IMPORTANT: This site is planned to be decommissioned in 2026. Visit the Tanium Resource Center for all Tanium release notes, user guides, and support information. To view release notes in the Resource Center, see Tanium Release Notes.
IMPORTANT: If you are using semi-annual releases for on premises, see the Release notes for 2024H1 semiannual release, Release notes for 2024H2 semiannual release, or Release notes for 2025H1 semiannual release on the Tanium Resource Center.
Effective October 15, 2024: On prem release notes on the Tanium Knowledge Base are frozen. For release notes related to 7.4 or 7.5 Server and Solutions, see the Monthly updates for Tanium Version 7.4 and 7.5 Server and Solutions on the Tanium Resource Center.

Release Notes Threat Response (Version 4.6)

From Tanium Knowledge Base

Tanium Threat Response 4.6.474

Release Date: 21 January 2025

Improvements

  • Supports downloading files larger than 4 GB from saved evidence.
  • Upgraded various third-party libraries to newer versions.

Resolved issues

  • Fixes an issue where alerts sent to Tanium Connect could be skipped when more than 1000 were waiting to be flushed.
  • Fixes an issue where the typeId for some process injection related groupings could be stored as a number.

Known issues

  • SELinux policies might fail to install on endpoints with low resource provisioning. This issue may resolve over time, because installation is reattempted at each Tanium Client reset (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU Discovery can break. If the endpoint sends a packet larger than the MTU that a router on the path allows, the router normally drops it and returns an ICMP "fragmentation needed" message that tells the endpoint to lower the MTU it uses for that path. If quarantine prevents that ICMP message from reaching the endpoint, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • On macOS 13.4 and later, YARA memory scanning is limited to processes that do not use the hardened runtime.
  • When using Management > Audit > Logs, searching for an intel document by name does not return the events related to that intel document.
  • When using the PATCH /configs API route without providing a description, any existing description is cleared rather than preserved.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under Advanced Settings does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.

Tanium Threat Response 4.6.462

Release Date: 17 December 2024

New features

  • With the new Reactions feature, you can automate actions that disrupt and respond to attacks on both on-network and off-network endpoints, reducing the time to remediate issues from hours to seconds.
    • Reactions automate one or more actions on an endpoint based on alerts from intel documents. For example: delete one or more files, kill a process, or quarantine an endpoint in response to an alert.
    • Using reactions, define a workflow that will trigger automatically when an intel match occurs on an endpoint. The intel document defines what to act on, and the reaction defines what action(s) to perform.
    • Reactions are defined in the Threat Response workbench and associated with an intel document.
  • Added the ability to add alerts as events in Tanium Investigate.

Important notes

  • Removed the Threat Response Stream - Tools Version sensor.
  • Removed the Threat Response - Status sensor.
  • Threat Response now provides the Linux, Mac, and Windows quarantine packages and does not require the IR Quarantine solution to be imported separately.

Improvements

  • Updated YARA rules to compile on the endpoint to better support multiple YARA versions during endpoint tooling upgrades.
  • Updated the Live Response default file collector for Index to collect the IndexCX database.
  • Updated the "Intel Safeguards: Endpoint" system notification: Threat Response now provides the endpoint name in addition to the intel document that was disabled on specific endpoints due to a high volume of alerts.
  • Updated some of the language used in the descriptions of Intel Safeguards settings.
  • Updated profile exports and imports for Threat Response to no longer include the Stream Proxy name and password.
  • Updated byte representation to better match endpoint file size format.
  • Provided a bulk delete API route for labels.
  • Increased the maximum number of lines of Scheduled Task sensor output.
  • Removed the Intel Status from the Metrics section of the Extended Detections details.
  • Index: Improved performance of directory enumeration on Windows endpoints.
  • Updated the way that reaction data is exported to CSV by including the reaction name in the CSV output.
  • Increased the maximum number of exported filters from 1000 to 10000.
  • Upgraded various third-party libraries to newer versions.

Resolved issues

  • Fixed an issue where you could not delete a large number of intel documents at one time.
  • Fixed an issue where the macOS Autoruns sensor did not properly parse autorun information on macOS 13 Ventura, because Apple changed where this information is stored.
  • Fixed an issue where the quick filter in the alerts grid could incorrectly show no alerts.
  • Fixed an issue where when exporting events to Tanium Connect, the receivedAt timestamp was used instead of the alertedAt timestamp.
  • Fixed an issue where content in the edit modal of the Suppression Rules page did not match the content displayed in the suppression rules table.
  • Fixed an issue where filtering by Cmd Line on the Suppression Rules page could cause the page to crash.
  • Fixed an issue where after loading a product license, access to pages in the console could fail.
  • Fixed an issue where the Tanium Quarantine dat file was deleted with every upgrade of IR Quarantine.
  • Fixed an issue where the Quarantine grid status column icon was not center aligned.
  • Fixed an issue where, after adding a new intel document to the list, the Suppression Rule option in the Add menu did not include the new document until the page was refreshed.
  • Fixed an issue in the Response Activity page where the Gather snapshot link was not linking correctly to Snapshot in Saved Evidence.
  • Fixed an issue in the alerts grid where an empty onDemandScanId value is displayed as “––” instead of “”.
  • Fixed an issue in the Splunk TCP Stream configuration destination where proxy fields data was displayed in the JSON.
  • Fixed an issue where Threat Response returned an HTTP 500 error when adding a TAXII source with a URL that does not resolve; it now returns an HTTP 4xx error.
  • Fixed an issue where the Signals builder would suggest syntax inside single quotes.
  • Fixed an issue on the Alert Details page where, under Ancestry in the Process Information section, the corresponding user information was not displayed when hovering over an item.
  • Fixed an issue on the Saved Evidence page where downloaded or imported snapshot db files displayed as a different size than the size shown in the table.
  • Fixed an issue where the Threat Response workbench did not fully display whitespace.
  • Fixed an issue in Quarantine where the CIDR prefix length was required. The field is no longer required and defaults to 32 (a single host) when no value is provided.
  • Updated the description of the Threat Response Visibility Bypass permission in the Tanium Console.
  • Fixed an issue where Direct Connect > Event Sorting could break after large scroll bar movements.
  • Fixed an issue where users without Snapshot Read or Visibility Bypass Read permissions could see references to snapshots.
  • Fixed an issue where on the Alerts page, alerts for Process Injection and Reputation were not showing the icon for the Intel Name.
  • Fixed an issue where whenever a label or MITRE technique is selected in a filter, the exported CSV was missing Intel Name, Source, and MITRE information.
  • Fixed an issue with Alert Details where the Reputation modal for hashes did not show hashes sometimes when Unknown.
  • Fixed an issue where filtering, clicking select all, and deselecting individual suppression rules could incorrectly delete all filtered rules.
  • Fixed an issue where firstDeploymentTimestamp update query could fail with large numbers of intel docs.
  • Fixed an issue where the Import Tanium Signals button was displayed after Tanium Signals were already imported.
  • Fixed an issue where when generating Live Response packages, changes to packages were not preserved after package generation failures.
  • Fixed an issue where no link back to the main list of extended detection types was provided from the individual type pages.
  • Fixed an issue where the loading state was not displayed after clicking the Create Package button for troubleshooting packages.
  • Fixed an issue where the Threat Response file browser displayed sizes using decimal prefixes rather than the typical binary prefixes.
  • Fixed an issue in the exclusions page of the workbench where a link to Client Management was displayed for users who did not have access.
  • Fixed an issue where, when a file download response action failed, the notification it displayed contained a broken link to the Tasks page.
  • Index: Fixed an issue where CX Restart could cause Index to never finish indexing a directory with a significant number of files.
  • Index: Fixed an issue where Index.db-wal file could consume a large amount of disk space.
  • Fixed an issue where THR-CX could crash on CX shutdown if Recorder CX was disabled.
  • Fixed an issue where when using quarantine as part of response action, the incorrect expiration time could be displayed.
  • Fixed an issue where a timeout could occur when direct connecting to an endpoint and searching for a path.
  • Fixed an issue with reactions where option labels for some fields were not clearly displaying a disabled status.
  • Fixed an issue where, when importing Threat Response, some configuration steps might not complete and Tanium Signals might not be imported properly.
  • Fixed an issue where Threat Response used MD5 hashes on several tables, which was not compatible with FIPS mode on TanOS Appliances.
  • Resolved an issue reported in limited customer environments related to the installation of Microsoft Patch KB5037771. See the article on the Tanium Resource Center for more information.
  • Fixed an issue where Threat Response could fail to gather all alerts after Tanium Server connection errors are encountered.
  • Fixed an issue where some Python-based Threat Response and Incident Response sensors could fail to execute on Windows endpoints.
  • Fixed an issue with the Saved Evidence scroll bar.
  • Fixed an issue where deleting an empty array of suppression rules could cause all suppression rules to be deleted.
  • Fixed an error that could prevent upgrades of Threat Response from 4.3+ from completing.
  • Fixed an issue where, when providing configuration data for ELK or Splunk HEC in a Stream configuration, sensitive data could be displayed if a user navigated elsewhere and returned to the configuration.
  • Fixed an issue that could cause reactions to not be acknowledged because of a cron job failure.
  • Fixed an issue where upgrading to Threat Response 4.5.181 or 4.6.457 from Threat Response 4.3 versions could fail.

Known issues

  • SELinux policies might fail to install on endpoints with low resource provisioning. This issue may resolve over time, because installation is reattempted at each Tanium Client reset (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU Discovery can break. If the endpoint sends a packet larger than the MTU that a router on the path allows, the router normally drops it and returns an ICMP "fragmentation needed" message that tells the endpoint to lower the MTU it uses for that path. If quarantine prevents that ICMP message from reaching the endpoint, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • On macOS 13.4 and later, YARA memory scanning is limited to processes that do not use the hardened runtime.
  • When using Management > Audit > Logs, searching for an intel document by name does not return the events related to that intel document.
  • When using the PATCH /configs API route without providing a description, any existing description is cleared rather than preserved.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under Advanced Settings does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.
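The ICMP quarantine known issue listed under both 4.6.474 and 4.6.462 comes down to Path MTU Discovery (PMTUD). The following is an added example, not code from Tanium or from the Threat Response quarantine packages: a Linux nftables ruleset that confines a host to its Tanium Server, with the weak variant (drop every ICMP message) beside the corrected one (accept the ICMPv4 "fragmentation needed" and ICMPv6 "packet too big" messages before dropping the rest), plus a live check that looks for a cached path MTU after one DF-flagged ping. The server address 192.0.2.10, the port 17472, the table name and the function names are assumptions made for illustration; the rule format that the Threat Response quarantine packages actually use is not shown on this page.

```shell
#!/bin/sh
# Added example, not Tanium's quarantine package: nftables rules that model
# the ICMP / Path MTU Discovery known issue. Addresses and ports are
# constructed placeholders (assumptions); override them via the environment.
TANIUM_SERVER="${TANIUM_SERVER:-192.0.2.10}"   # assumed Tanium Server (TEST-NET-1 address)
TANIUM_PORT="${TANIUM_PORT:-17472}"            # assumed client-to-server TCP port

# quarantine_ruleset MODE -> prints an nftables ruleset on stdout.
#   MODE=block-all-icmp : the weak setting; every ICMP message is dropped,
#                         including the router's "fragmentation needed".
#   MODE=keep-pmtud     : the corrected setting; the two PMTUD messages are
#                         accepted first, then all other ICMP is dropped.
# The ICMP rules come before the conntrack rule on purpose: a quarantine that
# blocks ICMP unconditionally must not be rescued by conntrack's RELATED state.
quarantine_ruleset() {
  mode="$1"
  cat <<EOF
table inet quarantine {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
EOF
  if [ "$mode" = "keep-pmtud" ]; then
    cat <<EOF
    icmp type destination-unreachable icmp code frag-needed accept
    icmpv6 type packet-too-big accept
EOF
  fi
  cat <<EOF
    meta l4proto { icmp, ipv6-icmp } drop
    ct state established,related accept
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif "lo" accept
    ip daddr $TANIUM_SERVER tcp dport $TANIUM_PORT accept
    ct state established,related accept
  }
}
EOF
}

# pmtud_exception_before_drop MODE -> exit 0 only if the generated ruleset
# accepts "fragmentation needed" on a line before the line that drops ICMP.
# Rule order is what matters in nftables, so that ordering is the property to check.
pmtud_exception_before_drop() {
  quarantine_ruleset "$1" | awk '
    /frag-needed accept/ && !acc { acc = NR }
    /icmp.* drop$/ && !drop      { drop = NR }
    END { exit !(acc && drop && acc < drop) }'
}

# pmtud_check: live check on a quarantined host (needs root, a real network
# path and Linux iputils ping; not run by the offline test). Sends one
# DF-flagged 1500-byte IPv4 ping (1472 bytes of payload + 8 ICMP + 20 IP).
# If the router's "fragmentation needed" reply got through, the kernel caches
# a smaller path MTU that "ip route get" reports as "mtu N".
pmtud_check() {
  ping -M do -s 1472 -c 1 -W 2 "$TANIUM_SERVER" >/dev/null 2>&1
  ip route get "$TANIUM_SERVER" | grep -o 'mtu [0-9]*' \
    || echo "no cached path MTU: PMTUD blocked, or the path MTU equals the link MTU"
}
```

To try it on a lab host, save the output of `quarantine_ruleset keep-pmtud` to a file and load it with `nft -f` as root, then run `pmtud_check` from a network segment whose path to the server has a smaller MTU (a VPN or tunnel is the usual case); repeat with `block-all-icmp` to reproduce the loss of connectivity described in the known issue. The design choice is the rule order: the PMTUD exceptions must precede the ICMP drop, and because these are ICMP error messages rather than echo requests, allowing them does not reopen the host to ping sweeps.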