Aug 11, 2021

Make Your Organization Even Safer with Tanium Threat Response 3.4

New features and an improved Index CX let you investigate and respond to cyber threats more effectively in real time

By Tanium Staff

Users of Tanium Threat Response can now make their organizations even safer. Our module for investigating and responding to cyber threats in real time has been upgraded with your security in mind.

With the new Threat Response 3.4, security leaders can now:

  • Search for literally hundreds of thousands of hashes — with little or no impact on the performance of endpoint devices.
  • Set high-priority paths when a weekly crawl is not frequent enough.
  • Better utilize resources, without separate throttles needed for Classic Index.
  • Enjoy OS consistency because Threat Response now works the same for each operating system, helping to avoid issues with an OS making underlying changes between releases.
  • Efficiently search known malicious hashes, whether defined by you or found in your environment by a reputation provider, without needing to comb through dozens or even hundreds of separate intel documents. Instead, the hashes are simply scanned.

All this is now possible because we’ve moved Threat Response from Classic Index to Index CX.

[Image: Threat Response UI. Caption: Get the critical information you need faster with Index CX]

What’s an Index?

An Index is a local database on each endpoint, and its store includes file metadata and hashes. This allows you to search for files across your enterprise by name, path and file hash. This also lets you combine searches when looking for unusual activity, such as PE file types without an .exe extension.
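The combined search described above, sketched as an added example; this is not Tanium's code or schema. The table layout, function names and the three sample files are assumptions constructed for the demonstration.

```python
import hashlib, os, pathlib, sqlite3, struct, tempfile
# Constructed sample: minimal DOS header whose e_lfanew (offset 0x3C) points at "PE\0\0".
PE_STUB = b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0"

def inspect(path):
    """Return (sha256, ftype); ftype is 'pe' only if both MZ and PE signatures are present."""
    digest, ftype = hashlib.sha256(), "other"
    with open(path, "rb") as fh:
        head = fh.read(64)
        if len(head) == 64 and head[:2] == b"MZ":
            fh.seek(struct.unpack_from("<I", head, 0x3C)[0])
            ftype = "pe" if fh.read(4) == b"PE\0\0" else "other"
        fh.seek(0)
        for chunk in iter(lambda: fh.read(1 << 20), b""):  # hash in 1 MiB chunks
            digest.update(chunk)
    return digest.hexdigest(), ftype

def build_index(root):
    """Crawl root once; keep path, extension, content type and hash in a local SQLite DB."""
    db = sqlite3.connect(":memory:")  # assumption: a real index would persist to disk
    db.execute("CREATE TABLE files(path TEXT PRIMARY KEY, ext TEXT, ftype TEXT, sha256 TEXT)")
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                sha, ftype = inspect(path)
            except OSError:
                continue  # unreadable or vanished file: skip it, a later crawl retries
            row = (path, os.path.splitext(name)[1].lower(), ftype, sha)
            db.execute("INSERT INTO files VALUES (?,?,?,?)", row)
    return db

def pe_without_expected_ext(db, expected=(".exe",)):
    """Combined search: content says PE, extension says otherwise (add .dll/.sys as needed)."""
    rows = db.execute("SELECT path, ext FROM files WHERE ftype='pe' ORDER BY path")
    return [path for path, ext in rows if ext not in expected]

def match_hashes(db, known_bad):
    """Bulk lookup: one pass over the index against a set, whatever the list size."""
    wanted = {h.lower() for h in known_bad}
    rows = db.execute("SELECT path, sha256 FROM files ORDER BY path")
    return [path for path, sha in rows if sha in wanted]

def demo():
    files = {"app.exe": PE_STUB, "invoice.pdf": PE_STUB + b"x", "notes.txt": b"hello"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in files.items():
            pathlib.Path(root, name).write_bytes(data)
        db = build_index(root)
    bad = [hashlib.sha256(b"hello").hexdigest(), "0" * 64]  # constructed "known bad" list
    return pe_without_expected_ext(db), match_hashes(db, bad)
```

`demo()` returns the paths flagged by each search: the PE file carrying a `.pdf` extension, and the file whose hash is on the constructed list.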

Previously, Classic Index was a separate process that had to be initiated with a Tanium action. This meant it would not update file metadata or hashes unless an endpoint was already communicating with the Tanium server.

This also meant that searching for a large number of hashes would hurt endpoint performance. Classic Index also used separate throttles, making it difficult to measure the Tanium client’s overall resource utilization.

The “CX” in Index CX stands for “Client Extensions,” the framework that Tanium solutions will use to extend their functionality while allowing for common components. Our implementation of Index CX, known as Tanium CX, minimizes the duplication of packages, actions and sensors across our modules.

Ultimately, Tanium CX will reduce the footprint of the Tanium client on endpoints and allow for better throttling and control of the resources the client uses across our modules. Tanium CX now uses a slow and continuous search to improve performance. We’ve also made exponential improvements to searching for large numbers of hashes.

Tanium CX is throttled to 2.5% of each CPU. In our testing with batches of up to 100,000 hashes, Tanium CX responded without exceeding the 2.5% CPU boundary on both physical and virtual endpoints. Classic Index would find it difficult to achieve this with even a few thousand hashes.

We’ve also overhauled and added automation under the covers. Tanium CX no longer requires a Tanium action to start. It now acts more like Recorder, meaning it will run and keep itself updated — even when an endpoint isn’t communicating with the Tanium server.

If you have offline systems with active intel on the endpoint, your background intel scans will have access to updated Tanium CX information. They also will generate alerts that will be sent to Threat Response as soon as the endpoint comes back online. In light of these improvements, you’ll see other Tanium modules, including Reveal and Integrity Monitor, move to Index CX soon.

Crawl fast or slow – your call

With Threat Response 3.4, the default scan is now a weekly slow crawl. This means Tanium CX will slowly crawl the disk once a week, updating file metadata and hashes as it goes.

However, if that isn’t frequent enough, you can now set a High Priority Path. This will run a scan every 24 hours, instead of weekly. It will also use Tanium Recorder (if enabled in the profile) to watch these paths. That way, when a file changes, Index CX will automatically update the file metadata and hashes.

[Image: Threat Response showing high priority paths. Caption: High Priority Paths let you run a scan every 24 hours]

Best of all, you get to define how often the slow crawl occurs and how often the high-priority paths are updated if the Tanium Recorder isn’t running. This gives you maximum flexibility, enabling you to define the Tanium CX configurations specifically for your environment.

For example, you might want one set of configurations for your critical endpoints, and another set for your virtual ones. Tanium CX gives you control of the risk vs. endpoint performance equation when looking for files at rest.


Are you looking to do an even better job of investigating and responding to cyber threats in real time? Then check out Tanium Threat Response 3.4 today.