unable to add FQDN to script


Jan Jacobs

Aug 3, 2021, 3:34:22 AM
to velociraptor-discuss
Hello all,

I hope someone can help me with this tiny frustrating bit :)

I have a script that sends the results of a hunt to a web API for further processing:
- query: |
      LET ROWS = SELECT {
        SELECT ID, 
        Title, 
        str(str=ActualValue) AS ActualValue, 
        str(str=ExpectedValue) AS ExpectedValue,
        OK, 
        FlowId, 
        ClientId, 
        client_info(client_id=ClientId).os_info.Fqdn AS Fqdn
      FROM source(
        artifact='Custom.Windows.Audit.SCA',
        client_id=ClientId, flow_id=FlowId)
          } AS Row
      FROM watch_monitoring(artifact="System.Flow.Completion")
      WHERE Flow.artifacts_with_results =~ "Custom.Windows.Audit.SCA"

      SELECT * FROM foreach(row=ROWS,
        query={
          SELECT * FROM http_client(
            data=serialize(item=dict(
              Customer="<CUSTOMER>",
              token="<TOKEN>",
              Audit=Row
            )),
            headers=dict(`Content-Type`="application/json"),
            method="POST",
            url="<URL>")})

This goes well except for the Fqdn. It gives me the following error:
Symbol Fqdn not found. Current Scope is: [NULL], [$cache, config, $acl, Artifact, $root], [$throttle], [collections], [ROWS], [Custom_Upload_CompliancyToPortal_0_2], [$Query], [Timestamp, Flow, FlowId, ClientId, _ts], [ID, Title, ActualValue, ExpectedValue, OK]

If I execute the same query in a notebook everything is fine, presumably because it gets the info from a different source, with the hunt_id included. But I'm a bit at a loss here. Also, if I understand the last line correctly, the ClientId and FlowId are not shipped off to the API?

Can anyone shed some light on this for me?
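The receiving end of that POST, as an added example that is not part of the thread or of Velociraptor: a Python handler that checks the shared token in constant time and rejects any Audit row missing one of the fields the inner SELECT emits (Fqdn included), so a misconfigured or stale artifact fails loudly instead of filling the portal with incomplete rows. The field names come from the script above; the sample bodies, customer name and token value are constructed.

```python
import hmac
import json

# Fields every audit row must carry: exactly what the artifact's inner SELECT emits.
REQUIRED = ("ID", "Title", "ActualValue", "ExpectedValue", "OK", "FlowId", "ClientId", "Fqdn")


class AuditRejected(ValueError):
    """The body must not be ingested: bad token or malformed rows."""


def parse_audit_post(body: bytes, expected_token: str) -> list:
    """Validate one POST body and return the rows whose check failed (OK != True).

    A token mismatch or any row missing a field rejects the whole body, so a
    half-populated result (like the missing Fqdn in the thread) is never stored.
    """
    try:
        msg = json.loads(body)
    except ValueError as exc:
        raise AuditRejected("body is not JSON: %s" % exc) from None
    if not isinstance(msg, dict):
        raise AuditRejected("top level must be a JSON object")
    token = msg.get("token")
    # Constant-time comparison of the shared secret, never a plain ==.
    if not isinstance(token, str) or not hmac.compare_digest(token, expected_token):
        raise AuditRejected("token mismatch")
    audit = msg.get("Audit")
    rows = audit if isinstance(audit, list) else [audit]  # Row may be one dict or a list
    failed = []
    for row in rows:
        if not isinstance(row, dict):
            raise AuditRejected("Audit row is not a JSON object")
        missing = [k for k in REQUIRED if k not in row]
        if missing:
            raise AuditRejected("row %r missing %s" % (row.get("ID"), missing))
        if row["OK"] is not True:
            failed.append({k: row[k] for k in REQUIRED if k != "OK"})
    return failed


def is_rejected(body: bytes, expected_token: str) -> bool:
    try:
        parse_audit_post(body, expected_token)
    except AuditRejected:
        return True
    return False


# Constructed sample bodies, shaped like the artifact's serialize(item=dict(...)).
ROW = {"ID": 1, "Title": "Audit policy", "ActualValue": "Disabled", "ExpectedValue": "Enabled",
       "OK": False, "FlowId": "F.CONSTRUCTED", "ClientId": "C.CONSTRUCTED", "Fqdn": "host.example.test"}
GOOD_BODY = json.dumps({"Customer": "acme", "token": "t0k", "Audit": [ROW, dict(ROW, ID=2, OK=True)]}).encode()
NO_FQDN_BODY = json.dumps({"Customer": "acme", "token": "t0k",
                           "Audit": {k: v for k, v in ROW.items() if k != "Fqdn"}}).encode()
```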

Jan Jacobs

Aug 3, 2021, 4:56:16 AM
to velociraptor-discuss
My apologies!

The above script works correctly; what I failed to do was unload the artifact from the server monitoring and add it anew!

On Tuesday, August 3, 2021 at 09:34:22 UTC+2, Jan Jacobs wrote: