From 4f48a5bc4d980259b60223400b27485aafde902a Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 4 May 2026 07:05:35 +0000 Subject: [PATCH 01/13] [docs] fix(executors): correct misleading implant cleanup statement --- docs/deployment/ecosystem/executors.md | 45 ++++++++++---------------- docs/usage/openaev-agent.md | 4 ++- 2 files changed, 20 insertions(+), 29 deletions(-) diff --git a/docs/deployment/ecosystem/executors.md b/docs/deployment/ecosystem/executors.md index 6a66fac0..c6e7ec88 100644 --- a/docs/deployment/ecosystem/executors.md +++ b/docs/deployment/ecosystem/executors.md @@ -31,13 +31,6 @@ threat arsenal actions on endpoints. The Tanium agent can be leveraged to execute implants as detached processes that will then execute threat arsenal actions, according to the [OpenAEV architecture](https://docs.openaev.io/latest/deployment/platform/overview/). -The implants will be downloaded to these folders on the different assets: - -* On Windows assets: `C:\Program Files (x86)\Filigran\OAEV Agent\runtimes\implant-XXXXX` -* On Linux or MacOS assets: `/opt/openaev-agent/runtimes/implant-XXXXX` - -where XXXXX will be a completely random UUID, generated for each inject that will be executed. -This ensures that the implants are unique and will be deleted on assets' restart. ### Configure the Tanium Platform 
@@ -129,13 +122,6 @@ Endpoints from the selected computer groups should now appear in the **OpenAEV E The CrowdStrike Falcon agent can be leveraged to execute implants as detached processes that will then execute threat arsenal actions according to the [OpenAEV architecture](https://docs.openaev.io/latest/deployment/platform/overview/). -The implants will be downloaded to these folders on the different assets: - -* On Windows assets: `C:\Program Files (x86)\Filigran\OAEV Agent\runtimes\implant-XXXXX` -* On Linux or MacOS assets: `/opt/openaev-agent/runtimes/implant-XXXXX` - -where XXXXX will be a completely random UUID, generated for each inject that will be executed. -This ensures that the implants are unique and will be deleted on assets' restart. ### Configure the CrowdStrike Platform @@ -301,13 +287,6 @@ according to the [OpenAEV architecture](https://docs.openaev.io/latest/deploymen On Windows, because Palo Alto Cortex whitelists its own process tree, OpenAEV creates a scheduled task to detach the process that will execute the threat arsenal actions. -The implants will be downloaded to these folders on the different assets: - -* On Windows assets: `C:\Program Files (x86)\Filigran\OAEV Agent\runtimes\implant-XXXXX` -* On Linux or MacOS assets: `/opt/openaev-agent/runtimes/implant-XXXXX` - -where XXXXX will be a completely random UUID, generated for each inject that will be executed. -This ensures that the implants are unique and will be deleted on assets' restart. ### Configure the Palo Alto Cortex Platform 
@@ -392,13 +371,6 @@ Endpoint on the OpenAEV endpoint page. The SentinelOne agent can be leveraged to execute implants as detached processes that will then execute threat arsenal actions according to the [OpenAEV architecture](https://docs.openaev.io/latest/deployment/platform/overview/). -The implants will be downloaded to these folders on the different assets: - -* On Windows assets: `C:\Program Files (x86)\Filigran\OAEV Agent\runtimes\implant-XXXXX` -* On Linux or MacOS assets: `/opt/openaev-agent/runtimes/implant-XXXXX` - -where XXXXX will be a completely random UUID, generated for each inject that will be executed. -This ensures that the implants are unique and will be deleted on assets' restart. !!! warning "SentinelOne" @@ -585,3 +557,20 @@ Run the following commands with an administrator Powershell in order to uninstal `schtasks /delete /tn OpenAEVCaldera`
`Stop-Process -Name oaev-agent-caldera`
`rm -force -Recurse "C:\Program Files (x86)\Filigran\OAEV Caldera"` + +## Implant directories and cleanup + +For all executors (except Caldera and OpenAEV agent), implants are downloaded to the following folders on the endpoints: + +* On Windows assets: `C:\Program Files (x86)\Filigran\OAEV Agent\runtimes\implant-XXXXX` +* On Linux or MacOS assets: `/opt/openaev-agent/runtimes/implant-XXXXX` + +where `XXXXX` is a completely random UUID, generated for each inject that will be executed. + +- Each implant directory is unique per inject. +- Old implant directories are periodically cleaned up by the platform. Every `clean-implant-interval` hours (default: **8**), the platform sends a cleanup command to each endpoint agent, which removes all directories in `runtimes/` and `payloads/` that are older than **24 hours**. + +!!! note "OpenAEV Agent" + + The OpenAEV Agent has its own built-in garbage collector with different thresholds. See the [OpenAEV Agent documentation](../../usage/openaev-agent.md) for details. + diff --git a/docs/usage/openaev-agent.md b/docs/usage/openaev-agent.md index 270f74db..0f7b595e 100644 --- a/docs/usage/openaev-agent.md +++ b/docs/usage/openaev-agent.md @@ -246,7 +246,9 @@ The main features of the OpenAEV Agent include: * Automatic agent upgrade (on startup and registration) * Periodic job retrieval (every 30 seconds) * Implant lifecycle management -* Execution cleanup and directory pruning +* Execution cleanup and directory pruning (garbage collector running every **3 minutes**): + * Directories matching `runtimes/execution-*` and `payloads/execution-*` older than **20 minutes** are processed: associated processes are killed, then the directories are renamed from `execution-*` to `executed-*`. + * Directories matching `runtimes/executed-*` and `payloads/executed-*` older than **2 days** are permanently deleted. * Health checks (heartbeat every 2 minutes) --- From 7c1c245932dba9478da029e18234502c710d24f6 Mon Sep 17 00:00:00 2001 
From: savacano28 Date: Wed, 6 May 2026 10:53:11 +0200 Subject: [PATCH 02/13] [docs] fix(executors): correct misleading implant cleanup statement --- docs/usage/openaev-agent.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/usage/openaev-agent.md b/docs/usage/openaev-agent.md index 0f7b595e..bfb43a08 100644 --- a/docs/usage/openaev-agent.md +++ b/docs/usage/openaev-agent.md @@ -247,8 +247,8 @@ The main features of the OpenAEV Agent include: * Periodic job retrieval (every 30 seconds) * Implant lifecycle management * Execution cleanup and directory pruning (garbage collector running every **3 minutes**): - * Directories matching `runtimes/execution-*` and `payloads/execution-*` older than **20 minutes** are processed: associated processes are killed, then the directories are renamed from `execution-*` to `executed-*`. - * Directories matching `runtimes/executed-*` and `payloads/executed-*` older than **2 days** are permanently deleted. + * Directories matching `runtimes/execution-*` and `payloads/execution-*` older than **10 minutes** are processed: associated processes are killed, then the directories are renamed from `execution-*` to `executed-*`. + * Directories matching `runtimes/executed-*` and `payloads/executed-*` older than **10 minutes** are permanently deleted. * Health checks (heartbeat every 2 minutes) --- From 0d23f4cda694f4ac16dc015a83473e452bdf4e42 Mon Sep 17 00:00:00 2001 From: savacano28 Date: Thu, 7 May 2026 10:55:06 +0200 Subject: [PATCH 03/13] [docs] fix(executors): add clanup configuration section --- docs/usage/openaev-agent.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/docs/usage/openaev-agent.md b/docs/usage/openaev-agent.md index bfb43a08..5d1980bc 100644 --- a/docs/usage/openaev-agent.md +++ b/docs/usage/openaev-agent.md 
@@ -251,6 +251,25 @@ The main features of the OpenAEV Agent include: * Directories matching `runtimes/executed-*` and `payloads/executed-*` older than **10 minutes** are permanently deleted. * Health checks (heartbeat every 2 minutes) +--- +### Cleanup Configuration + +The garbage collector thresholds can be customized in the agent's `toml.config` file: + +| Parameter | Description | Default value | +|--------------------------------|----------------------------------------------------------------------------------------------------------|---------------| +| `executing_max_time_minutes` | Max age (in minutes) for `execution-*` directories before processes are killed and directories renamed to `executed-*` | `10` | +| `directory_max_time_minutes` | Max age (in minutes) for `executed-*` directories before they are permanently deleted | `10` | +| `cleanup_interval_seconds` | Interval (in seconds) between cleanup cycles | `180` | + +Example configuration in `toml.config`: + +```toml +[cleanup] +executing_max_time_minutes = 10 +directory_max_time_minutes = 10 +cleanup_interval_seconds = 180 +``` --- ## Troubleshooting From 83cd0d62029fe1609c22a1b440d8592a97139714 Mon Sep 17 00:00:00 2001 From: savacano28 Date: Thu, 7 May 2026 13:16:39 +0200 Subject: [PATCH 04/13] [docs] fix(executors): add clanup configuration section --- docs/usage/openaev-agent.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/usage/openaev-agent.md b/docs/usage/openaev-agent.md index 5d1980bc..c386f2a8 100644 --- a/docs/usage/openaev-agent.md +++ b/docs/usage/openaev-agent.md 
@@ -254,7 +254,7 @@ The main features of the OpenAEV Agent include: --- ### Cleanup Configuration -The garbage collector thresholds can be customized in the agent's `toml.config` file: +The garbage collector thresholds can be customized in the agent's `openaev-agent-config.toml` file: | Parameter | Description | Default value | |--------------------------------|----------------------------------------------------------------------------------------------------------|---------------| From 30a456d65b883ca575a2f74ef56c018564a42903 Mon Sep 17 00:00:00 2001 From: savacano28 Date: Thu, 7 May 2026 14:25:10 +0200 Subject: [PATCH 05/13] [docs] fix(executors): add clanup configuration section --- docs/usage/openaev-agent.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/usage/openaev-agent.md b/docs/usage/openaev-agent.md index c386f2a8..5292645d 100644 --- a/docs/usage/openaev-agent.md +++ b/docs/usage/openaev-agent.md @@ -262,7 +262,7 @@ The garbage collector thresholds can be customized in the agent's `openaev-agent | `directory_max_time_minutes` | Max age (in minutes) for `executed-*` directories before they are permanently deleted | `10` | | `cleanup_interval_seconds` | Interval (in seconds) between cleanup cycles | `180` | -Example configuration in `toml.config`: +Example configuration in `openaev-agent-config.toml`: ```toml [cleanup] From a7aa550ae0bebd3d1e00a34ba8ce5b76820a4ff3 Mon Sep 17 00:00:00 2001 From: savacano28 Date: Thu, 7 May 2026 15:43:35 +0200 Subject: [PATCH 06/13] [docs] fix(executors): add clanup configuration section --- docs/deployment/ecosystem/executors.md | 124 ++++++++++++++----------- docs/usage/openaev-agent.md | 2 +- 2 files changed, 72 insertions(+), 54 deletions(-) diff --git a/docs/deployment/ecosystem/executors.md b/docs/deployment/ecosystem/executors.md index c6e7ec88..971c51e0 100644 --- a/docs/deployment/ecosystem/executors.md +++ b/docs/deployment/ecosystem/executors.md 
@@ -26,15 +26,18 @@ threat arsenal actions on endpoints. --- + ## Tanium Agent -The Tanium agent can be leveraged to execute implants as detached processes that will then execute threat arsenal actions, according +The Tanium agent can be leveraged to execute implants as detached processes that will then execute threat arsenal +actions, according to the [OpenAEV architecture](https://docs.openaev.io/latest/deployment/platform/overview/). - ### Configure the Tanium Platform -We provide [two Tanium packages](https://github.com/OpenAEV-Platform/openaev/blob/master/openaev-api/src/main/java/io/openaev/executors/tanium/openaev-tanium-packages.json) to be imported into the Tanium platform. +We +provide [two Tanium packages](https://github.com/OpenAEV-Platform/openaev/blob/master/openaev-api/src/main/java/io/openaev/executors/tanium/openaev-tanium-packages.json) +to be imported into the Tanium platform. ![Tanium Packages](../assets/tanium-packages.png) 
@@ -75,18 +78,18 @@ Once configured and imported, retrieve the package IDs from the URL: To use the Tanium executor, fill the following configuration in the Integrations (Executors) tab from OpenAEV menu. -| Parameter | Environment variable | Default value | Description | -|:------------------------------------------------------|:------------------------------------------------------|:---------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------| -| executor.tanium.enable | EXECUTOR_TANIUM_ENABLE | `false` | Enable the Tanium executor | -| executor.tanium.url | EXECUTOR_TANIUM_URL | | Tanium API URL | -| executor.tanium.api-key | EXECUTOR_TANIUM_API-KEY | | Tanium API key | -| executor.tanium.api-register-interval | EXECUTOR_TANIUM_API_REGISTER_INTERVAL | 1200 | Tanium API interval to register/update the computer groups/endpoints in OpenAEV (in seconds) | -| executor.tanium.api-batch-execution-action-pagination | EXECUTOR_TANIUM_API_BATCH_EXECUTION_ACTION_PAGINATION | 100 | Tanium API pagination per 5 seconds to set for endpoints batch executions (number of endpoints sent per 5 seconds to Tanium to execute a threat arsenal action) | -| executor.tanium.clean-implant-interval | EXECUTOR_TANIUM_CLEAN_IMPLANT_INTERVAL | 8 | Tanium clean old implant interval (in hours) | -| executor.tanium.computer-group-id | EXECUTOR_TANIUM_COMPUTER_GROUP_ID | `1` | Tanium Computer Group or Computer Groups to be used in simulations separated with commas | -| executor.tanium.action-group-id | EXECUTOR_TANIUM_ACTION_GROUP_ID | `4` | Tanium Action Group to apply actions to | -| executor.tanium.windows-package-id | EXECUTOR_TANIUM_WINDOWS_PACKAGE_ID | | ID of the OpenAEV Tanium Windows package | -| executor.tanium.unix-package-id | EXECUTOR_TANIUM_UNIX_PACKAGE_ID | | ID of the OpenAEV Tanium Unix package | +| Parameter | Environment variable | Default value | Description | 
+|:------------------------------------------------------|:------------------------------------------------------|:--------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------| +| executor.tanium.enable | EXECUTOR_TANIUM_ENABLE | `false` | Enable the Tanium executor | +| executor.tanium.url | EXECUTOR_TANIUM_URL | | Tanium API URL | +| executor.tanium.api-key | EXECUTOR_TANIUM_API-KEY | | Tanium API key | +| executor.tanium.api-register-interval | EXECUTOR_TANIUM_API_REGISTER_INTERVAL | 1200 | Tanium API interval to register/update the computer groups/endpoints in OpenAEV (in seconds) | +| executor.tanium.api-batch-execution-action-pagination | EXECUTOR_TANIUM_API_BATCH_EXECUTION_ACTION_PAGINATION | 100 | Tanium API pagination per 5 seconds to set for endpoints batch executions (number of endpoints sent per 5 seconds to Tanium to execute a threat arsenal action) | +| executor.tanium.clean-implant-interval | EXECUTOR_TANIUM_CLEAN_IMPLANT_INTERVAL | 8 | Tanium clean old implant interval (in hours) | +| executor.tanium.computer-group-id | EXECUTOR_TANIUM_COMPUTER_GROUP_ID | `1` | Tanium Computer Group or Computer Groups to be used in simulations separated with commas | +| executor.tanium.action-group-id | EXECUTOR_TANIUM_ACTION_GROUP_ID | `4` | Tanium Action Group to apply actions to | +| executor.tanium.windows-package-id | EXECUTOR_TANIUM_WINDOWS_PACKAGE_ID | | ID of the OpenAEV Tanium Windows package | +| executor.tanium.unix-package-id | EXECUTOR_TANIUM_UNIX_PACKAGE_ID | | ID of the OpenAEV Tanium Unix package | !!! note "Tanium API Key" 
@@ -117,12 +120,13 @@ Endpoints from the selected computer groups should now appear in the **OpenAEV E --- + ## CrowdStrike Falcon Agent -The CrowdStrike Falcon agent can be leveraged to execute implants as detached processes that will then execute threat arsenal actions +The CrowdStrike Falcon agent can be leveraged to execute implants as detached processes that will then execute threat +arsenal actions according to the [OpenAEV architecture](https://docs.openaev.io/latest/deployment/platform/overview/). - ### Configure the CrowdStrike Platform #### Upload OpenAEV scripts @@ -215,7 +219,8 @@ To create a host group, go to `Host setup and management` > `Host groups`. #### Create/Update response policies for your targeted platforms -As OpenAEV will ask CrowdStrike to create implants in order to execute threat arsenal actions as scripts, you need to allow the +As OpenAEV will ask CrowdStrike to create implants in order to execute threat arsenal actions as scripts, you need to +allow the execution of custom scripts on your assets. To do so, you need to create a new response policy or update an existing one for your assets' platforms. 
@@ -244,20 +249,21 @@ applied. Please note that the CrowdStrike API key should have the following permissions: API integrations, Hosts, Host groups, Real time response. -To use the CrowdStrike executor, just fill the following configuration in the Integrations (Executors) tab from OpenAEV menu. - -| Parameter | Environment variable | Default value | Description | -|:-----------------------------------------------------------|:------------------------------------------------------------|:-----------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| executor.crowdstrike.enable | EXECUTOR_CROWDSTRIKE_ENABLE | `false` | Enable the Crowdstrike executor | -| executor.crowdstrike.api-url | EXECUTOR_CROWDSTRIKE_API_URL | `https://api.us-2.crowdstrike.com` | Crowdstrike API url | -| executor.crowdstrike.api-register-interval | EXECUTOR_CROWDSTRIKE_API_REGISTER_INTERVAL | 1200 | Crowdstrike API interval to register/update the host groups/hosts/agents in OpenAEV (in seconds) | -| executor.crowdstrike.api-batch-execution-action-pagination | EXECUTOR_CROWDSTRIKE_API_BATCH_EXECUTION_ACTION_PAGINATION | 2500 | Crowdstrike API pagination per 5 seconds to set for hosts batch executions (number of hosts sent per 5 seconds to Crowdstrike to execute a threat arsenal action) | -| executor.crowdstrike.clean-implant-interval | EXECUTOR_CROWDSTRIKE_CLEAN_IMPLANT_INTERVAL | 8 | Crowdstrike clean old implant interval (in hours) | -| executor.crowdstrike.client-id | EXECUTOR_CROWDSTRIKE_CLIENT_ID | | Crowdstrike client id | -| executor.crowdstrike.client-secret | EXECUTOR_CROWDSTRIKE_CLIENT_SECRET | | Crowdstrike client secret | -| executor.crowdstrike.host-group | EXECUTOR_CROWDSTRIKE_HOST_GROUP | | Crowdstrike host group id or hosts groups ids separated with commas | -| executor.crowdstrike.windows-script-name | 
EXECUTOR_CROWDSTRIKE_WINDOWS_SCRIPT_NAME | `OpenAEV Subprocessor (Windows)` | Name of the OpenAEV Crowdstrike windows script | -| executor.crowdstrike.unix-script-name | EXECUTOR_CROWDSTRIKE_UNIX_SCRIPT_NAME | `OpenAEV Subprocessor (Unix)` | Name of the OpenAEV Crowdstrike unix script | +To use the CrowdStrike executor, just fill the following configuration in the Integrations (Executors) tab from OpenAEV +menu. + +| Parameter | Environment variable | Default value | Description | +|:-----------------------------------------------------------|:-----------------------------------------------------------|:-----------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| executor.crowdstrike.enable | EXECUTOR_CROWDSTRIKE_ENABLE | `false` | Enable the Crowdstrike executor | +| executor.crowdstrike.api-url | EXECUTOR_CROWDSTRIKE_API_URL | `https://api.us-2.crowdstrike.com` | Crowdstrike API url | +| executor.crowdstrike.api-register-interval | EXECUTOR_CROWDSTRIKE_API_REGISTER_INTERVAL | 1200 | Crowdstrike API interval to register/update the host groups/hosts/agents in OpenAEV (in seconds) | +| executor.crowdstrike.api-batch-execution-action-pagination | EXECUTOR_CROWDSTRIKE_API_BATCH_EXECUTION_ACTION_PAGINATION | 2500 | Crowdstrike API pagination per 5 seconds to set for hosts batch executions (number of hosts sent per 5 seconds to Crowdstrike to execute a threat arsenal action) | +| executor.crowdstrike.clean-implant-interval | EXECUTOR_CROWDSTRIKE_CLEAN_IMPLANT_INTERVAL | 8 | Crowdstrike clean old implant interval (in hours) | +| executor.crowdstrike.client-id | EXECUTOR_CROWDSTRIKE_CLIENT_ID | | Crowdstrike client id | +| executor.crowdstrike.client-secret | EXECUTOR_CROWDSTRIKE_CLIENT_SECRET | | Crowdstrike client secret | +| executor.crowdstrike.host-group | EXECUTOR_CROWDSTRIKE_HOST_GROUP | | Crowdstrike host group id or hosts 
groups ids separated with commas | +| executor.crowdstrike.windows-script-name | EXECUTOR_CROWDSTRIKE_WINDOWS_SCRIPT_NAME | `OpenAEV Subprocessor (Windows)` | Name of the OpenAEV Crowdstrike windows script | +| executor.crowdstrike.unix-script-name | EXECUTOR_CROWDSTRIKE_UNIX_SCRIPT_NAME | `OpenAEV Subprocessor (Unix)` | Name of the OpenAEV Crowdstrike unix script | ### Checks @@ -280,21 +286,25 @@ Endpoint on the OpenAEV endpoint page. --- + ## Palo Alto Cortex Agent -The Palo Alto Cortex agent can be leveraged to execute implants as detached processes that will then execute threat arsenal actions +The Palo Alto Cortex agent can be leveraged to execute implants as detached processes that will then execute threat +arsenal actions according to the [OpenAEV architecture](https://docs.openaev.io/latest/deployment/platform/overview/). -On Windows, because Palo Alto Cortex whitelists its own process tree, OpenAEV creates a scheduled task to detach the process that will execute the threat arsenal actions. - +On Windows, because Palo Alto Cortex whitelists its own process tree, OpenAEV creates a scheduled task to detach the +process that will execute the threat arsenal actions. ### Configure the Palo Alto Cortex Platform #### Upload OpenAEV scripts -First of all, you need to create one custom script for Unix, covering both Linux and MacOS systems and another one for Windows. +First of all, you need to create one custom script for Unix, covering both Linux and MacOS systems and another one for +Windows. -To create these scripts, go to `Investigation & responses` > `Action Center` > `Agent Script Library` > `+ New Script`. The names +To create these scripts, go to `Investigation & responses` > `Action Center` > `Agent Script Library` > `+ New Script`. +The names of the scripts can be changed if necessary, the ids will be put in the OpenAEV configuration. To get the scripts IDs, it may be necessary to add the Script UID column to the scripts list view. 
@@ -330,7 +340,8 @@ To create a group, go to `Inventory` > `Endpoints` > `Groups`. Please note that the Palo Alto Cortex API key created in "Settings/Configurations/API Keys" should have the following minimum role: “Instance Administrator” and security level: "Standard". -To use the Palo Alto Cortex executor, just fill the following configuration in the Integrations (Executors) tab from OpenAEV menu. +To use the Palo Alto Cortex executor, just fill the following configuration in the Integrations (Executors) tab from +OpenAEV menu. | Parameter | Environment variable | Default value | Description | |:--------------------------------------------------------------|:--------------------------------------------------------------|:--------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| @@ -356,8 +367,10 @@ groups sections in OpenAEV: ![Palo Alto Cortex Endpoints](../assets/paloaltocortex-endpoints.png) -NB : An Asset can only have one Palo Alto Cortex agent installed due to the uniqueness of the MAC address parameters. If you -try to install again a Palo Alto Cortex agent on a platform, it will overwrite the actual one and you will always see one +NB : An Asset can only have one Palo Alto Cortex agent installed due to the uniqueness of the MAC address parameters. If +you +try to install again a Palo Alto Cortex agent on a platform, it will overwrite the actual one and you will always see +one Endpoint on the OpenAEV endpoint page. !!! success "Installation done" 
@@ -366,17 +379,17 @@ Endpoint on the OpenAEV endpoint page. --- + ## SentinelOne Agent -The SentinelOne agent can be leveraged to execute implants as detached processes that will then execute threat arsenal actions +The SentinelOne agent can be leveraged to execute implants as detached processes that will then execute threat arsenal +actions according to the [OpenAEV architecture](https://docs.openaev.io/latest/deployment/platform/overview/). - !!! warning "SentinelOne" Please note that the SentinelOne license with add-on “remote script orchestration” is required to launch SentinelOne scripts with OpenAEV → see in SentinelOne/Settings/Configuration/Add-ons - ### Configure the SentinelOne Platform #### Upload OpenAEV scripts @@ -423,7 +436,8 @@ To create a wrapper (account/site/group), go to `Settings` > `Accounts/Sites`. Please note that the SentinelOne API key created in "Settings/Users/Service Users" should have the following minimum role: “IR Team”. The API key and the scripts must be created for and with the same user and the required account/site. -To use the SentinelOne executor, just fill the following configuration in the Integrations (Executors) tab from OpenAEV menu. +To use the SentinelOne executor, just fill the following configuration in the Integrations (Executors) tab from OpenAEV +menu. | Parameter | Environment variable | Default value | Description | |:-----------------------------------------------------------|:-----------------------------------------------------------|:--------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------| 
@@ -445,7 +459,8 @@ Once enabled, you should see SentinelOne available in your `Install agents` sect ![SentinelOne available agent](../assets/sentinelone-agents.png) -Also, the assets and the asset groups in the selected accounts/sites/groups should now be available in the endpoints and asset +Also, the assets and the asset groups in the selected accounts/sites/groups should now be available in the endpoints and +asset groups sections in OpenAEV: ![Sentinel Endpoints](../assets/sentinelone-endpoints.png) @@ -459,9 +474,11 @@ Endpoint on the OpenAEV endpoint page. You are now ready to leverage your SentinelOne platform to run OpenAEV threat arsenal actions! --- + ## Caldera Agent -The Caldera agent can be leveraged to execute implants as detached processes that will then execute threat arsenal actions according to +The Caldera agent can be leveraged to execute implants as detached processes that will then execute threat arsenal +actions according to the [OpenAEV architecture](https://docs.openaev.io/latest/deployment/platform/overview/). !!! note "Caldera already installed" 
@@ -560,15 +577,16 @@ Run the following commands with an administrator Powershell in order to uninstal ## Implant directories and cleanup -For all executors (except Caldera and OpenAEV agent), implants are downloaded to the following folders on the endpoints: - -* On Windows assets: `C:\Program Files (x86)\Filigran\OAEV Agent\runtimes\implant-XXXXX` -* On Linux or MacOS assets: `/opt/openaev-agent/runtimes/implant-XXXXX` - -where `XXXXX` is a completely random UUID, generated for each inject that will be executed. +For all executors (except Caldera and OpenAEV Agent), implants are downloaded into a `runtimes/implant-XXXXX` +subdirectory relative to the agent's installation directory, where `XXXXX` is a unique UUID generated for each inject +execution. The installation directory varies depending on the agent type +and [installation mode](../../usage/openaev-agent.md#privileges-security_1) for the +exact paths. - Each implant directory is unique per inject. -- Old implant directories are periodically cleaned up by the platform. Every `clean-implant-interval` hours (default: **8**), the platform sends a cleanup command to each endpoint agent, which removes all directories in `runtimes/` and `payloads/` that are older than **24 hours**. +- Old implant directories are periodically cleaned up by the platform. Every `clean-implant-interval` hours (default: * + *8**), the platform sends a cleanup command to each endpoint agent, which removes all directories in `runtimes/` and + `payloads/` that are older than **24 hours**. !!! note "OpenAEV Agent" diff --git a/docs/usage/openaev-agent.md b/docs/usage/openaev-agent.md index 5292645d..6af46082 100644 --- a/docs/usage/openaev-agent.md +++ b/docs/usage/openaev-agent.md @@ -270,8 +270,8 @@ executing_max_time_minutes = 10 directory_max_time_minutes = 10 cleanup_interval_seconds = 180 ``` ---- +--- ## Troubleshooting Logs are available at the following locations (see installation tables for paths): 
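Review bot: In patch 01/13, the four identical deletions in executors.md (hunks at -31, -129, -301, -392) correctly drop the claim that implants "will be deleted on assets' restart", which nothing on disk guaranteed, but the replacement section lands at the very end of the file, far from the Tanium/CrowdStrike/Cortex/SentinelOne sections where an operator looks for it; add a one-line pointer such as "Implant locations and cleanup are described in [Implant directories and cleanup](#implant-directories-and-cleanup)" at each of the four removal sites so the consolidated text stays discoverable.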
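Review bot: In patch 01/13, the new "Implant directories and cleanup" section in executors.md says "Every `clean-implant-interval` hours (default: **8**)" as if it were one global setting, but the keys are per executor (`executor.tanium.clean-implant-interval`, `executor.crowdstrike.clean-implant-interval`, with the same suffix for the other executors as the tables in this series show); name the key pattern so readers can find it. The same bullet should also state whether the 24-hour pruning of `runtimes/` and `payloads/` kills implant processes that are still running or only removes directories of finished executions, since the agent-side garbage collector documented in openaev-agent.md explicitly kills processes first and a reader will assume the platform-side cleanup behaves the same way.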
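Review bot: In patch 01/13, the openaev-agent.md hunk (-246) documents the garbage collector thresholds as **20 minutes** for `execution-*` and **2 days** for `executed-*`, while patch 02/13 of the same series rewrites both to **10 minutes** and patch 03/13 lists `executing_max_time_minutes = 10` and `directory_max_time_minutes = 10` as defaults; the numbers should be taken from the agent's actual configuration defaults in one place rather than typed into the feature list and the parameter table separately, or the two will drift again. Consider having the bullet say "see Cleanup Configuration for the current defaults" instead of repeating the values.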
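Review bot: In patch 02/13, with both thresholds at **10 minutes**, any inject whose implant process is still running 10 minutes after its `execution-*` directory was created gets killed, and the directory is gone roughly 10 minutes later; the bullet should say this plainly ("long-running payloads must raise `executing_max_time_minutes`") because as written it reads as housekeeping, not as an execution time limit that silently terminates legitimate simulations.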
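Review bot: In patch 03/13, the new "Cleanup Configuration" section names the file `toml.config` in both the intro sentence and the example caption, and patches 04/13 and 05/13 each fix one of those occurrences to `openaev-agent-config.toml`; the three commits should be squashed (the subject line typo "clanup" is also carried through every commit from 03 to 11). The section should also state whether changes to the `[cleanup]` table are picked up at runtime or require an agent restart, and the `+---` inserted before `### Cleanup Configuration` leaves the existing `---` before `## Troubleshooting` in place, so the section is now fenced by two horizontal rules until patch 06/13 moves one of them.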
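Review bot: In patch 06/13, the executors.md hunks at -26, -75, -117, -215, -244, -280, -330, -356, -366, -423, -445 and -459 are a whole-file hard wrap at about 120 columns (intro paragraphs, the "We\nprovide" line, table separator rows re-padded by one character) mixed into a commit whose subject says "add cleanup configuration section"; put the reflow in its own commit so the content change can be reviewed on its own. The wrap also broke Markdown in the -560 hunk: `(default: *` followed by `*8**)` on the next line no longer renders as bold and shows a literal asterisk (patch 07/13 has to undo it).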
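Review bot: In patch 06/13, the rewritten "Implant directories and cleanup" hunk (-560) replaces the explicit paths (`C:\Program Files (x86)\Filigran\OAEV Agent\runtimes\implant-XXXXX`, `/opt/openaev-agent/runtimes/implant-XXXXX`) with a link to `../../usage/openaev-agent.md#privileges-security_1`; the `_1` suffix is a generator-assigned anchor for a duplicated heading and will silently break when that page's headings are reordered, so link to a stable named section or keep a short table of the default install directories per agent type here. The sentence "The installation directory varies depending on the agent type and [installation mode](...) for the exact paths." also lost its verb; it should read "...and installation mode; see [installation mode](...) for the exact paths."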
From 4b7fd80409e9172a6afd4c7ee5f371d45f71f898 Mon Sep 17 00:00:00 2001 From: savacano28 Date: Thu, 7 May 2026 16:04:35 +0200 Subject: [PATCH 07/13] [docs] fix(executors): add clanup configuration section --- docs/deployment/ecosystem/executors.md | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/docs/deployment/ecosystem/executors.md b/docs/deployment/ecosystem/executors.md index 971c51e0..0d8b2051 100644 --- a/docs/deployment/ecosystem/executors.md +++ b/docs/deployment/ecosystem/executors.md @@ -575,18 +575,17 @@ Run the following commands with an administrator Powershell in order to uninstal `Stop-Process -Name oaev-agent-caldera`
`rm -force -Recurse "C:\Program Files (x86)\Filigran\OAEV Caldera"` -## Implant directories and cleanup - -For all executors (except Caldera and OpenAEV Agent), implants are downloaded into a `runtimes/implant-XXXXX` -subdirectory relative to the agent's installation directory, where `XXXXX` is a unique UUID generated for each inject -execution. The installation directory varies depending on the agent type -and [installation mode](../../usage/openaev-agent.md#privileges-security_1) for the -exact paths. - -- Each implant directory is unique per inject. -- Old implant directories are periodically cleaned up by the platform. Every `clean-implant-interval` hours (default: * - *8**), the platform sends a cleanup command to each endpoint agent, which removes all directories in `runtimes/` and - `payloads/` that are older than **24 hours**. +## Implant Directories and Cleanup + +### Implant Directories +For all executors (except Caldera and OpenAEV Agent), implants are downloaded into a `runtimes/implant-XXXXX` subdirectory relative to the agent's installation directory, where `XXXXX` is a unique UUID generated for each inject execution. + +Each implant directory is unique per inject. + +The installation directory varies depending on the agent type and [installation mode](../../usage/openaev-agent.md#privileges-security_1) for the exact paths. + +### Cleanup +Old implant directories are periodically cleaned up by the platform. Every `clean-implant-interval` hours (default: **8**), the platform sends a cleanup command to each endpoint agent, which removes all directories in `runtimes/` and `payloads/` that are older than **24 hours**. !!! note "OpenAEV Agent" From 9981d7d324952a67b9f86199a6844a3b8b962752 Mon Sep 17 00:00:00 2001 From: savacano28 Date: Thu, 7 May 2026 16:25:31 +0200 Subject: [PATCH 08/13] [docs] fix(executors): add clanup configuration section --- docs/deployment/ecosystem/executors.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/docs/deployment/ecosystem/executors.md b/docs/deployment/ecosystem/executors.md index 0d8b2051..fb3bd8a8 100644 --- a/docs/deployment/ecosystem/executors.md +++ b/docs/deployment/ecosystem/executors.md @@ -576,9 +576,10 @@ Run the following commands with an administrator Powershell in order to uninstal `rm -force -Recurse "C:\Program Files (x86)\Filigran\OAEV Caldera"` ## Implant Directories and Cleanup +For all executors (except Caldera and OpenAEV Agent) : ### Implant Directories -For all executors (except Caldera and OpenAEV Agent), implants are downloaded into a `runtimes/implant-XXXXX` subdirectory relative to the agent's installation directory, where `XXXXX` is a unique UUID generated for each inject execution. +Implants are downloaded into a `runtimes/implant-XXXXX` subdirectory relative to the agent's installation directory, where `XXXXX` is a unique UUID generated for each inject execution. Each implant directory is unique per inject. From d4b6115ce70d6a20a705c8c9a34b5dce23b321c0 Mon Sep 17 00:00:00 2001 From: savacano28 Date: Thu, 7 May 2026 16:27:54 +0200 Subject: [PATCH 09/13] [docs] fix(executors): add clanup configuration section --- docs/deployment/ecosystem/executors.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/deployment/ecosystem/executors.md b/docs/deployment/ecosystem/executors.md index fb3bd8a8..58503105 100644 --- a/docs/deployment/ecosystem/executors.md +++ b/docs/deployment/ecosystem/executors.md 
@@ -583,7 +583,7 @@ Implants are downloaded into a `runtimes/implant-XXXXX` subdirectory relative to Each implant directory is unique per inject. -The installation directory varies depending on the agent type and [installation mode](../../usage/openaev-agent.md#privileges-security_1) for the exact paths. +The installation directory varies depending on the agent type and installation mode. Refer to [installation mode](../../usage/openaev-agent.md#privileges-security_1) for the exact path.(../../usage/openaev-agent.md#privileges-security_1) for the exact paths. ### Cleanup Old implant directories are periodically cleaned up by the platform. Every `clean-implant-interval` hours (default: **8**), the platform sends a cleanup command to each endpoint agent, which removes all directories in `runtimes/` and `payloads/` that are older than **24 hours**. From 19a66584793dc789102bf2017f3f8f8800faf434 Mon Sep 17 00:00:00 2001 From: savacano28 Date: Thu, 7 May 2026 16:30:38 +0200 Subject: [PATCH 10/13] [docs] fix(executors): add clanup configuration section --- docs/deployment/ecosystem/executors.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/deployment/ecosystem/executors.md b/docs/deployment/ecosystem/executors.md index 58503105..ae6580ef 100644 --- a/docs/deployment/ecosystem/executors.md +++ b/docs/deployment/ecosystem/executors.md 
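Review bot: in PATCH 09/13 the replacement line contains a copy-paste remnant: after `for the exact path.` the text `(../../usage/openaev-agent.md#privileges-security_1) for the exact paths.` is repeated as bare parentheses with no link text, so it renders as literal text. Trim the line to `The installation directory varies depending on the agent type and installation mode. Refer to [installation mode](../../usage/openaev-agent.md#privileges-security_1) for the exact paths.`, keeping `paths` plural to match the pre-existing wording.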
@@ -583,7 +583,7 @@ Implants are downloaded into a `runtimes/implant-XXXXX` subdirectory relative to Each implant directory is unique per inject. -The installation directory varies depending on the agent type and installation mode. Refer to [installation mode](../../usage/openaev-agent.md#privileges-security_1) for the exact path.(../../usage/openaev-agent.md#privileges-security_1) for the exact paths. +The installation directory path varies depending on the agent type and installation mode. Refer to [installation mode](../../usage/openaev-agent.md#privileges-security_1) for the exact path.(../../usage/openaev-agent.md#privileges-security_1) for the exact paths. ### Cleanup Old implant directories are periodically cleaned up by the platform. Every `clean-implant-interval` hours (default: **8**), the platform sends a cleanup command to each endpoint agent, which removes all directories in `runtimes/` and `payloads/` that are older than **24 hours**. From f3e6fefd6c717f93aab9afd3147e00aaf208b781 Mon Sep 17 00:00:00 2001 From: savacano28 Date: Thu, 7 May 2026 16:31:33 +0200 Subject: [PATCH 11/13] [docs] fix(executors): add clanup configuration section --- docs/deployment/ecosystem/executors.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/deployment/ecosystem/executors.md b/docs/deployment/ecosystem/executors.md index ae6580ef..77df2e44 100644 --- a/docs/deployment/ecosystem/executors.md +++ b/docs/deployment/ecosystem/executors.md 
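Review bot: PATCH 10/13 only inserts the word `path` and carries the duplicated `(../../usage/openaev-agent.md#privileges-security_1) for the exact paths.` fragment from the previous patch into the new line unchanged; the fragment should be removed in the same edit rather than left for a later commit. Since patches 08 through 11 each rewrite this one line, consider squashing them so the history carries a single correct version of the sentence.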
@@ -583,7 +583,7 @@ Implants are downloaded into a `runtimes/implant-XXXXX` subdirectory relative to Each implant directory is unique per inject. -The installation directory path varies depending on the agent type and installation mode. Refer to [installation mode](../../usage/openaev-agent.md#privileges-security_1) for the exact path.(../../usage/openaev-agent.md#privileges-security_1) for the exact paths. +The installation directory path varies depending on the agent type and installation mode. Refer to [installation mode](../../usage/openaev-agent.md#privileges-security_1) for the exact paths. ### Cleanup Old implant directories are periodically cleaned up by the platform. Every `clean-implant-interval` hours (default: **8**), the platform sends a cleanup command to each endpoint agent, which removes all directories in `runtimes/` and `payloads/` that are older than **24 hours**. From 97035d809b1b597a69a6e4a6d63f6f449bd795bf Mon Sep 17 00:00:00 2001 From: savacano28 Date: Thu, 7 May 2026 16:49:17 +0200 Subject: [PATCH 12/13] [docs] fix(executors): add clanup configuration section --- docs/deployment/ecosystem/executors.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/deployment/ecosystem/executors.md b/docs/deployment/ecosystem/executors.md index 77df2e44..bd80a272 100644 --- a/docs/deployment/ecosystem/executors.md +++ b/docs/deployment/ecosystem/executors.md 
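Review bot: in PATCH 11/13 the remnant is gone, but the sentence now mixes number: `The installation directory path varies ...` (singular) against `for the exact paths` (plural). Use either `installation directory varies ... for the exact paths` or `installation directory path varies ... for the exact path`. The commit subject still reads `add clanup configuration section` for what is a one-line wording fix.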
@@ -586,7 +586,7 @@ Each implant directory is unique per inject. The installation directory path varies depending on the agent type and installation mode. Refer to [installation mode](../../usage/openaev-agent.md#privileges-security_1) for the exact paths. ### Cleanup -Old implant directories are periodically cleaned up by the platform. Every `clean-implant-interval` hours (default: **8**), the platform sends a cleanup command to each endpoint agent, which removes all directories in `runtimes/` and `payloads/` that are older than **24 hours**. +Old implant directories are periodically cleaned up by the platform. At the interval defined by `clean-implant-interval` (default: **8 hours**), the platform sends a cleanup command to each endpoint agent to remove directories in `runtimes/` and `payloads/` that are older than **24 hours**. !!! note "OpenAEV Agent" From d26b259e23bc567e99f0542c00ca2df8b7482be2 Mon Sep 17 00:00:00 2001 From: savacano28 Date: Thu, 7 May 2026 16:54:59 +0200 Subject: [PATCH 13/13] [docs] fix(executors): add clanup configuration section --- docs/usage/openaev-agent.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/usage/openaev-agent.md b/docs/usage/openaev-agent.md index 6af46082..bd6dec6e 100644 --- a/docs/usage/openaev-agent.md +++ b/docs/usage/openaev-agent.md 
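Review bot: in PATCH 12/13 the rewording drops the unit of the parameter itself. The old text `Every `clean-implant-interval` hours` told the reader the setting is expressed in hours; the new `At the interval defined by `clean-implant-interval` (default: **8 hours**)` only gives the default with a unit, so a reader cannot tell whether the value is written as `8` or `8h`. Keep the setting's unit explicit, e.g. `At the interval defined by `clean-implant-interval` (in hours; default: **8**)`, and state where the setting is configured, which neither the old nor the new text does.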
@@ -256,11 +256,11 @@ The main features of the OpenAEV Agent include: The garbage collector thresholds can be customized in the agent's `openaev-agent-config.toml` file: -| Parameter | Description | Default value | -|--------------------------------|----------------------------------------------------------------------------------------------------------|---------------| -| `executing_max_time_minutes` | Max age (in minutes) for `execution-*` directories before processes are killed and directories renamed to `executed-*` | `10` | -| `directory_max_time_minutes` | Max age (in minutes) for `executed-*` directories before they are permanently deleted | `10` | -| `cleanup_interval_seconds` | Interval (in seconds) between cleanup cycles | `180` | +| Parameter | Description | Default value | +|--------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------|---------------| +| `executing_max_time_minutes` | Maximum time (in minutes) an `execution-*` directory can exist before processes are killed and the directory is renamed to `executed-*` | `10` | +| `directory_max_time_minutes` | Maximum time (in minutes) an `executed-*` directory can exist before it is permanently deleted | `10` | +| `cleanup_interval_seconds` | Interval (in seconds) between cleanup cycles | `180` | Example configuration in `openaev-agent-config.toml`:
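Review bot: in PATCH 13/13 the new descriptions read better, but both `executing_max_time_minutes` and `directory_max_time_minutes` say how long a directory "can exist" without stating from which point the age is measured. The two rows chain (an `execution-*` directory is renamed to `executed-*` after `executing_max_time_minutes`, then deleted after `directory_max_time_minutes`), so say whether the second timer starts at the rename; with both defaults at `10` that makes the total lifetime before deletion unambiguous. The `cleanup_interval_seconds` row could also note that the other two thresholds are only enforced at each cycle, so actual deletion can lag by up to `180` seconds.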