Managing alerts

You can view alerts in three places: in the high-level overview on the home page, on the page of an individual intel document, or on the Alerts page.

View unresolved alerts

  • On the Detect home page, the alert visualization provides a high-level view of the alerts. To see a list of the unresolved alerts, click Investigate.



  • On the Detect home page, you can also review alerts by label or source type.


View alerts by intel document

Click Management > Intel. To open a single piece of intel, click the name of the item. From the individual page, you can review alerts that are associated with the intel, the activity over the last 30 days, the engine analysis, and you can edit the definition.

You can also initiate quick scans for intel documents from the intel page.

Signals do not have the quick scan option. Signals represent the real-time event matching through an integration with Tanium™ Trace.

Example of IOC intel:


Example of signal:


Investigate reputation data

For endpoints that use reputation intel, hashes found by the saved questions are sent to the reputation service for assessment. If this intel generates an alert, hashes are decorated to provide an at-a-glance status. Additionally, any known malicious matches automatically initiate a quick scan on the targeted computer groups and generate an IOC for ongoing background scans. Each reputation IOC can contain up to 20 hashes. These IOCs appear with Reputation as their source.

  1. Expand an alert to see the hash indicator. A hash can have one of the following ratings:
    • Non-Malicious (Green)
    • Malicious (Red)
    • Suspicious (Yellow)
    • Unknown (Grey)
    • Pending
  2. Click a hash to view more details. For reputation data that comes from VirusTotal, you can expand the details and see a color-coded list of intelligence providers that have assessed the hash.

The Detect icon pulses while the quick scan is running. After the quick scan completes, you can use the Interact icon to view the detailed results of the scan. Because alerts are generated and gathered asynchronously from the scan, they might appear on the Alerts page before the scan completes.

Review reputation data

For endpoints that use reputation intel, hashes found by the saved questions are sent to the third-party reputation service for assessment. If this intel generates an alert, process and driver hashes are decorated to provide an at-a-glance status. Additionally, any known malicious matches automatically initiate a quick scan on the targeted computer group and generate an IOC for ongoing background scans. Each reputation IOC can contain up to 20 hashes. These IOCs appear with Reputation as their source.

The hash indicator is available by expanding an alert.

Figure 1: Alert with malicious hash

A hash can have one of the following ratings:

  • Non-Malicious (Green)
  • Malicious (Red)
  • Suspicious (Yellow)
  • Unknown (Grey)
  • Pending

In addition to the at-a-glance visualization, clicking on the hash opens the Reputation Report Details window. For VirusTotal reputation data, you can expand the details and see a color-coded list of intelligence providers that have assessed the hash.
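The two reputation sections above describe the same flow: each hash gets one of the five ratings, and known-malicious hashes are folded into reputation IOCs of at most 20 hashes, with Reputation as the source, which then drive a quick scan. The following is an added illustration of that flow, not Tanium code: the rating names, the colours, the Reputation source label and the 20-hash limit come from the documentation; the `Assessment` and `ReputationIOC` records, the function names and the sample hashes are constructed for this example.

```python
"""Illustrative model of the reputation-decoration workflow (added example,
not Tanium's implementation). Only the rating names, colours, the
'Reputation' source label and the 20-hash-per-IOC limit come from the
documentation; the record shapes and helper names below are assumptions."""
from dataclasses import dataclass
from typing import Iterable

# Ratings as listed in the documentation, with their at-a-glance colour.
RATING_COLOR = {
    "Non-Malicious": "Green",
    "Malicious": "Red",
    "Suspicious": "Yellow",
    "Unknown": "Grey",
    "Pending": None,  # the reputation service has not answered yet
}
MAX_HASHES_PER_IOC = 20  # per the documentation


@dataclass(frozen=True)
class Assessment:
    """One hash as returned by the reputation service (constructed shape)."""
    sha256: str
    rating: str


@dataclass
class ReputationIOC:
    """One generated IOC; the source label is the one the Alerts page shows."""
    hashes: list
    source: str = "Reputation"


def decorate(assessment: Assessment) -> dict:
    """At-a-glance decoration for a single hash.

    A rating name the table does not know is shown as Unknown rather than
    raising, so a malformed service response never hides a hash from view.
    """
    rating = assessment.rating if assessment.rating in RATING_COLOR else "Unknown"
    return {"hash": assessment.sha256, "rating": rating, "color": RATING_COLOR[rating]}


def build_reputation_iocs(assessments: Iterable[Assessment]) -> list:
    """Collect known-malicious hashes into IOCs of at most 20 hashes each.

    Suspicious, Unknown and Pending hashes are deliberately left out: only
    known-malicious matches drive the automatic quick scan. Duplicates are
    collapsed so a hash seen on several endpoints occupies one slot.
    """
    malicious = sorted({a.sha256 for a in assessments if a.rating == "Malicious"})
    return [
        ReputationIOC(hashes=malicious[i:i + MAX_HASHES_PER_IOC])
        for i in range(0, len(malicious), MAX_HASHES_PER_IOC)
    ]


def quick_scan_needed(assessments: Iterable[Assessment]) -> bool:
    """True when at least one hash is known malicious."""
    return any(a.rating == "Malicious" for a in assessments)


def sample_assessments() -> list:
    """Constructed sample: 45 distinct 'malicious' hashes (one repeated),
    plus one hash in each of the other states. Not real hashes."""
    malicious = [Assessment(f"{i:064x}", "Malicious") for i in range(45)]
    repeat = [Assessment("0" * 64, "Malicious")]  # same hash seen twice
    others = [
        Assessment("a" * 64, "Suspicious"),
        Assessment("b" * 64, "Non-Malicious"),
        Assessment("c" * 64, "Unknown"),
        Assessment("d" * 64, "Pending"),
    ]
    return malicious + repeat + others


if __name__ == "__main__":
    data = sample_assessments()
    for ioc in build_reputation_iocs(data):
        print(f"{ioc.source} IOC with {len(ioc.hashes)} hashes")
    print("quick scan needed:", quick_scan_needed(data))
    print(decorate(Assessment("d" * 64, "Pending")))
```

With 45 distinct malicious hashes the sample yields three IOCs of 20, 20 and 5 hashes, which is the batching behaviour the 20-hash limit implies; a Pending hash decorates with no colour, matching the list above where Pending carries none.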


Find similar matches

You can limit alerts to those that are similar to a specific alert.

This feature is not available for alerts that were generated by signals.

  1. Go to Alerts. Click an alert.
  2. Expand the basic alert details and click Find Similar Matches.



Investigate alerts in Trace

If you have a suspicious signal alert, you can open a live connection in Trace to investigate further.

For Tanium Platform version 7.1.314.3071 and later, you must have additional Trace permissions. For more information, see the Tanium Trace User Guide: Console roles and privileges.

  1. Go to Alerts. Select the signal alert that you want to investigate.
  2. Click Actions > Investigate in Trace.
  3. When Trace is ready, click Start live connection [endpoint name].

The process and event details page opens in Trace. Take a snapshot of suspicious endpoints for saved evidence.

Delete alerts

You can delete alerts at any point. If an alert is matched again at a later time, the alert recurs.

  1. Go to Alerts.
  2. Select the alerts that you want to delete.

    If needed, reorder or filter the list of alerts.

  3. Click Actions > Delete.

Last updated: 2/20/2018 1:21 PM