Basic VQL

VQL provides a basic set of functions and plugins that allow queries to manipulate data and implement logic. This page details the functions and plugins that are considered foundational to the VQL language and are therefore likely to be useful in all types of artifacts.

VQL plugins are not the same as VQL functions. A plugin is the subject of the VQL query, i.e. a plugin always follows the FROM keyword and produces a sequence of rows. A function returns a single value instead of a sequence of rows, so functions appear only in column specifications (after SELECT) or in condition clauses (after the WHERE keyword).
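As an added illustration of that rule (this query is not from the Velociraptor documentation; the dict contents are constructed), the following uses only entries listed on this page: the `items` plugin is the subject after FROM, while `dict`, `upcase`, `str`, `len` and `format` are functions that appear only in SELECT columns and the WHERE clause:

```vql
-- Added example, not from the Velociraptor docs. The dict values are constructed.
-- dict() is a function: it returns a single value, so it is used in LET, not FROM.
LET Config <= dict(hostname="example-host", retries="3", site="lab")

-- items() is a plugin: it is the subject of the query and yields one row
-- per dict member with _key and _value columns.
SELECT _key AS Key,
       upcase(string=_key) AS UpperKey,
       -- functions may nest, but only inside column or WHERE expressions
       format(format="%v is %v chars long", args=[_key, len(list=str(str=_value))]) AS Summary
FROM items(item=Config)
-- functions and operators are also allowed in the condition clause
WHERE _key =~ "host" OR len(list=str(str=_value)) < 2
```

Running this inside a notebook yields two rows (hostname and retries); a plugin such as `items` could not be placed in a SELECT column, and a function such as `dict` could not be placed after FROM.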

| Name | Type | Description |
|---|---|---|
| array | Function | Create an array with all the args |
| atexit | Function | Install a query to run when the query is unwound |
| atoi | Function | Convert a string to an integer |
| base64decode | Function | Decodes a base64 encoded string |
| base64encode | Function | Encodes a string into base64 |
| basename | Function | Return the basename of the path |
| batch | Plugin | Batches query rows into multiple arrays |
| cache | Function | Creates a cache object |
| column_filter | Plugin | Select columns from another query using regex |
| copy | Function | Copy a file |
| count | Function | Counts the items |
| dict | Function | Construct a dict from arbitrary keyword args |
| dirname | Function | Return the directory path |
| encode | Function | Encodes a string as a different type |
| enumerate | Function | Collect all the items in each group by bin |
| environ | Function | Get an environment variable |
| expand | Function | Expand the path using the environment |
| filter | Function | Filters an array by regex or condition |
| format | Function | Format one or more items according to a format string |
| generate | Function | Create a named generator that receives rows from the query |
| get | Function | Gets the member field from item |
| getpid | Function | Returns the current pid of the Velociraptor process |
| humanize | Function | Format items in human readable way |
| if | Function | Conditional execution of query |
| items | Function | Iterate over dict members producing _key and _value columns |
| items | Plugin | Enumerate all members of the item (similar to Python’s items() method) |
| join | Function | Join all the args on a separator |
| killkillkill | Function | Kills the client and forces a restart - this is very aggressive! |
| len | Function | Returns the length of an object |
| log | Function | Log the message and return TRUE |
| lowcase | Function | Returns the lowercase version of a string |
| max | Function | Finds the largest item in the aggregate |
| memoize | Function | Memoize a query into memory |
| min | Function | Finds the smallest item in the aggregate |
| now | Function | Returns current time in seconds since epoch |
| path_join | Function | Build a path by joining all components |
| path_split | Function | Split a path into components |
| query | Function | Launch a subquery and materialize it into a list of rows |
| rand | Function | Selects a random number |
| range | Plugin | Iterate over range |
| read_file | Function | Read a file into a string |
| regex_transform | Function | Search and replace a string with multiple regex |
| relpath | Function | Return the relative path of |
| scope | Function | Return the scope |
| serialize | Function | Encode an object as a string (csv or json) |
| set | Function | Sets the member field of the item |
| sleep | Function | Sleep for the specified number of seconds |
| slice | Function | Slice an array |
| split | Function | Splits a string into an array based on a regexp separator |
| str | Function | Returns the string representation of provided data |
| strip | Function | Strip prefix and/or suffix from a string |
| substr | Function | Create a substring from a string |
| sum | Function | Sums the items |
| tempdir | Function | Create a temporary directory |
| timestamp | Function | Convert from different types to a time |
| to_dict | Function | Construct a dict from a query |
| unhex | Function | Apply hex decoding to the string |
| unzip | Plugin | Unzips a file into a directory |
| upcase | Function | Returns an uppercase version of the string |
| upload_sftp | Function | Upload files to SFTP |
| upload_webdav | Function | Upload files to a WebDAV server |
| url | Function | Construct a URL or parse one |
| utf16 | Function | Parse input from utf16 |
| utf16_encode | Function | Encode a string to utf16 bytes |
| uuid | Function | Generate a UUID |