Searching across the enterprise

Use event data to locate suspicious activity on other endpoints. Evaluate the extent of an intrusion and take informed action at scale.

Hunt across the enterprise

Instead of pivoting from a single endpoint out, you can use the Threat Response sensors to search for suspicious events on multiple endpoints across the network.

Queries for simple events, such as a process, registry key, or file, yield immediate results. You can search for “known-bad” events, and recognize and evaluate the “known-good” events. Evidence that seems suspicious at first might turn out to be normal system activity.

  1. From the Threat Response menu, click Enterprise Hunting.
  2. (Optional) Narrow the list of sensors by clicking filters or typing in search terms. This limits the visible sensors and highlights the applicable Common Uses.
  3. To review the sensor summary, click the caret to expand it.
  4. Click the sensor name to open the parameters configuration page and complete the fields as needed.

    If a sensor has no configurable parameters, the Interact results grid opens immediately.

    If you select Common Uses, the parameter fields are automatically populated. Click Ask Question. The results are available in an Interact grid where you can also create a saved question. You must close the grid to select a different sensor. For more information, see the Tanium Interact User Guide: Results.

  5. Select the results that need further investigation.
  6. Open a live connection or take a snapshot of the endpoints and verify that the events are actually malicious.
  7. (Optional) Quarantine or remediate the compromised endpoints.
  8. Create an IOC to scan for this type of activity in the future.
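The triage logic behind steps 4 through 6, as an added example that is not part of this guide or of Tanium's own code: it takes a constructed result set in the shape of a Trace Executed Process Hashes grid, sorts each hash into known-bad, known-good, rare, or prevalent across the fleet, and returns the endpoints that merit a live connection or snapshot. The row layout, the hash placeholders, the fleet size and the `rare_fraction` threshold are all assumptions.

```python
from collections import defaultdict

# Constructed sample rows shaped like a Trace Executed Process Hashes result
# grid: (endpoint, process path, hash). Hash values are placeholders.
ROWS = [
    ("ws-01", r"C:\Windows\System32\svchost.exe", "hash-svchost"),
    ("ws-02", r"C:\Windows\System32\svchost.exe", "hash-svchost"),
    ("ws-01", r"C:\Users\Public\update.exe", "hash-update"),
    ("ws-02", r"C:\Users\Public\update.exe", "hash-update"),
    ("ws-03", r"C:\Users\Public\update.exe", "hash-update"),
    ("ws-04", r"C:\Users\Public\update.exe", "hash-update"),
    ("ws-03", r"C:\ProgramData\tmp\tool.exe", "hash-tool"),
    ("ws-02", r"C:\Temp\dropper.exe", "hash-dropper"),
]

# Constructed intelligence sets standing in for an IOC list and an allow list.
KNOWN_BAD = {"hash-dropper"}
KNOWN_GOOD = {"hash-svchost"}


def triage(rows, known_bad, known_good, fleet_size, rare_fraction=0.1):
    """Group each hash by the endpoints it ran on and assign a verdict.

    fleet_size is the number of endpoints that answered the question; a hash
    seen on at most rare_fraction of them, and on neither list, is flagged rare.
    """
    endpoints_by_hash = defaultdict(set)
    path_by_hash = {}
    for endpoint, path, digest in rows:
        endpoints_by_hash[digest].add(endpoint)
        path_by_hash[digest] = path
    verdicts = {}
    for digest, endpoints in endpoints_by_hash.items():
        if digest in known_bad:
            verdict = "known-bad"
        elif digest in known_good:
            verdict = "known-good"
        elif len(endpoints) / fleet_size <= rare_fraction:
            verdict = "rare"        # few hosts: candidate for live connection/snapshot
        else:
            verdict = "prevalent"   # widespread and unlisted: probably normal activity
        verdicts[digest] = {"path": path_by_hash[digest],
                            "endpoints": sorted(endpoints), "verdict": verdict}
    return verdicts


def endpoints_to_investigate(verdicts):
    """Endpoints running anything known-bad or rare: the selection for step 5."""
    return sorted({e for v in verdicts.values()
                   if v["verdict"] in ("known-bad", "rare") for e in v["endpoints"]})
```

Prevalence is only a triage aid: a hash that is widespread because it was pushed to many endpoints is still worth a look if its path or parent is unusual.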

To search for files on disk, see Tanium Client Index Extension User Guide: Reference: Index sensors.

To search historical activity, use the following sensors:

  • Trace DNS Queries
  • Trace Executed Process Hashes
  • Trace Loaded Drivers
  • Trace Executed Processes
  • Trace Logon Events
  • Trace Executed Process Trees
  • Trace Network Connections
  • Trace File Operations
  • Trace Image Loads
  • Trace Registry Keys or Values