Skip to content

Understanding Output

Jump to bottom
Colby Farley edited this page Apr 29, 2026 · 3 revisions

Understanding Output

HarrierOps Azure writes table, JSON, CSV, and loot artifacts from the same underlying model output. That means the formats are different views of the same collected result, not separate collectors.

Output Modes

  • --output table for quick operator reading in the terminal
  • --output json for structured review and automation
  • --output csv for spreadsheet-style inspection

Example:

ho-azure --outdir ./ho-azure-demo whoami --output json

Artifact Layout

All commands write under <outdir>/:

  • loot/<command>.json
  • json/<command>.json
  • table/<command>.txt
  • csv/<command>.csv

all-checks also writes:

  • run-summary.json

What run-summary.json Means

run-summary.json is orchestration metadata for all-checks. It tells you which commands ran and where their artifacts were written. It is not a separate evidence source.

JSON Header Fields

JSON artifacts include a top-level metadata object. Treat that object as tool and runtime provenance: command token, generation time, schema version, tenant/subscription scope, auth source, artifact validation context, and reused session artifacts when present. Operators can use this information for audit, but it is primarily there so the tool and automation can validate what produced the artifact.

Grouped command outputs also include operator-facing header fields:

  • grouped_command_name names the grouped command family, such as chains, persistence, or exfil.
  • family or surface names the selected grouped view, such as deployment-path or logic-apps.
  • input_mode summarizes where the backing evidence came from: live, artifact-backed, or mixed.
  • backing_commands lists the helper commands used to build the grouped output.
  • operator_receipt, when present, is the operator-facing command receipt: grouped command, surface/family, input mode, command state, summary, and backing commands. Use it when you want the quick answer to "what command view did I run, and did this reuse saved helper artifacts?"

For grouped outputs that include operator_receipt, read operator_receipt.command as the operator-facing command identity. Read metadata.command as the stable artifact-producing command token used by the tool and artifact system. When operator_receipt.input_mode is artifact-backed or mixed, the exact reused artifact paths remain in metadata.session_artifacts.

Loot Selection Contract

HarrierOps Azure uses semantic-high-band loot selection only for commands that ship a defended row-level priority contract.

Today that includes:

  • permissions
  • privesc
  • tokens-credentials
  • cross-tenant
  • ho-azure chains credential-path
  • ho-azure chains deployment-path
  • ho-azure chains compute-control
  • ho-azure chains escalation-path

For those commands, semantic-high-band loot means keeping priority=high rows when present.

All other commands currently use ranked-cutoff loot selection: loot keeps the top-ranked rows from the command's normal ordering, but that ordering should not be read as a durable semantic high / medium / low contract unless the command explicitly ships that priority field in JSON.

Table-only labels, ordering, or priority-like display context are not equivalent to a shipped semantic priority contract.

Important examples:

  • ho-azure chains deployment-path --output json may use semantic-high-band loot because its family rows ship defended priority.
  • ho-azure chains by itself does not. The base overview is a family index surface and still uses ranked-cutoff loot behavior.
  • network-effective and snapshots-disks remain ranked-cutoff surfaces even if the rendered table shows priority-like wording or context.

Practical Reading Pattern

  1. Start with terminal table output for quick triage.
  2. Open the JSON artifact when you want the exact structured result.
  3. Use the table or CSV files later if you want saved views outside the terminal.
  4. For all-checks, use run-summary.json to jump into the per-command artifacts.

Contract Expectations

  • JSON output is deterministic.
  • Table output should not invent fields that are absent from the JSON contract.
  • Schema files under schemas/ and snapshots under tests/golden/ are the regression baseline.

If you need the versioned contract details, use the repo docs rather than the wiki:

  • docs/output-contracts.md
  • docs/api-mapping/

HarrierOps Azure Wiki

Core
Identity
Config
Secrets
Storage
Resource
Network
Compute
Orchestration

Chain Families

Investigations
Reference

Clone this wiki locally