Functions and plugins that do not fall into a specific category or that have not yet been categorized.

| Plugin/Function | Type | Description |
|---|---|---|
| alert | Function | Generate an alert message |
| all | Function | Returns TRUE if all items are true |
| any | Function | Returns TRUE if any items are true |
| array | Function | Create an array |
| atexit | Function | Install a query to run when the query is unwound |
| background | Function | Run a query in the background |
| batch | Plugin | Batches query rows into multiple arrays |
| cache | Function | Creates a cache object |
| cache_dns | Function | Add a DNS record to the cache |
| cat | Plugin | Read files in chunks |
| cidr_contains | Function | Checks whether an IP address falls within a specified CIDR range |
| collect | Plugin | Collect artifacts into a local file |
| combine | Plugin | Combine the output of several queries into the same result set |
| copy | Function | Copy a file |
| dedup | Plugin | Dedups the query based on a column |
| delay | Plugin | Executes ‘query’ and delays relaying the rows by the specified number of seconds |
| dirname | Function | Return the directory path |
| efivariables | Plugin | Enumerate EFI variables |
| elastic_upload | Plugin | Upload rows to Elastic |
| enumerate | Function | Collect all the items in each group by bin |
| environ | Function | Get an environment variable |
| environ | Plugin | The row returned will have all environment variables as |
| eval | Function | Evaluate a VQL lambda function on the current scope |
| favorites_list | Plugin | List all of the user’s favorites |
| filesystems | Plugin | Enumerates mounted filesystems |
| for | Plugin | Iterate over a list |
| gcs_pubsub_publish | Function | Publish a message to Google PubSub |
| generate | Function | Create a named generator that receives rows from the query |
| geoip | Function | Lookup an IP Address using the MaxMind GeoIP database |
| getpid | Function | Returns the current pid of the Velociraptor process |
| help | Plugin | Dump information about all VQL functions and plugins |
| host | Function | Perform a DNS resolution |
| ip | Function | Format an IP address |
| lazy_dict | Function | Construct a dict from arbitrary keyword args; does not materialize args, so it is suitable for building args via `**` expansion |
| logscale_upload | Plugin | Upload rows to LogScale ingestion server |
| lru | Function | Creates an LRU object |
| magic | Function | Identify a file using magic rules |
| | Function | Send Email to a remote server |
| max | Function | Finds the largest item in the aggregate |
| min | Function | Finds the smallest item in the aggregate |
| netcat | Plugin | Make a tcp connection and read data from a socket |
| notebooks | Plugin | List all notebooks |
| parse_pst | Plugin | Parse a PST file and extract email data |
| patch | Function | Patch a JSON object with a json patch or merge |
| path_join | Function | Build a path by joining all components |
| pe_dump | Function | Dump a PE file from process memory |
| pipe | Function | A pipe allows plugins that use files to read data from a vql |
| process_tracker | Function | Install a global process tracker |
| process_tracker_all | Function | Get all processes stored in the tracker |
| process_tracker_callchain | Function | Get a call chain from the global process tracker |
| process_tracker_children | Function | Get all children of a process |
| process_tracker_tree | Function | Get the full process tree under the process id |
| process_tracker_updates | Plugin | Get the process tracker update events from the global process tracker |
| pskill | Function | Kill the specified process |
| rand | Function | Selects a random number |
| rate | Function | Calculates the rate (derivative) between two quantities |
| read_crypto_file | Plugin | Read a previously stored encrypted local storage file |
| rekey | Function | Causes the client to rekey and regenerate a new client ID |
| remap | Function | Apply a remapping configuration to the root scope |
| rm | Function | Remove a file from the filesystem using the API |
| rsyslog | Function | Send an RFC5424 compliant remote syslog message |
| sample | Plugin | Executes ‘query’ and samples every n’th row |
| serialize | Function | Encode an object as a string |
| sigma_log_sources | Function | Constructs a Log sources object to be used in sigma rules |
| similarity | Function | Compare two Dicts for similarity |
| sleep | Function | Sleep for the specified number of seconds |
| slice | Function | Slice an array |
| splunk_upload | Plugin | Upload rows to Splunk |
| sql | Plugin | Run queries against SQLite, MySQL, and Postgres databases |
| stat | Plugin | Get file information |
| strip | Function | Strip prefix and/or suffix from a string |
| sum | Function | Sums the items |
| template | Function | Expand a Go style template |
| timestamp_format | Function | Format a timestamp into a string |
| typeof | Function | Print the underlying Go type of the variable |
| upcase | Function | Returns an uppercase version of the string |
| upload_azure | Function | Upload files to Azure Blob Storage Service |
| upload_gcs | Function | Upload files to GCS |
| upload_s3 | Function | Upload files to S3 |
| upload_sftp | Function | Upload files to SFTP |
| upload_smb | Function | Upload files using the SMB file share protocol |
| upload_transactions | Plugin | View the outstanding transactions for uploads |
| upload_webdav | Function | Upload files to a WebDAV server |
| url | Function | Construct a URL or parse one |
| uuid | Function | Generate a UUID |
| verify | Function | Verify an artifact |
| version | Function | Gets the version of a VQL plugin or function |
| write_crypto_file | Plugin | Write a query into an encrypted local storage file |
| write_csv | Plugin | Write a query into a CSV file |
| write_jsonl | Plugin | Write a query into a JSONL file |