-
Notifications
You must be signed in to change notification settings - Fork 0
/
Custom.Server.DispatchTriage.yaml
91 lines (79 loc) · 3.9 KB
/
Custom.Server.DispatchTriage.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
name: Custom.Server.DispatchTriage
description: |
This artifact retrieves records from completed flows, groups them by the
unique combinations of magid_id and file_accessor.
The MonitoredArtifacts table allows you to configure which artifact
completions to listen for.
It then looks up the magic_id in the ResponseMap lookup table in order to
determine which client artifacts to dispatch next, for each magic_id type.
The dispatched client artifacts are sent a list of file targets and the
file accessor to use (the same one that was used when detecting their file
type).
type: SERVER_EVENT
parameters:
- name: MonitoredArtifacts
description: |
Client artifacts that will be monitored for completions.
** Remove System.VFS.DownloadFile from this list if you DO NOT want to
use the modified version of that artifact which is included in this
demonstration set **
type: csv
default: |
ArtifactName
Custom.Client.FindByMagics
System.VFS.DownloadFile
- name: ResponseMap
description: |
A table of mappings that pair incoming magic_id values from the
Custom.Client.FindByMagics artifact to reponse artifacts.
Any reponse artifacts that you create should accept a list of file
paths named "targets" and an associated "file_accessor" value.
type: csv
default: |
MagicID,ArtifactToDispatch
winevtx,Custom.Client.TriageGene
pe_32,Custom.Client.TriageCapa
sources:
- query:
LET dedupe = starl(code='''
def unique(list1):
unique_list = []
for x in list1:
if x not in unique_list:
unique_list.append(x)
return unique_list
''')
LET monitored_artifacts <= join(array=MonitoredArtifacts.ArtifactName, sep="|")
LET completions = SELECT *, client_info(client_id=ClientId).os_info.fqdn AS Fqdn
FROM watch_monitoring(artifact="System.Flow.Completion")
WHERE Flow.artifacts_with_results =~ monitored_artifacts
AND log(message=format(format="Flow %v completed on %v",
args=[Flow.artifacts_with_results, Fqdn]))
LET results(ClientId, FlowId, ArtifactId) = SELECT magic_id + "." + file_accessor AS idx,
magic_id, file_accessor,
ClientId as client_id, FlowId AS flow_id,
enumerate(items=target_fullpath) AS targets,
ArtifactId AS artifact_name
FROM source(
client_id=ClientId,
flow_id=FlowId,
artifact=ArtifactId)
GROUP BY idx
SELECT * FROM foreach(row=completions,
query={
SELECT * FROM foreach(
row=Flow.artifacts_with_results,
query={ SELECT * FROM foreach(row=ResponseMap,
query={
SELECT *, collect_client(
client_id=client_id,
artifacts=ArtifactToDispatch,
env=dict(targets=serialize(item=dedupe.unique(list1=targets), format="json"), file_accessor=file_accessor)
) AS dispatched_flow
FROM results(ClientId=ClientId, FlowId=FlowId, ArtifactId=_value)
WHERE magic_id = MagicID
AND log(message=format(
format="grouped result: - %v - %v - %v - %v - %v - %v",
args=[idx, client_id, flow_id, artifact_name, magic_id, file_accessor]))
})}
)})