Help with VQL Query

[Paul Lindvay]

I am trying to get a list of all volumes drive letters from fixed disks on a system using the query:

DriveList = SELECT DeviceID
        FROM wmi(query="SELECT * from Win32_LogicalDisk",
           namespace="ROOT\\CIMV2")
        WHERE DriveType = 3

I would like to pass to values to the "Device" variable in the Windows.KapeFiles.Targets artifact that should take the form "C:, D:" so that it collects artifacts from all fixed drive drive letters and is populated on the fly when the artifact is run from an offline collector.  

DeviceID gives me the value for the volume, but when I try to reference it, it shows the full JSON output for DeviceID (IE.  [{"DeviceID":"C:"}]) rather than just the value itself.  I also need help with once the value can be extracted from the JSON, how to chain multiple row return values into the necessary form "C:, D:" etc.

Any help is appreciated.

[Mike Cohen]

You would normally access the column through the . Operator to get an array of the values

https://docs.velociraptor.app/docs/vql/fundamentals/#example---associative-operator-applied-on-a-stored-query

Then pass it to the join() function to join them on ,

Then call the original artifact using the Artifact.Windows.KapeFiles.Targets()

Something like join(array= DriveList.DeviceID, SEP=",")

You can always see what data you have at each point using explain or just log() 

Thanks

Mike

Mike Cohen  Digital Paleontologist,  Velocidex Enterprises E mi...@velocidex.com

--
You received this message because you are subscribed to the Google Groups "velociraptor-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to velociraptor-dis...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/velociraptor-discuss/b2773b7a-945a-4048-86e3-30609081dbf8n%40googlegroups.com.