Getting started

1. Install Tanium™ Incident Response solutions.

   More information: Installing Incident Response solutions

2. Deploy IR tools to the endpoints that are running Tanium Client.

   More information: Deploying IR tools

3. Use IR sensors to scope and hunt incidents, examine forensic artifacts, collect real time data, and monitor endpoints for malicious activity.

   More information: Using IR sensors and packages

4. Index operating systems.

   Use the Tanium Index solution to index the local file systems on Tanium Client endpoints that are running Windows or Mac OS X operating systems. After the file systems are indexed, you can use sensors to query specific file attributes, such as path, hash, and modified dates.

   More information: Indexing file systems

5. Collect files from endpoints.

   • Move a set of arbitrary files. You can define this list of files with a comma-separated list.
     More information: Copying IR data to a central location
   • With Live Response, you can configure what files and what destinations you want to use to collect data from endpoints.
     More information: Collecting data with Live Response
6. Isolate endpoints.

   You can apply a quarantine on endpoints that show evidence of compromise or other suspicious activity. When applied, the endpoint cannot communicate with any resource other than the Tanium Server.

   More information: Isolating endpoints