
Trends

Trends - Introduction

©2020 Tanium. All rights reserved.

Trends is a Tanium module that gathers data over time to create data visualizations. Trends is
an excellent way to visualize, communicate and tell a story about data using Tanium in a way
that’s approachable for all users, from users to administrators to senior executives.

The charts you see here are built using Tanium data over time. Trends builds on Tanium’s
unique architecture and live feedback from the endpoint to provide context for the huge
amounts of data available to you, allowing you to visualize, understand and communicate the
true state of your security and operations health.

With Trends you can:

• Collect data from the endpoints across the enterprise to present visualizations of historical counts
for information related to hardware and software inventory, operational hygiene, and endpoint
security posture.
• Create organized collections of boards and panels to display the collected data in impactful charts.
• Customize the chart type, date or date range, color scheme, and text for each panel.
• Set data condition thresholds that trigger visual status indicators (for example, red, yellow, or green
panel backgrounds).
• Publish boards to a file that you can distribute to stakeholders or post to an internal web server.
• Navigate from historical trends to current, real-time status for the same key question, returned in
the familiar results grid, where you can deploy actions or use the merge and drill-down features to
examine the details.
• Further explore question results that display in a panel by opening the question in Tanium™
Interact, where you can deploy and schedule actions as necessary.

Senior executives are lacking the tactical view of their environment, so it can be
hard for them to know the state of their environment. That’s where Trends comes in.
With Trends, you can create detailed visualizations that tell a story about the state
of your organization’s environment.

Operations and security data need to be in context of what matters most to the
business. Is it the new zero-day vulnerability? The scope and scale of their
environment? The status of a major operating system upgrade?

Be aware of the value that simple visualizations can bring to senior executives:

• 91% of the highly vulnerable board members can’t interpret a cybersecurity report
• 98% of the highly vulnerable executives are not confident in their organization's ability
to track all devices and users on the system at all times
• Only 10% of the highly vulnerable respondents agree that they were regularly updated
with information about the types of threats to cybersecurity that are pertinent to their
business
• 87% of highly vulnerable board members and executives don’t consider their malware,
antivirus, software and patches to be 100% up-to-date at all times

Trends is best used to communicate and tell a story. You can show effects: If we’re
making daily improvements to the state of our environment, does the data show that
we’re moving in a positive direction?

To a Tanium user, simply asking questions tells us what we need to know on a tactical, day-to-day
level. But this chart may not be easy for upper-level management to interpret. How can
we convey the state of high-priority versus low-priority patches at a glance?

Trends gives you the ability to create high-impact visualizations that are customized to your
business needs.

In this example, we can see the status of applicable patches broken down by severity.

The difference between results in Interact and results in Trends is that Interact shows data in
real time, at the present moment. Trends shows data collected over time. A global company
spread over continents may find value in knowing data over time not only to address historical
questions, but simply to gather a complete picture of their environment. For a global
company, there isn't any one time during the day that they can get a full picture of all their
endpoints due to time differences among the different corporate branches. Trends was built
with this in mind.

Generally, customers want to see data over the past day, 7 days, or 14 days. For example:
Which endpoints have logged in over the most recent 21-day time window?

Trends has a few ways of showing data, such as:


• Current full estate – A single column of aggregated answers to a question over the past 7
days. Similar to the "recent" capability in Tanium Interact, also known as "last reported"
endpoint status.
• Historical trends – Data over time, such as a three-month or three-week period
• Realtime connected – Data for what's connected right now

Trends provides visibility into the history of key pieces of information about the
enterprise IT estate, the ability to coordinate with real-time status for those same
indicators, and the ability to deploy actions on an endpoint. Rather than purchasing
an expensive third-party tool, senior leaders can simply leverage Tanium. A good
Tanium administrator can provide senior leaders with the kind of insight they
need quickly and more effectively.

Key Trends Concepts

One key thing to note about Trends is that it is designed to track a single answer from an
endpoint per day, not multiple answers. For example, you cannot use Trends to see what OS
patch a specific computer was running on a specific date in the past. Instead, you can use
Trends to drill down from the insights afforded by the aggregate counts to the most recent
results about OS patches, and from recent results, you can drill down to results for specific
computers.

A result row aggregates results with matching strings or numbers, so tracking the top 1,000
occurrences affords sufficient visibility into the items you want to track in most cases.

A source is a configuration that defines a saved question, how often to issue the question, and how
often the results are collected and aggregated. For the purpose of Trends, saved questions are limited
to results from a single sensor. However, the sensor used can be a single-column sensor, a
multi-column sensor, or a parameterized sensor. By default, Trends saved questions are issued every
five hours plus one more time right before data collection. The frequency is designed to get
responses from endpoints that are sometimes offline during a one-day period but are online at least
one of the times the saved question is issued. The results from the saved questions are cached on the
Tanium Server. Once a day the data is collected from the Tanium Server, aggregated by
computer group, and stored in the Trends database. This data is used to populate the Trends
panels.

Saved questions created by Trends sources will only be issued to computer groups visible to Trends.
As a result, if a new computer group is created, it must be enabled in the Trends workbench before it
can be utilized by Trends.

Trends sources rely on sensors that already exist within Tanium. If a new sensor is needed, it
must be created before the source is configured.

Trends cannot be used to gather data from endpoints that are not managed by Tanium.

This is a Trends board titled Windows 10 Compatibility. A board can have one or more
sections with one or more panels in each section. A board organizes a collection of panels. You can
create and edit boards to add panels, and you can publish boards to downloadable HTML files.

A panel displays a visualization for data collected by a source. Panels are essentially charts and Trends
offers a variety of chart types depending on how you’d like to display the data.

Panels depend on sources; you must create a source before you create a panel that uses the source.

A section is a collapsible division on a board that you can use to further group panels. A
board can have multiple sections and each section can contain multiple panels.
Sections are optional and by default, boards do not contain any sections.

In the example above, the Windows 10 Compatibility board features two sections:
Default, with two panels (Windows 10 Compatibility Summary and Windows 10
Compatibility Categorization) and Advanced Security Features, with two panels
(SecureBoot Capability and TPM Presence).

After choosing a chart type for the panel, there are a number of customizable settings.

Update the X and Y axis labels to display horizontally under the chart and vertically to the left
of the chart. Note: these options require a chart type that uses axis labels.

Additionally, modifying the legend display options customizes the items that appear in the
chart. To exclude an item from the chart, deselect the checkbox next to the item name. Click
the color swatch next to any item to change the color that displays for that item – there is no
limit to the number of times a color may be used.

Conditional formatting allows you to modify the background color of the chart if a certain
threshold is met. Multiple conditions can be used; however, it is important to note that
whichever rule is hit first applies.

In this example, Tanium client is at 100% true and so the background color is green. If the
Tanium client was less than 100%, but above 75% (80% for example), then the background
color would be yellow.

Conditional formatting is a great way to quickly see when something needs attention.
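
Because the first matching rule wins, rule order can make a later rule unreachable. The sketch below is an added example, not Tanium code: the rule tuples, the operators and the red rule are assumptions used to model first-match evaluation and to flag rules that can never apply.

```python
import operator

# Comparison operators a rule may use (assumed for this model).
OPS = {">=": operator.ge, ">": operator.gt, "<": operator.lt, "<=": operator.le}


def background(rules, percent, default="none"):
    """Return the color of the first rule whose condition holds."""
    for op, threshold, color in rules:
        if OPS[op](percent, threshold):
            return color
    return default


def shadowed(rules):
    """Return rules that never win for any value from 0.0 to 100.0 (0.1 steps)."""
    winners = set()
    for tenths in range(0, 1001):
        value = tenths / 10
        for index, (op, threshold, _color) in enumerate(rules):
            if OPS[op](value, threshold):
                winners.add(index)
                break  # first match wins; later rules are not consulted
    return [rule for index, rule in enumerate(rules) if index not in winners]


# Constructed rule sets. GOOD follows the slide: 100% is green, above 75% is yellow.
GOOD = [(">=", 100, "green"), (">", 75, "yellow"), ("<=", 75, "red")]
# Same rules with yellow listed first: the green rule can never be reached.
BAD = [(">", 75, "yellow"), (">=", 100, "green"), ("<=", 75, "red")]

if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, "at 100%:", background(rules, 100), "| shadowed:", shadowed(rules))
```
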

This is an expanded Trends view of the current Running Applications panel. In single panel
view, notice the more detailed information available, including the number of endpoints that match
specific criteria.

From here you can change the chart type, count, computer group and date range as well as
filter the results based on text you enter.

Once you are in edit mode, you can change any of the panel configurations.

With Trends we have the ability to toggle between “Online” and “Online and
Most Recent Offline” clients. This allows us to account for natural times when
fewer endpoints may be online, such as during weekends or holidays. In this
example, you can clearly see dips where the “online computers” decrease
during weekends. Selecting “Online and Most Recent Offline” will smooth out
this chart, and perhaps save us from having to explain to the executive board
why there are dips in their operating systems over time.

Every time a saved question is run, the Tanium Server notes whether each
endpoint is online and stores that data. If an endpoint has responded to a
saved question within the last 24 hours, it is considered Online. Endpoints that have
responded within the last 7 days are considered “Online and Most Recent Offline”.

The online and offline statuses relate to the time Trends collected the results, not the
present time. For example, Trends collects data at 9:00 UTC for a source that
queries Get Machines Requiring a Reboot from all machines, and the data for Online
clients and Online and most recent offline clients are tallied at that point in time.
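
The two views described above can be modeled as a tally taken at collection time rather than at the present time. This is an added example, not Tanium code: the endpoint names, timestamps and answers are constructed, and treating the 24-hour and 7-day boundaries as inclusive is an assumption.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

ONLINE_WINDOW = timedelta(hours=24)  # "Online"
RECENT_WINDOW = timedelta(days=7)    # "Online and Most Recent Offline"


def tally(last_answers, collected_at):
    """Count answers per view as of collected_at.

    last_answers maps endpoint -> (time of last response, answer).
    Returns (online_counts, online_and_recent_offline_counts).
    """
    online, recent = Counter(), Counter()
    for _endpoint, (seen, answer) in last_answers.items():
        age = collected_at - seen
        if age < timedelta(0):
            continue  # responded after this collection; not in this snapshot
        if age <= RECENT_WINDOW:
            recent[answer] += 1
            if age <= ONLINE_WINDOW:
                online[answer] += 1
    return online, recent


# Constructed sample: a Monday 9:00 UTC collection of a reboot-required question.
COLLECTED_AT = datetime(2020, 6, 8, 9, 0, tzinfo=timezone.utc)
SAMPLE = {
    "srv-01": (COLLECTED_AT - timedelta(hours=1), "No"),
    "srv-02": (COLLECTED_AT - timedelta(hours=6), "Yes"),
    "lap-01": (COLLECTED_AT - timedelta(days=2, hours=16), "Yes"),  # off since Friday
    "lap-02": (COLLECTED_AT - timedelta(days=3), "No"),             # off since Friday
    "lap-03": (COLLECTED_AT - timedelta(days=10), "Yes"),           # older than 7 days
}

if __name__ == "__main__":
    online, recent = tally(SAMPLE, COLLECTED_AT)
    print("Online:", dict(online))
    print("Online and Most Recent Offline:", dict(recent))
```

The laptops that were switched off over the weekend drop out of the Online view but still count in the wider view, which is the smoothing effect the toggle provides.
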

Importing the initial gallery is an excellent way to quickly get started with Trends.

Initial Gallery components rely on content within Tanium. If the necessary
content is not installed when you import the initial gallery, the corresponding
sources, boards, and panels will not be created. Initial Content, Managed
Applications, and Tanium Patch are some examples of content Trends will check
for when importing the initial gallery.

As you can see above, you can pick and choose which boards and panels to
import. Once imported, all saved questions created by the initial gallery will be
issued immediately. You can make modifications to titles, descriptions, and
dates of the imported initial gallery items and reimport as necessary.

Labs
• Lab 1 – Load Trends Sample Data
• Lab 2 – Initial Deployment and Inventory

Example Panels and Use Cases

Here’s an example of a Trends panel showing Tanium client deployments over
time. It tells a useful story for how far the deployment has come over the past
month.

In this example, over 80% of the endpoints in the environment are missing over 50 - 100
patches for compliance.

You can show two visualizations side by side to demonstrate that although the
environment is generally compliant with patches, servers are substantially less
compliant.

This panel relies on a custom sensor that can be acquired through a TAM.

Instructions for creating this panel can be found here:

https://community.tanium.com/s/question/0D50e00004ykrbKCAQ/how-to-monitor-patch-list-compliance-using-trends

You can show that the environment is making progress dealing with a new
vulnerability such as the Spectre vulnerability.

You can show how a vulnerability remediation effort has succeeded over time.
This panel shows how the fast response from the environment administrators
has dramatically decreased the vulnerable endpoints within a short period of
time.

Trends is very useful for conveying the status of major operating system
migrations, such as this example of a Windows 10 migration.

Labs
• Lab 3 – Operating System Overview
• Lab 4 – Detailed Technical View – Spectre / Meltdown
• Lab 5 – Publishing an Executive Overview
• Lab 6 – Patch Compliance


Closing Q&A
