tanium-process-events
Retrieve process events from Tanium
tanium-process-events profile=PROFILE [duration=NUM{mon|w|d|h|m|s}] [from=yyyyMMddHHmmss] [to=yyyyMMddHHmmss] ip=IP [offset=NUM] [limit=NUM]
- profile=PROFILE
- Tanium profile name
- duration=NUM{mon|w|d|h|m|s}
- Scan only recent data. You should use s(second), m(minute), h(hour), d(day), mon(month) time unit. For example,
10smeans data from 10 seconds earlier. - from=yyyyMMddHHmmss
- Start time of range. yyyyMMddHHmmss format. If you omit time part, it will be padded by zero.
- to=yyyyMMddHHmmss
- End time of range. yyyyMMddHHmmss format. If you omit time part, it will be padded by zero.
- ip=IP
- Target IP
- offset=NUM
- Skip count
- limit=NUM
- Max output count
Output Fields
| Field | Type | Name | Description |
|---|---|---|---|
| _time | Date | Start time | |
| profile | String | Connect profile | |
| end_time | Date | End time | |
| nt_domain | String | NT domain | |
| nt_user | String | NT user | |
| md5 | String | Image MD5 | |
| pid | Integer | Process ID | |
| image | String | Image file path | |
| cmd_line | String | Command line | |
| ppid | Integer | Parent process ID | |
| parent_image | String | Parent image path | |
| parent_cmd_line | String | Parent command line | |
| parent_md5 | String | Parent image MD5 | |
| ppguid | String | Parent process GUID | |
| pguid | String | process GUID | |
| exit_code | Integer | Exit code | |
| id | String | Event ID |