
Release Notes Threat Response (Version 4.4)

From Tanium Knowledge Base

Tanium Threat Response 4.4.360

Release Date: 05 June 2024

Upgrade Notes

  • Tanium Server version 7.6+ is compatible only with Threat Response 4.3+. It is recommended that Threat Response 4.3+ be installed prior to upgrading to Tanium Server version 7.6+.
  • Threat Response upgrades will fail with an "Import – Dependency Check error" if a version of Threat Response that isn’t supported is currently installed. In this case, please review the upgrade notes and follow the required upgrade path.
  • If using Tanium Server version 7.5.6, you must be on 7.5.6.1087 or higher to prevent an issue where upgrades to Threat Response 4.0+ will not complete successfully.
  • Required Upgrade Path for Threat Response:
    • Review and follow this required Threat Response upgrade path to avoid upgrade failures.
    • 3.7 (or lower) ---> 3.8 or 3.10 ---> 4.0 or 4.2 ---> 4.3 or 4.4

Important Notes

  • Threat Response 4.4.360 is available as XML and not available from the Tanium Solutions page. To upgrade to Threat Response 4.4.360, contact your TAM.

Endpoint Configuration Toolset

Fixes

  • Fixes an issue reported in limited customer environments related to the installation of Microsoft Patch KB5037771. Please refer to the article on the Tanium Resource Center for more information.

Known Issues

  • SELinux policies might fail to install on endpoints with low resource provisioning. The issue may resolve over time, because installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU negotiation packets can be blocked when a packet sent by the endpoint is larger than the MTU the router allows. Normally the router sees the oversized packet and sends an ICMP message back to the endpoint reporting that the packet is too large and that the permissible MTU should be lowered. If that ICMP message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On macOS 13.4+, YARA memory scanning is limited to unsigned processes only. This is a known issue and will be addressed in a future release of Threat Response.
  • When using Management > Audit > Logs, searching for the name of an Intel document does not return events related to that Intel document. This will be addressed in a future version of Threat Response.
  • macOS 14 Recorder support currently requires a package to be run to re-enable BSM. This will be addressed in a future Recorder update.
  • At this time, the coverage metric does not work and will be fixed or removed in a later release.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.
  • Globally disabled Intel documents, when deployed, still run on the endpoint.
  • When creating a new Signal Intel document, deselecting the Intel Safeguards setting under the Advanced Setting section does not persist when the Signal is created.
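The quarantine/ICMP known issue above is a Path MTU discovery failure. The following simulation is an added illustration written for these notes; it is not Tanium code, and the `Rule` format it uses is constructed rather than Tanium's quarantine rule syntax. It plays the exchange through twice: once with a quarantine that drops every ICMP message, and once with a quarantine that still admits the single message type PMTUD depends on, showing why the first endpoint never recovers.

```python
"""Simulation of Path MTU discovery under a host quarantine that drops ICMP.

Added illustration of the known issue above; not Tanium code. The topology,
rule format and rule sets are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed topology: the endpoint's link MTU is larger than the router's.
ENDPOINT_MTU = 9000
ROUTER_MTU = 1500

# ICMP "Destination Unreachable / Fragmentation Needed" (type 3, code 4) is
# the message a router uses to tell a host to lower its path MTU.
ICMP_FRAG_NEEDED = (3, 4)


@dataclass(frozen=True)
class Rule:
    protocol: str                     # "icmp", "tcp", "udp" or "any"
    action: str                       # "allow" or "block"
    icmp_type: Optional[int] = None   # None matches every ICMP type
    icmp_code: Optional[int] = None   # None matches every ICMP code


def inbound_allowed(rules: List[Rule], protocol: str,
                    icmp: Optional[Tuple[int, int]] = None) -> bool:
    """First matching rule wins; a quarantined host denies by default."""
    for r in rules:
        if r.protocol not in ("any", protocol):
            continue
        if protocol == "icmp" and icmp is not None:
            if r.icmp_type is not None and r.icmp_type != icmp[0]:
                continue
            if r.icmp_code is not None and r.icmp_code != icmp[1]:
                continue
        return r.action == "allow"
    return False


def simulate(rules: List[Rule], endpoint_mtu: int = ENDPOINT_MTU,
             router_mtu: int = ROUTER_MTU, max_attempts: int = 4) -> dict:
    """Send one DF-flagged packet toward the server, retrying up to max_attempts.

    Returns whether it was delivered, how many attempts that took, and the
    path MTU the endpoint ended up using.
    """
    path_mtu = endpoint_mtu
    for attempt in range(1, max_attempts + 1):
        if path_mtu <= router_mtu:
            return {"delivered": True, "attempts": attempt, "path_mtu": path_mtu}
        # The router drops the oversized packet and replies with Fragmentation
        # Needed carrying its next-hop MTU. The endpoint only learns of it if
        # the quarantine lets that ICMP message in.
        if inbound_allowed(rules, "icmp", ICMP_FRAG_NEEDED):
            path_mtu = router_mtu
        # Otherwise the reply is silently dropped and the retransmission is
        # the same size, so every attempt fails the same way.
    return {"delivered": False, "attempts": max_attempts, "path_mtu": path_mtu}


# Weak quarantine: every ICMP message is dropped, including PMTUD feedback.
BLOCK_ALL_ICMP = [Rule("icmp", "block")]

# Corrected quarantine: still drops ICMP in general but admits the one
# message type that PMTUD needs.
ALLOW_PMTUD = [Rule("icmp", "allow", icmp_type=3, icmp_code=4),
               Rule("icmp", "block")]

if __name__ == "__main__":
    for name, rules in (("block all ICMP", BLOCK_ALL_ICMP),
                        ("allow fragmentation-needed", ALLOW_PMTUD)):
        print(name, simulate(rules))
```

The model only covers IPv4; an IPv6 quarantine would need the equivalent exception for ICMPv6 Packet Too Big (type 2). Whatever syntax the real quarantine uses, the test before rollout is the same one the simulation performs: confirm that an oversized packet from a quarantined endpoint still results in the endpoint lowering its path MTU.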

Tanium Threat Response 4.4.359

Release Date: 28 May 2024

Upgrade Notes

  • Tanium Server version 7.6+ is only compatible with Threat Response 4.3+. It is recommended that Threat Response 4.3+ be installed prior to upgrading to Tanium Server version 7.6+.
  • Threat Response upgrades will fail with an "Import – Dependency Check error" if a version of Threat Response that isn’t supported is currently installed. In this case, please review the upgrade notes and follow the required upgrade path.
  • If using Tanium Server version 7.5.6, you must be on 7.5.6.1087 or higher to prevent an issue where upgrades to Threat Response 4.0+ will not complete successfully.
  • Required Upgrade Path for Threat Response:
    • Review and follow this required Threat Response upgrade path to avoid upgrade failures.
    • 3.7 (or lower) ---> 3.8 or 3.10 ---> 4.0 or 4.2 ---> 4.3 or 4.4

Important Notes

  • Threat Response 4.4.359 is available as XML and not available from the Tanium Solutions page. To upgrade to Threat Response 4.4.359, contact your TAM.

Fixes

  • Fixes an issue where Threat Response could fail to start because of a foreign key issue.
  • Fixes an issue where Threat Response could fail to upgrade because of an RDB migration issue.
  • Fixes an issue where Process Injection alerts were not initiated. NOTE: If you install this version of Threat Response, and later upgrade to SAR 2024H1 or SAR 2024H1 Update 1, the problem where Process Injection alerts were not initiated will resume. The fix contained in this release will be provided in a subsequent SAR release.

Known Issues

  • SELinux policies might fail to install on endpoints with low resource provisioning. The issue may resolve over time, because installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU negotiation packets can be blocked when a packet sent by the endpoint is larger than the MTU the router allows. Normally the router sees the oversized packet and sends an ICMP message back to the endpoint reporting that the packet is too large and that the permissible MTU should be lowered. If that ICMP message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On macOS 13.4+, YARA memory scanning is limited to unsigned processes only. This is a known issue and will be addressed in a future release of Threat Response.
  • When using Management > Audit > Logs, searching for the name of an Intel document does not return events related to that Intel document. This will be addressed in a future version of Threat Response.
  • macOS 14 Recorder support currently requires a package to be run to re-enable BSM. This will be addressed in a future Recorder update.
  • At this time, the coverage metric does not work and will be fixed or removed in a later release.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.
  • Globally disabled Intel documents, when deployed, still run on the endpoint.
  • When creating a new Signal Intel document, deselecting the Intel Safeguards setting under the Advanced Setting section does not persist when the Signal is created.

Tanium Threat Response 4.4.348

Release Date: 19 February 2024

Upgrade Notes

  • Tanium Server version 7.6+ is only compatible with Threat Response 4.3+. It is recommended that Threat Response 4.3+ be installed prior to upgrading to Tanium Server version 7.6+.
  • Threat Response upgrades will fail with an "Import – Dependency Check error" if a version of Threat Response that isn’t supported is currently installed. In this case, please review the upgrade notes and follow the required upgrade path.
  • If using Tanium Server version 7.5.6, you must be on 7.5.6.1087 or higher to prevent an issue where upgrades to Threat Response 4.0+ will not complete successfully.
  • Required Upgrade Path for Threat Response:
    • Review and follow this required Threat Response upgrade path to avoid upgrade failures.
    • 3.7 (or lower) ---> 3.8 or 3.10 ---> 4.0 or 4.2 ---> 4.3 or 4.4

Important Notes

  • Threat Response 4.4.348 is available as XML and not available from the Tanium Solutions page. To upgrade to Threat Response 4.4.348, contact your TAM.

Fixes

  • Fixes an issue where Tanium Signals could fail to import successfully.
  • Fixes an issue where, when Intel documents were duplicated, the duplicated Tanium Signals could be overwritten during Signal feed updates.
  • Fixes an issue where uploading or editing some IOC intel documents could fail.
  • Fixes an issue where filtering Alert Content in the Alerts Grid was case sensitive.
  • Fixes an issue with Live Response where Tanium Client\Tools\IR\data\Action_#### folders were created but not cleaned up after the action completed.

Tools Versions

  • Includes Threat Response Tools: 4.4.348
  • Includes Threat Response CX binary: 1.14.1253
  • Includes Recorder Tool (Installer): 3.14.33
  • Includes Recorder binary: 2.11.1587
  • Includes Driver Tool (Installer): 3.14.33
  • Includes Driver binary: 3.3.30
  • Includes Index binary: 3.5.1727
  • Includes Stream: 2.1.1422
  • Includes python38: 3.2.6
  • Includes Incident Response: 6.7.15

Known Issues

  • SELinux policies might fail to install on endpoints with low resource provisioning. The issue may resolve over time, because installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU negotiation packets can be blocked when a packet sent by the endpoint is larger than the MTU the router allows. Normally the router sees the oversized packet and sends an ICMP message back to the endpoint reporting that the packet is too large and that the permissible MTU should be lowered. If that ICMP message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On macOS 13.4+, YARA memory scanning is limited to unsigned processes only. This is a known issue and will be addressed in a future release of Threat Response.
  • When using Management > Audit > Logs, searching for the name of an Intel document does not return events related to that Intel document. This will be addressed in a future version of Threat Response.
  • macOS 14 Recorder support currently requires a package to be run to re-enable BSM. This will be addressed in a future Recorder update.
  • At this time, the coverage metric does not work and will be fixed or removed in a later release.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.
  • Globally disabled Intel documents, when deployed, still run on the endpoint.
  • When creating a new Signal Intel document, deselecting the Intel Safeguards setting under the Advanced Setting section does not persist when the Signal is created.

Tanium Threat Response 4.4.332

Release Date: 28 November 2023

Upgrade Notes

  • Tanium Server version 7.6+ is only compatible with Threat Response 4.3+. It is recommended that Threat Response 4.3+ be installed prior to upgrading to Tanium Server version 7.6+.
  • Threat Response upgrades will fail with an "Import – Dependency Check error" if a version of Threat Response that isn’t supported is currently installed. In this case, please review the upgrade notes and follow the required upgrade path.
  • If using Tanium Server version 7.5.6, you must be on 7.5.6.1087 or higher to prevent an issue where upgrades to Threat Response 4.0+ will not complete successfully.
  • Required Upgrade Path for Threat Response:
    • Review and follow this required Threat Response upgrade path to avoid upgrade failures.
    • 3.7 (or lower) ---> 3.8 or 3.10 ---> 4.0 or 4.2 ---> 4.3 or 4.4

New Features

  • Intel Safeguards is a new feature in THR 4.4 that helps reduce alert fatigue and false positive alerts by automatically disabling noisy Intel documents globally or at the endpoint level. Intel Safeguards’ ability to automatically disable Intel documents also helps to improve the performance and resilience of the Threat Response service on the module server by reducing the service work that was previously required to continuously throttle large numbers of alerts. Intel Safeguards provides configurable thresholds at both the global and Intel document level.
  • Provides an interface to view and export audit logs for user interactions in Threat Response. In the Threat Response workbench, select Management > Audit > Logs to view audit events.
  • Starting in Threat Response 4.4, Index exclusions are now centrally managed by Tanium Client Management (TCM) to provide one central location for configuring global Indexing exclusions. You should add new exclusions required by THR in TCM. Exclusions that you add in Tanium Client Management are not visible in the list of exclusions shown in individual Tanium modules; it is important to view the exclusions in both locations to understand the total exclusions that are applied to the Tanium environment. In this release, existing exclusions are maintained, but you can no longer add Index exclusions in an Index configuration in the Threat Response workbench.

Improvements

  • Deep Instinct, Microsoft Defender, Process Injection, and Reputation Intel documents are now contained under a new heading named Extended Detections. These Intel documents and all corresponding data and alerts are accessible from the Extended Detections menu item in the Threat Response workbench.
  • Alert data that is sent to Tanium Connect now includes a link to the alert in the Threat Response workbench, which enables quick access to the alert in Threat Response. Alerts can now be directly accessed using the following URL pattern: https://<serverIP>/#/threatresponse/alerts?guid=<alert_guid>.
  • Adds documentation in the User Guide for the alerts schema and provides details on the types of data contained in alerts.
  • Provides the ability to use the filter builder for response actions to specifically target single endpoints based on multiple criteria.
  • Provides the ability to export selected filters.
  • The Context Analyzer now returns matches for live processes in addition to historical process activity.
  • Provides the ability to clone an Intel document in the Threat Response workbench.
  • On the Intel Documents page, YARA Intel documents now carry a description that identifies whether the Intel is for Live Files, Memory, or Paths.
  • Adds workbench documentation accessible from the Help icon > “Recorder Security Events Details” that provides a mapping of Recorder configuration event type checkboxes to related Event IDs which are recorded by that event type on the corresponding OS.
  • Prevents the upload of a snapshot that exceeds the maximum allowed size of 2.5 GB.
  • The name of the Actions button on the Profiles page has been changed to Profile Actions.
  • Windows Defender Intel has been renamed Microsoft Defender and is now located under the Extended Detections menu item.
  • The Unknown Intel source has been renamed Orphaned.
  • On the Intel Labels page, if you select one checkbox an edit icon displays that allows you to edit the selected label.
  • Intel Safeguards attributes are now displayed in the Intel documents page for each Intel document.
  • An Intel Safeguards checkbox appears in the modal for creating or editing a Signal to configure Intel Safeguards functionality on a per-Intel document basis.
  • New notification types are displayed in the System Notifications page for Intel Safeguards data.
  • Provides the ability to enable or disable Intel Safeguards from the Settings > Service > Intel menu.
  • Provides a clone API route to clone Intel documents and enables you to specify a name and ID for the clone and preserve other properties of the original Intel document.
  • In a Connect job that uses the Tanium Threat Response source and the Audit Report type, the user ID of the user who deployed Intel is now displayed.
  • Provides the ability to filter Intel documents by Extended Detections.
  • Adds an online or offline icon to the left of the endpoint name in the "Endpoint" column in the alerts grid. Note: Endpoints that a user does not have management rights on will appear offline.
  • When initiating a Response Action from an alert, the targeting now includes EID (Endpoint ID) in addition to endpoint name.
  • When deploying an action from an alert, the targeting now additionally uses EID.
  • The Alert details flyout now enriches the display of hash data by using Tanium Reputation.
  • In the alerts grid, the name of the endpoint is a link that you can click to initiate a direct connection to the endpoint.
  • Two new labels have been added to the Tanium Signal feed:
    • “Deprecated”: these Signals have been replaced by one or more new Signals and will be removed in the future.
    • “Marked For Removal”: these Signals have been noted for removal in the release notes and will be deleted from the Signals feed after a minimum of 30 days.
  • Process Injection alerts now use the Target Process PID to deduplicate process injection attempts.
  • Exporting Filters now supports Export Selected in addition to Export All.
  • Adds a copy cell action to the Impact Rating in the context analyzer details and adds Impact Rating to the filtering.
  • A confirmation modal is displayed when a Profile is exported as a CSV.
  • Disables the real-time Deploy Action, Remediate in Enforce, Download File, Gather Snapshot, Live Response, and Quarantine actions for offline endpoints from the alerts grid. Response Actions should be used for Offline Endpoints.
  • Mean time to Remediate and Mean Time to Investigate calculations have been restored.
  • Preserves the filter selections on the On-Demand Scans tab when switching between tabs.
  • Provides the ability to edit the name of an Intel document.
  • Provides the ability to add Context Analyzer results to an investigation in Tanium Investigate.
  • Provides full filter builder support for Context Analyzer results.
  • Provides the ability to filter on multiple labels in the alerts grid.
  • Provides the ability to add artifacts from a direct connection to an investigation in Tanium Investigate.
  • Recorder: Adjust Recorder BPF Support targeting to include OEL 7.9 with UEK 5.4 Kernel.
  • Stream: Added support for Stream to send NAMESPACE data to Google Chronicle.
  • Converts the Threat Response - Acknowledge Findings Template [Windows] package and the following sensors from VBS to PowerShell:
    • Threat Response - Context Analyzer Details
    • Threat Response - Context Analyzer Summary
    • Threat Response - Count Findings
    • Threat Response - Gather Findings
    • Threat Response - Groupings With Findings
    • Threat Response - Sample Findings

Fixes

  • Fixes minor UI issues and clarifies several messages that are displayed in the Threat Response workbench.
  • Fixes an issue on the Management > System Notifications page where applying a filter and then deleting the multiple notifications that matched it deleted all notifications, not only the matching ones.
  • Fixes an issue where filtering by time range in the alerts view used local browser time rather than UTC.
  • Fixes an issue where the Reputation Intel Document modified time was not changing as new hashes were identified in Reputation.
  • Fixes an issue where Port Number was a required field in Live Response Destinations for S3.
  • Adds a validation message to inform the user that a Signal cannot be saved unless an operating system is selected.
  • Fixes an issue where the default "minutes to collect" value of 0 in the configuration of the Threat Response audit source resulted in a THR Audit Report Source error.
  • Fixes an issue where the Intel Source value on the Intel details page would get reset and repopulated on each load of the page.
  • Fixes an issue where a request to the /plugin/products/threat-response/api/v1/response-actions route to quarantine or unquarantine a computer outside your management rights groups was accepted without an error.
  • Fixes an issue where the name field in the suppressions rule creation modal was not validated by the Threat Response service.
  • Fixes an issue on the alerts page where filtering by Alert Content did not adjust Quick Filters.
  • Fixes an issue where you could not bulk delete system notifications with time range filter applied.
  • Fixes an issue on the System Notifications page where the page could crash when expanding to an unknown notification type.
  • Fixes an issue where the Save button is shown in the Service Settings page when the user is read-only.
  • Fixes an issue with displaying system notifications when the details were not all ASCII strings.
  • Fixes an issue where the progress bar remained displayed after the Context Analyzer completed a search.
  • Fixes an issue where, when a user duplicated certain Tanium Signals or documents from the TAXII source, they were moved into the Direct Connect source instead of the Workbench source.
  • Fixes an issue where, when creating a suppression rule, the Threat Response workbench did not update automatically to show the status change.
  • Fixes an issue where on the labels page, sorting by description (both ascending and descending) showed blank values at the top of the list.
  • Fixes an issue where the details for the Process Injection document showed Global Suppression Rules. Global Suppression Rules do not apply to the Process Injection and are no longer shown.
  • Fixes an issue on the alerts page where the sort order for Outbound Impact was incorrect.
  • Fixes an issue with the "AutoRun Program Details" sensor where it failed to locate certain drivers.
  • Changes the hint text for TAXII private keys to be a correct example for private keys.
  • Fixes an issue where the Duplicate and Delete buttons were not appropriately enabled for Filters and Exclusions.
  • Fixes an issue where the "Threat Response - Count Findings" sensor used up all inodes on file systems where THR tools were not installed.
  • Updates the API documentation for Bulk Delete Evidence to provide a more complete sample.
  • Fixes an issue in Stream Configurations where filters could fail to save if "Shift - Select" is used to choose filters.
  • Fixes an issue where an event log event sent from the Recorder could contain a binary string of multiple category IDs.
  • Fixes an issue on the Saved Evidence: File Download page where items were sorted incorrectly by the Created At heading.
  • Fixes an issue where Live Response did not honor "Ignore Action Lock" in generated packages.
  • Fixes an issue in the Threat Response Alert Grid and Alert Details where the hash type and hash values were blank if the Reputation service was unavailable.
  • Fixes an issue in Live Response where when Generate Package fails, Threat Response did not specify which package was at fault.
  • Fixes an issue where the suppressed and evaluated results were not being stored in the SuppressAlerts task type entry in the Threat Response database.
  • Fixes an issue on the Saved Evidence page, where selecting a type and using exclude mode to select some items to bulk delete resulted in the deleted items totaling more than the selected items.
  • Fixes an issue where the file browser link to Saved Evidence did not set the File filter.
  • Fixes an issue where Read-Only users could view the suppressions.
  • Index: Zip archives over the "MaxZipSizeMB" size limit are no longer rewalked every time.
  • Stream: Fixed an issue where Stream could continually try unsuccessfully to resend a large cache file.
  • Stream: Fixed an issue where Stream may not respect the backoff retry interval and try to resend cached data too frequently.
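The response-actions fix in this list (a quarantine or unquarantine request for a computer outside the caller's management rights groups was accepted) is a missing object-level authorization check. The handler below is an added illustration of that class of defect and its correction; it is not Tanium's code. Only the route path and the "management rights groups" concept come from the release notes; the inventory, user rights, function names and audit record shape are constructed.

```python
"""Management-rights check on a quarantine request.

Added illustration modelled on the response-actions fix above; not Tanium's
code. The data model and handler names are constructed for the example.
"""
from typing import Dict, FrozenSet, List

# Constructed inventory: computer name -> computer groups it belongs to.
COMPUTER_GROUPS: Dict[str, FrozenSet[str]] = {
    "ws-finance-01": frozenset({"Workstations", "Finance"}),
    "srv-db-01": frozenset({"Servers", "Databases"}),
}

# Constructed users: user name -> management rights groups granted to them.
USER_RIGHTS: Dict[str, FrozenSet[str]] = {
    "finance-analyst": frozenset({"Finance"}),
    "dba": frozenset({"Databases"}),
}

ROUTE = "/plugin/products/threat-response/api/v1/response-actions"
ALLOWED_ACTIONS = ("quarantine", "unquarantine")
AUDIT_LOG: List[dict] = []   # stands in for Management > Audit > Logs


class Forbidden(Exception):
    """Maps to an HTTP 403 from the route."""


def can_manage(user: str, computer: str) -> bool:
    """True when the computer is in at least one of the user's rights groups.

    An unknown computer has no groups, so it is refused the same way as a
    computer the caller may not manage; the caller learns nothing about
    whether the name exists.
    """
    groups = COMPUTER_GROUPS.get(computer, frozenset())
    return bool(groups & USER_RIGHTS.get(user, frozenset()))


def response_action_before_fix(user: str, action: str, computer: str) -> dict:
    """The defect: acts on whatever computer name the caller supplies."""
    return {"route": ROUTE, "action": action, "computer": computer,
            "status": "queued"}


def response_action_after_fix(user: str, action: str, computer: str) -> dict:
    """Queues the action only for computers inside the caller's rights."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unsupported action: {action}")
    permitted = can_manage(user, computer)
    # Record the decision either way so denied attempts are visible in audit.
    AUDIT_LOG.append({"user": user, "action": action,
                      "computer": computer, "permitted": permitted})
    if not permitted:
        raise Forbidden(f"{user} has no management rights on {computer}")
    return {"route": ROUTE, "action": action, "computer": computer,
            "status": "queued"}


if __name__ == "__main__":
    print(response_action_before_fix("finance-analyst", "quarantine", "srv-db-01"))
    try:
        response_action_after_fix("finance-analyst", "quarantine", "srv-db-01")
    except Forbidden as exc:
        print("403:", exc)
    print(response_action_after_fix("dba", "quarantine", "srv-db-01"))
    print(AUDIT_LOG)
```

The check is deliberately done server-side from the authenticated user and the inventory, not from anything in the request body, and the denied attempt is audited before the error is raised, which is what lets a reviewer of the audit log spot someone probing computers they cannot manage.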

Tools Versions

  • Includes Threat Response Tools: 4.4.332
  • Includes Threat Response CX binary: 1.14.1253
  • Includes Recorder Tool (Installer): 3.14.33
  • Includes Recorder binary: 2.11.1587
  • Includes Driver Tool (Installer): 3.14.33
  • Includes Driver binary: 3.3.30
  • Includes Index binary: 3.5.1727
  • Includes Stream: 2.1.1422
  • Includes python38: 3.2.6
  • Includes Incident Response: 6.7.13

Security Updates

  • Upgraded various third-party libraries to newer versions.

Known Issues

  • SELinux policies might fail to install on endpoints with low resource provisioning. The issue may resolve over time, because installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU negotiation packets can be blocked when a packet sent by the endpoint is larger than the MTU the router allows. Normally the router sees the oversized packet and sends an ICMP message back to the endpoint reporting that the packet is too large and that the permissible MTU should be lowered. If that ICMP message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On macOS 13.4+, YARA memory scanning is limited to unsigned processes only. This is a known issue and will be addressed in a future release of Threat Response.
  • When using Management > Audit > Logs, searching for the name of an Intel document does not return events related to that Intel document. This will be addressed in a future version of Threat Response.
  • macOS 14 Recorder support currently requires a package to be run to re-enable BSM. This will be addressed in a future Recorder update.
  • At this time, the coverage metric does not work and will be fixed or removed in a later release.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.
  • Globally disabled Intel documents, when deployed, still run on the endpoint.
  • When creating a new Signal Intel document, deselecting the Intel Safeguards setting under the Advanced Setting section does not persist when the Signal is created.