Other resources

Release Notes

Support Knowledge Base
(login required)

Tanium IOC Detect overview

Tanium IOC DetectTM (IOC Detect) provides indicator of compromise (IOC) detection and YARA rule matching for management and analysis capabilities to enable real-time responses to intrusions. IOC Detect also provides a REST API that allows for integration between IOC Detect and other parts of the security network.

The IOC Detect process

The scalability of the Tanium platform increases the relevance of the data that is gathered during the detection phase. Threat intelligence is founded on key factors of adaptability, integration, and scale:

  • Adaptability is required for an iterative cycle of IOC analysis. An adaptable strategy promotes instantaneous analysis, reporting, and response.
  • Integration of IOC detection into your security strategy speeds investigation and recovery.
  • Scalability and speed provide “just-in-time” relevance of information across the target network.

IOC Detect implements these crucial requirements in the following cycle of detection.

Figure  1:  The IOC detection cycle

Phase Action Description
1 Hunt with indicators The key to security is the application of threat intelligence sources at scale. Use IOC detection for a rapid return on intelligence and visibility of all network endpoints.

With IOC Detect, you can import existing IOCs in groups, streams, and by managed subscription. You can issue the IOCs you collect manually or by scheduled detection. You receive responses to your detections in real time, when they are most relevant.

2 Investigate compromised systems In addition to real-time threat intelligence, a robust network security strategy requires action based on investigation. IOC Detect promotes the real-time investigation of an intrusion with the rapid return of relevant information. The result is threat analysis based on detailed and actionable endpoint information.
3 Remediate compromised systems After analysis is complete, take action to remediate the compromised computers using the management capabilities of Tanium.
4 Develop new indicators Analysis goes beyond identifying the affected endpoints. Comprehensive analysis extends to the development of new IOCs to fit an emergent threat. The IOC Detect viewer displays IOC definitions as well as normalized and raw views of IOCs, including registry settings and the use of logical operators in the representation of a complex forensic artifact.
5 Refine the intelligence and continue hunting Refine threat intelligence iteratively by repeating the detection cycle and improving IOCs.

You can use IOC Detect to edit an IOC and improve it to better match the appearance of the artifact on the target network. You can then start a detection to pinpoint the affected computers. You can repeat this cycle of detection, analysis, and refinement as you determine the extent of the intrusion.

Sources of threat data

You can use IOC Detect to aggregate multiple forms of information into one place to scan the entire enterprise.


An IOC represents a collection of artifacts that can be used to detect and respond to a potential intrusion. These artifacts can include MD5 hash, file name changes, domain names, registry settings, IP addresses, and process handles. IOCs are represented in a human-readable format, often XML. IOCs might be subject to versioning with updates distinguished by a globally unique identifier (GUID). The common IOC formats, OpenIOC and STIX, provides adaptability for a specific intrusion and be shared across the enterprise and the broader community. In addition to importing IOCs manually, you can import or stream IOCs from other sources, such as:

  • PwC Threat Intelligence
  • TAXII Stream
  • iSight Partners Threatscape
  • STIX and OpenIOC formatted data
  • Tanium TraceTM

YARA files

YARA is a regular expression engine. YARA files use rules to classify and identify suspicious content inside files on the targeted endpoints. Each rule consists of a logical Boolean expression to combine user-defined descriptions consisting of byte patterns, strings, and regular expressions. You can use a text editor or tools that autogenerate stub rules. IOC Detect can import YARA files to use for detection scans.

For more information, see the YARA website.

Integration with other Tanium modules and components

By Integrating IOC Detect with other Tanium products and content, detection scans can run faster and more thoroughly. Then that data can be used throughout the network for remediation.

Tanium ConnectTM
Events and detection results generated by IOC Detect are sent to Tanium ConnectTM (Connect). By configuring a destination, this information is actionable outside of Tanium. You can also configure incoming connections from sources such as Palo Alto Wildfire to create threat intelligence.

Tanium Index
Tanium Index (Index) creates a full index of all the files that exist on an endpoint local file system. Index captures file and path information, the hash, and magic number. With Index, IOC Detect can quickly determine whether a particular file exists on the endpoint without having to scan through the entire file system. You can create IOCs to look for a full or partial file name or directory path, file hash (MD5, SHA1, and SHA256), and the magic number.

Tanium ProtectTM
Use IOC detection results to create Process Rule policies in Tanium ProtectTM (Protect) to identify any existing compromises and prevent future incidents across the network.

Tanium TraceTM
IOC Detect integrates with Tanium TraceTM (Trace) in two ways. Use Trace evidence from a single endpoint to scan any endpoint that is managed by Tanium. You can also use Trace data for in-depth scanning of each endpoint for historical evidence of IOCs.

Additional IOC Detect documentation

From the IOC Detect Settings, you can access the API and Indicator documentation. The API documentation provides the list of paths and models; with an interactive feature to try out operations. The Indicators documentation lists descriptions of the intelligence document types, sensor type, and other features that affect the sensor evaluation.


For detailed information about IOCs and IOC detection, see the following resources.

Last updated: 8/1/2017 7:13 PM | Feedback