Exporting reputation data

View reputation data

To view a list of the malicious hashes that Reputation has pulled from the reputation services, open the Malicious tab in the Reputations section of the Overview page.

Only hashes with a malicious or pending status are listed.

In Threat Response, you can view the ratings on hashes for live endpoints or snapshots. For more information, see Tanium Threat Response User Guide: Connecting to live endpoints and exploring data.

Send data to Connect destinations

Use Connect 5.2.3 or later to create a connection to send the data that is in the reputation database to any Connect destination. For example, you might configure a connection to create an email notification when a malicious item is found.

  1. From the Connect Overview page, click Create Connection.
  2. Specify a name and description.
  3. For the source, select Tanium Reputation.
    You can also select the reputation status to include.
  4. Configure the destination settings for the connection.

The first run of a connection that uses Tanium Reputation as a source retrieves all available reputation items. Subsequent runs of that connection retrieve only the reputation changes since the last time the connection ran.

For more information, see Tanium Connect User Guide: Managing connections.
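The full-then-delta behaviour described above (first run returns every reputation item, later runs return only what changed since the previous run) is easiest to reason about as a watermark over a change counter. The following is an added illustration, not Tanium's implementation: the in-memory table, the `updated` counter and the status names are constructed assumptions, and the hash values are placeholders rather than real indicators.

```python
"""Incremental export from a reputation source (added example, not Tanium's code).

A constructed in-memory table and an assumed 'updated' change counter model the
behaviour described above: the first run of a connection returns every item that
matches the status filter, and later runs return only changes since that run.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class ReputationItem:
    hash: str        # hash value; placeholders below, not real indicators
    status: str      # "malicious", "pending" or "benign" (assumed status names)
    updated: int     # change counter; a real store would use an update timestamp


class ReputationConnection:
    """One Connect connection that uses the reputation database as its source."""

    def __init__(self, statuses: frozenset[str] = frozenset({"malicious", "pending"})):
        self.statuses = statuses   # the 'reputation status to include' selection
        self.watermark = 0         # highest change counter seen by a previous run

    def run(self, table: list[ReputationItem]) -> list[ReputationItem]:
        """Return items changed since the last run (every matching item on the first run)."""
        batch = [item for item in table
                 if item.updated > self.watermark and item.status in self.statuses]
        # Advance to the newest change in the table so the next run sees only later edits.
        self.watermark = max((item.updated for item in table), default=self.watermark)
        return batch


def simulate() -> list[list[str]]:
    """Three runs against a constructed table; returns the hashes sent on each run."""
    table = [
        ReputationItem("hash-example-1", "malicious", 1),
        ReputationItem("hash-example-2", "pending", 2),
        ReputationItem("hash-example-3", "benign", 3),
    ]
    conn = ReputationConnection()
    first = conn.run(table)          # initial run: everything that matches the filter
    second = conn.run(table)         # nothing changed, so nothing is sent
    table[1].status = "malicious"    # the pending lookup has now resolved
    table[1].updated = 4
    table.append(ReputationItem("hash-example-4", "pending", 5))
    third = conn.run(table)          # only the two changes since the previous run
    return [[item.hash for item in batch] for batch in (first, second, third)]


if __name__ == "__main__":
    for number, sent in enumerate(simulate(), start=1):
        print(f"run {number}: {sent}")
```

The point to notice is the second run: with no changes, nothing is sent, so an email-notification destination stays quiet until a hash actually changes status, and a pending item that later resolves to malicious is delivered exactly once, on the run after it changed.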

Send data to the reputation service

If you want to pre-populate reputation data with hashes from your environment, you can send data to the reputation service as a connection destination. When this content is pre-populated, the reputation service can start querying the status of the items from the reputation sources.

  1. Create a saved question for each of the following questions to collect hash data from your environment:

    Saved Question Name, followed by the question syntax to use:

    Reputation - Windows AutoRuns (SHA 256)
      Get AutoRun Files[SHA256,1] from all machines with Is Windows contains true
    Reputation - Linux Autoruns (MD5)
      Get Linux AutoRuns[MD5,1] from all machines with Is Linux contains true
    Reputation - macOS Autoruns (MD5)
      Get Mac AutoRuns[MD5,1] from all machines with Is Mac contains true
    Reputation - Microsoft EXE Recently Changed
      Get Index - File Hash Recently Changed[100,*,*,*,4D5A*,*,*,*,*,0,3,1] from all machines
    Reputation - Recently Changed macOS MACH-O 32 Bit
      Get Index - File Hash Recently Changed[100,*,*,*,FEEDFACE*,*,*,*,*,0,3,1] from all machines
    Reputation - Recently Changed macOS MACH-O 64 Bit
      Get Index - File Hash Recently Changed[100,*,*,*,FEEDFACF*,*,*,*,*,0,3,1] from all machines
    Reputation - Recently Changed macOS ELF
      Get Index - File Hash Recently Changed[100,*,*,*,7F454C46*,*,*,*,*,0,3,1] from all machines
    Reputation - Driver Details (SHA 256)
      Get "Driver Details with Hash"[SHA256] from all machines
    Reputation - Loaded Modules (SHA256)
      Get "Loaded Modules with Hash"[SHA256] from all machines
    Reputation - Running Processes with Hash (SHA256)
      Get "Running Processes with Hash"[SHA256] from all machines
    Reputation - Service Module Details (SHA256)
      Get "Service Module Details with Hash"[sha256] from all machines
    Reputation - Trace Executed Process Hashes (MD5)
      Get Trace Executed Process Hashes[3 hours,1571257836726|1571261435726,500] from all machines

    For more information on creating saved questions, see Tanium Console User Guide: Create a saved question.

  2. From the Connect Overview page, click Create Connection.
  3. Choose Saved Question from the Source drop-down, select one of the saved questions that you created in step 1 from the Saved Question Name drop-down, and select All Computers from the Computer Group drop-down.

    You can use the following settings for saved questions:

    Setting | Description
    Include Recent Results | To include results from machines that are offline, select Include Recent Results, which returns the most recent answer to the saved question for each offline endpoint.
    Answer Complete Percent | Results are returned when the saved question reaches the configured complete percentage. Any results that arrive after that percentage has been reached are not sent to the destination. If the data from the saved question is incomplete in your destination, disable this setting by setting it to 0; when it is disabled, all data is returned after the timeout passes.
    Timeout | Minutes to wait for clients to reply before returning processed results when Answer Complete Percent is set to 0. If the Answer Complete Percent value is not met at the end of the time limit, the connection run is marked as a failure. For the best results, set this to 10 minutes.
    Batch Size | Number of rows that are returned for the saved question results at one time. The appropriate value might vary depending on your destination.
  4. Specify a name that matches the saved question name and enter a connection description.
  5. For the destination, choose Tanium Reputation and select the appropriate hash type for the Hash Field.

    Each reputation service connection destination can be configured for only one hash column name. If a saved question returns multiple hash types (such as MD5 and SHA256) and you want to send both hashes to Reputation, you must create two connections, one for each hash type in the Hash Field.

  6. In the Schedule section, select Enable Schedule to update and stagger the schedule and prevent these connections from running simultaneously.
  7. Select Advanced - Define as a Cron Expression and enter one of the following Cron expressions in the Advanced field:

    Saved Question Name | Cron expression | Frequency
    Reputation - Windows AutoRuns (SHA 256) | 0 */3 * * * | 0th minute every third hour
    Reputation - Linux Autoruns (MD5) | 48 */3 * * * | 48th minute every third hour
    Reputation - macOS Autoruns (MD5) | 56 */3 * * * | 56th minute every third hour
    Reputation - Microsoft EXE Recently Changed | 8 */3 * * * | 8th minute every third hour
    Reputation - Recently Changed macOS MACH-O 32 Bit | 16 */3 * * * | 16th minute every third hour
    Reputation - Recently Changed macOS MACH-O 64 Bit | 24 */3 * * * | 24th minute every third hour
    Reputation - Recently Changed macOS ELF | 32 */3 * * * | 32nd minute every third hour
    Reputation - Driver Details (SHA 256) | 10 */1 * * * | 10th minute every hour
    Reputation - Loaded Modules (SHA256) | 20 */1 * * * | 20th minute every hour
    Reputation - Running Processes with Hash (SHA256) | 30 */1 * * * | 30th minute every hour
    Reputation - Service Module Details (SHA256) | 40 */1 * * * | 40th minute every hour
    Reputation - Trace Executed Process Hashes (MD5) | 50 */1 * * * | 50th minute every hour
  8. Save the connection.
  9. Repeat steps 2-8 for the remaining saved questions.
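Step 6 asks you to stagger the schedules so that the connections do not run at the same time. The following added check, which is not part of the Tanium documentation or product, embeds the cron expressions from the table above as constructed data and confirms that no two of the twelve connections fire in the same minute of the day. The evaluator implements only the cron field forms a schedule like this uses (a fixed value, `*`, `*/n`, plus simple ranges and lists) and requires the three date fields to be `*`; it is not a general cron parser.

```python
"""Stagger check for the Reputation connection schedules (added example).

Not part of the Tanium documentation or product.  The cron expressions are copied
from the schedule table; the evaluator supports only the field forms used there
(a fixed value, '*', '*/n') plus simple ranges and comma lists.
"""
from __future__ import annotations

from itertools import product

# Constructed from the schedule table: saved question name -> cron expression.
SCHEDULE: dict[str, str] = {
    "Reputation - Windows AutoRuns (SHA 256)": "0 */3 * * *",
    "Reputation - Linux Autoruns (MD5)": "48 */3 * * *",
    "Reputation - macOS Autoruns (MD5)": "56 */3 * * *",
    "Reputation - Microsoft EXE Recently Changed": "8 */3 * * *",
    "Reputation - Recently Changed macOS MACH-O 32 Bit": "16 */3 * * *",
    "Reputation - Recently Changed macOS MACH-O 64 Bit": "24 */3 * * *",
    "Reputation - Recently Changed macOS ELF": "32 */3 * * *",
    "Reputation - Driver Details (SHA 256)": "10 */1 * * *",
    "Reputation - Loaded Modules (SHA256)": "20 */1 * * *",
    "Reputation - Running Processes with Hash (SHA256)": "30 */1 * * *",
    "Reputation - Service Module Details (SHA256)": "40 */1 * * *",
    "Reputation - Trace Executed Process Hashes (MD5)": "50 */1 * * *",
}


def _expand(field: str, lo: int, hi: int) -> set[int]:
    """Expand one cron field (e.g. '*/3', '8', '1-5', '0,30') into the values it matches."""
    values: set[int] = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start_text, end_text = part.split("-", 1)
            start, end = int(start_text), int(end_text)
        else:
            start = end = int(part)
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError(f"cron field {field!r} is outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def fire_minutes(expr: str) -> set[int]:
    """Return the minute-of-day offsets (0..1439) at which a 5-field expression fires.

    Day-of-month, month and day-of-week must be '*', which is all the table uses.
    """
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 cron fields in {expr!r}")
    minute, hour, dom, month, dow = fields
    if (dom, month, dow) != ("*", "*", "*"):
        raise ValueError("this check only handles schedules that run every day")
    return {h * 60 + m for h, m in product(_expand(hour, 0, 23), _expand(minute, 0, 59))}


def find_collisions(schedule: dict[str, str]) -> dict[int, list[str]]:
    """Map each minute of the day on which two or more connections fire to their names."""
    by_minute: dict[int, list[str]] = {}
    for name, expr in schedule.items():
        for offset in fire_minutes(expr):
            by_minute.setdefault(offset, []).append(name)
    return {offset: names for offset, names in by_minute.items() if len(names) > 1}


def runs_per_day(expr: str) -> int:
    """Number of times per day an expression fires; useful when estimating load."""
    return len(fire_minutes(expr))


if __name__ == "__main__":
    for name, expr in SCHEDULE.items():
        print(f"{runs_per_day(expr):3d} runs/day  {expr:<12}  {name}")
    clashes = find_collisions(SCHEDULE)
    if clashes:
        for offset, names in sorted(clashes.items()):
            print(f"collision at {offset // 60:02d}:{offset % 60:02d}: {', '.join(names)}")
    else:
        print("no two connections fire in the same minute")
```

Run it after editing any of the expressions (for example if you add a thirteenth saved question): the hourly connections occupy minutes 10, 20, 30, 40 and 50 of every hour, and the three-hourly ones use minutes 0, 8, 16, 24, 32, 48 and 56, so the two groups never overlap; a new connection placed on one of those minutes shows up immediately as a collision.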

Send data to Trends boards

Use Trends 3.6.323 or later to import a board that contains different panels of reputation metrics. By default, the Reputation Overview page shows the metrics from the Service Usage section of the Reputation board.

  1. From the Trends menu, click Boards and then click Import > Gallery.
  2. Select Reputation and then select which sections or panels you want to import.
    By default, everything is selected.
  3. Click Validate.

    If you see a warning about missing content sets, select Reputation.

  4. Click Import.

For more information, see Tanium Trends User Guide: Importing the initial gallery.