Module 2 — Lesson 8 of 8 (Capstone)

Real-World Scenarios

Apply everything you have learned in Module 2 to four realistic scenarios based on challenges IT teams face at Mercury Insurance every day. These scenarios require you to combine Direct Connect, remote remediation, ServiceNow integration, and investigation skills.

Putting It All Together

In lessons 1 through 7, you learned the foundations of Tanium Investigate: Single Endpoint View, data collection, the investigation workspace, Direct Connect, remote remediation, and ServiceNow integration. This capstone lesson presents four scenarios that require you to apply multiple skills together, just as you would in a real production environment at Mercury Insurance.

For each scenario, read the situation carefully, think about what tools and techniques you would use, and then select the best course of action. After checking your answer, read the full walkthrough to understand the complete approach.

Module 2 Skills Integration

Tanium Investigate
- Single Endpoint View (SEV)
- Direct Connect: live process/file access
- Data Collection: sensors & queries
- Remediation: kill, deploy, restart
- Investigation Workspace
- ServiceNow Integration
- Tanium Performance: fleet-level context

Four Scenarios at a Glance

🧊 Scenario 1: Frozen Computer. Urgent help desk ticket, user has a 20-minute deadline. Direct Connect + process kill.
🔒 Scenario 2: Suspicious Process. Security alert on 3 endpoints. Quarantine + evidence collection.
🛠 Scenario 3: Post-Patch Issues. 50 endpoints degraded. Performance + Investigate together.
📄 Scenario 4: ServiceNow-Driven. Full disk, slow laptop. Investigate and remediate from SN.

Key Principles for Real-World Investigations

Assess First

Always check the SEV and endpoint data before taking action. Understand the scope and severity.

Contain if Needed

For security incidents, quarantine first to stop damage while preserving evidence for analysis.

Use the Right Tool

Performance for fleet-level trends, Investigate for endpoint deep dives. They complement each other.

Document Everything

Annotations, work notes, ticket updates. Build the record as you go, not from memory after.

Prevent Recurrence

Fixing the symptom is not enough. Address the root cause and deploy preventive measures fleet-wide.

Scenario 1: "My Computer is Frozen"

The Situation

A Personal Lines underwriter calls the help desk: "My computer is completely frozen. I can't click anything, the mouse moves but nothing responds. I have a policy review due in 20 minutes and I can't access any of my files." The user is in the Rancho Cucamonga office.

Your Investigation Data

Single Endpoint View — CAEI779855
Health Score: 12 | CPU: 100% (47 min) | Memory: 88% | Disk: 72%

Process            CPU   Memory   Status
WINWORD.EXE        78%   4.2 GB   Runaway
OneDrive.exe       12%   1.8 GB   Elevated
explorer.exe        3%   280 MB   Normal
TaniumClient.exe    1%    85 MB   Responsive
KEY INSIGHT: Tanium client is responsive even though UI is frozen. Direct Connect is available.

Full Walkthrough

Open Direct Connect

From the SEV, initiate a Direct Connect session. The session establishes within seconds because the Tanium client is still responsive.

Confirm the Process

In the Processes tab, verify WINWORD.EXE is at 78% CPU and 4.2 GB RAM. Note the PID for the audit trail.

Notify the User

"I can see the issue remotely. Microsoft Word has frozen and is consuming all your CPU. I'm going to close the stuck Word process — you may lose any unsaved changes. Is that okay?"

Kill the Process

Terminate WINWORD.EXE via Direct Connect. Within 5-10 seconds, CPU drops to 22% and the machine becomes responsive.

Verify and Document

Watch performance graphs stabilize. Ask user to confirm. Investigate root cause (large file? COM add-in? OneDrive conflict?). Update ticket. Total time: under 5 minutes.

Scenario 2: Suspicious Process Detected

The Situation

The security team sends an urgent message: "We have detected an unusual process, svchost-update.exe, running on 3 endpoints in Claims. The process name is designed to look like a legitimate Windows service but it is not a known Microsoft binary. It was first seen 2 hours ago and appears to be making outbound HTTPS connections to an external IP."

Investigation Workspace — SEC-2026-0312 — Suspicious Process
Tabs: Affected Endpoints (3) | Process Details | Network IOCs | Timeline
Severity: Critical | Endpoints: 3 | Time Active: 2h 14m | Outbound Conn: Active

Endpoint     User    Process Path                                           Hash (SHA-256)   External IP
CAEI781901   jsmith  C:\Users\jsmith\AppData\Local\Temp\svchost-update.exe   a3f8e2...7d91    185.234.xx.xx:443
CAEI782340   alee    C:\Users\alee\AppData\Local\Temp\svchost-update.exe     a3f8e2...7d91    185.234.xx.xx:443
CAEI782901   mwong   C:\Users\mwong\AppData\Local\Temp\svchost-update.exe    a3f8e2...7d91    185.234.xx.xx:443
ANALYSIS: Same file hash across all 3 endpoints. Same external IP. Parent process: powershell.exe. Persistence: scheduled task "WindowsUpdateCheck" found.

Full Walkthrough

Create Workspace

Open investigation, link to security incident number, add all 3 endpoints.

Quarantine Immediately

Isolate all 3 endpoints from the network. Tanium client maintains its connection for continued investigation. Stop potential data exfiltration.

Gather Evidence

Direct Connect to each endpoint: record PID, parent process, file path, creation timestamp. Download the executable. Record SHA-256 hash for threat intel lookup.

Check Network IOCs

Identify the external IP, port, connection duration. Provide to security team for firewall blocking.

Check Persistence

Search registry auto-run entries. Check Task Scheduler. Found: scheduled task "WindowsUpdateCheck" — this is how it survives reboots.

Document and Hand Off

All findings in investigation workspace with annotations. Push to ServiceNow security incident. Security team has hashes, IOCs, timeline, and full evidence chain.
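The Gather Evidence and Check Persistence steps above are performed by hand through Direct Connect. As an added example that is not part of the course material or Tanium's own tooling, the following PowerShell script collects the same evidence from a single endpoint by script, so the record is identical across all three machines: PID, parent process, path, creation time, SHA-256 hash, established connections, and any scheduled task or Run key that references the executable. It is read-only and changes nothing on the endpoint; the process name, the output path, and the two Run-key locations it checks are assumptions.

```powershell
# Added triage example (not part of the course or Tanium's own tooling).
# Collects the evidence the walkthrough records by hand: PID, parent, path,
# creation time, SHA-256, established connections and persistence entries
# that reference the executable. Read-only: it changes nothing on the host.
param(
    [string]$ProcessName = 'svchost-update.exe',                                # name from the alert
    [string]$OutFile     = "$env:ProgramData\IR\triage-$env:COMPUTERNAME.json"  # assumed evidence path
)

$procs = @(Get-CimInstance Win32_Process -Filter "Name = '$ProcessName'")
if ($procs.Count -eq 0) {
    Write-Output "No running process named $ProcessName on $env:COMPUTERNAME"
    return
}

# Auto-run locations checked for persistence (assumed set; extend as needed)
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

$records = foreach ($p in $procs) {
    $leaf   = if ($p.ExecutablePath) { Split-Path $p.ExecutablePath -Leaf } else { $ProcessName }
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"

    # Hash the on-disk image so the security team can pivot on it in threat intel
    $hash = if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
        (Get-FileHash -LiteralPath $p.ExecutablePath -Algorithm SHA256).Hash
    } else { $null }

    # Network IOCs: established TCP connections owned by this PID
    $conns = Get-NetTCPConnection -OwningProcess $p.ProcessId -State Established -ErrorAction SilentlyContinue |
        Select-Object RemoteAddress, RemotePort

    # Persistence: scheduled tasks whose action launches this executable
    $tasks = Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
        $_.Actions | Where-Object { $_.Execute -like "*$leaf*" }
    } | Select-Object TaskName, TaskPath

    # Persistence: Run-key values that reference this executable
    $autoruns = foreach ($k in $runKeys) {
        if (Test-Path $k) {
            (Get-ItemProperty -Path $k).PSObject.Properties |
                Where-Object { $_.Value -like "*$leaf*" } |
                Select-Object Name, Value
        }
    }

    [pscustomobject]@{
        Endpoint       = $env:COMPUTERNAME
        PID            = $p.ProcessId
        ParentPID      = $p.ParentProcessId
        ParentName     = $parent.Name
        Path           = $p.ExecutablePath
        CommandLine    = $p.CommandLine
        Created        = $p.CreationDate
        SHA256         = $hash
        Connections    = @($conns)
        ScheduledTasks = @($tasks)
        RunKeys        = @($autoruns)
    }
}

# Write the snapshot for the investigation workspace and show it on screen
New-Item -ItemType Directory -Path (Split-Path $OutFile -Parent) -Force | Out-Null
$records | ConvertTo-Json -Depth 5 | Set-Content -LiteralPath $OutFile
$records | Format-List
```

Run it after quarantine and before any remediation, once per affected endpoint; the three JSON files then go into the workspace as annotations, and the identical hash and remote address across them confirms the "same binary, same destination" finding in the analysis above.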

Scenario 3: Post-Patch Troubleshooting

The Situation

Tanium Performance alerts fire at 8:15 AM Wednesday: 50 endpoints across Underwriting have degraded health scores. Average health dropped from 76 to 41 overnight. A cumulative Windows update was deployed Tuesday night. The Underwriting manager calls: "Half my team can't work — their laptops are crawling. What did you do to our machines?"

Tanium Performance — Underwriting Computer Group
Affected: 50 (of 120) | Avg Health Drop: 76 → 41 | Avg CPU: 82% (baseline: 28%) | Disk I/O Latency: 4x

Group                  Count   Patched     Avg Health   Avg CPU
Affected Endpoints     50      Tue night   41           82%
Unaffected Endpoints   70      Not yet     78           25%
Early-patched (1 AM)   5       Tue 1 AM    72           30%
KEY INSIGHT: Early-patched endpoints (1 AM) already recovered to health 72. Post-patch optimization is transient.

Full Walkthrough

Confirm with Performance

Filter to Underwriting group. Verify all 50 affected endpoints were patched between 1-3 AM Tuesday. The 70 unaffected were scheduled for Wednesday night.

Pivot to Investigate

Create investigation workspace. Select 3 representative affected endpoints (different hardware, different sub-teams).

Direct Connect Deep Dive

All 3 show TiWorker.exe at 40-55% CPU and SearchIndexer.exe at 15-25%. These are standard post-patch optimization processes.

Check Early-Patched Machines

The 5 endpoints patched at 1 AM have already recovered to health 70+. Post-patch processes completed after ~6 hours.

Communicate

Inform the manager: "Standard Windows post-patch optimization. Based on early-patched machines, expect recovery by noon."

Monitor Stragglers

At noon, 45 of 50 recovered. For the remaining 5, Direct Connect reveals stuck TiWorker. Deploy targeted service restart.
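The Monitor Stragglers step distinguishes a TiWorker.exe that is still doing normal post-patch work from one that is stuck. As an added example that is not part of the course material or Tanium's own tooling, this PowerShell script makes that judgement explicit: it reports how long each TiWorker.exe has been running and how much CPU it has consumed, flags it as stuck once it has exceeded the recovery time the early-patched machines needed, and only restarts the Windows Modules Installer service (which owns TiWorker.exe) when the -Restart switch is given. The 6-hour and 30% thresholds are assumptions taken from the scenario's own numbers.

```powershell
# Added example (not part of the course or Tanium's own tooling): flag a
# TiWorker.exe that has run far longer than the early-patched machines needed,
# and optionally restart the TrustedInstaller service that owns it.
# Thresholds are assumptions derived from the scenario (~6 h to recover).
param(
    [double]$MaxHours    = 6,     # early-patched endpoints finished in about 6 h
    [double]$MinCpuShare = 0.30,  # "busy" means at least this share of one core
    [switch]$Restart              # omit to report only
)

function Get-TiWorkerStatus {
    $now = Get-Date
    foreach ($p in (Get-Process -Name TiWorker -ErrorAction SilentlyContinue)) {
        $elapsedHours = ($now - $p.StartTime).TotalHours
        # CPU time consumed as a fraction of wall-clock time on a single core
        $cpuShare = if ($elapsedHours -gt 0) { $p.TotalProcessorTime.TotalHours / $elapsedHours } else { 0 }
        [pscustomobject]@{
            PID          = $p.Id
            RunningHours = [math]::Round($elapsedHours, 1)
            CpuShare     = [math]::Round($cpuShare, 2)
            Stuck        = ($elapsedHours -gt $MaxHours -and $cpuShare -ge $MinCpuShare)
        }
    }
}

$status = @(Get-TiWorkerStatus)
if ($status.Count -eq 0) {
    Write-Output 'TiWorker.exe is not running: post-patch servicing has completed.'
    return
}
$status | Format-Table -AutoSize

if ($Restart -and ($status | Where-Object Stuck)) {
    # TiWorker.exe is started by the TrustedInstaller (Windows Modules Installer)
    # service; restarting the service ends the stuck worker so servicing can resume
    Restart-Service -Name TrustedInstaller -Force
    Write-Output 'TrustedInstaller restarted; re-check the health score in Performance after servicing resumes.'
}
```

Deployed without -Restart across the 50 affected endpoints it produces the straggler list; deployed with -Restart only to the 5 that report Stuck it is the targeted service restart the walkthrough describes, leaving the 45 that recovered on their own untouched.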

Scenario 4: ServiceNow-Driven Investigation

The Situation

A ServiceNow ticket from a Claims adjuster: "My laptop is very slow and I can't open any applications. Outlook takes 5 minutes to load, Excel won't open at all, and I get 'low disk space' warnings every few minutes. This has been getting worse for the past week."

ServiceNow — INC0091847 — Tanium Endpoint Panel
Health Score: 18 | Disk: 99.2% (237/240 GB) | Memory: 82% | CPU: 45%

Directory                               Size    Files    Status
C:\ProgramData\AppLogs\ClaimsSystem\    85 GB   12,847   Unmanaged logs
C:\Users\mgarcia\                       42 GB   --       Normal
C:\Windows\                             38 GB   --       Normal
C:\Program Files\                       28 GB   --       Normal
ROOT CAUSE: ClaimsSystem application logs never configured for rotation. 85 GB accumulated over 18 months. Logs > 90 days safe to remove per compliance.

Full Walkthrough

Check Tanium Data in SN

Open ticket, view embedded Tanium data. Health: 18, Disk: 99.2%. Immediately see disk is the primary issue.

Identify the Consumer

Launch Investigate from SN. Direct Connect file system browser reveals 85 GB of ClaimsSystem log files dating back 18 months.

Verify Safety

Most recent 30 days = 4 GB. Remaining 81 GB are historical logs older than 30 days. Compliance requires only 90-day retention.

Deploy Cleanup from SN

Trigger Tanium disk cleanup targeting files > 90 days old. Frees 78 GB. Disk drops from 99.2% to 66%.

Verify and Prevent

Health score recovers to 62. Apps launch normally. Create follow-up: configure log rotation fleet-wide for all ClaimsSystem endpoints.

Pro Tip: Reactive vs. Proactive

Cleaning up the logs fixes this one machine. Configuring log rotation fleet-wide prevents this from happening on every endpoint running the Claims application. That is the difference between reactive support (fixing the symptom) and proactive engineering (fixing the root cause).
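The Verify Safety, Deploy Cleanup and Verify and Prevent steps of Scenario 4, and the reactive-versus-proactive point just made, can be carried by one script. As an added example that is not part of the course material or Tanium's own tooling, the following PowerShell script first reports the log directory by age bucket (mirroring the "most recent 30 days = 4 GB" safety check), then removes only files older than the retention period, and only when the -Delete switch is present; run once from the ticket it is the reactive cleanup, run daily from a scheduled task or Tanium package it becomes the proactive rotation. The directory path and the 90-day retention come from the scenario; the bucket boundaries and the use of last-write time as the file's age are assumptions.

```powershell
# Added example (not part of the course or Tanium's own tooling): age-bucket
# report for the ClaimsSystem log directory, then removal of files older than
# the retention period. Dry run unless -Delete is given. Path and 90-day
# retention come from the scenario; bucket boundaries are assumptions.
param(
    [string]$LogRoot       = 'C:\ProgramData\AppLogs\ClaimsSystem',
    [int]   $RetentionDays = 90,
    [switch]$Delete
)

function Get-LogAgeReport {
    param([string]$Root, [int]$Retention)
    $files = @(Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue)
    # Group by age bucket; the numeric prefix keeps the buckets in order when sorted
    $files | Group-Object -Property {
        $age = ((Get-Date) - $_.LastWriteTime).TotalDays
        if     ($age -le 30)         { '1: 0-30 days' }
        elseif ($age -le $Retention) { "2: 31-$Retention days" }
        else                         { "3: over $Retention days" }
    } | Sort-Object Name | ForEach-Object {
        [pscustomobject]@{
            Bucket = $_.Name.Substring(3)
            Files  = $_.Count
            GB     = [math]::Round(($_.Group | Measure-Object -Property Length -Sum).Sum / 1GB, 2)
        }
    }
}

# Safety check first: how much of the directory is actually past retention?
Get-LogAgeReport -Root $LogRoot -Retention $RetentionDays | Format-Table -AutoSize

$cutoff  = (Get-Date).AddDays(-$RetentionDays)
$expired = @(Get-ChildItem -LiteralPath $LogRoot -Recurse -File -ErrorAction SilentlyContinue |
             Where-Object { $_.LastWriteTime -lt $cutoff })
$freedGB = [math]::Round(($expired | Measure-Object -Property Length -Sum).Sum / 1GB, 2)

if (-not $Delete) {
    Write-Output "Dry run: $($expired.Count) files ($freedGB GB) are older than $RetentionDays days. Re-run with -Delete to remove them."
    return
}

# Only files past retention are touched; the current 90 days stay in place
$expired | Remove-Item -Force -ErrorAction Continue
Write-Output "Removed $($expired.Count) files and freed about $freedGB GB."

# Confirm the effect the same way the walkthrough does: disk usage after cleanup
Get-PSDrive -Name C | Select-Object `
    @{ Name = 'UsedGB'; Expression = { [math]::Round($_.Used / 1GB, 1) } },
    @{ Name = 'FreeGB'; Expression = { [math]::Round($_.Free / 1GB, 1) } }
```

The dry run is the default on purpose: the report it prints is the evidence for the ticket's work notes, and a second run with -Delete is the audited action. A proper fix also sets the rotation inside the ClaimsSystem logging configuration itself; this script is the fleet-wide backstop that keeps the directory within policy even where that configuration is missed.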

Scenario 1: "My Computer is Frozen"

Quick Recap

Underwriter's UI is frozen. 20-minute deadline. Health score 12, CPU 100% for 47 minutes. WINWORD.EXE at 78% CPU, 4.2 GB RAM. Tanium client is responsive.

What is the best immediate action?

Correct! The Tanium client is still responsive even though the UI is frozen. Use Direct Connect to kill the runaway Word process. The machine should become responsive within seconds. Total resolution: under 5 minutes.
Not quite. A force shutdown (A) risks data loss and takes several minutes. Scheduled reboot (C) does not address the immediate crisis. Disk cleanup (D) is irrelevant — disk is only at 72%. Direct Connect process kill is the fastest, safest option.

Scenario 2: Suspicious Process Detected

Quick Recap

Security alert: svchost-update.exe on 3 Claims endpoints. Not a known Microsoft binary. Making outbound HTTPS connections to external IP. First seen 2 hours ago. Potential data exfiltration.

What is the best approach?

Correct! Security investigations require: contain, investigate, document. Quarantine stops network communication while keeping Tanium open. Gather evidence (hashes, IOCs, parent process, persistence) for the security team. Deleting (A) destroys evidence. Rebooting (C) clears volatile evidence and the process may restart. Waiting (D) allows exfiltration to continue.
Not quite. In security incidents: quarantine first (stop damage), then investigate (gather evidence), then document (hashes, IOCs, timeline). Never destroy evidence by deleting files or rebooting before collecting it.

Scenario 3: Post-Patch Troubleshooting

Quick Recap

50 of 120 Underwriting endpoints degraded after Tuesday night's Windows update. Health dropped from 76 to 41. CPU averaging 82%. 70 unpatched endpoints are fine. Early-patched machines have already recovered.

What is the best approach?

Correct! This demonstrates Performance + Investigate working together. Performance gives fleet-level scope, Investigate gives endpoint-level root cause. You may find TiWorker.exe (transient) or an incompatible application (persistent). Rolling back (A) is premature. Disabling alerts (C) leaves you blind. Mass reboot (D) disrupts everyone.
Not quite. Always diagnose before remediate. Performance tells you how many are affected and when it started. Investigate tells you why. Together they let you make an informed decision.

Scenario 4: ServiceNow-Driven Investigation

Quick Recap

Claims adjuster ticket: laptop very slow, can't open apps, "low disk space" warnings. Getting worse for a week. You are in ServiceNow with Tanium integration. Health score 18, disk 99.2%.

What is the best approach?

Correct! The ServiceNow-Tanium integration handles the entire workflow. Pull Tanium data, see disk at 99%, use Direct Connect to find 85 GB of unrotated log files, deploy targeted cleanup, verify recovery. User continues working uninterrupted. Then configure log rotation fleet-wide to prevent recurrence.
Not quite. Asking the user to delete files (A) puts the burden on them. An OS reinstall (C) is massively disproportionate. A new laptop (D) is wasteful. The ServiceNow-Tanium integration lets you investigate and fix silently from within the ticket.

✍ Module 2 Review: Lessons 5-8

1. What is the key requirement for establishing a Direct Connect session to an endpoint?

Correct! Direct Connect requires the endpoint to be powered on and the Tanium client to have an active communication path. No user interaction, VPN tunnels, or remote desktop is needed.
Not quite. Direct Connect only requires the endpoint to be online and the Tanium client to be communicating with the server. Everything flows through the existing Tanium infrastructure.

2. Why should you quarantine an endpoint rather than simply deleting a suspicious file during a security investigation?

Correct! In security incidents, evidence preservation is critical. Quarantine contains the threat while keeping the Tanium channel open for investigation. Deleting removes evidence and may not remove persistence mechanisms.
Not quite. Quarantine serves two purposes: stop the threat (cut network) and preserve evidence (keep files for forensic analysis). Deletion destroys evidence and may not stop the threat if persistence mechanisms exist.

3. In the post-patch troubleshooting scenario, how do Tanium Performance and Tanium Investigate work together?

Correct! Performance and Investigate are complementary. Performance excels at fleet-level visibility (50 of 120 dropped). Investigate excels at individual analysis (TiWorker.exe at 55% CPU). Together: scope (Performance), diagnose (Investigate), verify (Performance again).
Not quite. They are complementary modules. Performance shows the big picture (fleet health trends), Investigate shows the details (individual processes and files). Together they provide complete diagnostic capability.

4. What is the biggest advantage of the Tanium-ServiceNow integration for help desk agents?

Correct! The integration empowers agents to investigate and remediate from within their primary workflow tool (ServiceNow), without learning the Tanium console, without tool-switching, and without disruptive remote desktop sessions.
Not quite. The key advantage is that agents can see endpoint data and take action from within ServiceNow — no tool-switching, no remote desktop sessions, no disruption to end users.

5. In the "slow laptop with full disk" scenario, what was the critical step that prevented the problem from recurring?

Correct! Cleaning up current logs fixes the immediate problem. Configuring log rotation and deploying it fleet-wide prevents this from recurring on any endpoint running the Claims application. Reactive vs. proactive.
Not quite. The preventive step is configuring log rotation fleet-wide. Without it, the logs will grow back to 85 GB in 18 months. Fixing the root cause (log rotation) prevents recurrence everywhere.

🏆 Module 2 Progress Checkpoint

You have completed all 8 lessons in Module 2: Tanium Investigate. You now know how to use Single Endpoint View, Direct Connect, the investigation workspace, remote remediation, and ServiceNow integration to investigate and resolve endpoint issues efficiently.

Module 2 Complete!

Congratulations — you have completed all 8 lessons in Module 2: Tanium Investigate.

🏆 Tanium Investigate — Module Complete

You have completed both modules of the Tanium Specialization training. Head to the Certification Exam to demonstrate your knowledge and earn your certification.

Mercury Insurance — Digital Workplace Team
DEX Specialization Training © 2026