-
Notifications
You must be signed in to change notification settings - Fork 0
/
Loki Scanner Again
41 lines (34 loc) · 1.63 KB
/
Loki Scanner Again
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
name: CPIRT.Windows.Scanner.Loki
description: Make sure to download latest release of Loki, upgrade, and then package in a zip folder named loki.zip
tools:
- name: Loki
parameters:
- name: UploadCSVLog
type: bool
sources:
- query: |
-- preparation
LET Hostname <= SELECT Hostname as Host FROM info()
LET Toolzip <= SELECT FullPath FROM Artifact.Generic.Utils.FetchBinary(ToolName="Loki", IsExecutable=FALSE)
LET TmpDir <= tempdir(remove_last=TRUE)
LET UnzipIt <= SELECT * FROM unzip(filename=Toolzip.FullPath, output_directory=TmpDir)
Let LokiExec = TmpDir + '\\loki\\loki.exe'
-- execute Loki
LET ExecLoki <= SELECT * FROM execve(argv=['cmd.exe', '/c', 'cd', TmpDir, '&', LokiExec, '--onlyrelevant', '-l', TmpDir + '\\' + Hostname.Host[0] + '-loki-log-file.csv', '--csv', '--dontwait'])
-- parse csvs
SELECT * FROM foreach(row=ExecLoki,
query={
SELECT *, Hostname
FROM split_records(filenames=TmpDir + "\\" + Hostname.Host[0] + "-loki-log-file.csv", accessor="auto", regex="," , columns=['Time', 'Hostname', 'DetectionType', 'ScanType', 'Detection'], count=5)
})
- name: Uploads
query: |
-- upload CSV logs if requested
SELECT * FROM if(
condition=UploadCSVLog,
then={
SELECT Name, upload(file=FullPath,
name=relpath(base=TmpDir + Hostname.Host[0] + "-loki-log-file.csv", path=FullPath)) as FileDetails
FROM glob(globs="/**", root=TmpDir)
WHERE Name =~ "(csv)$"
})