Trace use cases

Example 1: Scan the enterprise and drill down

Assume you are running Trace sensor questions or other Tanium sensor questions to hunt for suspicious activity across the entire enterprise, for example, communication with a non-reputable foreign IP address that triggered an alert on a network sensor.

The high-level steps are:

  1. Use the Trace Network Connections sensor to find which hosts and processes communicated with that IP address in the past.
  2. Make a live endpoint connection to the suspected host or hosts.
  3. Identify the offending process by filtering for the destination IP address on the Network events grid.
  4. Add the process and any other potential IP addresses to the Trace saved evidence.

The evidence is now persistent and usable, and it remains on the Tanium Server even after the endpoint is quarantined or remediated.

Example 2: Pivot from the endpoint to enterprise-wide

Assume that while analyzing a specific endpoint, you identify a randomly named process writing data to the file C:\ProgramData\log.txt. You now want to scan the rest of the enterprise to determine the extent of other processes writing data to this file.

The high-level steps are:

  1. Click the question mark icon on the right side of the row showing the File Write event for C:\ProgramData\log.txt.

    A window opens with suggested questions. One of these questions would likely be “Which computers have written to file C:\ProgramData\log.txt?”

  2. Click the appropriate hyperlink to search for that evidence across the enterprise.

When you find an issue on a single system, you can assess the scope of the potential compromise for the entire enterprise.
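The two workflows above (find which hosts and processes reached a destination IP, filter a single endpoint's network events, pivot from one File Write event to every computer that wrote the same file, then collect the related artifacts as evidence) are shown below as an added example over exported event data. This is not Tanium or Trace code; the record layout, the sample events and the evidence structure are constructed for the example and are not the product's schema.

```python
"""Constructed example: triage over exported endpoint events.

The records below are made-up stand-ins for what the Trace Network
Connections sensor and the per-endpoint Network / File Write event grids
would return; the field layout is an assumption, not Tanium's schema.
"""
from collections import defaultdict

# Constructed sample events: (hostname, process, event_type, target)
# event_type is "net" (target = destination IP) or "file_write" (target = path)
SAMPLE_EVENTS = [
    ("WS-0413", "svchost.exe", "net", "10.0.0.5"),
    ("WS-0413", "xzqpl.exe", "net", "203.0.113.77"),
    ("WS-0413", "xzqpl.exe", "file_write", r"C:\ProgramData\log.txt"),
    ("WS-0922", "chrome.exe", "net", "198.51.100.10"),
    ("WS-0922", "rtvq.exe", "net", "203.0.113.77"),
    ("WS-0922", "rtvq.exe", "file_write", r"C:\ProgramData\log.txt"),
    ("SRV-0017", "backup.exe", "file_write", r"C:\ProgramData\backup.log"),
]


def hosts_talking_to(events, dest_ip):
    """Example 1, step 1: which hosts and processes reached dest_ip."""
    hits = defaultdict(set)
    for host, proc, kind, target in events:
        if kind == "net" and target == dest_ip:
            hits[host].add(proc)
    return {host: sorted(procs) for host, procs in hits.items()}


def endpoint_processes_for_ip(events, host, dest_ip):
    """Example 1, step 3: filter one endpoint's network events by destination IP."""
    return sorted({proc for h, proc, kind, target in events
                   if h == host and kind == "net" and target == dest_ip})


def computers_that_wrote(events, path):
    """Example 2: pivot from a single File Write event to the enterprise.

    Windows paths are case-insensitive, so compare them case-folded.
    """
    wanted = path.casefold()
    return sorted({host for host, _, kind, target in events
                   if kind == "file_write" and target.casefold() == wanted})


def build_evidence(events, dest_ip):
    """Example 1, step 4: collect the offending processes plus every IP and
    file they touched into one evidence record (the structure is an assumption).
    """
    evidence = {"ips": {dest_ip}, "files": set(), "processes": set()}
    for procs in hosts_talking_to(events, dest_ip).values():
        evidence["processes"].update(procs)
    # every other target touched by those processes is a candidate pivot
    for _, proc, kind, target in events:
        if proc in evidence["processes"]:
            bucket = evidence["ips"] if kind == "net" else evidence["files"]
            bucket.add(target)
    return {key: sorted(values) for key, values in evidence.items()}


if __name__ == "__main__":
    print(hosts_talking_to(SAMPLE_EVENTS, "203.0.113.77"))
    print(computers_that_wrote(SAMPLE_EVENTS, r"C:\ProgramData\log.txt"))
    print(build_evidence(SAMPLE_EVENTS, "203.0.113.77"))
```

Note that `build_evidence` keys on process name only; randomly named droppers make that a weak pivot, so in practice the saved evidence should carry the file path and hash of the process image as well, which is what the Save process evidence option records.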

Example 3: Trace evidence and other Tanium Solutions

Assume that you are analyzing a specific endpoint or group of endpoints that you believe to be a part of an incident. As you find evidence of malicious activity, you want to save the intelligence and add structure to the evidence to repeatedly interrogate other endpoints for the data.

You must be licensed for Detect. These instructions are for Detect 3.x and later.

The high-level steps are:

  1. As you drill down into processes, save the artifacts and evidence that you need.
    • The Save process evidence check box saves all process details.
    • The Add Evidence button, located above the Detailed Process History grid, saves artifacts like registry, file system, and network events.
  2. Review the saved evidence to ensure all important events are listed.
  3. Create an IOC intel document with a unique name and complete the necessary details.
  4. Add logic and items from saved evidence.
  5. Generate the IOC.

    The IOC is published to the Detect solution with Trace listed as its source.

  6. (Optional) Add a label to the Trace intel document.
  7. Add the source or label to an existing group configuration for continuous background scanning.
  8. (Optional) Run a quick scan.

You have now codified threat intelligence to use for continuous searching for similar activity.
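Steps 3 through 5 above (create an IOC intel document, add logic and items from saved evidence, generate the IOC) are illustrated below as an added example that builds an OpenIOC-style XML document from a list of saved evidence items. This is not Tanium's generator; the OpenIOC 1.0 element and search-term layout is reproduced from memory and is an assumption, and the evidence items are constructed for the example.

```python
"""Constructed example: codify saved evidence as an OpenIOC-style document.

The element names and the FileItem / ProcessItem / PortItem search terms
follow OpenIOC 1.0 as I recall it (an assumption); Tanium's own generator
may emit a different shape.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = "http://schemas.mandiant.com/2010/ioc"

# Evidence kind -> (OpenIOC document, search term); assumed OpenIOC 1.0 terms.
CONTEXT = {
    "file":    ("FileItem",    "FileItem/FullPath"),
    "process": ("ProcessItem", "ProcessItem/name"),
    "ip":      ("PortItem",    "PortItem/remoteIP"),
}

# Constructed saved-evidence items, as they might be saved in Trace.
SAVED_EVIDENCE = [
    ("process", "xzqpl.exe"),
    ("process", "rtvq.exe"),
    ("file", r"C:\ProgramData\log.txt"),
    ("ip", "203.0.113.77"),
]


def build_ioc(name, description, items, operator="OR"):
    """Return the IOC document as an ElementTree root element.

    operator is the logic joining the items: "OR" matches any single
    artifact (broad hunting), "AND" requires all of them on one host.
    """
    if operator not in ("AND", "OR"):
        raise ValueError("operator must be AND or OR")
    ET.register_namespace("", NS)
    ioc = ET.Element(f"{{{NS}}}ioc", {
        "id": str(uuid.uuid4()),
        "last-modified": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S"),
    })
    ET.SubElement(ioc, f"{{{NS}}}short_description").text = name
    ET.SubElement(ioc, f"{{{NS}}}description").text = description
    ET.SubElement(ioc, f"{{{NS}}}authored_by").text = "Trace"  # source shown in Detect
    definition = ET.SubElement(ioc, f"{{{NS}}}definition")
    top = ET.SubElement(definition, f"{{{NS}}}Indicator",
                        {"operator": operator, "id": str(uuid.uuid4())})
    for kind, value in items:
        document, search = CONTEXT[kind]  # KeyError on an unknown evidence kind
        item = ET.SubElement(top, f"{{{NS}}}IndicatorItem",
                             {"id": str(uuid.uuid4()), "condition": "is"})
        ET.SubElement(item, f"{{{NS}}}Context",
                      {"document": document, "search": search, "type": "mir"})
        ET.SubElement(item, f"{{{NS}}}Content", {"type": "string"}).text = value
    return ioc


def indicator_values(root):
    """Read back (search term, value) pairs, e.g. to review the IOC before publishing."""
    pairs = []
    for item in root.iter(f"{{{NS}}}IndicatorItem"):
        ctx = item.find(f"{{{NS}}}Context")
        content = item.find(f"{{{NS}}}Content")
        pairs.append((ctx.get("search"), content.text))
    return pairs


def render(root):
    """Serialize the document to an XML string."""
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    doc = build_ioc("Trace: randomly named process writing ProgramData log",
                    "Evidence saved during endpoint analysis", SAVED_EVIDENCE)
    print(render(doc))
```

Reviewing the generated items with `indicator_values` before publishing corresponds to step 2, and choosing `AND` instead of `OR` is how you tighten the logic when the individual artifacts (a common file path, a single IP) would be too noisy on their own.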

Last updated: 11/2/2018 3:31 PM