Working with Instructions

Now that we have added a Product Pack and analysed the inner working of the Instruction, we will add more Instructions and begin working with Tachyon. The Instructions we add will provide different functionality in terms of questions we can ask as well as actions we can take.

Work with Instructions

Adding Instructions via Product Packs

1. Launch the SkyTap Shared Drive shortcut on the desktop and navigate to 1E Tachyon - Course Content\Tachyon 5.0 Course Content\
2. Download and copy the Icons.zip folder to c:\temp\ right click and extract all
3. Also download and copy the 1E Tachyon - Course Content\Tachyon 5.0 Course Content\AdditionalProductPacks.zip to c:\temp and extract the contents
4. Launch the Settings Application from the Tachyon Portal if not already open
5. Click on the Instructions node and then select Instruction Sets
6. Click on the Upload button at the top right
7. Navigate to C:\Temp\tachyonplatform.v5.0.0.592\ProductPacks\Classic and select 1E-Patch-Success.zip. Click Open
8. There will be 3 instructions in the Unassigned Instruction Set, Select the 3 instructions
9. Click Add new set
10. In the Add new instruction set box type Patch Success in the Name field
11. Click Choose file in the Custom Icon box. Navigate to c:\temp\icons and select Tachyon.png
12. Click Open. Click Add
13. Click the Upload button again
14. In the Open dialog box navigate to C:\Temp\tachyonplatform.v5.0.0.592\ProductPacks\Classic and multi-select 1E-ConfigMgrConsoleExtensions.zip, 1E-Explorer-TachyonAgent.zip, and 1E-Explorer-TachyonCore.zip Click Open
15. Ensure that the Instructions are successfully verified and installed. Navigate to the Recent Uploads tab to see status
16. Click on Upload again navigate to c:\temp\AdditionalProductPacks
17. Multi-select 1E-Explorer-1ECore.zip and 1E-Explorer-Examples.zip Click Open
18. Ensure that you now have 197 instructions in your unassigned instruction set
19. If you see the Errors count go above zero, ping your instructor to troubleshoot
20. Navigate to c:\programdata\1E\Tachyon and open Tachyon.ConsumerAPI.log
21. Search for Uploaded in the log and note all the Instruction uploaded

Managing Instructions in Sets

The Product Packs have a varying number of Instructions within them. Once imported into Tachyon, we must group them into Instruction Sets before we can use them. In this exercise we will group the Instructions into Instruction Sets to demonstrate the process. In the next exercise we will use the Product Pack Deployment Tool to perform a bulk import of product packs.

