Problem getting flows using API


martinl...@gmail.com

Jul 14, 2021, 2:01:48 AM
to velociraptor-discuss
Hi,

Previously I've got flow data using source via the API, but now it doesn't work (as far as I can see I am using it the same way as I did before). Here is what I get (I had to add the empty env dict to collect_client() as I got an error without it):

 1) pyvelociraptor --config ~/Velociraptor/current/cyborg-velociraptor-api.yaml 'SELECT collect_client(client_id="C.f80d8cd7ce4c3af2",artifacts=["Generic.Client.Info"], env=dict()) FROM scope()'
Wed Jul 14 05:00:41 2021: vql: Starting query execution.

Wed Jul 14 05:00:41 2021: vql: Time 0: Test: Sending response part 0 443 B (1 rows).

[{'collect_client(client_id="C.f80d8cd7ce4c3af2", artifacts= ["Generic.Client.Info"], env=dict())': {'flow_id': 'F.C3N6UUBV25O4K', 'request': {'creator': 'cyborg', 'client_id': 'C.f80d8cd7ce4c3af2', 'urgent': False, 'artifacts': ['Generic.Client.Info'], 'specs': [{'artifact': 'Generic.Client.Info', 'parameters': {'env': []}}], 'ops_per_second': 0, 'timeout': 0, 'max_rows': 0, 'max_upload_bytes': 0, 'allow_custom_overrides': False, 'compiled_collector_args': []}}}]
Wed Jul 14 05:00:41 2021: vql: Query Stats: {"RowsScanned":1,"PluginsCalled":1,"FunctionsCalled":2,"ProtocolSearch":0,"ScopeCopy":3}

2) pyvelociraptor --config ~/Velociraptor/current/cyborg-velociraptor-api.yaml "SELECT * from  source(flow_id='F.C3N6UUBV25O4K', client_id='C.f80d8cd7ce4c3af2', artifact='Generic.Client.Info')"
Wed Jul 14 05:02:07 2021: vql: Starting query execution.

Wed Jul 14 05:02:07 2021: vql: Time 0: Test: Sending response part 0 2 B (0 rows).

[]

3) pyvelociraptor --config ~/Velociraptor/current/cyborg-velociraptor-api.yaml 'SELECT * from flows(client_id="C.f80d8cd7ce4c3af2")'
Wed Jul 14 05:03:07 2021: vql: Starting query execution.

Wed Jul 14 05:03:07 2021: vql: Time 0: Test: Sending response part 0 1.6 kB (2 rows).

[{'client_id': 'C.f80d8cd7ce4c3af2', 'session_id': 'F.C3N6UUBV25O4K', 'request': {'creator': 'cyborg', 'client_id': 'C.f80d8cd7ce4c3af2', 'urgent': False, 'artifacts': ['Generic.Client.Info'], 'specs': [{'artifact': 'Generic.Client.Info', 'parameters': {'env': []}}], 'ops_per_second': 0, 'timeout': 0, 'max_rows': 0, 'max_upload_bytes': 0, 'allow_custom_overrides': False, 'compiled_collector_args': []}, 'backtrace': '', 'create_time': 1626238841818574, 'start_time': 1626238842633055, 'active_time': 1626238842633055, 'total_uploaded_files': 0, 'total_expected_uploaded_bytes': 0, 'total_uploaded_bytes': 0, 'total_collected_rows': 24, 'total_logs': 8, 'outstanding_requests': 0, 'next_response_id': 1626238905668400003, 'execution_duration': 118400000, 'state': 'FINISHED', 'status': '', 'user_notified': True, 'artifacts_with_results': ['Generic.Client.Info/Users', 'Generic.Client.Info/BasicInformation'], 'uploaded_files': [], 'logs': [], 'dirty': False, 'total_loads': 2}]
Wed Jul 14 05:03:07 2021: vql: Query Stats: {"RowsScanned":2,"PluginsCalled":1,"FunctionsCalled":0,"ProtocolSearch":0,"ScopeCopy":5}

Thanks,
Martin.

Mike Cohen

Jul 14, 2021, 3:32:19 AM
to martinl...@gmail.com, velociraptor-discuss
As you can see, artifacts_with_results contains two artifacts:
If you provide either of those to the source plugin, they should return the results. For example:

 pyvelociraptor --config ~/Velociraptor/current/cyborg-velociraptor-api.yaml "SELECT * from  source(flow_id='F.C3N6UUBV25O4K', client_id='C.f80d8cd7ce4c3af2', artifact='Generic.Client.Info/Users')"

Thanks
Mike
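The complete round trip the thread arrives at, as an added example that is not part of the original posts or of the Velociraptor project's own client code: launch a collection over the gRPC API, poll flows() until it finishes, and then call source() once per name listed in artifacts_with_results (for a multi-source artifact these are "Artifact/Source" names such as Generic.Client.Info/Users; the bare artifact name returns 0 rows, which is exactly what Martin saw). Values such as client_id and flow_id are passed as VQL environment variables and referenced by name in the query rather than pasted into the query text, so input from elsewhere cannot rewrite the VQL. Assumptions: the pyvelociraptor package's LoadConfigFile, api_pb2.VQLCollectorArgs, api_pb2.VQLRequest and api_pb2_grpc.APIStub as used in the project's published client example; the network code is confined to grpc_runner(), and replay_runner() replays responses constructed from the output pasted above (the identifiers are Martin's, the row contents are made up) so the rest runs offline.

```python
import json
import time
from typing import Callable, Dict, List

# A Runner executes one VQL query with named parameters and returns its rows.
Runner = Callable[[str, Dict[str, str]], List[dict]]

# Parameters are VQL environment variables referenced by name, never
# interpolated into the query text. env=dict() on collect_client() is
# what the thread reports as needed for that server version.
Q_COLLECT = ("SELECT collect_client(client_id=ClientId, artifacts=[Artifact], "
             "env=dict()) AS Flow FROM scope()")
Q_FLOW = "SELECT * FROM flows(client_id=ClientId) WHERE session_id = FlowId"
Q_SOURCE = ("SELECT * FROM source(client_id=ClientId, flow_id=FlowId, "
            "artifact=Artifact)")


def grpc_runner(config_path: str) -> Runner:
    """Build a Runner using the mTLS identity in an API client config file.
    Imports are deferred so the offline helpers need neither grpc nor
    pyvelociraptor installed."""
    import grpc
    import pyvelociraptor
    from pyvelociraptor import api_pb2, api_pb2_grpc

    config = pyvelociraptor.LoadConfigFile(config_path)
    creds = grpc.ssl_channel_credentials(
        root_certificates=config["ca_certificate"].encode("utf8"),
        private_key=config["client_private_key"].encode("utf8"),
        certificate_chain=config["client_cert"].encode("utf8"))
    # The API server certificate is issued to this fixed name; the override
    # pins that name, it does not turn off certificate verification.
    options = (("grpc.ssl_target_name_override", "VelociraptorServer"),)

    def run(vql: str, env: Dict[str, str]) -> List[dict]:
        rows: List[dict] = []
        with grpc.secure_channel(config["api_connection_string"], creds,
                                 options) as channel:
            stub = api_pb2_grpc.APIStub(channel)
            request = api_pb2.VQLCollectorArgs(
                max_wait=1, max_row=100,
                Query=[api_pb2.VQLRequest(Name="api", VQL=vql)],
                env=[dict(key=k, value=v) for k, v in env.items()])
            for response in stub.Query(request):
                if response.Response:  # each part is a JSON array of rows
                    rows.extend(json.loads(response.Response))
        return rows
    return run


def start_collection(run: Runner, client_id: str, artifact: str) -> str:
    """Schedule the artifact on the client and return the new flow id."""
    rows = run(Q_COLLECT, {"ClientId": client_id, "Artifact": artifact})
    return rows[0]["Flow"]["flow_id"]


def wait_for_flow(run: Runner, client_id: str, flow_id: str,
                  poll: float = 2.0, timeout: float = 300.0) -> dict:
    """Poll flows() until the flow is FINISHED or ERROR, returning its record."""
    deadline = time.monotonic() + timeout
    while True:
        rows = run(Q_FLOW, {"ClientId": client_id, "FlowId": flow_id})
        if rows and rows[0].get("state") in ("FINISHED", "ERROR"):
            return rows[0]
        if time.monotonic() >= deadline:
            raise TimeoutError(f"{flow_id} still running after {timeout}s")
        time.sleep(poll)


def collect_and_read(run: Runner, client_id: str,
                     artifact: str) -> Dict[str, List[dict]]:
    """Return {artifact/source: rows} using the names the server reports."""
    flow_id = start_collection(run, client_id, artifact)
    flow = wait_for_flow(run, client_id, flow_id)
    if flow["state"] != "FINISHED":
        raise RuntimeError(f"{flow_id} ended in {flow['state']}: {flow.get('status')}")
    return {src: run(Q_SOURCE, {"ClientId": client_id, "FlowId": flow_id,
                                "Artifact": src})
            for src in flow.get("artifacts_with_results", [])}


# Constructed replay of the thread's responses for offline use.
FLOW_ID = "F.C3N6UUBV25O4K"
CLIENT_ID = "C.f80d8cd7ce4c3af2"
SAMPLE_ROWS = {
    "Generic.Client.Info/Users": [{"Name": "alice", "Uid": "1000"}],
    "Generic.Client.Info/BasicInformation": [{"Hostname": "host01"}],
}


def replay_runner(vql: str, env: Dict[str, str]) -> List[dict]:
    """Fake Runner: answers the three queries above from SAMPLE_ROWS."""
    if "collect_client(" in vql:
        return [{"Flow": {"flow_id": FLOW_ID, "request": {
            "client_id": env["ClientId"], "artifacts": [env["Artifact"]]}}}]
    if "flows(" in vql:
        return [{"session_id": FLOW_ID, "state": "FINISHED",
                 "artifacts_with_results": list(SAMPLE_ROWS)}]
    if "source(" in vql and env["FlowId"] == FLOW_ID:
        # The bare name "Generic.Client.Info" has no entry: 0 rows, as in the thread.
        return SAMPLE_ROWS.get(env["Artifact"], [])
    return []


if __name__ == "__main__":
    # Swap in grpc_runner("api.config.yaml") to run against a real server.
    for src, rows in collect_and_read(replay_runner, CLIENT_ID,
                                      "Generic.Client.Info").items():
        print(src, len(rows), "rows")
```

The API identity in the config file carries whatever permissions its user was granted on the server, so keep that file as tightly protected as a credential; and because artifacts_with_results is the server's own list, the script keeps working when an artifact gains or loses a source.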


To view this discussion on the web visit https://groups.google.com/d/msgid/velociraptor-discuss/95b8b73a-a8fc-48b6-bae3-86b2c9169cabn%40googlegroups.com.