Noise elimination for Tanium and other mesh scanners
If you're using Tanium or other tools that do similar full mesh scanning, you may notice a high volume of benign but technically true positive detections in your Vectra environment. This is caused by full mesh endpoint scanning, which can overwhelm your detection surface with noise and reduce the overall signal quality of the platform.
What You Need to Know
Full mesh scanning generates predictable, non-malicious traffic from your endpoints.
Vectra detects this traffic as part of normal operation, but the resulting detections are not security-relevant.
Left unfiltered, this can create unnecessary noise that obscures meaningful threat activity.
Recommended Action
To improve signal quality without losing visibility, Vectra strongly recommends the following:
Configure your Tanium (or similar) deployment to use static source ports for its scan traffic.
Engage Vectra Support to enable a Tanium-specific configuration that filters this traffic based on the source ports you define.
What This Configuration Does
Applies a source port-based filter directly on the sensor.
Drops only isession metadata associated with full mesh scans.
Does not impact network traffic processing, detection fidelity, or security visibility.
All traffic is still monitored and processed—only noisy metadata is suppressed before it generates detections or appears in Stream or Recall.
Why It Matters
This filtering ensures your detection surface remains focused on actionable threats, not routine management traffic. You’ll reduce false positives and improve the relevance of alerts—without sacrificing any coverage.
Next Steps
Please contact Vectra Support with:
Confirmation that Tanium or other similar full mesh scanning is deployed in your environment.
The static source port(s) you’ve configured for this scanning.
Any other relevant environment context.
Our team will help you apply the configuration safely and quickly.
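Before sending the port list to Support, you can check your own session records against it. The sketch below is an added example, not Vectra or Tanium code: it models a filter that matches on source port alone and reports which hosts would still look like mesh scanners afterwards and which unrelated sessions would be suppressed along with the scan traffic. The record layout, the port numbers, the fan-out threshold and the function name are all assumptions made for illustration.

```python
from collections import defaultdict

# Assumptions (not from the article): placeholder ports, threshold and record layout.
STATIC_SRC_PORTS = {40001, 40002}  # the static source ports set on the scanner
FANOUT_THRESHOLD = 3               # distinct peers that mark mesh-style scanning

# Constructed sample sessions: (src_ip, src_port, dst_ip, dst_port)
SESSIONS = [
    ("10.0.0.5", 40001, "10.0.0.6", 9999),
    ("10.0.0.5", 40001, "10.0.0.7", 9999),
    ("10.0.0.5", 40001, "10.0.0.8", 9999),
    ("10.0.0.6", 40002, "10.0.0.5", 9999),
    ("10.0.0.6", 40002, "10.0.0.7", 9999),
    ("10.0.0.6", 40002, "10.0.0.8", 9999),
    ("10.0.0.7", 51514, "10.0.0.5", 9999),  # scanner still on ephemeral ports
    ("10.0.0.7", 51515, "10.0.0.6", 9999),
    ("10.0.0.7", 51516, "10.0.0.8", 9999),
    ("10.0.0.8", 52000, "10.0.1.20", 443),  # ordinary client session
    ("10.0.0.9", 40001, "10.0.1.20", 443),  # unrelated app reusing a static port
]

def audit_port_filter(sessions, static_ports, fanout_threshold):
    """Model a filter that drops session metadata by source port alone."""
    dropped, kept = [], []
    static_peers = defaultdict(set)    # peers reached from static ports, per host
    residual_peers = defaultdict(set)  # peers reached from any other port, per host
    for session in sessions:
        src, sport, dst, _dport = session
        if sport in static_ports:
            dropped.append(session)
            static_peers[src].add(dst)
        else:
            kept.append(session)
            residual_peers[src].add(dst)
    # Hosts that still fan out after filtering: scanner not using the static ports.
    residual_hosts = sorted(h for h, p in residual_peers.items()
                            if len(p) >= fanout_threshold)
    # Dropped sessions from hosts with no scan-like fan-out on the static ports:
    # likely another application whose metadata the filter would also suppress.
    collateral = [s for s in dropped
                  if len(static_peers[s[0]]) < fanout_threshold]
    return {"dropped": len(dropped), "kept": len(kept),
            "residual_hosts": residual_hosts, "collateral": collateral}

if __name__ == "__main__":
    for key, value in audit_port_filter(SESSIONS, STATIC_SRC_PORTS,
                                        FANOUT_THRESHOLD).items():
        print(f"{key}: {value}")
```

A non-empty residual_hosts list means some endpoints are not yet using the static ports, and a non-empty collateral list is context worth including when you contact Support.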