22. Return to the Settings Application and navigate to Instructions – Instruction Sets. In the Instruction set pane, click the Unassigned Instruction Set and then click the plus sign + at the end of the sort by field but in front of Unassigned
23. Type in Processes in the Name field. In the custom icon field click on Choose File. Navigate to c:\temp\icons. Click the Process.png Click Open. Click Add
24. Select the Unassigned Instruction Set to review all the uploaded Instructions
25. In the Search field under the name of the instruction set (Unassigned), type Process into the filter box
26. In the lower right click on the 50 button to show additional rows
For the grouping on Instructions into Instruction Sets, please ensure you are searching for the words as exactly documented here, or you will possibly miss some Instructions and in later labs will not be able to execute them.
27. Click Select All and click on Move in the right panel. Drop down to the Processes Instruction Set and click Move
28. Create an Instruction Set named Services
29. Add a custom icon from c:\temp\icons\service.png
30. Select the Unassigned Instruction Set in the Instruction Sets pane
31. From the Instructions pane, type Service into the filter box
32. Move the services related Instructions into the Services Instruction set
33. Create an Instruction Set named Registry
34. Add a custom icon from c:\temp\icons\registry.png
35. Select the Unassigned Instruction Set in the Instruction Sets pane
36. From the Instructions pane, type Registry into the filter box
37. Move the Registry related Instructions into the Registry Instruction Set
38. Create an Instruction Set named 1E Client
39. Add a custom icon from c:\temp\icons\Tachyon.png
If you forget to add your custom icons you can also select the instruction set and click on the hamburger menu next to the name and choose Edit
40. Select the Unassigned Instruction Set in the Instruction Sets pane
41. From the Instructions pane, type Tachyon Agent into the filter box
42. Move the Tachyon Agent related Instructions into the 1E Client Instruction Set
43. From the Instructions pane, type 1E Client into the filter box
44. Move the 1E Client related Instructions into the 1E Client Instruction Set
45. Select the Unassigned Instruction Set and in the Search field type in Operating System
46. Select all the instructions and then Click the Add new set box at the right to create a New Instruction Set
Again, use caution when using the Select All button in this window as it only selects the displayed instructions. Notice the control in the lower right to display 12-24-48 items in the list.
47. In the Add new Instruction Set box Name field type OS
48. Add a custom icon from c:\temp\icons\Win10.png
49. Ensure that the box is checked to Include the X number of Selected Instructions
50. Click Add
51. Create an Instruction Set named ConfigMgr
52. Add a custom icon from c:\temp\icons\sccm.jpg
53. From the Instructions pane, type ConfigMgr into the filter box
54. Move the CM related Instruction into the ConfigMgr Instruction Set
55. After searching for ConfigMgr also search for SCCM and move those instructions into the ConfigMgr instruction Set
56. Create an Instruction Set named Tags
57. Click on the Unassigned instruction set. Type Coverage Tag in the search box
58. Move these instructions to the Tags Instruction Set
59. Do another search for Freeform Tag
60. Move all the Tag related instructions to the Tags Instruction Set
61. Create an Instruction Set named Quarantine
62. Click on the Unassigned instruction set. Type in Quar and move all the Quarantine related instructions to the Quarantine Instruction Set
63. Create an Instruction Set named Device Criticality
64. Click on the Unassigned instruction set. Type in Critical in the search field
65. Move the 2 instructions for Device Criticality to the Device Criticality Instruction Set
66. Now that we've added instructions to Tachyon and organized them into Instruction Sets, we are ready to begin engaging clients. There are two types of instructions, Questions and Actions. In these exercises, we will ask questions and execute actions on our Tachyon clients
We are only using a subset of Instructions which were uploaded from the Product Packs. Don't be concerned about the instructions still residing in the Unassigned group.

Using the Product Pack Deployment Tool for the Integrated Product Packs

Tachyon 5.0 ships with the Tachyon Product Pack Deployment Tool which gives you a way to bulk import Product Packs and Guaranteed State artifacts into Tachyon. We also have a set of Integrated Product Packs to import. We can use this during the Tachyon install or as a standalone bulk import. The product packs must be in the same folder as the tool. Your Guaranteed State Administrator must also have Instruction Set Administrators role to use the Product Pack Deployment Tool for Integrated Product Packs.

67. Still logged into 1ETRW72 as 1ETRN\Manager1
68. Click Start and in the Search field type \\1ETRNAP\temp Click the temp folder to Launch Windows Explorer. Right click tachyonplatform.v5.0.0.592\ProductPacks\ folder and select copy. Navigate to c:\tools and right click and select Paste
69. Double click c:\tools\ProductPacks\Tachyon.ProductPackDeploymentTool.exe
70. Type in https://tachyon.1etrn.local/consumer in the Server field. Click on Test Connection
71. We should see connected to the Tachyon Server and the version number in the Results pane
72. Ensure that all the Integrated Product Packs are selected and click Upload Selected
The Tachyon Product Pack Deployment Tool will import them into Tachyon. It will also move them into an Instruction Set named the same as the .zip file. The Tachyon Product Pack Deployment Tool will also upload Classic Product Packs into Tachyon. You would need to copy the Classic Product Packs into the same folder as the tool and the supporting files. You may want to rename the Instructions Sets as the tool will name them the same as the name of the .zip file which may not be the name that you want for the instruction sets. These are easier to use in production if the Instruction Set name is indicative of the instructions that are in the set.

Changing Tachyon Agent Settings

In this exercise, we will evaluate the 1E Client settings, and make a change to one of them.

