Server.Utils.DeleteClientLabel :: Velociraptor

Server.Utils.DeleteClientLabel

This artifact completely removes a client from the data store if a configured label is set.

We reccomend running as a server artifact then if happy with actions add as an action for monitoring.

Be careful with this one: there is no way to recover old data. However, if the client still exists, it will just automatically re-enroll when it next connects. You will still be able to talk to it, it is just that old collected data is deleted.


name: Server.Utils.DeleteClientLabel
author: Matt Green - @mgreen27
description: |
  This artifact completely removes a client from the data store if a configured
  label is set.

  We reccomend running as a server artifact then if happy with actions add as an
  action for monitoring.

  Be careful with this one: there is no way to recover old
  data. However, if the client still exists, it will just
  automatically re-enroll when it next connects. You will still be able
  to talk to it, it is just that old collected data is deleted.

type: SERVER

parameters:
  - name: LabelToDelete
    description: A label to delete the client if applied to machine.
    default: todelete
  - name: ReallyDoIt
    description: If you really want to delete the client, check this.
    type: bool

sources:
  - query: |
        LET to_remove = SELECT
            client_id AS ClientId,
            os_info.hostname as Hostname,
            timestamp(epoch=first_seen_at) AS FirstSeen,
            timestamp(epoch=last_seen_at) AS LastSeen,
            agent_information.version AS AgentVersion,
            agent_information.build_time AS AgentBuildTime,
            os_info.release as OS,
            os_info.machine as Architecture,
            os_info.fqdn as Fqdn,
            last_ip AS LastIp,
            labels,
            os_info.mac_addresses as mac_addresses
        FROM clients()
        WHERE LabelToDelete IN labels

        LET deleted_files <= SELECT *
            FROM client_delete(client_id=to_remove.ClientId, really_do_it=ReallyDoIt)

        SELECT *,
            {
                SELECT vfs_path
                FROM deleted_files
                WHERE client_id = ClientId
            } AS DeletedFiles,
            {
                SELECT type
                FROM deleted_files
                WHERE client_id = ClientId
                GROUP BY type
            } AS DeletedFileType,
            {
                SELECT really_do_it
                FROM deleted_files
                WHERE client_id = ClientId
                GROUP BY really_do_it
            } AS really_do_it
        FROM to_remove