Sunday, June 21, 2020

[SOC Advanced] Take Actions on offline endpoints using Tanium

I often hear complaints from security analysts that they have received an endpoint incident and it is time to investigate and verify it through Tanium, but the target computer is offline, or the user sits in another time zone and cannot be reached. It is fine if you have a colleague in another country to take your handover at the end of the shift, but what if you are alone, or you never know when the computer will come online?

One common misconception about Tanium is that you can only take actions against endpoints that are online. This isn't so. Using the following approach, you can target endpoints even while they are offline, with the actions executing when they come back online.

To carry out this activity you need to know two things about Tanium in order to execute the steps below:

  • How to ask a Question:
https://docs.tanium.com/interact/interact/questions.html

  • How to take an Action:
https://docs.tanium.com/platform_user/platform_user/interact_deploying_actions.html

Let’s begin,

STEP 1 :
            Assume you want to run an action against hostname "COMPUTER2158.domain.net" and this computer is not currently online. If I know "COMPUTER2158.domain.net" is a Windows machine, I can be sure it will be captured by Tanium, so I target Windows equals True; if you don't know its operating system, target all machines instead.

Click on "True" and 3 options will appear in blue tabs; choose the option "Deploy Action".

STEP 2:
           To make this Action effective for disconnected or offline PCs, schedule the Action on a repeating basis. If your endpoint is offline right now, chances are it will not be online for the duration of a single Action run.
You can schedule the Action (for example to run every hour, or every 8 hours, depending on the country's time zone) so that you will eventually catch this computer in an online state.



STEP 3 :
            Specify your desired endpoint(s) in the Action (under Targeting Criteria). While creating the Action, simply add a filter in the Targeting Criteria section (for example a question filter).

In this example I used the question: Computer Name contains "COMPUTER2158.domain.net"



You can add more questions based on what you want to achieve once the computer is online.

In this example I used the question: Get Index Query File Details[*,*,DriverToolkitInstaller.exe,*, *, *, *, 10] from all machines with Computer Name containing "COMPUTER.domain.net"




STEP 4 :
            Once the Action is no longer needed, it is recommended to disable or delete it. Otherwise the Action will keep running if you did not set a Start and End time (refer to the STEP 2 screenshot).
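To make the STEP 2 trade-off (repeat interval versus the endpoint's online window) and the STEP 4 end-time point concrete, here is an added Python model; it is not Tanium's code or API, and the schedule semantics, the hostname scenario and the 7-day horizon are assumptions for illustration:

```python
from datetime import datetime, timedelta
from typing import List, Optional


def scheduled_runs(start: datetime, end: Optional[datetime], interval: timedelta,
                   horizon: timedelta = timedelta(days=7)) -> List[datetime]:
    """Hypothetical model (not Tanium's API) of a scheduled Action: it is
    reissued every `interval` from `start` until `end`. `end=None` mirrors
    the "no End time set" case of STEP 4; the list is cut at `horizon`
    only so an open-ended schedule stays finite."""
    stop = end if end is not None else start + horizon
    runs, t = [], start
    while t <= stop:
        runs.append(t)
        t += interval
    return runs


def first_run_while_online(runs: List[datetime], online_from: datetime,
                           online_to: datetime) -> Optional[datetime]:
    """First reissue inside the endpoint's online window, or None if every
    reissue misses it (the endpoint is assumed to answer any reissue that
    happens while it is online)."""
    for t in runs:
        if online_from <= t <= online_to:
            return t
    return None


def demo() -> dict:
    """Constructed scenario: the Action is scheduled Sunday 09:00 for 24 hours,
    and COMPUTER2158.domain.net is only online 14:30-16:15 that day."""
    start = datetime(2020, 6, 21, 9, 0)
    end = start + timedelta(hours=24)
    online = (datetime(2020, 6, 21, 14, 30), datetime(2020, 6, 21, 16, 15))
    hourly = scheduled_runs(start, end, timedelta(hours=1))
    eight_hourly = scheduled_runs(start, end, timedelta(hours=8))
    return {
        "hourly_runs": len(hourly),
        "hourly_hit": first_run_while_online(hourly, *online),
        "eight_hourly_runs": len(eight_hourly),
        "eight_hourly_hit": first_run_while_online(eight_hourly, *online),
        # With no End time the Action keeps reissuing until someone disables
        # or deletes it: here 7 days of hourly runs instead of 25.
        "open_ended_runs": len(scheduled_runs(start, None, timedelta(hours=1))),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hourly schedule catches the endpoint at 15:00, the 8-hourly one never does, and the open-ended schedule keeps reissuing long after the case is closed.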