Using IR sensors and packages

Use IR sensors for rapid response to and scoping of incidents. Incident response can require computationally intensive hashing algorithms and extensive file system scans. For this reason, IR sensors are written with a narrow scope to minimize processing and retrieve specific information within seconds. Few search operations are recursive; most sensors perform a hexadecimal search or a hash match on a single file, and target a single directory. This strategy takes advantage of the Tanium linear chaining topology to rapidly deliver critical information at enterprise scale.

About deploying parameterized sensors as actions

Sensors that require extensive computational resources across the security enterprise, for example, sensors that hash files and perform binary searches, are deployed as actions. Deploying parameterized sensors as actions increases the speed of larger tasks, including:

  • Searching across directories for binary data
  • Matching the hash values of files across many directories
  • Hashing and matching executables and their loaded modules

Actions are not processed one at a time. Short actions run at the same time as longer actions. Because they are not strictly queued, shorter actions are not delayed by the execution of more extensive actions.

Actions do not time out. Because the processing time of an action depends on the nature of the task, an action is considered complete when the job begins. The results, however, might not be immediately available.

When you deploy the action, you must provide an IR job ID. Then, you can view results files from Windows-based endpoints with the Incident Response Job Results sensor by specifying the job ID as a parameter. You can retrieve and copy job results files to a central location by using one of the platform-specific collection actions.

Use Cases for IR content

Task: Retrieve a list of all running processes on all endpoints with their hashes
Question: Get Running Processes with Hash from all machines
Sensor: Running Processes with Hash

Task: Retrieve the currently running processes matching a specific MD5 hash
Question: Get MD5 Hash Match Files Executing from all machines
Package: Incident Response - MD5 Hash Match Files Executing

Task: Display IR job results in Tanium Console
Question: Get Incident Response Job Results from all machines
Sensor: Incident Response Job Results

Task: Copy IR job results for Windows-based endpoints to a central location
Question: Get Has Incident Response ID Files from all machines
Package: IR Gatherer - Collect Info to Central Server

Before you begin

Deploy a parameterized sensor as an action

  1. Identify the endpoints that you want to target.
    1. Ask a question to return a set of endpoints.
    2. Select the endpoints and click Deploy Action.
  2. Specify the parameterized sensor.
    1. Type the name of the parameterized sensor in the Deployment Package field.

      For example, type: Incident Response - Search for Files.

    2. Specify parameters for the sensor.

      For the Incident Response - Search for Files sensor, indicate a Pattern of files to match and the IR Job ID.

      The IR Job ID can be any value that you choose. Use this value to get the results of the action. The value must be unique. If two actions share the same job ID, the files identified by those actions might be destroyed. Remember the value so that you can retrieve the job results later.

    3. Complete deployment of the action. Click Deploy Action.
  3. Get the results of the parameterized sensor action.
    1. Ask the question: Get Incident Response Job Results from all machines
    2. Specify the Incident Response Job ID.

      The value for the job ID is the same value that you specified when you deployed the action.

    3. Click Go.
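The two design points above, a narrowly scoped hash-match sensor that targets a single directory without recursing, and an IR Job ID that must be unique so that one action's results cannot clobber another's, as an added illustration in Python. This is not Tanium's sensor or package code; the directory layout, the results-folder convention and the sample files are constructed for the example.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 16


def md5_of_file(path):
    """Stream the file through MD5 so large binaries do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_match_directory(directory, wanted_md5):
    """Narrow-scope check: hash only the regular files directly inside
    `directory` (no recursion, symlinks skipped) and return the matches."""
    wanted = wanted_md5.lower()
    matches = []
    with os.scandir(directory) as it:
        for entry in it:
            if entry.is_file(follow_symlinks=False) and md5_of_file(entry.path) == wanted:
                matches.append(entry.path)
    return sorted(matches)


def record_results(results_root, job_id, matches):
    """Store results under a folder named for the IR Job ID (assumed layout).
    Refuse to reuse a job ID so an earlier action's results are never destroyed."""
    job_dir = os.path.join(results_root, job_id)
    if os.path.exists(job_dir):
        raise FileExistsError(f"IR Job ID {job_id!r} is already in use")
    os.makedirs(job_dir)
    with open(os.path.join(job_dir, "matches.txt"), "w") as f:
        f.write("\n".join(matches))
    return job_dir


def demo():
    """Constructed sample tree: one matching file at the top level and one in a
    subdirectory, which the non-recursive scan must ignore; then a reused job ID."""
    root = tempfile.mkdtemp()
    payload = b"constructed sample content"
    os.makedirs(os.path.join(root, "sub"))
    for rel, data in (("a.bin", payload), ("b.bin", b"other"), ("sub/c.bin", payload)):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    matches = hash_match_directory(root, hashlib.md5(payload).hexdigest())
    results_root = os.path.join(root, "results")
    record_results(results_root, "IR-0001", matches)
    try:
        record_results(results_root, "IR-0001", matches)
        reuse_rejected = False
    except FileExistsError:
        reuse_rejected = True
    return [os.path.basename(m) for m in matches], reuse_rejected
```

Running `demo()` returns `(["a.bin"], True)`: the file in the subdirectory is not reported, and the second attempt to write under the same IR Job ID is refused.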