Saving evidence for analysis

Beyond saving a snapshot of an endpoint, you can save specific events from the Process Details view and use them to generate Indicators of Compromise (IOCs) for Detect or Protect policies. Saved evidence persists on the Tanium Module Server after you close the live endpoint connection, and it is visible to other users so that incident responders can share findings.

Save files

While reviewing the event data from a live endpoint connection, you can save files directly from the Events grid as you investigate. You can save files of any type.

You must have a live connection to the endpoint to save file evidence. You cannot save file evidence from snapshots.

  1. Go to Live Endpoints from the Trace home page.
  2. Click the computer name for an active connection.
  3. Use the Explore buttons or other search parameters to identify the file that you want in the events grid.

    Consider using the File button and a search expression to narrow the results.

  4. Click an event row.
  5. Click the Save icon in the row.
  6. Review the size and path of the file and click Yes to confirm.

The file is saved under Saved Evidence > Files.

Download a file

A suspicious file sometimes needs deeper analysis or must be reported to a threat intelligence provider. After you save a file from a live connection as evidence, you can download it from Trace. The download is a password-protected ZIP archive delivered to the machine that hosts the browser. The password is a handling safeguard: it keeps antivirus on the analyst's machine from quarantining the sample and prevents the file from being opened by accident. It is not a confidentiality control.

  1. From the Trace home page, go to Saved Evidence > Files.
  2. Select a saved file.
  3. Click Download.
  4. (Optional) Extract the archive with the password infected. This is the conventional password for malware samples and is not a secret, so extract the file only on an isolated analysis host.

The ZIP headers are not encrypted, so if you need to inspect the file without opening it, you can read the member name, size, and CRC-32 from the archive without extracting anything.
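The two points above (a conventional password that is not a secret, and headers that stay in the clear) are easiest to see by handling a real archive. The following is an added Python example, not Trace code: the page does not say which ZIP encryption Trace uses, so this assumes the common traditional PKWARE (ZipCrypto) scheme. It builds such an archive from constructed sample members, lists the central directory with no password at all, and then opens a member through the standard library. The names SAMPLE, build_encrypted_zip, list_headers and decrypt_entry belong to this example only.

```python
import io
import os
import struct
import zipfile
import zlib

# Traditional PKWARE "ZipCrypto" (APPNOTE 6.1): weak and known-plaintext-breakable, but it
# only scrambles member contents. Names, sizes, CRC-32 and timestamps are never encrypted.

def _make_crc_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table

_CRC_TABLE = _make_crc_table()

class ZipCrypto:
    """Key-stream cipher from APPNOTE 6.1; the three keys are seeded from the password."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        self.k0 = _CRC_TABLE[(self.k0 ^ b) & 0xFF] ^ (self.k0 >> 8)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _CRC_TABLE[(self.k2 ^ (self.k1 >> 24)) & 0xFF] ^ (self.k2 >> 8)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            t = self.k2 | 2
            out.append(c ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(c)  # the key schedule advances on the plaintext byte
        return bytes(out)

DOS_TIME, DOS_DATE = 20768, 19728  # constructed timestamp: 2018-08-16 10:09

# Constructed sample members standing in for a saved-evidence download.
SAMPLE = {
    "dropper.exe": b"MZ\x90\x00 constructed stand-in for a suspicious binary",
    "notes.txt": b"saved from host WS-0042, path C:\\Users\\Public\\dropper.exe\n",
}

def build_encrypted_zip(entries: dict, password: bytes) -> bytes:
    """Write a stored (method 0) ZipCrypto archive, one local header per member."""
    body, central = io.BytesIO(), io.BytesIO()
    flags, method = 0x0001, 0  # general-purpose bit 0 = encrypted; no compression
    for name, plaintext in entries.items():
        raw_name = name.encode("ascii")
        crc = zlib.crc32(plaintext) & 0xFFFFFFFF
        cipher = ZipCrypto(password)
        # 12-byte encryption header: 11 random bytes, then the CRC high byte as the password check
        payload = cipher.encrypt(os.urandom(11) + bytes([crc >> 24])) + cipher.encrypt(plaintext)
        offset = body.tell()
        body.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, DOS_TIME, DOS_DATE,
                               crc, len(payload), len(plaintext), len(raw_name), 0))
        body.write(raw_name + payload)
        central.write(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                                  DOS_TIME, DOS_DATE, crc, len(payload), len(plaintext),
                                  len(raw_name), 0, 0, 0, 0, 0, offset))
        central.write(raw_name)
    cd_offset, cd_size, n = body.tell(), central.tell(), len(entries)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, n, n, cd_size, cd_offset, 0)
    return body.getvalue() + central.getvalue() + eocd

def list_headers(blob: bytes) -> list:
    """Walk the central directory by hand with no password: this metadata is plaintext."""
    eocd = blob.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, count, _, cd_offset, _ = struct.unpack_from("<IHHHHIIH", blob, eocd)
    entries, pos = [], cd_offset
    for _ in range(count):
        f = struct.unpack_from("<IHHHHHHIIIHHHHHII", blob, pos)
        if f[0] != 0x02014B50:
            raise ValueError("bad central directory signature")
        name_len, extra_len, comment_len = f[10], f[11], f[12]
        entries.append({"name": blob[pos + 46:pos + 46 + name_len].decode("cp437"),
                        "encrypted": bool(f[3] & 1), "method": f[4], "crc32": f"{f[7]:08x}",
                        "compressed_size": f[8], "size": f[9]})
        pos += 46 + name_len + extra_len + comment_len
    return entries

def decrypt_entry(blob: bytes, name: str, password: bytes):
    """Extract one member with the stdlib; None means the password was wrong."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        try:
            return zf.read(name, pwd=password)
        except (RuntimeError, zipfile.BadZipFile):
            return None
```

Run list_headers on a download before you extract anything: the name, size and CRC-32 are enough to match against a hash list or sandbox report while the sample never touches disk in the clear. ZipCrypto is also breakable with known plaintext, which is one more reason to treat the password as a handling convention rather than protection. If a vendor uses WinZip-style AES instead, the central directory is still plaintext but the standard library cannot decrypt the members.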

View file properties and values

The Files view displays the host and path by default; however, you might need more information about a particular file.

  1. From the Trace home page, go to Saved Evidence > Files.
  2. Select a saved file.
  3. Click the arrow to expand the file details.

Delete a file

You can permanently remove a file from the Tanium Module Server.

  1. From the Trace home page, go to Saved Evidence > Files.
  2. Select a saved file.
  3. Click Delete.

Save events

Saved event evidence captures the event itself together with additional details about the event and its source process.

  1. Open the Events grid on a live connection or snapshot.

    For live connections:

    1. From the Trace home page, go to Live Endpoints.
    2. For an active connection, click the computer name.
    For snapshots:
    1. From the Trace home page, go to Saved Evidence > Snapshots.
    2. Click the caret to expand the list of available snapshots.
    3. Click the snapshot name or date.

  2. Use the Explore buttons or other search parameters to find the event that you want.
  3. Click an event row.
  4. Select the event to save. You have two options:
    • On the Process Details page, select Save Process Evidence.
    • In the Detailed Process History grid, select a row and click Add Evidence.

The event is saved under Saved Evidence > Events.

Create Protect rules

You can pivot from evidence on a single endpoint to Protect policies that apply to multiple computer groups containing Windows endpoints. From Trace you add the evidence to an existing process rule policy or create a new one, then complete the policy configuration in Protect.

You must be licensed for Protect.

  1. From the Trace home page, go to Saved Evidence > Events.
  2. Click one or more saved events.
  3. Click Create Protection Policy.
  4. Confirm the evidence to use and click Create.
  5. On the Policy Selector page, create a new policy or add the evidence to an existing policy.
  6. Complete the information on the Edit Policy page.
  7. Click Create or Update as appropriate.
  8. Review the Policy Summary and add enforcements as needed.

For more information, see the Tanium Protect User Guide.

Delete an event

You can permanently remove event evidence from the Tanium Module Server.

  1. From the Trace home page, go to Saved Evidence > Events.
  2. Select a saved event.
  3. Click Delete.
  4. On the confirmation window, click OK.

Export events

You can export some or all of the events from an endpoint as a zipped CSV file. If you are exporting a large event database, take a snapshot and export the events from the snapshot to reduce the load on the endpoint.

  1. Open the events grid on a live connection or snapshot.

    For live connections:

    1. From the Trace home page, go to Live Endpoints.
    2. For an active connection, click the Computer Name.
    For snapshots:
    1. From the Trace home page, go to Saved Evidence > Snapshots.
    2. Click the caret to expand the list of available snapshots.
    3. Click the snapshot name or date.

  2. (Optional) Use the Explore buttons or other search parameters to filter the rows.
  3. Click Export.

    By default, exports for live connections are limited to 10,000 rows. If you need to change this number, see Change the live connection export limit. Snapshots are not limited.

  4. Name the export.
  5. Go to Saved Evidence > Exports.
  6. Click Download.
  7. On the confirmation window, click OK.

Large exports might take a while to become available.

You can also export from the Event History tab of a specific process.

Copy event details

You can copy the contents of an event grid cell to use elsewhere in Tanium or other programs.

  1. Open the events grid on a live connection or snapshot.

    For live connections:

    1. From the Trace home page, go to Live Endpoints.
    2. For an active connection, click the Computer Name.
    For snapshots:
    1. From the Trace home page, go to Saved Evidence > Snapshots.
    2. Click the caret to expand the list of available snapshots.
    3. Click the snapshot name or date.

  2. (Optional) Use the Explore buttons or other search parameters to find the cells that you want.
  3. Alt+click the event cell (hold the Alt key while left-clicking).
  4. Paste the cell contents where needed.

You can also copy cells from the Event History tab of a specific process.

Delete an export

You can permanently remove an export from the Tanium Module Server.

  1. From the Trace home page, go to Saved Evidence > Exports.
  2. Select an export.
  3. Click Delete.
  4. On the confirmation window, click OK.

Manage Trace IOCs

As you examine endpoint event data during an investigation, you might confirm that an event is malicious. You can save such events and files as evidence. If you are licensed for Detect, you can use saved evidence items to generate IOC-formatted intel documents directly in Trace. These Trace IOCs are viewed and managed in Detect, where you can add them to recurring scans or start a scan immediately.

You must be licensed for Detect.

For more information about using intel documents, see the Tanium Detect User Guide.

Generate an IOC

You can create a new IOC from Trace for use in Detect.

  1. From the Trace home page, go to IOCs.
  2. Click New IOC.
  3. (Optional) Rename the IOC.
  4. Complete the IOC details.
  5. In the IOC Normalized Tree drop-down menu, select Item from saved evidence.
  6. Click Add.

    You can add multiple items.

  7. Select an indicator type and value from the drop-down menus.
    Trace populates the list information from the details of saved evidence.
  8. Click Generate.

The new IOC is now available in Detect under the Trace intel source.
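The procedure above turns an indicator type and value chosen from saved evidence into an IOC document, and the value you pick is the part that decides whether the IOC ever matches. The page does not name the schema Trace writes, so the following added Python example, which is not Trace or Detect code, assumes OpenIOC 1.0 as the illustration. It validates each (indicator term, value) pair, normalizes hash case, writes the document, and parses it back. TERMS, SAMPLE_EVIDENCE, normalize, is_valid, build_openioc and indicator_items are this example's own names, and TERMS is a small hand-picked subset of the OpenIOC vocabulary.

```python
import datetime
import re
import uuid
import xml.etree.ElementTree as ET

NS = "http://schemas.mandiant.com/2010/ioc"
ET.register_namespace("", NS)

# Indicator terms this example accepts (a subset of the OpenIOC 1.0 vocabulary),
# mapped to the Content type written into the document and a validator for the value.
TERMS = {
    "FileItem/FullPath": ("string", lambda v: len(v) > 0),
    "FileItem/Md5sum": ("md5", lambda v: re.fullmatch(r"[0-9a-f]{32}", v) is not None),
    "FileItem/Sha256sum": ("sha256", lambda v: re.fullmatch(r"[0-9a-f]{64}", v) is not None),
    "ProcessItem/name": ("string", lambda v: len(v) > 0),
    "RegistryItem/Path": ("string", lambda v: len(v) > 0),
}

# Constructed evidence items, shaped like the indicator type + value pairs chosen in step 7.
SAMPLE_EVIDENCE = [
    ("FileItem/FullPath", r"C:\Users\Public\dropper.exe"),
    ("FileItem/Md5sum", "D41D8CD98F00B204E9800998ECF8427E"),
    ("ProcessItem/name", "dropper.exe"),
]

def normalize(search, value):
    """Return (content_type, canonical_value), or raise if the pair cannot become a valid item."""
    if search not in TERMS:
        raise ValueError(f"unsupported indicator term: {search}")
    content_type, ok = TERMS[search]
    if content_type in ("md5", "sha256"):
        value = value.strip().lower()  # scanners compare hashes case-insensitively; canonicalize anyway
    if not ok(value):
        # A malformed hash would ship as an IOC that silently never matches anything.
        raise ValueError(f"malformed value for {search}: {value!r}")
    return content_type, value

def is_valid(search, value):
    try:
        normalize(search, value)
        return True
    except ValueError:
        return False

def build_openioc(items, short_description, author="Trace"):
    """Return OpenIOC 1.0 XML bytes whose top-level Indicator ORs every evidence item."""
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    ioc = ET.Element(f"{{{NS}}}ioc", {"id": str(uuid.uuid4()), "last-modified": now})
    ET.SubElement(ioc, f"{{{NS}}}short_description").text = short_description
    ET.SubElement(ioc, f"{{{NS}}}authored_by").text = author
    ET.SubElement(ioc, f"{{{NS}}}authored_date").text = now
    definition = ET.SubElement(ioc, f"{{{NS}}}definition")
    indicator = ET.SubElement(definition, f"{{{NS}}}Indicator",
                              {"operator": "OR", "id": str(uuid.uuid4())})
    for search, value in items:
        content_type, value = normalize(search, value)
        item = ET.SubElement(indicator, f"{{{NS}}}IndicatorItem",
                             {"id": str(uuid.uuid4()), "condition": "is"})
        ET.SubElement(item, f"{{{NS}}}Context",
                      {"document": search.split("/")[0], "search": search, "type": "mir"})
        ET.SubElement(item, f"{{{NS}}}Content", {"type": content_type}).text = value
    return ET.tostring(ioc, encoding="utf-8", xml_declaration=True)

def indicator_items(xml_bytes):
    """Parse an OpenIOC document back into (search, content type, value) triples."""
    root = ET.fromstring(xml_bytes)
    triples = []
    for item in root.iter(f"{{{NS}}}IndicatorItem"):
        ctx = item.find(f"{{{NS}}}Context")
        content = item.find(f"{{{NS}}}Content")
        triples.append((ctx.get("search"), content.get("type"), content.text))
    return triples
```

The OR operator at the top level is deliberate: an IOC assembled from several evidence items should fire on any one of them, and a path-only indicator is the weakest of the set because an attacker renames files far more easily than they change a hash. Run indicator_items on the generated document before handing it to a scanner; it is a cheap way to catch an item that lost its value during the copy from the evidence grid.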

Edit an IOC

You can edit an existing Trace IOC.

  1. From the Trace home page, go to IOCs.
  2. In the IOC grid, select a row.
  3. Click Edit.
  4. Make your changes.
  5. Click Save.

Delete a Trace IOC

Deleting a Trace IOC also removes it from Detect.

  1. From the Trace home page, go to IOCs.
  2. In the IOC grid, select a row.
  3. Click Delete.

Suggested reading

For further information about incident response and forensic investigation, see the following resources.

McCarthy, N. K., and Matthew Todd. The Computer Incident Response Planning Handbook: Executable Plans for Protecting Information at Risk. New York: McGraw-Hill, 2012.

Luttgens, Jason T., Matthew Pepe, and Kevin Mandia. Incident Response & Computer Forensics. 3rd ed. New York: McGraw-Hill Education, 2014.

Last updated: 8/16/2018 10:09 AM