This repository was archived by the owner on Sep 20, 2023. It is now read-only.

Add Velociraptor #66

Open
wants to merge 1 commit into
base: master
9 changes: 9 additions & 0 deletions analyzer_requirements.md
Expand Up @@ -1402,6 +1402,15 @@ The following options are required in the Redmin Responder configuration:
opening status from the Redmine Workflow)
- `closing_task`: Closing the task after successfully creating the Redmine issue

### Velociraptor
This responder can be used to run a flow for a Velociraptor artifact. This could include gathering data, or performing initial response, as the artifact (or artifact "pack") could encompass any number of actions. The responder can be run on an observable type of `ip`, `fqdn`, or `other`, and will look for a matching client via the Velociraptor server. If a client match is found for the last seen IP, or the hostname, the responder will kick off the flow, the results will be returned, and the client ID will be added as a tag to the case and the observable.

#### Requirements
The following options are required in the Velociraptor Responder configuration:

- `velociraptor_client_config`: The path to the Velociraptor API client config.
(See the following for generating an API client config: https://www.velocidex.com/docs/user-interface/api/, and ensure the appropriate ACLs are granted to the API user).
- `velociraptor_artifact`: The name artifact you which to collect (as you would see it in the Velociraptor GUI)

### Wazuh
This responder performs actions on [Wazuh](https://wazuh.com/), the open source security monitoring platform. It
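Review bot: the client-matching rule in this hunk is underspecified. The new Velociraptor section says the responder searches the server and runs the flow "if a client match is found for the last seen IP, or the hostname", but it does not say what happens when several clients share a last-seen IP (NAT, VPN pools and DHCP churn make this common) or when an `other` observable matches nothing. State whether the flow is launched against every match, only a unique match, or aborted with an error, and say which client field each observable type (`ip`, `fqdn`, `other`) is compared against. Two smaller points in the Requirements list: "ensure the appropriate ACLs are granted to the API user" should name the permissions the responder actually needs (searching clients, launching one artifact collection, reading its results) and recommend a least-privilege API user rather than an administrator account, since the file referenced by `velociraptor_client_config` holds that user's credentials and will now sit on the Cortex host; and the `velociraptor_artifact` line has a typo, "The name artifact you which to collect" should read "The name of the artifact you wish to collect".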