Release Notes Incident Response (Version 4.0.0)
Thank you for choosing Tanium. These notes are intended to document changes between releases of the Tanium Incident Response module.
Tanium Incident Response 4.0.0
Release Date August 29, 2017
Incident Response Official Version 4.0.0.0009
Features
- New Packages
  - Kill Processes with MD5 Hash (Mac/Linux)
    - A package for killing processes matching the given MD5 hash for Mac and Linux operating systems.
- New Sensors
  - Command Line with Hash Match
    - A parameterized sensor with a dropdown selectable hashing algorithm (e.g. MD5, SHA1, or SHA256) and a textbox that takes a hash. The sensor returns a process, module and command line arguments for any process that matches the given hash.
  - Driver Details with Hash
    - A parameterized sensor with a dropdown selector for hashing algorithm (e.g. MD5, SHA1, or SHA256) that returns driver display names, state (stopped or running), driver file path, driver version and the driver's hash.
  - Established Connections with Hash
    - A parameterized sensor with a dropdown selector for hashing algorithm (e.g. MD5, SHA1, or SHA256) that returns process, hash, process friendly name and target IP address for established network connections.
  - Listen Ports with Hash
    - A parameterized sensor with a dropdown selector for hashing algorithm (e.g. MD5, SHA1, or SHA256) that returns process, hash, process friendly name, protocol, IP address and port for each listening process.
  - Loaded Modules with Hash
    - A parameterized sensor with a dropdown selector for hashing algorithm (e.g. MD5, SHA1, or SHA256) that returns the path to processes and DLLs and the corresponding hash.
  - Non-Approved Established Connections with Hash
    - A parameterized sensor with a dropdown selector for hashing algorithm (e.g. MD5, SHA1, or SHA256) that returns process, hash, process friendly name, target IP address and port number for established connections not matching those in an optionally deployed .dat file of approved established connections.
  - Running Processes with Hash
    - A parameterized sensor with a dropdown selector for hashing algorithm (e.g. MD5, SHA1, or SHA256) that returns the process path and corresponding hash.
  - Service Status with Hash
    - A parameterized sensor with a dropdown selector for hashing algorithm (e.g. MD5, SHA1, or SHA256) that returns the service short name, service long name, status (running or stopped), service account, command line and hash for each service.
Minor Enhancements and Bug Fixes
- Has Scheduled Task sensor
  - A sensor description was added.
- Non-Approved Established Connections sensors
  - Support for CIDR notation was added.
- Multiple sensors
  - Limits were added to the number of rows that each host may return.
New Known Issues and Workarounds
- No new issues
New Binaries
- No new binaries in this release
Deprecated Content
The following sensors were removed:
- Search for Hex Pattern
- Search for String Pattern
- Running Processes with Yara Match
- Installed Yara Rules
- Alternate Data Streams Job Results
The following package was removed:
- Incident Response - Create Alternate Streams Report
Notes for future releases
- For continued Yara support - inclusive of simple Yara rules to perform hex or string pattern matching - Tanium Threat Response customers should use Detect.
- For Alternate Data Stream use-cases, Tanium Threat Response customers should be aware that the Trace endpoint recorder captures ADS process and file operations using the standard convention filename:ADSname
- For sensors that currently only support MD5 and SHA1 hashing algorithms, new equivalent parameterized sensors will be added that support SHA256.
- Customers with workflows or saved questions that utilize the "standalone" MD5 or SHA1 hashing sensors, such as Running Processes with MD5 Hash, should replace them with the new parameterized sensors that support multiple hash types. Tanium will remove the older sensors in a future release, with advance notice to be provided in release notes for preceding releases.
- TaniumExecWrapper will be updated to the latest version for improved performance.
- TaniumFileInfo will be updated to the latest version with improved support for i18n.