Reference: Sensors

Use sensors for scoping incidents and rapidly responding to them. Threat Response provides sensors that are executed on all endpoints and diagnostic sensors to monitor the Threat Response service. Where appropriate, these sensor results include a timestamp in the YYYY-MM-DD HH:MM:SS.mmm+00:00 format.

Threat Response sensors accept regular expressions. When the Treat input as regular expression option is enabled, the parameter is interpreted as a regular expression rather than as literal text, so any special character that you intend to match literally (for example, the dot in a file extension or a backslash in a Windows path) must be escaped.
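The escaping caveat above is easy to get wrong, so the following added example (not code from the page or from Tanium) shows what happens when a literal Windows path or file name is handed to a regex engine unescaped, and how escaping fixes it. It uses Python's re module as a stand-in; the exact escaping rules of the engine behind a given Tanium sensor are assumed to be comparable but are not documented on this page, and the sample paths are constructed.

```python
import re

# Constructed sample file paths (not from the original page).
SAMPLE_PATHS = [
    r"C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\cmdXexe",          # looks like the first path to an unescaped '.'
    r"C:\Users\alice\Downloads\cmd.exe",
]


def find_matches(pattern, paths):
    """Compile `pattern` as a regex and return the paths it matches anywhere.

    Returns None when the pattern is not even a valid regex, which is what an
    unescaped Windows path tends to be (\\W and \\S are character classes,
    \\c is an unknown escape).
    """
    try:
        rx = re.compile(pattern)
    except re.error:
        return None
    return [p for p in paths if rx.search(p)]


def literal_to_regex(literal):
    """Escape every regex metacharacter so the pattern matches only the literal text."""
    return re.escape(literal)


def compare(literal, paths=SAMPLE_PATHS):
    """Run the same input once as a raw regex and once escaped, for side-by-side comparison."""
    return {
        "raw": find_matches(literal, paths),
        "escaped": find_matches(literal_to_regex(literal), paths),
    }


if __name__ == "__main__":
    for lit in (r"cmd.exe", r"C:\Windows\System32\cmd.exe"):
        print(lit, compare(lit))
```

The first input shows the silent failure mode: an unescaped dot matches cmdXexe as well as cmd.exe, so a hunt for one file name returns noise. The second shows the loud one: the backslashes in a raw path turn it into an invalid or unintended pattern. Either way, escape literal input before enabling the regular-expression option.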

About deploying parameterized sensors as actions

Sensors that require extensive computational resources across the enterprise are deployed as actions rather than asked as questions. An example is a sensor that hashes files or searches file contents for binary data. Deploying parameterized sensors as actions speeds up larger tasks, including:

  • Searching across directories for binary data
  • Matching the hash values of files across many directories
  • Hashing and matching executables and their loaded modules

Actions are not processed one at a time. Because actions are not strictly queued, a short action runs concurrently with a longer one and is not delayed by it.

Actions do not time out. Because the processing time of an action depends on the nature of the task, the action is considered complete as soon as the job begins; the results might not be available until the job actually finishes.

When you deploy an action, you must provide an IR job ID. Then, you can view results files from Windows-based endpoints with the Incident Response Job Results sensor by specifying the job ID as a parameter. You can retrieve and copy job results files to a central location by using one of the platform-specific collection actions.

For more information about sensors for search, remediation, and file collection, see Tanium Knowledge Base Incident Response Sensors and Packages reference.

Common Use Cases

Task: Retrieve a list of all running processes on all endpoints with their hashes
  Question: Get Running Processes with Hash from all machines
  Sensor: Running Processes with Hash

Task: Retrieve the currently running processes matching a specific MD5 hash
  Question: Get MD5 Hash Match Files Executing from all machines
  Package: Incident Response - MD5 Hash Match Files Executing

Task: Display IR job results in Tanium Console
  Question: Get Incident Response Job Results from all machines
  Sensor: Incident Response Job Results

Task: Copy IR job results for Windows-based endpoints to a central location
  Question: Get Has Incident Response ID Files from all machines
  Package: IR Gatherer - Collect Info to Central Server

Deploy a parameterized sensor as an action

  1. Identify the endpoints that you want to target.
    1. Ask a question to return a set of endpoints.
    2. Select the endpoints and click Deploy Action.
  2. Specify the parameterized sensor.
    1. Type the name of the parameterized sensor in the Deployment Package field.

      For example, type: Incident Response - Search for Files.

    2. Specify parameters for the sensor. For the Incident Response - Search for Files sensor, indicate a Pattern of files to match and the IR Job ID.

      The IR Job ID can be any value that you choose, and you use it later to get the results of the action. The value must be unique: if two actions share the same job ID, the results files that they produce might be overwritten or destroyed. Record the value so that you can retrieve the job results later.

    3. Click Show Preview to Continue and review the results.
    4. Complete deployment of the action. Click Deploy Action.
  3. Get the results of the parameterized sensor action.
    1. Ask the question: Get Incident Response Job Results from all machines.
    2. Specify the Incident Response Job ID.

      The value for the job ID is the same value that you specified when you deployed the action.

    3. Click Go.
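To make the two points above concrete (the hash-matching workload that is deployed as an action, and the requirement that each IR Job ID be unique), here is an added example that is not Tanium's package code and does not reproduce the real results-file layout. It walks one or more directory trees, streams every file through MD5, reports the files whose hash is on a wanted list, and records the hits in a results file keyed by a job ID, refusing to reuse an ID so that one sweep cannot clobber another's results. The sample tree, its contents, the results-file format and the job ID values are all constructed for the example.

```python
import hashlib
import json
import os
import tempfile


def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file through MD5 so large binaries are never read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def find_files_by_hash(roots, wanted_hashes):
    """Walk every directory tree in `roots`; return {path: md5} for files whose MD5 is wanted."""
    wanted = {h.lower() for h in wanted_hashes}
    hits = {}
    for root in roots:
        for dirpath, _dirs, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    digest = md5_of_file(path)
                except OSError:
                    continue  # locked, unreadable or vanished file: skip it, do not abort the sweep
                if digest in wanted:
                    hits[path] = digest
    return hits


def write_job_results(results_dir, job_id, hits):
    """Write the hits to a results file named after the job ID (hypothetical layout).

    A job ID that already has a results file is rejected, so two sweeps that
    accidentally share an ID cannot overwrite each other's output.
    """
    os.makedirs(results_dir, exist_ok=True)
    out = os.path.join(results_dir, f"{job_id}.json")
    if os.path.exists(out):
        raise FileExistsError(f"job ID {job_id!r} already has results; choose a unique ID")
    with open(out, "w", encoding="utf-8") as f:
        json.dump({"job_id": job_id, "hits": hits}, f, indent=2, sort_keys=True)
    return out


def build_sample_tree():
    """Constructed sample data (not from the page): one binary stored twice under different names."""
    base = tempfile.mkdtemp(prefix="hashmatch_")
    layout = {
        "bin/tool.exe": b"MZ\x90\x00 sample payload",
        "tmp/copy_of_tool.dat": b"MZ\x90\x00 sample payload",  # same bytes, so same hash
        "docs/readme.txt": b"nothing to see here",
    }
    for rel, data in layout.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return base


def demo(job_id="IR-2024-0001"):
    """Sweep the sample tree for the sample hash and record the hits under `job_id`."""
    base = build_sample_tree()
    target = hashlib.md5(b"MZ\x90\x00 sample payload").hexdigest()
    hits = find_files_by_hash([base], {target})
    write_job_results(os.path.join(base, "_results"), job_id, hits)
    return sorted(os.path.relpath(p, base).replace(os.sep, "/") for p in hits)


def duplicate_job_id_rejected():
    """Show the guard: a second result set under the same job ID is refused."""
    results_dir = tempfile.mkdtemp(prefix="hashmatch_results_")
    write_job_results(results_dir, "IR-dup", {})
    try:
        write_job_results(results_dir, "IR-dup", {})
    except FileExistsError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

Hashing is done in chunks and unreadable files are skipped rather than aborting the walk, which is what you want from a job that runs unattended across a fleet: a single locked file must not cost you the rest of the sweep. Matching on the full hash (and not on file name or extension) is what catches the renamed copy in the tmp directory.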

Using sensors to query indexed files

To check indexing status, use the Index Status sensor. For more information about the status values, see Tanium Knowledge Base Index Reference: Index Status.

Use the Index Query File sensors to get details about files that have been indexed.

The Index Query File Details sensors return Created and Last Modified time stamps. Because those time stamps differ from file to file, every result row becomes a unique string, which inflates the number of strings returned. To reduce the overall number of strings, use the following workflow:

  1. Start with one of the following sensors, which return fewer unique strings:
    • Index Query File Path Using Name
    • Index Query File Path and Hash
    • Index Query File Exists
    • Index Query File Hash Recently Changed
    • Index Query File Count
    • Index Query File Permissions

  2. After getting results from those sensors, drill down for more detail with the following sensors:
    • Index Query File Details
    • Index Query File Details Using Name
    • Index Query File Details by Last Modified
    • Index Query File Details Using Name Sort By Largest
    • Index Query File Permissions

For more information about these sensors, see Tanium Knowledge Base Index Reference: Sensors.