# KAPE Triage Target
# Approximates KAPE's !SANS_Triage compound target; actual coverage is whatever the modules and includes below collect, not KAPE's target list
# Comprehensive triage collection for incident response
[target]
name = "KAPE_Triage"
category = "triage"
priority = "critical"
description = "Comprehensive forensic triage similar to KAPE !SANS_Triage"

# Forensic modules this target pulls in. The identifiers are resolved by
# the loader; confirm each exists in the module tree.
# NOTE(review): KAPE's !SANS_Triage is broader than these four areas (it
# also sweeps filesystem metadata, LNK/Jumplists, Amcache, SRUM and more)
# — check that the modules and includes below cover what the engagement
# needs rather than relying on the target name.
modules = [
    "windows/registry",
    "windows/execution",
    "windows/event-logs",
    "browser/all-browsers",
]

# Base profiles layered on top of the modules. The paths are relative
# (`../base/`), so they presumably resolve against this file's directory
# — confirm with the loader, and keep them inside the rules tree.
includes = [
    "../base/malware.toml",
    "../base/credentials.toml",
    "../base/network.toml",
]
# Additional triage-specific patterns
[[patterns]]
# Plain substring match ("string" type), case-folded, so "Triaged" and
# "TRIAGE_notes" hit too. Because it is unanchored, any responder tooling
# or notes that end up in scope will match as well as adversary artifacts.
type = "string"
case-insensitive = true
name = "Triage Marker"
pattern = "triage"
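[[patterns]]
name = "Incident Response"
# Literal string so regex escapes are not also TOML escapes: in a basic
# "..." string, \b is a backspace character, not a word boundary.
# Word boundaries stop the two-letter alternative "IR" from firing, under
# case-insensitive matching, on every word that contains "ir" ("first",
# "directory", "require", ...). The optional "s" keeps the hits the old
# unanchored pattern produced for "incidents", "responses" and
# "forensics"; other derived forms ("incidental", "forensically") no
# longer match, which is intended.
pattern = '\b(?:incidents?|responses?|IR|forensics?)\b'
case-insensitive = true
type = "regex"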
[[patterns]]
# Literal string, so the regex needs no TOML-level escaping; it parses
# to the same pattern as the basic-string form "(?:evidence|exhibit|case.?\\d+)".
# `case.?\d+` tolerates one separator character ("case 42", "case-42",
# "case42") and, being unanchored, also matches inside longer words such
# as "showcase1".
pattern = '(?:evidence|exhibit|case.?\d+)'
type = "regex"
case-insensitive = true
name = "Evidence Tag"
# Triage-specific signatures
[[signatures]]
# One row per file hash that matched any of the four artifact-type
# patterns. None of those pattern names are defined in this file; they
# presumably come from the modules/includes in [target] — confirm the
# names match exactly (IN compares for string equality), otherwise this
# signature silently returns nothing.
query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name IN ('Registry Hive', 'Event Log', 'Prefetch File', 'Browser History')"
name = "Triage High Value Artifacts"
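[[signatures]]
name = "Execution Evidence"
# File hashes that matched more than one distinct execution-artifact
# pattern (Prefetch, ShimCache, BAM, UserAssist), i.e. execution is
# corroborated by at least two sources rather than a single artifact.
# HAVING repeats the aggregate instead of referencing the select-list
# alias: alias references in HAVING are accepted by SQLite and MySQL but
# rejected by PostgreSQL and SQL Server; the result is identical where
# both forms work.
# NOTE(review): the LIKE substrings couple this to pattern naming in the
# included modules, and LIKE case-sensitivity varies by engine — confirm
# against the actual pattern names.
query = "SELECT sha256, COUNT(DISTINCT pattern_name) as execution_indicators FROM pattern_matches WHERE pattern_name LIKE '%Prefetch%' OR pattern_name LIKE '%ShimCache%' OR pattern_name LIKE '%BAM%' OR pattern_name LIKE '%UserAssist%' GROUP BY sha256 HAVING COUNT(DISTINCT pattern_name) > 1"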