
Release Notes Threat Response (Version 3.1)


Tanium Threat Response 3.1.328

Release Date: 23 March 2021

Important Notes

The release of Tanium Threat Response 3.1 continues the migration to Tanium Client Management’s Endpoint Configuration service. The Threat Intelligence database is now also distributed to endpoints as part of the central tools and configuration management capability. This new functionality combines all solution configurations into one distribution mechanism, reducing the complexity required to configure and deploy Tanium Threat Response.

The previously used packages and actions for Threat Intelligence delivery will no longer be present. For details of Endpoint Configuration please refer to the Endpoint Configuration User Guide:

http://docs.tanium.com/endpoint_configuration/endpoint_configuration/

Threat Response 3.1 includes updated versions of the endpoint components Tanium Index, Tanium Event Recorder, and Tanium Stream.

Changes

  • Fixes an issue where Response Actions could be continuously issued every few hours for manually created Response Actions.

Security Update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.

Tanium Threat Response 3.1.325

Release Date: 16 February 2021

Important Notes

The release of Tanium Threat Response 3.1 continues the migration to Tanium Client Management’s Endpoint Configuration service. The Threat Intelligence database is now also distributed to endpoints as part of the central tools and configuration management capability. This new functionality combines all solution configurations into one distribution mechanism, reducing the complexity required to configure and deploy Tanium Threat Response.

The previously used packages and actions for Threat Intelligence delivery will no longer be present. For details of Endpoint Configuration please refer to the Endpoint Configuration User Guide:

http://docs.tanium.com/endpoint_configuration/endpoint_configuration/

Threat Response 3.1 includes updated versions of the endpoint components Tanium Index, Tanium Event Recorder, and Tanium Stream.

Support

This release of Threat Response brings full feature parity with the legacy Trace service and Trace product. It also marks the end of life of all Trace versions and Threat Response versions 1.x, which reach end of life on August 1, 2021.

Upgrade notes

Tanium Threat Response 3.1 removes the legacy Trace service hosted on the Tanium Module Server. All UI and API functionality previously provided by this service has been migrated to the Threat Response service. For details of API changes, refer to the API documentation provided in the UI.

Tanium Threat Response profile advanced settings have been deprecated and removed from the UI. The relevant settings (including distribute over time) have been replaced by the Tanium Endpoint Configuration Tools Installation settings.

If Client Recorder Extension version 1.x is currently deployed on a targeted endpoint, you must remove it before you can install Client Recorder Extension version 2.x tools via the new Endpoint Configuration Framework. To find endpoints where Client Recorder Extension version 1.x exists, ask the Recorder - Legacy Installed sensor. If the Supported Endpoints column in the results of this sensor displays “Yes”, you must remove Client Recorder Extension version 1.x from that endpoint before you can install Client Recorder Extension 2.x tools. To remove Client Recorder Extension version 1.x, deploy the appropriate Recorder - Remove Legacy Recorder [Operating System] package to the targeted endpoints. If this has not been done and the endpoint is targeted for tools, the installation will not proceed.
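The pre-flight check described above, as an added example that is not Tanium's own content: it takes the results of the Recorder - Legacy Installed sensor question, keeps only endpoints whose Supported Endpoints column is “Yes”, and groups them under the Recorder - Remove Legacy Recorder [Operating System] package that must be deployed before those endpoints are targeted for tools. It assumes the question results were exported as CSV; the column names other than Supported Endpoints, the operating system values, and the exact package name suffixes are assumptions, and the sample export is constructed.

```python
"""Pre-flight check for the Client Recorder Extension 1.x removal step.

Added example, not Tanium code. Assumes the "Recorder - Legacy Installed"
question results were exported as CSV with the columns below. Only the
"Supported Endpoints" column name comes from the release notes; the other
column names, OS values and package suffixes are assumptions.
"""
import csv
import io

# Constructed sample export (not real data).
SAMPLE_EXPORT = """\
Computer Name,Operating System,Supported Endpoints
win-host-01,Windows,Yes
win-host-02,Windows,No
lnx-host-01,Linux,Yes
mac-host-01,Mac,Yes
lnx-host-02,Linux,[no results]
"""

# Package name pattern from the release notes:
# "Recorder - Remove Legacy Recorder [Operating System]".
# The OS-to-suffix mapping is an assumption; check the actual package
# names in your Tanium console before deploying.
REMOVAL_PACKAGE_BY_OS = {
    "Windows": "Recorder - Remove Legacy Recorder Windows",
    "Linux": "Recorder - Remove Legacy Recorder Linux",
    "Mac": "Recorder - Remove Legacy Recorder Mac",
}


def endpoints_needing_removal(export_text):
    """Return {package_name: [computer names]} for every endpoint whose
    Supported Endpoints column reads "Yes" (legacy recorder present)."""
    targets = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row.get("Supported Endpoints", "").strip().lower() != "yes":
            continue  # "No" or "[no results]": nothing to remove here
        os_name = row.get("Operating System", "").strip()
        package = REMOVAL_PACKAGE_BY_OS.get(os_name)
        if package is None:
            # Unknown OS: surface it instead of silently skipping, because
            # tools installation will not proceed on such an endpoint.
            package = f"UNMAPPED OS '{os_name}'"
        targets.setdefault(package, []).append(row["Computer Name"].strip())
    return targets


def is_clear_for_tools(export_text):
    """True only when no endpoint still reports Client Recorder Extension 1.x,
    i.e. the computer group can be targeted for 2.x tools."""
    return not endpoints_needing_removal(export_text)


if __name__ == "__main__":
    for package, hosts in endpoints_needing_removal(SAMPLE_EXPORT).items():
        print(f"{package}: {', '.join(hosts)}")
    print("clear for tools:", is_clear_for_tools(SAMPLE_EXPORT))
```

Run the check against a fresh export after the removal packages have completed; only when `is_clear_for_tools` returns True for the targeted group will the Endpoint Configuration tools installation proceed on every endpoint in it.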

Tanium recommends systems with at least two cores for Recorder installs, and has required this configuration from Threat Response 2.6 through Threat Response 3.0. Beginning with this release, you may set an option to allow Recorder to run on a single-core system. The Recorder CPU setting is modified via content and defaults to the recommended setting of ON (meaning that 2 CPU cores are required to run Recorder). Memory and CPU usage can rise above normal levels when Recorder runs on a single-core endpoint. For more information, see:

http://docs.tanium.com/threat_response/threat_response/requirements.html#Endpoint_hardware_requirements

Normally memory and CPU usage average less than 1% over time, with periods of higher activity. System resource usage can increase as workload on an endpoint increases. Under certain workloads, such as long lived processes with multiple forked child processes, memory and CPU usage can become high.

If you are upgrading from a version of Threat Response earlier than 2.4, you must upgrade to 2.4 first and then upgrade to 3.1.

New Features

  • Retirement of the legacy Trace module server service
  • Completion of the migration to new UI framework
  • Ability to create response actions without alerts in THR
  • Support for Mitre ATT&CK sub-techniques in signals
  • Add ability to filter alerts by GUID
  • Utilise Endpoint Configuration Service for threat intel deployment
  • Support Include filters for Recorder and Stream configurations
  • Integration with Enforce module for remediation actions

Improvements

  • Support for token based authentication in Threat Response API
  • Combined API route for new saved evidence page
  • Increased information in the saved evidence page
  • Enterprise hunting page redesign
  • Filter by username in saved evidence page
  • Redesign of live response page
  • Include Threat Intel revision details on Intel page
  • Improved error messages in the signal builder
  • New recorder configuration to disable dual cpu requirement

Fixes

  • Resolved stack trace on Linux for "Service Process Details" sensor
  • Resolve issue where Intel deployment can fail on an endpoint when Windows endpoints have certain hotfixes installed and no internet access
  • Refactored Live Connection page to prevent the grid bottom being beyond end of page
  • Resolved issue where copying the Defender intel document name did not copy to clipboard
  • Resolved issue where Safari did not render tables in the Intel and Management pages
  • Refactored Intel documents page where suppress option was not available
  • Resolved issue where snapshot date and time does not represent the actual creation time
  • Refactored Response Activity page to ensure sorting worked as expected
  • Resolved issue where retroactive suppressions only work on unresolved alerts
  • Resolved issue where process information in the side panel is not consistent
  • Corrected file operation types in Enterprise Hunting questions
  • Resolved an issue where the UI presented an error when trying to pivot from an alert to a live connection where the event has been pruned from the recorder database
  • Corrected issue with using “does not contain” and “does not equal” in Live Connection filtering
  • Remove timestamps from Trace Logon Events Sensor to allow “make stackable” to function
  • Resolved issue where edited signals did not display properly in the intel page
  • Resolved issue where sorting of impact rating on home page was incorrect
  • Resolved issue with intelDocs API to ensure existing documents are updated as expected
  • Resolved issue where YARA search scope allowed duplicates or blanks
  • Resolved issue where dates are not validated in live connection filters
  • Resolved issue where alerts generated by OpenIOC documents may display the incorrect field data
  • Resolved issue where an IOC with no name could be uploaded in the UI
  • Resolved issue that caused temporary intel database files to not be deleted
  • Resolved issue with signals builder that allowed group() syntax to be used with process terms
  • Resolved issue where filtering the Live Connection view with SQLite terms can cause unusual search results
  • Resolved issue where the Intel Document ID page was blank for an invalid signal
  • Resolved issue where quickscan results could show no systems but increase alerts count
  • Resolved issue where some computer groups could show twice in the Quickscan UI
  • Resolved issue where incorrect parsing of filters or signals can cause filter or alerts page to not render
  • Resolved an issue that prevented the Response Activity page from sorting correctly
  • Resolved a stack trace issue with the Service Process Details sensor when executed on Linux systems
  • Resolved issue where applying a filter to the top panel does not accurately change the other displayed results


Security Update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.

Known Issues

  • Trace DNS query sensor can return incorrect results on Windows 7 systems
  • Changing the status on a very large number of alerts can fail silently
  • Live response actions submitted to a system where the hostname changes after initial submission can cause the action to reissue multiple times