IMPORTANT: This site is planned to be decommissioned in 2026. Visit the Tanium Resource Center for all Tanium release notes, user guides, and support information. To view release notes in the Resource Center, see Tanium Release Notes.
IMPORTANT: If you are using semi-annual releases for on premises, see the Release notes for 2024H1 semiannual release, Release notes for 2024H2 semiannual release, or Release notes for 2025H1 semiannual release on the Tanium Resource Center.
Effective October 15, 2024: On prem release notes on the Tanium Knowledge Base are frozen. For release notes related to 7.4 or 7.5 Server and Solutions, see the Monthly updates for Tanium Version 7.4 and 7.5 Server and Solutions on the Tanium Resource Center.
Release Notes Incident Response (Version 3.2.0)
Tanium Incident Response 3.2.0
Incident Response Official Version 3.2.0.0020
Release Date November 23, 2016
Minor Enhancements
- Moved Processes Using Module sensor from Initial Content to Incident Response
- Updated Processes Using Module sensor to use ListDlls
Incident Response Official Version 3.2.0.0016
Release Date October 20, 2016
Minor Enhancements
- Updated Windows Event Log sensors to verify CPUs and Event Log size before running WMI query to prevent endpoint impact
IR Gatherer Official Version 3.2.0.0006
Release Date October 6, 2016
Bug Fixes
- Removed reference to deprecated content which caused issues on solution import
Incident Response Official Version 3.2.0.0014
IR Gatherer Official Version 3.2.0.0004
Release Date September 15, 2016
Features
- Process Execution
- Linux and OS X sensors that spawn external processes were updated to use a new utility for safe process execution. The utility, TaniumExecWrapper, ensures all processes are spawned and killed safely and within a given timeout period.
New Sensors
- RDP Client History
- Retrieves the list of previously-accessed servers and, where available, usernames used to authenticate, from RDP / Terminal Services client history.
- PowerForensics MBR Signature
- Retrieves the operating system and master boot record code section MD5 hash by utilizing the PowerForensics framework.
- PowerForensics Prefetch
- Identifies prefetch entries for previously executed applications with a path or name matching a user-supplied input value.
- PowerForensics Recently Opened Office Files by User
- Collects Recently Opened OfficeFiles by User and (optionally) by location utilizing the PowerForensics framework.
- PowerForensics UserAssist Search
- Identifies recently executed applications tracked in UserAssist by a specific user.
- Tanium Tool Hash Check
- Returns the name and hash of executable files within the Tanium directory.
IR Gatherer Improvements
- Added safety checks for applications known to cause issues when enumerating file handles
- Replaced usage of "find.exe"
- Deprecated AD logons collection in Gatherer
Minor Enhancements and Bug Fixes
- Fixed Running Process with MD5 Hash so sensors runs as expected on some AIX and OS X versions
- Fixed column formatting issue in MD5 Hash of File
- Fixed condition in MD5 Hash Single File Match for Linux where the sensor did not return the expected result
- Fixed error in File Handle Details for Windows where an asterisk search could result in an unhandled exception
- Fixed error Alternate Data Streams Response Job Results for Windows so sensor
- Fixed a timing issue in Running Processes of Users which could result in an unhandled exception
- Fixed an array reference bug in the Autoruns by Category sensor
- Added support for legacy tools that already exist on an endpoint to support legacy operating systems
- Updated Has IR Tools sensor for Linux and OS X to check tools version
- Updated Linux and OS X IR Tools Distribution package with new version tag
Known Issues and Workarounds
- No additional information to communicate at this time
New Binaries
- TaniumExecWrapper (OS X) - (sha256) 5408718e717c137c472875c0643576401ff1729ddb7a3b686aaaf9b30f78830d
- TaniumExecWrapper_Linux32 (Linux) - (sha256) 942acdaa68adaf6de40a33b42168182579d70638df8b6462ff4b523f773c364f
- TaniumExecWrapper_Linux64 (Linux) - (sha256) 22191c8aec65504b06ddc582d05fbdd5719743eb9225abe639bfbea2b08be3a1
Deprecated Content
- shimcacheparser.exe - (sha256) 6db88d8dd2a55d5a2ace8a6513628423a5f4dd99c115105cc9f0011eaab59e72
- Shim Cache Parser (sensor) - Has been replaced by “PowerForensics ShimCache”
- Mutexes (sensor) - Note that parameterized sensors “Mutex Details” and “Mutex Handles of Process” have not been removed
- Semaphores (sensor)
Notes for future releases
- In a future release we plan to deprecate the following content: Loaded Modules Matching Exploit List, Search Single File For Hex Pattern, Search Single File For String Pattern. Sensor functionality has been replaced by both Index and IOC Detect.