Replies: 1 comment
-
reworded request in another discussion |
I am bouncing my head off the wall trying to understand why this VQL works in one artifact:
But when I add that FROM and WHERE clause to the artifact query below, it breaks the detection, and no files are found when written to a USB device. The VQL below works, but it detects writes to ANY drive, and I need it to trigger only for removable media (USB/external media).
query: |
  -- Poll the glob every 2 seconds and keep only rows that were not present last time.
  -- Note: the glob was shown as ":/" on the page; the asterisks were stripped by markdown,
  -- so it is restored here as "*:/*" (every drive letter, top level).
  LET AddedFiles = SELECT OSPath, Size, FullPath
    FROM diff(
      key="Key",
      period=2,
      query={
        -- one %v per argument, otherwise the extra value is appended as fmt "EXTRA" noise
        SELECT OSPath, Size, FullPath,
               format(format="%v_%v_%v", args=[OSPath, Size, FullPath]) AS Key
        FROM glob(globs="*:/*")
      })
    WHERE Diff = "added"
I know I am not good with VQL, but I don't see why this VQL does not work:
query: |
  LET AddedFiles = SELECT OSPath, Size, FullPath
    FROM diff(
      key="Key",
      period=2,
      query={
        SELECT OSPath, Size, FullPath,
               format(format="%v_%v_%v", args=[OSPath, Size, FullPath]) AS Key
        -- "/*" with the file accessor lists the drive roots (one row per volume),
        -- with volume metadata in the Data column
        FROM glob(globs="/*", accessor="file")
        WHERE Data.Description =~ "Removable"
      })
    WHERE Diff = "added"
I am confused because this VQL does work for removable media only, but it does not allow for detections based on time:
query: |
  -- maxDriveSize is an artifact parameter (not shown in the post)
  LET removable_disks = SELECT Name AS Drive,
                               atoi(string=Data.Size) AS Size
    FROM glob(globs="/*", accessor="file")
    WHERE Data.Description =~ "Removable" AND Size < atoi(string=maxDriveSize)
I have tried combining the above two queries in multiple ways, but I just cannot get the last piece working, which is to change the VQL that works for any drive over time, to just be for removable storage. Anyone see something obvious that I am missing? Thank you so much in advance.
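The following is an added example, not the poster's code and not an artifact shipped with Velociraptor, that combines the two working pieces from the question: the drive enumeration (root glob with the file accessor, filtered on Data.Description) feeds a per-drive file glob through foreach(), and diff() then runs over the files rather than over the drive rows. The artifact name, the PollSeconds parameter, and the assumption that the drive listing's Name column is of the form "E:" (so that "E:/**" is a valid glob) are mine; the glob(), foreach(), diff() and format() plugins and the Data.Description check are the ones already used on this page.

```yaml
name: Custom.Windows.Detection.RemovableMediaWrites
description: |
  Client event artifact (added example, not part of the original post).
  Every PollSeconds it lists files on removable volumes only and emits
  rows that were not present in the previous poll.
type: CLIENT_EVENT
parameters:
  - name: PollSeconds
    default: "2"
sources:
  - query: |
      -- Step 1: enumerate volumes. With the Windows "file" accessor the root
      -- listing returns one row per drive with volume metadata in Data.
      LET removable_drives = SELECT Name AS Drive
        FROM glob(globs="/*", accessor="file")
        WHERE Data.Description =~ "Removable"

      -- Step 2: for each removable drive, glob the files beneath it.
      -- Assumption: Name looks like "E:", so the glob becomes "E:/**".
      -- This is a stored query, so it re-enumerates drives on every evaluation
      -- and newly inserted media is picked up without restarting the artifact.
      LET files_on_removable = SELECT Drive, OSPath, Size, Mtime
        FROM foreach(row=removable_drives,
          query={
            SELECT Drive, OSPath, Size, Mtime
            FROM glob(globs=format(format="%v/**", args=[Drive]), accessor="file")
            WHERE NOT IsDir
          })

      -- Step 3: diff() re-runs the file query every PollSeconds and compares
      -- row keys between runs. Key must be unique per file state, so it
      -- combines path, size and mtime (one %v per argument).
      SELECT Drive, OSPath, Size, Mtime, Diff
      FROM diff(
        key="Key",
        period=atoi(string=PollSeconds),
        query={
          SELECT Drive, OSPath, Size, Mtime,
                 format(format="%v_%v_%v", args=[OSPath, Size, Mtime]) AS Key
          FROM files_on_removable
        })
      WHERE Diff = "added"
```

The reason this differs from the second query in the post is structural: diff() can only report rows that the inner query returns, so if the inner query's glob stops at the drive roots, the only rows it will ever see are the volumes themselves, and a file written to one of them never appears. Putting the Description filter on the drive listing and the recursive glob on the files, joined by foreach(), gives diff() the file rows while still restricting the scan to removable volumes. Because Mtime is part of the key, an overwrite of an existing file shows up as "added" too; drop Mtime from the key if only new paths are wanted, and keep PollSeconds large enough that a full "**" walk of a large USB disk finishes inside one period.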