Searching across the enterprise
Use Reveal to search for specific items of sensitive information across an entire enterprise. You can search in real time for sensitive information that matches a search string, without waiting for an alert from a rule match. Quick search targets all of the endpoints in the Reveal action group. Provide a literal search string and, optionally, parameters that narrow what the search targets. Reveal returns a list of results that match the search criteria you provide.
Reveal converts search strings to lowercase, removes punctuation, and removes common stop words, such as articles. Reveal then searches for the exact sequence of the remaining tokens across the environment. For example, the search query "process is started" is tokenized as ["process","started"]. These tokens match "the malicious process has started", but not "started the process", because in the latter the tokens are not in the same order as in the query.
- From the Reveal menu, click Quick Search.
- In the search field, provide a literal search string. For example, 123-45-6789 to find an exact match.
- Optionally, expand the Search Parameters caret.
- Click Add Condition. Select File Type.
- Select one or more file types that you want the search to target.
- Click Search.
Quick search results appear as Reveal discovers matches to the search criteria. For each match, you can view the computer names on which matches occur. Select one or more computer names that contain matches and click Live Connection to create a live connection to the computer and investigate the files where matches occur.
Both the quick search query and the searchable data are protected with a one-way hash. Hashing occurs before the query is distributed to endpoints, and unhashed queries and results are not persisted. The query is retained in the browser during the search workflow only. When result snippets are requested, the file is read on demand on the endpoint, and results are returned directly to Reveal. Reveal does not write any unencrypted file content to disk, and no unhashed query or result is ever sent as Tanium content.
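The following Python sketch is an added example, not Reveal's own code and not published by Tanium. It models the two behaviours this page describes: the tokenization rules above (lowercase, punctuation stripped, stop words dropped, then an ordered contiguous token sequence match) and the hashed query distribution described in the preceding paragraph, where only per-token hashes leave the console and endpoints compare hashes rather than cleartext. The stop-word list, the choice of SHA-256 as the one-way hash, the sample endpoint contents, and all function names are assumptions made for the example.

```python
import hashlib
import re

# Assumed stop-word list. The page only says "common stop words, such as
# articles"; this set is chosen so the page's own examples behave as stated
# ("is" and "has" must be dropped).
STOP_WORDS = {"a", "an", "the", "is", "are", "was", "were",
              "has", "have", "had", "be", "been"}


def tokenize(text):
    """Lowercase, strip punctuation, drop stop words; preserve token order."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return [w for w in words if w not in STOP_WORDS]


def hash_token(token):
    """One-way hash of a single token (SHA-256 is an assumption; the page
    does not name the algorithm Reveal uses)."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def hash_tokens(tokens):
    return [hash_token(t) for t in tokens]


def build_query(query_text):
    """What the console distributes to endpoints: hashed tokens only,
    never the cleartext query."""
    return hash_tokens(tokenize(query_text))


def index_content(text):
    """What an endpoint holds for matching: hashed tokens of the file."""
    return hash_tokens(tokenize(text))


def contains_sequence(haystack, needle):
    """True if needle appears as a contiguous, ordered run inside haystack.
    This is the 'exact sequence of tokens' rule: same tokens in a different
    order do not match."""
    n = len(needle)
    if n == 0 or n > len(haystack):
        return False
    return any(haystack[i:i + n] == needle for i in range(len(haystack) - n + 1))


# Constructed sample endpoint contents (not real data).
ENDPOINTS = {
    "host-a": "Alert: the malicious process has started on this machine.",
    "host-b": "Operator started the process manually at 09:00.",
    "host-c": "Employee record - SSN on file: 123-45-6789",
}


def search(query_text, endpoints=ENDPOINTS):
    """Return the sorted names of endpoints whose hashed content contains
    the hashed query as an ordered token sequence."""
    hashed_query = build_query(query_text)
    hits = [name for name, text in endpoints.items()
            if contains_sequence(index_content(text), hashed_query)]
    return sorted(hits)


if __name__ == "__main__":
    print(tokenize("process is started"))      # ['process', 'started']
    print(search("process is started"))        # ['host-a']
    print(search("123-45-6789"))               # ['host-c']
    print(build_query("process is started"))   # two hex digests, no cleartext
```

Because punctuation is stripped before hashing, the literal "123-45-6789" becomes the token run ["123", "45", "6789"], so a file containing the same digits with the same separators still matches, while "started the process" yields ["started", "process"] and fails the ordered-sequence check exactly as the page describes.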
Last updated: 3/13/2019 10:54 AM