Connecting to live endpoints and exploring data

You can review endpoint data with a live endpoint connection or from an endpoint snapshot.

  • Live endpoint connection

    With live endpoint connections, you can conduct analysis within seconds, without time­-consuming data transfers or parsing. You can take multiple snapshots of the endpoint data, browse the file system, export events, and save evidence for remediation.

  • Endpoint snapshot

    Snapshots capture the endpoint data for asynchronous investigation offline, preserving the recorder database for storage and collaborative analysis on the Tanium Module Server. With snapshots, you can export events, and save evidence for long-­term analysis.

Connect to a live endpoint

You can connect to endpoints that are registered with Tanium and are a member of a computer group that is accessible to you. You must have the IP address or computer name of the endpoint.

You can make a live endpoint connection to one or more endpoints.

  1. On the Threat Response home page, go to Live Endpoints.
  2. Type the IP address or computer name of an endpoint that you want to add. Matching endpoints appear as you type.

    The first time that you start Threat Response, the list of endpoints that are accessible to you might take a few minutes to populate. If the endpoint you want to add is not in the list, verify that the endpoint is a member of a computer group that you can access. An indicator next to the text field shows whether an endpoint is currently online.


  3. Select the endpoint to add. Click Connect

 

The live endpoint list displays endpoint connections that have been attempted, are connected, have failed, or where the connection has been closed. The live endpoint connection status is displayed next to the endpoint with the connection information. An endpoint remains on the Live Endpoints list until the connection is manually closed, regardless of the connection status. The connection times out after ten minutes of inactivity. If you are having trouble making a connection, see Resolve live endpoint connection problems.

Capture a snapshot

You can capture a snapshot of an endpoint database for offline analysis and detailed forensics.

  1. On the Threat Response home page, go to Live Endpoints.
  2. Click the computer name to go to the events grid. Click Capture.
  3. Threat Response measures the size of the database and verifies that there is enough disk space for the snapshot.
  4. Click Yes in the confirmation window.
  5. Go to Saved Evidence.
  6. View the snapshot progress by expanding the computer name.

To view endpoint name and the number of captures, go to the Snapshots menu. The snapshot name is the endpoint host name with a timestamp in a YYYY_MM_DDTHH.MM.SS.mmmZ format.

Close the connection

You can manually close a connection to one or more endpoints. Select the endpoints you want to disconnect on the Live Endpoints page. Click Delete.

Browse the file system on connected endpoints

You can browse the file system on connected endpoints and download files that you want to keep as saved evidence. You can delete files on an endpoint if you have the Threat Response Administrator privilege.

  1. Click an endpoint from the live endpoint list.
  2. Click Browse File System to open a file browser at the root directory. On Windows endpoints the default location is c:\. On macOS and Linux endpoints the default location is /. Click a row in the results grid and click the folder icon in the process path column to open the file system to the directory that contains the file.
  3. Navigate the file system by typing a path, or by clicking directories in the file browser of the breadcrumbs of the path. For each file in a directory you can view the size, creation date, modification date, and the permissions for the file.
  4. Click a file to download it as saved evidence. From the Threat Response menu, click Saved Evidence > Files to access the files that you download.
  5. You can delete files on an endpoint if you have the Threat Response Administrator privilege. To delete a file, ensure that you have the Threat Response Administrator privilege and click the delete icon at the end of the row. Click Delete.

Search for events

You can inspect and investigate endpoint data after you make a live connection or capture a snapshot. Search endpoint data for events using various parameters and operands. The search section displays all times in the UTC time standard.

  1. Open the events grid on a live connection or snapshot.
  2. Select a parameter from the drop-down list.

    Each exploration button changes what options are available; such as process path, IP address, operation, event type, hash, signature, key value, and more.

  3. Select an operand from the drop-down list.
  4. Enter the search information.
  5. (Optional) Click Add to create a complex search expression.

    Use Add to connect multiple words if you are searching for command-line events.

    You can change search entries by clicking the entry and then clicking Update.
  6. Click Search.
  7. (Optional) Click Export to Excel to share your search results.

The results and count are shown below the search expression.

To view details about a process, click the process of interest. A page of detailed information appears. The information includes a timeline and a history table. The timeline represents the duration of the process from creation to termination and plots each of the events that occurred within the context of the process.

The Detailed Process History table includes information about the timestamp, item type, operation, and operand. Additional process information appears, including:

  • Process path
  • Command line
  • Hash
  • Parent command line
  • Process ID
  • Parent process ID
  • Time of the event
  • User

The hash at-a-glance indicator is available from the events grid or from the Process Details page.

A hash can have one of the following ratings:

  • Non-Malicious (Green)
  • Malicious (Red)
  • Suspicious (Yellow)
  • Unknown (Grey)
  • Pending

Click a hash to open the Reputation Report Details page. For VirusTotal reputation data, you can expand the details and see a color-coded list of sources that have assessed the hash.

View event distribution

To understand which event types are consuming the most space, you can compare all of the events on an endpoint by count. The results of this comparison help you to decide which events to filter out. All of the records in the database on the specific endpoint appear, limited by the maximum size or days configured.

  1. Open the events grid on a live connection or snapshot.
  2. Click Event Distribution.
  3. Review the events.
    • Click Sort By Count to reorder the events.
    • Hover over a bar to see the exact number of events.

