Incident Response overview

Tanium™ Incident Response consists of several solutions that you can deploy to manage incidents across the enterprise.

Incident Response

With the core Incident Response (IR) solution, you deploy a set of IR tools to each endpoint. With these tools on the endpoints, you can: 

  • Scope and hunt for incidents across the enterprise by searching for evidence from live system activity and data at rest with simple natural language queries.
  • Examine and parse dozens of forensic artifacts on Windows, Mac, and Linux systems.
  • Identify outliers and anomalies by collecting and comparing data across systems in real time.
  • Build saved queries and dashboards to continuously monitor endpoints for malicious activity aligned to key phases of the intrusion lifecycle.

Do not install Tanium Incident Response or deploy Incident Response tools when Tanium Threat Response is imported.


Index the file systems on Tanium Client endpoints that are running Windows, Linux, or macOS operating systems.  File system inventory, hashes, and magic numbers are recorded in an SQLite database for investigation of threat indicators.

Live Response

Configure what information to collect from suspicious Windows, Linux, and macOS endpoints for further forensic analysis and data correlation. Investigate potentially compromised systems with a customizable and extensible framework.


Isolate targeted machines from communicating with unapproved network addresses or IP ranges by applying network quarantine. You can apply a quarantine to Windows, Linux, and macOS endpoints that show evidence of compromise or other suspicious activity. You can use Tanium Quarantine to apply, remove, and test for quarantine.

Integration with Detect

In cases where a wider search or a search for a large or dispersed data set is required, you can integrate Tanium™ Detect into the hunt. For example, to exhaustively search for hundreds of hashes, or to perform recursive searches in nested directories, use Detect to create a custom IOC intel document for quick scans or background scans. For more information about Detect, see the Tanium Detect User Guide.