VQL and API - MSI creation


Paolo Leoni Work

Jul 22, 2024, 6:22:51 AM
to velocirapt...@googlegroups.com
Hi everyone, I have a question about API and VQL integration.

With this query, the org config param is read from the selected scope on the frontend:

LET Build(Target) = repack(
    upload_name=format(
      format='Org_%v_%v',
      args=[org().name, inventory_get(tool=Target).Definition.filename]),
    target=Target,
    config=serialize(format='yaml', item=org()._client_config))

SELECT *
FROM chain(
  a={
    SELECT Build(Target="VelociraptorWindowsMSI")
    FROM scope()
  },
  b={
    SELECT Build(Target="VelociraptorWindows_x86MSI")
    FROM scope()
    WHERE AlsoBuild_x86
  })

How can I refer to a specific ORG using the API when I run this server artifact (Server.Utils.CreateMSI)?

Thank you.

~p

Mike Cohen

Jul 22, 2024, 7:45:31 AM
to Paolo Leoni Work, velocirapt...@googlegroups.com
You just pass the org id in the API call itself.

The API runs a query in the context of the caller on the specified org. The user must have appropriate permissions in that org to run.

Thanks
Mike

Mike Cohen
Digital Paleontologist,
Velocidex Enterprises
mi...@velocidex.com



Paolo Leoni Work

Jul 22, 2024, 9:09:33 AM
to Mike Cohen, velocirapt...@googlegroups.com
Thank you for the help Mike.

Can I also pass the org_id argument to velociraptor-v0.XY.Z-windows-amd64.exe?

e.g. adding org_id arg to this command:

.\velociraptor-v0.XY.Z-windows-amd64.exe --api_config "api_config.yaml" query "<QUERY>" --format jsonl

I ask because in my env I can't use Python.

Thanks in advance.
~p

Mike Cohen

Jul 22, 2024, 9:19:38 AM
to Paolo Leoni Work, velocirapt...@googlegroups.com
You should be able to specify the target org using the `--org ORGID` flag.

You can see all the options you can set with the query command using the -h flag for help.


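As an added example (not from the thread and not Velociraptor's own code), a PowerShell wrapper around the command Paolo posted that runs the CreateMSI server artifact once per org using the `--org` flag from the reply above, checks the exit code, and saves each org's rows. The binary name keeps the thread's placeholder version, the org IDs and output file names are constructed, and invoking the artifact through the `Artifact.*` VQL plugin is my choice, not something the thread shows.

```powershell
# Added example, not from the thread. Assumes the Velociraptor binary and an
# api_config.yaml in the current directory (placeholder version in the name),
# and an API user that has permissions in every listed org (per Mike's reply).
$Exe       = ".\velociraptor-v0.XY.Z-windows-amd64.exe"
$ApiConfig = "api_config.yaml"
$Orgs      = @("root", "OEXAMPLE1")   # constructed org IDs; replace with your own
$Query     = "SELECT * FROM Artifact.Server.Utils.CreateMSI()"

foreach ($Org in $Orgs) {
    # --org selects the org the query runs in; --format jsonl gives one JSON object per row.
    $Lines = & $Exe --api_config $ApiConfig --org $Org query $Query --format jsonl 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "org ${Org}: query failed with exit code $LASTEXITCODE"
        $Lines | ForEach-Object { Write-Warning "$_" }
        continue
    }
    # Keep only JSON rows; any log lines the binary prints to stderr are skipped.
    $Rows = @($Lines | Where-Object { "$_" -match '^\s*\{' } | ForEach-Object { "$_" | ConvertFrom-Json })
    Write-Host ("org {0}: {1} result row(s)" -f $Org, $Rows.Count)
    $Rows | ConvertTo-Json -Depth 10 | Set-Content -Path ("CreateMSI_{0}.json" -f $Org) -Encoding UTF8
}
```

A non-zero exit for one org (for example, missing permissions in that org) is reported and the loop moves on to the next org instead of aborting the whole run.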

Paolo Leoni Work

Jul 22, 2024, 9:15:23 PM
to Mike Cohen, velocirapt...@googlegroups.com
Now it's OK.

Thank you Mike for your great support.

~p
