Velociraptor provides complete control of the server within VQL queries. On the server, the VQL engine contains the following plugins and functions. You can use this functionality to manage and automate the server by writing VQL queries.
To reuse server side artifacts, simply create an artifact with
type: SERVER and launch it from the “Server Artifacts” screen in
the GUI.
| Plugin/Function | Type | Description |
|---|---|---|
| add_client_monitoring | Function | Adds a new artifact to the client monitoring table |
| add_server_monitoring | Function | Adds a new artifact to the server monitoring table |
| artifact_definitions | Plugin | Dump artifact definitions from the internal repository |
| artifact_delete | Function | Deletes an artifact from the global repository |
| artifact_set | Function | Sets an artifact into the global repository |
| cancel_flow | Function | Cancels the flow |
| cidr_contains | Function | Calculates if an IP address falls within a range of CIDR specified |
| client_delete | Plugin | Delete all information related to a client from the filestore |
| client_info | Function | Returns client info (like the fqdn) from the datastore |
| client_metadata | Function | Returns client metadata from the datastore |
| client_set_metadata | Function | Sets client metadata |
| clients | Plugin | Retrieve the list of clients |
| collect_client | Function | Launch an artifact collection against a client |
| compress | Function | Compress a file |
| create_flow_download | Function | Creates a download pack for the flow |
| create_hunt_download | Function | Creates a download pack for a hunt |
| elastic_upload | Plugin | Upload rows to elastic |
| enumerate_flow | Plugin | Enumerate all the files that make up a flow |
| favorites_delete | Function | Delete a favorite |
| favorites_save | Function | Save a collection into the favorites |
| file_store | Function | Resolves file store paths into full filesystem paths |
| file_store_delete | Function | Delete file store paths |
| flow_results | Plugin | Retrieve the results of a flow |
| flows | Plugin | Retrieve the flows launched on each client |
| gcs_pubsub_publish | Function | Publish a message to Google PubSub |
| geoip | Function | Lookup an IP Address using the MaxMind GeoIP database |
| get_client_monitoring | Function | Retrieve the current client monitoring state |
| get_server_monitoring | Function | Retrieve the current server monitoring state |
| gui_users | Plugin | Retrieve the list of users on the server |
| hunt | Function | Create and launch a hunt |
| hunt_add | Function | Assign a client to a hunt |
| hunt_flows | Plugin | Retrieve the flows launched by a hunt |
| hunt_results | Plugin | Retrieve the results of a hunt |
| hunts | Plugin | Retrieve the list of hunts |
| import_collection | Function | Imports an offline collection zip file (experimental) |
| inventory | Plugin | Retrieve the tools inventory |
| inventory_add | Function | Add or reconfigure a tool into the inventory |
| inventory_get | Function | Get tool info from inventory service |
| label | Function | Add the labels to the client |
| Plugin | Send Email to a remote server | |
| monitoring | Plugin | Extract monitoring log from a client |
| notebook_delete | Plugin | Delete a notebook with all its cells |
| parallelize | Plugin | Runs query on result batches in parallel |
| patch | Function | Patch a JSON object with a json patch or merge |
| rate | Function | Calculates the rate (derivative) between two quantities |
| rm_client_monitoring | Function | Remove an artifact from the client monitoring table |
| rm_server_monitoring | Function | Remove an artifact from the server monitoring table |
| sample | Plugin | Executes ‘query’ and samples every n’th row |
| server_metadata | Function | Returns server metadata from the datastore |
| server_set_metadata | Function | Sets server metadata |
| set_client_monitoring | Function | Sets the current client monitoring state |
| set_server_monitoring | Function | Sets the current server monitoring state |
| source | Plugin | Retrieve rows from an artifact’s source |
| splunk_upload | Plugin | Upload rows to splunk |
| timeline | Plugin | Read a timeline |
| timeline_add | Function | Add a new query to a timeline |
| upload_directory | Function | Upload a file to an upload directory |
| uploads | Plugin | Retrieve information about a flow’s uploads |
| user_create | Function | Creates a new user from the server, or updates their permissions or reset their password |
| user_delete | Function | Deletes a user from the server |