Velociraptor
App Vendor: Velociraptor
App Category: IT Services
Connector Version: 1.0.3
API Version: N/A
About App
Velociraptor is an advanced digital forensic and incident response tool that enhances your visibility into your endpoints. This app provides useful info-gathering and response actions.
The Velociraptor app is configured with Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Add Client Labels | This action adds a supplied list of labels to a client. |
Execute Query | This action takes in a VQL query string and returns a list of results. |
Get Client Info | This action returns a client's info. |
List Client Processes | This action returns a client's running processes. |
List Clients | This action lists all Velociraptor clients. |
List Windows Client Users | This action returns a Windows client's local users. |
Quarantine Client | This action quarantines a client. |
Remove Client Labels | This action removes the supplied list of labels from the client. |
Remove Quarantined Client | This action removes a client from quarantine. |
Configuration Parameters
The following configuration parameters are required for the Velociraptor connector app to communicate with the Velociraptor enterprise application. The parameters can be configured by creating instances in the connector app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Server | Enter the Velociraptor server address. | Text | Required | |
Port | Enter the Velociraptor server API port. | Integer | Required | |
CA Certificate | Enter the API client CA certificate. | File | Required | |
Client Private Key | Enter the API client private key to authenticate. | File | Required | |
Client Certificate | Enter the API client certificate to authenticate. | File | Required | |
Action: Add Client Labels
This action adds the supplied list of labels to a client.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Client ID | Enter the ID of the client. | Text | Required | You can retrieve this using the action List Clients. |
Labels | Enter the list of labels to add to the client. | List | Required | |
Action: Execute Query
This action takes in a VQL query string and returns a list of results.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the VQL query string to execute the query. | Text | Required | |
Max Wait | Enter the maximum time to wait for query execution. | Integer | Optional | |
Max Row | Enter the maximum rows to return by the query. | Integer | Optional | |
Action: Get Client Info
This action returns a client's info.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Client ID | Enter the client ID to retrieve the information. | Text | Required | You can retrieve this using the action List Clients. |
Action: List Client Processes
This action returns a client's running processes.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Client ID | Enter the client ID to retrieve its processes. | Text | Required | You can retrieve this using the action List Clients. |
Action: List Clients
This action lists all Velociraptor clients.
Action Input Parameters
No input parameters are required for this action.
Action: List Windows Client Users
This action returns a Windows client's local users.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Client ID | Enter the client ID to return the local users. | Text | Required | You can retrieve this using the action List Clients. |
Action: Quarantine Client
This action quarantines a client.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Client ID | Enter the client ID to quarantine it. | Text | Required | You can retrieve this using the action List Clients. |
Action: Remove Client Labels
This action removes the supplied list of labels from the client.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Client ID | Enter the client ID to remove the labels. | Text | Required | You can retrieve this using the action List Clients. |
Labels | Enter the list of labels to remove from the client. | List | Required | |
Action: Remove Quarantined Client
This action removes a client from quarantine.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Client ID | Enter the client ID to remove it from quarantine. | Text | Required | You can retrieve this using the action List Clients. |