Tanium Detect overview
Tanium Detect™ provides intel matching to generate alerts. These alerts streamline the analysis of suspicious activity and enable real-time responses to intrusions.
Detect allows you to customize which intel documents and signals get applied to which computer groups and when the evaluation scans can run. The intel list is based on the intel source and the labels that you create. They dictate how Detect compiles the intel and publishes it to the endpoints. The endpoints search for the specified intel and evaluate the intel against any scoping constraints for a match. If a match is found, the engine generates an alert and the Detect service collects these alerts on a regular basis. From the alert, you can review the reputation data and, if needed, further investigate compromised endpoints by pivoting into Tanium Trace.
You can customize what intel is applied to each computer group, blending threat data from multiple sources.
Signals implement a specific language to be used for the continuous, real-time evaluation of process, network, registry, and file events on the endpoint through an integration with Tanium Trace. The Detect service ingests and validates this intel for both proper language syntax and the currently supported terms and conditions. They are available as a feed from Tanium or they can be written manually.
An intel document represents a collection of artifacts that can be used to detect and respond to a potential intrusion. These artifacts can include MD5 hashes, file names, domain names, registry data, IP addresses, and process handles. IOCs might be subject to versioning, with updates distinguished by a globally unique identifier (GUID). The common formats, OpenIOC and STIX, provide adaptability for a specific intrusion and can be shared across the enterprise and the broader community. In addition to uploading intel documents manually, you can import or stream intel documents from other sources, such as:
- PwC Threat Intelligence
- TAXII Streams
- iSight Partners Threatscape
- STIX and OpenIOC formatted data
- Tanium Trace™
YARA is a pattern-matching engine. YARA files use rules to classify and identify suspicious content inside files on the targeted endpoints. Each rule consists of a logical Boolean expression to combine user-defined descriptions consisting of byte patterns, strings, and regular expressions. You can use a text editor or tools that autogenerate stub rules. YARA files, when combined with a defined search scope, are used like regular intel for detection scans.
For more information, see the YARA website.
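As an added illustration of the rule structure described above (this is a constructed example, not content from the Tanium documentation), the following YARA rule combines a byte pattern, a plain string, and a regular expression in one Boolean condition. The rule name and the hostname pattern are placeholders.

```yara
// Constructed example rule, not part of the Tanium Detect content.
// Flags a Windows executable that embeds a command-shell launch string
// or a placeholder C2 hostname pattern.
rule Example_Suspicious_PE_Strings
{
    meta:
        description = "Constructed example: PE file with suspicious embedded strings"
        author      = "added example"

    strings:
        // byte pattern: the "MZ" DOS header that starts every PE file
        $mz  = { 4D 5A }
        // plain string; matched as ASCII and UTF-16 (wide), case-insensitive
        $cmd = "cmd.exe /c" ascii wide nocase
        // regular expression; .invalid is a reserved TLD used here as a placeholder
        $c2  = /example-c2-[a-z0-9]{4,8}\.invalid/ ascii nocase

    condition:
        // Boolean expression combining the descriptions above:
        // header at offset 0, a size bound, and at least one suspicious string
        $mz at 0 and filesize < 2MB and ($cmd or $c2)
}
```

When uploaded to Detect as YARA intel and paired with a search scope, the condition is evaluated only against files in the scoped locations, which keeps scans fast and limits false positives from unrelated paths.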
For endpoints configured to use reputation intel, the hashes found by the saved questions are sent to the third-party reputation service for assessment. If this intel generates an alert, process and driver hashes are decorated to provide an at-a-glance status. Any known malicious matches automatically initiate a quick scan on the targeted computer group and create an intel document that is used for ongoing background scanning.
By integrating Detect with other Tanium products and content, detection scans can run faster and more thoroughly. That data can then be used throughout the network for remediation.
Events and alerts generated by Detect are sent to Tanium Connect™. By configuring a Connect destination, this information becomes actionable outside of Tanium. You can also configure incoming connections from sources such as Palo Alto WildFire to create threat data.
Tanium Index creates a full index of all the files that exist on an endpoint's local file system. Index captures file and path information, the hash, and the magic number. With Index, Detect can quickly determine whether a particular file exists on the endpoint without having to scan through the entire file system. You can create intel documents to look for a full or partial file name or directory path, a file hash (MD5, SHA1, or SHA256), or the magic number.
Detect integrates with Tanium Trace™ in four ways:
- Use Trace evidence from a single endpoint to scan any other endpoint that has Detect tools installed.
- Use Trace historical data captured by the event recorder for in-depth scanning of each endpoint for evidence of intel matches.
- Signals are sent to the Trace event recorder for live process event matching.
- From a Detect alert, make a live connection to a suspicious endpoint for further investigation.
From the help on the Detect home page, you can access the Evaluation Engine documentation. This documentation provides an in-depth explanation of how the endpoint interacts with intel and of the scan types, and it describes the intelligence document types, sensor types, possible error messages, and other features that affect the evaluation.
For detailed information about intel documents and their development, see the following resources.
- An Introduction to OpenIOC
- The OpenIOC Framework
- Structured Threat Information eXpression (STIX): A Structured Language for Cyber Threat Intelligence Information
- Trusted Automated eXchange of Indicator Information (TAXII)
- Understanding Indicators of Compromise (IOC), Part I by Will Gragido for RSA Research
- Understanding Indicators of Compromise (IOC), Part II by Will Gragido for RSA Research
- Writing YARA rules
Last updated: 10/17/2017 5:28 PM