Exporting reputation data
View reputation data
In Threat Response, you can view the ratings on hashes for live endpoints or snapshots. For more information, see Tanium Threat Response User Guide: Connecting to live endpoints and exploring data.
Send data to Connect destinations
Use Connect
The first run of a connection that uses Tanium Reputation as a source retrieves all available reputation items. Subsequent runs of that connection retrieve only the reputation changes since the last time the connection ran.
For more information, see Tanium Connect User Guide: Managing connections.
Send data to the reputation service
If you want to pre-populate reputation data with hashes from your environment, you can send data to the reputation service as a connection destination. When this content is pre-populated, the reputation service can start querying the status of the items from the reputation sources.
1. Create a saved question for each of the following questions to collect hash data from your environment. Each entry gives the saved question name followed by its question syntax:

Reputation - Windows AutoRuns (SHA 256)
Question syntax: Get AutoRun Files[SHA256,1] from all machines with is Windows contains true

Reputation - Linux Autoruns (MD5)
Question syntax: Get Linux AutoRuns[MD5,1] from all machines with Is Linux contains true

Reputation - macOS Autoruns (MD5)
Question syntax: Get Mac AutoRuns[MD5,1] from all machines with Is Mac contains true

Reputation - Microsoft EXE Recently Changed
Question syntax: Get Index - File Hash Recently Changed[100,*,*,*,4D5A*,*,*,*,*,0,3,1] from all machines

Reputation - Recently Changed macOS MACH-O 32 Bit
Question syntax: Get Index - File Hash Recently Changed[100,*,*,*,FEEDFACE*,*,*,*,*,0,3,1] from all machines

Reputation - Recently Changed macOS MACH-O 64 Bit
Question syntax: Get Index - File Hash Recently Changed[100,*,*,*,FEEDFACF*,*,*,*,*,0,3,1] from all machines

Reputation - Recently Changed macOS ELF
Question syntax: Get Index - File Hash Recently Changed[100,*,*,*,7F454C46*,*,*,*,*,0,3,1] from all machines

Reputation - Driver Details (SHA 256)
Question syntax: Get "Driver Details with Hash"[SHA256] from all machines

Reputation - Loaded Modules (SHA256)
Question syntax: Get "Loaded Modules with Hash"[SHA256] from all machines

Reputation - Running Processes with Hash (SHA256)
Question syntax: Get "Running Processes with Hash"[SHA256] from all machines

Reputation - Service Module Details (SHA256)
Question syntax: Get "Service Module Details with Hash"[sha256] from all machines

Reputation - Trace Executed Process Hashes (MD5)
Question syntax: Get Trace Executed Process Hashes[3 hours,1571257836726|1571261435726,500] from all machines

The saved questions in this table are examples that can return hash data from endpoints. Implement saved questions and use hash types that are appropriate for your environment. The hexadecimal values in the Index questions are executable file magic numbers: 4D5A is the MZ header of Windows PE files, FEEDFACE and FEEDFACF are the 32-bit and 64-bit Mach-O magic numbers, and 7F454C46 (the bytes \x7FELF) is the ELF header, so the last Index question matches ELF executables such as Linux binaries regardless of the "macOS" in its saved question name. If you use Index sensors to populate the reputation service, the Index configuration must have the appropriate hash type enabled. For more information, see Tanium Threat Response User Guide: Index configurations.
For more information on creating saved questions, see Tanium Console User Guide: Create a saved question.
2. From the Connect Overview page, click Create Connection.
3. Choose Saved Question from the Source drop-down, select one of the saved questions that you created in step 1 from the Saved Question Name drop-down, and select All Computers from the Computer Group drop-down.
You can use the following settings for saved questions:

Include Recent Results: If you want to include results from machines that are offline, select Include Recent Results, which returns the most recent answer to the saved question for each offline endpoint.

Answer Complete Percent: Results are returned when the saved question reaches the configured completion percentage. Any results that arrive after that percentage has been reached are not sent to the destination. If the data returned from the saved question is incomplete in your destination, you can disable this setting by setting it to 0. When disabled, all data is returned after the timeout passes.

Timeout: Minutes to wait for clients to reply before returning processed results when Answer Complete Percent is set to 0. If Answer Complete Percent is set and its value is not met by the end of the time limit, the connection run is marked as a failure. For the best results, set this to 10 minutes.

Batch Size: Number of rows that are returned at one time for the saved question results. The appropriate value might vary depending on your destination.

4. Specify a name that matches the saved question name and enter a connection description.
5. For the destination, choose Tanium Reputation and select the appropriate hash type for the Hash Field.
Each reputation service connection destination can be configured for only one hash column name. If a saved question returns multiple hash types (such as MD5 and SHA256) and you want to send both hashes to Reputation, create two connections, one for each hash type in the Hash Field.
6. In the Schedule section, select Enable Schedule, and stagger the schedule so that these connections do not run simultaneously.
7. Select Advanced - Define as a Cron Expression and enter one of the following cron expressions in the Advanced field. Each entry gives the saved question name, the cron expression, and the resulting frequency:

Reputation - Windows AutoRuns (SHA 256): 0 */3 * * * (minute 0 of every third hour)
Reputation - Linux Autoruns (MD5): 48 */3 * * * (minute 48 of every third hour)
Reputation - macOS Autoruns (MD5): 56 */3 * * * (minute 56 of every third hour)
Reputation - Microsoft EXE Recently Changed: 8 */3 * * * (minute 8 of every third hour)
Reputation - Recently Changed macOS MACH-O 32 Bit: 16 */3 * * * (minute 16 of every third hour)
Reputation - Recently Changed macOS MACH-O 64 Bit: 24 */3 * * * (minute 24 of every third hour)
Reputation - Recently Changed macOS ELF: 32 */3 * * * (minute 32 of every third hour)
Reputation - Driver Details (SHA 256): 10 */1 * * * (minute 10 of every hour)
Reputation - Loaded Modules (SHA256): 20 */1 * * * (minute 20 of every hour)
Reputation - Running Processes with Hash (SHA256): 30 */1 * * * (minute 30 of every hour)
Reputation - Service Module Details (SHA256): 40 */1 * * * (minute 40 of every hour)
Reputation - Trace Executed Process Hashes (MD5): 50 */1 * * * (minute 50 of every hour)

The cron expressions in this table are examples that demonstrate a staggered schedule: the three-hourly jobs and the hourly jobs each start at a different minute, so no two connections start at the same time. Implement a connection schedule that is appropriate for your environment. Running all of the saved questions and connection jobs listed above can quickly consume the API quota of a reputation provider such as VirusTotal. Configure the "Maximum Hashes Processed Per Day" setting if the provider allows it. Fewer saved questions and connection jobs may be required to stay within the API quota.
Understand the potential resource usage of sensors on endpoints and implement according to your environment. Use discretion when implementing saved questions that run frequently; environments with resource constraints may be affected. For example, "Loaded Modules with Hash"[SHA256] takes time to run and returns large, string-heavy results. Lengthening the connection interval, staggering the connection job schedules, changing the hash type, or excluding low-resource endpoints from targeting may be necessary. Contact Tanium Support for assistance in understanding the reputation workflow and defining the saved questions and connection schedule suitable for your environment.
8. Save the connection.
9. Repeat steps 2-8 for the remaining saved questions.
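Before saving a set of cron expressions, it is worth checking mechanically that the stagger holds and how many runs per day the schedule produces. The following Python script is an added example and is not part of the Tanium documentation or product: it parses the 5-field cron expressions that Connect accepts under Advanced - Define as a Cron Expression, expands each one into the minutes of the day at which the connection starts, reports any minute at which two reputation connections would start together, counts runs per day, and turns an assumed number of hashes per run into an estimated daily lookup count to compare against a provider quota. SCHEDULE is copied from the table above; the per-run hash counts fed to estimated_daily_lookups are hypothetical placeholders that you must replace with what your own saved questions actually return.

```python
"""Stagger and volume check for the Connect reputation schedule.

Added example, not Tanium code. Models only cron expressions whose
day-of-month, month and day-of-week fields are '*', which is all the
schedule on this page uses.
"""

# Saved question name -> cron expression, copied from the table above.
SCHEDULE = {
    "Reputation - Windows AutoRuns (SHA 256)": "0 */3 * * *",
    "Reputation - Linux Autoruns (MD5)": "48 */3 * * *",
    "Reputation - macOS Autoruns (MD5)": "56 */3 * * *",
    "Reputation - Microsoft EXE Recently Changed": "8 */3 * * *",
    "Reputation - Recently Changed macOS MACH-O 32 Bit": "16 */3 * * *",
    "Reputation - Recently Changed macOS MACH-O 64 Bit": "24 */3 * * *",
    "Reputation - Recently Changed macOS ELF": "32 */3 * * *",
    "Reputation - Driver Details (SHA 256)": "10 */1 * * *",
    "Reputation - Loaded Modules (SHA256)": "20 */1 * * *",
    "Reputation - Running Processes with Hash (SHA256)": "30 */1 * * *",
    "Reputation - Service Module Details (SHA256)": "40 */1 * * *",
    "Reputation - Trace Executed Process Hashes (MD5)": "50 */1 * * *",
}


def expand_field(field, low, high):
    """Expand one cron field (*, */n, a-b, a-b/n, a, a,b,c) into a set of ints."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError(f"bad step in cron field {field!r}")
        if part == "*":
            start, end = low, high
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            # A bare value; with a step ("5/10") it means "every 10 starting at 5".
            start = int(part)
            end = high if step > 1 else start
        if not (low <= start <= end <= high):
            raise ValueError(f"cron field {field!r} outside {low}-{high}")
        values.update(range(start, end + 1, step))
    return values


def daily_start_minutes(expr):
    """Minutes of the day (0-1439) at which a 5-field cron expression fires."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 cron fields: {expr!r}")
    minute_field, hour_field, dom, month, dow = fields
    if (dom, month, dow) != ("*", "*", "*"):
        raise ValueError(f"day and month fields are not modelled: {expr!r}")
    minutes = expand_field(minute_field, 0, 59)
    hours = expand_field(hour_field, 0, 23)
    return sorted(h * 60 + m for h in hours for m in minutes)


def find_collisions(schedule):
    """Map each minute of the day at which two or more connections start to
    the names of those connections. An empty result means the stagger holds."""
    starts = {}
    for name, expr in schedule.items():
        for t in daily_start_minutes(expr):
            starts.setdefault(t, []).append(name)
    return {t: names for t, names in starts.items() if len(names) > 1}


def runs_per_day(schedule):
    """Number of connection runs each schedule entry produces per day."""
    return {name: len(daily_start_minutes(expr)) for name, expr in schedule.items()}


def estimated_daily_lookups(schedule, hashes_per_run):
    """Runs per day times the assumed hashes each run contributes (hypothetical
    input); compare the total with the provider's daily API quota."""
    return sum(runs * hashes_per_run.get(name, 0)
               for name, runs in runs_per_day(schedule).items())


if __name__ == "__main__":
    clashes = find_collisions(SCHEDULE)
    print("start-time collisions:", clashes or "none")
    print("total runs per day:", sum(runs_per_day(SCHEDULE).values()))
    # Hypothetical assumption: every run contributes 25 hashes.
    assumed = {name: 25 for name in SCHEDULE}
    print("estimated lookups per day:", estimated_daily_lookups(SCHEDULE, assumed))
```

For the schedule above the script reports no collisions and 176 runs per day (seven three-hourly jobs at 8 runs each plus five hourly jobs at 24 runs each); replacing the hourly minute offsets with 0 would immediately show the three-hourly jobs colliding with them at minute 0 of every third hour.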
Send data to Trends boards
Use Trends
For more information, see Tanium Trends User Guide: Importing the initial gallery.
Last updated: 5/30/2023 12:03 PM