Module 2 — Lesson 1 of 8

Overview & Purpose

What Tanium Investigate is, the problem it solves, its five foundational pillars, and how it works alongside Tanium Performance.

Tanium Investigate bridges the gap between detecting an issue and resolving it. Launched Q3 2023, it reduces Mean Time to Investigate (MTTI) and Mean Time to Remediate (MTTR) by consolidating endpoint data, collaboration, and remediation into one workspace.

$9K+: Cost per Min of IT Downtime
23 min: Lost per Context Switch
1 Pane: Single Console for Everything
3 Teams: Help Desk + Ops + Security

The 5 Pillars of Investigate

1. Data Collection: Processes, files, network, events
2. Data Enrichment: Correlate & contextualize
3. Data Visualization: Timelines, trees, charts
4. Collaboration: Shared workspace & annotations
5. Remediation: Kill, deploy, restart, fix

Think of it this way

If Tanium Performance is the smoke detector, Tanium Investigate is the firefighter's toolkit -- thermal camera, hose, radio, and incident report all in one.

The Problem: Swivel-Chair Troubleshooting

Without Investigate, a single "my laptop is slow" ticket sends a tech through 5+ tools and 45 minutes of tab-switching.

1. Ticket Arrives: Read the help desk ticket description
2. Lookup Machine: Open SCCM / endpoint tool to find the device
3. Check Monitoring: Switch to a separate monitoring dashboard
4. Remote In: Use a separate remote-access tool
5. Manual Checks: Event logs, Task Manager, installed apps
6. Ask a Colleague: Message on Teams: "Have you seen this before?"

Investigate collapses all 6 steps into one console.

Performance vs. Investigate

| Aspect | Tanium Performance | Tanium Investigate |
|---|---|---|
| Focus | Monitoring & health scoring | Active troubleshooting & resolution |
| Primary Use | Detecting degradation proactively | Diagnosing root cause of known issues |
| View | Fleet-wide dashboards & trends | Single endpoint deep-dive & workspaces |
| Data | Aggregated health scores & metrics | Granular process-level & event-level data |
| Actions | Alerting, reporting, fleet remediation | Remote mgmt, file download, process control |

Tandem Workflow

1. Performance Detects: Health scores drop on 15 Sales endpoints
2. Performance Alerts: Threshold alert fires, IT Ops notified
3. Investigate Takes Over: Tech opens SEV on an affected machine
4. Investigate Diagnoses: CRM update causing a memory leak identified
5. Investigate Remediates: Kill process + deploy rollback from workspace

Key Terminology

Scenario: Map the Right Tool

For each situation, decide whether you would use Tanium Performance, Tanium Investigate, or both working together.

A. You need to see fleet-wide boot time trends across all departments this month.

Correct! Fleet-wide dashboards and trend analysis is Performance's domain.
Not quite. Fleet-wide monitoring and trends belong to Performance. Investigate focuses on individual endpoint deep-dives.

B. A user reports Outlook keeps freezing. You need to see which process is consuming memory on their machine.

Correct! Process-level deep-dive on a single endpoint is exactly what Investigate's SEV provides.
Not quite. Single-endpoint process-level troubleshooting is Investigate territory -- specifically the Single Endpoint View.

C. Health scores drop for 30 endpoints in Accounting. You need to find out why and fix it.

Correct! Performance detects the fleet-wide drop and alerts. Investigate then deep-dives into affected endpoints, diagnoses root cause, and remediates.
Not quite. This scenario needs both: Performance for detection and alerting, then Investigate for root cause analysis and remediation on affected endpoints.

Who Uses Investigate?

Match each persona to their primary use case:

L1/L2: SEV for quick ticket triage -- hardware, software, performance at a glance
IT Ops: Workspaces for multi-team, multi-endpoint incident response
Security: Direct Connect + file download for forensic evidence collection

✍ Knowledge Check

1. What two metrics is Tanium Investigate specifically designed to reduce?

Correct! Tanium Investigate was purpose-built to reduce Mean Time to Investigate (MTTI) and Mean Time to Remediate (MTTR).
Not quite. Investigate targets MTTI (Mean Time to Investigate) and MTTR (Mean Time to Remediate) -- the two metrics most impacted by tool fragmentation.

2. Which of the following is NOT one of the five pillars of Tanium Investigate?

Correct! Patch Management is handled by the Tanium Patch module. The five pillars are Data Collection, Data Enrichment, Data Visualization, Collaboration, and Remediation.
Not quite. The five pillars are: Data Collection, Data Enrichment, Data Visualization, Collaboration, and Remediation. Patch Management belongs to Tanium Patch.

3. How do Tanium Performance and Tanium Investigate work together?

Correct! Performance is the early warning system; Investigate is the response toolkit for root cause analysis and remediation.
Not quite. Performance monitors and alerts; Investigate provides the deep-dive tools to diagnose root cause and remediate.
Mercury Insurance — Digital Workplace Team
DEX Specialization Training © 2026