Hello team, my question is related to the Notebooks. Can we write and execute VQL queries from the Notebooks on all the endpoints? Or are the Notebooks VQL queries only executed on the Velociraptor server?
Replies: 1 comment
Notebooks are run on the server but you can collect an artifact on the clients. You can use the notebook to initiate collections from the client using the collect_client() VQL function but it must be an artifact.

You can use Generic.Client.VQL to run generic VQL queries on the client, which is what the shell GUI screen does.

Running VQL on clients is practically more complicated than in the notebook - it needs to be scheduled (the client may not be up at the time) and we need to store the results in a unique location (basically the flow id is the directory where results go). We also need provenance as to what we actually ran on the client and what it sent back. So this is why we can only collect artifacts from clients and not run ad hoc VQL. We also need people to test the VQL properly before deploying to clients so the workflow is
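The flow described in the reply, as an added example that is not part of the original discussion: one notebook cell schedules Generic.Client.VQL on a client with collect_client(), and a second cell reads the stored results back by flow id. The client id and flow id are placeholders, the query passed to the client is a constructed sample, and the `Command` parameter name of Generic.Client.VQL is assumed from the built-in artifact definition.

```vql
-- Cell 1: schedule the collection from the notebook (runs on the server).
-- "C.0000000000000000" is a placeholder client id; replace it with a real one.
LET ClientId <= "C.0000000000000000"

-- Generic.Client.VQL carries the query in its Command parameter (assumed name).
-- The query text is recorded in the flow request, which gives the provenance
-- of what was actually sent to the client.
LET Flow <= collect_client(
    client_id=ClientId,
    artifacts="Generic.Client.VQL",
    env=dict(Command="SELECT Hostname, OS, Fqdn FROM info()"))

-- The returned flow id names the location where the client's results are stored.
SELECT ClientId,
       Flow.flow_id AS FlowId,
       Flow.request AS Request
FROM scope()

-- Cell 2: run only after the client has checked in and the flow has finished.
-- "F.XXXXXXXXXXXX" is a placeholder; paste the FlowId value shown by cell 1.
SELECT *
FROM source(
    client_id="C.0000000000000000",
    flow_id="F.XXXXXXXXXXXX",
    artifact="Generic.Client.VQL")
```

Re-running cell 1 schedules a new collection each time, so the flow id from a previous run is the one to keep for cell 2.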