Scanning endpoints

Threat Response scans each endpoint using the intel documents and Signals that you defined. Scanning includes background scans, on-demand scans, and live Signals monitoring through the recorder. Background scans begin shortly after intel is deployed to the endpoint and continue on regular intervals. On-demand scans are initiated on demand, typically when you need to urgently locate all instances of a potential compromise.

A scan can have three possible results:

  • Match: Identifies potential compromise and generates alerts.
  • No match: None of the intel matched the data on the endpoints.
  • Inconclusive: Generally, an indication that the scan did not complete for some reason.

When a scan finds a match, the alert is gathered from the endpoint and reported to Threat Response. From there, you can further investigate the endpoint.

The two available types of scans are background scans and on-demand scans. They are complementary: background scans run on a schedule against all deployed intel, while on-demand scans run immediately and are intended for use cases such as testing or piloting new intel. In this way, you can test the results of a specific intel document with an on-demand scan; once the intel has been revised so that it generates the intended alerts, it can be scanned on a routine basis through background scans.

Background and on-demand scans, regardless of intel type, are throttled so that they do not overuse endpoint resources. In total, all Tanium Client extensions consume no more than 5% of the available CPU resources on each endpoint.

On-demand scans that initiate endpoint throttling cause the endpoint to throttle background scan alerts for the effective period of the throttle, which is one hour by default.

Endpoint throttling does not initiate any system notifications. Server throttling continues to send notifications.

Background scans

Background scans run continuously against intel. Threat Response actively acknowledges alerts when they are received. Alerts are not duplicated for the same artifact on the same endpoint.

To edit a detection configuration, see Detection configurations.

On-demand scans

On-demand scans send a single piece of intel to the endpoints for immediate matching and alert reporting. You can use Signals, OpenIOC, STIX, YARA, or reputation intel in an on-demand scan. There is no size limit of the intel document you can use for an on-demand scan, but be aware of the network impacts of sending large amounts of data for scanning.

For Signals, you can use on-demand scans for a seven-day historical query on the event recorder database. On-demand scanning of Signals is also useful when you are authoring Signals. On-demand scans are not supported for Signals that contain ancestry object types, for example ancestry.path.

  1. From the Threat Response menu, go to Intel. Select the intel document.
  2. Click the three dots in the upper right and select Start On-Demand Scan.
  3. Select Override scan blockout windows if you want the on-demand scan to ignore any configured scan blockout windows. Selecting this option forces the on-demand scan to execute on endpoints that are currently online. Override scan blockout windows requires the Threat Response Override Scan permission.
  4. Select the computer groups you want the on-demand scan to target. Click Start.
  5. Click Run.
  6. A new on-demand scan is initiated in the On-Demand Scans section of the intel document page. For each active on-demand scan, you can view the number of alerts for the intel you are scanning for, the total number of online endpoints, and the number of endpoints on which the scan has completed. A completed scan indicates that the scan has been deployed to the targeted endpoints and that no additional endpoints will receive the scan. After a scan has completed, targeted endpoints that were offline at the time can still come back online and report alerts. Each on-demand scan has an associated scan ID, which is a six-digit number. You can filter by scan ID on the Alerts tab of the intel document page to view the alerts that are associated with that on-demand scan.

    Results are limited to endpoints that are online, have an active Threat Response profile deployed, and are present in one or more of the computer groups you have targeted for the on-demand scan.

  7. When an on-demand scan is complete, the results of the scan are available on the On-Demand Scan History tab of the intel document page. You can view historical on-demand scans and their results and preserve this data for auditing purposes.

On-demand scans are action-based and require an approver if action approval is enabled. You can add the Threat Response content set to action approval bypass to allow action bypass for on-demand scans.

Delete an on-demand scan

To delete an on-demand scan, select it from either the On-Demand Scans section of the intel document page or the On-Demand Scan History tab, and click Delete next to the on-demand scan that you want to delete.