Velociraptor Query Language (VQL) is a powerful, SQL-like language used to create custom artifacts that can query, collect, and monitor almost any aspect of an endpoint.

Can I use this for real-time monitoring?

Yes, the skill provides VQL examples for monitoring process creation, file system changes, and registry modifications in real-time using event-based artifacts.

What is Velociraptor used for in this skill?

Velociraptor is used for endpoint monitoring, digital forensics, and incident response, allowing users to collect artifacts and hunt for threats across large networks using VQL.

How does it integrate with existing security tools?

The skill includes guidance on integrating Velociraptor data with popular SIEMs like Splunk and the Elastic Stack for centralized logging and advanced security analysis.

Does this skill support multi-platform environments?

Yes, it provides deployment and collection patterns for Windows, Linux, and macOS endpoints, including specific artifacts for each operating system.

Velociraptor Incident Response & Forensics

Name: Velociraptor Incident Response & Forensics
Author: mukul975

bymukul975

•

4,121

•

Security & Testing

Deploys and configures Velociraptor for scalable endpoint forensic artifact collection and real-time threat hunting across enterprise environments.

This skill empowers security teams to implement Velociraptor, an open-source endpoint monitoring platform, for rapid digital forensics and incident response (DFIR). It provides specialized guidance on server setup, client deployment across Windows, Linux, and macOS, and the execution of Velociraptor Query Language (VQL) for automated triage. By leveraging large-scale hunts and real-time monitoring capabilities, users can efficiently identify indicators of compromise, collect forensic evidence from thousands of endpoints simultaneously, and integrate findings into modern SIEM/SOAR workflows.

Key Features

014,121 GitHub stars

02Native mapping to MITRE ATT&CK and D3FEND frameworks

03Multi-platform deployment for Windows, Linux, and macOS

04Scalable VQL-based forensic artifact collection and triage

05Enterprise-wide threat hunting via Fleetspeak architecture

06Real-time endpoint monitoring and file system tracking

Use Cases

01Continuous real-time monitoring of sensitive registry keys, system directories, and process events

02Rapid forensic triage and evidence collection during active security incidents

03Proactive enterprise-wide threat hunting for specific file hashes, YARA rules, or patterns

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills implementing-velociraptor-for-ir-collection

For use in Claude.ai and ChatGPT

Key Features

014,121 GitHub stars

02Native mapping to MITRE ATT&CK and D3FEND frameworks

03Multi-platform deployment for Windows, Linux, and macOS

04Scalable VQL-based forensic artifact collection and triage

05Enterprise-wide threat hunting via Fleetspeak architecture

06Real-time endpoint monitoring and file system tracking

Use Cases

01Continuous real-time monitoring of sensitive registry keys, system directories, and process events

02Rapid forensic triage and evidence collection during active security incidents

03Proactive enterprise-wide threat hunting for specific file hashes, YARA rules, or patterns

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills implementing-velociraptor-for-ir-collection

For use in Claude.ai and ChatGPT