Triage profiles

Triage profiles determine which VMs and operating systems Triage uses to analyse samples. Profiles are assigned automatically based on file properties discovered during the static analysis phase. The profile section also holds additional analysis settings, such as the default timeout and network profile.

Triage is shipped with a default configuration containing multiple profiles that fit most use cases. See the configuration below for a commented example of the various sections of the config file. This configuration can be used as-is, even if not all operating systems are deployed in your setup.

The following is the default configuration shipped with Triage. It can be changed according to preference.

Deprecated Triage profiles format

See the Deprecated Triage profiles section if the configuration at /var/lib/triage/profiles.yaml looks different from the configuration below.

Triage profiles YAML

The configuration file can be found at: /var/lib/triage/profiles.yaml

#
## Triage profile configuration
#

# The following options set default task options for a Triage node. Note that
# profiles and tasks provided through the API can override these values.

# Default analysis timeout
# Recommended values: 30, 60, 120
timeout: 60

# The maximum number of tasks to produce automatically. This allows you to
# limit how many tasks e.g. an archive file creates.
max_tasks: 32

# Default network profile
# Use "drop" to disable Internet access, or "internet" to grant Internet access
network: internet

# The default profile is used as fallback in case there is no specific profile
# for a sample.
default:
    # Define which operating systems are allowed during automatic scheduling.
    # The OS tags are (partially) matched with the tags found in the VM
    # metadata.
    windows:
        - "os:windows7"
        - "os:windows10-1703"
        - "os:windows10-2004"
    android:
        - "os:android-9-x86"
        - "os:android-10-x64"
        - "os:android-11-x64"
    linux:
        - "os:ubuntu-18.04-amd64"
        - "os:debian-9-armhf"
        - "os:debian-9-mips"
        - "os:debian-9-mipsel"
    macos:
        - "os:macos-10.15"
    # Operating system groups marked as optional will not be used by default,
    # unless requested by the user.
    optional:
        - "os:linux"
        - "os:macos"
        - "os:android"

# Profiles generate analysis tasks for files based on properties discovered
# during static analysis. These properties are reflected via file tags in the
# static report. File extensions (if relevant) or URL schemas (e.g. "https:")
# can also be specified as static tag.
#
# Specific profiles completely override the default profile. For example, if
# you do not enable any Windows variants (as can be seen in the Android
# profile), automatic scheduling will *not* consider using Windows for Android
# samples even if you request it as a preference.
#
# The name of the profile is used for informational purposes.
#
# A sample can match multiple profiles based on the static tags. In that case,
# the profile with the highest priority is chosen.
# profiles:
    # Example mapping for Android. Samples with Android-related static tags
    # will be restricted to the most appropriate platform.
    # android_arm_x86:
    #     prio: 104
    #     static_tags: ["android", "arch:arm", "arch:x86"]
    #     android: ["os:android-x86", "os:android-x64"]
    # android_arm_x64:
    #     prio: 104
    #     static_tags: ["android", "arch:arm", "arch:x64"]
    #     android: ["os:android-x86", "os:android-x64"]
    # android_arm64_x86:
    #     prio: 103
    #     static_tags: ["android", "arch:arm64", "arch:x86"]
    #     android: ["os:android-x86", "os:android-x64"]
    # android_arm64_x64:
    #     prio: 103
    #     static_tags: ["android", "arch:arm64", "arch:x64"]
    #     android: ["os:android-x64"]
    # android_arm:
    #     prio: 102
    #     static_tags: ["android", "arch:arm"]
    #     android: ["os:android-x86"]
    # android_arm64:
    #     prio: 101
    #     static_tags: ["android", "arch:arm64"]
    #     android: ["os:android-x64"]
    # android_x64:
    #     prio: 101
    #     static_tags: ["android", "arch:x64"]
    #     android: ["os:android-x64"]
    # android_all:
    #     static_tags: ["android"]
    #     android:
    #       - "os:android-9-x86"
    #       - "os:android-10-x64"
    #       - "os:android-11-x64"

    # Example mapping for Linux. Note that using a generic "os:linux-xxx" tag,
    # as is done in these examples, instead of a specific Linux distribution
    # name will pick a random matching distribution.
    # linux_x64:
    #     prio: 105
    #     static_tags: ["linux", "x64"]
    #     linux: ["os:linux-amd64"]
    # linux_x86:
    #     prio: 105
    #     static_tags: ["linux", "x86"]
    #     linux: ["os:linux-amd64"]
    # linux_mipsel:
    #     prio: 105
    #     static_tags: ["linux", "mipsel"]
    #     linux: ["os:linux-mipsel"]
    # linux_mipsbe:
    #     prio: 105
    #     static_tags: ["linux", "mipsbe"]
    #     linux: ["os:linux-mips"]
    # linux_arm:
    #     prio: 105
    #     static_tags: ["linux", "arm"]
    #     linux: ["os:linux-armhf"]
    # linux_all:
    #     prio: 101
    #     static_tags: ["linux"]
    #     linux:
    #       - "os:ubuntu-18.04-amd64"
    #       - "os:debian-9-armhf"
    #       - "os:debian-9-mips"
    #       - "os:debian-9-mipsel"

    # Example mapping for macOS.
    # macos_binaries:
    #     static_tags: ["macos"]
    #     macos: ["os:macos-amd64"]

    # Advanced usage example: specify that .COM files will always run a
    # specific set of tasks. Tasks bypass the user preferences.
    #com:
    #    static_tags: [.com]
    #    tasks:
    #        - tags: ["os:windows7"]
    #          network: internet
    #          timeout: 60
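The selection rules spelled out in the comments above (static tags choose a profile, the highest prio wins, specific profiles fully override default, optional OS groups are skipped unless requested, fixed tasks bypass preferences, max_tasks caps the result) as a small resolver. This is an added illustration, not Triage's own code; the config is a constructed, trimmed-down profiles.yaml written as a Python dict, and two details are assumptions drawn from the comments: a profile matches only when all of its static_tags are present on the sample, and ties in prio keep the first profile listed.

```python
# Added example (not Triage's own code). Assumed semantics: a profile matches
# when ALL its static_tags are on the sample; "tasks" bypass user preferences.
OS_GROUPS = ("windows", "android", "linux", "macos")

CONFIG = {  # constructed, trimmed-down profiles.yaml as a dict (no YAML parser needed)
    "timeout": 60, "network": "internet", "max_tasks": 32,
    "default": {
        "windows": ["os:windows7", "os:windows10-2004"],
        "linux": ["os:ubuntu-18.04-amd64", "os:debian-9-armhf"],
        "android": ["os:android-11-x64"],
        "optional": ["os:linux", "os:android"],  # skipped unless requested
    },
    "profiles": {
        "android_arm_x86": {"prio": 104, "static_tags": ["android", "arch:arm", "arch:x86"],
                            "android": ["os:android-x86", "os:android-x64"]},
        "android_arm": {"prio": 102, "static_tags": ["android", "arch:arm"],
                        "android": ["os:android-x86"]},
        "android_all": {"static_tags": ["android"], "android": ["os:android-11-x64"]},
        "com": {"static_tags": [".com"],
                "tasks": [{"tags": ["os:windows7"], "network": "internet", "timeout": 60}]},
    },
}

def select_profile(config, sample_tags):
    """Highest-prio profile whose static_tags are all on the sample, else default."""
    sample = set(sample_tags)
    matches = [(prof.get("prio", 0), name, prof)
               for name, prof in config.get("profiles", {}).items()
               if set(prof["static_tags"]) <= sample]
    if not matches:
        return "default", config["default"]
    _, name, prof = max(matches, key=lambda m: m[0])
    return name, prof

def plan_tasks(config, sample_tags, requested=()):
    """Expand the selected profile into the tasks a node would schedule."""
    name, prof = select_profile(config, sample_tags)
    node_defaults = {"network": config.get("network", "drop"), "timeout": config.get("timeout", 60)}
    if "tasks" in prof:
        # Fixed tasks win outright; per-task values fall back to node defaults.
        tasks = [dict(node_defaults, **task) for task in prof["tasks"]]
    else:
        # A specific profile overrides default completely: only its own OS groups
        # and its own "optional" list matter, whatever the user requested.
        optional = {tag.split(":", 1)[-1] for tag in prof.get("optional", [])}
        tasks = [dict(node_defaults, tags=[os_tag])
                 for group in OS_GROUPS
                 if group not in optional or group in requested
                 for os_tag in prof.get(group, [])]
    return name, tasks[: config.get("max_tasks", 32)]
```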

Deprecated Triage profiles

In July 2022 the Triage profiles configuration format was replaced with the new format, which replaces fixed analysis "tasks" with a more flexible list of desired operating systems. The old /var/lib/triage/profiles.yaml should be replaced with the new version.

If your configuration looks like the following example, replace it with the configuration above:

## (Deprecated configuration. Do not use.)
## Triage profile configuration
#

# The following options set default task options for a Triage node. Note that
# profiles as well as tasks provided by the API can override these values.

# Default analysis timeout
# Recommended values: 30, 60, 120
timeout: 60

# Default network profile
# Use "drop" to disable Internet access, or "internet" to grant Internet access
network: drop

# The default profile is used as fallback in case there is no specific profile
# for a sample.
#
# Set `tasks' to an empty list in case no tasks should be scheduled by default.
default:
    tasks:
        - tags: [windows7]
        - tags: [windows10]

# Profiles generate analysis tasks for files based on properties discovered
# during static analysis. These properties are reflected via file tags in the
# static report. File extensions (if relevant) can also be specified.
#
# The name of the profile is used for informational purposes.
profiles:

    # Run PDFs on a Windows machine (any version)
    pdf:
        static_tags: [.pdf]
        tasks:
            - tags: [windows]

    # Run Linux ELF binaries on a Linux machine
    linux_binaries:
        static_tags: [linux,elf]
        tasks:
            - tags: [linux]

    # Example: compare the behavior of a PE when it has Internet access versus
    # when it doesn't
    #pe_inspect:
    #    static_tags: [.exe,pe]
    #    tasks:
    #        - tags: [windows]
    #          network: drop
    #        - tags: [windows]
    #          network: internet