This page lists the plugins used to collect information from clients.
VQL plugins are the data sources of VQL queries. While SQL queries refer to static tables of data, VQL queries refer to plugins, which generate data rows to be filtered by the query.
Unlike SQL, VQL plugins also receive keyword arguments. When the plugin is evaluated it simply generates a sequence of rows which are further filtered by the query.
This allows VQL statements to be chained naturally since plugin args may also be other queries.
VQL plugins are not the same as VQL functions. A plugin is the subject of the VQL query, i.e. plugins always follow the FROM keyword, while functions (which return a single value instead of a sequence of rows) are only present in column specifications (e.g. after SELECT) or in condition clauses (i.e. after the WHERE keyword).
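The following query is an added illustration (not taken from the Velociraptor documentation) of the rules above: plugins follow FROM, a plugin argument can itself be a query, and functions appear only in the SELECT column list or the WHERE clause. It assumes netstat() exposes Pid, Laddr, Raddr and Status columns, that pslist() accepts a pid argument, and that hash() returns an object with a SHA256 member.

```vql
-- Outer query: columns come from the foreach() plugin after FROM.
-- hash() is a function, so it may only appear in SELECT (here) or WHERE.
SELECT Pid, Name, Exe,
       hash(path=Exe).SHA256 AS ExeSHA256
FROM foreach(
    -- The 'row' argument is itself a query: every established
    -- connection reported by the netstat() plugin becomes one row.
    row={
      SELECT Pid AS ConnPid, Laddr, Raddr
      FROM netstat()
      WHERE Status = "ESTAB"
    },
    -- The 'query' argument runs once per row above; ConnPid from the
    -- row is in scope and is passed as a keyword argument to pslist().
    query={
      SELECT Pid, Name, Exe
      FROM pslist(pid=ConnPid)
    })
-- A condition clause: the =~ operator applies a regex to the column.
WHERE NOT Exe =~ "^C:\\\\Windows\\\\"
```

Each row in the result ties a process with a live network connection to the hash of its executable, which is the kind of chained collection the plugin list below is designed for.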
Plugin/Function | Type | Description |
---|---|---|
chain | Plugin | Chain the output of several queries into the same table |
collect | Plugin | Collect artifacts into a local file |
commandline_split | Function | Split a commandline into separate components following the windows |
connections | Plugin | List all active connections |
crypto_rc4 | Function | Apply rc4 to the string and key |
environ | Plugin | The row returned will have all environment variables as |
execve | Plugin | This plugin launches an external command and captures its STDERR, |
filesystems | Plugin | Enumerates mounted filesystems |
flatten | Plugin | Flatten the columns in query |
for | Plugin | Iterate over a list |
foreach | Plugin | Executes ‘query’ once for each row in the ‘row’ query |
glob | Plugin | Retrieve files based on a list of glob expressions |
grep | Function | Search a file for keywords |
hash | Function | Calculate the hash of a file |
http_client | Plugin | Make an HTTP request |
if | Plugin | Conditional execution of query |
info | Plugin | Get information about the running host |
int | Function | Truncate to an integer |
ip | Function | Format an IP address |
js_get | Function | Get a variable’s value from the JS VM |
js_set | Function | Set a variable's value in the JS VM |
magic | Function | Identify a file using magic rules |
netcat | Plugin | Make a TCP connection and read data from a socket |
netstat | Plugin | Collect network information |
pathspec | Function | Create a structured path spec to pass to certain accessors |
pipe | Function | A pipe allows plugins that use files to read data from a vql |
profile | Plugin | Returns a profile dump from the running process |
pslist | Plugin | Enumerate running processes |
read_file | Plugin | Read files in chunks |
reg_rm_key | Function | Removes a key and all its values from the registry |
reg_rm_value | Function | Removes a value in the registry |
reg_set_value | Function | Set a value in the registry |
rm | Function | Remove a file from the filesystem using the API |
scope | Plugin | The scope plugin returns the current scope as a single row |
sql | Plugin | Run queries against sqlite, mysql, and postgres databases |
stat | Plugin | Get file information |
switch | Plugin | Conditional execution of multiple queries in order |
tempfile | Function | Create a temporary file and write some data into it |
upload | Function | Upload a file to the upload service |
upload | Plugin | Upload files to the server |
upload_gcs | Function | Upload files to GCS |
upload_s3 | Function | Upload files to S3 |
whoami | Function | Returns the username that is running the query |
write_csv | Plugin | Write a query into a CSV file |