Release Notes Threat Response (Version 2.6)
Important Notes
The releases of Tanium Threat Response 2.0, Integrity Monitor 2.0, and Map 2.0 all include a significant update to the Client Recorder Extension. This upgrade does not require that all three products be updated at the same time, but when more than one impacted product is deployed to an endpoint, conditional logic is applied to determine whether to upgrade the recorder component from 1.x to 2.x versions. Please consult your Technical Account Manager to better understand how to best plan for your deployments if you have more than one impacted product installed.
The Threat Response module combines the functionality of the Detect and Trace modules and the Index and Incident Response content.
Migration from existing installations of the aforementioned modules and content is possible in the Threat Response module.
The migration process includes significant changes to the content and distribution of tools and configurations that are sent to connected endpoints.
Tanium strongly recommends contacting your Technical Account Manager prior to performing the migration.
7.4 clients are not supported on Threat Response versions earlier than 2.1.0.
Recorder Client Extension installations on Linux Kernels >3.16 automatically use Netlink after a client reset. Recorder Client Extension 2.2 on Linux will fall back to auditd if Netlink is not available.
Raw logging on Linux systems is handled differently. The Recorder Client Extension no longer loads the Tanium auditd rules by default if raw logging is enabled. Recorder Client Extension 2.2+ installations and upgrades stop with an error message if auditd raw logging is on. You can override this safety check, but running auditd with raw logging is highly discouraged, and overriding the check to install or upgrade over raw auditd logging is not encouraged.
To review system status, ask:
Get CX - Status from all machines with (is Linux equals true and running processes equals auditd)
If Recorder Client Extension cannot use Netlink, a health_check entry in the results displays.
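The two Linux conditions above (kernel newer than 3.16 for Netlink, and auditd raw logging blocking a 2.2+ install or upgrade) can be pre-checked before a deployment. The following POSIX shell script is an added example and is not Tanium code; it assumes that "raw logging" corresponds to auditd's `log_format = RAW` setting in `auditd.conf`, and it takes the kernel release string and the auditd.conf text as arguments so it can run offline against the constructed samples embedded below.

```shell
#!/bin/sh
# Added example (not Tanium's code): pre-flight check for Recorder Client
# Extension 2.2+ on Linux. Assumptions: "raw logging" means auditd's
# log_format = RAW in /etc/audit/auditd.conf; Netlink is usable on kernels
# newer than 3.16, as the release notes state.

# Return 0 when the kernel release string (e.g. "4.18.0-305.el8") is newer than 3.16.
kernel_supports_netlink() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*//')   # keep only leading "major.minor.patch"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ "$major" -gt 3 ] 2>/dev/null && return 0
    [ "$major" -eq 3 ] 2>/dev/null && [ "$minor" -gt 16 ] 2>/dev/null && return 0
    return 1
}

# Return 0 when the auditd.conf text sets log_format = RAW (comment lines ignored).
auditd_raw_logging_enabled() {
    printf '%s\n' "$1" \
      | grep -v '^[[:space:]]*#' \
      | grep -iq '^[[:space:]]*log_format[[:space:]]*=[[:space:]]*raw[[:space:]]*$'
}

# Print a verdict; return 1 when the install/upgrade would be blocked, 0 otherwise.
recorder_preflight() {
    kernel=$1
    conf=$2
    if auditd_raw_logging_enabled "$conf"; then
        echo "BLOCKED: auditd raw logging (log_format = RAW) is enabled; install/upgrade of Recorder CX 2.2+ stops"
        return 1
    fi
    if kernel_supports_netlink "$kernel"; then
        echo "OK: kernel $kernel is newer than 3.16, recorder uses Netlink after client reset"
    else
        echo "OK: kernel $kernel is 3.16 or older, recorder falls back to auditd (expect a health_check entry in CX - Status)"
    fi
    return 0
}

# Constructed sample auditd.conf contents (not captured from a real system).
SAMPLE_CONF_RAW='# constructed sample auditd.conf
log_file = /var/log/audit/audit.log
log_format = RAW
flush = INCREMENTAL_ASYNC'
SAMPLE_CONF_ENRICHED='log_file = /var/log/audit/audit.log
log_format = ENRICHED'

# Usage: "--live" checks the host you run it on; otherwise run the constructed samples.
if [ "${1:-}" = "--live" ]; then
    recorder_preflight "$(uname -r)" "$(cat /etc/audit/auditd.conf 2>/dev/null)" || :
else
    recorder_preflight "4.18.0-305.el8" "$SAMPLE_CONF_RAW" || :
    recorder_preflight "4.18.0-305.el8" "$SAMPLE_CONF_ENRICHED" || :
    recorder_preflight "3.10.0-1127.el7" "$SAMPLE_CONF_ENRICHED" || :
fi
```

On a fleet, the question in the notes above (`Get CX - Status from all machines with (is Linux equals true and running processes equals auditd)`) remains the authoritative post-deployment check; this script only screens hosts ahead of time so that the raw-logging error is not discovered during the rollout.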
If you are also using Integrity Monitor, it should be upgraded to at least Integrity Monitor 2.5.2.0003 before Threat Response is upgraded in order to reduce chances of missing events. For more information, please contact your TAM.
Tanium Threat Response 2.6.10.0001
Release Date: 06 July 2021
Security Updates
- This release includes security updates. Details of the issues, including affected versions and mitigation information, can be obtained within Tanium's Support Portal or by contacting your TAM.
Tanium Threat Response 2.6.9.0001
Release Date: 23 March 2021
Security Updates
- This release includes security updates. Details of the issues, including affected versions and mitigation information, can be obtained within Tanium's Support Portal or by contacting your TAM.
Tanium Threat Response 2.6.7.0022
Release Date: 27 October 2020
Important Notes
- Threat Response Release 2.6.7 builds on the functionality provided in the previous 2.6 versions and has been released to provide support for custom Stream configurations. See the user guide: https://docs.tanium.com/pdf/threat_response/Tanium_Threat_Response_2.6.7_ug.pdf
- If this feature and the resolved issues are not strict requirements for your environment, installing this version is not recommended.
New Features
- Support for upload of custom Stream configurations.
- Support for the addition of custom Audit rules in Tanium Recorder client extension configurations.
Enhancements
- Addition of Stream reporting in the Threat Response health page.
Fixes
- Changes to resolve detect engine crashing when retrieving specific alert details
- Scrolling through intel documents freezes some rows
- Scrolling through intel documents causes duplicates to appear
- Infinite scrolling broken on filters list
- Intel list not filtered or sorted after deleting objects
- Intel document list sorting incorrect
- Inclusion of Stream details in Threat Response - Status sensor
- Incorrect count of intel documents returned
- Threat Response tools installations failed with error "Fatal error executing step < CXInstallPythonExtensionStep"
- Failure in some circumstances to install new tools when a previous version of the tools already exists
Security Updates
- This release includes security updates. Details of the issues, including affected versions and mitigation information, can be obtained within Tanium's Support Portal or by contacting your TAM.
Upgrade Notes
- The next planned major release of Threat Response will no longer support the Web Socket Client for making connections to remote endpoints. The Web Socket client will be fully deprecated. Direct Connect for live endpoint connections will be required in future releases for all live endpoint connections. Please refer to the Tanium Direct Connect and Tanium Threat Response User Guides for setup instructions and AV exclusion information.
Tanium Threat Response 2.6.6.0001
Release Date: 08 September 2020
Changes
- Adds an updated version of the recorder that:
- Performs a vacuum on recorder.db when the database exceeds the maximum DB size by two chunk sizes.
- Improves process table id lookup performance for large security events tables.
- Fixes an issue with high CPU that might be recorded in the extensions log showing 'a sealed resource is missing or invalid'.
- Fixes an issue where the recorder might not initialize with IPv6 TCP disabled.
Security Update
- This release includes security updates. Details of the issue, including affected versions and mitigation information, can be obtained within Tanium's Support Portal or by contacting your TAM.
Upgrade Notes
- The next planned major release of Threat Response will no longer support the Web Socket Client for making connections to remote endpoints. The Web Socket client will be fully deprecated. Direct Connect for live endpoint connections will be required in future releases for all live endpoint connections. Please refer to the Tanium Direct Connect and Tanium Threat Response User Guides for setup instructions and AV exclusion information.
Tanium Threat Response 2.6.4.0005
Release Date: 28 July 2020
Fixes
- Fixes an issue where if one suppression rule was deleted, all suppression rules would be inadvertently deleted.
- Fixes an issue in live endpoint connection file system browsing where failure to connect or delete when targeting deep path structure could occur.
- Fixes an issue where registry-based Signals could fail with an error.
- Fixes an issue in live endpoint connection where the visualization could not expand the process tree when the user is SYSTEM.
- Fixes an issue where selecting an alert's details could cause an error to display in the Alert Workbench when it is selected.
- Fixes an issue where Auto Upgrade Tools actions are created and run without being enabled in service settings.
- Fixes an issue where Threat Response tools would not install on Windows Server Core due to missing components.
Tanium Threat Response 2.6.3.0002 (DQ)
This version has been removed due to an issue that unintentionally deleted all suppression rules when one suppression rule was deleted.
If you installed Threat Response version 2.6.3.0002, please consult your Technical Account Manager.
Release Date: 09 July 2020
Fixes
- Fixes an issue where deleting an alert from a single intel document deleted all alerts.
- Fixes an issue where the Live Response link on management pages was incorrect.
- Fixes an issue where selections in configuration settings are not cleared when switching the filter before saving.
Tanium Threat Response 2.6.2.0005 (DQ)
This version has been removed.
If you installed Threat Response version 2.6.2.0005, please consult your Technical Account Manager.
Release Date: 06 July 2020
Improvements
- Provides the ability to stream Recorder telemetry directly from endpoints to external destinations such as Splunk, Elastic Logstash, or Chronicle.
- Adds a Trends board to capture and track metrics for the status of Threat Response deployments across an enterprise.
- Adds a Trends board to capture and track metrics for the mean time to investigate threats.
- Adds a Trends board to capture and track metrics for the mean time to resolve threats.
- Adds a Trends board to capture and track metrics for the overall healthy/unhealthy state for endpoints.
- Improves usability by updating several panels in the Threat Response workbench in React.
- Provides the ability to download a snapshot database or evidence to save from the Threat Response workbench.
- Deletes suppressed alerts after 7 days or after a user-specified period of time to improve performance.
- Threat Response tools packages have been refactored to reduce the total size and number of files.
Fixes
- Fixes an issue where the client recorder extension stopped recording registry data.
- Fixes an issue where Tanium Direct Connect could time out connected sessions incorrectly.
- Fixes an issue where the alert details within an intel document could produce an error.
- Changes the encoding of the Elastic Logstash configuration for Stream Configurations.
- Fixes an issue where not all default roles could view Health Status.
- Fixes an issue where profiles might not deploy correctly using Common Module Import.
- Fixes an issue where Trace Logon Events did not return all data when filtering.
- Fixes an issue where the Detect workbench used incorrect Reputation permissions.
- Fixes an issue where a column with no name was displayed in the Alerts page.
- Fixes an issue where process information for IOC alerts was missing when a port event match was detected.
- Fixes an issue where stale live connections were not deleted.
- Fixes an issue where the VirusTotal link was missing from the Reputation pop-up page.
- Fixes an issue where Live Response was unable to save a destination configuration.
- Fixes an issue where ActiveDirectory information from Impact was not displayed.
- Fixes an issue where the Intel definition tab was not displayed correctly for non-signal intel documents.
- Fixes an issue where the event grid failed to properly update in Live Connection or Snapshot views.
- Fixes an issue where snapshots failed to load in the saved evidence view.
System Requirement Enforcements
- For full functionality, a minimum of two CPUs per endpoint is required. The recorder will not run on systems with fewer than two logical cores. This will impact the ability to review historical data and use signals on these endpoints.
- Includes recorder updates that self-install a recorder.system-events subscription. This provides common CX infrastructure to other Tanium modules so they can be notified when a user logs in or off. As a result, the recorder pipeline is 'on' by default on Windows (connecting to ETW). Events are not stored in the recorder database without a Threat Response database configuration.
Security Update
- This release includes security updates. Details of the issue, including affected versions and mitigation information, can be obtained within Tanium's Support Portal or by contacting your TAM.
Tanium Threat Response 2.6.1.0001 (DQ)
This version has been removed due to an issue with the Client Recorder Extension component recording registry events.
If you installed Threat Response version 2.6.1.0001, please consult your Technical Account Manager.
Release Date: 30 June 2020
Improvements
- Provides the ability to stream Recorder telemetry directly from endpoints to external destinations such as Splunk, Elastic Logstash, or Chronicle.
- Adds a Trends board to capture and track metrics for the status of Threat Response deployments across an enterprise.
- Adds a Trends board to capture and track metrics for the mean time to investigate threats.
- Adds a Trends board to capture and track metrics for the mean time to resolve threats.
- Adds a Trends board to capture and track metrics for the overall healthy/unhealthy state for endpoints.
- Improves usability by updating several panels in the Threat Response workbench in React.
- Provides the ability to download a snapshot database or evidence to save from the Threat Response workbench.
- Deletes suppressed alerts after 7 days or after a user-specified period of time to improve performance.
- Threat Response tools packages have been refactored to reduce the total size and number of files.
Fixes
- Fixes an issue where profiles might not deploy correctly using Common Module Import.
- Fixes an issue where Trace Logon Events did not return all data when filtering.
- Fixes an issue where the Detect workbench used incorrect Reputation permissions.
- Fixes an issue where a column with no name was displayed in the Alerts page.
- Fixes an issue where process information for IOC alerts was missing when a port event match was detected.
- Fixes an issue where stale live connections were not deleted.
- Fixes an issue where the VirusTotal link was missing from the Reputation pop-up page.
- Fixes an issue where Live Response was unable to save a destination configuration.
- Fixes an issue where ActiveDirectory information from Impact was not displayed.
- Fixes an issue where the Intel definition tab was not displayed correctly for non-signal intel documents.
- Fixes an issue where the event grid failed to properly update in Live Connection or Snapshot views.
- Fixes an issue where snapshots failed to load in the saved evidence view.
System Requirement Enforcements
- For full functionality, a minimum of two CPUs per endpoint is required. The recorder will not run on systems with fewer than two logical cores. This will impact the ability to review historical data and use signals on these endpoints.
- Includes recorder updates that self-install a recorder.system-events subscription. This provides common CX infrastructure to other Tanium modules so they can be notified when a user logs in or off. As a result, the recorder pipeline is 'on' by default on Windows (connecting to ETW). Events are not stored in the recorder database without a Threat Response database configuration.
Security Update
- This release includes security updates. Details of the issue, including affected versions and mitigation information, can be obtained within Tanium's Support Portal or by contacting your TAM.