Uploading all results from a specific result

[Jan Jacobs]

Hello!

In the past months we have set out to bring good quality security to the SMB for SMB pricing. To achieve this we went looking for FOSS tools and after many headaches we ended up with Velociraptor! Awesome product! Maybe some day we can build an endpoint security module called "triceratops" and a SIEM module called "Pteranodon"  ;-)

We have made an artifact that does check some Windows registry settings as a base "compliancy" check. its here: GitHub

It works Awesome!

Then we have made an Artifact that uploads the results of the aforementioned artifact here: GitHub

And this is where we currently have an issue.. it uploads the results as they come in. which means we make many API calls each hunt. Whereas i am hoping we can find a way to upload all the results in one go. 

If i add the code of the 2th artifact to the workbook of the first artifact, all results are indeed uploaded in one API call, so it can be done! 

Hopefully someone can point me in the right direction.

[Mike Cohen]

You could schedule the artifact to run periodically instead of it's not important to get an the results asap.

Just use the clock() plugin to generate an event periodically

See this for an example too 

https://github.com/Velocidex/velociraptor/blob/588fbc3f030f4303327de15a905884f01087a667/artifacts/definitions/Server/Monitoring/ScheduleHunt.yaml

--
You received this message because you are subscribed to the Google Groups "velociraptor-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to velociraptor-dis...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/velociraptor-discuss/a851a0d7-97a3-4a94-ae8a-60ddd7618b5en%40googlegroups.com.

[Jan Jacobs]

Thanks Mike, as always :-) 

We have that clock running to automaticly schedule the check artifact each morning, but if i schedule the uploader like that, how will it know which results to upload? Does it automaticly upload all the results of the last scheduled hunt, or do i need to add the details manually? Because that would defeat the purpose :-) 

Also, i need to give each client a token, i am thinking about using the labels for this, but maybe you know a better way?

I gather there’s a lot of interest for something like this, maybe it could be build into Velociraptor itself somehow? 

Met vriendelijke groet,

 

Jan Jacobs

 

Information Security Consultant +31 (0)6 21 42 23 83 Jan.J...@conandoyle.eu www.conandoyle.eu	Naaldwijkseweg 65 2291 PA  Wateringen The Netherlands +31 (0)85 - 060 64 96

 

 

Op 29 sep. 2021 om 00:25 heeft Mike Cohen <mi...@velocidex.com> het volgende geschreven: