Tachyon Example Product Pack

A collection of commonly used Tachyon questions and instructions. Also useful as an introduction to building your own Product Packs.

Scenario

This Product Pack contains some useful example instructions around certificate management, historic data, software installation and processes. It will also assist you in creating your own instruction sets and product packs.

Product Pack Notes

This Product Pack contains a range of commonly used Tachyon questions and instructions:

Delete all certificates with a SHA1 thumbprint of 〈thumbprint〉 from the local machine’s certificate store.

Deletes all certificates with SHA1 thumbprint %thumbprint% from all folders of the local machine’s certificate store. This will iterate through a number of predefined stores: Personal (My), Intermediate Certification Authorities (CA), Trusted Root Certification Authorities (Root), Third-Party Certification Authorities (AuthRoot), Enterprise Trust (Trust), Other People (AddressBook), Trusted People (TrustedPeople), Trusted Publishers (TrustedPublisher) and Untrusted Certificates (Disallowed). Certificates are not retrievable once marked for deletion. Please use with caution – deleting a certificate may cause a number of things to stop working.

Delete certificates with SHA1 thumbprint 〈thumbprint〉 in the local machine’s certificate store in 〈folder〉

Delete all certificates with a given SHA1 thumbprint in the local machine’s certificate store from a folder. Use with caution – deleting a certificate may cause things to stop working. Windows only.

How many devices have accessed 〈domainName〉 or any of its subdomains in the last 〈numDays〉 days?

Get devices that have resolved a domain name or any of its subdomains in the last few days. Windows and Mac.

How many devices have started a process called 〈procName〉 in the last 〈numDays〉 days?

Get devices where the specified process has started in the last few days.

How many devices have started process 〈procName〉 with an MD5 hash of 〈hash〉 in the last 〈numDays〉 days?

Get devices where the specified process with the specified MD5 executable file hash has started in the last few days.

How many events of 〈type〉 have been logged per day in the Windows 〈logname〉 event log over the last 〈numDays〉 days?

Returns event log entries of a specified type in a specified Windows event log in the last few days. Specifying a long period may result in a large amount of data from each agent.

How many times has a process called 〈procName〉 started in the last 〈numDays〉 days?

Returns instances of a process start in the last few days.

How many times has a process called 〈procName〉 with an MD5 hash of 〈hash〉 started in the last 〈numDays〉 days?

Returns instances of a process start with a specified MD5 file hash in the last few days.

How many times has a process with an MD5 hash of 〈hash〉 started in the last 〈numDays〉 days?

Returns instances of a process start with a specified MD5 file hash in the last few days.

Replace 〈findString〉 with 〈replaceString〉 in 〈fileName〉, case sensitive: 〈caseSensitive〉

Replace all occurrences of a string with a replacement string in a named file. Uses a PowerShell script. Windows only.

What certificates were used to digitally sign 〈fileName〉?

Get the certificates used to create the digital signature. This will return all certificates in the chain(s) used to digitally sign the file. This will not return any timestamp certificates. Windows only.

What DNS names have been accessed in the last 〈numDays〉 days?

Get DNS resolutions that have occurred in the last few days. Windows and Mac.

What does SystemInfo output?

Returns all (raw) information from a SystemInfo report. Windows OS versions that support PowerShell 3.0 or later.

What hardware information does Windows SystemInfo report?

Get hardware information from a SystemInfo report. Uses a PowerShell script. Windows only.

What IPs has 〈process〉 made connections to in the last 〈numDays〉 days?

Returns the IP addresses a specified process has connected to in the last few days.

What is the 〈hashAlgorithm〉 hash of 〈path〉?

Returns the hash of a path with a specified hash algorithm. If a folder is specified, this will compute the SCCM 2012 folder hash with the specified algorithm, and will include subdirectories.

What is the CPU percentage usage of each process averaged across my devices?

Returns the CPU usage of all processes on the device at a point in time. The agent will average CPU usage over 5 seconds and return this per process. Multiple processes with the same name, such as a number of conhost processes, will be considered one process. Windows only.

What memory information does Windows SystemInfo report?

Get memory information from a SystemInfo report. Uses a PowerShell Script. Windows only.

What new processes have started this week?

Gets processes that have started in the last 7 days and did not run in the prior 7 days.

What operating system information does Windows SystemInfo report?

Returns operating system information from a SystemInfo report. Windows OS versions that support PowerShell 3.0 or later.

What processes have started in the last 〈numDays〉 days without a ‘.exe’ extension?