View Process and Event Details

To view details for a single process over time, double-click a search result. The Process Details page displays all of the file, network, registry, and child process activity that was initiated by the current process. This page also provides the full process image path and arguments, user context, hash, and parent command line.

If the Process Details page contains question marks, it is possible that Threat Response was not deployed when the process was launched or your configuration does not use Sysmon.

You can see more details about the process history in the Event History tab.

Review endpoint events from timeline or relationship tree views.

View the Process Timeline

The process timeline shows the events over the lifetime of a process for inspection. You can zoom in and out, click and drag, and double-click on events to change the view. For specific information, hover over an event.

View the Process Tree

View a tree of network processes, including the current process, parent, children, and peer nodes. You can zoom in and out, click and drag, and double-click events to change the view. You can isolate one of the processes in the tree view and quickly focus on an artifact for analysis.

Manage snapshots

Snapshots show all the data from an endpoint. The database file contains historical event activity going back to the first moment of recording or to the configured limits. Snapshots are stored on the Tanium Module Server.

Export a snapshot from an endpoint

You can retrieve the endpoint database manually if an offline endpoint or a live connection fails.

  1. Log on to the endpoint with administrator credentials.
  2. Stop the endpoint recorder.
    Operating SystemInstructions

    Windows

    1. From the Windows Start menu, click Run.
    2. Type services.msc and click OK.
    3. Locate the Tanium Client service, right-click and select Stop.
    Linux

    Stop the auditd service with the following command:

    service auditd stop

    Mac

    From the Tools/Trace directory, run the following script as root or superuser:

    ./TaniumRecorder --stop

  3. Copy the monitor.db file to a location accessible to the Tanium Console from the Tanium Client installation directory.

    Change the file name to include the host name and a timestamp in the format: hostname_YYYY_MM_DDTHH.MM.SS.mmmZ.db. The file name is displayed in Threat Response.

  4. Start the endpoint recorder.
    Operating SystemInstructions

    Windows

    1. From the Windows Start menu, click Run.
    2. Type services.msc and click OK.
    3. Locate the Tanium Client service, right-click and select Start.
    Linux

    Start the auditd service with the following command:

    service auditd start

    Mac

    From the Tools/Trace directory, run the following script as root or superuser:

    ./TaniumRecorder --start

Upload a snapshot

  1. (Optional) Install upload authentication certificates.
    1. Stop the Threat Response service on the Tanium Module Server.
    2. Replace these files with the signed key pair:

      If you are using the Tanium Appliance, replace the backslash (\) with a forward slash (/).

      • services\trace\certs\httpPrivKey.pem
      • services\trace\certs\httpPublicCert.pem

        Go to https://<Tanium Module Server>:17443/status to verify your access. If you do not receive a self-signed certificate notice, it was successful.

    3. Restart the Tanium Trace service.
  2. In the Tanium Console, go to Threat Response > Saved Evidence and click Upload Snapshot
  3. Browse to the saved snapshot.
  4. Click Upload & Connect.

If you are having difficulty uploading a snapshot, see Troubleshooting.

Save files and events

While reviewing the event data from a live endpoint connection, you can save files and events directly from the events grid as you investigate. You can save files of any type.

You must have a live connection to the endpoint to save file evidence. You cannot save file evidence from snapshots.

  1. Open the events grid.
  2. Double-click an event row to open the Process Details page.
  3. Select Save Process Evidence.

The file is saved under Saved Evidence.

Download a file

Suspicious file might requires more analysis or reporting to threat intelligence. After you save a file from a live connection as evidence, you can also download it from the Saved Evidence page in Threat Response. The file contents are in an encrypted ZIP format that is downloaded to the machine that is hosting the browser. Decrypt files that you download with the password infected. If you need to inspect the file without opening it, the ZIP headers are not encrypted.

Create Protect rules

You can pivot from evidence on a single endpoint to create Protect policies for multiple computer groups that contain Windows endpoints. You can add policies to existing process rule policies or create new ones from Threat Response, where you seamlessly complete the policy configuration in Protect.

  1. From the Threat Response home page, go to Saved Evidence.
  2. Click one or more saved events.
  3. Click Create Protection Policy.
  4. Confirm the evidence to use and click Create.
  5. On the Policy Selector page, create a new policy or add the evidence to an existing policy.
  6. Complete the information on the Edit Policy page.
  7. Click Create or Update as appropriate.
  8. Review the Policy Summary and add enforcements as needed.

For more information, see the Tanium Protect User Guide.

Export events

You can export some or all of the events from an endpoint as a ZIP file that contains a CSV file. If you are exporting a large event database, take a snapshot and export the events from the snapshot to reduce the load on the endpoint. By default, exports for live connections are limited to 10,000 rows. If you need to change this number, see Troubleshooting.

Large exports might take a while to become available.

Select the rows in the events grid that you want to export, and click Export .

Manage IOCs

As you examine the endpoint event data during an investigation, you might confirm that an event is malicious. You can save such events and files as evidence.

Generate an IOC

  1. From the Threat Response home page, go to Intel
  2. Select Add > Evidence Based IOCs.
  3. In the IOC Normalized Tree drop-down menu, select Item from saved evidence. Add one or more items.
  4. Select an indicator type and value from the drop-down menus.
    Threat Response populates the list information from the details of saved evidence.
  5. Click Generate.

Last updated: 5/22/2019 2:42 PM | Feedback