Task Profiles
Elazar Broad edited this page Dec 12, 2021
Task Profiles provide a way for an analyst to post-process Bulk Acquisition data automatically. HXTool accomplishes this by downloading each host acquisition package, extracting the contents of the package and processing the data based on the configured Task Profile. The resulting data is JSON formatted.
- File Writer - writes the acquisition data to a single file, one item per line
- IP Sender - sends the acquisition data to the configured host via TCP or UDP, one item per line. (Can be used with generic TCP/UDP listeners for ingesting the data into a SIEM)
- Helix - sends the data, GZIP compressed, to FireEye Helix
- Mongo - sends the data to the configured MongoDB database. See the configuration README
Task Profiles can be found under the HXTool main menu, under Acquisitions. Once you've navigated to the Task Profiles page, click New Profile to add one.
File Writer
- Give your profile a name
- Enter the fully qualified path to a file (the extension doesn't matter); this is where the data will be written. The user that HXTool is running under must have permission to write to the file and to the directory that contains it.
- Leave the Event mode as-is (per-event)
- Click Submit and your profile will show in the list and will now be ready to use with Bulk Acquisitions
IP Sender
- Give your profile a name
- Select the appropriate protocol for your listener/receiver, TCP or UDP
- Enter the IP address or fully qualified domain name (FQDN) of the host that the listener/receiver is operating on
- Enter the port on which the listener/receiver is listening
- Leave the Event mode as-is (per-event)
- On the receiving side, the listener should be configured to receive/ingest JSON formatted data, one object per line, i.e. each object is terminated by a newline.
- Click Submit and your profile will show in the list and will now be ready to use with Bulk Acquisitions
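As an added example (not HXTool's own code), here is a minimal TCP receiver for an IP Sender profile: it reassembles newline-delimited JSON across TCP reads, counts rather than silently drops malformed lines, and appends each object to a local NDJSON file for a SIEM forwarder. The output path and port are assumptions; match them to your Task Profile.

```python
# Added example, not part of HXTool: TCP listener for the "IP Sender" profile.
# HXTool sends one JSON object per line; TCP does not preserve line boundaries,
# so the assembler buffers partial lines until the terminating newline arrives.
import json
import socketserver

OUTPUT_PATH = "hxtool_acquisitions.ndjson"  # assumed path; point it at your forwarder's input


class NdjsonAssembler:
    """Accumulates raw bytes and returns complete, parsed JSON objects per line."""

    def __init__(self):
        self._buf = b""
        self.bad_lines = 0  # malformed lines are counted so a gap in ingestion is visible

    def feed(self, data: bytes):
        self._buf += data
        objs = []
        while b"\n" in self._buf:
            line, self._buf = self._buf.split(b"\n", 1)
            if not line.strip():
                continue  # tolerate blank keep-alive lines
            try:
                objs.append(json.loads(line))
            except json.JSONDecodeError:
                self.bad_lines += 1
        return objs


class IpSenderHandler(socketserver.StreamRequestHandler):
    """Handles one HXTool connection; every parsed object is appended to OUTPUT_PATH."""

    def handle(self):
        asm = NdjsonAssembler()
        while True:
            chunk = self.request.recv(4096)
            if not chunk:
                break  # HXTool closed the connection after sending the acquisition
            for obj in asm.feed(chunk):
                if isinstance(obj, dict):
                    obj["_receiver_peer"] = self.client_address[0]  # record which HXTool sent it
                with open(OUTPUT_PATH, "a", encoding="utf-8") as f:
                    f.write(json.dumps(obj) + "\n")


def serve(host="0.0.0.0", port=5140):  # assumed port; use the one from the Task Profile
    srv = socketserver.ThreadingTCPServer((host, port), IpSenderHandler)
    srv.serve_forever()


if __name__ == "__main__":
    serve()
```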
Mongo
- Give your profile a name
- The module has no configuration options as it leverages the Mongo database configuration in conf.json