Incident Response overview
Tanium Incident Response™ (Incident Response) consists of several solutions that you can deploy to manage incidents across the enterprise.
With the core Incident Response (IR) solution, you deploy a set of IR tools to each endpoint. With these tools on the endpoints, you can:
- Scope and hunt for incidents across the enterprise by searching for evidence from live system activity and data at rest with simple natural language queries.
- Examine and parse dozens of forensic artifacts on Windows, Mac, and Linux systems.
- Identify outliers and anomalies by collecting and comparing data across systems in real time.
- Build saved queries and dashboards to continuously monitor endpoints for malicious activity aligned to key phases of the intrusion lifecycle.
Index the file systems on Tanium Client endpoints that are running Windows or Mac OS X operating systems. A file system inventory, hashes, and magic numbers are recorded in an SQLite database for investigation of threat indicators.
Analyze the contents of memory live on Windows endpoints in your environment.
Collect information from compromised Windows, Linux, and Mac OS X endpoints for further forensic analysis. Investigate potentially compromised systems by looking at file system metadata, event logs, and memory.
Isolate targeted machines a from communicating with unapproved network addresses or IP ranges by applying network quarantine. You can apply a quarantine to Windows, Linux, and Mac OS X endpoints that show evidence of compromise or other suspicious activity. You can use Tanium Quarantine to apply, remove, and test for quarantine.
In cases where a wider search or a search for a large or dispersed data set is required, you can integrate Tanium IOC Detect™ (IOC Detect) into the hunt. For example, to exhaustively search for hundreds of hashes, or to perform recursive searches in nested directories, use IOC Detect to create and schedule a custom IOC. For more information about IOC Detect, see Tanium IOC Detect User Guide.
Last updated: 10/12/2017 10:25 AM | Feedback