Investigating findings

When a compliance check fails or a vulnerability is found, use the Investigate feature to find the actual values on the endpoints that caused the issue.

Before you begin

Investigations are only supported:

  • With the Tanium Scan Engine
  • On Tanium Client version 7.4 or later
  • With Tanium Interact 2.14.106 or later for full functionality (converting Findings filters to Investigations filters is not supported with earlier versions of Interact)

Investigations are NOT supported:

  • In low resource mode
  • On unmanaged devices

The following RBAC permission is required: Comply Investigation Execute. See User role requirements.

The Investigation feature only becomes available for existing assessments when they are redeployed or run again as part of a set schedule.

For information on the Open Vulnerability and Assessment Language (OVAL), you can refer to oval.mitre.org.

Investigate compliance findings

Compliance checks are defined through benchmarks, which are listed on the Standards page in Comply. Each benchmark contains a set of rules. Each rule contains a set of checks (criteria). When investigating compliance findings, you are examining the expected values for the checks of the selected rule and comparing them to the actual values that were the result of the rule being evaluated on the endpoint.

The Investigation feature does not display findings for passed compliance rules.

To investigate compliance findings:

  1. Select Findings from the Comply menu.

  2. In the Compliance tab, select the Rule or All Findings tab. Filter the list if necessary by Computer Group or by using any of the available filter items.

  3. Select the check box for a rule and click the Investigate button to open the Benchmark Rule Details window. (You can only investigate one rule at a time.) You can also click the Get more details arrow to open the flyout and click the Investigation button located there.

  4. If you receive a No rule checks message after you click Investigate, there are no checks on the endpoints for the selected rule. This is typically because the rule is defined for informational purposes only and therefore has no criteria and nothing to evaluate.

Compliance investigations

In the Investigation/Benchmark Rule Details window, there are several sections of information.

  • The Details section has the general data about the rule, including the Benchmark, Description, Rationale, and Remediation suggestion.

The table with the list of checks (also called tests) has several columns:

  • Status - Indicates whether the endpoints listed for this check Pass, Fail or experienced an Error. There are two kinds of status errors. An OVAL Error indicates there was a problem collecting information or analyzing a check on the endpoint. An Investigation Error is a Tanium error, likely a Tanium Interact TSE error. See Tanium Interact User Guide: Troubleshooting.
  • Test Description - This text is taken from the OVAL content for that check.
  • Expected Objects - The type of object that the check is expected to collect on the endpoint.
  • Expected Status - The expected state of the object being checked on the endpoint, that is, the property values and comparison operations the object must satisfy.
  • Actual Values - The object found on the endpoint and all the associated properties of that object. The property names are in black and the actual values are in green. If the object the check looks for does not exist on the endpoint, no actual value is returned and "no objects found" may be displayed instead.
  • Type - The type of check: Compliance, Inventory, or SCE. The difference between a Compliance check and an Inventory check is the class of the OVAL definition it belongs to. A Compliance check tests whether the system meets a predefined state; an Inventory check tests whether required software is installed on the system. An SCE (Script Check Engine) check covers items that OVAL cannot express and is packaged together with the benchmark.
  • Count - The number of endpoints that have the actual value listed for the check.


Filter tests list

You can filter tests in the table by Status, Definition Type, or any of the other available grid filters.



Get more details

Click the arrow on a check in the Investigation/Benchmark Rule Details window to see details about that check. From this window, you can click the View Endpoints and View XML buttons.

  • View Endpoints - Click this button to see all the endpoints that have the actual value for that check. When you click View Endpoints, the server asks live questions (as opposed to Findings, where results are cached). Because these are live questions, the endpoint count may not match the count in Findings; for example, endpoints may have gone offline in the interim. Also note that the percentage number under the Endpoints heading continues to update as endpoints respond.
  • View XML - Click this button to view the raw OVAL XML for this check. The XML shows the details of what the check does: the first section is the test, the next section is the expected object with its listed properties, and the last section is the expected state.
  • View Script Details - Only SCE checks have this additional button. Click View Script Details to see the raw script that was run on the endpoint for that check.


Investigate vulnerability findings

Vulnerability checks are defined through a vulnerability source, which is listed on the Standards page. Each source has a list of CVEs, and each CVE has vulnerability definitions and/or patch definitions. Each definition has a set of criteria or checks. When investigating vulnerability findings, you are examining the expected values for checks and comparing them to the actual values that were discovered on the endpoint.

To investigate vulnerability findings:

  1. Select Findings from the Comply menu.

  2. In the Vulnerability tab, from the Check ID or All Findings tab, locate the CVE using any of the available filters.

  3. Select the CVE check box and click the Investigate button to open the CVE Details window. (You can only investigate one CVE at a time.) You can also click the Get more details arrow to open the flyout and click the Investigation button located there.



Vulnerability investigations

In the Investigation/CVE Details window, there are several sections of information.

  • The Details section has the general data about the CVE, including the CVE ID, the score and the severity.

The table with the list of checks (also called tests) has several columns:

  • Status - Indicates whether the conditions for this check were found (True) or not found (False) on the endpoints listed, or whether the check experienced an Error. Note that it is the combination of checks that were found and not found, as laid out in the definition's criteria, that determines whether an endpoint is vulnerable. There are two kinds of status errors. An OVAL Error indicates there was a problem collecting information or analyzing a check on the endpoint. An Investigation Error is a Tanium error, likely a Tanium Interact TSE error. See Tanium Interact User Guide: Troubleshooting.
  • Test Description - This text is taken from the OVAL content for that check.
  • Expected Objects - The type of object that the check is expected to collect on the endpoint.
  • Expected Status - The expected state of the object being checked on the endpoint, that is, the property values and comparison operations the object must satisfy.
  • Actual Values - The object found on the endpoint and all the associated properties of that object. The property names are in black and the actual values are in green. If the object the check looks for does not exist on the endpoint, no actual value is returned and "no objects found" may be displayed instead.
  • Type - Indicates whether the check was found in an OVAL Vulnerability definition or an OVAL Patch definition. Some checks are found in both.
  • Endpoints - The number of endpoints that have the actual value listed for the check.


Filter tests list

You can filter tests in the table by Status, Definition Type, or any of the other available grid filters.



Get more details

Click the arrow on a check in the Investigation/CVE Details window to see details about that check, including the list of vulnerability definitions and/or patch definitions.

By default, only definitions that have the check are shown. If you want to see other definitions that are related to that CVE but do not include that check, you can deselect the Has Test check box and if there are any such definitions, they will be listed.

From this window, you can also click the View Endpoints and View XML buttons.

  • View Endpoints - Click this button to see all the endpoints that have the actual value for that check. When you click View Endpoints, the server asks live questions (as opposed to Findings, where results are cached). Because these are live questions, the endpoint count may not match the count in Findings; for example, endpoints may have gone offline in the interim. Also note that the percentage number under the Endpoints heading continues to update as endpoints respond.
  • View XML - Click this button to view the raw OVAL XML for this check. Viewing the XML shows you the details of what the check does.
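The following Python script is an added example, not Tanium code and not real benchmark or vulnerability-source content. It ties together what the View XML button exposes (a test that pairs an expected object with an expected state, as described for compliance investigations above) and what the Status column for vulnerability findings relies on (the found/not-found results of several checks combined by the definition's criteria). The OVAL-style XML is a constructed, simplified, namespace-free document, the endpoint values in ENDPOINT and ENDPOINT_WITH_ERROR are constructed, and the function names (investigate, evaluate_test, evaluate_criteria) and the three-valued AND/OR/negate rules are this example's own rendering of OVAL semantics, not a Tanium API.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, simplified OVAL-style document (namespaces dropped, not real content):
# one compliance and one vulnerability definition, each combining tests that pair
# an expected object with an expected state.
SAMPLE_XML = r"""<oval_definitions>
 <definitions>
  <definition id="def:1" class="compliance"><criteria operator="AND">
   <criterion test_ref="tst:1"/><criterion test_ref="tst:2"/></criteria></definition>
  <definition id="def:2" class="vulnerability"><criteria operator="AND">
   <criterion test_ref="tst:3"/><criterion test_ref="tst:4" negate="true"/></criteria></definition>
 </definitions>
 <tests>
  <test id="tst:1" check="all" comment="sshd PermitRootLogin is no" object_ref="obj:1" state_ref="ste:1"/>
  <test id="tst:2" check="all" comment="PASS_MAX_DAYS is 90 or less" object_ref="obj:2" state_ref="ste:2"/>
  <test id="tst:3" check="at least one" comment="openssl is installed" object_ref="obj:3" state_ref="ste:3"/>
  <test id="tst:4" check="at least one" comment="openssl is at a fixed version" object_ref="obj:3" state_ref="ste:4"/>
 </tests>
 <objects>
  <object id="obj:1" type="textfilecontent"><path>/etc/ssh/sshd_config</path><pattern>^PermitRootLogin\s+(\S+)</pattern></object>
  <object id="obj:2" type="textfilecontent"><path>/etc/login.defs</path><pattern>^PASS_MAX_DAYS\s+(\d+)</pattern></object>
  <object id="obj:3" type="rpminfo"><name>openssl</name></object>
 </objects>
 <states>
  <state id="ste:1"><subexpression operation="equals">no</subexpression></state>
  <state id="ste:2"><subexpression operation="less than or equal">90</subexpression></state>
  <state id="ste:3"><name operation="equals">openssl</name></state>
  <state id="ste:4"><version operation="greater than or equal">1.1.1k</version></state>
 </states>
</oval_definitions>"""

# Constructed values "collected" on an endpoint, keyed by object id: a list of dicts is the
# set of objects found, [] means no objects found, None means collection itself failed
# (what the investigation table reports as an OVAL Error).
ENDPOINT = {
    "obj:1": [{"path": "/etc/ssh/sshd_config", "subexpression": "yes"}],
    "obj:2": [],
    "obj:3": [{"name": "openssl", "version": "1.1.1g"}],
}
ENDPOINT_WITH_ERROR = {
    "obj:1": None,
    "obj:2": [{"path": "/etc/login.defs", "subexpression": "45"}],
    "obj:3": ENDPOINT["obj:3"],
}

def _vkey(s):
    """Sort key for numeric or version strings, so that '1.1.1k' > '1.1.1g' and '45' <= '90'."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[A-Za-z]+", s))

# The subset of OVAL state operations used by the sample document.
OPS = {
    "equals": lambda actual, exp: actual == exp,
    "pattern match": lambda actual, exp: re.search(exp, actual) is not None,
    "less than or equal": lambda actual, exp: _vkey(actual) <= _vkey(exp),
    "greater than or equal": lambda actual, exp: _vkey(actual) >= _vkey(exp),
}

def evaluate_test(test, objects, states, endpoint):
    """One investigation row: expected object and state versus what the endpoint holds."""
    obj, state = objects[test.get("object_ref")], states[test.get("state_ref")]
    expected = {c.tag: (c.get("operation", "equals"), c.text) for c in state}
    items = endpoint.get(obj.get("id"))
    if items is None:
        result, actual = "error", "OVAL Error: object could not be collected"
    elif not items:
        result, actual = "false", "no objects found"
    else:
        hits = [all(OPS[op](i.get(p, ""), e) for p, (op, e) in expected.items()) for i in items]
        ok = all(hits) if test.get("check") == "all" else any(hits)
        result, actual = ("true" if ok else "false"), items
    return {"description": test.get("comment"), "expected_object": {c.tag: c.text for c in obj},
            "expected_state": expected, "actual": actual, "result": result}

def evaluate_criteria(node, results):
    """Combine test results the OVAL way: three-valued AND/OR, errors propagate, negate flips."""
    if node.tag == "criterion":
        r = results[node.get("test_ref")]
        if node.get("negate") == "true" and r != "error":
            r = "false" if r == "true" else "true"
        return r
    vals = [evaluate_criteria(child, results) for child in node]
    if node.get("operator", "AND") == "AND":
        return "false" if "false" in vals else ("error" if "error" in vals else "true")
    return "true" if "true" in vals else ("error" if "error" in vals else "false")

def investigate(xml_text, endpoint):
    """Per-test rows plus one verdict per definition, for a single endpoint."""
    root = ET.fromstring(xml_text.strip())
    by_id = lambda section: {e.get("id"): e for e in root.find(section)}
    tests, objects, states = by_id("tests"), by_id("objects"), by_id("states")
    rows = {tid: evaluate_test(t, objects, states, endpoint) for tid, t in tests.items()}
    results = {tid: row["result"] for tid, row in rows.items()}
    # A true compliance definition is a Pass; a true vulnerability definition means vulnerable.
    labels = {"compliance": {"true": "Pass", "false": "Fail", "error": "Error"},
              "vulnerability": {"true": "Vulnerable", "false": "Not vulnerable", "error": "Error"}}
    verdicts = {d.get("id"): labels[d.get("class")][evaluate_criteria(d.find("criteria"), results)]
                for d in root.find("definitions")}
    return rows, verdicts
```

Calling investigate(SAMPLE_XML, ENDPOINT) gives Fail for def:1 (PermitRootLogin is "yes", and obj:2 yields "no objects found") and Vulnerable for def:2 (openssl is installed and the negated version check confirms it is below the fixed version). With ENDPOINT_WITH_ERROR the collection failure on obj:1 surfaces as an error on tst:1 and, because the other criterion is true rather than false, propagates to an Error verdict for def:1, which is the behaviour behind an OVAL Error status in the investigation table.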