Release Notes Threat Response (Version 1.4)
Threat Response 1.4.2.0003
Release Date: 10/01/2019
The new Tanium Threat Response module combines the functionality of Tanium Detect and Tanium Trace with the content of Tanium Index and Tanium Incident Response.
Migration from existing installations of these modules is possible in the Threat Response module.
The migration process includes significant changes to the content and distribution of tools and configurations that are sent to connected endpoints.
Tanium strongly recommends contacting your Technical Account Manager prior to performing the migration.
RedHat Enterprise Linux 8 is not supported by Threat Response 1.4.2.
macOS 10.10 (and earlier) is not supported by Threat Response 1.4.2.
Fixes
- Fixed an issue to ensure the enablement of the recorder when pushing Threat Response profiles to endpoints
- Fixed an issue that caused process ancestry to be missing from long-running parent processes
- Fixed an issue to ensure proper migration of Detect configurations for deleted computer groups
Threat Response 1.4.1.0021
Release Date: 09/17/2019
The new Tanium Threat Response module combines the functionality of Tanium Detect and Tanium Trace with the content of Tanium Index and Tanium Incident Response.
Migration from existing installations of these modules is possible in the Threat Response module.
The migration process includes significant changes to the content and distribution of tools and configurations that are sent to connected endpoints.
Tanium strongly recommends contacting your Technical Account Manager prior to performing the migration.
RedHat Enterprise Linux 8 is not supported by Threat Response 1.4.1.
macOS 10.10 (and earlier) is not supported by Threat Response 1.4.1.
Changes
- Removed interactivity in API documentation
- Includes Sysmon 10.4 and 10.41 support
- Profile revision numbers are included on the profile summary page
- Includes Index 2.4.5.0009
Fixes
- Fixed max depth settings for Live Response File Collectors
- Fixed issue with temporary intel databases not being cleaned up when deploying intel
- Fixed handling of escaped characters in signals
- Fixed bug with response action expiration
- Fixed handling of proxy settings on TS 7.3
- Fixed OpenIOC 1.1 definition view in workbench
Recorder Fixes
- Fixed handling of the 'contains not' condition so that it is correctly respected
- Fixed handling of double byte hostnames
Security
- This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.
Threat Response 1.4.0.0096
Release Date: 08/06/2019
The new Tanium Threat Response module combines the functionality of Tanium Detect and Tanium Trace with the content of Tanium Index and Tanium Incident Response.
Migration from existing installations of these modules is possible in the Threat Response module.
The migration process includes significant changes to the content and distribution of tools and configurations that are sent to connected endpoints.
Tanium strongly recommends contacting your Technical Account Manager prior to performing the migration.
RedHat Enterprise Linux 8 is not supported by Threat Response 1.4.
macOS 10.10 (and earlier) is not supported by Threat Response 1.4.
Enhancements
- Import and export Signals to move them from one platform to another. For example, you can export Signals from a test system and import them to a production system. Signals are imported and exported as JSON files and have a file size limit of 1 MB.
- Import and export global suppression rules to move them from one platform to another. For example, you can export global suppression rules from a test system and import them to a production system. Global suppression rules are imported and exported as JSON files and have a file size limit of 1 MB.
- Signals can have one or more associated MITRE technique IDs. Technique IDs can categorize Signals to better align with the MITRE Attack Framework and help map coverage to the different tactics and techniques.
- Initiate Live Response or Quarantine to a single affected endpoint directly from an alert. Initiating Live Response or Quarantine deploys a response action. A response action, unlike a scheduled action, runs once during a provided time range and ensures that if an endpoint is not online when you deploy the action, it runs when the endpoint comes online.
- Default configurations are provided for engine, index, and recorder configurations as well as filters and exclusions. You cannot edit default configurations, but can copy them to use as a template for creating custom configurations.
- Threat Response Audit logs now include specific actions for live file browsing.
- Sysmon v10 support.
Known Issues
- Exporting Signals that include MITRE technique IDs and importing them into an environment where the same Signals exist without associated MITRE technique IDs results in a new Signal with the same content plus the MITRE technique ID information. The result is that two Signals exist: one with MITRE technique information, and one without.
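A pre-import check for the Signals export/import feature listed under Enhancements and the duplicate-Signal issue above, enforcing the stated 1 MB file limit and flagging exported Signals that would land as a second copy. This is an added example, not part of the release notes or Tanium's tooling; the JSON field names and the sample Signals are assumptions constructed for the example.

```python
# Added example, not Tanium's code: the release notes say Signals export as
# JSON with a 1 MB limit and may carry MITRE technique IDs, but give no
# schema. The field names "name", "contents" and "mitre_technique_ids" are
# assumptions constructed for this example.
import json
import re

MAX_EXPORT_BYTES = 1024 * 1024                     # 1 MB limit from the notes
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")   # T1059 or sub-technique T1059.001

# Constructed sample: Signals already on the production system (no technique IDs)
EXISTING_SIGNALS = [
    {"name": "Encoded PowerShell", "contents": "process.command_line contains '-enc'",
     "mitre_technique_ids": []},
]

# Constructed sample: export from a test system where technique IDs were added
EXPORT_JSON = json.dumps([
    {"name": "Encoded PowerShell", "contents": "process.command_line contains '-enc'",
     "mitre_technique_ids": ["T1059.001"]},
    {"name": "Certutil Download", "contents": "process.path contains 'certutil.exe'",
     "mitre_technique_ids": ["T1105", "bogus"]},
])

def content_key(signal):
    """Identity of a Signal with its MITRE technique IDs ignored."""
    return (signal["name"], signal["contents"])

def check_export(export_text, existing, max_bytes=MAX_EXPORT_BYTES):
    """Return a list of problems the import would cause; empty when clean."""
    problems = []
    size = len(export_text.encode("utf-8"))
    if size > max_bytes:
        problems.append(f"export is {size} bytes, over the {max_bytes} byte limit")
    # Map existing content -> whether that Signal already carries technique IDs
    existing_ids = {content_key(s): bool(s.get("mitre_technique_ids")) for s in existing}
    for sig in json.loads(export_text):
        ids = sig.get("mitre_technique_ids", [])
        key = content_key(sig)
        # Known issue: same content, IDs only on the imported side -> a second copy
        if ids and key in existing_ids and not existing_ids[key]:
            problems.append(f"{sig['name']!r} would be imported as a duplicate Signal")
        for tid in ids:
            if not TECHNIQUE_ID.match(tid):
                problems.append(f"{sig['name']!r} has malformed technique ID {tid!r}")
    return problems
```

Run `check_export(EXPORT_JSON, EXISTING_SIGNALS)` before importing into production; an empty list means the export is within the size limit and will not create the duplicate described above.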