Detect overview

With Detect, you can find compromised machines by deploying intel to groups. The endpoints in these groups are scanned. When an intel match is found, an alert is generated. These alerts streamline the analysis of suspicious activity and enable real-time responses to intrusions.

Types of threat data

You can customize what intel is applied to your groups and combine threat data from multiple sources.


Signals

You can use signals through an integration with Tanium™ Trace for the continuous, real-time evaluation of process, network, registry, and file events on the endpoint. Signals implement a specific language that the Detect service ingests and validates for both language syntax and the currently supported terms and conditions. Signals are available as a feed from Tanium, or you can author your own signals.

Intel documents

An intel document represents a collection of artifacts to detect and respond to a potential intrusion. These artifacts can include MD5 hashes, file names, domain names, registry data, IP addresses, and process handles. These indicators of compromise (IOCs) might be subject to versioning, with updates distinguished by a globally unique identifier (GUID). The common formats, OpenIOC and STIX, provide adaptability for a specific intrusion and can be shared across the enterprise and the broader community. In addition to uploading intel documents manually, you can import or stream intel documents from other sources, such as:

  • PwC Threat Intelligence
  • TAXII Streams
  • iSight Partners Threatscape
  • STIX and OpenIOC formatted data
  • Tanium Trace
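
The following added example (not Tanium code and not the Detect evaluation engine) shows how the nested AND/OR logic of an OpenIOC-formatted intel document is evaluated against artifacts collected from an endpoint. The sample document, the artifacts dictionary, and the function names are constructed for illustration; only the "is" and "contains" conditions are modelled.

```python
import xml.etree.ElementTree as ET
NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}  # OpenIOC 1.0 namespace
# Constructed sample document: GUID, hash, file name and IP are placeholders.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="00000000-0000-0000-0000-000000000001">
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="contains">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">updater</Content>
        </IndicatorItem>
        <IndicatorItem condition="is">
          <Context document="PortItem" search="PortItem/remoteIP" type="mir"/>
          <Content type="IP">192.0.2.10</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

def _item_matches(item, artifacts):
    # artifacts (hypothetical): search term -> values collected on the endpoint.
    term = item.find("ioc:Context", NS).get("search")
    want = item.find("ioc:Content", NS).text.strip().lower()
    values = [v.lower() for v in artifacts.get(term, [])]
    if item.get("condition") == "contains":
        return any(want in v for v in values)
    return want in values  # "is": exact match (other conditions not modelled)

def _evaluate(indicator, artifacts):
    # Recurse through nested Indicator blocks, then combine with AND or OR.
    results = []
    for child in indicator:
        kind = child.tag.split("}")[-1]  # drop the namespace prefix
        if kind == "IndicatorItem":
            results.append(_item_matches(child, artifacts))
        elif kind == "Indicator":
            results.append(_evaluate(child, artifacts))
    combine = all if indicator.get("operator") == "AND" else any
    return bool(results) and combine(results)  # an empty block never matches

def ioc_matches(xml_text, artifacts):
    """Return True when the endpoint artifacts satisfy the document's logic."""
    top = ET.fromstring(xml_text).find("ioc:definition/ioc:Indicator", NS)
    return top is not None and _evaluate(top, artifacts)
```

A file name hit alone does not raise a match here, because the nested AND block also requires the remote IP; the hash alone does, through the outer OR.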

YARA files

YARA is a pattern-matching engine. YARA files use rules to classify and identify suspicious content inside files on the targeted endpoints. Each rule consists of a logical Boolean expression that combines user-defined descriptions consisting of byte patterns, strings, and regular expressions. You can write rules in a text editor or use tools that auto-generate stub rules. YARA files, when combined with a defined search scope, are used like regular intel for detection scans.

For more information, see the YARA website.

Reputation data

For endpoints configured to use reputation intel, the hashes found by the saved questions are sent to the third-party reputation service for assessment. If this intel generates an alert, process and driver hashes are decorated to provide an at-a-glance status. Any known malicious matches automatically initiate a quick scan on the targeted computer group and produce an intel document that is used for ongoing background scanning.

Detect intel scanning

After you install Detect, the endpoints get Detect packages. These packages are automatically created and deployed when groups are configured or intel is uploaded. Each package is pushed separately to the endpoint and can be updated independently. The packages consist of the following pieces:

  • Group configuration package: Contains the Detect tools, the evaluation engine, the intel mapping file, and any blackout periods.
  • Intel package: Contains the intel to investigate on the endpoint.

Intel aggregation and deployment

As intel is brought into the Detect workbench, the source of the intel, such as Tanium Signals or OpenIOC, is identified and you can apply custom labels. With custom labels, you can organize any type of intel into sets that are relevant for your environment. For example, you might want to sort your intel by priority, incident case, or based on the applicable attack surface.

When you create a group configuration, you build an intel mapping file of the intel sources and labels that you want to apply. The intel mapping file dictates how intel is compiled and applied to the endpoints. During deployment, all endpoints receive all intel. The intel mapping file tells the engine which intel to use during evaluations. By having the full intel package available on the endpoint, you can rapidly change the applied intel with a simple configuration change. The sources and labels allow you to dynamically update the intel documents and signals that are included in the evaluation.

How evaluation scanning works

The evaluation engine searches the endpoint for the specified intel in three ways: with continuous background scans, limited-use quick scans, and live event monitoring with Trace.

Background scans provide automated threat scanning across hundreds of endpoint artifacts and they support a diverse set of threat intelligence types. The engine searches for the specified intel and evaluates the intel against the defined candidate population. If a match is found, the engine generates an alert and the Detect service collects these alerts on a regular basis, without waiting for the scan to complete.

Quick scans are meant to be used in a limited capacity, as they can only search with a single piece of intel on one computer group at a time. Initiating a quick scan pauses the background scan; the quick scan completes, and then the background scan resumes. This type of scanning is helpful in situations of high urgency. If any matches are found, they generate an alert that is reported asynchronously; you do not have to wait for the scan to complete.

When a scan finds a match, the alert is gathered from the endpoint and reported back to Detect. From there, you can further investigate the endpoint through Tanium Trace or other Tanium solutions.

If you have endpoints that are mission-critical, or you need to limit when Detect can be active, you can include blackout periods with the group configuration. Neither type of scan can run during those times.

Integration with other Tanium modules and components

By integrating Detect with other Tanium products and content, detection scans can run faster and more thoroughly. That data can then be used throughout the network for remediation.

Tanium™ Connect

Events and alerts generated by Detect are sent to Connect. By configuring a Connect destination, this information is actionable outside of Tanium. Detect sends hash information from saved questions to Connect and reputation service providers to elaborate on process hashes for an at-a-glance reputation status. You can also configure incoming connections from sources such as Palo Alto Wildfire to create threat data.

Tanium™ Index

Index creates a full index of all the files that exist on an endpoint's local file system. Index captures file and path information, the hash, and the magic number. With Index, Detect can quickly determine whether a particular file exists on the endpoint without having to scan through the entire file system. You can create intel documents to look for a full or partial file name or directory path, file hash (MD5, SHA1, and SHA256), and the magic number.

Tanium™ Trace

Detect integrates with Trace in the following ways: 

  • You can use Trace evidence from a single endpoint to scan any other endpoint that has Detect tools installed.
  • You can use Trace historical data that was captured by the event recorder for in-depth scanning of each endpoint for evidence of intel matches. Signals are sent to the Trace event recorder for live process event matching.
  • You can make a live connection to a suspicious endpoint from a Detect alert for further investigation.

Additional Detect documentation

Evaluation engine documentation

The evaluation engine documentation provides an in-depth explanation of how the endpoint interacts with intel and the scan types. The documentation lists descriptions of the intelligence document types, sensor type, possible error messages, and other features that affect the evaluation. From the Detect home page, click Help, then click the Evaluation Engine tab.

API documentation

The API documentation provides the list of paths and models and includes interactive features to try out operations. From the Detect home page, click Help, then click the API tab.

External resources

For detailed information about intel documents and their development, see the following resources.

Last updated: 4/3/2018 3:50 PM