Server.Utils.DeleteManyFlows

Sometimes the Velociraptor server accumulates a lot of data that is no longer needed.

This artifact enumerates all flows from all clients and matches them against the criteria given by its parameters (artifact name, hostname, creator and creation date). Flows that match are then removed.

NOTE: This artifact destroys data irrevocably. Take care! Always do a dry run first (with ReallyDoIt unset) to see which flows will match before enabling the ReallyDoIt option.


name: Server.Utils.DeleteManyFlows
description: |
   Sometimes the Velociraptor server accumulates a lot of data that is
   no longer needed.

   This artifact enumerates all flows from all clients and matches
   them against the criteria given by its parameters. Flows that
   match are then removed.

   **NOTE** This artifact will destroy all data irrevocably. Take
     care! You should always do a dry run first to see which flows
     will match before using the ReallyDoIt option.

type: SERVER

parameters:
   - name: ArtifactRegex
     default: Generic.Client.Info
     type: regex
   - name: HostnameRegex
     description: If specified only target these hosts
     type: regex
   - name: DateBefore
     description: Only select flows created before this date. If not set we choose all flows.
     type: timestamp
   - name: CreatorRegex
     default: "."
     type: regex
     description: |
       Match flows created by this user.
   - name: ReallyDoIt
     type: bool
     description: Does not delete until you press the ReallyDoIt button!

sources:
  - query: |
        -- An unset DateBefore defaults to now, so every flow is
        -- eligible regardless of age.
        LET DateBefore <= DateBefore || timestamp(epoch=now())

        -- Enumerate the clients whose hostname matches HostnameRegex
        -- (an empty regex matches every host), then collect each
        -- client's flows in parallel and keep those that match the
        -- creator, artifact and creation-time criteria.
        LET hits = SELECT * FROM foreach(row={
            SELECT client_id,
                   os_info.hostname AS hostname
            FROM clients()
            WHERE hostname =~ HostnameRegex
        },
        query={
          SELECT client_id, hostname,
                 session_id, request.creator AS creator,
                 request.artifacts AS artifacts,
                 timestamp(epoch=create_time) AS created
          FROM flows(client_id=client_id)
          WHERE creator =~ CreatorRegex
             AND artifacts =~ ArtifactRegex
             AND created < DateBefore
        }, workers=10)

        -- Dry run by default: only list the hits. When ReallyDoIt is
        -- set, delete each hit; log() always returns true, so the
        -- WHERE clause records every deletion without filtering rows.
        SELECT * FROM if(condition=ReallyDoIt,
        then={
            SELECT * FROM foreach(row=hits,
            query={
                SELECT client_id, hostname, creator,
                       session_id, artifacts, created, Type, Data, Error
                FROM delete_flow(client_id=client_id,
                        flow_id=session_id, really_do_it=ReallyDoIt)
                WHERE log(message=format(format="Deleting flow %v from %v",
                   args=[session_id, hostname]))
            }, workers=10)
        }, else={
            SELECT * FROM hits
        })
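The selection and dry-run logic of the artifact, re-implemented in Python as an added example (this is not Velociraptor's own code, and VQL is not run here). The `Flow` records, `sample_flows()`, `matches()`, `select_flows()` and `delete_many_flows()` are all assumed names standing in for `clients()`, `flows()` and `delete_flow()`; the sample flows are constructed. It shows how the regex filters behave (unanchored search, any element of the artifacts list, empty hostname regex matching every host), how an unset `DateBefore` defaults to now, and how nothing is removed until the `really_do_it` flag is set.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Flow:
    """The fields the artifact reads from flows(): creator and artifacts
    come from the flow's request, created is its create_time."""
    client_id: str
    hostname: str
    session_id: str
    creator: str
    artifacts: list
    created: datetime


def sample_flows():
    """Constructed sample data standing in for clients()/flows() output."""
    utc = timezone.utc
    return [
        Flow("C.1", "alpha", "F.1", "admin", ["Generic.Client.Info"],
             datetime(2023, 1, 1, tzinfo=utc)),
        Flow("C.1", "alpha", "F.2", "admin", ["Windows.Sys.Users"],
             datetime(2023, 2, 1, tzinfo=utc)),
        Flow("C.2", "beta", "F.3", "analyst",
             ["Generic.Client.Info", "Windows.Network.Netstat"],
             datetime(2023, 6, 1, tzinfo=utc)),
        Flow("C.2", "beta", "F.4", "admin", ["Generic.Client.Info"],
             datetime(2024, 1, 1, tzinfo=utc)),
    ]


def matches(pattern, value):
    """VQL's =~ is an unanchored regex search; applied to a list it matches
    if any element matches. An empty pattern (an unset HostnameRegex)
    matches everything."""
    if isinstance(value, list):
        return any(re.search(pattern, v) for v in value)
    return re.search(pattern, value) is not None


def select_flows(flows, artifact_regex="Generic.Client.Info", hostname_regex="",
                 creator_regex=".", date_before=None):
    """Mirror the artifact's `hits` query: filter by hostname, creator,
    artifact and creation time. Like `LET DateBefore <= DateBefore ||
    timestamp(epoch=now())`, an unset cutoff defaults to now, so every
    flow is eligible regardless of age. Defaults match the parameters."""
    if date_before is None:
        date_before = datetime.now(timezone.utc)
    return [
        f for f in flows
        if matches(hostname_regex, f.hostname)
        and matches(creator_regex, f.creator)
        and matches(artifact_regex, f.artifacts)
        and f.created < date_before
    ]


def delete_many_flows(flows, really_do_it=False, **criteria):
    """Dry run unless really_do_it is set: report the hits, delete nothing.
    With really_do_it, remove each hit from `flows` in place (standing in
    for delete_flow()) and report what was removed."""
    hits = select_flows(flows, **criteria)
    deleted = []
    if really_do_it:
        for f in hits:
            flows.remove(f)
            deleted.append(f.session_id)
    return {
        "mode": "delete" if really_do_it else "dry-run",
        "matched": [f.session_id for f in hits],
        "deleted": deleted,
    }


if __name__ == "__main__":
    store = sample_flows()
    print("dry run:", delete_many_flows(store))
    print("delete: ", delete_many_flows(store, really_do_it=True))
    print("left:   ", [f.session_id for f in store])
```

Run the dry run first and review the `matched` list; only the second call, with `really_do_it=True`, changes the store. Note that the creation-time check is strict (`created < date_before`), so a flow created exactly at the cutoff is kept.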