Fetch useful info from clients and store it as client metadata (Velocidex#1203)

# Client metadata and asset management

Although I imagine everyone using Velociraptor mostly to fetch data en
masse using hunts, personally I usually look up individual clients for
investigations. Later on I will run targeted hunts based on
metadata/tags, and rarely hunt across the whole fleet.

One of the perhaps biggest upgrades for myself has been to be able to
look up clients based on their serial number or assigned owner (fetched
from an asset management system). I have since extended this system to
tie the client to external systems and agents like Defender/Intune/Entra
and Action1/NinjaOne based on its serial or agent ID.

I have used most of these artifacts for years now, but I have not had
the capacity to document how to use them. predictible has since written
a good [knowledge base
artifact](https://docs.velociraptor.app/knowledge_base/tips/automating_metadata/)
that covers most if not all the concepts, so releasing the following
artifacts may not require a lot of additional documentation. There
should be at least a complete example showing

- How to extend Custom.Generic.Client.Info with
Generic.Client.HW.Identification
- Configure Server.Monitor.StoreClientHWInfo (illustrate how to use
SerialColumn and HWInfoMetadata)
- Configure Server.Monitor.StoreClientInfo (illustrate how to use
InfoMetadata)

An excellent showcase would use Defender, ADStatus FIXME for more useful
fields.

Perhaps a knowledge base article or blog post (whichever is the most
suitable format) referring to predictible's existing article, then
simply setting up all artifacts and showing how to look up various
indexed metadata provided by these new artifacts is enough?

## Client artifacts

Gather information from the client system.

These are helper artifacts fetching information about the client. The
aim is to extract some sort of identifier, a computer serial or some
sort of ID, that will later be used to fetch a lot of telemetry from the
computer from another agent. – Rather than implementing all of that in
Veloriraptor. However, when the useful data is already there as part of
fetching this identifier, it will be included in the artifact.

The intended way to use of these artifacts is by calling them from
Custom.Generic.Client.Info, but they may be used on their own.

## Generic.Client.HW.Identification

This artifact fetches useful hardware identification values from all
OSes and has served me well for years. It would be nice to gather
experience from manufacturers that I have never run clients on. The only
changes it has seen recently is a very rudimentary attempt to detect
whether the client is running in a VM.

## Generic.Client.ADStatus

The primary use case for this artifact is to get a simple answer to
whether the computer is joined to an Active Directory domain or not.
Depending on the OS, a lot more details are provided.

## Generic.Client.Defender.Health

The primary use case for this artifact is to get the MDATP machine ID
for all three OSes, but an extensive list of health data from the agent
is fetched.

## TODO: A good fourth example

I have some ideas, but I am very open for suggestions that goes beyond
just my own particular needs.

## Server event artifacts

Store information from interrogation as client metadata.

Storing data from the Custom.Generic.Client.Info is easy and almost does
not require its own published artifact. However, the following two
artifacts saves the user from having to write this themselves, and lets
them configure their desired result from parameters.

### Server.Monitor.StoreClientHWInfo

This is a relatively simple artifact, but it is very useful. The
parameter SerialColumn lets you choose which metadata columns (defaults
assuming Generic.Client.HW.Identification is used) to use for serial
value, in a prioritised order. The artifact comes with common patterns
to ignore. It could be extended with some transforms for manufacturers
who store serials in a weird way.

### Server.Monitor.StoreClientInfo

Given a specified interrogation artifact, this artifacts stores
specified columns from specified sources as optionally renamed metadata
values. Sources should only contain one row, but if they contain more,
the first row is picked.

Example use of the InfoMetadata parameter:

| Source | Field | Alias |

|------------------|----------------------------------------|-------------|
| BasicInformation | OS | os |
| BasicInformation | Architecture | arch |
| ADStatus | DomainJoined | ad_joined |
| MDATPHealth | MDATPHealth.edrMachineId | defender_id |
| ComputerSetup | Details.computer setup.execution.timestamp |
cs_executed |
| ComputerSetup | Details.computer setup.git.hash | cs_version |

(The ComputerSetup source here is an artifact fetching metadata produced
by an ansible playbook run, telling us when it was last executed, and
what version.)

