Module 2 — Lesson 5 of 8

Direct Connect

Establish a real-time, persistent connection to an individual endpoint for deep, live investigation — browsing files, inspecting processes, pulling evidence, and monitoring performance as it happens.

Direct Connect is a real-time, persistent connection from the Tanium console to a specific endpoint. Unlike standard Tanium questions — which broadcast queries to thousands of machines and collect aggregated results — Direct Connect opens a dedicated, live session to a single device. Think of it as a secure, agent-based remote console that gives you deep visibility into everything happening on that endpoint right now, without requiring the user to install anything extra or grant screen-sharing access.

How Direct Connect Works

[Diagram: Your browser (Tanium Console, Direct Connect UI) connects over encrypted HTTPS to the Tanium Server (authentication, RBAC, broker), which maintains a persistent channel to the Tanium Client on the target endpoint. Live data and responses flow back through the server. Panels shown: Processes (CPU, memory, PID), Files (browse and pull), Registry (keys and values), Performance Monitor (real-time graphs), Audit Log (every action).]

Direct Connect Capabilities

💻 Live Processes: See every running process with CPU, memory, disk I/O, and parent/child trees in real time.
📁 File Browsing: Navigate the full file system remotely -- browse, inspect, and download files for analysis.
📈 Real-Time Performance: Live CPU, memory, disk, and network graphs updating every few seconds.
🔑 Registry + Audit: Inspect registry keys live; every action is logged in a tamper-proof audit trail.
Key Concept

Direct Connect is not a replacement for Tanium's fleet-wide question/answer model. It complements it. Use fleet queries to identify which endpoints have a problem, then use Direct Connect to dive deep into a specific endpoint for detailed investigation.

Establishing a Direct Connect Session

Navigate

From the SEV, Investigation Workspace, or endpoint listing, select the target machine and click "Direct Connect."

Authenticate

The Tanium server sends a connection request. The client authenticates the request and verifies your RBAC permissions.

Live Session

A persistent channel opens. The console displays live tabs for processes, file system, registry, and performance metrics.

Investigate

Browse files, inspect processes, pull evidence, monitor performance -- all in real time from a single interface.

Disconnect

Close the session. The channel tears down and the endpoint returns to normal polling. Sessions time out automatically after 15-30 minutes of inactivity.

The entire connection is brokered through the Tanium server — your browser never communicates directly with the endpoint. This means Direct Connect works regardless of the endpoint's network location: on-premises, remote over VPN, or on a home network, as long as the Tanium client can reach the Tanium server.

Simulated: Direct Connect Session

Direct Connect -- CAEI778766 (jsmith, Claims)
CPU Usage: 92% | Memory: 78% | Disk I/O: 45% | Session Status: Connected
Process            PID    CPU %   Memory (MB)   Disk I/O   Parent
CRMAgent.exe       4821   68.2%   3,247         High       services.exe
outlook.exe        2104   8.4%    412           Med        explorer.exe
chrome.exe         3367   5.1%    890           Low        explorer.exe
svchost.exe        1028   3.2%    156           Low        services.exe
TaniumClient.exe   812    0.8%    45            Low        services.exe
ALERT: Resource Hog Detected
CRMAgent.exe (PID 4821) is consuming 68.2% CPU and 3.2 GB RAM. Process started 4h 32m ago. Parent: services.exe. This process is the primary cause of the user's reported slowness.

Capability Deep Dives

When to Use Direct Connect vs. Other Methods

Situation                                      | Best Tool                | Why
Problem happening right now on one endpoint    | Direct Connect           | Live, real-time data from that specific machine
Need to browse files or download evidence      | Direct Connect           | File system access without remote desktop
Need registry-level detail                     | Direct Connect           | Live registry browsing, no user interaction needed
User unavailable or non-technical              | Direct Connect           | No user involvement required
Check many endpoints at once                   | Fleet Queries            | Direct Connect is one endpoint at a time
Need historical data                           | Fleet Queries / TDS      | Direct Connect shows current state only
Scoping a problem across the fleet             | Fleet Queries            | Identify how many endpoints are affected first
Multi-team, multi-source correlation           | Investigation Workspace  | Combines fleet data, timelines, annotations
Building a case with evidence chain            | Investigation Workspace  | Persistent record with annotations over time

Audit Trail: Every Action is Logged

Every action you take during a Direct Connect session is recorded in Tanium's audit log:

  • Who initiated the session (your Tanium username)
  • When the session started and ended
  • Which endpoint was connected to
  • Every file browsed, downloaded, or deleted
  • Every process inspected or terminated
  • Every registry key viewed or modified

The audit log is stored server-side and cannot be modified by the person who performed the actions. It is accessible to Tanium administrators and can be exported for compliance reporting or integration with your SIEM.

Pro Tip

Direct Connect requires the endpoint to be online and communicating with the Tanium server. If the user says their machine "froze" and they force-powered it off, you cannot connect until it boots back up. If you suspect an intermittent issue, connect proactively while the machine is still running and symptomatic, rather than waiting for the user to reboot first.

Best Practice

Before starting a Direct Connect session for a sensitive investigation (HR issue, security incident, legal hold), document your purpose in the investigation workspace or your ticketing system. This establishes intent and context that complements the technical audit trail.
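As an added example (not Tanium's code or export format), the script below shows how an exported audit trail of the kind described above can be reviewed against the documented-purpose practice just recommended: it groups records by session and flags sessions with no ticket on record or with actions that changed the endpoint. The record layout, action names, sample records and the (user, endpoint) to ticket register are all constructed assumptions.

```python
"""Review exported Direct Connect audit records against documented intent.

Added example, not Tanium's code. The record layout, action names and the
documented-purpose register below are constructed assumptions; the page only
lists which facts the audit log captures, not its export format.
"""
from collections import defaultdict

# Actions that alter the endpoint; these warrant review even when documented.
PRIVILEGED_ACTIONS = {"file_delete", "process_terminate", "registry_modify"}

# Constructed sample export: (session, timestamp, user, endpoint, action, target).
AUDIT_RECORDS = [
    ("dc-001", "2026-03-02T14:01Z", "analyst1", "CAEI778766", "session_start", ""),
    ("dc-001", "2026-03-02T14:02Z", "analyst1", "CAEI778766", "process_inspect", "CRMAgent.exe:4821"),
    ("dc-001", "2026-03-02T14:05Z", "analyst1", "CAEI778766", "file_download", "C:\\Logs\\crm.log"),
    ("dc-001", "2026-03-02T14:09Z", "analyst1", "CAEI778766", "session_end", ""),
    ("dc-002", "2026-03-02T22:40Z", "analyst2", "WS-000123", "session_start", ""),
    ("dc-002", "2026-03-02T22:41Z", "analyst2", "WS-000123", "file_delete", "C:\\Temp\\notes.txt"),
    ("dc-002", "2026-03-02T22:44Z", "analyst2", "WS-000123", "session_end", ""),
]

# Constructed register of documented purpose from the ticketing system.
DOCUMENTED = {("analyst1", "CAEI778766"): "INC0091547"}


def review_sessions(records, documented):
    """Group records by session id and return a findings dict per session."""
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec[0]].append(rec)
    findings = {}
    for sid, recs in by_session.items():
        recs.sort(key=lambda r: r[1])  # timestamps share one format, so string order works
        _, started, user, endpoint, _, _ = recs[0]
        ended = recs[-1][1] if recs[-1][4] == "session_end" else None
        privileged = [(r[4], r[5]) for r in recs if r[4] in PRIVILEGED_ACTIONS]
        ticket = documented.get((user, endpoint))
        flags = []
        if ticket is None:
            flags.append("no documented purpose")
        if privileged:
            flags.append("privileged actions")
        if ended is None:
            flags.append("no session_end record")
        findings[sid] = {"user": user, "endpoint": endpoint, "started": started,
                         "ended": ended, "ticket": ticket,
                         "privileged": privileged, "flags": flags}
    return findings


if __name__ == "__main__":
    for sid, f in review_sessions(AUDIT_RECORDS, DOCUMENTED).items():
        print(sid, f["user"], f["endpoint"], f["ticket"], f["flags"])
```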

Scenario: What Would You Do?

Help Desk Ticket #INC0091547

Reported by: Claims adjuster, working from home
Subject: "My laptop is extremely slow right now"
Details: Can barely open Outlook and has a deadline in 30 minutes. Health score: 31 (Critical). User is remote.

What is the best immediate action?

Correct! The user has a 30-minute deadline and the problem is happening right now. Direct Connect lets you see exactly what is consuming resources in real time without requiring the user to do anything or interrupting their work.
Not quite. The user has a 30-minute deadline -- Direct Connect gives you live process visibility immediately without disrupting the user. A reboot wastes time and may not fix the root cause. A fleet query does not help this specific user right now. Scheduling for tomorrow is unacceptable given the deadline.

Scenario: Choosing the Right Tool

For each situation, select the most appropriate investigation approach:

A. 15 endpoints in Accounting all show health scores below 40 since this morning. You need to understand the scope and commonality.

Correct! Use fleet queries first to scope the problem across all affected endpoints, identify commonalities (same software update? same patch?), and then Direct Connect to one machine for the granular deep dive.
Not quite. Connecting to 15 endpoints one at a time is inefficient. Start with a fleet query to identify patterns across all 15, then Direct Connect to one representative machine for detail.

B. A user reports they cannot open a specific application. You suspect a corrupted config file in the user's AppData directory.

Correct! Direct Connect's file browsing capability lets you navigate directly to the suspected file, inspect it, and even download it for comparison -- all without the user needing to do anything.
Not quite. Direct Connect is designed for exactly this scenario -- you need file-system-level access on a specific endpoint. No need to involve the user or query the whole fleet.

✍ Knowledge Check

1. What is the primary difference between Direct Connect and a standard Tanium fleet query?

Correct! Direct Connect opens a dedicated, real-time channel to one endpoint for granular investigation (file browsing, process inspection, registry checks). Fleet queries broadcast to thousands of endpoints and return summarized results. They serve different purposes and complement each other.
Not quite. Direct Connect opens a persistent, live channel to a single endpoint for deep investigation. Fleet queries are for asking questions across many endpoints at once. They complement each other.

2. Which of the following is NOT something you can do during a Direct Connect session?

Correct! Direct Connect shows the current, real-time state of the endpoint. It does not provide historical data. For historical performance trends, use Tanium Performance dashboards or the Investigation Workspace timeline views.
Not quite. Direct Connect is a live, real-time tool -- it shows what is happening now, not what happened 30 days ago. Use Performance dashboards or TDS for historical data.

3. Why is the audit trail for Direct Connect sessions important?

Correct! The audit trail records who connected, when, to which endpoint, and every action performed. Essential for compliance reporting, security investigations, and protecting the investigator with a verifiable record.
Not quite. The audit trail is a tamper-proof record of all actions taken during a session -- who, what, when, and where. It is critical for compliance, security, and accountability.
Mercury Insurance — Digital Workplace Team
DEX Specialization Training © 2026