
1E 23.11 (SaaS)

Querying Tachyon Activity Records using the Tachyon PowerShell Toolkit

Querying historical data from the Tachyon Activity Records on clients.

The Tachyon agent collects a considerable amount of historical data, such as processes executed, TCP connections, etc. This information is referred to as Tachyon Activity Records. To query information in these tables, you would normally write a specific instruction in TIMS which returns data from a specific table. If you want to retrieve information from different tables, you would normally write an instruction for each table you wish to query, or you could alternatively write a parametrized instruction that takes the query as a parameter and returns a fixed-schema result.

The Tachyon PowerShell Toolkit gives you two ways of invoking Tachyon Activity Record queries.

  • The dynamic query functionality allows you to simply invoke a query directly. However, like the dynamic scripting and SCALE functionality, this requires that you have a valid instruction signing certificate so that the associated instruction can be dynamically created, uploaded and executed. Please refer to Requirements for using the Tachyon PowerShell Toolkit: Code Signing Certificate.

  • Alternatively, you can use the invoke-tachyonactivityquery cmdlet. This does not require you to possess a code signing certificate, but you need to have uploaded the instruction it depends on, 1E-Exchange-ActivityRecordQry. This is included in the Toolkit files.

The results from both approaches are exactly the same.

For more information about Tachyon Activity Records, please refer to Tachyon Activity Record.

Getting Started with Tachyon Activity Record dynamic queries

To execute a Tachyon Activity Record dynamic query, you specify the query inside single quotes as an argument.

For example

invoke-tachyondynamic -query 'select * from $arp_live' -targetscope urth-dev

Note

Single quotes are used to prevent the PowerShell interpreter from processing the $ symbol. You can also use double quotes if you escape the $ with a backtick, like this: "select * from `$arp_live"

The screenshot below shows an example.

Getting Started with the invoke-tachyonactivityquery cmdlet

You can also query Tachyon Activity Records even if you lack an instruction signing certificate. To do this, you must first upload the 1E-Exchange-ActivityRecordQry instruction on which it depends. This instruction is bundled with the PowerShell toolkit. To upload it, either use the Tachyon settings UI, or the publish-instruction cmdlet included in the PowerShell Toolkit.

invoke-tachyonactivityquery -query <query> -targetscope <scope>|-targetfqdns <fqdns>

For example

invoke-tachyonactivityquery -query 'select * from $arp_live' -targetscope urth-dev

As with the dynamic query option, you can instead use double quotes around the query if you escape the $ symbol to prevent PowerShell from processing it.
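The quoting pitfall described in both sections above (an unescaped $ inside double quotes is expanded by PowerShell before the query ever reaches the agent) is easy to miss in a script. The following is an added example, not code from the 1E documentation or the Toolkit: it wraps the invoke-tachyonactivityquery cmdlet shown above and rejects a query whose $table reference has already been lost. The wrapper function name and the regex check are assumptions of this example; it assumes the 1E-Exchange-ActivityRecordQry instruction has been published, and 'urth-dev' is the scope used in the page's own examples.

```powershell
# Added example (not part of the 1E documentation).
# Three ways of writing the same query; only the first is wrong.
$expanded = "select * from $arp_live"    # $arp_live is not a PowerShell variable, so it expands to ""
$literal  = 'select * from $arp_live'    # single quotes: no expansion
$escaped  = "select * from `$arp_live"   # backtick-escaped $: no expansion

# Optional guard: strict mode turns a reference to an undefined variable into an
# error instead of silently expanding it to an empty string.
# Set-StrictMode -Version Latest

function Invoke-ActivityRecordQuery {
    # Hypothetical wrapper (assumption of this example) around the Toolkit cmdlet.
    param(
        [Parameter(Mandatory)][string]$Query,
        [Parameter(Mandatory)][string]$TargetScope
    )

    # Activity Record tables are referenced as $name (e.g. $arp_live). If PowerShell
    # has already expanded the reference, no $identifier survives in the string and
    # the query would be sent to clients with the table name missing.
    if ($Query -notmatch '\$[A-Za-z_][A-Za-z0-9_]*') {
        throw "Query contains no `$table reference; check your quoting: '$Query'"
    }

    # Parameters -query and -targetscope are the ones documented above.
    invoke-tachyonactivityquery -query $Query -targetscope $TargetScope
}

# Runs the query against the example scope.
Invoke-ActivityRecordQuery -Query $literal -TargetScope 'urth-dev'

# Would throw before anything is sent, because $expanded is "select * from ".
# Invoke-ActivityRecordQuery -Query $expanded -TargetScope 'urth-dev'
```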