Searching across the enterprise

Use Reveal to search for specific items of sensitive information across an entire enterprise. You can search in real time for sensitive information that matches a search string, without waiting for an alert from a rule match. Quick search targets all of the endpoints in the Reveal action group. Provide a literal search string and the parameters that you want the search to target; Reveal returns a list of results that match the search criteria you provide.

Reveal converts search strings to lowercase, removes punctuation, and removes common stop words, such as articles. Reveal then searches for the resulting tokens across the environment. For example, the search query "process is started" is tokenized as ["process", "started"]; the stop word "is" is dropped.

You can enable or disable quick search from the Reveal settings under the Tanium Index subscription settings heading. Quick search uses additional disk and CPU resources on endpoints.

Perform a quick search

  1. From the Reveal menu, click Quick Search.
  2. In the search field, provide a literal search string or a token from a previous or saved search. For example, enter 123456789 to find an exact match. A quick search string cannot contain a delimiter such as -: the groups of characters before and after the delimiter are matched as separate tokens, so the string is not treated as a single full match.
  3. (Optional) Expand Search Parameters to add filters to limit the files that you want to target.
  4. Click Search.

Recent quick searches are saved to enable you to perform the same search multiple times. However, the search terms used in the search are obfuscated and preserved as a token that corresponds to the original search terms. By obfuscating the original search terms, potentially sensitive data is not displayed in the Reveal workbench.

Investigate quick search results

Quick search results appear as Reveal discovers matches to the search criteria. Select up to five endpoints and click Connect. A live connection is opened to the endpoints. When the endpoint connection state displays as Active, click the endpoint name to investigate the files where matches occur.

Both the quick search query and the searchable data are protected with a one-way hash. Hashing occurs before the query is distributed to endpoints, and plaintext queries and results are not persisted. The query is retained in the browser during the search workflow only. When result snippets are requested, the file is read on demand on the endpoint, and the results are returned directly to Reveal. Reveal does not write any unencrypted file content to disk, and no plaintext query or result is ever sent as Tanium content.
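To make the tokenization rules and the hash-before-distribution flow described above concrete, here is an added illustration in Python. It is not Reveal's code and does not reproduce Tanium's implementation: the stop-word list, the choice of SHA-256 as the one-way hash, the rule that every query token must be present in a file, and the sample file contents are all assumptions constructed for this example. It also shows why a delimited string such as 123-45-6789 matches files that merely contain the pieces 123, 45 and 6789.

```python
import hashlib
import re

# Constructed stop-word list for illustration only; the real list is not on the page.
STOP_WORDS = {"a", "an", "the", "is", "are", "was", "were", "of", "to", "in", "on", "and", "or"}


def tokenize(text: str) -> list[str]:
    """Lowercase, strip punctuation, drop stop words.

    Every punctuation character (including a delimiter such as '-') acts as a
    token boundary, so "123-45-6789" becomes ["123", "45", "6789"], not one token.
    """
    words = re.findall(r"[a-z0-9]+", text.lower())
    return [w for w in words if w not in STOP_WORDS]


def hash_token(token: str) -> str:
    """One-way hash of a single token (SHA-256 is an assumption for this example)."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def hashed_query(search_string: str) -> list[str]:
    """Hash each query token before it leaves the console; only hashes are distributed."""
    return [hash_token(t) for t in tokenize(search_string)]


def build_index(file_contents: dict[str, str]) -> dict[str, set[str]]:
    """Per-file set of hashed tokens: the only form that needs to persist on the endpoint."""
    return {path: {hash_token(t) for t in tokenize(text)} for path, text in file_contents.items()}


def search(index: dict[str, set[str]], search_string: str) -> list[str]:
    """Return the files in which every hashed query token is present (assumed match rule)."""
    wanted = hashed_query(search_string)
    if not wanted:  # query consisted only of stop words / punctuation
        return []
    return sorted(path for path, hashes in index.items() if all(h in hashes for h in wanted))


# Constructed sample endpoint files; none of this is real data.
SAMPLE_FILES = {
    "C:\\Users\\alice\\notes.txt": "The process is started at 09:00. Ticket 123456789.",
    "C:\\Users\\bob\\hr.csv": "employee,ssn\nbob,123-45-6789",
    "C:\\Temp\\orders.txt": "order 123 shipped 45 units ref 6789",
    "C:\\Temp\\readme.txt": "Nothing of interest here.",
}

if __name__ == "__main__":
    idx = build_index(SAMPLE_FILES)
    print(tokenize("process is started"))      # ['process', 'started']
    print(search(idx, "process is started"))   # notes.txt only
    print(search(idx, "123456789"))            # exact token: notes.txt only
    # Delimited query: the pieces match separately, so orders.txt is a false positive.
    print(search(idx, "123-45-6789"))
```

The delimiter caveat falls out of the tokenizer: because `-` is stripped like any other punctuation, the query and the file are both reduced to the same three tokens, and a file that contains those tokens in unrelated positions matches too. Hashing each token before building the index or shipping the query means neither side has to persist the literal sensitive value.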