Submits VQL to a Velociraptor server and returns the response as events.
```
velociraptor [-n|--request-name <string>] [-o|--org-id <string>]
             [-r|--max-rows <uint64>] [-s|--subscribe <artifact>]
             [-q|--query <vql>] [-w|--max-wait <duration>]
```
The `velociraptor` source operator provides a request-response interface to a
Velociraptor server. The pipeline operator is the client and it establishes a
connection to a Velociraptor server. The client request contains a query
written in the Velociraptor Query Language (VQL), a SQL-inspired language with a
`SELECT .. FROM .. WHERE` structure.
You can either send a raw VQL query via `velociraptor --query "<vql>"` to a
server and process the response, or hook into a continuous feed of artifacts
via `velociraptor --subscribe <artifact>`. Whenever a hunt runs that contains
this artifact, the server will forward it to the pipeline and emit the artifact
payload in the response field.
All Velociraptor client-to-server communication is mutually authenticated and
encrypted via TLS certificates. This means you must provide a client-side
certificate, which you can generate as follows. (Velociraptor ships as a static
binary that we refer to as `velociraptor-binary` here.)
1. Create a server configuration:

   ```
   velociraptor-binary config generate > server.yaml
   ```

2. Create an API client:

   ```
   velociraptor-binary -c server.yaml config api_client --name tenzir client.yaml
   ```

3. Copy the generated `client.yaml` to your Tenzir plugin configuration
   directory as `velociraptor.yaml` so that the operator can find it:

   ```
   cp client.yaml /etc/tenzir/plugin/velociraptor.yaml
   ```

4. Run the frontend with the server configuration:

   ```
   velociraptor-binary -c server.yaml frontend
   ```
Now you are ready to run VQL queries!
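The four steps above as a single script, added here as an example and not taken from the Tenzir docs or the Velociraptor project. It assumes the Velociraptor binary is on `PATH` as `velociraptor-binary` and that Tenzir loads plugin configuration from `/etc/tenzir/plugin`, both as stated above; `VR_BIN` and `PLUGIN_DIR` are hypothetical overrides that exist only in this script. The one thing it adds to the steps is a permission check: `client.yaml` carries the API client's private key and certificate, which is exactly what authenticates the pipeline to the server over mutual TLS, so the script refuses to install it unless only the owner can read it.

```shell
#!/bin/sh
# Added example (not from the Tenzir docs or the Velociraptor project): the
# API-client setup steps as one script, plus a permission check on the
# generated client config. Assumes `velociraptor-binary` on PATH and the
# /etc/tenzir/plugin directory from the page; VR_BIN and PLUGIN_DIR are
# hypothetical overrides for this script only.
set -eu

VR_BIN="${VR_BIN:-velociraptor-binary}"
PLUGIN_DIR="${PLUGIN_DIR:-/etc/tenzir/plugin}"

# client.yaml holds the API client's private key and certificate. Refuse to
# use it unless the file is readable by its owner only (mode 0600 or 0400).
check_config_perms() {
  file="$1"
  # GNU stat first, BSD/macOS stat as fallback.
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$mode" in
    600|400) return 0 ;;
    *)
      echo "refusing: $file has mode $mode, expected 0600" >&2
      return 1
      ;;
  esac
}

# Steps 1-3: server config, API client, install as velociraptor.yaml where
# the operator looks for it. Any failing command aborts the script (set -e).
setup_api_client() {
  "$VR_BIN" config generate > server.yaml
  "$VR_BIN" -c server.yaml config api_client --name tenzir client.yaml
  chmod 600 client.yaml
  check_config_perms client.yaml
  mkdir -p "$PLUGIN_DIR"
  install -m 600 client.yaml "$PLUGIN_DIR/velociraptor.yaml"
  check_config_perms "$PLUGIN_DIR/velociraptor.yaml"
}

# Step 4: the frontend runs in the foreground, so start it last, in a
# separate terminal or from a service unit.
start_frontend() {
  exec "$VR_BIN" -c server.yaml frontend
}

case "${1:-}" in
  setup) setup_api_client ;;
  frontend) start_frontend ;;
  check) check_config_perms "${2:?path to config file}" ;;
  *) ;;  # no sub-command: only define the functions above
esac
```

Run `sh setup.sh setup` once, then `sh setup.sh frontend`; `sh setup.sh check /etc/tenzir/plugin/velociraptor.yaml` re-verifies the installed config later, for instance from a cron job or a configuration-management check.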
`-n|--request-name <string>`

An identifier for the request to the Velociraptor server.
Defaults to a random UUID.

`-o|--org-id <string>`

The ID of the Velociraptor organization.

`-q|--query <vql>`

The VQL query string.

`-r|--max-rows <uint64>`

The maximum number of rows to return in the stream of gRPC messages returned by the server.
Defaults to 1,000.

`-s|--subscribe <artifact>`

Subscribes to a flow artifact.
This option generates a larger VQL expression under the hood that creates one
event per flow and artifact. The response contains a field that holds the
result of the hunt.

`-w|--max-wait <duration>`

Controls how long to wait before releasing a partial result set.
Show all processes:

```
velociraptor --query "select * from pslist()"
```
Subscribe to a hunt flow that contains the

```
velociraptor --subscribe Windows
```