This artifact watches for completion of the watchArtifact
and assigns the given setLabel if the WHERE condition is matched.
Anytime the Windows.System.Services hunt is run across the environment,
results will be interpreted by this server-side artifact.
In this configuration, it will match on all systems running “Active Directory Domain Services” which likely indicates the system is a Domain Controller and will label it as such.
name: Label.DomainController
author: Eric Capuano - @eric_capuano
description: |
This artifact watches for completion of the `watchArtifact`
and assigns the given `setLabel` if the `WHERE` condition is matched.
Anytime the `Windows.System.Services` hunt is run across the environment,
results will be interpreted by this server-side artifact.
In this configuration, it will match on all systems running
"Active Directory Domain Services" which likely indicates the system
is a Domain Controller and will label it as such.
type: SERVER_EVENT
parameters:
- name: setLabel
default: dc
- name: watchArtifact
default: Windows.System.Services
sources:
- query: |
LET completions = SELECT *
FROM watch_monitoring(artifact="System.Flow.Completion")
WHERE Flow.artifacts_with_results =~ watchArtifact
LET matches = SELECT *,
label(client_id=ClientId, labels=setLabel, op="set")
FROM source(artifact=watchArtifact,
client_id=ClientId, flow_id=FlowId)
WHERE Name = "NTDS" AND DisplayName = "Active Directory Domain Services"
SELECT * FROM foreach(row=completions, query=matches)