Summary

Reference information about the Tachyon Activity Record (TAR) feature, sometimes referred to as the inventory or forensics feature, and previously known as Agent Historic Data Capture.

What is Tachyon Activity Record?

The Tachyon client, while running, continuously captures details of certain activities and events as they happen, in the way that Windows Task Manager or Perfmon does. During startup, the Tachyon client is also able to detect some events that occurred while it was not running. Data is regularly written into local, compressed and encrypted persistent storage tables, which are accessible to SCALE as SQL tables. The Tachyon client periodically aggregates data in order to minimize the amount of storage required, so that each capture source has a live, hourly, daily and monthly table. The whole process is designed to minimize the impact on device performance, storage and security.

Persistent storage tables cannot be deleted or modified because they are managed by the Tachyon client and used by the Tachyon Activity Record feature. User Defined Persistent Storage Tables, by contrast, can be created, deleted and modified using SCALE because they are managed by Tachyon instructions run by users.

The Tachyon Activity Record schema is provided below. Configuration options for each capture source are described in 1E Client - Tachyon client settings: Capture source settings. With some exceptions, the defaults are the same for each capture source, but aggregation and retention settings can be set individually for each table.

To use any TAR features you must have Inventory enabled by setting Module.Inventory.enabled=true in the client configuration file.

The Tachyon client has two mechanisms for knowing when an event of interest occurs:

  • Event-based relies on a source external to the Tachyon client (normally the operating system) providing a notification to indicate that something has happened.
  • Polling-based is where the Tachyon client periodically checks a source of data and works out what has changed by looking at differences in the data returned. Because of the polling interval, brief events that occur between polls can be missed.

On Windows, the Tachyon client is able to use Event Tracing for Windows (ETW). However, if desired, the individual capture sources can be configured to use polling instead of ETW. 

Two further data collection methods run periodically (polling-based) for a short period:

  • Windows performance counters for disk, memory, network and processor performance
  • a proprietary metric collection process that tests the operating system and its software.

Capture sources

The list below gives the currently supported data capture sources, the operating systems (Windows, macOS, Linux, Solaris, Android) on which each is supported, and the capture method used by default on each. See Constraints of Legacy OS regarding Windows XP, Vista and Windows Server 2003.

ARP cache entries ($ARP_xxx)

The Tachyon client captures translations between IP addresses and MAC (physical) addresses, as held in the operating system's ARP (Address Resolution Protocol) cache.

ARP cache polling is every 30 seconds.

  • Windows: introduced in 3.2; polling on all versions of Windows
  • macOS, Linux, Solaris, Android: not yet available

Device performance ($DevicePerformance_xxx)

The Tachyon client captures metrics for device performance by interrogating Windows Performance Counters. These metrics cover disk, memory, network and processor performance.

Device performance polling is every 10 seconds.

This capture source is required by the 1E Experience application.

  • Windows: introduced in 5.0; Windows Performance Counters
  • macOS, Linux, Solaris, Android: not yet available

DNS resolutions ($DNS_xxx)

The Tachyon client captures whenever a DNS name is resolved.

When using the polling method, the polling interval is every 30 seconds.

  • Windows: introduced in 2.1; polling on Windows 8 and below, ETW on Windows 8.1 and above
  • macOS: introduced in 2.1 (not available for Mojave and later); polling
  • Linux, Solaris, Android: not yet available

Operating System performance ($OperatingSystemPerformance_xxx)

The Tachyon client captures operating system performance metrics by running a metrics executable, every four hours by default, that measures 15 metrics. The same run also detects sensitive processes (see below).

Operating system performance polling is every 4 hours (14,400 seconds).

This capture source is required by the 1E Experience application.

  • Windows: introduced in 5.0; proprietary metric collection
  • macOS, Linux, Solaris, Android: not yet available

Process executions ($Process_xxx)

The Tachyon client captures whenever a process starts on the device.

When using the polling method, the polling interval is every 30 seconds.

  • Windows: introduced in 2.1; polling on Windows XP, ETW on Windows Vista and above
  • macOS: introduced in 2.1; polling
  • Linux: introduced in 2.1; polling
  • Solaris: introduced in 2.1; polling
  • Android: not yet available

Process stabilizations ($ProcessStabilization_xxx)

The Tachyon client captures the time taken for a process to be considered stable. This is captured when a process starts on a device, provided that process is in the list of processes selected for monitoring in the 1E Client configuration file.

  • Windows: introduced in 3.2; ETW on Windows Vista and above
  • macOS, Linux, Solaris, Android: not yet available

Process usage ($ProcessUsage_Daily)

The Tachyon client captures details about running processes from start to end.

When using the polling method, the polling interval is every 30 seconds.

  • Windows: introduced in 3.2; polling on Windows XP, ETW on Windows Vista and above
  • macOS, Linux, Solaris, Android: not yet available

Sensitive processes ($SensitiveProcess_xxx)

The Tachyon client captures sensitive processes (processes that consume extra CPU when files and processes are created, registry entries are read, and so on, which suggests they are monitoring low-level operating system operations) using the same metrics executable that captures operating system performance, run every four hours by default.

Sensitive processes polling is every 4 hours (14,400 seconds).

This capture source is required by the 1E Experience application.

  • Windows: introduced in 5.0; proprietary metric collection
  • macOS, Linux, Solaris, Android: not yet available

Software installations ($Software_xxx)

The Tachyon client captures which software is present on a device, and when it is installed and uninstalled.

Software polling is every 120 seconds.

  • Windows: introduced in 2.1; polling on all versions of Windows
  • macOS: introduced in 2.1; polling
  • Linux: introduced in 2.1; polling
  • Solaris: introduced in 2.1; polling
  • Android: not yet available

Software performance ($SoftwarePerformance_xxx)

The Tachyon client captures metrics for software performance in terms of disk I/O, memory and processor usage.

Software performance polling is every 10 seconds.

This capture source is required by the 1E Experience application.

  • Windows: introduced in 5.0; Windows Performance Counters
  • macOS, Linux, Solaris, Android: not yet available

TCP outbound connections ($TCP_xxx)

The Tachyon client captures whenever an outbound TCP connection is made.

When using the polling method, the polling interval is every 30 seconds.

  • Windows: introduced in 2.1; polling on Windows XP, ETW on Windows Vista and above
  • macOS: introduced in 2.1; polling
  • Linux: introduced in 2.1; polling
  • Solaris, Android: not yet available

User usage ($UserUsage_Daily)

The Tachyon client captures details about user sessions from login to logout. System accounts, such as those used to run services, are therefore excluded.

The polling interval is every 30 seconds.

  • Windows: introduced in 3.2; polling on all versions of Windows
  • macOS, Linux, Solaris, Android: not yet available

How do I retrieve the data from Tachyon client devices?

Live and aggregated Tachyon Activity Record data is stored in the following persistent storage tables. You can query these using ordinary SELECT statements.

  • ARP cache entries: $ARP_Live, $ARP_Hourly, $ARP_Daily, $ARP_Monthly
  • Device performance: $DevicePerformance_Live, $DevicePerformance_Hourly, $DevicePerformance_Daily, $DevicePerformance_Monthly
  • DNS resolutions: $DNS_Live, $DNS_Hourly, $DNS_Daily, $DNS_Monthly
  • Operating System performance: $OperatingSystemPerformance_Live, $OperatingSystemPerformance_Hourly, $OperatingSystemPerformance_Daily, $OperatingSystemPerformance_Monthly
  • Process executions: $Process_Live, $Process_Hourly, $Process_Daily, $Process_Monthly
  • Process stabilizations: $ProcessStabilization_Live, $ProcessStabilization_Hourly, $ProcessStabilization_Daily, $ProcessStabilization_Monthly
  • Process usage: $ProcessUsage_Daily only (no live, hourly or monthly table)
  • Sensitive processes: $SensitiveProcess_Live, $SensitiveProcess_Hourly, $SensitiveProcess_Daily, $SensitiveProcess_Monthly
  • Software installations: $Software_Live, $Software_Hourly, $Software_Daily, $Software_Monthly
  • Software performance: $SoftwarePerformance_Live, $SoftwarePerformance_Hourly, $SoftwarePerformance_Daily, $SoftwarePerformance_Monthly
  • TCP outbound connections: $TCP_Live, $TCP_Hourly, $TCP_Daily, $TCP_Monthly
  • User usage: $UserUsage_Daily only (no live, hourly or monthly table)
Example - querying historic captured data
/* Sum the number of connections made per process today */
SELECT  SUM(ConnectionCount) AS Connections
,     ProcessName
FROM   $TCP_Daily
WHERE   TS = DATETRUNC(STRFTIME("%s", "now"), "day")
GROUP BY ProcessName;

Note that the example below uses LIKE. The inventory tables are not created with COLLATE NOCASE, so comparisons with = are case-sensitive: WHERE ProcessName = "chrome.exe" will not match "Chrome.exe" or "chrome.EXE", whereas LIKE matches regardless of case.

Example - handling case-sensitivity
SELECT * FROM $Process_Live WHERE ProcessName LIKE "chrome.exe"
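The case-sensitivity point above has a second consequence that the page's per-process query does not show: GROUP BY ProcessName splits one binary across several rows if its name was recorded with different casing. The following is an added example, not code from the page or from 1E. It uses Python's sqlite3 as a stand-in for the client's persistent store, with constructed rows in a table named "$TCP_Daily" (quoted, because $ would otherwise be a bind parameter in stock SQLite); the column names are assumed from the page's own example query.

```python
import sqlite3
from datetime import datetime, timezone

# Midnight UTC today, the TS value used for today's rows in a Daily table.
TODAY = int(datetime.now(timezone.utc).replace(
    hour=0, minute=0, second=0, microsecond=0).timestamp())

# Constructed sample rows standing in for $TCP_Daily. The column names follow
# the page's example query; the real table is filled by the Tachyon client.
SAMPLE_TCP_DAILY = [
    # (TS, ProcessName, ConnectionCount)
    (TODAY, "chrome.exe", 40),
    (TODAY, "Chrome.exe", 15),          # same binary, recorded with different casing
    (TODAY, "chrome.EXE", 5),
    (TODAY, "outlook.exe", 12),
    (TODAY - 86400, "chrome.exe", 99),  # yesterday's row, must not be counted
]


def open_store():
    """In-memory SQLite database standing in for the client's persistent store."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "$TCP_Daily" '
                 '(TS INTEGER, ProcessName TEXT, ConnectionCount INTEGER)')
    conn.executemany('INSERT INTO "$TCP_Daily" VALUES (?, ?, ?)', SAMPLE_TCP_DAILY)
    return conn


def connections_today(conn, name, case_sensitive):
    """Total of today's connections for one process name.

    '=' is case-sensitive because the TAR tables are not COLLATE NOCASE;
    LIKE (without wildcards) matches ASCII letters regardless of case.
    The operator is chosen from two fixed strings, never from user input."""
    op = "=" if case_sensitive else "LIKE"
    row = conn.execute(
        f'SELECT COALESCE(SUM(ConnectionCount), 0) FROM "$TCP_Daily" '
        f'WHERE TS = ? AND ProcessName {op} ?', (TODAY, name)).fetchone()
    return row[0]


def connections_per_process(conn, fold_case):
    """The page's 'connections per process today' query, with and without
    folding the name to lower case. Without folding, one binary whose name
    was recorded with different casing is split across several rows."""
    key = "lower(ProcessName)" if fold_case else "ProcessName"
    rows = conn.execute(
        f'SELECT {key} AS Name, SUM(ConnectionCount) AS Connections '
        f'FROM "$TCP_Daily" WHERE TS = ? GROUP BY {key} ORDER BY Name',
        (TODAY,))
    return dict(rows.fetchall())


if __name__ == "__main__":
    db = open_store()
    print("= chrome.exe   :", connections_today(db, "chrome.exe", True))
    print("LIKE chrome.exe:", connections_today(db, "chrome.exe", False))
    print("naive grouping :", connections_per_process(db, False))
    print("folded grouping:", connections_per_process(db, True))
```

When counting per process in the real tables, group by lower(ProcessName) (or compare with LIKE) so that the same executable is not reported as three different processes.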

How is the data managed?

The Tachyon client automatically aggregates and grooms data in each inventory table, according to aggregation intervals and data retention settings which are configurable in the 1E Client configuration file.

  • Default aggregation cycle interval is every 60 seconds, therefore it may take up to a minute before an event appears in an aggregated table
  • Default retention for live tables is 5000 entries provided at least 3 aggregation cycles have occurred (older entries are deleted to make room for new entries)
  • Default retention for hourly tables is a rolling 24 hours.
  • Default retention for daily tables is a rolling 31 days.
  • Default retention for monthly tables is a rolling 12 months.

Each aggregated table is built from the live table, and does not have a dependency on other aggregated tables. For example, Monthly is fed by Live, not fed by Daily. This allows retention settings to be configured independently for each table.

Data is stored in a local, compressed and encrypted persistent store, which persists during a Tachyon client upgrade, uninstall and re-installation, unless specifically deleted.

If the Tachyon client is unable to write to storage (out of disk space or other file-system problems), the write fails, but the client continues monitoring so that data can be written once the situation improves.

Tachyon Activity Record schema

The following list shows, for each data source, the fields that exist only in the Live table and the fields that exist only in the aggregated (Hourly, Daily, Monthly) tables. It is provided to help you avoid schema errors when the same query is run against different tables.

  • ARP cache entries: no live-only or aggregated-only fields
  • Device performance: aggregated only: SampleCount
  • DNS resolutions: aggregated only: LookupCount
  • Operating System performance: aggregated only: ExecutionCount
  • Process executions: live only: CommandLine, ProcessId, ParentProcessId; aggregated only: ExecutionCount
  • Process stabilizations: live only: ProcessId, StabilizationTimeMs; aggregated only: ExecutionCount, TotalStabilizationTimeMs
  • Process usage: all fields are only available in $ProcessUsage_Daily
  • Sensitive processes: aggregated only: DetectionCount
  • Software installations: live only: IsUninstall; aggregated only: InstallCount, UninstallCount
  • Software performance: aggregated only: SampleCount
  • TCP outbound connections: live only: ProcessId; aggregated only: ConnectionCount
  • User usage: no live-only or aggregated-only fields

Timestamps

The timestamp column (TS) in each table is stored in Unix Epoch format, defined as the number of seconds that have elapsed since 00:00:00 Coordinated Universal Time (UTC) on Thursday, 1 January 1970.

To convert to a readable text format use the EPOCHTOJSON function. See also datetime handling.

Example - converting Unix Epoch timestamps
SELECT Fqdn, EPOCHTOJSON(TS) AS TS_ FROM $DNS_Hourly WHERE Fqdn LIKE "%facebook%";

Timestamps are truncated in the aggregated tables.

  • Hourly - time is truncated to each hour - so an event that occurred at 2017-01-27 18:03:54 would be included in the summary for 2017-01-27 18:00:00
  • Daily - time is truncated to midnight on each day - so an event that occurred at 2017-01-27 18:03:54 would be included in the summary for 2017-01-27 00:00:00
  • Monthly - time is truncated to midnight on the first day of each month - so an event that occurred at 2017-01-27 18:03:54 would be included in the summary for 2017-01-01 00:00:00
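To see the truncation rules and the "every aggregated table is built from Live" rule together, here is an added example (not code from the page or from 1E). It models a "$TCP_Live" table and its Hourly, Daily and Monthly tables in Python's sqlite3 with constructed events, one of them at the page's 2017-01-27 18:03:54. DATETRUNC is registered as a Python function so the SQL reads like the page's example; its (epoch, unit) signature is assumed from that example, and the column set (TS, ProcessName, ProcessId live-only, ConnectionCount aggregated-only) follows the schema notes above.

```python
import sqlite3
from datetime import datetime, timezone

UNITS = {"hour": "Hourly", "day": "Daily", "month": "Monthly"}


def truncate_epoch(ts, unit):
    """Truncate a Unix epoch (UTC) to the start of its hour, day or month.

    Registered below as DATETRUNC so the SQL reads like the page's example;
    the real DATETRUNC's exact signature is an assumption taken from it."""
    dt = datetime.fromtimestamp(int(ts), tz=timezone.utc)
    if unit == "hour":
        dt = dt.replace(minute=0, second=0, microsecond=0)
    elif unit == "day":
        dt = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    elif unit == "month":
        dt = dt.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
    else:
        raise ValueError(f"unknown unit {unit!r}")
    return int(dt.timestamp())


def epoch_text(ts):
    """Readable UTC text for an epoch value (what EPOCHTOJSON gives you in SCALE)."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def epoch(text):
    return int(datetime.strptime(text, "%Y-%m-%d %H:%M:%S")
               .replace(tzinfo=timezone.utc).timestamp())


# Constructed live events: (TS, ProcessName, ProcessId). ProcessId is a
# live-only field and is dropped by aggregation, as the schema notes say.
SAMPLE_TCP_LIVE = [
    (epoch("2017-01-27 18:03:54"), "chrome.exe", 4120),   # the page's example time
    (epoch("2017-01-27 18:45:10"), "chrome.exe", 4120),
    (epoch("2017-01-27 18:30:00"), "outlook.exe", 5588),
    (epoch("2017-01-27 19:02:00"), "chrome.exe", 4130),
    (epoch("2017-01-28 09:00:00"), "chrome.exe", 4201),
    (epoch("2017-02-03 12:00:00"), "chrome.exe", 7000),
]


def open_store():
    conn = sqlite3.connect(":memory:")
    conn.create_function("DATETRUNC", 2, truncate_epoch)
    conn.execute('CREATE TABLE "$TCP_Live" (TS INTEGER, ProcessName TEXT, ProcessId INTEGER)')
    conn.executemany('INSERT INTO "$TCP_Live" VALUES (?, ?, ?)', SAMPLE_TCP_LIVE)
    for table in UNITS.values():
        conn.execute(f'CREATE TABLE "$TCP_{table}" '
                     '(TS INTEGER, ProcessName TEXT, ConnectionCount INTEGER)')
    return conn


def aggregate(conn, unit):
    """Rebuild one aggregated table from the Live table only (never from
    another aggregated table), with TS truncated to the period start."""
    table = UNITS[unit]
    conn.execute(f'DELETE FROM "$TCP_{table}"')
    conn.execute(
        f'INSERT INTO "$TCP_{table}" (TS, ProcessName, ConnectionCount) '
        'SELECT DATETRUNC(TS, ?), ProcessName, COUNT(*) '
        'FROM "$TCP_Live" GROUP BY DATETRUNC(TS, ?), ProcessName', (unit, unit))


def rows(conn, unit):
    """Aggregated rows as (readable TS, ProcessName, ConnectionCount)."""
    cur = conn.execute(f'SELECT TS, ProcessName, ConnectionCount FROM "$TCP_{UNITS[unit]}" '
                       'ORDER BY TS, ProcessName')
    return [(epoch_text(ts), name, n) for ts, name, n in cur]


def monthly_survives_daily_purge(conn):
    """Grooming the Daily table (31-day retention) must not change Monthly,
    because Monthly is fed from Live, not from Daily."""
    for unit in UNITS:
        aggregate(conn, unit)
    before = rows(conn, "month")
    conn.execute('DELETE FROM "$TCP_Daily"')      # simulate retention grooming
    aggregate(conn, "month")
    return before == rows(conn, "month")


if __name__ == "__main__":
    db = open_store()
    for u in UNITS:
        aggregate(db, u)
        for r in rows(db, u):
            print(UNITS[u], r)
    print("Monthly unaffected by Daily purge:", monthly_survives_daily_purge(db))
```

The practical consequence: a query against an aggregated table must compare TS with the truncated period start (for example TS = DATETRUNC(..., "day") as in the page's example), never with the event time itself, and purging one aggregated table never loses data in another.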

ARP cache entries

The following table shows fields available in the $ARP_ tables.

CacheCount (integer; tables: All)
    The number of times that the combination of IpAddress, MacAddress and Subnet was seen in the ARP cache during this time period. Sample value: 1234

IpAddress (string; tables: All)
    The IP address that was resolved using ARP. Sample value: 192.168.11.12

MacAddress (string; tables: All)
    The MAC (physical) address to which the IP address was resolved. Sample value: 58-82-a8-93-4c-da

Subnet (string; tables: All)
    The CIDR-format IP subnet to which the resolved IP address belongs. Sample value: 192.168.11.0/8

TS (integer; tables: All)
    When the record was added to the table. See Timestamps. Sample value: 1500756083

The Tachyon client polls the operating system ARP cache periodically. Since the lifetime of an entry in the ARP cache can be variable, if an entry in the ARP cache is encountered which is already present in the Tachyon client's database, the Tachyon client will increment the CacheCount field on the table for that row, and update the timestamp (TS) field to the current time. To that end, the CacheCount field can be used to determine how frequently a particular entry was observed in the operating system's cache.
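The merge rule just described (increment CacheCount and refresh TS when a cache entry is seen again) is what makes the ARP tables useful for spotting an IP address that suddenly answers from a second MAC address, the classic ARP spoofing indicator. The following is an added example, not code from the page or from 1E: it models that merge over constructed 30-second polls in a "$ARP_Live" table in Python's sqlite3 and then runs the detection query. The insertion logic is a model of the behaviour the text describes, not the client's own implementation.

```python
import sqlite3

POLL_INTERVAL = 30  # seconds, the ARP polling interval given above


def open_store():
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "$ARP_Live" (IpAddress TEXT, MacAddress TEXT, Subnet TEXT, '
                 'CacheCount INTEGER, TS INTEGER)')
    return conn


def record_poll(conn, now, cache_entries):
    """Merge one poll of the OS ARP cache into $ARP_Live as the text above
    describes: an (IpAddress, MacAddress, Subnet) already present gets its
    CacheCount incremented and its TS moved to now; a new one is inserted."""
    for ip, mac, subnet in cache_entries:
        updated = conn.execute(
            'UPDATE "$ARP_Live" SET CacheCount = CacheCount + 1, TS = ? '
            'WHERE IpAddress = ? AND MacAddress = ? AND Subnet = ?',
            (now, ip, mac, subnet)).rowcount
        if updated == 0:
            conn.execute('INSERT INTO "$ARP_Live" VALUES (?, ?, ?, 1, ?)',
                         (ip, mac, subnet, now))


def ips_with_multiple_macs(conn):
    """IP addresses that resolved to more than one MAC. For each, the MACs
    ordered by how often they were seen, so a long-lived mapping stands out
    from a newcomer that appeared in only one poll."""
    flagged = [r[0] for r in conn.execute(
        'SELECT IpAddress FROM "$ARP_Live" GROUP BY IpAddress '
        'HAVING COUNT(DISTINCT MacAddress) > 1 ORDER BY IpAddress')]
    return {ip: conn.execute(
                'SELECT MacAddress, CacheCount, TS FROM "$ARP_Live" '
                'WHERE IpAddress = ? ORDER BY CacheCount DESC, MacAddress',
                (ip,)).fetchall()
            for ip in flagged}


# Constructed polls: ten quiet polls, then the gateway's IP answers from a new MAC.
T0 = 1500756083                      # the page's sample TS value
GATEWAY, HOST = "192.168.11.1", "192.168.11.12"
SUBNET = "192.168.11.0/24"
QUIET = [(GATEWAY, "aa-bb-cc-dd-ee-01", SUBNET), (HOST, "58-82-a8-93-4c-da", SUBNET)]
SPOOFED = [(GATEWAY, "de-ad-be-ef-00-01", SUBNET), (HOST, "58-82-a8-93-4c-da", SUBNET)]


def run_scenario():
    conn = open_store()
    now = T0
    for _ in range(10):
        record_poll(conn, now, QUIET)
        now += POLL_INTERVAL
    record_poll(conn, now, SPOOFED)
    return conn, ips_with_multiple_macs(conn)


if __name__ == "__main__":
    _, flagged = run_scenario()
    for ip, macs in flagged.items():
        print(ip, "seen with", len(macs), "MACs:", macs)
```

The same GROUP BY IpAddress HAVING COUNT(DISTINCT MacAddress) > 1 query works against $ARP_Daily or $ARP_Monthly on a real device, where CacheCount is summed over the period; a legitimate NIC replacement also produces two MACs, so the TS of the older mapping tells you whether the old one stopped being seen.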

Device performance

The following table shows fields available in the $DevicePerformance_ tables.

DiskOthersAverageQueueLength (real; tables: All)
    Average queue length for non-system disk(s). A high value indicates that these disk(s) are not keeping up with the I/O backlog. Sample value: 0.041

DiskOthersAverageSecondsPerWrite (real; tables: All)
    Average time taken for non-system disk(s) to perform a write. A high value indicates that these disk(s) are taking too long to service write requests. Sample value: 0.00177

DiskOthersFreeSpaceMegabytes (integer; tables: All)
    The free disk space across non-system disk(s). A lower value indicates that these disks are running low on space and space may need to be released. Sample value: 1513894

DiskOthersSplitIoPerSecond (real; tables: All)
    The I/O operations which were broken into multiple requests across non-system disk(s). A high value may indicate excessive disk fragmentation. Sample value: 0.02669

DiskOthersUsageTimePercent (real; tables: All)
    The percentage of time that non-system disk(s) were servicing requests. A high value indicates these disk(s) may be excessively busy. Sample value: 3.1447

DiskSystemAverageQueueLength (real; tables: All)
    Average queue length for the system disk. A high value indicates that this disk is not keeping up with the I/O backlog. Sample value: 0.06877

DiskSystemAverageSecondsPerWrite (real; tables: All)
    Average time taken for the system disk to perform a write. A high value indicates that this disk is taking too long to service write requests. Sample value: 0.001319

DiskSystemFreeSpaceMegabytes (integer; tables: All)
    The free disk space on the system disk. A lower value indicates that this disk is running low on space and space may need to be released. Sample value: 27261

DiskSystemSplitIoPerSecond (real; tables: All)
    The I/O operations that were broken into multiple requests on the system disk. A high value may indicate excessive disk fragmentation. Sample value: 0.9275

DiskSystemUsageTimePercent (real; tables: All)
    The percentage of time that the system disk was servicing requests. A high value indicates this disk may be excessively busy. Sample value: 3.8339

MemoryHardPageFaultsPerSecond (real; tables: All)
    The number of memory pages per second that had to be read from disk-based storage. A higher value indicates this device is low on available physical memory. Sample value: 0.2385

MemoryPageFileUsagePercent (real; tables: All)
    The percentage of the page file that is in use. A higher value indicates heavier page file use, which may mean the device is low on available physical memory. Sample value: 9.6219

MemoryUsageMegabytes (integer; tables: All)
    The amount of physical memory in use. Sample value: 27946

MemoryUsagePercent (real; tables: All)
    The percentage of physical memory in use. A higher value indicates higher memory consumption, and therefore less available physical memory. Sample value: 85.43

NetworkActiveTcpConnections (integer; tables: All)
    The average number of active (inbound and outbound) TCP connections. Sample value: 90

NetworkBytesReceivedPerSecond (integer; tables: All)
    The average number of bytes received per second across all network adapters. Sample value: 2145

NetworkBytesSentPerSecond (integer; tables: All)
    The average number of bytes sent per second across all network adapters. Sample value: 1579

NetworkSaturationPercent (integer; tables: All)
    Not yet implemented. Sample value: 0

ProcessorInterruptTimePercent (real; tables: All)
    The percentage of time the CPU spent servicing interrupts. A higher value may indicate faulty or misconfigured hardware or drivers. Sample value: 0.23485

ProcessorQueueLength (real; tables: All)
    The CPU queue length (backlog of processing work). A higher value means that the CPU is not keeping up with the workload. Sample value: 0.33

ProcessorTimePercent (real; tables: All)
    The CPU load. A higher value indicates that the CPU is fully loaded and additional processing power may be required. Sample value: 15.10

ProcessorTimeSeconds (real; tables: All)
    The average number of CPU seconds (amount of processor work) per second. A value of 1 indicates that a single CPU core was entirely busy for a second. Sample value: 143.12

SampleCount (integer; tables: $DevicePerformance_Hourly, $DevicePerformance_Daily, $DevicePerformance_Monthly)
    Number of samples used to form this aggregated row. Sample value: 4244

TS (integer; tables: All)
    When the record was added to the table. See Timestamps. Sample value: 1500756083

UserRating (integer; tables: All)
    Not yet implemented. Sample value: 0

New in 5.0 this capture source is used by the Tachyon Experience application.

DNS resolutions

The following table shows fields available in the $DNS_ tables.

Fqdn (string; tables: All)
    The FQDN which is being resolved. Sample value: client-office365-tas.msedge.net

LookupCount (integer; tables: $DNS_Hourly, $DNS_Daily, $DNS_Monthly)
    Sum of resolutions per FQDN within the hour, day, month. Sample value: 1234

TS (integer; tables: All)
    When the record was added to the table. See Timestamps. Sample value: 1500756083

When using polling, the local DNS cache is queried for all unique FQDNs. This includes an initial scan of cache entries created before the Tachyon client starts, which are stored with the same timestamp. New entries that appear in the cache are deemed to correspond to new resolutions and stored with the timestamp of when the polling occurred.

When using ETW, the Tachyon client attempts to capture DNS queries at the point that they are made. The query is captured, not the result of that query. That is, the Tachyon client will capture a request to resolve an FQDN which may ultimately not be resolvable. The DNS cache is not scanned.

Operating System performance

The following table shows fields available in the $OperatingSystemPerformance_ tables.

CpuSeconds (real; tables: All)
    The time, in seconds, measured for the metric named in the Metric column. Sample value: 9.1E-05

ExecutionCount (integer; tables: $OperatingSystemPerformance_Hourly, $OperatingSystemPerformance_Daily, $OperatingSystemPerformance_Monthly)
    Number of times the metric was measured within the hour, day, month. Sample value: 1

Metric (string; tables: All)
    A row for each of the following 15 metrics:

      • BootTime: Most recent time taken, in seconds, for the device to boot to the logon prompt. A long boot-up duration may influence user satisfaction.
      • CreateFile: Time taken to create an empty, temporary file. A high value indicates that the operating system may be underperforming for basic file operations.
      • CreateProcess: The time taken to create a new process. A high value indicates that the operating system is taking a long time to create new processes.
      • CreateThread: The time taken to create a new thread within a process. A high value indicates that the operating system is taking a long time to create new threads.
      • CreateWindow: The time taken to generate an empty window. A high value indicates poor Windows desktop performance, which may cause applications to appear unresponsive.
      • DiskRand: The time taken to perform a random access disk operation on the system drive. A high value indicates poor random disk access performance.
      • DiskSeq: The time taken to perform a sequential access disk operation on the system drive. A high value indicates poor sequential disk access performance.
      • LoadDLL: The time taken to load and unload a DLL in a process. A high value indicates library loading is slow, which may affect the startup time of applications.
      • Memory: The time taken to allocate, zero and free a block of memory. A high value indicates that the operating system is slow to serve memory requests, which may affect application performance.
      • MessageDispatch: The time taken to dispatch and confirm processing of a Windows message. A high value indicates poor message processing throughput, which may affect application responsiveness.
      • OpenHandle: The time taken to acquire a basic operating system resource. A high value indicates that applications may underperform because the operating system is slow to service resource requests.
      • RegReadHKLM: The time taken to read from the HKLM Windows Registry hive. A high value indicates poor registry read performance, which in turn may affect application performance.
      • RegWriteHKCU: The time taken to write to the HKCU Windows Registry hive. A high value indicates poor registry write performance, which in turn may affect application performance.
      • RegWriteHKLM: The time taken to write to the HKLM Windows Registry hive. A high value indicates poor registry write performance, which in turn may affect application performance.
      • UDPSend: The time taken to perform a basic loopback UDP send. A high value may indicate problems with the operating system network stack.

TS (integer; tables: All)
    When the record was added to the table. See Timestamps. Sample value: 1500756083

New in 5.0 this capture source is used by the Tachyon Experience application.

Process executions

All platforms except Android. The following table shows fields available in the $Process_ tables.

CommandLine (string; tables: $Process_Live)
    The full command line of the process, including (on Windows) the executable name. Sometimes the executable name part of the command line is quoted and sometimes it is not; this depends on how the parent process launched the child, so you may see a mix of command lines such as:
      • "C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE"
      • \??\C:\Windows\system32\conhost.exe 0x4
      • C:\Windows\system32\svchost.exe -k UnistackSvcGroup
      • "C:\Windows\system32\VmConnect.exe" "1EUKDEVWKS1231" "TCH-CLI-WXPX86" -G "B2C72520-BBC6-4736-BBBC-5CCF50FE6666" -C "0"

ExecutableHash (string; tables: All)
    The MD5 hash of the process executable. Sample value: dae0bb0a7b2041115cfd9b27d73e0391

ExecutableName (string; tables: All)
    The filename (including extension) of the process executable. Sample value: vmconnect.exe

ExecutablePath (string; tables: All)
    The path and filename of the process executable. On Windows, this is the NT-device format version of the path (as a process does not necessarily need to have been launched from a device which has a drive-letter mapping). Sample value: \device\harddiskvolume8\windows\system32\vmconnect.exe

ExecutionCount (integer; tables: $Process_Hourly, $Process_Daily, $Process_Monthly)
    Sum of executions per executable within the hour, day, month. Sample value: 1234

ParentExecutableName (string; tables: All)
    The filename (including extension) of the executable of the process which spawned this one. Sample value: mmc.exe

ParentProcessId (integer; tables: $Process_Live)
    The process ID of the process which spawned this one. Sample value: 2088

ProcessId (integer; tables: $Process_Live)
    Operating-system dependent process ID. Sample value: 178

TS (integer; tables: All)
    When the record was added to the table. See Timestamps. Sample value: 1500756083

UserName (string; tables: All)
    The name of the user in whose session the process was launched (or blank if it is a system-launched process). Sample value: 1E\bill.gates

On Windows, the 1E Client service runs as LOCAL SYSTEM, therefore details of almost every process will be available to the Tachyon client features; however some processes may not be accessible because of permissions.

The Tachyon client captures process starts; it does not track how long the process has been running, or how much CPU-time (or user/kernel/active time) the process has used.

Each time the Tachyon client starts it does an initial scan of running processes before it starts capturing, and records those processes with the time of the scan rather than their actual start time.

The UserName field is derived from the session in which the process was executed, and doesn't necessarily reflect the user in whose context the process was executed.
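Because the executable part of CommandLine may be quoted, unquoted, or carry the \??\ object-manager prefix, hunting on command lines needs a small normalizer before you can compare against an executable name or pull out the arguments. The following is an added example, not code from the page or from 1E; the sample rows are constructed from the command lines listed above (with the git-credential-manager path from the Process usage section), and the ProcessId values are made up. The unquoted-path-with-spaces rule (take tokens up to the first one ending in .exe) is a heuristic of this example, not documented client behaviour.

```python
import re

NT_PREFIX = "\\??\\"   # the literal \??\ prefix seen on conhost's command line


def parse_command_line(command_line):
    """Split a raw CommandLine value into (executable_name, executable_path, arguments).

    Handles the forms the page lists: a quoted path with or without arguments,
    an unquoted path, and the \\??\\ NT object-manager prefix. For an unquoted
    path containing spaces, tokens up to the first one ending in .exe are taken
    as the path (a heuristic; CreateProcess itself tries each prefix in turn)."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        raw, rest = (s[1:end], s[end + 1:]) if end != -1 else (s[1:], "")
    else:
        tokens = s.split()
        cut = 1
        for i, tok in enumerate(tokens):
            if tok.lower().endswith(".exe"):
                cut = i + 1
                break
        raw, rest = " ".join(tokens[:cut]), " ".join(tokens[cut:])
    path = raw[len(NT_PREFIX):] if raw.startswith(NT_PREFIX) else raw
    name = re.split(r"[\\/]", path)[-1].lower()
    return name, path, rest.strip()


# Constructed rows standing in for $Process_Live: (CommandLine, ExecutableName, ProcessId).
SAMPLE_PROCESS_LIVE = [
    (r'"C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE"', "OUTLOOK.EXE", 6120),
    (r'\??\C:\Windows\system32\conhost.exe 0x4', "conhost.exe", 3328),
    (r'C:\Windows\system32\svchost.exe -k UnistackSvcGroup', "svchost.exe", 1204),
    (r'"C:\Windows\system32\VmConnect.exe" "1EUKDEVWKS1231" "TCH-CLI-WXPX86" '
     r'-G "B2C72520-BBC6-4736-BBBC-5CCF50FE6666" -C "0"', "vmconnect.exe", 7788),
    (r'C:\Program Files\Git\mingw64\libexec\git-core\git-credential-manager.exe get',
     "git-credential-manager.exe", 9001),
]


def find_processes(rows, executable_name, argument_substring=None):
    """ProcessIds whose parsed executable matches case-insensitively and whose
    arguments, optionally, contain a substring (e.g. a service group or GUID).
    Matching on the parsed CommandLine rather than ExecutableName = '...'
    sidesteps the case-sensitivity trap described earlier on the page."""
    wanted = executable_name.lower()
    hits = []
    for command_line, _exe_name, pid in rows:
        name, _path, args = parse_command_line(command_line)
        if name == wanted and (argument_substring is None
                               or argument_substring.lower() in args.lower()):
            hits.append(pid)
    return hits


if __name__ == "__main__":
    for command_line, _, _ in SAMPLE_PROCESS_LIVE:
        print(parse_command_line(command_line))
    print("svchost UnistackSvcGroup:", find_processes(SAMPLE_PROCESS_LIVE, "SVCHOST.EXE", "unistack"))
```

The parsed path is still a Win32 path (C:\...), whereas the ExecutablePath column holds the NT-device form (\device\harddiskvolumeN\...); joining the two needs the device-to-drive mapping of the device in question, which these tables do not record.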

Process stabilizations

Windows only. The following table shows fields available in the $ProcessStabilization_ tables.

ExecutableName (string; tables: All)
    The filename (including extension) of the process executable. Sample value: vmconnect.exe

ExecutionCount (integer; tables: $ProcessStabilization_Hourly, $ProcessStabilization_Daily, $ProcessStabilization_Monthly)
    Sum of executions per executable and username within the hour, day, month. For example, vmconnect.exe run by 1e\user1 and vmconnect.exe run by 1e\user2 will have separate rows and thus will be summed separately. Sample value: 53

ProcessId (integer; tables: $ProcessStabilization_Live)
    Operating-system dependent process ID. Sample value: 178

StabilizationTimeMs (integer; tables: $ProcessStabilization_Live)
    The time taken for the process to be considered stable, measured in milliseconds. This will be a multiple of 100. Sample value: 4500

TotalStabilizationTimeMs (integer; tables: $ProcessStabilization_Hourly, $ProcessStabilization_Daily, $ProcessStabilization_Monthly)
    Sum of the time taken to be considered stable per executable and username within the hour, day, month. For example, vmconnect.exe run by 1e\user1 and vmconnect.exe run by 1e\user2 will have separate rows and thus will be summed separately. Sample value: 864300

TS (integer; tables: All)
    When the record was added to the table. See Timestamps. Sample value: 1500756083

UserName (string; tables: All)
    The name of the user in whose session the process was launched (or blank if it is a system-launched process). Sample value: 1e\bill.gates

On Windows, the 1E Client service runs as LOCAL SYSTEM, therefore details of almost every process will be available; however some processes may not be accessible because of permissions. The Tachyon client captures only information that can be accessed by LOCAL SYSTEM - as such it does not check the UI responsiveness of a process.

By default, process stabilization monitoring is not active. To enable, the process names must be specified in the 1E Client configuration file as follows:

  • Add Module.Inventory.ProcessStabilization.MonitoredProcesses=<string> to the 1E Client configuration file.
  • This is a list of comma separated values, and the case is not significant. For example, winword.exe and WINWORD.EXE are treated the same.
  • The list of monitored processes does not currently have a limit, however adding a large list of processes to monitor can cause performance degradation and the process stabilization time will become less accurate.

A process's resource usage is tracked, and it is considered stable once its resource utilisation has stopped fluctuating. The margin within which a process is considered stable can be modified in the 1E Client configuration file. Changing it from the default is not recommended.

  • This margin is controlled by the fuzziness configuration setting.
  • Add Module.Inventory.ProcessStabilization.Fuzziness=<integer> to the 1E Client configuration file. It cannot be lower than 1, and cannot exceed 66. The default is 5.

A process that exits before it is considered stable is not recorded. Currently, such processes are discarded, and a warning is logged when this occurs.

The accuracy of process monitoring decreases if more processes need to be monitored concurrently. For example, accuracy will decrease if many processes are started at the same time. Warnings are logged when this occurs.

The accuracy of the process monitoring decreases if the system is under considerable load, for example high disk or CPU stress.

Aggregation is grouped by the UserName and ExecutableName fields. Unlike process executions, process stabilization values for UserName and ExecutableName are lower case.

Process usage

Windows only. The following table shows fields available in the $ProcessUsage_Daily table.

CommandLine (string)
    A single instance of the command used to launch the executable, most probably the first one. It does not reflect differences if other instances are launched with a slightly different command line; it is an indication of a typical command line for this executable. Sample value: C:\Program Files\Git\mingw64\libexec\git-core\git-credential-manager.exe

Duration (integer)
    The number of minutes covered by the individual execution(s) of at least one instance of this executable. Duration can never be more than 1440 minutes, being the number of minutes in a day. Sample value: 1

ExecutableHash (string)
    The MD5 hash of the binary that contains the entry point (usually an exe). Sample value: ad3ec70ae9e82582bdf6aa6fd5811376

ExecutableName (string)
    The name of the binary that contains the entry point, obtained from stamped version information where possible, and from the filename if not. Sample value: git-credential-manager.exe

ExecutableSize (integer)
    The size of the binary whose hash is in ExecutableHash. Sample value: 131168

ExecutableVersion (string)
    The version information stamped into the executable, where available. Sample value: 1.5.0.0

ExecutionCount (integer)
    The number of instances observed during the Duration period. Sample value: 2

IsOSProcess (integer)
    A value of 1 indicates that this is categorised as an operating system process by the rules in place. A value of 0 indicates that it is not. Sample value: 0

LastSeen (integer)
    The UTC timestamp of when the last instance of the executable (of all the accumulated subjects of this record) was last seen (polling) or actually exited (events). Sample value: 1526982245

    Whilst any instance is running, for the current day's records, LastSeen will creep across the day and Duration will increase as time passes if the process remains running.

    Once midnight is crossed, the daily records for yesterday are 'closed off' by setting LastSeen = TS + 86400 (the number of seconds in a day), which is midnight of the next day.

    If all instances of one binary have exited and are never run again that day, then the LastSeen field for that daily record will 'stick' at one value and never change again.

    In other words, the maximum difference between TS and LastSeen in a single row is 86400, being the number of seconds in a day.

    Tracking of an execution summary from one day to the next ("carry-over") can be achieved by looking for a record whose TS (tomorrow) equals LastSeen (today), with all the other key information the same. If no record satisfying the 'carry-over' condition is found, then the process did not continue across midnight.

    Note that a process that dies after 23:59:00 and starts before 00:01:00 the next day will appear to be a continuous process in the summary tables, even though it could have stopped for nearly two minutes. This is because the resolution of the table is the start of the minute in which the event occurred.

TS (integer)
    When the record was added to the table. See Timestamps. This is the midnight UTC that starts the 24 hours covered by this record. Sample value: 1526947200

The Tachyon client captures executable usage; this is from the moment the executable is turned into a process, hence the process usage. The Process Usage data presented is grouped by executable binary, and parallel runs are accumulated in the ExecutionCount, but not in the Duration, where coverage time period is desired instead.
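The carry-over rule in the LastSeen description (tomorrow's TS equals today's LastSeen, same key columns) is easiest to see as a self-join, and once you have it you can chain daily rows into the full run of a long-lived process. The following is an added example, not code from the page or from 1E. It uses Python's sqlite3 with constructed "$ProcessUsage_Daily" rows whose TS starts at the page's sample value 1526947200 (2018-05-22 00:00:00 UTC); which columns form the "key information" is not stated on the page, so ExecutableName, ExecutableHash and ExecutableVersion are assumed here.

```python
import sqlite3
from datetime import datetime, timezone

DAY = 86400
D1 = 1526947200                     # the page's sample TS: 2018-05-22 00:00:00 UTC
D2, D3 = D1 + DAY, D1 + 2 * DAY
KEY = ("ExecutableName", "ExecutableHash", "ExecutableVersion")   # assumed key columns

# Constructed $ProcessUsage_Daily rows (only the columns the example needs):
# (TS, LastSeen, ExecutableName, ExecutableHash, ExecutableVersion, Duration, ExecutionCount)
SAMPLE_ROWS = [
    # outlook ran from 09:00 on day 1 across midnight until 10:00 on day 2
    (D1, D1 + DAY,   "outlook.exe", "h-outlook", "16.0.1", 900, 1),
    (D2, D2 + 36000, "outlook.exe", "h-outlook", "16.0.1", 600, 1),
    # chrome exited at 20:00 on day 1 and was started afresh on day 2
    (D1, D1 + 72000, "chrome.exe", "h-chrome", "75.0", 660, 3),
    (D2, D2 + 3600,  "chrome.exe", "h-chrome", "75.0", 60, 1),
    # svchost ran continuously across two midnights
    (D1, D1 + DAY,   "svchost.exe", "h-svchost", "10.0", 1440, 1),
    (D2, D2 + DAY,   "svchost.exe", "h-svchost", "10.0", 1440, 1),
    (D3, D3 + 40000, "svchost.exe", "h-svchost", "10.0", 666, 1),
]


def day_text(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def open_store():
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "$ProcessUsage_Daily" (TS INTEGER, LastSeen INTEGER, '
                 'ExecutableName TEXT, ExecutableHash TEXT, ExecutableVersion TEXT, '
                 'Duration INTEGER, ExecutionCount INTEGER)')
    conn.executemany('INSERT INTO "$ProcessUsage_Daily" VALUES (?, ?, ?, ?, ?, ?, ?)', SAMPLE_ROWS)
    return conn


def carry_overs(conn):
    """(ExecutableName, today's TS, tomorrow's TS) for every pair of daily rows
    where tomorrow's TS equals today's LastSeen and the key columns match."""
    same_key = " AND ".join(f"b.{c} = a.{c}" for c in KEY)
    cur = conn.execute(
        'SELECT a.ExecutableName, a.TS, b.TS FROM "$ProcessUsage_Daily" a '
        'JOIN "$ProcessUsage_Daily" b ON b.TS = a.LastSeen AND ' + same_key +
        ' ORDER BY a.ExecutableName, a.TS')
    return cur.fetchall()


def continuous_runs(conn):
    """Chain daily rows into runs: (ExecutableName, first TS, final LastSeen,
    days spanned, total Duration in minutes). A row is a continuation when
    an earlier row of the same key has LastSeen equal to its TS."""
    by_key = {}
    for ts, last_seen, name, h, ver, dur in conn.execute(
            'SELECT TS, LastSeen, ExecutableName, ExecutableHash, ExecutableVersion, '
            'Duration FROM "$ProcessUsage_Daily" ORDER BY TS'):
        by_key.setdefault((name, h, ver), {})[ts] = (last_seen, dur)
    runs = []
    for (name, _h, _ver), days in by_key.items():
        continuations = {last_seen for last_seen, _ in days.values()}
        for start in sorted(days):
            if start in continuations:
                continue                       # picked up by the run it belongs to
            cur, total = start, 0
            while True:
                last_seen, dur = days[cur]
                total += dur
                if last_seen in days and last_seen > cur:
                    cur = last_seen            # closed off at midnight, continues tomorrow
                else:
                    break
            runs.append((name, start, last_seen, (cur - start) // DAY + 1, total))
    return sorted(runs)


if __name__ == "__main__":
    db = open_store()
    for name, a, b in carry_overs(db):
        print(f"{name}: {day_text(a)} carried over into {day_text(b)}")
    for name, start, end, days, minutes in continuous_runs(db):
        print(f"{name}: {day_text(start)} .. {day_text(end)} ({days} day(s), {minutes} min)")
```

Note that the chaining stops at the latest day present, so a process still running today produces a run whose final LastSeen is today's creeping value rather than a midnight.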

Sensitive processes

A "sensitive process" is one flagged by the Tachyon Performance Metrics program as one which consumes extra CPU when files and processes are created, registry entries are read, etc., suggesting such processes are monitoring such low level O/S operations. Antivirus and other security software legitimately does this (as does for example Windows Explorer and the 1E Client itself), but other processes that do it may be a security hazard.

Windows only. The following fields are available in the $SensitiveProcess_ tables.

Field: CpuSeconds
Datatype: real
Description: Average CPU used by the process executable during the sample intervals.
Sample value: 0.456
Tables: All

Field: DetectionCount
Datatype: integer
Description: Sum of the number of samples within the hour, day or month in which the process executable was detected.
Sample value: 1
Tables:
  • $SensitiveProcess_Hourly
  • $SensitiveProcess_Daily
  • $SensitiveProcess_Monthly

Field: ExecutablePath
Datatype: string
Description: The path and filename of the process executable. On Windows, this is the NT-device format version of the path (as a process does not necessarily need to have been launched from a device which has a drive-letter mapping).
Sample value: c:\windows\system32\conhost.exe
Tables: All

Field: Product
Datatype: string
Description: The title of the software product.
Sample value: Microsoft® Windows® Operating System
Tables: All

Field: TS
Datatype: integer
Description: When the record was added to the table. See Timestamps.
Sample value: 1500756083
Tables: All

Field: Version
Datatype: string
Description: Version of the process executable.
Sample value: 10.0.17763.404
Tables: All

New in 5.0, this capture source is used by the Tachyon Experience application.

On Windows XP, permission restrictions mean that not all sensitive processes are detected.

Software installations

All platforms except Android. The following fields are available in the $Software_ tables.

Field: Architecture
Datatype: string
Description: The platform architecture of the software product.
Sample value: x64
Tables: All

Field: InstallCount
Datatype: integer
Description: Sum of installs per software product version within the hour, day or month. 0 if uninstalled, or present but not detected as installed.
Sample value: 1234
Tables:
  • $Software_Hourly
  • $Software_Daily
  • $Software_Monthly

Field: IsUninstall
Datatype: integer
Description: 0 = install, 1 = uninstall.
Sample value: 0
Tables:
  • $Software_Live

Field: Product
Datatype: string
Description: The title of the software product that was installed/uninstalled.
Sample value: Google Chrome
Tables: All

Field: Publisher
Datatype: string
Description: The publisher of the software product that was installed/uninstalled.
Sample value: Google Inc.
Tables: All

Field: TS
Datatype: integer
Description: When the record was added to the table. See Timestamps. The Tachyon client assumes a "new" installation/uninstallation occurred at the point of polling.
Sample value: 1500756083
Tables: All

Field: UninstallCount
Datatype: integer
Description: Sum of uninstalls per software product version within the hour, day or month. 0 if installed, or present but not detected as installed.
Sample value: 1233
Tables:
  • $Software_Hourly
  • $Software_Daily
  • $Software_Monthly

Field: Version
Datatype: string
Description: The version of the software that was installed/uninstalled.
Sample value: 55.0.2883.87
Tables: All

Each time the Tachyon client starts, it does an initial scan of installed software before it starts capturing. Since the Tachyon client has no way of knowing when an install/uninstall found by this scan actually happened, it will mark the event as having occurred "now".

On Windows, software installations are read from the registry keys HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall.

Per-user installations are not yet supported.

Linux does not distinguish between O/S packages (even the kernel) and application packages; they are all software.

Software performance

Windows only. The following fields are available in the $SoftwarePerformance_ tables.

Field: ExecutablePath
Datatype: string
Description: The path and filename of the process executable.
Sample value: c:\windows\explorer.exe
Tables: All

Field: HandleCount
Datatype: integer
Description: How many open handles the process has.
Sample value: 1234
Tables: All

Field: InstanceCount
Datatype: integer
Description: How many instances of the process are active at the same time.
Sample value: 2
Tables: All

Field: IoReadKilobytesPerSecond
Datatype: integer
Description: kB read by the process per second.
Sample value: 2
Tables: All

Field: IoWriteKilobytesPerSecond
Datatype: integer
Description: kB written by the process per second.
Sample value: 0
Tables: All

Field: MemoryUsagePhysicalKilobytes
Datatype: integer
Description: kB used by the process in physical memory.
Sample value: 35780
Tables: All

Field: MemoryUsageVirtualKilobytes
Datatype: integer
Description: kB used by the process in virtual memory.
Sample value: 9496
Tables: All

Field: ProcessorTimePercent
Datatype: real
Description: Percentage of time the processor is running the process.
Sample value: 1.11080672689126
Tables: All

Field: ProcessorTimeSecondsPerSecond
Datatype: real
Description: Number of processor seconds consumed by this process per second, where a "processor second" is a single processor core which is fully busy for an entire second.
Sample value: 0.0666526784132013
Tables: All

Field: Product
Datatype: string
Description: The title of the software product.
Sample value: Google Chrome
Tables: All

Field: SampleCount
Datatype: integer
Description: How many samples the aggregated data is based on.
Sample value: 1233
Tables:
  • $SoftwarePerformance_Hourly
  • $SoftwarePerformance_Daily
  • $SoftwarePerformance_Monthly

Field: TS
Datatype: integer
Description: When the record was added to the table. See Timestamps.
Sample value: 1500756083
Tables: All

Field: Version
Datatype: string
Description: The version of the software product.
Sample value: 55.0.2883.87
Tables: All

New in 5.0, this capture source is used by the Tachyon Experience application.

TCP outbound connections

Windows, macOS and Linux only. Not Solaris or Android. The following fields are available in the $TCP_ tables.

Field: ConnectionCount
Datatype: integer
Description: Sum of connections to an IP address and port by a process within the hour, day or month.
Sample value: 123
Tables:
  • $TCP_Hourly
  • $TCP_Daily
  • $TCP_Monthly

Field: IpAddress
Datatype: string
Description: The target remote IP address of the connection, either an IPv4 or IPv6 address. Windows support for IPv6 is limited; the Tachyon client will capture the connections, but the format used to represent the target IPv6 address may differ slightly depending on the mechanism used, and may be subject to change in future versions of the Windows Tachyon client.
Sample values: 132.245.77.18 and [2001:4860:4860::8888]
Tables: All

Field: Port
Datatype: integer
Description: The target remote port of the connection.
Sample value: 443
Tables: All

Field: ProcessId
Datatype: integer
Description: The operating-system specific identifier of the process which instigated the connection. Not supported for Mac OSX earlier than Mac OSX Lion (10.7).
Sample value: 11828
Tables:
  • $TCP_Live

Field: ProcessName
Datatype: string
Description: The executable filename of the process which instigated the connection. Connections originating from system-oriented processes are captured as "(system)".
Sample value: chrome.exe
Tables: All

Field: TS
Datatype: integer
Description: When the record was added to the table. See Timestamps.
Sample value: 1500756083
Tables: All

The Tachyon client captures TCP connections, not UDP connections, as UDP is inherently connectionless (each packet sent is effectively a new connection).

Each time the Tachyon client starts, it does an initial scan of connections before it starts capturing. A limitation of the Windows API means that all established TCP connections, whether inbound or outbound, are captured; there is no way to distinguish between the two. This means that it is possible for the Tachyon client to double-capture a connection if that connection was established before the Tachyon client stopped monitoring and still exists when the Tachyon client starts monitoring again, for example between Tachyon client restarts. Unlike other capture sources, there is no persistent storage setting to prevent double-counting.

The Tachyon client captures initial "connect" requests, not just successful connection establishment. This means that an attempt to perform a connection will be captured even if that connection does not complete, for example because of a timeout, or because the server side does not permit the connection.

User usage

Windows only. The following fields are available in the $UserUsage_Daily table.

Field: Duration
Datatype: integer
Description: The number of minutes covered by the individual user session(s) of at least one instance of this login. Duration can never be more than 1440 minutes, the number of minutes in a day.
Sample value: 12
Tables:
  • $UserUsage_Daily

Field: Email
Datatype: string
Description: The email address that is cached in the system for this user. This may not necessarily be the email address to use to contact the user via corporate email.
Sample value: abrown@acme.org
Tables:
  • $UserUsage_Daily

Field: FirstName
Datatype: string
Description: The forename that the system has cached for the user.
Sample value: Alice
Tables:
  • $UserUsage_Daily

Field: LastName
Datatype: string
Description: The surname that the system has cached for the user.
Sample value: Brown
Tables:
  • $UserUsage_Daily

Field: LastSeen
Datatype: integer
Description:
The UTC timestamp of when the last instance of the user session (of all the accumulated subjects of this record) was last seen (polling) or actually exited (events), rounded down to the start of the minute in which the event occurred.

Whilst any session is in progress, for the current day's records, LastSeen will creep across the day and Duration will increase as time passes if the user remains logged in. That is, Duration and LastSeen will increase each time you query the table (with at least a minute between queries).

Once midnight is crossed, the daily records for yesterday are 'closed off' by setting LastSeen = TS + 86400 (the number of seconds in a day), which is midnight of the next day.

If all sessions for one user have exited and never occur again that day, then the LastSeen field for that daily record should 'stick' at one value and never change again.

In other words, the maximum difference between TS and LastSeen in a single row is 86400, the number of seconds in a day.

Tracking of a user session summary from one day to the next ("carry-over") can be achieved by looking for a record where TS (tomorrow) = LastSeen (today), with all the other key information the same. If no record with that exact key and the 'carry-over' condition is found, then the user session did not continue across midnight.

Note that a session that exits after 23:59:00 and starts again before 00:01:00 the next day will appear to be a continuous user session in the summary tables, even though it could have not existed for nearly two minutes. This is because the resolution of the table is the start of the minute in which the event occurred.

See Timestamps.
Sample value: 1526990846
Tables:
  • $UserUsage_Daily

Field: SID
Datatype: string
Description: The Windows NT SID of the user.
Sample value: S-1-5-21-xxx-yyy-zzz
Tables:
  • $UserUsage_Daily

Field: TS
Datatype: integer
Description: When the record was added to the table. See Timestamps.
Sample value: 1526947200
Tables:
  • $UserUsage_Daily

Field: Username
Datatype: string
Description: The user account name, with a domain prefix if applicable. For Windows devices not in a domain, the 'domain' is the local machine name. For non-Windows devices such as Linux there is no domain part.
Sample values: aliceb and acme\AliceBrown
Tables:
  • $UserUsage_Daily

The Tachyon client captures user sessions (usage) from the moment the user instigates a login/logout, hence "User Usage". The usage data presented is grouped by SID and Username; for parallel logins, Duration is the coverage of the time period, not the total time of all the individual sessions added together.
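The carry-over lookup described above for both process usage and user sessions, as an added example that is not 1E's own code: it loads constructed $UserUsage_Daily rows into an in-memory SQLite database (SCALE's SQL dialect is assumed to be SQLite-compatible), joins yesterday's closed-off rows to today's rows on TS (tomorrow) = LastSeen (today), and checks the documented bound LastSeen - TS <= 86400.

```python
"""Carry-over check for daily TAR rows (added example; not 1E's own code)."""
import sqlite3

DAY = 86400  # seconds in a day; a closed-off row has LastSeen = TS + DAY

# Constructed sample rows (SID, Username, TS, LastSeen, Duration in minutes).
# Alice: day 1 (TS 1526947200) closed off at midnight, so LastSeen = TS + 86400;
#        day 2 row starts at that same midnight (carry-over).
# Bob:   day 1 session ended at 1526990846 and never resumed (no carry-over).
ROWS = [
    ("S-1-5-21-xxx-yyy-zzz", r"acme\AliceBrown", 1526947200, 1527033600, 700),
    ("S-1-5-21-xxx-yyy-zzz", r"acme\AliceBrown", 1527033600, 1527062400, 480),
    ("S-1-5-21-xxx-yyy-bbb", r"acme\BobGreen",   1526947200, 1526990846, 720),
]

# TS(tomorrow) = LastSeen(today), with the other key columns (SID, Username) equal.
CARRY_OVER_SQL = """
SELECT today.SID, today.Username,
       today.TS AS TS_today, tomorrow.TS AS TS_tomorrow
FROM "$UserUsage_Daily" AS today
JOIN "$UserUsage_Daily" AS tomorrow
  ON tomorrow.SID = today.SID
 AND tomorrow.Username = today.Username
 AND tomorrow.TS = today.LastSeen
WHERE today.LastSeen = today.TS + :day   -- yesterday's row was closed off at midnight
"""

def build_sample_db():
    """Return an in-memory connection holding the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute('CREATE TABLE "$UserUsage_Daily" '
                 '(SID TEXT, Username TEXT, TS INTEGER, LastSeen INTEGER, Duration INTEGER)')
    conn.executemany('INSERT INTO "$UserUsage_Daily" VALUES (?,?,?,?,?)', ROWS)
    return conn

def carried_over_sessions(conn):
    """Sessions that continued across midnight, one dict per (today, tomorrow) pair."""
    return [dict(r) for r in conn.execute(CARRY_OVER_SQL, {"day": DAY})]

def invariant_violations(conn):
    """Count rows breaking the documented bound 0 <= LastSeen - TS <= 86400."""
    sql = 'SELECT COUNT(*) FROM "$UserUsage_Daily" WHERE LastSeen - TS > ? OR LastSeen < TS'
    return conn.execute(sql, (DAY,)).fetchone()[0]

if __name__ == "__main__":
    db = build_sample_db()
    for r in carried_over_sessions(db):
        print(f"{r['Username']} carried over from TS {r['TS_today']} to TS {r['TS_tomorrow']}")
    print("invariant violations:", invariant_violations(db))
```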

Constraints of Legacy OS

In this documentation, the following are referred to as legacy OS. 1E does not provide support for the Tachyon client on these OS. This is because Microsoft has withdrawn support for these OS or they are not significantly used by business organizations.

  • Windows XP
  • Windows Vista
  • Windows 7
  • Windows 8.0
  • Windows Server 2003
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2

Please contact 1E if you require support for these legacy OS.

If you experience an issue on these OS, then please try replicating the issue on a supported OS.