Services

Velociraptor contains many service modules that help the process perform certain tasks. Most of these expose a dedicated profile that shows how they are performing.

  • ExportContainers
  • The Velociraptor GUI allows exporting collections from Flows or Hunts into a Zip file. If the collection is very large this can take some time. While the GUI shows some progress information:

    Export Progress as shown by the GUI

    The profile shows a lot more information:

    Export Containers profile

    As indicated by the profile, Velociraptor uses multiple threads to compress many files into the zip file at the same time. Each file is typically compressed into a temporary file and the results are then merged into the final Zip file (this is how multiple cores can be used when preparing a Zip file).
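    The technique described above, as an added Go example that is not Velociraptor's own export code: each entry is deflated on its own goroutine into a temporary part archive, and the parts are then merged into the final Zip with zip.Writer.Copy, which moves the already-compressed bytes without inflating them again. The function names, the worker limit and the sample input in main are assumptions of this example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"os"
	"sort"
	"sync"
)

// compressOne deflates a single entry into its own temporary zip file and
// returns that file's path. Each call runs on its own goroutine.
func compressOne(name string, data []byte) (string, error) {
	tmp, err := os.CreateTemp("", "zip-part-*.zip")
	if err != nil {
		return "", err
	}
	w := zip.NewWriter(tmp)
	f, err := w.Create(name) // zip.Deflate is the default method
	if err == nil {
		_, err = f.Write(data)
	}
	if cerr := w.Close(); err == nil {
		err = cerr
	}
	if cerr := tmp.Close(); err == nil {
		err = cerr
	}
	if err != nil {
		os.Remove(tmp.Name())
		return "", err
	}
	return tmp.Name(), nil
}

// ParallelZip compresses every file on up to `workers` goroutines, each into a
// temporary part file, then merges the already-compressed entries into one
// archive with zip.Writer.Copy (raw copy, no recompression).
func ParallelZip(files map[string][]byte, workers int) ([]byte, error) {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic entry order in the final archive

	parts := make([]string, len(names))
	errs := make([]error, len(names))
	sem := make(chan struct{}, workers) // bounds how many deflate at once
	var wg sync.WaitGroup
	for i, n := range names {
		wg.Add(1)
		go func(i int, n string) {
			defer wg.Done()
			sem <- struct{}{}
			defer func() { <-sem }()
			parts[i], errs[i] = compressOne(n, files[n])
		}(i, n)
	}
	wg.Wait()
	// Part files are removed whether or not the merge below succeeds.
	defer func() {
		for _, p := range parts {
			os.Remove(p)
		}
	}()
	for _, err := range errs {
		if err != nil {
			return nil, err
		}
	}

	var out bytes.Buffer
	w := zip.NewWriter(&out)
	for _, p := range parts {
		rc, err := zip.OpenReader(p)
		if err != nil {
			return nil, err
		}
		for _, f := range rc.File {
			if err := w.Copy(f); err != nil {
				rc.Close()
				return nil, err
			}
		}
		rc.Close()
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return out.Bytes(), nil
}

func main() {
	files := map[string][]byte{ // constructed sample input
		"results/Generic.Client.Info.json": []byte(`{"Hostname":"example-host"}`),
		"uploads/notes.txt":                bytes.Repeat([]byte("velociraptor "), 200),
	}
	archive, err := ParallelZip(files, 4)
	if err != nil {
		panic(err)
	}
	fmt.Printf("final archive: %d bytes\n", len(archive))
}
```

    The semaphore is what keeps the number of simultaneous deflate operations bounded; without it a large collection would start one goroutine per file and the export could starve the rest of the server.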

  • Throttler
  • An important criterion for Velociraptor is to ensure the impact on endpoint performance is limited. This matters when we need to perform intensive tasks on the endpoint: we want to make sure the end system is still usable and reduce our impact on the end user.

    Velociraptor achieves this by implementing a Throttler. This mechanism is able to pause query execution when the process’s average CPU utilization exceeds some limit.
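    An added Go example (not Velociraptor's implementation) of the pausing mechanism just described: an exponential moving average of CPU readings is compared against a limit, and a call made between units of query work sleeps and re-samples until the average is back under the limit. The reading source is injected so the logic runs offline; the names Throttler and ChargeOperation and the constructed readings in main are assumptions of this example.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Throttler suspends query work while the smoothed CPU utilization of this
// process is above a limit. CPU readings are supplied by the caller; a real
// deployment would sample the process CPU time (assumption of this example).
type Throttler struct {
	mu      sync.Mutex
	limit   float64 // percent of CPU the process may use, e.g. 50
	alpha   float64 // smoothing factor of the exponential moving average
	average float64 // current smoothed utilization
}

func NewThrottler(limitPercent float64) *Throttler {
	return &Throttler{limit: limitPercent, alpha: 0.3}
}

// Sample folds one CPU reading (percent) into the moving average and returns
// the new average. Smoothing stops a single spike from pausing work.
func (t *Throttler) Sample(cpuPercent float64) float64 {
	t.mu.Lock()
	defer t.mu.Unlock()
	t.average = t.alpha*cpuPercent + (1-t.alpha)*t.average
	return t.average
}

// Average returns the current smoothed utilization.
func (t *Throttler) Average() float64 {
	t.mu.Lock()
	defer t.mu.Unlock()
	return t.average
}

// ShouldPause reports whether query execution should currently be suspended.
func (t *Throttler) ShouldPause() bool {
	t.mu.Lock()
	defer t.mu.Unlock()
	return t.average > t.limit
}

// ChargeOperation is called between units of query work. It takes a fresh
// reading and, while the average stays above the limit, sleeps for interval
// and re-samples. It returns how many times it paused.
func (t *Throttler) ChargeOperation(sample func() float64, interval time.Duration) int {
	paused := 0
	for {
		t.Sample(sample())
		if !t.ShouldPause() {
			return paused
		}
		paused++
		time.Sleep(interval)
	}
}

func main() {
	// Constructed readings: a burst of heavy CPU use followed by idle time.
	readings := []float64{90, 90, 90, 90, 90, 5, 5, 5, 5, 5}
	i := 0
	next := func() float64 {
		r := readings[i%len(readings)]
		i++
		return r
	}
	th := NewThrottler(50)
	for op := 1; op <= 4; op++ {
		paused := th.ChargeOperation(next, 10*time.Millisecond)
		fmt.Printf("operation %d ran after %d pause(s), average now %.1f%%\n",
			op, paused, th.Average())
	}
}
```

    With the readings in main, the first two operations run immediately, the third is paused four times while the average climbs past 50% and decays again, and the fourth runs without pausing. The smoothing factor is the knob that trades responsiveness for stability.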

  • User Manager
  • Reports information about the users currently registered on the system.

  • Open-close
  • As with temporary files, it is important to know which files we have opened that should be closed. This is tracked by the Open Close Tracker. The tracker tracks not only operating system files but also other abstract objects within Velociraptor that need to be closed.

    Open Closed profile

    We typically want to see all files being suitably closed unless they are currently in use. Some files are held open for a short time after use, to avoid having to re-open them if they are accessed again soon after.

  • tempfiles
  • Velociraptor uses temporary files for a variety of purposes. It is important to ensure that whenever we create a temporary file, we remove it afterwards.

    The Tempfile tracker keeps track of the temporary files in use.

    Temporary file profile

    The profile indicates:

    1. Which temporary files were used.
    2. Where they were created from (gives an idea why we created these files).
    3. When the file was created and removed.

    In the above example, we see two temporary files created from the VQL tempfile() function and one created by the VQL engine during a materialize operation (e.g. expanding a LET). All files were suitably closed, as determined by the non-zero destroyed time.
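    One tracker that serves both the Open Close Tracker and the Tempfile tracker described above, as an added Go example rather than Velociraptor's own code: every tracked object records where it was created from and its created and destroyed times, so a leak is simply an entry whose destroyed time is still zero. The Tracker type, its method names and the sample objects in main are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"runtime"
	"sort"
	"sync"
	"time"
)

// Entry is one tracked object: a temp file path or any other closable thing.
type Entry struct {
	Name      string
	Origin    string    // file:line of the code that created the object
	Created   time.Time
	Destroyed time.Time // stays zero until the object is released
}

// Tracker records creation and release; leaks are entries never released.
type Tracker struct {
	mu      sync.Mutex
	entries map[string]*Entry
	now     func() time.Time // clock is injectable for offline tests
}

func NewTracker() *Tracker {
	return &Tracker{entries: map[string]*Entry{}, now: time.Now}
}

// track registers name; skip selects which caller frame is recorded as Origin.
func (t *Tracker) track(name string, skip int) {
	_, file, line, _ := runtime.Caller(skip)
	t.mu.Lock()
	defer t.mu.Unlock()
	t.entries[name] = &Entry{Name: name, Origin: fmt.Sprintf("%s:%d", file, line), Created: t.now()}
}

// Track registers any closable object (a handle, reader, cache) under a name.
func (t *Tracker) Track(name string) { t.track(name, 2) }

// Release marks an object as closed or removed.
func (t *Tracker) Release(name string) error {
	t.mu.Lock()
	defer t.mu.Unlock()
	e, ok := t.entries[name]
	if !ok {
		return errors.New("release of untracked object: " + name)
	}
	e.Destroyed = t.now()
	return nil
}

// Leaked lists tracked objects that were never released, sorted by name.
func (t *Tracker) Leaked() []string {
	t.mu.Lock()
	defer t.mu.Unlock()
	out := []string{}
	for n, e := range t.entries {
		if e.Destroyed.IsZero() {
			out = append(out, n)
		}
	}
	sort.Strings(out)
	return out
}

// TempFile creates a temporary file and tracks it under its path.
func (t *Tracker) TempFile(pattern string) (*os.File, error) {
	f, err := os.CreateTemp("", pattern)
	if err != nil {
		return nil, err
	}
	t.track(f.Name(), 2)
	return f, nil
}

// RemoveTempFile closes, deletes and releases a tracked temporary file.
func (t *Tracker) RemoveTempFile(f *os.File) error {
	f.Close()
	if err := os.Remove(f.Name()); err != nil {
		return err
	}
	return t.Release(f.Name())
}

func main() {
	tr := NewTracker()
	a, err := tr.TempFile("vql-materialize-*") // constructed sample objects
	if err != nil { panic(err) }
	b, err := tr.TempFile("vql-tempfile-*")
	if err != nil { panic(err) }
	tr.Track("zip-writer:export")
	tr.RemoveTempFile(a)
	tr.Release("zip-writer:export")
	fmt.Println("leaked:", tr.Leaked()) // only b: still open and not removed
	tr.RemoveTempFile(b)
}
```

    Recording the creating frame is what makes the profile's "where they were created from" column possible; a leak report that only lists paths is much harder to act on.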

  • worker
  • Notebooks are a very useful feature of the server, allowing complex post-processing of collected data. Sometimes these queries are very large and take a long time to run. To limit the amount of resources the queries can take on the server, Velociraptor only creates a limited number of notebook workers (by default 5).
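    An added Go example (not the server's notebook code) of the bounded worker idea: a fixed number of workers, 5 as in the default, drain a queue of queries, so extra submissions wait rather than consume more resources, and the pool records its peak concurrency the way a profile would show it. WorkerPool, Query and the sleeping stand-in queries in main are assumptions of this example.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// Query is one unit of notebook post-processing work.
type Query func(ctx context.Context) string

type job struct {
	run    Query
	result chan string
}

// WorkerPool executes queries on a fixed number of goroutines. Submissions
// beyond that number wait in the queue instead of adding load to the server.
type WorkerPool struct {
	queue  chan job
	wg     sync.WaitGroup
	active int64 // queries running right now
	peak   int64 // highest concurrency observed, for the profile
}

func NewWorkerPool(ctx context.Context, workers int) *WorkerPool {
	p := &WorkerPool{queue: make(chan job, 64)}
	for i := 0; i < workers; i++ {
		p.wg.Add(1)
		go p.worker(ctx)
	}
	return p
}

func (p *WorkerPool) worker(ctx context.Context) {
	defer p.wg.Done()
	for {
		select {
		case <-ctx.Done():
			return
		case j, ok := <-p.queue:
			if !ok {
				return
			}
			n := atomic.AddInt64(&p.active, 1)
			for { // raise peak to n if n is a new maximum
				old := atomic.LoadInt64(&p.peak)
				if n <= old || atomic.CompareAndSwapInt64(&p.peak, old, n) {
					break
				}
			}
			j.result <- j.run(ctx)
			atomic.AddInt64(&p.active, -1)
		}
	}
}

// Submit queues a query; the returned channel yields its result once a
// worker has picked it up and finished it.
func (p *WorkerPool) Submit(q Query) <-chan string {
	res := make(chan string, 1)
	p.queue <- job{run: q, result: res}
	return res
}

// Active reports how many queries are running at this moment.
func (p *WorkerPool) Active() int64 { return atomic.LoadInt64(&p.active) }

// Close stops accepting work, waits for queued queries to finish and
// returns the peak concurrency seen.
func (p *WorkerPool) Close() int64 {
	close(p.queue)
	p.wg.Wait()
	return atomic.LoadInt64(&p.peak)
}

func main() {
	pool := NewWorkerPool(context.Background(), 5) // the default of 5 workers
	var results []<-chan string
	for i := 0; i < 12; i++ {
		i := i
		results = append(results, pool.Submit(func(ctx context.Context) string {
			time.Sleep(30 * time.Millisecond) // stands in for a slow VQL query
			return fmt.Sprintf("notebook cell %d done", i)
		}))
	}
	for _, r := range results {
		fmt.Println(<-r)
	}
	fmt.Println("peak concurrent queries:", pool.Close())
}
```

    Twelve queries are submitted but the pool never runs more than five at once; the rest sit in the queue until a worker frees up, which is exactly the back-pressure the worker limit is there to provide.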

    Inspecting the notebook workers