1E Explorer TachyonCore product pack
Classic Product Pack used to create the 1E Explorer TachyonCore instruction set that includes instructions for Tagging and Quarantine.
Please refer to:
- Creating the Tags instruction set for steps required to upload this product pack and create the Tags instruction set
- Tagging client devices for details on setting, deleting, querying and using tags
- 1E Quarantine for guidance on using the quarantine device instructions
Instructions
Type | Description | Version | Instruction text (ReadablePayload) | Instruction file name |
---|---|---|---|---|
Action | Add a specified action firewall rule to a specified IP address. Windows only. | 7 | ||
Question | Returns all installed software. | 7 | ||
Question | Returns details of audio devices. Windows only. | 6 | ||
Question | Returns details of BIOS firmware. | 6 | ||
Question | Returns details of the processor's cache memory. | 6 | ||
Question | Returns details of all optical drives. | 6 | ||
Action | Starts or stops a service and any services that are dependent on it. | 6 | ||
Question | Reports the existence of the specified coverage tag | 6 | ||
Question | Reports whether the defined coverage tag has the specified value | 6 | ||
Question | Reports whether the specified freeform tag exists | 6 | ||
Question | Reports whether the defined freeform tag has the specified value | 6 | ||
Question | Check a simple Indicator of Compromise. | 6 | ||
Action | Flushes the DNS cache on the machine | 6 | ||
Action | Ping a specific IP address | 6 | ||
Action | Changes the startup type and the state of an operating system service | 6 | ||
Question | Returns the number of coverage tags. | 6 | ||
Question | Returns the number of freeform tags. | 6 | ||
Action | Creates a freeform tag with an empty value. If this tag already exists, its value will be removed. | 6 | ||
Action | Deletes all coverage tags. This is a high impact instruction and should be used with care. | 6 | ||
Action | Deletes all freeform tags. This is a high impact instruction and should be used with care. | 6 | ||
Action | Deletes specified coverage tag | 6 | ||
Action | Deletes a file with specified path | 6 | ||
Action | Deletes specified firewall action rule assigned to specified IP address. Windows only. | 6 | ||
Action | Deletes specified freeform tag | 6 | ||
Question | Returns details of device drivers. | 6 | ||
Question | Gets all devices that currently have any open TCP connections to the specified IP address. It includes information about processes and ports. | 6 | ||
Question | Gets devices listening on a specific network port. It also includes information about the listening process. | 6 | ||
Question | Shows count of disabled Windows services. | 6 | ||
Question | Returns details of video graphic adapters. Windows only. | 6 | ||
Action | Enable or Disable Windows Advanced Firewall for a given profile. Note that this enables locally, and that GPO will override if set. | 3 | ||
Question | Executes a WMI query and returns the result. The query execution will be successful only if the WMI namespace and class exist. Windows only. | 6 | ||
Question | Finds a directory by name. | 6 | ||
Question | Finds a file by name. | 6 | ||
Question | Finds a file by size and SHA256 hash. | 6 | ||
Question | Finds file version, Original Filename, Product Name and Product version of a file you specify | 5 | ||
Question | Returns all coverage tag values | 6 | ||
Question | Returns all freeform tag values | 6 | ||
Question | Returns value of a specific coverage tag | 6 | ||
Question | Memory details for each installed DIMM. | 6 | ||
Question | Returns the PowerShell execution policy on the device. | 6 | ||
Question | Retrieve the content of files matching the given file path search pattern. Wildcard characters and environment variables may be used. | 7 | ||
Question | Retrieves the lines of files matching the given file path search pattern. Wildcard characters and environment variables may be used. | 6 | ||
Question | What details does the operating system have about a particular file | 10 | ||
Question | What access permissions exist for a particular file | 12 | ||
Question | Retrieve the files in a specified folder. Windows Only. | 6 | ||
Question | Retrieve the files in a specified folder and all subfolders. Windows Only. | 6 | ||
Question | Gets devices with a specified action firewall rule assigned to a specified IP address. Windows Only. | 6 | ||
Question | Returns firewall rules filtered by state | 3 | ||
Question | Returns the value of a specific freeform tag | 6 | ||
Question | Retrieves the historical inbound connections recorded on the device | 5 | ||
Question | Retrieves the historical inbound mapped drives recorded on the device | 5 | ||
Question | What shared printers are being used on the machine? | 5 | ||
Question | Returns a list of installed Windows hotfixes. | 6 | ||
Question | Gets the IP addresses assigned to devices. Windows Only. | 6 | ||
Question | Shows a list of all users logged into devices, including interactive and remote desktop sessions. | 6 | ||
Question | Retrieves the historical outbound connections recorded on the device | 5 | ||
Question | Retrieves the historical and currently exposed shared drive usage recorded on the device | 5 | ||
Question | What printers are shared from the machine? | 4 | ||
Question | Get all running processes. | 6 | ||
Question | Queries the quarantine status of the device. Please use with care, and please read the documentation for the quarantine feature before use. | 5 | ||