73. Navigate to the Home node in the Explorer Application
74. Click on All Instructions on the top right
75. Expand 1E Client instruction set to review the available instructions
76. Click on Set a 1E Client configuration property <agentconfig> to <agentconfigvalue> for the Tachyon Agent
Tachyon no longer requires us to ask a question in order to deliver an action. We already know our client settings we can make the change that is required for our lab now.
77. From the Please Choose dropdown, select DefaultStaggerRangeSeconds
Clicking on Please Choose exposes the list of available properties to select
78. Set the value to 30
79. Click Perform this action
80. Input Passw0rd for the password
81. Launch LiveMail and click Send/Receive to update the inbox
82. Retrieve the authentication code from the latest email and input it into the console

83. Launch LiveMail and click Send/Receive to update the inbox
84. Open the latest email with subject Tachyon action X requires approval
85. Click on the Go to approval page link
86. Click on the approval request. Review the details of the action request. Note that all 7 clients are targeted
87. Input a comment if you wish. Check the I understand the impact of this action and approve this request box. Click Approve

88. Check the inbox in LiveMail. An email confirming the instruction was approved will be present with a current timestamp
89. Return to the Explorer Application. It should be on the responses page for our Agent reconfiguration instruction
90. Wait a few minutes as the results of our action are returned
Remember the default stagger setting? This action requires a script, so there will be a random wait between 0-300 seconds for the agents to download the script. We are changing that setting to 30 so future Instructions which require a script are executed quicker. In a production environment you want to be careful not setting this value too low.
91. On the Content page, note a pie graph detailing Success/Error
92. Click on Aggregated Table View at the top right to get details on the action
93. Click the Row that displays Exit Code and Count to expand results
94. Note the Output column, now showing DefaultStaggerRangeSeconds=30
95. Click on Raw Table View at the top right to get details on the action, this lists the machines that have responded, similar to that of the Aggregated Table View
96. Note the Output column, now showing DefaultStaggerRangeSeconds=30
97. Once 1ETRNW71 returns a result, navigate to c:\program files\1E\Client and edit 1E.Client.conf with Notepad
98. Review the settings. Note that DefaultStaggerRangeSeconds is now set to 30, per the action which we initiated
99. Once all machines have responded click Stop, and navigate to the Home node in the Explorer application and in the I want to know box type in What are the 1E Client settings
100. Click Ask this question button
101. Note that the Default Stagger Range Seconds now shows 30 for all the clients
Did you notice the speed of the results returning compared to the first time you asked this question? This is because we changed the stagger setting from 300 to 30, thus causing the clients to download the script a lot quicker, thus returning the results a lot quicker.
102. Click Stop once all the agents have reported in. Click Keep on the dialog box to keep the responses
103. Review the config file on other machines if you wish to manually confirm the setting change

102. Open SQL Management Studio and navigate to Databases>TachyonResponses>Tables. Refresh to see all the tables
103. Note there are multiple Response tables suffixed by a number. Right-click on the table with the largest number and select Select Top 1000 Rows
104. Note the results from the last question asked are present here
105. Right click on the Error table with the corresponding number. If there are any failures to execute the instruction, information on that failure would reside in this table

Working with Processes

Quite often, for security reasons or otherwise, there might be certain processes running on machines in your environment which you do not want to run. In this exercise, we will query for processes, and based on what is returned, kill a process.

