Investigating risk vectors

Risk vectors, which assess the risk for your enterprise in specific categories, determine part of the overall risk score. To review the formula for the risk score, see Risk score.

You can see the score for each risk vector in the Risk Vectors section of the Risk Overview page. Click a category to open the page for that vector for further investigation. The page for each vector has charts to show detailed information about the riskiest endpoints for that vector.

Risk continuously monitors endpoints for changes and updates the reports, tables, and charts to reflect those changes. Once every 24 hours a snapshot is taken to preserve a daily record of the score at that time, which allows you to monitor changes over time.

You can switch between pages by selecting a vector from the dropdown menu on the Risk Vector page. Select a computer group to refine the data on the page to that group. When you select a computer group, all scores for that group are calculated on demand.

If an endpoint does not have the necessary tools to calculate the score for a vector, the score for that vector on the endpoint defaults to 0. One exception is the Administrative Access vector. Because Impact is used to measure that vector and is supported only on domain-joined Windows endpoints, this vector applies only to domain-joined Windows endpoints with the necessary tools. Linux endpoints, macOS endpoints and Windows endpoints that are not joined to a domain return a 0 score for the Administrative Access vector.

The available computer groups are those that are configured in the Reporting service.

To see a chart that shows the contribution to the total risk score from each risk vector, on the Risk Overview page, click Help and then click Risk Score.
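To make the scoring rules above concrete, here is an added Python model (not Tanium's code) that applies the per-vector maximums stated in the sections below, the default-to-0 rule for endpoints missing the required tool, and the domain-joined Windows restriction on Administrative Access. It assumes the endpoint total is the plain sum of the clamped vector scores (the page defers the exact formula to the Risk score topic) and runs on a constructed sample fleet.

```python
# Added example (not Tanium's code): how this page's per-vector rules combine into an
# endpoint score. Assumption: the total is the plain sum of the six clamped vector scores.
from dataclasses import dataclass

# Maximum score per vector, as stated in the sections of this page (sums to 1000).
VECTOR_MAX = {"System Vulnerability": 400, "System Compliance": 200,
              "Administrative Access": 200, "Password Identification": 100,
              "Expired Certificates": 50, "Insecure SSL/TLS": 50}
# Tanium module that supplies each vector's data, as named on this page.
VECTOR_TOOL = {"System Vulnerability": "Comply", "System Compliance": "Comply",
               "Administrative Access": "Impact", "Password Identification": "Reveal",
               "Expired Certificates": "Core Content", "Insecure SSL/TLS": "Core Content"}

@dataclass
class Endpoint:
    name: str
    os: str               # "Windows", "Linux" or "macOS"
    domain_joined: bool
    tools: frozenset      # modules present on the endpoint
    raw: dict             # raw per-vector values reported by those modules (constructed)

def vector_score(ep: Endpoint, vector: str) -> int:
    """Missing tool -> 0; Administrative Access only on domain-joined Windows; else clamp."""
    if VECTOR_TOOL[vector] not in ep.tools:
        return 0
    if vector == "Administrative Access" and not (ep.os == "Windows" and ep.domain_joined):
        return 0
    return max(0, min(int(ep.raw.get(vector, 0)), VECTOR_MAX[vector]))

def endpoint_scores(ep: Endpoint) -> dict:
    return {v: vector_score(ep, v) for v in VECTOR_MAX}

def contributions(scores: dict) -> dict:
    """Fraction of the endpoint total each vector contributes (the Help > Risk Score view)."""
    total = sum(scores.values())
    return {v: (s / total if total else 0.0) for v, s in scores.items()}

def fleet_average(endpoints: list) -> dict:
    """Per-vector average across a computer group, the value the Over Time charts plot daily."""
    return {v: sum(vector_score(e, v) for e in endpoints) / len(endpoints) for v in VECTOR_MAX}

# Constructed sample fleet: a domain-joined Windows server and a Linux host.
FLEET = [
    Endpoint("win01", "Windows", True, frozenset({"Comply", "Impact", "Reveal", "Core Content"}),
             {"System Vulnerability": 450, "Administrative Access": 150, "Expired Certificates": 20}),
    Endpoint("lin01", "Linux", False, frozenset({"Comply", "Reveal", "Core Content"}),
             {"System Vulnerability": 100, "Administrative Access": 90, "Insecure SSL/TLS": 50}),
]
```

Note that win01's raw vulnerability value of 450 is clamped to the 400 maximum, and lin01 reports 0 for Administrative Access both because Impact is absent and because it is not a domain-joined Windows endpoint.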

System Vulnerability

The system vulnerability vector uses data from Tanium Comply to determine which endpoints are not patched against documented Common Vulnerabilities and Exposures (CVEs) and the severity of the vulnerabilities on the endpoint. To reduce risk, you must continuously assess, track, and remediate vulnerabilities on endpoints to minimize the window of opportunity for attackers when a vulnerability is announced and to reduce the attack surface. The maximum score for this vector is 400 (40% of the total score).

The System Vulnerability Over Time chart shows the change in the average system vulnerability score for your enterprise over the past 90 days. Monitor this chart to determine how the vulnerability score changes as you patch CVEs or new vulnerabilities are announced.

Click the Endpoints tab to show the Endpoints by Asset Criticality and Vulnerability chart. This chart shows the endpoints that have the highest number of detected vulnerabilities. Remediate the vulnerabilities on these endpoints to reduce the risk that they present.

screen capture of Endpoints by Asset Criticality and Vulnerability chart

Click the CVEs tab to show the Highest Vulnerability Count by Highest CVE chart. This chart shows the endpoints with the highest CVE ratings, grouped by CVE.

screen capture of Highest Vulnerability Count by Highest CVE chart

You can use Comply to explore the vulnerabilities on endpoints, and then use Patch to remediate the vulnerabilities. On the Endpoints or CVEs tab, select one or more endpoints or CVEs and click Explore in Comply to investigate the vulnerability findings for those endpoints or specific CVEs. On the CVEs tab, select one or more CVEs and click Remediate in Patch to open the Patches page for that CVE.

For more information, see Comply User Guide: Filter vulnerability findings and Patch User Guide: Create lists from the Patches view.

System Compliance

The system compliance vector uses data from Tanium Comply to assess the compliance state of endpoints:

  • Of all the compliance checks that have been run against the endpoint, what is the pass/fail ratio?
  • How compliant is the endpoint when measured against the defined compliance policy for the organization?

To reduce risk, establish and maintain secure configurations for endpoints and software (operating systems and applications) to meet organizational security requirements and conform to defined policies. The maximum score for this vector is 200 (20% of the total score).

The System Compliance Over Time chart shows the change in the average system compliance score for your enterprise over the past 90 days. Monitor this chart to determine how the compliance score changes as you secure configurations on endpoints.

Click the Summary tab to show the Endpoints by Compliance Rule Failures chart. This chart shows the endpoints that have the highest number of compliance failures.

screen capture of the Endpoints by Compliance Rule Failures chart

Click the Total Failures tab to show the Endpoints by Compliance Rule Failures chart. This chart shows the endpoints that have the highest number of compliance failures.

screen capture of the Endpoints by Compliance Rule Failures chart

Click the Rule Failures tab to show the Compliance Rule Failures by Failed Endpoint Count chart. This chart shows the compliance rules that have the highest number of failed endpoints.

screen capture of the Compliance Rule Failures by Failed Endpoint Count chart

You can use Comply to explore the compliance failures on endpoints, and then use Enforce to update the configuration for endpoints. On any tab, select one or more endpoints or compliance check IDs and click Explore in Comply to investigate the compliance findings for those endpoints or specific compliance checks.

screen capture of Explore in Comply button

For more information, see Comply User Guide: Filter compliance findings and Enforce User Guide: Creating policies.

Administrative Access

The Administrative Access vector uses data from Tanium Impact to analyze the potential lateral movement from an endpoint if it is compromised, including outbound impact, inbound impact, direct control, and indirect control. For more information, see Impact User Guide: Credential dumping and lateral movement.

To reduce risk, implement the least-privilege model on endpoints and limit administrative access whenever possible to prevent attackers from gaining access to elevated privileges and limit potential lateral movement. For more information, see Impact User Guide: Reference: Remediation resources. The maximum score for this vector is 200 (20% of the total score).

The Administrative Access Over Time chart shows the change in the average administrative access score for your enterprise over the past 90 days. Monitor this chart to determine how the administrative access score changes as you secure endpoints.

Click the Summary tab to show the Endpoints by Impact Rating chart. This chart shows the endpoints that have the highest impact rating.

screen capture of the Endpoints by Impact Rating chart

Click the Endpoints tab to show the Endpoints by Impact Rating and Asset Criticality chart. This chart shows the endpoints that have the highest impact and criticality ratings.

screen capture of the Endpoints by Impact Rating and Asset Criticality chart

Click the Groups tab to show the Top 20 Groups by Impact Rating, Direct and Indirect Control chart. This chart shows the groups that have the highest impact and criticality ratings.

screen capture of the Top 20 Groups by Impact Rating, Direct and Indirect Control chart

Click the Users tab to show the Top 20 Users by Impact Rating, Direct and Indirect Control chart. This chart shows the users that have the highest impact and criticality ratings.

screen capture of the Top 20 Users by Impact Rating, Direct and Indirect Control chart

The Administrative Access vector gathers data only from Windows endpoints.

Click Explore in Impact to open Impact, where you can analyze potential lateral movement for users, groups, and endpoints. For more information, see Impact User Guide: Identifying high impact users, endpoints, and groups.

screen capture of the Explore in Impact button

Password Identification

The password identification vector uses data from Tanium Reveal to check for unencrypted saved passwords or sensitive data on the endpoint.

To reduce risk, limit access to sensitive data, such as authentication credentials, and ensure that passwords are not stored in plain text, to prevent attackers and insider threats from accessing those credentials and gaining unauthorized access to endpoints and data. For more information on investigating rule matches using Reveal, see Reveal User Guide: Investigating rule matches. The maximum score for this vector is 100 (10% of the total score).

The Password Identification section of this page shows the number of endpoints with unencrypted files that contain saved passwords. The Endpoints by Confirmed Visible Passwords chart shows the endpoints where visible passwords were found.

screen capture of the Password Identification vector page
Only validated matches impact the risk score. For more information, see Validating pattern matches.

Click Explore in Reveal to open the associated Rules page in Reveal, where you can connect to one or more endpoints and investigate the finding. For more information, see Investigating rule matches.

screen capture of the Explore in Reveal button

Expired Certificates

The expired certificates vector uses data from Tanium Core Content sensors to check for expired SSL or TLS certificates in use on the endpoint.

Expired Transport Layer Security (TLS) and Secure Sockets Layer (SSL) certificates are security issues because organizations cannot validate certificate revocation status to confirm trust in those certificates. The maximum score for this vector is 50 (5% of the total score).

The Expired Certificates Over Time chart shows the change in the average expired certificates score for your enterprise over the past 90 days. Monitor this chart to determine how the expired certificates score changes as you update certificates on endpoints.

Click the Summary tab to show the Endpoints with Expired Certificates by Asset Criticality and Score chart. This chart shows the endpoints that have the highest number of expired certificates, weighted by asset criticality.

screen capture of Endpoints with Expired Certificates by Asset Criticality and Score chart

Click the Certificates by Ports tab to show the Endpoints with Expired Certificates by Port chart. This chart shows the endpoints that have the highest risk score and the detected TCP ports on the endpoint.

screen capture of the Endpoints with Expired Certificates by Port chart

Insecure SSL/TLS

The insecure SSL/TLS certificates vector uses data from Tanium Core Content sensors to check for insecure SSL or TLS certificates in use on the endpoint.

To reduce risk, update any insecure or outdated transport layer security protocols (SSLv3, TLSv1) that can expose enterprise assets to man-in-the-middle attacks and expose sensitive data to attackers through browser exploitation. The maximum score for this vector is 50 (5% of the total score).

The Insecure TLS/SSL Over Time chart shows the change in the average insecure certificates score for your enterprise over the past 90 days. Monitor this chart to determine how the insecure TLS/SSL score changes as you update certificates and protocol configurations on endpoints.

Click the Summary tab to show the Endpoints with Insecure Transport Security Protocols by Asset Criticality and Score chart. This chart shows the endpoints that have the highest number of insecure certificates, weighted by asset criticality.

screen capture of the Endpoints with Insecure Transport Security Protocols by Asset Criticality and Score chart

Click the Protocol/Port tab to show the Endpoints with Detected Protocols chart. This chart shows the endpoints that have the highest overall risk scores and are currently using insecure and outdated transport layer security protocols (SSLv3, TLSv1) to secure communications.

screen capture of the Endpoints with Detected Protocols chart