Release Notes Incident Response (Version 3.2.0)

From Tanium Knowledge Base

Tanium Incident Response 3.2.0

Incident Response Official Version 3.2.0.0020

Release Date November 23, 2016

Minor Enhancements

  • Moved Processes Using Module sensor from Initial Content to Incident Response
  • Updated Processes Using Module sensor to use ListDlls


Incident Response Official Version 3.2.0.0016

Release Date October 20, 2016

Minor Enhancements

  • Updated Windows Event Log sensors to verify CPUs and Event Log size before running WMI query to prevent endpoint impact


IR Gatherer Official Version 3.2.0.0006

Release Date October 6, 2016

Bug Fixes

  • Removed reference to deprecated content which caused issues on solution import


Incident Response Official Version 3.2.0.0014

IR Gatherer Official Version 3.2.0.0004

Release Date September 15, 2016

Features

  • Process Execution
Linux and OS X sensors that spawn external processes were updated to use a new utility for safe process execution. The utility, TaniumExecWrapper, ensures all processes are spawned and killed safely and within a given timeout period.

New Sensors

  • RDP Client History
Retrieves the list of previously-accessed servers and, where available, usernames used to authenticate, from RDP / Terminal Services client history.
  • PowerForensics MBR Signature
Retrieves the operating system and master boot record code section MD5 hash by utilizing the PowerForensics framework.
  • PowerForensics Prefetch
Identifies prefetch entries for previously executed applications with a path or name matching a user-supplied input value.
  • PowerForensics Recently Opened Office Files by User
Collects recently opened Office files by user and (optionally) by location, utilizing the PowerForensics framework.
  • PowerForensics UserAssist Search
Identifies recently executed applications tracked in UserAssist by a specific user.
  • Tanium Tool Hash Check
Returns the name and hash of executable files within the Tanium directory.

IR Gatherer Improvements

  • Added safety checks for applications known to cause issues when enumerating file handles
  • Replaced usage of "find.exe"
  • Deprecated AD logons collection in Gatherer

Minor Enhancements and Bug Fixes

  • Fixed Running Process with MD5 Hash so the sensor runs as expected on some AIX and OS X versions
  • Fixed column formatting issue in MD5 Hash of File
  • Fixed condition in MD5 Hash Single File Match for Linux where the sensor did not return the expected result
  • Fixed error in File Handle Details for Windows where an asterisk search could result in an unhandled exception
  • Fixed error Alternate Data Streams Response Job Results for Windows so sensor
  • Fixed a timing issue in Running Processes of Users which could result in an unhandled exception
  • Fixed an array reference bug in the Autoruns by Category sensor
  • Added support for legacy tools that already exist on an endpoint to support legacy operating systems
  • Updated Has IR Tools sensor for Linux and OS X to check tools version
  • Updated Linux and OS X IR Tools Distribution package with new version tag

Known Issues and Workarounds

  • No additional information to communicate at this time

New Binaries

  • TaniumExecWrapper (OS X) - (sha256) 5408718e717c137c472875c0643576401ff1729ddb7a3b686aaaf9b30f78830d
  • TaniumExecWrapper_Linux32 (Linux) - (sha256) 942acdaa68adaf6de40a33b42168182579d70638df8b6462ff4b523f773c364f
  • TaniumExecWrapper_Linux64 (Linux) - (sha256) 22191c8aec65504b06ddc582d05fbdd5719743eb9225abe639bfbea2b08be3a1

Deprecated Content

  • shimcacheparser.exe - (sha256) 6db88d8dd2a55d5a2ace8a6513628423a5f4dd99c115105cc9f0011eaab59e72
  • Shim Cache Parser (sensor) - Has been replaced by “PowerForensics ShimCache”
  • Mutexes (sensor) - Note that parameterized sensors “Mutex Details” and “Mutex Handles of Process” have not been removed
  • Semaphores (sensor)

Notes for future releases

  • In a future release we plan to deprecate the following content: Loaded Modules Matching Exploit List, Search Single File For Hex Pattern, Search Single File For String Pattern. Sensor functionality has been replaced by both Index and IOC Detect.

Additional Information