Gets processes that have started with non ‘.exe’ extensions in the last specified number of days.

What software is installed that was not installed by SCCM?

Finds all installed software that wasn’t installed by SCCM. It does this by checking that the MSI installation source location is not ccmcache.

What software was installed in the last 〈numDays〉 days?

Gets software installed in the last specified number of days.

What system information does Windows SystemInfo report?

Returns system information from a SystemInfo report. Windows OS versions that support PowerShell 3.0 or later.

What TCP and UDP connections are listening but currently inactive?

Get listening but currently inactive TCP and UDP connections, for IPv4 and also IPv6 if available. Windows, Linux and Mac only.

What TCP connections are currently active?

Get the current active TCP connections, for IPv4 and also IPv6 if available. Windows, Linux and Mac only.

What version information is stored in 〈fileName〉?

Returns version information for a file. Windows only.

What versions of 〈product〉 by 〈publisher〉 are installed?

Gets versions of an installed product published by specified publisher. Both the product and publisher parameters are wild-carded and are case insensitive.

What versions of 〈product〉 by 〈publisher〉 were installed in the last 〈numDays〉 days?

Returns versions of a product installed in the last specified number of days.

What was the MD5 hash of 〈procName〉 over the last 〈numDays〉 days?

Returns the hashes of a process that has started over the last few days.

Which certificates are installed in the local machine’s certificate store in 〈folder〉?

Get the certificates in the local machine’s certificate store from the specified folder. Windows only.

Which certificates are installed in the local Windows machine’s certificate store?

Get all certificates in the local machine’s certificate store. Windows only.

Which certificates in the local machine’s certificate store are not yet valid?

Return all certificates in the local machine’s certificate store that are not yet valid. Windows only.

Which certificates in the local machine’s certificate store have a field that contains 〈searchTerm〉?

Get the certificates in the local machine’s certificate store where the specified field contains the specified search term. Windows only.

Which certificates in the local machine’s certificate store have expired?

Get expired certificates in the local machine’s certificate store. Windows only.

Which certificates in the local machine’s certificate store will expire within 〈numDays〉 days?

Get all certificates in the local machine’s certificate store that will expire in the next few days. If a certificate is in multiple stores, multiple entries will be retrieved. Windows only.

Which devices are affected by certificate expiry in the next 〈numDays〉 days?

Returns devices with a certificate in the local machine’s certificate store which will expire within the specified number of days. Windows only.

Which devices have connected to 〈ipAddress〉 on any port in the last 〈numDays〉 days?

Get devices that have connected to a specified IP address on any port in the last few days. Windows, Linux and Mac.

Which devices have connected to 〈ipAddress〉 on port 〈port〉 in the last 〈numDays〉 days?

Get devices that have connected to a specified IP address on a specified port in the last few days. Windows, Linux and Mac.

Which devices have processes that are consuming more than 〈percentage〉% of the CPU?

Gets devices where a process is consuming over a specified percentage of the CPU. The process name returned is the first (there may be more) process using over the specified amount of CPU.

Which devices have started a process with an MD5 hash of 〈hash〉 in the last 〈numDays〉 days?

Get devices where a process with a specified MD5 executable file hash has started in the last few days.

Which event IDs of type 〈type〉 have been logged in the Windows 〈logname〉 event log in the last 〈numDays〉 days?

Returns event log entries aggregated on event ID (EventCode) of a specified type in a specified Windows event log in the last few days. Specifying a long period may result in a large amount of data from each agent.

Which files within 〈folder〉 have an extension of 〈extension〉? Calculate the 〈algorithm〉 hash with subfolder recursion 〈recurse〉

Get all files in a folder with the specified extension (including the period), calculating an MD5, SHA1, or SHA256 hash for each file. Optionally recursive. Windows only.

Which processes are consuming more than 〈percentage〉% of CPU?

Gets processes consuming over a specified percentage of CPU.

Which processes have made connections to 〈ipAddress〉 in the last 〈numDays〉 days?

Returns the number of connections processes have made to a specified IP address on any port in the last few days.

Which processes have made connections to 〈ipAddress〉 on port 〈port〉 in the last 〈numDays〉 days?

Returns the number of connections processes have made to a specified IP address on a specified port in the last few days.

Which subdomains of 〈domainName〉 have devices accessed in the last 〈numDays〉 days?

Get the subdomains of a given domain that were resolved in the last few days. Windows and Mac.

Details

Author

1E Product Pack Creator

Downloads

25
