Direct connecting to endpoints and exploring data

You can review endpoint data with a direct connection or from an endpoint snapshot.

  • Direct connection

    With direct connections, you can conduct analysis within seconds, without time-consuming data transfers or parsing. You can take multiple snapshots of the endpoint data, browse the file system, export events, and save evidence for remediation.

  • Endpoint snapshot

    Snapshots capture the endpoint data for asynchronous investigation offline, preserving the recorder database for storage and collaborative analysis on the Tanium Module Server. With snapshots, you can export events and save evidence for long-term analysis.

Threat Response supports direct connections using Tanium Direct Connect. Direct Connect provides a communication channel for other Tanium modules and a central location for configuring and administering direct endpoint connections across modules. Direct Connect replaces the mechanism for live endpoint connections that was used in previous versions of Threat Response to provide better performance and a consistent experience across Tanium modules. To install Direct Connect, see Tanium Direct Connect User Guide.

For new installations beginning with Threat Response 2.4, Direct Connect is enabled by default.

Direct connect to an endpoint

You can connect to endpoints that are registered with Tanium and are members of a computer group that is accessible to you. You must have the IP address or computer name of the endpoint.

You can make a direct connection to one or more endpoints.

  1. On the Threat Response overview page, go to Direct Connect.
  2. Type the IP address or computer name of an endpoint that you want to add. Matching endpoints appear as you type.

    If the endpoint you want to add is not in the list, verify that the endpoint is a member of a computer group that you can access. An indicator next to the text field shows whether an endpoint is currently online.


  3. Select one or more endpoints to add. Click Connect.

The live endpoint list displays endpoint connections that have been attempted, are connected, have failed, or where the connection has been closed. The history of connected endpoints is sorted by the last date on which endpoints were connected.

Additionally, the date and a link to the last must gather package for the endpoint are provided. To download the most recent must gather package for an endpoint, click the link in the Last Must Gather column for the endpoint. If you do not see the Last Must Gather column, click the additional details icon at the top right of the grid and make sure to select the Last Must Gather column to display this data.

Live endpoint connection status appears next to the endpoint with the connection information. An endpoint remains on the Direct Connect list until the connection is manually closed, regardless of the connection status. The connection times out after ten minutes of inactivity.

Capture a snapshot

You can capture a snapshot of an endpoint database for offline analysis and detailed forensics.

When you use Direct Connect to manage live endpoint connections, you cannot view snapshots of Recorder 1.x databases (monitor.db). This does not apply to Recorder 2.x databases (recorder.db).

  1. On the Threat Response overview page, go to Direct Connect.
  2. Click the computer name to go to the events grid. Click Capture.
  3. Go to Saved Evidence.
  4. View the snapshot progress by expanding the computer name.

To view the endpoint name and the number of captures, go to the Snapshots menu. The snapshot name is the endpoint host name with a timestamp in a YYYY_MM_DDTHH.MM.SS.mmmZ format.

Close the connection

You can manually close a connection to one or more endpoints. Select the endpoints you want to disconnect on the Direct Connect page. Click Delete.

Browse the file system on connected endpoints

You can browse the file system on connected endpoints and download files that you want to keep as saved evidence. You can delete files on an endpoint if you have the Threat Response Administrator privilege.

  1. Click an endpoint from the live endpoint list.
  2. Click Browse File System to open a file browser at the root directory. On Windows endpoints the default location is c:\. On macOS and Linux endpoints the default location is /. Click a row in the results grid and click the folder icon in the process path column to open the file system to the directory that contains the file.
  3. Navigate the file system by typing a path, or by clicking directories in the file browser or the breadcrumbs of the path. For each file in a directory you can view the size, creation date, modification date, and the permissions for the file. Symbolic links are visible while file browsing in a live connection.
  4. Click one or more files to download as saved evidence. From the Threat Response menu, click Saved Evidence > Files to access the files that you download.
  5. You can delete files and folders on an endpoint if you have the Threat Response Administrator privilege. To delete a file, ensure that you have the Threat Response Administrator role and click the delete icon at the end of the row. Click Delete. Deleting symbolic links requires Tanium Direct Connect 2.4 or higher.

Search for events

You can inspect and investigate endpoint data after you make a live connection or capture a snapshot. Search endpoint data for events using various parameters and operators. The search section displays all times in the UTC time standard.

  1. Open the events grid on a live connection or snapshot.
  2. Click an exploration button to search for events. Each exploration button is associated with a specific event type. The filter criteria change based on the event type you select. For example, you can filter on such criteria as process path, IP address, operation, event type, hash, signature, key value, and more. For file events, you can sort on the following operations:

    Create

    An event that corresponds with the creation of a file

    Write

    An event that corresponds with writing to a file

    Delete

    An event that corresponds with the deletion of a file

    Move

    An event that corresponds with the moving of a file to a different location in the file system

    Permissions Changed

    An event that corresponds with changing the permission on a file

    Open

    An event that corresponds with the opening of a file by another process

  3. Filter the search results to locate specific events that match criteria you provide. You can enter multiple sets of criteria based on various attributes of the event type. Fewer than three sets of filter criteria are treated as a logical AND. If you add more than two sets of filter criteria, you can choose to apply any or all of the criteria you have provided as a filter. The results are shown below the filters that you specify.
  4. For most event types, the event grid features a column with a pivot icon. Click the icon to display questions that you can ask in Tanium Interact to gain further insight into the event.

Click a process to view additional details. The Process Tree visualization appears with focus on the process you selected. If a process is currently running, it displays the refresh icon. Drag the visualization in any direction to view peer or ancestor processes.

The Process Tree view displays all of the file, network, registry, and child process activity that was initiated by the current process. This page also provides the full process image path and arguments, user context, hash, and parent command line. A tree view of network processes displays, including the current process, parent, children, and peer nodes. You can zoom in and out, click and drag, and click events to change the view. You can isolate one of the processes in the tree view and quickly focus on an artifact for analysis.

Hash information for each process is available from the events grid or from the Process Tree view for any specific process.

A hash can have one of the following ratings:

  • Non-Malicious (Green)
  • Malicious (Red)
  • Unknown (Grey)
  • Pending

Manage snapshots

Snapshots show all the data from an endpoint. The database file contains historical event activity going back to the first moment of recording or to the configured limits. Snapshots are stored on the Tanium Module Server.

Export a snapshot from an endpoint

You can retrieve the endpoint database manually if an endpoint is offline or a direct connection fails.

  1. Log on to the endpoint with administrator credentials.
  2. Stop the endpoint recorder by deploying a profile that does not contain a recorder configuration.
  3. Copy the recorder.db file to a location accessible to the Tanium Console from the <Tanium Client>/extensions/recorder directory.

    Change the file name to include the host name and a timestamp in the format: hostname_YYYY_MM_DDTHH.MM.SS.mmmZ.db. The file name appears in Threat Response.

  4. Start the endpoint recorder by deploying a profile with a recorder configuration.
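
The copy and rename in step 3, as an added example (not Tanium code): a Python helper that builds and validates the hostname_YYYY_MM_DDTHH.MM.SS.mmmZ.db name, copies recorder.db, and returns a SHA-256 of the copy. Assumptions: the timestamp is UTC (the Z suffix), the hash is an addition for evidence handling, all function names are hypothetical, and the caller supplies the source path.

```python
import hashlib
import re
import shutil
from datetime import datetime, timezone
from pathlib import Path

# File-name format from the page: hostname_YYYY_MM_DDTHH.MM.SS.mmmZ.db
NAME_RE = re.compile(
    r"^(?P<host>.+)_(?P<ts>\d{4}_\d{2}_\d{2}T\d{2}\.\d{2}\.\d{2}\.\d{3}Z)\.db$")

def snapshot_name(hostname, when):
    """Build the snapshot file name; `when` must be timezone-aware."""
    if when.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime")
    utc = when.astimezone(timezone.utc)
    return f"{hostname}_{utc:%Y_%m_%dT%H.%M.%S}.{utc.microsecond // 1000:03d}Z.db"

def parse_snapshot_name(name):
    """Return (hostname, UTC datetime), or None if the name is malformed."""
    m = NAME_RE.match(name)
    if m is None:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y_%m_%dT%H.%M.%S.%fZ")
    except ValueError:          # digits in place but not a real date/time
        return None
    return m["host"], ts.replace(tzinfo=timezone.utc)

def sha256_file(path):
    """Hash a file in chunks so a large database is not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def export_recorder_db(src, dest_dir, hostname, when):
    """Copy recorder.db under the snapshot name; return (path, sha256).
    Run only after the recorder is stopped (step 2), so the file is not changing."""
    dest = Path(dest_dir) / snapshot_name(hostname, when)
    if dest.exists():
        raise FileExistsError(f"refusing to overwrite {dest}")
    shutil.copy2(src, dest)
    digest = sha256_file(dest)
    if digest != sha256_file(src):
        dest.unlink()
        raise OSError("copy differs from source; is the recorder still running?")
    return dest, digest
```
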

Download a snapshot

You can download snapshots of endpoint databases for offline analysis and detailed forensics outside of Threat Response.

  1. Go to Threat Response > Saved Evidence. Click Snapshots.
  2. Select the snapshots that you want to download and click Download.
  3. The snapshot downloads are managed through the web browser. Note the location to which the browser downloads the file. Multiple snapshots are added to a zipped file.

Upload a snapshot

  1. (Optional) Install upload authentication certificates.
  2. In the Tanium Console, go to Threat Response > Saved Evidence and click Upload Snapshot.
  3. Browse to the saved snapshot.
  4. Click Upload & Connect.

If you are having difficulty uploading a snapshot, see Troubleshooting.

You can view uploaded snapshots from users who are using the same active persona as the active persona that uploaded the snapshot. Additionally you can view uploaded snapshots if the current user is the same as the user that uploaded the snapshot. The Threat Response Administrator Threat Response Operator role has access to view all uploaded snapshots. To provide other roles visibility into all uploaded snapshots, assign the Threat Response Visibility Bypass permission to those roles.

Save files and events

While reviewing the event data from a direct connection, you can save files - including locked files - and events directly from the events grid as you investigate. You can save files of any type.

You must have a direct connection to the endpoint to save file evidence. Saving evidence files from the endpoint is limited by available memory on the Tanium Module Server. You cannot save file evidence from snapshots.

  1. Open the events grid.
  2. Double-click an event row to open the Process Details page.
  3. Select Save Process Evidence.

The file is saved under Saved Evidence.

You can view evidence saved from endpoints that belong to computer groups for which you have permissions to access. For example, you can view evidence from endpoints for which the active persona belongs to at least one management rights group to which the endpoint belongs. If the current user belongs to at least one management rights group of which the endpoint is a member, saved evidence for that endpoint is visible. The Threat Response Administrator Threat Response Operator role has access to view all saved evidence. To provide other roles visibility into all saved evidence, assign the Threat Response Visibility Bypass permission to those roles.

The Threat Response Saved Evidence Read/Write permissions toggle the visibility of saved evidence. If you remove the Threat Response Downloads Read/Write permissions for a user, the Files tab is not available under Saved Evidence; however, selecting All still displays files in the results.

If an endpoint is offline for longer than the configured value of the Max Endpoint Age (Days) setting in Tanium Interact, only the users with the Threat Response Visibility Bypass permission can view alerts and saved evidence for the endpoint. If such an endpoint comes back online, alerts and saved evidence become visible to users with the correct permissions.

Download a file

Suspicious files might require more analysis or reporting to threat intelligence. After you save a file from a direct connection as evidence, you can also download it from the Saved Evidence page in Threat Response. The file contents are in an encrypted ZIP format that is downloaded to the endpoint that is hosting the browser. Decrypt files that you download with the password infected. If you need to inspect the file without opening it, the ZIP headers are not encrypted.
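
Because the ZIP headers are not encrypted, the member list can be read without the password and without extracting anything. The following is an added example (not Tanium code) that reads only the central directory with Python's zipfile module; the function names are hypothetical and the sample archive is constructed inline, with the encrypted flag set by hand to stand in for a downloaded evidence file.

```python
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x0001  # general-purpose flag bit 0: member data is encrypted

def list_members(zip_source):
    """Return metadata for each member, read from the ZIP central directory.
    `zip_source` is a path or a binary file object. No member is opened,
    decrypted, or written to disk."""
    rows = []
    with zipfile.ZipFile(zip_source) as zf:
        for info in zf.infolist():
            rows.append({
                "name": info.filename,
                "size": info.file_size,            # uncompressed size in bytes
                "compressed": info.compress_size,
                "crc32": f"{info.CRC:08x}",
                "modified": info.date_time,        # timestamp stored in the archive
                "encrypted": bool(info.flag_bits & ENCRYPTED_FLAG),
            })
    return rows

def constructed_sample():
    """Constructed input: a small stored ZIP whose central-directory entry
    has the encrypted bit set. The payload itself is harmless plain bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("sample.bin", b"constructed sample bytes")
    raw = bytearray(buf.getvalue())
    cd = raw.find(b"PK\x01\x02")                   # central directory file header
    (flags,) = struct.unpack_from("<H", raw, cd + 8)
    struct.pack_into("<H", raw, cd + 8, flags | ENCRYPTED_FLAG)
    return bytes(raw)

if __name__ == "__main__":
    for row in list_members(io.BytesIO(constructed_sample())):
        print(row)
```
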

Create Enforce rules

You can pivot from evidence on a single endpoint to create Enforce policies for multiple computer groups that contain Windows endpoints. You can add policies to existing process rule policies or create new ones from Threat Response, where you seamlessly complete the policy configuration in Enforce.

  1. From the Threat Response overview page, go to Saved Evidence.
  2. Click one or more saved events.
  3. Click Create Protection Policy.
  4. Confirm the evidence to use and click Create.
  5. On the Policy Selector page, create a new policy or add the evidence to an existing policy.
  6. Complete the information on the Edit Policy page.
  7. Click Create or Update as appropriate.
  8. Review the Policy Summary and add enforcements as needed.

Export events

You can export some or all of the events from an endpoint as a ZIP file that contains a CSV file. If you are exporting a large event database, take a snapshot and export the events from the snapshot to reduce the load on the endpoint.

Large exports might take a while to become available.

Select the rows in the events grid that you want to export, and click Export.

Manage IOCs

As you examine the endpoint event data during an investigation, you might confirm that an event is malicious. You can save such events and files as evidence.

Generate an IOC

  1. From the Threat Response overview page, go to Intel.
  2. Select Add > Evidence Based IOCs.
  3. In the IOC Normalized Tree drop-down menu, select Item from saved evidence. Add one or more items.
  4. Select an indicator type and value from the drop-down menus.
    Threat Response populates the list information from the details of saved evidence.
  5. Click Generate.