the endpoint /healthz is useful for monitoring minion's health status, but cannot be found in the docs currently

          Is this different than https://github.com/Velocidex/velociraptor/blob/091d96634d8613d76ffcd9d1eabe442252cac71e/artifacts/definitions/Windows/Applications/NirsoftBrowserViewer.yaml#L3 ?

Should we just incorporate it there?

Originally posted by @scudette in #654 (comment)

Yes. it may be similar. could be incorporated.
FileActivityWatch is brand new and doesn't have a similar yaml

Its only shown the Debian's one.
Thanks

For both server and clients.

https://docs.velociraptor.app/docs/vql/notebooks/

The end of the page indicates it's going to walk through how to run an artifact in a notebook locally but then ends abruptly

The number of artifacts in the exchange is growing and we need to trim them a bit in order to increase quality.

The following guidelines make sense

1. Artifacts the specifically search in event logs should be merged into the sigma project
2. Artifacts the look in sqlite files should be merged in sqlitehunter
3. Artifacts that run external tools should pin tool hashes
4. Artifacts that look for specific threats should be removed once the threat is too old (e.g. log4j)

The first http request is used to first check for version timestamp and find zip url of DetectRaptor package.

The first request is set to https://api.github.com/repos/mgreen27/DetectRaptor/releases.

I don't know if it's due to an update on GitHub side, but right now the Server.ImportDetectRaptor server artifact fails to execute properly because GitHub API wants the User-Agent header to be set. Below is the corresponding Log:

Request forbidden by administrative rules. Please make sure your request has a User-Agent header (https://docs.github.com/en/rest/overview/resources-in-the-rest-api#user-agent-required). Check https://developer.github.com for other possible causes.

So I propose to pass a user-agent value in the user_gent argument of http_client() on the first call (PR to come). That way the forbidden error is no longer returned and the import is successful.

Hello! This isn't really an "issue" or "bug", but I came across your documentation regarding the use of CIS-CAT Lite here: https://docs.velociraptor.app/exchange/artifacts/pages/windows.audit.ciscat_lite/.

I wanted to let you know you could actually automate the process and avoid having to register with CIS by using their publicly available API to download the latest version of CIS-CAT Lite. Documentation for that API is at https://ssapi.docs.cisecurity.org/en/latest/endpoints/cis-cat-lite-latest.html.

I am sure automating the full process of downloading, unzipping and running CIS-CAT Lite, and uploading the HTML report could be a helpful addition to your tools. Hope it helps!

In particular explain how the ACLs interact with the API connections

The file Log4jVulnHunter.yaml causes multiple instances of the following errors and finishes in ERROR state.

glob: Field root Expecting a path arg type, not *url.URL

and

Symbol FullPath not found.

I'm sorry if this is not the place where this issue should be opened

But when using Velociraptor v0.7.1-1, both Generic.Detection.Log4jVulnHunter and Generic.Detection.log4jRCE uses the FullPath arg in

/*Generic.Detection.Log4jVulnHunter*/
FROM Recurse(File=FullPath, OriginalFile=FullPath,Container=FullPath,RecursionRounds=0)

/*Generic.Detection.log4jRCE*/
LET files = SELECT FullPath, Name, Size , Mtime, Atime, Ctime, Btime

I replaced FullPath by OSPath locally and it solved this problem !

Hi Guys!
I miss some kind of a reference page about the Config file in documentation.
I've started to create it. But before I proceed, I would like to know your thoughts about it.
Here is 2 screenshots how I see it 1, 2
I used this file as a source, but I'm not sure if it actually enough. For me, it is more convenient to show examples and attach links within the Documentation.

Do we need it or such reference can be created in some automated way with fewer efforts?