Skip to main content
CUI

STIG Rule - V-254888

Back to STIG Browser

V-254888

SV-254888r960804_rule

CAT II

Tanium Threat Response must be configured to receive IOC streams only from trusted sources.

From: Tanium 7.x Application on TanOS Security Technical Implementation Guide (V2R2)

Description

<VulnDiscussion>Using trusted and recognized IOC sources may detect and prevent systems from becoming compromised. An IOC stream is a series or stream of intel that is imported from a vendor based on a subscription service or manually downloaded and placed in a folder. Threat Response can be configured to retrieve the IOC content on a regularly scheduled basis. The items in an IOC stream can be separately manipulated after they are imported.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

Check Procedure

Consult with the Tanium System Administrator to determine if the Threat Response module is being used, if not this is Not Applicable. 1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Threat Response". 4. Expand the left menu. 5. Click "Intel". 6. Select "Sources". 7. Verify all configured Threat Response Streams are configured to a documented trusted source. If Threat Response is configured to a stream that has not been documented as trusted, this is a finding.

Fix Text

Consult the documentation on trusted intel subscription feeds. 1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Threat Response". 4. Expand the left menu. 5. Click "Intel". 6. Select "Sources". 7. Click "New Source". 8. Select the specified Source from the list. 9. Fill out the specified information based on the documented trusted intel feeds. 10. Select "Create".

CCI Reference

CCI-001414
Created
2026-04-07 20:08:37
Last Updated
2026-04-07 20:08:37
Back to Browse
CUI