Managing alerts

You can view alerts in the following locations:

  • The high-level overview on the Detect home page
  • An individual intel document
  • The Alerts page

View unresolved alerts

  • On the Detect home page, the alert visualization provides a high-level view of the alerts. To see a list of the unresolved alerts, click Investigate.

  • On the Detect home page, you can also review alerts by label or source type.


View alerts by intel document

From the Detect Menu, click Management > Intel. To open a single piece of intel, click the name of the item. From the individual intel page, you can review the alerts associated with the intel, the activity over the last 30 days, and the engine analysis, and you can edit the definition.

You can also initiate quick scans for intel documents from the intel page.

Example of IOC intel: (screenshot not reproduced)

Example of signal: (screenshot not reproduced)

Investigate reputation data

For endpoints that use reputation intel, hashes found by the saved questions are sent to the reputation service for assessment. If this intel generates an alert, hashes are decorated to provide an at-a-glance status. Any known malicious matches automatically initiate a quick scan on targeted computer groups and generate an IOC for ongoing background scans. Each reputation IOC can contain up to 20 hashes. These IOCs appear with Reputation as their source.

When the reputation for a hash changes, the intel is updated. For example, if a hash is no longer considered malicious according to reputation data, the associated intel document is updated so no further alerts are generated. If no malicious hashes exist in an intel document, the document is deleted.
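The lifecycle described above (malicious hashes packed into Reputation IOCs of at most 20 hashes, hashes dropped once they are no longer rated Malicious, and empty documents deleted) as an added illustration; this is an assumed model written for this page, not Tanium's implementation, and the document field names are assumptions:

```python
# Added model of the reputation-IOC maintenance behaviour described on this page.
# Not Tanium code; the dict layout ({"name", "source", "hashes"}) is assumed.

MAX_HASHES_PER_IOC = 20  # limit stated on the page for each reputation IOC

# Rating labels as shown in the alert hash indicator.
RATINGS = ("Non-Malicious", "Malicious", "Suspicious", "Unknown", "Pending")


def reconcile_reputation_iocs(iocs, ratings):
    """Return Reputation IOC documents reconciled with the current hash ratings.

    iocs    - list of dicts {"name": str, "source": "Reputation", "hashes": [str]}
    ratings - dict mapping hash -> one of RATINGS
    Only hashes rated Malicious generate ongoing background-scan IOCs.
    """
    unknown = set(ratings.values()) - set(RATINGS)
    if unknown:
        raise ValueError(f"unexpected rating(s): {sorted(unknown)}")
    malicious = {h for h, r in ratings.items() if r == "Malicious"}

    updated, covered = [], set()
    for doc in iocs:
        # A hash no longer considered malicious is removed so it stops alerting.
        kept = [h for h in doc["hashes"] if h in malicious]
        if not kept:
            continue  # a document with no malicious hashes is deleted
        updated.append({**doc, "hashes": kept})
        covered.update(kept)

    # Newly malicious hashes become fresh IOCs, at most 20 hashes per document.
    new = sorted(malicious - covered)
    for i in range(0, len(new), MAX_HASHES_PER_IOC):
        updated.append({
            "name": f"Reputation IOC {len(updated) + 1}",
            "source": "Reputation",
            "hashes": new[i:i + MAX_HASHES_PER_IOC],
        })
    return updated
```

Feeding the function a ratings map with 25 entries produces two new documents (20 and 5 hashes) plus whatever existing documents still hold malicious hashes.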

  1. Expand an alert to see the hash indicator. A hash can have one of the following ratings:
    • Non-Malicious (Green)
    • Malicious (Red)
    • Suspicious (Yellow)
    • Unknown (Gray)
    • Pending
  2. Click a hash to view more details. For reputation data that comes from VirusTotal, you can expand the details and see a color-coded list of intelligence providers that have assessed the hash.

The Detect icon pulses while the quick scan is running. After the quick scan completes, you can use the Interact icon to view the detailed results of the scan. Alerts are generated and gathered asynchronously from the scan. Alerts might be displayed on the Alerts page before the scan completes.

Review reputation data

For endpoints that use reputation intel, hashes found by the saved questions are sent to the third-party reputation service for assessment. If this intel generates an alert, process and driver hashes are decorated to provide an at-a-glance status. Additionally, any known malicious matches automatically initiate a quick scan on the targeted computer group and generate an IOC for ongoing background scans. Each reputation IOC can contain up to 20 hashes. These IOCs display with Reputation as the source.

The hash indicator is available by expanding an alert.

A hash can have one of the following ratings:

  • Non-Malicious (Green)
  • Malicious (Red)
  • Suspicious (Yellow)
  • Unknown (Gray)
  • Pending

In addition to the at-a-glance visualization, clicking a hash opens the Reputation Report Details window. For VirusTotal reputation data, you can view a color-coded list of intelligence providers that have assessed the hash.

Find similar matches

Limit alerts to those that are similar to a specific alert.

  1. From the Detect Menu, click Alerts. Select an alert.
  2. Expand the basic alert details and click Find Similar Matches.

Investigate alerts in Trace

If you have a suspicious alert, you can open a live connection in Trace to investigate further.

For Tanium Platform version 7.1.314.3071 and later, you must have additional Trace permissions. For more information, see the Tanium Trace User Guide: Console roles and privileges.

  1. From the Detect Menu, click Alerts. Select the alert that you want to investigate. You can investigate one alert at a time.
  2. Click Actions > Investigate in Trace.
  3. When Trace is ready, click Start live connection [endpoint name].

The live endpoint page opens in Trace, with appropriate filtering for the type of alert you are investigating. Take a snapshot of suspicious endpoints for saved evidence.

Delete alerts

You can delete alerts at any point. If an alert is matched again at a later time, the alert recurs.

  1. From the Detect Menu, click Alerts.
  2. Select the alerts that you want to delete.

    If needed, reorder or filter the list of alerts.

  3. Click Actions > Delete.

Last updated: 8/2/2018 11:29 AM