Updates to GRR Osquery modules (log2timeline#911)

* Fix pathspec proto attribute * Updates
aarontp · Aug 27, 2024 · 147e5be · 147e5be
1 parent 25bac89
commit 147e5be
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 6 deletions.
diff --git a/dftimewolf/lib/collectors/grr_hosts.py b/dftimewolf/lib/collectors/grr_hosts.py
@@ -458,7 +458,7 @@ def _DownloadOsquery(
         # We don't do anything with any collected files for now as we are just
         # interested in the osquery results.
         self.logger.info(
-            f'Skipping collected file - {payload.stat_entry.path_spec}.')
+            f'Skipping collected file - {payload.stat_entry.pathspec}.')
         continue
       if not isinstance(payload, osquery_flows.OsqueryResult):
         self.logger.error(f'Incorrect results format from flow ID {flow_id}')
@@ -1213,7 +1213,7 @@ def _DownloadResults(self,
       if isinstance(payload, osquery_flows.OsqueryCollectedFile):
         # We don't do anything with any collected files for now as we are just
         # interested in the osquery results.
-        self.logger.info(f'File collected - {payload.stat_entry.path_spec}.')
+        self.logger.info(f'File collected - {payload.stat_entry.pathspec}.')
         continue
       if not isinstance(payload, osquery_flows.OsqueryResult):
         self.logger.error(f'Incorrect results format from flow ID {grr_flow}')

diff --git a/dftimewolf/lib/collectors/grr_hunt.py b/dftimewolf/lib/collectors/grr_hunt.py
@@ -907,28 +907,31 @@ def _GetAndWriteResults(
     for result in hunt.ListResults():
       payload = result.payload
 
-      grr_client = list(self.grr_api.SearchClients(result.client.client_id))[0]
+      client_id = result.client.client_id
+      grr_client = list(self.grr_api.SearchClients(client_id))[0]
       client_hostname = grr_client.data.os_info.fqdn.lower()
 
       if isinstance(payload, osquery_flows.OsqueryCollectedFile):
         # We don't do anything with any collected files for now as we are just
         # interested in the osquery results.
-        self.logger.info(f'File collected - {payload.stat_entry.path_spec}.')
+        self.logger.info(f'File collected - {payload.stat_entry.pathspec}.')
         continue
 
       if not isinstance(payload, osquery_flows.OsqueryResult):
         self.ModuleError(
-            f'Incorrect results format from {result.client.client_id} '
+            f'Incorrect results format from {client_id} '
             f'({client_hostname}).  Possibly not an osquery hunt.',
             critical=True)
         continue
 
       headers = [column.name for column in payload.table.header.columns]
       data = [row.values for row in payload.table.rows]
       data_frame = pd.DataFrame.from_records(data, columns=headers)
+      data_frame['client_hostname'] = client_hostname
+      data_frame['client_id'] = client_id
 
       output_filename = os.path.join(output_path, f'{client_hostname}.csv')
-      data_frame.to_csv(output_filename)
+      data_frame.to_csv(output_filename, index=False)
       self.results.append((client_hostname, output_filename))
 
     return self.results