
Cyber Analysis 102

Endpoint Analysis & Asset Investigation — L1 SOC Analyst Guide

Overview

This guide covers the initial steps an L1 analyst takes when investigating an endpoint alert, as part of L1 onboarding. The focus is on determining whether a known malicious hash exists in the environment and identifying the affected device and its user.

By the end of this section you will be able to:

  • Search for a known malicious hash across all endpoints using Tanium
  • Cross-reference a hash on VirusTotal for threat context
  • Pivot to asset details in Tanium Inventory
  • Pull asset, user, and organizational context from ServiceNow (SNOW)

Tools Used

  • Tanium — Endpoint query and asset inventory platform
  • ServiceNow (SNOW) — Asset management, user information, and ticketing system
  • VirusTotal (virustotal.com) — Hash lookup and malware reference, no login required

Step 1: Search for a Malicious Hash in Tanium

Use Case: You have received a list of known IOCs containing file hashes and need to determine if any exist on endpoints in the environment.

  1. Click the nine-dot menu in the left-hand pane
  2. Click Interact, then Question Builder
  3. Click Add Row, then click the Filter by Name dropdown
  4. Select File Details, then scroll down and select MD5

Tip: Match the sensor to the hash algorithm in your IOC list. The File Details sensor lets you filter on MD5, and IOC lists commonly include an MD5 value, so that is the usual choice here. A SHA1 or SHA256 value pasted into the MD5 filter returns nothing, which is easy to misread as "not present"; if the IOC only supplies SHA1 or SHA256, select the matching sensor instead. MD5 is not more trustworthy than the longer hashes (it is known to be collision-prone); it is simply the value the IOC feed and the Tanium result have in common.

Investigative Note: A file's hash is computed from its contents, not its name or path, so renaming a malicious file to disguise it (for example, to look like a system binary) does not change the hash, and a search by hash still finds it. The reverse also holds: any change to the contents, even a single appended byte or a recompile, produces a completely different hash, so a hash search finds only this exact file, not variants of the same malware. When in doubt, search by hash rather than filename, and treat a no-result search as ruling out this specific file only.
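The two hash properties behind the tip and the note above, shown in code. This is an added example written for this guide, not a Tanium feature or a script from the original page: it classifies IOC values by hex-digest length so the right File Details sensor is chosen (and rejects a wildcard), then hashes a constructed, harmless byte string to show that renaming a file leaves every hash unchanged while appending one byte changes all of them. The file names and contents are made up for the demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Optional

# A bare hex digest identifies its algorithm by length: 32 hex chars = MD5,
# 40 = SHA1, 64 = SHA256. Anything else is not a hash Tanium can filter on.
HASH_ALGORITHMS = {32: "MD5", 40: "SHA1", 64: "SHA256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def classify_hash(value: str) -> Optional[str]:
    """Return the File Details sensor (MD5 / SHA1 / SHA256) that matches this IOC
    value, or None if it is not a bare hex digest (wildcards, URLs, filenames)."""
    value = value.strip()
    if not HEX_RE.match(value):
        return None
    return HASH_ALGORITHMS.get(len(value))


def normalize_hash(value: str) -> str:
    """Trim and lowercase so an IOC pasted in upper case compares equal to a
    lowercase result."""
    return value.strip().lower()


def file_hashes(path: Path) -> dict:
    """MD5, SHA1 and SHA256 of a file's contents, read in 1 MiB chunks."""
    digests = {"MD5": hashlib.md5(), "SHA1": hashlib.sha1(), "SHA256": hashlib.sha256()}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def rename_vs_modify_demo() -> dict:
    """Hash a constructed (harmless) file, rename it, then append one byte.
    Renaming leaves every hash identical; the one-byte change alters all of them."""
    with tempfile.TemporaryDirectory() as tmp:
        original = Path(tmp) / "invoice.pdf.exe"  # constructed name, not a real sample
        original.write_bytes(b"MZ\x90\x00constructed sample, not real malware\n")
        before = file_hashes(original)

        disguised = original.rename(Path(tmp) / "svchost.exe")  # rename only
        after_rename = file_hashes(disguised)

        padded = Path(tmp) / "svchost_padded.exe"
        padded.write_bytes(disguised.read_bytes() + b"\x00")  # one extra byte
        after_modify = file_hashes(padded)

    return {
        "rename_preserves_hash": before == after_rename,
        "one_byte_changes_every_hash": all(before[k] != after_modify[k] for k in before),
        "md5": before["MD5"],
        "sha256": before["SHA256"],
    }


if __name__ == "__main__":
    for ioc in ("44D88612FEA8A8F36DE82E1278ABB02F",
                "da39a3ee5e6b4b0d3255bfef95601890afd80709", "*"):
        print(f"{ioc!r:50} -> sensor {classify_hash(ioc)}")
    print(rename_vs_modify_demo())
```

Run it as-is to see the classification of three IOC values (an MD5, a SHA1 and a wildcard) followed by the rename/modify result; the point to take away is that a hash search is exact-match on content, nothing more and nothing less.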

  1. Click the “+” symbol to add another row
  2. Type “Computer Name”, select it from the dropdown, and click the checkmark
  3. Use the six-dot handle to drag Computer Name to the first position
  4. Scroll down and click “Ask Question”

Tanium queries every computer in the environment by design. This means a single search answers a critical investigative question: is this hash isolated to one device, or is it present across multiple endpoints?

  1. Copy your hash value from the ticket or IOC list
  2. Paste it into the “Filter by Text” field
  3. Allow results to populate in real time

Important: Do not use “*” (wildcard) in this context — it will return all files rather than filtering for your specific hash.

Interpreting Results:

  • Results returned = the hash was found, along with the device name(s) and file path(s)
  • No results = the hash was not found on any endpoint that answered the question. Before recording this as a clean result, check how many endpoints answered: machines that are offline or have not checked in do not report, and a file that has already been deleted leaves no match
  • Multiple devices returned = the scope of the incident extends beyond a single endpoint and should be noted in the ticket
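Interpreting a result set as described above, as an added example (not part of the original page or of Tanium): it reads a constructed CSV in the shape of a saved question result, with assumed column names "Computer Name", "File Path" and "MD5", matches rows against the IOC hash case-insensitively, and classifies the outcome as not found, single device or multiple devices. It also takes the answered/total endpoint counts so that "not found" with poor coverage is not mistaken for a clean environment. The device names and paths are made up; the matching value is the published MD5 of the EICAR test file and the non-matching one is an arbitrary placeholder.

```python
import csv
import io
from collections import defaultdict

# Constructed export in the shape of a saved Tanium question result. The real
# column headers depend on the sensors in the question; these three are assumed.
# The matching value is the published MD5 of the EICAR test file; the other
# hash and all device names and paths are made up.
SAMPLE_EXPORT = """\
Computer Name,File Path,MD5
WS-1042,C:\\Users\\jdoe\\Downloads\\invoice.pdf.exe,44D88612FEA8A8F36DE82E1278ABB02F
WS-1042,C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost.exe,44d88612fea8a8f36de82e1278abb02f
SRV-FILE01,D:\\Shares\\public\\setup.exe,44d88612fea8a8f36de82e1278abb02f
WS-2077,C:\\Windows\\System32\\notepad.exe,0123456789abcdef0123456789abcdef
"""

# Below this fraction of endpoints answering, "no results" is not a clean bill.
COVERAGE_THRESHOLD = 0.95


def scope_hash_hits(export_csv: str, ioc_hash: str, answered: int, total: int) -> dict:
    """Match result rows against one IOC hash and classify the scope."""
    target = ioc_hash.strip().lower()
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["MD5"].strip().lower() == target:
            hits[row["Computer Name"]].append(row["File Path"])

    devices = sorted(hits)
    coverage = answered / total if total else 0.0
    complete = coverage >= COVERAGE_THRESHOLD

    if not devices:
        verdict = "not found" if complete else "not found (incomplete coverage)"
    elif len(devices) == 1:
        verdict = "single device"
    else:
        verdict = "multiple devices"

    return {
        "verdict": verdict,
        "devices": devices,
        "paths": {device: sorted(paths) for device, paths in hits.items()},
        "coverage": round(coverage, 3),
        "coverage_complete": complete,
    }


def ticket_note(result: dict, ioc_hash: str) -> str:
    """Render the scope as the lines an analyst would paste into the ticket."""
    lines = [f"Hash {ioc_hash.strip().lower()}: {result['verdict']} "
             f"({result['coverage']:.0%} of endpoints answered)"]
    for device in result["devices"]:
        for path in result["paths"][device]:
            lines.append(f"  {device}: {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    ioc = "44D88612FEA8A8F36DE82E1278ABB02F"
    res = scope_hash_hits(SAMPLE_EXPORT, ioc, answered=980, total=1000)
    print(ticket_note(res, ioc))
```

The sample returns "multiple devices" for the EICAR hash (two paths on WS-1042 plus one on SRV-FILE01), which is exactly the case the last bullet says must be noted in the ticket; the same hash searched with only 60% of endpoints answering would still be a hit, but a miss under those conditions is reported as "not found (incomplete coverage)" rather than "not found".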

Step 2: Cross-Reference the Hash on VirusTotal

Open virustotal.com in a separate tab and search the hash for additional context such as malware family, detection rate, and known threat intelligence. No account is needed for basic lookups. Search by the hash value only; do not upload the file itself. Uploaded samples are shared with other VirusTotal users, which can expose internal data contained in the file and can alert an adversary who monitors VirusTotal for their own tooling. A hash that VirusTotal has never seen is not evidence that the file is benign; record it as "unknown to VirusTotal" rather than "clean".

This step helps establish what the file does and contributes to thorough documentation in the ticket.
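A lookup and ticket summary of a VirusTotal report, as an added example that is not the page's own procedure or code. fetch_vt_report uses the VirusTotal API v3 files endpoint, which (unlike the web search) needs an API key, assumed here in a VT_API_KEY environment variable, and is not exercised offline; only the hash is sent, nothing is uploaded. summarize_vt_report works on a report dictionary, and SAMPLE_REPORT is a constructed response in the shape of that API with made-up numbers and names. A 404 from the API means the hash is unknown to VirusTotal and is reported as such, not as clean.

```python
import json
import os
import urllib.error
import urllib.request
from typing import Optional

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/{hash}"


def fetch_vt_report(file_hash: str) -> Optional[dict]:
    """Fetch a file report by hash from VirusTotal API v3. Needs VT_API_KEY in the
    environment (assumed variable name). Only the hash leaves the network; nothing
    is uploaded. Returns None when VirusTotal has never seen the hash (HTTP 404)."""
    req = urllib.request.Request(
        VT_FILES_URL.format(hash=file_hash.strip().lower()),
        headers={"x-apikey": os.environ["VT_API_KEY"], "accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def summarize_vt_report(report: Optional[dict]) -> dict:
    """Reduce a v3 file report to the fields worth recording in the ticket."""
    if report is None:
        return {"known": False,
                "note": "hash unknown to VirusTotal (not evidence of a clean file)"}
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    malicious = stats.get("malicious", 0)
    # Engines that timed out are not counted as having rendered a verdict.
    total = sum(stats.get(k, 0) for k in ("harmless", "malicious", "suspicious", "undetected"))
    label = attrs.get("popular_threat_classification", {}).get("suggested_threat_label")
    return {
        "known": True,
        "sha256": attrs.get("sha256"),
        "detection_ratio": f"{malicious}/{total}",
        "malicious": malicious,
        "threat_label": label,
        "names": attrs.get("names", [])[:5],                     # names seen in the wild
        "first_submission": attrs.get("first_submission_date"),  # epoch seconds
    }


def ticket_line(summary: dict) -> str:
    """One line for the ticket: either the detection context or the unknown note."""
    if not summary["known"]:
        return f"VirusTotal: {summary['note']}"
    return (f"VirusTotal: {summary['detection_ratio']} engines flag it, "
            f"label {summary['threat_label'] or 'n/a'}, "
            f"names seen: {', '.join(summary['names']) or 'n/a'}")


# Constructed response in the shape of a v3 file report; every value is made up.
SAMPLE_REPORT = {
    "data": {
        "type": "file",
        "id": "0" * 64,
        "attributes": {
            "sha256": "0" * 64,
            "names": ["invoice.pdf.exe", "svchost.exe"],
            "first_submission_date": 1700000000,
            "last_analysis_stats": {"harmless": 0, "malicious": 58, "suspicious": 1,
                                    "undetected": 11, "timeout": 0},
            "popular_threat_classification": {"suggested_threat_label": "trojan.agent/generic"},
        },
    }
}


if __name__ == "__main__":
    print(ticket_line(summarize_vt_report(SAMPLE_REPORT)))
    print(ticket_line(summarize_vt_report(None)))
```

The names list is worth recording alongside the detection ratio: it is where a renamed file (the case the Investigative Note above warns about) shows up, because VirusTotal keeps every file name under which the same content was submitted.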

[See Confluence: IOC Investigation -- VirusTotal Usage]


Step 3: Pivot to Asset Details in Tanium Inventory

Use Case: A hash hit was returned. You now need to identify the affected device.

  1. Copy the computer name from your results
  2. Click the nine-dot menu again
  3. Click Overview
  4. Click the light blue “Inventory Devices” link
  5. Paste the device name into the “Filter Items” field
  6. Click the asset name on the left to open the full device profile

What You’ll Find:

  • Installed applications
  • Hardware and OS details
  • Endpoint-specific information useful for triage

Key questions to answer at this stage:

  • What is the device? (type, OS, installed software)
  • Where is it? (location, ownership, network context)

This context shapes every decision that follows in the investigation.


Step 4: Look Up the Asset in ServiceNow (SNOW)

Use Case: You have a device name and need to pull its organizational and user context from the CMDB.

[See Confluence: ServiceNow Asset Investigation -- official documentation]

Adding Base Items to Your Favorites (first-time setup):

  1. Click “All” in the top-left corner of ServiceNow
  2. Type “Base Items” in the search field
  3. Click the star icon to favorite it, then click “Done”
  4. Base Items will now appear in your favorites bar for faster access going forward

Running the Search:

  1. Click “Base Items” and allow a few seconds for it to load
  2. Paste the computer name into the search field and press Enter
  3. Allow up to 30 seconds for the search to complete

Base Items pulls from the CMDB (Configuration Management Database), providing a structured organizational view of the asset that complements what Tanium shows at the endpoint level.

Customizing Your Column View:

  1. Click the cog icon next to “Actions” on the selected rows bar
  2. In the “Available” column, locate “User” — if not present, use “Assigned To”
  3. Click it, then click the right arrow to move it to your active columns
  4. Scroll down and locate “IP”, move it over the same way
  5. Click “OK” and allow the system a moment to process

You will now see the asset owner and IP address directly in your search results.

Drilling Into Asset and User Details:

  1. Click the asset name to open the full record
  2. Available fields include:
    • Department
    • Location and zip code
    • End User Services support group
    • User roles and access levels
  3. To go deeper on the assigned user, click the information bubble next to the user’s name
  4. Click “Open Record”
  5. Additional user details available here:
    • Business phone and mobile phone
    • Workday number
    • Manager

Note: Be patient with ServiceNow — the system needs time to process requests between steps.

[See Confluence: ServiceNow CMDB -- official documentation]
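The same CMDB lookup over the ServiceNow Table API, as an added example; it is not the page's Base Items view (an instance-specific module) and not ServiceNow-supplied code. It assumes the standard cmdb_ci_computer table and its fields name, assigned_to, ip_address, department, location and support_group; the instance name and the credentials (SNOW_USER and SNOW_PASSWORD environment variables) are assumptions, the network call is not exercised offline, and SAMPLE_RESPONSE is a constructed response with made-up data.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

# Standard cmdb_ci_computer fields used for triage (assumed; instance schemas vary).
CMDB_FIELDS = ["name", "assigned_to", "ip_address", "department", "location", "support_group"]


def cmdb_lookup_url(instance: str, computer_name: str) -> str:
    """Table API URL for an exact-name match. 'name=' is exact; 'nameLIKE' would
    be a substring match and is deliberately avoided so WS-10 cannot match WS-1042."""
    query = urllib.parse.urlencode({
        "sysparm_query": f"name={computer_name}",
        "sysparm_fields": ",".join(CMDB_FIELDS),
        "sysparm_display_value": "true",   # reference fields come back as names, not sys_ids
        "sysparm_limit": "10",
    })
    return f"https://{instance}.service-now.com/api/now/table/cmdb_ci_computer?{query}"


def fetch_cmdb_record(instance: str, computer_name: str) -> dict:
    """Run the lookup with basic auth from SNOW_USER / SNOW_PASSWORD (assumed names).
    Not exercised offline."""
    creds = f"{os.environ['SNOW_USER']}:{os.environ['SNOW_PASSWORD']}".encode()
    req = urllib.request.Request(
        cmdb_lookup_url(instance, computer_name),
        headers={"Authorization": "Basic " + base64.b64encode(creds).decode(),
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize_cmdb(response: dict, computer_name: str) -> dict:
    """Pick the exact-name record out of a Table API response and flatten the
    fields the ticket needs. Duplicate CIs with the same name are flagged."""
    records = [r for r in response.get("result", [])
               if r.get("name", "").lower() == computer_name.lower()]
    if not records:
        return {"found": False, "name": computer_name}
    rec = records[0]
    return {
        "found": True,
        "name": rec.get("name"),
        "owner": rec.get("assigned_to") or "unassigned",
        "ip": rec.get("ip_address") or "n/a",
        "department": rec.get("department") or "n/a",
        "location": rec.get("location") or "n/a",
        "support_group": rec.get("support_group") or "n/a",
        "duplicate_records": len(records) - 1,
    }


# Constructed response in the Table API shape with display values; made-up data.
SAMPLE_RESPONSE = {
    "result": [
        {"name": "WS-1042", "assigned_to": "Jane Doe", "ip_address": "10.20.30.40",
         "department": "Finance", "location": "Building 2, Floor 3",
         "support_group": "EUS - Region East"},
    ]
}


if __name__ == "__main__":
    print(cmdb_lookup_url("example", "WS-1042"))
    print(summarize_cmdb(SAMPLE_RESPONSE, "WS-1042"))
    print(summarize_cmdb(SAMPLE_RESPONSE, "WS-9999"))
```

An empty "assigned_to" is reported as "unassigned" rather than silently left blank, since an unowned device is itself a finding for the ticket, and more than one CI with the same name is surfaced through duplicate_records so the analyst knows the CMDB answer is ambiguous instead of trusting the first row.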


Summary & What Comes Next

Tanium and ServiceNow together provide a comprehensive picture of any endpoint — from the technical state of the device to the organizational context of its user. At this stage, the two core deliverables before escalating a ticket are:

  1. Hash identification — confirming whether a known malicious hash exists in the environment
  2. Asset discovery — identifying the device and its associated user, location, and organizational context

These are the foundational pieces of information any receiving analyst will need to take the investigation further.

Next steps are covered in separate wiki entries:

  • Searching by filename in Tanium Interact
  • Investigating IP addresses and other IOC types in Splunk
  • Checking Windows Defender logs using index=cnav
  • Escalation criteria and ticket documentation

[See Confluence: IOC Investigation Procedures] [See Confluence: Escalation Guidelines]