106. Navigate to the Home node in the Explorer Application
107. Click on All Instructions at the top right of the page and expand Processes
108. Click on What Processes are Running?
109. Leave the Parameters default, click Ask this question
110. On the Responses page, once results are presented, scroll down as far as you wish, reviewing the different columns returned from the question
111. Click on any row to expand the results showing which machines have the process running. Click Close to return to the entire list
112. Return to the Home node, and type Process into the I want to know box, and select What Processes are Running?
113. Click Edit in the Parameters window
114. In the Parameters section on the right, expand Coverage and expand Device
115. Leave the condition to contains, and type in 1ETRNW73. Click Set
116. Click on Ask the question to execute the question
117. Once the results are returned, click on the Summary tab. Validate that Approximate target and Responses count both show 1, and Responses > Successes shows a count of 1
118. Return to the Content tab. Note the only machine returning processes information is 1ETRNW73
119. Click on the Filter results button, and type calc.exe into the Executable box. Click Search
120. Note the results are now filtered onto the single process. This indicates that calc.exe process is running on 1ETRNW73
121. Click on Follow-up action in the filter space
122. In the question box, type in Kill
123. Click on Kill Process(es) with image name matching <exename>
124. In the input box for enter process name, type in calc.exe
125. Note the Approximate target value in the Parameters window. Since we are doing a follow up action, only the initial coverage will be impacted by this action. Any other clients running calc.exe will not be impacted by this action
126. Click Perform this action
127. Input Passw0rd for the password and click Confirm and Send
128. Open LiveMail. Click Send/Receive to ensure the authentication email is in the inbox
129. Open the email with title Instruction X requires authentication with the appropriate time stamp and type the authentication code into the Tachyon console where requested

130. Log onto 1ETRNW73 with 1ETRN\Tachyon_adminG if not already logged in
131. Confirm that Calculator is running and present in the task bar
132. Launch the Explorer application if not already open in Chrome, and note that a notification is available for the pending request
133. Click on the Notifications
134. On the Request for action approval page, review the details of the request
135. Expand the 1 setting and 1 device details and validate the filters we set when asking the original question
136. Check the I understand the impact of this action and approve this request box. Click Approve
137. Wait a few seconds. Note that the Calculator application disappears from the Taskbar
138. Navigate to c:\programdata\1E\Client and double-click 1E.Client.log
139. At the bottom of the log, note that the agent is running an instruction which kills the calc.exe process

140. Return to 1ETRNW71
141. Note the console is on the Content page
142. Note the results show a count of 1 for Killed and 0 for Failed
143. Click on the Summary tab to validate the coverage of the action as well as the success
144. Note Approximate target, Sent count and Responses count are all 1, and the Responses Success count is 1
145. Click Stop for the Kill Process(es) calc.exe action. Click Ok
The duration of this action was set to 60 minutes by default, so it will continue for 60 minutes if not stopped. This is to account for machines which might not be online at the start of a question or an action but come online before the duration expires. You may find in your environment different questions and actions dictate different durations.
146. Ask the processes question again and validate that calc.exe is no longer running
147. You may repeat the process of killing a process, using the Process ID instead of the executable name if you wish

Working with Services

In an enterprise, having real time knowledge of Services on client machines is very valuable information. Often, you might want to stop or disable a service. Other times, you might want to start or enable a service. In this exercise, we will work with Services, both querying and taking actions.

148. Navigate to Home in the Explorer Application
149. Click on All Instructions
150. Expand the Services Instruction Set, and review the questions available
151. Click on What services are running?
152. Leave the parameters default. Click Ask this question
153. Review the results, scrolling down to see all services listed
154. You must scroll quite a while to see all the services. We will filter the results to drill down onto a specific service on a single machine
155. Click the Back to top button to return to the top
156. Expand Filter Results. In the Name box, input RemoteRegistry. Click Search
157. Note the service is stopped on all machines but 1ETRNCM
158. Return to the home page, and in the search box, type in Services
159. Click on Which Windows services are disabled?
160. Click Ask this question
161. On the Contents page, change view from graph to table view at the top right
162. Click on the Filter results button, and in the caption type in Remote. Click Search
163. Click on Remote Registry to expand the results. Note the machines on which the service is disabled
The service is disabled on the Windows 10 machines in our environment. Though it is stopped on all machines except 1ETRNCM, it is not disabled on all the machines, except for the Windows 10 machines.
164. Click the Follow-up Action tab, and in the search box, type Service
165. Select Set service <servicename> startup type to <startuptype> and state to <state>
166. In the Set service box, input RemoteRegistry. Set Startup type to Manual. Set state to Start
167. Note the Approximate target number
Even though it shows 7 as the approximate target the instruction will only run on the 2 that were returned by the filter. We have 3 types of filters in Tachyon Coverage Filter is applied before the question is asked and limits the devices that get the question or the action. Question Filters use the attributes of the responses and are applied after a question is asked – it limits the number of devices that will respond. View Filters use the attributes of the responses and are applied after a question is asked and after the responses have returned but limit what is displayed.
168. Return to the home page
169. Type Services into the search box, and select Which Windows services are disabled?
170. Click Edit in the Parameters space
171. Expand Coverage
172. Click on Management Group, click in the search box to display our list of Management Groups, select All Win 10 Lab Workstations. Click Set
We could also use our Device attributes to set our coverage based on Name of Device.
Note the Approximate target has changed to 2 connected devices. We have 2 machines in our environment that are members of our Management Group.
173. Click Ask this question. Review the results in the Aggregated table view
174. Click the Actions tab, and in the search box, type Service
175. Select Set service <servicename> startup type to <startuptype> and state to <state>
176. In the Set service box, input RemoteRegistry. Set Startup type to Manual. Set state to Start. Click Perform this action
177. Note the Approximate target is now limited to 2 devices, which is the coverage of the original question
178. Input Passw0rd for the password
179. Launch LiveMail. Click Send/Receive to get the latest email in the inbox
180. Retrieve the authentication code from the email and input it into the Explorer Application. Click Submit

