Global

  • Datastore
  • Profiles related to the server’s datastore.

    • Replication
    • Reports current replication connections between master and minion.

  • Services
  • Velociraptor contains many service modules that help the process perform certain tasks. These usually contain specific profiles to show how they are performing.

    • ExportContainers
    • The Velociraptor GUI allows exporting collections from Flows or Hunts into a Zip file. If the collection is very large this can take some time. While the GUI shows some progress information:

      Export Progress as shown by the GUI

      the profile shows a lot more information:

      Export Containers profile

      As indicated by the profile, Velociraptor uses multiple threads to compress many files into the zip file at the same time. These files are typically compressed into temporary files and then merged into the final Zip file (this is how multiple cores are utilized when preparing a Zip file).

    • Throttler
    • An important criterion for Velociraptor is to limit its impact on endpoint performance. This matters in cases where we need to perform intensive tasks on the endpoint: we want to make sure the end system is still usable and to reduce our impact on the end user.

      Velociraptor achieves this by implementing a Throttler. This mechanism can pause query execution when the process's average CPU utilization exceeds a limit.

    • User Manager
    • Reports information about the users currently registered on the system.

    • Open-close
    • Similarly to tempfiles, it is important to know which files we have opened that should be closed. This is tracked by the Open Close Tracker. The tracker tracks not only operating system files but also other abstract objects within Velociraptor that need to be closed.

      Open Closed profile

      We typically want to see all files suitably closed unless they are currently in use. Some files are held open for a short time after use, to avoid needing to re-open them if they are accessed again soon after.

    • tempfiles
    • Velociraptor uses temporary files for a variety of purposes. It is important to ensure that whenever we create a temporary file, we suitably remove it.

      The Tempfile tracker keeps track of the temporary files we used.

      Temporary file profile

      The profile indicates:

      1. Which temporary files were used.
      2. Where they were created from (this gives an idea of why we created these files).
      3. When the file was created and removed.

      In the above example, we see two temporary files created from the VQL tempfile() function and one created by the VQL engine during a materialize operation (e.g. expanding a LET). All files were suitably closed, as determined by the non-zero destroyed time.
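The Open Close Tracker and the Tempfile tracker described above record the same three things for each object: where it was created from, when it was created, and when it was destroyed, with a zero destroyed time flagging something still open. The following Go code is an added example of such a tracker, not Velociraptor's own code; the Tracker, Entry, Track, Release and Leaked names are assumptions.

```go
package main
import (
	"runtime"
	"sync"
	"time"
)

// Entry mirrors the profile columns: where the object was created from, and when.
type Entry struct {
	File      string // caller location, explains why the object exists
	Line      int
	Created   time.Time
	Destroyed time.Time // zero value: still open, or the temp file still exists
}

// Tracker is an in-process registry of objects that must be closed or removed.
type Tracker struct {
	mu      sync.Mutex
	entries map[string]*Entry
}
func NewTracker() *Tracker { return &Tracker{entries: map[string]*Entry{}} }
// Track registers an object under name and records the caller that created it.
func (t *Tracker) Track(name string) {
	_, file, line, _ := runtime.Caller(1)
	t.mu.Lock()
	defer t.mu.Unlock()
	t.entries[name] = &Entry{File: file, Line: line, Created: time.Now()}
}

// Release sets the destroyed time; a second release or an unknown name is a no-op.
func (t *Tracker) Release(name string) {
	t.mu.Lock()
	defer t.mu.Unlock()
	if e, ok := t.entries[name]; ok && e.Destroyed.IsZero() {
		e.Destroyed = time.Now()
	}
}

// Leaked lists the names whose destroyed time is still zero (map iteration order).
func (t *Tracker) Leaked() []string {
	t.mu.Lock()
	defer t.mu.Unlock()
	var out []string
	for name, e := range t.entries {
		if e.Destroyed.IsZero() {
			out = append(out, name)
		}
	}
	return out
}
```

Reviewing a profile then reduces to looking at what Leaked returns: every row there is either genuinely in use or a leak that needs a matching close.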

    • worker
    • Notebooks are a very useful feature of the server, allowing complex post-processing of collected data. Sometimes these queries are very large and take a long time to run. To limit the amount of resources the queries can consume on the server, Velociraptor only creates a limited number of notebook workers (by default 5).

      Inspecting the notebook workers

  • VQL

    • Queries
    • See currently and recently running VQL queries.

      • Active Queries
      • This view shows the queries currently running in this process. For example, queries run as part of notebook evaluation, as currently installed event queries, or as artifacts currently being collected (in the case of the offline collector).

        Active Queries profile

        The above example shows a number of queries watching a variety of event logs on the endpoint. This is because the endpoint is running the Windows.Hayabusa.Monitoring artifact, which evaluates many Sigma rules, many of them referring to different log sources. Each log source relies on parsing the event logs.

    • Plugins
    • Much of Velociraptor's functionality is implemented using VQL plugins. Some plugins are very sophisticated and require their own profile tracking.