Filtering findings for reports

A finding is the result of a check on an endpoint at a specific point in time. When you run an assessment, the results appear on the Findings page in the Compliance tab or in the Vulnerability tab. Use the provided categories on the Findings page to filter results and save those filtered results as reports. Reports built from findings can be customized and re-run using any combination of available data.

Filter compliance findings

From the Comply menu, click Findings. The findings for compliance assessments are displayed in the Compliance tab. At the top level, you can filter by Computer Group(s). Click within the edit field to add multiple groups to the filter. You can also apply the OR and AND buttons to the selected computer groups.

Only groups that include sensors that are collected by the Tanium Data Service (TDS) are available for filtering.

Click Customize Columns to add or remove categories from the findings grid.

To use filters with more categories, click the Filters link to access Standard filter categories and the Filter Builder.

Standard filter

Using the provided fields, you can filter findings by Computer Group, Rule ID, Rule, Endpoint, Scan Method (Any, Client-Based, Remote Authenticated), Operating System Generation, Operating System, Standard, Profile, Status Category, IP Address and % Compliant (Pass/Fail).

% Compliant (Pass/Fail) is the percentage of the Pass column in relation to the Findings column. Note that this filter does not apply to Findings on the Standard and Profile tab or the Rule tab.

Filter builder

Click the Filter Builder button in the Filters section to create your own filter. With the filter builder, you can filter compliance and vulnerability findings using Comply Tanium Data Service (TDS) and additional TDS harvested sensors.

From the filter builder, you can filter on the following (a sample of the available sources):

Computer Groups - Filter compliance or vulnerability findings based on Tanium computer groups.

You can also filter on the following sensors:

Comply - Compliance Findings - Create a complex filter using the metadata from the expansion columns that Comply supplies. The available columns for Compliance Findings are as follows:

  • Check ID - The unique identifier for a Compliance rule. It is made up of the benchmark name, benchmark version, profile name, profile version, and rule id.

  • Status (State) - The result of the scan engine evaluation of the rule. (Many, but not all, of these are the same as Status Category).

    • fail - The endpoint did not satisfy all the conditions of the rule.
    • pass - The endpoint satisfied all the conditions of the rule.
    • fixed - The endpoint failed, but was then fixed (either by a tool or manually).
    • error - The engine could not complete the evaluation, therefore the endpoint's compliance status is uncertain. This might occur, for example, if a scan was run with insufficient privileges and could not gather all necessary data.
    • unknown - A problem was encountered and the results are unknown. This might occur, for example, if the output of the engine could not be interpreted.
    • notapplicable - The rule was not applicable to the targeted endpoint. For example, the rule may be specific to an OS that is not installed on the endpoint.
    • notchecked - The rule was not evaluated by the engine. This may occur if the rule contains elements that are not supported by the engine.
    • notselected - The rule was not selected in the benchmark.
    • informational - The rule was checked, but the output from the engine is only informational for auditors or administrators and is not a compliance category. This status is intended for a rule whose main purpose is to extract information from the endpoint rather than to test the endpoint.
  • Status Category - A computed value based on the state. The possible values for category are: fail, pass, error, informational. These are all mapped to the same state values. All other state values are ignored.

    • Fail - The endpoint did not satisfy all the conditions of the rule.
    • Pass - The endpoint satisfied all the conditions of the rule.
    • Error - The engine could not complete the evaluation, therefore the endpoint's compliance status is uncertain. This might occur, for example, if a scan was run with insufficient privileges and could not gather all necessary data.
    • Informational - The rule was checked, but the output from the engine is only informational for auditors or administrators and is not a compliance category. This status is intended for a rule whose main purpose is to extract information from the endpoint rather than to test the endpoint.
  • Rule ID - The rule identifier for the benchmark rule.

  • Profile - The name of the benchmark profile.

  • Rule - The name of the benchmark rule.

  • Severity - The severity value of the rule.

  • Standard - The combination of the benchmark name and profile name.

  • Version - The benchmark version.

Comply - Compliance Percentage - This sensor returns the aggregate compliance percentage from an endpoint.

Comply Assessment Status - This sensor returns the status of each assessment evaluated on an endpoint. It has three columns.

  • Assessment ID - The unique hash of the assessment that was evaluated on an endpoint.

  • Status - The status of the assessment. The possible values are:
    • Scanned - The assessment has been completed on the endpoint without error.
    • Error - The assessment has been completed but an error has occurred.

  • Status Details - The error code that represents the type of error that occurred during the assessment. To view error code details, see Reference: Common errors.
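
The state-to-category mapping and the % Compliant ratio described above can be reproduced over exported compliance findings. The following Python is an added example, not Tanium code: the CSV headers, endpoint names and rule IDs are constructed, and it assumes that only findings whose state maps to a Status Category count toward the Findings total.

```python
import csv
import io
from collections import defaultdict

# States that map to a Status Category; all other state values are ignored.
CATEGORY_STATES = {"fail", "pass", "error", "informational"}

# Constructed sample rows; the header names are assumptions, not Comply's export format.
SAMPLE_CSV = """Endpoint,Rule ID,Status
ws-001,rule_1.1.1,pass
ws-001,rule_1.1.2,fail
ws-001,rule_1.1.3,notapplicable
ws-001,rule_1.1.4,error
ws-002,rule_1.1.1,pass
ws-002,rule_1.1.2,pass
ws-002,rule_1.1.3,notselected
ws-003,rule_1.1.1,notchecked
"""

def status_category(state):
    """Return the Status Category for a state, or None if the state is ignored."""
    state = state.strip().lower()
    return state if state in CATEGORY_STATES else None

def percent_compliant(csv_text):
    """Per endpoint: Pass count as a percentage of counted findings."""
    # Assumption: a finding is counted only if its state maps to a category.
    # Endpoints with no counted findings get None rather than 0 or 100.
    counts = defaultdict(lambda: {"pass": 0, "findings": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        bucket = counts[row["Endpoint"]]  # register the endpoint even if the row is ignored
        category = status_category(row["Status"])
        if category is None:
            continue
        bucket["findings"] += 1
        if category == "pass":
            bucket["pass"] += 1
    return {
        ep: round(100.0 * c["pass"] / c["findings"], 1) if c["findings"] else None
        for ep, c in counts.items()
    }

if __name__ == "__main__":
    for endpoint, pct in percent_compliant(SAMPLE_CSV).items():
        print(endpoint, "n/a" if pct is None else f"{pct}%")
```

An endpoint whose only results are notchecked, notselected or notapplicable reports no percentage at all, which is worth surfacing separately from a genuine 0% or 100%.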

Quick filter

You can also quick filter the Findings view by toggling the following tabs:

  • Standard and Profile: A collection of checks and rules along with logic for how to combine those checks to determine a final status for an endpoint

  • Rule: A standard and any filters applied to that standard in a custom profile

  • Endpoints: The targets that are being evaluated

  • Operating system: The operating system installed on the targets

  • All Findings: Lists all results found by assessments. Click the Get more details icon for an individual finding to view a pop-up with information for that finding.



Filter vulnerability findings

From the Comply menu, click Findings. The findings for vulnerability assessments are displayed in the Vulnerability tab. At the top level, you can filter by Computer Group(s). Click within the edit field to add multiple groups to the filter. You can also apply the OR and AND buttons to the selected computer groups.

Only groups that include sensors that are collected by the Tanium Data Service (TDS) are available for filtering.

To use filters with more categories, click the Filters link to access Standard filter categories and the Filter Builder.

To add categories to the filter, click Customize Columns to include additional fields, for example, filter by CVSS v3 or CVSS v2.

You can filter findings by Computer Group and Severity, and expand the Filters link to use the following additional filters:

Standard filter

Filter findings using any of the following categories: Check ID, CVE Year, Score (CVSS 3), Endpoint, Scan Method, Operating System Generation, Operating System, Title, IP Address, CPEs, Affected Products, Affected Platforms and CISA Known Exploited Vulnerabilities (KEV). (See the Filter builder section below for details on each category.)

Quick filter

You can also quick filter the findings by Severity by clicking the Critical, High, Medium, Low, None, Unscored buttons.

Additionally, quick filter with the following categories:

  • Check ID: The CVE ID. For example, CVE-2020-0810

  • Endpoints: The targets that are being evaluated

  • Operating system: The operating system installed on the targets

  • Severity: Critical, High, Medium, Low, None, Unscored

  • All Findings: Lists all results found by assessments. Click the Get More Details icon for an individual finding to view.

Filter builder

Click the Filter Builder button in the Filters section to create your own vulnerability filter. In the Source column for vulnerability filters, the following sensors are available:

Vulnerability Findings Sensor - These findings are derived from the Comply - CVE Findings sensor, which only has the Check ID column. Vulnerability findings include the following TDS expansion columns:

  • Affected Platforms - The list of platform names associated with the CVE.

  • Affected Products - The list of product names associated with the CVE.

  • Check ID - The CVE (Common Vulnerabilities and Exposures) ID.

  • CISA Date Added - The date CISA added the vulnerability to the CISA KEV list.

  • CISA Due Date - The date federal agencies must remediate by.
  • CISA KEV - Whether the vulnerability is on the CISA KEV list.
  • CPEs - The list of CPEs (Common Platform Enumeration) associated with the CVE.

  • CVE Modified Date - The date when the CVE definition was last modified.

  • CVE Created Date - The date when the CVE definition was created.

  • CVE Year - The year the CVE was created.

  • Scan Type - The scan method.
  • CVSS (V2 or V3) Score - The Common Vulnerability Scoring System score assigned to the CVE.

  • CVSS (V2 or V3) Severity - The CVSS severity value. One of the following:

    • Critical - CVSS Score greater than or equal to 9.0.
    • High - CVSS Score greater than or equal to 7.0 and less than 9.0.

    • Medium - CVSS Score greater than or equal to 4.0 and less than 7.0.

    • Low - CVSS Score greater than 0.0 and less than 4.0.

    • None - CVSS Score equal to 0.0.

    • Unscored - No CVSS Score has been assigned.
  • CVE Title - The title of the CVE.
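
The following Python is an added example, not Tanium code. It applies the severity bands above to exported vulnerability findings and lists CISA KEV entries that are past their due date, including unscored ones that a severity-only filter would miss. The CSV headers, date format, Yes/No values, endpoint names and CVE IDs are constructed placeholders.

```python
import csv
import io
from datetime import date

# Constructed sample; header names, date format and Yes/No values are assumptions.
SAMPLE_CSV = """Endpoint,Check ID,CVSS Score,CISA KEV,CISA Due Date
ws-001,CVE-0000-0001,9.8,Yes,2024-01-15
ws-001,CVE-0000-0002,7.5,No,
ws-002,CVE-0000-0003,,Yes,2024-06-30
ws-002,CVE-0000-0004,0.0,No,
ws-003,CVE-0000-0005,4.0,Yes,2024-03-01
"""

def severity(score_text):
    """Map a CVSS score (as exported text) to the severity bands listed above."""
    if score_text is None or not score_text.strip():
        return "Unscored"  # no CVSS score has been assigned
    score = float(score_text)
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"

def overdue_kev(csv_text, today):
    """Return KEV findings whose CISA due date has passed, oldest due date first."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["CISA KEV"].strip().lower() != "yes" or not row["CISA Due Date"]:
            continue
        due = date.fromisoformat(row["CISA Due Date"])
        if due < today:
            hits.append((due, row["Endpoint"], row["Check ID"], severity(row["CVSS Score"])))
    return sorted(hits)

if __name__ == "__main__":
    for due, endpoint, cve, sev in overdue_kev(SAMPLE_CSV, date(2024, 4, 1)):
        print(due, endpoint, cve, sev)
```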

Comply - Oval Findings - This sensor returns the list of OVAL (Open Vulnerability Assessment Language) definitions that the scan engine has determined apply to the endpoint. The OVAL definitions are associated with CVEs and are what is used by the scan engine to determine if an endpoint is vulnerable to a particular CVE.

Filter Builder Example

Create a filter to view vulnerability findings from endpoints that have run a Windows 10 compliance benchmark assessment.

For this example, you've run both a compliance scan and vulnerability scans on Windows 10 endpoints, but you want to filter down to those Windows 10 endpoints that ran the compliance scan only. You would select the following fields in the filter builder:

Source: Comply-Assessment status / Column: Assessment ID / Operator: is equal to / Value: The assessment hash for the particular assessment you want to filter by.

Once your selections are made, click the Apply button.

Custom Sensors

If you have created a custom sensor and registered it in TDS, it appears at the end of the Source list for the filter, allowing you to filter by these custom sensors. For example, if you've tagged your endpoints by location, and you have a custom sensor for all the endpoints in your Dallas data center, you can select the sensor for the Dallas data center in the filter builder and use it to find all the vulnerabilities in the Dallas data center. Note that for custom sensors, no columns will appear in the filter builder.

Download as CSV

You can export Findings to a CSV file and download the file by doing the following:

  1. Click the Download as CSV button on the Findings page.

  2. In the export window, enter a Name for the CSV file. This file name cannot include spaces or relative paths.
  3. Optionally, select the check box to Include Headers in the file.
  4. Choose a Compression Type or select None.
  5. Filename - Use the default filename or enter your own name.
  6. Include Headers - This is selected by default.
  7. Compression Type - Choose None, Zip (default), or Gzip.
  8. Columns Selection:
    • All columns (including hidden columns) - In addition to the columns available in the grid, select this option to also include columns from the Details view.
    • Visible columns only - Only include items visible in the grid.
    • Custom set of columns - Select this option to choose which columns to include from a provided list.
  9. Click the Export button. The CSV file is downloaded to your local system and saved in the Reports > Exports tab.


Create reports from findings

Use the Save As button on the Findings page to create a report from the current view.

On the Save Report page, enter the following:

  1. Enter a Report Name. A default name for the report is automatically generated.

  2. Optionally, enter a description for the report.

  3. Select a Content Set. See Tanium Core Platform User Guide: Managing RBAC for information on content sets.

  4. Click Save.



View reports by clicking on Reports in the Comply menu.