181. Log into 1ETRNW101 as 1ETRN\User
182. Double-click the Services applet on the desktop
183. Scroll down to Remote Registry and validate that it is not running and set to disabled

184. Still logged into the Explorer application as 1ETRN\Tachyon_adminG click on the notifications node
185. If already on the Notifications page, refresh the page
186. Click on the pending request. Review the details of the action, and note that it is now only going to 2 machines
187. Check the I understand the impact of this action and approve this request box. Click Approve

188. Click the refresh button in the Services applet to refresh the view. Note that the Remote Registry service is now running, and the startup type is changed from Disabled to Manual
189. Review the 1E.Client.log. Note the reference to remoteregistry at the bottom of the log, along with a successful status for the corresponding InstructionId

190. Return to the Explorer Application. It should be on the Content page
191. Note that the Action column shows Manual + Start for both machines in scope
192. Click on the Summary tab and note that the Target, Sent, Responses, and Success counts are all 2

Working with the Registry

193. Navigate to the Home node in the Explorer Application
194. Type Registry into the I want to know box and select What are all the values under the registry key <hive> <subkey>?
195. In the subkey box, type in software\1E\Client\Persist
196. The value must be inputted exactly as shown above. If the value doesn't match what is on the clients, no results will be returned
197. Click Ask this question
198. From the start menu in windows, type in regedit in the search window and launch regedit
199. Navigate to HKLM\software\1E\Client\Persist
200. Review the different values present under this key. Leave regedit running
201. Return to the Explorer Application. Note that we are on the Responses page
202. Click the Filter Results tab, and input 1ETRNW71 into the Device name box. Click Search
203. Confirm the results seen here match what is shown in the registry, clear the search filter
204. Click on the Actions tab, and input registry into the search box, and click on Set registry entry <hive> <subkey> <name> to <valuetype> <value>
205. In the subkey box, input software\1E\Client
206. In the name box, input Test
207. Change the type to REG_SZ
208. In the value box, input Test
209. Click Perform this action
210. Follow the two factor authentication process by providing the password and then inputting the authentication code provided in the resultant email, as done in previous tasks

211. From the start menu in windows, type regedit in the search window and launch regedit
212. Navigate to HKLM\software\1E\Client. Note that a default and the InstallationDirectory values exist
213. Approve the action in the Tachyon exchange console
214. Review the details of the action. Note that is it going to all 7 devices
215. In the registry, return to HKLM\Software\1E\Client. Click F5 to refresh the view
216. Note that a REG_SZ value named Test is created, with the data set to Test
The change is almost immediate. This is because we do not need a script to make this change, rather we are using the native language. This allows Tachyon to immediately execute the action we deployed via Tachyon. In a later lab, we will talk about native language vs. scripts.

