Technical Analysis Concepts
In general, analysis follows these steps:
- Post-processing (done automatically when a scan is imported)
- Automatic Analysis (AA) of the post-processed data
- Manual review of remaining items
Post-Processing (PP) is Xylok’s term for taking the raw data collected on each device and internally running a script against it, either to make the data easier for a human to analyze or, in many cases, to let Xylok reach an automatic determination about it. Post-processing scripts within Xylok typically do one or more of the following:
- Simplify raw data: this entails taking the raw data from the command and eliminating or standardizing unimportant parts. For example, the dates of a file listing may not matter for a particular check and PP may hide them.
- Recommend a status and/or comment: For checks where no outside information is needed, PP may be able to directly recommend a finding status. This isn’t always possible. For example, PP can’t know whether a particular user account is actually needed on your system, because that depends on information only you have. If a PP recommendation is present, it is applied when Automatic Analysis is run. Even when PP can’t directly recommend a status, AA can still speed up your analysis through textual comparison of the post-processed data. Check out the in-depth AA article for more details.
- Save system data: While not directly an aid to analysis, PP scripts can also save off additional information about your system, such as the host name, IP addresses, and open ports. This data is surfaced in the machine details.
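The three behaviors above, shown on constructed raw collector output. This is an illustrative example added here, not one of Xylok’s own post-processing scripts: the script language, the handler names (pp_world_writable, pp_local_accounts, pp_hostname), the PPResult structure, and the status values "Open" and "NotAFinding" are all assumptions for the sake of the demonstration. The file-permission check can be decided from the data alone, so it recommends a status; the local-accounts check cannot (whether each account is needed is not knowable from the listing), so it only simplifies the data and asks for manual review; the hostname handler just saves system data.

```python
"""Illustrative post-processing of raw collector output (example only, not Xylok code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample of raw data as a collector might capture it from one device.
RAW = {
    "hostname": "web01.example.internal\n",
    "ls -l /etc/ssh": (
        "total 3\n"
        "-rw-r--r-- 1 root root 3264 Mar  2 10:15 ssh_config\n"
        "-rw-rw-rw- 1 root root 3232 Jan 15 09:01 sshd_config\n"
        "-rw------- 1 root root  411 Jan 15 09:01 ssh_host_ed25519_key\n"
    ),
    "getent passwd": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "jdoe:x:1001:1001:Jane Doe:/home/jdoe:/bin/bash\n"
        "svc-backup:x:1002:1002::/var/backup:/usr/sbin/nologin\n"
    ),
}

# One `ls -l` row: perms, link count, owner, group, size, date (3 tokens), name.
LS_LINE = re.compile(
    r"^(?P<perm>[-dlcbps][rwxstST-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\w{3}\s+\d{1,2}\s+[\d:]+\s+(?P<name>.+)$"
)


@dataclass
class PPResult:                      # assumed shape, not Xylok's
    simplified: list[str]            # what the analyst sees instead of the raw output
    status: str | None               # recommended status, or None when a human must decide
    comment: str
    system_data: dict = field(default_factory=dict)


def simplify_listing(raw: str) -> list[str]:
    """Drop the 'total' line, link counts, sizes and dates; keep perms, owner, group, name."""
    rows = []
    for line in raw.splitlines():
        m = LS_LINE.match(line)
        if m:
            rows.append(f"{m['perm']} {m['owner']} {m['group']} {m['name']}")
    return rows


def pp_world_writable(raw: str) -> PPResult:
    """Check needing no outside information: PP can recommend a status directly."""
    rows = simplify_listing(raw)
    # Index 8 of the permission string is the 'others' write bit.
    bad = [r.split()[-1] for r in rows if r[8] == "w"]
    if bad:
        return PPResult(rows, "Open", f"World-writable: {', '.join(bad)}")
    return PPResult(rows, "NotAFinding", "No world-writable files found")


def pp_local_accounts(raw: str) -> PPResult:
    """Check where PP cannot know the answer (is each account needed?): simplify only."""
    rows = []
    for line in raw.splitlines():
        user, _, uid, _, _, _, shell = line.split(":")
        rows.append(f"{user} uid={uid} shell={shell}")
    return PPResult(rows, None, "Manual review: confirm each interactive account is required")


def pp_hostname(raw: str) -> PPResult:
    """Not an analysis aid at all: just save system data for the machine details."""
    return PPResult([], None, "", {"hostname": raw.strip()})


def run_post_processing(raw: dict) -> dict:
    """Map each collected command to its handler and return every handler's result."""
    handlers = {
        "ls -l /etc/ssh": pp_world_writable,
        "getent passwd": pp_local_accounts,
        "hostname": pp_hostname,
    }
    return {cmd: handlers[cmd](out) for cmd, out in raw.items() if cmd in handlers}


if __name__ == "__main__":
    for cmd, res in run_post_processing(RAW).items():
        print(cmd, "->", res.status, "|", res.comment, res.system_data)
        for row in res.simplified:
            print("   ", row)
```

Running the script prints the simplified rows next to each recommendation: the /etc/ssh check comes back "Open" naming sshd_config, the account listing comes back with no status and a manual-review comment, and the hostname is captured as system data rather than as a finding.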
When viewing a scan, there is an option under “Scan Options” to re-run post-processing. In general, this does not need to be done manually because PP runs when the scan is imported. After a new Xylok update is installed, however, it may be appropriate to re-run PP on recent scans so that any script corrections or new recommendations are applied to data collected before the update.