Tanium — Tool Overview
What is Tanium?
Tanium is an enterprise endpoint management and security platform that enables real-time visibility and control across every device in the environment. Unlike traditional security tools that rely on scheduled scans or passive data collection, Tanium queries endpoints directly and returns results in real time. For SOC analysts, this means the ability to ask questions about the entire environment and get answers within seconds — regardless of the number of endpoints.
Key Features Relevant to SOC Operations
Real-Time Endpoint Querying (Interact) The Interact module allows analysts to query every endpoint in the environment simultaneously using natural language-style questions built through the Question Builder interface. This is the primary module used during hash and filename investigations.
Hash and File Search Analysts can search for specific file hashes or filenames across all endpoints. Results return the device name and file path of each match, enabling rapid scope assessment during an IOC investigation. A hash search is an exact match, so the value supplied must be of the same hash type the endpoints have indexed; in this workflow that is MD5. An IOC list that supplies only SHA-1 or SHA-256 values cannot be matched against an MD5 index and should be recorded as unsearched rather than reported as not present. A filename search matches the name only, so a renamed copy of a known file will only be found by its hash; conversely, because MD5 collisions are practical, treat a hash hit as a lead to confirm on the endpoint rather than as proof on its own.
Asset Inventory The Inventory module provides a structured view of all endpoints in the environment. Analysts can filter by device name and access detailed asset profiles including installed applications, hardware specifications, and OS details.
Scope Assessment Because Tanium queries the entire environment simultaneously, it is well suited for determining whether a threat is isolated to a single device or present across multiple endpoints — a critical question in any investigation.
Endpoint Visibility Tanium provides visibility into the current state of any endpoint, including running processes, installed software, and file system details. This supports deeper investigation beyond initial hash or filename hits.
How SOC Analysts Use Tanium
At the L1 level, Tanium is primarily used in two ways. First, to search for known malicious hashes or filenames across the environment to determine whether an IOC is present and on which devices. Second, to pivot into the asset inventory to gather device-level details on any endpoint of interest. Together these two functions allow an analyst to establish the presence and scope of a potential threat and document the findings in the ticket.
Investigative Note: Tanium queries the entire environment by design. A single hash search will surface every device containing that file, making it an efficient first step for scope assessment when working from an IOC list. Only endpoints that are online and answer the question are counted, so record the number of endpoints that responded alongside the number of hits, and re-run the search later for any devices that were offline at the time.
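The hash search and scope assessment steps above are usually done by hand in the console, but the bookkeeping around them (which IOCs can actually be searched, and what the exported hits mean for scope) is easy to get wrong. The following is an added example, not Tanium code or part of the original page: it normalises an IOC list into hash types, then reads an exported result set and produces the per-IOC scope summary and ticket lines described in the text. The IOC values, device names and paths are constructed, and the three-column export layout (Computer Name, File Path, Hash) and the "[no results]" placeholder are assumptions about the export shape; adjust the column names to match your console.

```python
"""Triage helper for a Tanium hash search: normalise the IOC list, then turn the
exported Interact results into a per-IOC scope assessment for the ticket.

Constructed example: the IOC list, device names, paths and hashes below are made up.
The CSV layout (Computer Name, File Path, Hash) is an assumed export shape, not a
Tanium-defined format; adjust the column names to match your console export."""

import csv
import io
import re
from collections import defaultdict

# A hash search is an exact string match, so each IOC is bucketed by the hash type
# its length implies. Only the bucket matching what the endpoint index holds
# (MD5 in this workflow) can actually be searched; the rest need a different source.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
NO_RESULT_MARKERS = {"", "[no results]"}   # assumed placeholder for devices with no match


def classify_iocs(raw_iocs):
    """Lowercase, dedupe and bucket IOCs: md5 / sha1 / sha256 / filename / unknown."""
    buckets = defaultdict(list)
    seen = set()
    for entry in raw_iocs:
        value = entry.strip()
        if not value or value.lower() in seen:
            continue
        seen.add(value.lower())
        if HEX_RE.match(value):
            # hex of a known digest length is a hash; any other hex length is suspect
            buckets[HASH_TYPES.get(len(value), "unknown")].append(value.lower())
        else:
            buckets["filename"].append(value)
    return dict(buckets)


def assess_scope(results_csv, searched_hashes, total_endpoints, widespread_pct=5.0):
    """Group exported hits by IOC and device. State is 'not present', 'isolated',
    'multiple endpoints' or 'widespread' (>= widespread_pct of the fleet)."""
    hits = defaultdict(lambda: defaultdict(set))        # hash -> device -> {paths}
    for row in csv.DictReader(io.StringIO(results_csv)):
        path = row["File Path"].strip()
        if path in NO_RESULT_MARKERS:
            continue                                     # device answered but holds no match
        hits[row["Hash"].strip().lower()][row["Computer Name"].strip()].add(path)
    summary = {}
    for h in searched_hashes:
        devices = hits.get(h, {})
        n = len(devices)
        if n == 0:
            state = "not present"
        elif n == 1:
            state = "isolated"
        elif n * 100.0 / total_endpoints >= widespread_pct:
            state = "widespread"
        else:
            state = "multiple endpoints"
        summary[h] = {
            "device_count": n,
            "state": state,
            "devices": {d: sorted(p) for d, p in sorted(devices.items())},
        }
    return summary


def ticket_lines(iocs, summary):
    """Render the findings the way they would be pasted into the ticket."""
    lines = []
    for kind in ("sha1", "sha256", "unknown"):
        for v in iocs.get(kind, []):
            lines.append(f"NOT SEARCHED ({kind}): {v} - no MD5 available, index holds MD5 only")
    for h, s in summary.items():
        lines.append(f"{h}: {s['state']} ({s['device_count']} device(s))")
        for device, paths in s["devices"].items():
            for p in paths:
                lines.append(f"  {device}: {p}")
    return lines


# --- constructed sample data -------------------------------------------------
SAMPLE_IOCS = [
    "0123456789abcdef0123456789abcdef",   # md5, searchable
    "0123456789ABCDEF0123456789ABCDEF",   # same md5, different case (deduped)
    "ffffffffffffffffffffffffffffffff",   # md5 with no hits in the export
    "ab" * 32,                            # sha256 only: cannot match an MD5 index
    "update.exe",                         # filename IOC
    "deadbeef",                           # hex, but not a digest length
]

SAMPLE_EXPORT = r"""Computer Name,File Path,Hash
WS-0142,C:\Users\jdoe\AppData\Local\Temp\update.exe,0123456789abcdef0123456789abcdef
WS-0142,C:\Windows\Temp\update.exe,0123456789ABCDEF0123456789ABCDEF
SRV-DB01,D:\staging\update.exe,0123456789abcdef0123456789abcdef
WS-0077,[no results],
"""

if __name__ == "__main__":
    iocs = classify_iocs(SAMPLE_IOCS)
    scope = assess_scope(SAMPLE_EXPORT, iocs["md5"], total_endpoints=500)
    print("\n".join(ticket_lines(iocs, scope)))
```

The "widespread" threshold is a percentage of the fleet rather than a fixed count so the same script gives sensible answers for a 200-device site and a 50,000-device one; pass the number of endpoints that actually answered the question as total_endpoints, not the licensed count, since offline devices did not contribute to the export.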
Access
Tanium is accessed via the Tanium console in your browser. The primary modules used for L1 investigations are Interact and Inventory, both accessible through the nine-dot menu in the left-hand pane.