IMPORTANT: This site is planned to be decommissioned in 2026. Visit the Tanium Resource Center for all Tanium release notes, user guides, and support information. To view release notes in the Resource Center, see Tanium Release Notes.
IMPORTANT: If you are using semiannual releases for on-premises deployments, see the Release notes for 2024H1 semiannual release, Release notes for 2024H2 semiannual release, or Release notes for 2025H1 semiannual release on the Tanium Resource Center.
Effective October 15, 2024: On-premises release notes on the Tanium Knowledge Base are frozen. For release notes related to 7.4 or 7.5 Server and Solutions, see the Monthly updates for Tanium Version 7.4 and 7.5 Server and Solutions on the Tanium Resource Center.

Release Notes Threat Response (Version 3.8)

From Tanium Knowledge Base

Tanium Threat Response 3.8.235

Release Date: 14 February 2023

Improvements

  • Improved behavior to limit memory usage when performing memory scoped YARA scans.

Fixes

  • Fixes an issue where duplicate Threat Response alerts could be sent to Tanium Connect destinations.
  • Fixes an issue where STIX intel documents were not being parsed correctly.
  • Fixes an issue where YARA scans may not scan all search scopes as expected.

Tools Versions

  • Includes core-recorder 3.9.71
  • Includes recorder 2.8.1047
  • Includes THR-CX 1.10.999
  • Includes Stream 1.7.3
  • Includes Driver 3.1.2058
  • Includes index-cx 3.2.2774
  • Includes core-python 2.2.18
  • Includes Incident Response 6.5.21

Known Issues

  • In instances where RecorderCX is not running, SHA256 hash detections of active long-running processes may fail to generate an alert.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • Live Response Memory Collection is not supported on Amazon Linux 2 (ARM) endpoints or macOS endpoints that use M1 ARM processors.
  • The MacOS Autoruns Sensor does not properly parse autorun information on MacOS 13 Ventura due to a change by Apple in where this information is stored.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when the size of the packet sent by the endpoint is larger than the router's allowed MTU. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and advise lowering the permissible MTU. If the negotiation packet is not able to reach the destination because of the quarantine, the endpoint can become unresponsive: it is still quarantined but loses communication with the Tanium Server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • On-demand scans for IOCs created from a hash search only content from Tanium Index; they do not search recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.
  • On Mac OS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.

Tanium Threat Response 3.8.230

Release Date: 01 November 2022

Fix

  • Fixes a potential conflict between the Tanium Driver and third-party process injection drivers that could cause Microsoft Windows to become unresponsive when Tanium Process Injection alerts are enabled.

Tools Versions

  • Includes core-recorder 3.9.71
  • Includes recorder 2.8.1047
  • Includes THR-CX 1.10.990
  • Includes Stream 1.7.3
  • Includes Driver 3.1.2058
  • Includes index-cx 3.2.2774
  • Includes core-python 2.2.18
  • Includes Incident Response 6.5.21

Security update

  • This release includes security updates. Details of the issue, including affected versions and mitigation information, can be obtained from Tanium's Support Portal or by contacting your TAM.

Known Issues

  • In instances where RecorderCX is not running, SHA256 hash detections of active long-running processes may fail to generate an alert.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • Live Response Memory Collection is not supported on Amazon Linux 2 (ARM) endpoints or macOS endpoints that use M1 ARM processors.
  • The MacOS Autoruns Sensor does not properly parse autorun information on MacOS 13 Ventura due to a change by Apple in where this information is stored.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when the size of the packet sent by the endpoint is larger than the router's allowed MTU. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and advise lowering the permissible MTU. If the negotiation packet is not able to reach the destination because of the quarantine, the endpoint can become unresponsive: it is still quarantined but loses communication with the Tanium Server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • On-demand scans for IOCs created from a hash search only content from Tanium Index; they do not search recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.
  • On Mac OS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.

