Velociraptor provides complete control of the server within VQL queries. On the server the VQL engine contains the following plugins and functions which you can use to manage and automate the server via VQL queries. Such server-side VQL can be run via Server Artifacts, Notebooks, or the API.
Since these rely on the server datastore and server services they are not available on clients!
| Plugin/Function | Type | Description |
|---|---|---|
| add_client_monitoring | Function | Adds a new artifact to the client monitoring table |
| add_server_monitoring | Function | Adds a new artifact to the server monitoring table |
| artifact_definitions | Plugin | Dump artifact definitions from the internal repository |
| artifact_delete | Function | Deletes an artifact from the global repository |
| artifact_set | Function | Sets an artifact into the global repository |
| artifact_set_metadata | Function | Sets metadata about the artifact |
| backup | Plugin | Generates a backup file |
| backup_restore | Plugin | Restore state from a backup file |
| cancel_flow | Function | Cancels the flow |
| client_create | Function | Create a new client in the data store |
| client_delete | Plugin | Delete all information related to a client from the filestore |
| client_info | Function | Returns client info (like the fqdn) from the datastore |
| client_metadata | Function | Returns client metadata from the datastore |
| client_set_metadata | Function | Sets client metadata |
| clients | Plugin | Retrieve the list of clients |
| collect_client | Function | Launch an artifact collection against a client |
| create_flow_download | Function | Creates a download pack for the flow |
| create_hunt_download | Function | Creates a download pack for a hunt |
| create_notebook_download | Function | Creates a notebook export zip file |
| delete_events | Plugin | Delete events from a flow |
| delete_flow | Plugin | Delete all the files that make up a flow |
| enumerate_flow | Plugin | Enumerate all the files that make up a flow |
| favorites_delete | Function | Delete a favorite |
| favorites_save | Function | Save a collection into the favorites |
| file_store | Function | Resolves file store paths into full filesystem paths |
| file_store_delete | Function | Delete file store paths |
| flow_logs | Plugin | Retrieve the query logs of a flow |
| flow_results | Plugin | Retrieve the results of a flow |
| flows | Plugin | Retrieve the flows launched on each client |
| get_client_monitoring | Function | Retrieve the current client monitoring state |
| get_flow | Function | Gets flow details |
| get_server_monitoring | Function | Retrieve the current server monitoring state |
| gui_users | Plugin | Retrieve the list of users on the server |
| hunt | Function | Create and launch a hunt |
| hunt_add | Function | Assign a client to a hunt |
| hunt_delete | Plugin | Delete a hunt |
| hunt_flows | Plugin | Retrieve the flows launched by a hunt |
| hunt_info | Function | Retrieve the hunt information |
| hunt_results | Plugin | Retrieve the results of a hunt |
| hunt_update | Function | Update a hunt |
| hunts | Plugin | Retrieve the list of hunts |
| import | Function | Imports an artifact into the current scope |
| import_collection | Function | Imports an offline collection zip file (experimental) |
| inventory | Plugin | Retrieve the tools inventory |
| inventory_add | Function | Add or reconfigure a tool into the inventory |
| inventory_get | Function | Get tool info from inventory service |
| killkillkill | Function | Sends a kill message to the client and forces a restart - this is very aggressive! |
| label | Function | Add the labels to the client |
| link_to | Function | Create a url linking to a particular part in the Velociraptor GUI |
| logging | Plugin | Watch the logs emitted by the server |
| Plugin | Send Email to a remote server | |
| monitoring | Plugin | Extract monitoring log from a client |
| monitoring_logs | Plugin | Retrieve log messages from client event monitoring for the specified client id and artifact |
| notebook_create | Function | Create a new notebook |
| notebook_delete | Plugin | Delete a notebook with all its cells |
| notebook_export | Function | Exports a notebook to a zip file or HTML |
| notebook_get | Function | Get a notebook |
| notebook_update | Function | Update a notebook metadata |
| notebook_update_cell | Function | Update a notebook cell |
| org | Function | Return the details of the current org |
| org_create | Function | Creates a new organization |
| org_delete | Function | Deletes an Org from the server |
| orgs | Plugin | Retrieve the list of orgs on this server |
| parallelize | Plugin | Runs query on result batches in parallel |
| passwd | Function | Updates the user’s password |
| query | Plugin | Evaluate a VQL query |
| repack | Function | Repack and upload a repacked binary or MSI to the server |
| rm_client_monitoring | Function | Remove an artifact from the client monitoring table |
| rm_server_monitoring | Function | Remove an artifact from the server monitoring table |
| send_event | Function | Sends an event to a server event monitoring queue |
| server_frontend_cert | Function | Get Server Frontend Certificate |
| server_metadata | Function | Returns server metadata from the datastore |
| server_set_metadata | Function | Sets server metadata |
| set_client_monitoring | Function | Sets the current client monitoring state |
| set_server_monitoring | Function | Sets the current server monitoring state |
| source | Plugin | Retrieve rows from an artifact’s source |
| timeline | Plugin | Read a timeline |
| timeline_add | Function | Add a new query to a timeline |
| timeline_delete | Function | Delete a super timeline |
| timelines | Plugin | List all timelines in a notebook |
| upload_directory | Function | Upload a file to an upload directory |
| uploads | Plugin | Retrieve information about a flow’s uploads |
| user | Function | Retrieves information about the Velociraptor user |
| user_create | Function | Creates a new user from the server, or updates their permissions or reset their password |
| user_delete | Function | Deletes a user from the server |
| user_grant | Function | Grants the user the specified roles |
| user_options | Function | Update and read the user GUI options |
| vfs_ls | Plugin | List directory and build a VFS object |
| whoami | Function | Returns the username that is running the query |