Reference: Manage high-priority paths

Tanium Threat Response uses Index to scan the entire disk on an endpoint at regular intervals that typically occur between once a day and once a week. Index does not use recorder events to update file data across the entire disk. Many Threat Response users want more frequent updates for files in certain regions of the disk. To provide this visibility, in addition to the baseline disk scan, Threat Response enables you to specify high priority paths that use recorder events to update data and also scans every 24 hours by default.

A high priority path must include a file.path starts with clause in Tanium signal syntax. Escape backslash characters in paths. For example, use C:\\Users\\Administrator to make C:\Users\Administrator a high profile path.

  • Supported: file.path starts with 'C:\\Users\\Administrator'
  • Unsupported: file.path starts with 'C:\'

A high priority path, in addition to the file.path starts with clause, can additionally specify one or more file.path ends with clauses to narrow the file types to inspect.

  • Supported: file.path starts with 'C:\\Users\Administrator' and file.path ends with '.dat'
  • Supported: file.path starts with 'C:\\Windows\\System32' and file.path ends with '.dll' and file.path ends with '.exe'
  • Unsupported: file.path ends with '.dat' (Note that the file.path ends with must be combined with a file.path starts with filter)

A high priority path can include one wildcard, indicated by an asterisk, in the starts with clause. The wildcard must appear two or more levels deeper than the disk root.

  • Supported: file.path starts with 'C:\\Users\\*\\Downloads'
  • Unsupported: file.path starts with 'C:\*\Tanium'
  • Unsupported: file.path starts with '*:\Program Files'