Tanium Threat Response 3.8.226

Release Date: 04 October 2022

Important Notes

  • In Threat Response 3.8, Quick Scans have been replaced with On-Demand scans. If upgrading to Threat Response 3.8 from an earlier version, quick scan history for intel documents is not migrated and is no longer available.
  • On-Demand scans are action-based and now require an approver if action approval is enabled.
  • When upgrading from an existing version of IndexCX to IndexCX 3.2.2762 or higher, the Index database on all endpoints is reset. IndexCX then performs a rescan to repopulate the Index database. This initial rescan is randomized over 24 hours and follows the same Tanium CX resource throttles as a normal rescan, which occurs every 7 days by default. Until the initial rescan is complete, Index data can be incomplete. This reset is required because of database schema changes that improve database consistency.
  • System File filters have been renamed to System Filters. These filters continue to work the same way on Linux endpoints. On Windows endpoints, System Filters provide the ability to exclude processes from process injection monitoring.
  • The Interact bar on the Enterprise Hunting page has been removed.
  • The Threat Response Health page has been removed.
  • Use the “Client Extensions – Status” sensor as the authoritative resource for which Threat Response components are present and running on an endpoint. The “Threat Response – Status” sensor will be deprecated in a future release.
  • When upgrading from earlier versions of Threat Response, there are differences in Alert Details (and the alert JSON). The differences can be summarized as follows:
    • Hash ids were numbers; they are now strings.
    • The source for openioc filename was tanium-index; it is now index.
    • The service id was included in match details; it is no longer included in the latest version.
    • The source for openioc network was tanium-recorder; it is now threatresponse_database.
    • The source for openioc process was tanium-recorder; it is now live.
    • The source for signals was signals; it is now recorder or threatresponse_database.
    • The source for yara was at-rest; it is now at_rest.
  • Auto deployment of tools might not work after upgrading to Threat Response 3.8 from Threat Response version 2.6. In such cases, you need to deploy profiles to enable endpoint tools upgrade.

New Features

  • Provides support for Amazon Linux 2 (ARM) and macOS endpoints that use M1 ARM processors.
  • Process injection monitoring: Detects when processes have code written and executed in their memory space in a suspicious manner. Process injection monitoring is supported on Windows 10 and Windows Server 2016, and newer. Process injection monitoring is not enabled by default.
  • New Tanium Client Extension version of the Threat Response evaluation engine, which replaces the Tanium Detect Engine.
  • On-demand scans replace Quick Scans. Whereas legacy Quick Scans used questions to deliver the Intel document to the endpoint, On-demand scans use an action to deliver the Intel document to the endpoint for immediate matching and alert reporting, so there is no longer a limit on the number of indicators in an Intel document for On-demand scans.
  • On-demand scans of Reputation malicious hashes are now supported.
  • The "Engine" and "Intel" configurations in THR have been consolidated into a single simplified "Detection" configuration.

Improvements

  • Upgraded various third-party libraries to newer versions.
  • Adds support for Tanium Signals syntax v5, which increases the Signals and filters terms limit from 24 to 55.
  • On-demand scans now support overriding Detection configuration scan blockout windows.
  • Response action targeting now relies on multiple endpoint data points for more specific targeting.
  • Ability to download multiple items of Saved Evidence simultaneously.
  • Improves event export to allow exporting up to 500,000 events from live connections and snapshots.
  • Symbolic links are now visible while file browsing in a live connection. Deleting symbolic links requires Tanium Direct Connect 2.4 or higher.
  • “Global” suppression rules have been renamed to “All Signals”.
  • “Signal-Specific” suppression rules have been renamed to “Intel-Specific”.
  • “Defender Intel” document for Windows Defender alerts is now visible on the Intel page.
  • “Deep Instinct” document for Deep Instinct alerts is now visible on the Intel page.
  • Recorder filters now support Registry “Operation” based filters.
  • Recorder filters now support Network “Operation” based filters.
  • Adds the “Index - List Discovered Volumes” sensor to return the list of filesystem volumes discovered by Tanium Index.
  • Adds "ends with" filtering to Live Connections.
  • Improves File Downloads via Live Connections.
  • Supports importing YARA 4.1 rules.
  • Validates uploaded snapshots.
  • Improves the display of endpoint data details in table format.
  • Improves Alert Summary Charts.
  • Updated Recorder Sensor Descriptions.
  • Alerts which remain unacknowledged on endpoints will now be removed after 30 days.
  • EID manager logging moved to Trace level.
  • On Unix/Linux, Threat Response's use of the lsof (list open files) command has been deprecated. Threat Response now uses Recorder data.

Tools Versions

  • Includes core-recorder 3.9.70
  • Includes recorder 2.8.1047
  • Includes THR-CX 1.10.990
  • Includes Stream 1.7.3
  • Includes Driver 3.1.2053
  • Includes index-cx 3.2.2774
  • Includes core-python 2.2.18
  • Includes Incident Response 6.5.21

