create_acquisition_profile
Generate a new acquisition profile for Windows, Linux, macOS, or AIX systems, specifying evidence lists, artifact configurations, and network capture settings to streamline digital forensics and incident response processes.
Instructions
Create a new acquisition profile
Input Schema
Name | Required | Description | Default |
---|---|---|---|
aix | Yes | AIX specific configuration. Must include keys like `evidenceList` (array of strings), `artifactList` (array of strings, optional), and `customContentProfiles` (array). Example: { "evidenceList": ["logs"], ... } | |
eDiscovery | Yes | eDiscovery configuration. Must include the key `patterns` (array of objects with `pattern` and `category` strings). Example: { "patterns": [] } | |
linux | Yes | Linux specific configuration. Must include keys like `evidenceList` (array of strings), `artifactList` (array of strings, optional), `customContentProfiles` (array), and `networkCapture` (object). Example: { "evidenceList": ["logs"], ... } | |
macos | Yes | macOS specific configuration. Must include keys like `evidenceList` (array of strings), `artifactList` (array of strings, optional), `customContentProfiles` (array), and `networkCapture` (object). Example: { "evidenceList": ["logs"], ... } | |
name | Yes | Name for the new acquisition profile | |
organizationIds | No | Organization IDs to associate the profile with. Defaults to empty array. | |
windows | Yes | Windows specific configuration. Must include keys like `evidenceList` (array of strings), `artifactList` (array of strings, optional), `customContentProfiles` (array), and `networkCapture` (object). Example: { "evidenceList": ["evt"], "artifactList": [], "customContentProfiles": [], "networkCapture": { "enabled": false, "duration": 600, "pcap": { "enabled": false }, "networkFlow": { "enabled": false } } } | |
Input Schema (JSON Schema)
```json
{
  "properties": {
    "aix": {
      "description": "AIX specific configuration. Must include keys like `evidenceList` (array of strings), `artifactList` (array of strings, optional), and `customContentProfiles` (array). Example: { \"evidenceList\": [\"logs\"], ... }",
      "type": "object"
    },
    "eDiscovery": {
      "description": "eDiscovery configuration. Must include the key `patterns` (array of objects with `pattern` and `category` strings). Example: { \"patterns\": [] }",
      "type": "object"
    },
    "linux": {
      "description": "Linux specific configuration. Must include keys like `evidenceList` (array of strings), `artifactList` (array of strings, optional), `customContentProfiles` (array), and `networkCapture` (object). Example: { \"evidenceList\": [\"logs\"], ... }",
      "type": "object"
    },
    "macos": {
      "description": "macOS specific configuration. Must include keys like `evidenceList` (array of strings), `artifactList` (array of strings, optional), `customContentProfiles` (array), and `networkCapture` (object). Example: { \"evidenceList\": [\"logs\"], ... }",
      "type": "object"
    },
    "name": {
      "description": "Name for the new acquisition profile",
      "type": "string"
    },
    "organizationIds": {
      "description": "Organization IDs to associate the profile with. Defaults to empty array.",
      "items": {
        "type": "string"
      },
      "type": "array"
    },
    "windows": {
      "description": "Windows specific configuration. Must include keys like `evidenceList` (array of strings), `artifactList` (array of strings, optional), `customContentProfiles` (array), and `networkCapture` (object). Example: { \"evidenceList\": [\"evt\"], \"artifactList\": [], \"customContentProfiles\": [], \"networkCapture\": { \"enabled\": false, \"duration\": 600, \"pcap\": { \"enabled\": false }, \"networkFlow\": { \"enabled\": false } } }",
      "type": "object"
    }
  },
  "required": [
    "name",
    "windows",
    "linux",
    "macos",
    "aix",
    "eDiscovery"
  ],
  "type": "object"
}
```
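As an added example (not part of the tool or its server code), a Python helper that assembles a payload with the per-OS and eDiscovery keys described above and pre-checks it against those rules before the tool is invoked, so a malformed profile is caught client-side rather than at acquisition time. The helper names, the profile name and the sample eDiscovery pattern are assumptions; the `"evt"`/`"logs"` evidence identifiers and the disabled `networkCapture` block are the page's own examples.

```python
OS_KEYS = ("windows", "linux", "macos", "aix")

def _str_list(v):
    return isinstance(v, list) and all(isinstance(x, str) for x in v)

def network_capture_disabled():
    # The page's own example of a networkCapture block with capture switched off.
    return {"enabled": False, "duration": 600,
            "pcap": {"enabled": False}, "networkFlow": {"enabled": False}}

def build_profile(name, evidence, patterns=(), organization_ids=()):
    """Hypothetical helper: `evidence` maps an OS key to its evidenceList."""
    profile = {"name": name, "organizationIds": list(organization_ids),
               "eDiscovery": {"patterns": list(patterns)}}
    for os_name in OS_KEYS:
        cfg = {"evidenceList": list(evidence.get(os_name, [])),
               "artifactList": [], "customContentProfiles": []}
        if os_name != "aix":  # the schema lists no networkCapture key for AIX
            cfg["networkCapture"] = network_capture_disabled()
        profile[os_name] = cfg
    return profile

def validate_profile(p):
    """Return violations of the rules in the input schema; an empty list means OK."""
    errors = [f"missing required key {k!r}" for k in ("name", "eDiscovery") + OS_KEYS if k not in p]
    if "organizationIds" in p and not _str_list(p["organizationIds"]):
        errors.append("organizationIds: array of strings required")
    for os_name in OS_KEYS:
        cfg = p.get(os_name)
        if not isinstance(cfg, dict):
            continue
        if not _str_list(cfg.get("evidenceList")):
            errors.append(f"{os_name}.evidenceList: array of strings required")
        if "artifactList" in cfg and not _str_list(cfg["artifactList"]):
            errors.append(f"{os_name}.artifactList: array of strings required")
        if not isinstance(cfg.get("customContentProfiles"), list):
            errors.append(f"{os_name}.customContentProfiles: array required")
        if os_name != "aix" and not isinstance(cfg.get("networkCapture"), dict):
            errors.append(f"{os_name}.networkCapture: object required")
    ed = p.get("eDiscovery")
    pats = ed.get("patterns") if isinstance(ed, dict) else []
    if not isinstance(pats, list):
        errors.append("eDiscovery.patterns: array required")
    for i, pat in enumerate(pats if isinstance(pats, list) else []):
        if not (isinstance(pat, dict) and isinstance(pat.get("pattern"), str)
                and isinstance(pat.get("category"), str)):
            errors.append(f"eDiscovery.patterns[{i}]: string 'pattern' and 'category' required")
    return errors
```

Call `validate_profile(build_profile(...))` and refuse to send the payload unless the returned list is empty.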