```yaml
name: Custom.Server.Hunts.CancelAndDelete
description: |
  Velociraptor Hunts are a way of running the same flow on
  many endpoints at once. Hunts are issued very quickly and then
  wait until each endpoint returns results.

  Sometimes the artifacts collected take a long time and have an
  unacceptable performance impact on the endpoint. In some cases
  the artifacts end up retrieving far more data than is needed.

  For those cases you might want to run the following server
  artifact. It cancels all currently in-flight collections
  (stopping the hunt in the GUI only stops new machines from
  joining; it does not actively cancel existing collections).

  Optionally you can also remove any files already collected if you
  do not need them.

type: SERVER

parameters:
  - name: HuntId
    description: hunt_id whose associated flows should all be cancelled.
    default: "H.XXXXXX"
  - name: delete
    description: Also delete all collected files
    type: bool

sources:
  - queries:
      # Resolve every flow launched by the hunt, then cancel each one.
      - LET flows = SELECT ClientId,
               Flow.session_id AS FlowId,
               HuntId
        FROM hunt_flows(hunt_id=HuntId)
      - SELECT *,
               cancel_flow(client_id=ClientId, flow_id=FlowId) AS cancel_flow
        FROM flows

  - name: FlowFiles
    queries:
      # Walk the files each flow stored in the file store and delete them.
      # Only runs when the delete parameter is set.
      - LET files = SELECT * FROM foreach(
          row=flows,
          query={
             SELECT *,
                    file_store_delete(path=VFSPath) AS delete
             FROM enumerate_flow(flow_id=FlowId, client_id=ClientId)
          })
      - SELECT * FROM if(condition=delete, then=files)
```
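Because the artifact above cancels every flow the hunt ever launched and can delete collected data, a practitioner will usually want to see what is still in flight first. The companion server artifact below is an added example, not part of the gist; it lists the hunt's flows with their state and upload volume so the cancel/delete run can be confirmed against a concrete list. It assumes that `hunt_flows()` rows expose the collection context as the `Flow` column, with `state` reading `"RUNNING"` for in-flight collections and `total_uploaded_bytes` holding the bytes received so far.

```yaml
name: Custom.Server.Hunts.ListInflightFlows
description: |
  Dry-run companion to Custom.Server.Hunts.CancelAndDelete.
  Lists the flows a hunt has launched, optionally restricted to
  those still RUNNING, so you can check which collections would be
  cancelled (and how much data they have already uploaded) before
  running the destructive artifact.

  Assumption: Flow.state and Flow.total_uploaded_bytes are the
  collection-context fields populated by hunt_flows().

type: SERVER

parameters:
  - name: HuntId
    description: hunt_id whose flows should be listed.
    default: "H.XXXXXX"
  - name: OnlyRunning
    description: Show only flows that are still in the RUNNING state.
    type: bool
    default: Y

sources:
  - queries:
      # One row per flow the hunt scheduled, with the fields needed
      # to decide whether cancelling it is worthwhile.
      - LET all_flows = SELECT ClientId,
               Flow.session_id AS FlowId,
               Flow.state AS State,
               Flow.total_uploaded_bytes AS UploadedBytes
        FROM hunt_flows(hunt_id=HuntId)

      # Default to the in-flight subset; clear OnlyRunning to audit
      # finished and errored flows as well.
      - SELECT * FROM if(
          condition=OnlyRunning,
          then={ SELECT * FROM all_flows WHERE State = "RUNNING" },
          else=all_flows)
```

Run it with the same HuntId, review the rows, and only then launch Custom.Server.Hunts.CancelAndDelete with `delete` set.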