Reference: Supported file types for rule evaluation
For rules to evaluate on a file, the file must match the following criteria:
- The file must be hashed by Tanium Index using hash type MIME.
- The file must be in a format that Tanium Reveal can read. For more information, see Reference: Supported file types for rule evaluation.
- Binary files must be less than 32 MB. To increase the default size limit, edit the setting CX.index.ExtractorMaxSourceMB.
- The file must not be filtered by the Reveal Parse Exclusions by Regular Expression or Reveal Parse Exclusions by File Path settings, which you can configure using a profile. For more information, see Creating profiles.
Reveal extracts the contents of zip archives into memory and evaluates rules against them if the compressed zip file size is within the configured maximum size. By default this limit is 32 MB, and you can change it using the CX.index.MaxZipSizeMB setting. If the uncompressed size is larger than the MaxZipSizeMB value, the archive is not extracted into memory and indexed.
For example, if you use the default setting value (32 MB):
- A zip file that is 1 MB (compressed) and 20 MB (uncompressed) would have its contents indexed.
- A zip file that is 5 MB (compressed) and 40 MB (uncompressed) would not have its contents indexed.
A zip archive is identified by the magic number 504b0304. Many file types are actually zip archives and share this magic number, for example: ZIP, JAR, WAR, EAR, XLSX, PPTX. Use the CX.index.ZipRecursionLimit setting (default 10) to configure how many levels deep Reveal extracts and indexes within zip files. For more information, see Tanium Client Index Extension User Guide: Indexing file systems.
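To find archives whose contents rules would never see, the size, magic-number, and recursion rules above can be applied to a file directly. The following Python is an added example, not Tanium code; the function names are hypothetical, and it assumes 1 MB = 2**20 bytes, that the outermost archive counts as level 1, and that the size limit applies to the outermost archive.

```python
import io
import zipfile

ZIP_MAGIC = bytes.fromhex("504b0304")  # magic number given on this page
MB = 1024 * 1024                       # assumption: 1 MB = 2**20 bytes

def make_zip(name, payload):
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

def nesting_depth(data, cap_bytes, stop_at):
    """Zip-in-zip levels (1 = plain archive), explored up to stop_at levels."""
    deepest = 1
    if stop_at <= 1:
        return deepest
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return deepest  # magic matched but the archive is unreadable
    with zf:
        for info in zf.infolist():
            # Skip directories, encrypted members, and anything over the cap,
            # so the audit itself never inflates an oversized member.
            if info.is_dir() or info.flag_bits & 0x1 or info.file_size > cap_bytes:
                continue
            inner = zf.read(info)
            if inner[:4] == ZIP_MAGIC:
                deepest = max(deepest, 1 + nesting_depth(inner, cap_bytes, stop_at - 1))
    return deepest

def audit_zip(data, max_zip_mb=32, recursion_limit=10):
    """Predict from this page's rules whether an archive's contents get indexed."""
    if data[:4] != ZIP_MAGIC:
        return {"is_zip": False}
    limit = max_zip_mb * MB
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Declared sizes from the central directory; a crafted archive can lie.
        uncompressed = sum(i.file_size for i in zf.infolist())
    depth = nesting_depth(data, limit, recursion_limit + 1)
    return {
        "is_zip": True,
        "compressed": len(data),
        "uncompressed": uncompressed,
        "size_ok": len(data) <= limit and uncompressed <= limit,
        "depth": depth,
        "depth_ok": depth <= recursion_limit,
    }
```

An archive reported with `size_ok` or `depth_ok` set to false is one whose contents fall outside rule evaluation under the settings passed in, so it needs either a raised limit or a separate review.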
When you create or edit a rule, you can add a filter to target file types in one or more categories. The following options are available:
Category | Format | File types |
---|---|---|
Configuration | Text | CFG, CONF, INI, YAML |
Microsoft Excel | Binary | ODS, XLAM, XLSM, XLSX, XLTM, XLTX |
Microsoft PowerPoint | Binary | ODP, POTM, POTX, |
Microsoft Word | Binary | DOCM, DOCX, DOTM, DOTX, ODT |
 | Binary | FDF, PDF |
Structured text | Text | CSV, TSV, PSV, JSON, XML |
Text | Text | TXT |
Reveal can read files in any of the supported file types, regardless of the file extension. If you do not specify a file type filter for a rule, the rule attempts to read all files that are hashed by Tanium Client Index Extension. When you assign a file type to a rule, the rule only attempts to read files with the listed file extensions.
Supported MIME types
Reveal supports the following MIME types:
xml:
- text/xml
- text/html
text:
- text*
pdf:
- application/pdf
csv:
- .csv
- .tsv
- .psv
zip:
- A zip archive is determined by magic number 504b0304.
Last updated: 9/25/2023 4:34 PM