Module: Legion::Extensions::Velociraptor::Runners::Collections
- Includes:
- Helpers::Lex, Helpers::Cli, Query
- Included in:
- Client, Hunts
- Defined in:
- lib/legion/extensions/velociraptor/runners/collections.rb
Constant Summary
Helpers::Cli::ARTIFACT_PATTERN, Helpers::Cli::ENV_KEY_PATTERN, Helpers::Cli::ID_PATTERN
Instance Method Summary
Methods included from Query
#query, #search_clients, #server_info
#dict_from_env_keys, #normalize_env, #parse_output, #run_command, #run_vql, #validate_artifact!, #validate_id!, #velociraptor_query_command, #vql_list, #vql_string
Instance Method Details
#cancel_flow(client_id:, flow_id:) ⇒ Object
# File 'lib/legion/extensions/velociraptor/runners/collections.rb', line 44
# Cancels a flow on a Velociraptor client.
#
# Both ids go through +validate_id!+ before being quoted by +vql_string+ and
# interpolated into the VQL; the call aliases its result as +canceled+.
#
# @param client_id [String] client the flow belongs to
# @param flow_id [String] flow to cancel
# @param ** remaining keyword arguments are forwarded to +query+ unchanged
# @return [Object] whatever +query+ returns for the generated VQL
# @raise whatever +validate_id!+ raises for an id it rejects (defined in the
#   mixed-in helpers, not shown here)
def cancel_flow(client_id:, flow_id:, **)
  checked_client = validate_id!(client_id, 'client_id')
  checked_flow = validate_id!(flow_id, 'flow_id')
  # NOTE(review): the interpolated values stay inside VQL literals only if
  # vql_string quotes correctly and validate_id! restricts the character set
  # (both live in Helpers::Cli, outside this listing) — confirm.
  statement = format(
    'SELECT cancel_flow(client_id=%<client>s, flow_id=%<flow>s) AS canceled FROM scope()',
    client: vql_string(checked_client), flow: vql_string(checked_flow)
  )
  query(vql: statement, **)
end
#collect_artifact(client_id:, artifacts:, env: {}) ⇒ Object
# File 'lib/legion/extensions/velociraptor/runners/collections.rb', line 12
# Starts a client-side collection of one or more artifacts.
#
# Builds a +collect_client(...)+ VQL call from the validated client id, the
# artifact expression produced by +artifacts_expr+ and the env dict produced
# by +dict_from_env_keys+, aliasing the result as +collection+.
#
# @param client_id [String] target client id, checked by +validate_id!+
# @param artifacts [Object] artifact selection, rendered by +artifacts_expr+
# @param env [Hash] artifact parameters; rendered into the VQL and also passed
#   to +query+ as +env:+
# @param ** remaining keyword arguments are forwarded to +query+ unchanged
# @return [Object] whatever +query+ returns for the generated VQL
# @raise whatever +validate_id!+ / +artifacts_expr+ / +dict_from_env_keys+
#   raise on rejected input (helpers not shown here)
def collect_artifact(client_id:, artifacts:, env: {}, **)
  checked_client = validate_id!(client_id, 'client_id')
  artifact_list = artifacts_expr(artifacts)
  # NOTE(review): env keys/values reach the query text via dict_from_env_keys;
  # its handling of untrusted keys (ENV_KEY_PATTERN in Helpers::Cli) is not
  # visible here — confirm before exposing env to external callers.
  statement = "SELECT collect_client(client_id=#{vql_string(checked_client)}, " \
              "artifacts=#{artifact_list}, env=#{dict_from_env_keys(env)}) AS collection FROM scope()"
  query(vql: statement, env: env, **)
end
#collect_artifact_and_wait(client_id:, artifacts:, result_artifact:, env: {}) ⇒ Object
# File 'lib/legion/extensions/velociraptor/runners/collections.rb', line 24
# Starts a client collection, waits for its completion event, then reads the
# rows of one result artifact from the finished flow.
#
# The VQL is three space-joined statements: a +LET+ that launches
# +collect_client+, a +LET+ that selects from
# +watch_monitoring(artifact='System.Flow.Completion')+ filtered on the new
# flow id with +LIMIT 1+ (presumably blocking until that event arrives —
# confirm against Velociraptor semantics), and a final +source(...)+ select.
#
# @param client_id [String] target client id, checked by +validate_id!+
# @param artifacts [Object] artifact selection, rendered by +artifacts_expr+
# @param result_artifact [String] artifact whose rows are returned, checked by
#   +validate_artifact!+
# @param env [Hash] artifact parameters; rendered into the VQL and also passed
#   to +query+ as +env:+
# @param ** remaining keyword arguments are forwarded to +query+ unchanged
# @return [Object] whatever +query+ returns for the generated VQL
# @raise whatever the validation helpers raise on rejected input (not shown here)
def collect_artifact_and_wait(client_id:, artifacts:, result_artifact:, env: {}, **)
  checked_client = validate_id!(client_id, 'client_id')
  checked_result = validate_artifact!(result_artifact)
  artifact_list = artifacts_expr(artifacts)
  collect_stmt = "LET collection <= collect_client(client_id=#{vql_string(checked_client)}, artifacts=#{artifact_list}, env=#{dict_from_env_keys(env)})"
  # Only the artifact name is a literal here; FlowId is compared against the
  # collection started above, so no caller-supplied value enters this statement.
  wait_stmt = "LET _ <= SELECT * FROM watch_monitoring(artifact='System.Flow.Completion') WHERE FlowId = collection.flow_id LIMIT 1"
  fetch_stmt = "SELECT * FROM source(client_id=collection.request.client_id, flow_id=collection.flow_id, artifact=#{vql_string(checked_result)})"
  query(vql: "#{collect_stmt} #{wait_stmt} #{fetch_stmt}", env: env, **)
end
#flow_results(client_id:, flow_id:, artifact:) ⇒ Object
# File 'lib/legion/extensions/velociraptor/runners/collections.rb', line 36
# Reads the rows of one artifact from an already-completed flow.
#
# All three caller-supplied values are validated (+validate_id!+ for the ids,
# +validate_artifact!+ for the artifact name) and quoted with +vql_string+
# before being placed in the +source(...)+ call.
#
# @param client_id [String] client the flow ran on
# @param flow_id [String] flow whose results are read
# @param artifact [String] artifact (result source) to read from the flow
# @param ** remaining keyword arguments are forwarded to +query+ unchanged
# @return [Object] whatever +query+ returns for the generated VQL
# @raise whatever +validate_id!+ / +validate_artifact!+ raise on rejected
#   input (helpers not shown here)
def flow_results(client_id:, flow_id:, artifact:, **)
  checked_client = validate_id!(client_id, 'client_id')
  checked_flow = validate_id!(flow_id, 'flow_id')
  checked_artifact = validate_artifact!(artifact)
  # NOTE(review): as elsewhere in this module, literal-safety of the
  # interpolation rests on vql_string's quoting — confirm in Helpers::Cli.
  source_args = [
    "client_id=#{vql_string(checked_client)}",
    "flow_id=#{vql_string(checked_flow)}",
    "artifact=#{vql_string(checked_artifact)}"
  ].join(', ')
  query(vql: "SELECT * FROM source(#{source_args})", **)
end