Searching across the enterprise

Use Reveal to search for specific items of sensitive information across an entire enterprise. You can search for sensitive information that matches a search string in real-time and not wait for an alert from a rule match. Quick search targets all of the endpoints in the Reveal action group. Use a literal search string and parameters that you want the search to target. Reveal returns a list of results that match the search criteria you provide.

Reveal converts search strings to lowercase, removes punctuation, and removes common stop words, such as articles. Reveal then searches for the exact sequence of tokens across the environment. For example, if a search query is process is started, this is tokenized as ["process","started"]. These tokens match the malicious process has started , but not started the process because the tokens are not in the same order as the query.

Perform a quick search

  1. From the Reveal menu, click Quick Search.
  2. In the search field, provide a literal search string or a token from a previous or saved search. For example, 123-45-6789 to find an exact match.
  3. (Optional) Expand Search Parameters to add filters to limit the files that you want to target.
  4. Click Search.

Recent quick searches are saved to enable you to perform the same search multiple times. However, the search terms used in the search are obfuscated and preserved as a token that corresponds to the original search terms. By obfuscating the original search terms, potentially sensitive data is not displayed in the Reveal workbench.

Investigate quick search results

Quick search results appear as Reveal discovers matches to the search criteria. Select up to five endpoints and click Connect. A live connection is opened to the endpoints. When the endpoint connection state displays as Active, click the endpoint name to investigate the files where matches occur.

Click the check box next to a file name and click Find Similar Files to see other computers in your enterprise that have the same file or similar files.

Both the quick search query and the searchable data are encrypted with a one way hash. Hashing occurs before the query is distributed to endpoints, and unencrypted queries and results are not persisted. The query is retained in the browser during the search workflow only. When results snippets are requested, the file is read on demand on the endpoint, and results are returned directly to Reveal. Reveal does not write any unencrypted file content to disk, and no unencrypted query or result is ever sent as Tanium content.