
ir-velociraptor

Endpoint visibility, digital forensics, and incident response using Velociraptor Query Language (VQL) for evidence collection and threat hunting at scale. Use when: (1) Conducting forensic investigations across multiple endpoints, (2) Hunting for indicators of compromise or suspicious activities, (3) Collecting endpoint telemetry and artifacts for incident analysis, (4) Performing live response and evidence preservation, (5) Monitoring endpoints for security events, (6) Creating custom forensic artifacts for specific threat scenarios.
aiskillstore/marketplace · ★ 329 · DevOps & Infrastructure · score 85
Install: claude install-skill aiskillstore/marketplace
# Velociraptor Incident Response

## Overview

Velociraptor is an endpoint visibility and forensics platform for collecting host-based state information using Velociraptor Query Language (VQL). It operates in three core modes: **Collect** (targeted evidence gathering from one or more hosts), **Monitor** (continuous event capture via client event artifacts), and **Hunt** (proactive threat hunting by scheduling one collection across many endpoints at once).

**When to use this skill**:

- Active incident response requiring endpoint evidence collection
- Threat hunting across enterprise infrastructure
- Digital forensics investigations and timeline analysis
- Endpoint monitoring and anomaly detection
- Custom forensic artifact development for specific threats

## Quick Start

### Local Forensic Triage (Standalone Mode)

```bash
# Download the Velociraptor binary for your platform
# https://github.com/Velocidex/velociraptor/releases

# Run GUI mode for interactive investigation of the local machine
# (generates a self-contained config and only listens on localhost)
velociraptor gui

# Access the web interface at https://127.0.0.1:8889/
# The admin credentials are shown in the console output
```

### Enterprise Server Deployment

```bash
# Generate a server configuration with defaults
# (use `velociraptor config generate -i` for the interactive wizard)
velociraptor config generate > server.config.yaml

# A freshly generated config has no GUI users; create an administrator
velociraptor --config server.config.yaml user add admin --role administrator

# Start the server (frontend + GUI)
velociraptor --config server.config.yaml frontend

# Derive the client configuration from the server config
velociraptor --config server.config.yaml config client > client.config.yaml

# Deploy clients across endpoints
velociraptor --config client.config.yaml client
```

## Core Incident Response Workflows

### Workflow 1: Initial Compromise Investigation

Progress: [ ] 1. Identify
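The Hunt and Collect modes described above are driven by artifacts: YAML definitions that wrap a VQL query and its parameters. The following artifact is an added example written for this page; it is not part of the skill or of Velociraptor's bundled artifact set. The artifact name `Custom.Hunt.ProcessIOC`, the parameter names, and the placeholder IOC hash are all assumptions made for illustration. It lists running processes, hashes each on-disk executable, and reports any process whose SHA256 appears in a supplied IOC list or whose image runs from outside the usual Windows system directories, which is a typical first hunt during an initial-compromise investigation.

```yaml
# Added example artifact (not from the skill or the Velociraptor project).
# Names, parameters and the default hash below are constructed placeholders.
name: Custom.Hunt.ProcessIOC
description: |
  Enumerates running processes, hashes each on-disk executable, and reports
  processes whose SHA256 matches a supplied IOC list or whose image runs from
  outside the expected system directories. Designed to be scheduled as a Hunt,
  but it also works as a one-off Collect on a single host.
type: CLIENT

# Only run on Windows: the trusted-path regex below assumes Windows paths.
precondition: SELECT OS FROM info() WHERE OS = 'windows'

parameters:
  - name: IOCHashes
    description: CSV of SHA256 hashes to match. The default row is a constructed placeholder.
    type: csv
    default: |
      Hash
      0000000000000000000000000000000000000000000000000000000000000000
  - name: TrustedPathRegex
    description: Executables under these paths are reported only if they match an IOC hash.
    type: regex
    default: '^(C:\\Windows\\|C:\\Program Files( \(x86\))?\\)'

sources:
  - query: |
      -- Materialise the IOC list once so the per-process check is a cheap membership test.
      -- Hashes are lower-cased to match the lowercase hex that hash() returns.
      LET iocs <= SELECT lowcase(string=Hash) AS Hash FROM IOCHashes

      SELECT Pid, Ppid, Name, Username, Exe, CommandLine, CreateTime,
             hash(path=Exe).SHA256 AS SHA256,
             Exe =~ TrustedPathRegex AS TrustedPath
      FROM pslist()
      -- Kernel pseudo-processes (System, Registry, ...) have no Exe path and cannot be hashed.
      WHERE Exe != ""
        AND (SHA256 IN iocs.Hash OR NOT TrustedPath)
```

Load the definition through the GUI artifact editor (or from a definitions directory on the server) and launch it as a Hunt; the two parameters can be overridden per hunt, so the IOC list from a fresh threat report goes in `IOCHashes` without editing the artifact. Two caveats for reading the results: `hash()` cannot read executables that are locked or protected, so those rows arrive with an empty `SHA256` and are reported only via the path check, and the path check is deliberately noisy (legitimate software under `%LOCALAPPDATA%` will appear), which is why the hash match and the path heuristic are reported as separate columns rather than collapsed into a single verdict.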