Closed mavam closed 8 months ago
We've been discussing this integration in our Discord server. One possible way to do the integration is as follows: a `vql -s <server> <query>` operator that submits a VQL query as a string via gRPC to the server. A proto file exists in the Python bindings.

Christoph provided some insights on how to best use the operator:
When it comes to API responses I see two use cases:

1. Query against the Velociraptor Server (VQL), response by the server. Easy case: the server responds to a single question.

2. Subscribing to "Hunt" results ("Flows"). Flows are results each client sends to the server for one requested Hunt. The wording is a little complicated here; for reference check https://docs.velociraptor.app/docs/gui/hunting/. The Velociraptor server tells connected clients what to search for by defining a "Hunt", containing one or more "Artifacts" (for examples see https://docs.velociraptor.app/artifact_references/). The clients respond with the collected information in a "Flow" (one flow per hunt and client).

   Anyhow: it would be great to be able to just subscribe to the results of Hunts ("Flows"), without having to write a multi-column VQL query like the one contained here (https://docs.velociraptor.app/artifact_references/pages/elastic.flows.upload/, first two "LET" statements in the "query" field). For example something like `vql subscribe artifact="Windows"` (which would subscribe to the JSON result of every Flow containing "Windows" artifacts, parse it to JSON and return it).
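To make the two use cases above concrete, here is an added example (written for this page; it is not tenzir's operator code nor Velociraptor project code) of what the gRPC side of such an operator looks like: building the `VQLCollectorArgs` request, setting up the mutual-TLS channel from an `api_client` config, turning each streamed `VQLResponse` batch into events, and the VQL that a hypothetical `vql subscribe artifact=<regex>` mode could run server-side instead of the hand-written `Elastic.Flows.Upload` query. Assumptions, because the issue does not state them: the stubs generated from Velociraptor's `api.proto` are importable as `pyvelociraptor.api_pb2` / `api_pb2_grpc` (as the `pyvelociraptor` package ships them), the config comes from `velociraptor config api_client --name <user> api_client.yaml`, the `log` field on `VQLResponse`, and the column names used in the subscription VQL (`ClientId`, `FlowId`, `Flow.artifacts_with_results`). The network call is kept in `run_query`; the parsing and query-building helpers run offline on a constructed sample response.

```python
"""Added example, not tenzir or Velociraptor project code.

Assumed (not from the issue): pyvelociraptor.api_pb2 / api_pb2_grpc stubs,
an api_client.yaml from `velociraptor config api_client`, the VQLResponse.log
field and the column names referenced in subscription_vql().
"""
import json
from typing import Dict, Iterator, List

Event = Dict[str, object]


def subscription_vql(artifact_regex: str) -> str:
    """VQL for a hypothetical `vql subscribe artifact=<regex>` mode.

    Watch Velociraptor's own System.Flow.Completion event stream (one row
    per finished flow), then for every artifact that flow collected and
    whose name matches the regex, pull the stored rows with source().
    Column names (ClientId, FlowId, Flow.artifacts_with_results) are an
    assumption of this example, modelled on Elastic.Flows.Upload.
    """
    # The regex lands inside a double-quoted VQL string literal: escape it so
    # a user-supplied value cannot close the literal and append clauses.
    escaped = artifact_regex.replace("\\", "\\\\").replace('"', '\\"')
    return (
        "SELECT * FROM foreach(\n"
        "  row={SELECT ClientId, FlowId, Flow.artifacts_with_results AS Artifacts\n"
        '       FROM watch_monitoring(artifact="System.Flow.Completion")},\n'
        "  query={SELECT * FROM foreach(\n"
        "    row=Artifacts,\n"
        "    query={SELECT *, _value AS Artifact\n"
        "           FROM source(client_id=ClientId, flow_id=FlowId, artifact=_value)\n"
        f'           WHERE _value =~ "{escaped}"}})}})'
    )


def rows_from_response(response_json: str) -> List[Event]:
    """Decode one VQLResponse.Response payload.

    The server streams rows in batches; each message's Response field is a
    JSON-encoded array of row objects. Log-only or keep-alive messages have
    an empty Response and yield no rows.
    """
    if not response_json:
        return []
    rows = json.loads(response_json)
    if not isinstance(rows, list) or not all(isinstance(r, dict) for r in rows):
        raise ValueError("VQL response payload must be a JSON array of objects")
    return rows


def events_from_response(response_json: str, query_name: str) -> List[Event]:
    """Tag every row with the query it came from so downstream consumers can
    tell the outputs of several concurrent VQL requests apart."""
    return [{"query": query_name, **row} for row in rows_from_response(response_json)]


def run_query(config: dict, vql: str, name: str = "tenzir", max_wait: int = 1) -> Iterator[Event]:
    """Submit `vql` over gRPC and yield events until the server closes the stream.

    `config` is the parsed api_client.yaml; it carries the CA, the client
    certificate and key, and api_connection_string. Imports are local so the
    offline helpers above work without grpc or the generated stubs installed.
    """
    import grpc
    from pyvelociraptor import api_pb2, api_pb2_grpc  # assumed module path

    creds = grpc.ssl_channel_credentials(
        root_certificates=config["ca_certificate"].encode("utf8"),
        private_key=config["client_private_key"].encode("utf8"),
        certificate_chain=config["client_cert"].encode("utf8"),
    )
    # The API certificate is issued for this fixed name rather than the host.
    options = (("grpc.ssl_target_name_override", "VelociraptorServer"),)
    with grpc.secure_channel(config["api_connection_string"], creds, options) as channel:
        stub = api_pb2_grpc.APIStub(channel)
        request = api_pb2.VQLCollectorArgs(
            max_wait=max_wait,
            Query=[api_pb2.VQLRequest(Name=name, VQL=vql)],
        )
        for response in stub.Query(request):
            if response.log:  # assumed field: server-side query log lines
                print("velociraptor:", response.log.rstrip())
            yield from events_from_response(response.Response, name)


# Constructed sample: one VQLResponse batch as the server would JSON-encode it.
SAMPLE_RESPONSE = json.dumps([
    {"ClientId": "C.1a2b3c", "FlowId": "F.ABC123", "Artifact": "Windows.System.Pslist", "Pid": 4, "Name": "System"},
    {"ClientId": "C.1a2b3c", "FlowId": "F.ABC123", "Artifact": "Windows.System.Pslist", "Pid": 628, "Name": "lsass.exe"},
])

if __name__ == "__main__":
    print(subscription_vql("^Windows\\."))
    for event in events_from_response(SAMPLE_RESPONSE, "demo"):
        print(event)
```

The only thing the operator has to parse is the `Response` string; rows are already JSON objects, so the "parse it to JSON and return it" step from the second use case is just `json.loads` plus a sanity check on the shape. The subscribe query is where the real complexity hides: it is the same two-level `foreach` that `Elastic.Flows.Upload` spells out by hand, and because the artifact filter ends up inside a VQL string literal, the operator must escape it rather than interpolate user input raw.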
Shipped as part of https://github.com/tenzir/tenzir/pull/3556.
Velociraptor is a DFIR tool. The Velociraptor operator would be a source that runs a VQL query against a Velociraptor server and returns the results as events.