Add Organization to fields sent to Splunk and Elastic #3399
Conversation
Add org_name field containing the Organization Name for use on Splunk
@@ -113,7 +113,11 @@ sources: | |||
timestamp(epoch=now()) AS timestamp, | |||
ClientId, Flow.session_id AS FlowId, | |||
"artifact_" + regex_replace(source=_value, | |||
re='[/.]', replace='_') as _index | |||
re='[/.]', replace='_') as _index, | |||
{ |
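Review bot: the new column opened with `{` on the last added line starts a subquery that is evaluated once for every row this SELECT emits, so if it resolves the organisation by looking across the clients (as the discussion below says it does), the lookup cost is paid on every insertion sent to Splunk. Bind the value once before the query instead, e.g. `LET OrgName <= org().name`, and select `OrgName AS org_name` as a plain column. Minor style point: `as _index` is lower-case while the neighbouring columns use `AS timestamp` and `AS FlowId`; keep the keyword casing consistent.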
This is extremely unperformant as it would have to scan all the clients for every insertion.
I would suggest instead to use org().name which contains the current org's name. Maybe even use LET to store it in a variable before the query (the org name is not going to change, right?)
The idea of using it in every interaction was due to the possibility of several organizations being present on the same hunt. If this is not a use case, previously I was using org().name too.
It is not possible to have multiple orgs in the same hunt since each org has a separate hunt manager.
Then I'm confused as to why, when I create a new hunt, I can select which organizations to use; maybe I misunderstood something.
Orgs are documented here https://docs.velociraptor.app/docs/deployment/orgs/
They are completely separate with a different set of hunts, clients, custom artifacts etc.
As an org admin you can launch a hunt on multiple orgs in the GUI, but each of those hunts is independent.
Also each server monitoring artifact is independent inside each org. So you can choose to upload only some orgs to Splunk and not others. Within each artifact instance the org() plugin will be constant by definition.
All right, I wasn't aware of that segregation even when launching on multiple orgs; I will then make the changes as you suggested. Should we close this PR and open a new one or just update this one?
Just update this one - thanks!
Done! Took the chance to also apply it to Elastic where I found it most useful. And thanks to you for your patience and great work!
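The LET binding suggested in the review above, written out as an added example (not the PR's own change or Velociraptor's shipped artifact): it keeps the columns visible in the hunk, assumes an upstream result set named `Rows` standing in for the artifact's real source, and uses VQL's materialising `<=` operator so `org().name` is evaluated once for the whole query rather than once per emitted row.

```vql
-- Added example, not the artifact's own VQL.
-- `<=` materialises the value when the LET runs. A plain `=` would define a
-- lazy expression that is re-evaluated each time the column is referenced,
-- which would not remove the per-row cost the review points out.
LET OrgName <= org().name

-- `Rows` is an assumption standing in for the upstream source of the
-- monitored artifact results; every other column matches the hunk.
SELECT timestamp(epoch=now()) AS timestamp,
       ClientId,
       Flow.session_id AS FlowId,
       "artifact_" + regex_replace(source=_value, re='[/.]', replace='_') AS _index,
       OrgName AS org_name
FROM Rows
```

Because each server monitoring artifact instance runs inside a single org, the materialised value is constant for the lifetime of the query, which is what makes binding it once correct.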
Update so the organization name is stored in a variable instead of being queried every single iteration. Add same behaviour to Elastic.
Add org_name field containing the Organization Name for use on Splunk --------- Co-authored-by: Mike Cohen <mike@velocidex.com>