Other resources

Release Notes

Video Tutorial

Support Knowledge Base
(login required)

Threat Response overview

Use Threat Response to expedite incident response actions from hours or days to minutes. Detect, react, and recover quickly from attacks and the resulting business disruptions.


Threat Response monitors activity in real time and generates alerts when potential malicious behavior is detected. You can configure threat intelligence from a variety of reputable sources. Use this information to search endpoints for known indicators of compromise and perform reputation analysis. The reputation data that Threat Response uses constantly compares activity such as all processes run, autorun related files, and loaded modules against known malicious hashes defined by user black lists or other services such as Palo Alto Wildfire, VirusTotal, and ReversingLabs.


Threat Response continuously records key system activity for forensic and historical analysis. You can look for specific activity across every endpoint in an enterprise and drill down into process and user activity on individual systems in both real-time and historical views.


Threat Response includes sensors and packages that provide endpoint visibility and remediation. With the sensors, you can search endpoint data quickly for evidence of compromise. When you have discovered compromised endpoints, you can use Threat Response packages to isolate incidents and prevent additional compromise, data leakage, and lateral movement.

Integration with other Tanium products

Threat Response has built in integration with Tanium™ Connect, Tanium™ Protect, and Tanium™ Trends for additional alerting, remediation, and trending of incident related data.


Configure a Connect destination to export Threat Response data outside of Tanium. Threat Response sends hash information from saved questions to Connect and reputation service providers to elaborate on process hashes for an at-a-glance reputation status. You can also configure incoming connections from sources such as Palo Alto Wildfire to create threat data.


Use Threat Response findings to create process and network rule policies for Windows endpoints in Protect to prevent future incidents across the network. Failing to identify and address more fundamental vulnerabilities exploited during an incident leaves the organization with no net improvement to their security posture.


Use any of the Threat Response saved questions in Trends boards and panels to provide graphical representation of Threat Response data overall. Trends can pivot from the overall view to Tanium Interact for specific responses by endpoint.

Last updated: 1/10/2020 11:34 AM | Feedback