# Velociraptor DFIR
## Overview

The Velociraptor DFIR connector enables automated forensic data collection and incident response actions within the Swimlane Turbine platform. Velociraptor DFIR is a digital forensics and incident response (DFIR) tool that provides detailed endpoint visibility and supports in-depth investigations. This connector lets Swimlane Turbine users integrate Velociraptor's capabilities directly into their security workflows, enabling automated labeling, quarantining, and retrieval of client data. With this integration, security teams can execute custom queries, manage client status, and analyze forensic artifacts, improving incident response efficiency and reducing time to resolution.

## Prerequisites

Before integrating Velociraptor DFIR with Swimlane Turbine, ensure you have API Config File authentication with these parameters:

- URL: the endpoint URL for the Velociraptor DFIR server
- API Config Base64: a base64-encoded string containing the API configuration details for secure communication with the Velociraptor server

## Capabilities

This connector provides the following capabilities:

- Add Client Label
- Add Client Quarantine
- Get Client Flow Results
- Get Client Flows
- Get Client ID
- Get Client Label
- Get Hunt Flows
- Get Hunt Results
- Remove Client Label
- Remove Client Quarantine
- Search Filename
- Search Hash
- Search with Custom Query

## Limitations

Include information about known limitations here, including supported or minimum versions, especially known unsupported versions.

## Asset Setup

### Create a Client API Certificate

Create a client API certificate using this command:

```
velociraptor --config server.config.yaml config api_client --name mike --role administrator api_config.yaml
```

Now convert `api_config.yaml` to base64 and pass the base64 string in the API Config Base64 field of the asset.

## Notes

https://docs.velociraptor.app/docs/server_automation/server_api/

## Configurations

### Velociraptor Asset

Authenticates using an API config file.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| API Config Base64 | Convert the `api_config.yaml` file to base64; check the README to generate an `api_config.yaml` file | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Add Client Label

Assigns a specified label to a client in Velociraptor DFIR using the provided client ID.

Endpoint method: POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| client_id | string | required | Client ID to label |
| label | string | required | Parameter for Add Client Label |

Input example:

```json
{"client_id": "C.b279741549ca223d", "label": "first label 1"}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| response | array | Output field response |
| response.client_id | string | Unique identifier |
| response.agent_information | object | Output field response.agent_information |
| response.agent_information.version | string | Output field response.agent_information.version |
| response.agent_information.name | string | Name of the resource |
| response.agent_information.build_time | string | Time value |
| response.agent_information.build_url | string | URL endpoint for the request |
| response.os_info | object | Output field response.os_info |
| response.os_info.system | string | Output field response.os_info.system |
| response.os_info.hostname | string | Name of the resource |
| response.os_info.release | string | Output field response.os_info.release |
| response.os_info.machine | string | Output field response.os_info.machine |
| response.os_info.fqdn | string | Output field response.os_info.fqdn |
| response.os_info.mac_addresses | array | Output field response.os_info.mac_addresses |
| response.first_seen_at | number | Output field response.first_seen_at |
| response.last_seen_at | number | Output field response.last_seen_at |
| response.last_ip | string | Output field response.last_ip |
| response.last_interrogate_flow_id | string | Unique identifier |
| response.last_interrogate_artifact_name | string | Name of the resource |
| response.labels | array | Output field response.labels |
| response.labels.file_name | string | Name of the resource |
| response.labels.file | string | Output field response.labels.file |
| response.last_hunt_timestamp | number | Output field response.last_hunt_timestamp |
| response.last_event_table_version | number | Output field response.last_event_table_version |
| response.last_label_timestamp | number | Output field response.last_label_timestamp |

Output example:

```json
{
  "response": [
    {
      "client_id": "C.b279741549ca223d",
      "agent_information": {},
      "os_info": {},
      "first_seen_at": 1724747862,
      "last_seen_at": 1724774682386090,
      "last_ip": "127.0.0.1:41040",
      "last_interrogate_flow_id": "F.CR6P0LGJFCVJC",
      "last_interrogate_artifact_name": "Generic.Client.Info/BasicInformation",
      "labels": [],
      "last_hunt_timestamp": 0,
      "last_event_table_version": 0,
      "last_label_timestamp": 0,
      "label(client_id='C.b279741549ca223d', labels='first label 1', op='set')": {}
    }
  ]
}
```

### Add Client Quarantine

Initiates quarantine for a specified client in Velociraptor DFIR using the provided client ID.

Endpoint method: POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| client_id | string | required | Unique identifier |

Input example:

```json
{"client_id": "C.b279741549ca223d"}
```

Output parameters:

Each element of `response` is keyed by the VQL expression that launched the collection, ``collect_client(client_id='C.b279741549ca223d', artifacts=['Windows.Remediation.Quarantine'], spec=dict(`Windows.Remediation.Quarantine`=dict()))``. In the table below, `<key>` stands for that expression.

| Parameter | Type | Description |
| --- | --- | --- |
| response | array | Output field response |
| response.\<key\> | object | Unique identifier |
| response.\<key\>.flow_id | string | Unique identifier |
| response.\<key\>.request | object | Unique identifier |
| response.\<key\>.request.creator | string | Unique identifier |
| response.\<key\>.request.user_data | string | Response data |
| response.\<key\>.request.client_id | string | Unique identifier |
| response.\<key\>.request.flow_id | string | Unique identifier |
| response.\<key\>.request.urgent | boolean | Unique identifier |
| response.\<key\>.request.artifacts | array | Unique identifier |
| response.\<key\>.request.specs | array | Unique identifier |
| response.\<key\>.request.specs.artifact | string | Unique identifier |
| response.\<key\>.request.specs.max_batch_wait | number | Unique identifier |
| response.\<key\>.request.specs.max_batch_rows | number | Unique identifier |
| response.\<key\>.request.specs.max_batch_rows_buffer | number | Unique identifier |
| response.\<key\>.request.cpu_limit | number | Unique identifier |
| response.\<key\>.request.iops_limit | number | Unique identifier |
| response.\<key\>.request.progress_timeout | number | Unique identifier |
| response.\<key\>.request.timeout | number | Unique identifier |
| response.\<key\>.request.max_rows | number | Unique identifier |
| response.\<key\>.request.max_upload_bytes | number | Unique identifier |
| response.\<key\>.request.trace_freq_sec | number | Unique identifier |
| response.\<key\>.request.allow_custom_overrides | boolean | Unique identifier |
| response.\<key\>.request.log_batch_time | number | Unique identifier |
| response.\<key\>.request.compiled_collector_args | array | Unique identifier |

Output example:

```json
{"response": [{"collect_client(client_id='C.b279741549ca223d', artifacts=['Windows.Remediation.Quarantine'], spec=dict(`Windows.Remediation.Quarantine`=dict()))": {}}]}
```

### Get Client Flow Results

Retrieves results for a specific flow from Velociraptor DFIR using the provided client ID, flow ID, and artifact.

Endpoint method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| client_id | string | required | Unique identifier |
| flow_id | string | required | Unique identifier |
| artifact | string | required | Parameter for Get Client Flow Results |

Input example:

```json
{"client_id": "C.b279741549ca223d", "flow_id": "F.efsd245323453dfds", "artifact": "Generic.Client.DiskSpace"}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| response | array | Output field response |
| response.Filesystem | string | Output field response.Filesystem |
| response.Size | string | Output field response.Size |
| response.Used | number | Output field response.Used |
| response.Avail | string | Output field response.Avail |
| response.Use% | string | Output field response.Use% |
| response.Mounted | string | Output field response.Mounted |

Output example:

```json
{
  "response": [
    {"Filesystem": "udev", "Size": "16G", "Used": 0, "Avail": "16G", "Use%": "0%", "Mounted": "/dev"},
    {"Filesystem": "tmpfs", "Size": "3.2G", "Used": "1.6M", "Avail": "3.2G", "Use%": "1%", "Mounted": "/run"},
    {"Filesystem": "/dev/sda5", "Size": "688G", "Used": "28G", "Avail": "625G", "Use%": "5%", "Mounted": "/"}
  ]
}
```

### Get Client Flows

Retrieves all active and completed flows for a specified client in Velociraptor DFIR using the client's unique identifier.

Endpoint method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| client_id | string | required | Unique identifier |

Input example:

```json
{"client_id": "C.b279741549ca223d"}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| response | array | Output field response |
| response.client_id | string | Unique identifier |
| response.session_id | string | Unique identifier |
| response.request | object | Output field response.request |
| response.request.creator | string | Output field response.request.creator |
| response.request.user_data | string | Response data |
| response.request.client_id | string | Unique identifier |
| response.request.flow_id | string | Unique identifier |
| response.request.urgent | boolean | Output field response.request.urgent |
| response.request.artifacts | array | Output field response.request.artifacts |
| response.request.specs | array | Output field response.request.specs |
| response.request.specs.artifact | string | Output field response.request.specs.artifact |
| response.request.specs.parameters.env | array | Parameters for the Get Client Flows action |
| response.request.specs.max_batch_wait | number | Output field response.request.specs.max_batch_wait |
| response.request.specs.max_batch_rows | number | Output field response.request.specs.max_batch_rows |
| response.request.specs.max_batch_rows_buffer | number | Output field response.request.specs.max_batch_rows_buffer |
| response.request.cpu_limit | number | Output field response.request.cpu_limit |
| response.request.iops_limit | number | Output field response.request.iops_limit |
| response.request.progress_timeout | number | Output field response.request.progress_timeout |
| response.request.timeout | number | Output field response.request.timeout |
| response.request.max_rows | number | Output field response.request.max_rows |
| response.request.max_upload_bytes | number | Output field response.request.max_upload_bytes |
| response.request.trace_freq_sec | number | Output field response.request.trace_freq_sec |
| response.request.allow_custom_overrides | boolean | Unique identifier |
| response.request.log_batch_time | number | Time value |

Output example:

```json
{"response": []}
```

### Get Client ID

Obtains the unique client ID for a given host within Velociraptor DFIR; requires the host's identifier.

Endpoint method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| host | string | required | Parameter for Get Client ID |

Input example:

```json
{"host": "127.0.0.1"}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| response | string | Output field response |

Output example:

```json
{"response": "C.b279741549ca223d"}
```

### Get Client Label

Retrieves a specific label for a client in Velociraptor DFIR using the given client ID.

Endpoint method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| client_id | string | required | Unique identifier |
| label | string | required | Parameter for Get Client Label |

Input example:

```json
{"client_id": "C.b279741549ca223d", "label": "first label 1"}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| response | array | Output field response |
| response.client_id | string | Unique identifier |
| response.agent_information | object | Output field response.agent_information |
| response.agent_information.version | string | Output field response.agent_information.version |
| response.agent_information.name | string | Name of the resource |
| response.agent_information.build_time | string | Time value |
| response.agent_information.build_url | string | URL endpoint for the request |
| response.os_info | object | Output field response.os_info |
| response.os_info.system | string | Output field response.os_info.system |
| response.os_info.hostname | string | Name of the resource |
| response.os_info.release | string | Output field response.os_info.release |
| response.os_info.machine | string | Output field response.os_info.machine |
| response.os_info.fqdn | string | Output field response.os_info.fqdn |
| response.os_info.mac_addresses | array | Output field response.os_info.mac_addresses |
| response.first_seen_at | number | Output field response.first_seen_at |
| response.last_seen_at | number | Output field response.last_seen_at |
| response.last_ip | string | Output field response.last_ip |
| response.last_interrogate_flow_id | string | Unique identifier |
| response.last_interrogate_artifact_name | string | Name of the resource |
| response.labels | array | Output field response.labels |
| response.last_hunt_timestamp | number | Output field response.last_hunt_timestamp |
| response.last_event_table_version | number | Output field response.last_event_table_version |
| response.last_label_timestamp | number | Output field response.last_label_timestamp |
| response.label_check | object | Output field response.label_check |
| response.label_check.ClientId | string | Unique identifier |

Output example:

```json
{
  "response": [
    {
      "client_id": "C.b279741549ca223d",
      "agent_information": {},
      "os_info": {},
      "first_seen_at": 1724747862,
      "last_seen_at": 1724774918462058,
      "last_ip": "127.0.0.1:41040",
      "last_interrogate_flow_id": "F.CR6P0LGJFCVJC",
      "last_interrogate_artifact_name": "Generic.Client.Info/BasicInformation",
      "labels": [],
      "last_hunt_timestamp": 0,
      "last_event_table_version": 0,
      "last_label_timestamp": 0,
      "label_check": {}
    }
  ]
}
```

### Get Hunt Flows

Retrieves all flows initiated by a specific hunt in Velociraptor DFIR using the unique hunt ID.

Endpoint method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| hunt_id | string | required | Unique identifier |

Input example:

```json
{"hunt_id": "H.CR6P61P95H6CG"}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| response | array | Output field response |
| response.HuntId | string | Unique identifier |
| response.ClientId | string | Unique identifier |
| response.FlowId | string | Unique identifier |
| response.Flow | object | Output field response.Flow |
| response.Flow.client_id | string | Unique identifier |
| response.Flow.session_id | string | Unique identifier |
| response.Flow.request | object | Output field response.Flow.request |
| response.Flow.request.creator | string | Output field response.Flow.request.creator |
| response.Flow.request.user_data | string | Response data |
| response.Flow.request.client_id | string | Unique identifier |
| response.Flow.request.flow_id | string | Unique identifier |
| response.Flow.request.urgent | boolean | Output field response.Flow.request.urgent |
| response.Flow.request.artifacts | array | Output field response.Flow.request.artifacts |
| response.Flow.request.specs | array | Output field response.Flow.request.specs |
| response.Flow.request.specs.file_name | string | Name of the resource |
| response.Flow.request.specs.file | string | Output field response.Flow.request.specs.file |
| response.Flow.request.cpu_limit | number | Output field response.Flow.request.cpu_limit |
| response.Flow.request.iops_limit | number | Output field response.Flow.request.iops_limit |
| response.Flow.request.progress_timeout | number | Output field response.Flow.request.progress_timeout |
| response.Flow.request.timeout | number | Output field response.Flow.request.timeout |
| response.Flow.request.max_rows | number | Output field response.Flow.request.max_rows |
| response.Flow.request.max_upload_bytes | number | Output field response.Flow.request.max_upload_bytes |
| response.Flow.request.trace_freq_sec | number | Output field response.Flow.request.trace_freq_sec |
| response.Flow.request.allow_custom_overrides | boolean | Unique identifier |

Output example:

```json
{"response": []}
```

### Get Hunt Results

Retrieves results for a specific Velociraptor DFIR hunt using the hunt ID and artifact parameters.

Endpoint method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| hunt_id | string | required | Unique identifier |
| artifact | string | required | Parameter for Get Hunt Results |

Input example:

```json
{"hunt_id": "H.CR6P61P95H6CG", "artifact": "Generic.Client.DiskSpace"}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| response | array | Output field response |
| response.Filesystem | string | Output field response.Filesystem |
| response.Size | string | Output field response.Size |
| response.Used | number | Output field response.Used |
| response.Avail | string | Output field response.Avail |
| response.Use% | string | Output field response.Use% |
| response.Mounted | string | Output field response.Mounted |
| response.FlowId | string | Unique identifier |
| response.ClientId | string | Unique identifier |
| response.OrgId | string | Unique identifier |
| response.Fqdn | string | Output field response.Fqdn |

Output example:

```json
{"response": []}
```

### Remove Client Label

Removes a specified label from a Velociraptor DFIR client using the provided client ID and label.

Endpoint method: DELETE

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| client_id | string | required | Unique identifier |
| label | string | required | Parameter for Remove Client Label |

Input example:

```json
{"client_id": "C.b279741549ca223d", "label": "first label 1"}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| response | array | Output field response |
| response.client_id | string | Unique identifier |
| response.agent_information | object | Output field response.agent_information |
| response.agent_information.version | string | Output field response.agent_information.version |
| response.agent_information.name | string | Name of the resource |
| response.agent_information.build_time | string | Time value |
| response.agent_information.build_url | string | URL endpoint for the request |
| response.os_info | object | Output field response.os_info |
| response.os_info.system | string | Output field response.os_info.system |
| response.os_info.hostname | string | Name of the resource |
| response.os_info.release | string | Output field response.os_info.release |
| response.os_info.machine | string | Output field response.os_info.machine |
| response.os_info.fqdn | string | Output field response.os_info.fqdn |
| response.os_info.mac_addresses | array | Output field response.os_info.mac_addresses |
| response.first_seen_at | number | Output field response.first_seen_at |
| response.last_seen_at | number | Output field response.last_seen_at |
| response.last_ip | string | Output field response.last_ip |
| response.last_interrogate_flow_id | string | Unique identifier |
| response.last_interrogate_artifact_name | string | Name of the resource |
| response.labels | array | Output field response.labels |
| response.last_hunt_timestamp | number | Output field response.last_hunt_timestamp |
| response.last_event_table_version | number | Output field response.last_event_table_version |
| response.last_label_timestamp | number | Output field response.last_label_timestamp |
| response.label(client_id='C.b279741549ca223d', labels=['first label 2'], op='remove') | object | Unique identifier |
| response.label(client_id='C.b279741549ca223d', labels=['first label 2'], op='remove').ClientId | string | Unique identifier |

Output example:

```json
{
  "response": [
    {
      "client_id": "C.b279741549ca223d",
      "agent_information": {},
      "os_info": {},
      "first_seen_at": 1724747862,
      "last_seen_at": 1724779073002068,
      "last_ip": "127.0.0.1:41040",
      "last_interrogate_flow_id": "F.CR7022D3L4CHO",
      "last_interrogate_artifact_name": "Generic.Client.Info/BasicInformation",
      "labels": [],
      "last_hunt_timestamp": 0,
      "last_event_table_version": 0,
      "last_label_timestamp": 0,
      "label(client_id='C.b279741549ca223d', labels=['first label 2'], op='remove')": {}
    }
  ]
}
```

### Remove Client Quarantine

Removes a client from quarantine in Velociraptor DFIR using the specified client ID.

Endpoint method: DELETE

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| client_id | string | required | Unique identifier |

Input example:

```json
{"client_id": "C.b279741549ca223d"}
```

Output parameters:

Each element of `response` is keyed by the VQL expression that launched the collection, ``collect_client(client_id="C.b279741549ca223d", artifacts=["Windows.Remediation.Quarantine"], spec=dict(`Windows.Remediation.Quarantine`=dict(`RemovePolicy`="Y")))``. In the table below, `<key>` stands for that expression.

| Parameter | Type | Description |
| --- | --- | --- |
| response | array | Output field response |
| response.\<key\> | object | Unique identifier |
| response.\<key\>.flow_id | string | Unique identifier |
| response.\<key\>.request | object | Unique identifier |
| response.\<key\>.request.creator | string | Unique identifier |
| response.\<key\>.request.user_data | string | Response data |
| response.\<key\>.request.client_id | string | Unique identifier |
| response.\<key\>.request.flow_id | string | Unique identifier |
| response.\<key\>.request.urgent | boolean | Unique identifier |
| response.\<key\>.request.artifacts | array | Unique identifier |
| response.\<key\>.request.specs | array | Unique identifier |
| response.\<key\>.request.specs.artifact | string | Unique identifier |
| response.\<key\>.request.specs.max_batch_wait | number | Unique identifier |
| response.\<key\>.request.specs.max_batch_rows | number | Unique identifier |
| response.\<key\>.request.specs.max_batch_rows_buffer | number | Unique identifier |
| response.\<key\>.request.cpu_limit | number | Unique identifier |
| response.\<key\>.request.iops_limit | number | Unique identifier |
| response.\<key\>.request.progress_timeout | number | Unique identifier |
| response.\<key\>.request.timeout | number | Unique identifier |
| response.\<key\>.request.max_rows | number | Unique identifier |
| response.\<key\>.request.max_upload_bytes | number | Unique identifier |
| response.\<key\>.request.trace_freq_sec | number | Unique identifier |
| response.\<key\>.request.allow_custom_overrides | boolean | Unique identifier |
| response.\<key\>.request.log_batch_time | number | Unique identifier |
| response.\<key\>.request.compiled_collector_args | array | Unique identifier |

Output example:

```json
{"response": [{"collect_client(client_id=\"C.b279741549ca223d\", artifacts=[\"Windows.Remediation.Quarantine\"], spec=dict(`Windows.Remediation.Quarantine`=dict(`RemovePolicy`=\"Y\")))": {}}]}
```

### Search Filename

Initiates a search for a specific file by name and path across endpoints using Velociraptor DFIR.

Endpoint method: POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| file_name | string | required | Name of the resource |
| file_path | string | required | Parameter for Search Filename |

Input example:

```json
{"file_name": "file.txt", "file_path": "/Users/Downloads/text.txt"}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| response | array | Output field response |

Output example:

```json
{"response": []}
```

### Search Hash

Initiates a hunt for a specific file hash with Velociraptor DFIR to detect potential security incidents. Requires a file hash as input.

Endpoint method: POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| file_hash | string | required | Parameter for Search Hash |

Input example:

```json
{"file_hash": "advgwertreretewewrtth234werqwae2345qw"}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| response | array | Output field response |

Output example:

```json
{"response": []}
```

### Search with Custom Query

Executes a user-defined VQL query in Velociraptor DFIR to search across collected data; `query` is a required input.

Endpoint method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| query | string | required | Parameter for Search with Custom Query |

Input example:

```json
{"query": "select info()"}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| response | array | Output field response |
| response.Hostname | string | Name of the resource |
| response.Uptime | number | Time value |
| response.BootTime | number | Time value |
| response.Procs | number | Output field response.Procs |
| response.OS | string | Output field response.OS |
| response.Platform | string | Output field response.Platform |
| response.PlatformFamily | string | Output field response.PlatformFamily |
| response.PlatformVersion | string | Output field response.PlatformVersion |
| response.KernelVersion | string | Output field response.KernelVersion |
| response.VirtualizationSystem | string | Output field response.VirtualizationSystem |
| response.VirtualizationRole | string | Output field response.VirtualizationRole |
| response.CompilerVersion | string | Output field response.CompilerVersion |
| response.HostID | string | Unique identifier |
| response.Exe | string | Output field response.Exe |
| response.CWD | string | Output field response.CWD |
| response.IsAdmin | boolean | Output field response.IsAdmin |
| response.ClientStart | string | Output field response.ClientStart |
| response.Fqdn | string | Output field response.Fqdn |
| response.Architecture | string | Output field response.Architecture |

Output example:

```json
{
  "response": [
    {
      "Hostname": "saikumars-MacBook-Pro.local",
      "Uptime": 59860,
      "BootTime": 1724596444,
      "Procs": 704,
      "OS": "darwin",
      "Platform": "darwin",
      "PlatformFamily": "Standalone Workstation",
      "PlatformVersion": "14.6.1",
      "KernelVersion": "23.6.0",
      "VirtualizationSystem": "",
      "VirtualizationRole": "",
      "CompilerVersion": "go1.20.6",
      "HostID": "aa4d852d-2960-5a06-830a-670f1e88ce99",
      "Exe": "/usr/local/bin/velociraptor",
      "CWD": "/Users/saikumar kondapalli/Downloads"
    }
  ]
}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
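The label and quarantine actions above are thin wrappers over VQL (`label(...)` and `collect_client(...)` with the `Windows.Remediation.Quarantine` artifact), and the quarantine output is keyed by the full VQL expression rather than a fixed field name. The following is an added example, not code from the connector or from Velociraptor: it builds those expressions from playbook input with a strict allow-list so a label or client ID supplied by an upstream alert cannot break out of the VQL string literal, and it pulls the launched flow ID out of the expression-keyed response, returning `None` for the empty object shown in the page's output example. The function names, the regexes and the sample output dicts are this example's own assumptions.

```python
import re

# Velociraptor identifier shapes: client IDs are "C." + hex, flow IDs "F." + upper-case base32.
CLIENT_ID_RE = re.compile(r"^C\.[0-9a-f]{8,}$")
FLOW_ID_RE = re.compile(r"^F\.[A-Z0-9]+$")
# Assumed allow-list for label text. It is stricter than Velociraptor itself requires and is
# chosen so that a label coming from a playbook can never close the quoted VQL literal.
LABEL_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._-]{0,63}$")
QUARANTINE_ARTIFACT = "Windows.Remediation.Quarantine"


def validate_client_id(client_id: str) -> str:
    if not CLIENT_ID_RE.match(client_id):
        raise ValueError(f"not a Velociraptor client id: {client_id!r}")
    return client_id


def validate_label(label: str) -> str:
    if not LABEL_RE.match(label):
        raise ValueError(f"label rejected by allow-list: {label!r}")
    return label


def label_vql(client_id: str, label: str, op: str) -> str:
    """VQL for the Add/Remove Client Label actions; op is 'set' or 'remove'."""
    if op not in ("set", "remove"):
        raise ValueError(f"unsupported label op: {op!r}")
    validate_client_id(client_id)
    validate_label(label)
    # The page's 'set' form passes labels as a string, its 'remove' form as a list.
    labels = f"'{label}'" if op == "set" else f"['{label}']"
    return f"label(client_id='{client_id}', labels={labels}, op='{op}')"


def quarantine_vql(client_id: str, remove: bool = False) -> str:
    """VQL for Add Client Quarantine (remove=False) or Remove Client Quarantine (remove=True)."""
    validate_client_id(client_id)
    params = "`RemovePolicy`='Y'" if remove else ""
    return (
        f"collect_client(client_id='{client_id}', artifacts=['{QUARANTINE_ARTIFACT}'], "
        f"spec=dict(`{QUARANTINE_ARTIFACT}`=dict({params})))"
    )


def extract_flow_id(connector_output: dict):
    """Return the flow id launched by a quarantine action, or None if nothing was launched.

    The connector keys each result row by the VQL expression text, so the key is matched
    by prefix instead of being looked up literally."""
    for row in connector_output.get("response", []):
        for key, value in row.items():
            if key.startswith("collect_client(") and isinstance(value, dict):
                flow_id = value.get("flow_id")
                if flow_id and FLOW_ID_RE.match(flow_id):
                    return flow_id
    return None


# Constructed sample output shaped like the page's Add Client Quarantine output example,
# but with a populated flow_id so the extraction has something to find.
SAMPLE_QUARANTINE_OUTPUT = {
    "response": [
        {
            quarantine_vql("C.b279741549ca223d"): {
                "flow_id": "F.CR6P0LGJFCVJC",
                "request": {"client_id": "C.b279741549ca223d",
                            "artifacts": [QUARANTINE_ARTIFACT]},
            }
        }
    ]
}
# The shape of the page's own example, where the collect_client value is an empty object.
EMPTY_QUARANTINE_OUTPUT = {"response": [{quarantine_vql("C.b279741549ca223d"): {}}]}


def rejected(fn, *args, **kwargs) -> bool:
    """True if fn raises ValueError for the given arguments (used to show the allow-list working)."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(label_vql("C.b279741549ca223d", "first label 1", "set"))
    print(quarantine_vql("C.b279741549ca223d", remove=True))
    print(extract_flow_id(SAMPLE_QUARANTINE_OUTPUT))  # F.CR6P0LGJFCVJC
    print(extract_flow_id(EMPTY_QUARANTINE_OUTPUT))   # None
    print(rejected(label_vql, "C.b279741549ca223d", "x', op='remove", "set"))  # True
```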