API → UI component mappings · 90,813 documents
| ID | Document | Source |
|---|---|---|
| 89778d035eb4ca97 | VQL Plugin: parse_journald Category: parsers Parse a journald file. | velociraptor-vql |
| 36f072ebe609b4fe | VQL Function: parse_json Category: parsers Parse a JSON string into an object. Note that when VQL dereferences fields in a dict it returns a Null for those fields that do not exist. Thus there is no… | velociraptor-vql |
| f18f4ae627b2828d | VQL Function: parse_json_array Category: parsers Parse a JSON string into an array. This function is similar to `parse_json()` but works for a JSON list instead of an object. | velociraptor-vql |
| e312fab59c08a558 | VQL Plugin: parse_json_array Category: parsers Parses events from a line oriented json file. | velociraptor-vql |
| e56ad62ef001f670 | VQL Plugin: parse_jsonl Category: parsers Parses a line oriented json file. | velociraptor-vql |
| 6e4bafffd23731fd | VQL Plugin: parse_lines Category: parsers Parse a file separated into lines. Many programs write text based logs separated by line feeds - for example `Apache`, `nginx` or `IIS`. You can parse these… | velociraptor-vql |
| 867cc59ef9d4c1f1 | VQL Plugin: parse_mft Category: parsers Scan the $MFT from an NTFS volume. This plugin expects an $MFT file to operate on. For example, it is commonly used with the 'ntfs' accessor which opens the… | velociraptor-vql |
| fe9994edacee7f2e | VQL Function: parse_ntfs Category: parsers Parse specific inodes from an NTFS image file or the raw device. This function retrieves more information about a specific MFT entry including listing all… | velociraptor-vql |
| 1b062734fa43189e | VQL Plugin: parse_ntfs_i30 Category: parsers Scan the $I30 stream from an NTFS MFT entry. This is similar in use to the parse_ntfs() function but parses the $I30 stream. Note: You can also use a… | velociraptor-vql |
| f5d5d627ffae6dc6 | VQL Plugin: parse_ntfs_ranges Category: parsers Show the run ranges for an NTFS stream. Note: You can also use a raw $MFT file to operate on - see `parse_ntfs()` for a full description. | velociraptor-vql |
| 54fa40ee152eaaa0 | VQL Function: parse_pe Category: parsers Parse a PE file. This function parses a PE file from disk or memory to extract the different aspects of the PE file. The fields include: - `FileHeader`: The… | velociraptor-vql |
| 36a55fb79e6f43ab | VQL Function: parse_pkcs7 Category: parsers Parse a DER encoded pkcs7 string into an object. | velociraptor-vql |
| 8a2800454415b4be | VQL Plugin: parse_pst Category: general Parse a PST file and extract email data. | velociraptor-vql |
| 3dd4933bd549b472 | VQL Plugin: parse_records_with_regex Category: parsers Parses a file with a set of regexp and yields matches as records. The file is read into a large buffer. Then each regular expression is applied… | velociraptor-vql |
| bedc0567a02d2e55 | VQL Plugin: parse_recyclebin Category: parsers Parses a $I file found in the $Recycle.Bin | velociraptor-vql |
| 4e48c2555d3229be | VQL Function: parse_string_with_regex Category: parsers Parse a string with a set of regex and extract fields. Returns a dict with fields populated from all regex capture variables. | velociraptor-vql |
| b17afe90dc01ad9a | VQL Plugin: parse_usn Category: parsers Parse the USN journal from a device, image file or USN file. This plugin calculates the full path of a USN entry by tracing its parent MFT entries through the… | velociraptor-vql |
| f1d9a8258062a699 | VQL Function: parse_x509 Category: parsers Parse a DER encoded x509 string into an object. If you have a base64 encoded certificate you will first need to strip the header and footer and decode it,… | velociraptor-vql |
| fdc546a0caafaa38 | VQL Function: parse_xml Category: parsers Parse an XML document into a dict like object. | velociraptor-vql |
| 31438a55a8f4688b | VQL Function: parse_yaml Category: parsers Parse yaml into an object. | velociraptor-vql |
| 599682d62ce64ee1 | VQL Plugin: partitions Category: windows List all partitions | velociraptor-vql |
| 6168354703234e8d | VQL Function: passwd Category: server Updates the user's password. | velociraptor-vql |
| da6052bc75680bb7 | VQL Function: patch Category: general Patch a JSON object with a json patch or merge. The function allows for modifications of objects by way of applying a json patch. You can read more about JSON… | velociraptor-vql |
