IMPORTANT: This site is planned to be decommissioned in 2026. Visit the Tanium Resource Center for all Tanium release notes, user guides, and support information. To view release notes in the Resource Center, see Tanium Release Notes.
IMPORTANT: If you are using semi-annual releases for on-premises deployments, see the Release notes for 2024H1 semiannual release, Release notes for 2024H2 semiannual release, or Release notes for 2025H1 semiannual release on the Tanium Resource Center.
Effective October 15, 2024: On-premises release notes on the Tanium Knowledge Base are frozen. For release notes related to 7.4 or 7.5 Server and Solutions, see the Monthly updates for Tanium Version 7.4 and 7.5 Server and Solutions on the Tanium Resource Center.
Release Notes Threat Response (Version 4.0)
Tanium Threat Response 4.0.1116
Release Date: 17 August 2023
Upgrade Notes
- Threat Response 4.0.1116 upgrades will fail with an "Import – Dependency Check error" if a version of Threat Response that isn’t supported is currently installed. In this case, please review the upgrade notes and follow the required upgrade path.
- If using Tanium Server version 7.5.6, you must be on 7.5.6.1087 or higher to prevent an issue where upgrades to Threat Response 4.0 will not complete successfully.
- Upgrades to Threat Response 4.0 are only possible from Threat Response 3.8 or 3.10. Due to database schema changes during the migration, it is NOT possible to upgrade directly from Threat Response 3.7 (or earlier) to Threat Response 4.0. If you upgrade directly from 3.7 (or earlier) to Threat Response 4.0, the upgrade will fail, and you will need to recover Threat Response from a backup.
Improvements
- Improves the Tanium Driver's compatibility with Windows 7 SP1 and Windows Server 2008 R2 SP1 systems that may not have all Windows updates installed.
Fixes
- Removes an arbitrary limit on the size of the Tanium Signals feed.
- Fixes an issue where updates to the Tanium Signals feed did not properly remove Signals that are no longer provided.
Tools Versions
- Includes Threat Response Tools: 4.0.1116
- Includes Threat Response CX binary: 1.12.923
- Includes Recorder Tool (Installer): 3.12.28
- Includes Recorder binary: 2.10.840
- Includes Driver Tool (Installer): 3.12.28
- Includes Driver binary: 3.2.87
- Includes Index binary: 3.3.2634
- Includes Stream: 1.7.10
- Includes pycx: 2.5.1019
- Includes python38: 3.1.43
- Includes python27: 2.1.24
- Includes Incident Response: 6.6.31
Known Issues
- SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
- When quarantine rules block the ICMP protocol, MTU negotiation packets can be blocked when the size of a packet sent by the endpoint is larger than the MTU allowed by the router. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint to report that the packet is too large and advise lowering the permissible MTU size. If that negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
- The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura due to a change by Apple in where this information is stored.
- At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) endpoints. Memory collection and Live Response are not supported. This support will be provided in a future version of Threat Response.
- When deleting Notifications from the Management > System Notifications page, if you apply filters and select to delete multiple notifications that match the filter criteria, all notifications are deleted. This is a known issue and will be resolved in a future version of Threat Response.
- On macOS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.
Tanium Threat Response 4.0.1113
Release Date: 7 August 2023
Upgrade Notes
- Threat Response 4.0.1104 upgrades will fail with an "Import – Dependency Check error" if a version of Threat Response that isn’t supported is currently installed. In this case, please review the upgrade notes and follow the required upgrade path.
- If using Tanium Server version 7.5.6, you must be on 7.5.6.1087 or higher to prevent an issue where upgrades to Threat Response 4.0 will not complete successfully.
- Upgrades to Threat Response 4.0 are only possible from Threat Response 3.8 or 3.10. Due to database schema changes during the migration, it is NOT possible to upgrade directly from Threat Response 3.7 (or earlier) to Threat Response 4.0. If you upgrade directly from 3.7 (or earlier) to Threat Response 4.0, the upgrade will fail, and you will need to recover Threat Response from a backup.
Improvements
- Improves the Tanium Driver's compatibility with Carbon Black's tamper protection behavior.
Fixes
- Fixes an issue with the Tanium Driver installation process to make upgrades of the Tanium Driver more reliable and prevent partial Tanium Driver upgrades.
