collect data from endpoints.
Step 6: Configure Direct Connect for live connections
Connect to live endpoints. See Connecting to live endpoints and exploring data.
Browse the file system on endpoints. See Browse the file system on connected endpoints.
Collect snapshots and download saved evidence. See Manage snapshots.
Step 7: Configure Connect for reputation questions
Configure reputation data in Connect. See Set up the reputation service.
Step 8: Monitor Threat Response metrics
Review recorded data for tuning and performance improvements. For more information, see Create filters.
Step 9: Review operational metrics from alerts and intel and tune settings as required
Modify signals for performance. See Testing Signals.
Create suppression rules to minimize false positives. See Suppress alerts.
Step 10: Review Trends metrics
From the Trends menu, click Boards and then click Threat Response to view the Threat Response - Alerts and Threat Response - Deployment boards.
The remaining steps are cyclical: the advised actions are either hunting for indicators of compromise or responding to existing events.
Step 11: Use the Enterprise Hunting dashboard or Interact questions to perform searches through the environment
Identify outliers or events of interest. See Searching across the enterprise.
Use live connections or Live Response to gather evidence and verify suspicious activity and possible interaction with other systems. See Connecting to live endpoints and exploring data and Collecting data from endpoints.
Remediate endpoints either to resolve issues entirely or to preserve data for further investigation. See Remediate alerts in Tanium Enforce and Initiate a Response Action from an alert.
Review findings from threat hunting exercises.
Step 12: Review generated alerts from deployed intelligence
Confirm the validity of an alert.
Use live connections or Live Response to gather evidence and verify suspicious activity and possible interaction with other systems. See Connecting to live endpoints and exploring data and Collecting data from endpoints.
Remediate endpoints either to resolve issues entirely or to preserve data for further investigation. See Remediate alerts in Tanium Enforce and Initiate a Response Action from an alert.
Review findings from alert-based investigation. Modify existing intel to increase detection fidelity, codify findings into new intelligence to allow ongoing automated detections, generate saved questions to enable future searches, and configure Connect to output relevant data to SIEM for ongoing analysis.
Step 1: Gain organizational effectiveness
Complete the key organizational governance steps to maximize Threat Response value. For more information about each task, see Gaining organizational effectiveness.
Develop a dedicated change management process.
Define distinct roles and responsibilities in a RACI chart.
Validate cross-functional organizational alignment.
Track operational metrics.
Step 2: Configure Threat Response
Create computer groups for use in Threat Response profiles. See Tanium Console User Guide: Create a computer group.
Import Threat Response with custom settings.
Modify module configurations to suit deployment schedules and requirements. See Creating configurations.
Configure Threat Intelligence sources. See Adding intel.
Import Intel documents. See Create intel documents.
Label Intel documents for inclusion in Threat Response configurations. See Label intel.
Create Detection configurations. See Create detection configurations.
Configure filters and exclusions. See Create indexing exclusions.
Create Recorder configurations. See Create recorder configurations.
Create Stream configurations. See Create stream configurations.
Create Index configurations. See Create index configurations.
Create profiles. See Creating profiles.
Step 3: Deploy profiles
Threat Response Tools and intel deploy automatically on a schedule when you deploy profiles to endpoints. See Deploy a profile.
Step 4: Configure Live Response
Create Live Response destinations. See Collecting data from endpoints with Live Response.
Create Live Response collections. See Collecting files from endpoints: Collections.
Generate Live Response packages. See Collecting files from endpoints: Collect data from endpoints.
Step 5: Configure Direct Connect for live connections
Connect to live endpoints. See Connecting to live endpoints and exploring data.
Browse the file system on endpoints. See Browse the file system on connected endpoints.
Collect snapshots and download saved evidence. See Manage snapshots.
Step 6: Configure Connect for reputation questions
Configure reputation data in Connect. See Set up the reputation service.
Step 7: Monitor Threat Response metrics
Review recorded data for tuning and performance improvements. For more information, see Create filters.
Step 8: Review operational metrics from alerts and intel and tune settings as required
Modify signals for performance. See Testing Signals.
Create suppression rules to minimize false positives. See Suppress alerts.
Step 9: Review Trends metrics
From the Trends menu, click Boards and then click Threat Response to view the Threat Response - Alerts and Threat Response - Deployment boards.
The remaining steps are cyclical: the advised actions are either hunting for indicators of compromise or responding to existing events.
Step 10: Use the Enterprise Hunting dashboard or Interact questions to perform searches through the environment
Identify outliers or events of interest. See Searching across the enterprise.
Use live connections or Live Response to gather evidence and verify suspicious activity and possible interaction with other systems. See Connecting to live endpoints and exploring data and Collecting data from endpoints.
Remediate endpoints either to resolve issues entirely or to preserve data for further investigation. See Remediate alerts in Tanium Enforce and Initiate a Response Action from an alert.
Review findings from threat hunting exercises.
Step 11: Review generated alerts from deployed intelligence
Confirm the validity of an alert.
Use live connections or Live Response to gather evidence and verify suspicious activity and possible interaction with other systems. See Connecting to live endpoints and exploring data and Collecting data from endpoints.
Remediate endpoints either to resolve issues entirely or to preserve data for further investigation. See Remediate alerts in Tanium Enforce and Initiate a Response Action from an alert.
Review findings from alert-based investigation. Modify existing intel to increase detection fidelity, codify findings into new intelligence to allow ongoing automated detections, generate saved questions to enable future searches, and configure Connect to output relevant data to SIEM for ongoing analysis.
Last updated: 6/1/2023 1:36 PM