
Release Notes Incident Response (Version 4.0.0)

From Tanium Knowledge Base

Thank you for choosing Tanium. These notes are intended to document changes between releases of the Tanium Incident Response module.

Tanium Incident Response 4.0.0

Release Date: August 29, 2017

Incident Response Official Version 4.0.0.0009

Features

New Packages
Kill Processes with MD5 Hash (Mac/Linux)
A package for killing processes matching the given MD5 hash for Mac and Linux operating systems.


New Sensors
Command Line with Hash Match
A parameterized sensor with a dropdown selector for hashing algorithm (e.g. MD5, SHA1, or SHA256) and a text box that takes a hash. The sensor returns the process, module and command line arguments for any process that matches the given hash.
Driver Details with Hash
A parameterized sensor with a dropdown selector for hashing algorithm (e.g. MD5, SHA1, or SHA256) that returns driver display names, state (stopped or running), driver file path, driver version and the driver's hash.
Established Connections with Hash
A parameterized sensor with a dropdown selector for hashing algorithm (e.g. MD5, SHA1, or SHA256) that returns process, hash, process friendly name and target IP address for established network connections.
Listen Ports with Hash
A parameterized sensor with a dropdown selector for hashing algorithm (e.g. MD5, SHA1, or SHA256) that returns process, hash, process friendly name, protocol, IP address and port for each listening process.
Loaded Modules with Hash
A parameterized sensor with a dropdown selector for hashing algorithm (e.g. MD5, SHA1, or SHA256) that returns the path to processes and DLLs and the corresponding hash.
Non-Approved Established Connections with Hash
A parameterized sensor with a dropdown selector for hashing algorithm (e.g. MD5, SHA1, or SHA256) that returns process, hash, process friendly name, target IP address and port number for established connections not matching those in an optionally deployed .dat file of approved established connections.
Running Processes with Hash
A parameterized sensor with a dropdown selector for hashing algorithm (e.g. MD5, SHA1, or SHA256) that returns the process path and corresponding hash.
Service Status with Hash
A parameterized sensor with a dropdown selector for hashing algorithm (e.g. MD5, SHA1, or SHA256) that returns the service short name, service long name, status (running or stopped), service account, command line and hash for each service.


Minor Enhancements and Bug Fixes

Has Scheduled Task sensor
A sensor description was added.
Non-Approved Established Connections sensors
Support for CIDR notation was added.
Multiple sensors
Limits were added to the number of rows that each host may return.


New Known Issues and Workarounds

No new issues

New Binaries

No new binaries in this release

Deprecated Content

The following sensors were removed:

Search for Hex Pattern
Search for String Pattern
Running Processes with Yara Match
Installed Yara Rules
Alternate Data Streams Job Results

The following package was removed:

Incident Response - Create Alternate Streams Report

Notes for future releases

  • For continued Yara support - inclusive of simple Yara rules to perform hex or string pattern matching - Tanium Threat Response customers should use Detect.
  • For Alternate Data Stream use cases, Tanium Threat Response customers should be aware that the Trace endpoint recorder captures ADS process and file operations using the standard convention filename:ADSname.
  • For sensors that currently only support MD5 and SHA1 hashing algorithms, new equivalent parameterized sensors will be added that support SHA256.
  • Customers with workflows or saved questions that utilize the "standalone" MD5 or SHA1 hashing sensors, such as Running Processes with MD5 Hash, should replace them with the new parameterized sensors that support multiple hash types. Tanium will remove the older sensors in a future release, with advance notice to be provided in release notes for preceding releases.
  • TaniumExecWrapper will be updated to the latest version for improved performance.
  • TaniumFileInfo will be updated to the latest version with improved support for i18n.

Additional Information