Effective October 15, 2024: On prem release notes on the Tanium Knowledge Base are frozen. For release notes related to 7.4 or 7.5 Server and Solutions, see the Monthly updates for Tanium Version 7.4 and 7.5 Server and Solutions on the Tanium Resource Center.
Release Notes Threat Response (Version 3.0)
Tanium Threat Response 3.0.159
Release Date: 24 November 2020
Important Notes
- The release of Tanium Threat Response 3.0 uses Tanium Client Management and Tanium Endpoint Configuration (provided by Tanium Client Management) to deliver configuration and tools centrally. This new functionality combines all solution configurations into one distribution mechanism to greatly reduce the complexity of actions and packages that were previously required to configure and deploy Tanium Threat Response. The previously used packages and actions for delivery of tools and configurations will no longer be present. For details of Tanium Client Management and Tanium Endpoint Configuration, refer to the Tanium Endpoint Configuration User Guide at http://docs.tanium.com/endpoint_configuration/endpoint_configuration/index.html.
- Threat Intelligence packages are currently still delivered in their own package and scheduled action managed by Tanium Threat Response.
- All dependencies are now enforced in the UI. Before you can load the Threat Response workbench, a check for all required Tanium dependencies is performed. If you need to install additional Tanium dependencies, the name and required version are provided in a UI notification.
- Threat Response 3.0 includes upgrades to the endpoint components Tanium Index and Tanium Event Recorder.
- With this release we are ending Tanium Administrative Console and Workbench support for Internet Explorer 11. For the best experience please use a recent version of Google Chrome, Microsoft Edge, or Mozilla Firefox to access the Tanium Console.
Upgrade notes
- Installation or upgrade of Interact, Trends, and Tanium Client Management must be completed prior to installing Threat Response 3.0 or any other module supporting the Endpoint Configuration management framework.
- Tanium Threat Response deprecates support for the legacy Web Socket Client for live endpoint connections. Live Connections to remote endpoints are now performed exclusively with Tanium Direct Connect. For details of installation and configuration of Tanium Direct Connect, consult the Tanium Direct Connect User Guide at http://docs.tanium.com/direct_connect/direct_connect/index.html.
- Tanium Threat Response profile advanced settings have been deprecated and removed from the UI. The relevant settings (including distribute over time) have been replaced by the Tanium Endpoint Configuration Tools Installation settings.
- If Client Recorder Extension version 1.x is currently deployed on a targeted endpoint, you must remove it before you can install Client Recorder Extension version 2.x tools via the new Endpoint Configuration Framework. The recommended steps for upgrading are:
  - Upgrade from Threat Response 1.x to Threat Response 2.4.
  - Ensure both the module server and the endpoints are upgraded.
  - Upgrade from Threat Response 2.4 to Threat Response 3.0.
Fixes
- Fixes a state where alerts may not be returned from endpoints.
- Fixes an issue where Stream configurations may not load on macOS endpoints.
- Fixes an issue where a user is unable to edit an Index configuration from the profile page.
- Fixes an issue where a failed saved evidence migration may cause an upgrade failure due to a service processing error.
- Fixes an issue where Stream filters may not correctly deploy to endpoints.
- Fixes an issue where the Start Index Scheduled Actions are not correctly updated at upgrade.
- Fixes an issue where the Reputation integration fails due to a React transition.
Tanium Threat Response 3.0.135
Release Date: 02 November 2020
Important Notes
- The release of Tanium Threat Response 3.0 uses Tanium Client Management and Tanium Endpoint Configuration (provided by Tanium Client Management) to deliver configuration and tools centrally. This new functionality combines all solution configurations into one distribution mechanism to greatly reduce the complexity of actions and packages that were previously required to configure and deploy Tanium Threat Response. The previously used packages and actions for delivery of tools and configurations will no longer be present. For details of Tanium Client Management and Tanium Endpoint Configuration, refer to the Tanium Endpoint Configuration User Guide at http://docs.tanium.com/endpoint_configuration/endpoint_configuration/index.html.
- Threat Intelligence packages are currently still delivered in their own package and scheduled action managed by Tanium Threat Response.
- All dependencies are now enforced in the UI. Before you can load the Threat Response workbench, a check for all required Tanium dependencies is performed. If you need to install additional Tanium dependencies, the name and required version are provided in a UI notification.
- Threat Response 3.0 includes upgrades to the endpoint components Tanium Index and Tanium Event Recorder.
