Reputation overview
With Reputation, you can build a repository of reputation data from various sources, such as Palo Alto Networks WildFire, Recorded Future, ReversingLabs, and VirusTotal. These sources determine threat levels for file hashes. Other Tanium products, such as Tanium™ Threat Response, can use this data to give an indication of potentially malicious files. You can also send reputation data to supported Tanium™ Connect destinations or import reputation data to Tanium™ Trends boards.
The reputation database is a cache that consists of reputation items. When configured, reputation items are scanned by a reputation source. A reputation source is a service that determines whether a reputation item is considered to be malicious, non-malicious, suspicious, or has an unknown status.
Reputation item life cycle
A reputation item remains in the database as long as the Tanium processes are accessing the status of the item. The status of the reputation items is kept up to date based on the settings for the reputation service and provider.
Reputation items are added to the reputation database
As long as the maximum database size is not exceeded, reputation items are added to the reputation database in the following scenarios:
- When a Tanium process, such as Threat Response, identifies a new hash.
- When a saved question connection source sends a list of hashes to Connect.
When the reputation items are first added, it is unknown whether they are malicious. The reputation item state most likely starts out as unknown or pending.
Reputation items are scanned
How long it takes for an initial scan of the items depends on your configured reputation service settings.
If you configure multiple reputation service providers, a reputation item is created for each reputation source. For example, for a single hash, three separate reputation items are created for WildFire, ReversingLabs, and VirusTotal.
WildFire
All reputation items are sent to WildFire as they are received.
Recorded Future
The settings for Recorded Future determine how many hashes to send at a time, and the maximum API calls per minute/day. For more information about these settings, see Configure Recorded Future reputation source.
ReversingLabs A1000
The settings for ReversingLabs A1000 determine how many hashes to send at a time, and the maximum API calls per minute/day. For more information about these settings, see Configure ReversingLabs A1000 reputation source.
ReversingLabs TitaniumCloud
The settings for ReversingLabs TitaniumCloud determine how many hashes to send at a time, and the maximum API calls per minute/day. For more information about these settings, see Configure ReversingLabs TitaniumCloud reputation source.
VirusTotal
The settings for VirusTotal determine how many hashes to send at a time, and the maximum API calls per minute/day. For more information about these settings, see Configure VirusTotal reputation source.
Reputation items are rescanned
Reputations might change for reputation items over time. When Reputation rescans an item, it is checked against the reputation sources again. For more information on how to configure the rescan properties, see Installing Reputation: Configure Reputation service settings.
The Rescan Item Interval setting is global for all reputation provider types. The value determines how often Reputation rescans items. For example, if this value is set to 1 day, all of the items in the database get checked every day.
WildFire
Reputation rescans items according to the Rescan Item Interval value.
Recorded Future
You can configure Reputation to rescan items when Recorded Future gets new reputations for hashes.
Reputation compares the Maximum Age of New Items setting with the First Seen attribute in Recorded Future. The First Seen attribute is the date when Recorded Future first records any instance of that hash, from any Recorded Future customer. If the item is younger than the configured maximum age, Reputation considers the item as new and rescans the item. The Rescan New Item Interval setting determines how often Reputation rescans the new items.
ReversingLabs A1000
You can configure Reputation to rescan items when ReversingLabs A1000 gets new reputations for hashes.
Reputation compares the Maximum Age of New Items setting with the First Seen attribute in ReversingLabs A1000. The First Seen attribute is the date when ReversingLabs A1000 first records any instance of that hash. If the item is younger than the configured maximum age, Reputation considers the item as new and rescans the item. The Rescan New Item Interval setting determines how often Reputation rescans the new items.
ReversingLabs TitaniumCloud
You can configure Reputation to rescan items when ReversingLabs TitaniumCloud gets new reputations for hashes.
Reputation compares the Maximum Age of New Items setting with the First Seen attribute in ReversingLabs TitaniumCloud. The First Seen attribute is the date when ReversingLabs TitaniumCloud first records any instance of that hash, from any ReversingLabs TitaniumCloud customer. If the item is younger than the configured maximum age, Reputation considers the item as new and rescans the item. The Rescan New Item Interval setting determines how often Reputation rescans the new items.
VirusTotal
If you have a paid API key for VirusTotal, you can configure Reputation to rescan items when VirusTotal gets new reputations for hashes.
Reputation compares the Maximum Age of New Items setting with the First Seen attribute in VirusTotal. The First Seen attribute is the date when VirusTotal first records any instance of that hash, from any VirusTotal customer. If the item is younger than the configured maximum age, Reputation considers the item as new and rescans the item. The Rescan New Item Interval setting determines how often Reputation rescans the new items.
When you configure these settings, be careful to keep the number of API calls within the bounds of your agreement with VirusTotal.
Items are removed from the reputation database
An item is removed from the database when the number of days in the Remove Item Interval value has passed without that item being queried by a saved question or other Tanium process to check its status.
A reputation item can be re-added to the database if the hash is found again.
Hash List
The hash list is a list of reputation hashes that are known to be false detections or known to be malicious. Reputation hashes in the hash list are not sent to reputation sources for analysis. You can add or delete specific hashes from the hash list, or you can export and import the entire list.
For more information, see Managing hashes.
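The following is an added example that models the life cycle rules described above (initial scan, the new-item rescan path driven by First Seen, the global Rescan Item Interval, and removal after the Remove Item Interval) together with the hash-list rule that listed hashes are never sent to a source. It is not Tanium code; the class and function names, the interval values, and the placeholder hashes are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class RescanSettings:  # names follow the page's settings; values below are constructed
    rescan_item_interval: timedelta      # global, applies to every provider
    rescan_new_item_interval: timedelta  # applies while an item is still "new"
    max_age_of_new_items: timedelta      # compared against the provider's First Seen
    remove_item_interval: timedelta      # purge if no process has queried it for this long

@dataclass
class ReputationItem:
    sha256: str
    source: str                             # one item per configured source
    last_queried: datetime                  # set when added, updated on each status lookup
    last_scanned: Optional[datetime] = None
    first_seen: Optional[datetime] = None   # provider's First Seen attribute, if known

def is_new(item, now, s):
    """New while First Seen is younger than Maximum Age of New Items."""
    return item.first_seen is not None and now - item.first_seen < s.max_age_of_new_items

def is_due_for_rescan(item, now, s):
    """Unscanned items are due at once; new items use Rescan New Item Interval,
    everything else the global Rescan Item Interval."""
    if item.last_scanned is None:
        return True
    interval = s.rescan_new_item_interval if is_new(item, now, s) else s.rescan_item_interval
    return now - item.last_scanned >= interval

def should_remove(item, now, s):
    """Drop items nobody has queried within Remove Item Interval."""
    return now - item.last_queried >= s.remove_item_interval

def next_batch(items, hash_list, now, s, batch_size):
    """Hash-list entries are never sent to a source; cap the outbound batch size."""
    due = [i for i in items if i.sha256 not in hash_list and is_due_for_rescan(i, now, s)]
    return due[:batch_size]

# Constructed sample data (placeholder hashes): an unscanned item, a "new" item and an
# old item both scanned 2 hours ago, a hash-list entry, and an item unqueried for 40 days.
NOW = datetime(2023, 8, 25, 11, 0)
SETTINGS = RescanSettings(timedelta(days=1), timedelta(hours=1), timedelta(days=7), timedelta(days=30))
HASH_LIST = {"hash-on-list"}
ITEMS = [
    ReputationItem("hash-fresh", "VirusTotal", NOW),
    ReputationItem("hash-new", "VirusTotal", NOW, NOW - timedelta(hours=2), NOW - timedelta(days=2)),
    ReputationItem("hash-old", "VirusTotal", NOW, NOW - timedelta(hours=2), NOW - timedelta(days=30)),
    ReputationItem("hash-on-list", "VirusTotal", NOW),
    ReputationItem("hash-stale", "WildFire", NOW - timedelta(days=40), NOW - timedelta(hours=1)),
]
```

With these settings the batch contains only the unscanned item and the new item; the old item waits for the daily interval, the hash-list entry is skipped, and the stale item is eligible for removal because nothing has queried it for longer than 30 days.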
Interoperability with other Tanium products
Reputation works with other Tanium products for additional reporting of related data.
Connect
You can use Tanium Reputation as a connection source or destination in Connect. For more information, see Send data to Connect destinations and Send data to the reputation service.
Threat Response
You can configure Tanium Threat Response to search for specific data from Tanium Reputation. For more information, see Tanium Threat Response: Set up the reputation service.
Trends
Reputation features Trends boards that provide data visualization of Reputation concepts.
The Reputation board displays how much data is sent to reputation providers, and usage metrics within Reputation. The following sections and panels are in the Reputation board:
- Resource Usage
  - Outbound Items
  - Outbound Processing Queue
  - Outbound API Requests
  - Successful Outbound API Requests
  - Failed Outbound API Requests
  - Reputation Database Size
- Service Usage
  - Inbound Items
  - Total Items
  - Purged Items
- Hash List
  - Hash List Items in Environment
For more information about how to import the Trends boards that are provided by Reputation, see Send data to Trends boards and Tanium Trends User Guide: Importing the initial gallery.
Last updated: 8/25/2023 11:09 AM