Use Detect to streamline the analysis of suspicious activity and enable real-time responses to intrusions. Deploy intelligence about indicators of compromise to continuously scan groups of endpoints. When a potential compromise is detected, an alert gets generated.
You can customize what intel is applied to your groups and combine threat data from multiple sources.
You can use signals through an integration with Tanium™ Trace for the continuous, real-time evaluation of process, network, registry, and file events on Windows endpoints. Signals implement a specific language that the Detect service ingests and validates for both language syntax and the currently supported terms and conditions. Signals are available as a feed from Tanium, or you can author your own signals.
An intel document represents a collection of artifacts to detect and respond to a potential intrusion. These artifacts can include MD5 hashes, file names, domain names, registry data, IP addresses, and process handles. These indicators of compromise (IOCs) might be subject to versioning with updates distinguished by a globally unique identifier (GUID). The common formats, OpenIOC and STIX, provide adaptability for a specific intrusion and can be shared across the enterprise and the broader community. In addition to uploading intel documents manually, you can import or stream intel documents from other sources, such as:
- PwC Threat Intelligence
- TAXII Streams
- iSight Partners Threatscape
- STIX and OpenIOC formatted data
- Tanium Trace
YARA is a pattern-matching engine. YARA files use rules to classify and identify suspicious content inside files on the targeted endpoints. Each rule consists of a Boolean expression to combine user-defined descriptions consisting of byte patterns, strings, and regular expressions. You can use a text editor or tools that auto generate rules. YARA files, when combined with a defined search scope, are used like regular intel for detection scans.
For more information, see the YARA website.
For endpoints configured to use reputation intel, the hashes found by the saved questions are sent to the third-party reputation service for assessment. If this intel generates an alert, process and driver hashes are decorated to provide an at-a-glance status. Any known malicious matches automatically initiate a quick scan on the targeted computer group and an intel document that is used for ongoing background scanning.
Detect packages are automatically created and deployed when groups are configured or intel is uploaded. Each package is pushed separately on the endpoint, and can be updated independently. The packages consist of the following pieces:
- Group configuration package: Contains the Detect tools, the evaluation engine, the intel mapping file, and any blackout periods.
- Intel package: Contains the intel to investigate on the endpoint. Intel packages can be a sync package (all intel) or a delta package (new intel since previous sync or delta package). When intel is updated, a delta intel package is pushed to the endpoints. The name of this update package contains the word Delta, for example: Detect Intel for Windows Revision 51 Delta. After the configured Intel Package Publication Max Deltas (default: 10), a sync package is deployed again.
Intel aggregation and deployment
As intel is brought into the Detect workbench, the source of the intel, such as Tanium Signals or OpenIOC, is identified and you can apply custom labels. Use custom labels to organize any type of intel into sets that are relevant for a specific environment. For example, you might want to sort intel by priority, incident case, or based on the applicable attack surface.
When you create a group configuration, you build an intel mapping file of the intel sources and labels that you want to apply. The intel mapping file dictates how intel is compiled and applied to endpoints. During deployment, all endpoints receive all intel. The intel mapping file determines which intel the engine should use during evaluations. By having the full intel package available on the endpoint, you can rapidly change the applied intel with a simple configuration change. The sources and labels allow you to dynamically update the intel documents and signals that are included in the evaluation.
How evaluation scanning works
The evaluation engine searches the endpoint for the specified intel in three ways: with continuous background scans, limited-use quick scans, and live event monitoring with Trace.
Background scans provide automated threat scanning across hundreds of endpoint artifacts and they support a diverse set of threat intelligence types. The engine searches for the specified intel and evaluates the intel against the defined candidate population. If a match is found, the engine generates an alert and the Detect service collects these alerts on a regular basis, without waiting for the scan to complete.
Quick scans are meant to be used in a limited capacity, as they can only search with a single piece of intel on one computer group at a time. Initiating a quick scan pauses background scan, completes the quick scan, and then the background scan resumes. This type of scanning is helpful in situations of high urgency. If any matches are found, they generate an alert that is reported asynchronously; you do not have to wait for the scan to complete.
When a scan finds a match, the alert is gathered from the endpoint and reported back to Detect. From there, you can further investigate the endpoint through Tanium Trace or other Tanium solutions.
If you have endpoints that are mission-critical or need to limit when Detect can be active, you can include blackout periods with the group configuration. Neither type of scan can run during those times.
By Integrating with other Tanium products and content, detection scans can run faster and more thoroughly.
Events and alerts generated by Detect are sent to Connect. By configuring a Connect destination, this information is actionable outside of Tanium. Detect sends hash information from saved questions to Connect and reputation service providers to elaborate on process hashes for an at-a-glance reputation status. You can also configure incoming connections from sources such as Palo Alto Wildfire to create threat data.
Use Index to create a full index of the files that exist on an endpoint local file system. Index captures file and path information, the hash, and magic number. With Index, Detect can quickly determine whether a particular file exists on the endpoint without having to scan through the entire file system. You can create intel documents to look for a full or partial file name or directory path, file hash (MD5, SHA1, and SHA256), and the magic number.
Detect integrates with Trace in the following ways:
- You can use Trace evidence from a single endpoint to scan any other endpoint that has Detect tools installed.
- You can use Trace historical data that was captured by the event recorder for in-depth scanning of each endpoint for evidence of intel matches. Signals are sent to the Trace event recorder for live process event matching.
- You can make a live connection to a suspicious endpoint from a Detect alert for further investigation.
Evaluation engine documentation
The evaluation engine documentation provides an in-depth explanation of how endpoints interact with intel and types of scans. The documentation provides a description of intelligence document types, sensor types, possible error messages, and other features that affect the evaluation. From the Detect home page, click Help , then click the Evaluation Engine tab.
The API documentation provides the list of paths and models and includes interactive features to try out operations. From the Detect home page, click Help , then click the API tab.
For detailed information about intel documents and their development, see the following resources.
- Structured Threat Information eXpression (STIX): A Structured Language for Cyber Threat Intelligence Information
- Trusted Automated eXchange of Indicator Information (TAXII)
- Writing YARA rules
This documentation may provide access to or information about content, products (including hardware and software), and services provided by third parties (“Third Party Items”). With respect to such Third Party Items, Tanium Inc. and its affiliates (i) are not responsible for such items, and expressly disclaim all warranties and liability of any kind related to such Third Party Items and (ii) will not be responsible for any loss, costs, or damages incurred due to your access to or use of such Third Party Items unless expressly set forth otherwise in an applicable agreement between you and Tanium.
Further, this documentation does not require or contemplate the use of or combination with Tanium products with any particular Third Party Items and neither Tanium nor its affiliates shall have any responsibility for any infringement of intellectual property rights caused by any such combination. You, and not Tanium, are responsible for determining that any combination of Third Party Items with Tanium products is appropriate and will not cause infringement of any third party intellectual property rights.
Tanium is committed to the highest accessibility standards to make interaction with Tanium software more intuitive and to accelerate the time to success. For more information, see Tanium Product Accessibility.
Last updated: 9/18/2020 10:35 AM | Feedback