IMPORTANT: This site is planned to be decommissioned in 2026. Visit the Tanium Resource Center for all Tanium release notes, user guides, and support information. To view release notes in the Resource Center, see Tanium Release Notes.
IMPORTANT: If you are using semi-annual releases for on premises, see the Release notes for 2024H1 semiannual release, Release notes for 2024H2 semiannual release, or Release notes for 2025H1 semiannual release on the Tanium Resource Center.
Effective October 15, 2024: On prem release notes on the Tanium Knowledge Base are frozen. For release notes related to 7.4 or 7.5 Server and Solutions, see the Monthly updates for Tanium Version 7.4 and 7.5 Server and Solutions on the Tanium Resource Center.

Release Notes Threat Response (Version 4.3)

From Tanium Knowledge Base

Tanium Threat Response 4.3.326

Release Date: 17 June 2024

Upgrade Notes

  • Tanium Server version 7.6+ is compatible only with Threat Response 4.3+. It is recommended that Threat Response 4.3+ be installed prior to upgrading to Tanium Server version 7.6+.
  • Threat Response upgrades will fail with an "Import – Dependency Check error" if a version of Threat Response that isn’t supported is currently installed. In this case, please review the upgrade notes and follow the required upgrade path.
  • If using Tanium Server version 7.5.6, you must be on 7.5.6.1087 or higher to prevent an issue where upgrades to Threat Response 4.0+ will not complete successfully.
  • Required Upgrade Path for Threat Response:
    • Please review and follow the required Threat Response upgrade path below to avoid upgrade failures.
    • 3.7 (or lower) ---> 3.8 or 3.10 ---> 4.0 or 4.2 ---> 4.3

Important Notes

  • Threat Response 4.3.326 is available as XML and not available from the Tanium Solutions page. To upgrade to Threat Response 4.3.326, contact your TAM.

Endpoint Configuration Toolset

Fixes

  • Fixes an issue reported in limited customer environments related to the installation of Microsoft Patch KB5037771. Please refer to the article on the Tanium Resource Center for more information.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, path MTU negotiation packets can be blocked when the endpoint's MTU is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint indicating that the packet is too large and advising it to lower the permissible MTU. If that negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns Sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On macOS 13.4+, YARA memory scanning is limited to unsigned processes only. This is a known issue and will be addressed in a future release of Threat Response.
  • In Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that Intel Document. This will be addressed in a future version of Threat Response.
  • macOS 14 recorder support currently requires a package to be run to re-enable BSM. This will be addressed in a future recorder update.
  • At this time, the coverage metric does not work; it will be fixed or removed in a later release.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.

Tanium Threat Response 4.3.235

Release Date: 28 May 2024

Upgrade Notes

  • Tanium Server version 7.6+ is only compatible with Threat Response 4.3+. It is recommended that Threat Response 4.3+ be installed prior to upgrading to Tanium Server version 7.6+.
  • Threat Response upgrades will fail with an "Import – Dependency Check error" if a version of Threat Response that isn’t supported is currently installed. In this case, please review the upgrade notes and follow the required upgrade path.
  • If using Tanium Server version 7.5.6, you must be on 7.5.6.1087 or higher to prevent an issue where upgrades to Threat Response 4.0+ will not complete successfully.
  • Required Upgrade Path for Threat Response
    • Please review and follow the required Threat Response upgrade path below to avoid upgrade failures.
    • 3.7 (or lower) ---> 3.8 or 3.10 ---> 4.0 or 4.2 ---> 4.3

Important Notes

  • Threat Response 4.3.235 is available as XML and not available from the Tanium Solutions page. To upgrade to Threat Response 4.3.235, contact your TAM.

Fixes

  • Fixes an issue where Threat Response could fail to start because of a foreign key issue.
  • Fixes an issue where Threat Response could fail to upgrade because of an RDB migration issue.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, path MTU negotiation packets can be blocked when the endpoint's MTU is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint indicating that the packet is too large and advising it to lower the permissible MTU. If that negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns Sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On macOS 13.4+, YARA memory scanning is limited to processes without hardened runtimes only. This is a known issue and will be addressed in a future release of Threat Response.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.

Tanium Threat Response 4.3.219

Release Date: 24 October 2023

Upgrade Notes

  • Tanium Server version 7.6+ is only compatible with Threat Response 4.3+. It is recommended that Threat Response 4.3+ be installed prior to upgrading to Tanium Server version 7.6+.
  • Threat Response upgrades will fail with an "Import – Dependency Check error" if a version of Threat Response that isn’t supported is currently installed. In this case, please review the upgrade notes and follow the required upgrade path.
  • If using Tanium Server version 7.5.6, you must be on 7.5.6.1087 or higher to prevent an issue where upgrades to Threat Response 4.0+ will not complete successfully.
  • Required Upgrade Path for Threat Response
    • Please review and follow the required Threat Response upgrade path below to avoid upgrade failures.
    • 3.7 (or lower) ---> 3.8 or 3.10 ---> 4.0 or 4.2 ---> 4.3

Important Notes

  • The “Threat Response – Status” sensor is now deprecated and will no longer be supported in future versions of Threat Response. The “Threat Response – Status” sensor has been replaced with the “Client Extensions – Status” sensor to provide detailed endpoint health information and potential remediation steps.

Fixes

  • Fixes an issue with Live Response where AutoRuns collection could fail on macOS 14 endpoints.
  • Fixes an issue where the AutoRuns Sensor was not working correctly for macOS 13 and 14 endpoints.
  • Fixes an issue where migrating database contents from SQLite to RDB could fail if a row size exceeded the maximum of 2712.

Tools Versions

  • Includes Threat Response Tools: 4.3.219
  • Includes Threat Response CX binary: 1.13.1153
  • Includes Recorder Tool (Installer): 3.14.28
  • Includes Recorder binary: 2.11.1584
  • Includes Driver Tool (Installer): 3.14.28
  • Includes Driver binary: 3.3.30
  • Includes Index binary: 3.5.1727
  • Includes Stream: 2.0.955
  • Includes python38: 3.2.6
  • Includes Incident Response: 6.7.13

Security Updates

  • Upgraded various third-party libraries to newer versions.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, path MTU negotiation packets can be blocked when the endpoint's MTU is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint indicating that the packet is too large and advising it to lower the permissible MTU. If that negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns Sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On macOS 13.4+, YARA memory scanning is limited to processes without hardened runtimes only. This is a known issue and will be addressed in a future release of Threat Response.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.

Tanium Threat Response 4.3.214

Release Date: 10 October 2023

Upgrade Notes

  • Tanium Server version 7.6+ is only compatible with Threat Response 4.3+. It is recommended that Threat Response 4.3+ be installed prior to upgrading to Tanium Server version 7.6+.
  • Threat Response upgrades will fail with an "Import – Dependency Check error" if a version of Threat Response that isn’t supported is currently installed. In this case, please review the upgrade notes and follow the required upgrade path.
  • If using Tanium Server version 7.5.6, you must be on 7.5.6.1087 or higher to prevent an issue where upgrades to Threat Response 4.0+ will not complete successfully.
  • Required Upgrade Path for Threat Response
    • Please review and follow the required Threat Response upgrade path below to avoid upgrade failures.
    • 3.7 (or lower) ---> 3.8 or 3.10 ---> 4.0 or 4.2 ---> 4.3

Important Notes

  • The “Threat Response – Status” sensor is now deprecated and will no longer be supported in future versions of Threat Response. The “Threat Response – Status” sensor has been replaced with the “Client Extensions – Status” sensor to provide detailed endpoint health information and potential remediation steps.

Improvements

  • Sets the max_string_age_minutes setting to 6 hours for the “Threat Response - Gather Findings”, “Threat Response - Count Findings”, and “Threat Response - Groupings With Findings” sensors.

Fixes

  • Fixes an issue where sorting System Notifications by Event Time was not working correctly.
  • Improves an error message in the suppression rules modal.
  • Fixes an issue where the TPA (Tanium Persistence Analyzer) Scan Frequency setting defaulted to 1 hour. The TPA scan frequency is now set to 1 day by default.
  • Fixes an issue where the Outbound Impact column in the alerts grid was not being populated.
  • Fixes an issue where files with the type of "other" were not displayed in the Direct Connect file browser.
  • Fixes an issue where alerts could be missing the EID value if TDS returned “[hash collision detected]” for Computer ID.
  • Fixes an issue where Threat Response could not import Signals with unknown fields.

Tools Versions

  • Includes Threat Response Tools: 4.3.214
  • Includes Threat Response CX binary: 1.13.1153
  • Includes Recorder Tool (Installer): 3.14.28
  • Includes Recorder binary: 2.11.1584
  • Includes Driver Tool (Installer): 3.14.28
  • Includes Driver binary: 3.3.30
  • Includes Index binary: 3.5.1727
  • Includes Stream: 2.0.952
  • Includes python38: 3.2.6
  • Includes Incident Response: 6.7.11

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, path MTU negotiation packets can be blocked when the endpoint's MTU is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint indicating that the packet is too large and advising it to lower the permissible MTU. If that negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns Sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • When deleting Notifications from the Management > System Notifications page, if you apply filters and select to delete multiple notifications that match the filter criteria, all notifications are deleted. This is a known issue and will be resolved in a future version of Threat Response.
  • On macOS 13.4+, YARA memory scanning is limited to processes without hardened runtimes only. This is a known issue and will be addressed in a future release of Threat Response.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.
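The ICMP quarantine known issue that appears in each release's Known Issues section above describes Path MTU Discovery (PMTUD, RFC 1191) failing: the router drops an oversized packet and answers with an ICMP "Fragmentation Needed" message, and if the quarantine discards that message the endpoint never learns the smaller MTU and goes silent. The following simulation is an added example written for this page, not Tanium code; the `QuarantinePolicy`, `Router` and `Endpoint` classes, the MTU values and the `icmp_exceptions` allow-list are all constructed. Whether Threat Response quarantine rules can express an exception for ICMP type 3 code 4 is not stated on the page, so that branch illustrates general PMTUD behaviour rather than a product setting.

```python
"""Constructed simulation of Path MTU Discovery and the ICMP black-hole
failure mode: block all ICMP in a quarantine and large packets are lost
silently. MTU values are sample values, not Tanium defaults."""
from dataclasses import dataclass

IP_HEADER_LEN = 20          # bytes of IPv4 header on every datagram
ICMP_FRAG_NEEDED = (3, 4)   # ICMP type 3 (Destination Unreachable), code 4


@dataclass
class QuarantinePolicy:
    """Stand-in for a quarantine rule set; only the ICMP decision is modelled."""
    block_icmp: bool
    # (type, code) pairs still admitted when ICMP is otherwise blocked.
    # Assumption for illustration: a real rule set may or may not allow this.
    icmp_exceptions: frozenset = frozenset()

    def admits_icmp(self, icmp_type: int, icmp_code: int) -> bool:
        return not self.block_icmp or (icmp_type, icmp_code) in self.icmp_exceptions


@dataclass
class Router:
    link_mtu: int

    def forward(self, size: int, df: bool):
        """Return ("forwarded", None), ("icmp", next_hop_mtu) or ("fragmented", None)."""
        if size <= self.link_mtu:
            return ("forwarded", None)
        if df:
            # Too big with Don't-Fragment set: drop it and report the link MTU.
            return ("icmp", self.link_mtu)
        return ("fragmented", None)


@dataclass
class Endpoint:
    policy: QuarantinePolicy
    path_mtu: int = 1500    # PMTUD starts from the interface MTU

    def send(self, router: Router, payload_len: int, max_attempts: int = 4) -> dict:
        """Transmit one payload with DF set, shrinking path_mtu on ICMP feedback."""
        attempts = 0
        icmp_received = 0
        while attempts < max_attempts:
            attempts += 1
            size = min(payload_len + IP_HEADER_LEN, self.path_mtu)
            verdict, next_hop_mtu = router.forward(size, df=True)
            if verdict == "forwarded":
                return {"delivered": True, "attempts": attempts,
                        "path_mtu": self.path_mtu, "icmp_received": icmp_received}
            # The router emitted ICMP type 3 code 4; the quarantine decides its fate.
            if self.policy.admits_icmp(*ICMP_FRAG_NEEDED):
                icmp_received += 1
                self.path_mtu = next_hop_mtu    # PMTUD lowers the MTU and retries
            # Otherwise the ICMP is silently dropped: retransmit at the same size.
        return {"delivered": False, "attempts": attempts,
                "path_mtu": self.path_mtu, "icmp_received": icmp_received}


def simulate(block_icmp: bool, payload_len: int, exceptions=frozenset(),
             router_mtu: int = 1400) -> dict:
    """Run one send through a router whose link MTU is below the endpoint's."""
    endpoint = Endpoint(QuarantinePolicy(block_icmp, frozenset(exceptions)))
    return endpoint.send(Router(router_mtu), payload_len)


if __name__ == "__main__":
    print("ICMP allowed, large send:    ", simulate(False, 4000))
    print("ICMP blocked, large send:    ", simulate(True, 4000))
    print("ICMP blocked, small send:    ", simulate(True, 100))
    print("ICMP blocked, frag-needed ok:", simulate(True, 4000, {ICMP_FRAG_NEEDED}))
```

The small-payload case delivers on the first attempt even with ICMP fully blocked, which is why the issue only surfaces once traffic exceeds the router's MTU; a quarantine test that only exchanges small packets will not expose it.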

Tanium Threat Response 4.3.195

Release Date: 19 September 2023

Upgrade Notes

  • Tanium Server version 7.6+ is only compatible with Threat Response 4.3+. It is recommended that Threat Response 4.3+ be installed prior to upgrading to Tanium Server version 7.6+.
  • Threat Response upgrades will fail with an "Import – Dependency Check error" if a version of Threat Response that isn’t supported is currently installed. In this case, please review the upgrade notes and follow the required upgrade path.
  • If using Tanium Server version 7.5.6, you must be on 7.5.6.1087 or higher to prevent an issue where upgrades to Threat Response 4.0+ will not complete successfully.
  • Required Upgrade Path for Threat Response
    • Please review and follow the required Threat Response upgrade path below to avoid upgrade failures.
    • 3.7 (or lower) ---> 3.8 or 3.10 ---> 4.0 or 4.2 ---> 4.3

Important Notes

  • The “Threat Response – Status” sensor is now deprecated and will no longer be supported in future versions of Threat Response. The “Threat Response – Status” sensor has been replaced with the “Client Extensions – Status” sensor, which is now used to provide detailed endpoint health information and consistent reporting across all Tanium modules.

New Features

  • Provides a new “Context Analyzer” to enable intelligent workflows for learning more about artifacts of interest and their most recent activity across your entire environment. Context Analyzer provides a better way to view and organize data across Tanium Clients and enables you to correlate data points to determine how normal, or how much of an outlier, certain artifacts and their behavior are.
  • Index scan frequency, High Priority Path scan frequency, and Index first scan distribute over time settings can now be set per Threat Response profile. Index Scan settings have been moved from the top rail service settings to within Index configuration settings.
  • Provides the ability to export alert data from the Threat Response workbench to CSV format for up to 10,000 alerts at a time.
  • The Tanium Persistence Analyzer (TPA) executable has been converted to a client extension (CX) to improve performance. Windows Autoruns are now gathered and cached using Tanium Threat Response CX and CX resource throttling.
  • Provides the ability to view and edit the TPA (Tanium Persistence Analyzer) scan frequency separately in each Threat Response profile.
  • Provides the ability to download locked files from direct connection file browsing on Windows.
  • Provides visibility into quarantined endpoints and the ability to unquarantine endpoints from the Threat Response workbench overview page.
  • Provides eBPF support for Tanium Recorder on Oracle Enterprise Linux 8.7+/9.1+ UEK Kernel on ARM64 endpoints.
  • Provides the ability to have Threat Response automatically create and configure recommended default Saved Questions and Tanium Connect connections to populate Tanium Reputation with hashes from the environment in the settings page.
  • Stream CX has been rewritten from Python to C++ to support future enhancements.

Improvements

  • Migrates the Threat Response database to the Tanium RDB service.
  • Provides the ability in the Reputation source to automatically run an on-demand scan against a targeted computer group when new Reputation malicious hashes become available.
  • Sets the max_string_age_minutes setting to 6 hours for the “Threat Response - Gather Findings”, “Threat Response - Count Findings”, and “Threat Response - Groupings With Findings” sensors.
  • Tanium Signals from the Tanium Signal feed are now read-only except for label information.
  • Enables Threat Response Read-Only Users to use the Context Analyzer if they have the Interact Ask Dynamic Question permission.
  • The progress section of the Context Analyzer is no longer displayed when the results have reached 100% completion.
  • Upgraded various third-party libraries to newer versions.
  • When an endpoint has no matches for a Trace Sensor, the endpoint will now return "Search complete, no matches" instead of "No Results".
  • System Notifications filter now searches the notification details.
  • Numerous UI (User Interface) improvements for clarity and performance.
  • Adds SHA1 and SHA256 process hash information in the alert fly-out drawer.
  • Provides an online/offline status indication for endpoints on the alerts page.
  • Updates YARA integration to version 4.3.1.
  • Enables On-Demand scans for Tanium Signals that contain ancestry terms.
  • Updates to the Threat Response API documentation to include On-Demand scans.
  • User data has been added to the combined recorder events view in Direct Connections.
  • Process-Item IOC terms are now enhanced with recorder data to expand detections.
  • Updates the user experience to provide a more consistent delivery of alert data in the Threat Response workbench.
  • The side panels in the Threat Response workbench have been updated to be more uniform and consistent in their design patterns and display of data.
  • The configuration of the Reputation service has been added as part of the CMI installation for Threat Response.
  • Provides support for SHA1 and SHA256 hash types in suppression rules.
  • Standardizes terminology used in the Threat Response workbench by changing “Live Endpoints” to “Direct Connect” for live connections to endpoints to reflect that the connection is created by Tanium Direct Connect.
  • Updates the details view of nodes in the Direct Connection view to display all events.
  • Standardizes terminology for malicious files to be consistent with terminology used in the Reputation service.
  • Displays Process Signature Data in the process tree view for live processes in a direct connection to an endpoint.
  • Provides performance improvements for displaying the Pending Approval state on Response Actions.
  • Reduces the number of Direct Connect actions that Threat Response creates when Gather Snapshot is in a "Running" status.
  • When editing a TAXII or iSight source, if the user has changed a sensitive field, all the other secrets fields are cleared out and a "Reset" link appears in the Security form section header that will restore the initial state for the secrets fields and show the dots again.
  • Provides more informative messaging when using the file browser in a Direct Connection.
  • Updates the Intel Support document in the Threat Response workbench with documentation about ProcessItem/UserId.
  • Event notifications are now scoped to the current user.
  • If the Tanium Signals source is deleted, the associated signals are moved to the Unknown source. If the Tanium Signals source is then recreated, the signals are moved back from the Unknown source.
  • You can no longer delete the Tanium Signals source from Intel Sources.
  • Increases the default intel package generation timeout value to 3 hours.
  • The Index First Scan Distribute Over Time now supports a value of 0.
  • Allows Threat Response to subscribe to Windows Event ID 1117 (DefenderMalwareActionV2).
  • Updates labels for Global Events and Windows Events.
  • Actions and Response Actions launched from alerts now target the endpoint by its EID to avoid acting on an incorrect endpoint.
  • The Profiles details page now adds a reference to the configured scan blockout window.
  • The /config API now includes the value for profiles.state in the response.
  • Updates Python to support running sensors and packages on RHEL 9 and OEL 9.
  • Index: Newly excluded files will now be removed from the Index database upon the next scan, instead of after 21 days.
  • Index: Provides new Index scan deduplication to improve performance and reduce scan times.
  • Index: Provides a new sensor, “Index - Is Path Indexed”, to help determine whether a specific path is being indexed.
  • Index: Provides two new packages that can be used to trigger a one-time Index scan on a specific path: “Deploy Index - Request Immediate One-Time Scan [Windows]” and “Deploy Index - Request Immediate One-Time Scan [Non-Windows]”.
  • Index: Improvements around automatically recovering corrupt/malformed Index databases.
  • Index: Extends the Index snapshot request timeout to 10 minutes to improve EMG (Endpoint Must Gather) collection reliability for larger Index databases.
  • Index: Removes health_checks around volume scope exceptions when applying volume exclusions on top of a scan all volume configuration.
  • Index: Added a timeout to Index sensor queries to prevent prolonged CPU usage for high cost queries.

Fixes

  • Fixes an issue where the filters list in the Profiles page returned unpredictable data.
  • Fixes an issue where when using the Network Port Hunting Strategy, recorder queries could fail intermittently with large IOC documents.
  • Fixes an issue where the TPA (Tanium Persistence Analyzer) Scan Frequency setting defaulted to 1 hour. The TPA Scan Frequency setting is now set to 1 day by default.
  • Fixes an issue where when creating a Download File response action, the Filter Builder did not display the endpoint selection immediately.
  • Fixes an issue where clicking in the Details section of the response action modal reopened the endpoint search list.
  • Fixes an issue where the Engine Analysis view of a YARA intel doc could cause a web browser to crash.
  • Fixes an issue with the alerts grid where the Retroactive Suppressions banner did not clear when a task was complete.
  • Fixes an issue where offline hostnames could not be returned in Response Actions.
  • Fixes an issue where querying the alerts table was slower than expected when many alerts are present.
  • Fixes an issue where the sensors for the Context Analyzer could be quarantined because of running for longer than 60 seconds.
  • Fixes an issue in the alerts grid where removing a quick filter could cause the workbench to crash.
  • Fixes an issue during Threat Response upgrades where RDB migrations could fail when creating a unique index.
  • Fixes an issue in Index where ZIP archives over the maximum size limit could be reindexed more often than necessary.
  • Fixes an issue where filtering by a path with a backslash did not match alerts as expected.
  • Fixes the wording of the database size error message to eliminate confusion.
  • Fixes an issue where the Alerts Over Time chart on the Threat Response Overview page picks "last 1 day" after upgrade, obscuring prior events.
  • Fixes an issue in Enterprise Hunting so that Threat Response does not show Saved Questions if user does not have permission to view them.
  • Fixes an issue where Live Response S3 and Google Cloud Storage Interoperability did not work correctly when a port of 0 was specified.
  • Fixes an issue where Bypass Action Approval did not work correctly for Live Response when deployed via an alert action.
  • Fixes an issue where exporting data from Direct Connection did not include all currently displayed rows.
  • Fixes an issue where the Environment Variable %ProgramFiles(x86)% is not parsed correctly in Ad-hoc File Collectors in Live Response configurations.
  • Updates the label of the Intel documents page from "Intel Updated At" to "Intel Deployed At".
  • Fixes an issue where when a user Quick Adds and creates a new intel document without specifying a custom name, the default name appends UTC date and time in ISO format as opposed to local date and time.
  • Fixes an issue where the Alerts table shows intel information even when user does not have the Intel Read permission.
  • Fixes an issue with On-Demand scans where the Deployment Status is still running even though it claims to be complete.
  • Fixes an issue where the Download File Action is only presented when the selected alert has a file path.
  • Fixes an issue where excessive notifications were being displayed in the Response Activity page that indicated the activity was pending approval.
  • Fixes an issue where Live Response does not work correctly when there is a space in the host name field of a destination.
  • Fixes an issue where in Recorder or Stream Configurations, the Configs column will contain the correct count of configurations when a filter is added as "include", but the "Configurations:" section in the expanded row will not contain the filter if the configuration is using "Include" mode.
  • Fixes an issue where the suppression rule modal no longer allows a user to create retroactive suppressions unless the user has the Alerts Write permission.
  • Fixes an issue where a user without the Intel Write permission could not see the Labels dropdown. If a user has the Intel Write permission but not the Labels Write permission, the user can see the Labels dropdown, but the only option is "Manage Existing Labels".
  • Fixes an issue where a link to alerts for an intel document is no longer displayed to users who do not have the Alerts Read permission.
  • Fixes an issue where the Windows Defender Path is now visible on the Threat Response Alerts page - Alerts group, the quick filters at the top of the page, and is filterable like other paths.
  • Fixes an issue where the UI was making excessive calls to the /eventCounts API.
  • Fixes an issue where in the Saved Evidence: File download page, a task notification shows for another user.
  • Fixes an issue where the name of a registry value that has changed is now correctly shown in Process Information section of the alert for a Signals alert.
  • Fixes an issue where when copying the value of the Connected At time for a Direct Connection, the time is copied as a string.
  • Fixes an issue where when creating or editing a TAXII or iSight source, the subscription interval was required to be minimum of 10 minutes.
  • Fixes an issue where when gathering a snapshot when action approval is turned on, it would not complete due to the pending action approval and you could not delete the pending action.
  • Fixes an issue where when a user clicks the Date or Endpoint header from the alerts page twice so that it is sorted descending and then clicks the details icon, the details panel displays empty.
  • Fixes an issue in Live Response where Destinations and Script Sets tabs delete all when filtered.
  • Fixes an issue where snapshot downloads could fail with a promise timeout.
  • Fixes an issue where the alert details could be missing process hash information.
  • Fixes an issue where when searching for a specific Name and Value in the Threat Response workbench matches were required to be case sensitive. They are now case insensitive.
  • Fixes an issue where a user should only see the Create and Edit buttons for Configurations if the user has the Configuration Write privilege.
  • Fixes an issue where importing an invalid file as an IOC could cause the import to become unresponsive.
  • Fixes an issue in the Response Activity and Alerts modals where pressing Enter on the modal closes it instead of submitting it.
  • Fixes an issue where when attempting to import a signal that contains a suppression rule with a description more than 255 characters, the entire import will fail.
  • Fixes an issue where Signals with a label and blank description can be exported but not imported.
  • Fixes an issue where when viewing events in the combined events view of the process tree, events could be missing.
  • Fixes an issue where old alerts were gathered from endpoints, added to the real-time event Connect job, then immediately pruned from the console.
  • Fixes an issue with the “Threat Response - Groupings With Findings” and “Threat Response - Count Findings” sensors, which iterated over an incorrect variable.
  • Fixes an issue where a user could be unable to delete System Notifications with bulk delete.
  • Fixes an issue where if a user has a Detection configuration where the Reputation Source and a Label has been added, the user is unable to deploy intel.
  • Fixes an issue where it was possible to create a High Priority Path filter in Threat Response with invalid syntax due to the filter syntax being case sensitive but not enforced in the editor.
  • Fixes an issue where when creating a Response Action, the list of endpoints when you search could contain duplicate entries.
  • Fixes an issue where a warning appears in the browser console when capturing a snapshot and viewing the capture status.
  • Fixes an issue where the Type and OS filter buttons do not work as expected.
  • Fixes an issue where AutoRuns was incorrectly filtering Microsoft related registry keys.
  • Fixes an issue where the number displayed in the notifications is the total number of profiles (not the filtered count) when exporting profiles.
  • Fixes an API issue where when calling /v1/exports with a filter for the detail column, it should return only those rows matching the details.
  • Fixes an issue where a Direct Connection opened from an alert connected to the most recent process with that PID rather than the process that generated the alert.
  • Fixes an issue where the source and destination paths for files moves were swapped in Signal results.
  • Fixes an issue where the magic number details should show the value of magic_number_hex, not the deprecated magic_number for the alert details of a file event.
  • Fixes an issue where the export of Signals was not an audited event.
  • Fixes an issue where the regular expression filter option did not work properly for the sensor "Threat Response - Security Events".
  • Fixes an issue where the Threat Response API documentation mislabeled the API Export Signal Names call as deprecated.
  • Fixes an issue where YARA scans could max out CPU resources for extended periods on endpoints with 1 CPU core.
  • Fixes an issue where suppression rules using the match operator did not match accented characters with "." or "[eè]" in the endpoint-side (Boost) regular expression library.
  • Fixes an issue where creating a suppression rule with only "User" selected made it impossible to save or preview the rule.
  • Fixes an issue where the Declare Time filter set an invalid date and time value in the Direct Connection view.
  • Fixes an issue where certain STIX intel documents were not being parsed correctly.
  • Fixes an issue with intel changes between hunts; these are now optimized to ensure a complete search of previous findings.
  • Fixes an issue where the YARA pe module might not fully parse files.
  • Fixes an issue where Quarantine automatic proxy rule generation fails when using “<IP>:<Port>” for the Tanium Client configuration “ProxySetting”.
  • Renames Process Information to Event Information for several event types.
  • Fixes an issue where Signals can match on incorrect events when using groupings.
  • Fixes an issue where Google Chronicle was unable to ingest Tanium Stream events if the Event ID ended with a “.0”.
  • Index: Fixes an issue where Index could take a long time to resolve volumes on Linux.
  • Index: Multiple fixes for CPU utilization being higher than intended.
  • Index: Fixes an issue where Index blockout windows were not being respected for local time zones.
  • Fixes an issue where sorting System Notifications by Event Time was not working correctly.
  • Improves an error message in the suppression rules modal.
  • Fixes an issue where the TPA (Tanium Persistence Analyzer) Scan Frequency setting defaulted to 1 hour. The TPA scan frequency is now set to 1 day by default.
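As an added illustration of the suppression-rule matching fix above (example code written for these notes, not Tanium's own code): running the same pattern through Python's re module once as Unicode text and once as UTF-8 bytes reproduces why "." and "[eè]" fail on accented characters in a byte-oriented regex engine. The sample process path and the rule patterns are constructed for the example.

```python
import re

# Constructed sample field value (not from the release notes): a process path
# containing the accented character "è", which is two bytes (0xC3 0xA8) in UTF-8.
SAMPLE_PATH = "C:\\Tools\\Genève\\agent.exe"


def matches_unicode(pattern: str, value: str) -> bool:
    """Match a suppression-style pattern against the field as Unicode text.

    Each code point is one character, so "." and "[eè]" see "è" as one unit.
    """
    return re.fullmatch(pattern, value) is not None


def matches_bytes(pattern: str, value: str) -> bool:
    """Match the same pattern after encoding both sides to UTF-8 bytes.

    This mirrors a byte-oriented engine: "è" is the two bytes 0xC3 0xA8, so
    "." consumes only the first byte and "[eè]" becomes a class of individual
    bytes (e, 0xC3, 0xA8) that never matches the whole character.
    """
    return re.fullmatch(pattern.encode("utf-8"), value.encode("utf-8")) is not None


def check_rule(pattern: str, value: str) -> dict:
    """Report how a rule pattern behaves under both engines.

    "portable" is True only when both engines agree, which is what a rule
    author wants before relying on the rule to suppress (or not suppress)
    events that contain non-ASCII characters.
    """
    unicode_hit = matches_unicode(pattern, value)
    bytes_hit = matches_bytes(pattern, value)
    return {
        "unicode": unicode_hit,
        "bytes": bytes_hit,
        "portable": unicode_hit == bytes_hit,
    }


if __name__ == "__main__":
    # Constructed rule patterns; backslashes are doubled to match literal "\".
    for pat in (
        r"C:\\Tools\\Gen.ve\\agent\.exe",     # "." for the accented character
        r"C:\\Tools\\Gen[eè]ve\\agent\.exe",  # character class with "è"
        r"C:\\Tools\\Gen..ve\\agent\.exe",    # two-byte workaround, wrong as Unicode
    ):
        print(pat, check_rule(pat, SAMPLE_PATH))
```

The third pattern shows the trap in the other direction: a rule tuned to a byte engine by using two "." characters stops matching once the engine treats "è" as a single character, so rules containing accented characters should be re-tested after the upgrade.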

Tools Versions

  • Includes Threat Response Tools: 4.3.195
  • Includes Threat Response CX binary: 1.13.1153
  • Includes Recorder Tool (Installer): 3.14.28
  • Includes Recorder binary: 2.11.1584
  • Includes Driver Tool (Installer): 3.14.28
  • Includes Driver binary: 3.3.30
  • Includes Incident Response: 6.7.11
  • Includes Index binary: 3.5.1727
  • Includes Stream: 2.0.952
  • Includes python38: 3.2.6

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when the MTU of packets sent from the endpoint is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint indicating that the packet is too large and advising a lower MTU. If that negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) and Windows 11 ARM endpoints. Memory collection and Live Response may not be fully supported on ARM processors. This support will be provided in a future version of Threat Response.
  • When deleting Notifications from the Management > System Notifications page, if you apply filters and select to delete multiple notifications that match the filter criteria, all notifications are deleted. This is a known issue and will be resolved in a future version of Threat Response.
  • On macOS 13.4+, YARA memory scanning is limited to processes without a hardened runtime. This is a known issue and will be addressed in a future release of Threat Response.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.