Reference: Trace sensors

Trace provides sensors that are executed on all endpoints and diagnostic sensors to monitor the Trace service. Where appropriate, these sensor results include a timestamp in the YYYY-MM-DD HH:MM:SS.mmm+00:00 format.

Trace sensors permit the use of regular expressions. If Treat input as regular expression is enabled, special characters and literals require character escapes.
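The following added example (not Tanium's code) emulates the two matching modes described above, case-insensitive substring by default and regular expression when the option is enabled, to show why a Windows path such as system32\cmd.exe needs its backslash and dot escaped in regex mode. The sample process paths are constructed; the look-alike cmdXexe entry exists only to show what an unescaped dot matches.

```python
import re

# Added illustration (not Tanium's code) of the two input-matching modes this
# reference describes: a case-insensitive substring match by default, or a
# regular expression when "Treat input as regular expression" is enabled.
def sensor_input_matches(value: str, user_input: str, treat_as_regex: bool = False) -> bool:
    if not treat_as_regex:
        # Default mode: plain substring, ignoring case; '\' and '.' are literal.
        return user_input.lower() in value.lower()
    # Regex mode: the input is compiled as written, so '\' and '.' keep their
    # regex meaning unless escaped.
    return re.search(user_input, value, re.IGNORECASE) is not None

def regex_input_is_valid(user_input: str) -> bool:
    """True if the input compiles as a regular expression at all."""
    # An unescaped Windows path such as system32\cmd.exe contains the unknown
    # escape '\c'; Python 3.7+ rejects it, other engines may silently treat it
    # as a literal 'c', so the match behaves differently across engines.
    try:
        re.compile(user_input)
        return True
    except re.error:
        return False

def literal_regex(user_input: str) -> str:
    """Escape a literal path so it matches only itself in regex mode."""
    return re.escape(user_input)

# Constructed process paths in the shape the Trace Executed Processes sensor
# returns; the second is a deliberate look-alike that an unescaped '.' matches.
SAMPLE_PATHS = [
    r"C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\cmdXexe",
    r"C:\Users\joe.smith\Downloads\system32_cmd.exe",
]

def substring_hits(user_input: str) -> list:
    return [p for p in SAMPLE_PATHS if sensor_input_matches(p, user_input)]

def regex_hits(user_input: str) -> list:
    return [p for p in SAMPLE_PATHS if sensor_input_matches(p, user_input, True)]

if __name__ == "__main__":
    query = r"system32\cmd.exe"
    print("substring:", substring_hits(query))                  # only the real cmd.exe
    print("valid regex as typed:", regex_input_is_valid(query))  # False: '\c' is not an escape
    print("half-escaped:", regex_hits(r"system32\\cmd.exe"))     # also matches cmdXexe
    print("fully escaped:", regex_hits(literal_regex(query)))    # only the real cmd.exe
```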

Trace sensors

Trace sensors aggregate information on file, process, network, security, and registry events collected at network endpoints. By default, these sensors execute on all endpoints.

Trace provides the following sensors, each with specific parameters, for network traces:

Trace Executed Processes

The Trace Executed Processes sensor returns historical data from each managed endpoint regarding process executions.

Parameters

This sensor uses the following parameters to refine the endpoint data.

Table 1:   Trace Executed Processes parameters
Setting Description
Time range Returns historical results within the selected relative time range for each endpoint. The default is from one hour ago until now.

Available selections are:

  • 30 minutes
  • 1 hour
  • 3 hours
  • 12 hours
  • 1 day
  • 3 days
  • 1 week
  • 1 month
  • unlimited
  • absolute time range

If the Time Range field is set to absolute time range, the sensor uses the value for the Absolute Time Range setting instead.

Absolute Time Range Returns historical results within the selected time range for each endpoint. To use this setting, the Time Range field must be set to absolute time range.
Treat Inputs as Regular Expressions Treat input strings as regular expressions.

By default, this option is cleared, and input is treated as a simple case-insensitive substring match.

Output Yes or No Returns only a Yes or No indication of matches to the search parameters, instead of full details.
Max results per Host Limits the number of results returned by the endpoint. If the results exceed the value, a warning indicates that the results were truncated.

The maximum results per host is 10. However, if the Make Stackable parameter is enabled, the maximum results per host is 100.

Make Stackable / Skip Unique Omits columns likely to be unique per host, such as host name and timestamps, to facilitate stack analysis.
Process path The directory and file name of the executed process.
Parent process path The directory and file name of the parent process.
Command line Arguments supplied to the executed process; might or might not include full path, depending on how the process was launched.
MD5 Hash The MD5 hash of the file executed to create the process.
Domain The domain, user group, or system context for the user that executed the process.

Example: CORP

Username The username that executed the process.

Example: joe.smith
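The stack analysis that the Make Stackable / Skip Unique setting supports, as an added example (not Tanium's code): with the per-host columns dropped, identical executions across endpoints collapse into one row, and rows reported by only one or two hosts surface for review. The rows, host names and MD5 placeholders are constructed; the per-host caps come from the Max results per Host description above.

```python
from collections import defaultdict

# Columns the Make Stackable / Skip Unique option omits because they differ per host.
UNIQUE_PER_HOST = ("host", "ts")
# Max results per Host from the table above: 10 normally, 100 when stackable.
MAX_RESULTS_PER_HOST = {False: 10, True: 100}

def row(host, ts, process, parent, cmdline, md5):
    return {"host": host, "ts": ts, "process": process,
            "parent": parent, "cmdline": cmdline, "md5": md5}

# Constructed sample output in the shape of Trace Executed Processes
# (the MD5 values are placeholders, not real hashes).
SVCHOST = (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
           "svchost.exe -k netsvcs", "md5-placeholder-svchost")
EXPLORER = (r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe",
            "explorer.exe", "md5-placeholder-explorer")
ODD = (r"C:\Users\jane.smith\AppData\Local\Temp\update.exe", r"C:\Windows\System32\cmd.exe",
       "update.exe /silent", "md5-placeholder-update")

ROWS = [
    row("ws01", "2018-08-29 10:01:02.100+00:00", *SVCHOST),
    row("ws01", "2018-08-29 10:01:05.250+00:00", *EXPLORER),
    row("ws02", "2018-08-29 10:02:10.000+00:00", *SVCHOST),
    row("ws02", "2018-08-29 10:02:11.400+00:00", *EXPLORER),
    row("ws03", "2018-08-29 10:03:30.010+00:00", *SVCHOST),
    row("ws03", "2018-08-29 10:03:31.900+00:00", *EXPLORER),
    row("ws03", "2018-08-29 10:04:00.000+00:00", *ODD),
    row("ws03", "2018-08-29 10:09:00.000+00:00", *ODD),  # second run on the same host
]

def make_stackable(r: dict) -> tuple:
    """Drop the per-host columns so equal executions on different hosts compare equal."""
    return tuple(sorted((k, v) for k, v in r.items() if k not in UNIQUE_PER_HOST))

def stack_by_host(rows) -> dict:
    """Map each stacked row to the set of hosts reporting it (hosts, not raw row counts)."""
    hosts = defaultdict(set)
    for r in rows:
        hosts[make_stackable(r)].add(r["host"])
    return hosts

def rare_executions(rows, max_hosts: int = 1) -> list:
    """Stacked rows seen on at most max_hosts hosts: the candidates to review first."""
    return [dict(key) for key, hosts in stack_by_host(rows).items() if len(hosts) <= max_hosts]

def truncated_hosts(rows, stackable: bool) -> list:
    """Hosts whose result count exceeds the per-host cap (Trace warns about these)."""
    per_host = defaultdict(int)
    for r in rows:
        per_host[r["host"]] += 1
    return sorted(h for h, n in per_host.items() if n > MAX_RESULTS_PER_HOST[stackable])

if __name__ == "__main__":
    for r in rare_executions(ROWS):
        print("rare:", r["process"], "<-", r["parent"])   # only the Temp\update.exe row
```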

Trace File Operations

The Trace File Operations sensor returns information about operations on files, for example, RenamePath, CreateNewFile, Write, and DeletePath.

Parameters

This sensor uses the following parameters to refine the endpoint data.

Table 2:   Trace File Operations parameters
Setting Description
Time range Returns historical results within the selected relative time range for each endpoint. The default is from one hour ago until now.

Available selections are:

  • 30 minutes
  • 1 hour
  • 3 hours
  • 12 hours
  • 1 day
  • 3 days
  • 1 week
  • 1 month
  • unlimited
  • absolute time range

If the Time Range field is set to absolute time range, the sensor uses the value for the Absolute Time Range setting instead.

Absolute Time Range Returns historical results within the selected time range for each endpoint. To use this setting, the Time Range field must be set to absolute time range.
Treat Inputs as Regular Expressions Treat input strings as regular expressions.

By default, this option is cleared, and input is treated as a simple case-insensitive substring match.

Output Yes or No Returns only a Yes or No indication of matches to the search parameters, instead of full details.
Make Stackable / Skip Unique Omits columns likely to be unique per host, such as host name and timestamps, to facilitate stack analysis.
File path The directory and path of the file.

Example: desktop\words.doc or /usr/local/bin

File operation The operation on the file.

Examples: CreateNewFile, Write, DeletePath, RenamePath

Process path The path of the process executing the operation.

Example: system32\cmd.exe or /bin/chmod

Domain The domain, user group, or system context for the user that executed the process responsible for the file operation.

Example: CORP

Username The username that executed the process responsible for the file operation.

Example: joe.smith

Trace Logon Events

The Trace Logon Events sensor retrieves historical data about logon events on managed endpoints.

Parameters

This sensor uses the following parameters to refine the endpoint data.

Table 3:   Trace Logon Events parameters
Setting Description
Time range Returns historical results within the selected relative time range for each endpoint. The default is from one hour ago until now.

Available selections are:

  • 30 minutes
  • 1 hour
  • 3 hours
  • 12 hours
  • 1 day
  • 3 days
  • 1 week
  • 1 month
  • unlimited
  • absolute time range

If the Time Range field is set to absolute time range, the sensor uses the value for the Absolute Time Range setting instead.

Absolute Time Range Returns historical results within the selected time range for each endpoint. To use this setting, the Time Range field must be set to absolute time range.
Treat Inputs as Regular Expressions Treat input strings as regular expressions.

By default, this option is cleared, and input is treated as a simple case-insensitive substring match.

Output Yes or No Returns only a Yes or No indication of matches to the search parameters, instead of full details.
Max results per Host Limits the number of results returned by the endpoint. If the results exceed the value, a warning indicates that the results were truncated.

The maximum results per host is 10. However, if the Make Stackable parameter is enabled, the maximum results per host is 100.

Make Stackable / Skip Unique Omits columns likely to be unique per host, such as host name and timestamps, to facilitate stack analysis.
Domain The domain, user group, or system context for the process.

Example: CORP

Username The Active Directory username associated with the user account.

Example: joe.smith

Source host The host name or IP address of one endpoint that is the target for sensor execution.
Logon process The file name of the executable that launched the logon process.

Example: process.exe or /usr/sbin/sshd

Logon type number A number indicating the logon type. This must be one of the following options:

  • 2: Interactive
  • 3: Network
  • 7: Unlock
  • 10: Remote Interactive

Logon provider The process associated with the logon event.

Example: Advapi

Trace Network Connections

The Trace Network Connections sensor retrieves historical data about network connection events on managed endpoints.

Parameters

This sensor uses the following parameters to refine the endpoint data.

Table 4:   Trace Network Connections parameters
Setting Description
Time range Returns historical results within the selected relative time range for each endpoint. The default is from one hour ago until now.

Available selections are:

  • 30 minutes
  • 1 hour
  • 3 hours
  • 12 hours
  • 1 day
  • 3 days
  • 1 week
  • 1 month
  • unlimited
  • absolute time range

If the Time Range field is set to absolute time range, the sensor uses the value for the Absolute Time Range setting instead.

Absolute Time Range Returns historical results within the selected time range for each endpoint. To use this setting, the Time Range field must be set to absolute time range.
Treat Inputs as Regular Expressions Treat input strings as regular expressions.

By default, this option is cleared, and input is treated as a simple case-insensitive substring match.

Output Yes or No Returns only a Yes or No indication of matches to the search parameters, instead of full details.
Max results per Host Limits the number of results returned by the endpoint. If the results exceed the value, a warning indicates that the results were truncated.

The maximum results per host is 10. However, if the Make Stackable parameter is enabled, the maximum results per host is 100.

Make Stackable / Skip Unique Omits columns likely to be unique per host, such as host name and timestamps, to facilitate stack analysis.
Include 127.0.0.1 traffic Select to include network connections from the localhost. This option assumes that the localhost is the device running Tanium Console.

By default, traffic from the localhost is included.

Source IP address If the sensor is targeted to a single host, the IPv4 address of the device.
Source port The port number from which the connection was made on the targeted host.
Destination IP address The IPv4 address of the destination.
Destination port The number of the port to which the connection was made.
Process path Use this option to specify the process path of the process to be found.

Example: jane.smith\software.exe

Domain The domain, user group, or system context for the user that executed the process responsible for the network activity.

Example: CORP

Username The username that executed the process responsible for the network activity.

Example: jane.smith

Trace Registry Keys or Values

The Trace Registry Keys or Values sensor retrieves historical data about changes to registry keys and values on managed Windows endpoints.

Parameters

This sensor uses the following parameters to refine the endpoint data.

Table 5:   Trace Registry Keys or Values parameters
Setting Description
Time range Returns historical results within the selected relative time range for each endpoint. The default is from one hour ago until now.

Available selections are:

  • 30 minutes
  • 1 hour
  • 3 hours
  • 12 hours
  • 1 day
  • 3 days
  • 1 week
  • 1 month
  • unlimited
  • absolute time range

If the Time Range field is set to absolute time range, the sensor uses the value for the Absolute Time Range setting instead.

Absolute Time Range Returns historical results within the selected time range for each endpoint. To use this setting, the Time Range field must be set to absolute time range.
Treat Inputs as Regular Expressions Treat input strings as regular expressions.

By default, this option is cleared, and input is treated as a simple case-insensitive substring match.

Output Yes or No Returns only a Yes or No indication of matches to the search parameters, instead of full details.
Max results per Host Limits the number of results returned by the endpoint. If the results exceed the value, a warning indicates that the results were truncated.

The maximum results per host is 10. However, if the Make Stackable parameter is enabled, the maximum results per host is 100.

Make Stackable / Skip Unique Omits columns likely to be unique per host, such as host name and timestamps, to facilitate stack analysis.
Registry key path The registry key path to search the target computer group for.

Example: HKLM\Software\VendorName\

Registry value name The key value to search the target computer group for.

Example: "Setting name" in HKEY_CURRENT_USER\Software\Vendor's name\Application's name\Version\Setting name

Operation The type of registry event.

Examples: SetValueKey, DeleteKey, DeleteValueKey

Process path The path of the process to be found.

Example: jane.smith\software.exe

Domain The domain or system context for the user that executed the process responsible for the registry change.

Example: CORP

Username The username that executed the process responsible for the registry change.

Example: jane.smith

Trace Loaded Drivers

The Trace Loaded Drivers sensor retrieves information about driver load events.

Parameters

This sensor uses the following parameters to refine the endpoint data.

Table 6:   Trace Loaded Drivers parameters
Setting Description
Time range Returns historical results within the selected relative time range for each endpoint. The default is from one hour ago until now.

Available selections are:

  • 30 minutes
  • 1 hour
  • 3 hours
  • 12 hours
  • 1 day
  • 3 days
  • 1 week
  • 1 month
  • unlimited
  • absolute time range

If the Time Range field is set to absolute time range, the sensor uses the value for the Absolute Time Range setting instead.

Absolute Time Range Returns historical results within the selected time range for each endpoint. To use this setting, the Time Range field must be set to absolute time range.
Treat Inputs as Regular Expressions Treat input strings as regular expressions.

By default, this option is cleared, and input is treated as a simple case-insensitive substring match.

Output Yes or No Returns only a Yes or No indication of matches to the search parameters, instead of full details.
Max results per Host Limits the number of results returned by the endpoint. If the results exceed the value, a warning indicates that the results were truncated.

The maximum results per host is 10. However, if the Make Stackable parameter is enabled, the maximum results per host is 100.

Make Stackable / Skip Unique Omits columns likely to be unique per host, such as host name and timestamps, to facilitate stack analysis.
Driver path The path and device driver file name.

Example: windows\system32\driver.sys

Driver hash The hash of the specified driver file.
Driver signed Select one of the following values to specify whether the device driver is signed: Yes, No, or Either.

By default, this value is set to Yes.

Signing entity The name of the vendor that signed the file.

Example: VendorName

Trace Executed Process Trees

The Trace Executed Process Trees sensor retrieves the child or parent process of the specified process.

Parameters

This sensor uses the following parameters to refine the endpoint data.

Table 7:   Trace Executed Process Trees parameters
Setting Description
Process Name Specifies the process name.
Treat Inputs as Regular Expressions Treat input strings as regular expressions.

By default, this option is cleared, and input is treated as a simple case-insensitive substring match.

Use Full File Paths If enabled, the sensor output returns full file paths.
Output Yes or No Returns only a Yes or No indication of matches to the search parameters, instead of full details.
Process Context Select one of the following values to specify where the process appears in the tree: As Child or As Parent.

By default, this value is set to As Child.

# of Events to Search Specifies the number of process execution events to use when building trees, counting back from the most recent results.

The maximum number of events is 20,000. Larger values might impact how long the sensor takes to run.

Time range Returns historical results within the selected time range for each endpoint.

Trace Executed Process Hashes

The Trace Executed Process Hashes sensor returns the MD5 hashes of all processes executed within a specified time range.

Parameters

This sensor uses the following parameters to refine the endpoint data.

Table 8:   Trace Executed Process Hashes parameters
Setting Description
Time range Returns historical results within the selected relative time range for each endpoint. The default is from one hour ago until now.

Available selections are:

  • 30 minutes
  • 1 hour
  • 3 hours
  • 12 hours
  • 1 day
  • 3 days
  • 1 week
  • 1 month
  • unlimited
  • absolute time range

If the Time Range field is set to absolute time range, the sensor uses the value for the Absolute Time Range setting instead.

Absolute Time Range Returns historical results within the selected time range for each endpoint. To use this setting, the Time Range field must be set to absolute time range.
Max results per Host Limits the number of results returned by the endpoint. If the results exceed the value, a warning indicates that the results were truncated.

The default maximum results per host is 500, but can be increased to any value.

Trace DNS Queries

The Trace DNS Queries sensor returns historical data from each endpoint regarding DNS queries.

This sensor is supported only for the following operating systems: Windows 2012 R2, Windows 2016, Windows 8.1, and Windows 10.

Parameters

This sensor uses the following parameters to refine the endpoint data.

Table 9:   Trace DNS Queries parameters
Setting Description
Time range Returns historical results within the selected relative time range for each endpoint. The default is from one hour ago until now.

Available selections are:

  • 30 minutes
  • 1 hour
  • 3 hours
  • 12 hours
  • 1 day
  • 3 days
  • 1 week
  • 1 month
  • unlimited
  • absolute time range

If the Time Range field is set to absolute time range, the sensor uses the value for the Absolute Time Range setting instead.

Absolute Time Range Returns historical results within the selected time range for each endpoint. To use this setting, the Time Range field must be set to absolute time range.
Treat Inputs as Regular Expressions Treat input strings as regular expressions.

By default, this option is cleared, and input is treated as a simple case-insensitive substring match.

Output Yes or No Returns only a Yes or No indication of matches to the search parameters, instead of full details.
Max results per Host Limits the number of results returned by the endpoint. If the results exceed the value, a warning indicates that the results were truncated.

The maximum results per host is 10. However, if the Make Stackable parameter is enabled, the maximum results per host is 100.

Make Stackable / Skip Unique Omits columns likely to be unique per host, such as host name and timestamps, to facilitate stack analysis.
Process path The path of the process to be found.

Example: jane.smith\software.exe

Username The username that executed the DNS request.

Example: jane.smith

Query The name sent for the query.

Example: w3.org

Response The IP address resolved from the query.
Operation The type of DNS operation.

Example: DNS Query Complete

Trace Image Loads

The Trace Image Loads sensor returns historical data from each endpoint regarding image loads.

This sensor is supported on all versions of Windows that are supported by the Trace recorder.

Parameters

This sensor uses the following parameters to refine the endpoint data.

Table 10:   Trace Image Loads parameters
Setting Description
Time range Returns historical results within the selected relative time range for each endpoint. The default is from one hour ago until now.

Available selections are:

  • 30 minutes
  • 1 hour
  • 3 hours
  • 12 hours
  • 1 day
  • 3 days
  • 1 week
  • 1 month
  • unlimited
  • absolute time range

If the Time Range field is set to absolute time range, the sensor uses the value for the Absolute Time Range setting instead.

Absolute Time Range Returns historical results within the selected time range for each endpoint. To use this setting, the Time Range field must be set to absolute time range.
Treat Inputs as Regular Expressions Treat input strings as regular expressions.

By default, this option is cleared, and input is treated as a simple case-insensitive substring match.

Output only Yes or No Returns only a Yes or No indication of matches to the search parameters, instead of full details.
Max results per Host Limits the number of results returned by the endpoint. If the results exceed the value, a warning indicates that the results were truncated.

The maximum results per host is 10. However, if the Make Stackable parameter is enabled, the maximum results per host is 100.

Make Stackable / Skip Unique Omits columns likely to be unique per host, such as host name and timestamps, to facilitate stack analysis.
Process Path The path of the process to be found.

Example: jane.smith\software.exe

Image Path The path of the image to be found.

Example: windows\system32\library.dll

Image Hash The hash of the specified image file.
Image Signed Select one of the following values to specify whether the image is signed: Yes, No, or Either.

By default, this value is set to Yes.

Signing Entity The name of the vendor that signed the file.

Example: VendorName

Trace diagnostic sensors

Trace uses additional sensors to capture diagnostic information about the status and operations of the Trace service. Trace issues these sensors on a default schedule.

Table 11:   Trace Diagnostic sensors

Tanium Trace Status
Description: Use this sensor to obtain a status report on Trace service components and their versions. This sensor provides information about the status of the operating system components that are used to collect information, including the event recorder, auditd, or the Microsoft System Monitor. The results returned also include when an event was last written to the database.
Parameter: N/A
Results: The results of the Tanium Trace Status sensor are displayed on the Trace Home page.

Trace Invalid File Operations
Description: This sensor detects corrupt databases.
Parameter: N/A
Results: If there is an invalid file operation in the Trace database, this sensor returns a value of True. Otherwise, this sensor returns a value of False.

Trace Database Size More Than Threshold
Description: This sensor determines whether the specified endpoint database exceeds the maximum size.
Parameter: The maximum size of the endpoint database, in bytes. For example, 1000000000.
Results: If the size of any endpoint database exceeds the maximum value, this sensor returns a value of Yes. Otherwise, this sensor returns a value of No.

Trace Database Exceeded Maximum
Description: This sensor determines whether the Trace endpoint database has exceeded the maximum configured size.
Parameter: Double the maximum size of the endpoint database, in bytes. For example, 2000000000.
Results: If the answer is Yes, a Scheduled Action triggers a package to disable the Trace service on the endpoint.

Tanium Trace Database Health
Description: This sensor examines the Trace database for potential issues, including exceeding the maximum size, a mismatched schema version, integer timestamps not being used, and a simple database query failing.
Parameter: N/A
Results: This sensor reports whether the health check passed, indicates the database size, and lists any detected issues with the database.

Trace Endpoint Certificate Installed
Description: This sensor checks whether the Trace Endpoint Certificate is installed.
Parameter: N/A
Results: If the Trace Endpoint Certificate is installed on a managed endpoint, this sensor returns a value of True. Otherwise, this sensor returns a value of False.

Tanium Trace Endpoint Filters
Description: This sensor lists the endpoints that have Tanium Trace filters installed.
Parameter: N/A
Results: If the Trace Endpoint Filter is installed on a managed endpoint, this sensor returns a value of True. Otherwise, this sensor returns a value of False.

Trace Group Configuration Level
Description: This sensor determines whether the Trace database is configured.
Parameter: N/A
Results: If the database is configured on a managed endpoint, this sensor returns a value of True. Otherwise, this sensor returns a value of False.

Windows Audit Policy
Description: This sensor retrieves Windows operating system audit data.
Parameter: N/A
Results: Displays audit status by alphabetically ordered category, subcategory, and activity rating. Audit status is indicated by one of the following: Success or No Auditing.

Last updated: 8/29/2018 11:21 AM