Maintaining Reveal
Perform monthly maintenance tasks to ensure that Reveal successfully performs scheduled activities on all the targeted endpoints and does not overuse endpoint or network resources. If Reveal is not performing as expected, you might need to troubleshoot issues or change settings. See Troubleshooting for related procedures.
Review and remediate Tanium Reveal issues
-
From the Main menu, go to Modules > Reveal > Overview.
-
Scroll to the Health dashboard to review:
-
Reveal Coverage: To investigate endpoints that do not have Reveal tools installed, click the number above Needs Attention. Tanium Cloud
-
Endpoint Status: To investigate endpoints that have issues related to Reveal operations, click Attention Needed. Tanium Cloud
-
Scan Failure: To investigate endpoints that have Reveal scan errors in the last 30 days, click Scan Failure to issue a question that returns the scan status for the affected endpoints. To investigate endpoints that have errors within another interval, click the interval (such as <1 hour) in the Scan Failure panel to issue a question that returns the computer name, operating system, IP address, and scan status for endpoints within that interval.
-
Data Size: To review the storage that Reveal consumes on endpoints, click Data Size to issue a question that returns data size values. To review endpoints on which Reveal consumes storage within a specific range, click that range (such as 100-500 MB) in the Data Size panel to issue a question that returns the computer name, operating system, and IP address for the matching endpoints.
-
Undersized Reveal Databases: To investigate endpoints on which Reveal tools have dropped files, click True to issue a question that returns the computer name, operating system, and IP address for the affected endpoints. See Remediating "Needs Attention" messages from Reveal Status.
-
Monitor and troubleshoot Reveal coverage
The following table lists contributing factors into why the Reveal coverage metric might be lower than expected, and corrective actions you can make.
| Contributing factor | Corrective action |
|---|---|
| Tools Not Deployed |
Verify Tanium Clients are current and supported. For more information see Requirements: Tanium dependencies. Ensure the Reveal Action Group is set to All Computers. Ensure the Trends Action Group is set to All Computers. Ensure the intended Reveal targets are in the appropriate Computer Groups. Ensure the Computer Groups are included in the appropriate Rule Set in Reveal. |
| Index Health and Configuration |
Ensure Index is properly configured and operating as expected on the endpoints. Ensure you are not excluding the files you want Reveal to scan from indexing or hashing. This could be by an ExcludeFrom(Hashing|Indexing) setting or if the file exceeds the setting of MaxFileSizeToHashMB, 32MB by default. Use the Index Resolved Config sensor to see how Index combined any Index configuration files from all modules using Index. |
Monitor and troubleshoot endpoints with confirmed sensitive data
The following table lists contributing factors into why the endpoints with confirmed sensitive data metric might be higher than expected, and corrective actions you can make.
| Contributing factor | Corrective action |
|---|---|
| See “Tools Not Deployed” and “Index Health and Configuration” above. |
See the Corrective Actions for “Tools Not Deployed” and “Index Health and Configuration” in the preceding table. |
| Recently updated rule not on desired endpoint(s) or the rule(s) or Reveal may not yet have had time to be processed. |
After deploying a rule, it might take several hours to begin to see results. You might need to allow Reveal a couple more hours. If longer than a few hours has passed, you can ask the Tanium question “Get Reveal - Background Scan Results[*] from all machines”. In the results, look for the name of the rule you are troubleshooting. Use the Filter Text box to filter to just that rule. Select columns to display and add “Rule Revision”. Use Tanium to drill down to find out about any hosts with outdated rule. |
| Reveal Rules not targeted as desired or required | To assign Reveal rules, they must be assigned to a Rule Set and the Rule Set must target the desired computer groups. First, review the specific Rule and make sure it’s assigned to a Rule Set. Next, review the Rule Set and confirm it targets the appropriate Computer Group. Examine the Computer Group and ensure that it properly targets the desired computers. |
| Reveal findings are not yet confirmed | Reveal finds matches to rules, but the findings are only confirmed once an analyst confirms or rejects the findings. Click the results of the desired rule, then select and connect to an endpoint with findings. Select a file to see the snippets, then highlight an appropriate selection of text and click Confirm to create a validation - confirmed or rejected - of the rule. All similar snippets on all endpoints then show confirmed results. Rejected snippets no longer display in the results. |
Monitor and troubleshoot endpoints with unconfirmed sensitive data
The following table lists contributing factors into why the endpoints with unconfirmed sensitive data metric might be higher than expected, and corrective actions you can make.
| Contributing factor | Corrective action |
|---|---|
| Reveal not fully deployed or operational |
See the corrective actions detailed in the previous two tables to ensure Reveal tools and rules are properly targeted and deployed. |
| Reveal findings are not yet confirmed |
Reveal finds matches to rules, but the findings are only confirmed once an analyst confirms or rejects the findings. Click the results of the desired rule, then select and connect to an endpoint with findings. Select a file to see the snippets, then highlight an appropriate selection of text and click Confirm to create a confirmed match of the rule. All similar snippets on all endpoints then show confirmed results. |
Last updated: 2/15/2023 5:47 PM | Feedback