Velocidex
Add flow completion e-mail notification artifact
From the artifact description:
Send an e-mail when a client flow (with artifacts of interest) has finished. Cancelled collections and collections with artifacts that do not satisfy preconditions do not create notifications when they are finished.
Example use cases:
- A collection is created for an offline client and you want to be notified when it finishes. The DelayThreshold ensures that e-mails are not sent unless flows complete some time later (i.e. not immediately).
- An e-mail is sent to an auditor for every collection with detailed results
- Send e-mails when flows (of interest) fail
If HTML is enabled, the e-mails look something like this:
Rows containing empty information, like in this example "Urgent", "Hunt", "Uploaded files", "Uploaded bytes" and "Error", are left out. For consistency, these can be included even if falsy by setting KeepEmptyRows to true.
In this example, a row called "Computer serial" is a custom line configured by adding the following to the ClientMetadata parameters:
| Field | Alias |
|---|---|
| serial | Computer serial |
where "serial" is a client metadata field for the client that completed the flow.
The same result looks like this in plain text:
If a flow fails, the output looks as follows:
I am going to rename the artifact, export useful functions, and also create another similar artifact that creates e-mails for alerts (Server.Internal.Alerts), hence the draft status. The work put into formatting dicts into HTML tables will be reused to present alert context in e-mails produced by alerts.
The artifact descriptions need a little update, I want to rename the original artifact, and I want to write a knowledge base entry on how to set these up. The KB artifact should include examples on how alerts can be used.