Release Notes Threat Response (Version 2.2)
Important Notes
The releases of Tanium Threat Response 2.0, Integrity Monitor 2.0, and Map 2.0 all include a significant update to the Client Recorder Extension. This upgrade does not require that all three products be updated at the same time, but when more than one impacted product is deployed to an endpoint, conditional logic is applied to determine whether to upgrade the recorder component from 1.x to 2.0 versions. Please consult your Technical Account Manager to better understand how to best plan for your deployments if you have more than one impacted product installed.
The Threat Response module combines the functionality of the Detect and Trace modules and the Index and Incident Response content.
Migration from existing installations of the aforementioned modules is possible in the Threat Response module.
The migration process includes significant changes to the content and distribution of tools and configurations that are sent to connected endpoints.
Tanium strongly recommends contacting your Technical Account Manager prior to performing the migration.
7.4 clients are not supported on versions of Threat Response earlier than 2.1.0.
Threat Response 2.2.1.0003
Release Date: 2020-02-27
Enhancements
- Fixed an issue around Live Response file collection in Raw mode on Windows.
- Fixed an issue around Live Response alternate data stream collection in Raw mode on Windows.
- Fixed an issue with multibyte characters in Trace sensor output.
Known Issues
- Windows Tanium 6.0.314.1540 clients have been shown to perform poorly with Threat Response sensors, and should be upgraded to the latest 7.2 Tanium Clients.
- A known issue exists with uploading snapshots using version 11 of the Internet Explorer Web browser. This will be addressed in a future version of Threat Response.
- When a Download File response action is initiated from an Alert, Threat Response issues the "Trace - Start Session*" action every 6 minutes to ensure that the file is downloaded when the system comes back online. This happens until the file completes the intended download. If it doesn't finish the download, it keeps issuing the actions to attempt to complete the download. This will be addressed in a future version of Threat Response.
- Live Response fails to collect files that have double byte characters in the filename.
- The "Threat Response - Remove Tools" package may not remove all of the files that were installed as part of the Threat Response tools.
- A known issue exists where erroneous signal hits occur pertaining to image.signature_status and image.path when used in a group. This will be addressed in a future version of Threat Response.
Threat Response 2.2.0.0094
Release Date: 2020-02-25
Enhancements
- Import and automatically configure default settings and dependencies for Threat Response with Tanium Core Platform 7.4.2 or later.
- New supported signal terms for process user, process ancestry, process signature, and image signature.
- A Tanium Recorder Driver configuration and deployment to supported endpoints has been added to Recorder configurations.
- Sysmon as a supported event source has been deprecated in favor of the Tanium Event Recorder Driver.
- Reputation Intel Source improvements (requires Reputation 5.0.0+). Saved Questions for reputation hashes must now be configured and managed entirely within Tanium Connect. The naming convention of Reputation THR Intel has changed from Malicious Files $Date:$Time to Reputation Malicious Files $Date:$Time. Additionally, any Reputation intel that existed before an upgrade is renamed with the date and time of the upgrade appended to the signal name.
- Tanium Recorder 2.1.0.1679 included.
- Tanium Index 2.5.3.0005 included.
- Tanium IR 5.4.0.0023 included.
Known Issues
- Windows Tanium 6.0.314.1540 clients have been shown to perform poorly with Threat Response sensors, and should be upgraded to the latest 7.2 Tanium Clients.
- A known issue exists with uploading snapshots using version 11 of the Internet Explorer Web browser. This will be addressed in a future version of Threat Response.
- When a Download File response action is initiated from an Alert, Threat Response issues the "Trace - Start Session*" action every 6 minutes to ensure that the file is downloaded when the system comes back online. This happens until the file completes the intended download. If it doesn't finish the download, it keeps issuing the actions to attempt to complete the download. This will be addressed in a future version of Threat Response.
- Live Response fails to collect files that have double byte characters in the filename.
- The "Threat Response - Remove Tools" package may not remove all of the files that were installed as part of the Threat Response tools.
- A known issue exists where erroneous signal hits occur pertaining to image.signature_status and image.path when used in a group. This will be addressed in a future version of Threat Response.
- A known issue exists where Live Response file collectors don't work on Windows unless you have Alternate Data Streams. This will be addressed with a 2.2.1 hotfix.
Security
- This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.