# Velociraptor DFIR
The Velociraptor DFIR connector enables automated forensic data collection and incident response actions within the Swimlane Turbine platform. Velociraptor DFIR is a powerful digital forensics and incident response (DFIR) tool that provides detailed endpoint visibility and facilitates in-depth investigations. This connector allows Swimlane Turbine users to integrate Velociraptor's capabilities directly into their security workflows, enabling automated labeling, quarantining, and retrieval of client data. By leveraging this integration, security teams can execute custom queries, manage client statuses, and analyze forensic artifacts, thereby enhancing their incident response efficiency and reducing time to resolution.

## Prerequisites

Before integrating Velociraptor DFIR with Swimlane Turbine, ensure you have the following:

API config file authentication with these parameters:

- URL: the endpoint URL for the Velociraptor DFIR server
- API Config Base64: a base64-encoded string containing the API configuration details for secure communication with the Velociraptor server

## Capabilities

This connector provides the following capabilities:

- Add Client Label
- Add Client Quarantine
- Get Client Flow Results
- Get Client Flows
- Get Client ID
- Get Client Label
- Get Hunt Flows
- Get Hunt Results
- Remove Client Label
- Remove Client Quarantine
- Search Filename
- Search Hash
- Search With Custom Query

## Limitations

Include information about known limitations here, including supported or minimum versions, especially known unsupported versions.

## Asset Setup

### Create a client API certificate

Create a client API certificate using this command:

```
velociraptor --config server.config.yaml config api_client --name mike --role administrator api_config.yaml
```

Now convert `api_config.yaml` to base64 and pass the base64 string in the `api_config_base64` field of the asset configuration.

## Configurations

### Velociraptor asset

Authenticates using an API config file.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| api_config_base64 | Convert the `api_config.yaml` file to base64. Check the README to generate an `api_config.yaml` file. | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Add Client Label

Assigns a specified label to a client in Velociraptor DFIR using the provided client ID.

Endpoint method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| client_id | string | required | Client ID to label |
| label | string | required | Parameter for Add Client Label |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | array | Output field response |
| client_id | string | Unique identifier |
| agent_information | object | Output field agent_information |
| version | string | Output field version |
| name | string | Name of the resource |
| build_time | string | Time value |
| build_url | string | URL endpoint for the request |
| os_info | object | Output field os_info |
| system | string | Output field system |
| hostname | string | Name of the resource |
| release | string | Output field release |
| machine | string | Output field machine |
| fqdn | string | Output field fqdn |
| mac_addresses | array | Output field mac_addresses |
| first_seen_at | number | Output field first_seen_at |
| last_seen_at | number | Output field last_seen_at |
| last_ip | string | Output field last_ip |
| last_interrogate_flow_id | string | Unique identifier |
| last_interrogate_artifact_name | string | Name of the resource |
| labels | array | Output field labels |
| file_name | string | Name of the resource |
| file | string | Output field file |
| last_hunt_timestamp | number | Output field last_hunt_timestamp |
| last_event_table_version | number | Output field last_event_table_version |
| last_label_timestamp | number | Output field last_label_timestamp |

Example:

```json
[{"response": [{}]}]
```

### Add Client Quarantine

Initiates quarantine for a specified client in Velociraptor DFIR using the provided client ID.

Endpoint method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| client_id | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | array | Output field response |
| ``collect_client(client_id='C.b279741549ca223d', artifacts=['Windows.Remediation.Quarantine'], spec=dict(`Windows.Remediation.Quarantine`=dict()))`` | object | Unique identifier |
| flow_id | string | Unique identifier |
| request | object | Output field request |
| creator | string | Output field creator |
| user_data | string | Response data |
| client_id | string | Unique identifier |
| flow_id | string | Unique identifier |
| urgent | boolean | Output field urgent |
| artifacts | array | Output field artifacts |
| specs | array | Output field specs |
| artifact | string | Output field artifact |
| max_batch_wait | number | Output field max_batch_wait |
| max_batch_rows | number | Output field max_batch_rows |
| max_batch_rows_buffer | number | Output field max_batch_rows_buffer |
| cpu_limit | number | Output field cpu_limit |
| iops_limit | number | Output field iops_limit |
| progress_timeout | number | Output field progress_timeout |
| timeout | number | Output field timeout |
| max_rows | number | Output field max_rows |
| max_upload_bytes | number | Output field max_upload_bytes |
| trace_freq_sec | number | Output field trace_freq_sec |
| allow_custom_overrides | boolean | Unique identifier |
| log_batch_time | number | Time value |
| compiled_collector_args | array | Output field compiled_collector_args |

Example:

```json
[{"response": [{}]}]
```

### Get Client Flow Results

Retrieves results for a specific flow from Velociraptor DFIR using the provided client ID, flow ID, and artifact.

Endpoint method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| client_id | string | required | Unique identifier |
| flow_id | string | required | Unique identifier |
| artifact | string | required | Parameter for Get Client Flow Results |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | array | Output field response |
| filesystem | string | Output field filesystem |
| size | string | Output field size |
| used | number | Output field used |
| avail | string | Output field avail |
| use% | string | Output field use% |
| mounted | string | Output field mounted |

Example:

```json
[
  {
    "response": [
      {"filesystem": "udev", "size": "16G", "used": 0, "avail": "16G", "use%": "0%", "mounted": "/dev"},
      {"filesystem": "tmpfs", "size": "3.2G", "used": "1.6M", "avail": "3.2G", "use%": "1%", "mounted": "/run"},
      {"filesystem": "/dev/sda5", "size": "688G", "used": "28G", "avail": "625G", "use%": "5%", "mounted": "/"}
    ]
  }
]
```

### Get Client Flows

Retrieves all active and completed flows for a specified client in Velociraptor DFIR using the client's unique identifier.

Endpoint method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| client_id | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | array | Output field response |
| client_id | string | Unique identifier |
| session_id | string | Unique identifier |
| request | object | Output field request |
| creator | string | Output field creator |
| user_data | string | Response data |
| client_id | string | Unique identifier |
| flow_id | string | Unique identifier |
| urgent | boolean | Output field urgent |
| artifacts | array | Output field artifacts |
| specs | array | Output field specs |
| artifact | string | Output field artifact |
| env | array | Output field env |
| max_batch_wait | number | Output field max_batch_wait |
| max_batch_rows | number | Output field max_batch_rows |
| max_batch_rows_buffer | number | Output field max_batch_rows_buffer |
| cpu_limit | number | Output field cpu_limit |
| iops_limit | number | Output field iops_limit |
| progress_timeout | number | Output field progress_timeout |
| timeout | number | Output field timeout |
| max_rows | number | Output field max_rows |
| max_upload_bytes | number | Output field max_upload_bytes |
| trace_freq_sec | number | Output field trace_freq_sec |
| allow_custom_overrides | boolean | Unique identifier |
| log_batch_time | number | Time value |

Example:

```json
[{"response": []}]
```

### Get Client ID

Obtains the unique client ID for a given host within Velociraptor DFIR, requiring the host's specific identifier.

Endpoint method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| host | string | required | Parameter for Get Client ID |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | string | Output field response |

Example:

```json
[{"response": "C.b279741549ca223d"}]
```

### Get Client Label

Retrieves a specific label for a client in Velociraptor DFIR using the given client ID.

Endpoint method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| client_id | string | required | Unique identifier |
| label | string | required | Parameter for Get Client Label |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | array | Output field response |
| client_id | string | Unique identifier |
| agent_information | object | Output field agent_information |
| version | string | Output field version |
| name | string | Name of the resource |
| build_time | string | Time value |
| build_url | string | URL endpoint for the request |
| os_info | object | Output field os_info |
| system | string | Output field system |
| hostname | string | Name of the resource |
| release | string | Output field release |
| machine | string | Output field machine |
| fqdn | string | Output field fqdn |
| mac_addresses | array | Output field mac_addresses |
| first_seen_at | number | Output field first_seen_at |
| last_seen_at | number | Output field last_seen_at |
| last_ip | string | Output field last_ip |
| last_interrogate_flow_id | string | Unique identifier |
| last_interrogate_artifact_name | string | Name of the resource |
| labels | array | Output field labels |
| last_hunt_timestamp | number | Output field last_hunt_timestamp |
| last_event_table_version | number | Output field last_event_table_version |
| last_label_timestamp | number | Output field last_label_timestamp |
| label_check | object | Output field label_check |
| clientid | string | Unique identifier |

Example:

```json
[{"response": [{}]}]
```

### Get Hunt Flows

Retrieves all flows initiated by a specific hunt in Velociraptor DFIR using the unique hunt ID.

Endpoint method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| hunt_id | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | array | Output field response |
| huntid | string | Unique identifier |
| clientid | string | Unique identifier |
| flowid | string | Unique identifier |
| flow | object | Output field flow |
| client_id | string | Unique identifier |
| session_id | string | Unique identifier |
| request | object | Output field request |
| creator | string | Output field creator |
| user_data | string | Response data |
| client_id | string | Unique identifier |
| flow_id | string | Unique identifier |
| urgent | boolean | Output field urgent |
| artifacts | array | Output field artifacts |
| specs | array | Output field specs |
| file_name | string | Name of the resource |
| file | string | Output field file |
| cpu_limit | number | Output field cpu_limit |
| iops_limit | number | Output field iops_limit |
| progress_timeout | number | Output field progress_timeout |
| timeout | number | Output field timeout |
| max_rows | number | Output field max_rows |
| max_upload_bytes | number | Output field max_upload_bytes |
| trace_freq_sec | number | Output field trace_freq_sec |
| allow_custom_overrides | boolean | Unique identifier |

Example:

```json
[{"response": []}]
```

### Get Hunt Results

Retrieves results for a specific Velociraptor DFIR hunt using the hunt ID and artifact parameters.

Endpoint method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| hunt_id | string | required | Unique identifier |
| artifact | string | required | Parameter for Get Hunt Results |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | array | Output field response |
| filesystem | string | Output field filesystem |
| size | string | Output field size |
| used | number | Output field used |
| avail | string | Output field avail |
| use% | string | Output field use% |
| mounted | string | Output field mounted |
| flowid | string | Unique identifier |
| clientid | string | Unique identifier |
| orgid | string | Unique identifier |
| fqdn | string | Output field fqdn |

Example:

```json
[{"response": []}]
```

### Remove Client Label

Removes a specified label from a Velociraptor DFIR client using the provided client ID and label.

Endpoint method: DELETE

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| client_id | string | required | Unique identifier |
| label | string | required | Parameter for Remove Client Label |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | array | Output field response |
| client_id | string | Unique identifier |
| agent_information | object | Output field agent_information |
| version | string | Output field version |
| name | string | Name of the resource |
| build_time | string | Time value |
| build_url | string | URL endpoint for the request |
| os_info | object | Output field os_info |
| system | string | Output field system |
| hostname | string | Name of the resource |
| release | string | Output field release |
| machine | string | Output field machine |
| fqdn | string | Output field fqdn |
| mac_addresses | array | Output field mac_addresses |
| first_seen_at | number | Output field first_seen_at |
| last_seen_at | number | Output field last_seen_at |
| last_ip | string | Output field last_ip |
| last_interrogate_flow_id | string | Unique identifier |
| last_interrogate_artifact_name | string | Name of the resource |
| labels | array | Output field labels |
| last_hunt_timestamp | number | Output field last_hunt_timestamp |
| last_event_table_version | number | Output field last_event_table_version |
| last_label_timestamp | number | Output field last_label_timestamp |
| `label(client_id='C.b279741549ca223d', labels=['first label 2'], op='remove')` | object | Unique identifier |
| clientid | string | Unique identifier |

Example:

```json
[{"response": [{}]}]
```

### Remove Client Quarantine

Removes a client from quarantine in Velociraptor DFIR using the specified client ID.

Endpoint method: DELETE

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| client_id | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | array | Output field response |
| ``collect_client(client_id="C.b279741549ca223d", artifacts=["Windows.Remediation.Quarantine"], spec=dict(`Windows.Remediation.Quarantine`=dict(`RemovePolicy`="Y")))`` | object | Unique identifier |
| flow_id | string | Unique identifier |
| request | object | Output field request |
| creator | string | Output field creator |
| user_data | string | Response data |
| client_id | string | Unique identifier |
| flow_id | string | Unique identifier |
| urgent | boolean | Output field urgent |
| artifacts | array | Output field artifacts |
| specs | array | Output field specs |
| artifact | string | Output field artifact |
| max_batch_wait | number | Output field max_batch_wait |
| max_batch_rows | number | Output field max_batch_rows |
| max_batch_rows_buffer | number | Output field max_batch_rows_buffer |
| cpu_limit | number | Output field cpu_limit |
| iops_limit | number | Output field iops_limit |
| progress_timeout | number | Output field progress_timeout |
| timeout | number | Output field timeout |
| max_rows | number | Output field max_rows |
| max_upload_bytes | number | Output field max_upload_bytes |
| trace_freq_sec | number | Output field trace_freq_sec |
| allow_custom_overrides | boolean | Unique identifier |
| log_batch_time | number | Time value |
| compiled_collector_args | array | Output field compiled_collector_args |

Example:

```json
[{"response": [{}]}]
```

### Search Filename

Initiates a search for a specific file by name and path across endpoints using Velociraptor DFIR.

Endpoint method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| file_name | string | required | Name of the resource |
| file_path | string | required | Parameter for Search Filename |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | array | Output field response |

Example:

```json
[{"response": []}]
```

### Search Hash

Initiates a hunt for a specific file hash with Velociraptor DFIR to detect potential security incidents. Requires a file hash as input.

Endpoint method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| file_hash | string | required | Parameter for Search Hash |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | array | Output field response |

Example:

```json
[{"response": []}]
```

### Search With Custom Query

Executes a user-defined VQL query in Velociraptor DFIR to search across collected data, with `query` as a required input.

Endpoint method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| query | string | required | Parameter for Search With Custom Query |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| response | array | Output field response |
| hostname | string | Name of the resource |
| uptime | number | Time value |
| boottime | number | Time value |
| procs | number | Output field procs |
| os | string | Output field os |
| platform | string | Output field platform |
| platformfamily | string | Output field platformfamily |
| platformversion | string | Output field platformversion |
| kernelversion | string | Output field kernelversion |
| virtualizationsystem | string | Output field virtualizationsystem |
| virtualizationrole | string | Output field virtualizationrole |
| compilerversion | string | Output field compilerversion |
| hostid | string | Unique identifier |
| exe | string | Output field exe |
| cwd | string | Output field cwd |
| isadmin | boolean | Output field isadmin |
| clientstart | string | Output field clientstart |
| fqdn | string | Output field fqdn |
| architecture | string | Output field architecture |

Example:

```json
[{"response": [{}]}]
```

## Notes

API documentation: https://docs.velociraptor.app/docs/server_automation/server_api/
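The asset setup above asks for `api_config.yaml` to be pasted as base64 into `api_config_base64`. The following added example (not part of the connector or of Velociraptor) encodes such a file and sanity-checks the encoded value before it is stored on the asset: it confirms the value really is base64 rather than raw YAML, that the top-level keys `config api_client` writes are present, and that the connection string looks like `host:port`, while reporting nothing that would expose the private key. The sample config and the host name in it are constructed placeholders; the key names are assumed to match what Velociraptor writes.

```python
import base64
import binascii
import re

# Top-level keys that `velociraptor config api_client` writes (assumption, see lead-in).
REQUIRED_KEYS = ("ca_certificate", "client_cert", "client_private_key", "api_connection_string")
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):\s*(.*)$")
HOST_PORT = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")

# Constructed sample api_config.yaml with placeholder PEM bodies (not a real key pair).
SAMPLE_CONFIG = """\
ca_certificate: |
  -----BEGIN CERTIFICATE-----
  PLACEHOLDERCA
  -----END CERTIFICATE-----
client_cert: |
  -----BEGIN CERTIFICATE-----
  PLACEHOLDERCLIENT
  -----END CERTIFICATE-----
client_private_key: |
  -----BEGIN RSA PRIVATE KEY-----
  PLACEHOLDERKEY
  -----END RSA PRIVATE KEY-----
api_connection_string: velociraptor.example.internal:8001
name: mike
"""


def encode_api_config(yaml_text: str) -> str:
    """Produce the value to paste into the api_config_base64 asset field."""
    return base64.b64encode(yaml_text.encode("utf-8")).decode("ascii")


def check_api_config_base64(value: str) -> dict:
    """Decode the asset field and report problems without echoing key material."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return {"ok": False, "errors": ["value is not valid base64 (raw YAML pasted instead?)"]}
    # Only top-level "key: value" lines are inspected; PEM bodies are indented and skipped.
    keys = {}
    for line in text.splitlines():
        match = TOP_LEVEL_KEY.match(line)
        if match:
            keys[match.group(1)] = match.group(2).strip()
    errors = [f"missing key: {key}" for key in REQUIRED_KEYS if key not in keys]
    endpoint = keys.get("api_connection_string", "")
    if "api_connection_string" in keys and not HOST_PORT.match(endpoint):
        errors.append("api_connection_string is not host:port")
    return {"ok": not errors, "errors": errors, "endpoint": endpoint, "name": keys.get("name", "")}
```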
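The Add/Remove Client Quarantine and Add/Remove Client Label outputs above show the VQL expressions these actions evaluate, with the workflow's `client_id` and `label` values interpolated into the query text. The added example below (not the connector's own code) builds those same expressions from workflow inputs and refuses any `client_id` that does not have Velociraptor's `C.<hex>` shape or any label containing quote or bracket characters, so that a value coming from an alert field cannot alter the query. The `op='set'` value for adding a label and the `SELECT ... FROM scope()` wrapper are assumptions about how these functions are invoked.

```python
import re

CLIENT_ID = re.compile(r"^C\.[0-9a-f]+$")          # Velociraptor client id shape, e.g. C.b279741549ca223d
SAFE_LABEL = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 _.-]{0,63}$")  # no quotes, brackets or newlines
QUARANTINE_ARTIFACT = "Windows.Remediation.Quarantine"  # artifact used by the quarantine actions


def _checked_client_id(client_id: str) -> str:
    """Accept only a well-formed client id; anything else is rejected before query building."""
    if not CLIENT_ID.match(client_id):
        raise ValueError(f"refusing to build VQL for malformed client_id: {client_id!r}")
    return client_id


def vql_quarantine(client_id: str, remove: bool = False) -> str:
    """VQL for Add Client Quarantine (remove=False) or Remove Client Quarantine (remove=True)."""
    cid = _checked_client_id(client_id)
    # RemovePolicy="Y" is the artifact parameter shown in the Remove Client Quarantine output.
    params = 'dict(`RemovePolicy`="Y")' if remove else "dict()"
    return (f"SELECT collect_client(client_id='{cid}', artifacts=['{QUARANTINE_ARTIFACT}'], "
            f"spec=dict(`{QUARANTINE_ARTIFACT}`={params})) FROM scope()")


def vql_label(client_id: str, label: str, remove: bool = False) -> str:
    """VQL for Add Client Label (op='set', assumed) or Remove Client Label (op='remove')."""
    cid = _checked_client_id(client_id)
    if not SAFE_LABEL.match(label):
        raise ValueError(f"refusing to build VQL for unsafe label: {label!r}")
    op = "remove" if remove else "set"
    return f"SELECT label(client_id='{cid}', labels=['{label}'], op='{op}') FROM scope()"


def is_safe_client_id(client_id: str) -> bool:
    """Convenience check a workflow can run before calling any client-scoped action."""
    return bool(CLIENT_ID.match(client_id))
```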