From 3822776435cdcce84805c788bc62c7cc192f1215 Mon Sep 17 00:00:00 2001 From: Mike Cohen Date: Wed, 1 Mar 2023 23:49:46 +1000 Subject: [PATCH] Update VQL references (#535) --- .pyspelling.yml | 9 +- .wordlist.txt | 18 ++ .../server_monitoring/_index.md | 3 +- content/vql_reference/basic/_index.md | 2 +- content/vql_reference/basic/len/_index.md | 2 +- content/vql_reference/basic/log/_index.md | 41 +++- content/vql_reference/misc/_index.md | 6 + content/vql_reference/misc/all/_index.md | 2 +- content/vql_reference/misc/any/_index.md | 2 +- content/vql_reference/misc/get_flow/_index.md | 28 +++ content/vql_reference/misc/mail/_index.md | 38 +++ .../vql_reference/misc/mock_clear/_index.md | 20 ++ .../vql_reference/misc/mock_replay/_index.md | 30 +++ content/vql_reference/misc/repack/_index.md | 32 +++ content/vql_reference/misc/trace/_index.md | 20 ++ .../vql_reference/misc/write_jsonl/_index.md | 4 +- .../vql_reference/parsers/parse_mft/_index.md | 1 + .../parsers/split_records/_index.md | 4 +- .../vql_reference/plugin/pathspec/_index.md | 1 + content/vql_reference/plugin/yara/_index.md | 2 +- .../server/create_flow_download/_index.md | 4 +- .../server/elastic_upload/_index.md | 1 + .../vql_reference/server/gui_users/_index.md | 2 +- content/vql_reference/server/mail/_index.md | 4 +- .../server/splunk_upload/_index.md | 2 +- .../vql_reference/server/uploads/_index.md | 1 + static/reference/data.json | 232 ++++++++++++++++-- 27 files changed, 477 insertions(+), 34 deletions(-) create mode 100644 content/vql_reference/misc/get_flow/_index.md create mode 100644 content/vql_reference/misc/mail/_index.md create mode 100644 content/vql_reference/misc/mock_clear/_index.md create mode 100644 content/vql_reference/misc/mock_replay/_index.md create mode 100644 content/vql_reference/misc/repack/_index.md create mode 100644 content/vql_reference/misc/trace/_index.md diff --git a/.pyspelling.yml b/.pyspelling.yml index 1cd8a41761e..038a3266bd9 100644 --- a/.pyspelling.yml 
+++ b/.pyspelling.yml @@ -20,9 +20,6 @@ matrix: # ``` - open: '(?s)^(?P *`{3,})' close: '^(?P=open)$' - # Ignore text between inline back ticks - - open: '(?P`+)' - close: '(?P=open)' # Insides of URL links - open: '\]\(' close: '\)' @@ -32,8 +29,12 @@ matrix: # Inside HTML tags - open: '(?s)(?P[<])' close: '[>]' + # Ignore text between inline back ticks + - open: '(?P`+)' + close: '(?P=open)' + # Inside yaml headers - - open: '(?s)^(?P *-{3,})' + - open: '(?s)^(?P---)$' close: '^(?P=open)$' - pyspelling.filters.markdown: diff --git a/.wordlist.txt b/.wordlist.txt index df9b1cf0e7d..d2de3cba8df 100644 --- a/.wordlist.txt +++ b/.wordlist.txt @@ -1292,3 +1292,21 @@ CVEs TLDR musl vfs + +deduped +LazyAny + +VelociraptorDarwin +VelociraptorLinux +VelociraptorWindows +os +IOPs +ProcessEntry +ProcessTrackerUpdate +enrichments +msec + +namespece +cwd +PIDs +EBS diff --git a/content/docs/server_automation/server_monitoring/_index.md b/content/docs/server_automation/server_monitoring/_index.md index 35e4c2cf65d..5cdfa971d0b 100644 --- a/content/docs/server_automation/server_monitoring/_index.md +++ b/content/docs/server_automation/server_monitoring/_index.md @@ -30,8 +30,7 @@ case: The full description of how to set up slack to receive messages from Velociraptor can be found in our blog post [Slack and -Velociraptor]({{< ref -"/blog/2020/2020-12-26-slack-and-velociraptor-b63803ba4b16/" >}}), but +Velociraptor]({{< ref "/blog/2020/2020-12-26-slack-and-velociraptor-b63803ba4b16/" >}}), but here we cover the high level details. ### Step 1: Checking a group of clients for online status diff --git a/content/vql_reference/basic/_index.md b/content/vql_reference/basic/_index.md index 823082644ce..e37bf5233fc 100644 --- a/content/vql_reference/basic/_index.md +++ b/content/vql_reference/basic/_index.md 
@@ -50,7 +50,7 @@ or in condition clauses (i.e. after the `WHERE` keyword).
 |[join](join)|Function|Join all the args on a separator|
 |[killkillkill](killkillkill)|Function|Kills the client and forces a restart - this is very aggressive!|
 |[len](len)|Function|Returns the length of an object|
-|[log](log)|Function|Log the message|
+|[log](log)|Function|Log the message and return TRUE|
 |[lowcase](lowcase)|Function||
 |[max](max)|Function|Finds the largest item in the aggregate|
 |[memoize](memoize)|Function|Memoize a query into memory|
diff --git a/content/vql_reference/basic/len/_index.md b/content/vql_reference/basic/len/_index.md
index c410610620e..73650ea6af0 100644
--- a/content/vql_reference/basic/len/_index.md
+++ b/content/vql_reference/basic/len/_index.md
@@ -19,7 +19,7 @@ no_edit: true
 Arg | Description | Type
 ----|-------------|-----
-list|A list of items too filter|Any (required)
+list|A list of items to filter|Any (required)
 ### Description
diff --git a/content/vql_reference/basic/log/_index.md b/content/vql_reference/basic/log/_index.md
index 6333e74e144..7d5ad7c4211 100644
--- a/content/vql_reference/basic/log/_index.md
+++ b/content/vql_reference/basic/log/_index.md
@@ -26,5 +26,44 @@ level|Level to log at (DEFAULT, WARN, ERROR, INFO).|string ### Description -Log the message. +Log the message and return TRUE. + +The message will be logged into the query log stream (Viewable in +the Logs tab). The `message` parameter represents a format string +that will be expanded using the `args` parameter list if needed. + +Since `log()` always returns TRUE it is easy to use in a WHERE +clause as a form of debugging (It is basically equivalent to the +print statement of other languages). + +```sql +SELECT * FROM glob(...) +WHERE log(message="Value of OSPath is %v", args=OSPath) +``` + +## Deduplication + +Log messages will be deduped according to the `dedup` +parameter - each distinct format string will not be emitted more +frequently than the `dedup` parameter (by default 60 seconds). + +This makes it safe to use `log()` frequently without overflowing +the logs stream. + +```vql +SELECT * FROM range(end=_value) +WHERE log(message="Value is %v", args=_value) +``` + +Will only emit a single message due to the format string being +deduped. + +This property makes it useful to add progress logging to long +running artifacts. The logs will be emitted every minute. + +```vql +SELECT * FROM glob(...) +WHERE log(message="Processing file %v", args=OSPath) +``` + diff --git a/content/vql_reference/misc/_index.md b/content/vql_reference/misc/_index.md index 45bc96a2ecd..e7aabb85633 100644 --- a/content/vql_reference/misc/_index.md +++ b/content/vql_reference/misc/_index.md 
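Review bot: The three examples in the new `log()` description are fenced inconsistently — the first block is tagged `sql` while the two later ones are tagged `vql` — so the same language gets different highlighting on one page; tag all three as `vql`. The sentence "each distinct format string will not be emitted more frequently than the `dedup` parameter" reads as if the parameter were itself a rate; `will not be emitted more than once per dedup seconds` would be clearer. The paragraph above calls `args` a "parameter list", yet every example passes a single value (`args=OSPath`, `args=_value`); a short clause saying that a single value is accepted as well as a list would stop readers wrapping it in brackets unnecessarily.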
@@ -19,10 +19,14 @@ Miscellaneous plugins not yet categorized.
 |[delete_flow](delete_flow)|Plugin|Delete all the files that make up a flow|
 |[entropy](entropy)|Function|Calculates shannon scale entropy of a string|
 |[flow_logs](flow_logs)|Plugin|Retrieve the query logs of a flow|
+|[get_flow](get_flow)|Function|Gets flow details|
 |[gunzip](gunzip)|Function|Apply Gunzip to the data|
 |[hunt_delete](hunt_delete)|Plugin|Delete a hunt|
 |[lru](lru)|Function|Creates an LRU object|
 |[lzxpress_decompress](lzxpress_decompress)|Function|Decompress an lzxpress blob|
+|[mail](mail)|Function|Send Email to a remote server|
+|[mock_clear](mock_clear)|Function|Resets all mocks|
+|[mock_replay](mock_replay)|Function|Replay recorded calls on a mock|
 |[org](org)|Function|Return the details of the current org|
 |[org_create](org_create)|Function|Creates a new organization|
 |[org_delete](org_delete)|Function|Deletes an Org from the server|
@@ -41,8 +45,10 @@ Miscellaneous plugins not yet categorized.
 |[query](query)|Plugin|Evaluate a VQL query|
 |[rekey](rekey)|Function|Causes the client to rekey and regenerate a new client ID|
 |[remap](remap)|Function|Apply a remapping configuration to the root scope|
+|[repack](repack)|Function|Repack and upload a repacked binary or MSI to the server|
 |[server_frontend_cert](server_frontend_cert)|Function|Get Server Frontend Certificate|
 |[tlsh_hash](tlsh_hash)|Function|Calculate the tlsh hash of a file|
+|[trace](trace)|Function|Upload a trace file|
 |[user](user)|Function|Retrieves information about the Velociraptor user|
 |[user_grant](user_grant)|Function|Grants the user the specified roles|
 |[vfs_ls](vfs_ls)|Plugin|List directory and build a VFS object|
diff --git a/content/vql_reference/misc/all/_index.md b/content/vql_reference/misc/all/_index.md
index 1c210a51429..d55523b1c86 100644
--- a/content/vql_reference/misc/all/_index.md
+++ b/content/vql_reference/misc/all/_index.md
@@ -19,7 +19,7 @@ no_edit: true Arg | Description | Type ----|-------------|----- -items|The items to consider. Can be an array, subquery or stored query. Will only be lazily evaluted!|Any (required) +items|The items to consider. Can be an array, subquery or stored query. Will only be lazily evaluated!|Any (required) filter|A callback to consider each item|Lambda regex|Optionally one or more regex can be provided for convenience|list of string diff --git a/content/vql_reference/misc/any/_index.md b/content/vql_reference/misc/any/_index.md index c992eaed5ea..4f33e46910c 100644 --- a/content/vql_reference/misc/any/_index.md +++ b/content/vql_reference/misc/any/_index.md @@ -19,7 +19,7 @@ no_edit: true Arg | Description | Type ----|-------------|----- -items|The items to consider. Can be an array, subquery or stored query. Will only be lazily evaluted!|Any (required) +items|The items to consider. Can be an array, subquery or stored query. Will only be lazily evaluated!|Any (required) filter|A callback to consider each item|Lambda regex|Optionally one or more regex can be provided for convenience|list of string diff --git a/content/vql_reference/misc/get_flow/_index.md b/content/vql_reference/misc/get_flow/_index.md new file mode 100644 index 00000000000..886436ee774 --- /dev/null +++ b/content/vql_reference/misc/get_flow/_index.md @@ -0,0 +1,28 @@ +--- +title: get_flow +index: true +noTitle: true +no_edit: true +--- + + + +
+ + +## get_flow +Function + + + +
+ +Arg | Description | Type +----|-------------|----- +client_id||string (required) +flow_id||string + +### Description + +Gets flow details. + diff --git a/content/vql_reference/misc/mail/_index.md b/content/vql_reference/misc/mail/_index.md new file mode 100644 index 00000000000..9dbf99bd0e8 --- /dev/null +++ b/content/vql_reference/misc/mail/_index.md @@ -0,0 +1,38 @@ +--- +title: mail +index: true +noTitle: true +no_edit: true +--- + + + +
+ + +## mail +Function + + + +
+ +Arg | Description | Type +----|-------------|----- +to|Recipient of the mail|list of string (required) +from|The from email address.|string +cc|A cc for the mail|list of string +subject|The subject.|string +body|The body of the mail.|string (required) +period|How long to wait before sending the next mail - help to throttle mails.|int64 +server_port|The SMTP server port to use (default 587).|uint64 +server|The SMTP server to use (if not specified we try the config file).|string +auth_username|The SMTP username we authenticate to the server.|string +auth_password|The SMTP username password we use to authenticate to the server.|string +skip_verify|Skip SSL verification(default: False).|bool +root_ca|As a better alternative to disable_ssl_security, allows root ca certs to be added here.|string + +### Description + +Send Email to a remote server. + diff --git a/content/vql_reference/misc/mock_clear/_index.md b/content/vql_reference/misc/mock_clear/_index.md new file mode 100644 index 00000000000..81cdfe459f5 --- /dev/null +++ b/content/vql_reference/misc/mock_clear/_index.md @@ -0,0 +1,20 @@ +--- +title: mock_clear +index: true +noTitle: true +no_edit: true +--- + + + +
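Review bot: The `root_ca` row of the new `mail` function page tells the reader it is an alternative to `disable_ssl_security`, but `mail` has no such parameter — its own switch is `skip_verify` — so the cross-reference cannot be followed. The splunk_upload page already uses the right wording, so this row should read `root_ca|As a better alternative to skip_verify, allows root ca certs to be added here.|string`. The same row is added to content/vql_reference/server/mail/_index.md and to both `mail` entries in static/reference/data.json; since the markdown appears to be generated from data.json, the text presumably has to be fixed at its source and regenerated. The `skip_verify` row would also be more useful if it stated the cost of the flag, e.g. `skip_verify|Skip SSL certificate verification (default: False). With verification off the SMTP credentials are presumably sent to an unauthenticated server; prefer root_ca for private CAs.|bool`.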
+ + +## mock_clear +Function + + +### Description + +Resets all mocks. + diff --git a/content/vql_reference/misc/mock_replay/_index.md b/content/vql_reference/misc/mock_replay/_index.md new file mode 100644 index 00000000000..7446054c377 --- /dev/null +++ b/content/vql_reference/misc/mock_replay/_index.md @@ -0,0 +1,30 @@ +--- +title: mock_replay +index: true +noTitle: true +no_edit: true +--- + + + +
+ + +## mock_replay +Function + + + +
+ +Arg | Description | Type +----|-------------|----- +plugin|The plugin to mock|string +function|The function to mock|string +expected_calls|How many times plugin should be called|int +clear|This call will clear previous mocks for this plugin|bool + +### Description + +Replay recorded calls on a mock. + diff --git a/content/vql_reference/misc/repack/_index.md b/content/vql_reference/misc/repack/_index.md new file mode 100644 index 00000000000..fbec1bd686b --- /dev/null +++ b/content/vql_reference/misc/repack/_index.md @@ -0,0 +1,32 @@ +--- +title: repack +index: true +noTitle: true +no_edit: true +--- + + + +
+ + +## repack +Function + + + +
+ +Arg | Description | Type +----|-------------|----- +target|The name of the target OS to repack (VelociraptorWindows, VelociraptorLinux, VelociraptorDarwin)|string +exe|Alternative a path to the executable to repack|OSPath +accessor|The accessor to use to read the file.|string +binaries|List of tool names that will be repacked into the target|list of string +config|The config to be repacked in the form of a json or yaml string|string (required) +upload_name|The name of the upload to create|string (required) + +### Description + +Repack and upload a repacked binary or MSI to the server. + diff --git a/content/vql_reference/misc/trace/_index.md b/content/vql_reference/misc/trace/_index.md new file mode 100644 index 00000000000..10898bcc7b0 --- /dev/null +++ b/content/vql_reference/misc/trace/_index.md @@ -0,0 +1,20 @@ +--- +title: trace +index: true +noTitle: true +no_edit: true +--- + + + +
+ + +## trace +Function + + +### Description + +Upload a trace file. + diff --git a/content/vql_reference/misc/write_jsonl/_index.md b/content/vql_reference/misc/write_jsonl/_index.md index 3139395fa2d..48b8a7212dd 100644 --- a/content/vql_reference/misc/write_jsonl/_index.md +++ b/content/vql_reference/misc/write_jsonl/_index.md @@ -19,8 +19,8 @@ no_edit: true Arg | Description | Type ----|-------------|----- -filename|Output JSON files to open|string (required) -accessor|The accessor to use. Currently only supports "auto", "file" or "".|string +filename|CSV files to open|string (required) +accessor|The accessor to use|string query|query to write into the file.|StoredQuery (required) ### Description diff --git a/content/vql_reference/parsers/parse_mft/_index.md b/content/vql_reference/parsers/parse_mft/_index.md index 4ecd49527e3..9bcd3278544 100644 --- a/content/vql_reference/parsers/parse_mft/_index.md +++ b/content/vql_reference/parsers/parse_mft/_index.md @@ -22,6 +22,7 @@ Arg | Description | Type filename|The MFT file.|OSPath (required) accessor|The accessor to use.|string prefix|If specified we prefix all paths with this path.|OSPath +start|The first entry to scan.|int64 ### Description diff --git a/content/vql_reference/parsers/split_records/_index.md b/content/vql_reference/parsers/split_records/_index.md index b30adeb7cec..a61673203ce 100644 --- a/content/vql_reference/parsers/split_records/_index.md +++ b/content/vql_reference/parsers/split_records/_index.md 
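Review bot: The new `filename` description for `write_jsonl` reads `CSV files to open`, but this function writes JSONL (the line it replaces said `Output JSON files to open`), so the wording looks copied from a CSV writer and will mislead readers of the argument table; suggest `filename|Output JSONL file to write|string (required)`. The `accessor` row also drops the note about which accessors are accepted; if the restriction to "auto", "file" or "" still holds, keeping it would save users a failed query. Both strings are changed identically in static/reference/data.json, which these pages appear to be generated from, so the source entry is where the correction belongs.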
@@ -21,10 +21,12 @@ Arg | Description | Type ----|-------------|----- filenames|Files to parse.|list of OSPath (required) accessor|The accessor to use|string -regex|The split regular expression (e.g. a comma)|string (required) +regex|The split regular expression (e.g. a comma, default whitespace)|string columns|If the first row is not the headers, this arg must provide a list of column names for each value.|list of string first_row_is_headers|A bool indicating if we should get column names from the first row.|bool count|Only split into this many columns if possible.|int +record_regex|A regex to split data into records (default |string +buffer_size|Maximum size of line buffer (default 64kb).|int ### Description diff --git a/content/vql_reference/plugin/pathspec/_index.md b/content/vql_reference/plugin/pathspec/_index.md index 1fb99b404c5..bb7aab0dbf1 100644 --- a/content/vql_reference/plugin/pathspec/_index.md +++ b/content/vql_reference/plugin/pathspec/_index.md @@ -24,6 +24,7 @@ DelegatePath|A delegate to pass to the accessor.|string Path|A path to open.|Any parse|Alternatively parse the pathspec from this string.|string path_type|Type of path this is (windows,linux,registry,ntfs).|string +accessor|The accessor to use to parse the path with|string ### Description diff --git a/content/vql_reference/plugin/yara/_index.md b/content/vql_reference/plugin/yara/_index.md index add084e291b..e1cb434c388 100644 --- a/content/vql_reference/plugin/yara/_index.md +++ b/content/vql_reference/plugin/yara/_index.md @@ -88,7 +88,7 @@ yara DSL and the following combinations are supported `wide`, `wide ascii`, `wide nocase`, `wide nocase ascii`. This shorthand notation is less useful because recent Velociraptor -versions offer a context sensivite Yara rule editor in the GUI +versions offer a context sensitive Yara rule editor in the GUI (simply press ? to bring up a rule template). {{% notice note %}} 
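Review bot: The added `record_regex` row of `split_records` is cut off after `(default ` — the default value and the closing parenthesis are missing, so the rendered table shows an unfinished sentence. The default is presumably a line-break pattern that the generator dropped when it emitted the string; the row should read `record_regex|A regex to split data into records (default <DEFAULT_REGEX>)|string` with the real default filled in, escaped so it survives the markdown table cell. The same truncated string appears in the split_records entry of static/reference/data.json.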
diff --git a/content/vql_reference/server/create_flow_download/_index.md b/content/vql_reference/server/create_flow_download/_index.md index 9bc1a29e5ac..04c6ddfe2d7 100644 --- a/content/vql_reference/server/create_flow_download/_index.md +++ b/content/vql_reference/server/create_flow_download/_index.md @@ -22,8 +22,8 @@ Arg | Description | Type client_id|Client ID to export.|string (required) flow_id|The flow id to export.|string (required) wait|If set we wait for the download to complete before returning.|bool -type|Type of download to create (deperated Ignored).|string -template|Report template to use (deperated Ignored).|string +type|Type of download to create (deprecated Ignored).|string +template|Report template to use (deprecated Ignored).|string password|An optional password to encrypt the collection zip.|string format|Format to export (csv,json,csv_only) defaults to both.|string expand_sparse|If set we expand sparse files in the archive.|bool diff --git a/content/vql_reference/server/elastic_upload/_index.md b/content/vql_reference/server/elastic_upload/_index.md index 5038f4fecf9..909e2bfc337 100644 --- a/content/vql_reference/server/elastic_upload/_index.md +++ b/content/vql_reference/server/elastic_upload/_index.md @@ -33,6 +33,7 @@ wait_time|Batch elastic upload this long (2 sec).|int64 pipeline|Pipeline for uploads|string disable_ssl_security|Disable ssl certificate verifications.|bool root_ca|As a better alternative to disable_ssl_security, allows root ca certs to be added here.|string +max_memory_buffer|How large we allow the memory buffer to grow to while we are trying to contact the Elastic server (default 100mb).|uint64 ### Description diff --git a/content/vql_reference/server/gui_users/_index.md b/content/vql_reference/server/gui_users/_index.md index 73243990d76..1bd02549701 100644 --- a/content/vql_reference/server/gui_users/_index.md +++ b/content/vql_reference/server/gui_users/_index.md 
@@ -19,7 +19,7 @@ no_edit: true
 Arg | Description | Type
 ----|-------------|-----
-all_orgs|If set we enumberate permission for all orgs, otherwise just for this org.|bool
+all_orgs|If set we enumerate permission for all orgs, otherwise just for this org.|bool
 ### Description
diff --git a/content/vql_reference/server/mail/_index.md b/content/vql_reference/server/mail/_index.md
index 012fb24415d..200eb237898 100644
--- a/content/vql_reference/server/mail/_index.md
+++ b/content/vql_reference/server/mail/_index.md
@@ -24,11 +24,13 @@ from|The from email address.|string
 cc|A cc for the mail|list of string
 subject|The subject.|string
 body|The body of the mail.|string (required)
-period|How long to wait before sending the next mail - help to throttle mails.|int64 (required)
+period|How long to wait before sending the next mail - help to throttle mails.|int64
 server_port|The SMTP server port to use (default 587).|uint64
 server|The SMTP server to use (if not specified we try the config file).|string
 auth_username|The SMTP username we authenticate to the server.|string
 auth_password|The SMTP username password we use to authenticate to the server.|string
+skip_verify|Skip SSL verification(default: False).|bool
+root_ca|As a better alternative to disable_ssl_security, allows root ca certs to be added here.|string
 ### Description
diff --git a/content/vql_reference/server/splunk_upload/_index.md b/content/vql_reference/server/splunk_upload/_index.md
index ea509552553..16e87dacfdf 100644
--- a/content/vql_reference/server/splunk_upload/_index.md
+++ b/content/vql_reference/server/splunk_upload/_index.md
@@ -32,7 +32,7 @@ root_ca|As a better alternative to skip_verify, allows root ca certs to be added wait_time|Batch splunk upload this long (2 sec).|int64 hostname|Hostname for Splunk Events. Defaults to server hostname.|string timestamp_field|Field to use as event timestamp.|string -hostname_field|Field to use as event hostname. Overrides hostname param.|string +hostname_field|Field to use as event hostname. Overrides hostname parameter.|string ### Description diff --git a/content/vql_reference/server/uploads/_index.md b/content/vql_reference/server/uploads/_index.md index d894e687c31..9f945073003 100644 --- a/content/vql_reference/server/uploads/_index.md +++ b/content/vql_reference/server/uploads/_index.md @@ -21,6 +21,7 @@ Arg | Description | Type ----|-------------|----- client_id|The client id to extract|string flow_id|A flow ID (client or server artifacts)|string +hunt_id|A hunt ID|string ### Description diff --git a/static/reference/data.json b/static/reference/data.json index 7a597d584df..73490733666 100644 --- a/static/reference/data.json +++ b/static/reference/data.json @@ -50,7 +50,7 @@ { "name": "items", "type": "Any", - "description": "The items to consider. Can be an array, subquery or stored query. Will only be lazily evaluted!", + "description": "The items to consider. Can be an array, subquery or stored query. Will only be lazily evaluated!", "required": true }, { @@ -88,7 +88,7 @@ { "name": "items", "type": "Any", - "description": "The items to consider. Can be an array, subquery or stored query. Will only be lazily evaluted!", + "description": "The items to consider. Can be an array, subquery or stored query. Will only be lazily evaluated!", "required": true }, { 
@@ -854,12 +854,12 @@ { "name": "type", "type": "string", - "description": "Type of download to create (deperated Ignored)." + "description": "Type of download to create (deprecated Ignored)." }, { "name": "template", "type": "string", - "description": "Report template to use (deperated Ignored)." + "description": "Report template to use (deprecated Ignored)." }, { "name": "password", @@ -1172,6 +1172,11 @@ "name": "root_ca", "type": "string", "description": "As a better alternative to disable_ssl_security, allows root ca certs to be added here." + }, + { + "name": "max_memory_buffer", + "type": "uint64", + "description": "How large we allow the memory buffer to grow to while we are trying to contact the Elastic server (default 100mb)." } ], "category": "server" @@ -1733,6 +1738,22 @@ "type": "Function", "category": "server" }, + { + "name": "get_flow", + "description": "Gets flow details.", + "type": "Function", + "args": [ + { + "name": "client_id", + "type": "string", + "required": true + }, + { + "name": "flow_id", + "type": "string" + } + ] + }, { "name": "get_server_monitoring", "description": "Retrieve the current server monitoring state.", @@ -1855,7 +1876,7 @@ { "name": "all_orgs", "type": "bool", - "description": "If set we enumberate permission for all orgs, otherwise just for this org." + "description": "If set we enumerate permission for all orgs, otherwise just for this org." } ], "category": "server" @@ -2542,7 +2563,7 @@ { "name": "list", "type": "Any", - "description": "A list of items too filter", + "description": "A list of items to filter", "required": true } ], @@ -2550,8 +2571,9 @@ }, { "name": "log", - "description": "Log the message.", + "description": "Log the message and return TRUE.", "type": "Function", + "version": 2, "args": [ { "name": "message", @@ -2654,7 +2676,7 @@ { "name": "mail", "description": "Send Email to a remote server.", - "type": "Plugin", + "type": "Function", "args": [ { "name": "to", 
@@ -2688,9 +2710,79 @@ { "name": "period", "type": "int64", - "description": "How long to wait before sending the next mail - help to throttle mails.", + "description": "How long to wait before sending the next mail - help to throttle mails." + }, + { + "name": "server_port", + "type": "uint64", + "description": "The SMTP server port to use (default 587)." + }, + { + "name": "server", + "type": "string", + "description": "The SMTP server to use (if not specified we try the config file)." + }, + { + "name": "auth_username", + "type": "string", + "description": "The SMTP username we authenticate to the server." + }, + { + "name": "auth_password", + "type": "string", + "description": "The SMTP username password we use to authenticate to the server." + }, + { + "name": "skip_verify", + "type": "bool", + "description": "Skip SSL verification(default: False)." + }, + { + "name": "root_ca", + "type": "string", + "description": "As a better alternative to disable_ssl_security, allows root ca certs to be added here." + } + ] + }, + { + "name": "mail", + "description": "Send Email to a remote server.", + "type": "Plugin", + "args": [ + { + "name": "to", + "type": "string", + "description": "Recipient of the mail", + "repeated": true, + "required": true + }, + { + "name": "from", + "type": "string", + "description": "The from email address." + }, + { + "name": "cc", + "type": "string", + "description": "A cc for the mail", + "repeated": true + }, + { + "name": "subject", + "type": "string", + "description": "The subject." + }, + { + "name": "body", + "type": "string", + "description": "The body of the mail.", "required": true }, + { + "name": "period", + "type": "int64", + "description": "How long to wait before sending the next mail - help to throttle mails." + }, { "name": "server_port", "type": "uint64", 
@@ -2710,6 +2802,16 @@ "name": "auth_password", "type": "string", "description": "The SMTP username password we use to authenticate to the server." + }, + { + "name": "skip_verify", + "type": "bool", + "description": "Skip SSL verification(default: False)." + }, + { + "name": "root_ca", + "type": "string", + "description": "As a better alternative to disable_ssl_security, allows root ca certs to be added here." } ], "category": "server" @@ -2822,6 +2924,38 @@ ], "category": "utils" }, + { + "name": "mock_clear", + "description": "Resets all mocks.", + "type": "Function" + }, + { + "name": "mock_replay", + "description": "Replay recorded calls on a mock.", + "type": "Function", + "args": [ + { + "name": "plugin", + "type": "string", + "description": "The plugin to mock" + }, + { + "name": "function", + "type": "string", + "description": "The function to mock" + }, + { + "name": "expected_calls", + "type": "int", + "description": "How many times plugin should be called" + }, + { + "name": "clear", + "type": "bool", + "description": "This call will clear previous mocks for this plugin" + } + ] + }, { "name": "modules", "description": "Enumerate Loaded DLLs.", @@ -3409,6 +3543,11 @@ "name": "prefix", "type": "OSPath", "description": "If specified we prefix all paths with this path." + }, + { + "name": "start", + "type": "int64", + "description": "The first entry to scan." } ], "category": "parsers" @@ -3838,6 +3977,11 @@ "name": "path_type", "type": "string", "description": "Type of path this is (windows,linux,registry,ntfs)." + }, + { + "name": "accessor", + "type": "string", + "description": "The accessor to use to parse the path with" } ], "category": "plugin" 
@@ -4600,6 +4744,46 @@ } ] }, + { + "name": "repack", + "description": "Repack and upload a repacked binary or MSI to the server.", + "type": "Function", + "args": [ + { + "name": "target", + "type": "string", + "description": "The name of the target OS to repack (VelociraptorWindows, VelociraptorLinux, VelociraptorDarwin)" + }, + { + "name": "exe", + "type": "OSPath", + "description": "Alternative a path to the executable to repack" + }, + { + "name": "accessor", + "type": "string", + "description": "The accessor to use to read the file." + }, + { + "name": "binaries", + "type": "string", + "description": "List of tool names that will be repacked into the target", + "repeated": true + }, + { + "name": "config", + "type": "string", + "description": "The config to be repacked in the form of a json or yaml string", + "required": true + }, + { + "name": "upload_name", + "type": "string", + "description": "The name of the upload to create", + "required": true + } + ] + }, { "name": "rm", "description": "Remove a file from the filesystem using the API.", @@ -4999,8 +5183,7 @@ { "name": "regex", "type": "string", - "description": "The split regular expression (e.g. a comma)", - "required": true + "description": "The split regular expression (e.g. a comma, default whitespace)" }, { "name": "columns", @@ -5017,6 +5200,16 @@ "name": "count", "type": "int", "description": "Only split into this many columns if possible." + }, + { + "name": "record_regex", + "type": "string", + "description": "A regex to split data into records (default " + }, + { + "name": "buffer_size", + "type": "int", + "description": "Maximum size of line buffer (default 64kb)." } ], "category": "parsers" @@ -5096,7 +5289,7 @@ { "name": "hostname_field", "type": "string", - "description": "Field to use as event hostname. Overrides hostname param." + "description": "Field to use as event hostname. Overrides hostname parameter." } ], "category": "server" 
@@ -5507,6 +5700,12 @@ ], "category": "windows" }, + { + "name": "trace", + "description": "Upload a trace file.", + "type": "Function", + "version": 1 + }, { "name": "unhex", "description": "Apply hex decoding to the string.", @@ -5896,6 +6095,11 @@ "name": "flow_id", "type": "string", "description": "A flow ID (client or server artifacts)" + }, + { + "name": "hunt_id", + "type": "string", + "description": "A hunt ID" } ], "category": "server" @@ -6411,13 +6615,13 @@ { "name": "filename", "type": "string", - "description": "Output JSON files to open", + "description": "CSV files to open", "required": true }, { "name": "accessor", "type": "string", - "description": "The accessor to use. Currently only supports \"auto\", \"file\" or \"\"." + "description": "The accessor to use" }, { "name": "query",