- Fixes an issue where intel document definitions were not converted after an upgrade causing intel documents to no longer show as having a definition in the user interface.
- Fixes an issue where long running intel deployment tasks could fail due to session timeouts.
- Fixes an issue that could cause a failure with air-gap installations because ThreatResponse.xml contained unprintable characters.
- Fixes an issue where blank MITRE ATT&CK names or IDs could cause a failed upgrade from Threat Response 3.8 or 3.10 to 4.0+.
Security update
- This release includes security updates. Details of the issue, including affected versions and mitigation information, can be obtained within Tanium’s Support Portal or by contacting your TAM.
Tools Versions
- Includes Threat Response CX binary: 1.12.923
- Includes Recorder Tool (Installer): 3.12.27
- Includes Recorder binary: 2.10.840
- Includes Driver Tool (Installer): 3.12.27
- Includes Driver binary: 3.2.84
- Includes Index binary: 3.3.2634
- Includes Stream: 1.7.10
- Includes pycx: 2.5.1019
- Includes python38: 3.1.43
- Includes python27: 2.1.24
- Includes Incident Response: 6.6.31
Known Issues
- SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
- When quarantine rules block the ICMP protocol, MTU negotiation packets can be blocked when the size of a packet sent by the endpoint is larger than the MTU allowed by the router. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint to report that the packet is too large and advise lowering the permissible MTU size. If that negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
- The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura due to a change by Apple in where this information is stored.
- At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) endpoints. Memory collection and Live Response are not supported. This support will be provided in a future version of Threat Response.
- When deleting Notifications from the Management > System Notifications page, if you apply filters and select to delete multiple notifications that match the filter criteria, all notifications are deleted. This is a known issue and will be resolved in a future version of Threat Response.
- On macOS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.
Tanium Threat Response 4.0.1104
Release Date: 13 June 2023
Upgrade Notes
- Threat Response 4.0.1104 upgrades will fail with an "Import – Dependency Check error" if a version of Threat Response that isn’t supported is currently installed. In this case, please review the upgrade notes and follow the required upgrade path.
- If using Tanium Server version 7.5.6, you must be on 7.5.6.1087 or higher to prevent an issue where upgrades to Threat Response 4.0 will not complete successfully.
- Upgrades to Threat Response 4.0 are only possible from Threat Response 3.8 or 3.10. Due to database schema changes during the migration, it is NOT possible to upgrade directly from Threat Response 3.7 (or earlier) to Threat Response 4.0. If you upgrade directly from 3.7 (or earlier) to Threat Response 4.0, the upgrade will fail, and you will need to recover Threat Response from a backup.
Fixes
- Fixes the possibility of a rare Tanium Driver crash on Windows.
- Fixes an issue where Hyper-V application crash events may occur in the Windows Application Event log or VMs may fail to start when Tanium Driver Process Injection Monitoring is enabled.
- Fixes an issue where On-Demand Scans did not search Tanium Recorder and live file data.
- Fixes an issue where when pivoting to a live connection from an alert, the live connection would filter to the latest process to reuse the PID as opposed to the correct process that was alerted on.
- Fixes an issue where unzipping an events export from a Process Tree in a direct connection would result in an empty file.
- Fixes an issue where alert pruning was not turned on by default in Tanium Cloud environments for new Threat Response installations.
- Fixes an issue where Deep Instinct and Defender alerts were incorrectly being throttled by service throttles.
- Fixes an issue where ISO mount registry events on Windows were not recorded.
- Fixes an issue where Recorder on Windows could hold certain binary files open and prevent that file from being deleted.
- Fixes a Tanium Driver compatibility issue with Cisco AMP when Tanium process injection monitoring is enabled.
Security update
- This release includes security updates. Details of the issue, including affected versions and mitigation information, can be obtained within Tanium’s Support Portal or by contacting your TAM.
Tools Versions
- Includes Threat Response CX binary: 1.12.921
- Includes Recorder Tool (Installer): 3.12.23
- Includes Recorder binary: 2.10.840
- Includes Driver Tool (Installer): 3.12.23
- Includes Driver binary: 3.2.76
- Includes Index binary: 3.3.2634
- Includes Stream: 1.7.10
- Includes pycx: 2.5.1019
- Includes python38: 3.1.43
- Includes python27: 2.1.24
- Includes Incident Response: 6.6.30
Known Issues
- There is currently a Tanium Driver compatibility issue with Carbon Black's Parity service when Carbon Black anti-tamper is enabled. A fix for this issue is being researched.
- SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
- When quarantine rules block the ICMP protocol, MTU negotiation packets can be blocked when the size of a packet sent by the endpoint is larger than the MTU allowed by the router. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint to report that the packet is too large and advise lowering the permissible MTU size. If that negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
- The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura due to a change by Apple in where this information is stored.
- At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) endpoints. Memory collection and Live Response are not supported. This support will be provided in a future version of Threat Response.
- Threat Response installation in TanOS AirGap environments can fail due to unprintable characters in the ThreatResponse.xml file. This is fixed in 4.0.1113+ and 4.2.21+.
- When deleting Notifications from the Management > System Notifications page, if you apply filters and select to delete multiple notifications that match the filter criteria, all notifications are deleted. This is a known issue and will be resolved in a future version of Threat Response.
- On macOS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.
Tanium Threat Response 4.0.1088
Release Date: 02 May 2023
Upgrade Notes
- If using Tanium Server version 7.5.6, you must be on 7.5.6.1087 or higher to prevent an issue where upgrades to Threat Response 4.0 will not complete successfully.
- Upgrades to Threat Response 4.0 are only possible from Threat Response 3.8 or 3.10. Due to database schema changes during the migration, it is NOT possible to upgrade directly from Threat Response 3.7 (or earlier) to Threat Response 4.0. If you upgrade directly from 3.7 (or earlier) to Threat Response 4.0, the upgrade will fail, and you will need to recover Threat Response from a backup.
Tools Versions
- Includes Threat Response CX binary: 1.12.919
- Includes Recorder Tool (Installer): 3.12.18
- Includes Recorder binary: 2.10.839
- Includes Driver Tool (Installer): 3.12.18
- Includes Driver binary: 3.2.63
- Includes Index binary: 3.3.2634
- Includes Stream: 1.7.10
- Includes pycx: 2.5.1019
- Includes python38: 3.1.43
- Includes python27: 2.1.24
- Includes Incident Response: 6.6.30
Improvements
- Added option to disable tracking of command-lines for forked processes on Linux.
- Added eBPF Support for Oracle Linux 8 & 9 on ARM.
- Added the option “Deploy as Service Account” in settings to always deploy Threat Response profiles with System User Service (SUS) permissions. This can help ensure systems are always targeted, even if a user’s computer group management rights are removed or restricted in the future. Note: If the “Deploy as Service Account” setting is enabled, all users who deploy profiles must have unrestricted computer group management rights or management rights to “All Computers”. If the “Deploy as Service Account” setting is not enabled, all users who deploy profiles must have unrestricted computer group management rights, management rights to “All Computers”, or management rights to all computer groups in the profile(s) the user is trying to deploy.
Fixes
- Fixes an issue where Threat Response profiles could be set to Not Configured on endpoints if the user that deployed the profile(s) had computer group management rights permissions removed after the profiles were deployed.
- Fixes an issue where a timeout could occur when loading the security events tab in a live connection for an endpoint with a large number of security events.
- Fixes an issue in Connect where the Tanium Detect Event Group has been renamed to Tanium Threat Response.
- Fixes an issue where the API documentation stated that ID is a Number, but the route returned the error '"id" must be a string'.
- Fixes an issue where the AutoRun Program Details sensor did not return all findings for HKCU.
- Fixes an issue where the MITRE Techniques value was empty in Connect events.
- Fixes an issue where the Time to Remediation Alerts Dashboard Panel was not displaying correctly.
- Fixes an issue where certain registry events were not recorded when mounting an ISO.
Known Issues
- There is currently a Tanium Driver compatibility issue with Cisco AMP when Tanium process injection monitoring is enabled. This issue is fixed in Threat Response 4.0.1099+.
- There is currently a Tanium Driver compatibility issue with Carbon Black's Parity service when Carbon Black anti-tamper is enabled. A fix for this issue is being researched.
- SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
- When quarantine rules block the ICMP protocol, MTU negotiation packets can be blocked when the size of a packet sent by the endpoint is larger than the MTU allowed by the router. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint to report that the packet is too large and advise lowering the permissible MTU size. If that negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
- The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura due to a change by Apple in where this information is stored.
- On-demand scans for IOCs created from a hash only search content from Tanium Index and do not search content from the Recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.
- At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) endpoints. Memory collection and Live Response are not supported. This support will be provided in a future version of Threat Response.
- Threat Response installation in TanOS AirGap environments can fail due to unprintable characters in the ThreatResponse.xml file. This is fixed in 4.0.1113+ and 4.2.21+.
- When deleting Notifications from the Management > System Notifications page, if you apply filters and select to delete multiple notifications that match the filter criteria, all notifications are deleted. This is a known issue and will be resolved in a future version of Threat Response.
- On macOS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.
Tanium Threat Response 4.0.1077
Release Date: 11 April 2023
Upgrade Notes
- If using Tanium Server version 7.5.6, you must be on 7.5.6.1087 or higher to prevent an issue where upgrades to Threat Response 4.0 will not complete successfully.
- Upgrades to Threat Response 4.0 are only possible from Threat Response 3.8 or 3.10. Due to database schema changes during the migration, it is NOT possible to upgrade directly from Threat Response 3.7 (or earlier) to Threat Response 4.0. If you upgrade directly from 3.7 (or earlier) to Threat Response 4.0, the upgrade will fail, and you will need to recover Threat Response from a backup.
Improvements
- In Tanium Interact, the EID sensor "Computer Serial Number" has been replaced with "Endpoint Fingerprint".
- The "stored alert" log has been moved from the debug to trace level to provide more efficient logging.
Fixes
- Fixes an issue where Threat Response failed to delete a response action that was already removed and console users would see repetitive errors for "Task Failed: Response Action" (Unable to Destroy Saved Action).
- Fixes a potential issue with gathering alerts on Windows modules servers when suppression rules were being applied. After upgrading from an older THR 4.0 version to 4.0.1077 or newer, some older alerts may be retroactively gathered for any impacted intel documents.
- Fixes an issue where Deep Instinct Alerts could be ignored for event: Type 1/Cause 46.
- Fixes an issue where Intel is unable to be deployed if a Detection configuration has a Reputation Source added and a label is included.
- Fixes an issue where when deleting filtered lists of System Notifications, the success or failure of the delete notification inaccurately displayed the unfiltered count of system notifications.
- Fixes an issue where documentation for the On-Demand Scan API was missing from 4.0 API Doc.
- Fixes an RBAC issue where Users/personas with the Threat Response Operator Role and explicitly defined computer groups in their management rights are unable to create, edit, or deploy profiles that are within their scope.
- Fixes an RBAC issue where the Threat Response System User Service did not have sufficient privileges to gather findings if Tanium Default Content was moved to a custom content set.
- Fixes an issue where PowerShell scripts in the Threat Response - Live Response [Windows] package were not signed.
- Fixes an issue where false negatives could occur during On-Demand Scans of Signals due to a syntax error.
- Fixes a rare issue with Tanium Driver 3.2 where certain USB devices may stop working.
Tools Versions
- Includes Threat Response CX binary: 1.12.919
- Includes Recorder Tool (Installer): 3.12.16
- Includes Recorder binary: 2.10.829
- Includes Driver Tool (Installer): 3.12.16
- Includes Driver binary: 3.2.63
- Includes Index binary: 3.3.2634
- Includes Stream: 1.7.10
- Includes pycx: 2.5.1019
- Includes python38: 3.1.43
- Includes python27: 2.1.44
- Includes Incident Response: 6.6.22
Known Issues
- There is currently a Tanium Driver compatibility issue with Cisco AMP when Tanium process injection monitoring is enabled. This issue is fixed in Threat Response 4.0.1099+.
- There is currently a Tanium Driver compatibility issue with Carbon Black's Parity service when Carbon Black anti-tamper is enabled. A fix for this issue is being researched.
- SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
- When quarantine rules block the ICMP protocol, MTU negotiation packets can be blocked when the size of a packet sent by the endpoint is larger than the MTU allowed by the router. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint to report that the packet is too large and advise lowering the permissible MTU size. If that negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
- The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura due to a change by Apple in where this information is stored.
