Searching across the enterprise

Use event data to locate suspicious activity on other endpoints. Evaluate the extent of an intrusion and take informed action at scale.

Ask an enterprise-wide question

When an investigation leads you to a confirmed malicious event, you can quickly pivot from the event details into a question to search all of your managed endpoints with the Tanium Interact.

Any row of process details can be transformed into a context-sensitive search. For example, selecting a row for a CreateProcess operation prompts a search for a matching process by path, MD5 hash, or full command line; selecting a file or registry row prompts a search by the operation type and item path. You can also manually create more complex queries that use the full Threat Response data set and provide advanced options, such as time range constraints and regular expression matching.

  1. Open the events grid on a live connection or snapshot.
  2. Use the Explore buttons or other search parameters to identify the event data.
  3. Double-click an event to open the Process Details page.
  4. On the Event History tab, click the Question icon at the end of a row. Choose from the list of possible questions.

The Interact page opens to display the results of the question.

For more information, see Tanium Interact User Guide: Questions.

Hunt across the enterprise

Instead of pivoting from a single endpoint out, you can use the Threat Response sensors to search for suspicious events on multiple endpoints across the network.

Queries for simple events, such as a process, registry key, or file, yield immediate results. You can search for “known-bad” events, and recognize and evaluate the “known-good” events. You might be encountering a set of evidence that seems suspicious, at first, but might actually be normal system activity.

  1. From the Threat Response menu, click Enterprise Hunting.
  2. (Optional) Narrow the list of sensors by clicking filters or typing in search terms. This limits the visible sensors and highlights the applicable Common Uses.
  3. To review the sensor summary, click the caret to expand.
  4. Click the sensor name to open the parameters configuration page and complete the fields as needed.

    If a sensor has no configurable parameters, the Interact results grid opens immediately.

    If you select Common Uses the parameter fields are automatically populated. Click Ask Question. The results are available in an Interact grid where you can also create a saved question. You must close the grid to select a different sensor. For more information, see the Tanium Interact User Guide: Results.

  5. Select the results that need further investigation.
  6. Open a live connection or take a snapshot of the endpoints and verify that the events are actually malicious.
  7. (Optional) Quarantine or remediate the compromised endpoints.
  8. Create an IOC to scan for this type of activity in the future.

To search for files on disk, see Tanium Client Index Extension User Guide: Reference: Index sensors.

To search historical activity, use the following sensors:

  • Trace DNS Queries
  • Trace Executed Process Hashes
  • Trace Loaded Drivers
  • Trace Executed Processes
  • Trace Logon Events
  • Trace Executed Process Trees
  • Trace Network Connections
  • Trace File Operations
  • Trace Image Loads
  • Trace Registry Keys or Values