Tanium Threat Response must be configured to receive IOC streams only from trusted sources.

An XCCDF Rule

Description

<VulnDiscussion>Using trusted and recognized IOC sources may detect compromise and prevent systems from becoming compromised. An IOC stream is a series or stream of intel that is imported from a vendor based on a subscription service or manually downloaded and placed in a folder. Threat Response can be configured to retrieve the IOC content on a regularly scheduled basis. The items in an IOC stream can be manipulated separately after they are imported.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-253843r997267_rule
Severity: Medium
References: CCI-001414
Updated: 17 days ago

Consult the documentation on trusted intel subscription feeds. 

1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication.

2. Click "Modules" on the top navigation banner.
3. Click "Threat Response".

4. Expand the left menu.

5. Click "Intel".

6. Select "Sources".

7. Click "New Source".

8. Select the specified Source from the list.

9. Fill out the specified information based on the documented trusted intel feeds. 

10. Select "Create".

Tanium Threat Response must be configured to receive IOC streams only from trusted sources.

Description

Remediation - Manual Procedure