- On-demand scans for IOCs created from a hash only search content from Tanium Index and do not search content from the Recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.
- At this time, Threat Response is not supported on RHEL/OEL 9.x (ARM and x86) endpoints. This support will be provided in a future version of Threat Response.
- Threat Response installation in TanOS AirGap environments can fail due to unprintable characters in the ThreatResponse.xml file. This is fixed in 4.0.1113+ and 4.2.21+.
- When deleting Notifications from the Management > System Notifications page, if you apply filters and select to delete multiple notifications that match the filter criteria, all notifications are deleted. This is a known issue and will be resolved in a future version of Threat Response.
- On macOS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.
Tanium Threat Response 4.0.1048
Release Date: 14 March 2023
Upgrade Notes
- If using Tanium Server version 7.5.6, you must be on 7.5.6.1087 or higher to prevent an issue where upgrades to Threat Response 4.0 will not complete successfully.
- Upgrades to Threat Response 4.0 are only possible from Threat Response 3.8 or 3.10. Due to database schema changes during the migration, it is NOT possible to upgrade directly from Threat Response 3.7 (or earlier) to Threat Response 4.0. If you upgrade directly from 3.7 (or earlier) to Threat Response 4.0, the upgrade will fail, and you will need to recover Threat Response from a backup.
Improvements
- High-volume log messages have been converted into metrics.
- Snapshot capture reliability has been increased.
- Increases the reliability of Intel database generation.
Fixes
- Fixes an issue with YARA scans on macOS for live files or memory.
- Fixes regex matching on suppression rules.
- Fixes an issue where upgrades failed due to corrupt Intel documents.
- Fixes an issue where recorder could cause high memory or CPU utilization on RHEL 7 systems when tracking large numbers of ephemeral threads.
- Fixes an issue where on Linux endpoints using audispd as the event source, TaniumAuditPipe is unable to load audit events.
- Fixes an issue where Recorder database views might not be created.
Tools Versions
- Includes Threat Response CX binary: 1.12.915
- Includes Recorder Tool (Installer): 3.12.15
- Includes Recorder binary: 2.10.829
- Includes Driver Tool (Installer): 3.12.13
- Includes Driver binary: 3.2.57
- Includes Index binary: 3.3.2634
- Includes Stream: 1.7.10
- Includes pycx: 2.5.1019
- Includes python38: 3.1.43
- Includes python27: 2.1.44
- Includes Incident Response: 6.6.22
Security update
- This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium’s Support Portal, or by contacting your TAM.
Known Issues
- There is a rare issue with Tanium Driver 3.2 where certain USB devices may stop working. This is fixed in Threat Response 4.0.1077+.
- There is currently a Tanium Driver compatibility issue with Cisco AMP when Tanium process injection monitoring is enabled. This issue is fixed in Threat Response 4.0.1099+.
- There is currently a Tanium Driver compatibility issue with Carbon Black's Parity service when Carbon Black anti-tamper is enabled. A fix for this issue is being researched.
- If using Tanium Server version 7.5.6, you must be on 7.5.6.1087 or higher to prevent an issue where upgrades to Threat Response 4.0 will not complete successfully.
- SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
- When quarantine rules block the ICMP protocol, MTU negotiation packets can be blocked when the size of a packet sent by the endpoint is larger than the MTU allowed by the router. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint to report that the packet is too large and advise lowering the permissible MTU size. If that negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
- The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura due to a change by Apple in where this information is stored.
- On-demand scans for IOCs created from a hash only search content from Tanium Index and do not search content from the Recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.
- At this time, Threat Response is not supported on RHEL/OEL 9.x (ARM and x86) endpoints. This support will be provided in a future version of Threat Response.
- Threat Response installation in TanOS AirGap environments can fail due to unprintable characters in the ThreatResponse.xml file. This is fixed in 4.0.1113+ and 4.2.21+.
- When deleting Notifications from the Management > System Notifications page, if you apply filters and select to delete multiple notifications that match the filter criteria, all notifications are deleted. This is a known issue and will be resolved in a future version of Threat Response.
- On macOS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.
Tanium Threat Response 4.0.1033
Release Date: 28 February 2023
Important Notes
- This Threat Response release is focused on the end of life of Detect.
