IMPORTANT: This site is planned to be decommissioned in 2026. Visit the Tanium Resource Center for all Tanium release notes, user guides, and support information. To view release notes in the Resource Center, see Tanium Release Notes.
IMPORTANT: If you are using semi-annual releases for on premises, see the Release notes for 2024H1 semiannual release, Release notes for 2024H2 semiannual release, or Release notes for 2025H1 semiannual release on the Tanium Resource Center.
Effective October 15, 2024: On prem release notes on the Tanium Knowledge Base are frozen. For release notes related to 7.4 or 7.5 Server and Solutions, see the Monthly updates for Tanium Version 7.4 and 7.5 Server and Solutions on the Tanium Resource Center.

Release Notes Threat Response (Version 2.5)

From Tanium Knowledge Base

Important Notes

The releases of Tanium Threat Response 2.0, Integrity Monitor 2.0, and Map 2.0 all include a significant update to the Client Recorder Extension. This upgrade does not require that all three products be updated at the same time, but when more than one impacted product is deployed to an endpoint, conditional logic is applied to determine whether to upgrade the recorder component from 1.x to 2.x versions. Please consult your Technical Account Manager to better understand how to best plan for your deployments if you have more than one impacted product installed.

The Threat Response module combines the functionality of the Detect and Trace modules and the Index and Incident Response content.

Migration from existing installations of the aforementioned modules and content is possible in the Threat Response module.

The migration process includes significant changes to the content and distribution of tools and configurations that are sent to connected endpoints.

Tanium strongly recommends contacting your Technical Account Manager prior to performing the migration.

7.4 clients are not supported on Threat Response versions earlier than 2.1.0.

This release includes Recorder Client Extension 2.2, which is the first release to include Linux Netlink support.

Recorder Client Extension installations on Linux Kernels >3.16 automatically use Netlink after a client reset. Recorder Client Extension 2.2 on Linux will fall back to auditd if Netlink is not available.

Raw logging on Linux systems has changed. The Recorder Client Extension no longer loads the Tanium auditd rules by default if raw logging is enabled. Recorder Client Extension 2.2+ installations and upgrades stop with an error message if auditd raw logging is on. You can override this safety check, but doing so is not encouraged, and running auditd with raw logging is highly discouraged.

To review system status, ask:

Get CX - Status from all machines with (is Linux equals true and running processes equals auditd)

If Recorder Client Extension cannot use Netlink, a health_check entry is displayed in the results.
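
A local pre-upgrade check for the two Linux conditions described above (kernel newer than 3.16, auditd raw logging), written as an added example; it is not Tanium code. It assumes "raw logging" corresponds to `log_format = RAW` in `/etc/audit/auditd.conf` with `write_logs` not set to `no`, and reads ">3.16" as a major.minor comparison; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Pre-upgrade check for a Linux endpoint ahead of Recorder Client Extension 2.2.
# Assumption (not from the release notes): "raw logging" means auditd.conf has
# log_format = RAW (or no log_format line) and write_logs is not "no".

# kernel_supports_netlink RELEASE: exit 0 if major.minor of RELEASE is above 3.16
kernel_supports_netlink() {
    local major minor
    major=${1%%.*}
    minor=${1#*.}; minor=${minor%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -gt 16 ]; }
}

# auditd_conf_value FILE KEY: print the last value set for KEY, lowercased
auditd_conf_value() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        { k = $1; gsub(/[ \t\r]/, "", k) }
        tolower(k) == key { v = $2; gsub(/[ \t\r]/, "", v); val = tolower(v) }
        END { print val }' "$1"
}

# auditd_raw_logging_on FILE: exit 0 if FILE turns raw logging on
auditd_raw_logging_on() {
    local fmt writes
    [ -r "$1" ] || return 1
    fmt=$(auditd_conf_value "$1" log_format)
    writes=$(auditd_conf_value "$1" write_logs)
    # A missing log_format line is treated as RAW here (assumption).
    [ "${fmt:-raw}" = "raw" ] && [ "$writes" != "no" ]
}

# recorder_precheck RELEASE CONF: print a verdict; non-zero when action is needed
recorder_precheck() {
    local rc
    if auditd_raw_logging_on "$2"; then
        echo "BLOCK: raw auditd logging is on in $2; install or upgrade stops with an error"
        return 1
    fi
    kernel_supports_netlink "$1" && rc=0 || rc=$?
    case $rc in
        0) echo "OK: kernel $1 is above 3.16; Netlink is used after a client reset" ;;
        1) echo "OK: kernel $1 is not above 3.16; expect the recorder to rely on auditd" ;;
        *) echo "UNKNOWN: cannot parse kernel release '$1'"; return 2 ;;
    esac
}

recorder_precheck "$(uname -r)" /etc/audit/auditd.conf || echo "Review the line above before upgrading."
```
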

If you are also using Integrity Monitor, it should be upgraded to at least Integrity Monitor 2.5.2.0003 before Threat Response is upgraded in order to reduce chances of missing events. For more information, please contact your TAM.

Tanium Threat Response 2.5.3.0004

Release Date: 16 June 2020

Changes

  • The Health Check sensor now returns all check states, not only the health checks that failed, to give users a better understanding of what is and is not healthy in their environment.
  • Features updates to the Recorder and Client Extensions framework.

Fixes

  • Fixes an issue where a required file was not being installed on upgrades that resulted in endpoints not being able to generate Windows Defender alerts.
  • Fixes an issue where the common module import process could fail to populate action groups correctly.
  • Fixes an issue where incorrect reputation permissions were used.
  • Fixes an issue where the VirusTotal link was missing from the Reputation data when clicking a hash from an alert or a live connection.
  • Fixes an issue in Live Response where a destination could not be edited after it was created and saved.
  • Fixes an issue where Active Directory information from Tanium Impact was not being displayed in alert details.
  • Fixes an issue where the snapshots page would not load with only "Threat Response Snapshot Write" role assigned. "Threat Response Snapshot Read" needed to be assigned as well.
  • Fixes an issue where the roles User and Operator could not display the management section of the Threat Response workbench.
  • Fixes an issue with an incompatibility with the Tanium Recorder Driver and other system components that could cause a system to hang on reboot.

Tanium Threat Response 2.5.1.0082

Release Date: 02 June 2020

Changes

  • Provides a single interface to identify, investigate, scope, and remediate detection and prevention events generated by Windows Defender.
  • Made the Threat Response status more intuitive and easier to troubleshoot by adding a Health and Status page that displays the health of Threat Response components and can initiate a remediation action where issues are detected.
  • Provides signals-based filters and a corresponding filter builder for recorder events. The import/export format for filters has changed as part of this update; you cannot export filters from Threat Response versions earlier than 2.5 and import them on Threat Response versions equal to or greater than Threat Response 2.5. Similarly, you cannot export filters from Threat Response versions equal to or greater than Threat Response 2.5 and import them on Threat Response versions earlier than 2.5.
  • Provides the ability to enable the recorder to capture only driver loads, and exclude other image loads.
  • Reordered the Threat Response Home page to move reports and actionable data to the top of the home page.
  • Adds support for macOS to the Trace Logon Events sensor.
  • Adds support for deleting folders in a live connection.
  • Features new React versions of the intel page and associated modals.
  • Features an integration with Tanium Impact to manage the impact of lateral movement.
  • Includes extra system information in match alerts sent through Connect to external destinations.
  • The Threat Response Operator role was added.
  • Includes core python 1.4.0.45.
  • Adds Core-Recorder 3.2.10.

Fixes

  • Fixed an issue where hostnames with colons cause issues with Threat Response Direct Connections.
  • Fixed an issue where on reconnection to an endpoint with a process tree view in focus, the view changed from the current process to the parent process.
  • Fixed an issue where the Alerts side panel truncated command lines.
  • Fixed an issue where Direct Connect Live Connections did not show the full path in the driver tab.
  • Fixed an issue where the live connect filter does not search when the mouse clicks outside of the filter.
  • Fixed an issue where the Trace Executed Process Tree sensor was functioning as case-sensitive when not using regular expressions.
  • Fixed an issue where suppression rules applied retroactively did not refresh list automatically.
  • Fixed an issue where the current workbench status remediation action for missing intel was to send the latest sync package as opposed to the most recent package.
  • Fixed an issue where "Failed to fetch alerts" was displayed on the alerts page when sorting by Outbound impact.
  • Removed the filter column in the recent connections view and replaced it with an info icon that shows the same tooltip, with the endpoint name, if there is filter data about that endpoint.
  • Fixed an issue where the Threat Response Service does not exit on start up error.
  • Fixed an issue with the Threat Response workbench not loading in Internet Explorer.
  • Fixed an issue where the Live Endpoints link to endpoints could be broken.
  • Fixed an issue where tools upgrade to THR 2.4.0 fails after upgrading Tanium Client 7.2 to 7.4 on Debian based Linux distributions.
  • Fixed an issue where an upgrade times out.
  • Fixed an issue where the Process Exploration view dialog box does not allow drag or click in scroll bar box.
  • Fixed an issue with downloading files from within Live Connection Main View or Tree View Event Viewer.
  • Fixed an issue where clicking the side panel icon does not close the side panel.
  • Fixed an issue where clicking on an alert with no source crashes the alerts page.
  • Fixes an issue where a warning was shown incorrectly when connecting to an endpoint.
  • Fixes an issue where the Health Check page results table disappears over time.
  • Fixed an issue where an initial connection to a live endpoint shows the tools missing banner incorrectly.
  • Fixed an issue where a query of the process tree visualization timed out and closed the Tanium Direct Connect connection to the endpoint on CentOS endpoints.
  • Fixed an issue where Tanium processes and content are being detected by background scans when the option to exclude them is selected.
  • Fixed an issue with an initial configuration failure on TanOS 1.5.6 where endpoints did not have a configuration applied to do a live connection and an error was displayed in the Tasks view.
  • Fixed an issue that made it so users could not use `disable_process_group_protection` in dist-tools to safeguard against disruptions and unintended behavior.
  • Fixed an issue where the common module import log level wasn’t set to trace as was expected.
  • Fixed an issue where subscriptions for signals are either not found or not created on endpoints after using Common Module Import to install Tanium Threat Response.
  • Fixed an issue where an error was erroneously displayed reporting that Threat Response Tools are Currently Not Available until a Direct Connection was closed and re-established.
  • Fixed an issue where Live Connections to endpoints would fail from the investigations page.
  • Fixed an issue where a yellow banner related to package caching appears and then disappears.
  • Fixed an issue where Threat Response CX returns a Failed to receive outbox response on time error on deployments.

Known Issues

  • Errors occur when deploying Linux IPTable Quarantine package to CentOS7. This will be fixed in a future version of Threat Response.
  • Connecting to an endpoint using the Direct Connect filter builder, disconnecting, and reconnecting via the grid, causes the filter to be removed. This will be fixed in a future version of Threat Response.

Upgrade Notes

  • The addition of extra system information to match alerts modifies the contents of the JSON output sent from Connect to external systems. Systems utilising legacy static pattern matching capabilities to parse the JSON events may need to modify their configurations to support the new content.

Security Update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.

Additional Information

Product Documentation and Resources