Managing Tasks and Priorities

Aralez allows users to define and organize tasks within the YAML configuration file. Each task specifies its operations, such as collecting artifacts or executing commands, and includes a priority level that determines the order of execution. This page explains how to manage tasks and priorities to ensure an efficient and logical workflow.

Tasks Overview #

A task is a logical grouping of operations defined in the configuration file. Tasks can perform actions such as collecting specific artifacts, processing drives, or executing external or system commands.

Tasks are defined under the tasks section and have several key components:

  • type: Specifies whether the task collects data ("collect") or executes commands ("execute").
  • priority: Integer that determines the execution order of tasks; lower values run first.
  • entries: Defines the specific operations or artifacts for the task.
  • disabled (optional): Excludes the task from execution without removing it from the configuration.

Understanding Task Priority #

The priority field determines the order in which tasks are executed:

  • Tasks with lower values are executed first.
  • Tasks with higher values are executed later.
  • Tasks with the same priority are executed in the order they appear in the configuration file.

Note: choose priorities deliberately. Volatile data such as memory extractions must be collected first, before later tasks (and any tools they run) can change it.

Example:

tasks:
  artifacts:
    type: "collect"
    priority: 1
    entries:
      mft:
        - root_path: "\\"
          objects: ["$MFT"]
  tools:
    type: "execute"
    priority: 2
    entries:
      external:
        - name: "autorunsc.exe"
          args: ["-nobanner"]
          output_file: "Autorunsc.txt"
          exec_type: "external"

In this example:

  1. The artifacts task will execute first (priority 1).
  2. The tools task will execute next (priority 2).

Enabling and Disabling Tasks #

The disabled field allows you to exclude specific tasks from execution without removing them from the configuration. This is useful for temporarily skipping tasks while debugging or testing.

Example:

tasks:
  unused_task:
    type: "collect"
    priority: 100
    disabled: true
    entries:
      temp_files:
        - root_path: "\\Temp"
          objects: ["*"]

  • The unused_task is disabled and will not be executed.
  • To enable the task, remove the disabled field or set it to false.

Task Types #

Data Collection Tasks #

Tasks with type: "collect" specify directories, files, and objects to retrieve. These tasks can target specific drives, directories, or system artifacts.

Example:

tasks:
  collect_files:
    type: "collect"
    priority: 1
    entries:
      event_logs:
        - root_path: "\\Windows\\System32\\winevt\\Logs"
          objects: ["*.evtx"]

Command Execution Tasks #

Tasks with type: "execute" run system or external commands. These tasks are often used for collecting system state information or running custom scripts.

Example:

tasks:
  system_info:
    type: "execute"
    priority: 2
    entries:
      system:
        - name: "systeminfo.exe"
          args: []
          output_file: "SystemInfo.txt"
          exec_type: "system"

This task runs the systeminfo.exe command and saves the output to SystemInfo.txt.

Task Entries #

The entries field within each task defines the specific operations or artifacts associated with that task. Entries can include:

File Collection: #
  • Specify root_path for the directory and objects for the files or patterns to match.
  • Optional fields like max_size and encrypt can refine collection behavior.
Command Execution: #
  • Define the name of the executable or command, args for its parameters, and output_file for the results.
  • Use exec_type to specify the type of command (external, system, or internal).

Best Practices for Managing Tasks and Priorities #

Organize Tasks by Priority #
  • Assign lower values to tasks that capture volatile or easily altered data (e.g., retrieving the MFT, event logs).
  • Use higher values for tasks that run external tools: executing a binary on the host alters it (it can write Prefetch entries, event log records and new files), so such tasks should run after the on-disk evidence has been collected.
Group Similar Tasks Together #
  • Group related data collection or command execution tasks into separate logical units for better readability and management.
Disable Unnecessary Tasks #
  • Use the disabled field to temporarily exclude tasks without deleting them, allowing easy re-enablement when needed.
Review Task Dependencies #
  • Ensure that tasks are ordered logically if certain tasks depend on the results of others. Because tasks with equal priority fall back to file order, give a dependent task a strictly higher priority value rather than relying on its position in the file.

Example Configuration #

tasks:
  artifacts:
    type: "collect"
    priority: 1
    entries:
      mft:
        - root_path: "\\"
          objects: ["$MFT"]

  tools:
    type: "execute"
    priority: 2
    entries:
      external:
        - name: "autorunsc.exe"
          args: ["-nobanner"]
          output_file: "Autorunsc.txt"
          exec_type: "external"

  debug_logs:
    type: "collect"
    priority: 3
    disabled: false
    entries:
      logs:
        - root_path: "\\Windows\\Logs"
          objects: ["*.log"]
          max_size: 1048576
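
As an added example (not code from Aralez or its documentation), the following Python script applies the rules described on this page to the example configuration above: it checks each task against the fields listed under Task Entries, computes the run order (ascending priority, ties in file order, disabled tasks skipped), and warns when an execute task is scheduled before a collect task. The configuration is written as the dict that yaml.safe_load would return, so the script runs without PyYAML; the tasks unused_task and event_logs are constructed additions that exercise the disabled flag and a priority tie.

```python
"""Validate, order and lint an Aralez-style task configuration.

Added example, not part of Aralez. CONFIG mirrors the page's example
YAML as the dict yaml.safe_load would return, so no PyYAML is needed.
"""
from typing import Any

VALID_TYPES = {"collect", "execute"}
VALID_EXEC_TYPES = {"external", "system", "internal"}
COLLECT_KEYS = {"root_path", "objects"}
EXECUTE_KEYS = {"name", "args", "output_file", "exec_type"}

# Constructed input: the page's example configuration plus `unused_task`
# (disabled) and `event_logs` (same priority as `debug_logs`).
CONFIG: dict[str, Any] = {"tasks": {
    "artifacts": {"type": "collect", "priority": 1,
                  "entries": {"mft": [{"root_path": "\\", "objects": ["$MFT"]}]}},
    "tools": {"type": "execute", "priority": 2,
              "entries": {"external": [{"name": "autorunsc.exe", "args": ["-nobanner"],
                                        "output_file": "Autorunsc.txt", "exec_type": "external"}]}},
    "debug_logs": {"type": "collect", "priority": 3, "disabled": False,
                   "entries": {"logs": [{"root_path": "\\Windows\\Logs", "objects": ["*.log"],
                                         "max_size": 1048576}]}},
    "unused_task": {"type": "collect", "priority": 100, "disabled": True,
                    "entries": {"temp_files": [{"root_path": "\\Temp", "objects": ["*"]}]}},
    "event_logs": {"type": "collect", "priority": 3,
                   "entries": {"evtx": [{"root_path": "\\Windows\\System32\\winevt\\Logs",
                                         "objects": ["*.evtx"]}]}},
}}


def validate(tasks: dict[str, Any]) -> list[str]:
    """Return schema errors; an empty list means every task is well-formed."""
    errors: list[str] = []
    for name, task in tasks.items():
        ttype = task.get("type")
        if ttype not in VALID_TYPES:
            errors.append(f"{name}: type must be one of {sorted(VALID_TYPES)}")
        prio = task.get("priority")
        if isinstance(prio, bool) or not isinstance(prio, int):
            errors.append(f"{name}: priority must be an integer")
        entries = task.get("entries")
        if not isinstance(entries, dict) or not entries:
            errors.append(f"{name}: entries must be a non-empty mapping")
            continue
        required = COLLECT_KEYS if ttype == "collect" else EXECUTE_KEYS if ttype == "execute" else set()
        for group, items in entries.items():
            for i, item in enumerate(items):
                missing = sorted(required - item.keys())
                if missing:
                    errors.append(f"{name}.{group}[{i}]: missing {missing}")
                if ttype == "execute" and item.get("exec_type") not in VALID_EXEC_TYPES:
                    errors.append(f"{name}.{group}[{i}]: bad exec_type {item.get('exec_type')!r}")
    return errors


def execution_order(tasks: dict[str, Any]) -> list[str]:
    """Enabled task names in run order: ascending priority, ties in file order.

    sorted() is stable and dicts keep insertion order, so equal priorities
    resolve to the order the tasks appear in the file, as the page states.
    """
    enabled = [name for name, task in tasks.items() if not task.get("disabled", False)]
    return sorted(enabled, key=lambda name: tasks[name]["priority"])


def lint(tasks: dict[str, Any]) -> list[str]:
    """Warnings for configurations that are valid but usually unintended."""
    warnings: list[str] = []
    order = execution_order(tasks)
    # Running a tool on the host changes it (Prefetch entries, event log
    # records, new files), so an execute task that runs before a collect task
    # can contaminate the evidence collected afterwards.
    collects = [i for i, n in enumerate(order) if tasks[n]["type"] == "collect"]
    execs = [i for i, n in enumerate(order) if tasks[n]["type"] == "execute"]
    if collects and execs and execs[0] < collects[-1]:
        warnings.append(f"execute task {order[execs[0]]!r} runs before collect task "
                        f"{order[collects[-1]]!r}; collect first unless this is intended")
    # Equal priorities are resolved by file order only; make that visible.
    shared: dict[int, list[str]] = {}
    for n in order:
        shared.setdefault(tasks[n]["priority"], []).append(n)
    for prio, names in shared.items():
        if len(names) > 1:
            warnings.append(f"priority {prio} shared by {names}; file order decides")
    return warnings


def plan(config: dict[str, Any]) -> dict[str, list[str]]:
    """Errors, run order and warnings for one configuration."""
    tasks = config["tasks"]
    return {"errors": validate(tasks), "order": execution_order(tasks), "warnings": lint(tasks)}


if __name__ == "__main__":
    for key, value in plan(CONFIG).items():
        print(f"{key}: {value}")
```

Run it before deploying a new configuration: an empty errors list and an order that lists every collect task before the first execute task is what you want for a triage run; the shared-priority warning is a reminder that the relative order of those tasks is fixed only by their position in the file.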

Copyright © 2024 - Areg Baghinyan