Exporting reputation data

View reputation data

To view a list of the malicious hashes that Reputation has pulled from the reputation services, open the Malicious tab in the Reputations section of the Overview page.

Only hashes with a malicious or pending status are listed.

In Threat Response, you can view the ratings on hashes for live endpoints or snapshots. For more information, see Tanium Threat Response User Guide: Connecting to live endpoints and exploring data.

Send data to Connect destinations

Use Connect 5.2.3 or later to create a connection to send the data that is in the reputation database to any Connect destination. For example, you might configure a connection to create an email notification when a malicious item is found.

  1. From the Connect Overview page, click Create Connection.
  2. Specify a name and description.
  3. For the source, select Tanium Reputation.
    You can also select the reputation status to include.
  4. Configure the destination settings for the connection.

The first run of a connection that uses Tanium Reputation as a source retrieves all available reputation items. Subsequent runs of that connection retrieve only the reputation changes since the last time the connection ran.

For more information, see Tanium Connect User Guide: Managing connections.

Send data to the reputation service

If you want to pre-populate reputation data with hashes from your environment, you can send data to the reputation service as a connection destination. When this content is pre-populated, the reputation service can start querying the reputation sources for the status of the items.

  1. From the Connect Overview page, click Create Connection.
  2. Specify a name and description.
  3. For the source, choose a saved question that returns a hash, such as Running Processes with MD5 Hash.

    You can use the following settings for saved questions:

    Flatten Results: You might want to enable the Flatten Results setting to process results as individual records. For example, you might want to get notified when you see a new MD5 hash on a machine. Without the Flatten Results setting enabled, the entire data set that is retrieved by the saved question from a machine, such as all MD5 hashes, is considered to be a single record. Any change that is made to this data set shows up in the destination. By enabling the Flatten Results setting, Connect processes the new hashes on an individual basis (one MD5 hash from one machine) instead of all hashes from a machine as a single record.

    Hide Errors: If the saved question returns an error, you can use the Hide Errors setting to prevent the error results from getting sent to the destination.

    Hide No Results: If the saved question returns [No results], you can use the Hide No Results setting to prevent this result from being sent to the destination.

    Include Recent Results: If you want to include results from machines that are offline, select Include Recent Results, which returns the most recent answer to the saved question for the offline endpoint.

    Answer Complete Percent: Results are returned when the saved question returns the configured complete percent value. Any results that come in after the configured percent value has passed are not sent to the destination. If you are finding that the data returned from the saved question is incomplete in your destination, you can disable this setting by setting it to 0. If disabled, all data is returned after the timeout passes.

    Timeout: Minutes to wait for clients to reply before returning processed results when Answer Complete Percent is set to 0. If the Answer Complete Percent value is not met at the end of the time limit, then the connection run is marked as a failure.

    Batchsize: Number of rows that are returned for the saved question results at one time. This setting might vary depending on your destination.
  4. For the destination, choose Tanium Reputation and select the appropriate hash type for the Hash Field.

Each reputation service connection destination is configured for a specific hash column name. You must use a separate destination for each hash type that you are populating. For example, if you are populating both MD5 and SHA1 hashes from different saved questions, create two connection destinations with different values for the Hash Field field.
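
The difference between the two Flatten Results modes, as an added example that is not part of the Tanium documentation or product code: a simplified Python model in which a run forwards only the records that changed since the previous run. The function names, hostnames and sample runs are assumptions made for illustration.

```python
# Simplified model of the Flatten Results setting; not Tanium Connect code.
# Constructed sample data: hostnames are made up, and the hashes are
# standard MD5 test-vector values, not indicators.
H_A = "d41d8cd98f00b204e9800998ecf8427e"
H_B = "9e107d9d372bb6826bd81d3542a419d6"
H_NEW = "e4d909c290d0fb1ca068ffaddf22cbd0"

RUN_1 = {"ws-01": [H_A, H_B], "ws-02": [H_B]}
RUN_2 = {"ws-01": [H_A, H_B, H_NEW], "ws-02": [H_B]}  # one new hash on ws-01


def to_records(results, flatten):
    """Build the set of records that one run of the saved question produces."""
    if flatten:
        # One record per (machine, hash) pair.
        return {(host, h) for host, hashes in results.items() for h in hashes}
    # One record per machine: the whole hash list is a single value.
    return {(host, tuple(sorted(hashes))) for host, hashes in results.items()}


def changed_records(previous, current, flatten):
    """Records in the current run that did not exist in the previous run."""
    return sorted(to_records(current, flatten) - to_records(previous, flatten))


def hashes_sent(previous, current, flatten):
    """Count the hash values that reach the destination for this run."""
    total = 0
    for _host, value in changed_records(previous, current, flatten):
        total += 1 if flatten else len(value)
    return total


if __name__ == "__main__":
    for flatten in (False, True):
        changed = changed_records(RUN_1, RUN_2, flatten)
        print(f"flatten={flatten}: {len(changed)} changed record(s), "
              f"{hashes_sent(RUN_1, RUN_2, flatten)} hash(es) sent")
        for record in changed:
            print("   ", record)
```

In this model, one new hash on ws-01 causes the unflattened run to resend that machine's whole hash list as a changed record, while the flattened run sends only the new (machine, hash) pair.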

Send data to Trends boards

Use Trends 3.6.323 or later to import a board that contains different panels of reputation metrics. By default, the Reputation Overview page shows the metrics from the Service Usage section of the Reputation board.

  1. From the Trends menu, click Boards and then click Import > Gallery.
  2. Select Reputation and then select which sections or panels you want to import.
    By default, everything is selected.
  3. Click Validate.

    If you see a warning about missing content sets, select Reputation.

  4. Click Import.

For more information, see Tanium Trends User Guide: Importing the initial gallery.