Release Notes Incident Response (Python) (Version 0.0.1)
Thank you for choosing Tanium. These notes are intended to document changes between releases of the Tanium Incident Response (Python) module.
Tanium Incident Response (Python)
Release Date: May 22, 2018
Incident Response (Python) Official Version 0.0.1.0462
Overview
Incident Response (Python) (version 0.0.1.0462), offered in limited availability, represents the first release of an effort to convert the Incident Response solution to Python. Though only a subset of the content has been rewritten in Python, the Incident Response (Python) solution will otherwise provide all of the sensors, packages, and scheduled actions provided by the Incident Response solution.
Those interested in installing the Incident Response (Python) solution should contact their Technical Account Manager for details.
Important Installation Notes
- Installing the Incident Response (Python) solution will break sensors and packages developed using the APIs provided by the Tanium Python For Endpoints labs solution.
- Incident Response (Python) is meant to replace the Incident Response solution. Installing either solution will replace the content provided by the other.
- Customers who want to use the Autoruns-related content must download Autoruns.zip from https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns and then upload/install it when prompted during the import of the Incident Response solution.
Sensors Converted to Python
The following sensors have all been reimplemented using Python for macOS, Windows, and Linux platforms. Solaris and AIX implementations remain in their non-Python form.
- Command Line of Process
- MD5 Hash Match Files Executing
- SHA1 Hash Match Files Executing
- Running Process with Hash
- Running Process with MD5 Hash
- Running Process with SHA1 Hash
- Established Connections with Hash
- Established Connections with MD5 Hash
- Established Connections with SHA1 Hash
- Non-Approved Established Connections with Hash
- Non-Approved Established Connections with MD5 Hash
- Non-Approved Established Connections with SHA1 Hash
Removed Content
Several sensors, packages, and scheduled actions have been removed, either because they were superseded or because they were previously announced as deprecated.
- Sensors (the sensors listed below still appear in the Tanium console but have been made non-functional)
  - deprecated: Has Incident Response Tools
  - deprecated: Historical RDP Sessions
  - deprecated: Incident Response Job Results
- Packages
  - superseded: Distribute Incident Response Tools
  - superseded: Distribute IR Tools (Linux)
  - superseded: Distribute IR Tools (Mac)
  - deprecated: Incident Response - Copy IR Results to Central Location
  - deprecated: Incident Response - Search for Files
  - deprecated: Incident Response - Search for Recently Created Files
  - deprecated: Incident Response - Search for Recently Modified Files
  - deprecated: IncidentResponse-non-windows
- Scheduled Actions
  - deprecated: Incident Response - Remove Old Incident Response ID Files
  - superseded: Distribute Incident Response Tools
  - superseded: Distribute IR Tools (Linux)
  - superseded: Distribute IR Tools (Mac)
Known Issues
- Installing the Incident Response (Python) solution will break sensors and packages developed using the APIs provided by the Tanium Python For Endpoints labs solution.