Connecting to live endpoints and taking snapshots

There are two ways to review endpoint data:

  • In real time, with a live endpoint connection.

    With live endpoint connections, you can conduct analysis within seconds, without time-consuming data transfers or parsing. You can take multiple snapshots of the endpoint data, export events, and save evidence for remediation.

  • Asynchronously, from an endpoint snapshot of the data.

    Snapshots capture the endpoint data for investigation offline, preserving the Trace database for storage and collaborative analysis on the Tanium Module Server. With snapshots, you can export events, and save evidence for long-term analysis.

Connect to a live endpoint

The Live Endpoints menu lists every endpoint connection that has been attempted, is connected, has failed, or has been closed.

Connections close automatically after ten minutes of inactivity.

Add a live endpoint

You can make a live endpoint connection to one or more endpoints that are part of the Trace Setup action group.

  1. Go to Live Endpoints on the Trace home page.
  2. Type the IP address or computer name of an endpoint that you want to add. Matching endpoints appear as you type. For an endpoint to display as a match, it must be registered with Tanium and be a member of a computer group that is accessible to you.

    The first time that you start Trace, the list of endpoints that are accessible to you might take a few minutes to populate. If the endpoint you want to add is not in the list, verify that the endpoint is a member of a computer group that you can access. An indicator next to the text field shows whether an endpoint is currently online. See Installing Trace for more information.

  3. Select the endpoint to add.
  4. Click Connect.

    The live endpoint connection status appears next to the endpoint, with the connection information displayed below. There are several possible statuses: Active, Failed to Connect, Unexpected Interruption, or Timed Out.

An endpoint remains on the Live Endpoints list until the connection is manually closed, regardless of the connection status. The connection times out after ten minutes of inactivity. If you are having trouble making a connection, see Resolve live endpoint connection problems.

Reconnect to a live endpoint

Once a live endpoint connection has been attempted, its connection information is kept so that you can re-initiate it.

  1. On the Trace home page, go to Live Endpoints.
  2. Select one or more endpoints.
  3. Click Connect.

Capture a snapshot

You can capture a snapshot of an endpoint database for offline analysis and detailed forensics.

  1. On the Trace home page, go to Live Endpoints.
  2. Click the computer name to go to the events grid.
  3. Click Capture.

    Trace measures the size of the database and verifies that there is enough disk space for the snapshot.

  4. Click Yes in the confirmation window.
  5. Go to Saved Evidence > Snapshots.
  6. View the snapshot progress by expanding the computer name.

The endpoint name and the number of captures appear in the Snapshots menu. The snapshot name is the endpoint host name with a timestamp in a YYYY_MM_DDTHH.MM.SS.mmmZ format.

Close the connection

You can manually close a connection to one or more endpoints if needed.

  1. Select the endpoints you want to disconnect on the Live Endpoints page.
  2. Click Delete.

The endpoint is removed from the Live Endpoints list.

Manage snapshots

Snapshots show all the data from an endpoint. The database file contains historical event activity going back to the first moment of recording or to the configured limits. Snapshots are stored on the Tanium Module Server.

Export a snapshot from an endpoint

You can retrieve the endpoint database manually if the endpoint is offline or a live connection fails.

  1. Log on to the endpoint with administrator credentials.
  2. Stop the endpoint recorder.
    Operating System   Instructions
    Windows            1. From the Windows Start Menu, click Run.
                       2. Type services.msc and click OK.
                       3. Locate the Tanium Client service, right-click and select Stop.
    Linux              Stop the auditd service with the following command:
                       service auditd stop
    Mac                From the Tools/Trace directory, run the following script as root or superuser:
                       ./TaniumRecorder --stop

  3. Copy the monitor.db file from the Tanium Client installation directory to a location accessible to the Tanium Console.

    Rename the file to include the host name and a timestamp in this format: hostname_YYYY_MM_DDTHH.MM.SS.mmmZ.db. This file name is what Trace displays for the snapshot.

  4. Start the endpoint recorder.
    Operating System   Instructions
    Windows            1. From the Windows Start Menu, click Run.
                       2. Type services.msc and click OK.
                       3. Locate the Tanium Client service, right-click and select Start.
    Linux              Start the auditd service with the following command:
                       service auditd start
    Mac                From the Tools/Trace directory, run the following script as root or superuser:
                       ./TaniumRecorder --start
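As an added example (not Tanium's own code), the Python helper below builds and checks the hostname_YYYY_MM_DDTHH.MM.SS.mmmZ.db name that step 3 requires, so a batch of manually exported monitor.db files can be renamed consistently and verified before upload; it assumes you supply the host name, the exported file and a staging directory of your choosing.

```python
from __future__ import annotations

import re
import shutil
from datetime import datetime, timezone
from pathlib import Path

# The name Trace displays for an uploaded export: hostname, then a UTC
# timestamp with millisecond precision (YYYY_MM_DDTHH.MM.SS.mmmZ), then .db
SNAPSHOT_NAME = re.compile(
    r"^(?P<host>.+)_(?P<ts>\d{4}_\d{2}_\d{2}T\d{2}\.\d{2}\.\d{2}\.\d{3})Z\.db$"
)


def snapshot_name(hostname: str, captured_at: datetime) -> str:
    """Build the file name for a manually exported monitor.db."""
    if captured_at.tzinfo is None:
        raise ValueError("captured_at must be timezone-aware; the Z suffix means UTC")
    utc = captured_at.astimezone(timezone.utc)
    stamp = utc.strftime("%Y_%m_%dT%H.%M.%S") + f".{utc.microsecond // 1000:03d}Z"
    return f"{hostname}_{stamp}.db"


def parse_snapshot_name(filename: str) -> tuple[str, datetime] | None:
    """Return (hostname, capture time in UTC) for a valid name, else None."""
    m = SNAPSHOT_NAME.match(filename)
    if m is None:
        return None
    when = datetime.strptime(m.group("ts"), "%Y_%m_%dT%H.%M.%S.%f")
    return m.group("host"), when.replace(tzinfo=timezone.utc)


def validate_names(filenames: list[str]) -> tuple[list[str], list[str]]:
    """Split a batch of export file names into valid and invalid ones."""
    valid = [f for f in filenames if parse_snapshot_name(f)]
    invalid = [f for f in filenames if not parse_snapshot_name(f)]
    return valid, invalid


def stage_export(source: Path, hostname: str, staging_dir: Path,
                 captured_at: datetime | None = None) -> Path:
    """Copy monitor.db into staging_dir under the required name; never overwrites."""
    # Pass the time the recorder was stopped as captured_at; it defaults to now.
    captured_at = captured_at or datetime.now(timezone.utc)
    target = staging_dir / snapshot_name(hostname, captured_at)
    if target.exists():
        raise FileExistsError(f"refusing to overwrite {target}")
    shutil.copy2(source, target)  # copy2 preserves the original timestamps
    return target
```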

Upload a snapshot

You can upload an exported snapshot to the Tanium Module Server.

  1. (Optional) Install your own upload authentication certificates.
    1. Stop the Trace service on the Tanium Module Server.
    2. Replace these files with the signed key pair:

      For TanOS host machines, replace the backslash (\) with a forward slash (/).

      • services\trace\certs\httpPrivKey.pem
      • services\trace\certs\httpPublicCert.pem

        Go to https://<Tanium Module Server>:17443/status to verify your access. If the browser does not show a self-signed certificate warning, the replacement succeeded.

    3. Restart the Tanium Trace service.
  2. Go to Trace > Saved Evidence > Snapshots and click Upload Snapshot in the Tanium Console.
  3. Browse to the saved snapshot.
  4. Click Upload & Connect.

If you are having difficulty uploading a snapshot, you might need to Update the Trace service URL.

Delete a snapshot

You can permanently remove an endpoint snapshot from the Tanium Module Server.

  1. Go to Saved Evidence > Snapshots from the Trace home page and select one or more endpoints.
  2. Select what you want to delete.
    • To delete a specific snapshot, click the Delete icon on the right side.
    • To delete all snapshots for an endpoint, select the endpoint and click the Delete icon.
  3. Click Yes in the confirmation window.

Last updated: 11/27/2018 11:58 AM