hunt

Function

| Arg | Description | Type |
|---|---|---|
| description | Description of the hunt | string |
| artifacts | A list of artifacts to collect | list of string (required) |
| expires | A time for expiry (e.g. now() + 1800) | LazyExpr |
| spec | Parameters to apply to the artifacts | Any |
| timeout | Set query timeout (default 10 min) | uint64 |
| ops_per_sec | Set query ops_per_sec value | float64 |
| cpu_limit | Set query cpu_limit value | float64 |
| iops_limit | Set query iops_limit value | float64 |
| max_rows | Max number of rows to fetch | uint64 |
| max_bytes | Max number of bytes to upload | uint64 |
| pause | If specified the new hunt will be in the paused state | bool |
| include_labels | If specified only include these labels | list of string |
| exclude_labels | If specified exclude these labels | list of string |
| os | If specified target this OS | string |
| org_id | If set the collection will be started in the specified orgs | list of string |

Required Permissions: START_HUNT ORG_ADMIN

Description

Create and launch a hunt.

This function will create a new hunt to collect the specified artifacts. The artifacts to collect are provided in the artifacts parameter. Artifact parameters are provided in the spec parameter (see example below).

NOTES

  1. In the GUI, hunts are always created in the paused state. That is not the default when using this function: hunts created here are immediately active. To create the hunt in the paused state instead, pass pause=TRUE.

  2. The expiry time may be given in any of the usual time formats (seconds since epoch, or ISO format such as “2021-10-02”). If the expiry time is in the past, the hunt will not be created.

SELECT hunt(
    description="A general hunt",
    artifacts='Windows.KapeFiles.Targets',
    spec=dict(`Windows.KapeFiles.Targets`=dict(
        Device='C:', VSSAnalysis='Y', KapeTriage='Y')),
    expires=now() + 18000)
FROM scope()
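As an added example (not from the Velociraptor documentation), the query below combines the notes above: the hunt is created paused so it can be reviewed in the GUI before release, scoped by client label and OS, capped in rows and bytes, and given a one-week expiry. The label `finance` and the OS value `windows` are assumed values chosen for illustration.

```sql
-- Added example: a paused, label-scoped hunt with resource caps.
-- The label "finance" and the OS value "windows" are assumed values.
SELECT hunt(
    description="Triage of labelled Windows hosts (paused pending review)",
    artifacts=['Windows.KapeFiles.Targets', 'Windows.Sys.Users'],
    -- Artifact parameters are keyed by artifact name inside spec
    spec=dict(`Windows.KapeFiles.Targets`=dict(KapeTriage='Y')),
    include_labels=['finance'],   -- only clients carrying this label
    os='windows',                 -- skip non-Windows clients entirely
    timeout=1200,                 -- per-client query timeout: 20 minutes
    max_rows=100000,              -- stop a runaway collection early
    max_bytes=2147483648,         -- 2 GiB upload cap per client
    pause=TRUE,                   -- created paused, unlike the default
    expires=now() + 604800)       -- one week from now; must be in the future
FROM scope()
```

The call returns the new hunt's metadata; because pause=TRUE, nothing is scheduled on clients until the hunt is started from the GUI or by a follow-up query.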