interACT Command Snippets
Overview
The Command Snippets Library in interACT introduces a major usability boost for remote command execution in AIR. It allows analysts to standardize, share, and quickly execute common commands without retyping or hunting through notes.
Snippets can be accessed directly in the interACT terminal window, from where they can be copied, pasted, or run directly in the current session. This reduces repetitive typing, accelerates response times, and ensures consistency across teams.
How It Works
- Predefined Snippets: A library of common investigation and response commands is provided out-of-the-box. These can be run directly or copy/pasted into a session.
- Custom Snippets: Analysts can create their own commands, define supported platforms (Windows, Linux, macOS), and save them to the Library for reuse and sharing. These snippets can be global or organization-specific. (With the release of XDR Forensics v5.7 the character limit increases from 2000 to 5000.)
- Library Management:
  - Edit, delete (for custom snippets), or import/export via text files.
  - Categorization by description, advanced filtering, and ownership tracking are supported.
  - Predefined snippets cannot currently be deleted.
  - Users can apply Tags to Command Snippets to streamline management and filtering. You can view and modify all Tags using the Manage Tags button in the Command Snippets library.
Benefits
- Speed: Eliminate repetitive typing and have long, complex, frequently used commands instantly available.
- Consistency: Standardize investigative workflows across your team.
- Scalability: Quickly search and filter hundreds of snippets during critical investigations.
- Flexibility: Maintain an evolving library of commands tailored to your environment.
System-Generated Command Snippets
To get users started, we have supplied some predefined System-generated snippets that are available by default in every environment. These are designed to cover common investigative and forensic tasks without requiring manual setup.
List of System Snippets:
- List mounted volumes with `volumes`
- Preview file beginning with `head`
- Verify file integrity with `hash`
- Inspect running processes with `pslist`
- Compress or extract archives with `zip`
- Query system state with `osquery`
- Pull evidence to console with `get`
- Display directory contents