What is the Velociraptor skill used for?

It is used to automate digital forensics and incident response tasks, specifically by launching Velociraptor VQL collections on endpoints and analyzing the resulting data through LimaCharlie.

Which operating systems are supported for collections?

The skill supports Velociraptor collections on Windows (x86/x64), Linux (386/amd64/arm64), and macOS (amd64/arm64) EDR sensors.

Can I automate Velociraptor collections based on alerts?

Yes, the skill provides patterns for building D&R (Detection and Response) rules that can automatically trigger collections when specific security events occur.

Are there any prerequisites for using this skill?

Yes, your LimaCharlie organization must have the 'ext-velociraptor' extension subscribed and you must initialize the LimaCharlie context.

How do I access the results of a forensic collection?

Raw data is stored as ZIP files in LimaCharlie's Artifact system, while smaller collections are processed into JSON events that can be queried using LCQL.

Velociraptor DFIR Integration

Name: Velociraptor DFIR Integration
Author: refractionPOINT

byrefractionPOINT

•

安全与测试

Orchestrates digital forensics and incident response by launching Velociraptor artifact collections and analyzing telemetry within the LimaCharlie ecosystem.

关于

The Velociraptor DFIR skill provides a powerful interface for security analysts to perform advanced forensic triage and threat hunting through Claude. By integrating the Velociraptor framework with LimaCharlie, it enables users to discover VQL artifacts, launch remote collections across Windows, Linux, and macOS endpoints, and retrieve raw or processed results. This skill streamlines the entire IR workflow—from artifact definition to automated D&R rule creation—allowing for rapid evidence gathering and analysis without leaving the terminal.

主要功能

Seamless LCQL querying of processed Velociraptor JSON events
Support for automated D&R rules to trigger collections upon detection
Remote execution of VQL artifact collections on single or multiple sensors
Real-time discovery and viewing of built-in and external VQL definitions
3 GitHub stars
Automated retrieval of raw forensic artifacts from the LimaCharlie storage system

使用场景

Hunting for specific threats using custom or built-in VQL artifacts
Executing rapid forensic triage across a fleet during an active security incident
Automating the collection of KAPE-style triage files based on endpoint detections

关于

主要功能

Seamless LCQL querying of processed Velociraptor JSON events
Support for automated D&R rules to trigger collections upon detection
Remote execution of VQL artifact collections on single or multiple sensors
Real-time discovery and viewing of built-in and external VQL definitions
3 GitHub stars
Automated retrieval of raw forensic artifacts from the LimaCharlie storage system

使用场景

Hunting for specific threats using custom or built-in VQL artifacts
Executing rapid forensic triage across a fleet during an active security incident
Automating the collection of KAPE-style triage files based on endpoint detections