Reference: Sensors

Use sensors for scoping incidents and rapidly responding to them. Threat Response provides sensors that are executed on all endpoints and diagnostic sensors to monitor the Threat Response service. Where appropriate, these sensor results include a timestamp in the YYYY-MM-DD HH:MM:SS.mmm+00:00 format.

Threat Response sensors permit the use of regular expressions. If the Treat input as regular expression option is enabled, special characters and literals require character escapes.

About deploying parameterized sensors as actions

Sensors that require extensive computational resources across the security enterprise are deployed as actions. An example of a computationally intensive sensor is one that hashes files and performs binary searches. Deploying parameterized sensors as actions increases the speed of larger tasks, including:

  • Searching across directories for binary data
  • Matching the hash values of files across many directories
  • Hashing and matching executables and their loaded modules

Actions are not processed one at a time. Short actions run at the same time as longer actions. Because actions are not strictly queued, shorter actions are not delayed by the execution of more extensive actions.

Actions do not time out. Because the processing time of an action depends on the nature of the task, an action is considered complete when the job begins. The results, however, might not be immediately available.

When you deploy an action, you must provide an IR job ID. Then, you can view results files from Windows-based endpoints with the Incident Response Job Results sensor by specifying the job ID as a parameter. You can retrieve and copy job results files to a central location by using one of the platform-specific collection actions.

For more information about sensors for search, remediation, and file collection, see Tanium Knowledge Base Incident Response Sensors and Packages reference.

Table 1:   Common Use Cases

  Task: Retrieve a list of all running processes on all endpoints with their hashes
  Question: Get Running Processes with Hash from all machines
  Sensor: Running Processes with Hash

  Task: Retrieve the currently running processes matching a specific MD5 hash
  Question: Get MD5 Hash Match Files Executing from all machines
  Package: Incident Response - MD5 Hash Match Files Executing

  Task: Display IR job results in Tanium Console
  Question: Get Incident Response Job Results from all machines
  Sensor: Incident Response Job Results

  Task: Copy IR job results for Windows-based endpoints to a central location
  Question: Get Has Incident Response ID Files from all machines
  Package: IR Gatherer - Collect Info to Central Server

Deploy a parameterized sensor as an action

  1. Identify the endpoints that you want to target.
    1. Ask a question to return a set of endpoints.
    2. Select the endpoints and click Deploy Action.
  2. Specify the parameterized sensor.
    1. Type the name of the parameterized sensor in the Deployment Package field.

      For example, type: Incident Response - Search for Files.

    2. Specify parameters for the sensor. For the Incident Response - Search for Files sensor, indicate a Pattern of files to match and the IR Job ID.

      The IR Job ID can be any value that you choose. Use this value to get the results of the action. The value must be unique. If two actions share the same job ID, the files identified by those actions might be destroyed. Remember the value so that you can retrieve the job results later.

    3. Click Show Preview to Continue and review the results.
    4. Complete deployment of the action. Click Deploy Action.
  3. Get the results of the parameterized sensor action.
    1. Ask the question: Get Incident Response Job Results from all machines.
    2. Specify the Incident Response Job ID.

      The value for the job ID is the same value that you specified when you deployed the action.

    3. Click Go.

Recorder diagnostic sensors

The recorder uses additional sensors to capture diagnostic information about status and operations.

Recorder sensors permit the use of regular expressions. If Treat input as regular expression is enabled, special characters and literals require character escapes. Fields that support regular expressions require wildcards for partial string matches. For example, to search for processes named cmd.exe under different process paths, use .*cmd.exe rather than cmd.exe. To match processes named 123.abc and 123.xyz, use a wildcard at the end of the expression, for example: .*\\123\..*
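As an added illustration (not code from the original page or from Tanium), the following Python models these matching rules: it assumes a regex-enabled field is compared against the whole value (modelled with re.fullmatch), runs the page's example patterns against constructed sample process paths, and shows why the literal dot and backslash need escaping.

```python
import re

# Constructed sample process paths (not sensor output): cmd.exe under two
# directories, a decoy whose name only ends in cmd.exe, and 123.* style names.
SAMPLE_PATHS = [
    r"C:\Windows\System32\cmd.exe",
    r"C:\Windows\SysWOW64\cmd.exe",
    r"C:\Users\alice\Downloads\notcmd.exe",
    r"C:\Users\alice\Downloads\123.abc",
    r"C:\Users\alice\Downloads\123.xyz",
    r"C:\Users\alice\Downloads\1234.abc",
]


def matches(pattern, values):
    """Return the values that the regex matches in full.

    Assumption: a field with "Treat input as regular expression" enabled is
    compared against the whole value, so a partial match needs explicit .*
    wildcards; re.fullmatch models that behaviour here.
    """
    rx = re.compile(pattern)
    return [v for v in values if rx.fullmatch(v)]


def as_literal(value):
    """Escape a plain string so it matches only itself when regex mode is on."""
    return re.escape(value)


if __name__ == "__main__":
    # cmd.exe alone matches nothing; .*cmd.exe also catches notcmd.exe because
    # the unescaped dot matches any character; .*\\cmd\.exe is exact.
    for p in (r"cmd.exe", r".*cmd.exe", r".*\\cmd\.exe", r".*\\123\..*"):
        print(f"{p:14} -> {matches(p, SAMPLE_PATHS)}")
    print(as_literal(r"C:\Windows\System32\cmd.exe"))
```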

These sensors are issued on a default schedule.

Table 2:   Diagnostic sensors

  Sensor: Trace Invalid File Operations
  Description: This sensor detects corrupt databases.
  Parameter: N/A
  Results: If there is an invalid file operation in the Trace database, this sensor returns a value of True. Otherwise, this sensor returns a value of False.

  Sensor: Trace Database Size More Than Threshold
  Description: This sensor determines whether the specified endpoint database exceeds the maximum size.
  Parameter: The maximum size of the endpoint database, in bytes. For example, 1000000000.
  Results: If the size of the endpoint database exceeds the maximum value, this sensor returns a value of Yes. Otherwise, this sensor returns a value of No.

  Sensor: Trace Database Exceeded Maximum
  Description: This sensor determines whether the Trace endpoint database has exceeded the maximum configured size.
  Parameter: Double the maximum size of the endpoint database, in bytes. For example, 2000000000.
  Results: If the answer is Yes, a Scheduled Action triggers a package to disable the Trace service on the endpoint.

  Sensor: Tanium Trace Database Health
  Description: This sensor examines the Trace database for potential issues, including exceeding the maximum size, a mismatched schema version, integer timestamps not being used, and a simple database query failing.
  Parameter: N/A
  Results: This sensor reports whether the health check passed, indicates the database size, and lists any detected issues with the database.

  Sensor: Trace Endpoint Certificate Installed
  Description: This sensor checks whether the Trace Endpoint Certificate is installed.
  Parameter: N/A
  Results: If Trace Endpoint Filter is installed on a managed endpoint, this sensor returns a value of True. Otherwise, this sensor returns a value of False.

  Sensor: Tanium Trace Endpoint Filters
  Description: This sensor lists the endpoints that have Tanium Trace filters installed.
  Parameter: N/A
  Results: If Trace Endpoint Filter is installed on a managed endpoint, this sensor returns a value of True. Otherwise, this sensor returns a value of False.

  Sensor: Trace Group Configuration Level
  Description: This sensor determines whether the trace database is configured.
  Parameter: N/A
  Results: If the database is configured on a managed endpoint, this sensor returns a value of True. Otherwise, this sensor returns a value of False.

  Sensor: Windows Audit Policy
  Description: This sensor retrieves Windows operating system audit data.
  Parameter: N/A
  Results: Displays audit status by alpha-ordered category, subcategory, and activity rating. Audit status is indicated by one of the following: Success or No Auditing.

Using sensors to query indexed files

To check indexing status, use the Index Status sensor. For more information about the status values, see Tanium Knowledge Base Index Reference: Index Status.

Use the Index Query File sensors to get details about files that have been indexed.

The Index Query File Details sensors return Created and Last Modified time stamps. The time stamps in the results make the strings that are returned for each file unique. To reduce the overall number of strings, use the following workflow:

  1. Start with one of the following sensors that are less likely to return as many unique strings:
    • Index Query File Path Using Name
    • Index Query File Path and Hash
    • Index Query File Exists
    • Index Query File Hash Recently Changed
    • Index Query File Count
    • Index Query File Permissions

  2. After getting results from the sensors above, you can drill down to get more details with the following sensors:
    • Index Query File Details
    • Index Query File Details Using Name
    • Index Query File Details by Last Modified
    • Index Query File Details Using Name Sort By Largest
    • Index Query File Permissions
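To show why the detail sensors produce so many unique strings, and how an analyst can fold them back together once the drill-down data is collected, here is an added Python example (not from the page or from Tanium). It parses the page's YYYY-MM-DD HH:MM:SS.mmm+00:00 timestamp format and groups constructed detail rows by path and hash; the (path, hash, created, last modified) column layout is an assumption made for the example.

```python
from datetime import datetime, timezone

# Timestamp format used in sensor results: YYYY-MM-DD HH:MM:SS.mmm+00:00.
# %f accepts the three millisecond digits and %z accepts "+00:00".
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f%z"

# Constructed rows shaped as (path, hash, created, last_modified). The
# column layout is an assumption for this example, not the sensor's format.
SAMPLE_ROWS = [
    ("C:\\Windows\\System32\\cmd.exe", "aaaa1111",
     "2019-06-01 10:00:00.000+00:00", "2019-06-01 10:00:00.000+00:00"),
    ("C:\\Windows\\System32\\cmd.exe", "aaaa1111",
     "2019-06-02 11:30:15.250+00:00", "2019-06-05 08:00:00.500+00:00"),
    ("C:\\Windows\\System32\\cmd.exe", "aaaa1111",
     "2019-06-03 09:15:42.100+00:00", "2019-06-03 09:15:42.100+00:00"),
    ("C:\\Users\\alice\\Downloads\\123.abc", "bbbb2222",
     "2019-06-04 12:00:00.000+00:00", "2019-06-04 12:00:00.000+00:00"),
]


def parse_ts(value):
    """Parse one sensor timestamp into a timezone-aware UTC datetime."""
    return datetime.strptime(value, TS_FORMAT).astimezone(timezone.utc)


def collapse_rows(rows):
    """Collapse per-endpoint detail rows onto (path, hash).

    Returns {(path, hash): (row_count, newest_last_modified)}: the
    timestamps no longer make every row a unique string, but the most
    recent modification time is kept for triage.
    """
    groups = {}
    for path, digest, _created, modified in rows:
        key = (path, digest)
        ts = parse_ts(modified)
        count, newest = groups.get(key, (0, None))
        groups[key] = (count + 1, ts if newest is None or ts > newest else newest)
    return groups


if __name__ == "__main__":
    # Four distinct result strings fold into two path/hash pairs.
    print(len(set(SAMPLE_ROWS)), "unique rows ->",
          len(collapse_rows(SAMPLE_ROWS)), "path/hash pairs")
```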

For more information about these sensors, see Tanium Knowledge Base Index Reference: Sensors.

Last updated: 6/20/2019 1:57 PM