Upgrade Notes
- Upgrades to Threat Response 4.0 are only possible from Threat Response 3.8 or 3.10. Due to database schema changes during the migration, it is NOT possible to upgrade directly from Threat Response 3.7 (or earlier) to Threat Response 4.0. If you upgrade directly from 3.7 (or earlier) to Threat Response 4.0, the upgrade will fail, and you will need to recover Threat Response from a backup.
- If using Tanium Server version 7.5.6, you must be on 7.5.6.1087 or higher to prevent an issue where upgrades to Threat Response 4.0 will not complete successfully.
- This version of Tanium Threat Response deprecates support for the legacy Detect service and database.
- In this release of Threat Response, the Detect and Event services are deprecated and replaced by the Threat Response service. The integration with the Threat Response service and the Threat Response Client Extension on the endpoints provides performance improvements and provides a platform for future capability, intelligence, and workflows around intel and alerting.
- This release of Threat Response includes API changes that require customers and partners to reconfigure API integrations. The API data format may be changed for many existing routes. Most of these changes have been made for consistency in what each API returns. From the Threat Response Workbench, click Help > API > See API documentation to review the Threat Response 4.0 API documentation to adjust your integrations appropriately.
- Threat Response 4.0 API Migration Community Article: https://community.tanium.com/s/article/Threat-Response-THR-Version-4-0-API-Changes
- Threat Response Audit data has been consolidated and updated to use the Connect Source: "Tanium Threat Response" - Type: "Audit Report".
- Threat Response 4.0 requires Secrets 1.0.185 or later.
New Features
- Threat Response now uses the System User Service to manage service credentials.
- Provides the ability for a user to take an action (for example, Delete, Export, or Assign to Workbench Source) on multiple applicable items in the Intel Document list.
- Provides numerous improvements with the performance of Threat Response sensors on endpoints.
- Profiles can now handle deleted computer groups.
Tools Versions
- Includes Threat Response CX binary: 1.12.900
- Includes Recorder Tool (Installer): 3.12.13
- Includes Recorder binary: 2.10.822
- Includes Driver Tool (Installer): 3.12.13
- Includes Driver binary: 3.2.57
- Includes Index binary: 3.3.2623
- Includes Stream: 1.7.9
- Includes core-python: 2.2.23
- Includes Incident Response: 6.6.22
Improvements
- After Threat Response upgrades, users are no longer prompted to redeploy profiles unless there are undeployed profile configuration changes since the last Threat Response upgrade. On-premises environments must still redeploy profiles after Threat Response upgrades if automatic tools deployment is turned off.
- The Threat Response service now pushes new alerts to Tanium Connect in batches every five minutes.
- Improved behavior to limit memory usage when performing memory scoped YARA scans.
- Provides more verbose messaging when Threat Response profiles cannot be deployed.
- In the saved evidence page, snapshots in progress are no longer visible for computer groups that the current persona does not have access to.
- Tanium YARA scans have been improved to review both resident and paged memory sizes. The maximum size of processes to scan has been increased to 256 MB from 64 MB. This ensures that processes with significant memory mapped to disk, but with small active footprints, do not flood endpoint resources by paging in all mapped memory from large latent processes.
- Threat Response audit data has been consolidated to the Threat Response Connect Audit Feed. The "All Events" source is no longer used for Threat Response audit data.
- The intel documents page is improved to restrict any workflows that are unactionable by the user.
- Makes the labels and intel counts links on the profiles page more intuitive.
- Adds Threat Response audit report events to identify when an Intel document label was modified.
- Increases the size of the Computer Group filters field on the On-Demand scans page.
- The Endpoint Throttling notification now shows the Intel document name.
- Removes the Threat Response Health Check Saved Questions and Sensor.
- Adds support for a Registry operation property in Signal definitions.
- Updates the Tanium Default macOS Symantec Filter.
- Identifies profiles that have deleted computer groups assigned and provides the ability for a user to fix a profile that refers to deleted computer groups.
- Adds Asset Criticality information to Threat Response alerts.
- The Threat Response status sensor now includes sensor definitions for AIX and Solaris.
- Adds a pending approval state to response actions.
- Removes the "Top 5 Endpoints with the Highest Number of Unresolved Alerts" section of the overview page.
