These are the functions and plugins that are the most frequently used in Velociraptor’s built-in artifacts and the Community Exchange artifacts. So we can infer that these are the most “popular” and therefore probably the most useful ones for everyday artifact writing.
VQL provides a vast array of functions and plugins allowing queries to manipulate data and implement logic. Many are suitable for specific use cases, however most on this page are considered foundational to the VQL language. They are the general purpose VQL “workhorses”, which is why they are frequently used in the existing artifacts.
If you are new to VQL then this is a good place to start and become acquainted with the commonly used functions and plugins.
| Plugin/Function | Type | Description |
|---|---|---|
| atoi | Function | Convert a string to an integer |
| basename | Function | Return the basename of the path |
| chain | Plugin | Chain the output of several queries into the same table |
| column_filter | Plugin | Select columns from another query using regex |
| count | Function | Counts the items |
| dict | Function | Construct a dict from arbitrary keyword args |
| execve | Plugin | This plugin launches an external command and captures its STDERR, |
| expand | Function | Expand the path using the environment |
| filter | Function | Filters an array by regex or condition |
| flatten | Plugin | Flatten the columns in query |
| foreach | Plugin | Executes ‘query’ once for each row in the ‘row’ query |
| format | Function | Format one or more items according to a format string |
| get | Function | Gets the member field from item |
| glob | Plugin | Retrieve files based on a list of glob expressions |
| http_client | Plugin | Make a http request |
| humanize | Function | Format items in human readable way |
| if | Function | Conditional execution of query |
| if | Plugin | Conditional execution of query |
| info | Plugin | Get information about the running host |
| int | Function | Truncate to an integer |
| items | Function | Iterate over dict members producing _key and _value columns |
| items | Plugin | Enumerate all members of the item (similar to Python’s items() method) |
| join | Function | Join all the args on a separator |
| len | Function | Returns the length of an object |
| log | Function | Log a message to the query log stream |
| lowcase | Function | Returns the lowercase version of a string |
| memoize | Function | Memoize a query into memory |
| netstat | Plugin | Collect network information |
| now | Function | Returns the current time in seconds since epoch |
| plist | Function | Parse plist file |
| process_tracker_get | Function | Get a single process from the global tracker |
| process_tracker_pslist | Plugin | List all processes from the process tracker |
| pslist | Plugin | Enumerate running processes |
| range | Plugin | Iterate over range |
| read_file | Function | Read a file into a string |
| read_file | Plugin | Read files in chunks |
| regex_transform | Function | Search and replace a string with multiple regex |
| scope | Function | return the scope |
| scope | Plugin | The scope plugin returns the current scope as a single row |
| set | Function | Sets the member field of the item |
| sigma | Plugin | Evaluate sigma rules |
| split | Function | Splits a string into an array based on a regexp separator |
| stat | Function | Get file information |
| str | Function | Returns the string representation of provided data |
| substr | Function | Create a substring from a string |
| switch | Plugin | Conditional execution of multiple queries in order |
| tempdir | Function | Create a temporary directory |
| tempfile | Function | Create a temporary file and write some data into it |
| timestamp | Function | Convert from different types to a time |
| to_dict | Function | Construct a dict from a query |
| unzip | Plugin | Unzips a file into a directory |
| upload | Function | Upload a file to the upload service |