Velociraptor DFIR integration for LimaCharlie. List available VQL artifacts, view artifact definitions, launch forensic collections on endpoints. Find raw collection data in Artifacts (type:velociraptor, source:SID). Query processed JSON events from the 'velociraptor' sensor (tag:ext:ext-velociraptor). Build D&R rules for velociraptor_collection events. Use for: forensic triage, incident response, threat hunting, VQL artifact collection.
Launch Velociraptor forensic collections and work with collection results in LimaCharlie.
Prerequisites: Run `/init-lc` to initialize LimaCharlie context.

All LimaCharlie operations use the `limacharlie` CLI directly:

```bash
limacharlie <noun> <verb> --oid <oid> --output yaml [flags]
```

For command help and discovery: `limacharlie <command> --ai-help`
| Rule | Wrong | Right |
|---|---|---|
| CLI Access | Call MCP tools or spawn api-executor | Use `Bash("limacharlie ...")` directly |
| Output Format | `--output json` | `--output yaml` (more token-efficient) |
| Filter Output | Pipe to jq/yq | Use `--filter JMESPATH` to select fields |
| LCQL Queries | Write query syntax manually | Use `limacharlie ai generate-query` first |
| Timestamps | Calculate epoch values | Use `date +%s` or `date -d '7 days ago' +%s` |
| OID | Use org name | Use UUID (call `limacharlie org list` if needed) |
Velociraptor is an open source endpoint visibility tool for digital forensics, incident response, and triage. LimaCharlie integrates with Velociraptor via the ext-velociraptor extension.
When a Velociraptor collection runs:

- Raw Artifacts: The collected data is stored as a ZIP file in LimaCharlie's Artifact system
  - `artifact_type`: `velociraptor`
  - `source` field contains the Sensor ID (SID) where it was collected
- Processed Events: For small collections, data is also processed to JSON and ingested as sensor events
  - Sensor: `velociraptor`
  - Tag: `ext:ext-velociraptor`
  - Event types: `velociraptor_collection`, `artifact_event`
- D&R Automation: You can trigger on these events for automated workflows
Use this skill when the user wants to:
- The organization must have the `ext-velociraptor` extension subscribed.
- The `limacharlie` CLI must be available.
If not already known, get the OID:

```bash
limacharlie org list --output yaml
```

List all VQL artifacts available for collection (built-in and external from triage.velocidex.com):

```bash
limacharlie extension request --name ext-velociraptor --action list_artifacts --oid <oid> --output yaml
```
Before collecting, view an artifact's YAML to understand its parameters:

```bash
limacharlie extension request --name ext-velociraptor --action show_artifact \
  --data '{"artifact_name": "Windows.System.Drivers"}' --oid <oid> --output yaml
```
Collect from a single sensor:

```bash
limacharlie extension request --name ext-velociraptor --action collect \
  --data '{"artifact_list": ["Windows.System.Drivers"], "sid": "<sensor-id>"}' \
  --oid <oid> --output yaml
```

Collect from multiple sensors using a selector:

```bash
limacharlie extension request --name ext-velociraptor --action collect \
  --data '{"artifact_list": ["Windows.KapeFiles.Targets"], "sensor_selector": "plat == windows", "args": "KapeTriage=Y", "collection_ttl": 3600, "retention_ttl": 7}' \
  --oid <oid> --output yaml
```
List raw Velociraptor artifacts stored in the Artifact system:

```bash
limacharlie artifact list --type velociraptor --sid <sensor-id> --oid <oid> --output yaml
```

Download an artifact:

```bash
limacharlie artifact download --id <artifact-id> --oid <oid> --output yaml
```
For small collections, data is also available as events. Use LCQL to query them.

CRITICAL: Always use `limacharlie ai generate-query` first; never write LCQL manually.

```bash
limacharlie ai generate-query --prompt "velociraptor_collection events from the last 7 days" --oid <oid> --output yaml
```

Then execute:

```bash
limacharlie search run --query "<generated-query>" --start <ts> --end <ts> --oid <oid> --output yaml
```

To find the virtual sensor that receives processed Velociraptor data:

```bash
limacharlie sensor list --selector "\`ext:ext-velociraptor\` in tags" --oid <oid> --output yaml
```
| Parameter | Type | Description |
|---|---|---|
| `artifact_list` | string[] | List of artifacts to collect (use one of `artifact_list` OR `custom_artifact`) |
| `custom_artifact` | string | Custom artifact YAML definition |
| `sid` | string | Single sensor ID (use one of `sid` OR `sensor_selector`) |
| `sensor_selector` | string | bexpr selector for multiple sensors (e.g., `plat == windows`) |
| `args` | string | Comma-separated artifact arguments (e.g., `KapeTriage=Y,EventLogs=Y`) |
| `collection_ttl` | int | Seconds to keep attempting collection (default: 604800 = 7 days) |
| `retention_ttl` | int | Days to retain collected artifacts (default: 7) |
| `ignore_cert` | bool | Ignore SSL certificate errors during collection |
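The collect commands above and the parameter table describe a request with several either/or rules (exactly one of `sid` or `sensor_selector`, a non-empty `artifact_list`, integer TTLs) that the CLI only reports once the request reaches the extension. The following script is an added example, not part of this skill or the `limacharlie` CLI: it assembles the `--data` payload for the `collect` action, enforces those rules locally, and either runs the documented `limacharlie extension request` call or, with `LC_DRY_RUN=1`, prints it for review. The function names (`vr_collect`, `vr_collect_payload`, `json_escape`, `json_string_array`) and the `LC_DRY_RUN` variable are this example's own inventions; `custom_artifact` and `ignore_cert` are left out for brevity.

```shell
#!/bin/sh
# Added example (not part of the LimaCharlie skill or the limacharlie CLI).
# Builds the --data JSON for the ext-velociraptor "collect" action, validating
# the either/or rules from the parameter table before anything is sent.

# JSON-escape a string: backslash and double quote are the only characters
# that realistically appear in artifact names, selectors or arguments.
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Turn "A,B,C" into the JSON array ["A","B","C"], skipping empty entries.
json_string_array() {
  printf '['
  _first=1
  _old_ifs=$IFS
  IFS=','
  for _item in $1; do
    [ -n "$_item" ] || continue
    [ "$_first" -eq 1 ] || printf ','
    printf '"%s"' "$(json_escape "$_item")"
    _first=0
  done
  IFS=$_old_ifs
  printf ']'
}

# vr_collect_payload <sid|sensor_selector> <target> <artifacts> [args] [collection_ttl] [retention_ttl]
# Prints the JSON for --data on stdout; returns 1 (message on stderr) on invalid input.
vr_collect_payload() {
  _kind=$1; _target=$2; _artifacts=$3; _args=$4
  _cttl=${5:-604800}   # parameter-table default: 7 days in seconds
  _rttl=${6:-7}        # parameter-table default: 7 days
  case "$_kind" in
    sid|sensor_selector) ;;
    *) echo "target kind must be 'sid' or 'sensor_selector' (exactly one)" >&2; return 1 ;;
  esac
  [ -n "$_target" ] || { echo "target must not be empty" >&2; return 1; }
  [ -n "$_artifacts" ] || { echo "artifact_list must not be empty" >&2; return 1; }
  for _n in "$_cttl" "$_rttl"; do
    case "$_n" in
      ''|*[!0-9]*) echo "collection_ttl and retention_ttl must be non-negative integers" >&2; return 1 ;;
    esac
  done
  _payload="{\"artifact_list\": $(json_string_array "$_artifacts"), \"$_kind\": \"$(json_escape "$_target")\""
  [ -z "$_args" ] || _payload="$_payload, \"args\": \"$(json_escape "$_args")\""
  printf '%s' "$_payload, \"collection_ttl\": $_cttl, \"retention_ttl\": $_rttl}"
}

# vr_collect <oid> <sid|sensor_selector> <target> <artifacts> [args] [collection_ttl] [retention_ttl]
# With LC_DRY_RUN=1 (an assumption of this example) the command is printed, not executed.
vr_collect() {
  _oid=$1; shift
  _data=$(vr_collect_payload "$@") || return 1
  if [ "${LC_DRY_RUN:-0}" = 1 ]; then
    printf "limacharlie extension request --name ext-velociraptor --action collect --data '%s' --oid %s --output yaml\n" "$_data" "$_oid"
  else
    limacharlie extension request --name ext-velociraptor --action collect \
      --data "$_data" --oid "$_oid" --output yaml
  fi
}

# Stand-alone demo: print (do not execute) the KAPE triage call shown in the skill.
LC_DRY_RUN=1
vr_collect "<oid>" sensor_selector "plat == windows" Windows.KapeFiles.Targets KapeTriage=Y 3600 7
```

Unset `LC_DRY_RUN` (or set it to `0`) and pass a real OID to execute the call. Artifact names are comma-separated without spaces, and the selector is passed exactly as you would type it after `--selector`; the script escapes it for JSON so a selector containing double quotes does not corrupt the payload.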
| Artifact | Platform | Description |
|---|---|---|
| `Windows.KapeFiles.Targets` | Windows | KAPE-style triage collection |
| `Windows.System.Pslist` | Windows | Running processes |
| `Windows.System.Drivers` | Windows | Loaded kernel drivers |
| `Windows.Network.Netstat` | Windows | Network connections |
| `Windows.EventLogs.Evtx` | Windows | Windows event logs |
| `Windows.Registry.UserAssist` | Windows | User activity tracking |
| `Generic.System.Pstree` | All | Process tree |
| `Linux.Sys.Users` | Linux | User accounts |
| `Linux.Sys.Syslog` | Linux | System logs |
| `MacOS.Applications.List` | macOS | Installed applications |
Detect when a Velociraptor collection completes:
# Detection