Incident Response overview

Tanium Incident Response™ (Incident Response) consists of several solutions that you can deploy to manage incidents across the enterprise.

Incident Response

With the core Incident Response (IR) solution, you deploy a set of IR tools to each endpoint. With these tools on the endpoints, you can: 

  • Scope and hunt for incidents across the enterprise by searching for evidence from live system activity and data at rest with simple natural language queries.
  • Examine and parse dozens of forensic artifacts on Windows, Mac, and Linux systems.
  • Identify outliers and anomalies by collecting and comparing data across systems in real time.
  • Build saved queries and dashboards to continuously monitor endpoints for malicious activity aligned to key phases of the intrusion lifecycle.


Index the file systems on Tanium Client endpoints that are running Windows or Mac OS X operating systems. A file system inventory, hashes, and magic numbers are recorded in an SQLite database for investigation of threat indicators.

IR Memory

Analyze the contents of memory live on Windows endpoints in your environment.

IR Gatherer

Collect information from compromised Windows, Linux, and Mac OS X endpoints for further forensic analysis. Investigate potentially compromised systems by looking at file system metadata, event logs, and memory.


Isolate targeted machines from communicating with unapproved network addresses or IP ranges by applying network quarantine. You can apply a quarantine to Windows, Linux, and Mac OS X endpoints that show evidence of compromise or other suspicious activity. You can use Tanium Quarantine to apply, remove, and test for quarantine.

Integration with IOC Detect

In cases where a wider search or a search for a large or dispersed data set is required, you can integrate Tanium IOC Detect™ (IOC Detect) into the hunt. For example, to exhaustively search for hundreds of hashes, or to perform recursive searches in nested directories, use IOC Detect to create and schedule a custom IOC. For more information about IOC Detect, see the Tanium IOC Detect User Guide.

Last updated: 10/12/2017 10:25 AM