Standard Endpoint Investigation
Objective: Determine the distribution of a specific file across the environment to establish a baseline for the investigation.
Exercise Note: For this instructional walkthrough, a Standard Reference MD5 Hash is utilized. This allows the Analyst to practice the workflow using a known, high-incidence file to ensure the system and parameters are responding as expected.
Step 1: Input and Search Translation
- The Action: Enter the reference hash into the Interact search bar.
- The Goal: Locate and click the “Use enhanced search…” link that appears below the input field.
- Screenshot #1: Capture the search bar with the link visible.
Analyst Insight (The Translation Key): Clicking “Enhanced Search” is a critical step. It acts as a built-in translator, converting a simple text string into the specific technical query Tanium requires to scan the global index. Without this, the search may return incomplete data.
Step 2: Technical Parameter Verification
- The Action: Once the translation link is clicked, a parameter window will appear.
- The Goal: Confirm the MD5 field contains the hash and all other fields (Name, Path, etc.) are set to an asterisk (*).
- Screenshot #2: Capture the blue parameter window.
Analyst Insight (Wildcard Optimization): Using the asterisk (*) as a wildcard ensures that the search is not overly restricted. This allows you to find the file regardless of its name or its location on the hard drive, focusing purely on the digital fingerprint (MD5).
Step 3: Result Analysis
- The Action: Click Ask Question and monitor the results as they populate.
- Screenshot #3: Capture the results table showing the Count and File Path.
Analyst Insight (Interpreting Volume): Total incidence counts will fluctuate based on the current state of the environment. A high count (e.g., >100,000) indicates the file is widely deployed and likely authorized software. Conversely, a low count (e.g., <10) indicates an “outlier” that requires prioritized investigation.
Phase 1: Enterprise Scope Assessment
Objective: Determine the distribution of a specific file across the environment to establish a baseline for the investigation.
Exercise Note: For this instructional walkthrough, we are utilizing a Standard Reference Hash (MD5: 7eb8585d57b6ded87948624e62f7642f). This allows the Analyst to practice the workflow using a known, high-incidence file.
Step 1: Input and Search Translation
- Open the Tanium Console and click on the Interact search bar at the top of the page.
- Copy and paste the following string exactly: Get Index Query File Details contains 7eb8585d57b6ded87948624e62f7642f
- Important: Do not press Enter. Look directly below the text you just pasted.
- Locate the blue text that says “Use enhanced search translation to specify more parameters” and click it.
- Screenshot #1: Capture the search bar with the blue “Enhanced Search” link visible.
Step 2: Technical Parameter Verification
- After clicking the link, a light blue window will open.
- Verify that the MD5 row contains the hash you pasted.
- Look at all other rows (Name, Path, Size, etc.). Every single one must contain only a single asterisk (*).
- If a row is blank or has different text, delete it and type an asterisk (*).
- Screenshot #2: Capture the blue parameter window showing the hash and the wildcards.
Step 3: Executing the Query and Result Analysis
- Click the blue “Ask Question” button at the bottom of the parameter window.
- Wait for the progress bar at the top of the results table to reach 100%.
- Look for the column titled “Count”.
- Screenshot #3: Capture the full results table showing the high Count and the Full Path.
Step 1: Navigating to the Interact Workbench
- Open the Tanium Console.
- Locate and click on the Module Menu (the “Nine Dots” icon) in the top-left corner of the page.
- Select Interact from the list of available modules. This opens your primary investigation workbench.
- Locate the “Ask a Question” search bar in the center of the Interact page.
- Copy and paste the following string exactly: Get Index Query File Details contains 7eb8585d57b6ded87948624e62f7642f
- Important: Do not press Enter. Look directly below the text you just pasted.
- Locate the blue text that says “Use enhanced search translation to specify more parameters” and click it.
- Screenshot #1: Capture the module menu (Nine Dots) and the Interact search bar with the blue “Enhanced Search” link visible.
Step 4: Identifying the Target Computer
- In the results table from Step 3, look at the row containing your target file.
- Locate the Computer Name column.
- Note: In a high-count scenario, there will be thousands of names. For this exercise, pick one specific computer name from the list to use for the rest of your investigation.
- Highlight or select that computer name to ensure it is documented in your worksheet.
- Screenshot #4: Capture the results table with one specific Computer Name highlighted.
Analyst Insight (The Pivot): Identifying a specific computer name allows you to move the investigation from a “Global” view to a “Local” view. You need this name to look up the asset owner in ServiceNow and to check specific activity logs in the SIEM later on.
Step 4: Finding the Computer Name (The Drill Down)
- Look at the results table where you see the Count (the 130,000+ number).
- On the far left of that row, click the Checkmark Box to select that specific result.
- Look at the top of the table for a button that says “Drill Down” and click it.
- A new search bar will appear. Type Computer Name into that bar and select the sensor called “Computer Name” from the dropdown list.
- Click the blue “Go” or “Ask Question” button.
- Tanium will now open a new set of results. This time, there will be a column called Computer Name.
- Choose One: Pick any one computer name from that list. This is your “Target Machine” for the rest of the worksheet.
- Screenshot #4: Capture the table that now shows the Computer Name column alongside the file details.
Analyst Insight (Drilling Down): When Tanium gives you a high count, it’s summarizing the data to save time. “Drilling Down” tells Tanium, “I’ve seen the summary; now show me the actual machines.” You always need to drill down when you’re ready to move from “Global Research” to “Specific Incident Response.”
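The workflow above (wildcard parameters, the Count column, the volume thresholds, and the drill down to Computer Name) modelled offline as an added example; this is not Tanium code or its API, and the host names, paths and the second hash are constructed placeholders.

```python
"""Offline model of the Interact workflow above (added example, not Tanium
code): match indexed files by MD5 with wildcard Name/Path, total the Count,
classify it with the page's thresholds, then drill down to Computer Name."""
from fnmatch import fnmatch

HIGH_COUNT = 100_000   # page: >100,000 means widely deployed, likely authorized
LOW_COUNT = 10         # page: <10 means an outlier that needs prioritized review

REFERENCE_MD5 = "7eb8585d57b6ded87948624e62f7642f"   # reference hash from the page
OUTLIER_MD5 = "ffffffffffffffffffffffffffffffff"     # constructed placeholder hash

# Constructed sample rows shaped like the results table (hypothetical hosts).
INDEX_ROWS = [
    {"computer": "WS-0101", "name": "app.exe", "path": "C:\\Program Files\\App\\app.exe", "md5": REFERENCE_MD5},
    {"computer": "WS-0102", "name": "app.exe", "path": "C:\\Program Files\\App\\app.exe", "md5": REFERENCE_MD5},
    {"computer": "WS-0103", "name": "app_copy.exe", "path": "C:\\Users\\Public\\app_copy.exe", "md5": REFERENCE_MD5},
    {"computer": "WS-0199", "name": "helper.exe", "path": "C:\\Users\\Public\\helper.exe", "md5": OUTLIER_MD5},
]


def match_row(row, md5, name="*", path="*"):
    """Mirror the parameter window: MD5 is exact, every other field defaults to '*'."""
    return (row["md5"].lower() == md5.lower()
            and fnmatch(row["name"], name)
            and fnmatch(row["path"], path))


def count_matches(rows, md5, name="*", path="*"):
    """The 'Count' column: number of indexed rows matching the parameters."""
    return sum(match_row(r, md5, name, path) for r in rows)


def classify_count(count):
    """Apply the page's volume thresholds to a Count value."""
    if count > HIGH_COUNT:
        return "widely deployed"
    if count < LOW_COUNT:
        return "outlier"
    return "review"


def drill_down(rows, md5, name="*", path="*"):
    """The 'Drill Down' step: from the summary Count to distinct Computer Names."""
    return sorted({r["computer"] for r in rows if match_row(r, md5, name, path)})


if __name__ == "__main__":
    for h in (REFERENCE_MD5, OUTLIER_MD5):
        n = count_matches(INDEX_ROWS, h)
        print(h, n, classify_count(n), drill_down(INDEX_ROWS, h))
```

Narrowing the path parameter (for example to `C:\Program Files\*`) drops the copy under `C:\Users\Public`, which is exactly why the page insists every non-MD5 row stays a single asterisk.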