Example: triage

Inputs

  • examples/inputs/triage-samples/vulnerable_app.java

Profile

# Triage and Risk Scoring Example Profile
# Demonstrates triage report generation with risk scoring

decode = ["base64", "hex"]

max-file-size = 52428800  # 50 MiB

tag = "triage"

# High-risk patterns (higher weight in scoring)
[[patterns]]
  name = "Command Injection"
  pattern = "Runtime\\.getRuntime\\(\\)\\.exec\\("
  type = "regex"

[[patterns]]
  name = "SQL Injection"
  pattern = "(?i)(select|insert|update|delete|drop|union).*from"
  type = "regex"

[[patterns]]
  name = "Path Traversal"
  pattern = "\\.\\./\\.\\./\\.\\./"
  type = "regex"

[[patterns]]
  name = "Remote Code Execution"
  pattern = "eval\\s*\\([^)]*\\$"
  type = "regex"

# Medium-risk patterns
[[patterns]]
  name = "Hardcoded Password"
  pattern = "password\\s*=\\s*['\"][^'\"]{8,}['\"]"
  type = "regex"
  case-insensitive = true

[[patterns]]
  name = "API Key"
  pattern = "api[_-]?key\\s*=\\s*['\"][^'\"]{16,}['\"]"
  type = "regex"
  case-insensitive = true

# Signatures for risk scoring
[[signatures]]
  name = "High Entropy Suspicious"
  query = "SELECT sha256 FROM unique_files WHERE shannon_entropy > 7.5"

[[signatures]]
  name = "Multiple Pattern Matches"
  query = "SELECT sha256, COUNT(*) as matches FROM pattern_matches GROUP BY sha256 HAVING matches > 3"

Report outputs

Triage report (converted from triage_report.json)

| field | value |
|---|---|
| total_files | 1 |
| critical_count | 0 |
| high_count | 0 |
| medium_count | 0 |
| low_count | 0 |
| minimal_count | 1 |
| must_investigate_count | 0 |
| generated_at | 2025-12-03T09:19:44.871932886+00:00 |

top_scores

| characteristics_score | file_type | file_type_score | must_investigate | path | pattern_count_score | pattern_matches | pattern_severity_score | reasons | risk_level | score | sha256 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | Other | 0 | False | /vulnerable_app.java | 10 | 7 | 9 | ["7 suspicious patterns detected"] | Minimal | 19 | d72c3fd8cb250df27971c5ec01617f81fa34a607440f08c95f856570d69fd055 |

all_scores

| characteristics_score | file_type | file_type_score | must_investigate | path | pattern_count_score | pattern_matches | pattern_severity_score | reasons | risk_level | score | sha256 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | Other | 0 | False | /vulnerable_app.java | 10 | 7 | 9 | ["7 suspicious patterns detected"] | Minimal | 19 | d72c3fd8cb250df27971c5ec01617f81fa34a607440f08c95f856570d69fd055 |

CSV outputs

errors.csv

Empty CSV

files.csv

| path | file_name | sha256 | file_created | file_modified | file_accessed | mime_types_from_file_extension | is_symbolic_link | is_extracted_file | is_decoded_file | is_deobfuscated_file | tag |
|---|---|---|---|---|---|---|---|---|---|---|---|
| /vulnerable_app.java | vulnerable_app.java | d72c3fd8cb250df27971c5ec01617f81fa34a607440f08c95f856570d69fd055 | 2025-12-03T08:56:20.496889204Z | 2025-12-03T08:56:20.496889204Z | 2025-12-03T08:56:20.496889204Z | [] | 0 | 0 | 0 | 0 | |

pattern_matches.csv

| id | sha256 | pattern_name | match_type | match | location | length |
|---|---|---|---|---|---|---|
| 1 | d72c3fd8cb250df27971c5ec01617f81fa34a607440f08c95f856570d69fd055 | Command Injection | regex | Runtime.getRuntime().exec( | 7:8 | 26 |
| 2 | d72c3fd8cb250df27971c5ec01617f81fa34a607440f08c95f856570d69fd055 | SQL Injection | regex | SELECT * FROM | 12:24 | 13 |
| 3 | d72c3fd8cb250df27971c5ec01617f81fa34a607440f08c95f856570d69fd055 | SQL Injection | regex | SELECT name FROM users UNION SELECT password FROM | 14:25 | 49 |
| 4 | d72c3fd8cb250df27971c5ec01617f81fa34a607440f08c95f856570d69fd055 | Path Traversal | regex | ../../../ | 19:33 | 9 |
| 5 | d72c3fd8cb250df27971c5ec01617f81fa34a607440f08c95f856570d69fd055 | Remote Code Execution | regex | eval($ | 30:8 | 6 |
| 6 | d72c3fd8cb250df27971c5ec01617f81fa34a607440f08c95f856570d69fd055 | Hardcoded Password | regex | PASSWORD = "SuperSecret123!" | 24:35 | 28 |
| 7 | d72c3fd8cb250df27971c5ec01617f81fa34a607440f08c95f856570d69fd055 | API Key | regex | API_KEY = "sk-1234567890abcdefghijklmnop" | 25:32 | 41 |

signature_matches.csv

| id | signature_name | sha256 |
|---|---|---|
| 1 | Multiple Pattern Matches | d72c3fd8cb250df27971c5ec01617f81fa34a607440f08c95f856570d69fd055 |

unique_files.csv

| sha256 | sha1 | md5 | file_size | mime_type_for_content | shannon_entropy |
|---|---|---|---|---|---|
| d72c3fd8cb250df27971c5ec01617f81fa34a607440f08c95f856570d69fd055 | 569213c480f1f16a4aee71518abb2fe52f5c11cf | 74a23ade7caca99c1f48bd7cf2daff2f | 1047 | text/plain | 4.83469776402311 |