This server monitoring artifact will automatically zip and backup any collected artifacts to Azure blob storage.
You will need to provide a SasURL to upload to the container. The credentials can be given as parameters or they will be taken from the server metadata.
Based on Server.Utils.BackupS3.
Thanks to @shortxstack and @Recon_InfoSec
name: Server.Utils.BackupAzure
description: |
This server monitoring artifact will automatically zip and backup
any collected artifacts to Azure blob storage.
You will need to provide a SasURL to upload to the container. The
credentials can be given as parameters or they will be taken from
the server metadata.
Based on Server.Utils.BackupS3.
Thanks to @shortxstack and @Recon_InfoSec
type: SERVER_EVENT
parameters:
- name: ArtifactNameRegex
default: "."
description: A regular expression to select which artifacts to upload
type: regex
- name: SasURL
description: A SAS URL to use for upload to the container.
- name: RemoveDownloads
type: bool
description: If set, remove the flow export files after upload
- name: UploadSubdirectory
default: FALSE
type: bool
description: If set, upload exports to subirectory per flow
sources:
- query: |
-- Allow these settings to be set by the artifact parameter or the server metadata.
LET sas_url <= if(condition=SasURL, then=SasURL,
else=server_metadata().DefaultSasURL)
LET completions = SELECT *,
client_info(client_id=ClientId).os_info.fqdn AS Fqdn,
create_flow_download(client_id=ClientId,
flow_id=FlowId, wait=TRUE) AS FlowDownload
FROM watch_monitoring(artifact="System.Flow.Completion")
WHERE Flow.artifacts_with_results =~ ArtifactNameRegex
SELECT upload_azure(
file=FlowDownload,
accessor="fs",
sas_url=sas_url,
name=if(condition=UploadSubdirectory,
then=format(format="%v/Host %v %v %v.zip",args=[FlowId, Fqdn, FlowId, timestamp(epoch=now())]),
else=format(format="Host %v %v %v.zip",args=[Fqdn, FlowId, timestamp(epoch=now())]))
) AS Upload
FROM completions
WHERE Upload OR
if(condition=RemoveDownloads,
then=rm(filename=file_store(path=FlowDownload)))