Tanium Trace overview
With Tanium Trace™, you can directly investigate key forensic and security events on Linux and Windows endpoints across the network. Trace provides a live and historical view of critical events including process execution, logon history, network connections, and file and registry changes. The Trace solution consists of three parts:
- The Trace event recorder that monitors event data on the endpoint.
- The Trace interface where you can explore and manage endpoint Trace data.
- The sensors for issuing searches across the entire enterprise for Trace data.
The Trace event recorder is responsible for continuously saving key forensic evidence on each endpoint. The event recorder works by monitoring the endpoint kernel and other low-level subsystems to capture a variety of events.
Because data can accumulate quickly, even when a system is idle, Trace intelligently collates similar events and efficiently stores them in a local database. With these optimizations, the default configuration can retain up to several months of historical data. You can customize the amount of local storage that is consumed by Trace, and filter the types of recorded evidence.
Traditional disk and memory forensics techniques can successfully reconstruct fragments of endpoint activity, but are limited to the evidence that is natively preserved by the underlying operating system. This type of evidence from a period of interest can rapidly degrade as time elapses. Trace maintains a complete, easy-to-interpret history of events so you can replay recent system events.
Types of recorded events
Trace records a broad range of events that include additional context and metadata, as well as UTC timestamps. Recorded event examples include process execution, file system activity, registry changes, network connections, driver loads, and user authentication. All process events are recorded; however, you can specify which registry, network, file, and security events are recorded.
For more meaningful databases and to retain data for longer periods, consider excluding events that occur in high numbers; for example, LanguageList registry values.
Event filtering is based on the following types.
|Driver||Driver load events, including the full path and hash. For Windows, it also includes whether the driver was digitally signed and the signing entity. Driver events typically make up a small number of events overall. You cannot filter driver events.|
|File||File system events, such as files written to directory locations on the endpoint. The associated process and user context are included. An example is a malware file copied to a location that is used by Windows Update.|
|Network||Network connection events, such as an HTTP request to an Internet location, including the associated process and user context. Events are recorded for all inbound and outbound TCP and UDP connections.|
|Process||Process create, child process create, and process exit events. The full command line, MD5 hash, parent process metadata, and user context are included. Process events are always gathered. You cannot filter process events out.|
|Registry||[Windows only] Changes to the registry including the creation or alteration of registry keys and values. Includes the associated process and user context.|
|Security||Security events include authentication, privilege escalation, and more. This event type includes logon events, even if operating system logs have rolled.|
|DNS||[Later versions of Windows only] DNS request information, including the process path, user, query, response, and the type of operation.|
Sources of event recorder data
The event recorder gathers data from multiple sources into a single, local database on the endpoint. Kernel events are gathered from Linux and Windows tools. The optional Microsoft Sysmon configuration provides additional information about the executed processes on Windows endpoints.
Trace is a powerful product on its own; however, when coupled with other Tanium products you can apply the findings from your investigation as you investigate or at any time after. The findings from an investigation are essential inputs to short and long-term remediation plans, and they can be developed in parallel to the investigation from the start.
Trace uses data from Tanium Connect™ to elaborate on process and driver hash events. The source data adds details to these events for an at-a-glance reputation status assessment from multiple threat intelligence providers.
Tanium Incident Response™
Trace works with Tanium Incident Response™ to provide enterprise hunting at scale. Using sensors from either solution, you can search across endpoints by operating system or intrusion lifecycle phase, and for specific types of evidence. For example, you could use the Autorun Program Details sensor to search for all persistent binaries in your environment. Some sensors also include common use buttons that fill parameter fields, such as the Trace Executed Processes PowerShell Suspicious Command Line Arguments search on Windows endpoints. The results from all endpoints are presented as an actionable Interact grid within Trace.
Use Trace saved evidence from analyzed endpoints to create Tanium Detect™ indicators of compromise (IOC) intel documents to scan endpoints across the network. The event recorder monitors for Detect signals and notifies Detect if any events match the signal. Missing a single infected system, backdoor command-and-control address, or compromised set of user credentials can potentially allow an attacker to easily regain access and nullify the entire remediation effort.
Use Trace findings to create process and network rule policies for Windows endpoints in Tanium Protect™ to prevent future incidents across the network. Failing to identify and address more fundamental vulnerabilities exploited during an incident leaves the organization with no net improvement to their security posture.
Use any of the Trace saved questions in Tanium Trends™ boards and panels to provide a graphical representation of Trace data overall. Trends can pivot from the overall view to Tanium Interact for specific responses by endpoint.
To obtain a license for these and other Tanium products, see your Tanium Technical Account Manager (TAM).
Last updated: 10/17/2017 5:17 PM