217. Return to the Explorer Application. Note that it is now on the Content page, and the status shows a count of 7
218. Switch to the Aggregated table view. Click on the aggregated row with the count to see the list of machines this action was applied to
219. Click on the Summary tab to validate that the action was successful on all 7 machines
220. Return to regedit. Navigate to HKLM\software\1E\Client. Confirm the Test value we set has been created via the Tachyon action
221. You will likely need to refresh the view to see the new value

Working with Device Tags

Device Tags allow you to add custom labels to devices for use by Tachyon. We have two types of Tags – Coverage and Freeform. Coverage Tags can be used for targeting instructions and are configured by a Tachyon Admin, devices can then be set using an instruction. Freeform Tags can be used to label the devices in your organization but are only set using instructions and cannot be used for coverage. In this exercise we will create the device tag that we will use for our Phased Deployments. We will have values for the devices that are used for Testing (TestGroup), Pilot (PilotGroup), Group1 and Group2 will show the example of Day 1 deployments and Day 2 deployments. We will set our 2 Windows 10 machines as a Pilot group in our lab using Tags. We will then ask a question using the Tag as our coverage parameter.

Creating the Pilot Group Tag

Planning the coverage tags for the entire environment should be done thoughtfully. Each device has a list of the tags that have been set on the 1E Client. The list includes Name=Value plus a delimiter. The entire list for each Agent cannot be over 512 characters.

222. Logged into 1ETRNW102 as 1ETRN\Tachyon_AdminPP
223. Open Google Chrome and switch to the Settings application
224. Navigate to Configuration – Custom Properties
225. Click Add. In the Add Custom Property box type PhasedRollout in the Name field
Tag names can only be a maximum of 16 characters any tags exceeding the length limit will not be reported back and those devices will not be included in the coverage.
226. In the Property Type box select CoverageTag
227. In the Values box type in the following values
TestGroup
PilotGroup
Group1
Group2
228. You will need to click the + sign after adding the first value to add the additional fields
229. Click Add

Setting a Tag on Devices

We use instructions to tell the 1E Client which tags to add to each device. We have two types of Tags in Tachyon. Coverage Tags and FreeForm Tags. FreeForm tags have less stringent limitations for length but cannot be used to define coverage (you would ask a question to get a list of devices that have that freeform tag). Tag data is stored in the Tachyon Master Database for each device. The entire list of Coverage Tags on each device must not exceed 512 characters.

230. Switch to the Explorer Application. Navigate to Home
231. Click on All Instructions and Expand the Tags Instruction Set
232. Select What are the coverage tags. Leave the parameters as they are
233. Click Ask This Question
234. When the results come back notice we have 0 tags on our devices. You may need to switch to Aggregated table view
235. Notice the || in our results. These are the delimiters that will be used for the list of tags on each device. You must factor in these characters when planning for your coverage tags
236. Stop the Instruction
237. Ask the question again but this time change the coverage to All Win10 Lab Workstations Management Group. Click on Ask This Question
238. Click on Actions from the Question we just asked
239. Click All Actions
240. Expand the Tags Instruction Set. Notice the Actions we have available in this instruction set
We use these instructions to set tags and delete tags for the devices in our environment.




241. Select the Set coverage tag <tagname> to <tagvalue> action
242. Click in the first parameter field – notice our only choice is PhasedRollout. We have only created one tag in our Settings Application – Custom Properties but with multiple values. Select PhasedRollOut and PilotGroup
243. Click Perform this Action. You will have to enter your password
244. Open LiveMail and enter your Authentication Code

245. In Google Chrome – Explorer Application
246. Navigate to Notifications and Approve the Instruction number from above

247. In the Explorer Application ask the question What are the coverage tags?
248. Notice we have 2 devices set as our PhasedRollout - PilotGroup

249. Open File Explorer and Navigate to c:\ProgramData\1E\Client
250. Open the 1E.Client.log and look for the instruction number from the approval that you did
251. You will see the action of running the instruction logged and also that the Tags have changed

Asking a Question Using our Coverage Tag

Now that we have our devices tagged, we will ask another question. We will use the Device Tag for our coverage.

