Querying Activity Records

The 1E Client collects a considerable amount of historical data such as processes executed, TCP connections, and so on. This information is stored in tables known as Activity Records. To query information in these tables, you would normally write a specific instruction in Tachyon Instruction Management Studio (TIMS) which returns data from a specific table. If you want to retrieve information from different tables, you would normally write an instruction for each table you wish to query, or, alternatively, you could write a parametrized instruction that takes the query as a parameter and returns a fixed schema result.

The 1E PowerShell Toolkit offers you two ways of invoking Activity Record queries.

  • The dynamic query functionality allows you to invoke a query directly. However, like the dynamic scripting and SCALE functionality, this requires that you have a valid instruction signing certificate so that the associated instruction can be dynamically created, uploaded, and executed. Refer to Code signing certificate.
  • Alternatively, you can use the invoke-1Eactivityquery cmdlet. This does not require you to possess a code signing certificate, but you need to have uploaded the instruction it depends on, 1E-Exchange-ActivityRecordQry. This is included in the 1E PowerShell Toolkit files.

The results from both approaches are exactly the same. For more information about Activity Records, refer to Client Activity Record.

Dynamic query

To execute an Activity Record dynamic query, you specify the query inside single quotes as an argument. For example:

invoke-1edynamic -query 'select * from $arp_live' -targetscope urth-dev

Single quotes are used to prevent the PowerShell interpreter from processing the $ symbol. You can also use double quotes if you escape the $ with a backquote, like this: "select * from `$arp_live".

The screenshot below shows an example.

Invoke-1Eactivityquery cmdlet

You can query Activity Records even if you lack an instruction signing certificate. To do this, you must first upload the 1E-Exchange-ActivityRecordQry instruction on which the cmdlet depends. This instruction is bundled with the 1E PowerShell Toolkit. To upload it, use either the 1E Platform Settings UI or the publish-1Einstruction cmdlet included in the Toolkit.

invoke-1Eactivityquery -query <query> -targetscope <scope>|-targetfqdns <fqdns>

For example:

invoke-1Eactivityquery -query 'select * from $arp_live' -targetscope urth-dev

As with the dynamic query option, you can instead use double quotes around the query, provided you escape the $ symbol so that PowerShell does not expand it.
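The quoting pitfall described above is easy to hit when the query is built from variables rather than typed by hand. The following wrapper is an added example, not part of the 1E PowerShell Toolkit: it refuses to run a query whose $table reference PowerShell has already expanded away, and it forces the caller to supply exactly one of a scope or an FQDN list. It assumes the invoke-1Eactivityquery cmdlet with the -query, -targetscope and -targetfqdns parameters shown on this page (the string-array type for -targetfqdns is an assumption).

```powershell
# Added example (not from the 1E Toolkit). Wraps invoke-1Eactivityquery so that a
# query whose table reference was silently expanded by PowerShell is caught before
# anything is sent to clients. Assumes the cmdlet and parameters documented above.
function Invoke-CheckedActivityQuery {
    [CmdletBinding(DefaultParameterSetName = 'Scope')]
    param(
        [Parameter(Mandatory)] [string] $Query,
        [Parameter(Mandatory, ParameterSetName = 'Scope')] [string] $TargetScope,
        [Parameter(Mandatory, ParameterSetName = 'Fqdns')] [string[]] $TargetFqdns  # type assumed
    )

    # Activity Record tables are referenced as $name. If the caller built the query
    # in double quotes without a backquote, PowerShell has already replaced
    # "$arp_live" with the value of an (undefined, hence empty) variable, and the
    # text now reads "select * from ". Fail here with a clear message instead of
    # sending a malformed query to every targeted client.
    if ($Query -notmatch '\$[A-Za-z_]\w*') {
        throw "Query '$Query' contains no `$table reference; use single quotes or escape the `$ with a backquote."
    }

    if ($PSCmdlet.ParameterSetName -eq 'Scope') {
        invoke-1Eactivityquery -query $Query -targetscope $TargetScope
    }
    else {
        invoke-1Eactivityquery -query $Query -targetfqdns $TargetFqdns
    }
}

# Runs: single quotes leave the $ intact.
Invoke-CheckedActivityQuery -Query 'select * from $arp_live' -TargetScope urth-dev

# Runs: the backquote stops expansion inside double quotes.
Invoke-CheckedActivityQuery -Query "select * from `$arp_live" -TargetScope urth-dev

# Throws: $arp_live was expanded to an empty string before the function saw it.
Invoke-CheckedActivityQuery -Query "select * from $arp_live" -TargetScope urth-dev
```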