Other resources

Release Notes

Support Knowledge Base
(login required)

Incident Response overview

Tanium™ Incident Response consists of several solutions that you can deploy to manage incidents across the enterprise.

Incident Response

With the core Incident Response (IR) solution, you deploy a set of IR tools to each endpoint. With these tools on the endpoints, you can: 

  • Scope and hunt for incidents across the enterprise by searching for evidence from live system activity and data at rest with simple natural language queries.
  • Examine and parse dozens of forensic artifacts on Windows, Mac, and Linux systems.
  • Identify outliers and anomalies by collecting and comparing data across systems in real time.
  • Build saved queries and dashboards to continuously monitor endpoints for malicious activity aligned to key phases of the intrusion lifecycle.

More information:


Index the file systems on Tanium Client endpoints that are running Windows, Linux, or Mac OS X operating systems.  A file system inventory, hashes, and magic numbers are recorded in an SQLite database for investigation of threat indicators.

More information:

Live Response

Configure what information to collect from suspicious Windows, Linux, and Mac OS X endpoints for further forensic analysis and data correlation. Investigate potentially compromised systems with a customizable and extensible framework.

More information:


Isolate targeted machines from communicating with unapproved network addresses or IP ranges by applying network quarantine. You can apply a quarantine to Windows, Linux, and Mac OS X endpoints that show evidence of compromise or other suspicious activity. You can use Tanium Quarantine to apply, remove, and test for quarantine.

More information:

Integration with Detect

In cases where a wider search or a search for a large or dispersed data set is required, you can integrate Tanium™ Detect into the hunt. For example, to exhaustively search for hundreds of hashes, or to perform recursive searches in nested directories, use Detect to create a custom IOC intel document for quick scans or background scans. For more information about Detect, see the Tanium Detect User Guide.

Last updated: 12/3/2019 2:51 PM | Feedback