Applying labels to hunt results

Sometimes it is useful to label clients from a hunt.

In the following example, I label every machine that returned rows from the Windows.Carving.CobaltStrike artifact with the label “CobaltStrike”.

SELECT ClientId,Fqdn,Rule,
    label(client_id=ClientId,labels=['CobaltStrike'],op='set') as SetLabel
FROM source(artifact="Windows.Carving.CobaltStrike")
GROUP BY ClientId

Label clients from hunt
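
To check the result and undo it later, here is an added example (not part of the original page) that lists the clients now carrying the label and then removes it from the same hunt results. It assumes it is run in the same hunt notebook as the query above; the column alias RemoveLabel is chosen here for illustration.

```vql
-- Added example: confirm which clients now carry the label.
SELECT client_id, os_info.fqdn AS Fqdn, labels
FROM clients(search="label:CobaltStrike")

-- Added example: remove the label again, for instance after remediation.
-- Same shape as the labeling query, with op='remove' instead of op='set'.
SELECT ClientId, Fqdn,
    label(client_id=ClientId, labels=['CobaltStrike'], op='remove') AS RemoveLabel
FROM source(artifact="Windows.Carving.CobaltStrike")
GROUP BY ClientId
```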