Threat Response overview

Use Threat Response to expedite incident response actions from hours or days to minutes. Detect, react, and recover quickly from attacks and the resulting business disruptions.


Threat Response monitors activity in real time and generates alerts when potential malicious behavior is detected. You can configure threat intelligence from a variety of reputable sources. Use this information to search endpoints for known indicators of compromise and perform reputation analysis. The reputation data that Threat Response uses constantly compares activity such as all processes run, autorun related files, and loaded modules against known malicious hashes defined by user hash lists or other services such as Palo Alto Wildfire, VirusTotal, and ReversingLabs.


Threat Response continuously records key system activity for forensic and historical analysis. You can look for specific activity across every endpoint in an enterprise and drill down into process and user activity on individual systems in both real-time and historical views.


Threat Response includes sensors and packages that provide endpoint visibility and remediation. With the sensors, you can search endpoint data quickly for evidence of compromise. When you have discovered compromised endpoints, you can use Threat Response packages to isolate incidents and prevent additional compromise, data leakage, and lateral movement.

Integration with other Tanium solutions

Threat Response has built in integration with Tanium™ Connect, Tanium™ Enforce, Tanium™ Impact, and Tanium™ Trends for additional alerting, remediation, and trending of incident related data.


Configure a Connect destination to export Threat Response data outside of Tanium. Connect can send information to security information and event management (SIEM) products and services including Micro Focus ArcSight, IBM QRadar, LogRhythm, McAfee SIEM, and Splunk. For more information, see Connect User Guide: Configuring SIEM destinations. Threat Response sends hash information from saved questions to Connect and reputation service providers to elaborate on process hashes for an at-a-glance reputation status. You can also configure incoming connections from sources such as Palo Alto Wildfire to create threat data.


Use Threat Response findings to create process and network rule policies for endpoints to prevent future incidents across the network. Failing to identify and address more fundamental vulnerabilities exploited during an incident leaves the organization with no net improvement to their security posture.


Use alert integration with Impact to take a data-driven approach to manage lateral movement impact within your organization by identifying, prioritizing and remediating access rights dependencies to reduce attack surface, prioritize actions, and scope incidents.


By default, Threat Response features Trends boards that provide data visualization of Threat Response concepts.

Threat Response - Alerts

When a match to intel that you have applied on a computer group is detected, an alert is generated from the endpoint and reported back to Threat Response. The Threat Response - Alerts board features visualizations that illustrate patterns of alerts over time on the endpoints in an environment. The following panels are in the Threat Response - Alerts board:

  • Lifetime Alerts Count

  • Alerts by Endpoint

  • Alerts by Intel Type

  • Alerts by Label

  • Alerts by Status

  • Alerts by Intel

  • Alerts by Intel Source

  • Threat Response Coverage

  • Mean Time to Investigate Alerts

  • Mean Time to Resolve Alerts

Threat Response - Deployment

The Threat Response - Deployment board features visualizations that show the status of Threat Response components on endpoints in an environment and provides visibility into any areas of Threat Response that require remediation. The following panels are in the Threat Response - Deployment board:

  • Overall Status

  • Engine Status

  • Index Status

  • Recorder Status

  • Incident Response Tools Status

  • Threat Response Health

  • Engine Health

  • Recorder Health

  • Index Scan Status

  • Detect Last Scan Time

  • Index Scan Phase

  • Detect Intel Revision

  • Detect Profile ID and Revision

  • Detect Tools Version

  • Index Tools Version

  • Incident Response Tools Version

  • Recorder Tools Version

To view Trends boards in the Threat Response home page, make sure that the Trends Data Read permission is granted to the role of the current user.

For more information about how to import the Trends boards that are provided by Threat Response, see Tanium Trends User Guide: Importing the initial gallery.