IMPORTANT: This site is planned to be decommissioned in 2026. Visit the Tanium Resource Center for all Tanium release notes, user guides, and support information. To view release notes in the Resource Center, see Tanium Release Notes.
IMPORTANT: If you are using semi-annual releases for on premises, see the Release notes for 2024H1 semiannual release, Release notes for 2024H2 semiannual release, or Release notes for 2025H1 semiannual release on the Tanium Resource Center.
Effective October 15, 2024: On prem release notes on the Tanium Knowledge Base are frozen. For release notes related to 7.4 or 7.5 Server and Solutions, see the Monthly updates for Tanium Version 7.4 and 7.5 Server and Solutions on the Tanium Resource Center.

Tanium Cloud Release Notes Threat Response

From Tanium Knowledge Base

Release Date: 29 June 2026

Important Notes

  • The output of the "Recorder - Extension Settings" sensor incorrectly wraps numeric return values so they appear as b'<value>'. A future release will correct the sensor to return the numeric values only. Update any action targeting that depends on this output so that actions are still targeted correctly after the wrapping is removed.

Improvements

  • Upgraded various third-party libraries to newer versions.

Fixes

  • Fixed an issue that could prevent the Threat Response service from starting after an upgrade.
  • Fixed an issue that caused errors when displaying profiles that included TLS-secured syslog stream destinations.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When quarantine rules block the ICMP protocol, Path MTU Discovery can fail. If the endpoint sends a packet larger than the MTU that a router on the path allows, the router normally drops it and returns an ICMP message (Fragmentation Needed for IPv4, Packet Too Big for IPv6) telling the endpoint to use a smaller packet size. If that ICMP message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin, and you cannot download additional saved evidence until the initial download finishes or times out.
  • Live Response collections fail with a FileNotFoundError on any non-Amazon Linux endpoints running on ARM64 (aarch64) architecture. The taniumfiletransfer binary is not deployed to these endpoints.

Release Date: 23 June 2026

Important Notes

  • The output of the "Recorder - Extension Settings" sensor incorrectly wraps numeric return values so they appear as b'<value>'. A future release will correct the sensor to return the numeric values only. Update any action targeting that depends on this output so that actions are still targeted correctly after the wrapping is removed.

Improvements

  • Upgraded various third-party libraries to newer versions.

Fixes

  • Fixed an issue that could prevent the Threat Response service from starting after an upgrade.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When quarantine rules block the ICMP protocol, Path MTU Discovery can fail. If the endpoint sends a packet larger than the MTU that a router on the path allows, the router normally drops it and returns an ICMP message (Fragmentation Needed for IPv4, Packet Too Big for IPv6) telling the endpoint to use a smaller packet size. If that ICMP message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin, and you cannot download additional saved evidence until the initial download finishes or times out.
  • Live Response collections fail with a FileNotFoundError on any non-Amazon Linux endpoints running on ARM64 (aarch64) architecture. The taniumfiletransfer binary is not deployed to these endpoints.

Release Date: 15 June 2026

Important Notes

  • The output of the "Recorder - Extension Settings" sensor incorrectly wraps numeric return values so they appear as b'<value>'. A future release will correct the sensor to return the numeric values only. Update any action targeting that depends on this output so that actions are still targeted correctly after the wrapping is removed.

New Features

  • Added an HTTP/HTTPS destination type for Stream configurations, with support for TLS, GZIP payload encoding, and custom HTTP headers. For more information, see the Create configurations topic of the Threat Response User Guide.
  • Added Run Service Action and Run Service Configuration task options to the Remediate in Enforce workflow, so you can control service state across Windows, Linux, and Mac endpoints and set the Windows service startup type as part of a remediation policy. For more information, see the Managing alerts topic of the Threat Response User Guide.

Improvements

  • Upgraded various third-party libraries to newer versions.
  • Added Quarantine support for Ubuntu 26 endpoints.
  • Deep Instinct alerts now display the Advanced Details JSON in the alert Details Drawer, matching the behavior of other alert types.
  • Added an Updated On (UTC) column to the configurations grid, with the grid sorted by this column in descending order by default.
  • Added the ability to sort the MITRE Techniques table by tactic in the Threat Navigator Hypothesis details pane.

Fixes

  • Restored column customization on the Live Connection Recorder grid.
  • Fixed an issue where importing a detection configuration into a different Tanium environment did not resolve intel sources, labels, or computer groups correctly across environments. Detection configuration import now matches sources and labels by name; missing sources are surfaced in the workbench, missing labels are created with no intel documents assigned, and computer groups assigned to profiles are not included in import or export.
  • Fixed an issue on Windows endpoints where Quarantine could fail with a sleep timeout when the IPSec PolicyAgent service needed to be started or stopped.
  • Fixed an issue where Quarantine Profile DAT file import failed when the port value was 0. Imports now accept 0 as a valid port value.
  • Fixed an issue where the Quarantine Rules tab displayed a non-zero item count but no rules in the list. The Rules tab now renders the configured rules.
  • Added a decompression size limit for endpoint-provided Threat Navigator payloads. When a Threat Navigator search or scan returns a payload that exceeds the limit, the response is dropped and surfaced as a new Threat Navigator Decompression Size Error system notification under Modules > Threat Response > Management > Audit > System Notifications.
  • Fixed a Type mismatch: 'CInt' error in the Kill Processes with MD5 Hash package.
  • Fixed an issue where Threat Response logged a generic error in place of the actual error when it contained a percent character (%).
  • Fixed an issue where multiple Reputation malicious hash syncs could run at the same time.
  • Fixed an integer-overflow error when creating a Threat Navigator search that referenced a computer group whose ID exceeded the integer range.
  • Added stricter validation to the File Name field in Stream Local File configurations to prevent invalid file names from being saved.
  • Fixed an issue with direct connections where applying a process tree events filter that returned no results removed the filter UI, preventing further filtering until the process tree was closed and reopened.
  • Fixed an issue where Signal Builder grouping was not consistent with the Text Editor view.
  • Fixed an issue where creating a Threat Navigator search from an existing Signal lost the MITRE Techniques originally associated with the source intel document.
  • Fixed an issue in the Hypothesis detail panel where linked-search rows showed 0 MITRE Techniques due to a mapping error.
  • Fixed an issue where Threat Navigator did not pre-fill the Description field when you created a search from an existing intel document.
  • Fixed an issue where Threat Navigator detail gathers could crash with a duplicate-key database error.
  • Fixed an issue where some sensors did not properly indicate their platform with icons in the Enterprise Hunting section of the Threat Response workbench.
  • Fixed an issue where High Priority Path filter validation incorrectly accepted literal escape characters such as \t in filter strings.
  • Fixed an issue where saving a configuration defaulted the Stream tab order without an explicit sort.
  • Fixed an issue in Response Activity where unsupported operating system types could be selected as targets. Only supported OS types are now selectable.
  • Fixed a service-side issue where a quarantine action without a profile and without custom parameters failed instead of applying the default behavior.
  • Fixed an issue where Live Response stopped working after the diskless mailbox migration due to a script syntax error.
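The decompression size limit described in the Fixes list above guards against a small compressed payload that inflates to a very large one: an endpoint that is compromised or misbehaving could otherwise exhaust server memory with a few kilobytes of input. The following added example (not Tanium's code) shows the pattern behind such a limit: a bounded, streaming inflate that aborts the moment the output would exceed the budget, and a wrapper that drops an over-limit payload and returns a notification-style record instead of processing it. The zlib framing, the 64 KiB limit, the JSON payload shape and the notification wording are assumptions made for the example.

```python
"""Bounded inflate of a compressed payload supplied by an endpoint.

Added example, not Tanium code. It shows the pattern behind a
"decompression size limit": a few kilobytes of compressed input can
expand to many megabytes, so an unbounded inflate of endpoint-supplied
data lets a compromised host exhaust server memory. The zlib framing,
the limit value and the notification wording are assumptions.
"""
import json
import zlib

MAX_INFLATED_BYTES = 64 * 1024  # assumed limit; tune to real payload sizes


class DecompressionSizeError(ValueError):
    """Raised when a payload would expand beyond the configured limit."""


def decompress_bounded(payload: bytes, limit: int = MAX_INFLATED_BYTES) -> bytes:
    """Inflate `payload`, aborting as soon as the output would exceed `limit`.

    The streaming API is used with max_length so the full expansion is never
    materialised: memory use is bounded by `limit` plus one byte, however
    large the payload would inflate to.
    """
    if limit <= 0:
        raise ValueError("limit must be positive")
    inflater = zlib.decompressobj()
    out = bytearray()
    data = payload
    while not inflater.eof:
        # Ask for at most the remaining budget plus one byte: producing that
        # extra byte proves the payload is over the limit without allocating
        # the whole expansion.
        chunk = inflater.decompress(data, max_length=limit - len(out) + 1)
        out += chunk
        if len(out) > limit:
            raise DecompressionSizeError(
                f"payload expands beyond {limit} bytes; dropping it"
            )
        data = inflater.unconsumed_tail  # input zlib has not consumed yet
        if not chunk and not data:
            break  # no input left and no pending output: stream is truncated
    if not inflater.eof:
        raise ValueError("truncated or incomplete compressed stream")
    return bytes(out)


def inflate_or_drop(payload: bytes, limit: int = MAX_INFLATED_BYTES):
    """Return (decoded_json, None) or (None, notification) for one payload.

    Mirrors the behaviour described in the release note: an over-limit
    payload is dropped and surfaced as a notification rather than processed.
    """
    try:
        raw = decompress_bounded(payload, limit)
    except DecompressionSizeError as exc:
        return None, {"type": "Decompression Size Error", "detail": str(exc)}
    except (ValueError, zlib.error) as exc:
        return None, {"type": "Malformed Payload", "detail": str(exc)}
    return json.loads(raw), None


# Constructed sample inputs (not real Threat Navigator data).
LEGIT_RESULT = {"hits": [{"pid": 4242, "path": "/usr/bin/curl"}]}


def legit_payload() -> bytes:
    """A small, plausible search result compressed the normal way."""
    return zlib.compress(json.dumps(LEGIT_RESULT).encode())


def bomb_payload(expanded_size: int = 8 * 1024 * 1024) -> bytes:
    """Highly compressible data: 8 MiB of zeros inflates from a few KiB."""
    return zlib.compress(b"\x00" * expanded_size, 9)


if __name__ == "__main__":
    for name, p in (("legit", legit_payload()), ("bomb", bomb_payload())):
        result, note = inflate_or_drop(p)
        print(f"{name}: {len(p)} compressed bytes ->", result if note is None else note)
```

The budget check happens per chunk rather than after a full `zlib.decompress()` call, which is the difference between a limit that is enforced and one that is merely reported after the memory has already been allocated.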

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When quarantine rules block the ICMP protocol, Path MTU Discovery can fail. If the endpoint sends a packet larger than the MTU that a router on the path allows, the router normally drops it and returns an ICMP message (Fragmentation Needed for IPv4, Packet Too Big for IPv6) telling the endpoint to use a smaller packet size. If that ICMP message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin, and you cannot download additional saved evidence until the initial download finishes or times out.
  • Live Response collections fail with a FileNotFoundError on any non-Amazon Linux endpoints running on ARM64 (aarch64) architecture. The taniumfiletransfer binary is not deployed to these endpoints.

Release Date: 20 May 2026

Important Notes

  • The output of the "Recorder - Extension Settings" sensor incorrectly wraps numeric return values so they appear as b'<value>'. A future release will correct the sensor to return the numeric values only. Update any action targeting that depends on this output so that actions are still targeted correctly after the wrapping is removed.

New Features

  • Added support for the MITRE ATT&CK framework to Threat Navigator to help you track threat hunting coverage. Use the MITRE Techniques tab to browse the full ATT&CK matrix and see how your searches, intel documents, and hypotheses map to each technique.

Improvements

  • Upgraded various third-party libraries to newer versions.
  • Reduced profile deployment to a single confirmation prompt instead of two.
  • Added the maximum allowed file count (10) to the Max number of Files field in the Local File Stream destination.
  • Updated the Proxy field in Stream configuration to automatically expand when it contains saved content.
  • Changed the Alerts actions menu from submenus to a grouped list.
  • Added a Pivot button to the Process Tree view in Direct Connect.

Fixes

  • Fixed an issue that caused rules to be incorrectly removed from a quarantine profile if the rules results table was filtered during filter creation.
  • Fixed an issue that prevented navigating up the process tree ancestry in Threat Response > Direct Connect.
  • Fixed an issue where profiles would incorrectly show the status "Need Deployment: Tools Change" when profiles did not require a re-deployment.
  • Fixed an issue where the Directory field in the Local File Stream destination accepted values that were not absolute paths.
  • Fixed an issue that caused endpoint search results in Direct Connect to display incorrectly.
  • Fixed an issue where Response Actions displayed an incorrect tooltip when the online status of an endpoint could not be determined.

Known Issues

  • Detection configurations (and exports of profiles that include them) that you export from previous releases of Threat Response include only source and label IDs. When imported to a different environment, such exports map sources and labels incorrectly because IDs differ between environments. This is a known issue.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When quarantine rules block the ICMP protocol, Path MTU Discovery can fail. If the endpoint sends a packet larger than the MTU that a router on the path allows, the router normally drops it and returns an ICMP message (Fragmentation Needed for IPv4, Packet Too Big for IPv6) telling the endpoint to use a smaller packet size. If that ICMP message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin, and you cannot download additional saved evidence until the initial download finishes or times out.
  • Live Response collections fail with a FileNotFoundError on any non-Amazon Linux endpoints running on ARM64 (aarch64) architecture. The taniumfiletransfer binary is not deployed to these endpoints.

Release Date: 13 May 2026

Important Notes

  • The output of the "Recorder - Extension Settings" sensor incorrectly wraps numeric return values so they appear as b'<value>'. A future release will correct the sensor to return the numeric values only. Update any action targeting that depends on this output so that actions are still targeted correctly after the wrapping is removed.

Improvements

  • Upgraded various third-party libraries to newer versions.

Fixes

  • Fixed an issue that caused rules to be incorrectly removed from a quarantine profile if the rules results table was filtered during filter creation.
  • Fixed an issue where profiles would incorrectly show the status "Need Deployment: Tools Change" when profiles did not require a re-deployment.

Known Issues

  • Detection configurations (and exports of profiles that include them) that you export from previous releases of Threat Response include only source and label IDs. When imported to a different environment, such exports map sources and labels incorrectly because IDs differ between environments. This is a known issue.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When quarantine rules block the ICMP protocol, Path MTU Discovery can fail. If the endpoint sends a packet larger than the MTU that a router on the path allows, the router normally drops it and returns an ICMP message (Fragmentation Needed for IPv4, Packet Too Big for IPv6) telling the endpoint to use a smaller packet size. If that ICMP message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Exported Detection configurations do not preserve YARA file and process size settings. This is a known issue that is on the Threat Response roadmap.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin, and you cannot download additional saved evidence until the initial download finishes or times out.

Release Date: 04 May 2026

Important Notes

  • The output of the "Recorder - Extension Settings" sensor incorrectly wraps numeric return values so they appear as b'<value>'. A future release will correct the sensor to return the numeric values only. Update any action targeting that depends on this output so that actions are still targeted correctly after the wrapping is removed.

Improvements

  • Upgraded various third-party libraries to newer versions.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When quarantine rules block the ICMP protocol, Path MTU Discovery can fail. If the endpoint sends a packet larger than the MTU that a router on the path allows, the router normally drops it and returns an ICMP message (Fragmentation Needed for IPv4, Packet Too Big for IPv6) telling the endpoint to use a smaller packet size. If that ICMP message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Settings section does not persist when the signal is created.
  • Live Response no longer works as intended for AWS S3 destinations whose configured host is only amazonaws.com. Use s3.amazonaws.com instead. Live Response now requires that S3 hosts use one of the following formats:
    • s3.amazonaws.com
    • s3-[region].amazonaws.com
    • s3.[region].amazonaws.com
    Any other host value that ends in amazonaws.com no longer works as intended. For hostnames that do not end in amazonaws.com, behavior is unchanged.
  • When an application reads certain files in the /sys and /proc filesystems on certain makes and models of Linux servers, it can cause the system to stop responding due to hardware conflicts. This issue can occur in Threat Response if you perform an on-demand scan using YARA intel. The issue does not affect background scans that use YARA intel, because the /sys and /proc filesystems are automatically excluded. Do not run on-demand scans using YARA files with a search scope of "/" or any other search scope that includes the /sys or /proc filesystems. In a future version of Endpoint Change Management Toolset, the /sys and /proc filesystems will be automatically excluded from on-demand scans. Because this issue originates outside of Threat Response, it affects this and all previously released versions.
  • When you edit YARA or STIX intel documents, the Threat Response workbench incorrectly suggests IOC terms as predictive text. This is a known issue and on the Threat Response roadmap.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin, and you cannot download additional saved evidence until the initial download finishes or times out.

Release Date: 29 April 2026

Important Notes

  • The output of the "Recorder - Extension Settings" sensor incorrectly wraps numeric return values so they appear as b'<value>'. A future release will correct the sensor to return the numeric values only. Update any action targeting that depends on this output so that actions are still targeted correctly after the wrapping is removed.

New Features

  • Use Threat Navigator to run hypothesis-based hunts that use signal and IOC syntax and enable you to refine queries and save items of interest for future reference. Threat Navigator enables you to search for artifacts on endpoints and to test and develop intel across the following sources without creating alerts:
    • Historical data captured by the recorder
    • File index data at rest
    • Live data from the recorder for any legitimate signal or IOC intel document
    You can tune intel definitions, iterate on search strategies, and eliminate uninteresting results so that you can focus on more interesting findings. For more information, see the Threat Response User Guide.

Improvements

  • Upgraded various third-party libraries to newer versions.

Fixes

  • Fixed an issue that prevented navigating up the process tree ancestry in Threat Response > Direct Connect.
  • Made corrections to the Threat Response API documentation for Reactions.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When quarantine rules block the ICMP protocol, Path MTU Discovery can fail. If the endpoint sends a packet larger than the MTU that a router on the path allows, the router normally drops it and returns an ICMP message (Fragmentation Needed for IPv4, Packet Too Big for IPv6) telling the endpoint to use a smaller packet size. If that ICMP message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Settings section does not persist when the signal is created.
  • Live Response no longer works as intended for AWS S3 destinations whose configured host is only amazonaws.com. Use s3.amazonaws.com instead. Live Response now requires that S3 hosts use one of the following formats:
    • s3.amazonaws.com
    • s3-[region].amazonaws.com
    • s3.[region].amazonaws.com
    Any other host value that ends in amazonaws.com no longer works as intended. For hostnames that do not end in amazonaws.com, behavior is unchanged.
  • When an application reads certain files in the /sys and /proc filesystems on certain makes and models of Linux servers, it can cause the system to stop responding due to hardware conflicts. This issue can occur in Threat Response if you perform an on-demand scan using YARA intel. The issue does not affect background scans that use YARA intel, because the /sys and /proc filesystems are automatically excluded. Do not run on-demand scans using YARA files with a search scope of "/" or any other search scope that includes the /sys or /proc filesystems. In a future version of Endpoint Change Management Toolset, the /sys and /proc filesystems will be automatically excluded from on-demand scans. Because this issue originates outside of Threat Response, it affects this and all previously released versions.
  • When you edit YARA or STIX intel documents, the Threat Response workbench incorrectly suggests IOC terms as predictive text. This is a known issue and on the Threat Response roadmap.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin, and you cannot download additional saved evidence until the initial download finishes or times out.
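The S3 host requirement listed in the Known Issues above (here and in the 04 May notes) is easy to check mechanically before a Live Response collection silently fails. The following added example (not Tanium's code) classifies each configured Live Response destination host as supported, unsupported, or outside amazonaws.com, and lists the ones that need to change. The region character set, acceptance of a full URL in place of a bare host, and the function names are assumptions made for the example.

```python
"""Check Live Response AWS S3 destination hosts against the accepted formats.

Added example, not Tanium code. The three accepted host patterns come from
the release note; the region character set (lowercase letters, digits and
hyphens) and the handling of full URLs are assumptions.
"""
import re
from urllib.parse import urlparse

# s3.amazonaws.com, s3-<region>.amazonaws.com, s3.<region>.amazonaws.com
_ACCEPTED_S3_HOST = re.compile(r"^s3(?:[-.][a-z0-9-]+)?\.amazonaws\.com$")


def normalize_host(value: str) -> str:
    """Reduce a configured destination value to a bare, lower-case hostname."""
    value = value.strip()
    if "://" in value:  # assumption: some configurations store a full URL
        value = urlparse(value).hostname or ""
    return value.lower().rstrip(".")


def classify_s3_host(value: str) -> str:
    """Classify one configured destination host.

    'supported'     - matches an accepted amazonaws.com format
    'unsupported'   - ends in amazonaws.com but does not match; Live Response
                      will not work as intended (for example bare amazonaws.com
                      or a virtual-hosted bucket.s3.amazonaws.com name)
    'not-amazonaws' - any other host; behavior is unchanged
    """
    host = normalize_host(value)
    if host != "amazonaws.com" and not host.endswith(".amazonaws.com"):
        return "not-amazonaws"
    return "supported" if _ACCEPTED_S3_HOST.match(host) else "unsupported"


SUGGESTED_FIX = "use s3.amazonaws.com or s3.<region>.amazonaws.com"


def audit_destinations(hosts):
    """Return (configured value, suggested fix) for each host that must change."""
    return [(h, SUGGESTED_FIX) for h in hosts if classify_s3_host(h) == "unsupported"]


if __name__ == "__main__":
    # Constructed sample configuration values, not taken from a real tenant.
    sample = [
        "s3.amazonaws.com",
        "https://s3.us-east-1.amazonaws.com/evidence-bucket",
        "amazonaws.com",
        "evidence.s3.amazonaws.com",
        "minio.corp.example",
    ]
    for host in sample:
        print(f"{host:55} {classify_s3_host(host)}")
    print("needs change:", audit_destinations(sample))
```

Hosts that do not end in amazonaws.com are deliberately reported as unchanged rather than as errors, matching the note; the check is about the accepted AWS formats, not about whether the destination itself is reachable.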

Release Date: 28 April 2026

Security Updates

Release Date: 8 April 2026

Important Notes

  • The output of the "Recorder - Extension Settings" sensor incorrectly wraps numeric return values so they appear as b'<value>'. A future release will correct the sensor to return the numeric values only. Update any action targeting that depends on this output so that actions are still targeted correctly after the wrapping is removed.

New Features

  • Threat Response profiles can now include multiple Stream configurations.
  • Added support for JSON over TCP to be natively configured as a Stream destination from within the Threat Response workbench. Previously, this required a custom configuration. The JSON destination can optionally transmit data over TLS (Transport Layer Security). This encrypts the data in transit and, provided the destination certificate is validated, authenticates the receiver to the sender.
  • Added support for Local File to be natively configured as a Stream destination from within the Threat Response workbench. Previously, this required a custom configuration.

Security Updates

Improvements

  • Updated strings in the Threat Response workbench and user guide to reflect updated Tanium Ask terminology.
  • Added Tanium Ask enrichment to DLL and registry data within Threat Response Alert details.
  • Made improvements to the ability of Tanium Ask to find alerts based on event types.
  • Renamed the Status column on the Intel page of the Threat Response workbench to Safeguard Status to properly reflect the status being reported.
  • Made improvements to correct Stream configurations with invalid TLS properties.
  • Made improvements to the Threat Response API documentation.

Fixes

  • Fixed an issue that could cause Saved Evidence to upload multiple times during an error scenario.
  • Fixed an issue where alerts with long process ancestry paths could cause alerts to not display in suppression rule previews.
  • Fixed an issue where clearing the Session Token value for a Dynamic Amazon AWS S3 destination while creating a Live Response Action could prevent the action from successfully creating.
  • Fixed an issue that could cause saved evidence to become corrupted during download when the file size was over certain file limits in Azure environments.
  • Fixed an issue that could cause the Dynamic Amazon AWS S3 Configuration destination option to not be available when creating a Live Response action.
  • Fixed an issue that could prevent the Message Format field of a Syslog Stream configuration from being cleared.
  • Fixed an issue that could cause the Threat Response Workbench to crash if an alert was deleted while the Alert Details side panel was open.
  • Fixed an issue where the Signal Builder would incorrectly display a signal definition originally authored with the Text Editor if the definition contained multiple instances of the same term (for example, process.path).
  • Fixed an issue that could cause the Threat Response workbench to crash while searching for profiles.
  • Fixed an issue that could result in incorrect counts for Alerts if Tanium Ask was queried for Alerts within a defined timeframe.
  • Fixed an issue in Alert Summarization where Tanium Ask would not display the decoded PowerShell parameter.
  • Fixed an issue that could cause a Splunk HEC Stream destination URL to incorrectly fail validation when creating or editing a Stream configuration.
  • Fixed an issue that could allow Alert Enrichment details to appear outside of the Alert details panel in Direct Connect.
  • Fixed an issue where Tanium Ask could unnecessarily attempt to find additional OS categories during Alert Summarization.
  • Fixed an issue that could cause Tanium Ask to fail to get Alerts count by Intel ID.
  • Fixed an issue that could cause Syslog Stream configurations to incorrectly reference TLS parameters when the configuration was not TLS enabled.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when a packet sent by the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and advise lowering the permissible MTU size. If that negotiation packet cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive. The endpoint remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Settings section does not persist when the signal is created.
  • For any AWS S3 destinations configured with amazonaws.com as the provided host, Live Response will no longer work as intended. Use s3.amazonaws.com as opposed to only amazonaws.com. Live Response now requires that S3 URLs be in the following formats:
    • s3.amazonaws.com
    • s3-[region].amazonaws.com
    • s3.[region].amazonaws.com
  • Any host value not of the above formats will no longer work as intended. For any hostnames that do not end in amazonaws.com, behavior is unchanged.
  • When an application reads certain files in /sys and /proc filesystems on certain makes and models of Linux servers, it can cause the system to stop responding due to hardware conflicts. This issue can occur in Threat Response if you perform an on-demand scan using YARA intel. The issue does not affect background scans that use YARA intel, because /sys and /proc filesystems are automatically excluded. Do not run on-demand scans using YARA files with a search scope of "/" or any other search scope that includes the /sys or /proc filesystems. In a future version of Endpoint Change Management Toolset, the /sys and /proc filesystems will be automatically excluded from on-demand scans. Because this issue originates outside of Threat Response, it affects this and all previously released versions.
  • When you edit YARA or STIX intel documents the Threat Response workbench suggests IOC terms for predictive text. This is a known issue and on the Threat Response roadmap.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin, and you cannot download additional saved evidence until the initial download completes or times out.
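The Live Response S3 host requirement in the Known Issues above (the same item appears in the Known Issues of every release on this page) is easy to check before a destination is saved. The following is an added example written for this page, not Tanium code: it classifies each configured destination host as one of the accepted formats, an amazonaws.com host that needs to be corrected, or a non-AWS host whose behavior the note says is unchanged. The region syntax (lowercase letters, digits, hyphens), the acceptance of full URLs, and the sample destination names are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Accepted host formats from the release note:
#   s3.amazonaws.com, s3-[region].amazonaws.com, s3.[region].amazonaws.com
# The region syntax (lowercase letters, digits, hyphens) is an assumption; the
# region value itself is not checked against a list of real AWS regions.
_REGION = r"[a-z0-9][a-z0-9-]*"
_ACCEPTED = re.compile(rf"^s3(?:[.-]{_REGION})?\.amazonaws\.com$")


def extract_host(value: str) -> str:
    """Reduce a configured destination value to a bare, lower-case host name."""
    value = value.strip()
    if "://" in value:
        # A full URL was given: keep the host part only (port and path are ignored).
        value = urlsplit(value).hostname or ""
    return value.lower().rstrip(".")


def classify_s3_host(value: str) -> str:
    """'ok' (accepted format), 'needs-fix' (other amazonaws.com host), or 'non-aws'."""
    host = extract_host(value)
    if host == "amazonaws.com" or host.endswith(".amazonaws.com"):
        return "ok" if _ACCEPTED.match(host) else "needs-fix"
    return "non-aws"  # release note: behavior unchanged for hosts not under amazonaws.com


def suggested_host(value: str) -> Optional[str]:
    """Only the bare-host case has an unambiguous replacement named in the release note."""
    if extract_host(value) == "amazonaws.com":
        return "s3.amazonaws.com"
    return None


def audit_destinations(destinations: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (destination name, status) for every configured Live Response destination."""
    return [(name, classify_s3_host(host)) for name, host in sorted(destinations.items())]


# Constructed sample destinations (names and hosts are illustrative, not real configuration).
SAMPLE_DESTINATIONS = {
    "evidence-us": "s3.us-east-1.amazonaws.com",
    "evidence-eu": "https://s3-eu-west-1.amazonaws.com/evidence-bucket",
    "legacy": "amazonaws.com",
    "virtual-hosted": "evidence-bucket.s3.amazonaws.com",
    "on-prem": "minio.internal.example",
}

if __name__ == "__main__":
    for name, status in audit_destinations(SAMPLE_DESTINATIONS):
        fix = suggested_host(SAMPLE_DESTINATIONS[name])
        print(f"{name}: {status}" + (f" (use {fix})" if fix else ""))
```

A virtual-hosted-style host such as `bucket.s3.amazonaws.com` is reported as `needs-fix` on purpose: it ends in amazonaws.com but is not one of the three listed formats, which is exactly the case the note says will no longer work as intended.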

Release Date: 12 March 2026

Important Notes

  • The output of the "Recorder - Extension Settings" sensor incorrectly wraps numeric return values so they appear as b'<value>'. In a future release this will be corrected to return the numeric values only. Update any targeting of actions that you have in place to ensure that actions are targeted correctly when this output has been removed.
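Because the note above says the b'<value>' wrapping will disappear in a future release, any action targeting that compares the raw sensor string will break on one side of that change. The following is an added example for this page, not Tanium code: it normalizes a "Recorder - Extension Settings" value so that `b'1024'` and `1024` compare equal, and leaves non-numeric payloads alone. Accepting double-quoted `b"<value>"` and surrounding whitespace, and the setting name and endpoint names in the sample rows, are assumptions.

```python
import re
from typing import Dict, List, Optional

# The release note says numeric return values currently appear as b'<value>'
# and will later be returned as plain numbers. Both shapes are handled so that
# targeting gives the same answer before and after the change. Accepting
# b"<value>" (double quotes) and surrounding whitespace is a defensive
# assumption, not something the release note states.
_WRAPPED = re.compile(r"^b(['\"])(.*)\1$", re.DOTALL)
_NUMERIC = re.compile(r"^[+-]?\d+$")


def unwrap_sensor_value(raw: str) -> str:
    """Return the payload of a b'...'-wrapped value, or the trimmed value unchanged."""
    text = raw.strip()
    match = _WRAPPED.match(text)
    return match.group(2) if match else text


def parse_numeric_setting(raw: str) -> Optional[int]:
    """Parse a setting to int whether or not it is wrapped; None when not numeric."""
    payload = unwrap_sensor_value(raw)
    return int(payload) if _NUMERIC.match(payload) else None


def setting_matches(raw: str, expected: int) -> bool:
    """Targeting predicate that is stable across the current and future output formats."""
    return parse_numeric_setting(raw) == expected


def select_endpoints(rows: List[Dict[str, str]], setting: str, expected: int) -> List[str]:
    """Return the endpoint names whose sensor row has `setting` equal to `expected`."""
    return [row["endpoint"] for row in rows if setting_matches(row.get(setting, ""), expected)]


# Constructed sample rows mixing the current wrapped form and the future plain form.
# The setting name and endpoint names are illustrative, not real sensor output.
SAMPLE_ROWS = [
    {"endpoint": "host-a", "Max Process Events": "b'50000'"},
    {"endpoint": "host-b", "Max Process Events": "50000"},
    {"endpoint": "host-c", "Max Process Events": "b'25000'"},
    {"endpoint": "host-d", "Max Process Events": "b'unlimited'"},
]

if __name__ == "__main__":
    print(select_endpoints(SAMPLE_ROWS, "Max Process Events", 50000))
```

An unterminated wrapper such as `b'1024` is deliberately not treated as numeric: the helper only unwraps a complete `b'...'` pair, so malformed output is surfaced as a non-match rather than silently coerced.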

New Features

  • Provides the ability to use Transport Layer Security (TLS) for both Splunk HEC and ELK destinations, so that data is transmitted to the destination over a secure Syslog over TLS connection. This ensures that the data is encrypted and authenticated between the sender and the receiver.
  • Added support for TCP Syslog to be natively configured as a Stream destination from within the Threat Response workbench. Previously, this required a custom configuration. The Syslog destination can optionally be configured to use a secure connection that transmits data to the destination over TLS (Transport Layer Security). This ensures that the data is encrypted and authenticated between the sender and the receiver.

Security Update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Community site, or by contacting support.

Improvements

  • Added the ability to store file version information, signature data, and magic number for indexed files in the Tanium Index database.
  • Added support for the FileItem, PEInfo, VersionInfoList, and VersionInfoItem IOC indicators in the IOC builder.
  • Upgraded various third-party libraries to newer versions.
  • Added support for dns_query.query and updated the intel definition validation in the Threat Response workbench for Signal Editor.
  • Improved visual markers in the IOC and Signal Text Editors for line numbers with invalid syntax.
  • Added a new tooltip to the Details field of Audit Log > System Notifications to properly indicate that utilizing the filter will match any criteria contained within the notification's expanded details.
  • Added retry attempts to ensure that the deletion of saved evidence completes, so that disk space is properly reclaimed.
  • Made improvements and corrections to the Threat Response API Documentation for Response Actions API routes.

Fixes

  • Updated the "Summarize" button label to "Analyze", and the "Show Insights" button to "Enrich" to better reflect the broad range of Tanium Ask functionality.
  • Updated strings in the Threat Response workbench and user guide to reflect updated Tanium Ask terminology.
  • Fixed an issue where clearing the Session Token value for a Dynamic Amazon AWS S3 destination while creating a Live Response Action could prevent the action from successfully creating.
  • Fixed an issue that could cause the Dynamic Amazon AWS S3 Configuration destination option to not be available when creating a Live Response action.
  • Fixed an issue where alerts with long process ancestry paths could cause alerts to not display in suppression rule previews.
  • Fixed an issue that occurred during the creation and configuration of new Splunk Stream destinations that resulted in an invalid Authorization header and could cause authentication issues for the destination.
  • Fixed an issue that could cause saved evidence to become corrupted during download when the file size was over certain file limits in Azure environments.
  • Fixed an issue that could cause the Threat Response Workbench to crash if an alert was deleted while the Alert Details side panel was open.
  • Fixed an issue where clicking "Generate Packages" in Quarantine workbench could incorrectly overwrite taniumquarantine.dat.
  • Fixed an issue that caused multiple CTRL+Z keyboard actions to be needed before an Undo action would take place in the Signal and IOC Text Editors.
  • Fixed an issue in the Direct Connect > Security tab where the event count would not always properly reflect the correct count.
  • Fixed an issue where the Expanded View for the Signals Text Editor was not displaying initially.
  • Fixed an issue where Magic Number was not being correctly included in an Index configuration when only MD5 hashes were selected.
  • Fixed an issue that caused an error when adding a group to an IOC document during creation or when modifying an existing IOC document to add a grouping.
  • Fixed an issue in the Intel > On-Demand Scans tab that could cause custom sorting to be lost during tab navigation.
  • Fixed an issue in the Intel > Suppression Rules tab that could cause custom sorting to be lost during tab navigation.
  • Fixed an issue where the Ask agent would incorrectly inform the user that it was able to group Alerts by timeframe.
  • Fixed an issue where AutoRuns sensors were incorrectly using a case-sensitive lookup causing some data to be excluded.
  • Fixed an issue where Format and Message Format were incorrectly displayed as configuration options for the Sentinel CEF Stream destination type when configuring.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when a packet sent by the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and advise lowering the permissible MTU size. If that negotiation packet cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive. The endpoint remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Settings section does not persist when the signal is created.
  • For any AWS S3 destinations configured with amazonaws.com as the provided host, Live Response will no longer work as intended. Use s3.amazonaws.com as opposed to only amazonaws.com. Live Response now requires that S3 URLs be in the following formats:
    • s3.amazonaws.com
    • s3-[region].amazonaws.com
    • s3.[region].amazonaws.com
  • Any host value not of the above formats will no longer work as intended. For any hostnames that do not end in amazonaws.com, behavior is unchanged.
  • When an application reads certain files in /sys and /proc filesystems on certain makes and models of Linux servers, it can cause the system to stop responding due to hardware conflicts. This issue can occur in Threat Response if you perform an on-demand scan using YARA intel. The issue does not affect background scans that use YARA intel, because /sys and /proc filesystems are automatically excluded. Do not run on-demand scans using YARA files with a search scope of "/" or any other search scope that includes the /sys or /proc filesystems. In a future version of Endpoint Change Management Toolset, the /sys and /proc filesystems will be automatically excluded from on-demand scans. Because this issue originates outside of Threat Response, it affects this and all previously released versions.
  • When you edit YARA or STIX intel documents the Threat Response workbench suggests IOC terms for predictive text. This is a known issue and on the Threat Response roadmap.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin, and you cannot download additional saved evidence until the initial download completes or times out.
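The /sys and /proc known issue above (repeated in the Known Issues of every release on this page) is a pre-flight check rather than something to discover on a hung server. The following is an added example written for this page, not Tanium code: it decides, purely lexically and without touching the filesystem, whether a proposed on-demand scan scope is `/`, is one of the excluded pseudo-filesystems, or lies under one, including scopes that reach them through `..` or doubled slashes. Treating relative scopes as unsafe and the sample scope list are assumptions.

```python
import posixpath
from typing import Iterable, List, Tuple

# Pseudo-filesystems that the release note says an on-demand YARA scan scope
# must not include (background scans already exclude them automatically).
EXCLUDED_ROOTS = ("/sys", "/proc")


def normalize_scope(scope: str) -> str:
    """Resolve '.', '..' and repeated slashes lexically, without touching the disk."""
    norm = posixpath.normpath(scope.strip() or "/")
    # posixpath.normpath preserves a leading '//' (POSIX gives it special
    # meaning); collapse it so that '//proc' is recognised as '/proc'.
    return "/" + norm.lstrip("/") if norm.startswith("/") else norm


def scope_touches_excluded(scope: str) -> bool:
    """True when the scope is '/', is relative, or is/lies under /sys or /proc."""
    norm = normalize_scope(scope)
    if not norm.startswith("/"):
        return True  # relative scopes are ambiguous; treated as unsafe (assumption)
    if norm == "/":
        return True  # the root contains every mounted pseudo-filesystem
    return any(norm == root or norm.startswith(root + "/") for root in EXCLUDED_ROOTS)


def check_scan_scopes(scopes: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split proposed scopes into (safe, rejected) before an on-demand scan is launched."""
    safe: List[str] = []
    rejected: List[str] = []
    for scope in scopes:
        (rejected if scope_touches_excluded(scope) else safe).append(scope)
    return safe, rejected


# Constructed sample scopes, including forms that hide the pseudo-filesystem.
SAMPLE_SCOPES = [
    "/opt/app", "/", "/sys", "/proc/1", "/var/../../proc",
    "//proc", "/sys2", "/etc/../sys/kernel",
]

if __name__ == "__main__":
    safe, rejected = check_scan_scopes(SAMPLE_SCOPES)
    print("safe:", safe)
    print("rejected:", rejected)
```

The check is lexical only: a symlink or bind mount elsewhere in the tree that points into /sys or /proc is not detected, so a scope that passes this check still needs to be one that is known not to traverse such mounts.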

Release Date: 23 February 2026

Important Notes

  • The output of the "Recorder - Extension Settings" sensor incorrectly wraps numeric return values so they appear as b'<value>'. In a future release this will be corrected to return the numeric values only. Update any targeting of actions that you have in place to ensure that actions are targeted correctly when this output has been removed.

Improvements

  • Provides the ability to Continue in Tanium Ask to conduct more research and prompt follow-on questions on the alert artifact enriched within the Threat Response workbench.
  • Upgraded various third-party libraries to newer versions.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when a packet sent by the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and advise lowering the permissible MTU size. If that negotiation packet cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive. The endpoint remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Settings section does not persist when the signal is created.
  • For any AWS S3 destinations configured with amazonaws.com as the provided host, Live Response will no longer work as intended. Use s3.amazonaws.com as opposed to only amazonaws.com. Live Response now requires that S3 URLs be in the following formats:
    • s3.amazonaws.com
    • s3-[region].amazonaws.com
    • s3.[region].amazonaws.com
  • Any host value not of the above formats will no longer work as intended. For any hostnames that do not end in amazonaws.com, behavior is unchanged.
  • When an application reads certain files in /sys and /proc filesystems on certain makes and models of Linux servers, it can cause the system to stop responding due to hardware conflicts. This issue can occur in Threat Response if you perform an on-demand scan using YARA intel. The issue does not affect background scans that use YARA intel, because /sys and /proc filesystems are automatically excluded. Do not run on-demand scans using YARA files with a search scope of "/" or any other search scope that includes the /sys or /proc filesystems. In a future version of Endpoint Change Management Toolset, the /sys and /proc filesystems will be automatically excluded from on-demand scans. Because this issue originates outside of Threat Response, it affects this and all previously released versions.
  • When you edit YARA or STIX intel documents the Threat Response workbench suggests IOC terms for predictive text. This is a known issue and on the Threat Response roadmap.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin, and you cannot download additional saved evidence until the initial download completes or times out.

Release Date: 29 January 2026

Important Notes

  • The output of the "Recorder - Extension Settings" sensor incorrectly wraps numeric return values so they appear as b'<value>'. In a future release this will be corrected to return the numeric values only. Update any targeting of actions that you have in place to ensure that actions are targeted correctly when this output has been removed.

New Features

  • Provides the ability to use Tanium Autonomous IT to generate alert summaries, artifact enrichment, and to streamline the incident response process.
    • You can view contextual content in the Threat Response workbench to minimize the need to conduct external research to gather information about artifacts that are indicated by alerts and their implications or potential impacts. For a given alert and processes in the ancestry for the alert, process path and name, process command line, DLL name, and registry path are fields that can display data enrichment.
    • Click any artifact or event that displays the enrichment icon to view a detailed description, expected uses, functionality, and if there are known malicious uses.
    • Click Explore in Tanium Ask to conduct more research in Tanium Ask and prompt follow-on questions to guide potential actions to take.

Improvements

  • Updated the Threat Response documentation to remove references to unsupported IOC indicators: SystemInfoItem/OS and SystemInfoItem/BuildNumber.
  • Updated the IOC and Signal Builders to support various FileItem/PeInfo/ImportedModules indicators while building intel definitions.
  • Updated the default operator when creating intel via the Signal and IOC Builders to 'AND'.

Fixes

  • Fixed an error that could cause the Process Tree to crash while navigating nodes that were still loading.
  • Fixed an issue where signal definitions could display paths differently than the editor or API.
  • Fixed an issue where validation errors would not properly clear when creating a new Filter Definition.
  • Fixed an issue that could cause Remediate in Enforce actions to be unviewable in the Enforce workbench.
  • Fixed an issue where the Audit Logs export was being limited to 1000 entries when it should have exported all entries.
  • Updated tooltip for On-Demand Scans to properly reflect when a computer group has been deleted.
  • Fixed an issue where some sensors did not properly indicate their platform with icons in the Enterprise Hunting section of the Threat Response workbench.
  • Fixed an issue that could cause the Threat Response workbench to crash while reordering profiles in Profile Prioritization.
  • Fixed an issue where the default filename for audit log exports was incorrect.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when a packet sent by the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and advise lowering the permissible MTU size. If that negotiation packet cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive. The endpoint remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Settings section does not persist when the signal is created.
  • For any AWS S3 destinations configured with amazonaws.com as the provided host, Live Response will no longer work as intended. Use s3.amazonaws.com as opposed to only amazonaws.com. Live Response now requires that S3 URLs be in the following formats:
    • s3.amazonaws.com
    • s3-[region].amazonaws.com
    • s3.[region].amazonaws.com
  • Any host value not of the above formats will no longer work as intended. For any hostnames that do not end in amazonaws.com, behavior is unchanged.
  • When an application reads certain files in /sys and /proc filesystems on certain makes and models of Linux servers, it can cause the system to stop responding due to hardware conflicts. This issue can occur in Threat Response if you perform an on-demand scan using YARA intel. The issue does not affect background scans that use YARA intel, because /sys and /proc filesystems are automatically excluded. Do not run on-demand scans using YARA files with a search scope of "/" or any other search scope that includes the /sys or /proc filesystems. In a future version of Endpoint Change Management Toolset, the /sys and /proc filesystems will be automatically excluded from on-demand scans. Because this issue originates outside of Threat Response, it affects this and all previously released versions.
  • When you edit YARA or STIX intel documents the Threat Response workbench suggests IOC terms for predictive text. This is a known issue and on the Threat Response roadmap.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin, and you cannot download additional saved evidence until the initial download completes or times out.

Release Date: 17 December 2025

Important Notes

  • The output of the "Recorder - Extension Settings" sensor incorrectly wraps numeric return values so they appear as b'<value>'. In a future release this will be corrected to return the numeric values only. Update any targeting of actions that you have in place to ensure that actions are targeted correctly when this output has been removed.
  • Removed unexpected fields from the Profiles API. If you require one or more of the fields that were removed, contact Tanium Support. To contact Tanium Support for help, sign in to the Tanium Customer Community (https://community.tanium.com/s/contactsupport).

Improvements

  • Updated "File Handle Details" sensor to support Linux content.
  • Updated the Signal Editor to now display inline comments within the Editor itself.
  • Improved error messaging when canceling an IOC import.
  • Updated the default behavior when creating IOC documents via the IOC Editor to define Tanium Threat Response as the document author.
  • Updated the process of creating an IOC definition to allow a user to switch to the Text Editor view when there are unsupported indicators in the IOC Builder. Previously, the user was required to remove unsupported indicators and re-add them via the Text Editor.
  • Improved translations in the Threat Response workbench.
  • Added an icon to Intel Documents to indicate that the document is currently set to run in Audit mode.
  • Made an improvement to data tables in the Threat Response workbench to prevent changes to the visibility or positioning of the 'Actions' column, for consistency.
  • Removed licensing checks from the Threat Response workbench and service. Licensing is now addressed at a global module level.

Fixes

  • Fixed an issue where Live Response incorrectly required both an account key and a SAS token when creating an Azure destination.
  • Fixed the default sorting and sorting indicators on the Enterprise Hunting table in the Threat Response workbench.
  • Fixed the default sorting and sorting indicators on the Saved Evidence table in the Threat Response workbench.
  • Fixed a compatibility issue with Illumio that affected Linux endpoints and caused the Is Quarantined sensor to generate false tampering alerts in Illumio.
  • Fixed an issue that could cause UTF-8 inputs to fail validation in the Live Response > Create Script modal.
  • Fixed an issue that prevented Saved Evidence from being downloaded without a browser refresh if a snapshot collection finished while the Saved Evidence page was being viewed.
  • Fixed an issue that would cause alert links sent via Connect to occasionally redirect to the Tanium home page rather than the alert details.
  • Fixed an issue that could cause IOC definitions to fail to display in the IOC Builder when certain UTF-8 characters were present in the definition.
  • Fixed an issue that could cause duplicate alerts to be sent out to Connect.
  • Fixed an issue that caused inconsistent display behaviors in the Text Editor view of the Signal Builder.
  • Updated the tooltip and prompt text for the "Trace Registry Keys and Values" sensor to properly reflect the available Operation parameters.
  • Fixed an issue in the Process Tree Event table that incorrectly displayed "Time (UTC)" values with a Z suffix.
  • Updated the "Remediate in Enforce" tooltip shown when Enforce isn't installed.
  • Fixed an issue that would remove the hyperlinks from file names and folders when editing columns in the File Browser table.
  • Improved translations for the Japanese language Intel-Support document.
  • Made improvements to the Threat Response API documentation.
  • Fixed an issue that could cause the page to crash when editing a profile that has no stream configuration.
  • Fixed an issue where the indicator 'UserId' had two selectable options when building a 'ProcessItem' IOC indicator in the IOC builder.
  • Fixed an issue that could prevent the usage of spaces initially when creating Signals using the Text Editor.
  • Fixed an issue that could cause UTF-8 inputs to fail to be decoded in the Decode Editor.
  • Added ability to filter by alert count minimum and maximum when adding labels to intel.
  • Fixed an issue with the GET /profiles route where the data was missing in certain cases.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when a packet sent by the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and advise lowering the permissible MTU size. If that negotiation packet cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive. The endpoint remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Settings section does not persist when the signal is created.
  • For any AWS S3 destinations configured with amazonaws.com as the provided host, Live Response will no longer work as intended. Use s3.amazonaws.com as opposed to only amazonaws.com. Live Response now requires that S3 URLs be in the following formats:
    • s3.amazonaws.com
    • s3-[region].amazonaws.com
    • s3.[region].amazonaws.com
  • Any host value not of the above formats will no longer work as intended. For any hostnames that do not end in amazonaws.com, behavior is unchanged.
  • When an application reads certain files in /sys and /proc filesystems on certain makes and models of Linux servers, it can cause the system to stop responding due to hardware conflicts. This issue can occur in Threat Response if you perform an on-demand scan using YARA intel. The issue does not affect background scans that use YARA intel, because /sys and /proc filesystems are automatically excluded. Do not run on-demand scans using YARA files with a search scope of "/" or any other search scope that includes the /sys or /proc filesystems. In a future version of Endpoint Change Management Toolset, the /sys and /proc filesystems will be automatically excluded from on-demand scans. Because this issue originates outside of Threat Response, it affects this and all previously released versions.
  • When you edit YARA or STIX intel documents the Threat Response workbench suggests IOC terms for predictive text. This is a known issue and on the Threat Response roadmap.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin, and you cannot download additional saved evidence until the initial download completes or times out.
  • Signal definitions can display paths differently than the editor or API. For example, a signal definition tab displays C:\test, but when editing the signal definition, the editor displays C:\\test.

Release Date: 08 December 2025

Important Notes

  • The output of the "Recorder - Extension Settings" sensor incorrectly wraps numeric return values so they appear as b'<value>'. In a future release this will be corrected to return the numeric values only. Update any targeting of actions that you have in place to ensure that actions are targeted correctly when this output has been removed.

Improvements

  • Upgraded various third-party libraries to newer versions.

Fixes

  • Fixed an issue that caused Reputation On-Demand Scans to no longer be configurable. Reputation On-Demand Scan Computer Group and Subscription Interval are now configurable in the Threat Response Overview settings.
  • Fixed an issue that caused network-based alerts to fail to display their details correctly in some cases.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when a packet sent by the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and advise lowering the permissible MTU size. If that negotiation packet cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive. The endpoint remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Settings section does not persist when the signal is created.
  • For any AWS S3 destinations configured with amazonaws.com as the provided host, Live Response will no longer work as intended. Use s3.amazonaws.com as opposed to only amazonaws.com. Live Response now requires that S3 URLs be in the following formats:
    • s3.amazonaws.com
    • s3-[region].amazonaws.com
    • s3.[region].amazonaws.com
  • Any host value that does not match one of the above formats will no longer work as intended. For any hostnames that do not end in amazonaws.com, behavior is unchanged.
  • When an application reads certain files in /sys and /proc filesystems on certain makes and models of Linux servers, it can cause the system to stop responding due to hardware conflicts. This issue can occur in Threat Response if you perform an on-demand scan using YARA intel. The issue does not affect background scans that use YARA intel, because /sys and /proc filesystems are automatically excluded. Do not run on-demand scans using YARA files with a search scope of "/" or any other search scope that includes the /sys or /proc filesystems. In a future version of Endpoint Change Management Toolset, the /sys and /proc filesystems will be automatically excluded from on-demand scans. Because this issue originates outside of Threat Response, it affects this and all previously released versions.
  • When you edit YARA or STIX intel documents, the Threat Response workbench suggests IOC terms for predictive text. This is a known issue and on the Threat Response roadmap.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin, and you cannot download additional saved evidence until the initial download stops or times out.

Release Date: 17 November 2025

Important Notes

  • The output of the "Recorder - Extension Settings" sensor incorrectly wraps numeric return values so they appear as b'<value>'. In a future release this will be corrected to return the numeric values only. Update any targeting of actions that you have in place to ensure that actions are targeted correctly when this output has been removed.

Improvements

  • Upgraded various third-party libraries to newer versions.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when the size of the MTU packet on the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint indicating that the packet is too large and advising it to lower the permissible MTU size. If the negotiation packet cannot reach the destination because of the quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should be done only after proper testing.
  • The macOS Autoruns Sensor does not properly parse autorun information on macOS 13 Ventura due to a change by Apple in where this information is stored.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Settings section does not persist when the signal is created.
  • For any AWS S3 destinations configured with amazonaws.com as the provided host, Live Response will no longer work as intended. Use s3.amazonaws.com as opposed to only amazonaws.com. Live Response now requires that S3 URLs be in the following formats:
    • s3.amazonaws.com
    • s3-[region].amazonaws.com
    • s3.[region].amazonaws.com
  • Any host value that does not match one of the above formats will no longer work as intended. For any hostnames that do not end in amazonaws.com, behavior is unchanged.
  • When an application reads certain files in /sys and /proc filesystems on certain makes and models of Linux servers, it can cause the system to stop responding due to hardware conflicts. This issue can occur in Threat Response if you perform an on-demand scan using YARA intel. The issue does not affect background scans that use YARA intel, because /sys and /proc filesystems are automatically excluded. Do not run on-demand scans using YARA files with a search scope of "/" or any other search scope that includes the /sys or /proc filesystems. In a future version of Endpoint Change Management Toolset, the /sys and /proc filesystems will be automatically excluded from on-demand scans. Because this issue originates outside of Threat Response, it affects this and all previously released versions.
  • When you edit YARA or STIX intel documents, the Threat Response workbench suggests IOC terms for predictive text. This is a known issue and on the Threat Response roadmap.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin, and you cannot download additional saved evidence until the initial download stops or times out.

Release Date: 29 October 2025

Important Notes

  • The output of the "Recorder - Extension Settings" sensor incorrectly wraps numeric return values so they appear as b'<value>'. In a future release this will be corrected to return the numeric values only. Update any targeting of actions that you have in place to ensure that actions are targeted correctly when this output has been removed.

Improvements

  • Upgraded various third-party libraries to newer versions.

Fixes

  • Fixed an issue that required users to expand each row of data individually in the details section of the process tree view to view details.
  • Fixed an issue where YARA and STIX intel documents would incorrectly suggest IOC terms for autocomplete.
  • Fixed an issue where it was not possible to filter data by security events in the details tab of a direct connection.
  • Fixed an issue where when filtering by an empty hash in a Process filter in a direct connection, a value was required before the filter could be applied.
  • Fixed an issue in the API documentation for uploading snapshots.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when the size of the MTU packet on the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint indicating that the packet is too large and advising it to lower the permissible MTU size. If the negotiation packet cannot reach the destination because of the quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should be done only after proper testing.
  • The macOS Autoruns Sensor does not properly parse autorun information on macOS 13 Ventura due to a change by Apple in where this information is stored.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Settings section does not persist when the signal is created.
  • For any AWS S3 destinations configured with amazonaws.com as the provided host, Live Response will no longer work as intended. Use s3.amazonaws.com as opposed to only amazonaws.com. Live Response now requires that S3 URLs be in the following formats:
    • s3.amazonaws.com
    • s3-[region].amazonaws.com
    • s3.[region].amazonaws.com
  • Any host value that does not match one of the above formats will no longer work as intended. For any hostnames that do not end in amazonaws.com, behavior is unchanged.
  • When an application reads certain files in /sys and /proc filesystems on certain makes and models of Linux servers, it can cause the system to stop responding due to hardware conflicts. This issue can occur in Threat Response if you perform an on-demand scan using YARA intel. The issue does not affect background scans that use YARA intel, because /sys and /proc filesystems are automatically excluded. Do not run on-demand scans using YARA files with a search scope of "/" or any other search scope that includes the /sys or /proc filesystems. In a future version of Endpoint Change Management Toolset, the /sys and /proc filesystems will be automatically excluded from on-demand scans. Because this issue originates outside of Threat Response, it affects this and all previously released versions.
  • When you edit YARA or STIX intel documents, the Threat Response workbench suggests IOC terms for predictive text. This is a known issue and on the Threat Response roadmap.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin, and you cannot download additional saved evidence until the initial download stops or times out.

Release Date: 15 October 2025

Important Notes

  • The output of the "Recorder - Extension Settings" sensor incorrectly wraps numeric return values so they appear as b'<value>'. In a future release this will be corrected to return the numeric values only. Update any targeting of actions that you have in place to ensure that actions are targeted correctly when this output has been removed.

Improvements

  • Upgraded various third-party libraries to newer versions.

Fixes

  • Fixed an issue where the name of some existing Live Response destinations would not display.
  • Fixed an issue that prevented the duplication of a collection in Live Response.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when the size of the MTU packet on the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint indicating that the packet is too large and advising it to lower the permissible MTU size. If the negotiation packet cannot reach the destination because of the quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should be done only after proper testing.
  • The macOS Autoruns Sensor does not properly parse autorun information on macOS 13 Ventura due to a change by Apple in where this information is stored.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Settings section does not persist when the signal is created.
  • For any AWS S3 destinations configured with amazonaws.com as the provided host, Live Response will no longer work as intended. Use s3.amazonaws.com as opposed to only amazonaws.com. Live Response now requires that S3 URLs be in the following formats:
    • s3.amazonaws.com
    • s3-[region].amazonaws.com
    • s3.[region].amazonaws.com
  • Any host value that does not match one of the above formats will no longer work as intended. For any hostnames that do not end in amazonaws.com, behavior is unchanged.
  • When an application reads certain files in /sys and /proc filesystems on certain makes and models of Linux servers, it can cause the system to stop responding due to hardware conflicts. This issue can occur in Threat Response if you perform an on-demand scan using YARA intel. The issue does not affect background scans that use YARA intel, because /sys and /proc filesystems are automatically excluded. Do not run on-demand scans using YARA files with a search scope of "/" or any other search scope that includes the /sys or /proc filesystems. In a future version of Endpoint Change Management Toolset, the /sys and /proc filesystems will be automatically excluded from on-demand scans. Because this issue originates outside of Threat Response, it affects this and all previously released versions.
  • When you edit YARA or STIX intel documents, the Threat Response workbench suggests IOC terms for predictive text. This is a known issue and on the Threat Response roadmap.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin, and you cannot download additional saved evidence until the initial download stops or times out.

Release Date: 15 September 2025

Important Notes

  • The output of the "Recorder - Extension Settings" sensor incorrectly wraps numeric return values so they appear as b'<value>'. In a future release this will be corrected to return the numeric values only. Update any targeting of actions that you have in place to ensure that actions are targeted correctly when this output has been removed.

Fixes

  • Fixed an issue where attempting to duplicate Stream configurations for Chronicle or Splunk HEC destinations would fail.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when the size of the MTU packet on the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint indicating that the packet is too large and advising it to lower the permissible MTU size. If the negotiation packet cannot reach the destination because of the quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should be done only after proper testing.
  • The macOS Autoruns Sensor does not properly parse autorun information on macOS 13 Ventura due to a change by Apple in where this information is stored.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Settings section does not persist when the signal is created.
  • For any AWS S3 destinations configured with amazonaws.com as the provided host, Live Response will no longer work as intended. Use s3.amazonaws.com as opposed to only amazonaws.com. Live Response now requires that S3 URLs be in the following formats:
    • s3.amazonaws.com
    • s3-[region].amazonaws.com
    • s3.[region].amazonaws.com
  • Any host value that does not match one of the above formats will no longer work as intended. For any hostnames that do not end in amazonaws.com, behavior is unchanged.
  • When an application reads certain files in /sys and /proc filesystems on certain makes and models of Linux servers, it can cause the system to stop responding due to hardware conflicts. This issue can occur in Threat Response if you perform an on-demand scan using YARA intel. The issue does not affect background scans that use YARA intel, because /sys and /proc filesystems are automatically excluded. Do not run on-demand scans using YARA files with a search scope of "/" or any other search scope that includes the /sys or /proc filesystems. In a future version of Endpoint Change Management Toolset, the /sys and /proc filesystems will be automatically excluded from on-demand scans. Because this issue originates outside of Threat Response, it affects this and all previously released versions.
  • When you edit YARA or STIX intel documents, the Threat Response workbench suggests IOC terms for predictive text. This is a known issue and on the Threat Response roadmap.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin, and you cannot download additional saved evidence until the initial download stops or times out.

Release Date: 09 September 2025

Improvements

  • Upgraded various third-party libraries to newer versions.

Fixes

  • Fixed an issue with Stream configurations where defining a proxy port caused an error that prevented the profile from deploying.
  • Fixed an issue where custom Stream configurations caused errors when working with profiles.
  • Fixed an issue where a profile failed to deploy if a custom Stream configuration was associated with the profile.
  • Fixed a time conversion error in the created-at time for saved evidence.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when the size of the MTU packet on the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint indicating that the packet is too large and advising it to lower the permissible MTU size. If the negotiation packet cannot reach the destination because of the quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should be done only after proper testing.
  • The macOS Autoruns Sensor does not properly parse autorun information on macOS 13 Ventura due to a change by Apple in where this information is stored.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Settings section does not persist when the signal is created.
  • For any AWS S3 destinations configured with amazonaws.com as the provided host, Live Response will no longer work as intended. Use s3.amazonaws.com as opposed to only amazonaws.com. Live Response now requires that S3 URLs be in the following formats:
    • s3.amazonaws.com
    • s3-[region].amazonaws.com
    • s3.[region].amazonaws.com
  • Any host value that does not match one of the above formats will no longer work as intended. For any hostnames that do not end in amazonaws.com, behavior is unchanged.
  • When an application reads certain files in /sys and /proc filesystems on certain makes and models of Linux servers, it can cause the system to stop responding due to hardware conflicts. This issue can occur in Threat Response if you perform an on-demand scan using YARA intel. The issue does not affect background scans that use YARA intel, because /sys and /proc filesystems are automatically excluded. Do not run on-demand scans using YARA files with a search scope of "/" or any other search scope that includes the /sys or /proc filesystems. In a future version of Endpoint Change Management Toolset, the /sys and /proc filesystems will be automatically excluded from on-demand scans. Because this issue originates outside of Threat Response, it affects this and all previously released versions.
  • When you edit YARA or STIX intel documents, the Threat Response workbench suggests IOC terms for predictive text. This is a known issue and on the Threat Response roadmap.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin, and you cannot download additional saved evidence until the initial download stops or times out.

Release Date: 27 August 2025

Security Update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Community site, or by contacting support.

Improvements

  • Adds additional Deep Instinct data to the alert details views, including Threat type, Description, Executing user, Raw file type, Inner file type, Script path, Remote process path, Volume ID, Certificate owner, Certificate thumbprint, Logged in user, Process duration, and Ended on. These fields show values only if the alert received from Deep Instinct supplies them.
  • Adds a ransomware section to Deep Instinct alerts details for alerts where such data is available.
  • Adds process tree information for static events in the Deep Instinct alert details if such data is available.
  • Adds MITRE technique and ID data to Deep Instinct alert details for alerts where such data is available.
  • Adds a GUID to Deep Instinct alert details for alerts where such data is available.

Fixes

  • Fixed an issue where saved evidence from a snapshot or live connection would not always save the selected artifacts.
  • Fixed an issue where saving process data as evidence from snapshots or live connections would fail if a pruned or unknown process was included.
  • Fixed the ability to copy MITRE techniques from the alerts grid.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when the size of the MTU packet on the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint indicating that the packet is too large and advising it to lower the permissible MTU size. If the negotiation packet cannot reach the destination because of the quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should be done only after proper testing.
  • The macOS Autoruns Sensor does not properly parse autorun information on macOS 13 Ventura due to a change by Apple in where this information is stored.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Settings section does not persist when the signal is created.
  • For any AWS S3 destinations configured with amazonaws.com as the provided host, Live Response will no longer work as intended. Use s3.amazonaws.com as opposed to only amazonaws.com. Live Response now requires that S3 URLs be in the following formats:
    • s3.amazonaws.com
    • s3-[region].amazonaws.com
    • s3.[region].amazonaws.com
  • Any host value that does not match one of the above formats will no longer work as intended. For any hostnames that do not end in amazonaws.com, behavior is unchanged.
  • When an application reads certain files in /sys and /proc filesystems on certain makes and models of Linux servers, it can cause the system to stop responding due to hardware conflicts. This issue can occur in Threat Response if you perform an on-demand scan using YARA intel. The issue does not affect background scans that use YARA intel, because /sys and /proc filesystems are automatically excluded. Do not run on-demand scans using YARA files with a search scope of "/" or any other search scope that includes the /sys or /proc filesystems. In a future version of Endpoint Change Management Toolset, the /sys and /proc filesystems will be automatically excluded from on-demand scans. Because this issue originates outside of Threat Response, it affects this and all previously released versions.
  • When you edit YARA or STIX intel documents, the Threat Response workbench suggests IOC terms for predictive text. This is a known issue and on the Threat Response roadmap.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin, and you cannot download additional saved evidence until the initial download stops or times out.

Release Date: 21 August 2025

Improvements

  • The export limits for recorder events have been raised from 1000 events to 500k events for local exports and to 10k events for remote exports.
  • The number of events displayed in the combined view of direct connections has been increased to 10k events.
  • Updated API documentation to convey the updated limits for event exports.

Fixes

  • Fixed an issue in the Threat Response API where the limit parameter was not properly limiting the response when fetching events using the Combined events route.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when the size of the MTU packet on the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint indicating that the packet is too large and advising it to lower the permissible MTU size. If the negotiation packet cannot reach the destination because of the quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should be done only after proper testing.
  • The macOS Autoruns Sensor does not properly parse autorun information on macOS 13 Ventura due to a change by Apple in where this information is stored.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Settings section does not persist when the signal is created.
  • For any AWS S3 destinations configured with amazonaws.com as the provided host, Live Response will no longer work as intended. Use s3.amazonaws.com as opposed to only amazonaws.com. Live Response now requires that S3 URLs be in the following formats:
    • s3.amazonaws.com
    • s3-[region].amazonaws.com
    • s3.[region].amazonaws.com
  • Any host value that does not match one of the above formats will no longer work as intended. For any hostnames that do not end in amazonaws.com, behavior is unchanged.
  • When an application reads certain files in /sys and /proc filesystems on certain makes and models of Linux servers, it can cause the system to stop responding due to hardware conflicts. This issue can occur in Threat Response if you perform an on-demand scan using YARA intel. The issue does not affect background scans that use YARA intel, because /sys and /proc filesystems are automatically excluded. Do not run on-demand scans using YARA files with a search scope of "/" or any other search scope that includes the /sys or /proc filesystems. In a future version of Endpoint Change Management Toolset, the /sys and /proc filesystems will be automatically excluded from on-demand scans. Because this issue originates outside of Threat Response, it affects this and all previously released versions.
  • When you edit YARA or STIX intel documents, the Threat Response workbench suggests IOC terms for predictive text. This is a known issue and on the Threat Response roadmap.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin, and you cannot download additional saved evidence until the initial download stops or times out.
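As an added example that is not Tanium's own code, the following Python check classifies configured Live Response destination hosts against the three S3 hostname formats listed in the Known Issues above and flags the bare amazonaws.com case the note describes, leaving non-amazonaws.com hosts alone. The sample destinations are constructed, and the region character class in the pattern is an assumption.

```python
"""Check Live Response AWS S3 destination hosts against the hostname formats the
Threat Response release notes require. Added example, not Tanium's own code."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Accepted formats from the release notes: s3.amazonaws.com, s3-[region].amazonaws.com
# and s3.[region].amazonaws.com. The region character class is an assumption.
_S3_HOST_RE = re.compile(r"^s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")
_AWS_SUFFIX = ".amazonaws.com"


def extract_host(value: str) -> str:
    """Return the lower-cased hostname from a bare host, a host:port or a full URL."""
    value = value.strip()
    if "://" in value:
        host = urlsplit(value).hostname or ""
    else:
        # No scheme: take everything before the first "/" and drop an explicit port.
        host = value.split("/", 1)[0].split(":", 1)[0]
    return host.lower().rstrip(".")


def classify_s3_host(value: str) -> str:
    """Classify a destination host value.

    "ok"        - one of the accepted S3 hostname formats
    "needs-fix" - an amazonaws.com host that is not in an accepted format
                  (including bare amazonaws.com); Live Response will not work
                  as intended until the host is corrected
    "non-aws"   - does not end in amazonaws.com; behaviour is unchanged
    "empty"     - no hostname could be extracted
    """
    host = extract_host(value)
    if not host:
        return "empty"
    if _S3_HOST_RE.match(host):
        return "ok"
    if host == "amazonaws.com" or host.endswith(_AWS_SUFFIX):
        return "needs-fix"
    return "non-aws"


def suggest_fix(value: str) -> Optional[str]:
    """Return the replacement the release notes give for the bare-host case
    (amazonaws.com -> s3.amazonaws.com); None when there is nothing to suggest."""
    if extract_host(value) == "amazonaws.com":
        return "s3.amazonaws.com"
    return None


# Constructed sample destination configurations, not taken from any real deployment.
SAMPLE_DESTINATIONS = [
    {"name": "legacy-bucket", "host": "amazonaws.com"},
    {"name": "global-endpoint", "host": "s3.amazonaws.com"},
    {"name": "eu-dash", "host": "S3-EU-WEST-1.amazonaws.com"},
    {"name": "eu-dot", "host": "https://s3.eu-west-1.amazonaws.com/evidence"},
    {"name": "vhost-bucket", "host": "evidence.s3.amazonaws.com"},
    {"name": "on-prem-object-store", "host": "objects.example.internal:9000"},
]


def audit_destinations(destinations) -> List[Tuple[str, str, str]]:
    """Return (name, host, status) for every destination so misconfigured S3
    hosts can be corrected before a collection is run."""
    return [(d["name"], d["host"], classify_s3_host(d["host"])) for d in destinations]


if __name__ == "__main__":
    for name, host, status in audit_destinations(SAMPLE_DESTINATIONS):
        hint = suggest_fix(host)
        print(f"{name:22} {host:45} {status}" + (f"  -> use {hint}" if hint else ""))
```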

Release Date: 18 August 2025

New Features

  • Provides the ability to use Transport Layer Security (TLS) for Sentinel CEF destinations, so that data is transmitted to the destination using Syslog over TLS. This ensures that the data is encrypted and authenticated between the sender and the receiver.

Security Update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within [Tanium's Community site](https://community.tanium.com/s/), or by contacting support.

Improvements

  • Upgraded various third-party libraries to newer versions.
  • Updates outgoing Stream data to include SHA1 and SHA256 hashes.
  • Added a message to the workbench to indicate when a destination specified for the response action is not supported on the selected platform.
  • Users can no longer change the Live Response Package in a Live Response configuration once a Target has been selected.

Fixes

  • Fixed an issue where YARA Options were included in all configuration type exports as opposed to only in detection configurations.
  • Fixed an issue where any MITRE techniques that you added to a signals intel document did not persist when the intel document was saved.
  • Fixed an issue with the Threat Response API where passing "1" as a GUID was not rejected as invalid for alerts resolution API routes.
  • Fixed an issue where, when editing Live Response package parameters, the collection name pills did not show the entire string on hover.
  • Fixed an issue where the Created/Updated field in Suppression Rules incorrectly displayed a success indicator when the copy action failed.
  • Fixed an issue in Live Response destinations where removing the optional Host value from an existing destination would cause an error when saving.
  • Fixed an issue where the event-evidence API endpoint would return a 500 error if the sort=user or sort=type parameters were provided.
  • Fixed an issue where, when editing Signals intel documents, the MITRE technique pills did not show the entire technique name on hover.
  • Fixed an error message in the IOC editor that referred to a signal instead of an IOC.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can become blocked when the MTU packet size on the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and advise lowering the permissible MTU size. If the negotiation packet cannot reach the destination due to quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura due to a change by Apple in where this information is stored.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Settings section does not persist when the signal is created.
  • For any AWS S3 destinations configured with amazonaws.com as the provided host, Live Response will no longer work as intended. Use s3.amazonaws.com as opposed to only amazonaws.com. Live Response now requires that S3 URLs be in the following formats:
    • s3.amazonaws.com
    • s3-[region].amazonaws.com
    • s3.[region].amazonaws.com
  • Any host value not of the above formats will no longer work as intended. For any hostnames that do not end in amazonaws.com, behavior is unchanged.
  • When an application reads certain files in /sys and /proc filesystems on certain makes and models of Linux servers, it can cause the system to stop responding due to hardware conflicts. This issue can occur in Threat Response if you perform an on-demand scan using YARA intel. The issue does not affect background scans that use YARA intel, because /sys and /proc filesystems are automatically excluded. Do not run on-demand scans using YARA files with a search scope of "/" or any other search scope that includes the /sys or /proc filesystems. In a future version of Endpoint Change Management Toolset, the /sys and /proc filesystems will be automatically excluded from on-demand scans. Because this issue originates outside of Threat Response, it affects this and all previously released versions.
  • When you edit YARA or STIX intel documents, the Threat Response workbench suggests IOC terms for predictive text. This is a known issue and on the Threat Response roadmap.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin and you cannot download additional saved evidence until the initial download stops or times out.

Release Date: 11 August 2025

Improvements

  • Upgraded various third-party libraries to newer versions.

Fixes

  • Fixed an issue where any MITRE techniques that you added to a signals intel document did not persist when the intel document was saved.
  • Fixed an issue where the event-evidence API endpoint would return a 500 error if the sort=user or sort=type parameters were provided.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can become blocked when the MTU packet size on the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and advise lowering the permissible MTU size. If the negotiation packet cannot reach the destination due to quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura due to a change by Apple in where this information is stored.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Settings section does not persist when the signal is created.
  • For any AWS S3 destinations configured with amazonaws.com as the provided host, Live Response will no longer work as intended. Use s3.amazonaws.com as opposed to only amazonaws.com. Live Response now requires that S3 URLs be in the following formats:
    • s3.amazonaws.com
    • s3-[region].amazonaws.com
    • s3.[region].amazonaws.com
  • Any host value not of the above formats will no longer work as intended. For any hostnames that do not end in amazonaws.com, behavior is unchanged.
  • When an application reads certain files in /sys and /proc filesystems on certain makes and models of Linux servers, it can cause the system to stop responding due to hardware conflicts. This issue can occur in Threat Response if you perform an on-demand scan using YARA intel. The issue does not affect background scans that use YARA intel, because /sys and /proc filesystems are automatically excluded. Do not run on-demand scans using YARA files with a search scope of "/" or any other search scope that includes the /sys or /proc filesystems. In a future version of Endpoint Change Management Toolset, the /sys and /proc filesystems will be automatically excluded from on-demand scans. Because this issue originates outside of Threat Response, it affects this and all previously released versions.
  • When you edit YARA or STIX intel documents, the Threat Response workbench suggests IOC terms for predictive text. This is a known issue and on the Threat Response roadmap.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin and you cannot download additional saved evidence until the initial download stops or times out.

Release Date: 23 July 2025

Security Update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Community site, or by contacting support.

Improvements

  • Updated Live Response to allow S3 buckets in Chinese AWS regions.
  • Updated Quick Add to allow labels to be assigned on intel creation.
  • Added support for assigning MITRE techniques for OpenIOC, Yara, and STIX documents.
  • Added support for assigning MITRE techniques when using Quick IOC.
  • Standardized sections across STIX, Yara, Signals, and IOC intel documents.

Fixes

  • Response Activity logs will now be restricted to each user's own response activities.
  • Fixed an issue where destinations defined with only amazonaws.com would cause Live Response to fail.
  • Fixed an issue where alerts for which the IP address could not be determined were ignored.
  • Fixed an issue where an invalid icon was temporarily displayed as the loading state when editing intel documents.
  • Threat Response User and Threat Response Read Only User roles have been restricted from viewing the System Notification and Task audit logs.

Known Issues

  • Any MITRE techniques that you add to a signals intel document do not persist when you save it. As a workaround, you can use the Threat Response API to associate MITRE techniques to signals. This is a known issue and will be resolved in a future release of Threat Response.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can become blocked when the MTU packet size on the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and advise lowering the permissible MTU size. If the negotiation packet cannot reach the destination due to quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura due to a change by Apple in where this information is stored.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Settings section does not persist when the signal is created.
  • For any AWS S3 destinations configured with amazonaws.com as the provided host, Live Response will no longer work as intended. Use s3.amazonaws.com as opposed to only amazonaws.com. Live Response now requires that S3 URLs be in the following formats:
    • s3.amazonaws.com
    • s3-[region].amazonaws.com
    • s3.[region].amazonaws.com
  • Any host value not of the above formats will no longer work as intended. For any hostnames that do not end in amazonaws.com, behavior is unchanged.
  • When you edit YARA or STIX intel documents, the Threat Response workbench suggests IOC terms for predictive text. This is a known issue and on the Threat Response roadmap.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin and you cannot download additional saved evidence until the initial download stops or times out.

Release Date: 09 July 2025

New Features

  • You can now use the IOC editor to create both simple and complex IOCs using AND/OR operators and to see which IOC objects and properties Threat Response supports. You can edit IOCs that you import into the Threat Response workbench, remove any unsupported objects or properties, and add conditions to fine-tune detections. The IOC editor enforces correct syntax and validates that the IOCs you create use supported terms. Because imported IOCs might contain unsupported terms, editing an IOC lets you add, modify, or delete only terms that Threat Response supports; unsupported terms can only be deleted.
  • You can now specify Dynamic AWS S3 Configuration for Response Actions performing Live Response actions. A dynamic AWS S3 configuration enables you to enter dynamic credentials that are used to authenticate with a specific destination you can use in the context of the response action. Additionally, you can now specify multiple collections for Live Response configurations. This functionality is available to users with the Threat Response Operator role, the Threat Response Administrator role, and to users who are assigned custom roles with the required privileges. For more information, see the Requirements topic of the Threat Response User Guide.

Important Notes

  • For any AWS S3 destinations configured with amazonaws.com as the provided host, Live Response will no longer work as intended. Use s3.amazonaws.com as opposed to only amazonaws.com. Live Response now requires that S3 URLs be in the following formats:
    • s3.amazonaws.com
    • s3-[region].amazonaws.com
    • s3.[region].amazonaws.com
  • Any host value not of the above formats will no longer work as intended. For any hostnames that do not end in amazonaws.com, behavior is unchanged.
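The host-format rule above (also repeated in the Known Issues of the later releases) is easy to check mechanically before an upgrade breaks a Live Response destination. The following is an added example, not Tanium's own code: it classifies a destination host value as accepted, broken, or unchanged using the three formats listed in the note, applied literally. The region pattern (lowercase letters, digits and hyphens) and the sample destination list are assumptions constructed for the example.

```python
import re

# Hostname formats that Live Response accepts for AWS S3 destinations, as
# listed in the release note: the global endpoint and the dash- or
# dot-separated regional endpoints. The region character set is an
# assumption for this example, not something the release note specifies.
_REGION = r"[a-z0-9-]+"
_S3_HOST_PATTERNS = [
    re.compile(r"^s3\.amazonaws\.com$"),
    re.compile(rf"^s3-{_REGION}\.amazonaws\.com$"),
    re.compile(rf"^s3\.{_REGION}\.amazonaws\.com$"),
]


def classify_s3_host(host: str) -> str:
    """Classify a Live Response destination host value.

    'ok'        - matches one of the three supported amazonaws.com formats
    'broken'    - ends in amazonaws.com but is not one of those formats
                  (for example a bare 'amazonaws.com' or a bucket-prefixed
                  host), so per the note Live Response will not work as intended
    'unchanged' - does not end in amazonaws.com; the note says behaviour
                  for such hosts is unchanged
    """
    h = host.strip().lower().rstrip(".")  # normalise case and trailing dot
    if not (h == "amazonaws.com" or h.endswith(".amazonaws.com")):
        return "unchanged"
    if any(p.match(h) for p in _S3_HOST_PATTERNS):
        return "ok"
    return "broken"


# Constructed sample of (destination name, host) pairs; not real configuration.
SAMPLE_DESTINATIONS = [
    ("ir-global", "s3.amazonaws.com"),
    ("ir-legacy", "amazonaws.com"),
    ("ir-useast", "s3.us-east-1.amazonaws.com"),
    ("ir-bucket", "evidence.s3.amazonaws.com"),
    ("ir-minio", "minio.corp.example"),
]


def audit_destinations(destinations):
    """Return (name, host, status) for every destination that needs attention.

    Only 'broken' hosts are returned: they end in amazonaws.com but do not
    use one of the required formats, so they must be changed before upgrading.
    """
    flagged = []
    for name, host in destinations:
        status = classify_s3_host(host)
        if status == "broken":
            flagged.append((name, host, status))
    return flagged


if __name__ == "__main__":
    for name, host, status in audit_destinations(SAMPLE_DESTINATIONS):
        print(f"{name}: {host} -> {status}; use s3.amazonaws.com or a regional s3 host")
```

The classifier follows the note's wording literally: a host that ends in amazonaws.com but is not exactly one of the three formats is reported as broken, while hosts under a different suffix (including the amazonaws.com.cn suffix used by the Chinese regions mentioned in the 23 July 2025 notes) fall into the "unchanged" category that the note describes.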

Improvements

  • Provided the ability to filter intel documents based on alert count.
  • Added copy functionality to Endpoint Reactions column in Quarantine Workbench.
  • Enterprise Hunting dashboard has been updated so that Deploy Action now opens the action status in a new tab.
  • The Intel Metrics have been updated to "Intel Deployed" from "Intel Count" to more accurately reflect the metric.
  • Updated the YARA scan documentation to make it clear that the Live Files scope excludes image load events where the image is signed by Microsoft.
  • Updated the Quick Add IOC Modal to accurately represent the search operators.

Fixes

  • Fixed Alert filtering for DNS queries to search the correct response locations.
  • Fixed the copy capability for configurations and computer groups in THR profiles.
  • Fixed the copy capability in Endpoint Reactions to copy the reaction strings, and not the count of reactions.
  • Fixed the ability to sort Context Analyzer Results by Impact rating.
  • Fixed an issue where deleting an empty group in Signal Builder outside of nested terms could cause valid expressions to return as invalid.
  • Fixed an issue where attempting to fetch alert(s) by invalid alert ID(s) would fail incorrectly.
  • Fixed an issue where resizing or adding columns would cause duplicate actions columns to appear in Context Analyzer.
  • Fixed the ability to add a delete file reaction when creating a Quick Add IOC.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can become blocked when the MTU packet size on the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and advise lowering the permissible MTU size. If the negotiation packet cannot reach the destination due to quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura due to a change by Apple in where this information is stored.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Settings section does not persist when the signal is created.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin and you cannot download additional saved evidence until the initial download stops or times out.

Release Date: 30 June 2025

Improvement

  • Upgraded various third-party libraries to newer versions.

Fixes

  • Sensitive information for Live Response destinations is no longer logged.
  • Fixed an issue that could cause alerts with invalid paths to be ignored.
  • Fixed an issue that could cause slow performance when generating intel for Reputation malicious hashes.
  • Fixed an issue where Live Response destination types could be changed after creation. The Live Response destination type is now fixed once the destination is created.
  • Fixed an issue that could cause alerts with certain unicode characters to be ignored.
  • Fixed an issue where an account key was required in Azure Live Response destinations when a SAS token was provided.
  • Fixed an issue where an error could occur when loading the events page from a direct endpoint connection after filtering for a specific time range.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can become blocked when the MTU packet size on the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and advise lowering the permissible MTU size. If the negotiation packet cannot reach the destination due to quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura due to a change by Apple in where this information is stored.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin and you cannot download additional saved evidence until the initial download stops or times out.

Release Date: 11 June 2025

Fixes

  • Fixed an issue where upgrading versions when an environment contained alerts that numbered in the hundreds of thousands could take hours to complete.
  • Fixed an issue where the UI produced a hidden console error due to requesting an invalid resource.
  • Fixed an issue where the buttons for the Threat Response Intel Support: Table of Contents would not correctly navigate to the content section for non-English languages.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can become blocked when the MTU packet size on the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and advise lowering the permissible MTU size. If the negotiation packet cannot reach the destination due to quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura due to a change by Apple in where this information is stored.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin and you cannot download additional saved evidence until the initial download stops or times out.

Release Date: 03 June 2025

Improvement

  • Improved logging for multiple API error scenarios.

Fixes

  • Fixed an issue where some alerts in the Threat Response service could not be processed for suppression evaluation. If alerts cannot be processed, they will not be suppressed even if a suppression rule would suppress them.
  • Fixed an issue where calls made to the Reputation service from Threat Response could time out and result in malicious hash synchronization to Threat Response not working.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can become blocked when the MTU packet size on the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and advise lowering the permissible MTU size. If the negotiation packet cannot reach the destination due to quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura due to a change by Apple in where this information is stored.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin and you cannot download additional saved evidence until the initial download stops or times out.

Release Date: 21 May 2025

Improvements

  • Added detailed logging for multiple API error scenarios.
  • Improved the workflow when bulk deleting filters to notify users when a filter is read-only and cannot be deleted.
  • Updated API calls to ensure more resilient alert delivery.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can become blocked when the MTU packet size on the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and advise lowering the permissible MTU size. If the negotiation packet cannot reach the destination due to quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura due to a change by Apple in where this information is stored.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin and you cannot download additional saved evidence until the initial download stops or times out.

Release Date: 29 April 2025

Important Notes

  • Removed the smss.exe filter from new default stream configurations.
  • Tanium Trends has been removed as an optional dependency of Threat Response. The Trends boards that provide data visualization of Threat Response concepts will be migrated to visualizations in Tanium Reporting.

Improvements

  • Provided localization support for the Threat Response workbench. Select a language from the language selector in the persona preferences, and elements of the Threat Response workbench appear in one of the six supported languages which are English, French, German, Japanese, Latin American Spanish, and Korean. Endpoint data is not translated. For more information refer to the Supported Languages section in the Overview topic of the Threat Response User Guide.
  • Added the availableToDownload property to the /api/v1/snapshot route.
  • Added documentation in the Threat Response User Guide to explain that YARA File Size and YARA Process Size do not apply to on-demand scans. The values you provide in these fields are used by detection configurations for continuous data scanning.
  • Provided the ability for the Threat Response Import Signals API to import signals that contain comments in the signal definition. Comments in signals are denoted by // at the beginning of a line or after the signal content.
  • Sorted the Intel Sources, Quarantine Profiles, and Quarantine Rules by name alphabetically.
  • Made improvements to the user experience of the common configuration workflows for new users on the Overview page of the Threat Response workbench.
  • Updated advanced details for alerts to have Alert and Event timestamps formatted as UTC to match Direct Connect.
  • Removed the ability to deploy a profile once a profile is fully disabled.
  • Provided the ability to select multiple alerts from the alerts grid and initiate bulk quarantine or unquarantine response actions.
  • Improved error reporting when trying to access saved evidence while it is still downloading.
  • Updated Direct Connect cell copy to consistently handle quoted strings.
  • Removed the Threat Response Service User READ and WRITE permissions.
  • Added Type and Intel Name to export suppression rules feature.
  • Made improvements to translations in the Threat Response workbench.
  • Added support for default sorting in the response action quarantine modal.
  • Made updates to the THR API Portal documentation.
  • Provided the ability to export all suppression rules to CSV via new public API route.
  • Opened help documentation section links in a new tab.
  • Process injection suppression rules have been updated to only require target or actor.
  • Updated time format in Direct Connect alerts when using copy/paste functionality.
  • Updated the computer group targeting status to indicate that the profile is disabled.
  • Provided a new PATCH API for signal intel documents to enable updates to specific parts of the signal without overwriting it entirely. For more information see the Threat Response API documentation.
  • Provided an alert when the gather loop fails more than 10 times in the last 20 minutes.

Fixes

  • When toggling from process injection to signal suppression, suppression criteria are now properly mapped to the selected suppression target.
  • Fixed an issue with managing labels for intel documents where selecting all labels did not account for any filters that were applied.
  • Fixed an issue where clicking Cancel when editing an intel document caused the Threat Response workbench to navigate to the Intel Definitions tab.
  • Fixed an issue where changes made to labels were not applied correctly when labels are filtered in the Threat Response workbench.
  • Fixed an issue where the Context Analyzer filter did not preserve strings when editing filters.
  • Fixed the File Browser cell copy actions for time and permissions.
  • Fixed filtering for Event modal under the initial configuration overview feature.
  • Fixed the intel safeguards selection to persist during intel creation.
  • Updated alert details to be more accurate for IOC, YARA and STIX.
  • Updated details of extended detections to be more accurate.
  • Updated Direct Connect clear filters to work properly.
  • Fixed the UTC dates to match what appears in the Custom Time Range and Date (UTC) column.
  • Fixed alert grouping delays caused by a difference between createdAt and receivedAt values, which led to Connect job discrepancies.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can become blocked when the MTU packet size on the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and advise lowering the permissible MTU size. If the negotiation packet cannot reach the destination due to quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura due to a change by Apple in where this information is stored.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin, and you cannot download additional saved evidence until the initial download stops or times out.

Release Date: 17 April 2025

Improvements

  • Improved string counts when gathering Intel and Reactions to reduce Tanium Server performance impacts.

Fixes

  • Fixed an issue where grouping data was missing and could lead to errors in log files.
  • Fixed an issue where the live-response.ps1 and start-live-response.ps1 scripts were unsigned.
  • Fixed an issue where alerts were not being properly acknowledged if PowerShell Constrained Language mode was enabled.
  • Fixed an issue where decoded output did not display correctly in Chrome or Edge web browsers on Windows endpoints.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when a packet sent by the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint to identify that the packet is too large and advise lowering the permissible MTU size. If that negotiation packet cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The MacOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • Searching for the name of an Intel Document when using Management > Audit > Logs does not return events related to that intel document.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Settings section does not persist when the signal is created.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin, and you cannot download additional saved evidence until the initial download stops or times out.

Release Date: 20 March 2025

Improvements

  • Upgraded various third-party libraries to newer versions.

Fixes

  • Fixed an issue where, when selecting the Remediate in Enforce response action, the entire Computer Group was acted upon instead of only the single client.
  • Fixed an issue where the Threat Response service failed to suppress process injection alerts.
  • Fixed an issue where filters could be unintentionally deleted in the Advanced Filter Builder of the Context Analyzer.
  • Fixed an issue where, when using the PATCH /configs API route without providing a description, any existing description was set to empty instead of being preserved.
  • Fixed an issue where the custom time filter in the alerts grid defaulted to local time as opposed to UTC.
  • Fixed an issue where the Save and Deploy button on the Profiles page was not enabled after a change was made to the profile.
  • Fixed an issue where the Save and Deploy button on the Profiles page could deploy a profile without passing the profile ID.
  • Fixed an issue where, when the Microsoft Defender Process Actions setting was selected, unknown Microsoft Defender event types such as 1007, or older versions of Microsoft Defender, could cause the alerts grid to crash.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when a packet sent by the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint to identify that the packet is too large and advise lowering the permissible MTU size. If that negotiation packet cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The MacOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • Searching for the name of an Intel Document when using Management > Audit > Logs does not return events related to that intel document.
  • Exported Detection configurations do not preserve YARA file and process size settings. This is a known issue that is on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Settings section does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin, and you cannot download additional saved evidence until the initial download stops or times out.

Release Date: 04 March 2025

Improvements

  • A custom message is displayed when using values other than the defaults for the Index Scan settings in index configurations.
  • Upgraded various third-party libraries to newer versions.

Fixes

  • Fixes an issue where the values of the Scan Distribution options for profiles, in the Evidence and Telemetry section of the configuration setup on the overview page of the Threat Response workbench, were not set correctly.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when a packet sent by the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint to identify that the packet is too large and advise lowering the permissible MTU size. If that negotiation packet cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The MacOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On macOS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Exported Detection configurations do not preserve YARA file and process size settings. This is a known issue that is on the Threat Response roadmap.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When using the PATCH /configs API route without providing a description, any existing description is set to empty instead of being preserved.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types such as 1007, or older versions of Microsoft Defender, can cause the alerts grid to crash.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Settings section does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin, and you cannot download additional saved evidence until the initial download stops or times out.

Release Date: 24 February 2025

Improvements

  • Upgraded various third-party libraries to newer versions.
  • Disables the download button on the Saved Evidence page for files and snapshots if the item is not available to download.
  • Enables users to select all Computer Groups in the Target Computer Groups modal.
  • Adds additional tooltip content to the common configuration workflows on the overview page of the Threat Response workbench.
  • The Intel Document’s “Updated At” field now shows the date the user last updated the Intel document rather than the last time the Intel was deployed.
  • Adds current YARA support versions in the Intel Support document that is accessible from the Threat Response workbench.
  • Provides read access permission to Reporting Dashboards in the Threat Response content set.

Fixes

  • Fixes an issue where the YARA size limit option settings were not being exported when exporting profiles that still have default values.
  • Fixes an issue where the new deployment status on the Profiles table could mismatch the status displayed in the details drawer.
  • Fixes an issue where filtering alerts by strings that contain underscores did not work correctly.
  • Fixes an issue in quarantine rules where values of 0 for Port (indicating all ports) did not validate.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when a packet sent by the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint to identify that the packet is too large and advise lowering the permissible MTU size. If that negotiation packet cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The MacOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On macOS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Exported Detection configurations do not preserve YARA file and process size settings. This is a known issue that is on the Threat Response roadmap.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When using the PATCH /configs API route without providing a description, any existing description is set to empty instead of being preserved.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types such as 1007, or older versions of Microsoft Defender, can cause the alerts grid to crash.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Settings section does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin, and you cannot download additional saved evidence until the initial download stops or times out.

Release Date: 30 January 2025

New Features

  • Introduces a new configuration section on the overview page of the Threat Response workbench that provides common configuration workflows to shorten time to value and simplify the initial configuration experience. Configuration workflows that target specific end-to-end use cases simplify the implementation of Threat Response without requiring comprehensive knowledge of the full functionality of the module. The new initial configuration is not intended to replace existing workflows; instead it provides a path for configuring Threat Response as quickly as possible without extensive Tanium experience or subject matter expert guidance. Configuration workflows also provide a sample of the functionality of Threat Response and the different types of use cases that are possible.

Important Notes

  • The default settings for the Threat Response action group are configured as:
    • Restricted targeting disabled (default): All Computers computer group
    • Restricted targeting enabled: No Computers computer group
  • Tanium Managed profiles are provided that contain updated configurations. These profiles are the result of Tanium data and experience and are designed to use settings that are considered safer and to provide more real-time visibility with Index and Recorder data. You cannot delete Tanium Managed profiles. Tanium Managed profiles are intended as starting points, based on Tanium best practices, that you can build from or expand. No existing profiles are changed when you install a version of Threat Response that provides Tanium Managed profiles. This is a new point of departure for configuring Threat Response as quickly as possible without extensive Tanium experience or subject matter expert guidance.

Endpoint Configuration Toolset

Improvements

  • Updates the API documentation for Event Evidence.
  • When forwarding events to Tanium Connect using Match Alerts or Match Alerts Raw, an intel source field has been added that identifies the source of the intel document associated with the generated alert.
  • Provides the ability to send EIDs for alerts to Tanium Connect and provides two new settings that indicate whether, and for how long, the Threat Response service should wait for EIDs to be resolved.
  • Provides the ability to specify file and process size limits for YARA scans in Detection configurations.
  • Adds additional content to the "Recorder Security Event Details" documentation in the Threat Response workbench.
  • Provides an indication in the Threat Response workbench if file evidence is ready to download.
  • Shows YARA match details in the Alerts Details for an alert.

Fixes

  • Fixes errors in API documentation.
  • Fixes an issue where bulk deleting many alerts could fail.
  • Fixes an issue where Live Response file collector sets for browser user data collection were configured for incorrect paths.
  • Fixes an issue where Threat Response could push new alerts to Tanium Connect at a slower interval than previous versions of Threat Response.
  • Fixes an issue where bulk updating many alerts could fail due to query param URL length limits.
  • Fixes an issue where the unquarantine response action erroneously showed package options.
  • Fixes an issue where the Quarantine Profile: Details Drawer did not display the Current DNS allowance.
  • Fixes an issue where the page for Stream configurations could become unresponsive after loading.
  • Fixes an issue where users were unable to download recorder snapshots.
  • Fixes an issue where it was not possible to upload files larger than 5 GB and keep them available on disk.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when a packet sent by the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint to identify that the packet is too large and advise lowering the permissible MTU size. If that negotiation packet cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The MacOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On macOS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Exported Detection configurations do not preserve YARA file and process size settings. This is a known issue that is on the Threat Response roadmap.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • Intel Documents that are not active in a deployed profile will show as Pending and stay in this state until they are deployed.
  • When using the PATCH /configs API route without providing a description, any existing description is set to empty instead of being preserved.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types such as 1007, or older versions of Microsoft Defender, can cause the alerts grid to crash.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Settings section does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.
  • When you initiate the download of saved evidence, the initial download can take several minutes to begin, and you cannot download additional saved evidence until the initial download stops or times out.

Release Date: 13 January 2025

Endpoint Configuration Toolset

Improvements

  • Updates the version of Stream CX.

Fixes

  • Fixes an issue where some of the content on the Alerts Details page could appear as truncated.
  • Fixes an issue where, when editing a Stream configuration, the Threat Response workbench could become unresponsive.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when a packet sent by the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint to identify that the packet is too large and advise lowering the permissible MTU size. If that negotiation packet cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The MacOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On macOS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • When using the PATCH /configs API route without providing a description, any existing description is set to empty instead of being preserved.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types such as 1007, or older versions of Microsoft Defender, can cause the alerts grid to crash.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Settings section does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.

Release Date: 17 December 2024

Endpoint Configuration Toolset

New Features

  • Provides a new Stream destination to send endpoint data from the recorder to Microsoft Sentinel via CEF.
  • Provides the ability to decode encoded text in the Threat Response workbench without having to copy and paste to an external tool. For example, you can decode values for arguments for service alerts, data in alerts details, DNS requests and responses in the Context Analyzer, and other areas in the Threat Response workbench.

Improvements

  • Provides support for Quarantine for RHEL9 endpoints.
  • The Threat Response service copies exclusion definitions and configuration information for existing Index configurations to the Index configuration settings in Tanium Client Management. No computer groups are assigned to the Threat Response configurations that are created in Tanium Client Management. Threat Response Index Exclusions will continue to apply until they are deleted.
  • Surfaces which YARA conditions or rules a match occurred on in the Alert Details that are displayed from the alert list on the Intel documents page.
  • Makes improvements and adds new content to the API documentation.
  • Improves messages in log files.
  • Provides the ability to export results from the Context Analyzer to a CSV file.
  • Improves the user interface for the filter builder so that new rows can be added with a single click.
  • Updated the Threat Response Connect events label from "Tanium Threat Response" to "Tanium Threat Response Alerts".
  • A chart is displayed on the overview page that displays safeguard status counts if intel safeguards are enabled.
  • Paths, process names, and command lines are combined by OS in the Context Analyzer.
  • When direct connecting to an endpoint, the Capture Snapshot option is now disabled when a snapshot capture is in progress.
  • When direct connecting to an endpoint, online or offline status is displayed in the endpoint search results.
  • Improves the descriptions of quarantine profiles that have been migrated.
  • Adds rows for process injection suppression rules to display target process related fields.
  • Adds a notification in the intel page to show when an associated quarantine profile is deleted for a reaction.
  • Provides the ability to unquarantine an endpoint with Response Actions.
  • Adds support for Python 3.12.
  • Improves the error messaging in quarantine profiles when package generation starts if an existing package is already in progress.
  • Displays the uncompiled YARA definition for YARA intel in the definition tab in intel documents.
  • The document count in the summary section of the intel page is now clickable to filter intel documents by status.

Fixes

  • Fixes an issue where Threat Response count findings were not respecting action group settings.
  • Fixes an issue where an open Alert Detail section could prevent selection of all other alerts.
  • Fixes an issue where alerts were pruned based on when they were generated on the endpoint instead of when Threat Response gathered them.
  • Fixes an issue where all alerts stopped being gathered after Tanium Server connection errors.
  • Fixes an issue where the Direct Connect modal did not show a timeout notification.
  • Fixes an issue where Live Response and Quarantine Response Actions could not be stopped if a targeted endpoint was offline.
  • Fixes an issue where the Threat Response Response Actions permission did not allow issuing of response actions.
  • Fixes an issue where direct connecting to an endpoint could crash while searching for an endpoint.
  • Fixes an issue where several sensors could fail to execute Python on Windows endpoints.
  • Fixes an issue where quarantine failed if the ServerNameList had a priority prefix containing an underscore.
  • Fixes an issue where deleting a large number of alerts could fail.
  • Fixes an issue where Threat Response upgrades could fail during the migration of the stats table in the Threat Response database.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when a packet sent by the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint to identify that the packet is too large and advise lowering the permissible MTU size. If that negotiation packet cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The MacOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On macOS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document.
  • The Get Mac Firewall Settings sensor does not work on macOS 15 endpoints because the plist that this sensor reads has been deprecated.
  • Quarantine package names have been updated as part of this new feature. The Quarantine workbench uses the Threat Response - Quarantine Endpoint [OS] packages. The legacy packages (Apply Linux IPTables Quarantine, Apply Mac PF Quarantine, and the Apply Windows IPSec Quarantine and Unquarantine packages) are deprecated, but remain for backwards compatibility and to preserve any existing taniumquarantine.dat files. Any existing response actions initiated before upgrade will continue to use these legacy packages.
  • Filters that you specify in the advanced filter builder of the context analyzer can disappear if you select a summary value and open the filter or select another summary value. This is a known issue and on the Threat Response roadmap.
  • When using the PATCH /configs API route without providing a description, any existing description is set to empty instead of being preserved.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types such as 1007, or older versions of Microsoft Defender, can cause the alerts grid to crash.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Settings section does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.

Release Date: 13 November 2024

Endpoint Configuration Toolset

New Features

  • Adds a new Quarantine workbench that enables you to create custom profiles containing rules that define the parameters to use for quarantining endpoints. After you define rules for quarantine and create a profile, you can generate packages that you deploy to targeted endpoints to quarantine them. You can also use quarantine profiles as part of a response action or reaction: you can generate quarantine packages that are used when reactions match on an endpoint, or as a response action that you initiate in response to an alert.
    • Quarantine package names have been updated as part of this new feature. The Quarantine workbench uses the Threat Response - Quarantine Endpoint [OS] packages. The legacy packages (Apply Linux IPTables Quarantine, Apply Mac PF Quarantine, and the Apply Windows IPSec Quarantine and Unquarantine packages) are deprecated, but remain for backwards compatibility and to preserve any existing taniumquarantine.dat files. Any existing response actions initiated before upgrade will continue to use these legacy packages.
  • Adds support for target process suppressions.
  • Adds a Trace Sensor for DNS for Linux endpoints.
  • Reputation has been removed as an intel source and has been added as an extended detection type.
  • Provides the ability to build the Namespace variable into Stream configurations to send data to Chronicle with the Namespace.
  • Provides support for YARA 4.5.0.
  • Provides improvements to the Context Analyzer interface.

Improvements

  • Upgraded various third-party libraries to newer versions.
  • Provides the ability to initiate an on-demand scan from the intel document page action menu.
  • Provides quarantine support for Ubuntu 22 endpoints.
  • Provides the ability for Context Analyzer results to be exported to a CSV file.
  • Provides new RBAC permissions for Threat Response Quarantine Packages and Threat Response Quarantine Profile.
  • Provides the ability to pivot to gather a Live Response package from live endpoint view.
  • Provides updated names for the High Priority Path and Index Scan Frequencies fields in Index configurations.
  • Provides a new API route to report if live response packages need to be regenerated.
  • Provides the ability to sort on multiple columns in the recorder grid.
  • Deprecates the Distribute Quarantine Tools package.
  • Deprecates the Quarantine Status and Needs Quarantine Tools Pack (Windows XP only) saved questions.

Fixes

  • Fixes an issue where large files could fail to download from saved evidence.
  • Fixes an issue where, when editing a recorder configuration, filtering a list, selecting items, and clicking remove removed all the filters instead of only the selected ones.
  • Fixes an issue where Direct Connect downloads were limited by the /tmp disk size.
  • Fixes an issue where the Threat Response Read Only User was unable to view saved snapshots.
  • Fixes an issue where OpenIOC DNS Events did not display the DNS Domain in "Expand Details > Event Information".
  • Fixes an issue where the list of endpoints available for direct connections did not display new connections at the top of the list.
  • Fixes an issue where a significant number of "Getting the global emitter" log entries with null data at Trace level were displayed in log files.
  • Fixes an issue where case-insensitive "matches" comparisons may not evaluate as expected with multi-byte UTF-8 characters.
  • Fixes an issue where response timeouts when querying Index could result in incremental scans skipping candidates.
  • Fixes an issue where registry "permissions" signal events were not scanned correctly.
  • Fixes an issue where process and ancestry details were not returned for network port event alerts.
  • Fixes an issue where RDB migrations could fail.
  • Fixes an issue where empty string values display as empty instead of '--' in alert details.
  • Fixes an issue with the alerts grid where the total count could be smaller than the filter count.
  • Fixes an issue where a large number of security events were not able to display properly in the Threat Response workbench.
  • Fixes usability issues with navigating the saved evidence results.
  • Fixes an issue in the direct connect file browser where a service exception could occur when attempting to delete the same file multiple times.
  • Fixes an issue in the Python-based Trace sensor where the incorrect field was used for parent_command_line.
  • Fixes an issue where selecting a FilePermissionEvent with an Owner property could crash the advanced details display.
  • Fixes an issue where the update suppression rule modal would not allow empty values when a field is unselected.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can become blocked when the size of the MTU packet on the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and advise lowering the permissible MTU size. If the negotiation packet cannot reach the destination due to quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The MacOS Autoruns Sensor does not properly parse autorun information on MacOS 13 Ventura due to a change by Apple on where this information is stored.
  • On Mac OS 13.4+, Yara memory scanning is limited to processes without hardened runtimes. This is a known issue.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document. This is a known issue.
  • The Get Mac Firewall Settings sensor does not work on MacOS15 endpoints because the plist this sensor uses has been deprecated. This is a known issue.
  • Quarantine package names have been updated as part of this new feature. The Quarantine workbench uses the Threat Response - Quarantine Endpoint [OS] packages. The legacy packages (Apply Linux IPTables Quarantine, Apply Mac PF Quarantine, Apply Windows IPSec Quarantine, and the Unquarantine packages) are deprecated, but remain for backward compatibility and to preserve any existing taniumquarantine.dat files. Any existing response actions initiated before the upgrade will continue to use these legacy packages.
  • When using the PATCH /configs API route, if a description is not provided, any existing description is set to empty instead of persisting.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Setting section does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.

Release Date: 22 October 2024

Important Notes

  • Review the endpoint tool release versions in addition to the Threat Response release notes. This release of Threat Response requires Toolset version 2.x or higher.

Improvements

  • Upgraded various third-party libraries to newer versions.

Fixes

  • Fixes an issue where upgrading to Threat Response 4.5.181 or 4.6.457 from Threat Response 4.3 versions could fail.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can become blocked when the size of the MTU packet on the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and advise lowering the permissible MTU size. If the negotiation packet cannot reach the destination due to quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • On Mac OS 13.4+, Yara memory scanning is limited to processes without hardened runtimes.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document. This is a known issue.
  • When using the PATCH /configs API route, if a description is not provided, any existing description is set to empty instead of persisting.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Setting section does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.

Release Date: 08 October 2024

Important Notes

  • Review the endpoint tool release versions in addition to the Threat Response release notes. This release of Threat Response requires Toolset version 2.x or higher.

Improvements

  • Upgraded various third-party libraries to newer versions.

Fixes

  • Fixes an issue where deleting an empty array of suppression rules could cause all suppression rules to be deleted.
  • Fixes an issue where subscribing to the Tanium signals source could fail in Tanium Cloud environments.
  • Fixes an error that could prevent upgrades of Threat Response from 4.3+ from completing.
  • Fixes an issue where, when providing configuration data for ELK or Splunk HEC in a Stream configuration, sensitive data could be displayed if a user navigated to other locations and returned to the configuration.
  • Fixes an issue that could cause reactions to not be acknowledged because of a cron job failure.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can become blocked when the size of the MTU packet on the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and advise lowering the permissible MTU size. If the negotiation packet cannot reach the destination due to quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • On Mac OS 13.4+, Yara memory scanning is limited to processes without hardened runtimes.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document. This will be addressed in a future version of Threat Response.
  • When using the PATCH /configs API route, if a description is not provided, any existing description is set to empty instead of persisting.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Setting section does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.

Release Date: 29 August 2024

Important Notes

  • Review the endpoint tool release versions in addition to the Threat Response release notes. This release of Threat Response requires Toolset version 2.x or higher.

Improvements

  • Upgraded various third-party libraries to newer versions.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can become blocked when the size of the MTU packet on the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and advise lowering the permissible MTU size. If the negotiation packet cannot reach the destination due to quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • On Mac OS 13.4+, Yara memory scanning is limited to processes without hardened runtimes.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document. This will be addressed in a future version of Threat Response.
  • When using the PATCH /configs API route, if a description is not provided, any existing description is set to empty instead of persisting.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Setting section does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.

Release Date: 1 August 2024

Important Notes

  • Review the endpoint tool release versions in addition to the Threat Response release notes. This release of Threat Response requires Toolset version 2.x or higher.

Fixes

  • Fixes an issue with the saved evidence scroll bar.

Security Update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium’s Support Portal, or by contacting your TAM.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can become blocked when the size of the MTU packet on the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and advise lowering the permissible MTU size. If the negotiation packet cannot reach the destination due to quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • On Mac OS 13.4+, Yara memory scanning is limited to processes without hardened runtimes.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document. This will be addressed in a future version of Threat Response.
  • When using the PATCH /configs API route, if a description is not provided, any existing description is set to empty instead of persisting.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Setting section does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.

Release Date: 16 July 2024

Endpoint Configuration Toolset

Fixes

  • Fixes an issue where some Python-based Threat Response and Incident Response sensors could fail to execute on Windows endpoints.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can become blocked when the size of the MTU packet on the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and advise lowering the permissible MTU size. If the negotiation packet cannot reach the destination due to quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • On Mac OS 13.4+, Yara memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document. This will be addressed in a future version of Threat Response.
  • When using the PATCH /configs API route, if a description is not provided, any existing description is set to empty instead of persisting.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Setting section does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.

Release Date: 01 July 2024

Endpoint Configuration Toolset

Improvements

  • YARA rules are now compiled on the endpoint to better support multiple YARA versions during endpoint tooling upgrades.

Fixes

  • Fixes an issue where Threat Response could fail to gather all alerts after Tanium Server connection errors are encountered.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets.
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can become blocked when the size of the MTU packet on the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and advise lowering the permissible MTU size. If the negotiation packet cannot reach the destination due to quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • On Mac OS 13.4+, Yara memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document. This will be addressed in a future version of Threat Response.
  • When using the PATCH /configs API route, if a description is not provided, any existing description is set to empty instead of persisting.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Setting section does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.

Release Date: 11 June 2024

Endpoint Configuration Toolset

Fixes

  • Fixes an issue where Threat Response used MD5 hashes on several tables, which was not compatible with FIPS mode on TanOS Appliances.
  • Fixes an issue with reactions where option labels for some fields were not clearly displaying a disabled status.
  • Fixes an issue where, when importing Threat Response, some configuration steps might not complete and Tanium signals might not be imported properly.
  • Resolves an issue reported in limited customer environments related to the installation of Microsoft Patch KB5037771. Please see the article on the Tanium Resource Center for more information.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can become blocked when the size of the MTU packet on the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and advise lowering the permissible MTU size. If the negotiation packet cannot reach the destination due to quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • On Mac OS 13.4+, Yara memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document. This will be addressed in a future version of Threat Response.
  • When using the PATCH /configs API route, if a description is not provided, any existing description is set to empty instead of persisting.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Setting section does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.

Release Date: 29 May 2024

Endpoint Configuration Toolset

Fixes

  • Fixes an issue where Threat Response used MD5 hashes on several tables, which was not compatible with FIPS mode on TanOS Appliances.
  • Fixes an issue with reactions where option labels for some fields were not clearly displaying a disabled status.
  • Fixes an issue where, when importing Threat Response, some configuration steps might not complete and Tanium signals might not be imported properly.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can become blocked when the size of the MTU packet on the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and advise lowering the permissible MTU size. If the negotiation packet cannot reach the destination due to quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • On Mac OS 13.4+, Yara memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document. This will be addressed in a future version of Threat Response.
  • When using the PATCH /configs API route, if a description is not provided, any existing description is set to empty instead of persisting.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Setting section does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.

Release Date: 22 May 2024

Endpoint Configuration Toolset

Fixes

  • Fixes an issue with reactions where option labels for some fields were not clearly displaying a disabled status.
  • Fixes an issue where, when importing Threat Response, some configuration steps might not complete and Tanium signals might not be imported properly.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can become blocked when the size of the MTU packet on the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and advise lowering the permissible MTU size. If the negotiation packet cannot reach the destination due to quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • On Mac OS 13.4+, Yara memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document. This will be addressed in a future version of Threat Response.
  • When using the PATCH /configs API route, if a description is not provided, any existing description is set to empty instead of persisting.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Setting section does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.

Release Date: 09 May 2024

Endpoint Configuration Toolset

Fixes

  • Fixes an issue where, when using quarantine as part of a response action, the incorrect expiration time could be displayed.
  • Fixes an issue where a timeout could occur when direct connecting to an endpoint and searching for a path.
  • Increases the maximum number of exported filters from 1000 to 10000.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can become blocked when the size of the MTU packet on the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and advise lowering the permissible MTU size. If the negotiation packet cannot reach the destination due to quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • On Mac OS 13.4+, Yara memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.
  • When using the PATCH /configs API route, if a description is not provided, any existing description is set to empty instead of persisting.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Setting section does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.

Release Date: 24 April 2024

Improvements

  • Updated the way that reaction data is exported to CSV by including the reaction name in the CSV output.
  • Upgraded various third-party libraries to newer versions.

Tools Versions

  • Includes Threat Response Tools: 4.6.395
  • Includes Threat Response CX binary: 1.15.930
  • Includes Recorder Tool (Installer): 3.15.133
  • Includes Recorder binary: 2.12.1946
  • Includes Driver Tool (Installer): 3.15.133
  • Includes Driver binary: 3.3.30
  • Includes Index binary: 3.6.2490
  • Includes Stream: 2.1.1422
  • Includes python38: 3.3.59
  • Includes Incident Response: 7.0.22
  • Includes Quarantine: 3.4.39

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can become blocked when the size of the MTU packet on the endpoint is larger than the router's allowed MTU size. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and advise lowering the permissible MTU size. If the negotiation packet cannot reach the destination due to quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • On Mac OS 13.4+, Yara memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.
  • When using Management > Audit > Logs, searching for the name of an Intel Document does not return events related to that intel document. This will be addressed in a future version of Threat Response.
  • When using the PATCH /configs API route, if a description is not provided, any existing description is set to empty instead of persisting.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Setting section does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.

Release Date: 22 April 2024

New Features

  • Introduces reactions. You can use reactions to automate actions that disrupt and respond to attacks on both on-network and off-network endpoints, helping reduce the time to remediate issues from hours to seconds. Reactions automate one or more actions on an endpoint based on alerts from intel documents (for example, delete one or more files, kill a process, or quarantine an endpoint). Reactions are defined in the Threat Response workbench and associated with an intel document. You can create a reaction to define a workflow that occurs when an intel match occurs on an endpoint. The intel document defines what to act on, and the reaction defines what action or actions to perform.
  • Provides the ability to add alerts as events in Tanium Investigate.

Important Notes

  • Removes the Threat Response Stream - Tools Version sensor.
  • Removes the Threat Response - Status sensor.
  • Threat Response now provides the Linux, Mac, and Windows quarantine packages and does not require the IR Quarantine solution to be imported separately.

Improvements

  • The Live Response default file collector for Index has been updated to collect the IndexCX database.
  • For Intel safeguards, in the system notification for "Intel Safeguards: Endpoint", Threat Response provides the endpoint name in addition to the Intel document that was "disabled on specific endpoints due to a high volume of alerts".
  • Updates some of the language used in the descriptions of Intel Safeguards settings.
  • Threat Response no longer includes Stream Proxy name/password when profiles are exported/imported.
  • Updated byte representation to better match endpoint filesize format.
  • Provides a bulk delete API route for labels.
  • Increases the maximum number of lines in the Scheduled Task sensor output.
  • Removes the Intel Status from the Metrics section of the Extended Detections details.
  • Index: Improved performance of directory enumeration on Windows endpoints.

Tools Versions

  • Includes Threat Response Tools: 4.6.385
  • Includes Threat Response CX binary: 1.15.930
  • Includes Recorder Tool (Installer): 3.15.133
  • Includes Recorder binary: 2.12.1946
  • Includes Driver Tool (Installer): 3.15.133
  • Includes Driver binary: 3.3.30
  • Includes Index binary: 3.6.2490
  • Includes Stream: 2.1.1422
  • Includes python38: 3.3.59
  • Includes Incident Response: 7.0.22
  • Includes Quarantine: 3.4.39

Fixes

  • Fixes an issue where you could not delete a large number of intel documents at one time.
  • Fixes an issue where the macOS Autoruns sensor did not properly parse autorun information on macOS 13 Ventura due to a change by Apple in where this information is stored.
  • Fixes an issue where the quick filter in the alerts grid could incorrectly show no alerts.
  • Fixes an issue where, when exporting events to Tanium Connect, the receivedAt timestamp was used instead of the alertedAt timestamp.
  • Fixes an issue where content in the edit modal of the suppression rules page did not match the content displayed in the suppression rules table.
  • Fixes an issue where filtering by 'Cmd Line' on the Suppression Rules page could cause the page to crash.
  • Fixes an issue where after loading a product license, access to pages in the console could fail.
  • Fixes an issue where the Tanium Quarantine dat file was deleted with every upgrade of IR Quarantine.
  • Fixes an issue where the Quarantine grid status column icon was not center aligned.
  • Fixes an issue where, after adding a new Intel Doc to the list, the Suppression Rule option in the Add menu did not show the new docs until the page was refreshed.
  • Fixes an issue in the Response Activity page where the Gather snapshot link was not linking correctly to Snapshot in Saved Evidence.
  • Fixes an issue in the alerts grid where an empty onDemandScanId value is displayed as "––" instead of "".
  • Fixes an issue in the Splunk TCP Stream configuration destination where proxy fields data was displayed in the JSON.
  • Fixes an issue where Threat Response returned an HTTP 500 error when adding a TAXII source with a URL that does not resolve; it now returns an HTTP 4xx error.
  • Fixes an issue where the Signals builder would suggest syntax inside single quotes.
  • Fixes an issue on the Alert Details page where, when hovering over an item under Ancestry in the Process information section, the corresponding user information was not displayed.
  • Fixes an issue on the Saved Evidence page where downloaded or imported snapshot db files displayed a different size than the one shown in the table.
  • Fixes an issue where the Threat Response workbench did not fully display whitespace.
  • Fixes an issue in Quarantine where the CIDR was required. This field is no longer required and if a value is not provided it defaults to 32.
  • Updates the description of the Threat Response Visibility Bypass permission in the Tanium Console.
  • Fixes an issue where Threat Response profiles incorrectly notify users to redeploy after tools upgrade in Tanium Cloud.
  • Fixes an issue where Direct Connect > Event Sorting could break after large scroll bar movements.
  • Fixes an issue where users without Snapshot Read or Visibility Bypass Read permissions could see references to snapshots.
  • Fixes an issue where on the Alerts page, alerts for Process Injection and Reputation were not showing the icon for the Intel Name.
  • Fixes an issue where whenever a label or MITRE technique is selected in a filter, the exported CSV was missing Intel Name, Source, and MITRE information.
  • Fixes an issue with Alert Details where the Reputation modal for hashes sometimes did not show hashes when the reputation was Unknown.
  • Fixes an issue where filtering, clicking Select All, and then deselecting individual suppression rules could incorrectly delete all filtered rules.
  • Fixes an issue where the firstDeploymentTimestamp update query could fail with large numbers of intel docs.
  • Fixes an issue where the Import Tanium Signals button was displayed after Tanium Signals were already imported.
  • Fixes an issue where, when generating Live Response packages, changes to packages were not preserved after package generation failures.
  • Fixes an issue where no link back to the main list of extended detection types was provided from individual types.
  • Fixes an issue where the loading state was not displayed after clicking the Create Package button for troubleshooting packages.
  • Fixes an issue where the Threat Response file browser displayed sizes using decimal prefixes rather than the typical binary prefixes.
  • Fixes an issue in the exclusions page of the workbench where a link to Client Management was displayed for users who did not have access.
  • Fixes an issue where, when a file download response action failed, the notification contained a broken link to the tasks page.
  • Index: Fixes an issue where CX Restart could cause Index to never finish indexing a directory with a significant number of files.
  • Index: Fixes an issue where Index.db-wal file could consume a large amount of disk space.
  • Fixes an issue where the Threat Response client extension (THR-CX) could crash on CX shutdown if the Recorder CX was disabled.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when the endpoint's MTU is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to report that the packet is too large and advise lowering the permissible MTU size. If the negotiation packet cannot reach the destination because of the quarantine, the endpoint can become unresponsive: the endpoint is still quarantined but loses communication with the Tanium Server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • On macOS 13.4+, Yara memory scanning is limited to processes without hardened runtimes. This will be addressed in a future release of Threat Response.
  • When using Management > Audit > Logs, searching for the name of an intel document does not return events related to that intel document. This will be addressed in a future version of Threat Response.
  • When using the PATCH /configs API route, if a description is not provided, any existing description is set to empty instead of being preserved.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Setting section does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.

Release Date: 09 April 2024

Tools Versions

  • Includes Threat Response Tools: 4.5.138
  • Includes Threat Response CX binary: 1.14.1254
  • Includes Recorder Tool (Installer): 3.15.131
  • Includes Recorder binary: 2.12.1943
  • Includes Driver Tool (Installer): 3.15.131
  • Includes Driver binary: 3.3.30
  • Includes Index binary: 3.5.1753
  • Includes Stream: 2.1.1422
  • Includes python38: 3.3.59
  • Includes Incident Response: 7.0.22

Fixes

  • Fixes an issue where the Response action API would not send all fields correctly for Quarantine actions.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when the endpoint's MTU is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to report that the packet is too large and advise lowering the permissible MTU size. If the negotiation packet cannot reach the destination because of the quarantine, the endpoint can become unresponsive: the endpoint is still quarantined but loses communication with the Tanium Server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On macOS 13.4+, Yara memory scanning is limited to processes without hardened runtimes. This will be addressed in a future release of Threat Response.
  • When using Management > Audit > Logs, searching for the name of an intel document does not return events related to that intel document. This will be addressed in a future version of Threat Response.
  • When using the PATCH /configs API route, if a description is not provided, any existing description is set to empty instead of being preserved.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Setting section does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.

Release Date: 27 March 2024

Tools Versions

  • Includes Threat Response Tools: 4.5.135
  • Includes Threat Response CX binary: 1.14.1254
  • Includes Recorder Tool (Installer): 3.15.131
  • Includes Recorder binary: 2.12.1943
  • Includes Driver Tool (Installer): 3.15.131
  • Includes Driver binary: 3.3.30
  • Includes Index binary: 3.5.1753
  • Includes Stream: 2.1.1422
  • Includes python38: 3.3.59
  • Includes Incident Response: 7.0.22

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when the endpoint's MTU is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to report that the packet is too large and advise lowering the permissible MTU size. If the negotiation packet cannot reach the destination because of the quarantine, the endpoint can become unresponsive: the endpoint is still quarantined but loses communication with the Tanium Server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On macOS 13.4+, Yara memory scanning is limited to processes without hardened runtimes. This will be addressed in a future release of Threat Response.
  • When using Management > Audit > Logs, searching for the name of an intel document does not return events related to that intel document. This will be addressed in a future version of Threat Response.
  • When using the PATCH /configs API route, if a description is not provided, any existing description is set to empty instead of being preserved.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Setting section does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.

Release Date: 21 March 2024

Improvements

  • Upgraded various third-party libraries to newer versions.

Tools Versions

  • Includes Threat Response Tools: 4.5.133
  • Includes Threat Response CX binary: 1.14.1254
  • Includes Recorder Tool (Installer): 3.15.131
  • Includes Recorder binary: 2.12.1943
  • Includes Driver Tool (Installer): 3.15.131
  • Includes Driver binary: 3.3.30
  • Includes Index binary: 3.5.1753
  • Includes Stream: 2.1.1422
  • Includes python38: 3.3.59
  • Includes Incident Response: 7.0.19

Fixes

  • Fixes an issue where in certain circumstances the Threat Response client extension could crash if the Recorder extension was disabled.
  • Fixes an issue where migrating from some 4.0 versions of Threat Response could fail if Signals have duplicate mitreAttack.techniques defined.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when the endpoint's MTU is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to report that the packet is too large and advise lowering the permissible MTU size. If the negotiation packet cannot reach the destination because of the quarantine, the endpoint can become unresponsive: the endpoint is still quarantined but loses communication with the Tanium Server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On macOS 13.4+, Yara memory scanning is limited to processes without hardened runtimes. This will be addressed in a future release of Threat Response.
  • When using Management > Audit > Logs, searching for the name of an intel document does not return events related to that intel document. This will be addressed in a future version of Threat Response.
  • When using the PATCH /configs API route, if a description is not provided, any existing description is set to empty instead of being preserved.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Setting section does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.

Release Date: 04 March 2024

Upgrade Notes

  • Increases the minimum version of ECF to 2.0.241 to support Server 7.4/Console 2.1.
  • This release removes the "Threat Response - Status Gather" Saved Question.
  • All Threat Response sensors have been configured to use external execution to enable support for Tanium Client 7.2 with Python 3.
  • New security exclusions have been added for macOS Universal. Review Threat Response security exclusions for endpoints in the Threat Response User Guide for more information.

Improvements

  • Upgraded various third-party libraries to newer versions.

Tools Versions

  • Includes Threat Response Tools: 4.5.127
  • Includes Threat Response CX binary: 1.14.1253
  • Includes Recorder Tool (Installer): 3.15.131
  • Includes Recorder binary: 2.12.1943
  • Includes Driver Tool (Installer): 3.15.131
  • Includes Driver binary: 3.3.30
  • Includes Index binary: 3.5.1753
  • Includes Stream: 2.1.1422
  • Includes python38: 3.3.59
  • Includes Incident Response: 7.0.18

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when the endpoint's MTU is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to report that the packet is too large and advise lowering the permissible MTU size. If the negotiation packet cannot reach the destination because of the quarantine, the endpoint can become unresponsive: the endpoint is still quarantined but loses communication with the Tanium Server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On macOS 13.4+, Yara memory scanning is limited to processes without hardened runtimes. This will be addressed in a future release of Threat Response.
  • When using Management > Audit > Logs, searching for the name of an intel document does not return events related to that intel document. This will be addressed in a future version of Threat Response.
  • When using the PATCH /configs API route, if a description is not provided, any existing description is set to empty instead of being preserved.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Setting section does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.

Release Date: 20 February 2024

Upgrade Notes

  • Increases the minimum version of ECF to 2.0.241 to support Server 7.4/Console 2.1.
  • This release removes the "Threat Response - Status Gather" Saved Question.
  • All Threat Response sensors have been configured to use external execution to enable support for Tanium Client 7.2 with Python 3.
  • New security exclusions have been added for macOS Universal. Review Threat Response security exclusions for endpoints in the Threat Response User Guide for more information.

Improvements

  • Recorder: Adds support for macOS Endpoint Security Framework (ESF).
  • Recorder: Adds support for eBPF as an event source on RHEL 9.3 endpoints.
  • Upgraded various third-party libraries to newer versions.

Tools Versions

  • Includes Threat Response Tools: 4.5.125
  • Includes Threat Response CX binary: 1.14.1253
  • Includes Recorder Tool (Installer): 3.15.131
  • Includes Recorder binary: 2.12.1943
  • Includes Driver Tool (Installer): 3.15.131
  • Includes Driver binary: 3.3.30
  • Includes Index binary: 3.5.1745
  • Includes Stream: 2.1.1422
  • Includes python38: 3.3.59
  • Includes Incident Response: 7.0.17

Fixes

  • Fixes an issue that prevented some IR sensors from running correctly on ARM Linux endpoints.
  • Fixes an issue where a negative number of alerts could display for an intel doc.
  • Fixes an issue where macOS 14 Sonoma disables BSM process auditing by default on upgrade and Recorder would not work until BSM audit is re-enabled.
  • Fixes an issue where the macOS Autoruns sensor did not properly parse autorun information on macOS 13 Ventura due to a change by Apple in where this information is stored.
  • Fixes an issue where the Live Response package files could be left behind on Windows endpoints and not cleaned up after the action completes.
  • Fixes an issue where exporting Signals via the API could cause an error when reimporting the same signals.
  • Fixes an issue where migrating from some 4.0 versions of Threat Response could fail if Signals have mitreAttack.techniques defined.
  • Fixes an issue where Read-Only Users could experience display issues when viewing the On Demand Scans tab in an intel document.
  • Fixes an issue where users without the Snapshot Write permission could gather snapshots.
  • Fixes an issue where values added to filters in the Context Analyzer were combined with OR instead of AND.
  • Fixes an issue where exporting a CSV of Reputation based alerts did not contain hash type and hash value.
  • Fixes an issue where Live Response package files were not cleaned up.
  • Fixes an issue where PowerShell Errors were returned when trying to delete items from downloads.
  • Fixes an issue where Linux and Mac profiles unexpectedly displayed as requiring deployment.
  • Fixes an issue where, after upgrading from Threat Response versions 4.2.13 and later, the Alert page filter "Alert Content" became case sensitive.
  • Fixes an issue where users could not edit or upload some IOC files.
  • Index: Fixes an issue where high CPU or disk I/O could occur if a directory had a significant number of files.
  • Recorder: Fixes an issue where Process Exits were not being correctly reported from the Tanium BPF Driver in RHEL 9.3.
  • Recorder: Fixes an issue where Recorder could hit a “boost::filesystem::rename: Operation Not Permitted” error.
  • Recorder: Fixes an issue where certain Windows file events could be missed.
  • Recorder: Fixes an issue where Recorder may not start on Linux endpoints if tanium.conf already exists.

Security Update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium’s Support Portal, or by contacting your TAM.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when the endpoint's MTU is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to report that the packet is too large and advise lowering the permissible MTU size. If the negotiation packet cannot reach the destination because of the quarantine, the endpoint can become unresponsive: the endpoint is still quarantined but loses communication with the Tanium Server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On macOS 13.4+, Yara memory scanning is limited to processes without hardened runtimes. This will be addressed in a future release of Threat Response.
  • When using Management > Audit > Logs, searching for the name of an intel document does not return events related to that intel document. This will be addressed in a future version of Threat Response.
  • When using the PATCH /configs API route, if a description is not provided, any existing description is set to empty instead of being preserved.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Setting section does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.

Release Date: 04 December 2023

Upgrade Notes

  • This Threat Response release removes the Threat Response - Tools Version sensor.

Improvements

  • Adds support for Endpoint Change Management. When Endpoint Change Management is enabled, endpoint tools get upgraded according to upgrade workflows defined in Endpoint Change Management and the automatic upgrade option in the Threat Response workbench is not available.

Fixes

  • Fixes an issue with the Start Time in the Context Analyzer; it now shows the event time rather than the process start time for items.
  • Fixes an issue with Direct Connect where the time filter modal displayed the local time instead of UTC.

Tools Versions

  • Includes Threat Response Tools: 4.5.70
  • Includes Threat Response CX binary: 1.14.1253
  • Includes Recorder Tool (Installer): 3.14.33
  • Includes Recorder binary: 2.11.1587
  • Includes Driver Tool (Installer): 3.14.33
  • Includes Driver binary: 3.3.30
  • Includes Index binary: 3.5.1727
  • Includes Stream: 2.1.1422
  • Includes python38: 3.2.6
  • Includes Incident Response: 6.7.13

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when the endpoint's MTU is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to report that the packet is too large and advise lowering the permissible MTU size. If the negotiation packet cannot reach the destination because of the quarantine, the endpoint can become unresponsive: the endpoint is still quarantined but loses communication with the Tanium Server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On macOS 13.4+, Yara memory scanning is limited to processes without hardened runtimes. This will be addressed in a future release of Threat Response.
  • When using Management > Audit > Logs, searching for the name of an intel document does not return events related to that intel document. This will be addressed in a future version of Threat Response.
  • macOS 14 Recorder support currently requires a package to be run to re-enable BSM. This will be addressed in a future Recorder update.
  • At this time, the coverage metric does not work and will be fixed or removed in a later release.
  • When using the PATCH /configs API route, if a description is not provided, any existing description is set to empty instead of being preserved.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Setting section does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.

Release Date: 20 November 2023

Improvements

  • Converts the Threat Response - Acknowledge Findings Template [Windows] package and the following sensors from VBS to PowerShell: Threat Response - Context Analyzer Details, Threat Response - Context Analyzer Summary, Threat Response - Count Findings, Threat Response - Gather Findings, Threat Response - Groupings With Findings, and Threat Response - Sample Findings.

Fixes

  • Exporting alerts to CSV now correctly separates alerts by line.
  • Direct Connect times are now correctly treated as UTC instead of browser time.

Tools Versions

  • Includes Threat Response Tools: 4.4.332
  • Includes Threat Response CX binary: 1.14.1253
  • Includes Recorder Tool (Installer): 3.14.33
  • Includes Recorder binary: 2.11.1587
  • Includes Driver Tool (Installer): 3.14.33
  • Includes Driver binary: 3.3.30
  • Includes Index binary: 3.5.1727
  • Includes Stream: 2.1.1422
  • Includes python38: 3.2.6
  • Includes Incident Response: 6.7.13

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when the endpoint's MTU is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint to report that the packet is too large and advise lowering the permissible MTU size. If the negotiation packet cannot reach the destination because of the quarantine, the endpoint can become unresponsive: the endpoint is still quarantined but loses communication with the Tanium Server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On macOS 13.4+, Yara memory scanning is limited to processes without hardened runtimes. This will be addressed in a future release of Threat Response.
  • When using Management > Audit > Logs, searching for the name of an intel document does not return events related to that intel document. This will be addressed in a future version of Threat Response.
  • macOS 14 Recorder support currently requires a package to be run to re-enable BSM. This will be addressed in a future Recorder update.
  • At this time, the coverage metric does not work and will be fixed or removed in a later release.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Setting section does not persist when the signal is created.

Release Date: 08 November 2023

Fixes

  • Fixes an issue where the import of an intel document could fail if blank name or id fields exist in MITRE values.
  • Fixed an issue where Threat Response Rest API requests could fail when the Tanium Server is installed in a Windows AIO (All-in-One) environment.
  • Stream: Fixed an issue where Stream could continually try unsuccessfully to resend a large cache file.
  • Stream: Fixed an issue where Stream may not respect the backoff retry interval and try to resend cached data too frequently.

Tools Versions

  • Includes Threat Response Tools: 4.4.327
  • Includes Threat Response CX binary: 1.14.1253
  • Includes Recorder Tool (Installer): 3.14.33
  • Includes Recorder binary: 2.11.1587
  • Includes Driver Tool (Installer): 3.14.33
  • Includes Driver binary: 3.3.30
  • Includes Index binary: 3.5.1727
  • Includes Stream: 2.1.1422
  • Includes python38: 3.2.6
  • Includes Incident Response: 6.7.13

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • Quarantine rules that block ICMP can break path MTU discovery. If the endpoint sends a packet larger than the MTU a router on the path allows, the router normally drops it and returns an ICMP message telling the endpoint to lower its MTU. If that ICMP message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Block ICMP traffic while quarantined only after proper testing.
  • The MacOS Autoruns Sensor does not correctly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On macOS 13.4 and later, YARA memory scanning is limited to processes that do not use the hardened runtime. This is a known issue that will be addressed in a future release of Threat Response.
  • When using Management > Audit > Logs, searching for the name of an Intel document does not return events related to that Intel document. This will be addressed in a future version of Threat Response.
  • macOS 14 Recorder support currently requires a package to be run to re-enable BSM auditing. This will be addressed in a future Recorder update.
  • At this time, the coverage metric does not work and will be fixed or removed in a later release.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as event ID 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.
  • When creating a new Signal Intel document, deselecting the Intel Safeguards setting under the Advanced Settings section does not persist when the Signal is created.

Release Date: 02 November 2023

Important Notes

New Features

  • Intel Safeguards is a new feature in THR 4.4 that helps reduce alert fatigue and false positive alerts by automatically disabling noisy Intel documents globally or at the endpoint level. Intel Safeguards’ ability to automatically disable Intel documents also helps to improve the performance and resilience of the Threat Response service on the module server by reducing the service work that was previously required to continuously throttle large numbers of alerts. Intel Safeguards provides configurable thresholds at both the global and Intel document level.
  • Provides an interface to view and export audit logs for user interactions in Threat Response. In the Threat Response workbench, select Management > Audit > Logs to view audit events.
  • Starting in Threat Response 4.4, Index exclusions are now centrally managed by Tanium Client Management (TCM) to provide one central location for configuring global Indexing exclusions. You should add new exclusions required by THR in TCM. Exclusions that you add in Tanium Client Management are not visible in the list of exclusions shown in individual Tanium modules; it is important to view the exclusions in both locations to understand the total exclusions that are applied to the Tanium environment. In this release, existing exclusions are maintained, but you can no longer add Index exclusions in an Index configuration in the Threat Response workbench.

Improvements

  • Deep Instinct, Microsoft Defender, Process Injection, and Reputation Intel documents are now contained under a new heading named Extended Detections. These Intel documents and all corresponding data and alerts are accessible from the Extended Detections menu item in the Threat Response workbench.
  • Alert data that is sent to Tanium Connect now includes a link to the alert in the Threat Response workbench, which enables quick access to the alert in Threat Response. Alerts can now be directly accessed using the following URL pattern: https://<serverIP>/#/threatresponse/alerts?guid=<alert_guid>.
  • Adds documentation in the User Guide for the alerts schema and provides details on the types of data contained in alerts.
  • Provides the ability to use the filter builder for response actions to specifically target single endpoints based on multiple criteria.
  • Provides the ability to export selected filters.
  • The Context Analyzer now returns matches for live processes in addition to historical process activity.
  • Provides the ability to clone an Intel document in the Threat Response workbench.
  • On the Intel Documents page, YARA Intel documents now have a description that identifies whether the Intel is for Live Files, Memory, or Paths.
  • Adds workbench documentation accessible from the Help icon > “Recorder Security Events Details” that provides a mapping of Recorder configuration event type checkboxes to related Event IDs which are recorded by that event type on the corresponding OS.
  • Blocks the upload of a snapshot that exceeds the maximum allowed size of 2.5 GB.
  • The name of the Actions button on the Profiles page has been changed to Profile Actions.
  • Windows Defender Intel has been renamed Microsoft Defender and is now located under the Extended Detections menu item.
  • The Unknown Intel source has been renamed Orphaned.
  • On the Intel Labels page, if you select one checkbox an edit icon displays that allows you to edit the selected label.
  • Intel Safeguards attributes are now displayed in the Intel documents page for each Intel document.
  • An Intel Safeguards checkbox appears in the modal for creating or editing a Signal to configure Intel Safeguards functionality on a per-Intel document basis.
  • New notification types are displayed in the System Notifications page for Intel Safeguards data.
  • Provides the ability to enable or disable Intel Safeguards from the Settings > Service > Intel menu.
  • Provides a clone API route to clone Intel documents and enables you to specify a name and ID for the clone and preserve other properties of the original Intel document.
  • In a Connect job that uses the Tanium Threat Response source and the Audit Report type, the user ID of the user who deployed Intel is now displayed.
  • Provides the ability to filter Intel documents by Extended Detections.
  • Adds an online or offline icon to the left of the endpoint name in the "Endpoint" column in the alerts grid. Note: Endpoints that a user does not have management rights on will appear offline.
  • When initiating a Response Action from an alert, the targeting now includes EID (Endpoint ID) in addition to endpoint name.
  • When deploying an action from an alert, the targeting now additionally uses EID.
  • The Alert details flyout now enriches the display of hash data by using Tanium Reputation.
  • In the alerts grid, the name of the endpoint is a link that you can click to initiate a direct connection to the endpoint.
  • Two new labels have been added to the Tanium Signal feed: “Deprecated” - These signals have been replaced by one or more new signals and will be removed in the future. “Marked For Removal” - These signals have been noted for removal in the release notes and will be deleted from the Signals Feed after a minimum of 30 days.
  • Process Injection alerts now use the Target Process PID to deduplicate process injection attempts.
  • Exporting Filters now supports Export Selected in addition to Export All.
  • Adds a copy cell action to the Impact Rating in the context analyzer details and adds Impact Rating to the filtering.
  • A confirmation modal is displayed when a Profile is exported as a CSV.
  • Disables the real-time Deploy Action, Remediate in Enforce, Download File, Gather Snapshot, Live Response, and Quarantine actions for offline endpoints from the alerts grid. Response Actions should be used for Offline Endpoints.
  • Mean time to Remediate and Mean Time to Investigate calculations have been restored.
  • Preserves the filter selections on the On-Demand Scans tab when switching between tabs.
  • Provides the ability to edit the name of an Intel document.
  • Provides the ability to add Context Analyzer results to an investigation in Tanium Investigate.
  • Provides full filter builder support for Context Analyzer results.
  • Provides the ability to filter on multiple labels in the alerts grid.
  • Provides the ability to add artifacts from a direct connection to an investigation in Tanium Investigate.
  • Recorder: Adjusts Recorder BPF Support targeting to include OEL 7.9 with the UEK 5.4 kernel.
  • Stream: Added support for Stream to send NAMESPACE data to Google Chronicle.
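The alert URL pattern above is useful beyond Connect: a SIEM or ticketing integration can build the link itself from an alert GUID, and a correlation script can recover the GUID from a link it receives. The following is an added example, not Tanium code; the server name and GUID in it are constructed. One detail worth noting: the route lives in the URL fragment (after #), so the guid parameter is not part of the HTTP query string and must be parsed out of the fragment.

```python
"""Build and parse Threat Response alert deep links of the form
https://<serverIP>/#/threatresponse/alerts?guid=<alert_guid>.
Added example, not Tanium code; host and GUID values are constructed."""
import uuid
from typing import Optional
from urllib.parse import parse_qs, quote, urlsplit

ALERTS_ROUTE = "/threatresponse/alerts"


def is_valid_alert_guid(value: str) -> bool:
    """Alert GUIDs are UUIDs; reject anything else before it reaches a URL."""
    try:
        uuid.UUID(value)
        return True
    except (ValueError, AttributeError, TypeError):
        return False


def alert_link(server: str, alert_guid: str) -> str:
    """Return the workbench URL for one alert. The GUID is validated and
    normalized first so that an untrusted alert field (for example one that
    round-tripped through a SIEM) cannot inject fragment or query syntax into
    a link an analyst will click."""
    if not is_valid_alert_guid(alert_guid):
        raise ValueError(f"not an alert GUID: {alert_guid!r}")
    guid = str(uuid.UUID(alert_guid))  # canonical lowercase, hyphenated form
    return f"https://{server}/#{ALERTS_ROUTE}?guid={quote(guid, safe='')}"


def alert_guid_from_link(link: str) -> Optional[str]:
    """Recover the alert GUID from a deep link, or None if the link is not an
    alerts link or its guid parameter is not a UUID."""
    fragment = urlsplit(link).fragment          # "/threatresponse/alerts?guid=..."
    route, _, query = fragment.partition("?")
    if route != ALERTS_ROUTE:
        return None
    guid = parse_qs(query).get("guid", [None])[0]
    if not guid or not is_valid_alert_guid(guid):
        return None
    return str(uuid.UUID(guid))


if __name__ == "__main__":
    # Constructed values: hostname and GUID are not from a real deployment.
    link = alert_link("tanium.example.com", "0F1E2D3C-4B5A-6978-8A9B-ACBDCEDFE0F1")
    print(link)
    print(alert_guid_from_link(link))
```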

Fixes

  • Fixes minor UI issues and clarifies several messages that are displayed in the Threat Response workbench.
  • Fixes an issue on the Management > System Notifications page where deleting multiple notifications that matched an applied filter deleted all notifications instead of only the matching ones.
  • Fixes an issue where filtering by time range in the alerts view used local browser time rather than UTC.
  • Fixes an issue where the Reputation Intel Document modified time was not changing as new hashes were identified in Reputation.
  • Fixes an issue where Port Number was a required field in Live Response Destinations for S3.
  • Adds a validation message to inform the user that a Signal cannot be saved unless an operating system is selected.
  • Fixes an issue where the default "minutes to collect" value of 0 in the configuration of the Threat Response audit source resulted in a THR Audit Report Source error.
  • Fixes an issue where the Intel Source value on the Intel details page would get reset and repopulated on each load of the page.
  • Fixes an issue where a request to the /plugin/products/threat-response/api/v1/response-actions route to quarantine or unquarantine a computer outside your management rights groups did not return an error.
  • Fixes an issue where the name field in the suppressions rule creation modal was not validated by the Threat Response service.
  • Fixes an issue on the alerts page where filtering by Alert Content did not adjust Quick Filters.
  • Fixes an issue where you could not bulk delete system notifications with time range filter applied.
  • Fixes an issue on the System Notifications page where the page could crash when expanding to an unknown notification type.
  • Fixes an issue where the Save button is shown in the Service Settings page when the user is read-only.
  • Fixed an issue with displaying system notifications when all details were not ASCII strings.
  • Fixes an issue where when the context analyzer completed a search, the progress bar continued to be displayed.
  • Fixes an issue where when a user duplicated certain Tanium Signals or documents from the TAXII source, they were moved into the Direct Connect source instead of the Workbench source.
  • Fixes an issue where when creating a suppression rule, the Threat Response workbench does not update automatically to show the status change.
  • Fixes an issue where on the labels page, sorting by description (both ascending and descending) showed blank values at the top of the list.
  • Fixes an issue where the details for the Process Injection document showed Global Suppression Rules. Global Suppression Rules do not apply to Process Injection and are no longer shown.
  • Fixes an issue on the alerts page where the sort order for Outbound Impact was incorrect.
  • Fixes an issue with the "AutoRun Program Details" sensor where it failed to locate certain drivers.
  • Changes the hint text for TAXII private keys to be a correct example for private keys.
  • Fixes an issue where the Duplicate and Delete buttons were not appropriately enabled for Filters and Exclusions.
  • Fixes an issue where the "Threat Response - Count Findings" sensor used up all inodes on file systems where THR tools were not installed.
  • Updates the API documentation for Bulk Delete Evidence to provide a more complete sample.
  • Fixes an issue in Stream Configurations where filters could fail to save if "Shift - Select" is used to choose filters.
  • Fixes an issue where the event log event sent from the Recorder could contain a binary string of multiple category IDs.
  • Fixes an issue on the Saved Evidence: File Download page where items were sorted incorrectly by the Created At heading.
  • Fixes an issue where Live Response does not honor "Ignore Action Lock" in generated packages.
  • Fixes an issue in the Threat Response Alert Grid and Alert Details where the hash type and hash values were blank if the Reputation service was unavailable.
  • Fixes an issue in Live Response where when Generate Package fails, Threat Response did not specify which package was at fault.
  • Fixes an issue where the suppressed and evaluated results were not being stored in the SuppressAlerts task type entry in the Threat Response database.
  • Fixes an issue on the Saved Evidence page, where selecting a type and using exclude mode to select some items to bulk delete resulted in the deleted items totaling more than the selected items.
  • Fixes an issue where the file browser link to Saved Evidence is not setting File filter.
  • Fixes an issue where Read-Only users could view the suppressions.
  • Index: ZIP archives over the MaxZipSizeMB size limit are no longer re-walked on every indexing pass.
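The management-rights fix above (the response-actions route not rejecting quarantine or unquarantine requests for computers outside the caller's management rights groups) is a server-side authorization check on a target supplied in the request body. The following is an added example, not Tanium's implementation, showing the check a route like this needs, with the unchecked form beside the hardened one; the Directory structure and every username, group name and computer ID in it are constructed stand-ins for the Tanium Server's computer-group and management-rights data.

```python
"""Authorization check for a response-actions request (quarantine/unquarantine)
keyed on the caller's management rights groups. Added example, not Tanium
code; all names and data below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Set


class Forbidden(Exception):
    """Raised when the caller lacks management rights on the target computer."""


@dataclass
class Directory:
    # computer_id -> computer groups the endpoint belongs to (constructed sample)
    groups_of: Dict[int, Set[str]] = field(default_factory=dict)
    # username -> computer groups the user holds management rights on (constructed)
    rights_of: Dict[str, Set[str]] = field(default_factory=dict)


def is_authorized(directory: Directory, user: str, computer_id: int) -> bool:
    """The caller must hold management rights on at least one computer group
    that contains the target. A computer id the server does not know has no
    groups and is therefore never authorized (fail closed)."""
    target_groups = directory.groups_of.get(computer_id, set())
    return bool(target_groups & directory.rights_of.get(user, set()))


def submit_response_action_unchecked(user: str, action: str, computer_id: int) -> dict:
    """'Before' behaviour: the computer id from the request body is trusted,
    so any authenticated user can address any computer."""
    return {"status": "queued", "action": action,
            "computer_id": computer_id, "submitted_by": user}


def submit_response_action(directory: Directory, user: str, action: str,
                           computer_id: int) -> dict:
    """Hardened form: validate the action, then enforce management rights on
    the target before anything is queued, and reject with an explicit error."""
    if action not in ("quarantine", "unquarantine"):
        raise ValueError(f"unsupported action {action!r}")
    if not is_authorized(directory, user, computer_id):
        raise Forbidden(f"{user} has no management rights on computer {computer_id}")
    return {"status": "queued", "action": action,
            "computer_id": computer_id, "submitted_by": user}


# Constructed directory: one analyst with rights on a single computer group.
DIRECTORY = Directory(
    groups_of={101: {"Finance Workstations"}, 202: {"Engineering Linux"}},
    rights_of={"analyst.finance": {"Finance Workstations"}},
)

if __name__ == "__main__":
    print(submit_response_action(DIRECTORY, "analyst.finance", "quarantine", 101))
    # The unchecked route accepts a target outside the caller's rights:
    print(submit_response_action_unchecked("analyst.finance", "quarantine", 202))
    try:
        submit_response_action(DIRECTORY, "analyst.finance", "quarantine", 202)
    except Forbidden as exc:
        print("rejected:", exc)
```

The point of the check is that the target identity comes from the request, not from the session, so rights must be evaluated per target on every call; a lookup that returns an empty group set for an unknown computer must deny rather than allow.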

Tools Versions

  • Includes Threat Response Tools: 4.4.318
  • Includes Threat Response CX binary: 1.14.1253
  • Includes Recorder Tool (Installer): 3.14.33
  • Includes Recorder binary: 2.11.1587
  • Includes Driver Tool (Installer): 3.14.33
  • Includes Driver binary: 3.3.30
  • Includes Index binary: 3.5.1727
  • Includes Stream: 2.1.1420
  • Includes python38: 3.2.6
  • Includes Incident Response: 6.7.13

Security Updates

  • Upgraded various third-party libraries to newer versions.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • Quarantine rules that block ICMP can break path MTU discovery. If the endpoint sends a packet larger than the MTU a router on the path allows, the router normally drops it and returns an ICMP message telling the endpoint to lower its MTU. If that ICMP message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Block ICMP traffic while quarantined only after proper testing.
  • The MacOS Autoruns Sensor does not correctly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On macOS 13.4 and later, YARA memory scanning is limited to processes that do not use the hardened runtime. This is a known issue that will be addressed in a future release of Threat Response.
  • When using Management > Audit > Logs, searching for the name of an Intel document does not return events related to that Intel document. This will be addressed in a future version of Threat Response.
  • macOS 14 Recorder support currently requires a package to be run to re-enable BSM auditing. This will be addressed in a future Recorder update.
  • At this time, the coverage metric does not work and will be fixed or removed in a later release.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as event ID 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.
  • When creating a new Signal Intel document, deselecting the Intel Safeguards setting under the Advanced Settings section does not persist when the Signal is created.

Release Date: 19 October 2023

Important Notes

  • The “Threat Response – Status" sensor is now deprecated and will no longer be supported in future versions of Threat Response. The “Threat Response – Status" sensor has been replaced with the “Client Extensions – Status" sensor to provide detailed endpoint health information and potential remediation steps.

Fixes

  • Fixes an issue with Live Response where AutoRuns collection could fail on macOS 14 endpoints.
  • Fixes an issue where the AutoRuns Sensor was not working correctly for macOS 13 and 14 endpoints.
  • Fixes an issue where migrating database contents from SQLite to RDB can fail if there is a row size that exceeds the maximum of 2712.

Tools Versions

  • Includes Threat Response Tools: 4.3.219
  • Includes Threat Response CX binary: 1.13.1153
  • Includes Recorder Tool (Installer): 3.14.28
  • Includes Recorder binary: 2.11.1584
  • Includes Driver Tool (Installer): 3.14.28
  • Includes Driver binary: 3.3.30
  • Includes Index binary: 3.5.1727
  • Includes Stream: 2.0.955
  • Includes python38: 3.2.6
  • Includes Incident Response: 6.7.13

Security Updates

  • Upgraded various third-party libraries to newer versions.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • Quarantine rules that block ICMP can break path MTU discovery. If the endpoint sends a packet larger than the MTU a router on the path allows, the router normally drops it and returns an ICMP message telling the endpoint to lower its MTU. If that ICMP message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Block ICMP traffic while quarantined only after proper testing.
  • The MacOS Autoruns Sensor does not correctly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On macOS 13.4 and later, YARA memory scanning is limited to processes that do not use the hardened runtime. This is a known issue that will be addressed in a future release of Threat Response.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as event ID 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.

Release Date: 3 October 2023

Important Notes

  • The “Threat Response – Status" sensor is now deprecated and will no longer be supported in future versions of Threat Response. The “Threat Response – Status" sensor has been replaced with the “Client Extensions – Status" sensor to provide detailed endpoint health information and potential remediation steps.

Improvements

  • Sets the max_string_age_minutes setting to 6 hours for the “Threat Response - Gather Findings”, “Threat Response - Count Findings”, and “Threat Response - Groupings With Findings” sensors.

Fixes

  • Fixes an issue where sorting System Notifications by Event Time was not working correctly.
  • Improves an error message in the suppression rules modal.
  • Fixes an issue where the TPA (Tanium Persistence Analyzer) Scan Frequency setting defaulted to 1 hour. The TPA scan frequency is now set to 1 day by default.
  • Fixes an issue where the Outbound Impact column in the alerts grid was not being populated.
  • Fixes an issue where files with the type of "other" were not displayed in the Direct Connect file browser.
  • Fixes an issue where alerts could be missing the EID value if TDS returned “[hash collision detected]” for Computer ID.
  • Fixes an issue where Threat Response could not import Signals with unknown fields.

Tools Versions

  • Includes Threat Response Tools: 4.3.214
  • Includes Threat Response CX binary: 1.13.1153
  • Includes Recorder Tool (Installer): 3.14.28
  • Includes Recorder binary: 2.11.1584
  • Includes Driver Tool (Installer): 3.14.28
  • Includes Driver binary: 3.3.30
  • Includes Index binary: 3.5.1727
  • Includes Stream: 2.0.952
  • Includes python38: 3.2.6
  • Includes Incident Response: 6.7.11

Security Updates

  • Upgraded various third-party libraries to newer versions.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • Quarantine rules that block ICMP can break path MTU discovery. If the endpoint sends a packet larger than the MTU a router on the path allows, the router normally drops it and returns an ICMP message telling the endpoint to lower its MTU. If that ICMP message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Block ICMP traffic while quarantined only after proper testing.
  • The MacOS Autoruns Sensor does not correctly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On macOS 13.4 and later, YARA memory scanning is limited to processes that do not use the hardened runtime. This is a known issue that will be addressed in a future release of Threat Response.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as event ID 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.

Release Date: 18 September 2023

Important Notes

  • The “Threat Response – Status" sensor is now deprecated and will no longer be supported in future versions of Threat Response. The “Threat Response – Status" sensor has been replaced with the “Client Extensions – Status" sensor to provide detailed endpoint health information and potential remediation steps.

Improvements

  • Sets the max_string_age_minutes setting to 6 hours for the “Threat Response - Gather Findings”, “Threat Response - Count Findings”, and “Threat Response - Groupings With Findings” sensors.

Fixes

  • Fixes an issue where sorting System Notifications by Event Time was not working correctly.
  • Improves an error message in the suppression rules modal.
  • Fixes an issue where the TPA (Tanium Persistence Analyzer) Scan Frequency setting defaulted to 1 hour. The TPA scan frequency is now set to 1 day by default.

Tools Versions

  • Includes Threat Response Tools: 4.3.202
  • Includes Threat Response CX binary: 1.13.1153
  • Includes Recorder Tool (Installer): 3.14.28
  • Includes Recorder binary: 2.11.1584
  • Includes Driver Tool (Installer): 3.14.28
  • Includes Driver binary: 3.3.30
  • Includes Index binary: 3.5.1727
  • Includes Stream: 2.0.952
  • Includes python38: 3.2.6
  • Includes Incident Response: 6.7.11

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • Quarantine rules that block ICMP can break path MTU discovery. If the endpoint sends a packet larger than the MTU a router on the path allows, the router normally drops it and returns an ICMP message telling the endpoint to lower its MTU. If that ICMP message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Block ICMP traffic while quarantined only after proper testing.
  • The MacOS Autoruns Sensor does not correctly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On macOS 13.4 and later, YARA memory scanning is limited to processes that do not use the hardened runtime. This is a known issue that will be addressed in a future release of Threat Response.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as event ID 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.

Release Date: 14 September 2023

Important Notes

  • The “Threat Response – Status" sensor is now deprecated and will no longer be supported in future versions of Threat Response. The “Threat Response – Status" sensor has been replaced with the “Client Extensions – Status" sensor to provide detailed endpoint health information and potential remediation steps.

Improvements

  • Incorporates minor improvements to the Context Analyzer workbench.

Fixes

  • Fixes an issue where when creating a Download File response action, the Filter Builder did not display the endpoint selection immediately.
  • Fixes an issue where clicking in the Details section of the response action modal reopened the endpoint search list.
  • Fixes an issue where the Engine Analysis view of a YARA intel doc could cause a web browser to crash.
  • Fixes an issue with the alerts grid where the Retroactive Suppressions banner did not clear when a task was complete.
  • Fixes an issue where offline hostnames could not be returned in Response Actions.
  • Fixes an issue where querying the alerts table was slower than expected when many alerts are present.
  • Fixes an issue where the sensors for the Context Analyzer could be quarantined because they ran for longer than 60 seconds.

Tools Versions

  • Includes Threat Response Tools: 4.3.195
  • Includes Threat Response CX binary: 1.13.1153
  • Includes Recorder Tool (Installer): 3.14.28
  • Includes Recorder binary: 2.11.1584
  • Includes Driver Tool (Installer): 3.14.28
  • Includes Driver binary: 3.3.30
  • Includes Index binary: 3.5.1727
  • Includes Stream: 2.0.952
  • Includes python38: 3.2.6
  • Includes Incident Response: 6.7.11

Security Updates

  • Upgraded various third-party libraries to newer versions.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • Quarantine rules that block ICMP can break path MTU discovery. If the endpoint sends a packet larger than the MTU a router on the path allows, the router normally drops it and returns an ICMP message telling the endpoint to lower its MTU. If that ICMP message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Block ICMP traffic while quarantined only after proper testing.
  • The MacOS Autoruns Sensor does not correctly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) and Windows 11 ARM endpoints. Memory collection and Live Response may not be fully supported on ARM processors. This support will be provided in a future version of Threat Response.
  • On macOS 13.4 and later, YARA memory scanning is limited to processes that do not use the hardened runtime. This is a known issue that will be addressed in a future release of Threat Response.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as event ID 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.

Release Date: 23 August 2023

Important Notes

  • The “Threat Response – Status" sensor is now deprecated and will no longer be supported in future versions of Threat Response. The “Threat Response – Status" sensor has been replaced with the “Client Extensions – Status" sensor to provide detailed endpoint health information and potential remediation steps.

Fixes

  • Fixes an issue where the TPA (Tanium Persistence Analyzer) Scan Frequency setting defaulted to 1 hour. The TPA scan frequency is now set to 1 day by default.

Tools Versions

  • Includes Threat Response Tools: 4.3.184
  • Includes Threat Response CX binary: 1.13.1153
  • Includes Recorder Tool (Installer): 3.14.28
  • Includes Recorder binary: 2.11.1584
  • Includes Driver Tool (Installer): 3.14.28
  • Includes Driver binary: 3.3.30
  • Includes Index binary: 3.5.1727
  • Includes Stream: 2.0.950
  • Includes python38: 3.2.6
  • Includes python27: 2.1.24
  • Includes Incident Response: 6.7.11

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • Quarantine rules that block ICMP can break path MTU discovery. If the endpoint sends a packet larger than the MTU a router on the path allows, the router normally drops it and returns an ICMP message telling the endpoint to lower its MTU. If that ICMP message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Block ICMP traffic while quarantined only after proper testing.
  • The MacOS Autoruns Sensor does not correctly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) and Windows 11 ARM endpoints. Memory collection and Live Response may not be fully supported on ARM processors. This support will be provided in a future version of Threat Response.
  • On macOS 13.4 and later, YARA memory scanning is limited to processes that do not use the hardened runtime. This is a known issue that will be addressed in a future release of Threat Response.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as event ID 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.

Release Date: 22 August 2023

Important Notes

  • The “Threat Response – Status" sensor is now deprecated and will no longer be supported in future versions of Threat Response. The “Threat Response – Status" sensor has been replaced with the “Client Extensions – Status" sensor to provide detailed endpoint health information and potential remediation steps.

Improvements

  • Enables Threat Response Read-Only Users to use the Context Analyzer if they have the Interact Ask Dynamic Question permission.
  • The progress section of the Context Analyzer is no longer displayed when the results have reached 100% completion.
  • When an endpoint has no matches for a Trace Sensor, the endpoint will now return "Search complete, no matches" instead of "No Results".

Fixes

  • Fixes an issue in the alerts grid where removing a quick filter could cause the workbench to crash.
  • Fixes an issue in Index where ZIP archives over the maximum size limit could be reindexed more often than necessary.

Security Updates

  • Upgraded various third-party libraries to newer versions.

Tools Versions

  • Includes Threat Response Tools: 4.3.183
  • Includes Threat Response CX binary: 1.13.1153
  • Includes Recorder Tool (Installer): 3.14.28
  • Includes Recorder binary: 2.11.1584
  • Includes Driver Tool (Installer): 3.14.28
  • Includes Driver binary: 3.3.30
  • Includes Index binary: 3.5.1727
  • Includes Stream: 2.0.950
  • Includes python38: 3.2.6
  • Includes python27: 2.1.24
  • Includes Incident Response: 6.7.11

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, MTU negotiation packets can be blocked when the MTU of the endpoint's packets is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint identifying that the packet is too large and advising a lower MTU. If the negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The MacOS Autoruns Sensor does not properly parse autorun information on MacOS 13 Ventura due to a change by Apple in where this information is stored.
  • At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) and Windows 11 ARM endpoints. Memory collection and Live Response may not be fully supported on ARM processors. This support will be provided in a future version of Threat Response.
  • On Mac OS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.

Release Date: 15 August 2023

Improvements

  • Improves the Tanium Driver's compatibility with Windows 7 SP1 and Windows Server 2008 R2 SP1 systems that may not have all Windows updates installed.

Tools Versions

  • Includes Threat Response Tools: 4.2.29
  • Includes Threat Response CX binary: 1.12.923
  • Includes Recorder Tool (Installer): 3.14.28
  • Includes Recorder binary: 2.11.1584
  • Includes Driver Tool (Installer): 3.14.28
  • Includes Driver binary: 3.3.30
  • Includes Index binary: 3.3.2634
  • Includes Stream: 1.7.10
  • Includes pycx: 2.5.1019
  • Includes python38: 3.1.43
  • Includes python27: 2.1.24
  • Includes Incident Response: 6.6.31

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, MTU negotiation packets can be blocked when the MTU of the endpoint's packets is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint identifying that the packet is too large and advising a lower MTU. If the negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The MacOS Autoruns Sensor does not properly parse autorun information on MacOS 13 Ventura due to a change by Apple in where this information is stored.
  • At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) and Windows 11 ARM endpoints. Memory collection and Live Response may not be fully supported on ARM processors. This support will be provided in a future version of Threat Response.
  • On Mac OS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.

Release Date: 14 August 2023

Improvements

  • Removed arbitrary limit on the size of the Tanium Signals feed.

Fixes

  • Fixes an issue where a large number of throttled alerts could cause alerts to stop being gathered.

Tools Versions

  • Includes Threat Response Tools: 4.2.28
  • Includes Threat Response CX binary: 1.12.923
  • Includes Recorder Tool (Installer): 3.14.26
  • Includes Recorder binary: 2.11.1582
  • Includes Driver Tool (Installer): 3.14.26
  • Includes Driver binary: 3.3.27
  • Includes Index binary: 3.3.2634
  • Includes Stream: 1.7.10
  • Includes pycx: 2.5.1019
  • Includes python38: 3.1.43
  • Includes python27: 2.1.24
  • Includes Incident Response: 6.6.31

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, MTU negotiation packets can be blocked when the MTU of the endpoint's packets is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint identifying that the packet is too large and advising a lower MTU. If the negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The MacOS Autoruns Sensor does not properly parse autorun information on MacOS 13 Ventura due to a change by Apple in where this information is stored.
  • At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) and Windows 11 ARM endpoints. Memory collection and Live Response may not be fully supported on ARM processors. This support will be provided in a future version of Threat Response.
  • On Mac OS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.

Release Date: 7 August 2023

Important Notes

  • The “Threat Response – Status” sensor is now deprecated and will no longer be supported in future versions of Threat Response. The “Threat Response – Status” sensor has been replaced with the “Client Extensions – Status” sensor, which is now used to provide detailed endpoint health information and consistent reporting across all Tanium modules.

New Features

  • Provides a new “Context Analyzer” to enable intelligent workflows for learning more about artifacts of interest and their most recent activity across your entire environment. Context Analyzer provides a better way to view and organize data across Tanium clients and enables you to correlate data points to determine how normal, or how much of an outlier, certain artifacts and their behavior are.
  • Index scan frequency, High Priority Path scan frequency, and Index first scan distribute over time settings can now be set per Threat Response profile. Index Scan settings have been moved from the top rail service settings to within Index configuration settings.
  • Provides the ability to export alert data from the Threat Response workbench to CSV format for up to 10,000 alerts at a time.
  • The Tanium Persistence Analyzer (TPA) executable has been converted to a client extension (CX) to improve performance. Windows Autoruns are now gathered and cached using Tanium Threat Response CX and CX resource throttling.
  • Provides the ability to view and edit the TPA (Tanium Persistence Analyzer) scan frequency separately in each Threat Response profile.
  • Provides the ability to download locked files from direct connection file browsing on Windows.
  • Provides visibility into quarantined endpoints and the ability to unquarantine endpoints from the Threat Response workbench overview page.
  • Provides eBPF support for Tanium Recorder on Oracle Enterprise Linux 8.7+/9.1+ UEK Kernel on ARM64 endpoints.
  • Provides the ability to have Threat Response automatically create and configure recommended default Saved Questions and Tanium Connect connections to populate Tanium Reputation with hashes from the environment in the settings page.
  • Stream CX has been rewritten from Python to C++ to support future enhancements.

Improvements

  • Migrates the Threat Response database to the Tanium RDB service.
  • Provides the ability in the Reputation source to automatically run an on-demand scan against a targeted computer group when new Reputation malicious hashes become available.
  • Tanium Signals from the Tanium Signal feed are now read-only except for label information.
  • System Notifications filter now searches the notification details.
  • Numerous UI (User Interface) improvements for clarity and performance.
  • Adds SHA1 and SHA256 process hash information in the alert fly-out drawer.
  • Provides an online/offline status indication for endpoints on the alerts page.
  • Updates YARA integration to version 4.3.1.
  • Enables On-Demand scans for Tanium Signals that contain ancestry terms.
  • Updates to the Threat Response API documentation to include On-Demand scans.
  • User data has been added to the combined recorder events view in Direct Connections.
  • Process-Item IOC terms are now enhanced with recorder data to expand detections.
  • Updates the user experience to provide a more consistent delivery of alert data in the Threat Response workbench.
  • The side panels in the Threat Response workbench have been updated to be more uniform and consistent in their design patterns and display of data.
  • The configuration of the Reputation service has been added as part of the CMI installation for Threat Response.
  • Provides support for SHA1 and SHA256 hash types in suppression rules.
  • Standardizes terminology used in the Threat Response workbench by changing “Live Endpoints” to “Direct Connect” for live connections to endpoints to reflect that the connection is created by Tanium Direct Connect.
  • Updates the details view of nodes in the Direct Connection view to display all events.
  • Standardizes terminology for malicious files to be consistent with terminology used in the Reputation service.
  • Displays Process Signature Data in the process tree view for live processes in a direct connection to an endpoint.
  • Provides performance improvements for displaying the Pending Approval state on Response Actions.
  • Reduces the number of Direct Connect actions that Threat Response creates when Gather Snapshot is in a "Running" status.
  • When editing a TAXII or iSight source, if the user changes a sensitive field, all other secret fields are cleared and a "Reset" link appears in the Security form section header; clicking it restores the initial state of the secret fields and shows the masking dots again.
  • Provides more informative messaging when using the file browser in a Direct Connection.
  • Updates the Intel Support document in the Threat Response workbench with documentation about ProcessItem/UserId.
  • Event notifications are now scoped to the current user.
  • If the Tanium Signals source is deleted, the associated signals are moved to the Unknown source. If the Tanium Signals source is then recreated, the signals are moved back from the Unknown source.
  • You can no longer delete the Tanium Signals source from Intel Sources.
  • Increases the default intel package generation timeout value to 3 hours.
  • The Index First Scan Distribute Over Time now supports a value of 0.
  • Allows Threat Response to subscribe to Windows Event ID 1117 (DefenderMalwareActionV2).
  • Updates labels for Global Events and Windows Events.
  • Actions and Response Actions launched from alerts against endpoints now use the EID of the endpoint for targeting, to avoid acting on an incorrect endpoint.
  • The Profiles details page now adds a reference to the configured scan blockout window.
  • The /config API now includes the value for profiles.state in the response.
  • Updates Python to support running sensors and packages on RHEL 9 and OEL 9.
  • Index: Newly excluded files will now be removed from the Index database upon the next scan, instead of after 21 days.
  • Index: Provides new Index scan deduplication to improve performance and reduce scan times.
  • Index: Provides a new sensor “Index - Is Path Indexed” to help determine whether a specific path is being indexed.
  • Index: Provides two new packages that can be used to trigger a one-time Index scan on a specific path: “Deploy Index - Request Immediate One-Time Scan [Windows]” and “Deploy Index - Request Immediate One-Time Scan [Non-Windows]”.
  • Index: Improvements around automatically recovering corrupt/malformed Index databases.
  • Index: Extends the Index snapshot request timeout to 10 minutes to improve EMG (Endpoint Must Gather) collection reliability for larger Index databases.
  • Index: Removes health_checks around volume scope exceptions when applying volume exclusions on top of a scan all volume configuration.
  • Index: Added a timeout to Index sensor queries to prevent prolonged CPU usage for high cost queries.

Fixes

  • Fixes an issue where the filters list in the Profiles page returned unpredictable data.
  • Fixes an issue where when using the Network Port Hunting Strategy, recorder queries could fail intermittently with large IOC documents.
  • Fixes an issue where filtering by a path with a backslash did not match alerts as expected.
  • Fixes the wording of the database size error message to eliminate confusion.
  • Fixes an issue where the Alerts Over Time chart on the Threat Response Overview page picks "last 1 day" after upgrade, obscuring prior events.
  • Fixes an issue in Enterprise Hunting so that Threat Response does not show Saved Questions if the user does not have permission to view them.
  • Fixes an issue where Live Response S3 and Google Cloud Storage Interoperability did not work correctly when a port of 0 was specified.
  • Fixes an issue where Bypass Action Approval did not work correctly for Live Response when deployed via an alert action.
  • Fixes an issue where exporting data from Direct Connection did not include all currently displayed rows.
  • Fixes an issue where the Environment Variable %ProgramFiles(x86)% is not parsed correctly in Ad-hoc File Collectors in Live Response configurations.
  • Updates the label of the Intel documents page from "Intel Updated At" to "Intel Deployed At".
  • Fixes an issue where when a user Quick Adds and creates a new intel document without specifying a custom name, the default name appends UTC date and time in ISO format as opposed to local date and time.
  • Fixes an issue where the Alerts table showed intel information even when the user did not have the Intel Read permission.
  • Fixes an issue with On-Demand scans where the Deployment Status is still running even though it claims to be complete.
  • Fixes an issue where the Download File Action is only presented when the selected alert has a file path.
  • Fixes an issue where excessive notifications were being displayed in the Response Activity page that indicated the activity was pending approval.
  • Fixes an issue where Live Response does not work correctly when there is a space in the host name field of a destination.
  • Fixes an issue where in Recorder or Stream Configurations, the Configs column will contain the correct count of configurations when a filter is added as "include", but the "Configurations:" section in the expanded row will not contain the filter if the configuration is using "Include" mode.
  • Fixes an issue where the suppression rule modal no longer allows a user to create retroactive suppressions unless the user has the Alerts Write permission.
  • Fixes an issue where, if a user does not have the Intel Write permission, the user cannot see the Labels dropdown. If a user has the Intel Write permission but not the Labels Write permission, the user can see the Labels dropdown but the only option is "Manage Existing Labels".
  • Fixes an issue where a link to alerts for an intel document is no longer displayed to users who do not have the Alerts Read permission.
  • Fixes an issue where the Windows Defender Path is now visible on the Threat Response Alerts page - Alerts group, the quick filters at the top of the page, and is filterable like other paths.
  • Fixes an issue where the UI was making excessive calls to the /eventCounts API.
  • Fixes an issue where in the Saved Evidence: File download page, a task notification shows for another user.
  • Fixes an issue where the name of a registry value that has changed is now correctly shown in Process Information section of the alert for a Signals alert.
  • Fixes an issue where when copying the value of the Connected At time for a Direct Connection, the time is copied as a string.
  • Fixes an issue where when creating or editing a TAXII or iSight source, the subscription interval was required to be minimum of 10 minutes.
  • Fixes an issue where when gathering a snapshot when action approval is turned on, it would not complete due to the pending action approval and you could not delete the pending action.
  • Fixes an issue where when a user clicks the Date or Endpoint header from the alerts page twice so that it is sorted descending and then clicks the details icon, the details panel displays empty.
  • Fixes an issue in Live Response where Destinations and Script Sets tabs delete all when filtered.
  • Fixes an issue where snapshot downloads could fail with a promise timeout.
  • Fixes an issue where the alert details could be missing process hash information.
  • Fixes an issue where when searching for a specific Name and Value in the Threat Response workbench matches were required to be case sensitive. They are now case insensitive.
  • Fixes an issue where a user should only see the Create and Edit buttons for Configurations if the user has the Configuration Write privilege.
  • Fixes an issue where importing an invalid file as an IOC could cause the import to become unresponsive.
  • Fixes an issue in the Response Activity and Alerts modals where pressing Enter on the modal closes it instead of submitting it.
  • Fixes an issue where when attempting to import a signal that contains a suppression rule with a description more than 255 characters, the entire import will fail.
  • Fixes an issue where Signals with a label and blank description can be exported but not imported.
  • Fixes an issue where when viewing events in the combined events view of the process tree, events could be missing.
  • Fixes an issue where old alerts were gathered from endpoints, added to the real-time event Connect job, then immediately pruned from the console.
  • Fixes an issue with the “Threat Response - Groupings With Findings” and “Threat Response - Count Findings” that iterated over an incorrect variable.
  • Fixes an issue where a user could be unable to delete System Notifications with bulk delete.
  • Fixes an issue where if a user has a Detection configuration where the Reputation Source and a Label has been added, the user is unable to deploy intel.
  • Fixes an issue where it was possible to create a High Priority Path filter in Threat Response with invalid syntax due to the filter syntax being case sensitive but not enforced in the editor.
  • Fixes an issue where when creating a Response Action, the list of endpoints when you search could contain duplicate entries.
  • Fixes an issue where a warning appears in the browser console when capturing a snapshot and viewing the capture status.
  • Fixes an issue where the Type and OS filter buttons do not work as expected.
  • Fixes an issue where AutoRuns was incorrectly filtering Microsoft related registry keys.
  • Fixes an issue where the number displayed in the notifications is the total number of profiles (not the filtered count) when exporting profiles.
  • Fixes an API issue where when calling /v1/exports with a filter for the detail column, it should return only those rows matching the details.
  • Fixes an issue where a Direct Connection opened from an alert connected to the most recent process with that PID rather than the process that generated the alert.
  • Fixes an issue where the source and destination paths for files moves were swapped in Signal results.
  • Fixes an issue where the magic number details should show the value of magic_number_hex, not the deprecated magic_number for the alert details of a file event.
  • Fixes an issue where the export of Signals was not an audited event.
  • Fixes an issue where the filter with regular expression option did not work properly for the sensor "Threat Response - Security Events".
  • Fixes an issue where the Threat Response API documentation mislabeled the API Export Signal Names call as deprecated.
  • Fixes an issue where YARA scans could max out CPU resources for extended periods on endpoints with 1 CPU core.
  • Fixes an issue where suppression rules with a match operator did not match when using "." or "[eè]" against accented characters in the endpoint-side (Boost) regular expression library.
  • Fixes an issue where when creating a suppression rule and only selecting "User" makes it so you cannot save or preview the suppression rule.
  • Fixes an issue where Declare Time filter sets invalid date and time value in Direct Connection view.
  • Fixes an issue where certain STIX intel documents were not being parsed correctly.
  • Fixes an issue where intel changes between hunts are optimized to ensure a complete search of previous findings.
  • Fixes an issue where the YARA pe module might not fully parse files.
  • Fixes an issue where Quarantine automatic proxy rule generation fails when using “<IP>:<Port>” for the Tanium Client configuration “ProxySetting”.
  • Renames Process Information to Event Information for several event types.
  • Fixes an issue where Signals can match on incorrect events when using groupings.
  • Fixes an issue where Google Chronicle was unable to ingest Tanium Stream events if the Event ID ended with a “.0”.
  • Index: Fixes an issue where Index could take a long time to resolve volumes on Linux.
  • Index: Multiple fixes for CPU utilization being higher than intended.
  • Index: Fixed an issue where Index blockout windows were not being respected for Local timezones.

Security Update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium’s Support Portal, or by contacting your TAM.

Tools Versions

  • Includes Threat Response Tools: 4.3.164
  • Includes Threat Response CX binary: 1.13.1153
  • Includes Recorder Tool (Installer): 3.14.27
  • Includes Recorder binary: 2.11.1583
  • Includes Driver Tool (Installer): 3.14.27
  • Includes Driver binary: 3.3.27
  • Includes Index binary: 3.5.1725
  • Includes Stream: 2.0.949
  • Includes python38: 3.2.6
  • Includes python27: 2.1.24
  • Includes Incident Response: 6.7.11

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, MTU negotiation packets can be blocked when the MTU of the endpoint's packets is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint identifying that the packet is too large and advising a lower MTU. If the negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The MacOS Autoruns Sensor does not properly parse autorun information on MacOS 13 Ventura due to a change by Apple in where this information is stored.
  • At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) and Windows 11 ARM endpoints. Memory collection and Live Response may not be fully supported on ARM processors. This support will be provided in a future version of Threat Response.
  • On Mac OS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types (such as 1007) or older versions of Microsoft Defender can cause the alerts grid to crash.

Release Date: 27 July 2023

Improvements

  • Improves the Tanium Driver's compatibility with Carbon Black's tamper protection behavior.

Fixes

  • Fixes an issue with the Tanium Driver installation process to make upgrades of the Tanium Driver more reliable and prevent partial Tanium Driver upgrades.

Tools Versions

  • Includes Threat Response Tools: 4.2.25
  • Includes Threat Response CX binary: 1.12.923
  • Includes Recorder Tool (Installer): 3.14.26
  • Includes Recorder binary: 2.11.1582
  • Includes Driver Tool (Installer): 3.14.26
  • Includes Driver binary: 3.3.27
  • Includes Index binary: 3.3.2634
  • Includes Stream: 1.7.10
  • Includes pycx: 2.5.1019
  • Includes python38: 3.1.43
  • Includes python27: 2.1.24
  • Includes Incident Response: 6.6.31

Security Update

  • This release includes security updates. Details of the issue, including affected versions and mitigation information, can be obtained within Tanium’s Support Portal or by contacting your TAM.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, MTU negotiation packets can be blocked when the MTU of the endpoint's packets is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint identifying that the packet is too large and advising a lower MTU. If the negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The MacOS Autoruns Sensor does not properly parse autorun information on MacOS 13 Ventura due to a change by Apple in where this information is stored.
  • At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) and Windows 11 ARM endpoints. Memory collection and Live Response may not be fully supported on ARM processors. This support will be provided in a future version of Threat Response.
  • On Mac OS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.

Release Date: 26 June 2023

Fixes

  • Fixes an issue where intel document definitions were not converted after an upgrade causing intel documents to no longer show as having a definition in the user interface.
  • Fixes an issue where long running intel deployment tasks could fail due to session timeouts.
  • Fixes an issue that could cause a failure with air-gap installations because ThreatResponse.xml contained unprintable characters.

Tools Versions

  • Includes Threat Response CX binary: 1.12.921
  • Includes Recorder Tool (Installer): 3.14.19
  • Includes Recorder binary: 2.11.1576
  • Includes Driver Tool (Installer): 3.14.19
  • Includes Driver binary: 3.3.18
  • Includes Index binary: 3.3.2634
  • Includes Stream: 1.7.10
  • Includes pycx: 2.5.1019
  • Includes python38: 3.1.43
  • Includes python27: 2.1.24
  • Includes Incident Response: 6.6.30

Known Issues

  • There is currently a Tanium Driver compatibility issue with Carbon Black's Parity service when Carbon Black anti-tamper is enabled. A fix for this issue is being researched.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, MTU negotiation packets can be blocked when the MTU of the endpoint's packets is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint identifying that the packet is too large and advising a lower MTU. If the negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The MacOS Autoruns Sensor does not properly parse autorun information on MacOS 13 Ventura due to a change by Apple in where this information is stored.
  • At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) and Windows 11 ARM endpoints. Memory collection and Live Response may not be fully supported on ARM processors. This support will be provided in a future version of Threat Response.
  • On Mac OS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.

Release Date: 16 June 2023

Fixes

  • Blank MITRE ATT&CK framework fields will no longer cause Threat Response upgrades to fail.
  • Fixed an issue where alerts with a NULL OS field would cause the Alerts page to crash.
  • Fixed an issue where Live Endpoint View time filters would sometimes cause an invalid time filter.

Tools Versions

  • Includes Threat Response CX binary: 1.12.921
  • Includes Recorder Tool (Installer): 3.14.19
  • Includes Recorder binary: 2.11.1576
  • Includes Driver Tool (Installer): 3.14.19
  • Includes Driver binary: 3.3.18
  • Includes Index binary: 3.3.2634
  • Includes Stream: 1.7.10
  • Includes pycx: 2.5.1019
  • Includes python38: 3.1.43
  • Includes python27: 2.1.24
  • Includes Incident Response: 6.6.30

Known Issues

  • There is currently a Tanium Driver compatibility issue with Carbon Black's Parity service when Carbon Black anti-tamper is enabled. A fix for this issue is being researched.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, MTU negotiation packets can be blocked when the MTU of the endpoint's packets is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet to the endpoint identifying that the packet is too large and advising a lower MTU. If the negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The MacOS Autoruns Sensor does not properly parse autorun information on MacOS 13 Ventura due to a change by Apple in where this information is stored.
  • At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) and Windows 11 ARM endpoints. Memory collection and Live Response may not be fully supported on ARM processors. This support will be provided in a future version of Threat Response.
  • On Mac OS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.

Release Date: June 07, 2023

Fixes

  • Fixes the possibility of a rare Tanium Driver crash on Windows.
  • Fixes an issue where Hyper-V application crash events may occur in the Windows Application Event log or VMs may fail to start when Tanium Driver Process Injection Monitoring is enabled.

Tools Versions

  • Includes Threat Response CX binary: 1.12.921
  • Includes Recorder Tool (Installer): 3.14.19
  • Includes Recorder binary: 2.11.1576
  • Includes Driver Tool (Installer): 3.14.19
  • Includes Driver binary: 3.3.18
  • Includes Index binary: 3.3.2634
  • Includes Stream: 1.7.10
  • Includes pycx: 2.5.1019
  • Includes python38: 3.1.43
  • Includes python27: 2.1.24
  • Includes Incident Response: 6.6.30

Known Issues

  • There is currently a Tanium Driver compatibility issue with Carbon Black's Parity service when Carbon Black anti-tamper is enabled. A fix for this issue is being researched.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU negotiation packets can be blocked when a packet sent from the endpoint is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint to report that the packet is too large and advise lowering the permissible MTU. If that negotiation packet cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The MacOS Autoruns Sensor does not properly parse autorun information on MacOS 13 Ventura due to a change by Apple on where this information is stored.
  • At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) and Windows 11 ARM endpoints. Memory collection and Live Response may not be fully supported on ARM processors. This support will be provided in a future version of Threat Response.
  • On Mac OS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.

Release Date: June 06, 2023

Improvements

  • Enables support for Windows 11 (ARM) endpoints running in emulation mode. The following are areas where Windows 11 (ARM) running in emulation mode is not supported:
    • Deep Instinct alert integration.
    • Process Injection monitoring.
    • Memory collection and Live Response may not be fully supported on ARM processors. This support will be provided in a future version of Threat Response.
  • Added the option “Deploy as Service Account” in settings to always deploy Threat Response profiles with System User Service (SUS) permissions. This can help ensure systems are always targeted, even if a user’s computer group management rights are removed or restricted in the future. Note: If the “Deploy as Service Account” setting is enabled, all users who deploy profiles must have unrestricted computer group management rights or management rights to “All Computers”. If the “Deploy as Service Account” setting is not enabled, all users who deploy profiles must have unrestricted computer group management rights, management rights to “All Computers”, or management rights to all computer groups in the profile(s) the user is trying to deploy.

Fixes

  • Fixes an issue where On-Demand Scans did not search Tanium Recorder and live file data.
  • Fixes an issue where, when pivoting to a live connection from an alert, the live connection filtered to the most recent process that reused the PID instead of the process that was actually alerted on.
  • Fixes an issue where unzipping an events export from a Process Tree in a direct connection would result in an empty file.
  • Fixes an issue where alert pruning was not turned on by default in Tanium Cloud environments for new Threat Response installations.
  • Fixes an issue where ISO mount registry events on Windows were not recorded.
  • Fixes an issue where Recorder on Windows could hold certain binary files open and prevent that file from being deleted.
  • Fixes a Tanium Driver compatibility issue with Cisco AMP when Tanium process injection monitoring is enabled.
  • Fixes an issue where Deep Instinct and Defender alerts were incorrectly being throttled by service throttles.

Tools Versions

  • Includes Threat Response CX binary: 1.12.921
  • Includes Recorder Tool (Installer): 3.14.17
  • Includes Recorder binary: 2.11.1571
  • Includes Driver Tool (Installer): 3.14.17
  • Includes Driver binary: 3.3.12
  • Includes Index binary: 3.3.2634
  • Includes Stream: 1.7.10
  • Includes pycx: 2.5.1019
  • Includes python38: 3.1.43
  • Includes python27: 2.1.24
  • Includes Incident Response: 6.6.30


Security Update

  • This release includes security updates. Details of the issue, including affected versions and mitigation information, can be obtained within Tanium's Support Portal or by contacting your TAM.


Known Issues

  • There is currently a Tanium Driver compatibility issue with Carbon Black's Parity service when Carbon Black anti-tamper is enabled. A fix for this issue is being researched.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU negotiation packets can be blocked when a packet sent from the endpoint is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint to report that the packet is too large and advise lowering the permissible MTU. If that negotiation packet cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The MacOS Autoruns Sensor does not properly parse autorun information on MacOS 13 Ventura due to a change by Apple on where this information is stored.
  • At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) and Windows 11 ARM endpoints. Memory collection and Live Response may not be fully supported on ARM processors. This support will be provided in a future version of Threat Response.
  • On Mac OS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.

Release Date: May 15, 2023

Tools Versions

  • Includes Threat Response CX binary: 1.12.921
  • Includes Recorder Tool (Installer): 3.12.22
  • Includes Recorder binary: 2.10.840
  • Includes Driver Tool (Installer): 3.12.22
  • Includes Driver binary: 3.2.70
  • Includes Index binary: 3.3.2634
  • Includes Stream: 1.7.10
  • Includes pycx: 2.5.1019
  • Includes python38: 3.1.43
  • Includes python27: 2.1.24
  • Includes Incident Response: 6.6.30

Fixes

  • Fixes an issue where On-Demand Scans did not search Tanium Recorder and live file data.
  • Fixes an issue where when pivoting to a live connection from an alert, the live connection would filter to the latest process to reuse the PID as opposed to the correct process that was alerted on.
  • Fixes an issue where unzipping an events export from a Process Tree in a direct connection would result in an empty file.
  • Fixes an issue where alert pruning was not turned on by default in Tanium Cloud environments for new Threat Response installations.
  • Fixes an issue where Deep Instinct and Defender alerts were incorrectly being throttled by service throttles.
  • Fixes an issue where ISO mount registry events on Windows were not recorded.
  • Fixes an issue where Recorder on Windows could hold certain binary files open and prevent that file from being deleted.
  • Fixes a Tanium Driver compatibility issue with Cisco AMP when Tanium process injection monitoring is enabled.

Security update

  • This release includes security updates. Details of the issue, including affected versions and mitigation information, can be obtained within Tanium's Support Portal or by contacting your TAM.

Known Issues

  • There is currently a Tanium Driver compatibility issue with Carbon Black's Parity service when Carbon Black anti-tamper is enabled. A fix for this issue is being researched.
  • There is a rare issue where Hyper-V application crash events may occur in the Windows Application Event log or VMs could fail to start when Process Injection detection is enabled. This is fixed in Threat Response 4.0.1104+.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU negotiation packets can be blocked when a packet sent from the endpoint is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint to report that the packet is too large and advise lowering the permissible MTU. If that negotiation packet cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The MacOS Autoruns Sensor does not properly parse autorun information on MacOS 13 Ventura due to a change by Apple on where this information is stored.
  • At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) endpoints. Memory collection and Live Response are not supported. This support will be provided in a future version of Threat Response.
  • On Mac OS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.

Release Date: April 27, 2023

Tools Versions

  • Includes Threat Response CX binary: 1.12.919
  • Includes Recorder Tool (Installer): 3.12.18
  • Includes Recorder binary: 2.10.839
  • Includes Driver Tool (Installer): 3.12.18
  • Includes Driver binary: 3.2.63
  • Includes Index binary: 3.3.2634
  • Includes Stream: 1.7.11
  • Includes pycx: 2.5.1019
  • Includes python38: 3.1.43
  • Includes python27: 2.1.24
  • Includes Incident Response: 6.6.30

Improvements

  • Added the option “Deploy as Service Account” in settings to always deploy Threat Response profiles with System User Service (SUS) permissions. This can help ensure systems are always targeted, even if a user’s computer group management rights are removed or restricted in the future. Note: If the “Deploy as Service Account” setting is enabled, all users who deploy profiles must have unrestricted computer group management rights or management rights to “All Computers”. If the “Deploy as Service Account” setting is not enabled, all users who deploy profiles must have unrestricted computer group management rights, management rights to “All Computers”, or management rights to all computer groups in the profile(s) the user is trying to deploy.
  • Added option to disable tracking of command-lines for forked processes on Linux.
  • Added eBPF Support for Oracle Linux 8 & 9 on ARM.
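The "Deploy as Service Account" note above describes two different rights checks depending on whether the setting is enabled. The following is an added example, not Tanium code, that models those two rules as a single authorization function and adds an impact query an administrator can run before flipping the setting. The `UserRights` structure, the group names and the users are constructed assumptions for illustration; the real product evaluates management rights itself.

```python
"""Model of the profile-deployment rights described in the
"Deploy as Service Account" note (added example, not Tanium code)."""
from dataclasses import dataclass, field

ALL_COMPUTERS = "All Computers"  # the special management right named in the note


@dataclass(frozen=True)
class UserRights:
    """Hypothetical summary of a user's computer group management rights."""
    unrestricted: bool = False                   # unrestricted computer group management rights
    groups: frozenset = field(default_factory=frozenset)  # explicitly granted computer groups


def can_deploy(deploy_as_service_account: bool, rights: UserRights, profile_groups) -> bool:
    """Return True if a user with these rights may deploy profiles targeting profile_groups.

    Setting enabled:  unrestricted rights or "All Computers" are required.
    Setting disabled: additionally, rights to every group in the profile(s) suffice.
    """
    if rights.unrestricted or ALL_COMPUTERS in rights.groups:
        return True
    if deploy_as_service_account:
        return False  # scoped-group rights are no longer enough
    return set(profile_groups) <= rights.groups


def users_losing_deploy_rights(users: dict, profile_groups) -> list:
    """Users who can deploy these profiles today but could not once the setting is enabled.

    Useful as a pre-change check so that no operator is surprised by a denied deployment.
    """
    return sorted(
        name for name, rights in users.items()
        if can_deploy(False, rights, profile_groups)
        and not can_deploy(True, rights, profile_groups)
    )


# Constructed sample data (hypothetical users and groups).
SAMPLE_USERS = {
    "admin":       UserRights(unrestricted=True),
    "soc-lead":    UserRights(groups=frozenset({ALL_COMPUTERS})),
    "linux-oper":  UserRights(groups=frozenset({"Linux Servers", "Linux Workstations"})),
    "win-oper":    UserRights(groups=frozenset({"Windows Servers"})),
}
SAMPLE_PROFILE_GROUPS = ["Linux Servers", "Linux Workstations"]

if __name__ == "__main__":
    for name, rights in SAMPLE_USERS.items():
        print(name, "off:", can_deploy(False, rights, SAMPLE_PROFILE_GROUPS),
              "on:", can_deploy(True, rights, SAMPLE_PROFILE_GROUPS))
    print("would lose deploy rights:", users_losing_deploy_rights(SAMPLE_USERS, SAMPLE_PROFILE_GROUPS))
```

In the constructed data, `linux-oper` can deploy a Linux-only profile while the setting is off, because its scoped rights cover every group the profile targets, but not once the setting is on; `win-oper` cannot deploy that profile in either mode.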

Fixes

  • Fixes an issue where Threat Response profiles could be set to Not Configured on endpoints if the user that deployed the profile(s) had computer group management rights permissions removed after the profiles were deployed.
  • Fixes an issue where a timeout could occur when loading the security events tab in a live connection for an endpoint with a large number of security events.
  • Fixes an issue in Connect where the Tanium Detect Event Group has been renamed to Tanium Threat Response.
  • Fixes an issue where the API documentation stated that ID is a Number, but the route returned the error '"id" must be a string'.
  • Fixes an issue where the AutoRun Program Details sensor does not return all findings for HKCU.
  • Fixes an issue where in Connect Events the MITRE Techniques value is empty.
  • Fixes an issue where the Time to Remediation Alerts Dashboard Panel was not displaying correctly.
  • Fixes an issue where certain registry events were not recorded when mounting an ISO.

Known Issues

  • There is currently a Tanium Driver compatibility issue with Carbon Black's Parity service when Carbon Black anti-tamper is enabled. A fix for this issue is being researched.
  • There is a rare issue where Hyper-V application crash events may occur in the Windows Application Event log or VMs could fail to start when Process Injection detection is enabled. This is fixed in Threat Response 4.0.1104+.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU negotiation packets can be blocked when a packet sent from the endpoint is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint to report that the packet is too large and advise lowering the permissible MTU. If that negotiation packet cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The MacOS Autoruns Sensor does not properly parse autorun information on MacOS 13 Ventura due to a change by Apple on where this information is stored.
  • On-demand scans for IOCs created from a hash only search content from Tanium Index and do not search content from the recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.
  • At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) endpoints. Memory collection and Live Response are not supported. This support will be provided in a future version of Threat Response.
  • On Mac OS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.

Release Date: April 4, 2023

Improvements

  • The EID sensor in Tanium Interact "Computer Serial Number" has been replaced with "Endpoint Fingerprint".
  • The "stored alert" log has been moved from the debug to trace level to provide more efficient logging.

Fixes

  • Fixes an issue where Threat Response failed to delete a response action that was already removed and console users would see repetitive errors for "Task Failed: Response Action" (Unable to Destroy Saved Action).
  • Fixes a potential issue with gathering alerts on Windows Module Servers when suppression rules were being applied. After upgrading from an older THR 4.0 version to 4.0.1077 or newer, some older alerts may be retroactively gathered for any impacted intel documents.
  • Fixes an issue where Deep Instinct Alerts could be ignored for event: Type 1/Cause 46.
  • Fixes an issue where Intel is unable to be deployed if a Detection configuration has a Reputation Source added and a label is included.
  • Fixes an issue where when deleting filtered lists of System Notifications, the success or failure of the delete notification inaccurately displayed the unfiltered count of system notifications.
  • Fixes an issue where documentation for the On-Demand Scan API was missing from 4.0 API Doc.
  • Fixes an RBAC issue where Users/personas with the Threat Response Operator Role and explicitly defined computer groups in their management rights are unable to create, edit, or deploy profiles that are within their scope.
  • Fixes an RBAC issue where the Threat Response System User Service did not have sufficient privileges to gather findings if Tanium Default Content was moved to a custom content set.
  • Fixes an issue where PowerShell scripts in the Threat Response - Live Response [Windows] package are not signed.
  • Fixes an issue where false negatives could occur during On-Demand Scans of Signals due to a syntax error.
  • Fixes a rare issue with Tanium Driver 3.2 where certain USB devices may stop working.

Tools Versions

  • Includes Threat Response CX binary: 1.12.919
  • Includes Recorder Tool (Installer): 3.12.16
  • Includes Recorder binary: 2.10.829
  • Includes Driver Tool (Installer): 3.12.13
  • Includes Driver binary: 3.2.63
  • Includes Index binary: 3.3.2634
  • Includes Stream: 1.7.10
  • Includes pycx: 2.5.1019
  • Includes python38: 3.1.43
  • Includes python27: 2.1.44
  • Includes Incident Response: 6.6.22


Security update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.

Known Issues

  • There is currently a Tanium Driver compatibility issue with Carbon Black's Parity service when Carbon Black anti-tamper is enabled. A fix for this issue is being researched.
  • There is a rare issue where Hyper-V application crash events may occur in the Windows Application Event log or VMs could fail to start when Process Injection detection is enabled. This is fixed in Threat Response 4.0.1104+.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU negotiation packets can be blocked when a packet sent from the endpoint is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint to report that the packet is too large and advise lowering the permissible MTU. If that negotiation packet cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The MacOS Autoruns Sensor does not properly parse autorun information on MacOS 13 Ventura due to a change by Apple on where this information is stored.
  • On-demand scans for IOCs created from a hash only search content from Tanium Index and do not search content from the recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.
  • At this time, Threat Response is not supported on RHEL/OEL 9.x (ARM and x86) endpoints. This support will be provided in a future version of Threat Response.
  • On Mac OS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.

Release Date: March 9, 2023

Improvements

  • High volume log messages have been turned into metrics.
  • Snapshot capture reliability has been increased.
  • Increased the reliability of Intel Database Generation.

Fixes

  • Fixes an issue with YARA scans on macOS for live files or memory.
  • Regex matches on suppression rules have been fixed.
  • Fixes upgrade failing due to corrupt Intel documents.
  • Fixes an issue where recorder could cause high memory or CPU utilization on RHEL 7 systems when tracking large numbers of ephemeral threads.
  • Fixes an issue where on Linux endpoints using audispd as the event source, TaniumAuditPipe is unable to load audit events.
  • Fixes an issue where recorder database views may not be created.

Tools Versions

  • Includes Threat Response CX binary: 1.12.915.0
  • Includes Recorder Tool (Installer): 3.12.15.0
  • Includes Recorder binary: 2.10.829
  • Includes Driver Tool (Installer): 3.12.13
  • Includes Driver binary: 3.2.57
  • Includes Index binary: 3.3.2634
  • Includes Stream: 1.7.10.0
  • Includes core-python: 2.5.1019.0
  • Includes Incident Response: 6.6.22.0

Security update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium’s Support Portal, or by contacting your TAM.

Known Issues

  • There is a rare issue with Tanium Driver 3.2 where certain USB devices may stop working. This is fixed in Threat Response 4.0.1077+.
  • There is currently a Tanium Driver compatibility issue with Cisco AMP when Tanium process injection monitoring is enabled. This issue is fixed in Threat Response 4.0.1099+.
  • There is currently a Tanium Driver compatibility issue with Carbon Black's Parity service when Carbon Black anti-tamper is enabled. A fix for this issue is being researched.
  • There is a rare issue where Hyper-V application crash events may occur in the Windows Application Event log or VMs could fail to start when Process Injection detection is enabled. This is fixed in Threat Response 4.0.1104+.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU negotiation packets can be blocked when a packet sent from the endpoint is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint to report that the packet is too large and advise lowering the permissible MTU. If that negotiation packet cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The MacOS Autoruns Sensor does not properly parse autorun information on MacOS 13 Ventura due to a change by Apple on where this information is stored.
  • On-demand scans for IOCs created from a hash only search content from Tanium Index and do not search content from the recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.
  • At this time, Threat Response is not supported on RHEL/OEL 9.x (ARM and x86) endpoints. This support will be provided in a future version of Threat Response.
  • On Mac OS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.

Release Date: February 16, 2023

Fixes

  • Fixes an issue where importing intel with improper fields using the API could cause the service to fail during Threat Response upgrades.

Tools Versions

  • Includes Threat Response CX binary: 1.12.900
  • Includes Recorder Tool (Installer): 3.12.13
  • Includes Recorder binary: 2.10.822
  • Includes Driver Tool (Installer): 3.12.13
  • Includes Driver binary: 3.2.57
  • Includes Index binary: 3.3.2623
  • Includes Stream: 1.7.9
  • Includes core-python: 2.2.23
  • Includes Incident Response: 6.6.22

Security update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.

Known Issues

  • There is a rare issue with Tanium Driver 3.2 where certain USB devices may stop working. This is fixed in Threat Response 4.0.1077+.
  • There is currently a Tanium Driver compatibility issue with Cisco AMP when Tanium process injection monitoring is enabled. This issue is fixed in Threat Response 4.0.1099+.
  • There is currently a Tanium Driver compatibility issue with Carbon Black's Parity service when Carbon Black anti-tamper is enabled. A fix for this issue is being researched.
  • There is a rare issue where Hyper-V application crash events may occur in the Windows Application Event log or VMs could fail to start when Process Injection detection is enabled. This is fixed in Threat Response 4.0.1104+.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU negotiation packets can be blocked when a packet sent from the endpoint is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint to report that the packet is too large and advise lowering the permissible MTU. If that negotiation packet cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The MacOS Autoruns Sensor does not properly parse autorun information on MacOS 13 Ventura due to a change by Apple on where this information is stored.
  • On-demand scans for IOCs created from a hash only search content from Tanium Index and do not search content from the recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.
  • Suppression rules that use regular expressions to match Process MD5 do not work correctly. This is a known issue and will be addressed in a future version of Threat Response.
  • On Linux endpoints using audispd as the event source, TaniumAuditPipe is unable to load audit events. This is a known issue and will be addressed in a future version of Threat Response. For more information about how to determine which endpoints use audispd as an event source, see the flowchart for Linux endpoints at https://docs.tanium.com/recorder/recorder/overview.html.
  • At this time, Threat Response is not supported on RHEL/OEL 9.x (ARM and x86) endpoints. This support will be provided in a future version of Threat Response.
  • On Mac OS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.

Release Date: February 2, 2023

Fixes

  • Adds documentation for the registry operation and network operation Signal terms in the Tanium Threat Response Intel Support document.
  • Fixes an issue where alerts with responsible process did not automatically open the responsible process as the default process tree.
  • Fixes an issue where Connect jobs using the Threat Response event source would stop sending alerts due to an out-of-scope timestamp.
  • Fixes an issue where when editing suppression rules from an Intel document, they could unintentionally be deleted when using Filters and the Select All checkbox.

Tools Versions

  • Includes Threat Response CX binary: 1.12.900
  • Includes Recorder Tool (Installer): 3.11.25
  • Includes Recorder binary: 2.10.822
  • Includes Driver Tool (Installer): 3.11.25
  • Includes Driver binary: 3.1.2058
  • Includes Index binary: 3.3.2623
  • Includes Stream: 1.7.4
  • Includes core-python: 2.2.23
  • Includes Incident Response: 6.6.22

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU negotiation packets can be blocked when a packet sent from the endpoint is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint to report that the packet is too large and advise lowering the permissible MTU. If that negotiation packet cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The MacOS Autoruns Sensor does not properly parse autorun information on MacOS 13 Ventura due to a change by Apple on where this information is stored.
  • On-demand scans for IOCs created from a hash only search content from Tanium Index and do not search content from the recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.
  • Suppression rules that use regular expressions to match Process MD5 do not work correctly. This is a known issue and will be addressed in a future version of Threat Response.
  • On Linux endpoints using audispd as the event source, TaniumAuditPipe is unable to load audit events. This is a known issue and will be addressed in a future version of Threat Response. For more information about how to determine which endpoints use audispd as an event source, see the flowchart for Linux endpoints at https://docs.tanium.com/recorder/recorder/overview.html.
  • At this time, Threat Response is not supported on RHEL/OEL 9.x (ARM and x86) endpoints. This support will be provided in a future version of Threat Response.
  • On Mac OS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.

Release Date: January 23, 2023

Improvements

  • Improved behavior to limit memory usage when performing memory scoped YARA scans.

Fixes

  • Fixes an issue where the Threat Response - Acknowledge Findings package could use excessive CPU and timeout when running on endpoints with a large number of findings.

Tools Versions

  • Includes Threat Response CX binary: 1.12.900
  • Includes Recorder Tool (Installer): 3.11.25
  • Includes Recorder binary: 2.10.822
  • Includes Driver Tool (Installer): 3.11.25
  • Includes Driver binary: 3.1.2058
  • Includes Index binary: 3.3.2623
  • Includes Stream: 1.7.4
  • Includes core-python: 2.2.23
  • Includes Incident Response: 6.6.22

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU negotiation packets can be blocked when a packet sent from the endpoint is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint to report that the packet is too large and advise lowering the permissible MTU. If that negotiation packet cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The MacOS Autoruns Sensor does not properly parse autorun information on MacOS 13 Ventura due to a change by Apple on where this information is stored.
  • On-demand scans for IOCs created from a hash only search content from Tanium Index and do not search content from the recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.
  • Suppression rules that use regular expressions to match Process MD5 do not work correctly. This is a known issue and will be addressed in a future version of Threat Response.
  • On Linux endpoints using audispd as the event source, TaniumAuditPipe is unable to load audit events. This is a known issue and will be addressed in a future version of Threat Response. For more information about how to determine which endpoints use audispd as an event source, see the flowchart for Linux endpoints at https://docs.tanium.com/recorder/recorder/overview.html.
  • At this time, Threat Response is not supported on RHEL/OEL 9.x (ARM and x86) endpoints. This support will be provided in a future version of Threat Response.
  • On Mac OS 13.4+, Yara memory scanning is limited to processes without hardened runtimes only. This is a known issue and will be addressed in a future release of Threat Response.
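The ICMP quarantine issue above is a Path MTU Discovery (PMTUD) black hole: the endpoint sends packets with the Don't Fragment bit set, and the only way it learns that a hop has a smaller MTU is the ICMP "fragmentation needed" error (type 3, code 4; for IPv6, Packet Too Big, type 2) coming back from that router. The following is an added example, not Tanium code, that models the exchange in memory (constructed router, endpoint, and two inbound-ICMP policies; no real sockets) so the failure mode can be reproduced before a quarantine rule is put in front of production endpoints:

```python
# Added example (not Tanium code): a small model of Path MTU Discovery (PMTUD)
# showing why a quarantine rule that drops all inbound ICMP can black-hole the
# quarantined endpoint's own traffic, including its session to the Tanium Server.
# Router, endpoint, packet sizes and policies are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Optional

ICMP_DEST_UNREACHABLE = 3   # ICMP type
ICMP_FRAG_NEEDED = 4        # code: "fragmentation needed and DF set" (RFC 1191)


@dataclass
class IcmpMessage:
    icmp_type: int
    code: int
    next_hop_mtu: int        # MTU the router can forward without fragmenting


@dataclass
class Router:
    mtu: int

    def forward(self, packet_size: int, dont_fragment: bool) -> Optional[IcmpMessage]:
        """Return None if the packet is forwarded, or the ICMP error the router
        sends back to the source when a DF packet exceeds this hop's MTU."""
        if packet_size <= self.mtu:
            return None
        if dont_fragment:
            return IcmpMessage(ICMP_DEST_UNREACHABLE, ICMP_FRAG_NEEDED, self.mtu)
        return None  # without DF the router fragments; treat as delivered


# Inbound ICMP policies a quarantine rule might apply on the endpoint.
def block_all_icmp(msg: IcmpMessage) -> bool:
    """The problematic rule: every inbound ICMP message is dropped."""
    return False


def allow_frag_needed_only(msg: IcmpMessage) -> bool:
    """Still blocks echo etc., but lets PMTUD errors through."""
    return msg.icmp_type == ICMP_DEST_UNREACHABLE and msg.code == ICMP_FRAG_NEEDED


@dataclass
class Endpoint:
    path_mtu: int                                 # starts at the interface MTU
    icmp_inbound: Callable[[IcmpMessage], bool]   # quarantine rule for inbound ICMP

    def send(self, payload: int, router: Router, max_retries: int = 5) -> dict:
        """Send a DF packet of `payload` bytes (capped at the current path MTU
        estimate), retransmitting as a TCP stack would. Returns the outcome."""
        for attempt in range(1, max_retries + 1):
            size = min(payload, self.path_mtu)
            err = router.forward(size, dont_fragment=True)
            if err is None:
                return {"delivered": True, "attempts": attempt, "path_mtu": self.path_mtu}
            if self.icmp_inbound(err):
                # PMTUD works: lower the estimate and retransmit smaller packets.
                self.path_mtu = err.next_hop_mtu
            # Otherwise the error was dropped by the quarantine rule: the endpoint
            # learns nothing and retransmits the same oversized packet.
        return {"delivered": False, "attempts": max_retries, "path_mtu": self.path_mtu}


def simulate(icmp_policy: Callable[[IcmpMessage], bool], payload: int = 1500,
             interface_mtu: int = 1500, router_mtu: int = 1400) -> dict:
    """One delivery attempt under the given inbound ICMP policy (constructed MTUs)."""
    return Endpoint(path_mtu=interface_mtu, icmp_inbound=icmp_policy).send(
        payload, Router(mtu=router_mtu))


if __name__ == "__main__":
    print("block all ICMP     :", simulate(block_all_icmp))
    print("allow frag-needed  :", simulate(allow_frag_needed_only))
    print("small packet       :", simulate(block_all_icmp, payload=512))
```

With every inbound ICMP message dropped, the endpoint never lowers its path MTU and the large packet is never delivered, while small packets still work, which is exactly the intermittent "endpoint still quarantined but unreachable" symptom described above. Permitting only type 3 code 4 (and ICMPv6 type 2) inbound keeps the quarantine's intent while letting PMTUD converge; whichever rule you choose, test it against a path with a reduced MTU before relying on it.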

Release Date: January 16, 2023

Important Notes

  • This Threat Response release is focused on the end of life of Detect.

Upgrade Notes

  • This version of Tanium Threat Response deprecates support for the legacy Detect service and database.
  • In this release of Threat Response, the Detect and Event services are deprecated and replaced by the Threat Response service. The integration between the Threat Response service and the Threat Response Client Extension on endpoints improves performance and provides a platform for future capabilities, intelligence, and workflows around intel and alerting.
  • This release of Threat Response includes API changes that require customers and partners to reconfigure API integrations. The data format of many existing routes has changed, mostly to make what each API returns consistent. From the Threat Response Workbench, click Help > API > See API documentation to review the Threat Response 4.0 API documentation and adjust your integrations accordingly.
  • Threat Response Audit data has been consolidated and updated to use the Connect Source: "Tanium Threat Response" - Type: "Audit Report".

New Features

  • Threat Response now uses the System User Service to manage service credentials.
  • Provides the ability for a user to take action (For example, Delete, Export, or Assign to Workbench Source) on multiple applicable items in the Intel Document list.
  • Profiles can now handle deleted computer groups.

Tools Versions

  • Includes Threat Response CX binary: 1.12.898
  • Includes Recorder Tool (Installer): 3.11.25
  • Includes Recorder binary: 2.10.822
  • Includes Driver Tool (Installer): 3.11.25
  • Includes Driver binary: 3.1.2058
  • Includes Index binary: 3.3.2623
  • Includes Stream: 1.7.4
  • Includes core-python: 2.2.23
  • Includes Incident Response: 6.6.22

Improvements

  • After Threat Response upgrades, users are no longer prompted to redeploy profiles unless there are undeployed profile configuration changes since the last Threat Response upgrade. On-premises environments must still redeploy profiles after Threat Response upgrades if automatic tools deployment is turned off.
  • The Threat Response service now pushes new alerts to Tanium Connect in batches every five minutes.
  • Provides more verbose messaging when Threat Response profiles cannot be deployed.
  • Provides numerous improvements with the performance of Threat Response sensors on endpoints.
  • In the saved evidence page, snapshots in progress are no longer visible for computer groups that the current persona does not have access to.
  • Tanium YARA scans now consider both resident and paged memory sizes when selecting processes, and the maximum size of a process to scan has been raised from 64 MB to 256 MB. This prevents processes that map large amounts of memory to disk but have a small active footprint from exhausting endpoint resources by paging in all of their mapped memory.
  • Threat Response audit data has been consolidated to the Threat Response Connect Audit Feed. The "All Events" source is no longer used for Threat Response audit data.
  • The Intel documents page now hides workflows that the user cannot act on.
  • Makes the labels and intel counts links on the profiles page more intuitive.
  • Adds Threat Response audit report events to identify when an Intel document label was modified.
  • Increases the size of the Computer Group filters field on the On-Demand scans page.
  • The Endpoint Throttling notification now shows the Intel document name.
  • Removes the Threat Response Health Check Saved Questions and Sensor.
  • Adds support for a Registry operation property in Signal definitions.
  • Updates the Tanium Default macOS Symantec Filter.
  • Identifies profiles that have deleted computer groups assigned and provides the ability for a user to fix a profile that refers to deleted computer groups.
  • Adds Asset Criticality information to Threat Response alerts.
  • The Threat Response status sensor now includes sensor definitions for AIX and Solaris.
  • Adds a pending approval state to response actions.
  • Removes the "Top 5 Endpoints with the Highest Number of Unresolved Alerts" section of the overview page.
  • Adjusts the retention time for unacknowledged alerts to one year.
  • Improves Reputation Alerts to handle scenarios where certain hash algorithms match.
  • Provides a new Index sensor that returns the top directories that are indexed by count across the environment.
  • Improves Index to query the disk after deduplicating file events from Recorder when High Priority paths are in use.
  • Adds SHA1 and SHA256 hash support to Recorder Process and Library Events.
  • Adds ProcessItem/UserID terms to OpenIOC support.
  • Updates the CX Status Sensor to display Threat Response Profiles ID and Revision output grouped together.
  • Logs the applied Threat Response profile at the default Threat Response client extension log level.
  • Displays container information for Index results in ZIP files in advanced details of Threat Response alerts.

Fixes

  • Fixes an issue where the intel document definition for existing alerts is changed when the source intel definition is changed.
  • Fixes an issue where filter counts for Intel documents were not updated when filtering by platform or time range.
  • Fixes an issue where multiple levels of sorting did not work correctly when browsing live file events.
  • Fixes an issue where time zones were being used inconsistently on the Intel documents page.
  • Fixes an issue where the Threat Response workbench could allow the creation of an invalid IOC normalized tree.
  • Fixes an issue where the alerts count in the system notifications page did not display plural counts.
  • Fixes an issue where an error could occur while writing Reputation hashes to the database.
  • Fixes an issue where Threat Response could generate alerts on hashes that are included in the allow list in Reputation.
  • Fixes an issue where links to Intel documents are not fully underlined in the Intel documents view.
  • Fixes an issue where a collapsed section was not displayed in the advanced details section for alerts.
  • Fixes an issue in the API documentation where the call to Reputation integration was incorrect.
  • Fixes an issue where a Read Only user could ask questions in Enterprise Hunting.
  • Fixes an issue where the technique for Process Injection was being rendered as the Intel document name.
  • Fixes help text in a Live Connection dialog that referenced an incorrect button.
  • Fixes an issue with the alerts page that could load all intel when no alerts were being viewed.
  • Fixes an issue where a user could select an intel-specific suppression rule without selecting an intel document and click Save.
  • Fixes an issue in the filters page where the Select All button would prompt to delete all filters when a grid filter was applied.
  • Fixes an issue in the filters page where the Delete button only deletes a maximum of 100 filters when a higher number of filters is selected.
  • Fixes a display issue in the Saved Evidence page where the username and actions content could overlap.
  • Fixes a typo in the output of the Generate Autorun Cache package script.
  • Fixes an issue where the live connection combined search results could be incorrect if a filter was applied before the results were loaded.
  • Fixes an issue in the API documentation where the overrideScanBlockout documentation was incorrect.
  • Fixes an issue with the Configurations and Profiles pages to reposition the Use UTC checkbox above the scan blockout control.
  • Fixes an issue where the name of the Enforcement created in the Remediate in Enforce response actions is left blank.
  • Fixes an issue where the Trace Logon Events sensor applies filter parameters to the wrong query column.
  • Fixes an issue where the Trace Loaded Drivers sensor uses the wrong string table in the CTE filter for the DriverPath parameter.
  • Fixes an issue where the Trace Network Connections sensor did not always return the maximum results when "Make Stackable" was selected.
  • Fixes a display issue with the way target and actor processes are displayed in process injection alerts.
  • Fixes an issue with alert details where file events could be duplicated in the alert details.
  • Fixes an issue with the Trace Loaded Drivers sensor that used an invalid CTE filter when only filtering on signature status.
  • Fixes an issue with the Trace Registry sensor where it filtered username against the wrong column when using the CTE filter.
  • Fixes an issue with the Trace Network Connections sensor where it could return duplicate results when MakeStackable is selected.
  • Fixes an issue where the Trace Executed Process Trees sensor did not return a Yes or No result when "Output only yes or no" is selected.
  • Fixes an issue where removing a label from all shown results from a different filtered label will only remove 100 labels.
  • Fixes an issue where the description of the Workbench intel source mentioned the Detect workbench.
  • Fixes an issue in the alerts results where single line ancestry is not visible.
  • Clarifies computer group targeting information in the On-Demand scan information dialog.
  • Fixes an issue where the Threat Response EID (Endpoint ID) manager becomes unresponsive after an error.
  • Fixes an issue where the signal grouping syntax could become incorrect when modifying Signals or filters.
  • Fixes an error where saved action exports could fail because Threat Response created hourly Saved Actions for Threat Response - Acknowledge Findings.
  • Fixes an issue where Impact Details information was missing from process injection alerts.
  • Fixes an issue where alerts were not returned for live processes.
  • Fixes a display issue where download buttons were shown inconsistently in the Saved Evidence page.
  • Fixes an issue where OneDrive remote files could be erroneously marked as local and indexed on macOS.
  • Fixes an issue where the Index database could become corrupted and not recover automatically.
  • Fixes an issue where when using the Index - File Details sensor to retrieve the contents of a directory a result of "No Results Found" could be returned.
  • Fixes an issue where the Recorder could display blank process information for the Windows System process (PID 4).
  • Fixes an issue where the recorder could record invalid user IDs on Windows endpoints.
  • Fixes an issue where the recorder could record file event timestamps out of sync from macOS endpoints.
  • Fixes an issue where there could be a delay in updating the index initial scan complete value until the client was reset on the endpoint.
  • Fixes an issue where there could be an error starting a continuous hunt.
  • Fixes an issue where an incorrect Signal term property was expected for a group name.
  • Fixes an issue where endpoint Must Gather collections encountered errors when attempting to collect legacy Index data.
  • Fixes an issue where Threat Response did not alert on Live Processes matched by nested properties.
  • Fixes an issue where profiles did not apply if the Windows PATHEXT environment variable was missing the .bat extension.

Security update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU Discovery can fail. If a packet sent by the endpoint is larger than the MTU that a router on the path allows, the router normally drops it and returns an ICMP message telling the endpoint that the packet is too large and what MTU to use instead. If that ICMP message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Block ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not correctly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On-demand scans for IOCs created from a hash search only Tanium Index content; they do not search Recorder data or live connection data for the hashes. This will be addressed in a future release of Threat Response.
  • Suppression rules that use regular expressions to match Process MD5 do not work correctly. This is a known issue and will be addressed in a future version of Threat Response.
  • On Linux endpoints using audispd as the event source, TaniumAuditPipe is unable to load audit events. This is a known issue and will be addressed in a future version of Threat Response. For more information about how to determine which endpoints use audispd as an event source, see the flowchart for Linux endpoints at https://docs.tanium.com/recorder/recorder/overview.html.
  • At this time, Threat Response is not supported on RHEL/OEL 9.x (ARM and x86) endpoints. This support will be provided in a future version of Threat Response.
  • On macOS 13.4 and later, YARA memory scanning is limited to processes that do not use the hardened runtime. This is a known issue and will be addressed in a future release of Threat Response.

Release Date: January 06, 2023

Fixes

  • Fixes an issue where YARA search scopes (Live File, Memory, and Path) may not be scanned as expected.

Tools Versions

  • Includes core-recorder 3.10.75
  • Includes Recorder 2.9.1334
  • Includes Driver Tool Version 3.10.75
  • Includes Driver binary version 3.1.2058
  • Includes THR-CX 1.11.2959
  • Includes Stream 1.7.4
  • Includes Index 3.3.2607
  • Includes core-python 2.2.23
  • Includes Incident Response 6.5.23

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU Discovery can fail. If a packet sent by the endpoint is larger than the MTU that a router on the path allows, the router normally drops it and returns an ICMP message telling the endpoint that the packet is too large and what MTU to use instead. If that ICMP message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Block ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not correctly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On-demand scans for IOCs created from a hash search only Tanium Index content; they do not search Recorder data or live connection data for the hashes. This will be addressed in a future release of Threat Response.
  • On macOS 13.4 and later, YARA memory scanning is limited to processes that do not use the hardened runtime. This is a known issue and will be addressed in a future release of Threat Response.

Release Date: October 27, 2022

Improvements

  • The version of Tanium Index that is provided with this version of Threat Response returns the files that are contained in zip archives, including JAR files.

Fixes

  • Fixes a potential conflict between the Tanium Driver and third-party process injection drivers that could cause Microsoft Windows to become unresponsive when Tanium Process Injection alerts are enabled.
  • Fixes a potential crash in Threat Response CX related to Signal matches.
  • Fixes an issue where the Recorder database SQLite cache size was not set correctly.
  • Fixes an issue where Index could consume a large amount of RAM when indexing nested ZIP files.

Tools Versions

  • Includes core-recorder 3.10.75
  • Includes recorder 2.9.1334
  • Includes THR-CX 1.11.2952
  • Includes Stream 1.7.4
  • Includes Driver 3.1.2058
  • Includes Index 3.3.2607
  • Includes core-python 2.2.23
  • Includes Incident Response 6.5.21

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU Discovery can fail. If a packet sent by the endpoint is larger than the MTU that a router on the path allows, the router normally drops it and returns an ICMP message telling the endpoint that the packet is too large and what MTU to use instead. If that ICMP message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Block ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not correctly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On-demand scans for IOCs created from a hash search only Tanium Index content; they do not search Recorder data or live connection data for the hashes. This will be addressed in a future release of Threat Response.
  • On macOS 13.4 and later, YARA memory scanning is limited to processes that do not use the hardened runtime. This is a known issue and will be addressed in a future release of Threat Response.

Release Date: October 19, 2022

Important Note

  • This release is focused on further expansion of the existing integration with Deep Instinct (DI).

New Features

  • Provides support for the Threat Response and Deep Instinct integration on macOS.
  • Supports additional Deep Instinct event types which allow consumption of the full breadth of Deep Instinct alerts in the Threat Response console.

Improvements

  • Deep Instinct alert details contain a new "Deep Instinct" section that shows Event Type, Event Action, File Path, File Type, File Hash, and Signature where applicable.
  • A new "Malware Probability" section shows the probable malware type, such as backdoor, virus, or worm.
  • Tanium Driver process injection monitoring exclusions for Deep Instinct are included by default.
  • EID manager logging moved to Trace level.
  • Updated Alert Throttling for the Deep Instinct Integration.
  • Support for permission changes to registry keys, subkeys, values, and hives in Recorder.
  • Improved performance for Trace Logon Events sensor queries.
  • Improved load times when browsing the Combined View in Live Connections.
  • Improved load times when viewing Driver events in Live Connections.
  • Endpoint troubleshooting bundles now include the entire IndexCX directory.

Tools Versions

  • Includes core-recorder 3.10.73
  • Includes recorder 2.9.1333
  • Includes THR-CX 1.11.2949
  • Includes Stream 1.7.4
  • Includes Driver 3.1.2056
  • Includes Index 3.3.2604
  • Includes core-python 2.2.23
  • Includes Incident Response 6.5.21

Fixes

  • Fixes an errant entry between the 'Bystander' and 'Security Event' sections of the alert details panel.
  • Fixes an On-Demand scanning failure for the Threat Response User role when the Reveal User role is also assigned.
  • Fixes an issue where the Response Activity status changed to "Stopped" after approval even though the action executed.
  • Fixes an issue where Defender alerts did not load the details panel.
  • Fixes an issue where Defender alert details in the UI showed "unknown" for fields such as Detection Type and Process Ancestry.
  • Fixes an issue where the service continued to make requests when TDS was down.
  • Fixes an issue where the Autoruns sensor description misspelled the name of a package.
  • Fixes an issue where filters using network.port were not filtering disconnects with matching local ports.
  • Fixes an issue where Stream output would incorrectly grow the file size of extensions-stdout.txt.

Security Update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU Discovery can fail. If a packet sent by the endpoint is larger than the MTU that a router on the path allows, the router normally drops it and returns an ICMP message telling the endpoint that the packet is too large and what MTU to use instead. If that ICMP message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Block ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not correctly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On-demand scans for IOCs created from a hash search only Tanium Index content; they do not search Recorder data or live connection data for the hashes. This will be addressed in a future release of Threat Response.

Release Date: September 27, 2022

Improvements

  • EID manager logging moved to Trace level.
  • Recorder includes new driver version 3.1.2053.

Fixes

  • Fixes an On-Demand scanning failure for the Threat Response User role when the Reveal User role is also assigned.
  • Fixes a logging error in the Threat Response logs that creates a Findings gather loop.

Tools Versions

  • Includes core-recorder 3.9.70
  • Includes recorder 2.8.1047
  • Includes THR-CX 1.10.990
  • Includes Stream 1.7.3
  • Includes Driver 3.1.2053
  • Includes index-cx 3.2.2774
  • Includes core-python 2.2.18
  • Includes Incident Response 6.5.21

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • Live Response Memory Collection is not supported on Amazon Linux 2 (ARM) endpoints or macOS endpoints that use M1 ARM processors.
  • BeyondTrust/Avecto Privilege Guard Software has an incompatibility with Tanium Driver Process Injection that can cause Microsoft Windows to become unresponsive. If BeyondTrust/Avecto Privilege Guard Software is installed, it is recommended not to enable Tanium Process Injection alerts.
  • The macOS Autoruns sensor does not correctly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On-demand scans for IOCs created from a hash search only Tanium Index content; they do not search Recorder data or live connection data for the hashes. This will be addressed in a future release of Threat Response.

Release Date: September 15, 2022

Improvements

  • Alerts which remain unacknowledged on endpoints will now be removed after 30 days.

Fixes

  • Fixes an issue where the "Threat Response - Acknowledge Findings" action was not being issued with action approval enabled.
  • Fixes an issue where the Threat Response service could become unresponsive due to multiple SQLite connections.
  • Fixes an issue where the Threat Response service could experience a memory leak during event gathering.
  • Fixes an issue which could cause increased Tanium Server network usage when a large number of Threat Response alerts are being throttled.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • Live Response Memory Collection is not supported on Amazon Linux 2 (ARM) endpoints or macOS endpoints that use M1 ARM processors.
  • BeyondTrust/Avecto Privilege Guard Software has an incompatibility with Tanium Driver Process Injection that can cause Microsoft Windows to become unresponsive. If BeyondTrust/Avecto Privilege Guard Software is installed, it is recommended not to enable Tanium Process Injection alerts.
  • The macOS Autoruns sensor does not correctly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On-demand scans for IOCs created from a hash search only Tanium Index content; they do not search Recorder data or live connection data for the hashes. This will be addressed in a future release of Threat Response.

Release Date: August 29, 2022

Improvement

  • Unacknowledged alerts now remain on the endpoint for up to 30 days.

Fixes

  • Fixes potential knex errors such as: "Knex: Timeout acquiring a connection". This could cause the Detect service and Threat Response workbench to become unavailable.
  • Fixes a potential page crash when expanding suppression rule previews.
  • Fixes an issue where the process tree view does not open when starting a live connection from some alerts.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • Live Response Memory Collection is not supported on Amazon Linux 2 (ARM) endpoints or macOS endpoints that use M1 ARM processors.
  • BeyondTrust/Avecto Privilege Guard Software has an incompatibility with Tanium Driver Process Injection that can cause Microsoft Windows to become unresponsive. If BeyondTrust/Avecto Privilege Guard Software is installed, it is recommended not to enable Tanium Process Injection alerts.
  • The macOS Autoruns sensor does not correctly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On-demand scans for IOCs created from a hash search only Tanium Index content; they do not search Recorder data or live connection data for the hashes. This will be addressed in a future release of Threat Response.
  • On macOS 13.4 and later, YARA memory scanning is limited to processes that do not use the hardened runtime. This is a known issue and will be addressed in a future release of Threat Response.

Release Date: August 23, 2022

Important Notes

  • In Threat Response 3.8, Quick Scans have been replaced with On-Demand scans. If upgrading to Threat Response 3.8 from an earlier version, quick scan history for intel documents is not migrated and is no longer available.
  • On-Demand scans are action-based and now require an approver if action approval is enabled.
  • When upgrading from an existing version of IndexCX to IndexCX 3.2.2762 or higher, the Index database on all endpoints is reset. IndexCX will then perform a rescan to repopulate the Index database. This initial rescan is randomized over 24 hours and follows the same Tanium CX resource throttles as a normal rescan, which occurs every 7 days by default. Until the initial rescan is complete, Index data can be incomplete. This is required due to database schema changes to improve database consistency.
  • System File filters have been renamed to System Filters. These filters will continue to work the same on Linux endpoints. On Windows endpoints, System filters provide the ability to exclude processes from process injection monitoring.
  • The Interact bar on the Enterprise Hunting page has been removed.
  • The Threat Response Health page has been removed. Use the “Client Extensions – Status" sensor as the authoritative resource for what Threat Response components are present and running on an endpoint. The “Threat Response – Status” sensor will be deprecated in a future release.
  • When upgrading from earlier versions of Threat Response, there are differences in Alert Details (and the alert JSON). The differences can be summarized as follows:
    • Hash ids were numbers; they are now strings.
    • The source for openioc filename was tanium-index; it is now index.
    • The service id was included in match details; it is no longer included.
    • The source for openioc network was tanium-recorder; it is now threatresponse_database.
    • The source for openioc process was tanium-recorder; it is now live.
    • The source for signals was signals; it is now recorder or threatresponse_database.
    • The source for yara was at-rest; it is now at_rest.
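Integrations that store or match on the alert JSON (a SIEM parser, a Connect destination, a script that compares hash ids) need to handle both shapes during the upgrade window. The following is an added example, not Tanium code, that upgrades a legacy record to the 3.8 conventions listed above. The field names it uses ("intel_type", "source", "match_details", "hash_id", "service_id") and the sample alert are assumptions made for illustration; the real alert schema is in the API documentation under Help > API in the workbench.

```python
# Added example (not Tanium code): rewrite a pre-3.8 Threat Response alert
# record to the 3.8 conventions from the release notes so downstream matching
# keeps working. Field names below are ASSUMED for illustration; check the
# alert schema in the workbench API documentation for the real ones.
import copy

# (intel type, legacy source) -> 3.8 source, taken from the release notes.
SOURCE_MAP = {
    ("openioc_filename", "tanium-index"): "index",
    ("openioc_network", "tanium-recorder"): "threatresponse_database",
    ("openioc_process", "tanium-recorder"): "live",
    ("yara", "at-rest"): "at_rest",
}
# Legacy "signals" became either "recorder" or "threatresponse_database"; the
# legacy record does not say which, so the caller has to pick a default.
SIGNALS_LEGACY_SOURCE = "signals"
SIGNALS_NEW_SOURCES = ("recorder", "threatresponse_database")


def _stringify_hash_ids(node) -> None:
    """Hash ids were numbers and are now strings; convert them wherever they
    appear in the nested match details (dicts and lists)."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "hash_id" and isinstance(value, int):
                node[key] = str(value)
            else:
                _stringify_hash_ids(value)
    elif isinstance(node, list):
        for item in node:
            _stringify_hash_ids(item)


def upgrade_alert(alert: dict, signals_default: str = "recorder") -> dict:
    """Return a copy of `alert` rewritten to the 3.8 conventions. The input is
    left untouched so the original can still be archived as received."""
    if signals_default not in SIGNALS_NEW_SOURCES:
        raise ValueError(f"signals_default must be one of {SIGNALS_NEW_SOURCES}")
    out = copy.deepcopy(alert)
    key = (out.get("intel_type"), out.get("source"))
    if key in SOURCE_MAP:
        out["source"] = SOURCE_MAP[key]
    elif key == ("signals", SIGNALS_LEGACY_SOURCE):
        out["source"] = signals_default
    details = out.setdefault("match_details", {})
    details.pop("service_id", None)      # no longer included in 3.8
    _stringify_hash_ids(details)
    return out


def is_upgraded(alert: dict) -> bool:
    """True if `alert` already follows the 3.8 conventions (the upgrade is a
    no-op on it), which lets a pipeline accept both shapes safely."""
    return upgrade_alert(alert) == alert


# Constructed sample (assumed field names), not a real alert.
LEGACY_ALERT = {
    "intel_type": "openioc_filename",
    "source": "tanium-index",
    "match_details": {
        "service_id": 7,
        "hash_id": 4711,
        "files": [{"path": "/tmp/sample.bin", "hash_id": 4712}],
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(upgrade_alert(LEGACY_ALERT), indent=2))
```

Because the legacy "signals" source maps to two possible new values, the function makes that choice explicit rather than guessing; rules that key on source for Signals alerts should match either value until all stored alerts have been migrated.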

New Features

  • Provides support for Amazon Linux 2 (ARM) and macOS endpoints that use M1 ARM processors.
  • Process injection monitoring: Detects when processes have code written and executed in their memory space in a suspicious manner. Process injection monitoring is supported on Windows 10 and Windows Server 2016, and newer. Process injection monitoring is not enabled by default.
  • New Tanium Client Extension version of the Threat Response evaluation engine, which replaces the Tanium Detect Engine.
  • On-demand scans replace Quick Scans. Legacy Quick Scans used questions to deliver the Intel document to the endpoint; On-demand scans use an action to deliver the Intel document for immediate matching and alert reporting, so there is no longer a limit on the number of indicators in an Intel document for On-demand scans.
  • On-demand scans of Reputation malicious hashes are now supported.
  • The "Engine" and "Intel" configurations in THR have been consolidated into a single simplified "Detection" configuration.

Improvements

  • Upgraded various third-party libraries to newer versions.
  • Adds support for Tanium Signals syntax v5, which increases the Signals and filters terms limit from 24 to 55.
  • On-demand scans now support overriding Detection configuration scan blockout windows.
  • Response action targeting now relies on multiple endpoint data points for more specific targeting.
  • Ability to download multiple items of Saved Evidence simultaneously.
  • Improves event export to allow exporting up to 500,000 events from live connections and snapshots.
  • Symbolic links are now visible while file browsing in a live connection. Deleting symbolic links requires Tanium Direct Connect 2.4 or higher.
  • “Global” suppression rules have been renamed to “All Signals”.
  • “Signal-Specific” suppression rules have been renamed to “Intel-Specific”.
  • “Defender Intel” document for Windows Defender alerts is now visible on the Intel page.
  • “Deep Instinct” document for Deep Instinct alerts is now visible on the Intel page.
  • Recorder filters now support Registry “Operation” based filters.
  • Recorder filters now support Network “Operation” based filters.
  • Adds the “Index - List Discovered Volumes” sensor to return the list of filesystem volumes discovered by Tanium Index.
  • Adds "ends with" filtering to Live Connections.
  • Improves File Downloads via Live Connections.
  • Supports importing YARA 4.1 rules.
  • Validation of uploaded snapshots.
  • Improves the display of endpoint data details in table format.
  • Improves Alert Summary Charts.
  • Updated Recorder Sensor Descriptions.
  • On Unix/Linux, Threat Response's use of the lsof (list open files) command has been deprecated. Threat Response now uses Recorder data.

Tools Versions

  • Includes core-recorder 3.9.68
  • Includes recorder 2.8.1047
  • Includes THR-CX 1.10.990
  • Includes Stream 1.7.3
  • Includes Driver 3.1.2042
  • Includes index-cx 3.2.2774
  • Includes core-python 2.2.18
  • Includes Incident Response 6.5.21

Fixes

  • Fixes an issue where the recorder shows some processes with no parent.
  • Fixes an issue where the Intel Name in the Alerts grid can disappear when scrolling.
  • Fixes an issue where endpoints show a recorder health check that states “Failed to create BPF Network event provider. Not receiving file events.”
  • Live Response has been updated to allow memory collection from recent Windows 10 releases.
  • Live Response standard collections with variables have been updated to correctly work on macOS and Linux endpoints.
  • Live Response running process collections have been updated to correctly work on macOS.
  • Fixes an issue where Endpoint Configuration Framework (ECF) would remove Threat Response configurations if ECF could not evaluate an endpoint's computer group membership.
  • Fixes an issue where a profile redeployment was needed after tool reinstallation to enable the recorder subscription.
  • Fixes a file size mismatch between the live connection file browser and actual file size on disk.
  • Fixes an issue where Response Actions and action approval would be recreated after deletion.
  • Firefox is now able to correctly render Threat Response alerts.
  • Fixes an issue where configurations with "Tanium Defaults" in the name would be read-only.
  • Fixes an issue where a user is unable to view Linux alerts using the fly out button properly.
  • Updated Threat Response Default Registry Filters.
  • Threat Response and Reputation no longer alert on hashes on the non-malicious list in Reputation.
  • Fixes an issue where it was not possible to use a space when searching filters and exclusions.
  • Fixes an issue where the Intel Label filter freezes after the first search character input and does not accept additional characters.
  • Fixes an issue where the Live Response “Create” and “Generate” buttons can be scrolled out of view.
  • Fixes an issue with Incident Response Sensors where using GetOSMajorVersion does not work on non-English endpoints.
  • Fixes an issue where the “Network Connections” sensor was not stacking data appropriately.
  • Fixes an issue on the alerts page where the alert count by intel document could be incorrect when filtering.
  • Fixes an issue with Intel configurations where the label selection drop down was limited to 100 labels.
  • Fixes an issue in alerts detail where the Impact section of the alert details drawer refreshes when the main alerts grid updates.
  • Fixes an issue where deploying a response action without a package resulted in a “Cannot read property 'files' of undefined” error.
  • Fixes an issue where a Response Action exception error could occur when removing the expiration date.
  • Fixes an issue where the evidence API doesn't accept a limit parameter.
  • Fixes an issue where the popup window is not honoring a timeout value when making a Live Connection from an alert.
  • Fixes an issue where multiple Signal feed updates could occur for the same version.
  • Fixes an issue where saved evidence snapshot uploads are missing a username.
  • Fixes wording of the delete intel confirmation.
  • Fixes an issue in the alerts details drawer where OS Platform is shown twice.
  • Fixes an issue in Quarantine response actions where the custom configuration checkboxes were not working as expected.
  • Fixes an issue where the "Signed" field in driver event view is inaccurate.
  • Fixes an issue in alert details where clicking section icons scrolled to and collapsed that section.

Security update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • Alerts which remain unacknowledged on endpoints will be removed after 7 days. This will be updated to 30 days in a future release of Threat Response.
  • Live Response Memory Collection is not supported on Amazon Linux 2 (ARM) endpoints or macOS endpoints that use M1 ARM processors.
  • BeyondTrust/Avecto Privilege Guard Software has an incompatibility with Tanium Driver Process Injection that can cause Microsoft Windows to become unresponsive. If BeyondTrust/Avecto Privilege Guard Software is installed, it is recommended not to enable Tanium Process Injection alerts.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On-demand scans for IOCs created from a hash only search content from Tanium Index and do not search content from the recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.
  • On macOS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.

Release Date: August 08, 2022

Improvement

  • Upgraded various third-party libraries to newer versions.

Release Date: July 13, 2022

Fixes

  • Fixes an issue where the recorder shows some processes with no parent.
  • Fixes an issue where endpoints show a recorder health check that states “Failed to create BPF Network event provider. Not receiving file events.”

Tools versions

  • Includes Recorder 2.7.1482
  • Includes Core-Recorder 3.8.106

Release Date: June 30, 2022

Security update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.

Release Date: June 16, 2022

Change

  • Upgrades Tanium interface to latest version.

Security update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.

Release Date: May 16, 2022

Fix

  • Fixes an issue where a failed profile application required a profile revision change and redeployment of the profile.

Tools versions

  • Includes Driver 3.1.2040
  • Includes Core-Recorder 3.8.103

Known issues

  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.

Release Date: April 21, 2022

Fix

  • Fixes an issue where Remediate in Enforce actions would not work with Enforce versions 1.9 or later.

Tools versions

  • Includes Driver 3.1.2036
  • Includes Recorder 2.7.1475
  • Includes Core-Recorder 3.8.101
  • Includes Index 3.2.2733

Improvement

  • The events of a signal match are always written to the database, and override any filters that are included in a recorder configuration.

Known issues

  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.

Release Date: April 6, 2022

Fixes

  • Improves Tanium Index database read performance.
  • Improves Tanium Recorder database read performance.
  • Improves Tanium Index database performance by increasing SQLite cache size.

Tools versions

  • Includes Core Recorder 3.7.156
  • Includes Recorder 2.6.1286
  • Includes Index 3.1.966

Known issues

  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.

Release Date: March 4, 2022

Fixes

  • Fixes an issue where the size of a file appears incorrectly in the file browser in a live endpoint connection.
  • Fixes an issue where the alert dates displayed on the Threat Response home page start with the date of the Threat Response installation.
  • Fixes a memory leak with event detection.

Tools versions

  • Includes Core Recorder 3.7.155
  • Includes Recorder 2.6.1285

Known issues

  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.

Release Date: February 14, 2022

Improvement

  • Threat Response CX has been updated to cache autorun persistent data every 24 hours by default.

Fix

  • Fixes an issue where the detect engine fails to query Index when checking for file names and hashes.

Tools versions

  • Includes Driver: 3.0.1300
  • Includes Core Recorder 3.7.154
  • Includes Index 3.1.963

Known issues

  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.

Release Date: January 10, 2022

Improvement

  • Improved alert storm protection by extending pruning to the event service.

Fixes

  • Resolved the inability to delete signal suppression rules in some cases.
  • Removed several overly verbose debug log messages causing the event service log to roll over too frequently.
  • Resolved issue where event service would fail due to KNEX SQLite errors.
  • Resolved issue where event service metrics were not registering successfully in Grafana.

Known issues

  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.

Release Date: December 20, 2021

Important notes

  • Features Deep Instinct integration for alerts. Deep Instinct incorporates advanced artificial intelligence to prevent and detect malware. Deep Instinct integration allows customers access to the full list of Threat Response remediation actions when handling Deep Instinct alerts. The Deep Instinct integration requires enabling the “Generate Deep Instinct Alerts” setting in an engine configuration for a deployed profile. Once enabled, Threat Response will display Deep Instinct alerts in the Threat Response workbench. By default, this setting is disabled for new configurations. For alerts to be returned from endpoints, the Deep Instinct agent must be running on the endpoint.
  • The Tanium Event Recorder Driver is required and installed for all Windows deployments. The Tanium Driver no longer has a version requirement for Windows 10 and will install on any version of Windows 10. Driver 3.0 introduces a new service on Windows endpoints named TaniumDriverSvc.

Upgrade Recommendations

  • Customers who have saved questions using the Autorun Files / Autoruns By Category / Autorun Program Details sensors will need to recreate the saved questions to take advantage of improvements in the autoruns implementation.
  • The following additional security exclusions have been added for the latest version of the Tanium driver. Refer to the Threat Response User Guide for a complete list of required security exclusions.

    C:\Windows\SysWOW64\TaniumProcessMonitor.dll
    C:\Windows\system32\drivers\TaniumProcessMonitor.dll
    <Tanium Client>\tools\driver\TaniumDriverCtl.exe
    <Tanium Client>\tools\driver\TaniumDriverCtl64.exe
    <Tanium Client>\tools\driver\TaniumDriverSvc.exe
    <Tanium Client>\tools\driver\TaniumDriverSvc64.exe
    <Tanium Client>\tools\driver\service\TaniumDriverSvc.exe
    <Tanium Client>\tools\driver\service\TaniumDriverSvc64.exe

Improvements

  • Adds endpoint Integration with Deep Instinct (DI) with the ability to use Deep Instinct Alerts in Threat Response.
  • Tanium Driver updated to version 3.0.
  • Autoruns Content has been migrated to Action/Sensor Content for improved performance.
  • Includes a new sensor: Threat Response - Security Events.
  • Includes Live Endpoint UI and feature enhancements.
  • Adds clearer alert source details.
  • Improves alert filtering.
  • Improves the logging of saved evidence.
  • Improves Tanium process filtering.
  • Allows Intel to bypass Endpoint Configuration Approval.
  • UUID is now part of the Saved Evidence API.
  • Includes a Download File link for file Items.
  • Includes stream improvements to Windows security events only configurations.
  • Includes Stream improvements for Library Loads.
  • Features a Trends update to correct permissions and remove legacy boards.
  • Standardizes process ancestry across alert views.
  • Adds support for diffie-hellman-group-exchange-sha256 keys in TaniumFileTransfer.
  • Includes file collector sets for Edge and IE browser data.
  • Recording of DNS events is now supported on Linux endpoints that have eBPF enabled.

Tools versions

  • Includes Recorder: 2.6.1280.0
  • Includes Index: 3.1.955.0
  • Includes Driver: 3.0.1288.0
  • Includes Core-python (python38): 2.1.39.0
  • Includes THR-CX: 1.7.67.0
  • Includes Detect Engine 3.20.2.0
  • Includes Incident Response: 6.4.6.0
  • Includes Stream: 1.6.8.0

Fixes

  • Fixes malformed Detect Gather with EID sensors.
  • Allows Index configurations without hashing.
  • Fixes download file response actions failing for offline endpoints.
  • Increased snapshot upload max size to 2.5 GB.
  • Fixes file browser breadcrumb navigation.
  • Supports filtering on Windows Defender alerts.
  • Fixes an issue where the base64 checkbox under Services > Misc did not function properly.
  • Fixes Live Response PowerShell's ability to run with various GPO settings.
  • Features updates to Trends boards.
  • Fixes the support for the LogPath variable.
  • Updates Threat Response Read Only User Permissions.
  • Removes TrustedCertPath log spam.
  • Fixes Signal validation in the text editor and filter builder.
  • Importing intel from a local directory now works correctly with subdirectories.
  • Fixes timestamps in response actions.
  • Removes extraneous "k" from UI display.
  • Updates DNS resolver cache hosts to support Japanese character sets.
  • Fixes "Uninstall Threat Response" to no longer leave entry in module dropdown.

Known issues

  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.

Release Date: November 5, 2021

Fixes

  • Fixes an issue where OpenIOC failed to detect files that contain multi-byte characters in FileName or FilePath.
  • Fixes an issue in the recorder where the SELinux policy could prevent the new Installed Applications sensor from executing.
  • Fixes an issue where a response action can result in failure rather than running the expected duration.

Known Issues

  • If the recorder is manually disabled and then manually re-enabled, profiles must be pushed in order for the recorder to actually start back up.
  • Malicious hashes located by Reputation will not be scanned until the next Intel deployment.
  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.
  • In the Saved Evidence view, Threat Response uses the file attributes for the createdAt date instead of the actual date the evidence was created in Threat Response. This can make saved evidence hard to find, because newer files would be expected to appear at the top of the list.

Release Date: September 28, 2021

Fixes

  • Fixes an issue where Quick Links may not maintain changes in the user console.
  • Fixes the default verbosity of console.log to make problem resolution easier.

Known Issues

  • If the recorder is manually disabled and then manually re-enabled, profiles must be pushed in order for the recorder to actually start back up.
  • Malicious hashes located by Reputation will not be scanned until the next Intel deployment.
  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.
  • In the Saved Evidence view, Threat Response uses the file attributes for the createdAt date instead of the actual date the evidence was created in Threat Response. This can make saved evidence hard to find, because newer files would be expected to appear at the top of the list.

Release Date: September 17, 2021

Fixes

  • Fixes an issue with the recorder where 3rd party installations could hang when the Tanium client is running.
  • Fixes an issue where the Recorder process on Linux may continually increase in usage over time.

Known Issues

  • If the recorder is manually disabled and then manually re-enabled, profiles must be pushed in order for the recorder to actually start back up.
  • Malicious hashes located by Reputation will not be scanned until the next Intel deployment.
  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.
  • In the Saved Evidence view, Threat Response uses the file attributes for the createdAt date instead of the actual date the evidence was created in Threat Response. This can make saved evidence hard to find, because newer files would be expected to appear at the top of the list.

Release Date: August 9, 2021

Fixes

  • Fixes an issue where after using quick add to create a FileName or FilePath in addition to a FileHash IOC, no alerts are generated during Quick Scans.
  • Fixes an issue where upgrading to the latest version of Threat Response from Threat Response version 3.3.33 could cause the workbench to become unusable.
  • Fixed an issue where the intel.db might not be generated after upgrading from early versions of Threat Response.
  • Fixed an issue where auto pruning of alerts could cause the Threat Response console to not be able to retrieve pages in the workbench.
  • Fixed an issue where Index exclusions may not apply correctly due to case sensitivity.

Known Issues

  • If the recorder is manually disabled and then manually re-enabled, profiles must be pushed in order for the recorder to actually start back up.
  • Malicious hashes located by Reputation will not be scanned until the next Intel deployment.
  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.
  • In the Saved Evidence view, Threat Response uses the file attributes for the createdAt date instead of the actual date the evidence was created in Threat Response. This can make saved evidence hard to find, because newer files would be expected to appear at the top of the list.

Release Date: July 27, 2021

Important Notes

  • Threat Response now has the ability to auto-prune alerts that are in the “Unresolved” state. It will auto-prune alerts to the last 100,000 “Unresolved” alerts and any “Unresolved” alert older than 60 days. Alerts in the “In-Progress” or “Resolved” state will NOT be auto-deleted. This feature will be automatically turned on in TaaS, but will be disabled for on-premise installations. Contact your support service for details on how to enable this feature for on-premise customers.
  • IndexCX provides significant performance improvements for endpoints allowing for the efficient searching of hashes and file meta-data. These changes include a slow walk of the disk and high-priority paths where more frequent updates are required. Please see our online documentation for more details about the benefits and configuration of IndexCX.
  • Reputation now uses IndexCX to allow for the efficient searching of large numbers of hashes with minimal endpoint impact. For 3.4 this change means that malicious hashes found by reputation are now scanned upon intel deployment. You may want to adjust your intel deployment frequency to account for this.
  • Index-CX now uses new sensors that start with 'Index File ...' instead of 'Index File Query ...'. You will need to update any Saved Questions and Connect jobs (for example those used by Reputation) to these new sensors in order to maintain functionality with Index-CX.

Improvements

  • Alert Pruning - For TaaS customers alert auto pruning will occur. See Need to Know for details.
  • IndexCX - better performance and granular control
  • Reputation now uses IndexCX to allow for the efficient scanning for larger numbers of hashes.
  • Local Drive selection and visibility from Live File Browsing
  • Impact details are now included in alerts
  • Add proxy settings to Stream configuration via the UI
  • Ability to export all events related to a specific process
  • Added SRUM data collection via live response
  • Provide a summary of live response changes when generating packages
  • Include content to help remediate alert storms
  • Support TAXII feed from IntSight
  • Support for sending Windows Security events via Stream
  • Help text provided for creating suppression rules
  • THR Trends boards respect RBAC2 permissions
  • Implement persistent query filters
  • Saved Evidence dates will no longer be changed on upgrade
  • Square brackets are now allowed in Live Response names
  • A banner will now be displayed when the THR license has expired
  • Health check remediation re-issue now issues correctly
  • Fixed issue where DB locks were not allowing Alert state changes
  • Detect will no longer try to parse all old quickscan files simultaneously
  • Fixed issue with poor Alert grid performance on Intel pages
  • Column changes are now persisted when opening the Alert details drawer
  • Fixed issue where search for an Index exclusion will deselect all currently selected exclusions
  • Fixed issue where filter builder interpreted the word ‘and’ in a signal incorrectly
  • Updated PowerForensic Prefetch sensor description
  • Added pop-up text to enterprise-pivot icon
  • Fixed issue where clicking Alerts would cause page to temporarily disappear
  • Increased Live Connection initiation timeout
  • Fixed text display under Saved Evidence Page

Fixes

  • Quarantine config file now works with non-standard Tanium Client directories on Linux/Mac
  • Updated Reputation Intel Documents to allow for THR quick scanning
  • Improve TAXII feed http/https attempts
  • Fixed false positives in quick scans due to percent characters
  • Live Response now supports multiple environment variables
  • Improved suppressions matching for Linux group/user fields
  • Update to the Mac Autoruns sensor
  • Helps ensure the WAL file does not grow without bound on the module server
  • Quick scans now properly handle process signatures
  • Support Azure blobs as a live response destination
  • Improved import of signals with group terms in the signal
  • Fixed viewing profiles with deleted computer groups
  • Fixed "Assign to workbench" action
  • Upgrading will no longer modify the date of saved evidence
  • Square brackets no longer cause errors in live response
  • Fixed license requirements for legacy licenses
  • Fixed remediation action reissue time
  • Fixed alert status changes
  • Remediation of orphaned quick scans
  • Improve alert page performance
  • Fixed data grid customizations
  • Fixed searching/selecting exclusions
  • Fixed signal filter builder that had an "AND" in the context
  • Corrected description of powerforensics prefetch sensor
  • Fix display of text on saved evidence page
  • Remove PWC as an IOC provider
  • Quickscan for signal will no longer treat % as a wildcard
  • Fixed unicode character parsing in event service
  • Added ability to impact previous signals where the process terms are grouped
  • Image filters are now included in filter exports
  • Fixed issue where moving a single intel to workbench would move all intel documents from that source

Known Issues

  • If the recorder is manually disabled and then manually re-enabled, profiles must be pushed in order for the recorder to actually start back up.
  • Malicious hashes located by Reputation will not be scanned until the next Intel deployment.
  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.

Release Date: July 06, 2021

Fix

  • This release contains performance and stability fixes for the recorder.

Known Issues

  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • Memory Collection on MacOS may fail to load the osxpmem kernel extension and fail to collect a memory snapshot.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.

Release Date: June 11, 2021

Improvement

  • Sets the default maximum number of values to 12 full reputation reports in an Intel document to ensure a safe quick scan size.

Fixes

  • This release contains fixes for applying SELinux policies for the Linux recorder on Red Hat Enterprise Linux.
  • This release contains fixes for Recorder filters for the /dev/shm path on Linux systems running eBPF recorder.

Known Issues

  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.

Security Update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.

Release Date: May 13, 2021

Important Notes

This Threat Response release adds the capability to use eBPF (extended Berkeley Packet Filter) as the source for the Tanium Recorder on supported RHEL/CentOS and Oracle Linux endpoints. The Tanium Recorder defaults to this mode if an endpoint has the correct requirements.

New Features

  • Support for the use of eBPF on RHEL 7.8+ and Oracle Linux 7.8+ endpoints with proper dependencies and kernel versions.
  • RHEL 7.8 - 8.1 DO require kernel-headers and kernel-devel that match the running kernel in order to be able to use eBPF.
  • Oracle Linux 7.8-8.2 DO require kernel-headers and kernel-devel that match the running kernel in order to be able to use eBPF.
  • Oracle Linux UEK kernel 7.8+ DOES require the kernel-uek-devel package.

Improvements

  • Support for the .yar file extension when uploading YARA rules.
  • Improved Quick Scan coverage messaging.
  • Added capability to filter alerts by intel source.
  • Adds support for setting backlog_wait_time on OEL7 endpoints.

Fixes

  • Improved TAXII feed discovery routes for HTTP/HTTPS.
  • Fixed non-existent file name errors when live browsing.
  • Allow for mass deletion of system notifications.
  • Signal feed will now follow Tanium Module Server Proxy Settings.
  • Updated API documentation around alert deletion.
  • Fixed icons when browsing a file with insufficient permissions.
  • Updated column sorting while file browsing.
  • Improvements to SELinux handling for the Tanium Recorder.
  • Fixed an issue where OEL endpoints running in unicast mode could cause endpoints to be unresponsive.

Known Issues

  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.

Release Date: May 11, 2021

Security Update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.

Release Date: April 6, 2021

Important Notes

The primary improvements in Threat Response 3.2 are the ability to use RBAC to limit the alerts and saved evidence that a user can view to only those associated with endpoints that user can view, and the ability to use Chronicle geo-location URLs in stream configurations.

Support

The previous release, Threat Response 3.1, brought full feature parity with the legacy Trace service and Trace product. The 3.1 release marked the end of life of all Trace versions and Threat Response versions 1.x, effective August 1, 2021.

Upgrade notes

Tanium Threat Response 3.2 provides RBAC capabilities for Alerts and Saved Evidence based on each user's computer group access. This functionality depends on the version of Interact (version 2.6.30 or higher) and Direct Connect (version 1.9.1 or higher).

Users will NOT be able to see old alerts after the upgrade unless they are granted the RBAC permission Threat Response Visibility Bypass. After upgrading to 3.2, new Alerts and Saved Evidence will have an EID attached, which is what the new visibility is based on. A full THR administrator will also be able to see the historical alert data.

New Features

  • Improved RBAC for alerts and saved evidence based on computer management rights of each user.
  • The ability to use geo-location based URLs in Stream for Chronicle.

Improvements

  • Live Response now omits sparse data from UsnJrnl collection to speed up collections.
  • Mac sensors now return shell history details.

Fixes

  • Autorun program details will no longer generate network connections to domain controllers.
  • An incorrect stream config will no longer cause profile deployment to fail.
  • Ensured that Threat Response will not get into a state where two alert gathering questions are running simultaneously.
  • HandleDetails-results.txt results are no longer truncated.
  • FIPS enforcement will no longer break Live Response collections.
  • Running Process with Parent now handles exceptions properly.
  • Fixed an issue where recent live connections would fail if the endpoint IP changed.
  • Live Response file collector max depth is now honored correctly.
  • Response actions fixed to fire properly.
  • Upgrade from 2.6.7 now correctly adds signals.
  • DNS sensors now return correctly on Windows 64 bit machines.

Known Issues

  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • Saved Evidence dates collected by the legacy Trace service may be changed to the upgrade date when migrated to the new Threat Response service. (NOTE: The collection date is retained in the file download title/name).

Release Date: March 16, 2021

Change

  • Fixes an issue where Response Actions could be continuously issued every few hours for manually created Response Actions.

Security Update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.


Release Date: February 8, 2021

Important Notes

The release of Tanium Threat Response 3.1 continues the migration to Tanium Client Management’s Endpoint Configuration service. The Threat Intelligence database is now also distributed to endpoints as part of the central tools and configuration management capability. This new functionality combines all solution configurations into one distribution mechanism, reducing the complexity required to configure and deploy Tanium Threat Response.

The previously used packages and actions for Threat Intelligence delivery will no longer be present. For details of Endpoint Configuration please refer to the Endpoint Configuration User Guide:

http://docs.tanium.com/endpoint_configuration/endpoint_configuration/

Threat Response 3.1 includes updated versions of the endpoint components Tanium Index, Tanium Event Recorder, and Tanium Stream.

Support

This release of Threat Response brings full feature parity with the legacy Trace service and Trace product. This release marks the end of life of all Trace versions and Threat Response versions 1.x, which takes effect August 1, 2021.

Upgrade notes

Tanium Threat Response 3.1 removes the legacy Trace service hosted on the Tanium Module Server. All UI and API functionality previously provided by this service has been migrated to the Threat Response service. For details of API changes, refer to the API documentation provided in the UI.

Tanium Threat Response profile advanced settings have been deprecated and removed from the UI. The relevant settings (including distribute over time) have been replaced by the Tanium Endpoint Configuration Tools Installation settings.

If Client Recorder Extension version 1.x is currently deployed on a targeted endpoint, you must remove it before you can install Client Recorder Extension version 2.x tools via the new Endpoint Configuration Framework. To target endpoints where Client Recorder Extension version 1.x exists, ask the Legacy - Recorder Installed sensor. If the Supported Endpoints column in the results of this sensor displays “Yes”, you must remove Client Recorder Extension version 1.x from the endpoint before you can install Client Recorder Extension 2.x tools. To remove Client Recorder Extension version 1.x, deploy the appropriate Recorder - Remove Legacy Recorder [Operating System] package to the targeted endpoints. If this has not been done and the endpoint is targeted for tools, the installation will not proceed.

Tanium recommends systems with at least two cores for Recorder installs, and has required this configuration from Threat Response 2.6 to Threat Response 3.0. Beginning with this release, you may set an option to allow Recorder to run on a single core system. The Recorder CPU setting is modified via content and defaults to the recommended setting of ON (meaning that 2 CPU cores are required to run Recorder). Memory and CPU usage can increase to higher than normal levels when running the Recorder on a single CPU core endpoint. For more information, see:

http://docs.tanium.com/threat_response/threat_response/requirements.html#Endpoint_hardware_requirements

Normally memory and CPU usage average less than 1% over time, with periods of higher activity. System resource usage can increase as the workload on an endpoint increases. Under certain workloads, such as long-lived processes with multiple forked child processes, memory and CPU usage can become high.

New Features

  • Retirement of the legacy Trace module server service
  • Completion of the migration to new UI framework
  • Ability to create response actions without alerts in THR
  • Support for Mitre ATT&CK sub-techniques in signals
  • Add ability to filter alerts by GUID
  • Utilise Endpoint Configuration Service for threat intel deployment
  • Support Include filters for Recorder and Stream configurations
  • Integration with Enforce module for remediation actions

Improvements

  • Support for token based authentication in Threat Response API
  • Combined API route for new saved evidence page
  • Increased information in the saved evidence page
  • Enterprise hunting page redesign
  • Filter by username in saved evidence page
  • Redesign of live response page
  • Include Threat Intel revision details on Intel page
  • Improved error messages in the signal builder
  • New recorder configuration to disable the dual CPU requirement

Fixes

  • Resolved stack trace on Linux for "Service Process Details" sensor
  • Resolved an issue where Intel deployment could fail on Windows endpoints that have certain hotfixes installed and no internet access
  • Refactored Live Connection page to prevent the grid bottom being beyond end of page
  • Resolved issue where copying the Defender intel document name did not copy to clipboard
  • Resolved issue where Safari did not render tables in the Intel and Management pages
  • Refactored Intel documents page where suppress option was not available
  • Resolved issue where snapshot date and time does not represent the actual creation time
  • Refactored Response Activity page to ensure sorting worked as expected
  • Resolved issue where retroactive suppressions only work on unresolved alerts
  • Resolved issue where process information in the side panel is not consistent
  • Corrected file operation types in Enterprise Hunting questions
  • Resolved an issue where the UI presented an error when trying to pivot from an alert to a live connection where the event has been pruned from the recorder database
  • Corrected issue with using “does not contain” and “does not equal” in Live Connection filtering
  • Removed timestamps from the Trace Logon Events sensor to allow “make stackable” to function
  • Resolved issue where edited signals did not display properly in the intel page
  • Resolved issue where sorting of impact rating on home page was incorrect
  • Resolved issue with intelDocs API to ensure existing documents are updated as expected
  • Resolved an issue where the YARA search scope allowed duplicates or blanks
  • Resolved issue where dates are not validated in live connection filters
  • Resolved issue where alerts generated by OpenIOC documents may display the incorrect field data
  • Resolved issue where an IOC with no name could be uploaded in the UI
  • Resolved issue that caused temporary intel database files to not be deleted
  • Resolved issue with signals builder that allowed group() syntax to be used with process terms
  • Resolved issue where filtering the Live Connection view with SQLite terms can cause unusual search results
  • Resolved an issue where the Intel Document ID page was blank for an invalid signal
  • Resolved issue where quickscan results could show no systems but increase alerts count
  • Resolved issue where some computer groups could show twice in the Quickscan UI
  • Resolved issue where incorrect parsing of filters or signals can cause filter or alerts page to not render
  • Resolved an issue that prevented the Response Activity page from sorting correctly
  • Resolved stack trace issue with the Service Process Details sensor when executed on Linux systems
  • Resolved issue where applying a filter to the top panel does not accurately change the other displayed results

Known Issues

  • Trace DNS query sensor can return incorrect results on Windows 7 systems
  • Changing the status on a very large number of alerts can fail silently
  • Live response actions submitted to a system where the hostname changes after initial submission can cause the action to reissue multiple times

Release Date: November 24, 2020

Important Notes

  • The release of Tanium Threat Response 3.0 uses Tanium Client Management and Tanium Endpoint Configuration (provided by Tanium Client Management) to deliver configuration and tools centrally. This new functionality combines all solution configurations into one distribution mechanism to greatly reduce the complexity of actions and packages that was previously required to configure and deploy Tanium Threat Response. The previously used packages and actions for delivery of tools and configurations will no longer be present. For details of Tanium Client Management and Tanium Endpoint Configuration please refer to the Tanium Endpoint Configuration User Guide at

http://docs.tanium.com/endpoint_configuration/endpoint_configuration/index.html.

  • Threat Intelligence packages are currently still delivered in their own package and scheduled action managed by Tanium Threat Response.
  • Tanium Core Platform 7.4 or later must be installed to support Threat Response 3.0 and other modules that rely on Tanium Endpoint Configuration. All dependencies are now enforced in the UI. Before you can load the Threat Response workbench, a check for all required Tanium dependencies is performed. If you need to install additional Tanium dependencies, the name and required version are provided in a UI notification.
  • Threat Response 3.0 includes upgrades to the endpoint components Tanium Index and Tanium Event Recorder.
  • With this release we are ending Tanium Administrative Console and Workbench support for Internet Explorer 11. For the best experience please use a recent version of Google Chrome, Microsoft Edge, or Mozilla Firefox to access the Tanium Console.


Upgrade notes

  • Installation or upgrade of Interact, Trends, and Tanium Client Management must be completed prior to installing Threat Response 3.0 or any other module supporting the Endpoint Configuration management framework.
  • When using Tanium Client Management, the service account for the Threat Response module must include the Endpoint Configuration Service Account role.
  • Tanium Threat Response deprecates support for the legacy Web Socket Client for live endpoint connections. Live Connections to remote endpoints are now performed exclusively with Tanium Direct Connect. For details of installation and configuration of Tanium Direct Connect please consult the Tanium Direct Connect User Guide at

http://docs.tanium.com/direct_connect/direct_connect/index.html

  • Tanium Threat Response profile advanced settings have been deprecated and removed from the UI. The relevant settings (including distribute over time) have been replaced by the Tanium Endpoint Configuration Tools Installation settings.
  • If Client Recorder Extension version 1.x is currently deployed on a targeted endpoint, you must remove it before you can install Client Recorder Extension version 2.x tools via the new Endpoint Configuration Framework. The recommended upgrade steps are:
  1. Upgrade from Threat Response 1.x to Threat Response 2.4
  2. Ensure both the module server and the endpoints are upgraded
  3. Upgrade from Threat Response 2.4 to Threat Response 3.0

Fixes

  • Fixes a state where alerts may not be returned from endpoints.
  • Fixes an issue where Stream configurations may not load on MacOS endpoints.
  • Fixes an issue where a user is unable to edit an Index configuration from the profile page.
  • Fixes an issue where a failed saved evidence migration may cause an upgrade failure due to a service processing error.
  • Fixes an issue where Stream filters may not correctly deploy to endpoints.
  • Fixes an issue where the Start Index Scheduled Actions are not correctly updated at upgrade.
  • Fixes an issue where the Reputation integration fails due to a React transition.

Release Date: October 13, 2020

Important notes

  • The release of Tanium Threat Response 3.0 uses Tanium Client Management and Tanium Endpoint Configuration (provided by Tanium Client Management) to deliver configuration and tools centrally. This new functionality combines all solution configurations into one distribution mechanism to greatly reduce the complexity of actions and packages that was previously required to configure and deploy Tanium Threat Response. The previously used packages and actions for delivery of tools and configurations will no longer be present. For details of Tanium Client Management and Tanium Endpoint Configuration please refer to the Tanium Endpoint Configuration User Guide at http://docs.tanium.com/endpoint_configuration/endpoint_configuration/index.html. Threat Intelligence packages are currently still delivered in their own package and scheduled action managed by Tanium Threat Response.
  • Tanium dependencies are now enforced. Before you can load the Threat Response workbench, a check for all required Tanium dependencies is performed. If you need to install additional Tanium dependencies, the name and required version is provided in a UI notification.


Upgrade notes

  • Tanium Threat Response deprecates support for the legacy Web Socket Client for live endpoint connections. Live Connections to remote endpoints are now performed exclusively with Tanium Direct Connect. For details of installation and configuration of Tanium Direct Connect please consult the Tanium Direct Connect User Guide at http://docs.tanium.com/direct_connect/direct_connect/index.html
  • Tanium Threat Response profile advanced settings have been deprecated and removed from the UI. The relevant settings (including distribute over time) have been replaced by the Tanium Endpoint Configuration Tools Installation settings.

New Features

  • This release includes a new endpoint configuration framework, replacing the actions and packages formerly used to configure endpoint tooling.
  • This release includes a refreshed user experience, bringing more reporting, consistency, and configurability to the forefront.
  • This release adds support for recording of HTTP header events on Windows endpoints via Tanium Recorder.
  • This release includes support for file read events with new recorder updates.
  • This release provides the capability to send Mitre ATT&CK techniques associated with signals in match events sent through Tanium Connect to external destinations.

Improvements

  • Provides more detailed information on the Threat Response home page to quickly visualize Threat Response indicators and view metrics across an entire enterprise.
  • Home page includes configurable quick links to redirect users to regularly used locations.
  • Usability improvements have been made across the Threat Response workbench. This includes improved filtering and sorting in addition to improved workflows.
  • Adds the ability to more intuitively navigate from the Process Tree view back to list view when exploring processes.
  • Adds usability improvements to provide sorting on the Outbound Impact column of the alerts view.
  • Adds usability improvements to the alerts workflow by adding a link to configure Reputation from the alert details.
  • Adds the ability to upload custom Stream configuration data.
  • Adds updates to the Health Status page to more easily troubleshoot and quickly resolve issues on managed endpoints.
  • Provides visibility into the count of undeployed profiles by adding this level of information to the profiles summary.

Fixes

  • Fixes an issue where deleting the alerts of a single intel document deleted all alerts.
  • Fixes an issue where alerts were not generated even though signals were matching.
  • Fixes an issue with intel where the Local Directory Source would not populate new intel
  • Fixes an issue where the Suppressions tab of an Intel document does not list the suppression name
  • Fixes an issue where OpenIOC EventLog-based alerts could have incorrect and incomplete data
  • Fixes an issue where the Saving Evidence progress spinner sometimes is shown indefinitely
  • Fixes an issue so that options listed in dropdown menus are alphabetically sorted
  • Fixes an issue where Intel document sorting is not preserved after applying a label
  • Fixes an issue where Detect service intel sources can unexpectedly run in parallel immediately after creating them
  • Fixes an issue with the Health Check where endpoints could be counted incorrectly.
  • Fixes an issue where some links between processes in live view show "NaN W" instead of a time
  • Fixes an issue where it was not possible to add Image Filters to a recorder configuration
  • Fixes an issue where the Common Module Import for Threat Response doesn't set the quickscan computer group.
  • Fixes an issue where Threat Response alert action buttons inappropriately display when no alerts selected.
  • Fixes an issue where quick scan collecting coverage never completes.
  • Fixes an issue where the current selection was not cleared when switching filters.
  • Fixes an issue where the Threat Response Status sensor does not include a Stream section.
  • Fixes an issue with Health Status so that all default roles can see results in this page.
  • Fixes an issue where the ability to export events to CSV was missing.
  • Fixes an issue with browsing live endpoints where it might be unable to expand the process tree when the user is SYSTEM.
  • Fixes an issue with browsing live endpoints where there could be a failure to connect or delete when targeting deep path structures.
  • Fixes interface issues with the details drawer of the profiles details page
  • Fixes interface issues with the filters page
  • Adds improved messaging about names that exceed the maximum length in configurations.
  • Fixes an issue where an invalid alert detail will trigger an error screen when it is selected
  • Fixes an issue where an Unresolved filter on Intel Document Alert Grid would not work on page load
  • Fixes an issue where Auto Upgrade Tools actions are created and run without being enabled in service settings
  • Fixes an issue where suppression rules could return a "Failed to create suppression rule: internal server error."
  • Fixes an issue where Registry based Signals could fail with - ERROR:internal-error:Illegal result_type filter specified
  • Fixes an issue where it was not possible to add Recorder Process and File Filters in some cases
  • Fixes an issue where a file-based Signal could trigger mistakenly
  • Fixes an issue in the Suppression Rule Preview where truncation is needed for long endpoint names
  • Fixes an issue where Intel Documents sorted by Unresolved Alerts did not behave as expected
  • Fixes an issue where detached processes that are coming from Tanium Processes are not filtered out
  • Fixes an issue where Impact Details are not displayed correctly in the Alert details
  • Fixes an issue where All suppression rules were deleted when one rule was deleted
  • Fixes an issue where not all endpoints are being updated with impact data.
  • Fixes an issue with Evidence Based IOC where it was not possible to Save any new entries.
  • Fixes an issue where the health Check returns "no results" on Debian-based distributions.
  • Fixes an issue where initiating response actions from alerts returns a "DatePicker" error.
  • Fixes an issue where the "Hash Of File" sensor returns a Traceback message for large file sizes.
  • Fixes an issue where alert hover-over views flicker.
  • Fixes an issue where the Threat Response - Status sensor reports that a detect package is required.
  • Fixes an issue where the profile page was polling the entire page to reload, degrading performance.
  • Fixes an issue where the Threat Response User did not have permissions to perform QuickScans.
  • Fixes an issue where Trace Logon Events did not filter by Username, Domain, or Source Host parameters for Windows
  • Fixes an issue where Quick Scan collection could end too quickly to get results
  • Fixes an issue where editing profiles requires a password confirmation to save
  • Fixes an error with the Threat Response - Status sensor returning an error with get_all_profiles()
  • Fixes an issue where snapshots could fail on new deployments
  • Fixes performance issues with the Threat Response home page
  • Fixes an issue where the live connection start time filter does not work correctly.
  • Fixes an issue where scrolling could remove suppression rule filters.
  • Fixes an issue where GUID was not searchable in the alerts table.
  • Fixes an issue where the hash of a process in live connection process details was not always present.
  • Fixes an issue where adding a suppression rule from the intel document view did not auto select the intel document.
  • Fixes an issue where creating a suppression rule from an alert did not show all Signal options.
  • Fixes an issue where the Live Connect history could not be sorted by the date an endpoint last connected.
  • Fixes an issue where it was not possible to sort by OS in the alerts page.
  • Fixes an issue where the filtered counts in the Intel and Manage filter lists could be incorrect.
  • Fixes an issue where network filters did not allow for 'operation type' selection in the filter builder.
  • Fixes an issue where the Endpoint Must Gather could fail if directories are missing on endpoints.
  • Fixes an issue where deleting a profile was not displayed in the Tasks page.
  • Fixes an issue with Health Check where error messages are hidden when packages are not cached.
  • Fixes an issue where the Threat Response - Status sensor could not see tools deployed on Linux.
  • Fixes an issue where after deleting an intel document, the fetched data is not sorted or filtered.
  • Fixes an issue where incident response was not bundling TaniumExecWrapper in Tools.
  • Fixes an issue where applying a label to intel with "select all" also displays an error about removing intel.
  • Fixes an issue with incorrect arrow directions on live connections data grid.
  • Fixes an issue where the "Disconnect" option is greyed out when selecting a live connected endpoint.
  • Fixes an issue where OpenIOC EventLog-based alerts have incorrect and incomplete data.

Known Issues

  • When viewing stacked lists in Threat Response using the Safari browser some pages may display no rows in the table. Using an alternate browser will resolve the issue.
  • The home page confirmation wizard may show that Tanium Signals require importing when the action has already been performed.


TaaS Release Date: August 30, 2020

Changes

  • Adds an updated version of the recorder that:
    • Performs a vacuum on the recorder.db when the DB is two times the chunk size over the max DB size.
    • Improves process table id lookup performance for large security events tables.
    • Fixes an issue with high CPU that might be recorded in the extensions log showing 'a sealed resource is missing or invalid'.
    • Fixes an issue where the recorder might not initialize with IPv6 TCP disabled.

Security Update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.


Release Date: 18 September 2023

Important Notes

  • The “Threat Response – Status” sensor is now deprecated and will no longer be supported in future versions of Threat Response. The “Threat Response – Status” sensor has been replaced with the “Client Extensions – Status” sensor to provide detailed endpoint health information and potential remediation steps.

Improvements

  • Sets the max_string_age_minutes setting to 6 hours for the “Threat Response - Gather Findings”, “Threat Response - Count Findings”, and “Threat Response - Groupings With Findings” sensors.

Fixes

  • Fixes an issue where sorting System Notifications by Event Time was not working correctly.
  • Improves an error message in the suppression rules modal.
  • Fixes an issue where the TPA (Tanium Persistence Analyzer) Scan Frequency setting defaulted to 1 hour. The TPA scan frequency is now set to 1 day by default.

Tools Versions

  • Includes Threat Response Tools: 4.3.202
  • Includes Threat Response CX binary: 1.13.1153
  • Includes Recorder Tool (Installer): 3.14.28
  • Includes Recorder binary: 2.11.1584
  • Includes Driver Tool (Installer): 3.14.28
  • Includes Driver binary: 3.3.30
  • Includes Index binary: 3.5.1727
  • Includes Stream: 2.0.952
  • Includes python38: 3.2.6
  • Includes Incident Response: 6.7.11

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when the MTU of the endpoint's packets is larger than the MTU allowed by the router. Normally the router detects a packet that is too large and sends an ICMP packet back to the endpoint indicating that the packet is too large and advising a lower permissible MTU. If the negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The MacOS Autoruns Sensor does not properly parse autorun information on MacOS 13 Ventura due to a change by Apple on where this information is stored.

Release Date: 14 September 2023

Important Notes

  • The “Threat Response – Status” sensor is now deprecated and will no longer be supported in future versions of Threat Response. The “Threat Response – Status” sensor has been replaced with the “Client Extensions – Status” sensor to provide detailed endpoint health information and potential remediation steps.

Improvements

  • Incorporates minor improvements to the Context Analyzer workbench.

Fixes

  • Fixes an issue where, when creating a Download File response action, the Filter Builder did not display the endpoint selection immediately.
  • Fixes an issue where clicking in the Details section of the response action modal reopened the endpoint search list.
  • Fixes an issue where the Engine Analysis view of a YARA intel doc could cause a web browser to crash.
  • Fixes an issue with the alerts grid where the Retroactive Suppressions banner did not clear when a task was complete.
  • Fixes an issue where offline hostnames could not be returned in Response Actions.
  • Fixes an issue where querying the alerts table was slower than expected when many alerts are present.
  • Fixes an issue where the sensors for the Context Analyzer could be quarantined because of running for longer than 60 seconds.

Tools Versions

  • Includes Threat Response Tools: 4.3.195
  • Includes Threat Response CX binary: 1.13.1153
  • Includes Recorder Tool (Installer): 3.14.28
  • Includes Recorder binary: 2.11.1584
  • Includes Driver Tool (Installer): 3.14.28
  • Includes Driver binary: 3.3.30
  • Includes Index binary: 3.5.1727
  • Includes Stream: 2.0.952
  • Includes python38: 3.2.6
  • Includes Incident Response: 6.7.11

Security Updates

  • Upgraded various third-party libraries to newer versions.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when the MTU of the endpoint's packets is larger than the MTU allowed by the router. Normally the router detects a packet that is too large and sends an ICMP packet back to the endpoint indicating that the packet is too large and advising a lower permissible MTU. If the negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The MacOS Autoruns Sensor does not properly parse autorun information on MacOS 13 Ventura due to a change by Apple on where this information is stored.
  • At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) and Windows 11 ARM endpoints. Memory collection and Live Response may not be fully supported on ARM processors. This support will be provided in a future version of Threat Response.

Release Date: 23 August 2023

Important Notes

  • The “Threat Response – Status” sensor is now deprecated and will no longer be supported in future versions of Threat Response. The “Threat Response – Status” sensor has been replaced with the “Client Extensions – Status” sensor to provide detailed endpoint health information and potential remediation steps.

Fixes

  • Fixes an issue where the TPA (Tanium Persistence Analyzer) Scan Frequency setting defaulted to 1 hour. The TPA scan frequency is now set to 1 day by default.

Tools Versions

  • Includes Threat Response Tools: 4.3.184
  • Includes Threat Response CX binary: 1.13.1153
  • Includes Recorder Tool (Installer): 3.14.28
  • Includes Recorder binary: 2.11.1584
  • Includes Driver Tool (Installer): 3.14.28
  • Includes Driver binary: 3.3.30
  • Includes Index binary: 3.5.1727
  • Includes Stream: 2.0.950
  • Includes python38: 3.2.6
  • Includes python27: 2.1.24
  • Includes Incident Response: 6.7.11

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, MTU negotiation packets can be blocked when the endpoint's MTU is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint to report that the packet is too large and advise lowering the permissible MTU. If that negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium server. Block ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not correctly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) and Windows 11 ARM endpoints. Memory collection and Live Response may not be fully supported on ARM processors. This support will be provided in a future version of Threat Response.

Release Date: 22 August 2023

Important Notes

  • The "Threat Response – Status" sensor is now deprecated and will no longer be supported in future versions of Threat Response. The "Threat Response – Status" sensor has been replaced with the "Client Extensions – Status" sensor to provide detailed endpoint health information and potential remediation steps.

Improvements

  • Enables Threat Response Read-Only Users to use the Context Analyzer if they have the Interact Ask Dynamic Question permission.
  • The progress section of the Context Analyzer is no longer displayed when the results have reached 100% completion.
  • When an endpoint has no matches for a Trace Sensor, the endpoint will now return "Search complete, no matches" instead of "No Results".

Fixes

  • Fixes an issue in the alerts grid where removing a quick filter could cause the workbench to crash.
  • Fixes an issue in Index where ZIP archives over the maximum size limit could be reindexed more often than necessary.

Security Updates

  • Upgraded various third-party libraries to newer versions.

Tools Versions

  • Includes Threat Response Tools: 4.3.183
  • Includes Threat Response CX binary: 1.13.1153
  • Includes Recorder Tool (Installer): 3.14.28
  • Includes Recorder binary: 2.11.1584
  • Includes Driver Tool (Installer): 3.14.28
  • Includes Driver binary: 3.3.30
  • Includes Index binary: 3.5.1727
  • Includes Stream: 2.0.950
  • Includes python38: 3.2.6
  • Includes python27: 2.1.24
  • Includes Incident Response: 6.7.11

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, MTU negotiation packets can be blocked when the endpoint's MTU is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint to report that the packet is too large and advise lowering the permissible MTU. If that negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium server. Block ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not correctly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) and Windows 11 ARM endpoints. Memory collection and Live Response may not be fully supported on ARM processors. This support will be provided in a future version of Threat Response.

Release Date: 15 August 2023

Improvements

  • Improves the Tanium Driver's compatibility with Windows 7 SP1 and Windows Server 2008 R2 SP1 systems that may not have all Windows updates installed.

Tools Versions

  • Includes Threat Response Tools: 4.2.29
  • Includes Threat Response CX binary: 1.12.923
  • Includes Recorder Tool (Installer): 3.14.28
  • Includes Recorder binary: 2.11.1584
  • Includes Driver Tool (Installer): 3.14.28
  • Includes Driver binary: 3.3.30
  • Includes Index binary: 3.3.2634
  • Includes Stream: 1.7.10
  • Includes pycx: 2.5.1019
  • Includes python38: 3.1.43
  • Includes python27: 2.1.24
  • Includes Incident Response: 6.6.31

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, MTU negotiation packets can be blocked when the endpoint's MTU is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint to report that the packet is too large and advise lowering the permissible MTU. If that negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium server. Block ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not correctly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) and Windows 11 ARM endpoints. Memory collection and Live Response may not be fully supported on ARM processors. This support will be provided in a future version of Threat Response.

Release Date: 14 August 2023

Improvements

  • Removed arbitrary limit on the size of the Tanium Signals feed.

Fixes

  • Fixes an issue where a large number of throttled alerts could cause alerts to stop being gathered.

Tools Versions

  • Includes Threat Response Tools: 4.2.28
  • Includes Threat Response CX binary: 1.12.923
  • Includes Recorder Tool (Installer): 3.14.26
  • Includes Recorder binary: 2.11.1582
  • Includes Driver Tool (Installer): 3.14.26
  • Includes Driver binary: 3.3.27
  • Includes Index binary: 3.3.2634
  • Includes Stream: 1.7.10
  • Includes pycx: 2.5.1019
  • Includes python38: 3.1.43
  • Includes python27: 2.1.24
  • Includes Incident Response: 6.6.31

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, MTU negotiation packets can be blocked when the endpoint's MTU is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint to report that the packet is too large and advise lowering the permissible MTU. If that negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium server. Block ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not correctly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) and Windows 11 ARM endpoints. Memory collection and Live Response may not be fully supported on ARM processors. This support will be provided in a future version of Threat Response.

Release Date: 7 August 2023

Important Notes

  • The "Threat Response – Status" sensor is now deprecated and will no longer be supported in future versions of Threat Response. It has been replaced with the "Client Extensions – Status" sensor, which is now used to provide detailed endpoint health information and consistent reporting across all Tanium modules.

New Features

  • Provides a new "Context Analyzer" to enable intelligent workflows for learning more about an artifact of interest and its most recent activity across your entire environment. The Context Analyzer provides a better way to view and organize data across Tanium clients and enables you to correlate data points to determine how normal, or how much of an outlier, certain artifacts and their behavior are.
  • Index scan frequency, High Priority Path scan frequency, and Index first scan distribute over time settings can now be set per Threat Response profile. Index Scan settings have been moved from the top rail service settings to within Index configuration settings.
  • Provides the ability to export alert data from the Threat Response workbench to CSV format for up to 10,000 alerts at a time.
  • The Tanium Persistence Analyzer (TPA) executable has been converted to a client extension (CX) to improve performance. Windows Autoruns are now gathered and cached using Tanium Threat Response CX and CX resource throttling.
  • Provides the ability to view and edit the TPA (Tanium Persistence Analyzer) scan frequency separately in each Threat Response profile.
  • Provides the ability to download locked files from direct connection file browsing on Windows.
  • Provides visibility into quarantined endpoints and the ability to unquarantine endpoints from the Threat Response workbench overview page.
  • Provides eBPF support for Tanium Recorder on Oracle Enterprise Linux 8.7+/9.1+ UEK Kernel on ARM64 endpoints.
  • Provides the ability to have Threat Response automatically create and configure recommended default Saved Questions and Tanium Connect connections to populate Tanium Reputation with hashes from the environment in the settings page.
  • Stream CX has been rewritten from Python to C++ to support future enhancements.

Improvements

  • Migrates the Threat Response database to the Tanium RDB service.
  • Provides the ability in the Reputation source to automatically run an on-demand scan against a targeted computer group when new Reputation malicious hashes become available.
  • Tanium Signals from the Tanium Signal feed are now read-only except for label information.
  • System Notifications filter now searches the notification details.
  • Numerous UI (User Interface) improvements for clarity and performance.
  • Adds SHA1 and SHA256 process hash information in the alert fly-out drawer.
  • Provides an online/offline status indication for endpoints on the alerts page.
  • Updates YARA integration to version 4.3.1.
  • Enables On-Demand scans for Tanium Signals that contain ancestry terms.
  • Updates to the Threat Response API documentation to include On-Demand scans.
  • User data has been added to the combined recorder events view in Direct Connections.
  • Process-Item IOC terms are now enhanced with recorder data to expand detections.
  • Updates the user experience to provide a more consistent delivery of alert data in the Threat Response workbench.
  • The side panels in the Threat Response workbench have been updated to be more uniform and consistent in their design patterns and display of data.
  • The configuration of the Reputation service has been added as part of the CMI installation for Threat Response.
  • Provides support for SHA1 and SHA256 hash types in suppression rules.
  • Standardizes terminology used in the Threat Response workbench by changing “Live Endpoints” to “Direct Connect” for live connections to endpoints to reflect that the connection is created by Tanium Direct Connect.
  • Updates the details view of nodes in the Direct Connection view to display all events.
  • Standardizes terminology for malicious files to be consistent with terminology used in the Reputation service.
  • Displays Process Signature Data in the process tree view for live processes in a direct connection to an endpoint.
  • Provides performance improvements for displaying the Pending Approval state on Response Actions.
  • Reduces the number of Direct Connect actions that Threat Response creates when Gather Snapshot is in a "Running" status.
  • When editing a TAXII or iSight source, if the user has changed a sensitive field, all the other secrets fields are cleared out and a "Reset" link appears in the Security form section header that will restore the initial state for the secrets fields and show the dots again.
  • Provides more informative messaging when using the file browser in a Direct Connection.
  • Updates the Intel Support document in the Threat Response workbench with documentation about ProcessItem/UserId.
  • Event notifications are now scoped to the current user.
  • If the Tanium Signals source is deleted, the associated signals are moved to the Unknown source. If the Tanium Signals source is then recreated, the signals are moved back from the Unknown source.
  • You can no longer delete the Tanium Signals source from Intel Sources.
  • Increases the default intel package generation timeout value to 3 hours.
  • The Index First Scan Distribute Over Time now supports a value of 0.
  • Allows Threat Response to subscribe to Windows Event ID 1117 (DefenderMalwareActionV2).
  • Updates labels for Global Events and Windows Events.
  • Actions or Response Actions that target endpoints from alerts now use the EID of the endpoint for targeting, to avoid acting on an incorrect endpoint.
  • The Profiles details page now adds a reference to the configured scan blockout window.
  • The /config API now includes the value for profiles.state in the response.
  • Updates Python to support running sensors and packages on RHEL 9 and OEL 9.
  • Index: Newly excluded files will now be removed from the Index database upon the next scan, instead of after 21 days.
  • Index: Provides new Index scan deduplication to improve performance and reduce scan times.
  • Index: Provides a new sensor “Index - Is Path Indexed” to help determine whether a specific path is being indexed.
  • Index: Provides two new packages that trigger a one-time Index scan on a specific path: “Deploy Index - Request Immediate One-Time Scan [Windows]” and “Deploy Index - Request Immediate One-Time Scan [Non-Windows]”.
  • Index: Improvements around automatically recovering corrupt/malformed Index databases.
  • Index: Extends the Index snapshot request timeout to 10 minutes to improve EMG (Endpoint Must Gather) collection reliability for larger Index databases.
  • Index: Removes health_checks around volume scope exceptions when applying volume exclusions on top of a scan all volume configuration.
  • Index: Added a timeout to Index sensor queries to prevent prolonged CPU usage for high cost queries.

Fixes

  • Fixes an issue where the filters list in the Profiles page returned unpredictable data.
  • Fixes an issue where when using the Network Port Hunting Strategy, recorder queries could fail intermittently with large IOC documents.
  • Fixes an issue where filtering by a path with a backslash did not match alerts as expected.
  • Fixes the wording of the database size error message to eliminate confusion.
  • Fixes an issue where the Alerts Over Time chart on the Threat Response Overview page picks "last 1 day" after upgrade, obscuring prior events.
  • Fixes an issue in Enterprise Hunting so that Threat Response does not show Saved Questions if user does not have permission to view them.
  • Fixes an issue where Live Response S3 and Google Cloud Storage Interoperability did not work correctly when a port of 0 was specified.
  • Fixes an issue where Bypass Action Approval did not work correctly for Live Response when deployed via an alert action.
  • Fixes an issue where exporting data from Direct Connection did not include all currently displayed rows.
  • Fixes an issue where the Environment Variable %ProgramFiles(x86)% is not parsed correctly in Ad-hoc File Collectors in Live Response configurations.
  • Updates the label of the Intel documents page from "Intel Updated At" to "Intel Deployed At".
  • Fixes an issue where when a user Quick Adds and creates a new intel document without specifying a custom name, the default name appends UTC date and time in ISO format as opposed to local date and time.
  • Fixes an issue where the Alerts table shows intel information even when user does not have the Intel Read permission.
  • Fixes an issue with On-Demand scans where the Deployment Status is still running even though it claims to be complete.
  • Fixes an issue where the Download File Action is only presented when the selected alert has a file path.
  • Fixes an issue where excessive notifications were being displayed in the Response Activity page that indicated the activity was pending approval.
  • Fixes an issue where Live Response does not work correctly when there is a space in the host name field of a destination.
  • Fixes an issue where in Recorder or Stream Configurations, the Configs column will contain the correct count of configurations when a filter is added as "include", but the "Configurations:" section in the expanded row will not contain the filter if the configuration is using "Include" mode.
  • Fixes an issue where the suppression rule modal no longer allows a user to create retroactive suppressions unless the user has the Alerts Write permission.
  • Fixes an issue where, if a user does not have the Intel Write permission, the user cannot see the Labels dropdown. If a user has the Intel Write permission but not the Labels Write permission, the user can see the Labels dropdown but the only option is "Manage Existing Labels".
  • Fixes an issue where a link to alerts for an intel document is no longer displayed to users who do not have the Alerts Read permission.
  • Fixes an issue where the Windows Defender Path is now visible on the Threat Response Alerts page - Alerts group, the quick filters at the top of the page, and is filterable like other paths.
  • Fixes an issue where the UI was making excessive calls to the /eventCounts API.
  • Fixes an issue where in the Saved Evidence: File download page, a task notification shows for another user.
  • Fixes an issue where the name of a registry value that has changed is now correctly shown in Process Information section of the alert for a Signals alert.
  • Fixes an issue where when copying the value of the Connected At time for a Direct Connection, the time is copied as a string.
  • Fixes an issue where when creating or editing a TAXII or iSight source, the subscription interval was required to be minimum of 10 minutes.
  • Fixes an issue where when gathering a snapshot when action approval is turned on, it would not complete due to the pending action approval and you could not delete the pending action.
  • Fixes an issue where when a user clicks the Date or Endpoint header from the alerts page twice so that it is sorted descending and then clicks the details icon, the details panel displays empty.
  • Fixes an issue in Live Response where Destinations and Script Sets tabs delete all when filtered.
  • Fixes an issue where snapshot downloads could fail with a promise timeout.
  • Fixes an issue where the alert details could be missing process hash information.
  • Fixes an issue where when searching for a specific Name and Value in the Threat Response workbench matches were required to be case sensitive. They are now case insensitive.
  • Fixes an issue where a user should only see the Create and Edit buttons for Configurations if the user has the Configuration Write privilege.
  • Fixes an issue where importing an invalid file as an IOC could cause the import to become unresponsive.
  • Fixes an issue in the Response Activity and Alerts modals where pressing Enter on the modal closes it instead of submitting it.
  • Fixes an issue where when attempting to import a signal that contains a suppression rule with a description more than 255 characters, the entire import will fail.
  • Fixes an issue where Signals with a label and blank description can be exported but not imported.
  • Fixes an issue where when viewing events in the combined events view of the process tree, events could be missing.
  • Fixes an issue where old alerts were gathered from endpoints, added to the real-time event Connect job, then immediately pruned from the console.
  • Fixes an issue with the “Threat Response - Groupings With Findings” and “Threat Response - Count Findings” that iterated over an incorrect variable.
  • Fixes an issue where a user could be unable to delete System Notifications with bulk delete.
  • Fixes an issue where if a user has a Detection configuration where the Reputation Source and a Label has been added, the user is unable to deploy intel.
  • Fixes an issue where it was possible to create a High Priority Path filter in Threat Response with invalid syntax due to the filter syntax being case sensitive but not enforced in the editor.
  • Fixes an issue where when creating a Response Action, the list of endpoints when you search could contain duplicate entries.
  • Fixes an issue where a warning appears in the browser console when capturing a snapshot and viewing the capture status.
  • Fixes an issue where the Type and OS filter buttons do not work as expected.
  • Fixes an issue where AutoRuns was incorrectly filtering Microsoft related registry keys.
  • Fixes an issue where the number displayed in the notifications is the total number of profiles (not the filtered count) when exporting profiles.
  • Fixes an API issue where when calling /v1/exports with a filter for the detail column, it should return only those rows matching the details.
  • Fixes an issue where opening a Direct Connection from an alert connected to the most recent process with that PID, which was not the process that raised the alert.
  • Fixes an issue where the source and destination paths for files moves were swapped in Signal results.
  • Fixes an issue where the magic number details should show the value of magic_number_hex, not the deprecated magic_number for the alert details of a file event.
  • Fixes an issue where the export of Signals was not an audited event.
  • Fixes an issue where the filter with regular expression option did not work properly for the sensor "Threat Response - Security Events".
  • Fixes an issue where the Threat Response API documentation mislabeled the API Export Signal Names call as deprecated.
  • Fixes an issue where YARA scans could max out CPU resources for extended periods on endpoints with 1 CPU core.
  • Fixes an issue where suppression rules with a match operator did not match when using "." or "[eè]" against accented characters in the endpoint-side (Boost) regular expression library.
  • Fixes an issue where when creating a suppression rule and only selecting "User" makes it so you cannot save or preview the suppression rule.
  • Fixes an issue where Declare Time filter sets invalid date and time value in Direct Connection view.
  • Fixes an issue where certain STIX intel documents were not being parsed correctly.
  • Fixes an issue where intel changes between hunts are optimized to ensure a complete search of previous findings.
  • Fixes an issue where the YARA pe module might not fully parse files.
  • Fixes an issue where Quarantine automatic proxy rule generation fails when using “<IP>:<Port>” for the Tanium Client configuration “ProxySetting”.
  • Renames Process Information to Event Information for several event types.
  • Fixes an issue where Signals can match on incorrect events when using groupings.
  • Fixes an issue where Google Chronicle was unable to ingest Tanium Stream events if the Event ID ended with a “.0”.
  • Index: Fixes an issue where Index could take a long time to resolve volumes on Linux.
  • Index: Multiple fixes for CPU utilization being higher than intended.
  • Index: Fixed an issue where Index blockout windows were not being respected for Local timezones.

Security Update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium’s Support Portal, or by contacting your TAM.

Tools Versions

  • Includes Threat Response Tools: 4.3.164
  • Includes Threat Response CX binary: 1.13.1153
  • Includes Recorder Tool (Installer): 3.14.27
  • Includes Recorder binary: 2.11.1583
  • Includes Driver Tool (Installer): 3.14.27
  • Includes Driver binary: 3.3.27
  • Includes Index binary: 3.5.1725
  • Includes Stream: 2.0.949
  • Includes python38: 3.2.6
  • Includes python27: 2.1.24
  • Includes Incident Response: 6.7.11

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, MTU negotiation packets can be blocked when the endpoint's MTU is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint to report that the packet is too large and advise lowering the permissible MTU. If that negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium server. Block ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not correctly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) and Windows 11 ARM endpoints. Memory collection and Live Response may not be fully supported on ARM processors. This support will be provided in a future version of Threat Response.

Release Date: 27 July 2023

Improvements

  • Improves the Tanium Driver's compatibility with Carbon Black's tamper protection behavior.

Fixes

  • Fixes an issue with the Tanium Driver installation process to make upgrades of the Tanium Driver more reliable and prevent partial Tanium Driver upgrades.

Tools Versions

  • Includes Threat Response Tools: 4.2.25
  • Includes Threat Response CX binary: 1.12.923
  • Includes Recorder Tool (Installer): 3.14.26
  • Includes Recorder binary: 2.11.1582
  • Includes Driver Tool (Installer): 3.14.26
  • Includes Driver binary: 3.3.27
  • Includes Index binary: 3.3.2634
  • Includes Stream: 1.7.10
  • Includes pycx: 2.5.1019
  • Includes python38: 3.1.43
  • Includes python27: 2.1.24
  • Includes Incident Response: 6.6.31

Security Update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium’s Support Portal, or by contacting your TAM.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, MTU negotiation packets can be blocked when the endpoint's MTU is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint to report that the packet is too large and advise lowering the permissible MTU. If that negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium server. Block ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not correctly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) and Windows 11 ARM endpoints. Memory collection and Live Response may not be fully supported on ARM processors. This support will be provided in a future version of Threat Response.

Release Date: 26 June 2023

Fixes

  • Fixes an issue where intel document definitions were not converted after an upgrade causing intel documents to no longer show as having a definition in the user interface.
  • Fixes an issue where long running intel deployment tasks could fail due to session timeouts.
  • Fixes an issue that could cause a failure with air-gap installations because ThreatResponse.xml contained unprintable characters.

Tools Versions

  • Includes Threat Response CX binary: 1.12.921
  • Includes Recorder Tool (Installer): 3.14.19
  • Includes Recorder binary: 2.11.1576
  • Includes Driver Tool (Installer): 3.14.19
  • Includes Driver binary: 3.3.18
  • Includes Index binary: 3.3.2634
  • Includes Stream: 1.7.10
  • Includes pycx: 2.5.1019
  • Includes python38: 3.1.43
  • Includes python27: 2.1.24
  • Includes Incident Response: 6.6.30

Known Issues

  • There is currently a Tanium Driver compatibility issue with Carbon Black's Parity service when Carbon Black anti-tamper is enabled. A fix for this issue is being researched.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, MTU negotiation packets can be blocked when the endpoint's MTU is larger than the MTU the router allows. Normally the router sees a packet that is too large and sends an ICMP packet back to the endpoint to report that the packet is too large and advise lowering the permissible MTU. If that negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium server. Block ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not correctly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) and Windows 11 ARM endpoints. Memory collection and Live Response may not be fully supported on ARM processors. This support will be provided in a future version of Threat Response.


Release Date: 16 June 2023

Fixes

  • Blank MITRE ATT&CK Framework fields will no longer cause Threat Response upgrades to fail.
  • Fixed an issue where alerts with a NULL OS field would cause the Alerts page to crash.
  • Fixed an issue where Live Endpoint View time filters would sometimes cause an invalid time filter.

Tools Versions

  • Includes Threat Response CX binary: 1.12.921
  • Includes Recorder Tool (Installer): 3.14.19
  • Includes Recorder binary: 2.11.1576
  • Includes Driver Tool (Installer): 3.14.19
  • Includes Driver binary: 3.3.18
  • Includes Index binary: 3.3.2634
  • Includes Stream: 1.7.10
  • Includes pycx: 2.5.1019
  • Includes python38: 3.1.43
  • Includes python27: 2.1.24
  • Includes Incident Response: 6.6.30

Known Issues

  • There is currently a Tanium Driver compatibility issue with Carbon Black's Parity service when Carbon Black anti-tamper is enabled. A fix for this issue is being researched.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU discovery can fail. If the endpoint sends a packet larger than the MTU that a router on the path allows, the router normally drops the packet and returns an ICMP "fragmentation needed" message (Type 3, Code 4) that tells the endpoint to lower its packet size. If that message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Block ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) or Windows 11 ARM endpoints. Memory collection and Live Response might not be fully supported on ARM processors. This support will be provided in a future version of Threat Response.

Release Date: June 07, 2023

Fixes

  • Fixes the possibility of a rare Tanium Driver crash on Windows.
  • Fixes an issue where Hyper-V application crash events may occur in the Windows Application Event log or VMs may fail to start when Tanium Driver Process Injection Monitoring is enabled.

Tools Versions

  • Includes Threat Response CX binary: 1.12.921
  • Includes Recorder Tool (Installer): 3.14.19
  • Includes Recorder binary: 2.11.1576
  • Includes Driver Tool (Installer): 3.14.19
  • Includes Driver binary: 3.3.18
  • Includes Index binary: 3.3.2634
  • Includes Stream: 1.7.10
  • Includes pycx: 2.5.1019
  • Includes python38: 3.1.43
  • Includes python27: 2.1.24
  • Includes Incident Response: 6.6.30

Known Issues

  • There is currently a Tanium Driver compatibility issue with Carbon Black's Parity service when Carbon Black anti-tamper is enabled. A fix for this issue is being researched.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU discovery can fail. If the endpoint sends a packet larger than the MTU that a router on the path allows, the router normally drops the packet and returns an ICMP "fragmentation needed" message (Type 3, Code 4) that tells the endpoint to lower its packet size. If that message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Block ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) or Windows 11 ARM endpoints. Memory collection and Live Response might not be fully supported on ARM processors. This support will be provided in a future version of Threat Response.

Release Date: June 06, 2023

Improvements

  • Enables support for Windows 11 (ARM) endpoints running in emulation mode. Windows 11 (ARM) running in emulation mode is not supported in the following areas:
    • Deep Instinct alert integration.
    • Process Injection monitoring.
    • Memory collection and Live Response may not be fully supported on ARM processors. This support will be provided in a future version of Threat Response.
  • Added the option “Deploy as Service Account” in settings to always deploy Threat Response profiles with System User Service (SUS) permissions. This can help ensure systems are always targeted, even if a user’s computer group management rights are removed or restricted in the future. Note: If the “Deploy as Service Account” setting is enabled, all users who deploy profiles must have unrestricted computer group management rights or management rights to “All Computers”. If the “Deploy as Service Account” setting is not enabled, all users who deploy profiles must have unrestricted computer group management rights, management rights to “All Computers”, or management rights to all computer groups in the profile(s) the user is trying to deploy.

Fixes

  • Fixes an issue where On-Demand Scans did not search Tanium Recorder and live file data.
  • Fixes an issue where pivoting to a live connection from an alert filtered the live connection to the most recent process that reused the PID rather than to the process that was alerted on.
  • Fixes an issue where unzipping an events export from a Process Tree in a direct connection would result in an empty file.
  • Fixes an issue where alert pruning was not turned on by default in Tanium Cloud environments for new Threat Response installations.
  • Fixes an issue where ISO mount registry events on Windows were not recorded.
  • Fixes an issue where Recorder on Windows could hold certain binary files open and prevent that file from being deleted.
  • Fixes a Tanium Driver compatibility issue with Cisco AMP when Tanium process injection monitoring is enabled.
  • Fixes an issue where Deep Instinct and Defender alerts were incorrectly being throttled by service throttles.

Tools Versions

  • Includes Threat Response CX binary: 1.12.921
  • Includes Recorder Tool (Installer): 3.14.17
  • Includes Recorder binary: 2.11.1571
  • Includes Driver Tool (Installer): 3.14.17
  • Includes Driver binary: 3.3.12
  • Includes Index binary: 3.3.2634
  • Includes Stream: 1.7.10
  • Includes pycx: 2.5.1019
  • Includes python38: 3.1.43
  • Includes python27: 2.1.24
  • Includes Incident Response: 6.6.30


Security Update

  • This release includes security updates. Details of the issue, including affected versions and mitigation information, can be obtained from Tanium's Support Portal or by contacting your TAM.


Known Issues

  • There is currently a Tanium Driver compatibility issue with Carbon Black's Parity service when Carbon Black anti-tamper is enabled. A fix for this issue is being researched.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU discovery can fail. If the endpoint sends a packet larger than the MTU that a router on the path allows, the router normally drops the packet and returns an ICMP "fragmentation needed" message (Type 3, Code 4) that tells the endpoint to lower its packet size. If that message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Block ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) or Windows 11 ARM endpoints. Memory collection and Live Response might not be fully supported on ARM processors. This support will be provided in a future version of Threat Response.

Release Date: May 15, 2023

Tools Versions

  • Includes Threat Response CX binary: 1.12.921
  • Includes Recorder Tool (Installer): 3.12.22
  • Includes Recorder binary: 2.10.840
  • Includes Driver Tool (Installer): 3.12.22
  • Includes Driver binary: 3.2.70
  • Includes Index binary: 3.3.2634
  • Includes Stream: 1.7.10
  • Includes pycx: 2.5.1019
  • Includes python38: 3.1.43
  • Includes python27: 2.1.24
  • Includes Incident Response: 6.6.30

Fixes

  • Fixes an issue where On-Demand Scans did not search Tanium Recorder and live file data.
  • Fixes an issue where pivoting to a live connection from an alert filtered the live connection to the most recent process that reused the PID rather than to the process that was alerted on.
  • Fixes an issue where unzipping an events export from a Process Tree in a direct connection would result in an empty file.
  • Fixes an issue where alert pruning was not turned on by default in Tanium Cloud environments for new Threat Response installations.
  • Fixes an issue where Deep Instinct and Defender alerts were incorrectly being throttled by service throttles.
  • Fixes an issue where ISO mount registry events on Windows were not recorded.
  • Fixes an issue where Recorder on Windows could hold certain binary files open and prevent that file from being deleted.
  • Fixes a Tanium Driver compatibility issue with Cisco AMP when Tanium process injection monitoring is enabled.

Security update

  • This release includes security updates. Details of the issue, including affected versions and mitigation information, can be obtained from Tanium's Support Portal or by contacting your TAM.

Known Issues

  • There is currently a Tanium Driver compatibility issue with Carbon Black's Parity service when Carbon Black anti-tamper is enabled. A fix for this issue is being researched.
  • There is a rare issue where Hyper-V application crash events may occur in the Windows Application Event log, or VMs could fail to start, when Process Injection detection is enabled. This is fixed in Threat Response 4.0.1104+.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU discovery can fail. If the endpoint sends a packet larger than the MTU that a router on the path allows, the router normally drops the packet and returns an ICMP "fragmentation needed" message (Type 3, Code 4) that tells the endpoint to lower its packet size. If that message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Block ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) endpoints. Memory collection and Live Response are not supported. This support will be provided in a future version of Threat Response.

Release Date: April 27, 2023

Tools Versions

  • Includes Threat Response CX binary: 1.12.919
  • Includes Recorder Tool (Installer): 3.12.18
  • Includes Recorder binary: 2.10.839
  • Includes Driver Tool (Installer): 3.12.18
  • Includes Driver binary: 3.2.63
  • Includes Index binary: 3.3.2634
  • Includes Stream: 1.7.11
  • Includes pycx: 2.5.1019
  • Includes python38: 3.1.43
  • Includes python27: 2.1.24
  • Includes Incident Response: 6.6.30

Improvements

  • Added the option “Deploy as Service Account” in settings to always deploy Threat Response profiles with System User Service (SUS) permissions. This can help ensure systems are always targeted, even if a user’s computer group management rights are removed or restricted in the future. Note: If the “Deploy as Service Account” setting is enabled, all users who deploy profiles must have unrestricted computer group management rights or management rights to “All Computers”. If the “Deploy as Service Account” setting is not enabled, all users who deploy profiles must have unrestricted computer group management rights, management rights to “All Computers”, or management rights to all computer groups in the profile(s) the user is trying to deploy.
  • Added option to disable tracking of command-lines for forked processes on Linux.
  • Added eBPF Support for Oracle Linux 8 & 9 on ARM.
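The "Deploy as Service Account" rule described in this release's Improvements and in the June 06, 2023 notes above is easy to misread, so here it is written out as an authorization check. This is an added example, not Tanium's implementation: the User and Profile types, the ALL_COMPUTERS sentinel and the function names are assumptions made for illustration. The point it makes explicit is that enabling the setting moves targeting onto System User Service (SUS) rights, but also means an operator whose rights are scoped to specific computer groups can no longer deploy a profile at all.

```python
"""Who may deploy a Threat Response profile under "Deploy as Service Account".

Added example modelling the rule stated in the release notes. The User and
Profile types and the ALL_COMPUTERS sentinel are assumptions for illustration,
not Tanium's own data model.
"""
from dataclasses import dataclass
from typing import FrozenSet

ALL_COMPUTERS = "All Computers"   # assumed name of the global computer group


@dataclass(frozen=True)
class User:
    name: str
    unrestricted: bool = False                      # unrestricted computer group management rights
    managed_groups: FrozenSet[str] = frozenset()    # explicitly granted computer groups


@dataclass(frozen=True)
class Profile:
    name: str
    computer_groups: FrozenSet[str]                 # computer groups the profile targets


def has_global_rights(user: User) -> bool:
    """Unrestricted computer group management rights, or rights to "All Computers"."""
    return user.unrestricted or ALL_COMPUTERS in user.managed_groups


def can_deploy(user: User, profile: Profile, deploy_as_service_account: bool) -> bool:
    """Apply the rule from the release notes.

    Setting enabled : global rights are required.
    Setting disabled: global rights, or rights to every computer group in the profile.
    """
    if has_global_rights(user):
        return True
    if deploy_as_service_account:
        # Deployment runs with SUS permissions; scoped rights are not enough.
        return False
    return profile.computer_groups <= user.managed_groups


def deployment_identity(user: User, deploy_as_service_account: bool) -> str:
    """Whose rights the deployed profile's targeting is evaluated under.

    With the setting enabled the profile is deployed with SUS permissions, so a
    later removal of the user's computer group rights does not affect targeting.
    """
    return "System User Service" if deploy_as_service_account else user.name


if __name__ == "__main__":
    # Constructed accounts and profile for illustration.
    admin = User("admin", unrestricted=True)
    scoped = User("linux-operator",
                  managed_groups=frozenset({"Linux Servers", "Linux Workstations"}))
    profile = Profile("Linux baseline", frozenset({"Linux Servers"}))
    for setting in (False, True):
        print(f"Deploy as Service Account={setting}: "
              f"admin={can_deploy(admin, profile, setting)}, "
              f"linux-operator={can_deploy(scoped, profile, setting)}, "
              f"targeting runs as {deployment_identity(scoped, setting)}")
```

Run it and the scoped operator flips from allowed to denied when the setting is enabled, which is the operational cost of the setting: before turning it on, confirm that everyone who deploys profiles holds unrestricted rights or rights to "All Computers".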

Fixes

  • Fixes an issue where Threat Response profiles could be set to Not Configured on endpoints if the user that deployed the profile(s) had their computer group management rights removed after the profiles were deployed.
  • Fixes an issue where a timeout could occur when loading the Security Events tab in a live connection for an endpoint with a large number of security events.
  • In Connect, the Tanium Detect event group has been renamed to Tanium Threat Response.
  • Fixes an issue where the API documentation stated that ID is a Number, but the route returned the error '"id" must be a string'.
  • Fixes an issue where the AutoRun Program Details sensor did not return all findings for HKCU.
  • Fixes an issue where the MITRE Techniques value was empty in Connect events.
  • Fixes an issue where the Time to Remediation panel on the Alerts dashboard was not displaying correctly.
  • Fixes an issue where certain registry events were not recorded when mounting an ISO.

Known Issues

  • There is currently a Tanium Driver compatibility issue with Carbon Black's Parity service when Carbon Black anti-tamper is enabled. A fix for this issue is being researched.
  • There is a rare issue where Hyper-V application crash events may occur in the Windows Application Event log, or VMs could fail to start, when Process Injection detection is enabled. This is fixed in Threat Response 4.0.1104+.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU discovery can fail. If the endpoint sends a packet larger than the MTU that a router on the path allows, the router normally drops the packet and returns an ICMP "fragmentation needed" message (Type 3, Code 4) that tells the endpoint to lower its packet size. If that message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Block ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On-demand scans for IOCs created from a hash only search content from Tanium Index and do not search content from the recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.
  • At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) endpoints. Memory collection and Live Response are not supported. This support will be provided in a future version of Threat Response.

Release Date: April 4, 2023

Improvements

  • The EID sensor used by Tanium Interact has been changed from "Computer Serial Number" to "Endpoint Fingerprint".
  • The "stored alert" log has been moved from the debug to trace level to provide more efficient logging.

Fixes

  • Fixes an issue where Threat Response failed to delete a response action that was already removed and console users would see repetitive errors for "Task Failed: Response Action" (Unable to Destroy Saved Action).
  • Fixes a potential issue with gathering alerts on Windows modules servers when suppression rules were being applied. After upgrading from an older THR 4.0 version to 4.0.1077 or newer, some older alerts may be retroactively gathered for any impacted intel documents.
  • Fixes an issue where Deep Instinct Alerts could be ignored for event: Type 1/Cause 46.
  • Fixes an issue where Intel is unable to be deployed if a Detection configuration has a Reputation Source added and a label is included.
  • Fixes an issue where when deleting filtered lists of System Notifications, the success or failure of the delete notification inaccurately displayed the unfiltered count of system notifications.
  • Fixes an issue where documentation for the On-Demand Scan API was missing from 4.0 API Doc.
  • Fixes an RBAC issue where Users/personas with the Threat Response Operator Role and explicitly defined computer groups in their management rights are unable to create, edit, or deploy profiles that are within their scope.
  • Fixes an RBAC issue where the Threat Response System User Service did not have sufficient privileges to gather findings if Tanium Default Content was moved to a custom content set.
  • Fixes an issue where PowerShell scripts in the Threat Response - Live Response [Windows] package are not signed.
  • Fixes an issue where false negatives could occur during On-Demand Scans of Signals due to a syntax error.
  • Fixes a rare issue with Tanium Driver 3.2 where certain USB devices may stop working.

Tools Versions

  • Includes Threat Response CX binary: 1.12.919
  • Includes Recorder Tool (Installer): 3.12.16
  • Includes Recorder binary: 2.10.829
  • Includes Driver Tool (Installer): 3.12.13
  • Includes Driver binary: 3.2.63
  • Includes Index binary: 3.3.2634
  • Includes Stream: 1.7.10
  • Includes pycx: 2.5.1019
  • Includes python38: 3.1.43
  • Includes python27: 2.1.44
  • Includes Incident Response: 6.6.22


Security update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.

Known Issues

  • There is currently a Tanium Driver compatibility issue with Carbon Black's Parity service when Carbon Black anti-tamper is enabled. A fix for this issue is being researched.
  • There is a rare issue where Hyper-V application crash events may occur in the Windows Application Event log, or VMs could fail to start, when Process Injection detection is enabled. This is fixed in Threat Response 4.0.1104+.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU discovery can fail. If the endpoint sends a packet larger than the MTU that a router on the path allows, the router normally drops the packet and returns an ICMP "fragmentation needed" message (Type 3, Code 4) that tells the endpoint to lower its packet size. If that message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Block ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On-demand scans for IOCs created from a hash only search content from Tanium Index and do not search content from the recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.
  • At this time, Threat Response is not supported on RHEL/OEL 9.x (ARM and x86) endpoints. This support will be provided in a future version of Threat Response.

Release Date: March 9, 2023

Improvements

  • High-volume log messages have been converted to metrics.
  • Snapshot capture reliability has been improved.
  • Intel database generation reliability has been improved.

Fixes

  • Fixes an issue with YARA scans of live files or memory on macOS.
  • Fixes regular expression matching in suppression rules.
  • Fixes an upgrade failure caused by corrupt intel documents.
  • Fixes an issue where Recorder could cause high memory or CPU utilization on RHEL 7 systems when tracking large numbers of ephemeral threads.
  • Fixes an issue where, on Linux endpoints using audispd as the event source, TaniumAuditPipe was unable to load audit events.
  • Fixes an issue where Recorder database views might not be created.

Tools Versions

  • Includes Threat Response CX binary: 1.12.915.0
  • Includes Recorder Tool (Installer): 3.12.15.0
  • Includes Recorder binary: 2.10.829
  • Includes Driver Tool (Installer): 3.12.13
  • Includes Driver binary: 3.2.57
  • Includes Index binary: 3.3.2634
  • Includes Stream: 1.7.10.0
  • Includes core-python: 2.5.1019.0
  • Includes Incident Response: 6.6.22.0

Security update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium’s Support Portal, or by contacting your TAM.

Known Issues

  • There is a rare issue with Tanium Driver 3.2 where certain USB devices may stop working. This is fixed in Threat Response 4.0.1077+.
  • There is currently a Tanium Driver compatibility issue with Cisco AMP when Tanium process injection monitoring is enabled. This issue is fixed in Threat Response 4.0.1099+.
  • There is currently a Tanium Driver compatibility issue with Carbon Black's Parity service when Carbon Black anti-tamper is enabled. A fix for this issue is being researched.
  • There is a rare issue where Hyper-V application crash events may occur in the Windows Application Event log, or VMs could fail to start, when Process Injection detection is enabled. This is fixed in Threat Response 4.0.1104+.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU discovery can fail. If the endpoint sends a packet larger than the MTU that a router on the path allows, the router normally drops the packet and returns an ICMP "fragmentation needed" message (Type 3, Code 4) that tells the endpoint to lower its packet size. If that message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Block ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On-demand scans for IOCs created from a hash only search content from Tanium Index and do not search content from the recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.
  • At this time, Threat Response is not supported on RHEL/OEL 9.x (ARM and x86) endpoints. This support will be provided in a future version of Threat Response.

Release Date: February 16, 2023

Fixes

  • Fixes an issue where importing intel with improper fields using the API could cause the service to fail during Threat Response upgrades.

Tools Versions

  • Includes Threat Response CX binary: 1.12.900
  • Includes Recorder Tool (Installer): 3.12.13
  • Includes Recorder binary: 2.10.822
  • Includes Driver Tool (Installer): 3.12.13
  • Includes Driver binary: 3.2.57
  • Includes Index binary: 3.3.2623
  • Includes Stream: 1.7.9
  • Includes core-python: 2.2.23
  • Includes Incident Response: 6.6.22

Security update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.

Known Issues

  • There is a rare issue with Tanium Driver 3.2 where certain USB devices may stop working. This is fixed in Threat Response 4.0.1077+.
  • There is currently a Tanium Driver compatibility issue with Cisco AMP when Tanium process injection monitoring is enabled. This issue is fixed in Threat Response 4.0.1099+.
  • There is currently a Tanium Driver compatibility issue with Carbon Black's Parity service when Carbon Black anti-tamper is enabled. A fix for this issue is being researched.
  • There is a rare issue where Hyper-V application crash events may occur in the Windows Application Event log, or VMs could fail to start, when Process Injection detection is enabled. This is fixed in Threat Response 4.0.1104+.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU discovery can fail. If the endpoint sends a packet larger than the MTU that a router on the path allows, the router normally drops the packet and returns an ICMP "fragmentation needed" message (Type 3, Code 4) that tells the endpoint to lower its packet size. If that message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Block ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On-demand scans for IOCs created from a hash only search content from Tanium Index and do not search content from the recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.
  • Suppression rules that use regular expressions to match Process MD5 do not work correctly. This is a known issue and will be addressed in a future version of Threat Response.
  • On Linux endpoints using audispd as the event source, TaniumAuditPipe is unable to load audit events. This is a known issue and will be addressed in a future version of Threat Response. For more information about how to determine which endpoints use audispd as an event source, see the flowchart for Linux endpoints at https://docs.tanium.com/recorder/recorder/overview.html.
  • At this time, Threat Response is not supported on RHEL/OEL 9.x (ARM and x86) endpoints. This support will be provided in a future version of Threat Response.

Release Date: February 2, 2023

Fixes

  • Adds documentation for the registry operation and network operation Signal terms in the Tanium Threat Response Intel Support document.
  • Fixes an issue where alerts with a responsible process did not automatically open the responsible process as the default process tree.
  • Fixes an issue where Connect jobs using the Threat Response event source would stop sending alerts due to an out-of-scope timestamp.
  • Fixes an issue where when editing suppression rules from an Intel document, they could unintentionally be deleted when using Filters and the Select All checkbox.

Tools Versions

  • Includes Threat Response CX binary: 1.12.900
  • Includes Recorder Tool (Installer): 3.11.25
  • Includes Recorder binary: 2.10.822
  • Includes Driver Tool (Installer): 3.11.25
  • Includes Driver binary: 3.1.2058
  • Includes Index binary: 3.3.2623
  • Includes Stream: 1.7.4
  • Includes core-python: 2.2.23
  • Includes Incident Response: 6.6.22

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU discovery can fail. If the endpoint sends a packet larger than the MTU that a router on the path allows, the router normally drops the packet and returns an ICMP "fragmentation needed" message (Type 3, Code 4) that tells the endpoint to lower its packet size. If that message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Block ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On-demand scans for IOCs created from a hash only search content from Tanium Index and do not search content from the recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.
  • Suppression rules that use regular expressions to match Process MD5 do not work correctly. This is a known issue and will be addressed in a future version of Threat Response.
  • On Linux endpoints using audispd as the event source, TaniumAuditPipe is unable to load audit events. This is a known issue and will be addressed in a future version of Threat Response. For more information about how to determine which endpoints use audispd as an event source, see the flowchart for Linux endpoints at https://docs.tanium.com/recorder/recorder/overview.html.
  • At this time, Threat Response is not supported on RHEL/OEL 9.x (ARM and x86) endpoints. This support will be provided in a future version of Threat Response.

Release Date: January 23, 2023

Improvements

  • Improved behavior to limit memory usage when performing memory scoped YARA scans.

Fixes

  • Fixes an issue where the Threat Response - Acknowledge Findings package could use excessive CPU and timeout when running on endpoints with a large number of findings.

Tools Versions

  • Includes Threat Response CX binary: 1.12.900
  • Includes Recorder Tool (Installer): 3.11.25
  • Includes Recorder binary: 2.10.822
  • Includes Driver Tool (Installer): 3.11.25
  • Includes Driver binary: 3.1.2058
  • Includes Index binary: 3.3.2623
  • Includes Stream: 1.7.4
  • Includes core-python: 2.2.23
  • Includes Incident Response: 6.6.22

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU discovery can fail. If the endpoint sends a packet larger than the MTU that a router on the path allows, the router normally drops the packet and returns an ICMP "fragmentation needed" message (Type 3, Code 4) that tells the endpoint to lower its packet size. If that message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Block ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On-demand scans for IOCs created from a hash only search content from Tanium Index and do not search content from the recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.
  • Suppression rules that use regular expressions to match Process MD5 do not work correctly. This is a known issue and will be addressed in a future version of Threat Response.
  • On Linux endpoints using audispd as the event source, TaniumAuditPipe is unable to load audit events. This is a known issue and will be addressed in a future version of Threat Response. For more information about how to determine which endpoints use audispd as an event source, see the flowchart for Linux endpoints at https://docs.tanium.com/recorder/recorder/overview.html.
  • At this time, Threat Response is not supported on RHEL/OEL 9.x (ARM and x86) endpoints. This support will be provided in a future version of Threat Response.

Release Date: January 16, 2023

Important Notes

  • This Threat Response release is focused on Detect end of life.

Upgrade Notes

  • This version of Tanium Threat Response deprecates support for the legacy Detect service and database.
  • In this release of Threat Response, the Detect and Event services are deprecated and replaced by the Threat Response service. The integration between the Threat Response service and the Threat Response Client Extension on endpoints improves performance and provides a platform for future capabilities, intelligence, and workflows around intel and alerting.
  • This release of Threat Response includes API changes that require customers and partners to reconfigure API integrations. The API data format may have changed for many existing routes; most of these changes were made for consistency in what each API returns. From the Threat Response Workbench, click Help > API > See API documentation to review the Threat Response 4.0 API documentation and adjust your integrations appropriately.
  • Threat Response Audit data has been consolidated and updated to use the Connect Source: "Tanium Threat Response" - Type: "Audit Report".

New Features

  • Threat Response now uses the System User Service to manage service credentials.
  • Provides the ability for a user to take action (for example, Delete, Export, or Assign to Workbench Source) on multiple applicable items in the Intel Document list.
  • Provides numerous improvements with the performance of Threat Response sensors on endpoints.
  • Profiles can now handle deleted computer groups.

Tools Versions

  • Includes Threat Response CX binary: 1.12.898
  • Includes Recorder Tool (Installer): 3.11.25
  • Includes Recorder binary: 2.10.822
  • Includes Driver Tool (Installer): 3.11.25
  • Includes Driver binary: 3.1.2058
  • Includes Index binary: 3.3.2623
  • Includes Stream: 1.7.4
  • Includes core-python: 2.2.23
  • Includes Incident Response: 6.6.22

Improvements

  • After Threat Response upgrades, users are no longer prompted to redeploy profiles unless there are undeployed profile configuration changes since the last Threat Response upgrade. On-premises environments are still required to redeploy profiles after Threat Response upgrades if automatic tools deployment is turned off.
  • Provides more verbose messaging when Threat Response profiles cannot be deployed.
  • Provides numerous improvements with the performance of Threat Response sensors on endpoints.
  • In the saved evidence page, snapshots in progress are no longer visible for computer groups that the current persona does not have access to.
  • Tanium YARA scans have been improved to review both resident and paged memory sizes. The maximum size of processes to scan has been increased from 64 MB to 256 MB. This ensures that processes with significant memory mapped to disk, but small active footprints, do not flood endpoint resources by paging in all mapped memory from large latent processes.
  • Threat Response audit data has been consolidated to the Threat Response Connect Audit Feed. The "All Events" source is no longer used for Threat Response audit data.
  • The intel documents page is improved to restrict any workflows that are unactionable by the user.
  • Makes the labels and intel counts links on the profiles page more intuitive.
  • Adds Threat Response audit report events to identify when an Intel document label was modified.
  • Increases the size of the Computer Group filters field on the On-Demand scans page.
  • The Endpoint Throttling notification now shows the Intel document name.
  • Removes the Threat Response Health Check Saved Questions and Sensor.
  • Adds support for a Registry operation property in Signal definitions.
  • Updates the Tanium Default macOS Symantec Filter.
  • Identifies profiles that have deleted computer groups assigned and provides the ability for a user to fix a profile that refers to deleted computer groups.
  • Adds Asset Criticality information to Threat Response alerts.
  • The Threat Response status sensor now includes sensor definitions for AIX and Solaris.
  • Adds a pending approval state to response actions.
  • Removes the "Top 5 Endpoints with the Highest Number of Unresolved Alerts" section of the overview page.
  • Adjusts the retention time for unacknowledged alerts to one year.
  • Improves Reputation Alerts to handle scenarios where certain hash algorithms match.
  • Provides a new Index sensor that returns the top directories that are indexed by count across the environment.
  • Improves Index to query the disk after deduplicating file events from Recorder when High Priority paths are in use.
  • Adds SHA1 and SHA256 hash support to Recorder Process and Library Events.
  • Adds ProcessItem/UserID terms to OpenIOC support.
  • Updates the CX Status Sensor to display Threat Response Profiles ID and Revision output grouped together.
  • Displays the applied Threat Response profile in the default Threat Response client extension log level.
  • Displays container information for Index results in ZIP files in advanced details of Threat Response alerts.

Fixes

  • Fixes an issue where the intel document definition for existing alerts is changed when the source intel definition is changed.
  • Fixes an issue where filter counts for Intel documents were not updated when filtering by platform or time range.
  • Fixes an issue where multiple levels of sorting did not work correctly when browsing live file events.
  • Fixes an issue where time zones were being used inconsistently on the Intel documents page.
  • Fixes an issue where the Threat Response workbench could allow the creation of an invalid IOC normalized tree.
  • Fixes an issue where the alerts count in the system notifications page did not display plural counts.
  • Fixes an issue where an error could occur while writing Reputation hashes to the database.
  • Fixes an issue where Threat Response could generate alerts on hashes that are included in the allow list in Reputation.
  • Fixes an issue where links to Intel documents are not fully underlined in the Intel documents view.
  • Fixes an issue where a collapsed section was not displayed in the advanced details section for alerts.
  • Fixes an issue in the API documentation where the call to Reputation integration was incorrect.
  • Fixes an issue where a Read Only user could ask questions in Enterprise Hunting.
  • Fixes an issue where the technique for Process Injection was being rendered as the Intel document name.
  • Fixes help text in a Live Connection dialog that referenced an incorrect button.
  • Fixes an issue with the alerts page that could load all intel when no alerts were being viewed.
  • Fixes an issue where a user could select an intel-specific suppression rule without selecting an intel document, and save it.
  • Fixes an issue in the filters page where the Select All button would prompt to delete all filters when a grid filter was applied.
  • Fixes an issue in the filters page where the Delete button only deletes a maximum of 100 filters when a higher number of filters is selected.
  • Fixes a display issue in the Saved Evidence page where the username and actions content could overlap.
  • Fixes a typo in the output of the Generate Autorun Cache package script.
  • Fixes an issue where the live connection combined search results could be incorrect if a filter was applied before the results were loaded.
  • Fixes an issue in the API documentation where the overrideScanBlockout documentation was incorrect.
  • Fixes an issue with the Configurations and Profiles pages to reposition the Use UTC checkbox above the scan blockout control.
  • Fixes an issue where the name of the Enforcement created in the Remediate in Enforce response actions is left blank.
  • Fixes an issue where the Trace Logon Events sensor applies filter parameters to the wrong query column.
  • Fixes an issue where the Trace Loaded Drivers sensor uses the wrong string table in the CTE filter for the DriverPath parameter.
  • Fixes an issue where the Trace Network Connections sensor did not always return the maximum results when "Make Stackable" was selected.
  • Fixes a display issue with the way target and actor processes are displayed in process injection alerts.
  • Fixes an issue with alert details where file events could be duplicated in the alert details.
  • Fixes an issue with the Trace Loaded Drivers sensor that used an invalid CTE filter when only filtering on signature status.
  • Fixes an issue with the Trace Registry sensor where it filtered username against the wrong column when using the CTE filter.
  • Fixes an issue with the Trace Network Connections sensor where it could return duplicate results when MakeStackable is selected.
  • Fixes an issue with the Trace Executed Process Trees sensor where it did not return a Yes or No result when "Output only yes or no" is selected.
  • Fixes an issue where removing a label from all shown results from a different filtered label will only remove 100 labels.
  • Fixes an issue where the description of the Workbench intel source mentioned the Detect workbench.
  • Fixes an issue in the alerts results where single line ancestry is not visible.
  • Clarifies computer group targeting information in the On-Demand scan information dialog.
  • Fixes an issue where the Threat Response EID (Endpoint ID) manager becomes unresponsive after an error.
  • Fixes an issue where the signal grouping syntax could become incorrect when modifying Signals or filters.
  • Fixes an error where saved action exports could fail because Threat Response created hourly Saved Actions for Threat Response - Acknowledge Findings.
  • Fixes an issue where Impact Details information was missing from process injection alerts.
  • Fixes an issue where alerts were not returned for live processes.
  • Fixes a display issue where download buttons were shown inconsistently in the Saved Evidence page.
  • Fixes an issue where OneDrive remote files could be erroneously marked as local and indexed on macOS.
  • Fixes an issue where the Index database could become corrupted and not recover automatically.
  • Fixes an issue where when using the Index - File Details sensor to retrieve the contents of a directory a result of "No Results Found" could be returned.
  • Fixes an issue where the recorder could display blank processes for the Windows System process (PID 4).
  • Fixes an issue where the recorder could record invalid user IDs on Windows endpoints.
  • Fixes an issue where the recorder could record file event timestamps out of sync from macOS endpoints.
  • Fixes an issue where there could be a delay in updating the index initial scan complete value until the client was reset on the endpoint.
  • Fixes an issue where there could be an error starting a continuous hunt.
  • Fixes an issue where an incorrect Signal term property was expected for a group name.
  • Fixes an issue where endpoint must gather collections encountered errors when attempting to collect legacy index data.
  • Fixes an issue where Threat Response did not alert on Live Processes by nested properties.
  • Fixes an issue where profiles did not apply if the Windows PATHEXT environment variable was missing the .bat extension.

Security update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU Discovery packets can also be blocked when the endpoint sends packets larger than the MTU that a router on the path allows. Normally the router sees a packet that is too large and sends an ICMP message back to the endpoint that identifies the packet as too large and advises lowering the MTU. If that ICMP message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it is still quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On-demand scans for IOCs created from a hash only search Tanium Index content and do not search Recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.
  • Suppression rules that use regular expressions to match Process MD5 do not work correctly. This is a known issue and will be addressed in a future version of Threat Response.
  • On Linux endpoints using audispd as the event source, TaniumAuditPipe is unable to load audit events. This is a known issue and will be addressed in a future version of Threat Response. For more information about how to determine which endpoints use audispd as an event source, see the flowchart for Linux endpoints at https://docs.tanium.com/recorder/recorder/overview.html.
  • At this time, Threat Response is not supported on RHEL/OEL 9.x (ARM and x86) endpoints. This support will be provided in a future version of Threat Response.

Release Date: January 06, 2023

Fixes

  • Fixes an issue where YARA search scopes (Live File, Memory, and Path) may not be scanned as expected.

Tools Versions

  • Includes core-recorder 3.10.75
  • Includes Recorder 2.9.1334
  • Includes Driver Tool Version 3.10.75
  • Includes Driver binary version 3.1.2058
  • Includes THR-CX 1.11.2959
  • Includes Stream 1.7.4
  • Includes Index 3.3.2607
  • Includes core-python 2.2.23
  • Includes Incident Response 6.5.23

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU Discovery packets can also be blocked when the endpoint sends packets larger than the MTU that a router on the path allows. Normally the router sees a packet that is too large and sends an ICMP message back to the endpoint that identifies the packet as too large and advises lowering the MTU. If that ICMP message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it is still quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On-demand scans for IOCs created from a hash only search Tanium Index content and do not search Recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.

Release Date: October 27, 2022

Improvements

  • The version of Tanium Index that is provided with this version of Threat Response returns the files that are contained in zip archives, including JAR files.

Fixes

  • Fixes a potential conflict between the Tanium Driver and third-party process injection drivers that could cause Microsoft Windows to become unresponsive when Tanium Process Injection alerts are enabled.
  • Fixes a potential crash in Threat Response CX related to Signal matches.
  • Fixes an issue where the Recorder database SQLite cache size was not set correctly.
  • Fixes an issue where Index could consume a large amount of RAM when indexing nested ZIP files.

Tools Versions

  • Includes core-recorder 3.10.75
  • Includes recorder 2.9.1334
  • Includes THR-CX 1.11.2952
  • Includes Stream 1.7.4
  • Includes Driver 3.1.2058
  • Includes Index 3.3.2607
  • Includes core-python 2.2.23
  • Includes Incident Response 6.5.21

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU Discovery packets can also be blocked when the endpoint sends packets larger than the MTU that a router on the path allows. Normally the router sees a packet that is too large and sends an ICMP message back to the endpoint that identifies the packet as too large and advises lowering the MTU. If that ICMP message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it is still quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On-demand scans for IOCs created from a hash only search Tanium Index content and do not search Recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.

Release Date: October 19, 2022

Important Note

  • This release is focused on further expansion of the existing integration with Deep Instinct (DI).

New Features

  • Provides support for the Threat Response and Deep Instinct integration on macOS.
  • Supports additional Deep Instinct event types which allow consumption of the full breadth of Deep Instinct alerts in the Threat Response console.

Improvements

  • Deep Instinct alert details contain a new section called "Deep Instinct" that shows Event Type, Event Action, File Path, File Type, File Hash, and Signature where applicable.
  • A new "Malware Probability" section is included with types such as backdoor, virus, worm, etc.
  • Tanium Driver process injection monitoring exclusions for Deep Instinct are included by default.
  • EID manager logging moved to Trace level.
  • Updated Alert Throttling for the Deep Instinct Integration.
  • Support for permission changes to registry keys, subkeys, values, and hives in Recorder.
  • Improved performance for Trace Logon Events sensor queries.
  • Improved load times when browsing the Combined View in Live Connections.
  • Improved load times when viewing Driver events in Live Connections.
  • Endpoint troubleshooting bundles now include the entire IndexCX directory.

Tools Versions

  • Includes core-recorder 3.10.73
  • Includes recorder 2.9.1333
  • Includes THR-CX 1.11.2949
  • Includes Stream 1.7.4
  • Includes Driver 3.1.2056
  • Includes Index 3.3.2604
  • Includes core-python 2.2.23
  • Includes Incident Response 6.5.21

Fixes

  • Fixes an issue where an errant entry appeared in the alert details panel between the 'Bystander' and 'Security Event' sections.
  • Fixes an On-Demand scanning failure for the Threat Response User role when the Reveal User role is also assigned.
  • Fixes Response Activity status change to "Stopped" after approval even though the action executes.
  • Fixes an issue where Defender alerts were not loading the details panel.
  • Fixes Defender Alert Details in the UI which show unknown under fields such as Detection Type and Process Ancestry.
  • Fixes an issue where the service continues to make requests when TDS is down.
  • Fixes an issue where the AutoRun Sensors description has misspelled reference to a package.
  • Fixes an issue where filters using network.port were not filtering disconnects with matching local ports.
  • Fixes an issue where Stream output would incorrectly grow the file size of extensions-stdout.txt.

Security Update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, Path MTU Discovery packets can also be blocked when the endpoint sends packets larger than the MTU that a router on the path allows. Normally the router sees a packet that is too large and sends an ICMP message back to the endpoint that identifies the packet as too large and advises lowering the MTU. If that ICMP message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it is still quarantined but loses communication with the Tanium Server. Disable ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On-demand scans for IOCs created from a hash only search Tanium Index content and do not search Recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.
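The ICMP quarantine known issue above describes a Path MTU Discovery black hole: the router's "packet too large" feedback is itself ICMP, so a rule that drops all ICMP also drops the one message the endpoint needs to shrink its packets. The following is an added example, not Tanium code or Threat Response quarantine syntax. It parses constructed ICMPv4 Fragmentation Needed and ICMPv6 Packet Too Big messages, models a blanket "block all ICMP" rule beside a narrower rule that keeps only PMTUD feedback, and simulates the MTU negotiation under each to show which one leaves the endpoint reachable. The packet bytes and the rule functions are constructed for illustration.

```python
"""Added example, not Tanium code: why a quarantine rule that blocks all ICMP
also blocks Path MTU Discovery (PMTUD), and a narrower rule that does not.

Everything here runs offline on constructed packets.  The filter functions
model a host-level rule; they are not Threat Response quarantine syntax."""
import struct
from dataclasses import dataclass
from typing import Callable, Optional

# ICMPv4 Destination Unreachable / Fragmentation Needed (RFC 1191): the
# router's next-hop MTU is carried in header bytes 6-7.
ICMP4_DEST_UNREACH = 3
ICMP4_FRAG_NEEDED = 4
ICMP4_ECHO_REQUEST = 8
# ICMPv6 Packet Too Big (RFC 4443): the MTU is carried in header bytes 4-7.
ICMP6_PACKET_TOO_BIG = 2


@dataclass
class IcmpMessage:
    version: int                 # 4 or 6
    msg_type: int
    code: int
    next_hop_mtu: Optional[int]  # set only for PMTUD feedback messages


def parse_icmp(version: int, payload: bytes) -> IcmpMessage:
    """Decode the fixed 8-byte ICMP header; the checksum is not verified here."""
    if len(payload) < 8:
        raise ValueError("ICMP header truncated")
    msg_type, code = payload[0], payload[1]
    mtu = None
    if version == 4 and msg_type == ICMP4_DEST_UNREACH and code == ICMP4_FRAG_NEEDED:
        mtu = struct.unpack("!H", payload[6:8])[0]
    elif version == 6 and msg_type == ICMP6_PACKET_TOO_BIG:
        mtu = struct.unpack("!I", payload[4:8])[0]
    return IcmpMessage(version, msg_type, code, mtu)


# Constructed messages (no real network capture); checksum left as zero.
def frag_needed_v4(next_hop_mtu: int) -> bytes:
    return struct.pack("!BBHHH", ICMP4_DEST_UNREACH, ICMP4_FRAG_NEEDED, 0, 0, next_hop_mtu)


def packet_too_big_v6(mtu: int) -> bytes:
    return struct.pack("!BBHI", ICMP6_PACKET_TOO_BIG, 0, 0, mtu)


def echo_request_v4() -> bytes:
    return struct.pack("!BBHHH", ICMP4_ECHO_REQUEST, 0, 0, 0x1234, 1)


# Two candidate quarantine rules.  Each returns True if the inbound ICMP
# message is allowed to reach the quarantined endpoint.
def block_all_icmp(msg: IcmpMessage) -> bool:
    """The rule described in the known issue: every ICMP message is dropped."""
    return False


def block_icmp_keep_pmtud(msg: IcmpMessage) -> bool:
    """Drop ICMP except the 'packet too big' feedback that PMTUD depends on."""
    return msg.next_hop_mtu is not None


def negotiate_mtu(endpoint_mtu: int, path_mtu: int,
                  rule: Callable[[IcmpMessage], bool]) -> Optional[int]:
    """Simulate PMTUD for a DF-set flow from the quarantined endpoint.

    Returns the MTU the endpoint ends up using, or None if the router's
    feedback is dropped and the endpoint keeps sending packets that never
    arrive (a PMTU black hole: still quarantined, but unreachable)."""
    if endpoint_mtu <= path_mtu:
        return endpoint_mtu  # packets fit; no ICMP feedback is generated
    feedback = parse_icmp(4, frag_needed_v4(path_mtu))
    if not rule(feedback):
        return None
    return feedback.next_hop_mtu


if __name__ == "__main__":
    for name, rule in (("block all ICMP", block_all_icmp),
                       ("block ICMP, keep PMTUD", block_icmp_keep_pmtud)):
        print(f"{name}: endpoint MTU 1500, path MTU 1400 ->",
              negotiate_mtu(1500, 1400, rule))
```

Under the blanket rule the simulation returns None for a 1500-byte endpoint behind a 1400-byte path, which is the "quarantined but lost communication with the Tanium Server" state the note describes; permitting only Type 3/Code 4 (and ICMPv6 Type 2) lets the endpoint settle on 1400 while every other ICMP message stays blocked. Test any exception like this in a lab before relying on it in a production quarantine rule.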

Release Date: September 27, 2022

Improvements

  • EID manager logging moved to Trace level.
  • Recorder includes new driver version 3.1.2053.

Fixes

  • Fixes an on-demand scanning failure for the Threat Response User role when the Reveal User role is also assigned.
  • Fixes a logging error in the Threat Response logs that creates a Findings gather loop.

Tools Versions

  • Includes core-recorder 3.9.70
  • Includes recorder 2.8.1047
  • Includes THR-CX 1.10.990
  • Includes Stream 1.7.3
  • Includes Driver 3.1.2053
  • Includes index-cx 3.2.2774
  • Includes core-python 2.2.18
  • Includes Incident Response 6.5.21

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • Live Response Memory Collection is not supported on Amazon Linux 2 (ARM) endpoints or macOS endpoints that use M1 ARM processors.
  • BeyondTrust/Avecto Privilege Guard Software has an incompatibility with Tanium Driver Process Injection that can cause Microsoft Windows to become unresponsive. If BeyondTrust/Avecto Privilege Guard Software is installed, it is recommended not to enable Tanium Process Injection alerts.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On-demand scans for IOCs created from a hash only search content from Tanium Index and do not search content from the recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.

Release Date: September 15, 2022

Improvements

  • Alerts that remain unacknowledged on endpoints are now removed after 30 days.

Fixes

  • Fixes an issue where the "Threat Response - Acknowledge Findings" action was not being issued with action approval enabled.
  • Fixes an issue where the Threat Response service could become unresponsive due to multiple SQLite connections.
  • Fixes an issue where the Threat Response service could experience a memory leak during event gathering.
  • Fixes an issue which could cause increased Tanium Server network usage when a large number of Threat Response alerts are being throttled.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • Live Response Memory Collection is not supported on Amazon Linux 2 (ARM) endpoints or macOS endpoints that use M1 ARM processors.
  • BeyondTrust/Avecto Privilege Guard Software has an incompatibility with Tanium Driver Process Injection that can cause Microsoft Windows to become unresponsive. If BeyondTrust/Avecto Privilege Guard Software is installed, it is recommended not to enable Tanium Process Injection alerts.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On-demand scans for IOCs created from a hash only search content from Tanium Index and do not search content from the recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.

Release Date: August 29, 2022

Improvement

  • Unacknowledged alerts now remain on the endpoint for up to 30 days.

Fixes

  • Fixes potential Knex errors such as "Knex: Timeout acquiring a connection", which could cause the Detect service and Threat Response workbench to become unavailable.
  • Fixes a potential page crash when expanding suppression rule previews.
  • Fixes an issue where the process tree view does not open when starting a live connection from some alerts.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • Live Response Memory Collection is not supported on Amazon Linux 2 (ARM) endpoints or macOS endpoints that use M1 ARM processors.
  • BeyondTrust/Avecto Privilege Guard Software has an incompatibility with Tanium Driver Process Injection that can cause Microsoft Windows to become unresponsive. If BeyondTrust/Avecto Privilege Guard Software is installed, it is recommended not to enable Tanium Process Injection alerts.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On-demand scans for IOCs created from a hash only search content from Tanium Index and do not search content from the recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.

Release Date: August 23, 2022

Important Notes

  • In Threat Response 3.8, Quick Scans have been replaced with On-Demand scans. If upgrading to Threat Response 3.8 from an earlier version, quick scan history for intel documents is not migrated and is no longer available.
  • On-Demand scans are action-based and now require an approver if action approval is enabled.
  • When upgrading from an existing version of IndexCX to IndexCX 3.2.2762 or higher, the Index database on all endpoints is reset. IndexCX will then perform a rescan to repopulate the Index database. This initial rescan is randomized over 24 hours and follows the same Tanium CX resource throttles as a normal rescan, which occurs every 7 days by default. Until the initial rescan is complete, Index data can be incomplete. This is required due to database schema changes to improve database consistency.
  • System File filters have been renamed to System Filters. These filters will continue to work the same on Linux endpoints. On Windows endpoints, System filters provide the ability to exclude processes from process injection monitoring.
  • The Interact bar on the Enterprise Hunting page has been removed.
  • The Threat Response Health page has been removed. Use the "Client Extensions - Status" sensor as the authoritative resource for which Threat Response components are present and running on an endpoint. The "Threat Response - Status" sensor will be deprecated in a future release.
  • When upgrading from earlier versions of Threat Response, there are differences in Alert Details (and the alert JSON). The differences can be summarized as follows:
    • Hash IDs were numbers; they are now strings.
    • The source for openioc filename matches was tanium-index; it is now index.
    • The service ID was included in match details; it is no longer included in the latest version.
    • The source for openioc network matches was tanium-recorder; it is now threatresponse_database.
    • The source for openioc process matches was tanium-recorder; it is now threatresponse_database.
    • The source for signals matches was signals; it is now recorder or threatresponse_database.
    • The source for yara matches was at-rest; it is now at_rest.
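Integrations that consume alert JSON from both pre-3.8 and post-3.8 endpoints need to reconcile the differences listed above before comparing or storing alerts. The following is an added example, not Tanium code: it rewrites one legacy match-details record into the newer shape (hash IDs as strings, service ID dropped, the source renames applied). The record field names (type, term, source, hash.id, serviceId, matchDetails) are assumptions for illustration only; the page gives the value changes, not the JSON schema, so consult the Threat Response API documentation for the real field names. Because the note says signals matches can now come from either recorder or threatresponse_database, that choice is a parameter rather than a guess.

```python
"""Added example, not Tanium code: normalize match details from pre-3.8
Threat Response alert JSON into the post-3.8 shape listed in the release note.

ASSUMPTION: the field names (type, term, source, hash.id, serviceId,
matchDetails) are illustrative; only the value changes come from the note."""
import copy
from typing import Any, Dict

# Legacy -> current source names, keyed by (intel type, openioc term).
# "signals" maps to recorder or threatresponse_database depending on where the
# match came from; the note does not say which, so it is a parameter below.
SOURCE_MAP = {
    ("openioc", "filename"): {"tanium-index": "index"},
    ("openioc", "network"): {"tanium-recorder": "threatresponse_database"},
    ("openioc", "process"): {"tanium-recorder": "live"},
    ("yara", None): {"at-rest": "at_rest"},
}
SIGNALS_SOURCES = ("recorder", "threatresponse_database")


def normalize_match(match: Dict[str, Any], signals_source: str = "recorder") -> Dict[str, Any]:
    """Return a copy of one match-details record in the post-3.8 format.

    Idempotent: a record already in the new format comes back unchanged,
    and unknown sources are left as-is rather than guessed."""
    if signals_source not in SIGNALS_SOURCES:
        raise ValueError(f"signals_source must be one of {SIGNALS_SOURCES}")
    out = copy.deepcopy(match)
    intel_type = out.get("type")

    # 1. Hash IDs were numbers; they are now strings.
    hash_info = out.get("hash")
    if isinstance(hash_info, dict) and isinstance(hash_info.get("id"), int):
        hash_info["id"] = str(hash_info["id"])

    # 2. The service ID is no longer included in match details.
    out.pop("serviceId", None)

    # 3. Source renames, keyed by intel type (and term for openioc).
    src = out.get("source")
    if intel_type == "signals":
        if src == "signals":
            out["source"] = signals_source
    else:
        key = (intel_type, out.get("term") if intel_type == "openioc" else None)
        out["source"] = SOURCE_MAP.get(key, {}).get(src, src)
    return out


def normalize_alert(alert: Dict[str, Any], signals_source: str = "recorder") -> Dict[str, Any]:
    """Normalize every record under alert["matchDetails"] (assumed key)."""
    out = copy.deepcopy(alert)
    out["matchDetails"] = [normalize_match(m, signals_source)
                           for m in out.get("matchDetails", [])]
    return out


# Constructed legacy alert for demonstration; not captured from a real system.
LEGACY_ALERT = {
    "id": "alert-1",
    "matchDetails": [
        {"type": "openioc", "term": "filename", "source": "tanium-index",
         "hash": {"id": 42, "sha256": "00" * 32}, "serviceId": 7},
        {"type": "openioc", "term": "network", "source": "tanium-recorder", "serviceId": 7},
        {"type": "openioc", "term": "process", "source": "tanium-recorder"},
        {"type": "signals", "source": "signals"},
        {"type": "yara", "source": "at-rest"},
    ],
}

if __name__ == "__main__":
    import json
    print(json.dumps(normalize_alert(LEGACY_ALERT), indent=2))
```

Run the normalizer on every alert before deduplicating or joining on hash IDs; a numeric 42 and the string "42" will otherwise be treated as different keys in most stores. Records that already carry the new source names pass through untouched, so the function can be applied unconditionally during a mixed-version rollout.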

New Features

  • Provides support for Amazon Linux 2 (ARM) and macOS endpoints that use M1 ARM processors.
  • Process injection monitoring: Detects when processes have code written and executed in their memory space in a suspicious manner. Process injection monitoring is supported on Windows 10 and Windows Server 2016, and newer. Process injection monitoring is not enabled by default.
  • New Tanium Client Extension version of the Threat Response evaluation engine, which replaces the Tanium Detect Engine.
  • On-demand scans replace Quick Scans. As opposed to legacy Quick Scans which used questions to deliver the Intel document to the endpoint, On-demand scans use an action to deliver the Intel document to the endpoint for immediate matching and alert reporting, and thus no longer have a limit to the number of indicators in an Intel document for On-demand Scans.
  • On-demand scans of Reputation malicious hashes are now supported.
  • The "Engine" and "Intel" configurations in THR have been consolidated into a single simplified "Detection" configuration.

Improvements

  • Upgraded various third-party libraries to newer versions.
  • Adds support for Tanium Signals syntax v5, which increases the Signals and filters terms limit from 24 to 55.
  • On-demand scans now support overriding Detection configuration scan blockout windows.
  • Response action targeting now relies on multiple endpoint data points for more specific targeting.
  • Ability to download multiple items of Saved Evidence simultaneously.
  • Improves event export to allow exporting up to 500,000 events from live connections and snapshots.
  • Symbolic links are now visible while file browsing in a live connection. Deleting symbolic links requires Tanium Direct Connect 2.4 or higher.
  • “Global” suppression rules have been renamed to “All Signals”.
  • “Signal-Specific” suppression rules have been renamed to “Intel-Specific”.
  • “Defender Intel” document for Windows Defender alerts is now visible on the Intel page.
  • “Deep Instinct” document for Deep Instinct alerts is now visible on the Intel page.
  • Recorder filters now support Registry “Operation” based filters.
  • Recorder filters now support Network “Operation” based filters.
  • Adds the “Index - List Discovered Volumes” sensor to return the list of filesystem volumes discovered by Tanium Index.
  • Adds "ends with" filtering to Live Connections.
  • Improves File Downloads via Live Connections.
  • Supports importing YARA 4.1 rules.
  • Validation of uploaded snapshots.
  • Improves the display of endpoint data details in table format.
  • Improves Alert Summary Charts.
  • Updated Recorder Sensor Descriptions.
  • On Unix/Linux, Threat Response's use of the lsof (list open files) command has been deprecated. Threat Response now uses Recorder data.

Tools Versions

  • Includes core-recorder 3.9.68
  • Includes recorder 2.8.1047
  • Includes THR-CX 1.10.990
  • Includes Stream 1.7.3
  • Includes Driver 3.1.2042
  • Includes index-cx 3.2.2774
  • Includes core-python 2.2.18
  • Includes Incident Response 6.5.21

Fixes

  • Fixes an issue where the recorder shows some processes with no parent.
  • Fixes an issue where the Intel Name in the Alerts grid can disappear when scrolling.
  • Fixes an issue where endpoints show a recorder health check that states “Failed to create BPF Network event provider. Not receiving file events.”
  • Live Response has been updated to allow memory collection from recent Windows 10 releases.
  • Live Response standard collections with variables have been updated to correctly work on macOS and Linux endpoints.
  • Live Response running process collections have been updated to correctly work on macOS.
  • Fixes an issue where Endpoint Configuration Framework (ECF) would remove Threat Response configurations if ECF could not evaluate an endpoint's computer group membership.
  • Fixes an issue where a profile redeployment was needed after tool reinstallation to enable the recorder subscription.
  • Fixes a file size mismatch between the live connection file browser and actual file size on disk.
  • Fixes an issue where Response Actions and action approval would be recreated after deletion.
  • Firefox is now able to correctly render Threat Response alerts.
  • Fixes an issue where configurations with "Tanium Defaults" in the name would be read-only.
  • Fixes an issue where a user is unable to view Linux alerts using the fly out button properly.
  • Updated Threat Response Default Registry Filters.
  • Threat Response and Reputation no longer alert on hashes on the non-malicious list in Reputation.
  • Fixes an issue where it was not possible to use a space when searching filters and exclusions.
  • Fixes an issue where the Intel Label filter freezes after the first search character input and does not accept additional characters.
  • Fixes an issue where the Live Response “Create” and “Generate” buttons can be scrolled out of view.
  • Fixes an issue with Incident Response Sensors where using GetOSMajorVersion does not work on non-English endpoints.
  • Fixes an issue where the “Network Connections” sensor was not stacking data appropriately.
  • Fixes an issue on the alerts page where the alert count by intel document could be incorrect when filtering.
  • Fixes an issue with Intel configurations where the label selection drop down was limited to 100 labels.
  • Fixes an issue in alerts detail where the Impact section of the alert details drawer refreshes when the main alerts grid updates.
  • Fixes an issue where deploying a response action without a package resulted in a “Cannot read property 'files' of undefined” error.
  • Fixes an issue where a Response Action exception error could occur when removing the expiration date.
  • Fixes an issue where the evidence API doesn't accept a limit parameter.
  • Fixes an issue where the popup window is not honoring a timeout value when making a Live Connection from an alert.
  • Fixes an issue where multiple Signal feed updates could occur for the same version.
  • Fixes an issue where saved evidence snapshot uploads are missing a username.
  • Fixes wording of the delete intel confirmation.
  • Fixes an issue in the alerts details drawer where OS Platform is shown twice.
  • Fixes an issue in Quarantine response actions where the custom configuration checkboxes were not working as expected.
  • Fixes an issue where the "Signed" field in driver event view is inaccurate.
  • Fixes an issue in alert details where clicking section icons scrolled to and collapsed that section.

Security update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • Alerts which remain unacknowledged on endpoints will be removed after 7 days. This will be updated to 30 days in a future release of Threat Response.
  • Live Response Memory Collection is not supported on Amazon Linux 2 (ARM) endpoints or macOS endpoints that use M1 ARM processors.
  • BeyondTrust/Avecto Privilege Guard Software has an incompatibility with Tanium Driver Process Injection that can cause Microsoft Windows to become unresponsive. If BeyondTrust/Avecto Privilege Guard Software is installed, it is recommended not to enable Tanium Process Injection alerts.
  • The macOS Autoruns Sensor does not properly parse autorun information on macOS 13 Ventura due to a change by Apple in where this information is stored.
  • On-demand scans for IOCs created from a hash only search content from Tanium Index and do not search content from the recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.

Release Date: August 08, 2022

Improvement

  • Upgraded various third-party libraries to newer versions.

Release Date: July 13, 2022

Fixes

  • Fixes an issue where the recorder shows some processes with no parent.
  • Fixes an issue where endpoints show a recorder health check that states “Failed to create BPF Network event provider. Not receiving file events.”

Tools versions

  • Includes Recorder 2.7.1482
  • Includes Core-Recorder 3.8.106

Release Date: June 30, 2022

Security update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.

Release Date: June 16, 2022

Change

  • Upgrades Tanium interface to latest version.

Security update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.

Release Date: May 16, 2022

Fix

  • Fixes an issue where a failed profile application required a profile revision change and redeployment of the profile.

Tools versions

  • Includes Driver 3.1.2040
  • Includes Core-Recorder 3.8.103

Known issues

  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.

Release Date: April 21, 2022

Fix

  • Fixes an issue where Remediate in Enforce actions would not work with Enforce versions 1.9 or later.

Tools versions

  • Includes Driver 3.1.2036
  • Includes Recorder 2.7.1475
  • Includes Core-Recorder 3.8.101
  • Includes Index 3.2.2733

Improvement

  • The events of a signal match are always written to the database, and override any filters that are included in a recorder configuration.

Known issues

  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.

Release Date: April 6, 2022

Fixes

  • Improves Tanium Index database read performance.
  • Improves Tanium Recorder database read performance.
  • Improves Tanium Index database performance by increasing SQLite cache size.

Tools versions

  • Includes Core Recorder 3.7.156
  • Includes Recorder 2.6.1286
  • Includes Index 3.1.966

Known issues

  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.

Release Date: March 4, 2022

Fixes

  • Fixes an issue where the size of a file appears incorrectly in the file browser in a live endpoint connection.
  • Fixes an issue where the alert dates displayed on the Threat Response home page start with the date of the Threat Response installation.
  • Fixes a memory leak with event detection.

Tools versions

  • Includes Core Recorder 3.7.155
  • Includes Recorder 2.6.1285

Known issues

  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.

Release Date: February 14, 2022

Improvement

  • Threat Response CX has been updated to cache autorun persistent data every 24 hours by default.

Fix

  • Fixes an issue where the detect engine fails to query Index when checking for file names and hashes.

Tools versions

  • Includes Driver: 3.0.1300
  • Includes Core Recorder 3.7.154
  • Includes Index 3.1.963

Known issues

  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.

Release Date: January 10, 2022

Improvement

  • Improved alert storm protection by extending pruning to the event service.

Fixes

  • Resolved the inability to delete signal suppression rules in some cases.
  • Removed several overly verbose debug log messages causing the event service log to roll over too frequently.
  • Resolved issue where event service would fail due to KNEX SQLite errors.
  • Resolved issue where event service metrics were not registering successfully in Grafana.

Known issues

  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.

Release Date: December 20, 2021

Important notes

  • Features Deep Instinct integration for alerts. Deep Instinct incorporates advanced artificial intelligence to prevent and detect malware. Deep Instinct integration allows customers access to the full list of Threat Response remediation actions when handling Deep Instinct alerts. The Deep Instinct integration requires enabling the “Generate Deep Instinct Alerts” setting in an engine configuration for a deployed profile. Once enabled, Threat Response will display Deep Instinct alerts in the Threat Response workbench. By default, this setting is disabled for new configurations. For alerts to be returned from endpoints, the Deep Instinct agent must be running on the endpoint.
  • The Tanium Event Recorder Driver is required and installed for all Windows deployments. The Tanium Driver no longer has a version requirement for Windows 10 and will install on any version of Windows 10. Driver 3.0 introduces a new service on Windows endpoints named TaniumDriverSvc.

Upgrade Recommendations

  • Customers who have saved questions using the Autorun Files / Autoruns By Category / Autorun Program Details sensors will need to recreate the saved questions to take advantage of improvements in the autoruns implementation.
  • The following additional security exclusions have been added for the latest version of the Tanium driver. Refer to the Threat Response User Guide for a complete list of required security exclusions.

C:\Windows\SysWOW64\TaniumProcessMonitor.dll

C:\Windows\system32\drivers\TaniumProcessMonitor.dll

<Tanium Client>\tools\driver\TaniumDriverCtl.exe

<Tanium Client>\tools\driver\TaniumDriverCtl64.exe

<Tanium Client>\tools\driver\TaniumDriverSvc.exe

<Tanium Client>\tools\driver\TaniumDriverSvc64.exe

<Tanium Client>\tools\driver\service\TaniumDriverSvc.exe

<Tanium Client>\tools\driver\service\TaniumDriverSvc64.exe

Improvements

  • Adds endpoint Integration with Deep Instinct (DI) with the ability to use Deep Instinct Alerts in Threat Response.
  • Tanium Driver updated to version 3.0.
  • Autoruns Content has been migrated to Action/Sensor Content for improved performance.
  • Includes a new sensor: Threat Response - Security Events.
  • Includes Live Endpoint UI and feature enhancements.
  • Adds clearer alert source details.
  • Improves alert filtering.
  • Improves the logging of saved evidence.
  • Improves Tanium process filtering.
  • Allows Intel to bypass Endpoint Configuration Approval.
  • UUID is now part of the Saved Evidence API.
  • Includes a Download File link for file Items.
  • Includes stream improvements to Windows security events only configurations.
  • Includes Stream improvements for Library Loads.
  • Features a Trends update to correct permissions and remove legacy boards.
  • Standardizes process ancestry across alert views.
  • Adds support for the diffie-hellman-group-exchange-sha256 key exchange method in TaniumFileTransfer.
  • Includes file collector sets for Edge and IE browser data.
  • Recording of DNS events is now supported on Linux endpoints that have eBPF enabled.

Tools versions

  • Includes Recorder: 2.6.1280.0
  • Includes Index: 3.1.955.0
  • Includes Driver: 3.0.1288.0
  • Includes Core-python (python38): 2.1.39.0
  • Includes THR-CX: 1.7.67.0
  • Includes Detect Engine 3.20.2.0
  • Includes Incident Response: 6.4.6.0
  • Includes Stream: 1.6.8.0

Fixes

  • Fixes malformed Detect Gather with EID sensors.
  • Allows Index configurations without hashing.
  • Fixes download file response actions failing for offline endpoints.
  • Increased snapshot upload max size to 2.5 GB.
  • Fixes file browser breadcrumb navigation.
  • Supports filtering on Windows Defender alerts.
  • Fixes an issue where the base64 checkbox under Services >Misc did not function properly.
  • Fixes Live Response PowerShell's ability to run with various GPO settings.
  • Features updates to Trends boards.
  • Fixes the support for the LogPath variable.
  • Updates Threat Response Read Only User Permissions.
  • Removes TrustedCertPath log spam.
  • Fixes Signal validation in the text editor and filter builder.
  • Importing intel from a local directory now works correctly with subdirectories.
  • Fixes timestamps in response actions.
  • Removes extraneous "k" from UI display.
  • Updates DNS resolver cache hosts to support Japanese character sets.
  • Fixes "Uninstall Threat Response" to no longer leave entry in module dropdown.

Known issues

  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.

Release Date: November 5, 2021

Fixes

  • Fixes an issue where OpenIOC failed to detect files that contain multi-byte characters in FileName or FilePath.
  • Fixes an issue in the recorder where the SELinux policy could prevent the new Installed Applications sensor from executing.
  • Fixes an issue where a response action can result in failure rather than running the expected duration.

Known Issues

  • If the recorder is manually disabled and then manually re-enabled, profiles must be pushed in order for the recorder to actually start back up.
  • Malicious hashes located by Reputation will not be scanned until the next Intel deployment.
  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.
  • In the Saved Evidence view, Threat Response uses the file attributes for the createdAt date instead of the actual date the evidence was created in Threat Response. This can make saved evidence hard to find, since newer evidence would be expected to appear at the top of the list.

Release Date: September 28, 2021

Fixes

  • Fixes an issue where Quick Links may not maintain changes in the user console.
  • Fixes the default verbosity of console.log to make problem resolution easier.

Known Issues

  • If the recorder is manually disabled and then manually re-enabled, profiles must be pushed in order for the recorder to actually start back up.
  • Malicious hashes located by Reputation will not be scanned until the next Intel deployment.
  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.
  • In the Saved Evidence view, Threat Response uses the file attributes for the createdAt date instead of the actual date the evidence was created in Threat Response. This can make saved evidence hard to find, since newer evidence would be expected to appear at the top of the list.

Release Date: September 17, 2021

Fixes

  • Fixes an issue with the recorder where 3rd party installations could hang when the Tanium client is running.
  • Fixes an issue where the Recorder process on Linux may continually increase in usage over time.

Known Issues

  • If the recorder is manually disabled and then manually re-enabled, profiles must be pushed in order for the recorder to actually start back up.
  • Malicious hashes located by Reputation will not be scanned until the next Intel deployment.
  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.
  • In the Saved Evidence view, Threat Response uses the file attributes for the createdAt date instead of the actual date the evidence was created in Threat Response. This can make saved evidence hard to find, since newer evidence would be expected to appear at the top of the list.

Release Date: August 9, 2021

Fixes

  • Fixes an issue where after using quick add to create a FileName or FilePath in addition to a FileHash IOC, no alerts are generated during Quick Scans.
  • Fixes an issue where upgrading to the latest version of Threat Response from Threat Response version 3.3.33 could cause the workbench to become unusable.
  • Fixed an issue where the intel.db might not be generated after upgrading from early versions of Threat Response.
  • Fixed an issue where auto pruning of alerts could cause the Threat Response console to not be able to retrieve pages in the workbench.
  • Fixed an issue where Index exclusions may not apply correctly due to case sensitivity.

Known Issues

  • If the recorder is manually disabled and then manually re-enabled, profiles must be pushed in order for the recorder to actually start back up.
  • Malicious hashes located by Reputation will not be scanned until the next Intel deployment.
  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.
  • In the Saved Evidence view, Threat Response uses the file attributes for the createdAt date instead of the actual date the evidence was created in Threat Response. This can make saved evidence hard to find, since newer evidence would be expected to appear at the top of the list.

Release Date: July 27, 2021

Important Notes

  • Threat Response now has the ability to auto-prune alerts that are in the “Unresolved” state. It will auto-prune alerts to the last 100,000 “Unresolved” alerts and any “Unresolved” alert older than 60 days. Alerts in the “In-Progress” or “Resolved” state will NOT be auto-deleted. This feature will be automatically turned on in TaaS, but will be disabled for on-premise installations. Contact your support service for details on how to enable this feature for on-premise customers.
  • IndexCX provides significant performance improvements for endpoints allowing for the efficient searching of hashes and file meta-data. These changes include a slow walk of the disk and high-priority paths where more frequent updates are required. Please see our online documentation for more details about the benefits and configuration of IndexCX.
  • Reputation now uses IndexCX to allow for the efficient searching of large numbers of hashes with minimal endpoint impact. For 3.4 this change means that malicious hashes found by reputation are now scanned upon intel deployment. You may want to adjust your intel deployment frequency to account for this.
  • Index-CX now uses new sensors that start with 'Index File ...' instead of 'Index File Query ...'. You will need to update any Saved Questions and Connect jobs (for example those used by Reputation) to these new sensors in order to maintain functionality with Index-CX.

Improvements

  • Alert Pruning - For TaaS customers alert auto pruning will occur. See Need to Know for details.
  • IndexCX - better performance and granular control
  • Reputation now uses IndexCX to allow for the efficient scanning for larger numbers of hashes.
  • Local Drive selection and visibility from Live File Browsing
  • Impact details are now included in alerts
  • Add proxy settings to Stream configuration via the UI
  • Ability to export all event related to a specific process
  • Added SRUM data collection via live response
  • Provide a summary of live response changes when generating packages
  • Include content to help remediate alert storms
  • Support TAXII feed from IntSight
  • Support for sending Windows Security events via Stream
  • Help text provided for creating suppression rules
  • THR Trends boards respect RBAC2 permissions
  • Implement persistent query filters
  • Saved Evidence dates will no longer be changed on upgrade
  • Square brackets are now allowed in Live Response names
  • A banner will now be displayed when the THR license has expired
  • Health check remediation re-issue now issues correctly
  • Fixed issue where DB locks were not allowing Alert state changes
  • Detect will no longer try to parse all old quickscan files simultaneously
  • Fixed issue with poor Alert grid performance on Intel pages
  • Column changes are now persisted when opening the Alert details drawer
  • Fixed issue where search for an Index exclusion will deselect all currently selected exclusions
  • Fixed issue where filter builder interpreted the word ‘and’ in a signal incorrectly
  • Updated PowerForensic Prefetch sensor description
  • Added pop-up text to enterprise-pivot icon
  • Fixed issue where clicking Alerts would cause page to temporarily disappear
  • Increased Live Connection initiation timeout
  • Fixed text display under Saved Evidence Page

Fixes

  • Quarantine config file now works with non-standard Tanium Client directories on Linux/Mac
  • Updated Reputation Intel Documents to allow for THR quick scanning
  • Improve TAXII feed http/https attempts
  • Fixed false positives in quick scans due to percent characters
  • Live Response now supports multiple environment variables
  • Improved suppressions matching for Linux group/user fields
  • Update to the Mac Autoruns sensor
  • Helps ensure the WAL file does not grow without bound on the Module Server
  • Quick scans now properly handle process signatures
  • Support Azure blobs as a live response destination
  • Improved import of signals with group terms in the signal
  • Fixed viewing profiles with deleted computer groups
  • Fixed "Assign to workbench" action
  • Upgrading will no longer modify the date of saved evidence
  • Square brackets no longer cause errors in live response
  • Fixed license requirements for legacy licenses
  • Fixed remediation action reissue time
  • Fixed alert status changes
  • Remediation of orphaned quick scans
  • Improve alert page performance
  • Fixed data grid customizations
  • Fixed searching/selecting exclusions
  • Fixed signal filter builder that had an "AND" in the context
  • Corrected description of powerforensics prefetch sensor
  • Fix display of text on saved evidence page
  • Remove PWC as an IOC provider
  • Quickscan for signal will no longer treat % as a wildcard
  • Fixed unicode character parsing in event service
  • Added ability to impact previous signals where the process terms are grouped
  • Image filters are now included in filter exports
  • Fixed issue where moving a single intel document to the workbench would move all intel documents from that source

Known Issues

  • If the recorder is manually disabled and then manually re-enabled, profiles must be pushed in order for the recorder to actually start back up.
  • Malicious hashes located by Reputation will not be scanned until the next Intel deployment.
  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.

Release Date: July 06, 2021

Fix

  • This release contains performance and stability fixes for the recorder.

Known Issues

  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • Memory Collection on macOS may fail to load the osxpmem kernel extension and fail to collect a memory snapshot.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.

Release Date: June 11, 2021

Improvement

  • Sets the default maximum number of full reputation reports in an Intel document to 12 to ensure a safe quick scan size.

Fixes

  • This release contains fixes for applying SELinux policies for the Linux recorder on Red Hat Enterprise Linux.
  • This release contains fixes for Recorder filters for the /dev/shm path on Linux systems running the eBPF recorder.

Known Issues

  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.

Security Update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.

Release Date: May 13, 2021

Important Notes

This Threat Response release adds the capability to use eBPF (extended Berkeley Packet Filter) as the source for the Tanium Recorder on supported RHEL/CentOS and Oracle Linux endpoints. The Tanium Recorder defaults to this mode if an endpoint has the correct requirements.

New Features

  • Support for the use of eBPF on RHEL 7.8+ and Oracle Linux 7.8+ endpoints with proper dependencies and kernel versions.
  • RHEL 7.8 - 8.1 DO require kernel-headers and kernel-devel that match the running kernel in order to be able to use eBPF.
  • Oracle Linux 7.8-8.2 DO require kernel-headers and kernel-devel that match the running kernel in order to be able to use eBPF.
  • Oracle Linux UEK kernel 7.8+ DOES require the kernel-uek-devel package.

Improvements

  • Support for the .yar file extension when uploading YARA rules.
  • Improved Quick Scan coverage messaging.
  • Added capability to filter alerts by intel source.
  • Adds support for setting backlog_wait_time on OEL7 endpoints.

Fixes

  • Improved TAXII feed discovery routes for HTTP/HTTPS.
  • Fixed non-existent file name errors when live browsing.
  • Allow for mass deletion of system notifications.
  • Signal feed will now follow Tanium Module Server Proxy Settings.
  • Updated API documentation around alert deletion.
  • Fixed icons when browsing a file with insufficient permissions.
  • Updated column sorting while file browsing.
  • Improvements to SELinux handling for the Tanium Recorder.
  • Fixed an issue where OEL endpoints running in unicast mode could cause endpoints to be unresponsive.

Known Issues

  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies may fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.

Release Date: May 11, 2021

Security Update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.

Release Date: April 6, 2021

Important Notes

The primary improvements in Threat Response 3.2 are the ability to use RBAC to limit the alerts and saved evidence that a user can view to only those associated with endpoints that user can view, and the ability to use Chronicle geo-location URLs in stream configurations.

Support

The previous release, Threat Response 3.1, brought full feature parity with the legacy Trace service and Trace product. The 3.1 release marked the end of life of all Trace versions and Threat Response versions 1.x, effective August 1, 2021.

Upgrade notes

Tanium Threat Response 3.2 provides RBAC capabilities for Alerts and Saved Evidence based on each user's computer group access. This functionality depends on the version of Interact (version 2.6.30 or higher) and Direct Connect (version 1.9.1 or higher).

Users will NOT be able to see old alerts after upgrade unless the RBAC permission Threat Response Visibility Bypass is granted to them. Once you upgrade to 3.2, new Alerts and Saved Evidence will have an EID attached, which is what the new visibility is based on. A full THR administrator will also be able to see the historical alert data.

New Features

  • Improved RBAC for alerts and saved evidence based on computer management rights of each user.
  • The ability to use geo-location based URLs in Stream for Chronicle.

Improvements

  • Improvement to Live Response to omit sparse data from UsnJrnl collection to speed up collections.
  • Improvements to Mac sensors to now return shell history details.

Fixes

  • Autorun program details will no longer generate network connections to domain controllers.
  • An incorrect stream config will no longer cause profile deployment to fail.
  • Ensured that Threat Response will not get into a state where two alert gathering questions are running simultaneously.
  • HandleDetails-results.txt results are no longer truncated.
  • FIPS enforcement will no longer break Live Response collections.
  • Running Process with Parent now handles exceptions properly.
  • Fixed an issue where recent live connections would fail if the endpoint IP changed.
  • Live Response file collector max depth is now honored correctly.
  • Response actions fixed to fire properly.
  • Upgrade from 2.6.7 now correctly adds signals.
  • DNS sensors now return correctly on Windows 64 bit machines.

Known Issues

  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.


  • Saved Evidence dates collected by the legacy Trace service may be changed to the upgrade date when migrated to the new Threat Response service. (NOTE: The collection date is retained in the file download title/name).

Release Date: March 16, 2021

Change

  • Fixes an issue where manually created Response Actions could be reissued continuously every few hours.

Security Update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.


Release Date: February 8, 2021

Important Notes

The release of Tanium Threat Response 3.1 continues the migration to Tanium Client Management’s Endpoint Configuration service. The Threat Intelligence database is now also distributed to endpoints as part of the central tools and configuration management capability. This new functionality combines all solution configurations into one distribution mechanism, reducing the complexity required to configure and deploy Tanium Threat Response.

The previously used packages and actions for Threat Intelligence delivery will no longer be present. For details of Endpoint Configuration please refer to the Endpoint Configuration User Guide:

http://docs.tanium.com/endpoint_configuration/endpoint_configuration/

Threat Response 3.1 includes updated versions of the endpoint components Tanium Index, Tanium Event Recorder, and Tanium Stream.

Support

This release of Threat Response brings full feature parity with the legacy Trace service and Trace product, and marks the end of life of all Trace versions and Threat Response 1.x, effective August 1, 2021.

Upgrade notes

Tanium Threat Response 3.1 removes the legacy Trace service hosted on the Tanium module server. All UI and API functionality previously provided by this service has been migrated to the Threat Response service. For details of API changes, refer to the API documentation provided in the UI.

Tanium Threat Response profile advanced settings have been deprecated and removed from the UI. The relevant settings (including distribute over time) have been replaced by the Tanium Endpoint Configuration Tools Installation settings.

If Client Recorder Extension version 1.x is currently deployed on a targeted endpoint, you must remove it before you can install Client Recorder Extension version 2.x tools via the new Endpoint Configuration Framework. To find endpoints where Client Recorder Extension version 1.x exists, ask the Legacy - Recorder Installed sensor. If the Supported Endpoints column in the results displays “Yes”, remove Client Recorder Extension version 1.x from that endpoint before installing the 2.x tools by deploying the appropriate Recorder - Remove Legacy Recorder [Operating System] package to the targeted endpoints. If this has not been done and the endpoint is targeted for tools, the installation will not proceed.

Tanium recommends systems with at least two cores for Recorder installs, and required this configuration from Threat Response 2.6 through Threat Response 3.0. Beginning with this release, you can set an option to allow Recorder to run on a single-core system. The Recorder CPU setting is modified via content and defaults to the recommended setting of ON (meaning that two CPU cores are required to run Recorder). Memory and CPU usage can rise above normal levels when Recorder runs on a single-core endpoint. For more information, see:

http://docs.tanium.com/threat_response/threat_response/requirements.html#Endpoint_hardware_requirements

Normally memory and CPU usage average less than 1% over time, with periods of higher activity. System resource usage can increase as workload on an endpoint increases. Under certain workloads, such as long lived processes with multiple forked child processes, memory and CPU usage can become high.

New Features

  • Retirement of the legacy Trace module server service
  • Completion of the migration to new UI framework
  • Ability to create response actions without alerts in THR
  • Support for Mitre ATT&CK sub-techniques in signals
  • Add ability to filter alerts by GUID
  • Utilise Endpoint Configuration Service for threat intel deployment
  • Support Include filters for Recorder and Stream configurations
  • Integration with Enforce module for remediation actions

Improvements

  • Support for token based authentication in Threat Response API
  • Combined API route for new saved evidence page
  • Increased information in the saved evidence page
  • Enterprise hunting page redesign
  • Filter by username in saved evidence page
  • Redesign of live response page
  • Include Threat Intel revision details on Intel page
  • Improved error messages in the signal builder
  • New recorder configuration to disable the dual-CPU requirement

Fixes

  • Resolved stack trace on Linux for "Service Process Details" sensor
  • Resolve issue where Intel deployment can fail on an endpoint when Windows endpoints have certain hotfixes installed and no internet access
  • Refactored Live Connection page to prevent the grid bottom being beyond end of page
  • Resolved issue where copying the Defender intel document name did not copy to clipboard
  • Resolved issue where Safari did not render tables in the Intel and Management pages
  • Refactored Intel documents page where suppress option was not available
  • Resolved issue where snapshot date and time does not represent the actual creation time
  • Refactored Response Activity page to ensure sorting worked as expected
  • Resolved issue where retroactive suppressions only work on unresolved alerts
  • Resolved issue where process information in the side panel is not consistent
  • Corrected file operation types in Enterprise Hunting questions
  • Resolved an issue where the UI presented an error when trying to pivot from an alert to a live connection where the event has been pruned from the recorder database
  • Corrected issue with using “does not contain” and “does not equal” in Live Connection filtering
  • Remove timestamps from Trace Logon Events Sensor to allow “make stackable” to function
  • Resolved issue where edited signals did not display properly in the intel page
  • Resolved issue where sorting of impact rating on home page was incorrect
  • Resolved issue with intelDocs API to ensure existing documents are updated as expected
  • Resolved issue where YARA search scope allowed duplicate or blank entries
  • Resolved issue where dates are not validated in live connection filters
  • Resolved issue where alerts generated by OpenIOC documents may display the incorrect field data
  • Resolved issue where an IOC with no name could be uploaded in the UI
  • Resolved issue that caused temporary intel database files to not be deleted
  • Resolved issue with signals builder that allowed group() syntax to be used with process terms
  • Resolved issue where filtering the Live Connection view with SQLite terms can cause unusual search results
  • Resolved issue where the Intel Document ID page was blank when the document contained an invalid signal
  • Resolved issue where quickscan results could show no systems but increase alerts count
  • Resolved issue where some computer groups could show twice in the Quickscan UI
  • Resolved issue where incorrect parsing of filters or signals can cause filter or alerts page to not render
  • Resolved issue where applying a filter to the top panel does not accurately change the other displayed results

Known Issues

  • Trace DNS query sensor can return incorrect results on Windows 7 systems
  • Changing the status on a very large number of alerts can fail silently
  • Live response actions submitted to a system where the hostname changes after initial submission can cause the action to reissue multiple times

Release Date: November 24, 2020

Important Notes

  • The release of Tanium Threat Response 3.0 uses Tanium Client Management and Tanium Endpoint Configuration (provided by Tanium Client Management) to deliver configuration and tools centrally. This new functionality combines all solution configurations into one distribution mechanism to greatly reduce the complexity of actions and packages that was previously required to configure and deploy Tanium Threat Response. The previously used packages and actions for delivery of tools and configurations will no longer be present. For details of Tanium Client Management and Tanium Endpoint Configuration please refer to the Tanium Endpoint Configuration User Guide at

http://docs.tanium.com/endpoint_configuration/endpoint_configuration/index.html.

  • Threat Intelligence packages are currently still delivered in their own package and scheduled action managed by Tanium Threat Response.
  • Tanium Core Platform 7.4 or later is required to be installed to support the use of Threat Response 3.0 and other modules relying on the Tanium Endpoint Configuration. All dependencies are now enforced in the UI. Before you can load the Threat Response workbench, a check for all required Tanium dependencies is performed. If you need to install additional Tanium dependencies, the name and required version is provided in a UI notification.
  • Threat Response 3.0 includes upgrades to the endpoint components Tanium Index and Tanium Event Recorder.
  • With this release we are ending Tanium Administrative Console and Workbench support for Internet Explorer 11. For the best experience please use a recent version of Google Chrome, Microsoft Edge, or Mozilla Firefox to access the Tanium Console.


Upgrade notes

  • Installation or upgrade of Interact, Trends, and Tanium Client Management must be completed prior to installing Threat Response 3.0 or any other module supporting the Endpoint Configuration management framework.
  • When using Tanium Client Management it is a requirement to ensure that the service account for the Threat Response module includes the role Endpoint Configuration Service Account role.
  • Tanium Threat Response deprecates support for the legacy Web Socket Client for live endpoint connections. Live Connections to remote endpoints are now performed exclusively with Tanium Direct Connect. For details of installation and configuration of Tanium Direct Connect please consult the Tanium Direct Connect User Guide at

http://docs.tanium.com/direct_connect/direct_connect/index.html

  • Tanium Threat Response profile advanced settings have been deprecated and removed from the UI. The relevant settings (including distribute over time) have been replaced by the Tanium Endpoint Configuration Tools Installation settings.
  • If Client Recorder Extension version 1.x is currently deployed on a targeted endpoint, you must remove it before you can install Client Recorder Extension version 2.x tools via the new Endpoint Configuration Framework. The recommended steps for upgrading are to:
  1. Upgrade from Threat Response 1.x to Threat Response 2.4
  2. Ensure both the module server and the endpoints are upgraded
  3. Upgrade from Threat Response 2.4 to Threat Response 3.0

Fixes

  • Fixes a state where alerts may not be returned from endpoints.
  • Fixes an issue where Stream configurations may not load on MacOS endpoints.
  • Fixes an issue where a user is unable to edit an Index configuration from the profile page.
  • Fixes an issue where a failed saved evidence migration may cause an upgrade failure due to a service processing error.
  • Fixes an issue where Stream filters may not correctly deploy to endpoints.
  • Fixes an issue where the Start Index Scheduled Actions are not correctly updated at upgrade.
  • Fixes an issue where the Reputation integration fails due to a React transition.

Release Date: October 13, 2020

Important notes

  • The release of Tanium Threat Response 3.0 uses Tanium Client Management and Tanium Endpoint Configuration (provided by Tanium Client Management) to deliver configuration and tools centrally. This new functionality combines all solution configurations into one distribution mechanism to greatly reduce the complexity of actions and packages that was previously required to configure and deploy Tanium Threat Response. The previously used packages and actions for delivery of tools and configurations will no longer be present. For details of Tanium Client Management and Tanium Endpoint Configuration please refer to the Tanium Endpoint Configuration User Guide at http://docs.tanium.com/endpoint_configuration/endpoint_configuration/index.html. Threat Intelligence packages are currently still delivered in their own package and scheduled action managed by Tanium Threat Response.
  • Tanium dependencies are now enforced. Before you can load the Threat Response workbench, a check for all required Tanium dependencies is performed. If you need to install additional Tanium dependencies, the name and required version is provided in a UI notification.


Upgrade notes

  • Tanium Threat Response deprecates support for the legacy Web Socket Client for live endpoint connections. Live Connections to remote endpoints are now performed exclusively with Tanium Direct Connect. For details of installation and configuration of Tanium Direct Connect please consult the Tanium Direct Connect User Guide at http://docs.tanium.com/direct_connect/direct_connect/index.html
  • Tanium Threat Response profile advanced settings have been deprecated and removed from the UI. The relevant settings (including distribute over time) have been replaced by the Tanium Endpoint Configuration Tools Installation settings.

New Features

  • This release includes a new endpoint configuration framework, replacing the actions and packages formerly used to configure endpoint tooling.
  • This release includes a refreshed user experience, bringing more reporting, consistency, and configurability to the forefront.
  • This release adds support for recording of HTTP header events on Windows endpoints via Tanium Recorder.
  • This release includes support for file read events with new recorder updates.
  • This release provides the capability to send Mitre ATT&CK techniques associated with signals in match events sent through Tanium Connect to external destinations.

Improvements

  • Provides more detailed information on the Threat Response home page to quickly visualize Threat Response indicators and view metrics across an entire enterprise.
  • Home page includes configurable quick links to redirect users to regularly used locations.
  • Usability improvements have been made across the Threat Response workbench. This includes improved filtering and sorting in addition to improved workflows.
  • Adds the ability to more intuitively navigate from the Process Tree view back to list view when exploring processes.
  • Adds usability improvements to provide sorting on the Outbound Impact column of the alerts view.
  • Add usability improvements to the alerts workflow by adding a link to configure Reputation from the alert details.
  • Adds the ability to upload custom Stream configuration data.
  • Adds updates to the Health Status page to more easily troubleshoot - and to quickly resolve - issues on managed endpoints.
  • Provides visibility into the count of undeployed profiles by adding this level of information to the profiles summary.

Fixes

  • Fixes an issue where deleting the alerts of a single intel document deleted all alerts.
  • Fixes an issue where alerts were not generated even though signals were matching.
  • Fixes an issue with intel where the Local Directory Source would not populate new intel
  • Fixes an issue where the Suppressions tab of an Intel document does not list the suppression name
  • Fixes an issue where OpenIOC EventLog-based alerts could have incorrect and incomplete data
  • Fixes an issue where the Saving Evidence progress spinner sometimes is shown indefinitely
  • Fixes an issue where options listed in dropdown menus were not sorted alphabetically.
  • Fixes an issue where Intel document sorting is not preserved after applying a label
  • Fixes an issue where Detect service intel sources can unexpectedly run in parallel immediately after creating them
  • Fixes an issue with the Health Check where Incorrect Counting of Endpoints could occur
  • Fixes an issue where some links between processes in live view show "NaN W" instead of a time
  • Fixes an issue where it was not possible to add Image Filters to a recorder configuration
  • Fixes an issue where the Common Module Import for Threat Response doesn't set the quickscan computer group.
  • Fixes an issue where Threat Response alert action buttons inappropriately display when no alerts selected.
  • Fixes an issue where quick scan collecting coverage never completes.
  • Fixes an issue where the current selection was not cleared when switching filters.
  • Fixes an issue where the Threat Response Status sensor does not include a Stream section.
  • Fixes an issue with Health Status so that all default roles can see results in this page.
  • Fixes an issue where the ability to export events to CSV was missing.
  • Fixes an issue with browsing live endpoints where it might be unable to expand the process tree when the user is SYSTEM.
  • Fixes an issue with browsing live endpoints where there could be a failure to connect or delete when targeting deep path structures.
  • Fixes interface issues with the details drawer of the profiles details page
  • Fixes interface issues with the filters page
  • Adds improved messaging about names that exceed the maximum length in configurations.
  • Fixes an issue where an invalid alert detail will trigger an error screen when it is selected
  • Fixes an issue where an Unresolved filter on Intel Document Alert Grid would not work on page load
  • Fixes an issue where Auto Upgrade Tools actions are created and run without being enabled in service settings
  • Fixes an issue where suppression rules could return a "Failed to create suppression rule: internal server error."
  • Fixes an issue where Registry based Signals could fail with - ERROR:internal-error:Illegal result_type filter specified
  • Fixes an issue where it was not possible to add Recorder Process and File Filters in some cases
  • Fixes an issue where a file-based Signal could trigger mistakenly
  • Fixes an issue in the Suppression Rule Preview where truncation is needed for long endpoint names
  • Fixes an issue where Intel Documents sorted by Unresolved Alerts did not behave as expected
  • Fixes an issue where detached processes that are coming from Tanium Processes are not filtered out
  • Fixes an issue where Impact Details are not displayed correctly in the Alert details
  • Fixes an issue where All suppression rules were deleted when one rule was deleted
  • Fixes an issue where not all endpoints are being updated with impact data.
  • Fixes an issue with Evidence Based IOC where it was not possible to Save any new entries.
  • Fixes an issue where the health Check returns "no results" on Debian-based distributions.
  • Fixes an issue where initiating response actions from alerts returns a "DatePicker" error.
  • Fixes an issue where the "Hash Of File" sensor returns a Traceback message for large file sizes.
  • Fixes an issue where alert hover-over views flicker.
  • Fixes an issue where the Threat Response - Status sensor reports that a detect package is required.
  • Fixes an issue where the profile page was polling the entire page to reload, degrading performance.
  • Fixes an issue where the Threat Response User did not have permissions to perform QuickScans.
  • Fixes an issue where Trace Logon Events did not filter by Username, Domain, or Source Host parameters for Windows
  • Fixes an issue where Quick Scan collection could end too quickly to get results
  • Fixes an issue where editing profiles requires a password confirmation to save
  • Fixes an error with the Threat Response - Status sensor returning an error with get_all_profiles()
  • Fixes an issue where snapshots could fail on new deployments
  • Fixes performance issues with the Threat Response home page
  • Fixes an issue where the live connection start time filter does not work correctly.
  • Fixes an issue where scrolling could remove suppression rule filters.
  • Fixes an issue where GUID was not searchable in the alerts table.
  • Fixes an issue where the hash of a process in live connection process details was not always present.
  • Fixes an issue where adding a suppression rule from the intel document view did not auto select the intel document.
  • Fixes an issue where creating a suppression rule from an alert did not show all Signal options.
  • Fixes an issue so that the Live Connect history can be sorted by the date an endpoint last connected.
  • Fixes an issue where it was not possible to sort by OS in the alerts page.
  • Fixes an issue where intel and manage filter lists filtered counts could be incorrect.
  • Fixes an issue where network filters did not allow for 'operation type' selection in the filter builder.
  • Fixes an issue where the Endpoint Must Gather could fail if directories are missing on endpoints.
  • Fixes an issue where deleting a profile was not displayed in the Tasks page.
  • Fixes an issue with Health Check where error messages are hidden when packages are not cached.
  • Fixes an issue where the Threat Response - Status sensor could not see tools deployed on Linux.
  • Fixes an issue where after deleting an intel document, the fetched data is not sorted or filtered.
  • Fixes an issue where incident response was not bundling TaniumExecWrapper in Tools.
  • Fixes an issue where applying a label to intel with "select all" also displays an error about removing intel.
  • Fixes an issue with incorrect arrow directions on live connections data grid.
  • Fixes an issue where the "Disconnect" option is greyed out when selecting a live connected endpoint.

Known Issues

  • When viewing stacked lists in Threat Response using the Safari browser some pages may display no rows in the table. Using an alternate browser will resolve the issue.
  • The home page confirmation wizard may show that Tanium Signals require importing when the action has already been performed.


TaaS Release Date: August 30, 2020

Changes

  • Adds an updated version of the recorder that:
    • Performs a vacuum on recorder.db when the database exceeds its maximum size by two chunk sizes.
    • Improves process table id lookup performance for large security events tables.
    • Fixes a high-CPU issue that the extensions log might record as 'a sealed resource is missing or invalid'.
    • Fixes an issue where the recorder might not initialize with IPv6 TCP disabled.

Security Update

  • This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.