Skip to content

Add flow completion e-mail notification artifact #1094

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 6 commits into
base: master
Choose a base branch
from
Draft

Add flow completion e-mail notification artifact #1094

wants to merge 6 commits into from

Conversation

misje
Copy link
Contributor

@misje misje commented Jul 28, 2025
edited
Loading

From the artifact description:

Send an e-mail when a client flow (with artifacts of interest) has finished.
Cancelled collections and collections with artifacts that do not satisfy
preconditions do not create notifications when they are finished.

Example use cases:

  • A collection is created for an offline client and you want to be notified
    when it finishes. The DelayThreshold ensures that e-mails are not sent unless
    flows complete some time later (i.e. not immediately).
  • An e-mail is sent to an auditor for every collection with detailed results
  • Send e-mails when flows (of interest) fail

If HTML is enabled, the e-mails look something like this:

image

Rows containing empty information, like in this example "Urgent", "Hunt", "Uploaded files", "Uploaded bytes" and "Error", are left out. For consistency, these can be included even if falsy by setting KeepEmptyRows to true.

In this example, a row called "Computer serial" is a custom line configured by adding the following to the ClientMetadata parameters:

Field Alias
serial Computer serial

where "serial" is a client metadata field for the client that completed the flow.

The same result looks like this in plain text:

image

If a flow fails, the output looks as follows:

image

@misje
Add flow completion e-mail notification artifact
0135b1b 
Use mail() to send an e-mail when a flow completes (or fails).
@misje
Copy link
Contributor Author

misje commented Jul 28, 2025

Job fails due to Velocidex/velociraptor#4368

scudette
scudette reviewed Jul 28, 2025
View reviewed changes
content/exchange/artifacts/Server.Alerts.Mail.yaml Outdated
args=(Title, Summary, Table(Values=TableRowsDict)))

// Add some CSS to make the table look at least a bit nice:
LET Body = if(
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might be easier to use the new template() function

https://docs.velociraptor.app/vql_reference/other/template/

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cheers. I was not aware of this new function. The VQL docs were a bit minimal. How much is implemented (from the go docs)? if, else, printf, with, whitespace modifiers,"|", any functions? Are VQL functions from the scope available?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After further thought I realized that the template feature is only available in the head release and so this makes the artifact not work on older servers. This might be OK for you though?

We should hopefully have an RC out very soon.

misje added 4 commits July 28, 2025 19:22
@misje
Use template() in favour of format()
af3d4de 
This increases readability and does not require escaping '%'.
@misje
Remove reference to "Exchange."
e10fd4f 
The reference to the artifact name did not match the actual artifact name.
@misje
Simplify dict query
f924ce0 
Refactor use of "useless scope()".
@misje
Do not format timestamps and durations if they are null
b01064d 
Also remove empty tables if there are no arguments, just like with all other fields.
@misje misje marked this pull request as draft August 2, 2025 19:21
@misje
Copy link
Contributor Author

misje commented Aug 2, 2025

I am going to rename the artifact, export useful functions, and also create another similar artifact that creates e-mails for alerts (Server.Internal.Alerts), hence the draft status. The work put into formatting dicts into HTML tables will be reused to present alert context in e-mails produced by alerts.

@misje
Export functions and reuse code in a new alert monitor
bf88c09 
The original artifact has been completely rewritten with mostly the same features, except one can choose to get e-mails for failed flows even if they do not match filters.

A new artifact, Server.Monitoring.Alerts, sends e-mails for alerts sent with alert(). Just as the original artifact, it includes a bunch of client and flow context, in addition to the alert context. A parameter lets one extract a severity value from the alert context, since such a concept is not native to alert().
@misje
Copy link
Contributor Author

misje commented Aug 7, 2025

The artifact descriptions need a little update, I want to rename the original artifact, and I want to write a knowledge base entry on how to set these up. The KB artifact should include examples on how alerts can be used.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@scudette scudette scudette left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@misje @scudette