Endpoint Analysis 101
Endpoint Analysis & Asset Investigation — L1 SOC Analyst Guide
Overview
This guide covers the initial steps for investigating endpoint alerts for the L1 Analyst onboarding. The focus is on determining whether a known malicious hash exists in the environment and identifying the affected device and its user.
By the end of this section you will be able to:
- Search for a known malicious hash across all endpoints using Tanium
- Cross-reference a hash on VirusTotal for threat context
- Pivot to asset details in Tanium Inventory
- Pull asset, user, and organizational context from ServiceNow (SNOW)
- Search Windows Defender AV logs in Splunk to determine if action was taken on a file
Tools Used
- Tanium — Endpoint query and asset inventory platform
- ServiceNow (SNOW) — Asset management, user information, and ticketing system
- VirusTotal (virustotal.com) — Hash lookup and malware reference, no login required
- Splunk — SIEM platform used to search AV and endpoint event logs
Step 1: Search for a Malicious Hash in Tanium
Use Case: You have received a list of known IOCs containing file hashes and need to determine if any exist on endpoints in the environment.
- Click the nine-dot menu in the left-hand pane
- Click Interact, then Question Builder
- Click Add Row, then click the Filter by Name dropdown
- Select File Details, then scroll down and select MD5
Tip: Match the hash type to the IOC you were given. If the list provides MD5 values, select MD5; if it provides SHA1 or SHA256, select that sensor instead. Hash types cannot be converted into one another, so an MD5 value searched against the SHA256 field returns nothing, and that empty result says nothing about whether the file is present. Where the IOC list offers both, prefer SHA256: MD5 collisions are practical, so two different files can share an MD5 value.
Investigative Note: Renaming a file does not change its hash. If a malicious file has been renamed to disguise itself, the hash still exposes it, so when in doubt search by hash rather than filename. The reverse also holds: any change to the file contents (repacking, recompiling, appending a single byte) produces a different hash, so a hash miss rules out only that exact file, not the malware family.
- Click the “+” symbol to add another row
- Type “Computer Name”, select it from the dropdown, and click the checkmark
- Use the six-dot handle to drag Computer Name to the first position
- Scroll down and click “Ask Question”
Tanium asks the question of every managed endpoint by design, so a single search answers a critical investigative question: is this hash isolated to one device, or present across multiple endpoints? Keep in mind that only endpoints that are online and running the Tanium client at the time answer; offline, unmanaged, or non-reporting devices do not appear in the results.
- Copy your hash value from the ticket or IOC list
- Paste it into the “Filter by Text” field
- Allow results to populate in real time
Important: Do not use “*” (wildcard) in this context — it will return all files rather than filtering for your specific hash.
Interpreting Results:
- Results returned = the hash was found, along with the device name(s) and file path(s)
- No results = the hash was not found on any endpoint that answered the question. Record when the question was asked; devices that were offline or not running the Tanium client at that time are not covered by this result
- Multiple devices returned = the scope of the incident extends beyond a single endpoint and should be noted in the ticket
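As an added example (not part of this runbook and not Tanium code), the following Python script does on a local folder what the Tanium File Details question does across the fleet: it hashes every file and compares the digests against an IOC list. It makes three points from Step 1 concrete: a renamed copy still matches, a copy with one byte changed does not, and an IOC list that only carries SHA256 values is only ever compared against SHA256 digests. Every file and IOC value is constructed inside a temporary directory; nothing here is a real indicator.

```python
import hashlib
import os
import tempfile
from pathlib import Path

HASH_TYPES = ("md5", "sha1", "sha256")


def hash_bytes(data: bytes) -> dict:
    """Return {"md5": ..., "sha1": ..., "sha256": ...} for an in-memory blob."""
    return {name: hashlib.new(name, data).hexdigest() for name in HASH_TYPES}


def hash_file(path: Path) -> dict:
    """Same digests for a file on disk, read in 64 KiB chunks so large files
    do not have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in HASH_TYPES}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def sweep(root: Path, iocs: dict) -> list:
    """Walk `root` and return (path, hash_type, digest) for every file whose
    digest appears in `iocs`, a mapping of hash type -> set of hex strings.
    Only the hash types present in `iocs` are compared: an MD5-only IOC list
    is never matched against SHA256 digests, because the two are not
    convertible into each other."""
    hits = []
    wanted = {t: {v.lower() for v in vals} for t, vals in iocs.items() if t in HASH_TYPES}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            digests = hash_file(p)
            for htype, values in wanted.items():
                if digests[htype] in values:
                    hits.append((str(p), htype, digests[htype]))
    return hits


def demo() -> dict:
    """Build constructed sample files in a temp dir and sweep them with a
    SHA256-only IOC list. Returns facts a caller can check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        payload = b"MZ\x90\x00 constructed sample bytes, not real malware\n"

        original = root / "tools" / "updater.exe"
        original.parent.mkdir()
        original.write_bytes(payload)

        # Same bytes under a new name and path: the digest is unchanged.
        renamed = root / "Users" / "Public" / "svchost.exe"
        renamed.parent.mkdir(parents=True)
        renamed.write_bytes(payload)

        # One byte appended: a different file as far as any hash is concerned.
        modified = root / "tools" / "updater_v2.exe"
        modified.write_bytes(payload + b"\x00")

        (root / "readme.txt").write_text("benign text file\n")

        iocs = {"sha256": {hash_bytes(payload)["sha256"]}}
        hits = sweep(root, iocs)
        return {
            "hit_count": len(hits),
            "renamed_copy_found": any(h[0].endswith("svchost.exe") for h in hits),
            "modified_copy_found": any("updater_v2" in h[0] for h in hits),
            # The same SHA256 value filed under "md5" matches nothing.
            "md5_only_list_hits": len(sweep(root, {"md5": iocs["sha256"]})),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as-is to see the two hits (original and renamed copy), the miss on the modified copy, and zero hits when the SHA256 value is mistakenly searched as an MD5.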
Step 2: Cross-Reference the Hash on VirusTotal
- Go to virustotal.com and paste the hash into the search field
- Review the results for detection ratio, malware family, and known threat intelligence
- Locate the Microsoft entry in the vendor results and copy the detection name. This is the Microsoft Defender threat name for the file, and it is what Step 5 searches for. If the Microsoft entry shows Undetected, Defender has no signature for this file, and the Splunk search in Step 5 has to rely on the hash instead
This step helps establish what the file does and supports thorough ticket documentation. No account is needed for hash lookups. Search by hash only; do not upload the file itself, since uploaded samples are shared with other VirusTotal users and may expose internal data.
[See Confluence: IOC Investigation -- VirusTotal Usage]
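Added example, not from the runbook and not VirusTotal code: a Python function that extracts from a VirusTotal v3 file report the three things Step 2 asks you to record by hand, the detection ratio, the suggested family label, and the Microsoft detection name, and handles the case where Microsoft has no detection. The report embedded below is a constructed sample laid out like the v3 data.attributes object (last_analysis_stats, last_analysis_results, popular_threat_classification); the vendor names and detection strings in it are invented and it is not a real response. Fetching a live report needs an API key and is not shown.

```python
import json

# Constructed sample following the VirusTotal v3 file-object layout. The hash,
# vendor names and detection strings are invented for illustration only.
SAMPLE_REPORT = json.dumps({
    "data": {
        "type": "file",
        "id": "0" * 64,
        "attributes": {
            "last_analysis_stats": {
                "malicious": 58, "suspicious": 1, "undetected": 12, "harmless": 0,
                "timeout": 0, "type-unsupported": 4, "failure": 0, "confirmed-timeout": 0,
            },
            "last_analysis_results": {
                "Microsoft": {"category": "malicious", "result": "Trojan:Win32/Example.A!ml"},
                "VendorX": {"category": "malicious", "result": "Gen:Trojan.Example"},
                "VendorY": {"category": "undetected", "result": None},
            },
            "popular_threat_classification": {"suggested_threat_label": "trojan.example/agent"},
        },
    }
})


def summarize_report(report) -> dict:
    """Pull the Step 2 facts out of a v3 file report (JSON string or parsed dict)."""
    if isinstance(report, str):
        report = json.loads(report)
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    results = attrs.get("last_analysis_results", {})

    malicious = stats.get("malicious", 0)
    # Engines that returned no verdict (unsupported type, timeout, failure) are
    # left out of the denominator, so the ratio reflects engines that actually scanned.
    voting = (malicious + stats.get("suspicious", 0)
              + stats.get("undetected", 0) + stats.get("harmless", 0))

    # The Microsoft engine's result string is the Defender threat name. It is
    # missing or None when Microsoft has no detection for this file.
    ms = results.get("Microsoft") or {}
    defender_sig = ms.get("result") if ms.get("category") in ("malicious", "suspicious") else None

    family = (attrs.get("popular_threat_classification") or {}).get("suggested_threat_label")

    return {
        "detection_ratio": f"{malicious}/{voting}",
        "malicious_votes": malicious,
        "engines_voting": voting,
        "family_label": family,
        "defender_signature": defender_sig,
        # Drives Step 5: with no Defender signature, the Splunk search falls back to the hash.
        "search_splunk_by": "signature" if defender_sig else "hash",
    }


if __name__ == "__main__":
    for key, value in summarize_report(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

The search_splunk_by value is the decision this step feeds into Step 5: a signature when Microsoft detects the file, otherwise the hash.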
Step 3: Pivot to Asset Details in Tanium Inventory
Use Case: A hash hit was returned. You now need to identify the affected device.
- Copy the computer name from your results
- Click the nine-dot menu again
- Click Overview
- Click the light blue “Inventory Devices” link
- Paste the device name into the “Filter Items” field
- Click the asset name on the left to open the full device profile
What You’ll Find:
- Installed applications
- Hardware and OS details
- Endpoint-specific information useful for triage
Key questions to answer at this stage:
- What is the device? (type, OS, installed software)
- Where is it? (location, ownership, network context)
This context shapes every decision that follows in the investigation.
Step 4: Look Up the Asset in ServiceNow (SNOW)
Use Case: You have a device name and need to pull its organizational and user context from the CMDB.
[See Confluence: ServiceNow Asset Investigation -- official documentation]
Adding Base Items to Your Favorites (first-time setup):
- Click “All” in the top-left corner of ServiceNow
- Type “Base Items” in the search field
- Click the star icon to favorite it, then click “Done”
- Base Items will now appear in your favorites bar for faster access going forward
Running the Search:
- Click “Base Items” and allow a few seconds for it to load
- Paste the computer name into the search field and press Enter
- Allow up to 30 seconds for the search to complete
Base Items pulls from the CMDB (Configuration Management Database), providing a structured organizational view of the asset that complements what Tanium shows at the endpoint level.
Customizing Your Column View:
- Click the cog icon next to “Actions” on the selected rows bar
- In the “Available” column, locate “User” — if not present, use “Assigned To”
- Click it, then click the right arrow to move it to your active columns
- Scroll down and locate “IP”, move it over the same way
- Click “OK” and allow the system a moment to process
You will now see the asset owner and IP address directly in your search results.
Drilling Into Asset and User Details:
- Click the asset name to open the full record
- Available fields include:
- Department
- Location and zip code
- End User Services support group
- User roles and access levels
- To go deeper on the assigned user, click the information bubble next to the user’s name
- Click “Open Record”
- Additional user details available here:
- Business phone and mobile phone
- Workday number
- Manager
Note: Be patient with ServiceNow — the system needs time to process requests between steps.
[See Confluence: ServiceNow CMDB -- official documentation]
Step 5: Search Windows Defender Logs in Splunk
Use Case: You have a Defender signature from VirusTotal and need to determine whether Defender detected or acted on the file in the environment.
Running the Search:
- In Splunk, run the following query, substituting the Defender signature copied from VirusTotal and the file hash from the ticket or IOC list:
index=<INTERNAL_AV_INDEX> ("<DEFENDER_SIGNATURE>" OR "<FILE_HASH>")
- This is a free-text search, so it matches the signature or hash wherever either appears in a Defender event, regardless of event type. Searching both terms matters because the log source may carry one but not the other, and if VirusTotal showed no Microsoft detection there is no signature to search
- Results show every computer that logged a detection for that signature or hash; what Defender did about the file is recorded in the event fields covered below
Tip: Start in fast mode to quickly identify relevant events. Once you have narrowed down the results, switch to verbose mode for deeper field visibility.
Drilling Into Event Details:
- Double-click one of the green bars in the event timeline to expand results for that time window
- Switch to verbose mode if not already enabled
- Click the dropdown arrow on a returned event — navigate to the right side of the result and scroll down to review available fields, including:
- Filename
- Filepath
- match_details_finding_additional_fields_action_type
The action_type field indicates what Defender did with the file. A quarantine entry confirms that Microsoft Defender quarantined the file, isolating it rather than simply detecting it. If a host shows only a detection, with no quarantine or remove action on any of its events, the file may still be on disk: confirm with the Tanium hash search from Step 1 and record that in the ticket.
Tip: A Tanium quarantine is a device-level action that isolates the entire endpoint from the network. A Defender quarantine is file-level — it removes a specific file from circulation. These are two distinct actions and should not be confused when documenting findings in the ticket.
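Added example, not part of the runbook: Python that reduces a set of Defender events, as the Step 5 search would return them, to one verdict per host, so the "detected only or quarantined" question is answered per machine rather than per event. The events are constructed to look like Splunk results carrying the action_type field named above; the action strings (Quarantine, Remove, Clean) and the field names host, filename, filepath and threat_name are assumptions about the log source, not something this page documents. Hosts with a detection but no remediating action are flagged for the Tanium check from Step 1.

```python
from collections import defaultdict

# Field name quoted in the runbook; the values below are an assumed vocabulary.
ACTION_FIELD = "match_details_finding_additional_fields_action_type"
REMEDIATING_ACTIONS = {"quarantine", "remove", "clean"}

# Constructed events shaped like Splunk results for the Step 5 search.
# Field names other than ACTION_FIELD are assumptions about the log source.
SIG = "Trojan:Win32/Example.A!ml"  # invented detection name
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T09:00:12Z", "host": "WS-1042", "filename": "invoice.exe",
     "filepath": "C:\\Users\\jdoe\\Downloads\\invoice.exe", "threat_name": SIG,
     ACTION_FIELD: "Quarantine"},
    # Detection logged with no action field at all: the file may still be on disk.
    {"_time": "2024-05-01T09:03:40Z", "host": "WS-2210", "filename": "invoice.exe",
     "filepath": "C:\\Temp\\invoice.exe", "threat_name": SIG},
    # Detection followed seconds later by a remove action on the same host.
    {"_time": "2024-05-01T09:05:02Z", "host": "WS-3311", "filename": "svchost.exe",
     "filepath": "C:\\Users\\Public\\svchost.exe", "threat_name": SIG,
     ACTION_FIELD: "Detected"},
    {"_time": "2024-05-01T09:05:09Z", "host": "WS-3311", "filename": "svchost.exe",
     "filepath": "C:\\Users\\Public\\svchost.exe", "threat_name": SIG,
     ACTION_FIELD: "Remove"},
]


def classify_action(event: dict) -> str:
    """'remediated' if the action field shows the file was neutralised, else 'detected_only'."""
    value = (event.get(ACTION_FIELD) or "").strip().lower()
    return "remediated" if value in REMEDIATING_ACTIONS else "detected_only"


def triage_by_host(events: list) -> dict:
    """Collapse events to one record per host: verdict, paths seen, actions in
    time order, first_seen. A single remediating action anywhere in the host's
    events makes the verdict 'remediated'; otherwise it stays 'detected_only'."""
    per_host = defaultdict(lambda: {"verdict": "detected_only", "paths": set(),
                                    "actions": [], "first_seen": None})
    for ev in sorted(events, key=lambda e: e["_time"]):
        rec = per_host[ev["host"]]
        rec["paths"].add(ev.get("filepath", ""))
        rec["actions"].append(ev.get(ACTION_FIELD, "<none>"))
        rec["first_seen"] = rec["first_seen"] or ev["_time"]
        if classify_action(ev) == "remediated":
            rec["verdict"] = "remediated"
    return {h: {**r, "paths": sorted(r["paths"])} for h, r in per_host.items()}


def hosts_needing_followup(events: list) -> list:
    """Hosts where Defender logged the threat but never a remediating action;
    these need the Tanium hash search to confirm whether the file is still present."""
    return sorted(h for h, r in triage_by_host(events).items() if r["verdict"] == "detected_only")


def ticket_summary(events: list) -> str:
    """One paste-ready scope line for the ticket."""
    triage = triage_by_host(events)
    remediated = sorted(h for h, r in triage.items() if r["verdict"] == "remediated")
    pending = hosts_needing_followup(events)
    return (f"{len(triage)} host(s) logged the threat; Defender remediated on "
            f"{len(remediated)} ({', '.join(remediated) or 'none'}); detected only on "
            f"{len(pending)} ({', '.join(pending) or 'none'}); confirm file presence "
            f"in Tanium for detected-only hosts before closing")


if __name__ == "__main__":
    print(ticket_summary(SAMPLE_EVENTS))
    for host in hosts_needing_followup(SAMPLE_EVENTS):
        print("follow up:", host, triage_by_host(SAMPLE_EVENTS)[host]["paths"])
```

The per-host collapse is the point: a host that logged a detection at 09:05:02 and a remove at 09:05:09 is remediated, while a host whose only event lacks an action is not, however many detections it logged.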
Pulling It All Together — Investigative Mindset for Endpoint Triage
At the L1 level, the goal is to build a coherent, documented picture of the event from the available evidence. Work through the following questions as you investigate:
- What is the file? — hash, filename, filepath
- What does VirusTotal say about it? — detection ratio, malware family, Defender signature
- What did Defender do? — detected only, or quarantined?
- Is the file isolated to one device, or present on multiple? — scope assessment via Tanium
- What is the asset? — device type, OS, installed applications
- Who is the user? — name, department, business unit, contact information
- Should this be escalated? — based on scope, Defender action, and threat intelligence findings
Investigative Note: Link any relevant malware articles or threat intelligence write-ups from Confluence or other internal resources directly in the ticket. This adds context for any analyst picking up the investigation after you.
Summary & What Comes Next
This guide covers the foundational endpoint investigation workflow for L1 analysts. The core deliverables before passing a ticket along are a clear account of what was found, where it was found, what the environment did about it, and who is affected.
Next steps are covered in separate wiki entries:
- Searching by filename in Tanium Interact
- Investigating IP addresses and other IOC types in Splunk
- Proxy and firewall log analysis
- Escalation criteria and ticket documentation
[See Confluence: IOC Investigation Procedures]
[See Confluence: Escalation Guidelines]