Reference: Manage high-priority paths

Tanium Threat Response uses Index to scan the entire disk on an endpoint at regular intervals, typically between once a day and once a week. Index does not use recorder events to update file data across the entire disk. Many Threat Response users want more frequent updates for files in certain regions of the disk. To provide this visibility, in addition to the baseline disk scan, Threat Response enables you to specify high priority paths, which use recorder events to update data and are also scanned every 24 hours by default.

A high priority path must include a file.path starts with clause in Tanium signal syntax. Escape backslash characters in paths. For example, use C:\\Users\\Administrator to make C:\Users\Administrator a high priority path.

  • Supported: file.path starts with 'C:\\Users\\Administrator'
  • Unsupported: file.path starts with 'C:\'

In addition to the file.path starts with clause, a high priority path can specify one or more file.path ends with clauses to narrow the file types to inspect.

  • Supported: file.path starts with 'C:\\Users\\Administrator' and file.path ends with '.dat'
  • Supported: file.path starts with 'C:\\Windows\\System32' and file.path ends with '.dll' and file.path ends with '.exe'
  • Unsupported: file.path ends with '.dat' (Note that a file.path ends with clause must be combined with a file.path starts with clause)
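
The rules above can be checked before a definition is saved. The following lint is an added example, not Tanium code or Tanium's own validation; the function name `lint_high_priority_path` is hypothetical, and it checks only the rules stated on this page (a required starts with clause, escaped backslashes, and clauses joined by `and`).

```python
import re

# A single clause as written on this page: file.path <operator> '<value>'
CLAUSE = re.compile(r"file\.path\s+(starts with|ends with)\s+'([^']*)'")

def lint_high_priority_path(expr):
    """Return a list of problems; an empty list means the page's rules pass."""
    problems = []
    clauses = [(m.group(1), m.group(2)) for m in CLAUSE.finditer(expr)]

    # Anything left after removing the clauses must be the joining "and" words.
    leftover = CLAUSE.sub(" ", expr).split()
    expected_joins = max(len(clauses) - 1, 0)
    if any(word != "and" for word in leftover) or len(leftover) != expected_joins:
        problems.append("unrecognized text outside starts with / ends with clauses")

    # An ends with clause alone is unsupported: a starts with clause is required.
    if not any(op == "starts with" for op, _ in clauses):
        problems.append("missing file.path starts with clause")

    for op, value in clauses:
        # Strip correctly escaped pairs (\\); any backslash that remains is unescaped.
        if "\\" in value.replace("\\\\", ""):
            problems.append(f"unescaped backslash in '{op}' value {value!r}")
    return problems

# Constructed sample definitions, using the forms shown on this page.
SAMPLES = [
    r"file.path starts with 'C:\\Users\\Administrator'",
    r"file.path starts with 'C:\\Windows\\System32' and file.path ends with '.dll'",
    r"file.path starts with 'C:\'",
    r"file.path ends with '.dat'",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", lint_high_priority_path(sample) or "OK")
```

A definition that passes this lint can still return no files if its origin matches a Threat Response Index exclusion, so check the exclusion list separately.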

Scans for high priority paths and default Index scans are separate. If a high priority path full scan (default 24 hours) has occurred and a normal Index scan (default 7 days) triggers a few hours later, the high priority path is scanned again.

The Index exclusions in Threat Response take precedence over any configured high priority paths. If the origin of a high priority path matches any of the configured Threat Response Index exclusions, the high priority path scans complete immediately after starting, and do not find files or directories.

The Index exclusions in Reveal will not take precedence over any high priority paths configured in Threat Response.