API → UI component mappings · 90,813 documents
| ID | Document | Source |
|---|---|---|
| d0e62e609cec0379 | VQL Plugin: dedup Category: general Dedups the query based on a column. This will suppress rows with identical values for the key column | velociraptor-vql |
| e6e36e8235776889 | VQL Plugin: delay Category: general Executes 'query' and delays relaying the rows by the specified number of seconds. | velociraptor-vql |
| b7316f741721fa19 | VQL Plugin: delete_events Category: server Delete events from a flow. | velociraptor-vql |
| 099f58b022c5bcb8 | VQL Plugin: delete_flow Category: server Delete all the files that make up a flow. | velociraptor-vql |
| 8ea280a52cc2f45a | VQL Function: describe_address Category: general Describe an address in the PE text section. This is used to guess the function this address resides in. We look up the export table of the PE file… | velociraptor-vql |
| 0a92e6ab8faf5cf2 | VQL Function: dict Category: popular Construct a dict from arbitrary keyword args. This function creates a dictionary (a key/value map). NOTE: In VQL dictionaries always have string keys. Sometimes… | velociraptor-vql |
| dd3c57293932c609 | VQL Plugin: diff Category: event Executes 'query' periodically and emits differences from the last query. The `diff()` plugin runs a non-event query periodically and calculates the difference between… | velociraptor-vql |
| 0e5ac2827a028c9c | VQL Function: dirname Category: general Return the directory path. ### Example ```vql dirname(path="/usr/bin/ls") -> "/usr/bin" ``` ### See also - [basename]({{< ref… | velociraptor-vql |
| 56e4ad6203b8feb3 | VQL Plugin: ebpf_events Category: linux Dumps information about potential ebpf_events that can be used by the `watch_ebpf` plugin. ### See also - [watch_ebpf]({{< ref… | velociraptor-vql |
| 113005d92fdb6574 | VQL Plugin: efivariables Category: general Enumerate EFI variables. | velociraptor-vql |
| 8d4b94cc422dc482 | VQL Plugin: elastic_upload Category: general Upload rows to elastic. This uses the Elastic bulk upload API to push arbitrary rows to elastic. The query specified in `query` will be run and each… | velociraptor-vql |
| d0ebf3b9f8fde5da | VQL Function: encode Category: encode Encodes a string as a different type. Currently supported types include 'hex', 'base64'. | velociraptor-vql |
| 7dbbb5c2410e92dd | VQL Function: entropy Category: encode Calculates Shannon scale entropy of a string. | velociraptor-vql |
| 7a51466aea434704 | VQL Function: enumerate Category: general Collect all the items in each group by bin. This is an aggregate function that keeps track of all elements in a GROUP BY group. ### Notes Use this… | velociraptor-vql |
| f0f2f30e245e6442 | VQL Plugin: enumerate_flow Category: server Enumerate all the files that make up a flow. This includes the uploaded files, the result sets and the various metadata files that result flow state… | velociraptor-vql |
| c6b40259607e41e1 | VQL Function: environ Category: general Get an environment variable. | velociraptor-vql |
| 919fb66b20178b5e | VQL Plugin: environ Category: general The row returned will have all environment variables as columns. If the var parameter is provided, only those variables will be provided. | velociraptor-vql |
| 6786dda82f592bad | VQL Plugin: etw_sessions Category: windows Enumerates all active ETW sessions | velociraptor-vql |
| b493059ae46f4852 | VQL Function: eval Category: general Evaluate a VQL lambda function on the current scope. This allows you to use a string as a VQL function - the string will be parsed at runtime as a VQL expression… | velociraptor-vql |
| 705b084b5c95186e | VQL Accessor: ewf Category: general Allow reading an EWF file. Note that usually EWF files form a set of files with extensions like .E01, .E02 etc. This accessor will automatically try to find all… | velociraptor-vql |
| 610999fbbafe0946 | VQL Plugin: execve Category: popular This plugin launches an external command and captures its STDERR, STDOUT and return code. The command's stdout is split using the `sep` parameter as… | velociraptor-vql |
| f28ff5acd871bf31 | VQL Function: expand Category: popular Expand the path using the environment. This function expands environment variables into the path. It is normally needed after using registry values of type… | velociraptor-vql |
| e907828cbebff21c | VQL Accessor: ext4 Category: general Access files by parsing the raw ext4 filesystems. This accessor is designed to operate on a live system. It automatically enumerates the mount points and… | velociraptor-vql |
| cca1cbf3d68df491 | VQL Accessor: fat Category: general Access the FAT filesystem inside an image by parsing FAT. This accessor is designed to operate on images directly. It requires a delegate accessor to get the raw… | velociraptor-vql |
| ffc0654c23cfb892 | VQL Function: favorites_delete Category: server Delete a favorite. | velociraptor-vql |