| d12fbc3d770b421f | VQL Function: path_join Category: general Build a path by joining all components. | velociraptor-vql |
| fe4e51c24a3d4069 | VQL Function: path_split Category: parsers Split a path into components. Note this is more complex than just split() because it takes into account path escaping. | velociraptor-vql |
| 0d8dc5ee4cb24f04 | VQL Function: pathspec Category: parsers Create a structured path spec to pass to certain accessors. | velociraptor-vql |
| 4fbf6b4e2c44447e | VQL Function: pe_dump Category: general Dump a PE file from process memory. | velociraptor-vql |
| f455136b7ef3dd62 | VQL Accessor: pipe Category: general Read from a VQL pipe. **NOTE: this is not the same as a Windows named pipe**. A VQL pipe allows data to be generated from a VQL query, as the pipe is read, the… | velociraptor-vql |
| 5adc478d28fa8935 | VQL Function: pipe Category: general A pipe allows plugins that use files to read data from a VQL query. **NOTE: this is not the same as a Windows named pipe**. This is needed to be able to use the… | velociraptor-vql |
| 9dc1c47292e60d53 | VQL Function: pk_decrypt Category: encode Decrypt files using pubkey encryption | velociraptor-vql |
| eb7b5953f7a26453 | VQL Function: pk_encrypt Category: encode Encrypt files using pubkey encryption | velociraptor-vql |
| b954b4791f3f063b | VQL Function: plist Category: popular Parse plist file | velociraptor-vql |
| 748196214a68d100 | VQL Plugin: plist Category: parsers Parses a plist file. | velociraptor-vql |
| 687ab8417482eda1 | VQL Plugin: prefetch Category: parsers Parses a prefetch file. | velociraptor-vql |
| 242b49a7e95b2eec | VQL Plugin: proc_dump Category: windows Dumps process memory. Dumps a process into a crashdump. The crashdump file can be opened with the Windows debugger as normal. The plugin returns the… | velociraptor-vql |
| ab7f706dd8d47617 | VQL Plugin: proc_yara Category: windows Scan processes using yara rules. This plugin uses yara's own engine to scan process memory for the signatures. Note: Process memory access… | velociraptor-vql |
| b767cc9a9dda406f | VQL Accessor: process Category: general Access process memory like a file. The Path is taken in the form `/<pid>`, i.e. the pid appears as the top level path component. The accessor does not… | velociraptor-vql |
| e3a11eb941d9a508 | VQL Function: process_tracker Category: general Install a global process tracker. The process tracker is an in-memory cache. It has a limited size with older records being expired. This LRU cache… | velociraptor-vql |
| 6a5ec6b8c01215c4 | VQL Function: process_tracker_all Category: general Get all processes stored in the tracker. | velociraptor-vql |
| 2e86b37ebfd265e0 | VQL Function: process_tracker_callchain Category: general Get a call chain from the global process tracker. | velociraptor-vql |
| b11b90f096b6bbe7 | VQL Function: process_tracker_children Category: general Get all children of a process. | velociraptor-vql |
| 27b2a1f292a38eee | VQL Function: process_tracker_get Category: popular Get a single process from the global tracker. | velociraptor-vql |
| 98ac0190044418d8 | VQL Plugin: process_tracker_pslist Category: popular List all processes from the process tracker. | velociraptor-vql |
| 9745b0effebb56bc | VQL Function: process_tracker_tree Category: general Get the full process tree under the process id. | velociraptor-vql |
| dd7cc9065a8e7852 | VQL Plugin: process_tracker_updates Category: general Get the process tracker update events from the global process tracker. | velociraptor-vql |
| 8dbd1bccd553c548 | VQL Plugin: profile Category: developer Returns a profile dump from the running process. | velociraptor-vql |
| 0c9cb926f9fe9eec | VQL Plugin: profile_goroutines Category: developer Enumerates all running goroutines. | velociraptor-vql |
| ce5886a6196308e3 | VQL Plugin: profile_memory Category: developer Enumerates all in use memory within the runtime. | velociraptor-vql |
| b3aa1b2f623b0e11 | VQL Function: pskill Category: general Kill the specified process. | velociraptor-vql |
| 8a88909df92a13b4 | VQL Plugin: pslist Category: popular Enumerate running processes. When specifying the pid this operation is much faster so if you are interested in specific processes, the pid should be specified.… | velociraptor-vql |