Scanning endpoints

Use Intel documents and signals to find matches on the endpoint through the Detect engine. The engine scans the endpoint through background scans, quick scans, and live signals monitoring through Trace. Background scans begin shortly after intel is deployed to the endpoint and continue on regular intervals. Quick scans are initiated on demand, typically when you need to urgently locate all instances of a potential compromise.

A scan can have three possible results:

  • Match: Identifies potential compromise and generates alerts.
  • No match: None of the intel matched the data on the endpoints.
  • Inconclusive: Generally, an indication that the scan did not complete for some reason.

When a scan finds a match, the alert is gathered from the endpoint and reported to Detect. From there, you can further investigate the endpoint through Tanium Trace or other Tanium solutions.

Background scans

The Detect engine on the endpoint is continually scanning for intel matches. Matches found are considered alerts, which are gathered regularly and sent back to Detect. When a scan is due to run, the engine first checks the last scan to see if the scan was interrupted. If the scan was interrupted, the engine resumes the scan instead of starting a new scan. The scan details must be the same; such as the active configuration id, revision id, and intel revision. Otherwise, it must invalidate the scan and start a new one.

Background scans run automatically on an interval specified by the engine configuration. The default is 24 hours. To edit the configuration of the engine, see the Engine Evaluation documentation. From the Detect home page, click Help , then click the Evaluation Engine tab.

Blackout periods prevent scans from running and interrupt running scans. For more information, see Create a group configuration.

From the group configuration page or a specific computer group, you can see more details about the scan status, tool availability, and open Taniumâ„¢ Interact results to drill down further.

Figure  1:  Scan status and tools

Run a quick scan

Quick scans send a single piece of intel to the endpoints for immediate matching and alert reporting. If the intel is too large, the quick scan option is not available. You can use Signals, OpenIOC, STIX, or YARA intel in a quick scan.

For signals, you can use quick scans for a seven day historical query on the recorder database. Quick scans on signals are also useful when you are authoring signals.

If a background scan is running at the time the quick scan starts, the background scan pauses and then resumes when the quick scan finishes.

The computer group must have Detect tools to be used in a quick scan.

  1. (Optional) Deploy an action to manually push Detect tools to computers that are not part of a group configuration.
  2. Go to Management > Intel.
  3. Click the intel name.
  4. Click Quick Scan.
  5. Select a computer group.
  6. Click Start Scan.

The Detect icon pulses while the quick scan is running. After the quick scan completes, you can use the Interact icon to view the detailed results of the scan. As alerts are generated and gathered asynchronously from the scan, they might display on the Alerts page prior to the scan completion.

Last updated: 9/17/2019 3:26 PM | Feedback