Investigating rule matches

When Reveal finds a match to a rule, the Rules and Rule Sets pages update to show a breakdown of all endpoints affected by the rule according to how many matches occur on that endpoint. You can further investigate the details of the match. Each rule displays information about the number of endpoints on which matches have been detected. You can create a live connection to the endpoint and drill down to perform further analysis. You can investigate the number of matches across the endpoints over time.

From the Rules page, you can investigate the affected endpoints, and files where matches are detected when a rule match occurs.

Investigate by endpoint

  1. From the Reveal menu, click Rules.
  2. Click a rule that has matches that you want to investigate.

  3. Under Results, Reveal displays the endpoints where matches have occurred.

  4. Select up to five endpoints and click Connect. A live connection is opened to the selected endpoints. When an endpoint connection state displays as Active, click the endpoint name to view files that contain matches.
  5. For files where matches have occurred, the file name, number of hits, and path are displayed.
  6. Click an affected file to view snippets that show pattern matches in context.

When validations have been confirmed or rejected, values in the Unconfirmed hits and Confirmed hits columns on the Affected Files - <Computer Name> page for any rule where patterns have been matched and validated display in orange. Orange indicates that the data is "stale"; meaning that new validation data exists. If a file is designated as stale, it is prioritized for rescanning. When no new validation data exists, the values display in black.

For more information about validations, see Validating pattern matches.

Take action on files where rule matches occur

When a rule applies a label to files that contain a rule match, you can use Tanium questions to take action on affected files.

  1. From the Main menu, click Interact.
  2. Ask the question Get Reveal - Label Results from all machines. The results grid displays the labels that have been applied to files, and the number of files that are labeled.
  3. Select the rows for the labels that require the action, and then click Deploy Action. Interact displays the Deploy Action workflow page.

For more information, see Tanium Interact User Guide: Questions.