predictiple/Custom.Server.UpdateArtifacts.yaml

## README.MD

      
    Raw
  

              README.MD
            
          
    You can monitor for changed artifacts by running:
SELECT * FROM watch_monitoring(artifact="Server.Internal.ArtifactModification")

  
## Custom.Server.UpdateArtifacts.yaml
name: Custom.Server.UpdateArtifacts
description: |
  Reloads custom artifacts every 5 minutes.
  Note that artifact_prefix is required.
  Change the ModTime filter if you don't want to only load files that have
  been updated in the last hour.

type: SERVER_EVENT

parameters:
  - name: artifacts_root
    default: /opt/velociraptor/filestore/artifact_definitions/
  - name: artifact_prefix
    default: Custom

sources:
  - query: |
      LET schedule = SELECT Local FROM clock(period=300)
      LET artifacts_on_disk <= SELECT FullPath FROM glob(globs=artifacts_root + '**')
                               WHERE FullPath =~ '.+yaml'
                               AND ModTime > timestamp(epoch=now() - 3600)
      SELECT { SELECT * FROM foreach(
        row=artifacts_on_disk,
        query={ SELECT artifact_set(definition=read_file(filename=FullPath), prefix=artifact_prefix) FROM scope() }) }
      FROM schedule
	name: Custom.Server.UpdateArtifacts
	description: \|
	Reloads custom artifacts every 5 minutes.
	Note that artifact_prefix is required.
	Change the ModTime filter if you don't want to only load files that have
	been updated in the last hour.

	type: SERVER_EVENT

	parameters:
	- name: artifacts_root
	default: /opt/velociraptor/filestore/artifact_definitions/
	- name: artifact_prefix
	default: Custom

	sources:
	- query: \|
	LET schedule = SELECT Local FROM clock(period=300)
	LET artifacts_on_disk <= SELECT FullPath FROM glob(globs=artifacts_root + '**')
	WHERE FullPath =~ '.+yaml'
	AND ModTime > timestamp(epoch=now() - 3600)
	SELECT { SELECT * FROM foreach(
	row=artifacts_on_disk,
	query={ SELECT artifact_set(definition=read_file(filename=FullPath), prefix=artifact_prefix) FROM scope() }) }
	FROM schedule