Use Trace to directly investigate key forensic and security events on Linux, Mac, and Windows endpoints across a network. Trace provides a live and historical view of critical events including process execution, logon history, network connections, and file and registry changes. The Trace solution consists of three parts:
- The Trace event recorder that monitors event data on the endpoint.
- The Trace interface where you can explore and manage endpoint Trace data.
- The sensors for issuing searches across the entire enterprise for Trace data.
The Trace event recorder continuously saves key forensic evidence on each endpoint. The event recorder monitors the endpoint kernel and other low-level subsystems to capture a variety of events.
Even an idle system quickly accumulates data. Trace intelligently collates similar events and efficiently stores them in a local database. The default configuration can retain up to several months of historical data. You can customize the amount of local storage that is consumed by Trace, and filter the types of recorded evidence.
Traditional disk and memory forensics techniques can successfully reconstruct fragments of endpoint activity, but are limited to the evidence that is natively preserved by the underlying operating system. This type of evidence from a period of interest can rapidly degrade as time elapses. Trace maintains a complete, easy-to-interpret history of events so you can replay recent system events.
Types of recorded events
Trace records a broad range of events, that include additional context and metadata, and UTC timestamps. Recorded event examples include: process execution, file system activity, registry changes, network connections, driver and library loads, and user authentication. You can specify which process, registry, network, file, and security events Trace records.
For more meaningful databases and to retain data for longer periods, consider excluding events that occur in high numbers; for example, LanguageList registry values.
Event filtering is based on the following types:
|Driver||Driver load events, including the full path and hash. For Windows, it also includes if the driver was digitally signed and the signing entity.
Driver events typically make up a small amount of events overall. You cannot filter driver events.
|File||File system events, such as files written to directory locations on the endpoint. The associated process and user context are included.
Possible examples are a malware file being copied to a location that Windows Update uses, or content changes made to a file.
|Network||Network connection events, such as an HTTP request to an internet location, including the associated process and user context. Events are recorded for all inbound and outbound TCP connections.
|Process||Process create, child process create, and process exit events. The full command line, MD5 hash, parent process metadata, and user context are included.|
|Registry||[Windows only] Changes to the registry including the creation or alteration of registry keys and values. Includes the associated process and user context.|
|Security||Security events include authentication, privilege escalation, and more. This event type includes logon events, even if operating system logs have rolled.|
|DNS||[Windows 8.1 or later] DNS request information, including the process path, user, query, response, and the type of operation.|
[Windows only] Image load events include:
A possible example is the loading of an unsigned DLL.
Sources of event recorder data
The event recorder gathers data from multiple sources into a single, local database on the endpoint. Kernel events are gathered from Linux, Mac, and Windows tools. On Windows endpoints, the optional Microsoft Sysmon configuration provides additional information about the executed processes.
Some features of the Trace recorder require specific versions of Windows.
* If Sysmon is configured, the driver load information recorded by Sysmon is used.
When coupled with other Tanium products you can apply the findings from an investigation as you investigate or at any time after. The findings from an investigation are essential inputs to short and long-term remediation plans, and they can be developed in parallel to the investigation from the start.
Trace uses data from Tanium Connect to elaborate on process and driver hash events. The source data adds details about these events for an at-a-glance reputation status assessment from multiple threat intelligence providers.
Tanium™ Incident Response
Trace works with Tanium Incident Response to provide enterprise hunting at scale. Use sensors from either solution to search across endpoints by operating system or intrusion lifecycle phase, and for specific types of evidence. For example, use the Autorun Program Details sensor to search for all persistent binaries in your environment. Some sensors also include common use buttons that fill parameter fields, such as the Trace Executed Processes PowerShell Suspicious Command Line Arguments search on Windows endpoints. The results from all endpoints are presented as an actionable Interact grid within Trace.
Use Trace saved evidence from analyzed endpoints to create Tanium Detect indicators of compromise (IOC) intel documents to scan endpoints across the network. The event recorder monitors for Detect signals and notifies Detect if any events match the signal. Missing a single infected system, backdoor command-and-control address, or compromised set of user credentials can potentially allow an attacker to easily regain access and nullify the entire remediation effort.
Use Trace findings to create process and network rule policies for Windows endpoints in Tanium Protect to prevent future incidents across the network. Failing to identify and address more fundamental vulnerabilities exploited during an incident leaves the organization with no net improvement to their security posture.
Use any of the Trace saved questions in Tanium Trends boards and panels to provide graphical representation of Trace data overall. Trends can pivot from the overall view to Tanium Interact for specific responses by endpoint.
To obtain a license for these and other Tanium products, contact your Tanium Technical Account Manager (TAM).
This documentation may provide access to or information about content, products (including hardware and software), and services provided by third parties (“Third Party Items”). With respect to such Third Party Items, Tanium Inc. and its affiliates (i) are not responsible for such items, and expressly disclaim all warranties and liability of any kind related to such Third Party Items and (ii) will not be responsible for any loss, costs, or damages incurred due to your access to or use of such Third Party Items unless expressly set forth otherwise in an applicable agreement between you and Tanium.
Further, this documentation does not require or contemplate the use of or combination with Tanium products with any particular Third Party Items and neither Tanium nor its affiliates shall have any responsibility for any infringement of intellectual property rights caused by any such combination. You, and not Tanium, are responsible for determining that any combination of Third Party Items with Tanium products is appropriate and will not cause infringement of any third party intellectual property rights.
Last updated: 1/10/2019 4:05 PM | Feedback