Threat Response overview

Use Threat Response to expedite incident response actions from hours or days to minutes. Detect, react, and recover quickly from attacks and the resulting business disruptions.


Threat Response continuously records key system activity for forensic and historical analysis. You can look for specific activity across every endpoint in an enterprise and drill down into process and user activity on individual endpoints in both real-time and historical views. You can investigate alerts from external sources such as Microsoft Defender and Deep Instinct to leverage the endpoint visibility provided by Threat Response.


Threat Response monitors activity in real time and generates alerts when potential malicious behavior is detected. You can configure threat intelligence from a variety of reputable sources such as TAXII and iSight. Use threat intelligence to search endpoints for known indicators of compromise and perform reputation analysis. The reputation data that Threat Response uses constantly compares activity such as all processes run, autorun related files, and loaded modules against known malicious hashes defined by user hash lists or other services such as Palo Alto Wildfire, VirusTotal, and ReversingLabs.


Threat Response includes sensors and packages that provide endpoint visibility and remediation. With the sensors, you can search endpoint data quickly for evidence of compromise. When you have discovered compromised endpoints, you can use Threat Response packages to isolate incidents and prevent additional compromise, data leakage, and lateral movement.

Interoperability with other Tanium products

Threat Response works with Tanium™ Connect, Tanium™ Enforce, Tanium™ Impact, and Tanium™ Trends for additional alerting, remediation, and trending of incident related data.


Configure a Connect destination to export Threat Response data outside of Tanium. Connect can send information to security information and event management (SIEM) products and services including Micro Focus ArcSight, IBM QRadar, LogRhythm, McAfee SIEM, and Splunk. For more information, see Connect User Guide: Configuring SIEM destinations. Threat Response sends hash information from saved questions to Connect and reputation service providers to elaborate on process hashes for an at-a-glance reputation status. You can also configure incoming connections from sources such as Palo Alto Wildfire to create threat data.


Use Threat Response findings to create process and network rule policies for endpoints to prevent future incidents across the network. Failing to identify and address more fundamental vulnerabilities exploited during an incident leaves the organization with no net improvement to their security posture.


Use alert integration with Impact to take a data-driven approach to manage lateral movement impact within your organization by identifying, prioritizing and remediating access rights dependencies to reduce attack surface, prioritize actions, and scope incidents.


Threat Response features Trends boards that provide data visualization of Threat Response concepts.

Threat Response - Alerts

When a match to intel that you have applied on a computer group is detected, an alert is generated from the endpoint and reported back to Threat Response. The Threat Response - Alerts board features visualizations that illustrate patterns of alerts over time on the endpoints in an environment. The following panels are in the Threat Response - Alerts board:

  • Mean Time to Investigate Alerts

  • Mean Time to Resolve Alerts

  • Lifetime Alerts Count

  • Alerts by Status

  • Alerts by Endpoint

  • Alerts by Intel

  • Alerts by Intel Type

  • Alerts by Intel Source

  • Alerts by Label

Threat Response - Deployment

The Threat Response - Deployment board features visualizations that show the status of Threat Response components on endpoints in an environment and provides visibility into any areas of Threat Response that require remediation. The following panels are in the Threat Response - Deployment board:

  • Threat Response Coverage

  • Overall Status

  • Index Status

  • Recorder Status

  • Incident Response Tools Status

  • Threat Response Health

  • Recorder Health

  • Detect Last Scan Time

  • Detect Intel Revision

  • Detect Profile ID and Revision

  • Detect Tools Version

  • Index Tools Version

  • Incident Response Tools Version

  • Recorder Tools Version

Threat Response - Stream STATS

The Threat Response - Stream Stats board features visualizations that show the status of stream data generation. The following panels are in the Threat Response - Stream Stats board:

  • Data Sent This Month

  • Data Sent Last Month

For more information about how to import the Trends boards that are provided by Threat Response, see Tanium Trends User Guide: Importing the initial gallery.