252. Navigate to the Home screen of the Explorer Application
253. In the I want to know field type in Operating and choose What Operating System Information Does Windows SystemInfo Report?
254. Next to Parameters click Edit
255. Expand Coverage – Tags
256. In the Select Key field choose PhasedRollout
257. In the Select Value field choose PilotGroup Click Set
258. Click Ask this Question 
259. Notice that we only have responses from our 2 Windows 10 Devices

Working with Quarantine

In the event of a security breach, Tachyon can quarantine devices. This will cut off the device from all network traffic except for the Tachyon Switch. This can contain an outbreak while the device is remediated. In this exercise, we will target a specific system and quarantine it. We with then remove it from quarantine.

Checking Quarantine State

260. Logged into 1ETRNW102 as 1ETRN\Tachyon_AdminPP
261. Open Google Chrome and Navigate to the Explorer Application
262. From the Home screen click All Instructions
263. Expand Quarantine
264. Click Are my devices quarantined?
Read the warning here – this is a very powerful feature and can take all your devices off the network if the coverage is not correct.
265. Click Ask this question
266. This is a simple query to see if the devices are actually quarantined. As you can see none of our devices are in quarantine

Quarantine a Device

In this task we are going to quarantine 1ETRNW72

267. Navigate to Explorer application – Home screen
268. In the I want to know field type in Quarantine
269. Click on Quarantine Selected Devices. Click Edit on parameters
It is possible to quarantine the Tachyon server so be extremely careful with your coverage.
270. Click coverage
271. Expand Device. Choose = in the first field and type in 1ETRNW72.1ETRN.local in the second field
Use the FQDN here to ensure you don't quarantine the wrong machine.
272. Click Set
273. Click Perform this Action
274. Type in your Password
275. Open LiveMail and enter your authentication code

276. Open LiveMail and Launch the Notification Page or refresh Chrome and navigate to Notifications
277. Approve the Request

Checking the Quarantined Device

278. In the Explorer application check the results from the instruction
279. Notice there is now 1 device quarantined
280. Click on Quarantined in Status and see the device name
281. Launch a Command Prompt and type in ping 1etrnw72. Your request will time out without a response

282. Launch a command prompt and ping 1ETRNDC
283. Ping 1ETRNCM
These should both time out without a response. Once placed in quarantine a device can only be accessed from the Tachyon server.
284. Ping Tachyon (our alias for 1ETRNAP)
This should ping as normal – all remediation efforts will have to originate from the Tachyon server for this device that is quarantined. This will greatly stop the propagation of any malware that gets introduced into your environment.
285. Launch a new browser window and navigate to Google.com
286. Notice that our device cannot get to other devices or the internet

Removing a Device from Quarantine

Now we will issue the instruction that will remove the device from quarantine. The device can only communicate with the Tachyon Switch at this time.

287. Still logged in as 1ETRN\Tachyon_Admin1
288. Open Google Chrome – the Explorer Application should still be open
289. Navigate to Home and in the I want to know field type in Quaran and Select Releases Selected devices from Quarantine
290. Click Edit on the Parameters
291. Expand Coverage – Expand Device
292. In the contains field select =
293. In the next field type in 1ETRNW72.1ETRN.Local click Set
294. Type in the entire FQDN or the instruction will fail
295. Click Perform this action
296. Type in Passw0rd and click Confirm and Send
297. Open LiveMail and copy the authentication code for Instruction X
298. Paste the code into the Authentication Code box. Click Submit

299. Still logged in as 1ETRN\Tachyon_AdminG
300. Open Chrome and refresh the page
301. In the Explorer Application navigate to Notifications
302. Approve Instruction X from above

303. In the Explorer Application – Navigate to Instructions – History
304. Select our Releases selected devices from quarantine
305. Wait for this one to complete
306. Move back to Instructions – History. Select Are my devices quarantined?
307. Rerun this instruction
308. Wait for it to complete and see that all 7 devices are now NotQuarantined
309. Open a command prompt and Ping 1ETRNW72. Device should respond

310. Ping any of the other devices in the lab
All the devices should now respond to the ping request
311. Browse to the Internet
312. The device should be able to get to the internet
The ability to quarantine devices is critical to be able to combat a security emergency. This functionality is also dangerous as the devices are only able to communicate with the Tachyon server to enable the ability to remediate the issue and the remove the quarantine. It is possible to quarantine the Tachyon Server, and this would prevent you from removing the quarantine.

