Investigating performance and activity history on an endpoint

If you are viewing an endpoint in Reporting or Interact, you can quickly view and analyze performance history and activity history on a single endpoint.

View performance and activity history from the Investigate tab. You access the Investigate tab on the Endpoint Details page of the Reporting workbench. For information on accessing the Endpoint Details page, see Tanium Reporting User Guide: View endpoint details.

Performance events

Investigate provides a visualization of resource consumption over a specific period of time. Performance events include data for CPU, memory, network, disk, and IO. For each type of performance event you can select specific metrics and view the average, minimum, and maximum values of usage over a time frame. For example, for CPU events, you can view the average, minimum, and maximum percentage of CPU usage over a period of time that you select or provide. The selected or provided time frame displays as a line graph that you can zoom in and out of to analyze with deeper focus. Select multiple metrics to visualize how they correlate with one another.

CPU and memory events display a visualization of the processes that were running at any single point in time during the time frame you select or provide, enabling you to understand which processes were consuming CPU or memory resources at that precise time. You can filter for specific processes to display in the visualization. Wildcards and regular expressions are not supported.

  1. At the top of the performance timelines, select the scope to use as a time frame, or select Custom. If you select Custom, provide values for the date and time that correspond with the start and end of the time frame and click Apply Scope.
  2. Click the provided icons to zoom in and out of the time frame to analyze a specific time or understand a bigger picture visualization. Panning back and forward in the time frame moves the time frame back or forward by half the current time frame until you reach the minimum (2 weeks ago) or maximum (current time) supported values. For example, panning out of a "Last 4 Hours" range moves backward in time by two hours, showing six hours ago to two hours ago. Hover over the line chart to show metrics at that specific point in time. Click a highlight to filter the grid to those activities.
  3. (Optional) You can filter for specific processes to display in the visualization. Select a sub-tab (CPU, Memory, Network, Disk, or IO) and select or clear the check boxes of Metrics and Processes to show or hide them in the charts.

Activities

On the Endpoint Details page, select the Investigate tab and scroll to the activities grid. Events display system-impacting events such as patch installations or policy changes. The following events are available:

Event types
Event Type | OS | Time Type | Description
Patch installation by Tanium Patch | Linux, macOS, Windows | Point in time | An operating system patch was installed on the endpoint.
Browser plugins | macOS, Windows | Point in time | Browser plugins have been installed, updated, or uninstalled.
System reboot | Linux, macOS, Windows | Point in time | An endpoint has been rebooted.
External storage connected | Windows | Point in time | An external storage device has been connected.
GPO policy changes performed by Tanium Enforce | Windows | Point in time | A new Windows group policy setting has been applied or a currently applied policy has been changed.
User logon/logoff | Windows | Point in time | A user has logged into or off of an endpoint.
Local account lockout | Windows | Point in time | A local account has been locked out.
ServiceNow ticket creation | Linux, macOS, Windows | Point in time | A ServiceNow ticket has been created.

For each activity in the grid, you can click to view advanced details for the activity. Advanced details provide the start and stop times of the activity and information about the specific event. For example, if the activity is a Windows event, you can view information from the Windows event log and view the Windows event message.

In the activities grid, click Scope Charts to Timeframe in the Actions column to view the activities timeline focused on the selected activity. Focusing on the selected activity lets you see how it relates to other activities that occurred around the same time.

You can select an activity in the grid and click Show Recorder Data to display events from the Client Recorder Extension that occurred within a 10 minute timeframe of the selected activity. Selecting this option displays recorder events that occurred five minutes before and five minutes after the activity start time. For more information about the types of events that the Client Recorder Extension captures, see Tanium Client Recorder Extension User Guide.
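As an added example (not Tanium's code), the following Python models the two timeline rules described on this page: panning the performance time frame by half its width, clamped to the two-week-ago minimum and current-time maximum from step 2 above, and the five-minutes-either-side window that Show Recorder Data applies around an activity start time. The function names, the timestamps, and the recorder events are constructed for illustration.

```python
from datetime import datetime, timedelta

# Limits stated on the page: panning stops at two weeks ago and at the
# current time; Show Recorder Data covers five minutes either side of
# the activity start time.
MAX_LOOKBACK = timedelta(weeks=2)
RECORDER_HALF_WINDOW = timedelta(minutes=5)


def pan_scope(start, end, direction, now):
    """Shift [start, end] back (direction < 0) or forward by half its width,
    never moving past now - 2 weeks (backward) or now (forward)."""
    if end <= start:
        raise ValueError("end must be after start")
    step = (end - start) / 2
    if direction < 0:
        shift = max(timedelta(0), min(step, start - (now - MAX_LOOKBACK)))
        return start - shift, end - shift
    shift = max(timedelta(0), min(step, now - end))
    return start + shift, end + shift


def recorder_window(activity_start, recorder_events):
    """Recorder events within five minutes before or after the activity start."""
    lo, hi = activity_start - RECORDER_HALF_WINDOW, activity_start + RECORDER_HALF_WINDOW
    hits = (e for e in recorder_events if lo <= e["ts"] <= hi)
    return sorted(hits, key=lambda e: e["ts"])


# Constructed sample data (hypothetical, not from a real endpoint).
NOW = datetime(2024, 1, 15, 12, 0)
LOCKOUT_AT = NOW - timedelta(hours=2)  # a "Local account lockout" activity
RECORDER_EVENTS = [
    {"ts": LOCKOUT_AT - timedelta(minutes=4), "event": "process start: example.exe"},
    {"ts": LOCKOUT_AT + timedelta(minutes=3), "event": "registry write"},
    {"ts": LOCKOUT_AT + timedelta(minutes=7), "event": "file write (outside window)"},
]


def hours_ago(ts, now=NOW):
    return (now - ts) / timedelta(hours=1)


def pan_last_4_hours_back():
    """The page's worked case: 'Last 4 Hours' panned back shows 6h ago to 2h ago."""
    s, e = pan_scope(NOW - timedelta(hours=4), NOW, -1, NOW)
    return hours_ago(s), hours_ago(e)


def pan_near_minimum_back():
    """A 4h frame starting 13 days 23 hours ago: panning back stops at 14 days."""
    s, _ = pan_scope(NOW - timedelta(days=13, hours=23), NOW - timedelta(days=13, hours=19), -1, NOW)
    return (NOW - s).days, (NOW - s).seconds


def lockout_recorder_events():
    return [e["event"] for e in recorder_window(LOCKOUT_AT, RECORDER_EVENTS)]
```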

In the activities grid, select one or more events and click Add to Investigation to add the activity to a new or existing investigation.

ServiceNow

Investigate provides the ability to integrate activities from ServiceNow. You can add ticket creation in ServiceNow as an activity in an investigation.

Using ServiceNow integration requires the Investigate Partner Integration permission.

  1. From ServiceNow, select a ticket for which you want to add activities to an investigation.
  2. Click Launch Tanium Live UI.
  3. A direct connection is opened to the endpoint that is the subject of the ticket.
  4. On the Endpoint Details page, select the Investigate tab and scroll to the activities grid.
  5. In the activities grid, select one or more activities and click Add to Investigation to add the activity to an investigation.