Incident Scoping Agent (Preview)

by Tanium Inc

Scope Defender incidents across the enterprise to identify affected entities in real-time.

The Tanium Incident Scoping Agent automates enterprise-wide scoping for Microsoft Defender incidents by bridging detection and investigation. Integrated directly into Microsoft Security Copilot, the Tanium agent uses real-time intelligence from the Tanium Autonomous IT Platform to confirm impacted endpoints across the enterprise.

Agent Task: Ingest entities from a Microsoft Defender incident - files, processes, registry keys, IP addresses, and domains - and identify which are notable or unusual, prioritizing what matters for investigation.


Agent workflow

Input: Scopes each notable entity included in a Microsoft Defender incident across the entire endpoint environment using Tanium real-time intelligence, identifying additional impacted devices, users, and processes that Microsoft Defender might not have surfaced.

Output: Generates a clear scoping report with hashes, paths, users, and parent processes, so analysts have the full view across the environment.

Powered by Tanium's real-time intelligence, the Tanium Incident Scoping Agent enables:

  • Reduced mean time to investigate: Automates the manual KQL queries and console hopping analysts perform on every incident, delivering enterprise-wide results to analysts in near real time.
  • Assurance before containment: Gives analysts the full picture before they act, and the peace of mind to know that every file, process, and network artifact has been checked across the estate.
  • Entity-level intelligence: Provides prevalence and variation data - hashes, paths, parent processes, and users - so analysts can distinguish common artifacts from potential threats.

For more details about Tanium, go to https://www.tanium.com/contact-us/.

Disclaimer:

Your Private Preview of the Service includes Tanium confidential and/or proprietary information and Beta software (“Preview Software”). Because Preview Software can be at various stages of development, operation and use of the Preview Software may be unpredictable. As part of the Private Preview you acknowledge and agree that: (a) Preview Software has not been fully tested; (b) use of Preview Software will be for purposes of evaluating and testing new functionality and providing Feedback to Tanium; and (c) you will inform personnel regarding the nature of the Preview Software.

Tanium’s statements regarding its plans, directions, and intent are subject to change without notice at Tanium’s sole discretion. Information regarding potential future products or functionality is intended to outline our general product direction and it should not be relied on in making a purchasing decision, nor is it incorporated into any contract. It is not a commitment, promise, or legal obligation. The development, release, and timing of any future products or functionality remain at our sole discretion.
