Velociraptor Hunts are a way of running the same flow on many endpoints at once. Hunts issue very quickly and wait until each endpoint returns results.
Sometimes, the artifacts collected might take a long time and have unacceptable performance impact on the endpoint. In some cases the artifacts end up retrieving too much data that is not needed.
For those cases you might want to run the following server artifact. It cancels all currently in-flight collections.
Optionally you can also remove any files already collected if you do not need them.
This artifact is implicitly collected by the GUI when pressing the “Delete Hunt” Button.
name: Server.Hunts.CancelAndDelete
description: |
Velociraptor Hunts are a way of running the same flow on
many endpoints at once. Hunts issue very quickly and wait
until each endpoint returns results.
Sometimes, the artifacts collected might take a long time and
have unacceptable performance impact on the endpoint.
In some cases the artifacts end up retrieving too much data
that is not needed.
For those cases you might want to run the following server
artifact. It cancels all currently in-flight collections.
Optionally you can also remove any files already collected if you
do not need them.
This artifact is implicitly collected by the GUI when pressing the
"Delete Hunt" Button.
type: SERVER
parameters:
- name: HuntId
description: hunt_id you would like to kill all associated flows.
- name: Hunts
type: json_array
description: A list of hunt ids to delete
default: '[]'
- name: DeleteAllFiles
description: Also delete all collected files
type: bool
sources:
- name: CancelFlows
query: |
SELECT * FROM Artifact.Server.Utils.CancelHunt(Hunts=Hunts)
- name: HuntFiles
query: |
LET AllHunts <= if(condition=HuntId, then=Hunts + HuntId, else=Hunts)
SELECT * FROM foreach(row={
SELECT _value as HuntId FROM items(item=AllHunts)
}, query={
SELECT *
FROM hunt_delete(hunt_id=HuntId, really_do_it=DeleteAllFiles)
})