Incident Response overview
Tanium™ Incident Response consists of several solutions that you can deploy to manage incidents across the enterprise.
With the core Incident Response (IR) solution, you deploy a set of IR tools to each endpoint. With these tools on the endpoints, you can:
- Scope and hunt for incidents across the enterprise by searching for evidence from live system activity and data at rest with simple natural language queries.
- Examine and parse dozens of forensic artifacts on Windows, Mac, and Linux systems.
- Identify outliers and anomalies by collecting and comparing data across systems in real time.
- Build saved queries and dashboards to continuously monitor endpoints for malicious activity aligned to key phases of the intrusion lifecycle.
Index the file systems on Tanium Client endpoints that are running Windows, Linux, or Mac OS X operating systems. A file system inventory, hashes, and magic numbers are recorded in an SQLite database for investigation of threat indicators.
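The indexing approach described above (file inventory, hashes and leading magic bytes kept in SQLite, then queried for indicators) can be demonstrated with a small stand-alone script. This is an added example, not Tanium code; it assumes SHA-256 as the hash, an 8-byte magic prefix, and three constructed sample files written to a temporary directory.

```python
import hashlib, os, sqlite3, tempfile

MAGIC_LEN = 8  # leading bytes stored as the file's "magic number"

# Constructed sample files (not real artifacts): a fake PNG, a text file, and a
# file whose .pdf extension does not match its "MZ" executable header.
SAMPLE_FILES = {
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "notes.txt": b"meeting notes\n",
    "report.pdf": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 32,
}

def index_tree(root, db_path=":memory:"):
    """Walk root and record path, size, SHA-256 and magic bytes in SQLite."""
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE IF NOT EXISTS files "
                 "(path TEXT PRIMARY KEY, size INTEGER, sha256 TEXT, magic TEXT)")
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(MAGIC_LEN)
                    digest = hashlib.sha256(head)  # digest covers the whole file
                    for chunk in iter(lambda: fh.read(1 << 16), b""):
                        digest.update(chunk)
            except OSError:
                continue  # unreadable file: skip it rather than abort the index
            conn.execute("INSERT OR REPLACE INTO files VALUES (?, ?, ?, ?)",
                         (path, os.path.getsize(path), digest.hexdigest(), head.hex()))
    conn.commit()
    return conn

def find_by_hash(conn, hashes):
    """Paths whose SHA-256 matches any of the indicator hashes."""
    marks = ",".join("?" * len(hashes))
    rows = conn.execute(f"SELECT path FROM files WHERE sha256 IN ({marks})", list(hashes))
    return sorted(os.path.basename(r[0]) for r in rows)

def find_magic_mismatch(conn, ext, expected_magic_hex):
    """Files with extension ext whose header is not the expected magic bytes."""
    rows = conn.execute(
        "SELECT path FROM files WHERE path LIKE ? AND substr(magic, 1, ?) != ?",
        ("%" + ext, len(expected_magic_hex), expected_magic_hex))
    return sorted(os.path.basename(r[0]) for r in rows)

def demo():
    root = tempfile.mkdtemp()
    for name, data in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    conn = index_tree(root)
    indicator = hashlib.sha256(SAMPLE_FILES["report.pdf"]).hexdigest()
    return find_by_hash(conn, [indicator]), find_magic_mismatch(conn, ".pdf", "25504446")
```

The second query shows why magic numbers are recorded alongside hashes: a renamed file keeps its extension but not its header, so "25504446" (the ASCII "%PDF" signature) can be checked against what was actually read from disk.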
Collect information from suspicious Windows, Linux, and Mac OS X endpoints for further forensic analysis. Investigate potentially compromised systems by looking at file system metadata, event logs, and memory.
Configure what information to collect from suspicious Windows endpoints for further forensic analysis and data correlation. Investigate potentially compromised systems with a customizable and extensible framework.
Isolate targeted machines from communicating with unapproved network addresses or IP ranges by applying network quarantine. You can apply a quarantine to Windows, Linux, and Mac OS X endpoints that show evidence of compromise or other suspicious activity. You can use Tanium Quarantine to apply, remove, and test for quarantine.
In cases where a wider search or a search for a large or dispersed data set is required, you can integrate Tanium™ Detect into the hunt. For example, to exhaustively search for hundreds of hashes, or to perform recursive searches in nested directories, use Detect to create a custom IOC intel document for quick scans or background scans. For more information about Detect, see the Tanium Detect User Guide.
This documentation may provide access to or information about content, products (including hardware and software), and services provided by third parties (“Third Party Items”). With respect to such Third Party Items, Tanium Inc. and its affiliates (i) are not responsible for such items, and expressly disclaim all warranties and liability of any kind related to such Third Party Items and (ii) will not be responsible for any loss, costs, or damages incurred due to your access to or use of such Third Party Items unless expressly set forth otherwise in an applicable agreement between you and Tanium.
Further, this documentation does not require or contemplate the use of or combination with Tanium products with any particular Third Party Items and neither Tanium nor its affiliates shall have any responsibility for any infringement of intellectual property rights caused by any such combination. You, and not Tanium, are responsible for determining that any combination of Third Party Items with Tanium products is appropriate and will not cause infringement of any third party intellectual property rights.
Last updated: 2/15/2019 10:16 AM