This artifact could probably be over-engineered to add some sort of
transformation logic to support multiple rows. However, I think it is
fine as it is.

I am not sure if it is fixed, but attempting to store empty metadata
created issues in some version, hence the conditional at the end.

# Asset management

Now that clients have various IDs set in metadata, it would be great to
pull useful data (not stored on the endpoint) from external sources
using APIs. Examples:

- Fetch assigned owner and assigned use from an asset management system
- Look up account name / account ID
- Fetch vulnerabilities and security issues/recommendations
- TODO: plenty of examples to fill

Use cases where this additional information is fetched and then used in
a notebook are topics for a chapter of its own. Right now we want to
fetch data to store as additional indexed metadata. We will use one
particular example: Fetching information about the assigned owner from
an asset management system.

Velociraptor will give us plenty of information about logged-in users,
but I want to know who actually owns the computer. This can then be used
to determine whether the last-logged in user shouldn't even be logged
into the system in the first place. Other information, like assigned
department, location, or other useful custom fields, could also be
valuable.

We will use Snipe-IT as our example asset management system. It is most
likely not used in large enterprises, but is open-source and although a
bit cumbersome, still powerful and useful. I have been planning to write
one for Atlassian Assets. The system in question matters little, since
they will have have some sort of REST API and very common concepts.

We want to do the following:

- Fetch assets (perhaps matching certain filters)
- Match assets by serial
- Transform some of the information
- Synchronise selected data from the asset and save as client metadata

We want this data updated, so the data will be synchronised either

- On demand (running the server artifact)
- Whenever the client is interrogated, giving us immediate updates for
new clients (done by a server event artifact)
- Periodically, so that changes in the assets are updated (e.g. new
owner) (done by a server event artifact)

The server event artifacts simply call the server artifacts. Since the
server artifact has a lot of important parameters, and since we cannot
expect the administrator to have to fill these in in three separate
places, the following is done:

- The server artifact saves its arguments to a server metadata value
- The event artifacts fetches all arguments from the same value

This may be elegant or ugly, depending on who you ask, but it works and
certainly beats the alternative.

## Server artifacts

### Server.Assets.SnipeIT.Sync

Querying Snipe-IT is trivial (at least with the QueryAPI server artifact
helper). However, in order to create a user-friendly way to select which
fields to synchronise, with support for custom fields and aliases,
additional logic is needed. The artifact may be used in three ways:

- Simply fetch all assets (matching filters)
- Fetch assets with a serial found in Velociraptor clients
- Synchronise client metadata

The first two are "read-only" actions and can be used with notebook
suggestions to

- Find clients missing serial numbers
- Find clients not in assets
- Find assets not running Velociraptor

## Server event artifacts

### Server.Monitor.SnipeIT.Sync.Interrogation

Update client metadata whenever it is interrogated. Shows what metadata
changed (from/to).

## Server.Monitor.SnipeIT.Sync.Periodic

Update client metadata at a specified interval. Shows what metadata
changed (from/to).

# Artifact table

Complete artifact list (with dependencies, if any):

| Name | Type | Deps. | Description |
|------|------|--------|-------------|
| Generic.Client.HW.Identification | Client | - | Pull hardware
identification information from the system, like serial number and
computer model |
| Generic.Client.ADStatus | Client | - | Fetch Active Directory status |
| Generic.Client.Defender.Health | Client | - | Get Microsoft Defender
health status |
| Server.Monitor.StoreClientHWInfo | Server | - | Store client HW info
as metadata |
| Server.Monitor.StoreClientInfo | Server | (HW.Identification) | Store
client info as metadata |
| Server.Utils.QueryAPI | Server | - | Query an HTTP API with login and
pagination support |
| Server.Assets.SnipeIT.Sync | Server | (QueryAPI) | Save key Snipe-IT
asset information as client metadata |
| Server.Monitor.SnipeIT.Sync.Interrogation | Server event |
SnipeIT.Sync | Update asset information when client is interrogated |
| Server.Monitor.SnipeIT.Sync.Periodic | Server event | SnipeIT.Sync |
Update asset information regularly at a specified interval |

