Exporting reputation data
In Threat Response, you can view the ratings on hashes for live endpoints or snapshots. For more information, see Tanium Threat Response User Guide: Connecting to live endpoints and exploring data.
The first run of a connection that uses Tanium Reputation as a source retrieves all available reputation items. Subsequent runs of that connection retrieve only the reputation changes since the last time the connection ran.
For more information, see Tanium Connect User Guide: Managing connections.
If you want to pre-populate reputation data with hashes from your environment, you can send data to the reputation service as a connection destination. When this content is pre-populated, the reputation service can start querying the reputation sources about the status of the items.
- From the Connect Overview page, click Create Connection.
- Specify a name and description.
- For the source, choose a saved question that returns a hash, such as Running Processes with MD5 Hash.
You can use the following settings for saved questions:
| Setting | Description |
| --- | --- |
| Flatten Results | You might want to enable the Flatten Results setting to process results as individual records. For example, you might want to get notified when you see a new MD5 hash on a machine. Without the Flatten Results setting enabled, the entire data set that is retrieved by the saved question from a machine, such as all MD5 hashes, is considered to be a single record. Any change that is made to this data set shows up in the destination. By enabling the Flatten Results setting, Connect processes the new hashes on an individual basis (one MD5 hash from one machine) instead of all hashes from a machine as a single record. |
| Hide Errors | If the saved question returns an error, you can use the Hide Errors setting to prevent the error results from getting sent to the destination. |
| Hide No Results | If the saved question returns [No results], you can use the Hide No Results setting to prevent this result from being sent to the destination. |
| Include Recent Results | If you want to include results from machines that are offline, select Include Recent Results, which returns the most recent answer to the saved question for the offline endpoint. |
| Answer Complete Percent | Results are returned when the saved question returns the configured complete percent value. Any results that come in after the configured percent value has passed are not sent to the destination. If you are finding that the data returned from the saved question is incomplete in your destination, you can disable this setting by setting it to 0. If disabled, all data is returned after the timeout passes. |
| Timeout | Minutes to wait for clients to reply before returning processed results when Answer Complete Percent is set to 0. If the Answer Complete Percent value is not met at the end of the time limit, then the connection run is marked as a failure. |
| Batchsize | Number of rows that are returned for the saved question results at one time. This setting might vary depending on your destination. |
- For the destination, choose Tanium Reputation and select the appropriate hash type for the Hash Field.
Each reputation service connection destination is configured for a specific hash column name. You must use a separate destination for each hash type that you are populating. For example, if you are populating both MD5 and SHA1 hashes from different saved questions, create two connection destinations with different values for the Hash Field field.
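The effect of the Flatten Results setting on what reaches the destination, shown as an added example that is not Tanium Connect code: a simplified Python model that assumes only records differing from the previous run are forwarded. The host names, hash values and function names are constructed for illustration.

```python
"""Simplified model of record granularity with and without Flatten Results."""

# Constructed sample data: endpoint -> MD5 hashes returned by the saved question.
KNOWN_1 = "1" * 32
KNOWN_2 = "2" * 32
NEW_HASH = "3" * 32
RUN_1 = {"host-a": {KNOWN_1, KNOWN_2}, "host-b": {KNOWN_1}}
RUN_2 = {"host-a": {KNOWN_1, KNOWN_2, NEW_HASH}, "host-b": {KNOWN_1}}


def to_records(results, flatten):
    """Turn one run's results into a set of comparable records.

    flatten=True : one record per (endpoint, hash) pair.
    flatten=False: one record per endpoint holding its whole hash set.
    """
    if flatten:
        return {(host, h) for host, hashes in results.items() for h in hashes}
    return {(host, frozenset(hashes)) for host, hashes in results.items()}


def new_records(previous, current, flatten):
    """Records in the current run that did not appear in the previous run
    (assumption of this model: only changed records are forwarded)."""
    return to_records(current, flatten) - to_records(previous, flatten)


def hashes_sent(previous, current, flatten):
    """Sorted (endpoint, hash) rows the destination would receive."""
    rows = []
    for host, payload in new_records(previous, current, flatten):
        hashes = [payload] if flatten else payload
        rows.extend((host, h) for h in hashes)
    return sorted(rows)


if __name__ == "__main__":
    for flatten in (True, False):
        rows = hashes_sent(RUN_1, RUN_2, flatten)
        print(f"flatten={flatten}: {len(rows)} row(s) sent")
        for host, h in rows:
            print(f"  {host}  {h}")
```

With flattening, only the one new hash on host-a is forwarded; without it, the changed host-a record carries all three of its hashes, including the two that were already known.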
For more information, see Tanium Trends User Guide: Importing the initial gallery.
Last updated: 7/19/2021 8:16 PM