What is the Velociraptor skill used for?

It is used to automate digital forensics and incident response tasks, specifically by launching Velociraptor VQL collections on endpoints and analyzing the resulting data through LimaCharlie.

Which operating systems are supported for collections?

The skill supports Velociraptor collections on Windows (x86/x64), Linux (386/amd64/arm64), and macOS (amd64/arm64) EDR sensors.

Can I automate Velociraptor collections based on alerts?

Yes, the skill provides patterns for building D&R (Detection and Response) rules that can automatically trigger collections when specific security events occur.

Are there any prerequisites for using this skill?

Yes, your LimaCharlie organization must have the 'ext-velociraptor' extension subscribed and you must initialize the LimaCharlie context.

How do I access the results of a forensic collection?

Raw data is stored as ZIP files in LimaCharlie's Artifact system, while smaller collections are processed into JSON events that can be queried using LCQL.

Velociraptor DFIR Integration

Name: Velociraptor DFIR Integration
Author: refractionPOINT

$refractionPOINT$ byrefractionPOINT

•

安全与测试

Orchestrates digital forensics and incident response by launching Velociraptor artifact collections and analyzing telemetry within the LimaCharlie ecosystem.

The Velociraptor DFIR skill provides a powerful interface for security analysts to perform advanced forensic triage and threat hunting through Claude. By integrating the Velociraptor framework with LimaCharlie, it enables users to discover VQL artifacts, launch remote collections across Windows, Linux, and macOS endpoints, and retrieve raw or processed results. This skill streamlines the entire IR workflow—from artifact definition to automated D&R rule creation—allowing for rapid evidence gathering and analysis without leaving the terminal.

主要功能

01Seamless LCQL querying of processed Velociraptor JSON events

02Support for automated D&R rules to trigger collections upon detection

03Remote execution of VQL artifact collections on single or multiple sensors

04Real-time discovery and viewing of built-in and external VQL definitions

053 GitHub stars

06Automated retrieval of raw forensic artifacts from the LimaCharlie storage system

使用场景

01Hunting for specific threats using custom or built-in VQL artifacts

02Executing rapid forensic triage across a fleet during an active security incident

03Automating the collection of KAPE-style triage files based on endpoint detections

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add refractionpoint/lc-ai velociraptor

For use in Claude.ai and ChatGPT

Download Skill