Maintaining Reveal

Perform monthly maintenance tasks to ensure that Reveal successfully performs scheduled activities on all the targeted endpoints and does not overuse endpoint or network resources. If Reveal is not performing as expected, you might need to troubleshoot issues or change settings. See Troubleshooting for related procedures.

Review and remediate Tanium Reveal issues

  1. From the Main menu, go to Modules > Reveal > Overview.

  2. Scroll to the Health dashboard to review:

    • Reveal Coverage: To investigate endpoints that do not have Reveal tools installed, click the number above Needs Attention. Tanium Cloud (or the Tanium Server) issues a question that returns the computer name, operating system, IP address, and Reveal coverage (installation) status for the affected endpoints. See Troubleshooting Reveal.

    • Endpoint Status: To investigate endpoints that have issues related to Reveal operations, click Attention Needed. Tanium Cloud (or the Tanium Server) issues a question that returns the computer name, operating system, IP address, and Reveal tools status for the affected endpoints. See Troubleshooting Reveal.

Monitor and troubleshoot Reveal coverage

The following table lists factors that can make the Reveal coverage metric lower than expected, and the corrective actions you can take.

Contributing factor: Tools Not Deployed
Corrective actions:

    • Verify Tanium Clients are current and supported. For more information, see Requirements: Tanium dependencies.

    • Ensure the Reveal Action Group is set to All Computers.

    • Ensure the Trends Action Group is set to All Computers.

    • Ensure the intended Reveal targets are in the appropriate Computer Groups.

    • Ensure the Computer Groups are included in the appropriate Rule Set in Reveal.

Contributing factor: Index Health and Configuration
Corrective actions:

    • Ensure Index is properly configured and operating as expected on the endpoints.

    • Ensure you are not excluding the files you want Reveal to scan from indexing or hashing. A file can be excluded by an ExcludeFrom(Hashing|Indexing) setting, or because it exceeds the MaxFileSizeToHashMB setting, which is 32 MB by default.
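The check described under Index Health and Configuration can be rehearsed offline before changing settings. The following is an added example, not Tanium code: it flags files that would be missed because of an exclusion setting or the hash size limit. It assumes that the ExcludeFromIndexing and ExcludeFromHashing settings hold regular expressions matched against the full path and that 1 MB is 2**20 bytes; the function names, sample settings, and file list are constructed for illustration.

```python
import re
from dataclasses import dataclass

DEFAULT_MAX_FILE_SIZE_TO_HASH_MB = 32  # default value stated on this page


@dataclass
class IndexSettings:
    exclude_from_indexing: list  # assumed format: regex strings
    exclude_from_hashing: list   # assumed format: regex strings
    max_file_size_to_hash_mb: int = DEFAULT_MAX_FILE_SIZE_TO_HASH_MB


def skip_reasons(path, size_bytes, settings):
    """Return why a file would be missed; an empty list means it is in scope."""
    reasons = []
    for name, patterns in (("ExcludeFromIndexing", settings.exclude_from_indexing),
                           ("ExcludeFromHashing", settings.exclude_from_hashing)):
        for pattern in patterns:
            if re.search(pattern, path, re.IGNORECASE):
                reasons.append(f"{name} matches {pattern!r}")
                break  # one hit per setting is enough to report
    limit = settings.max_file_size_to_hash_mb * 1024 * 1024  # assumes MB = 2**20 bytes
    if size_bytes > limit:  # "exceeds" is read as strictly greater than the limit
        reasons.append(f"size exceeds MaxFileSizeToHashMB={settings.max_file_size_to_hash_mb}")
    return reasons


def audit(files, settings):
    """Map each (path, size) entry that would be skipped to its list of reasons."""
    report = {}
    for path, size_bytes in files:
        reasons = skip_reasons(path, size_bytes, settings)
        if reasons:
            report[path] = reasons
    return report


# Constructed sample settings and file inventory (not from a real endpoint).
SAMPLE_SETTINGS = IndexSettings(exclude_from_indexing=[r"\\Windows\\WinSxS\\"],
                                exclude_from_hashing=[r"\.pst$"])
SAMPLE_FILES = [
    (r"C:\Users\alice\Documents\payroll.xlsx", 2 * 1024 * 1024),
    (r"C:\Users\alice\Documents\archive.pst", 10 * 1024 * 1024),
    (r"C:\Shares\HR\export_full.csv", 48 * 1024 * 1024),
    (r"C:\Shares\HR\export_32.csv", 32 * 1024 * 1024),
]

if __name__ == "__main__":
    for path, reasons in audit(SAMPLE_FILES, SAMPLE_SETTINGS).items():
        print(path, "->", "; ".join(reasons))
```

Confirm the actual pattern syntax and size semantics against the Index configuration on your endpoints before relying on the result.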

Monitor and troubleshoot endpoints with confirmed sensitive data

The following table lists factors that can make the endpoints with confirmed sensitive data metric higher than expected, and the corrective actions you can take.

Contributing factor: See “Tools Not Deployed” and “Index Health and Configuration” above.
Corrective action: See the Corrective Actions for “Tools Not Deployed” and “Index Health and Configuration” in the preceding table.

Contributing factor: Reveal Rules not targeted as desired or required
Corrective action: For a Reveal rule to apply, it must be assigned to a Rule Set, and the Rule Set must target the desired computer groups. First, review the specific Rule and make sure it is assigned to a Rule Set. Next, review the Rule Set and confirm it targets the appropriate Computer Group. Examine the Computer Group and ensure that it properly targets the desired computers.

Contributing factor: Reveal findings are not yet confirmed
Corrective action: Reveal finds matches to rules, but the findings are only confirmed once an analyst confirms or rejects the findings. Click the results of the desired rule, then select and connect to an endpoint with findings. Select a file to see the snippets, then highlight an appropriate selection of text and click Confirm to create a validation (valid or invalid) of the rule. All similar snippets on all endpoints then show confirmed results. Invalid snippets no longer display in the results.

Monitor and troubleshoot endpoints with unconfirmed sensitive data

The following table lists factors that can make the endpoints with unconfirmed sensitive data metric higher than expected, and the corrective actions you can take.

Contributing factor: Reveal not fully deployed or operational
Corrective action: See the corrective actions detailed in the previous two tables to ensure Reveal tools and rules are properly targeted and deployed.

Contributing factor: Reveal findings are not yet confirmed
Corrective action: Reveal finds matches to rules, but the findings are only confirmed once an analyst confirms or rejects the findings. Click the results of the desired rule, then select and connect to an endpoint with findings. Select a file to see the snippets, then highlight an appropriate selection of text and click Confirm to create a confirmed match of the rule. All similar snippets on all endpoints then show confirmed results.