Searching across the enterprise
Event data becomes even more useful when used to locate suspicious activity on other endpoints. Enterprise-wide searching helps you to evaluate the extent of an intrusion and take informed action at scale.
The Tanium Platform must be at version 7.0 or later and have Interact installed.
When an investigation leads you to a confirmed malicious event, you can quickly pivot from the event details into a question to search all of your managed endpoints.
Trace enables this capability through sensors that power the Tanium core Ask a Question feature. All of the data captured by Trace on every endpoint can be searched at scale with the same 15-second response time that any other Tanium question produces. Likewise, the same Trace data can be retrieved through recurring searches or a SOAP API call. These results can be saved, aggregated over time, or redirected through Tanium™ Connect to other security analysis or storage solutions, such as a SIEM.
When examining process details within the endpoint data, any row of activity can be transformed into a context-sensitive search. For example, selecting a row for a CreateProcess operation prompts a search for a matching process by path, MD5 hash, or full command line; selecting a file or registry row prompts a search by the operation type and item path. You can also manually create more complex queries that leverage the full Trace data set and provide advanced options, such as time range constraints and regular expression matching.
- Open the events grid on a live connection or snapshot.
For live connections:
- From the Trace home page, go to Live Endpoints.
- For an active connection, click the Computer Name.
- From the Trace home page, go to Saved Evidence > Snapshots.
- Click the caret to expand the list of available snapshots.
- Click the snapshot name or date.
- Use the Explore buttons or other search parameters to identify the event data.
- Double-click an event to open the Process Details page.
- On the Event History tab, locate the row that you need.
- At the end of the row, click the Question icon.
Tanium provides a list of possible questions.
- Click a Question.
The Interact page opens to display the results of the question.
For more information, see Tanium Interact User Guide: Questions.
Instead of pivoting from a single endpoint out, you can use the Incident Response and Trace sensors to search for suspicious events on multiple endpoints across the network.
Queries for simple events, such as a process, registry key, or file, yield immediate results. These queries let you search for “known-bad” events, and help recognize and evaluate the “known-good” events. You might be encountering a set of evidence that appears suspicious, at first, but might actually be normal system activity unrelated to an intruder’s actions. The ability to instantly evaluate “How common is this event?” across an environment can reduce the effort required to examine a system and to build more accurate, resilient evidence for future use.
To use all of the available Enterprise Hunting sensors, you must be licensed for Incident Response.
For more information about the available sensors, see the Reference: Trace sensors or the Tanium Knowledge Base: Incident Response sensor Reference.
- In the left navigation pane, click Enterprise Hunting.
- (Optional) Narrow the list of sensors by clicking filters or typing in search terms. This limits the visible sensors and highlights the applicable Common Uses.
- If you want to review the sensor summary, click the caret to expand.
- Click the sensor name to open the parameters configuration page and complete the fields as needed.
If a sensor has no configurable parameters, the Interact results grid opens immediately.
- Click Ask Question.
The results are available in an Interact grid where you can also create a saved question. You must close the grid to select a different sensor. For more information, see the Tanium Interact User Guide: Results.
- Select the results that need further investigation.
- Open a live connection or take a snapshot of the endpoints in question and verify that the events are actually malicious.
- (Optional) Quarantine or remediate the compromised endpoints.
- Create an IOC to scan for this type of activity in the future.
Last updated: 10/23/2018 1:34 PM | Feedback