Sync to Master #3824
Merged
Add execution field for Windows 10+ (displays an integer). Add "NA" output for the Win8/Win7 struct.
Updated the extraction function to exclude any base64 blobs in a URL, as in large-scale testing I observed that base64 characters extracted from URLs were always a misfire and often above the minimum character threshold.
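As an added illustration of the rule described in the commit above (this is not Velociraptor's own code), the following Go function keeps base64-looking runs above a minimum length but drops any run that falls inside a URL; the regular expressions, the 20-character threshold and the sample line are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Candidate base64 runs: at least 20 base64 characters plus optional padding.
// The threshold is an assumption for this example, not the artifact's value.
var base64Re = regexp.MustCompile(`[A-Za-z0-9+/]{20,}={0,2}`)

// Rough URL matcher: scheme, "://", then everything up to whitespace or a quote.
// Any base64 candidate lying entirely inside such a span is treated as URL text.
var urlRe = regexp.MustCompile(`[a-zA-Z][a-zA-Z0-9+.-]*://[^\s"'<>]+`)

// ExtractBase64 returns the base64-looking runs in text that are not part of a URL.
// Path segments such as "/assets/<hash>/x" would otherwise satisfy the base64
// alphabet and length check, which is exactly the misfire the commit describes.
func ExtractBase64(text string) []string {
	urls := urlRe.FindAllStringIndex(text, -1)
	inURL := func(start, end int) bool {
		for _, u := range urls {
			if start >= u[0] && end <= u[1] {
				return true
			}
		}
		return false
	}
	var out []string
	for _, m := range base64Re.FindAllStringIndex(text, -1) {
		if inURL(m[0], m[1]) {
			continue // candidate sits inside a URL: skip it
		}
		out = append(out, text[m[0]:m[1]])
	}
	return out
}

func main() {
	// Constructed sample: one encoded argument plus a CDN URL whose path looks like base64.
	sample := "powershell -enc SGVsbG8gV29ybGQhIFRoaXMgaXMgYSB0ZXN0 " +
		"https://cdn.example.com/assets/aGVsbG8gd29ybGQgdGhpcyBpcyBub3QgYSBwYXlsb2Fk/x.js"
	fmt.Println(ExtractBase64(sample))
}
```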
Fix typo in RiskyExe definition
* Load fs accessors before exporting VQL information for `velociraptor vql export` command
* Render event log messages as logs
* Remove compiled collector args for HuntList response so it can fit within the gRPC size limit.
* Case insensitive comparison for expected hash to support artifacts that specify hashes with caps.
* Remove error level logging from sqlite code - this causes artifact collection to fail during normal operations

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This causes huge browser delays for certain large artifacts like Windows.Hayabusa.Rules which contain large blobs in the artifact definition.
Since Linux paths may already have quotes in them, and a quote or backslash are valid characters in a Linux path, this can cause issues when serializing Glob results to temp files. Fixes: #3783
Update some logic and remove noisy Hostname mismatch
Allow the whole table, specific columns, or specific cells to be compacted. This helps certain data which may be too large to fit in a cell. Previously such data caused the cell to be expanded, which made the table more sparse and hard to see. This PR allows only certain cells to be expanded as needed to keep the table compact, taking less real estate. Reworked the filter/sort buttons at the top of each column to appear outside the header itself. Previously these buttons were part of the header, causing the header to be slightly wider than it needed to be, making the table more sparse. This new CSS allows the buttons to extend outside the column when they appear. Changed the sense of drag and drop on column headers to insert the dragged column before the dragged upon table - previously they would be swapped, but this is not intuitive. ![image](https://github.com/user-attachments/assets/812dab17-195f-4292-80a0-3ce34b9f2312)
The artifactset GUI was redesigned to use a multi-select which serializes to a json array. However, artifactset expects to serialize to a CSV type parameter. This made it impossible to specify any artifacts in the GUI correctly.
* Reflect user preference timezone
* Shows times in RFC3339 format
* Enter time in RFC3339 format
* Dropdown calendar
* Quick settings - next week, prev week etc.
Mainly related to the new calendar control and dropdown menu backgrounds.
This resulted in unsampled data overflowing the 2000-row maximum the GUI is prepared to accept into the graphs. This means the graphs would terminate once 2000 rows were reached. Therefore, for a lot of past data the end of the graph was not very recent.
Add a notebook suggestion that creates a simple table that looks very much like the default output from journalctl. I find myself studying the identifier/unit and message exclusively most of the time. Having this simplification as a VQL suggestion would be very handy for day-to-day use.
Previously the timeline widget would display all times in UTC, but other times in the GUI are displayed in the user's selected timezone. This PR changes this to make the timeline widget display times in the same timezone selected by the user. Also refactored the CSV parameter editor to not use editable tables. These were not intuitive, as the user had to click on the table to realize they were editable. Also it caused the layout to jump around. This PR fixes it in favor of fixed simple text areas. Additionally this PR patches the timeline widget to ensure ctrl-wheel zooms in steps of 1 - the default upstream is to jump in steps of 10, which is way too much.
This allows any row from any table to be annotated to a global timeline. This is allowed even if there is no natural time column in the row (the time is set to 1980 in that case). This feature allows selectively annotating noteworthy rows from any artifact/client/flow/hunt into a central place for reporting and analysis without first importing a time series. The user simply right clicks on any row and selects "Annotate".
Also add timestamp in the artifact to record when the artifact was built.
If the timeline message column was not a string, it would not be emitted at all. This PR forces it to be a string. Also handle floats in table output. Update vfilter to fix LIMIT bug in GROUP BY clauses.
This preserves the column types more accurately to correspond with internal data types.
Adding IP analysis to the VT enrichment artifact in order to query IP addresses in addition to hashes/files.
Also added add_labels and del_labels to the hunt_update() VQL function to allow hunt labels to be manipulated from VQL. Modified Event Table UI to allow for resizable and draggable columns.
Extended the link_to() VQL function to support more objects, such as uploads. Also fixed timezone issues in graphs.
* Root org will create a backup for all other orgs. The data for each org can be stored in the same zip file.
* It is now possible to restore only some providers selectively.
Add to timeline dialog broke due to the recent API changes. CSS fix for compressed JSON objects. Add column compression for the event timeline viewer.
No description provided.