Creating investigations

Overview

Investigations provide visibility into activity and performance history across endpoints and leverage Tanium knowledge to surface activities of interest. They enable intelligent workflows for learning more about those activities and their potential impact across all the endpoints in an environment, and they give you a better way to view and organize data from Tanium Clients. An investigation lets you correlate data points that came from one or multiple endpoints. Add activities that have forensic value to an investigation to triage issues quickly, and add comments about these data points and the conditions in which they occur to collaborate with your team.

Analyze the context of activities in an investigation, such as performance and system events, software installations, and installations of browser plugins. Investigations summarize all known details for activities of interest and present detailed visualizations that give a deeper understanding of what is occurring in an environment. With this summary context, you can see which endpoints are of interest to investigators, which activities on those endpoints are likely relevant, and which actors participated in those events.

You can assign an owner to each investigation, analyze its impact, and use Tanium solutions to take actions such as remediation measures or full quarantine on specific endpoints or groups of endpoints. Each investigation is a unique entity in which comments about the investigation are preserved.

You can add comments to a closed investigation, but you cannot edit it in any other way without reopening it. To reopen a closed investigation, select it on the Investigations page and click Actions > Reopen.

Create an investigation

  1. From the Investigations menu, select Overview. The Overview page shows summary charts of the number of open investigations, broken down in three ways:
    • Investigations by priority - the number of open investigations distributed by the priority of each investigation.
    • Investigations by assignee - the number of open investigations distributed by the owner of each investigation.
    • Investigations by status - the number of open investigations distributed by the current status of each investigation.
  2. Select activities to add from the Investigate tab on the Endpoint Details page. For information on accessing the Endpoint Details page, see Tanium Reporting User Guide: View endpoint details.
  3. For any activity, click Add to Investigation to add it to an investigation. To add several activities at once, select them and click Add to Investigation.
  4. Click New or Existing. If you select Existing, select the name of the investigation that you want to add the activity to and click Save. If you click New, provide a name and description for the new investigation. Assign the investigation to a user and assign a priority. The user that you assign the investigation to is typically tasked with further analysis of the implications of the investigation and is responsible for performing any required tasks on the endpoints.
  5. Select the content set in which the investigation is saved. When you create a new investigation, the Investigation content set is selected by default. You can save a new investigation without selecting a content set, but if you edit an existing investigation whose content set has been deleted, the content set field is blank and you cannot save the investigation until you select a new content set.
  6. Click Save.

Alternatively, you can create an investigation from the Investigate tab on the Endpoint Details page. For more information, see Investigating performance and activity history on an endpoint.

Work with investigations

  1. From the Investigations menu, select Overview.
  2. Select the name of an investigation to drill down into its details and the activities it contains. Click Actions > Edit to change the name, content set, assignee, or priority. Click Actions > Export to download all activities and comments in the investigation as a JSON file, which is saved to the downloads directory on the local system.
  3. The Investigations page provides status, priority, assignee, creator, and dates when the investigation was created and last updated.
  4. The Activities Timeline shows the activities across time for the endpoints in the investigation. Zoom into the Activities Timeline to understand the relationships between activities, and double-click an activity to make it the center point of the timeline. Time filters are useful in the combined view; however, because of the quantity of events, you might need a very short window. Click Revert to return the Activities Timeline to the default display for the investigation.
  5. For each activity in an investigation, you can view and add comments. Click the number in the Comments column for any activity to view or add comments. By default, the Scope, Author, Comments, Last Updated, and Actions columns display in the activities grid; click Customize Columns to also show the Endpoint, User, Activity Type, or Activity Start Time columns. In the comments drawer, click Add Comment to add a new comment. You can edit or delete comments that you have added. You can add comments to a closed investigation, but you cannot add activities to it without reopening it: on the Overview page, click the name of the closed investigation and select Actions > Reopen.

Delete an investigation

  1. From the Investigations menu, select Overview.
  2. The Overview page lists all current investigations. Select the name of the investigation to delete.
  3. Select Delete investigation. Click Delete when prompted.

Close an investigation

  1. From the Investigations menu, select Overview.
  2. Select the name of an investigation.
  3. Click Actions > Close to close the investigation.
  4. Provide a comment to explain the reason for closing the investigation. The comment you provide is the final comment in the thread for the investigation unless you reopen the investigation.
  5. Click Close Investigation.

Reopen an investigation

  1. From the Investigations menu, select Overview.
  2. (Optional) You can filter for closed investigations to locate potential investigations to reopen.
  3. Select the name of a closed investigation.
  4. Click Actions > Reopen to reopen the investigation.
  5. Provide a comment to explain the reason for reopening the investigation.
  6. Click Reopen Investigation.