- With this release we are ending Tanium Administrative Console and Workbench support for Internet Explorer 11. For the best experience please use a recent version of Google Chrome, Microsoft Edge, or Mozilla Firefox to access the Tanium Console.
Upgrade notes
- Installation or upgrade of Interact, Trends, and Tanium Client Management must be completed prior to installing Threat Response 3.0 or any other module supporting the Endpoint Configuration management framework.
- Tanium Threat Response deprecates support for the legacy Web Socket Client for live endpoint connections. Live Connections to remote endpoints are now performed exclusively with Tanium Direct Connect. For details of installation and configuration of Tanium Direct Connect, consult the Tanium Direct Connect User Guide at http://docs.tanium.com/direct_connect/direct_connect/index.html.
- Tanium Threat Response profile advanced settings have been deprecated and removed from the UI. The relevant settings (including distribute over time) have been replaced by the Tanium Endpoint Configuration Tools Installation settings.
- If Client Recorder Extension version 1.x is currently deployed on a targeted endpoint, you must remove it before you can install Client Recorder Extension version 2.x tools via the new Endpoint Configuration Framework. To target endpoints where Client Recorder Extension version 1.x exists, ask the Legacy - Recorder Installed sensor. In the results of this sensor, if the Supported Endpoints column displays “No”, you must remove Client Recorder Extension version 1.x from the endpoint before you can install Client Recorder Extension 2.x tools. To remove Client Recorder Extension version 1.x, deploy the Recorder - Remove Legacy Recorder [Operating System] package to targeted endpoints.
New Features
- This release includes a new endpoint configuration framework, replacing the actions and packages formerly used to configure endpoint tooling.
- This release includes a refreshed user experience, bringing more reporting, consistency, and configurability to the forefront.
- This release adds support for recording of HTTP header events on Windows endpoints via Tanium Recorder.
- This release includes support for file read events with new recorder updates.
- This release provides the capability to send MITRE ATT&CK techniques associated with signals in match events sent through Tanium Connect to external destinations.
Improvements
- Provides more detailed information on the Threat Response home page to quickly visualize Threat Response indicators and view metrics across an entire enterprise.
- Home page includes configurable quick links to redirect users to regularly used locations.
- Usability improvements have been made across the Threat Response workbench. This includes improved filtering and sorting in addition to improved workflows.
- Adds the ability to more intuitively navigate from the Process Tree view back to list view when exploring processes.
- Adds usability improvements to provide sorting on the Outbound Impact column of the alerts view.
- Adds usability improvements to the alerts workflow by adding a link to configure Reputation from the alert details.
- Adds the ability to upload custom Stream configuration data.
- Adds updates to the Health Status page to more easily troubleshoot, and quickly resolve, issues on managed endpoints.
- Provides visibility into the count of undeployed profiles by adding this level of information to the profiles summary.
Fixes
- Fixes an issue where deleting single intel doc alerts deletes all alerts.
- Fixes an issue where alerts are not generated even though signals are matching.
- Fixes an issue with intel where the Local Directory Source would not populate new intel.
- Fixes an issue where the Suppressions tab of an Intel document does not list the suppression name.
- Fixes an issue where OpenIOC EventLog-based alerts could have incorrect and incomplete data.
- Fixes an issue where the Saving Evidence progress spinner sometimes is shown indefinitely.
- Fixes an issue so that options listed in dropdown menus are alphabetically sorted.
- Fixes an issue where Intel document sorting is not preserved after applying a label.
- Fixes an issue where Detect service intel sources can unexpectedly run in parallel immediately after creating them.
- Fixes an issue with the Health Check where incorrect counting of endpoints could occur.
- Fixes an issue where some links between processes in live view show "NaN W" instead of a time.
- Fixes an issue where it was not possible to add Image Filters to a recorder configuration.
- Fixes an issue where the Common Module Import for Threat Response doesn't set the quickscan computer group.
- Fixes an issue where Threat Response alert action buttons inappropriately display when no alerts are selected.
- Fixes an issue where quick scan collecting coverage never completes.
- Fixes an issue with filters where a selection was not cleared when switching the filter.
- Fixes an issue where the Threat Response Status sensor does not include a Stream section.
- Fixes an issue with Health Status so that all default roles can see results in this page.
- Fixes an issue where the ability to export events to CSV was missing.
- Fixes an issue with browsing live endpoints where it might be unable to expand the process tree when the user is SYSTEM.