---------

Co-authored-by: Mike Cohen <mike@velocidex.com>

Author: misje

.github/workflows/gh-pages.yml

@@ -9,6 +9,9 @@ on:
 jobs:
   deploy:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+
     steps:
       - uses: actions/checkout@v2
         with:

content/exchange/artifacts/Generic.Client.ADStatus.yaml

@@ -0,0 +1,115 @@
+name: Generic.Client.ADStatus
+author: Andreas Misje – @misje
+description: |
+  Get Active Directory join status from a computer.
+
+  `DomainJoined` (boolean) and `Domain` (uppercase) are returned on all
+  operating systems. Additional columns depend on the OS:
+
+  - **Linux**: uses `realm list` (realm/sssd). Adds `_RealmType`,
+    `_RealmName`, `AllowedUsers`, `AllowedGroups`.
+  - **Windows**: uses `dsregcmd /status`. Adds `AzureAdJoined`,
+    `EnterpriseJoined`, `NetBIOS`, `DeviceName`.
+  - **macOS**: uses `dsconfigad -show`. Adds `DeviceName`, `AdminGroups`.
+
+  On Linux hosts without realm/sssd installed, `realm list` is absent and
+  the artifact returns `DomainJoined: false`. Treat that as "unknown" if
+  the deployment mixes hosts that may not have realm at all.
+
+  ## Use as part of client interrogation
+
+  This artifact is designed to be called from a custom override of
+  [`Generic.Client.Info`](/artifact_references/pages/generic.client.info/)
+  so that AD status is collected on every interrogation. Combined with
+  [`Server.Monitor.StoreClientInfo`](/exchange/artifacts/pages/server.monitor.storeclientinfo/),
+  the result can be saved as searchable client metadata such as
+  `ad_joined: true` or `ad_domain: AD.EXAMPLE.ORG`. See
+  [How can I automatically add & update client metadata?](/knowledge_base/tips/automating_metadata/)
+  for an in-depth walkthrough about how to save interrogation data as
+  client metadata.
+
+  #metadata #activedirectory
+
+type: CLIENT
+
+implied_permissions:
+  - EXECVE
+
+sources:
+  - query: |
+      LET Info <= SELECT OS
+        FROM info()
+
+      LET SplitString(String) = filter(regex='.+',
+                                       list=split(string=String, sep=', ?'))
+
+      LET LinuxStatus = SELECT
+          parse_string_with_regex(
+            string=Stdout,
+            regex=(''' +type: +(?P<_RealmType>.*)''', ''' +realm-name: +(?P<_RealmName>.*)''', ''' +domain-name: +(?P<Domain>.*)''', ''' +permitted-logins: +(?P<AllowedUsers>.*)''', ''' +permitted-groups: +(?P<AllowedGroups>.*)''', )) AS ADStatus
+        FROM execve(
+          argv=('realm', 'list'))
+
+      LET WindowsStatus = SELECT
+          parse_string_with_regex(
+            string=Stdout,
+            regex=('''(?s)Device State.+AzureAdJoined *: *(?P<AzureAdJoined>\S+)''', '''(?s)Device State.+EnterpriseJoined *: *(?P<EnterpriseJoined>\S+)''', '''(?s)Device State.+DomainJoined *: *(?P<DomainJoined>\S+)''', '''(?s)Device State.+DomainName *: *(?P<NetBIOS>\S+)''', '''(?s)Device State.+Device Name *: *(?P<DeviceName>\S+)''', )) AS ADStatus
+        FROM execve(
+          argv=('dsregcmd', '/status'))
+
+      LET DarwinStatus = SELECT
+          parse_string_with_regex(
+            string=Stdout,
+            regex=('''Active Directory Domain += +(?P<Domain>\S+)''', '''Computer Account += +(?P<DeviceName>\S+)\$''', ''' +Allowed admin groups += +(?P<AdminGroups>.+)''', )) AS ADStatus
+        FROM execve(
+          argv=('dsconfigad', '-show'))
+
+      LET ADDict = SELECT
+          ADStatus + dict(Domain=upcase(string=ADStatus.Domain)) AS ADStatus
+        FROM switch(
+          linux={
+          SELECT *
+          FROM if(
+            condition=Info[0].OS = 'linux',
+            then={
+          SELECT ADStatus + dict(
+                   DomainJoined=ADStatus != dict(),
+                   AllowedUsers=SplitString(String=ADStatus.AllowedUsers),
+                   AllowedGroups=SplitString(String=ADStatus.AllowedGroups)) AS ADStatus
+          FROM LinuxStatus
+        })
+        },
+          windows={
+          SELECT
+          *
+          FROM if(
+            condition=Info[0].OS = 'windows',
+            then={
+          SELECT
+          ADStatus + dict(
+            AzureAdJoined=ADStatus.AzureAdJoined = 'YES',
+            EnterpriseJoined=ADStatus.EnterpriseJoined = 'YES',
+            DomainJoined=ADStatus.DomainJoined = 'YES') +
+            parse_string_with_regex(
+              string=ADStatus.DeviceName,
+              regex='''^(?P<DeviceName>[^.]+)\.(?P<Domain>\S+)$''') AS ADStatus
+          FROM WindowsStatus
+        })
+        },
+          darwin={
+          SELECT
+          *
+          FROM if(
+            condition=Info[0].OS = 'darwin',
+            then={
+          SELECT
+          ADStatus + dict(
+            DomainJoined=ADStatus != dict(),
+            AdminGroups=SplitString(
+              String=ADStatus.AdminGroups)) AS ADStatus
+          FROM DarwinStatus
+        })
+        })
+
+      SELECT *
+      FROM foreach(row=ADDict, column='ADStatus')

