from_velociraptor

Submits VQL to a Velociraptor server and returns the response as events.

from_velociraptor [request_name=string, org_id=string, max_rows=int,
                   subscribe=string, query=string, max_wait=duration, profile=string]

Description

The from_velociraptor input operator provides a request-response interface to a Velociraptor server:

The pipeline operator is the client and it establishes a connection to a Velociraptor server. The client request contains a query written in the Velociraptor Query Language (VQL), a SQL-inspired language with a SELECT .. FROM .. WHERE structure.

You can either send a raw VQL query via from_velociraptor query "<vql>" to a server and processs the response, or hook into a continuous feed of artifacts via from_velociraptor subscribe <artifact>. Whenever a hunt runs that contains this artifact, the server will forward it to the pipeline and emit the artifact payload in the response field HuntResults.

All Velociraptor client-to-server communication is mutually authenticated and encrypted via TLS certificates. This means you must provide client-side certificate, which you can generate as follows. (Velociraptor ships as a static binary that we refer to as velociraptor-binary here.)

Create a server configuration server.yaml:
Terminal window
```
velociraptor-binary config generate > server.yaml
```
Create an API client:
Terminal window
```
velociraptor-binary -c server.yaml config api_client name tenzir client.yaml
```
Copy the generated client.yaml to your Tenzir plugin configuration directory as velociraptor.yaml so that the operator can find it:
Terminal window
```
cp client.yaml /etc/tenzir/plugin/velociraptor.yaml
```
Run the frontend with the server configuration:
Terminal window
```
velociraptor-binary -c server.yaml frontend
```

Now you are ready to run VQL queries!

`request_name = string (optional)`

An identifier for the request to the Velociraptor server.

Defaults to a randoum UUID.

`org_id = string (optional)`

The ID of the Velociraptor organization.

Defaults to "root".

`query = string (optional)`

The VQL query string.

`max_rows = int (optional)`

The maxium number of rows to return in a the stream gRPC messages returned by the server.

Defaults to 1000.

`subscribe = string (optional)`

Subscribes to a flow artifact.

This option generates a larger VQL expression under the hood that creates one event per flow and artifact. The response contains a field HuntResult that contains the result of the hunt.

`max_wait = duration (optional)`

Controls how long to wait before releasing a partial result set.

Defaults to 1s.

`profile = string (optional)`

Specifies the configuration profile for the Velociraptor instance. This enables connecting to multiple Velociraptor instances from the same Tenzir node.

To use profiles, edit your velociraptor.yaml configuration like this, where <config> refers to the contents of the configuration file created by Velociraptor, and <profile> to the desired profile name.

---
title: before
---
<config>

---
title: after
---
profiles:
  <profile>:
    <config>

If profiles are defined, the operator defaults to the first profile.

Examples

Show all processes

from_velociraptor query="select * from pslist()"

Subscribe to a hunt flow containing the `Windows` artifact

from_velociraptor subscribe="Windows"

from_velociraptor

Description

request_name = string (optional)

org_id = string (optional)

query = string (optional)

max_rows = int (optional)

subscribe = string (optional)

max_wait = duration (optional)

profile = string (optional)