- Fixes an issue with browsing live endpoints where there could be a failure to connect or delete when targeting deep path structures.
- Fixes interface issues with the details drawer of the profiles details page.
- Fixes interface issues with the filters page.
- Adds improved messaging about Names that exceed max length in configurations.
- Fixes an issue where an invalid alert detail will trigger an error screen when it is selected.
- Fixes an issue where an Unresolved filter on Intel Document Alert Grid would not work on page load.
- Fixes an issue where Auto Upgrade Tools actions are created and run without being enabled in service settings.
- Fixes an issue where suppression rules could return a "Failed to create suppression rule: internal server error."
- Fixes an issue where Registry based Signals could fail with - ERROR:internal-error:Illegal result_type filter specified.
- Fixes an issue where it was not possible to add Recorder Process and File Filters in some cases.
- Fixes an issue where a file-based Signal could trigger mistakenly.
- Fixes an issue in the Suppression Rule Preview where truncation is needed for long endpoint names.
- Fixes an issue where Intel Documents sorted by Unresolved Alerts did not behave as expected.
- Fixes an issue where detached processes that are coming from Tanium Processes are not filtered out.
- Fixes an issue where Impact Details are not displayed correctly in the Alert details.
- Fixes an issue where all suppression rules were deleted when one rule was deleted.
- Fixes an issue where not all endpoints are being updated with impact data.
- Fixes an issue with Evidence Based IOC where it was not possible to Save any new entries.
- Fixes an issue where the Health Check returns "no results" on Debian-based distributions.
- Fixes an issue where initiating response actions from alerts returns a "DatePicker" error.
- Fixes an issue where the "Hash Of File" sensor returns a Traceback message for large file sizes.
- Fixes an issue where alert hover-over views flicker.
- Fixes an issue where the Threat Response - Status sensor reports that a detect package is required.
- Fixes an issue where the profile page was polling the entire page to reload, degrading performance.
- Fixes an issue where the Threat Response User did not have permissions to perform QuickScans.
- Fixes an issue where Trace Logon Events did not filter by Username, Domain, or Source Host parameters for Windows.
- Fixes an issue where Quick Scan collection could end too quickly to get results.
- Fixes an issue where editing profiles requires a password confirmation to save.
- Fixes an error with the Threat Response - Status sensor returning an error with get_all_profiles().
- Fixes an issue where snapshots could fail on new deployments.
- Fixes performance issues with the Threat Response home page.
- Fixes an issue where the live connection start time filter does not work correctly.
- Fixes an issue where scrolling could remove suppression rule filters.
- Fixes an issue where GUID was not searchable in the alerts table.
- Fixes an issue where the hash of a process in live connection process details was not always present.
- Fixes an issue where adding a suppression rule from the intel document view did not auto select the intel document.
- Fixes an issue where creating a suppression rule from an alert did not show all Signal options.
- Fixes an issue to make the Live Connect history sortable by last date connected endpoints.
- Fixes an issue where it was not possible to sort by OS in the alerts page.
- Fixes an issue where intel and manage filter lists filtered counts could be incorrect.
- Fixes an issue where network filters did not allow for 'operation type' selection in the filter builder.
- Fixes an issue where the Endpoint Must Gather could fail if directories are missing on endpoints.
- Fixes an issue where deleting a profile was not displayed in the Tasks page.
- Fixes an issue with Health Check where error messages are hidden when packages are not cached.
- Fixes an issue where the Threat Response - Status sensor could not see tools deployed on Linux.
- Fixes an issue where after deleting an intel document, the fetched data is not sorted or filtered.
- Fixes an issue where incident response was not bundling TaniumExecWrapper in Tools.
- Fixes an issue where applying a label to intel with "select all" also displays an error about removing intel.
- Fixes an issue with incorrect arrow directions on live connections data grid.
- Fixes an issue where the "Disconnect" option is greyed out when selecting a live connected endpoint.
- Fixes an issue where OpenIOC EventLog-based alerts have incorrect and incomplete data.
Security Updates
- This release includes security updates. Details of the issues, including affected versions and mitigation information, can be obtained within Tanium's Support Portal or by contacting your TAM.
Known Issues
- When viewing stacked lists in Threat Response using the Safari browser, some pages may display no rows in the table. Using an alternate browser will resolve the issue.
- The home page confirmation wizard may show that Tanium Signals require importing when the action has already been performed.