content/exchange/artifacts/Generic.Client.Defender.Health.yaml

@@ -0,0 +1,170 @@
+name: Generic.Client.Defender.Health
+author: Andreas Misje – @misje
+description: |
+  Get Microsoft Defender for Endpoint (MDATP) health and configuration.
+
+  MDATP is Microsoft's EDR product for Windows, macOS and Linux. This
+  artifact retrieves all available agent status and configuration via the
+  platform-native interface: `mdatp health --output json` on Linux and
+  macOS, `Get-MpComputerStatus` through
+  [`Windows.System.PowerShell`](/artifact_references/pages/windows.system.powershell/)
+  on Windows.
+
+  A single row is returned with a dict called `MDATPHealth` whose
+  shape differs across platforms. Linux and macOS are nearly
+  identical; Windows differs significantly. Platform-specific extras:
+
+  Linux:
+
+  - `behaviorMonitoring`
+  - `supplementaryEventsSubsystem`
+
+  macOS:
+
+  - `deviceControlEnforcementLevel`
+  - `ecsConfigurationIds`
+  - `fullDiskAccessEnabled`
+  - `networkEventsSubsystem`
+  - `tamperProtection`
+  - `troubleshootingMode`
+
+  Windows values are parsed from text output and arrive as strings
+  (e.g. the literal `'True'`, not the boolean `true`). Linux and macOS
+  values are properly typed JSON. The notebook suggestion **Common
+  MDATP health information** normalises a useful subset across all
+  three platforms.
+
+  ## Use as part of client interrogation
+
+  Although useful on its own to gather MDATP status from hosts, this
+  artifact can also be called from a custom override of
+  [`Generic.Client.Info`](/artifact_references/pages/generic.client.info/).
+  Combined with
+  [`Server.Monitor.StoreClientInfo`](/exchange/artifacts/pages/server.monitor.storeclientinfo/),
+  selected fields can be saved as client metadata. In particular,
+  `edrMachineId` can be used to identify the client in MDATP, and tie
+  the client ID to machines in Microsoft Graph API queries. See
+  [How can I automatically add & update client metadata?](/knowledge_base/tips/automating_metadata/)
+  for an in-depth walkthrough about how to save interrogation data as
+  client metadata.
+
+  #mdatp #metadata
+
+type: CLIENT
+
+implied_permissions:
+  - EXECVE
+
+sources:
+  - query: |
+      LET Info <= SELECT OS
+        FROM info()
+
+      SELECT *
+      FROM if(
+        condition=Info[0].OS = 'linux',
+        then={
+          SELECT parse_json(data=Stdout) AS MDATPHealth
+          FROM execve(argv=['/usr/bin/mdatp', 'health', '--output', 'json'])
+        },
+        else=if(
+          condition=Info[0].OS = 'darwin',
+          then={
+          SELECT parse_json(data=Stdout) AS MDATPHealth
+          FROM execve(argv=['/usr/local/bin/mdatp', 'health', '--output', 'json'])
+        },
+          else=if(
+            condition=Info[0].OS = 'windows',
+            then={
+          SELECT
+          to_dict(item={
+          SELECT _key,
+                 _value
+          FROM parse_records_with_regex(
+            file=Stdout,
+            accessor='data',
+            regex='''^\s*(?P<_key>\S+)\s+:\s+(?P<_value>[^\r\n]+)''')
+        }) + dict(
+            edrMachineId=read_file(
+              accessor='reg',
+              filename='''HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\senseId''')) AS MDATPHealth