- Adjusts the retention time for unacknowledged alerts to one year.
- Improves Reputation Alerts to handle scenarios where certain hash algorithms match.
- Provides a new Index sensor that returns the top directories that are indexed by count across the environment.
- Improves Index to query the disk after deduplicating file events from Recorder when High Priority paths are in use.
- Adds SHA1 and SHA256 hash support to Recorder Process and Library Events.
- Adds ProcessItem/UserID terms to OpenIOC support.
- Updates the CX Status Sensor to display Threat Response Profiles ID and Revision output grouped together.
- Displays the applied Threat Response profile in the default Threat Response client extension log level.
- Displays container information for Index results in ZIP files in advanced details of Threat Response alerts.
Fixes
- Adds documentation for the registry operation and network operation Signal terms in the Tanium Threat Response Intel Support document.
- Fixes an issue where alerts with responsible process did not automatically open the responsible process as the default process tree.
- Fixes an issue where Connect jobs using the Threat Response event source would stop sending alerts due to an out-of-scope timestamp.
- Fixes an issue where suppression rules edited from an Intel document could unintentionally be deleted when using Filters and the Select All checkbox.
- Fixes an issue where the Threat Response - Acknowledge Findings package could use excessive CPU and timeout when running on endpoints with a large number of findings.
- Fixes an issue where the intel document definition for existing alerts is changed when the source intel definition is changed.
- Fixes an issue where filter counts for Intel documents were not updated when filtering by platform or time range.
- Fixes an issue where multiple levels of sorting did not work correctly when browsing live file events.
- Fixes an issue where time zones were being used inconsistently on the Intel documents page.
- Fixes an issue where the Threat Response workbench could allow the creation of an invalid IOC normalized tree.
- Fixes an issue where the alerts count in the system notifications page did not display plural counts.
- Fixes an issue where an error could occur while writing Reputation hashes to the database.
- Fixes an issue where Threat Response could generate alerts on hashes that are included in the allow list in Reputation.
- Fixes an issue where links to Intel documents are not fully underlined in the Intel documents view.
- Fixes an issue where a collapsed section was not displayed in the advanced details section for alerts.
- Fixes an issue in the API documentation where the call to Reputation integration was incorrect.
- Fixes an issue where a Read Only user could ask questions in Enterprise Hunting.
- Fixes an issue where the technique for Process Injection was being rendered as the Intel document name.
- Fixes help text in a Live Connection dialog that referenced an incorrect button.
- Fixes an issue with the alerts page that could load all intel when no alerts were being viewed.
- Fixes an issue where a user could select an intel-specific suppression rule without selecting an intel document, and click Save.
- Fixes an issue in the filters page where the Select All button would prompt to delete all filters when a grid filter was applied.
- Fixes an issue in the filters page where the Delete button only deletes a maximum of 100 filters when a higher number of filters is selected.
- Fixes a display issue in the Saved Evidence page where the username and actions content could overlap.
- Fixes a typo in the output of the Generate Autorun Cache package script.
- Fixes an issue where the live connection combined search results could be incorrect if a filter was applied before the results were loaded.
- Fixes an issue in the API documentation where the overrideScanBlockout documentation was incorrect.
- Fixes an issue with the Configurations and Profiles pages to reposition the Use UTC checkbox above the scan blockout control.
- Fixes an issue where the name of the Enforcement created in the Remediate in Enforce response actions is left blank.
- Fixes an issue where the Trace Logon Events sensor applies filter parameters to the wrong query column.
- Fixes an issue where the Trace Loaded Drivers sensor uses the wrong string table in the CTE filter for the DriverPath parameter.
- Fixes an issue where the Trace Network Connections sensor did not always return the maximum results when "Make Stackable" was selected.
- Fixes a display issue with the way target and actor processes are displayed in process injection alerts.
- Fixes an issue with alert details where file events could be duplicated in the alert details.
- Fixes an issue with the Trace Loaded Drivers sensor that used an invalid CTE filter when only filtering on signature status.
- Fixes an issue with the Trace Registry sensor where it filtered username against the wrong column when using the CTE filter.
- Fixes an issue with the Trace Network Connections sensor where it could return duplicate results when MakeStackable is selected.
- Fixes an issue with the Trace Executed Process Trees sensor where it did not return a Yes or No result when "Output only yes or no" is selected.
