Process_List

Unified process listing across multiple callbacks for a single host

This process_list structure needs to be in the user_output field of a post_response message. This allows the Apfell server to pick up the array from a predictable location, allows the information to be presented to operators, and allows browser scripts to act on the data as well. Look to Action: post_response for the post response format.

Command Component

You need to toggle the is_process_list flag to true on the command that will be sending this output in the Payload Management page. Without it, the server simply displays the output to the user instead of parsing it into the unified process listing view.

Why a Unified Process List per Host

There are many instances where you have multiple agents running on a single host and you run common tasking like process lists over and over again. You often do this because the earlier tasking has scrolled out of view, because the information is stale, or because you can't quite remember which callback actually ran that task. This is where the unified process listing comes into play.

With a special format for process listing, Apfell can track all the different process lists together for a single host. It doesn't matter which callback you ran the task through; as long as you pull up the process_list view for that host, all of the tasks will be available and viewable.

Output Format

Naturally, this has a special format to make it the most useful. Like almost everything else in Apfell, this requires structured output in JSON:

[
    {
        "process_id": 1234,
        "architecture": "x64",
        "name": "lol.exe",
        "user": "its-a-feature",
        "bin_path": "C:\\whatever",
        "parent_process_id": 1000
    }
]

All that's needed is an array of all the processes with the above information in the user_output field of your post_response action. process_id and parent_process_id are integer pids, and bin_path is a JSON string, so backslashes in Windows paths must be escaped. That allows Apfell to create a process hierarchy (if you supply both process_id and parent_process_id) and a sortable/filterable table of processes.

This new view also allows you to diff two different process listing outputs to see what processes were added or removed.
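The agent-side and server-side handling described above, as an added example that is not Apfell's own code: it validates each entry against the documented fields, wraps the array in user_output, builds the parent/child hierarchy, and diffs two listings of the same host. The post_response envelope keys (responses, task_id) and the sample processes are assumptions; see Action: post_response for the real message format.

```python
import json

# Per-process fields the unified view expects (taken from the page's format).
REQUIRED_FIELDS = ("process_id", "architecture", "name", "user", "bin_path", "parent_process_id")

def validate_process(proc):
    """Return the required fields missing from one process entry (empty if complete)."""
    return sorted(f for f in REQUIRED_FIELDS if f not in proc)

def build_post_response(task_id, processes):
    """Wrap a process array as the user_output of a post_response message.
    The envelope keys (responses, task_id) are an assumption for this example;
    Action: post_response documents the real message format."""
    for proc in processes:
        missing = validate_process(proc)
        if missing:
            raise ValueError(f"process {proc.get('process_id')} lacks {missing}")
    # user_output carries the array as a JSON string so the server can json.loads it.
    return {"action": "post_response",
            "responses": [{"task_id": task_id, "user_output": json.dumps(processes)}]}

def extract_process_list(message):
    """Server side: pull the array back out of its predictable location."""
    return json.loads(message["responses"][0]["user_output"])

def process_tree(processes):
    """Map parent_process_id -> [process_id, ...] so a hierarchy can be rendered."""
    children = {}
    for proc in processes:
        children.setdefault(proc["parent_process_id"], []).append(proc["process_id"])
    return children

def diff_listings(old, new):
    """Compare two listings from the same host: (pids added, pids removed)."""
    old_pids = {p["process_id"] for p in old}
    new_pids = {p["process_id"] for p in new}
    return sorted(new_pids - old_pids), sorted(old_pids - new_pids)

# Constructed sample listings for one macOS host (not real captured data).
LISTING_A = [
    {"process_id": 1, "architecture": "x64", "name": "launchd", "user": "root", "bin_path": "/sbin/launchd", "parent_process_id": 0},
    {"process_id": 300, "architecture": "x64", "name": "Terminal", "user": "its-a-feature", "bin_path": "/System/Applications/Utilities/Terminal.app", "parent_process_id": 1},
    {"process_id": 412, "architecture": "x64", "name": "zsh", "user": "its-a-feature", "bin_path": "/bin/zsh", "parent_process_id": 300},
]
# Second run from another callback on the same host: zsh (412) exited, python3 (520) started.
LISTING_B = [p for p in LISTING_A if p["process_id"] != 412] + [
    {"process_id": 520, "architecture": "x64", "name": "python3", "user": "its-a-feature", "bin_path": "/usr/bin/python3", "parent_process_id": 300},
]
```

Calling diff_listings(LISTING_A, LISTING_B) returns ([520], [412]), the same added/removed view the diff feature gives operators.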