+          FROM Artifact.Windows.System.PowerShell(
+            Command='Get-MpComputerStatus')
+        })))
+
+    notebook:
+      - name: Common MDATP health information
+        type: vql_suggestion
+        template: |
+          /*
+          # Common MDATP health information
+          */
+          LET ColumnTypes <= dict(`ClientId`='client')
+
+          LET S = scope()
+
+          LET Result <= SELECT
+              ClientId,
+              S.Fqdn || client_info(client_id=ClientId).os_info.fqdn AS Fqdn,
+              S.MDATPHealth || dict() AS D
+            FROM source()
+
+          SELECT *
+          FROM foreach(
+            row=Result,
+            query={
+              SELECT *
+              FROM if(
+                condition='AMEngineVersion' IN D,
+                then={
+              SELECT
+              ClientId,
+              Fqdn,
+              D.edrMachineId AS edrMachineId,
+              D.AMProductVersion AS appVersion,
+              D.AMEngineVersion AS engineVersion,
+              D.AntivirusSignatureVersion AS definitionsVersion,
+              timestamp(string=D.AntivirusSignatureLastUpdated) AS definitionsUpdated,
+              if(condition=D.DefenderSignaturesOutOfDate = NULL,
+                  then=NULL,
+                  else=D.DefenderSignaturesOutOfDate != 'False') AS definitionsUpToDate,
+              if(condition=D.BehaviorMonitorEnabled = NULL,
+                  then=NULL,
+                  else=D.BehaviorMonitorEnabled = 'True') AS behaviorMonitoringEnabled,
+              if(condition=D.RealTimeProtectionEnabled = NULL,
+                  then=NULL,
+                  else=D.RealTimeProtectionEnabled = 'True') AS realTimeProtectionEnabled,
+              if(
+                condition=D.IsTamperProtected = NULL,
+                then=NULL,
+                else=D.IsTamperProtected = 'True') AS tamperProtectionEnabled,
+              if(
+                condition=D.TroubleShootingMode = NULL,
+                then=NULL,
+                else=D.TroubleShootingMode != 'Disabled') AS troubleshootingModeEnabled
+              FROM scope()
+            },
+                else={
+              SELECT
+              ClientId,
+              Fqdn,
+              D.edrMachineId AS edrMachineId,
+              D.appVersion AS appVersion,
+              D.engineVersion AS engineVersion,
+              D.definitionsVersion AS definitionsVersion,
+              timestamp(
+                epoch=D.definitionsUpdated) AS definitionsUpdated,
+              if(
+                condition=D.definitionsStatus.`$type` = NULL,
+                then=NULL,
+                else=D.definitionsStatus.`$type` = 'upToDate') AS definitionsUpToDate,
+              // Not available in Darwin:
+              D.behaviorMonitoring.displayValue AS behaviorMonitoringEnabled,
+              D.realTimeProtectionEnabled.value AS realTimeProtectionEnabled,
+              // Not available in Linux:
+              D.tamperProtection.displayValue AS tamperProtectionEnabled,
+              // Not available in Linux:
+              D.troubleshootingMode AS troubleshootingModeEnabled
+              FROM scope()
+            })
+            })