Offline Collector: Order of artifact acquisition? #3895
-
|
Howdy! I'm wondering if there is a way to control the order in which artifact acquisition modules are executed when creating/running an Offline Collector? An example use case: we use a PowerShell module for extraction of a custom artifact, which can impact PowerShell transcript logging (if enabled on the endpoint). It would be strongly preferred to run the EVTX artifact collection first, then execute the PowerShell module. Collector configuration order/selection does not seem to have an impact. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 1 reply
-
|
Artifacts are collected in the offline collector the same way as they are collected on a client - in parallel with a concurrency control (default 2 at the same time). Because they run in parallel there is no enforced order (we want them collected as quickly as possible). This is especially important for bulk collection because most of the time taken is IO and compression so we want to parallelize as much as possible. There is a concurrency setting in the GUI which defaults to 2
Changing it to 1 will make collection much slower as only one query can run at once - I think there are still no guarantees about order though because the collections are launched in parallel but only one will run at the same time. One possibility is to have a custom artifact with multiple sources - as long as the precondition is at the artifact level the sources will run in sequence (within the same artifact). This way you can run the EVTX collection before the powershells. name: MyCustomArtifact
sources:
- query: |
SELECT * FROM Artifact.Windows.KapeFiles.Targets(_BasicCollection='Y')
- query: |
SELECT * FROM Artifact.My.Custom.Powershell(....)This is not ideal because it will only collect one source from the artifact though (and you wont be able to import the collection) so maybe you can do that for the powershell logs and the regular KapeFiles Targets for the other logs. |
Beta Was this translation helpful? Give feedback.
-
|
Thank you, that is very helpful! I continue to use VR Offline probably in a way that it wasn't specifically intended, often against only one to five hosts. Speed is not terribly critical, parallelization not terribly critical. Stomping EVTX logs with PowerShell queries not so great! I will play around with the above. THANK YOU! |
Beta Was this translation helpful? Give feedback.
Artifacts are collected in the offline collector the same way as they are collected on a client - in parallel with a concurrency control (default 2 at the same time).
Because they run in parallel there is no enforced order (we want them collected as quickly as possible). This is especially important for bulk collection because most of the time taken is IO and compression so we want to parallelize as much as possible. There is a concurrency setting in the GUI which defaults to 2
Changing it to 1 will make collection much slower as only one query can run at once - I think there are still no guarantees about order though because the collections are launched in parallel but only one will run…