Fixes

  • Fixes an issue where the recorder shows some processes with no parent.
  • Fixes an issue where the Intel Name in the Alerts grid can disappear when scrolling.
  • Fixes an issue where endpoints show a recorder health check that states “Failed to create BPF Network event provider. Not receiving file events.”
  • Live Response has been updated to allow memory collection from recent Windows 10 releases.
  • Live Response standard collections with variables have been updated to correctly work on macOS and Linux endpoints.
  • Live Response running process collections have been updated to correctly work on macOS.
  • Fixes an issue where Endpoint Configuration Framework (ECF) would remove Threat Response configurations if ECF could not evaluate an endpoint's computer group membership.
  • Fixes an issue where a profile redeployment was needed after tool reinstallation to enable the recorder subscription.
  • Fixes a file size mismatch between the live connection file browser and actual file size on disk.
  • Fixes an issue where Response Actions and action approval would be recreated after deletion.
  • Firefox is now able to correctly render Threat Response alerts.
  • Fixes an issue where configurations with "Tanium Defaults" in the name would be read-only.
  • Fixes an issue where a user is unable to view Linux alerts using the fly out button properly.
  • Updated Threat Response Default Registry Filters.
  • Threat Response and Reputation no longer alert on hashes on the non-malicious list in Reputation.
  • Fixes an issue where it was not possible to use a space when searching filters and exclusions.
  • Fixes an issue where the Intel Label filter freezes after the first search character input and does not accept additional characters.
  • Fixes an issue where the Live Response “Create” and “Generate” buttons can be scrolled out of view.
  • Fixes an issue with Incident Response Sensors where using GetOSMajorVersion does not work on non-English endpoints.
  • Fixes an issue where the “Network Connections” sensor was not stacking data appropriately.
  • Fixes an issue on the alerts page where the alert count by intel document could be incorrect when filtering.
  • Fixes an issue with Intel configurations where the label selection drop down was limited to 100 labels.
  • Fixes an issue in alerts detail where the Impact section of the alert details drawer refreshes when the main alerts grid updates.
  • Fixes an issue where deploying a response action without a package resulted in a “Cannot read property 'files' of undefined” error.
  • Fixes an issue where a Response Action exception error could occur when removing the expiration date.
  • Fixes an issue where the evidence API doesn't accept a limit parameter.
  • Fixes an issue where the popup window is not honoring a timeout value when making a Live Connection from an alert.
  • Fixes an issue where multiple Signal feed updates could occur for the same version.
  • Fixes an issue where saved evidence snapshot uploads are missing a username.
  • Fixes wording of the delete intel confirmation.
  • Fixes an issue in the alerts details drawer where OS Platform is shown twice.
  • Fixes an issue in Quarantine response actions where the custom configuration checkboxes were not working as expected.
  • Fixes an issue where the "Signed" field in driver event view is inaccurate.
  • Fixes an issue in alert details where clicking section icons scrolled to and collapsed that section.
  • Fixes potential knex errors such as "Knex: Timeout acquiring a connection", which could cause the Detect service and the Threat Response workbench to become unavailable.
  • Fixes a potential page crash when expanding suppression rule previews.
  • Fixes an issue where the process tree view does not open when starting a live connection from some alerts.
  • Fixes an issue where the "Threat Response - Acknowledge Findings" action was not being issued with action approval enabled.
  • Fixes an issue where the Threat Response service could become unresponsive due to multiple SQLite connections.
  • Fixes an issue where the Threat Response service could experience a memory leak during event gathering.
  • Fixes an issue which could cause increased Tanium Server network usage when a large number of Threat Response alerts are being throttled.
  • Fixes on-demand scanning failure for the Threat Response user when a Reveal user is also assigned.
  • Fixes a logging error in the Threat Response logs that creates a Findings gather loop.

Security update

  • This release includes security updates. Details of the issue, including affected versions and mitigation information, can be obtained from Tanium's Support Portal or by contacting your TAM.

Known Issues

  • In instances where RecorderCX is not running, SHA256 hash detections of active long-running processes may fail to generate an alert.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • Live Response Memory Collection is not supported on Amazon Linux 2 (ARM) endpoints or macOS endpoints that use M1 ARM processors.
  • On-premises Threat Response 3.8.226 upgrades might fail during the content import step if the legacy "Historical RDP Sessions" sensor exists. To resolve this issue, delete the "Historical RDP Sessions" sensor and perform a reimport.
  • BeyondTrust/Avecto Privilege Guard Software has an incompatibility with Tanium Driver Process Injection that can cause Microsoft Windows to become unresponsive. If BeyondTrust/Avecto Privilege Guard Software is installed, it is recommended not to enable Tanium Process Injection alerts.
  • The MacOS Autoruns Sensor does not properly parse autorun information on MacOS 13 Ventura due to a change by Apple in where this information is stored.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when the size of the packet sent by the endpoint is larger than the router's allowed MTU. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and advise lowering the permissible MTU. If the negotiation packet is not able to reach the destination because of the quarantine, the endpoint can become unresponsive: it is still quarantined but loses communication with the Tanium Server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • On-demand scans for IOCs created from a hash search only content from Tanium Index; they do not search recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.
  • On Mac OS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.