Question | Retrieves all the running services. Windows Only. | 6 | ||
Question | Returns details for virtualized Hyper-V guest machines that are currently running. Windows hosts only. | 6 | ||
Question | Details of RAM chips. Windows Only. | 6 | ||
Question | Return a count of all distinct Operating Systems, Version and Virtual platform for each Tachyon-connected device. | 6 | ||
Question | Returns count of all distinct versions of the specified product. Note the value entered does not need to be complete e.g. enter chrome and all products containing chrome will be returned. | 7 | ||
Question | Returns count of all distinct versions of the specified publisher and product. Note the values entered do not need to be complete e.g. enter Micro and all publishers containing Micro will be returned. | 7 | ||
Question | Returns details of installed USB devices. Windows only. | 8 | ||
Action | Terminate a single process. | 6 | ||
Action | Terminate all instances of a specified executable. | 6 | ||
Question | Get the number of local groups each matching account is a member of. Windows Only. | 7 | ||
Question | Get details of logical drives, including network drives. Windows Only. | 6 | ||
Action | Logs off %user% from all specified machines. The account should not contain a prefix. The user will be forcibly logged off - unsaved work or documents will be lost. Windows Only. | 6 | ||
Question | Get the configuration of the network adapters. Windows Only. | 6 | ||
Question | Gets details of network adapters. Windows Only. | 6 | ||
Question | Gets network listening processes and ports. | 6 | ||
Question | Performs an nslookup on a specified address and returns the output as a string. | 6 | ||
Question | Get details of physical disk drives. Windows Only. | 6 | ||
Question | Get details of plug and play devices. Windows Only. | 6 | ||
Question | Get details of installed printers. Windows only. | 6 | ||
Question | Finds all devices that currently have the specified process running with local administrator privileges. | 6 | ||
Question | Details of processors installed. Windows Only. | 6 | ||
Question | Gets processor types being used by devices. Windows only. | 6 | ||
Action | Quarantines the device. The device will only be able to contact Tachyon. CRL checks must be set to soft. Certificate expiry can cause the agent to fail to connect to the switch. If an agent is no longer connected to Tachyon after quarantine, it will remain in quarantine. Please use with care, and please read the documentation for the quarantine feature before use. | 5 | ||
Action | Schedules a reboot in a specified number of seconds. This will not prompt for user interaction! | 3 | ||
Action | Refreshes the CRL cache by setting the ChainCacheResyncFiletime. This means that Windows will attempt to retrieve a CRL the next time it is called upon for verification. | 6 | ||
Action | Delete an entire registry key. Windows Only. | 7 | ||
Action | Delete a specified key for each user in the HKEY_USERS hive. Windows Only. | 7 | ||
Action | Delete a specified registry entry for each user in the HKEY_USERS hive. Windows Only. | 7 | ||
Action | Delete a specified registry entry. Windows Only. | 7 | ||
Question | Get all sub keys for a Registry key. Windows Only. | 10 | ||
Question | Get all the keys under a subkey for each user in the HKEY_USERS hive. Windows Only. | 5 | ||
Question | Get all the values under a subkey for each user in the HKEY_USERS hive. Windows Only. | 7 | ||
Question | Get all values for a Registry key. Windows Only. | 7 | ||
Question | Get a registry value for each user in the HKEY_USERS hive. Windows Only. | 8 | ||
Question | Get the value for a Registry entry. Windows Only. | 7 | ||
Question | Determine whether a given Registry key exists. Windows Only. | 7 | ||
Action | Set a registry entry for each user in the HKEY_USERS hive. Windows Only. | 7 | ||
Action | Set the value for a given Registry entry. Windows Only. | 7 | ||
Question | Determine whether a registry key exists for each user in the HKEY_USERS hive. Windows Only. | 6 | ||
Question | Determine whether a registry entry exists for each user in the HKEY_USERS hive. Windows Only. | 6 | ||
Question | Determine whether a given Registry entry exists. Windows Only. | 7 | ||
Question | Returns information about removable drives. Windows Only. | 6 | ||
Question | Shows machines running a specific executable. Windows Only. | 7 | ||
Action | Sets a value for a coverage tag on devices. This tag can be used to narrow down target devices for instructions. | 6 | ||
Action | Sets a value for a freeform tag on devices. This tag and value combination can be arbitrary. This tag cannot be used to narrow down target devices for instructions. | 6 | ||
Action | Sets the PowerShell execution policy on devices. The new execution policy will be returned after being set. | 6 | ||
Action | Removes all versions of the specified application published by the specified publisher, if present. | 6 | ||
Action | Removes the specified version of the specified application published by the specified publisher, if it is present. | 6 | ||
Action | Unquarantines the device. Please use with care, and please read the documentation for the quarantine feature before use. | 5 | ||
Question | Gets device drivers which are not digitally signed. Windows only. | 6 | ||
Question | Find all devices on which the given user is currently logged in. Windows Only. | 7 | ||
Question | Gets Windows updates with a count of each device that is pending a reboot for this update to take effect. Windows only. | 6 |