Release Notes Threat Response (Version 2.4)
Important Notes
The releases of Tanium Threat Response 2.0, Integrity Monitor 2.0, and Map 2.0 all include a significant update to the Client Recorder Extension. This upgrade does not require that all three products be updated at the same time, but when more than one impacted product is deployed to an endpoint, conditional logic is applied to determine whether to upgrade the recorder component from 1.x to 2.x versions. Please consult your Technical Account Manager to better understand how to best plan for your deployments if you have more than one impacted product installed.
The Threat Response module combines the functionality of the Detect and Trace modules and the Index and Incident Response content.
Migration from existing installations of the aforementioned modules and content is possible in the Threat Response module.
The migration process includes significant changes to the content and distribution of tools and configurations that are sent to connected endpoints.
Tanium strongly recommends contacting your Technical Account Manager prior to performing the migration.
Tanium Client 7.4 is not supported on Threat Response versions earlier than 2.1.0.
This release includes Recorder Client Extension 2.2, which is the first release to include Linux Netlink support.
Recorder Client Extension installations on Linux Kernels >3.16 automatically use Netlink after a client reset. Recorder Client Extension 2.2 on Linux will fall back to auditd if Netlink is not available.
Raw logging behavior on Linux systems has changed. The Recorder Client Extension no longer loads the Tanium auditd rules by default when raw logging is enabled. Recorder Client Extension 2.2+ installations and upgrades stop with an error message if auditd raw logging is on. This safety check can be overridden, but running auditd with raw logging is highly discouraged, and overriding the check to install or upgrade Recorder Client Extension 2.2 over raw auditd logging is not encouraged.
To review system status, ask:
Get CX - Status from all machines with (is Linux equals true and running processes equals auditd)
If the Recorder Client Extension cannot use Netlink, a health_check entry appears in the results.
If you are also using Integrity Monitor, it should be upgraded to at least Integrity Monitor 2.5.2.0003 before Threat Response is upgraded in order to reduce chances of missing events. For more information, please contact your TAM.
Threat Response 2.4.2.0003
Release Date: 2020-05-19
Fixes
- Fixes an issue where connections to CentOS version 7 endpoints could be reset when making connections using Tanium Direct Connect and clicking a process in the process tree visualization.
- Updates core-recorder to version 3.2.9 and cx-core to version 1.2.14.
- New recorder features include a setting to force netlink unicast, and a new version of the Tanium Driver that adds registry recording support.
- cx-core includes a fix for a file usage tally that could cause high spikes in VDI environments.
Known Issues
- When upgrading to Threat Response 2.4.2, tools upgrade does not upgrade the version of the Tanium Driver.
Threat Response 2.4.1.0006
Release Date: 2020-05-05
Enhancements
- Adds a max string age for the Detect Alerts sensor.
- Tanium Recorder 2.2.1.1004 included.
Fixes
- Fixes an issue where exports from Saved Evidence fail to download when the file is in Japanese.
- Fixes an issue where Windows endpoints running Symantec Endpoint Encryption (SEE) can become unresponsive when using IOC with a "ProcessItem/HandleList/Handle/Name" term.
- Fixes an issue deploying intel during the initial import process.
- Fixes an issue where the Threat Response Status sensor returned the error "Failed to connect to Windows Defender Provider" on Windows 2008R2 and Windows Server 2012R2.
Threat Response 2.4.0.0161
Release Date: 2020-04-28
Enhancements
- Provides performance improvements when recording network information on Linux servers.
- Tanium Direct Connect is used to manage Live Endpoint Connections. You can enable Direct Connect to manage live endpoint connections for performance improvements when connecting to live endpoints and exploring data. If you choose not to use Direct Connect to manage live endpoint connections, you can use the Web Socket Client for an experience that is consistent with previous Threat Response releases.
- Displays the last date a live connection was established.
- Provides the ability to download multiple files from live endpoint connections.
- Provides typeahead suggestions for available endpoints.
- Allows deletion of folders in live connection.
- Provides an enhanced process tree visualization to enable deeper understanding of event history and ancestry on endpoints. The new process tree view is scrollable to provide visibility into sibling and ancestor processes. The events distribution visualization has not been included in this new process tree visualization.
- Provides an enhanced Alerts page that makes it more intuitive to filter alerts, pivot to exploring the environments where alerts have been detected, and deploy actions based on alerts.
- Provides the ability to use Live Response to capture recorder database snapshots when the Threat Response profile has enabled database encryption.
- Provides performance enhancements when installing Threat Response using Automatic configuration with default settings.
- Provides performance improvements of Incident Response sensors that perform Event Log Searches.
- Fixes an issue where Live Response did not collect Scheduled Tasks.
- Fixes an issue where the deployment of multiple Threat Response profiles was not metered.
- Includes additional macOS Collection Artifacts in Live Response.
- Adds an enterprise hunting technique for Trace Questions.
- Tanium Recorder 2.2.0.1528 included.
- Tanium Incident Response 5.6.0.0020 included. This release is available as a standalone offering, but it is also included in Threat Response 2.4.0.0161.
- Tanium Index 2.5.5.0006 included.
Upgrade Notes
- Threat Response 2.4.0 does not support Windows 2008 R2 without a service pack. Service Pack 1 (circa 2011) must be installed for Threat Response's Python sensors to execute on a Windows 2008 R2 endpoint.
- Tanium Direct Connect version 1.4.3 or later is required if using Direct Connect for Live Endpoint Connections. Please refer to the Tanium Direct Connect and Tanium Threat Response User Guides for AV exclusion information.
- The recorder does not support CentOS versions 5.3 and earlier.
Known Issues
- Tools upgrades to Threat Response 2.4.0 fail after upgrading the Tanium Client from 7.2 to 7.4 on Debian-based Linux distributions.
- A Threat Response Status Sensor error returns "Failed to connect to Windows Defender Provider" on Windows 2008R2 and Windows Server 2012R2. This will be addressed in a later version of Threat Response.
- A workflow change has been introduced in Threat Response 2.4.0 where it is no longer possible to establish a live connection to an endpoint from the Intel page.
- Exports from Saved Evidence fail to download when the file is in Japanese. This has been addressed in Threat Response 2.4.1.0006.
- Importing Threat Response can fail with a "non-AIO environment" error on non-English operating systems. This will be addressed in a future version of Threat Response. If you encounter this error, add the following registry value on the Tanium Module Server, where the version string matches your Tanium Server version:
  [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Tanium\Tanium Server]
  "Version"="7.X.XXX"
Security Update
This release includes security updates. For details, including affected versions and mitigation information, see the Tanium Support Portal, or contact your TAM.