Device Criticality

Within Tachyon we can classify our devices into degrees of importance or how critical the device is to an organization. We can then base our coverage of instructions on this for use in targeting. For example, if we set our domain controllers to Critical we could send an instruction and target all devices except for the Critical ones. We can also view our Guaranteed State results based on Criticality. We will look at that data in the Guaranteed State exercises

First Look at Criticality

In this task we are going to set our Lab Servers to Critical, our Windows 10 devices to High, and our Windows 7 Devices to Medium. We use instructions to set this on the device.

313. Still logged in as 1ETRN\Tachyon_Admin1
314. Navigate to the Home screen of the Explorer Application
315. In the I want to know field type in Critical. Select What is the criticality of my devices?
316. Click Ask this Question
317. Click Stop once all 7 devices have returned results
Notice that all our devices are listed as Undefined. This is how a device shows until a criticality has been set.

Setting Criticality

318. Navigate back to Home. Type Critical in the I want to know field
319. Select Set the criticality of my devices. Click Please choose in the list select Critical
320. Click Edit in the parameters row
321. Expand Coverage – Expand Management Group – Choose Lab Servers. Click Set
322. Type in Passw0rd and click Confirm and Send
323. Open LiveMail and copy the Authentication Code
324. Paste it into the Authentication Code box for Instruction XX. Click Submit

325. In the Explorer Application navigate to Notifications
326. You may need to refresh to see Instruction XX from above
327. Type something in the comment box
328. Check I understand the impact. Click Approve

329. Wait for all devices to respond
330. Repeat the Steps above to set the following:
Windows 10 = High
Windows 7 = Medium

Viewing Criticality

331. In the Explorer Application – Home – I want to know
332. Type in Critical and select What is the criticality of my devices?
333. Click Ask this question
334. Drill into each Criticality to see the devices that are assigned to each one

335. Still logged into 1ETRNAP as 1ETRN\AppInstaller
336. From the Start Menu launch SQL Management Studio
337. Connect to the Database Engine
338. Expand Databases
339. Expand TachyonMaster
340. Expand Tables
341. Right Click dbo.GlobalSetting and choose Select Top 1000 Rows
342. In the Name column look at the CriticalityMapping values
343. Right Click on dbo.Device and choose Select Top 1000 Rows
344. Scroll over to the Criticality Column to view the settings
We will revisit Device Criticality in Guaranteed State

Using the Tachyon Exchange

In this exercise we will download some product packs from the Tachyon Exchange directly from the Explorer Application and import those product packs into Tachyon.

Download the Product Packs

345. Still logged into 1ETRNAP as 1ETRN\AppInstaller
346. Launch the Settings Application
347. Navigate to Instructions – Instruction Sets
348. Click on Tachyon Exchange in the upper right
349. Scroll down and look at the product packs that are available to download
The Tachyon Exchange is a collection of both community written and 1E authored product packs. All have been verified by 1E and signed with the 1E Code Signing Certificate.
350. Explore the Tachyon Exchange to see the offerings available. When you are finished download any Product Pack you choose
351. Click on Download Product Packs
352. In the Checkout page click Free Download
353. On the Purchase Confirmation page click on the link below IT Management. Once the download completes Save the .zip to c:\temp
354. Download 2 additional product packs that interest you. Save them to c:\temp
355. Upload into Tachyon and move them into an Instruction Set

Lab Summary

In this lab, we worked with Tachyon in a variety of different ways. We added different Product Packs to Tachyon which provided us with specific functionality defined within those Product Packs. We organized the individual instructions from the Product Packs into Instruction Sets. We then asked questions and executed actions using the different instructions. We learned how to create and deploy device tags and use them for Coverage for our Instructions. We learned how to use Quarantine to help us remediate security issues and prevent further spread. We learned how to set and view Device Criticality. We then learned how to download product packs from the Tachyon Exchange and import them into Tachyon for use

Next Page
Ex 6 - TCN Opr v5.0 - Working with Patch Success