Module 1 — Lesson 6 of 8

Root Cause Analysis

Learn to systematically trace endpoint performance problems back to their origin using Tanium Performance data, timeline analysis, and change correlation.

📚 Overview

🔧 Deep Dive

🛠 Hands-On

✅ Check

🔍

Steps in the RCA Process

📈

Pattern Types (Systemic vs. Isolated)

📋

100%

Documentation Rate Goal

Five-Step RCA Workflow

Remember

RCA is not about assigning blame. It is about understanding what happened so you can prevent it from happening again. A blameless RCA culture encourages transparency and better outcomes.

Systemic vs. Isolated Issues

🌐

Systemic

Multiple endpoints affected. Usually caused by a change deployed at scale (patch, GPO, deployment). Fix once, fix all.

💻

Isolated

Single endpoint or very few. Hardware failure, user-installed software, unique config. Requires per-device investigation.

Watch Out

Do not assume a problem is isolated because you have only one ticket. Many users suffer silently. Always check whether the same pattern exists on other endpoints before concluding it is isolated.

Timeline Analysis in Tanium

Tanium Console — Endpoint Timeline: CAEI-445521

Timeline

Metrics

Processes

Reading the timeline: A sudden spike at a specific time (especially off-hours) strongly suggests an event-driven cause. A gradual creep over days/weeks suggests resource exhaustion.

Change Correlation Sources

Tanium Patch

Was a patch deployed around the time the problem started?

Tanium Deploy

Was new software installed or updated on the affected group?

Group Policy

Were GPO changes applied to these endpoints?

ServiceNow Changes

Check the change calendar for infrastructure changes at that time.

Deep Dive: Correlation vs. Causation in IT ▼

Just because two events happened at the same time does not mean one caused the other.

Example: A patch deployed Tuesday 10 PM. Wednesday morning, 50 endpoints show high CPU. But an AV definition also pushed at 11 PM. It could be the AV scan, not the patch.

🔬

Control Group

Compare patched endpoints with and without the AV update

🛠

Process Check

Is CPU from TrustedInstaller or MsMpEng.exe?

🔄

Test Reversal

Roll back on a small group — strongest evidence of causation

Change Impact Analysis

Compare endpoint performance before and after a known change event. Tanium's continuous metric history makes this possible.

Health Score Before

Health Score After

Control Group (No Change)

The control group confirms that the change — not an environment-wide factor — is the cause of the degradation.

Walkthrough: Post-Patch Slowness

The Situation

Thursday morning. Claims Department (120 endpoints) reports widespread slowness. Tickets started around 9 AM. Tuesday night patch cycle targeted this group.

Identify the Symptom

Health scores dropped 82 → 54 overnight. CPU avg 78% (up from 35%), disk I/O latency doubled. Memory normal.

Check the Timeline

Sharp inflection at 2:00 AM Wednesday — sudden, not gradual. Event-driven.

Correlate with Changes

KB5034441 deployed at 1:30 AM. No other deployments in 7 days. No infrastructure changes.

Isolate the Group

Underwriting (same hardware, same OS, NOT patched) — stable at 80+. Problem is specific to the patched group.

Root Cause Found

TiWorker.exe stuck in a retry loop due to a .NET conflict. Fix: restart TrustedInstaller service via Tanium action.

Exercise: Order the RCA Steps

Drag the five RCA steps to their correct order (1 through 5):

Correlate with changes

Identify the symptom

Determine root cause

Isolate affected group

Check the timeline

Step 1: Drop here

Step 2: Drop here

Step 3: Drop here

Step 4: Drop here

Step 5: Drop here

Correct order: (1) Identify the symptom, (2) Check the timeline, (3) Correlate with changes, (4) Isolate the affected group, (5) Determine the root cause. Each step narrows down possibilities until you reach the definitive cause.

Knowledge Check

1. An endpoint's health score dropped suddenly at 3:00 AM. What does this timing pattern most likely indicate?

A gradual hardware failure An event-driven cause such as a deployment, patch, or configuration change Normal user activity patterns A network outage

Correct: B. A sudden, sharp decline at a specific time (especially outside business hours) strongly suggests an event such as a scheduled deployment or patch.

2. You suspect a Tuesday night patch caused performance degradation. What is the strongest evidence to confirm the patch is the root cause?

The patch was deployed the same night the problem started A vendor advisory mentions potential performance issues with the patch Rolling back the patch on a pilot group resolves the issue, while a control group that kept the patch still shows degradation Users report that their computers feel slower

Correct: C. A controlled test — reversing the suspected change on a subset and verifying resolution, while the control group still shows the problem — is the strongest evidence of causation. Timing alone (A) is correlation, not causation.

← Previous: Alerting & Thresholds Next: Remediation at Scale →

DEX Training

Root Cause Analysis

Five-Step RCA Workflow

Systemic vs. Isolated Issues

Timeline Analysis in Tanium

Change Correlation Sources

Tanium Patch

Tanium Deploy

Group Policy

ServiceNow Changes

Change Impact Analysis

Walkthrough: Post-Patch Slowness

Identify the Symptom

Check the Timeline

Correlate with Changes

Isolate the Group

Root Cause Found

Exercise: Order the RCA Steps

Knowledge Check