Velociraptor Overview

2021-06-09

Velociraptor is a unique, advanced open-source endpoint monitoring, digital forensic and cyber response platform.

It was developed by Digital Forensic and Incident Response (DFIR) professionals who needed a powerful and efficient way to hunt for specific artifacts and monitor activities across fleets of endpoints. Velociraptor provides you with the ability to more effectively respond to a wide range of digital forensic and cyber incident response investigations and data breaches:

  • Reconstruct attacker activities through digital forensic analysis
  • Hunt for evidence of sophisticated adversaries
  • Investigate malware outbreaks and other suspicious network activities
  • Monitory continuously for suspicious user activities, such as files copied to USB devices
  • Discover whether disclosure of confidential information occurred outside the network
  • Gather endpoint data over time for use in threat hunting and future investigations

VQL - the Velociraptor difference

Velociraptor’s power and flexibility comes from the Velociraptor Query Language (VQL). VQL is a framework for creating highly customized artifacts, which allow you to collect, query, and monitor almost any aspect of an endpoint, groups of endpoints, or an entire network. It can also be used to create continuous monitoring rules on the endpoint, as well as automate tasks on the server.

Rocket Velociraptor
Rocket Velociraptor

Documentation overview

The site is divided into the following parts

  • Deployment where you will learn the different deployment options.

  • GUI Tour provides a tour of the user interface.

  • VQL Fundamentals provide a deep dive into VQL and how to write your own artifacts and queries.