Xylok Documentation
Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage
  2. /
  3. Analysis
  4. /
  5. Technical
  6. /
  7. Analyzing a Scan Manually

Analyzing a Scan Manually

Manual analysis is how automatic analysis gets its data. It’s intended to be as simple as possible while still ensuring each organization using Xylok can set their baseline to meet their particular system’s requirements. The first time scan data is collected on a system, this process will take longer than the average analysis effort in Xylok. Repeat scans take far less effort because Xylok’s Automatic Analysis will match existing data with the new data and apply the same markings.

Results Listing

Analysis for an individual machine has two views. First, the results listing:

Scan result listing

  1. Metadata about the source and date of the scan and includes a Scan Score, which is computed by how many of the Benchmark Checks a Machine is Compliant with out of the total Checks scanned

  2. Open the search builder which allows advanced searching/filtering:

    Scan search

  3. Run automatic analysis

  4. Scan Options button with the following choices:

    • Copy answers
    • Post-process raw data
    • Finding/data comparison
    • Export the scan data. This exports in a Xylok-specific format, suitable for importing into other Xylok instances.
    • Export the scan data in CKL format, for incorporating into third party tools.
    • Delete the scan data
    • Mark this scan as a baseline for automatic analysis
    • View the scan in the Admin site (if user has Admin privileges)

  5. The actual results matching your current search terms (or all of them, if there is no search). Results show the STIG, Check ID, Command that was performed, the Results of that Command, Status of the check (Not a Finding, Finding, or Not Applicable), and any Comments entered for the specific check completed.

Analysis Page

Clicking on a Command or Result on the results listing will load the details of that particular check, which allows the user to change finding status or comments.

Scan item page

This screen has the follow sections:

  1. Check content: the benchmark check content, as it comes directly from DISA or other benchmark source. At the bottom this section there may be an “Expert Comment,” which details additional information needed for answering the check, like hex value translations or Windows SIDs.
  2. Finding status and comment: This section allows the user to review and change the status of the check. The comments shown here appear in many reports in Xylok and will be replicated via automatic analysis to other machines that share the same results. The “Source” portion can be seen by hovering over either the finding status buttons or the comment box, and indicates if the marking came from someone manually checking the result, an applied Automatic Analysis item, or a post-processing recommendation.
  3. The Xylok recommendation from post-processing, which will display the recommended finding status and comment if one exists for this check.
  4. A link to this same check from the previous scan, if one exists, that shows the finding status from that check. This will change to return to the most current item if viewing the previous result.
  5. Previous and next item buttons for this scan can be found from either side of the top banner.
  6. A preview of the items in this scan. This list can be filtered by by clicking on the search bar at the top, which will open the same search builder from the scan items list.

Keyboard Shortcuts

Keyboard shortcuts have been added to allow efficient marking and navigation on the analysis page. These can be viewed by hovering over the “?” at the top right of the status banner and are as follows:

Action Key
Previous Check Left Arrow
Next Check Right Arrow
Mark Compliant 1
Mark Noncompliant 2
Mark N/A 3
Mark Unreviewed 4
Focus Comment c
Focus Search /
Fullscreen Output View f
Close Fullscreen Output View Escape

Analysis Data Display

The most important portion of the check results display is the data collected for the check. This section contains the following information:

Scan item output

This section displays the data collected for the check. There are three views:

  1. Raw data: this is the raw data that came out of running the command(s) in green, just as if you were sitting at the machine’s console running the command by hand.
  2. Postprocessed: if included with this particular command, the post-processed tab reflects the result of the Raw data running through a Python script. This is the default view if available and is intended to be easier to answer and more reliable for automatic analysis.
  3. Diff with previous: this view will show any differences from the previous time data was collected on this system using Unix diff format–green “+” lines are new this run, red “-” lines are from the previous scan. If you need to compare further in the past, use the Compare view in the results listing.

In addition to the various views is a link to run post-processing if needed. There is also a “Wrap Text” link, which will wrap the text within the output for viewing data that overflows if desired. Finally, there is a link to download the raw or post-processed results as a text file. For especially long checks Xylok will not display all output lines on the web–instead, download the results to view everything. Clicking the “Download Results” link will download the current data display view–to download raw results when post-processing has been applied, click the “Raw” button first.

gdoc_arrow_left_alt Accessing Scans Automatic Analysis gdoc_arrow_right_alt