- Fixes an issue where removing a label from all shown results from a different filtered label would only remove 100 labels.
- Fixes an issue where the description of the Workbench intel source mentioned the Detect workbench.
- Fixes an issue in the alerts results where single line ancestry is not visible.
- Clarifies computer group targeting information in the On-Demand scan information dialog.
- Fixes an issue where the Threat Response EID (Endpoint ID) manager becomes unresponsive after an error.
- Fixes an issue where the signal grouping syntax could become incorrect when modifying Signals or filters.
- Fixes an error where saved action exports could fail because Threat Response created hourly Saved Actions for Threat Response - Acknowledge Findings.
- Fixes an issue where Impact Details information was missing from process injection alerts.
- Fixes an issue where alerts were not returned for live processes.
- Fixes a display issue where download buttons were shown inconsistently in the Saved Evidence page.
- Fixes an issue where OneDrive remote files could be erroneously marked as local and indexed on macOS.
- Fixes an issue where the Index database could become corrupted and not recover automatically.
- Fixes an issue where using the Index - File Details sensor to retrieve the contents of a directory could return a result of "No Results Found".
- Fixes an issue where the recorder could display blank processes for system (PID 4) processes on Windows.
- Fixes an issue where the recorder could record invalid user IDs on Windows endpoints.
- Fixes an issue where the recorder could record file event timestamps out of sync from macOS endpoints.
- Fixes an issue where there could be a delay in updating the index initial scan complete value until the client was reset on the endpoint.
- Fixes an issue where there could be an error starting a continuous hunt.
- Fixes an issue where an incorrect Signal term property was expected for a group name.
- Fixes an issue where endpoint must-gather collections encountered errors when attempting to collect legacy Index data.
- Fixes an issue where Threat Response did not alert on Live Processes by nested properties.
- Fixes an issue where profiles did not apply if the Windows PATHEXT environment variable was missing the .bat extension.
Security update
- This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.
Known Issues
- There is a rare issue with Tanium Driver 3.2 where certain USB devices may stop working. This is fixed in Threat Response 4.0.1077+.
- There is currently a Tanium Driver compatibility issue with Cisco AMP when Tanium process injection monitoring is enabled. This issue is fixed in Threat Response 4.0.1099+.
- There is currently a Tanium Driver compatibility issue with Carbon Black's Parity service when Carbon Black anti-tamper is enabled. A fix for this issue is being researched.
- If using Tanium Server version 7.5.6, you must be on 7.5.6.1087 or higher to prevent an issue where upgrades to Threat Response 4.0 will not complete successfully.
- SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
- When quarantine rules block the ICMP protocol, MTU negotiation packets can be blocked when the endpoint's packet size is larger than the router's allowed MTU. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint identifying that the packet is too large and advising it to lower the permissible MTU size. If that negotiation packet cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disabling ICMP traffic while quarantined should only be done after proper testing.
- The macOS Autoruns Sensor does not properly parse autorun information on macOS 13 Ventura due to a change by Apple in where this information is stored.
- On-demand scans for IOCs created from a hash only search content from Tanium Index and do not search content from the recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.
- Suppression rules that use regular expressions to match Process MD5 do not work correctly. This is a known issue and will be addressed in a future version of Threat Response.
- On Linux endpoints using audispd as the event source, TaniumAuditPipe is unable to load audit events. This is a known issue and will be addressed in a future version of Threat Response. For more information about how to determine which endpoints use audispd as an event source, see the flowchart for Linux endpoints at https://docs.tanium.com/recorder/recorder/overview.html.
- Threat Response installation in TanOS AirGap environments can fail due to unprintable characters in the ThreatResponse.xml file. This is fixed in 4.0.1113+ and 4.2.21+.
- Upgrades to Threat Response version 4.0 will not completely update if the version of the Tanium Server is 7.5.6.1067.
- At this time, Threat Response is not supported on RHEL/OEL 9.x (ARM and x86) endpoints. This support will be provided in a future version of Threat Response.
- When deleting Notifications from the Management > System Notifications page, if you apply filters and select to delete multiple notifications that match the filter criteria, all notifications are deleted. This is a known issue and will be resolved in a future version of Threat Response.
- On macOS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.