Velociraptor Incident Response Overview Velociraptor is an endpoint visibility and forensics platform for collecting host-based state information using Velociraptor Query Language (VQL). It operates in three core modes: Collect (targeted evidence gathering), Monitor (continuous event capture), and Hunt (proactive threat hunting). When to use this skill : - Active incident response requiring endpoint evidence collection - Threat hunting across enterprise infrastructure - Digital forensics investigations and timeline analysis - Endpoint monitoring and anomaly detection - Custom forensic artifac…
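As an added example (not part of the original skill text), the query patterns on this page become reusable once they are packaged as a custom artifact: parameters replace hard-coded values, a precondition keeps the query off the wrong OS, and the same definition serves Collect (one host) and Hunt (the fleet). The artifact below is an assumed name (`Custom.Windows.Persistence.RunKeys`); it reads the Run/RunOnce keys with the `registry` accessor, and it enumerates `HKEY_USERS/*` rather than `HKEY_CURRENT_USER`, because the client runs as SYSTEM and `HKEY_CURRENT_USER` would resolve to SYSTEM's own hive.

```yaml
# Added example artifact (assumed name); import via View Artifacts -> Add.
name: Custom.Windows.Persistence.RunKeys
description: |
  Enumerate Run/RunOnce autostart values for the machine and every loaded
  user hive, optionally restricted to values modified in the last
  LookbackDays. Use in Collect for one host or in a Hunt to stack the
  Value column across the fleet.
type: CLIENT

parameters:
  - name: LookbackDays
    description: Only return values whose key changed within this many days (0 = all).
    type: int
    default: "0"
  - name: ValueRegex
    description: Only return values whose data matches this regex.
    type: regex
    default: "."

sources:
  - precondition: SELECT OS FROM info() WHERE OS = 'windows'
    query: |
      -- One row per registry value; Data.value is the command to be run.
      LET Cutoff <= timestamp(epoch=now() - LookbackDays * 86400)

      SELECT OSPath AS RegistryPath,
             Name AS ValueName,
             Data.value AS Value,
             Mtime AS KeyModified
      FROM glob(globs=[
          "HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*",
          "HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/RunOnce/*",
          "HKEY_LOCAL_MACHINE/SOFTWARE/WOW6432Node/Microsoft/Windows/CurrentVersion/Run/*",
          "HKEY_USERS/*/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*",
          "HKEY_USERS/*/SOFTWARE/Microsoft/Windows/CurrentVersion/RunOnce/*"
      ], accessor="registry")
      WHERE Data.value =~ ValueRegex
        AND (LookbackDays = 0 OR Mtime > Cutoff)
      ORDER BY KeyModified DESC
```

`HKEY_USERS` only contains hives of users who are currently logged on (plus the default and service hives); to cover logged-off users, the `NTUSER.DAT` files under `C:/Users/*/` have to be parsed with the `raw_reg` accessor instead.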

```python
, user_id):
    raise ValueError("Invalid user ID format")

# Use ORM query builders
user = User.query.filter_by(id=user_id).first()
```

**Step 4: Implement least privilege**
- Database user should have minimum required permissions
- Use read-only accounts for SELECT operations
- Never use admin/root accounts for application queries

### XSS Remediation

**Step 1: Enable auto-escaping**
- Most modern frameworks escape by default
- Ensure auto-escaping is not disabled

**Step 2: Use framework-specific safe methods**

```javascript
// React: Use JSX (auto-escapes)
<div>{userInput}</div>

// Vue: Use template syntax (auto-escapes)
<div>{{ userInput }}</div>

// Angular: Use property binding (auto-escapes)
<div [textContent]="userInput"></div>
```

**Step 3: Sanitize when HTML is required**

```javascript
import DOMPurify from 'dompurify';

// Sanitize HTML content
const clean = DOMPurify.sanitize(userHTML, {
  ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'p'],
  ALLOWED_ATTR: []
});
```

**Step 4: Content Security Policy (CSP)**

```html
<!-- Sent as an HTTP response header (or a <meta http-equiv> tag) -->
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{random}'
```

The nonce must be generated fresh for every response and placed on each allowed `<script>` tag; a static or guessable nonce gives no protection.

---

## Advanced Configuration

This section contains detailed configuration options and tuning parameters.

### Example: SAST Tool Configuration

```yaml
# Advanced security scanner configuration
scanner:
  # Severity threshold
  severity_threshold: MEDIUM

  # Rule configuration
  rules:
    enabled:
      - sql-injection
      - xss
      - hardcoded-secrets
    disabled:
      - informational-only

  # False positive reduction
  confidence_threshold: HIGH
  exclude_patterns:
    - "*/test/*"
    - "*/tests/*"
    - "*/node_modules/*"
    - "*.test.js"
    - "*.spec.ts"

  # Performance tuning
  max_file_size_kb: 2048
  timeout_seconds: 300
  parallel_jobs: 4

  # Output configuration
  output_format: json
  include_code_snippets: true
  max_snippet_lines: 10
```

---

## Examples and Code Samples

This section provides comprehensive code examples for various scenarios.

### Example 1: Secure API Authentication

```python
# Secure API key handling
import hmac
import os
from functools import wraps

from flask import Flask, request, jsonify

app = Flask(__name__)

# Load API key from environment (never hardcode)
VALID_API_KEY = os.environ.get('API_KEY')
if not VALID_API_KEY:
    raise ValueError("API_KEY environment variable not set")

def require_api_key(f):
    @wraps(f)
    def decorated_function(*args, **kwargs):
        api_key = request.headers.get('X-API-Key')

        if not api_key:
            return jsonify({'error': 'API key required'}), 401

        # Constant-time comparison to prevent timing attacks.
        # Compare bytes: compare_digest() on str raises TypeError for non-ASCII input.
        if not hmac.compare_digest(api_key.encode('utf-8'), VALID_API_KEY.encode('utf-8')):
            return jsonify({'error': 'Invalid API key'}), 403

        return f(*args, **kwargs)
    return decorated_function

@app.route('/api/secure-endpoint')
@require_api_key
def secure_endpoint():
    return jsonify({'message': 'Access granted'})
```

### Example 2: Secure Password Hashing

```python
# Secure password storage with bcrypt
import bcrypt

def hash_password(password: str) -> str:
    """Hash a password using bcrypt."""
    # Generate salt and hash password
    salt = bcrypt.gensalt(rounds=12)  # Cost factor: 12 (industry standard)
    hashed = bcrypt.hashpw(password.encode('utf-8'), salt)
    return hashed.decode('utf-8')

def verify_password(password: str, hashed: str) -> bool:
    """Verify a password against a hash."""
    return bcrypt.checkpw(
        password.encode('utf-8'),
        hashed.encode('utf-8')
    )

# Usage
stored_hash = hash_password("user_password")
is_valid = verify_password("user_password", stored_hash)  # True
```

bcrypt only processes the first 72 bytes of the input; enforce a maximum password length (or pre-hash longer inputs) so that two passwords sharing a 72-byte prefix do not verify as equal.

### Example 3: Secure File Upload

```python
# Secure file upload with validation
import os
import uuid

import magic  # python-magic (libmagic bindings)
from werkzeug.utils import secure_filename

ALLOWED_EXTENSIONS = {'pdf', 'png', 'jpg', 'jpeg'}
ALLOWED_MIME_TYPES = {
    'application/pdf',
    'image/png',
    'image/jpeg'
}
MAX_FILE_SIZE = 5 * 1024 * 1024  # 5 MB

def is_allowed_file(filename: str, file_content: bytes) -> bool:
    """Validate file extension and MIME type."""
    # Check extension
    if '.' not in filename:
        return False

    ext = filename.rsplit('.', 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False

    # Check MIME type from content (prevent extension spoofing)
    mime = magic.from_buffer(file_content, mime=True)
    if mime not in ALLOWED_MIME_TYPES:
        return False

    return True

def handle_upload(file):
    """Securely handle file upload."""
    # Check file size
    file.seek(0, os.SEEK_END)
    size = file.tell()
    file.seek(0)

    if size > MAX_FILE_SIZE:
        raise ValueError("File too large")

    # Read content for validation
    content = file.read()
    file.seek(0)

    # Validate file type
    if not is_allowed_file(file.filename, content):
        raise ValueError("Invalid file type")

    # Sanitize filename
    filename = secure_filename(file.filename)

    # Generate unique filename to prevent overwrite attacks
    unique_filename = f"{uuid.uuid4()}_{filename}"

    # Save to secure location (outside web root)
    upload_path = os.path.join('/secure/uploads', unique_filename)
    file.save(upload_path)

    return unique_filename
```

---

## Best Practices for Reference Documents

1. **Start with "When to use"** - Help Claude know when to load this reference
2. **Include table of contents** - For documents >100 lines
3. **Use concrete examples** - Code samples with vulnerable and fixed versions
4. **Map to frameworks** - OWASP, CWE, MITRE ATT&CK for context
5. **Provide remediation** - Don't just identify issues, show how to fix them
6. **Organize logically** - Group related content, use clear headings
7. **Keep examples current** - Use modern patterns and current framework versions
8. **Be concise** - Even in references, challenge every sentence

---

File: references/mitre-attack-mapping.md

# MITRE ATT&CK Technique Detection with Velociraptor

Mapping of MITRE ATT&CK techniques to Velociraptor artifacts and VQL queries.

Before using these queries: the artifact names under each technique are a starting point and should be checked against the artifact repository on your server (names differ between releases); the raw-log queries need the corresponding auditing enabled (Sysmon, PowerShell script block logging, process creation with command line, and so on); and `pslist()`/`netstat()` are point-in-time snapshots, so they only catch activity that is still running when the collection happens. `process_tracker_get()` requires the process tracker to be enabled in client monitoring.

## Table of Contents
- [Initial Access](#initial-access)
- [Execution](#execution)
- [Persistence](#persistence)
- [Privilege Escalation](#privilege-escalation)
- [Defense Evasion](#defense-evasion)
- [Credential Access](#credential-access)
- [Discovery](#discovery)
- [Lateral Movement](#lateral-movement)
- [Collection](#collection)
- [Exfiltration](#exfiltration)
- [Command and Control](#command-and-control)

## Initial Access

### T1078: Valid Accounts

**Artifacts**:
- `Windows.EventLogs.EvtxHunter` (EventID 4624, 4625)
- `Windows.EventLogs.RDP`

**VQL Query**:
```sql
-- Network and RemoteInteractive logons (LogonType 3 and 10)
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS LogonTime,
       EventData.TargetUserName AS Username,
       EventData.IpAddress AS SourceIP,
       EventData.LogonType AS LogonType,
       EventData.WorkstationName AS Workstation
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value = 4624
  AND EventData.LogonType IN (3, 10)   -- Network or RemoteInteractive
ORDER BY LogonTime DESC
```

Off-hours filtering belongs in the notebook after collection: `LogonTime` is UTC, and what counts as off-hours depends on the user's time zone and role, so a fixed hour range in the client query produces both misses and noise.

### T1566: Phishing

**Artifacts**:
- `Windows.Forensics.Lnk`
- `Windows.Applications.Office.Keywords`

**VQL Query**:
```sql
-- Office documents in Downloads whose raw bytes contain macro-related keywords
SELECT FullPath,
       Mtime,
       read_file(filename=FullPath, length=100000) AS Content
FROM glob(globs=[
    "C:/Users/*/Downloads/**/*.doc*",
    "C:/Users/*/Downloads/**/*.xls*"
])
WHERE Content =~ 
\"(?i)(macro|vba|shell|exec|powershell)\"\n AND Mtime > timestamp(epoch=now() - 604800)\n```\n\n## Execution\n\n### T1059.001: PowerShell\n\n**Artifacts**:\n- `Windows.EventLogs.PowershellScriptblock`\n- `Windows.System.Powershell.PSReadline`\n\n**VQL Query**:\n```sql\n-- Malicious PowerShell execution\nSELECT timestamp(epoch=System.TimeCreated.SystemTime) AS ExecutionTime,\n EventData.ScriptBlockText AS Command,\n EventData.Path AS ScriptPath\nFROM parse_evtx(filename=\"C:/Windows/System32/winevt/Logs/Microsoft-Windows-PowerShell%4Operational.evtx\")\nWHERE System.EventID.Value = 4104 -- Script Block Logging\n AND EventData.ScriptBlockText =~ \"(?i)(invoke-expression|iex|downloadstring|webclient|bypass|hidden|encodedcommand)\"\nORDER BY ExecutionTime DESC\n```\n\n### T1059.003: Windows Command Shell\n\n**Artifacts**:\n- `Windows.System.Pslist`\n- `Windows.EventLogs.ProcessCreation`\n\n**VQL Query**:\n```sql\n-- Suspicious cmd.exe usage\nSELECT Pid, Ppid, Name, CommandLine, Username, CreateTime\nFROM pslist()\nWHERE Name =~ \"(?i)cmd.exe\"\n AND CommandLine =~ \"(?i)(/c|/k|/r)\"\n AND Ppid IN (\n SELECT Pid FROM pslist()\n WHERE Name =~ \"(?i)(winword|excel|powerpnt|acrobat|outlook)\"\n )\n```\n\n### T1053.005: Scheduled Task\n\n**Artifacts**:\n- `Windows.System.TaskScheduler`\n- `Windows.EventLogs.ScheduledTasks`\n\n**VQL Query**:\n```sql\n-- Recently created scheduled tasks\nSELECT FullPath AS TaskPath,\n parse_xml(file=FullPath).Task.Actions.Exec.Command AS Command,\n parse_xml(file=FullPath).Task.Principals.Principal.UserId AS RunAsUser,\n timestamp(epoch=Mtime) AS Created\nFROM glob(globs=\"C:/Windows/System32/Tasks/**\")\nWHERE NOT IsDir\n AND Mtime > timestamp(epoch=now() - 86400)\n AND Command != \"\"\nORDER BY Created DESC\n```\n\n## Persistence\n\n### T1547.001: Registry Run Keys\n\n**Artifacts**:\n- `Windows.Persistence.PermanentRuns`\n- `Windows.System.StartupItems`\n\n**VQL Query**:\n```sql\n-- Autorun registry entries\nSELECT Key.FullPath AS 
RegistryKey,\n ValueName,\n ValueData.value AS ExecutablePath,\n timestamp(epoch=Key.Mtime) AS LastModified\nFROM read_reg_key(globs=[\n \"HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*\",\n \"HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/RunOnce/*\",\n \"HKEY_CURRENT_USER/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*\",\n \"HKEY_LOCAL_MACHINE/SOFTWARE/WOW6432Node/Microsoft/Windows/CurrentVersion/Run/*\"\n])\nWHERE ValueData.value != \"\"\nORDER BY LastModified DESC\n```\n\n### T1543.003: Windows Service\n\n**Artifacts**:\n- `Windows.System.Services`\n- `Windows.EventLogs.ServiceCreation`\n\n**VQL Query**:\n```sql\n-- Suspicious services\nSELECT Key.Name AS ServiceName,\n ImagePath.value AS ExecutablePath,\n DisplayName.value AS DisplayName,\n Start.value AS StartType,\n timestamp(epoch=Key.Mtime) AS LastModified\nFROM read_reg_key(globs=\"HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/*\")\nWHERE ImagePath.value != \"\"\n AND (\n ImagePath.value =~ \"(?i)(temp|appdata|users)\"\n OR ImagePath.value =~ \"(?i)(powershell|cmd|wscript)\"\n OR Key.Mtime > timestamp(epoch=now() - 604800)\n )\n```\n\n### T1546.003: WMI Event Subscription\n\n**Artifacts**:\n- `Windows.Persistence.PermanentWMIEvents`\n\n**VQL Query**:\n```sql\n-- Malicious WMI event subscriptions\nSELECT Namespace,\n FilterName,\n Query,\n ConsumerName,\n ConsumerType,\n ConsumerData\nFROM wmi(\n query=\"SELECT * FROM __FilterToConsumerBinding\",\n namespace=\"ROOT/Subscription\"\n)\nWHERE ConsumerData =~ \"(?i)(powershell|cmd|wscript|executable)\"\n```\n\n## Privilege Escalation\n\n### T1548.002: Bypass User Account Control\n\n**Artifacts**:\n- `Windows.EventLogs.EvtxHunter` (EventID 4688 with elevated token)\n\n**VQL Query**:\n```sql\n-- UAC bypass indicators\nSELECT timestamp(epoch=System.TimeCreated.SystemTime) AS EventTime,\n EventData.NewProcessName AS ProcessName,\n EventData.CommandLine AS CommandLine,\n EventData.ParentProcessName AS ParentProcess\nFROM 
parse_evtx(filename=\"C:/Windows/System32/winevt/Logs/Security.evtx\")\nWHERE System.EventID.Value = 4688\n AND EventData.TokenElevationType = \"%%1937\" -- Full token elevated\n AND (\n EventData.NewProcessName =~ \"(?i)(fodhelper|computerdefaults|sdclt)\"\n OR EventData.CommandLine =~ \"(?i)(eventvwr|ms-settings)\"\n )\n```\n\n### T1134: Access Token Manipulation\n\n**Artifacts**:\n- `Windows.EventLogs.EvtxHunter` (EventID 4672, 4673)\n\n**VQL Query**:\n```sql\n-- Sensitive privilege use\nSELECT timestamp(epoch=System.TimeCreated.SystemTime) AS EventTime,\n EventData.SubjectUserName AS Username,\n EventData.PrivilegeList AS Privileges\nFROM parse_evtx(filename=\"C:/Windows/System32/winevt/Logs/Security.evtx\")\nWHERE System.EventID.Value = 4672\n AND EventData.PrivilegeList =~ \"(SeDebugPrivilege|SeTcbPrivilege|SeLoadDriverPrivilege)\"\n```\n\n## Defense Evasion\n\n### T1070.001: Clear Windows Event Logs\n\n**Artifacts**:\n- `Windows.EventLogs.Cleared`\n\n**VQL Query**:\n```sql\n-- Event log clearing\nSELECT timestamp(epoch=System.TimeCreated.SystemTime) AS ClearedTime,\n System.Channel AS LogName,\n EventData.SubjectUserName AS Username\nFROM parse_evtx(filename=\"C:/Windows/System32/winevt/Logs/Security.evtx\")\nWHERE System.EventID.Value IN (1102, 104) -- Audit log cleared\nORDER BY ClearedTime DESC\n```\n\n### T1562.001: Disable or Modify Tools\n\n**Artifacts**:\n- `Windows.Forensics.Timeline`\n- `Windows.Registry.RecentDocs`\n\n**VQL Query**:\n```sql\n-- Security tool tampering\nSELECT Key.FullPath AS RegistryKey,\n ValueName,\n ValueData.value AS Value,\n timestamp(epoch=Key.Mtime) AS Modified\nFROM read_reg_key(globs=[\n \"HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows Defender/**\",\n \"HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows Defender/**\",\n \"HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/WinDefend/**\"\n])\nWHERE (\n ValueName =~ \"(?i)(DisableAntiSpyware|DisableRealtimeMonitoring|Start)\"\n AND (ValueData.value = 1 OR 
ValueData.value = 4)\n)\n```\n\n### T1055: Process Injection\n\n**Artifacts**:\n- `Windows.Detection.ProcessInjection`\n- `Windows.Memory.Acquisition`\n\n**VQL Query**:\n```sql\n-- Detect process injection via memory protections\nSELECT Pid,\n process_tracker_get(id=Pid).Name AS ProcessName,\n Address,\n Size,\n Protection,\n Type\nFROM vad()\nWHERE Protection =~ \"EXECUTE.*WRITE\" -- RWX memory\n AND Type = \"Private\"\n AND process_tracker_get(id=Pid).Name NOT IN (\"chrome.exe\", \"firefox.exe\") -- Exclude known JIT\n```\n\n## Credential Access\n\n### T1003.001: LSASS Memory\n\n**Artifacts**:\n- `Windows.EventLogs.ProcessAccess`\n- `Windows.Detection.Mimikatz`\n\n**VQL Query**:\n```sql\n-- LSASS access attempts\nSELECT timestamp(epoch=System.TimeCreated.SystemTime) AS AccessTime,\n EventData.SourceProcessId AS SourcePID,\n EventData.SourceImage AS SourceImage,\n EventData.TargetImage AS TargetImage,\n EventData.GrantedAccess AS AccessRights\nFROM parse_evtx(filename=\"C:/Windows/System32/winevt/Logs/Microsoft-Windows-Sysmon%4Operational.evtx\")\nWHERE System.EventID.Value = 10 -- ProcessAccess\n AND EventData.TargetImage =~ \"(?i)lsass.exe\"\n AND EventData.GrantedAccess =~ \"(0x1010|0x1410|0x143A)\" -- Suspicious access rights\n```\n\n### T1003.002: Security Account Manager\n\n**Artifacts**:\n- `Windows.Forensics.SAM`\n- `Windows.EventLogs.EvtxHunter`\n\n**VQL Query**:\n```sql\n-- SAM registry hive access\nSELECT FullPath,\n timestamp(epoch=Atime) AS AccessTime,\n timestamp(epoch=Mtime) AS ModifiedTime\nFROM glob(globs=[\n \"C:/Windows/System32/config/SAM\",\n \"C:/Windows/System32/config/SYSTEM\",\n \"C:/Windows/System32/config/SECURITY\"\n])\nWHERE Atime > timestamp(epoch=now() - 86400)\n```\n\n### T1555: Credentials from Password Stores\n\n**Artifacts**:\n- `Windows.Forensics.DPAPI`\n- `Windows.Browsers.ChromeHistory`\n\n**VQL Query**:\n```sql\n-- Browser credential access\nSELECT FullPath,\n timestamp(epoch=Atime) AS AccessTime\nFROM glob(globs=[\n 
\"C:/Users/*/AppData/Local/Google/Chrome/User Data/*/Login Data\",\n \"C:/Users/*/AppData/Roaming/Mozilla/Firefox/Profiles/*/logins.json\"\n])\nWHERE Atime > timestamp(epoch=now() - 86400)\nORDER BY AccessTime DESC\n```\n\n## Discovery\n\n### T1082: System Information Discovery\n\n**Artifacts**:\n- `Generic.Client.Info`\n- `Windows.System.SystemInfo`\n\n**VQL Query**:\n```sql\n-- System enumeration commands\nSELECT Pid, Name, CommandLine, Username, CreateTime\nFROM pslist()\nWHERE CommandLine =~ \"(?i)(systeminfo|whoami|ipconfig|hostname|ver)\"\n AND CreateTime > timestamp(epoch=now() - 3600)\nORDER BY CreateTime DESC\n```\n\n### T1083: File and Directory Discovery\n\n**Artifacts**:\n- `Windows.EventLogs.ProcessCreation`\n\n**VQL Query**:\n```sql\n-- File system enumeration\nSELECT Pid, Name, CommandLine, CreateTime\nFROM pslist()\nWHERE CommandLine =~ \"(?i)(dir|tree|findstr|where)\"\n AND CommandLine =~ \"(?i)(\\\\*|recursive|/s|/b)\"\nORDER BY CreateTime DESC\n```\n\n### T1049: System Network Connections Discovery\n\n**Artifacts**:\n- `Windows.Network.Netstat`\n\n**VQL Query**:\n```sql\n-- Network enumeration commands\nSELECT Pid, Name, CommandLine, CreateTime\nFROM pslist()\nWHERE CommandLine =~ \"(?i)(netstat|net use|net view|arp|route print|nslookup)\"\nORDER BY CreateTime DESC\n```\n\n## Lateral Movement\n\n### T1021.001: Remote Desktop Protocol\n\n**Artifacts**:\n- `Windows.EventLogs.RDP`\n- `Windows.EventLogs.EvtxHunter`\n\n**VQL Query**:\n```sql\n-- RDP lateral movement\nSELECT timestamp(epoch=System.TimeCreated.SystemTime) AS LogonTime,\n EventData.TargetUserName AS Username,\n EventData.IpAddress AS SourceIP,\n System.Computer AS DestinationHost\nFROM parse_evtx(filename=\"C:/Windows/System32/winevt/Logs/Security.evtx\")\nWHERE System.EventID.Value = 4624\n AND EventData.LogonType = 10 -- RemoteInteractive\n AND EventData.IpAddress != \"127.0.0.1\"\nORDER BY LogonTime DESC\n```\n\n### T1021.002: SMB/Windows Admin Shares\n\n**Artifacts**:\n- 
`Windows.EventLogs.EvtxHunter` (EventID 5140, 5145)\n\n**VQL Query**:\n```sql\n-- Admin share access\nSELECT timestamp(epoch=System.TimeCreated.SystemTime) AS AccessTime,\n EventData.SubjectUserName AS Username,\n EventData.IpAddress AS SourceIP,\n EventData.ShareName AS Share,\n EventData.RelativeTargetName AS FilePath\nFROM parse_evtx(filename=\"C:/Windows/System32/winevt/Logs/Security.evtx\")\nWHERE System.EventID.Value = 5140\n AND EventData.ShareName =~ \"(?i)(ADMIN\\\\$|C\\\\$|IPC\\\\$)\"\n```\n\n### T1047: Windows Management Instrumentation\n\n**Artifacts**:\n- `Windows.EventLogs.WMIActivity`\n- `Windows.System.Pslist`\n\n**VQL Query**:\n```sql\n-- WMI process creation\nSELECT Pid, Name, CommandLine, Username, CreateTime\nFROM pslist()\nWHERE (\n -- WMI spawned processes\n Ppid IN (SELECT Pid FROM pslist() WHERE Name =~ \"(?i)wmiprvse.exe\")\n\n -- Or WMIC usage\n OR (Name =~ \"(?i)wmic.exe\" AND CommandLine =~ \"(?i)(process call create|/node:)\")\n)\nORDER BY CreateTime DESC\n```\n\n## Collection\n\n### T1005: Data from Local System\n\n**Artifacts**:\n- `Windows.Forensics.Timeline`\n- `Windows.Detection.Yara`\n\n**VQL Query**:\n```sql\n-- Data staging detection\nSELECT FullPath, Size,\n timestamp(epoch=Ctime) AS Created,\n timestamp(epoch=Mtime) AS Modified\nFROM glob(globs=[\n \"C:/Users/*/AppData/**/*.zip\",\n \"C:/Users/*/AppData/**/*.rar\",\n \"C:/Users/*/AppData/**/*.7z\",\n \"C:/Windows/Temp/**/*.zip\"\n])\nWHERE Size > 10485760 -- > 10MB\n AND Ctime > timestamp(epoch=now() - 86400)\nORDER BY Size DESC\n```\n\n### T1119: Automated Collection\n\n**Artifacts**:\n- `Windows.System.Pslist`\n- `Windows.EventLogs.ProcessCreation`\n\n**VQL Query**:\n```sql\n-- Automated collection tools\nSELECT Pid, Name, CommandLine, Username, CreateTime\nFROM pslist()\nWHERE CommandLine =~ \"(?i)(robocopy|xcopy|tar|7z|winrar)\"\n AND CommandLine =~ \"(?i)(/s|recursive|mirror)\"\n```\n\n## Exfiltration\n\n### T1041: Exfiltration Over C2 Channel\n\n**Artifacts**:\n- 
`Windows.Network.NetstatEnriched`\n- `Windows.Detection.NetworkAlerts`\n\n**VQL Query**:\n```sql\n-- Large outbound transfers\nSELECT Laddr.Port AS LocalPort,\n Raddr.IP AS RemoteIP,\n Raddr.Port AS RemotePort,\n Pid,\n process_tracker_get(id=Pid).Name AS ProcessName,\n process_tracker_get(id=Pid).CommandLine AS CommandLine\nFROM netstat()\nWHERE Status = \"ESTABLISHED\"\n AND Raddr.IP !~ \"^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)\"\n AND Raddr.Port NOT IN (80, 443, 22)\n```\n\n### T1052: Exfiltration Over Physical Medium\n\n**Artifacts**:\n- `Windows.Forensics.USBDevices`\n- `Windows.EventLogs.USBActivity`\n\n**VQL Query**:\n```sql\n-- USB file transfers\nSELECT FullPath, Size,\n timestamp(epoch=Mtime) AS Modified\nFROM glob(globs=[\"D:/**\", \"E:/**\", \"F:/**\"]) -- Removable drives\nWHERE Mtime > timestamp(epoch=now() - 86400)\n AND Size > 1048576 -- > 1MB\nORDER BY Mtime DESC, Size DESC\n```\n\n## Command and Control\n\n### T1071: Application Layer Protocol\n\n**Artifacts**:\n- `Windows.Network.NetstatEnriched`\n- `Windows.Detection.Sigma`\n\n**VQL Query**:\n```sql\n-- Unusual outbound connections\nSELECT Raddr.IP AS RemoteIP,\n Raddr.Port AS RemotePort,\n COUNT(*) AS ConnectionCount,\n GROUP_CONCAT(DISTINCT process_tracker_get(id=Pid).Name) AS Processes\nFROM netstat()\nWHERE Status = \"ESTABLISHED\"\n AND Raddr.IP !~ \"^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)\"\n AND Raddr.Port NOT IN (80, 443, 53, 22, 3389)\nGROUP BY Raddr.IP, Raddr.Port\nHAVING ConnectionCount > 10\n```\n\n### T1095: Non-Application Layer Protocol\n\n**Artifacts**:\n- `Windows.Network.RawConnections`\n\n**VQL Query**:\n```sql\n-- Raw socket usage (ICMP tunneling, etc.)\nSELECT Pid,\n process_tracker_get(id=Pid).Name AS ProcessName,\n process_tracker_get(id=Pid).CommandLine AS CommandLine,\n Protocol,\n Laddr.IP AS LocalIP,\n Raddr.IP AS RemoteIP\nFROM netstat()\nWHERE Protocol NOT IN (\"TCP\", \"UDP\")\n AND Raddr.IP != \"\"\n```\n\n### T1219: 
Remote Access Software

**Artifacts**:
- `Windows.System.Pslist`
- `Windows.Persistence.PermanentRuns`

**VQL Query**:
```sql
-- Remote access tools by process or image name
SELECT Pid, Name, Exe, CommandLine, Username
FROM pslist()
WHERE Name =~ "(?i)(teamviewer|anydesk|logmein|ammyy|vnc|radmin|screenconnect)"
   OR Exe =~ "(?i)(remote|rdp|desktop|viewer)"
```

---

File: references/vql-patterns.md

# VQL Query Patterns for Incident Response

Comprehensive VQL query patterns for common incident response and threat hunting scenarios.

These queries run on the client (Collect or Hunt) unless noted. `pslist()` and `netstat()` are point-in-time snapshots, `process_tracker_get()` needs the process tracker enabled in client monitoring, and the event-log queries need the corresponding auditing switched on.

## Table of Contents
- [Process Analysis](#process-analysis)
- [Network Forensics](#network-forensics)
- [File System Analysis](#file-system-analysis)
- [Registry Forensics](#registry-forensics)
- [Memory Analysis](#memory-analysis)
- [Event Log Analysis](#event-log-analysis)
- [Persistence Mechanisms](#persistence-mechanisms)
- [Lateral Movement Detection](#lateral-movement-detection)
- [Data Exfiltration](#data-exfiltration)
- [Malware Analysis](#malware-analysis)

## Process Analysis

### Suspicious Process Detection

```sql
-- Processes with suspicious characteristics
LET OfficeParents <= SELECT Pid FROM pslist()
    WHERE Name =~ "(?i)^(winword|excel|powerpnt|acrobat)"

SELECT Pid, Ppid, Name, CommandLine, Username, Exe, CreateTime
FROM pslist()
WHERE (
    -- Script hosts spawned by Office / PDF readers
    (Ppid IN OfficeParents.Pid
     AND Name =~ "(?i)^(powershell|cmd|wscript|cscript)")

    -- Processes running from temp directories
    OR Exe =~ "(?i)(temp|tmp|appdata)"

    -- Download-and-execute keywords in the command line
    OR CommandLine =~ "(?i)(iex|invoke-expression|downloadstring|webclient|hidden|bypass)"
)
```

### Living-off-the-Land Binaries (LOLBins)

```sql
-- Detect abuse of legitimate Windows binaries
SELECT Pid, Name, CommandLine, Username, Exe
FROM pslist()
WHERE (
    -- certutil for downloading
    (Name =~ "(?i)certutil" AND CommandLine =~ "(?i)(urlcache|url)")

    -- bitsadmin for downloading
    OR (Name =~ "(?i)bitsadmin" AND CommandLine =~ "(?i)(transfer|download)")

    -- mshta for code execution
    OR (Name =~ "(?i)mshta" AND CommandLine =~ "(?i)(http|javascript|vbscript)")

    -- rundll32 suspicious usage
    OR (Name =~ "(?i)rundll32" AND CommandLine =~ "(?i)(javascript|url)")
)
```

### Process Injection Detection

```sql
-- Executable memory not backed by a file, per process (vad() requires a pid).
-- handles() does not expose memory protections; the VAD is the right source.
SELECT * FROM foreach(
  row={ SELECT Pid, Name, Exe FROM pslist() },
  query={
    SELECT Pid, Name, Exe, Address, Size, Protection, MappingName
    FROM vad(pid=Pid)
    WHERE Protection =~ "(?i)(x|EXECUTE)"
      AND NOT MappingName
  })
```

## Network Forensics

### External Connections

```sql
-- All external network connections with process context
SELECT Laddr.IP AS LocalIP,
       Laddr.Port AS LocalPort,
       Raddr.IP AS RemoteIP,
       Raddr.Port AS RemotePort,
       Status, Pid,
       process_tracker_get(id=Pid).Data.Name AS ProcessName,
       process_tracker_get(id=Pid).Data.Exe AS ProcessPath,
       process_tracker_get(id=Pid).Data.CommandLine AS CommandLine
FROM netstat()
WHERE Status =~ "ESTAB"   -- Windows state name is "ESTAB", not "ESTABLISHED"
  AND Raddr.IP != ""
  AND Raddr.IP !~ "^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)"   -- Exclude RFC1918
  AND Raddr.IP !~ "^(127\\.|169\\.254\\.)"   -- Exclude localhost and link-local
```

### Unusual Port Activity

```sql
-- Connections on unusual ports, counted per remote endpoint
-- (VQL has no HAVING: aggregate in a stored query, then filter)
LET Conns = SELECT Raddr.IP AS RemoteIP,
                   Raddr.Port AS RemotePort,
                   format(format="%v:%v", args=[Raddr.IP, Raddr.Port]) AS Endpoint,
                   process_tracker_get(id=Pid).Data.Name AS ProcessName
  FROM netstat()
  WHERE Status =~ "ESTAB"
    AND NOT Raddr.Port IN (80, 443, 22, 3389, 445, 139, 53)

LET Counted = SELECT RemoteIP, RemotePort,
                     count() AS ConnectionCount,
                     enumerate(items=ProcessName) AS Processes
  FROM Conns
  GROUP BY Endpoint

SELECT * FROM Counted WHERE ConnectionCount > 5
```

### DNS Query Analysis

```sql
-- Suspicious DNS queries from the DNS Client operational log
-- (disabled by default; enable the channel before relying on it)
SELECT EventData.QueryName AS Domain,
       EventData.QueryResults AS Results,
       timestamp(epoch=System.TimeCreated.SystemTime) AS QueryTime
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Microsoft-Windows-DNS-Client%4Operational.evtx")
WHERE System.EventID.Value = 3008
  AND (
      -- Long domain names (possible DGA)
      len(list=EventData.QueryName) > 50

      -- Long alphanumeric labels (possible DGA or encoded data)
      OR EventData.QueryName =~ "[a-z0-9]{20,}"

      -- Suspicious TLDs
      OR EventData.QueryName =~ "\\.(tk|ml|ga|cf|gq)$"
  )
```

## File System Analysis

### Recently Modified Executables

```sql
-- Executables modified in last 7 days
SELECT FullPath, Size,
       Mtime AS ModifiedTime,
       Btime AS CreatedTime,
       hash(path=FullPath, accessor="file").SHA256 AS SHA256
FROM glob(globs=[
    "C:/Windows/System32/**/*.exe",
    "C:/Windows/SysWOW64/**/*.exe",
    "C:/Users/*/AppData/**/*.exe",
    "C:/ProgramData/**/*.exe"
])
WHERE Mtime > timestamp(epoch=now() - 604800)   -- 7 days
ORDER BY Mtime DESC
```

### Webshell Detection

```sql
-- Potential webshells in web directories
SELECT FullPath, Size,
       Mtime AS ModifiedTime,
       read_file(filename=FullPath, length=1000) AS Content
FROM glob(globs=[
    "C:/inetpub/wwwroot/**/*.asp",
    "C:/inetpub/wwwroot/**/*.aspx",
    "C:/inetpub/wwwroot/**/*.php",
    "C:/xampp/htdocs/**/*.php"
])
WHERE Content =~ "(?i)(eval|base64_decode|exec|shell_exec|system|passthru|WScript\\.Shell)"
   OR FullPath =~ "(?i)(cmd|shell|upload|backdoor|c99)"
```

`length=1000` only inspects the first kilobyte, so a shell appended to a legitimate page is missed; raise the length (or use `yara()` over the whole file) for a thorough sweep.

### Suspicious File Timestamps

```sql
-- Files with timestamp anomalies (timestomping detection)
SELECT FullPath,
       Mtime AS ModifiedTime,
       Ctime AS ChangeTime,
       Btime AS BornTime
FROM glob(globs="C:/Users/**/*.exe")
WHERE Mtime < Btime   -- Modified time before birth time (anomaly)
   OR Ctime < Btime   -- Change time before birth time
```

## Registry Forensics

### Autorun Locations

```sql
-- Autorun registry values (registry accessor: one row per value)
SELECT FullPath AS RegistryPath,
       Name AS ValueName,
       Data.value AS Value,
       Mtime AS LastModified
FROM glob(globs=[
    "HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*",
    "HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/RunOnce/*",
    "HKEY_USERS/*/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*",
    "HKEY_LOCAL_MACHINE/SOFTWARE/WOW6432Node/Microsoft/Windows/CurrentVersion/Run/*",
    "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/*/ImagePath"
], accessor="registry")
WHERE Data.value != ""
```

### Recent Registry Modifications

```sql
-- Recently modified keys and values in security-sensitive locations
-- (recursive globs over CurrentControlSet are slow; narrow them for hunts)
SELECT FullPath,
       Mtime AS ModifiedTime
FROM glob(globs=[
    "HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/**",
    "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/**",
    "HKEY_USERS/*/SOFTWARE/Microsoft/Windows/CurrentVersion/**"
], accessor="registry")
WHERE Mtime > timestamp(epoch=now() - 86400)   -- Last 24 hours
ORDER BY Mtime DESC
```

### AppInit DLL Injection

```sql
-- AppInit_DLLs is only honoured when LoadAppInit_DLLs is 1 (and never with Secure Boot)
SELECT FullPath AS RegistryPath,
       Name AS ValueName,
       Data.value AS Value,
       Mtime AS LastModified
FROM glob(globs=[
    "HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Windows/*AppInit_DLLs",
    "HKEY_LOCAL_MACHINE/SOFTWARE/WOW6432Node/Microsoft/Windows NT/CurrentVersion/Windows/*AppInit_DLLs"
], accessor="registry")
WHERE Data.value != ""
```

## Memory Analysis

### Suspicious Memory Regions

```sql
-- Private RWX regions in every process (vad() needs a pid)
SELECT * FROM foreach(
  row={ SELECT Pid, Name FROM pslist() },
  query={
    SELECT Pid, Name AS ProcessName, Address, Size, Protection
    FROM vad(pid=Pid)
    WHERE Protection =~ "(?i)(xrw|EXECUTE_READWRITE)"   -- match your release's Protection format
      AND Type = "Private"
  })
```

### Injected Code Detection

```sql
-- Processes that own at least one executable region not backed by a file.
-- A subquery in braces runs per row; LET cannot appear after FROM.
SELECT Pid,
       Name AS ProcessName,
       Exe,
       { SELECT Address, Size, Protection
         FROM vad(pid=Pid)
         WHERE Protection =~ "(?i)(x|EXECUTE)"
           AND Type = "Private"
           AND NOT MappingName } AS InjectedRegions
FROM pslist()
WHERE len(list=InjectedRegions) > 0
```

## Event Log Analysis

### Failed Logon Attempts

```sql
-- Failed authentication attempts
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS EventTime,
       EventData.TargetUserName AS Username,
       EventData.IpAddress AS SourceIP,
       EventData.WorkstationName AS Workstation,
       EventData.FailureReason AS Reason
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value = 4625   -- Failed logon
ORDER BY EventTime DESC
LIMIT 1000
```

### Privilege Escalation Events

```sql
-- Privilege assignment and sensitive privilege use
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS EventTime,
       System.EventID.Value AS EventID,
       EventData.SubjectUserName AS User,
       EventData.PrivilegeList AS Privileges
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value IN (4672, 4673, 4674)   -- Special privilege events
  AND EventData.PrivilegeList =~ "(SeDebugPrivilege|SeTcbPrivilege|SeLoadDriverPrivilege)"
```

### Scheduled Task Creation

```sql
-- Task registration in the Task Scheduler operational log
-- (EventID 106 carries the task name and user only; the task XML is in Security 4698)
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS EventTime,
       EventData.TaskName AS TaskName,
       EventData.UserContext AS RunAsUser
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Microsoft-Windows-TaskScheduler%4Operational.evtx")
WHERE System.EventID.Value = 106   -- Task registered
ORDER BY EventTime DESC
```

The TaskScheduler operational channel is disabled by default on recent Windows releases; if it is empty, fall back to the task XML files (see Persistence) or Security 4698.

## Persistence Mechanisms

### Comprehensive Persistence Hunt

```sql
-- Multi-vector persistence detection
LET RegistryAutoRuns = SELECT "Registry" AS Method, FullPath AS Location, Data.value AS Value
  FROM glob(globs="HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*",
            accessor="registry")

LET ScheduledTasks = SELECT "Scheduled Task" AS Method, FullPath AS Location, "" AS Value
  FROM glob(globs="C:/Windows/System32/Tasks/**")
  WHERE NOT IsDir

LET Services = SELECT "Service" AS Method, Key.Name AS Location, ImagePath AS Value
  FROM read_reg_key(globs="HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/*")
  WHERE ImagePath

LET StartupFolders = SELECT "Startup Folder" AS Method, FullPath AS Location, "" AS Value
  FROM glob(globs=[
      "C:/Users/*/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/*",
      "C:/ProgramData/Microsoft/Windows/Start Menu/Programs/Startup/*"
  ])

SELECT * FROM chain(
    a=RegistryAutoRuns,
    b=ScheduledTasks,
    c=Services,
    d=StartupFolders
)
```

### WMI Event Subscription Persistence

```sql
-- Bindings and command-line consumers in root/subscription
LET Bindings = SELECT Filter, Consumer
  FROM wmi(query="SELECT * FROM __FilterToConsumerBinding", namespace="root/subscription")

LET Consumers = SELECT Name, CommandLineTemplate, ExecutablePath
  FROM wmi(query="SELECT * FROM CommandLineEventConsumer", namespace="root/subscription")

SELECT * FROM chain(a=Bindings, b=Consumers)
```

## Lateral Movement Detection

### PsExec Activity

```sql
-- PsExec-style service installation (System log, EventID 7045)
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS EventTime,
       EventData.ServiceName AS ServiceName,
       EventData.ImagePath AS ExecutablePath,
       EventData.AccountName AS Account
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/System.evtx")
WHERE System.EventID.Value = 7045   -- Service installed
  AND (
      EventData.ServiceName =~ "(?i)PSEXESVC"
      OR EventData.ImagePath =~ "(?i)(^\\\\\\\\|admin\\$|c\\$)"   -- UNC path or admin share
  )
```

### Remote Desktop Activity

```sql
-- RDP logon activity
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS LogonTime,
       EventData.TargetUserName AS Username,
       EventData.IpAddress AS SourceIP,
       EventData.LogonType AS LogonType
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value = 4624   -- Successful logon
  AND EventData.LogonType = 10      -- RemoteInteractive (RDP)
ORDER BY LogonTime DESC
```

### SMB/Admin Share Access

```sql
-- Network share access from remote systems
-- (5140 = share opened; 5145 = object within the share, needs Detailed File Share auditing)
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS AccessTime,
       System.EventID.Value AS EventID,
       EventData.SubjectUserName AS Username,
       EventData.IpAddress AS SourceIP,
       EventData.ShareName AS ShareAccessed,
       EventData.RelativeTargetName AS FileAccessed
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value IN (5140, 5145)
  AND EventData.ShareName =~ "(?i)(ADMIN\\$|C\\$|IPC\\$)"
```

## Data Exfiltration

### Large File Transfers

```sql
-- Large files recently written to removable media
-- (glob() cannot enumerate remote UNC shares; collect network copies from the file server side)
SELECT FullPath,
       Size,
       Mtime AS LastModified,
       hash(path=FullPath, accessor="file").SHA256 AS SHA256
FROM glob(globs=[
    "D:/**",   -- Removable drive (confirm with partitions())
    "E:/**"
])
WHERE Size > 10485760   -- Files larger than 10MB
  AND Mtime > timestamp(epoch=now() - 86400)
ORDER BY Size DESC
```

### USB Device History

```sql
-- USB mass-storage devices seen by this host (USBSTOR/<device>/<serial>/FriendlyName)
SELECT FullPath AS DeviceKey,
       Data.value AS DeviceName,
       Mtime AS KeyModified
FROM glob(globs="HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Enum/USBSTOR/*/*/FriendlyName",
          accessor="registry")
ORDER BY KeyModified DESC
```

### Cloud Storage Activity

```sql
-- Files in cloud sync directories
SELECT FullPath, Size,
       Mtime AS LastModified
FROM glob(globs=[
    "C:/Users/*/OneDrive/**",
    "C:/Users/*/Dropbox/**",
    "C:/Users/*/Google Drive/**"
])
WHERE Mtime > timestamp(epoch=now() - 86400)
ORDER BY Mtime DESC
```

## Malware Analysis

### Suspicious File Indicators

```sql
-- Files with malware-associated characteristics
SELECT FullPath,
       Size,
       Mtime AS ModifiedTime,
       hash(path=FullPath, accessor="file") AS Hashes
FROM glob(globs=[
    "C:/Windows/Temp/**/*.exe",
    "C:/Users/*/AppData/Local/Temp/**/*.exe",
    "C:/ProgramData/**/*.exe"
])
WHERE (
    -- Small executables (potential
```
droppers)\n Size \u003c 102400\n\n -- Or recently created\n OR Mtime > timestamp(epoch=now() - 3600)\n)\n```\n\n### Packed Executable Detection\n\n```sql\n-- Detect potentially packed executables (high entropy)\nSELECT FullPath,\n parse_pe(file=FullPath).Entropy AS Entropy,\n parse_pe(file=FullPath).Sections AS Sections\nFROM glob(globs=\"C:/Users/**/*.exe\")\nWHERE parse_pe(file=FullPath).Entropy > 7.0 -- High entropy suggests packing\n```\n\n### Malicious Scripts\n\n```sql\n-- Suspicious PowerShell/VBS scripts\nSELECT FullPath,\n Size,\n timestamp(epoch=Mtime) AS ModifiedTime,\n read_file(filename=FullPath, length=5000) AS Content\nFROM glob(globs=[\n \"C:/Users/**/*.ps1\",\n \"C:/Users/**/*.vbs\",\n \"C:/Users/**/*.js\",\n \"C:/Windows/Temp/**/*.ps1\"\n])\nWHERE Content =~ \"(?i)(invoke-expression|iex|downloadstring|webclient|bypass|hidden|encodedcommand)\"\n```\n\n## Advanced Hunting Patterns\n\n### Threat Hunting with Multiple Indicators\n\n```sql\n-- Correlate multiple suspicious indicators\nLET SuspiciousProcesses = SELECT Pid, Name, CommandLine\nFROM pslist()\nWHERE CommandLine =~ \"(?i)(bypass|hidden|encodedcommand)\"\n\n-- Materialise (\u003c=) so netstat() runs once, not once per process\nLET SuspiciousConnections \u003c= SELECT Pid, Raddr.IP AS RemoteIP\nFROM netstat()\nWHERE Status = \"ESTABLISHED\"\n AND NOT Raddr.IP =~ \"^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)\"\n\n-- VQL has no JOIN or GROUP_CONCAT: pair each process with its\n-- connections using foreach(), then collect the IPs with enumerate()\nSELECT ProcPid AS Pid,\n Name,\n CommandLine,\n enumerate(items=RemoteIP) AS ConnectedIPs\nFROM foreach(\n row={SELECT Pid AS ProcPid, Name, CommandLine FROM SuspiciousProcesses},\n query={\n SELECT ProcPid, Name, CommandLine, RemoteIP\n FROM SuspiciousConnections\n WHERE Pid = ProcPid\n })\nGROUP BY ProcPid\n```\n\n### Timeline Analysis\n\n```sql\n-- Comprehensive timeline of system activity\nSELECT timestamp(epoch=Timestamp) AS EventTime,\n Source,\n EventType,\n Details\nFROM chain(\n a={SELECT Mtime AS Timestamp, \"FileSystem\" AS Source, \"FileModified\" AS EventType, FullPath AS Details\n FROM glob(globs=\"C:/Users/**\") WHERE Mtime > timestamp(epoch=now() - 86400)},\n b={SELECT System.TimeCreated.SystemTime AS Timestamp, \"EventLog\" AS Source,\n 
format(format=\"EventID:%v\", args=System.EventID.Value) AS EventType,\n EventData AS Details\n FROM parse_evtx(filename=\"C:/Windows/System32/winevt/Logs/Security.evtx\")\n WHERE System.TimeCreated.SystemTime > timestamp(epoch=now() - 86400)},\n c={SELECT Mtime AS Timestamp, \"Registry\" AS Source, \"KeyModified\" AS EventType, FullPath AS Details\n FROM glob(globs=\"HKEY_LOCAL_MACHINE/SOFTWARE/**\", accessor=\"registry\")\n WHERE Mtime > timestamp(epoch=now() - 86400)}\n)\nORDER BY EventTime DESC\n```\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":15588,"content_sha256":"99c1e0a8b7aeea614109d2c455ec4f5a9a8b09052dea3712e4cb40f95be02fa7"},{"filename":"references/WORKFLOW_CHECKLIST.md","content":"# Workflow Checklist Template\n\nThis template demonstrates workflow patterns for security operations. Copy and adapt these checklists to your specific skill needs.\n\n## Pattern 1: Sequential Workflow Checklist\n\nUse this pattern for operations that must be completed in order, step-by-step.\n\n### Security Assessment Workflow\n\nProgress:\n[ ] 1. Identify application entry points and attack surface\n[ ] 2. Map authentication and authorization flows\n[ ] 3. Identify data flows and sensitive data handling\n[ ] 4. Review existing security controls\n[ ] 5. Document findings with framework references (OWASP, CWE)\n[ ] 6. Prioritize findings by severity (CVSS scores)\n[ ] 7. Generate report with remediation recommendations\n\nWork through each step systematically. Check off completed items.\n\n---\n\n## Pattern 2: Conditional Workflow\n\nUse this pattern when the workflow branches based on findings or conditions.\n\n### Vulnerability Remediation Workflow\n\n1. 
Identify vulnerability type\n - If SQL Injection → See [sql-injection-remediation.md](sql-injection-remediation.md)\n - If XSS (Cross-Site Scripting) → See [xss-remediation.md](xss-remediation.md)\n - If Authentication flaw → See [auth-remediation.md](auth-remediation.md)\n - If Authorization flaw → See [authz-remediation.md](authz-remediation.md)\n - If Cryptographic issue → See [crypto-remediation.md](crypto-remediation.md)\n\n2. Assess severity using CVSS calculator\n - If CVSS >= 9.0 → Priority: Critical (immediate action)\n - If CVSS 7.0-8.9 → Priority: High (action within 24h)\n - If CVSS 4.0-6.9 → Priority: Medium (action within 1 week)\n - If CVSS \u003c 4.0 → Priority: Low (action within 30 days)\n\n3. Apply appropriate remediation pattern\n4. Validate fix with security testing\n5. Document changes and update security documentation\n\n---\n\n## Pattern 3: Iterative Workflow\n\nUse this pattern for operations that repeat across multiple targets or items.\n\n### Code Security Review Workflow\n\nFor each file in the review scope:\n1. Identify security-sensitive operations (auth, data access, crypto, input handling)\n2. Check against secure coding patterns for the language\n3. Flag potential vulnerabilities with severity rating\n4. Map findings to CWE and OWASP categories\n5. Suggest specific remediation approaches\n6. Document finding with code location and fix priority\n\nContinue until all files in scope have been reviewed.\n\n---\n\n## Pattern 4: Feedback Loop Workflow\n\nUse this pattern when validation and iteration are required.\n\n### Secure Configuration Generation Workflow\n\n1. Generate initial security configuration based on requirements\n2. Run validation script: `./scripts/validate_config.py config.yaml`\n3. Review validation output:\n - Note all errors (must fix)\n - Note all warnings (should fix)\n - Note all info items (consider)\n4. Fix identified issues in configuration\n5. Repeat steps 2-4 until validation passes with zero errors\n6. 
Review warnings and determine if they should be addressed\n7. Apply configuration once validation is clean\n\n**Validation Loop**: Run validator → Fix errors → Repeat until clean\n\n---\n\n## Pattern 5: Parallel Analysis Workflow\n\nUse this pattern when multiple independent analyses can run concurrently.\n\n### Comprehensive Security Scan Workflow\n\nRun these scans in parallel:\n\n**Static Analysis**:\n[ ] 1a. Run SAST scan (Semgrep/Bandit)\n[ ] 1b. Run dependency vulnerability scan (Safety/npm audit)\n[ ] 1c. Run secrets detection (Gitleaks/TruffleHog)\n[ ] 1d. Run license compliance check\n\n**Dynamic Analysis**:\n[ ] 2a. Run DAST scan (ZAP/Burp)\n[ ] 2b. Run API security testing\n[ ] 2c. Run authentication/authorization testing\n\n**Infrastructure Analysis**:\n[ ] 3a. Run infrastructure-as-code scan (Checkov/tfsec)\n[ ] 3b. Run container image scan (Trivy/Grype)\n[ ] 3c. Run configuration review\n\n**Consolidation**:\n[ ] 4. Aggregate all findings\n[ ] 5. Deduplicate and correlate findings\n[ ] 6. Prioritize by risk (CVSS + exploitability + business impact)\n[ ] 7. Generate unified security report\n\n---\n\n## Pattern 6: Research and Documentation Workflow\n\nUse this pattern for security research and documentation tasks.\n\n### Threat Modeling Workflow\n\nResearch Progress:\n[ ] 1. Identify system components and boundaries\n[ ] 2. Map data flows between components\n[ ] 3. Identify trust boundaries\n[ ] 4. Enumerate assets (data, services, credentials)\n[ ] 5. Apply STRIDE framework to each component:\n - Spoofing threats\n - Tampering threats\n - Repudiation threats\n - Information disclosure threats\n - Denial of service threats\n - Elevation of privilege threats\n[ ] 6. Map threats to MITRE ATT&CK techniques\n[ ] 7. Identify existing mitigations\n[ ] 8. Document residual risks\n[ ] 9. Recommend additional security controls\n[ ] 10. Generate threat model document\n\nWork through each step systematically. 
Check off completed items.\n\n---\n\n## Pattern 7: Compliance Validation Workflow\n\nUse this pattern for compliance checks against security standards.\n\n### Security Compliance Audit Workflow\n\n**SOC 2 Controls Review**:\n[ ] 1. Review access control policies (CC6.1, CC6.2, CC6.3)\n[ ] 2. Verify logical access controls implementation (CC6.1)\n[ ] 3. Review authentication mechanisms (CC6.1)\n[ ] 4. Verify encryption implementation (CC6.1, CC6.7)\n[ ] 5. Review audit logging configuration (CC7.2)\n[ ] 6. Verify security monitoring (CC7.2, CC7.3)\n[ ] 7. Review incident response procedures (CC7.3, CC7.4)\n[ ] 8. Verify backup and recovery processes (A1.2, A1.3)\n\n**Evidence Collection**:\n[ ] 9. Collect policy documents\n[ ] 10. Collect configuration screenshots\n[ ] 11. Collect audit logs\n[ ] 12. Document control gaps\n[ ] 13. Generate compliance report\n\n---\n\n## Pattern 8: Incident Response Workflow\n\nUse this pattern for security incident handling.\n\n### Security Incident Response Workflow\n\n**Detection and Analysis**:\n[ ] 1. Confirm security incident (rule out false positive)\n[ ] 2. Determine incident severity (SEV1/2/3/4)\n[ ] 3. Identify affected systems and data\n[ ] 4. Preserve evidence (logs, memory dumps, network captures)\n\n**Containment**:\n[ ] 5. Isolate affected systems (network segmentation)\n[ ] 6. Disable compromised accounts\n[ ] 7. Block malicious indicators (IPs, domains, hashes)\n[ ] 8. Implement temporary compensating controls\n\n**Eradication**:\n[ ] 9. Identify root cause\n[ ] 10. Remove malicious artifacts (malware, backdoors, webshells)\n[ ] 11. Patch vulnerabilities exploited\n[ ] 12. Reset compromised credentials\n\n**Recovery**:\n[ ] 13. Restore systems from clean backups (if needed)\n[ ] 14. Re-enable systems with monitoring\n[ ] 15. Verify system integrity\n[ ] 16. Resume normal operations\n\n**Post-Incident**:\n[ ] 17. Document incident timeline\n[ ] 18. Identify lessons learned\n[ ] 19. 
Update security controls to prevent recurrence\n[ ] 20. Update incident response procedures\n[ ] 21. Communicate with stakeholders\n\n---\n\n## Usage Guidelines\n\n### When to Use Workflow Checklists\n\n✅ **Use checklists for**:\n- Complex multi-step operations\n- Operations requiring specific order\n- Security assessments and audits\n- Incident response procedures\n- Compliance validation tasks\n\n❌ **Don't use checklists for**:\n- Simple single-step operations\n- Highly dynamic exploratory work\n- Operations that vary significantly each time\n\n### Adapting This Template\n\n1. **Copy relevant pattern** to your skill's SKILL.md or create new reference file\n2. **Customize steps** to match your specific security tool or process\n3. **Add framework references** (OWASP, CWE, NIST) where applicable\n4. **Include tool-specific commands** for automation\n5. **Add decision points** where manual judgment is required\n\n### Checklist Best Practices\n\n- **Be specific**: \"Run semgrep --config=auto .\" not \"Scan the code\"\n- **Include success criteria**: \"Validation passes with 0 errors\"\n- **Reference standards**: Link to OWASP, CWE, NIST where relevant\n- **Show progress**: Checkbox format helps track completion\n- **Provide escape hatches**: \"If validation fails, see troubleshooting.md\"\n\n### Integration with Feedback Loops\n\nCombine checklists with validation scripts for maximum effectiveness:\n\n1. Create checklist for the workflow\n2. Provide validation script that checks quality\n3. Include \"run validator\" step in checklist\n4. 
Loop: Complete step → Validate → Fix issues → Re-validate\n\nThis pattern dramatically improves output quality through systematic validation.\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":8390,"content_sha256":"f667c8d5c6e5c50b491643d644082ff202a6bb94476e0e7b648c6d0e5c8a080f"},{"filename":"skill-report.json","content":"{\n \"schema_version\": \"2.0\",\n \"meta\": {\n \"generated_at\": \"2026-01-16T15:43:31.707Z\",\n \"slug\": \"agentsecops-ir-velociraptor\",\n \"source_url\": \"https://github.com/AgentSecOps/SecOpsAgentKit/tree/main/skills/incident-response/ir-velociraptor\",\n \"source_ref\": \"main\",\n \"model\": \"claude\",\n \"analysis_version\": \"3.0.0\",\n \"source_type\": \"community\",\n \"content_hash\": \"bb1f3f709c90340339415916060091aebb532f3691b0bf8f8429e6e41a3e720f\",\n \"tree_hash\": \"26a5c8d9ae38d6755103cacbfc10138feccbea660a6b97b3ef1840a8930aa2ee\"\n },\n \"skill\": {\n \"name\": \"ir-velociraptor\",\n \"description\": \"Endpoint visibility, digital forensics, and incident response using Velociraptor Query Language (VQL) for evidence collection and threat hunting at scale. 
Use when: (1) Conducting forensic investigations across multiple endpoints, (2) Hunting for indicators of compromise or suspicious activities, (3) Collecting endpoint telemetry and artifacts for incident analysis, (4) Performing live response and evidence preservation, (5) Monitoring endpoints for security events, (6) Creating custom forensic artifacts for specific threat scenarios.\\n\",\n \"summary\": \"Endpoint visibility, digital forensics, and incident response using Velociraptor Query Language (VQL...\",\n \"icon\": \"🔍\",\n \"version\": \"0.1.0\",\n \"author\": \"AgentSecOps\",\n \"license\": \"MIT\",\n \"category\": \"incident-response\",\n \"tags\": [\n \"forensics\",\n \"incident-response\",\n \"endpoint-detection\",\n \"threat-hunting\",\n \"vql\",\n \"dfir\",\n \"live-response\",\n \"evidence-collection\"\n ],\n \"supported_tools\": [\n \"claude\",\n \"codex\",\n \"claude-code\"\n ],\n \"risk_factors\": [\n \"network\",\n \"external_commands\",\n \"filesystem\",\n \"env_access\",\n \"scripts\"\n ]\n },\n \"security_audit\": {\n \"risk_level\": \"safe\",\n \"is_blocked\": false,\n \"safe_to_publish\": true,\n \"summary\": \"Pure documentation skill containing only markdown reference files and YAML templates for the legitimate open-source Velociraptor DFIR platform. All patterns detected are false positives: VQL queries (not shell commands), detection patterns (not C2 code), forensic artifacts (not credential theft), and documentation links. 
This is incident response documentation for security professionals.\",\n \"risk_factor_evidence\": [\n {\n \"factor\": \"network\",\n \"evidence\": [\n {\n \"file\": \"assets/artifact-template.yaml\",\n \"line_start\": 126,\n \"line_end\": 126\n },\n {\n \"file\": \"assets/artifact-template.yaml\",\n \"line_start\": 127,\n \"line_end\": 127\n },\n {\n \"file\": \"assets/artifact-template.yaml\",\n \"line_start\": 132,\n \"line_end\": 132\n },\n {\n \"file\": \"assets/ci-config-template.yml\",\n \"line_start\": 240,\n \"line_end\": 240\n },\n {\n \"file\": \"assets/hunt-template.yaml\",\n \"line_start\": 138,\n \"line_end\": 138\n },\n {\n \"file\": \"assets/hunt-template.yaml\",\n \"line_start\": 138,\n \"line_end\": 138\n },\n {\n \"file\": \"assets/rule-template.yaml\",\n \"line_start\": 43,\n \"line_end\": 43\n },\n {\n \"file\": \"assets/rule-template.yaml\",\n \"line_start\": 44,\n \"line_end\": 44\n },\n {\n \"file\": \"assets/rule-template.yaml\",\n \"line_start\": 45,\n \"line_end\": 45\n },\n {\n \"file\": \"assets/rule-template.yaml\",\n \"line_start\": 73,\n \"line_end\": 73\n },\n {\n \"file\": \"assets/rule-template.yaml\",\n \"line_start\": 118,\n \"line_end\": 118\n },\n {\n \"file\": \"assets/rule-template.yaml\",\n \"line_start\": 119,\n \"line_end\": 119\n },\n {\n \"file\": \"assets/rule-template.yaml\",\n \"line_start\": 151,\n \"line_end\": 151\n },\n {\n \"file\": \"assets/rule-template.yaml\",\n \"line_start\": 191,\n \"line_end\": 191\n },\n {\n \"file\": \"assets/rule-template.yaml\",\n \"line_start\": 192,\n \"line_end\": 192\n },\n {\n \"file\": \"assets/rule-template.yaml\",\n \"line_start\": 193,\n \"line_end\": 193\n },\n {\n \"file\": \"assets/rule-template.yaml\",\n \"line_start\": 217,\n \"line_end\": 217\n },\n {\n \"file\": \"assets/rule-template.yaml\",\n \"line_start\": 260,\n \"line_end\": 260\n },\n {\n \"file\": \"assets/rule-template.yaml\",\n \"line_start\": 261,\n \"line_end\": 261\n },\n {\n \"file\": 
\"assets/rule-template.yaml\",\n \"line_start\": 288,\n \"line_end\": 288\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 594,\n \"line_end\": 594\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 595,\n \"line_end\": 595\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 627,\n \"line_end\": 627\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 410,\n \"line_end\": 410\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 411,\n \"line_end\": 411\n },\n {\n \"file\": \"references/deployment-guide.md\",\n \"line_start\": 77,\n \"line_end\": 77\n },\n {\n \"file\": \"references/deployment-guide.md\",\n \"line_start\": 110,\n \"line_end\": 110\n },\n {\n \"file\": \"references/deployment-guide.md\",\n \"line_start\": 200,\n \"line_end\": 200\n },\n {\n \"file\": \"references/deployment-guide.md\",\n \"line_start\": 325,\n \"line_end\": 325\n },\n {\n \"file\": \"references/deployment-guide.md\",\n \"line_start\": 117,\n \"line_end\": 117\n },\n {\n \"file\": \"references/deployment-guide.md\",\n \"line_start\": 122,\n \"line_end\": 122\n },\n {\n \"file\": \"references/deployment-guide.md\",\n \"line_start\": 126,\n \"line_end\": 126\n },\n {\n \"file\": \"references/deployment-guide.md\",\n \"line_start\": 127,\n \"line_end\": 127\n },\n {\n \"file\": \"references/deployment-guide.md\",\n \"line_start\": 128,\n \"line_end\": 128\n },\n {\n \"file\": \"references/deployment-guide.md\",\n \"line_start\": 132,\n \"line_end\": 132\n },\n {\n \"file\": \"references/deployment-guide.md\",\n \"line_start\": 357,\n \"line_end\": 357\n },\n {\n \"file\": \"references/deployment-guide.md\",\n \"line_start\": 358,\n \"line_end\": 358\n },\n {\n \"file\": \"references/deployment-guide.md\",\n \"line_start\": 359,\n \"line_end\": 359\n },\n {\n \"file\": \"references/deployment-guide.md\",\n \"line_start\": 370,\n \"line_end\": 370\n },\n 
{\n \"file\": \"references/deployment-guide.md\",\n \"line_start\": 371,\n \"line_end\": 371\n },\n {\n \"file\": \"references/deployment-guide.md\",\n \"line_start\": 372,\n \"line_end\": 372\n },\n {\n \"file\": \"references/deployment-guide.md\",\n \"line_start\": 385,\n \"line_end\": 385\n },\n {\n \"file\": \"references/deployment-guide.md\",\n \"line_start\": 411,\n \"line_end\": 411\n },\n {\n \"file\": \"references/mitre-attack-mapping.md\",\n \"line_start\": 419,\n \"line_end\": 419\n },\n {\n \"file\": \"skill-report.json\",\n \"line_start\": 6,\n \"line_end\": 6\n },\n {\n \"file\": \"SKILL.md\",\n \"line_start\": 19,\n \"line_end\": 19\n },\n {\n \"file\": \"SKILL.md\",\n \"line_start\": 20,\n \"line_end\": 20\n },\n {\n \"file\": \"SKILL.md\",\n \"line_start\": 21,\n \"line_end\": 21\n },\n {\n \"file\": \"SKILL.md\",\n \"line_start\": 43,\n \"line_end\": 43\n },\n {\n \"file\": \"SKILL.md\",\n \"line_start\": 48,\n \"line_end\": 48\n },\n {\n \"file\": \"SKILL.md\",\n \"line_start\": 329,\n \"line_end\": 329\n },\n {\n \"file\": \"SKILL.md\",\n \"line_start\": 330,\n \"line_end\": 330\n },\n {\n \"file\": \"SKILL.md\",\n \"line_start\": 331,\n \"line_end\": 331\n },\n {\n \"file\": \"SKILL.md\",\n \"line_start\": 332,\n \"line_end\": 332\n },\n {\n \"file\": \"SKILL.md\",\n \"line_start\": 333,\n \"line_end\": 333\n },\n {\n \"file\": \"SKILL.md\",\n \"line_start\": 48,\n \"line_end\": 48\n }\n ]\n },\n {\n \"factor\": \"external_commands\",\n \"evidence\": [\n {\n \"file\": \"assets/ci-config-template.yml\",\n \"line_start\": 298,\n \"line_end\": 298\n },\n {\n \"file\": \"assets/ci-config-template.yml\",\n \"line_start\": 301,\n \"line_end\": 301\n },\n {\n \"file\": \"assets/ci-config-template.yml\",\n \"line_start\": 304,\n \"line_end\": 304\n },\n {\n \"file\": \"assets/ci-config-template.yml\",\n \"line_start\": 307,\n \"line_end\": 307\n },\n {\n \"file\": \"assets/ci-config-template.yml\",\n \"line_start\": 310,\n \"line_end\": 310\n },\n {\n 
\"file\": \"assets/ci-config-template.yml\",\n \"line_start\": 134,\n \"line_end\": 134\n },\n {\n \"file\": \"assets/ci-config-template.yml\",\n \"line_start\": 250,\n \"line_end\": 250\n },\n {\n \"file\": \"assets/ci-config-template.yml\",\n \"line_start\": 291,\n \"line_end\": 291\n },\n {\n \"file\": \"assets/hunt-template.yaml\",\n \"line_start\": 36,\n \"line_end\": 36\n },\n {\n \"file\": \"assets/hunt-template.yaml\",\n \"line_start\": 115,\n \"line_end\": 115\n },\n {\n \"file\": \"assets/hunt-template.yaml\",\n \"line_start\": 183,\n \"line_end\": 183\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 17,\n \"line_end\": 51\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 51,\n \"line_end\": 72\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 72,\n \"line_end\": 78\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 78,\n \"line_end\": 82\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 82,\n \"line_end\": 88\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 88,\n \"line_end\": 92\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 92,\n \"line_end\": 98\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 98,\n \"line_end\": 102\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 102,\n \"line_end\": 108\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 108,\n \"line_end\": 112\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 112,\n \"line_end\": 123\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 123,\n \"line_end\": 127\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 127,\n \"line_end\": 135\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 135,\n 
\"line_end\": 143\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 143,\n \"line_end\": 150\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 150,\n \"line_end\": 156\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 156,\n \"line_end\": 164\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 164,\n \"line_end\": 170\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 170,\n \"line_end\": 183\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 183,\n \"line_end\": 191\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 191,\n \"line_end\": 203\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 203,\n \"line_end\": 209\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 209,\n \"line_end\": 222\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 222,\n \"line_end\": 228\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 228,\n \"line_end\": 246\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 246,\n \"line_end\": 252\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 252,\n \"line_end\": 268\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 268,\n \"line_end\": 274\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 274,\n \"line_end\": 289\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 289,\n \"line_end\": 295\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 295,\n \"line_end\": 322\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 322,\n \"line_end\": 326\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 326,\n \"line_end\": 353\n 
},\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 353,\n \"line_end\": 357\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 357,\n \"line_end\": 398\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 398,\n \"line_end\": 402\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 402,\n \"line_end\": 435\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 435,\n \"line_end\": 439\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 439,\n \"line_end\": 472\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 472,\n \"line_end\": 478\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 478,\n \"line_end\": 485\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 485,\n \"line_end\": 489\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 489,\n \"line_end\": 501\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 501,\n \"line_end\": 507\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 507,\n \"line_end\": 517\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 517,\n \"line_end\": 537\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 537,\n \"line_end\": 546\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 546,\n \"line_end\": 550\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 550,\n \"line_end\": 562\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 562,\n \"line_end\": 566\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 566,\n \"line_end\": 576\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 576,\n \"line_end\": 582\n },\n {\n \"file\": 
\"references/artifact-development.md\",\n \"line_start\": 582,\n \"line_end\": 596\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 596,\n \"line_end\": 602\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 602,\n \"line_end\": 608\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 608,\n \"line_end\": 612\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 612,\n \"line_end\": 618\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 105,\n \"line_end\": 105\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 509,\n \"line_end\": 509\n },\n {\n \"file\": \"references/artifact-development.md\",\n \"line_start\": 512,\n \"line_end\": 512\n },\n {\n \"file\": \"references/deployment-guide.md\",\n \"line_start\": 38,\n \"line_end\": 40\n },\n {\n \"file\": \"references/deployment-guide.md\",\n \"line_start\": 40,\n \"line_end\": 43\n },\n {\n \"file\": \"references/deployment-guide.md\",\n \"line_start\": 43,\n \"line_end\": 47\n },\n {\n \"file\": \"references/deployment-guide.md\",\n \"line_start\": 47,\n \"line_end\": 50\n },\n {\n \"file\": \"references/deployment-guide.md\",\n \"line_start\": 50,\n \"line_end\": 54\n },\n {\n \"file\": \"references/deployment-guide.md\",\n \"line_start\": 54,\n \"line_end\": 75\n },\n {\n \"file\": \"references/deployment-guide.md\",\n \"line_start\": 75,\n \"line_end\": 82\n },\n {\n \"file\": \"references/deployment-guide.md\",\n \"line_start\": 82,\n \"line_end\": 86\n },\n {\n \"file\": \"references/deployment-guide.md\",\n \"line_start\": 86,\n \"line_end\": 98\n },\n {\n \"file\": \"references/deployment-guide.md\",\n \"line_start\": 98,\n \"line_end\": 102\n },\n {\n \"file\": \"references/deployment-guide.md\",\n \"line_start\": 102,\n \"line_end\": 139\n },\n {\n \"file\": \"references/deployment-guide.md\",\n \"line_start\": 139,\n \"line_end\": 143\n },\n 
{ "file": "references/deployment-guide.md", "line_start": 143, "line_end": 183 },
{ "file": "references/deployment-guide.md", "line_start": 183, "line_end": 187 },
{ "file": "references/deployment-guide.md", "line_start": 187, "line_end": 195 },
{ "file": "references/deployment-guide.md", "line_start": 195, "line_end": 199 },
{ "file": "references/deployment-guide.md", "line_start": 199, "line_end": 202 },
{ "file": "references/deployment-guide.md", "line_start": 202, "line_end": 207 },
{ "file": "references/deployment-guide.md", "line_start": 207, "line_end": 210 },
{ "file": "references/deployment-guide.md", "line_start": 210, "line_end": 213 },
{ "file": "references/deployment-guide.md", "line_start": 213, "line_end": 224 },
{ "file": "references/deployment-guide.md", "line_start": 224, "line_end": 227 },
{ "file": "references/deployment-guide.md", "line_start": 227, "line_end": 237 },
{ "file": "references/deployment-guide.md", "line_start": 237, "line_end": 243 },
{ "file": "references/deployment-guide.md", "line_start": 243, "line_end": 247 },
{ "file": "references/deployment-guide.md", "line_start": 247, "line_end": 253 },
{ "file": "references/deployment-guide.md", "line_start": 253, "line_end": 261 },
{ "file": "references/deployment-guide.md", "line_start": 261, "line_end": 265 },
{ "file": "references/deployment-guide.md", "line_start": 265, "line_end": 273 },
{ "file": "references/deployment-guide.md", "line_start": 273, "line_end": 278 },
{ "file": "references/deployment-guide.md", "line_start": 278, "line_end": 284 },
{ "file": "references/deployment-guide.md", "line_start": 285, "line_end": 290 },
{ "file": "references/deployment-guide.md", "line_start": 290, "line_end": 293 },
{ "file": "references/deployment-guide.md", "line_start": 293, "line_end": 317 },
{ "file": "references/deployment-guide.md", "line_start": 317, "line_end": 321 },
{ "file": "references/deployment-guide.md", "line_start": 321, "line_end": 339 },
{ "file": "references/deployment-guide.md", "line_start": 339, "line_end": 346 },
{ "file": "references/deployment-guide.md", "line_start": 346, "line_end": 373 },
{ "file": "references/deployment-guide.md", "line_start": 373, "line_end": 378 },
{ "file": "references/deployment-guide.md", "line_start": 378, "line_end": 389 },
{ "file": "references/deployment-guide.md", "line_start": 389, "line_end": 392 },
{ "file": "references/deployment-guide.md", "line_start": 392, "line_end": 399 },
{ "file": "references/deployment-guide.md", "line_start": 399, "line_end": 406 },
{ "file": "references/deployment-guide.md", "line_start": 406, "line_end": 416 },
{ "file": "references/deployment-guide.md", "line_start": 416, "line_end": 419 },
{ "file": "references/deployment-guide.md", "line_start": 419, "line_end": 426 },
{ "file": "references/deployment-guide.md", "line_start": 426, "line_end": 431 },
{ "file": "references/deployment-guide.md", "line_start": 431, "line_end": 443 },
{ "file": "references/deployment-guide.md", "line_start": 443, "line_end": 456 },
{ "file": "references/deployment-guide.md", "line_start": 456, "line_end": 468 },
{ "file": "references/deployment-guide.md", "line_start": 468, "line_end": 471 },
{ "file": "references/deployment-guide.md", "line_start": 471, "line_end": 480 },
{ "file": "references/deployment-guide.md", "line_start": 480, "line_end": 487 },
{ "file": "references/deployment-guide.md", "line_start": 487, "line_end": 498 },
{ "file": "references/deployment-guide.md", "line_start": 498, "line_end": 501 },
{ "file": "references/deployment-guide.md", "line_start": 501, "line_end": 509 },
{ "file": "references/deployment-guide.md", "line_start": 509, "line_end": 514 },
{ "file": "references/deployment-guide.md", "line_start": 514, "line_end": 536 },
{ "file": "references/deployment-guide.md", "line_start": 536, "line_end": 539 },
{ "file": "references/deployment-guide.md", "line_start": 539, "line_end": 551 },
{ "file": "references/deployment-guide.md", "line_start": 551, "line_end": 556 },
{ "file": "references/deployment-guide.md", "line_start": 556, "line_end": 564 },
{ "file": "references/deployment-guide.md", "line_start": 564, "line_end": 567 },
{ "file": "references/deployment-guide.md", "line_start": 567, "line_end": 576 },
{ "file": "references/deployment-guide.md", "line_start": 576, "line_end": 583 },
{ "file": "references/deployment-guide.md", "line_start": 583, "line_end": 600 },
{ "file": "references/deployment-guide.md", "line_start": 600, "line_end": 603 },
{ "file": "references/deployment-guide.md", "line_start": 603, "line_end": 615 },
{ "file": "references/deployment-guide.md", "line_start": 615, "line_end": 636 },
{ "file": "references/deployment-guide.md", "line_start": 636, "line_end": 639 },
{ "file": "references/deployment-guide.md", "line_start": 639, "line_end": 652 },
{ "file": "references/deployment-guide.md", "line_start": 652, "line_end": 657 },
{ "file": "references/deployment-guide.md", "line_start": 520, "line_end": 520 },
{ "file": "references/deployment-guide.md", "line_start": 514, "line_end": 536 },
{ "file": "references/deployment-guide.md", "line_start": 278, "line_end": 278 },
{ "file": "references/deployment-guide.md", "line_start": 515, "line_end": 515 },
{ "file": "references/deployment-guide.md", "line_start": 81, "line_end": 81 },
{ "file": "references/deployment-guide.md", "line_start": 145, "line_end": 145 },
{ "file": "references/deployment-guide.md", "line_start": 173, "line_end": 173 },
{ "file": "references/deployment-guide.md", "line_start": 176, "line_end": 176 },
{ "file": "references/deployment-guide.md", "line_start": 177, "line_end": 177 },
{ "file": "references/deployment-guide.md", "line_start": 180, "line_end": 180 },
{ "file": "references/deployment-guide.md", "line_start": 181, "line_end": 181 },
{ "file": "references/deployment-guide.md", "line_start": 182, "line_end": 182 },
{ "file": "references/deployment-guide.md", "line_start": 215, "line_end": 215 },
{ "file": "references/deployment-guide.md", "line_start": 218, "line_end": 218 },
{ "file": "references/deployment-guide.md", "line_start": 272, "line_end": 272 },
{ "file": "references/deployment-guide.md", "line_start": 295, "line_end": 295 },
{ "file": "references/deployment-guide.md", "line_start": 296, "line_end": 296 },
{ "file": "references/deployment-guide.md", "line_start": 299, "line_end": 299 },
{ "file": "references/deployment-guide.md", "line_start": 315, "line_end": 315 },
{ "file": "references/deployment-guide.md", "line_start": 316, "line_end": 316 },
{ "file": "references/deployment-guide.md", "line_start": 380, "line_end": 380 },
{ "file": "references/deployment-guide.md", "line_start": 381, "line_end": 381 },
{ "file": "references/deployment-guide.md", "line_start": 382, "line_end": 382 },
{ "file": "references/deployment-guide.md", "line_start": 388, "line_end": 388 },
{ "file": "references/deployment-guide.md", "line_start": 408, "line_end": 408 },
{ "file": "references/deployment-guide.md", "line_start": 411, "line_end": 411 },
{ "file": "references/deployment-guide.md", "line_start": 412, "line_end": 412 },
{ "file": "references/deployment-guide.md", "line_start": 415, "line_end": 415 },
{ "file": "references/EXAMPLE.md", "line_start": 54, "line_end": 74 },
{ "file": "references/EXAMPLE.md", "line_start": 74, "line_end": 95 },
{ "file": "references/EXAMPLE.md", "line_start": 95, "line_end": 108 },
{ "file": "references/EXAMPLE.md", "line_start": 108, "line_end": 111 },
{ "file": "references/EXAMPLE.md", "line_start": 111, "line_end": 118 },
{ "file": "references/EXAMPLE.md", "line_start": 118, "line_end": 122 },
{ "file": "references/EXAMPLE.md", "line_start": 122, "line_end": 129 },
{ "file": "references/EXAMPLE.md", "line_start": 129, "line_end": 135 },
{ "file": "references/EXAMPLE.md", "line_start": 135, "line_end": 151 },
{ "file": "references/EXAMPLE.md", "line_start": 151, "line_end": 154 },
{ "file": "references/EXAMPLE.md", "line_start": 154, "line_end": 162 },
{ "file": "references/EXAMPLE.md", "line_start": 162, "line_end": 296 },
{ "file": "references/EXAMPLE.md", "line_start": 296, "line_end": 306 },
{ "file": "references/EXAMPLE.md", "line_start": 306, "line_end": 309 },
{ "file": "references/EXAMPLE.md", "line_start": 309, "line_end": 318 },
{ "file": "references/EXAMPLE.md", "line_start": 318, "line_end": 333 },
{ "file": "references/EXAMPLE.md", "line_start": 333, "line_end": 342 },
{ "file": "references/EXAMPLE.md", "line_start": 342, "line_end": 346 },
{ "file": "references/EXAMPLE.md", "line_start": 346, "line_end": 354 },
{ "file": "references/EXAMPLE.md", "line_start": 354, "line_end": 358 },
{ "file": "references/EXAMPLE.md", "line_start": 358, "line_end": 361 },
{ "file": "references/EXAMPLE.md", "line_start": 361, "line_end": 371 },
{ "file": "references/EXAMPLE.md", "line_start": 371, "line_end": 404 },
{ "file": "references/EXAMPLE.md", "line_start": 404, "line_end": 414 },
{ "file": "references/EXAMPLE.md", "line_start": 414, "line_end": 447 },
{ "file": "references/EXAMPLE.md", "line_start": 447, "line_end": 451 },
{ "file": "references/EXAMPLE.md", "line_start": 451, "line_end": 472 },
{ "file": "references/EXAMPLE.md", "line_start": 472, "line_end": 476 },
{ "file": "references/EXAMPLE.md", "line_start": 476, "line_end": 537 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 23, "line_end": 23 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 24, "line_end": 24 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 27, "line_end": 41 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 41, "line_end": 46 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 46, "line_end": 47 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 47, "line_end": 50 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 50, "line_end": 61 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 61, "line_end": 68 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 68, "line_end": 69 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 69, "line_end": 72 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 72, "line_end": 81 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 81, "line_end": 86 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 86, "line_end": 87 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 87, "line_end": 90 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 90, "line_end": 100 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 100, "line_end": 105 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 105, "line_end": 106 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 106, "line_end": 109 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 109, "line_end": 120 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 120, "line_end": 127 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 127, "line_end": 128 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 128, "line_end": 131 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 131, "line_end": 145 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 145, "line_end": 150 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 150, "line_end": 151 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 151, "line_end": 154 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 154, "line_end": 168 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 168, "line_end": 173 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 173, "line_end": 176 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 176, "line_end": 189 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 189, "line_end": 196 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 196, "line_end": 199 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 199, "line_end": 212 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 212, "line_end": 217 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 217, "line_end": 220 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 220, "line_end": 228 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 228, "line_end": 235 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 235, "line_end": 238 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 238, "line_end": 246 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 246, "line_end": 251 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 251, "line_end": 252 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 252, "line_end": 255 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 255, "line_end": 270 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 270, "line_end": 275 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 275, "line_end": 276 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 276, "line_end": 279 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 279, "line_end": 291 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 291, "line_end": 298 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 298, "line_end": 299 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 299, "line_end": 302 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 302, "line_end": 313 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 313, "line_end": 318 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 318, "line_end": 319 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 319, "line_end": 322 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 322, "line_end": 333 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 333, "line_end": 338 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 338, "line_end": 339 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 339, "line_end": 342 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 342, "line_end": 352 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 352, "line_end": 359 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 359, "line_end": 360 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 360, "line_end": 363 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 363, "line_end": 370 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 370, "line_end": 375 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 375, "line_end": 378 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 378, "line_end": 385 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 385, "line_end": 390 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 390, "line_end": 393 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 393, "line_end": 399 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 399, "line_end": 406 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 406, "line_end": 407 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 407, "line_end": 410 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 410, "line_end": 421 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 421, "line_end": 426 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 426, "line_end": 429 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 429, "line_end": 439 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 439, "line_end": 444 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 444, "line_end": 445 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 445, "line_end": 448 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 448, "line_end": 460 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 460, "line_end": 467 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 467, "line_end": 468 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 468, "line_end": 471 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 471, "line_end": 485 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 485, "line_end": 490 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 490, "line_end": 491 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 491, "line_end": 494 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 494, "line_end": 500 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 500, "line_end": 507 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 507, "line_end": 508 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 508, "line_end": 511 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 511, "line_end": 523 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 523, "line_end": 528 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 528, "line_end": 529 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 529, "line_end": 532 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 532, "line_end": 540 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 540, "line_end": 547 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 547, "line_end": 548 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 548, "line_end": 551 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 551, "line_end": 563 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 563, "line_end": 568 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 568, "line_end": 571 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 571, "line_end": 582 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 582, "line_end": 587 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 587, "line_end": 588 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 588, "line_end": 591 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 591, "line_end": 597 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 59, "line_end": 59 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 65, "line_end": 65 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 68, "line_end": 68 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 69, "line_end": 69 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 73, "line_end": 73 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 77, "line_end": 77 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 165, "line_end": 165 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 188, "line_end": 188 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 91, "line_end": 91 },
{ "file": "references/mitre-attack-mapping.md", "line_start": 94, "line_end": 94 },
{ "file": "references/vql-patterns.md", "line_start": 21, "line_end": 36 },
{ "file": "references/vql-patterns.md", "line_start": 36, "line_end": 40 },
{ "file": "references/vql-patterns.md", "line_start": 40, "line_end": 57 },
{ "file": "references/vql-patterns.md", "line_start": 57, "line_end": 61 },
{ "file": "references/vql-patterns.md", "line_start": 61, "line_end": 71 },
{ "file": "references/vql-patterns.md", "line_start": 71, "line_end": 77 },
{ "file": "references/vql-patterns.md", "line_start": 77, "line_end": 92 },
{ "file": "references/vql-patterns.md", "line_start": 92, "line_end": 96 },
{ "file": "references/vql-patterns.md", "line_start": 96, "line_end": 107 },
{ "file": "references/vql-patterns.md", "line_start": 107, "line_end": 111 },
{ "file": "references/vql-patterns.md", "line_start": 111, "line_end": 128 },
{ "file": "references/vql-patterns.md", "line_start": 128, "line_end": 134 },
{ "file": "references/vql-patterns.md", "line_start": 134, "line_end": 148 },
{ "file": "references/vql-patterns.md", "line_start": 148, "line_end": 152 },
{ "file": "references/vql-patterns.md", "line_start": 152, "line_end": 165 },
{ "file": "references/vql-patterns.md", "line_start": 165, "line_end": 169 },
{ "file": "references/vql-patterns.md", "line_start": 169, "line_end": 178 },
{ "file": "references/vql-patterns.md", "line_start": 178, "line_end": 184 },
{ "file": "references/vql-patterns.md", "line_start": 184, "line_end": 198 },
{ "file": "references/vql-patterns.md", "line_start": 198, "line_end": 202 },
{ "file": "references/vql-patterns.md", "line_start": 202, "line_end": 213 },
{ "file": "references/vql-patterns.md", "line_start": 213, "line_end": 217 },
{ "file": "references/vql-patterns.md", "line_start": 217, "line_end": 227 },
{ "file": "references/vql-patterns.md", "line_start": 227, "line_end": 233 },
{ "file": "references/vql-patterns.md", "line_start": 233, "line_end": 243 },
{ "file": "references/vql-patterns.md", "line_start": 243, "line_end": 247 },
{ "file": "references/vql-patterns.md", "line_start": 247, "line_end": 259 },
{ "file": "references/vql-patterns.md", "line_start": 259, "line_end": 265 },
{ "file": "references/vql-patterns.md", "line_start": 265, "line_end": 276 },
{ "file": "references/vql-patterns.md", "line_start": 276, "line_end": 280 },
{ "file": "references/vql-patterns.md", "line_start": 280, "line_end": 289 },
{ "file": "references/vql-patterns.md", "line_start": 289, "line_end": 293 },
{ "file": "references/vql-patterns.md", "line_start": 293, "line_end": 302 },
{ "file": "references/vql-patterns.md", "line_start": 302, "line_end": 308 },
{ "file": "references/vql-patterns.md", "line_start": 308, "line_end": 332 },
{ "file": "references/vql-patterns.md", "line_start": 332, "line_end": 336 },
{ "file": "references/vql-patterns.md", "line_start": 336, "line_end": 344 },
{ "file": "references/vql-patterns.md", "line_start": 344, "line_end": 350 },
{ "file": "references/vql-patterns.md", "line_start": 350, "line_end": 362 },
{ "file": "references/vql-patterns.md", "line_start": 362, "line_end": 366 },
{ "file": "references/vql-patterns.md", "line_start": 366, "line_end": 376 },
{ "file": "references/vql-patterns.md", "line_start": 376, "line_end": 380 },
{ "file": "references/vql-patterns.md", "line_start": 380, "line_end": 390 },
{ "file": "references/vql-patterns.md", "line_start": 390, "line_end": 396 },
{ "file": "references/vql-patterns.md", "line_start": 396, "line_end": 410 },
{ "file": "references/vql-patterns.md", "line_start": 410, "line_end": 414 },
{ "file": "references/vql-patterns.md", "line_start": 414, "line_end": 421 },
{ "file": "references/vql-patterns.md", "line_start": 421, "line_end": 425 },
{ "file": "references/vql-patterns.md", "line_start": 425, "line_end": 436 },
{ "file": "references/vql-patterns.md", "line_start": 436, "line_end": 442 },
{ "file": "references/vql-patterns.md", "line_start": 442, "line_end": 460 },
{ "file": "references/vql-patterns.md", "line_start": 460, "line_end": 464 },
{ "file": "references/vql-patterns.md", "line_start": 464, "line_end": 471 },
{ "file": "references/vql-patterns.md", "line_start": 471, "line_end": 475 },
{ "file": "references/vql-patterns.md", "line_start": 475, "line_end": 488 },
{ "file": "references/vql-patterns.md", "line_start": 488, "line_end": 494 },
{ "file": "references/vql-patterns.md", "line_start": 494, "line_end": 512 },
{ "file": "references/vql-patterns.md", "line_start": 512, "line_end": 516 },
{ "file": "references/vql-patterns.md", "line_start": 516, "line_end": 535 },
{ "file": "references/vql-patterns.md", "line_start": 28, "line_end": 28 },
{ "file": "references/vql-patterns.md", "line_start": 476, "line_end": 476 },
{ "file": "references/WORKFLOW_CHECKLIST.md", "line_start": 74, "line_end": 74 },
{ "file": "skill-report.json", "line_start": 116, "line_end": 116 },
{ "file": "skill-report.json", "line_start": 128, "line_end": 128 },
{ "file": "skill-report.json", "line_start": 128, "line_end": 128 },
{ "file": "SKILL.md", "line_start": 41, "line_end": 50 },
{ "file": "SKILL.md", "line_start": 50, "line_end": 54 },
{ "file": "SKILL.md", "line_start": 54, "line_end": 66 },
{ "file": "SKILL.md", "line_start": 66, "line_end": 85 },
{ "file": "SKILL.md", "line_start": 85, "line_end": 86 },
{ "file": "SKILL.md", "line_start": 86, "line_end": 87 },
{ "file": "SKILL.md", "line_start": 87, "line_end": 88 },
{ "file": "SKILL.md", "line_start": 88, "line_end": 89 },
{ "file": "SKILL.md", "line_start": 89, "line_end": 90 },
{ "file": "SKILL.md", "line_start": 90, "line_end": 127 },
{ "file": "SKILL.md", "line_start": 127, "line_end": 137 },
{ "file": "SKILL.md", "line_start": 137, "line_end": 145 },
{ "file": "SKILL.md", "line_start": 145, "line_end": 151 },
{ "file": "SKILL.md", "line_start": 151, "line_end": 157 },
{ "file": "SKILL.md", "line_start": 157, "line_end": 169 },
{ "file": "SKILL.md", "line_start": 169, "line_end": 175 },
{ "file": "SKILL.md", "line_start": 175, "line_end": 181 },
{ "file": "SKILL.md", "line_start": 181, "line_end": 187 },
{ "file": "SKILL.md", "line_start": 187, "line_end": 194 },
{ "file": "SKILL.md", "line_start": 194, "line_end": 202 },
{ "file": "SKILL.md", "line_start": 202, "line_end": 221 },
{ "file": "SKILL.md", "line_start": 221, "line_end": 244 },
{ "file": "SKILL.md", "line_start": 244, "line_end": 245 },
{ "file": "SKILL.md", "line_start": 245, "line_end": 253 },
{ "file": "SKILL.md", "line_start": 253, "line_end": 284 },
{ "file": "SKILL.md", "line_start": 284, "line_end": 286 },
{ "file": "SKILL.md", "line_start": 286, "line_end": 293 },
{ "file": "SKILL.md", "line_start": 293, "line_end": 303 },
{ "file": "SKILL.md", "line_start": 303, "line_end": 308 },
{ "file": "SKILL.md", "line_start": 308, "line_end": 310 },
{ "file": "SKILL.md", "line_start": 310, "line_end": 311 },
{ "file": "SKILL.md", "line_start": 311, "line_end": 312 },
{ "file": "SKILL.md", "line_start": 312, "line_end": 314 },
{ "file": "SKILL.md", "line_start": 314, "line_end": 316 },
{ "file": "SKILL.md", "line_start": 316, "line_end": 317 },
{ "file": "SKILL.md", "line_start": 317, "line_end": 318 },
{ "file": "SKILL.md", "line_start": 318, "line_end": 319 },
{ "file": "SKILL.md", "line_start": 319, "line_end": 321 },
{ "file": "SKILL.md", "line_start": 321, "line_end": 323 },
{ "file": "SKILL.md", "line_start": 323, "line_end": 324 },
{ "file": "SKILL.md", "line_start": 324, "line_end": 325 },
{ "file": "SKILL.md", "line_start": 111, "line_end": 111 },
{ "file": "SKILL.md", "line_start": 149, "line_end": 149 },
{ "file": "SKILL.md", "line_start": 193, "line_end": 193 },
{ "file": "SKILL.md", "line_start": 209, "line_end": 209 }
]
},
{
  "factor": "filesystem",
  "evidence": [
    { "file": "assets/ci-config-template.yml", "line_start": 323, "line_end": 323 },
    { "file": "assets/ci-config-template.yml", "line_start": 323, "line_end": 323 },
    { "file": "references/deployment-guide.md", "line_start": 246, "line_end": 246 }
  ]
},
{
  "factor": "env_access",
  "evidence": [
    { "file": "assets/ci-config-template.yml", "line_start": 164, "line_end": 164 },
    { "file": "assets/ci-config-template.yml", "line_start": 164, "line_end": 164 },
    { "file": "assets/rule-template.yaml", "line_start": 148, "line_end": 148 },
    { "file": "assets/rule-template.yaml", "line_start": 148, "line_end": 148 },
    { "file": "assets/rule-template.yaml", "line_start": 147, "line_end": 147 },
    { "file": "assets/rule-template.yaml", "line_start": 162, "line_end": 162 },
    { "file": "assets/rule-template.yaml", "line_start": 132, "line_end": 132 },
    { "file": "assets/rule-template.yaml", "line_start": 147, "line_end": 147 },
    { "file": "assets/rule-template.yaml", "line_start": 148, "line_end": 148 },
    { "file": "assets/rule-template.yaml", "line_start": 156, "line_end": 156 },
    { "file": "assets/rule-template.yaml", "line_start": 157, "line_end": 157 },
    { "file": "assets/rule-template.yaml", "line_start": 162, "line_end": 162 },
    { "file": "assets/rule-template.yaml", "line_start": 162, "line_end": 162 },
    { "file": "assets/rule-template.yaml", "line_start": 163, "line_end": 163 },
    { "file": "assets/rule-template.yaml", "line_start": 164, "line_end": 164 },
    { "file": "assets/rule-template.yaml", "line_start": 165, "line_end": 165 },
    { "file": "references/deployment-guide.md", "line_start": 231, "line_end": 231 },
    { "file": "references/deployment-guide.md", "line_start": 236, "line_end": 236 },
    { "file": "references/EXAMPLE.md", "line_start": 423, "line_end": 423 },
    { "file": "references/EXAMPLE.md", "line_start": 423, "line_end": 423 },
    { "file": "references/EXAMPLE.md", "line_start": 423, "line_end": 423 },
    { "file": "references/EXAMPLE.md", "line_start": 424, "line_end": 424 },
    { "file": "references/EXAMPLE.md", "line_start": 425, "line_end": 425 },
    { "file": "references/EXAMPLE.md", "line_start": 427, "line_end": 427 },
    { "file": "references/EXAMPLE.md", "line_start": 430, "line_end": 430 },
    { "file": "references/EXAMPLE.md", "line_start": 432, "line_end": 432 },
    { "file": "references/EXAMPLE.md", "line_start": 437, "line_end": 437 },
    { "file": "references/EXAMPLE.md", "line_start": 437, "line_end": 437 },
    { "file": "references/EXAMPLE.md", "line_start": 444, "line_end": 444 }
  ]
},
{
  "factor": "scripts",
  "evidence": [
    { "file": "references/EXAMPLE.md", "line_start": 138, "line_end": 138 },
    { "file": "references/EXAMPLE.md", "line_start": 137, "line_end": 137 }
  ]
}
],
"critical_findings": [],
"high_findings": [],
"medium_findings": [],
"low_findings": [],
"dangerous_patterns": [],
"files_scanned": 13,
"total_lines": 5140,
"audit_model": "claude",
"audited_at": "2026-01-16T15:43:31.707Z"
},
"content": {
  "user_title": "Collect endpoint evidence with Velociraptor VQL",
  "value_statement": "Conduct forensic investigations and threat hunting across enterprise endpoints. Use VQL queries to collect process artifacts, network connections, registry data, and event logs for incident analysis and compromise detection.",
  "seo_keywords": [
    "velociraptor",
    "incident response",
    "digital forensics",
    "endpoint detection",
    "threat hunting",
    "VQL queries",
    "MITRE ATT&CK",
    "evidence collection",
    "forensic artifacts",
    "Claude Code"
  ],
  "actual_capabilities": [
    "Create VQL queries for process and network investigation",
    "Collect forensic artifacts from Windows endpoints",
    "Map threat indicators to MITRE ATT&CK techniques",
    "Build custom Velociraptor hunt configurations",
    "Develop offline collectors for air-gapped investigations",
    "Deploy enterprise Velociraptor server infrastructure"
  ],
  "limitations": [
    "Requires Velociraptor binary to be installed separately",
    "No actual endpoint access without Velociraptor deployment",
    "Linux and macOS support is secondary to Windows focus",
    "Does not perform live memory acquisition"
  ],
  "use_cases": [
    {
      "target_user": "Incident Responders",
      "title": "Investigate security breaches",
      "description": "Collect and analyze forensic evidence to determine scope and root cause of security incidents"
    },
    {
      "target_user": "Threat Hunters",
      "title": "Proactively hunt for threats",
      "description": "Deploy organization-wide hunts to detect suspicious process execution and persistence mechanisms"
    },
    {
      "target_user": "Security Analysts",
      "title": "Build forensic artifacts",
      "description": "Create custom VQL artifacts tailored to specific threat scenarios and detection requirements"
    }
  ],
  "prompt_templates": [
    {
      "title": "Basic VQL Query",
      "scenario": "Process investigation",
      "prompt": "Write a VQL query to find processes running from temp directories with obfuscated command lines"
    },
    {
      "title": "Registry Persistence",
\"scenario\": \"Detect autoruns\",\n \"prompt\": \"Show me the VQL to hunt for suspicious registry run keys and startup locations\"\n },\n {\n \"title\": \"Threat Hunt\",\n \"scenario\": \"MITRE ATT&CK mapping\",\n \"prompt\": \"What VQL queries detect PowerShell execution techniques mapped to ATT&CK T1059.001\"\n },\n {\n \"title\": \"Artifact Development\",\n \"scenario\": \"Custom collection\",\n \"prompt\": \"Create a custom Velociraptor artifact YAML that collects recent executables with SHA256 hashes\"\n }\n ],\n \"output_examples\": [\n {\n \"input\": \"Find processes with suspicious parent-child relationships indicating potential injection\",\n \"output\": [\n \"Processes spawned by Office applications running PowerShell or cmd.exe\",\n \"Processes from AppData/Temp directories with hidden or bypass flags\",\n \"LOLBin abuse (certutil, bitsadmin, mshta) for code execution\",\n \"Memory regions with RWX protections in non-JIT processes\"\n ]\n },\n {\n \"input\": \"Hunt for persistence mechanisms used by attackers\",\n \"output\": [\n \"Scheduled tasks with suspicious PowerShell command lines\",\n \"Registry run keys modified in the last 7 days\",\n \"WMI event subscriptions for persistent execution\",\n \"Startup folder executables with unknown publishers\"\n ]\n },\n {\n \"input\": \"Detect lateral movement activity in the network\",\n \"output\": [\n \"Process executions originating from remote IP addresses\",\n \"Authentication events from unusual source locations\",\n \"SMB shares accessed during off-hours\",\n \"RDP connections from non-standard endpoints\"\n ]\n }\n ],\n \"best_practices\": [\n \"Use preconditions to verify OS compatibility before artifact execution\",\n \"Implement rate limiting and CPU limits to prevent endpoint performance impact\",\n \"Document chain of custody and investigation scope for compliance\"\n ],\n \"anti_patterns\": [\n \"Running filesystem glob queries without time or size limits\",\n \"Collecting all artifacts without 
defining specific investigation scope\",\n \"Storing collected evidence without encryption or access controls\"\n ],\n \"faq\": [\n {\n \"question\": \"What platforms does Velociraptor support?\",\n \"answer\": \"Windows (primary), Linux, and macOS. Most artifacts target Windows for enterprise incident response.\"\n },\n {\n \"question\": \"How many endpoints can Velociraptor manage?\",\n \"answer\": \"Single server handles up to 10,000 clients. Multi-frontend deployments support 100,000+ endpoints.\"\n },\n {\n \"question\": \"Can Velociraptor work offline?\",\n \"answer\": \"Yes. Offline collectors can gather evidence without server connectivity for air-gapped or initial triage scenarios.\"\n },\n {\n \"question\": \"Is collected data encrypted?\",\n \"answer\": \"Enable encryption in collector configuration. Use TLS for server communications and secure output storage.\"\n },\n {\n \"question\": \"Why are queries returning no results?\",\n \"answer\": \"Verify path syntax uses forward slashes, test queries in notebook mode first, and check client permissions.\"\n },\n {\n \"question\": \"How does this compare to commercial EDR?\",\n \"answer\": \"Velociraptor provides deeper forensic capabilities and customization. 
Best used alongside EDR for comprehensive coverage.\"\n }\n ]\n },\n \"file_structure\": [\n {\n \"name\": \"assets\",\n \"type\": \"dir\",\n \"path\": \"assets\",\n \"children\": [\n {\n \"name\": \"artifact-template.yaml\",\n \"type\": \"file\",\n \"path\": \"assets/artifact-template.yaml\",\n \"lines\": 134\n },\n {\n \"name\": \"ci-config-template.yml\",\n \"type\": \"file\",\n \"path\": \"assets/ci-config-template.yml\",\n \"lines\": 358\n },\n {\n \"name\": \"hunt-template.yaml\",\n \"type\": \"file\",\n \"path\": \"assets/hunt-template.yaml\",\n \"lines\": 211\n },\n {\n \"name\": \"offline-collector-config.yaml\",\n \"type\": \"file\",\n \"path\": \"assets/offline-collector-config.yaml\",\n \"lines\": 271\n },\n {\n \"name\": \"rule-template.yaml\",\n \"type\": \"file\",\n \"path\": \"assets/rule-template.yaml\",\n \"lines\": 356\n }\n ]\n },\n {\n \"name\": \"references\",\n \"type\": \"dir\",\n \"path\": \"references\",\n \"children\": [\n {\n \"name\": \"artifact-development.md\",\n \"type\": \"file\",\n \"path\": \"references/artifact-development.md\",\n \"lines\": 628\n },\n {\n \"name\": \"deployment-guide.md\",\n \"type\": \"file\",\n \"path\": \"references/deployment-guide.md\",\n \"lines\": 658\n },\n {\n \"name\": \"EXAMPLE.md\",\n \"type\": \"file\",\n \"path\": \"references/EXAMPLE.md\",\n \"lines\": 551\n },\n {\n \"name\": \"mitre-attack-mapping.md\",\n \"type\": \"file\",\n \"path\": \"references/mitre-attack-mapping.md\",\n \"lines\": 598\n },\n {\n \"name\": \"vql-patterns.md\",\n \"type\": \"file\",\n \"path\": \"references/vql-patterns.md\",\n \"lines\": 536\n },\n {\n \"name\": \"WORKFLOW_CHECKLIST.md\",\n \"type\": \"file\",\n \"path\": \"references/WORKFLOW_CHECKLIST.md\",\n \"lines\": 254\n }\n ]\n },\n {\n \"name\": \"SKILL.md\",\n \"type\": \"file\",\n \"path\": \"SKILL.md\",\n \"lines\": 334\n }\n ]\n}\n","content_type":"application/json; 
charset=utf-8","language":"json","size":80874,"content_sha256":"21232a7e01dbc3a0d56d1a91b1ded7b3b59d7ea9d46b0c0e5e99560d0b0b02b5"}],"content_json":{"type":"doc","content":[{"type":"heading","attrs":{"level":1},"content":[{"text":"Velociraptor Incident Response","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Overview","type":"text"}]},{"type":"paragraph","content":[{"text":"Velociraptor is an endpoint visibility and forensics platform for collecting host-based state information using Velociraptor Query Language (VQL). It operates in three core modes: ","type":"text"},{"text":"Collect","type":"text","marks":[{"type":"strong"}]},{"text":" (targeted evidence gathering), ","type":"text"},{"text":"Monitor","type":"text","marks":[{"type":"strong"}]},{"text":" (continuous event capture), and ","type":"text"},{"text":"Hunt","type":"text","marks":[{"type":"strong"}]},{"text":" (proactive threat hunting).","type":"text"}]},{"type":"paragraph","content":[{"text":"When to use this skill","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Active incident response requiring endpoint evidence collection","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Threat hunting across enterprise infrastructure","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Digital forensics investigations and timeline analysis","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Endpoint monitoring and anomaly detection","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Custom forensic artifact development for specific threats","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Quick Start","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Local 
Forensic Triage (Standalone Mode)","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Download Velociraptor binary for your platform\n# https://github.com/Velocidex/velociraptor/releases\n\n# Run GUI mode for interactive investigation\nvelociraptor gui\n\n# Access web interface at https://127.0.0.1:8889/\n# Default admin credentials shown in console output","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Enterprise Server Deployment","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Generate server configuration\nvelociraptor config generate > server.config.yaml\n\n# Start server\nvelociraptor --config server.config.yaml frontend\n\n# Generate client configuration\nvelociraptor --config server.config.yaml config client > client.config.yaml\n\n# Deploy clients across endpoints\nvelociraptor --config client.config.yaml client","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Core Incident Response Workflows","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Workflow 1: Initial Compromise Investigation","type":"text"}]},{"type":"paragraph","content":[{"text":"Progress: [ ] 1. Identify affected endpoints and timeframe [ ] 2. Collect authentication logs and suspicious logins [ ] 3. Gather process execution history and command lines [ ] 4. Extract network connection artifacts [ ] 5. Collect persistence mechanisms (scheduled tasks, autoruns, services) [ ] 6. Analyze file system modifications and suspicious files [ ] 7. Extract memory artifacts if needed [ ] 8. Build timeline and document IOCs","type":"text"}]},{"type":"paragraph","content":[{"text":"Work through each step systematically. 
Check off completed items.","type":"text"}]},{"type":"paragraph","content":[{"text":"Key VQL Artifacts","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Windows.EventLogs.RDP","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Remote desktop authentication events","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Windows.System.Pslist","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Running processes with details","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Windows.Network.NetstatEnriched","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Network connections with process context","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Windows.Persistence.PermanentWMIEvents","type":"text","marks":[{"type":"code_inline"}]},{"text":" - WMI-based persistence","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Windows.Timeline.Prefetch","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Program execution timeline","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Windows.Forensics.Timeline","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Comprehensive filesystem timeline","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Workflow 2: Threat Hunting Campaign","type":"text"}]},{"type":"paragraph","content":[{"text":"Progress: [ ] 1. Define threat hypothesis and IOCs [ ] 2. Select or create custom VQL artifacts for detection [ ] 3. Create hunt targeting relevant endpoint groups [ ] 4. Execute hunt across infrastructure [ ] 5. Monitor collection progress and errors [ ] 6. Analyze results and identify positive matches [ ] 7. 
Triage findings and escalate confirmed threats [ ] 8. Document TTPs and update detections","type":"text"}]},{"type":"paragraph","content":[{"text":"Work through each step systematically. Check off completed items.","type":"text"}]},{"type":"paragraph","content":[{"text":"Common Hunt Scenarios","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Lateral movement detection (PsExec, WMI, remote services)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Webshell identification on web servers","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Suspicious scheduled task discovery","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Credential dumping tool artifacts","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Malicious PowerShell execution patterns","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Workflow 3: Evidence Collection for Forensics","type":"text"}]},{"type":"paragraph","content":[{"text":"Progress: [ ] 1. Document collection requirements and scope [ ] 2. Create offline collector with required artifacts [ ] 3. Deploy collector to target endpoint(s) [ ] 4. Execute collection and verify completion [ ] 5. Retrieve collection archive [ ] 6. Validate evidence integrity (hashes) [ ] 7. Import into forensic platform for analysis [ ] 8. Document chain of custody","type":"text"}]},{"type":"paragraph","content":[{"text":"Work through each step systematically. 
Check off completed items.","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Create offline collector (no server required)\nvelociraptor --config server.config.yaml artifacts collect \\\n Windows.KapeFiles.Targets \\\n Windows.EventLogs.Evtx \\\n Windows.Registry.Sysinternals.Eulacheck \\\n --output /path/to/collection.zip\n\n# For custom artifact collection\nvelociraptor artifacts collect Custom.Artifact.Name --args param=value","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"VQL Query Patterns","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pattern 1: Process Investigation","type":"text"}]},{"type":"paragraph","content":[{"text":"Search for suspicious process execution patterns:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"sql"},"content":[{"text":"-- Find processes with unusual parent-child relationships\nSELECT Pid, Ppid, Name, CommandLine, Username, Exe\nFROM pslist()\nWHERE Name =~ \"(?i)(powershell|cmd|wscript|cscript)\"\n AND CommandLine =~ \"(?i)(invoke|download|iex|bypass|hidden)\"","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pattern 2: Network Connection Analysis","type":"text"}]},{"type":"paragraph","content":[{"text":"Identify suspicious network connections:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"sql"},"content":[{"text":"-- Active connections with process context\nSELECT Laddr.IP AS LocalIP,\n Laddr.Port AS LocalPort,\n Raddr.IP AS RemoteIP,\n Raddr.Port AS RemotePort,\n Status, Pid,\n process_tracker_get(id=Pid).Name AS ProcessName,\n process_tracker_get(id=Pid).CommandLine AS CommandLine\nFROM netstat()\nWHERE Status = \"ESTABLISHED\"\n -- External (non-RFC1918) remote IPs only. VQL regexes are Go RE2, which has no lookahead,\n -- so negate the match instead of using (?!...)\n AND NOT Raddr.IP =~ \"^(10\\\\.|192\\\\.168\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.)\"","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pattern 3: File System 
Forensics","type":"text"}]},{"type":"paragraph","content":[{"text":"Timeline suspicious file modifications:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"sql"},"content":[{"text":"-- Recent file modifications in suspicious locations\nSELECT FullPath, Size, Mtime, Atime, Ctime, Btime\nFROM glob(globs=\"C:/Users/*/AppData/**/*.exe\")\nWHERE Mtime > timestamp(epoch=now() - 86400) -- Last 24 hours\nORDER BY Mtime DESC","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pattern 4: Registry Persistence","type":"text"}]},{"type":"paragraph","content":[{"text":"Hunt for registry-based persistence:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"sql"},"content":[{"text":"-- Common autorun registry keys\nSELECT Key.Name AS RegistryKey,\n ValueName,\n ValueData\nFROM read_reg_key(globs=\"HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*\")\nWHERE ValueData =~ \"(?i)(powershell|cmd|wscript|rundll32)\"","type":"text"}]},{"type":"paragraph","content":[{"text":"For comprehensive VQL patterns and advanced queries, see ","type":"text"},{"text":"references/vql-patterns.md","type":"text","marks":[{"type":"link","attrs":{"href":"references/vql-patterns.md","title":null}}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Custom Artifact Development","type":"text"}]},{"type":"paragraph","content":[{"text":"Create custom VQL artifacts for specific investigation needs:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"yaml"},"content":[{"text":"name: Custom.Windows.SuspiciousProcess\ndescription: |\n Detect processes with suspicious characteristics for incident response.\n\nparameters:\n - name: ProcessNameRegex\n default: \"(?i)(powershell|cmd|wscript)\"\n type: regex\n - name: CommandLineRegex\n default: \"(?i)(invoke|download|bypass)\"\n type: regex\n\nsources:\n - query: |\n SELECT Pid, Ppid, Name, CommandLine, Username, Exe, CreateTime\n FROM pslist()\n 
WHERE Name =~ ProcessNameRegex\n AND CommandLine =~ CommandLineRegex","type":"text"}]},{"type":"paragraph","content":[{"text":"Save artifacts in YAML format and import via Velociraptor UI or command line.","type":"text"}]},{"type":"paragraph","content":[{"text":"For artifact development guidance","type":"text","marks":[{"type":"strong"}]},{"text":", see ","type":"text"},{"text":"references/artifact-development.md","type":"text","marks":[{"type":"link","attrs":{"href":"references/artifact-development.md","title":null}}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Security Considerations","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Sensitive Data Handling","type":"text","marks":[{"type":"strong"}]},{"text":": VQL queries can collect credentials, PII, and sensitive files. Implement data minimization - only collect necessary evidence. Use encryption for evidence transport and storage.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Access Control","type":"text","marks":[{"type":"strong"}]},{"text":": Velociraptor server access provides significant endpoint control. Implement RBAC, audit all queries, and restrict administrative access. Use client certificates for authentication.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Audit Logging","type":"text","marks":[{"type":"strong"}]},{"text":": All VQL queries, hunts, and collections are logged. Enable audit trail for compliance. Document investigation scope and approvals.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Compliance","type":"text","marks":[{"type":"strong"}]},{"text":": Ensure evidence collection follows organizational policies and legal requirements. Document chain of custody for forensic investigations. 
Consider data sovereignty for multi-region deployments.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Operational Security","type":"text","marks":[{"type":"strong"}]},{"text":": Velociraptor generates significant endpoint activity. Plan for network bandwidth, endpoint performance impact, and detection by adversaries during covert investigations.","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Common Investigation Patterns","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pattern: Ransomware Investigation","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Identify patient zero endpoint","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Collect: ","type":"text"},{"text":"Windows.Forensics.Timeline","type":"text","marks":[{"type":"code_inline"}]},{"text":" for file modification patterns","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Collect: ","type":"text"},{"text":"Windows.EventLogs.Evtx","type":"text","marks":[{"type":"code_inline"}]},{"text":" for authentication events","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Hunt for: Lateral movement artifacts across network","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Hunt for: Scheduled tasks or services for persistence","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Extract: Ransomware binary samples for malware analysis","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Build: Timeline of infection spread and data encryption","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pattern: Data Exfiltration 
Detection","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Collect network connection history: ","type":"text"},{"text":"Windows.Network.NetstatEnriched","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Identify large outbound transfers to unusual destinations","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Correlate with process execution and file access","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Hunt for: Compression tools or staging directories","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Examine: Browser downloads and cloud sync activities","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Review: DNS queries for tunneling or C2 domains","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Document: Data classification and breach scope","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pattern: Insider Threat Investigation","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Collect: User authentication and logon events","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Track: USB device connections and file transfers","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Monitor: Sensitive file access patterns","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Review: Email and browser history (with authorization)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Analyze: 
Print spooler activity for document printing","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Examine: Cloud storage access and uploads","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Build: User activity timeline with behavioral anomalies","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Integration Points","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"SIEM Integration","type":"text","marks":[{"type":"strong"}]},{"text":": Export VQL results to Splunk, Elastic, or other SIEM platforms for correlation","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Threat Intel Platforms","type":"text","marks":[{"type":"strong"}]},{"text":": Enrich IOCs with TIP integrations via VQL plugins","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"SOAR Platforms","type":"text","marks":[{"type":"strong"}]},{"text":": Trigger automated Velociraptor hunts from SOAR playbooks","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Forensic Suites","type":"text","marks":[{"type":"strong"}]},{"text":": Import Velociraptor collections into X-Ways, Autopsy, or EnCase","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"EDR Interoperability","type":"text","marks":[{"type":"strong"}]},{"text":": Complement EDR with custom VQL detections and forensic depth","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Troubleshooting","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Issue: High CPU Usage During 
Collection","type":"text"}]},{"type":"paragraph","content":[{"text":"Solution","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Limit concurrent VQL queries using ","type":"text"},{"text":"rate()","type":"text","marks":[{"type":"code_inline"}]},{"text":" function","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Reduce glob scope to specific directories","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Use ","type":"text"},{"text":"--ops_per_second","type":"text","marks":[{"type":"code_inline"}]},{"text":" limit when creating offline collectors","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Schedule resource-intensive hunts during maintenance windows","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Issue: Client Not Reporting to Server","type":"text"}]},{"type":"paragraph","content":[{"text":"Solution","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Verify network connectivity and firewall rules (default: TCP 8000)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Check client logs: ","type":"text"},{"text":"velociraptor --config client.config.yaml logs","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Validate client certificate and enrollment status","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Ensure server frontend is running and accessible","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Issue: VQL Query Returns No 
Results","type":"text"}]},{"type":"paragraph","content":[{"text":"Solution","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Test query in local notebook mode first","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Verify filesystem paths use correct syntax (forward slashes)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Check plugin availability on target OS","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Use ","type":"text"},{"text":"log()","type":"text","marks":[{"type":"code_inline"}]},{"text":" function to debug query execution","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Review client event logs for permission errors","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Bundled Resources","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Scripts (","type":"text"},{"text":"scripts/","type":"text","marks":[{"type":"code_inline"}]},{"text":")","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"vql_query_builder.py","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Generate common VQL queries from templates","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"artifact_validator.py","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Validate custom artifact YAML syntax","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"evidence_collector.sh","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Automate offline collector deployment","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"References 
(","type":"text"},{"text":"references/","type":"text","marks":[{"type":"code_inline"}]},{"text":")","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"vql-patterns.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Comprehensive VQL query patterns for common IR scenarios","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"artifact-development.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Guide to creating custom forensic artifacts","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"mitre-attack-mapping.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" - MITRE ATT&CK technique detection artifacts","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"deployment-guide.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Enterprise server deployment and architecture","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Assets (","type":"text"},{"text":"assets/","type":"text","marks":[{"type":"code_inline"}]},{"text":")","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"artifact-template.yaml","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Template for custom artifact development","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"hunt-template.yaml","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Hunt configuration template with best practices","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"offline-collector-config.yaml","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Offline collector configuration 
example","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"References","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Velociraptor Documentation","type":"text","marks":[{"type":"link","attrs":{"href":"https://docs.velociraptor.app/","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"VQL Reference","type":"text","marks":[{"type":"link","attrs":{"href":"https://docs.velociraptor.app/vql_reference/","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Artifact Exchange","type":"text","marks":[{"type":"link","attrs":{"href":"https://docs.velociraptor.app/exchange/","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"GitHub Repository","type":"text","marks":[{"type":"link","attrs":{"href":"https://github.com/Velocidex/velociraptor","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"MITRE ATT&CK 
Framework","type":"text","marks":[{"type":"link","attrs":{"href":"https://attack.mitre.org/","title":null}}]}]}]}]},{"type":"hr","attrs":{"markup":"---"}}]},"metadata":{"date":"2026-06-05","name":"ir-velociraptor","tags":["forensics","incident-response","endpoint-detection","threat-hunting","vql","dfir","live-response","evidence-collection"],"author":"@skillopedia","source":{"stars":336,"repo_name":"marketplace","origin_url":"https://github.com/aiskillstore/marketplace/blob/HEAD/skills/agentsecops/ir-velociraptor/SKILL.md","repo_owner":"aiskillstore","body_sha256":"52198b3c53c862721dee39ea409880e28082d0ae43f2d17964ee8e0fa9a818b7","cluster_key":"daebb0eef018849e513c6e39b388f3a587830250b59ff95007b3600cc2fa5b47","clean_bundle":{"format":"clean-skill-bundle-v1","source":"aiskillstore/marketplace/skills/agentsecops/ir-velociraptor/SKILL.md","attachments":[{"id":"31b3c72b-f3d8-5319-b4ea-516e05f68859","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/31b3c72b-f3d8-5319-b4ea-516e05f68859/attachment.yaml","path":"assets/artifact-template.yaml","size":3567,"sha256":"5910babcd11198254d72bac65dd605794ac0af0c6abcf7ca74bd68f8a73dc53e","contentType":"application/yaml; charset=utf-8"},{"id":"ca20b5ae-2f57-5f37-a6bd-1573dd913a03","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/ca20b5ae-2f57-5f37-a6bd-1573dd913a03/attachment.yml","path":"assets/ci-config-template.yml","size":11105,"sha256":"0fc554799a0e03a44883990f208f2a428f3c1e70eed1a9bcfbc01e728962b91e","contentType":"application/yaml; charset=utf-8"},{"id":"91c031ee-ada4-50e5-8038-77a9b0986bf7","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/91c031ee-ada4-50e5-8038-77a9b0986bf7/attachment.yaml","path":"assets/hunt-template.yaml","size":5295,"sha256":"8b72cec06926ed098ae00ef2b4224ea2a7e3f997596f2415ab85bfecc726c2d7","contentType":"application/yaml; 
charset=utf-8"},{"id":"dd8fd44f-590c-5dd3-ab35-5e15f50591d0","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/dd8fd44f-590c-5dd3-ab35-5e15f50591d0/attachment.yaml","path":"assets/offline-collector-config.yaml","size":6811,"sha256":"99fe71b94bfe39aae990215b6ce9d4a7bb20c33a26bc73243674a3f897dd3b65","contentType":"application/yaml; charset=utf-8"},{"id":"aa3ff31f-c007-56ff-953e-7e775b02930c","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/aa3ff31f-c007-56ff-953e-7e775b02930c/attachment.yaml","path":"assets/rule-template.yaml","size":11044,"sha256":"cb228a390bcd3745cafb1783c6337d9106ae179e853935ae19c90caac10a0497","contentType":"application/yaml; charset=utf-8"},{"id":"3088fa3d-c2b0-55ee-9b4c-a6d1f8380383","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/3088fa3d-c2b0-55ee-9b4c-a6d1f8380383/attachment.md","path":"references/EXAMPLE.md","size":15672,"sha256":"d830809dec44c82770c5ef0fe12831754f113931dc739891a1ec8186aefc629f","contentType":"text/markdown; charset=utf-8"},{"id":"3108cdca-7aa7-5c79-895e-5aff8f88a851","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/3108cdca-7aa7-5c79-895e-5aff8f88a851/attachment.md","path":"references/WORKFLOW_CHECKLIST.md","size":8390,"sha256":"f667c8d5c6e5c50b491643d644082ff202a6bb94476e0e7b648c6d0e5c8a080f","contentType":"text/markdown; charset=utf-8"},{"id":"6ae038f2-2107-5c74-b4d9-1171092efe31","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/6ae038f2-2107-5c74-b4d9-1171092efe31/attachment.md","path":"references/artifact-development.md","size":13649,"sha256":"82da6b40c8ca9f81e87b185076b8c7049c29802dcdc4bb5d529adf8d7f488a1b","contentType":"text/markdown; charset=utf-8"},{"id":"7b71150d-24e2-5341-9929-e8bd92c70bd9","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/7b71150d-24e2-5341-9929-e8bd92c70bd9/attachment.md","path":"references/deployment-guide.md","size":15157,"sha256":"b18eea29f799d85433f90d7b3f10ce9eee7ca9083d4f4625b2d84361ff36167e","contentType":"text/markdown; 
charset=utf-8"},{"id":"494de683-e6a4-59ec-a2ce-5c99e4b2267c","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/494de683-e6a4-59ec-a2ce-5c99e4b2267c/attachment.md","path":"references/mitre-attack-mapping.md","size":15724,"sha256":"2631ad78e549dab75e50cdb18392a868e0835a3ff639b54b1864cd64f12f5571","contentType":"text/markdown; charset=utf-8"},{"id":"bd33ffa1-62a5-5958-a060-d70032e08fc4","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/bd33ffa1-62a5-5958-a060-d70032e08fc4/attachment.md","path":"references/vql-patterns.md","size":15588,"sha256":"99c1e0a8b7aeea614109d2c455ec4f5a9a8b09052dea3712e4cb40f95be02fa7","contentType":"text/markdown; charset=utf-8"},{"id":"b43fe09d-436f-548e-9e7d-f8b9fc943890","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/b43fe09d-436f-548e-9e7d-f8b9fc943890/attachment.json","path":"skill-report.json","size":80874,"sha256":"21232a7e01dbc3a0d56d1a91b1ded7b3b59d7ea9d46b0c0e5e99560d0b0b02b5","contentType":"application/json; charset=utf-8"}],"bundle_sha256":"65023961b7f06406d8a0d5926b1729d03f9cc4dcd67807fe9d1fd853c3868b44","attachment_count":12,"text_attachments":12,"attachment_storage":"skillopedia-attachments-v1","binary_attachments":0,"excluded_attachments":[]},"cluster_size":1,"skill_md_path":"skills/agentsecops/ir-velociraptor/SKILL.md","import_metadata":{"date":"2026-06-05","author":"@skillopedia","version":"v1","category":"security","category_label":"Security"},"exact_dupes_collapsed_into_this":0},"version":"v1","category":"security","frameworks":["MITRE-ATT&CK","NIST"],"import_tag":"clean-skills-v1","maintainer":"SirAppSec","references":["https://docs.velociraptor.app/","https://github.com/Velocidex/velociraptor","https://docs.velociraptor.app/artifact_references/"],"description":"Endpoint visibility, digital forensics, and incident response using Velociraptor Query Language (VQL) for evidence collection and threat hunting at scale. 
Use when: (1) Conducting forensic investigations across multiple endpoints, (2) Hunting for indicators of compromise or suspicious activities, (3) Collecting endpoint telemetry and artifacts for incident analysis, (4) Performing live response and evidence preservation, (5) Monitoring endpoints for security events, (6) Creating custom forensic artifacts for specific threat scenarios.\n","dependencies":{"tools":["velociraptor"]}}},"renderedAt":1782981604842}