| c955ef82ad395e90 | VQL Plugin: favorites_list Category: general List all user's favorites. | velociraptor-vql |
| fd3c94a685a08d71 | VQL Function: favorites_save Category: server Save a collection into the favorites. Velociraptor allows the user to save a collection into their "Favorite" list. This allows them to quickly and… | velociraptor-vql |
| 3149e429b56141e3 | VQL Plugin: fifo Category: event Executes 'query' and caches a number of rows from it. For each invocation we present the set of past rows. The `fifo()` plugin allows for VQL queries to apply across… | velociraptor-vql |
| 3e0ffa87cfd8db49 | VQL Accessor: file Category: general Access files using the operating system's API. Does not allow access to raw devices. ### Notes This accessor does not follow symbolic links on `Windows`… | velociraptor-vql |
| e738bad1189e411b | VQL Accessor: file_links Category: general Access the filesystem using the OS APIs. Note: Take care with this accessor because there may be circular links. In particular this is dangerous on Linux… | velociraptor-vql |
| ae00ce8588798a21 | VQL Accessor: file_nocase Category: general Access files using the operating system's API. On Linux this accessor implements case insensitive comparisons over the usual case sensitive filesystem.… | velociraptor-vql |
| e3c358c06efe3048 | VQL Function: file_store Category: server Resolves file store paths into full filesystem paths. This function is only available on the server. It can be used to find the backing file behind a… | velociraptor-vql |
| 567f670f7002e37a | VQL Function: file_store_delete Category: server Delete file store paths. | velociraptor-vql |
| 61dc77b3849f77b9 | VQL Plugin: filesystems Category: general Enumerates mounted filesystems. | velociraptor-vql |
| 1d603a761077966b | VQL Function: filter Category: popular Filters an array by regex or condition. Note that if a condition is specified as well as a regex then only the condition is applied. ###… | velociraptor-vql |
| 8344089e4621803e | VQL Plugin: flatten Category: popular Flatten the columns in query. If any column repeats then we repeat the entire row once for each item. | velociraptor-vql |
| c757842bb28c2324 | VQL Plugin: flow_logs Category: server Retrieve the query logs of a flow. | velociraptor-vql |
| 72083be77542b83e | VQL Plugin: flow_results Category: server Retrieve the results of a flow. This is similar to the source() plugin. ### Notes Since a collection can collect multiple artifacts you must specify the… | velociraptor-vql |
| ac2bf0134515ac00 | VQL Plugin: flows Category: server Retrieve the flows launched on each client. Each flow record will include the creator of the flow, the request and metadata about the collection. | velociraptor-vql |
| ea2b4cc27973b3ed | VQL Plugin: for Category: general Iterate over a list. DEPRECATED - use foreach() instead. | velociraptor-vql |
| 9708f91c39609e55 | VQL Plugin: foreach Category: popular Executes 'query' once for each row in the 'row' query. The columns in row will be stored in the scope that is used to evaluate the query therefore the query may… | velociraptor-vql |
| 994e18fdaf1eaa03 | VQL Function: format Category: popular Format one or more items according to a format string. This function is essentially a wrapper around Golang's fmt.Sprintf() function and uses the same format… | velociraptor-vql |
| ac395f2e78b4716f | VQL Accessor: fs Category: general Provide access to the server's filestore and datastore. Many VQL plugins produce references to files stored on the server. This accessor can be used to open those… | velociraptor-vql |
| f93f8a4f43896a2a | VQL Accessor: fs_sparse Category: general Provide access to the server's filestore and datastore. This accessor expands sparse files. Reading from a sparse region will result in zeros being… | velociraptor-vql |
| 1390093e5178a2a0 | VQL Function: gcs_pubsub_publish Category: general Publish a message to Google PubSub. | velociraptor-vql |
| 7eb6fcbc03326482 | VQL Function: generate Category: general Create a named generator that receives rows from the query. This plugin allows multiple queries to efficiently filter rows from the same query. ###… | velociraptor-vql |
| 6cc448f18914ebde | VQL Function: geoip Category: general Lookup an IP Address using the MaxMind GeoIP database. You can get a copy of the database from https://www.maxmind.com/. The database must be locally… | velociraptor-vql |
| 1630a4175a96f7fc | VQL Function: get Category: popular Gets the member field from the item. This is useful to index an item from an array. ### Example ```vql select get(item=[dict(foo=3), 2, 3, 4], member='0.foo')… | velociraptor-vql |
| f03f5ed1d07da88d | VQL Function: get_client_monitoring Category: server Retrieve the current client monitoring state. The client monitoring table represents the server's configuration of client event queries to… | velociraptor-vql |
| 03c0bf7f4fc4ae76 | VQL Function: get_flow Category: server Gets flow details. | velociraptor-vql |