Velociraptor
What is Velociraptor?
An open-source endpoint-visibility and DFIR platform, originally by Mike Cohen and now stewarded by Rapid7, that uses the VQL query language to hunt, collect artifacts, and respond live across fleets of Windows, Linux, and macOS hosts.
Velociraptor is an open-source DFIR and endpoint-visibility platform built around a custom query language called VQL (Velociraptor Query Language). A Velociraptor server orchestrates lightweight agents on Windows, Linux, and macOS endpoints; analysts write or pick VQL artifacts that collect specific evidence (registry hives, MFT, $UsnJrnl, browser history, Sysmon events, persistence locations, memory captures, YARA hits) or perform live response actions (kill process, isolate host, dump memory). Velociraptor is unusually flexible compared to traditional EDR: artifacts are version-controlled YAML+VQL, so a community library of hunts and forensic collectors is published and reused widely (Rapid7's velociraptor-artifacts repo, the SANS community list). Use cases include large-scale hunting across thousands of hosts, bulk artifact collection during IR, evidence preservation, and continuous endpoint monitoring. Originally written by Mike Cohen (also behind GRR), Velociraptor was acquired by Rapid7 in 2021 but remains AGPL-licensed open source with active community development.
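The YAML+VQL artifact form described above, as an added illustration of the first example below (a YARA hit followed by triage collection). This is not an artifact from the Velociraptor project or its community exchange: the artifact name, globs and placeholder rule are assumptions, and the column names (OSPath, FileName, Rule) are assumed from the current glob() and yara() plugin output.

```yaml
# Hypothetical artifact (not from the Velociraptor repo); name and globs are assumptions.
name: Custom.Windows.Hunt.YaraThenPrefetch
description: |
  Scan user-writable executables with a YARA rule; on any hit, upload the
  matching files and the host's Prefetch directory so triage data arrives
  with the detection instead of in a second round-trip.
type: CLIENT

parameters:
  - name: ScanGlob
    default: C:/Users/*/AppData/Roaming/**/*.exe
  - name: PrefetchGlob
    default: C:/Windows/Prefetch/*.pf
  - name: YaraRule
    description: Constructed placeholder; swap in the real backdoor signature.
    default: |
      rule Placeholder_Backdoor {
        strings:
          $marker = "PLACEHOLDER_MARKER" ascii
        condition:
          $marker
      }

precondition: SELECT OS FROM info() WHERE OS = 'windows'

sources:
  - query: |
      -- Materialize (<=) the YARA hits once so the list can be reused below.
      LET hits <= SELECT * FROM foreach(
          row={ SELECT OSPath FROM glob(globs=ScanGlob) },
          query={
            SELECT FileName, Rule, upload(file=FileName) AS Upload
            FROM yara(files=OSPath, rules=YaraRule)
          })

      -- Collect Prefetch only when the host actually matched; clean hosts
      -- return nothing, which keeps a fleet-wide hunt cheap.
      LET prefetch = SELECT OSPath AS FileName, "Prefetch" AS Rule,
                            upload(file=OSPath) AS Upload
                     FROM glob(globs=PrefetchGlob)

      SELECT * FROM chain(
          hits={ SELECT * FROM hits },
          triage={ SELECT * FROM if(condition=hits, then=prefetch) })
```

Adding the MFT and Amcache collectors from the example would be further `chain()` branches gated on the same `hits` list.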
● Examples
- 01
An IR team deploys Velociraptor across 5,000 endpoints to hunt for a specific YARA-detected backdoor and collect MFT + Prefetch + Amcache wherever it matches.
- 02
An incident playbook fires a Velociraptor 'Acquire Triage' hunt that pulls a Kape-equivalent artifact set from every endpoint into the server within an hour.
● Frequently asked questions
What is Velociraptor?
An open-source endpoint-visibility and DFIR platform, originally by Mike Cohen and now stewarded by Rapid7, that uses the VQL query language to hunt, collect artifacts, and respond live across fleets of Windows, Linux, and macOS hosts. It belongs to the Forensics and IR category of cybersecurity.
What does Velociraptor mean?
An open-source endpoint-visibility and DFIR platform — originally by Mike Cohen, now Rapid7-stewarded — that uses the VQL query language to hunt, collect artifacts, and respond live across fleets of Windows, Linux, and macOS hosts.
How does Velociraptor work?
Velociraptor is an open-source DFIR and endpoint-visibility platform built around a custom query language called VQL (Velociraptor Query Language). A Velociraptor server orchestrates lightweight agents on Windows, Linux, and macOS endpoints; analysts write or pick VQL artifacts that collect specific evidence (registry hives, MFT, $UsnJrnl, browser history, Sysmon events, persistence locations, memory captures, YARA hits) or perform live response actions (kill process, isolate host, dump memory). Velociraptor is unusually flexible compared to traditional EDR: artifacts are version-controlled YAML+VQL, so a community library of hunts and forensic collectors is published and reused widely (Rapid7's velociraptor-artifacts repo, the SANS community list). Use cases include large-scale hunting across thousands of hosts, bulk artifact collection during IR, evidence preservation, and continuous endpoint monitoring. Originally written by Mike Cohen (also behind GRR), Velociraptor was acquired by Rapid7 in 2021 but remains AGPL-licensed open source with active community development.
How do you defend against Velociraptor?
Defending against Velociraptor typically combines technical controls and operational practices, as described in the definition above.
What are other names for Velociraptor?
Common alias: Velociraptor DFIR.
● Related terms
- forensics-ir № 343
DFIR (Digital Forensics and Incident Response)
A combined discipline that integrates digital evidence investigation with incident handling to detect, contain, eradicate, and learn from cyber events.
- forensics-ir № 582
Incident response
An organizational process that systematically prepares for, detects, analyzes, contains, eradicates, and recovers from cyber incidents and feeds the lessons learned back into practice.
- defense-ops № 1267
Threat hunting
The hypothesis-driven, proactive search of telemetry to find threats that have slipped past existing detections.
- forensics-ir № 742
Memory forensics
The discipline of acquiring and analyzing a system's volatile RAM to reveal running processes, network connections, injected code, and in-memory artifacts.
- forensics-ir № 646
KAPE (Kroll Artifact Parser and Extractor)
A Windows triage tool from Kroll that collects forensic artifacts from live systems or images and produces parsed output through its parser modules.
- defense-ops № 1393
YARA rules
Text signatures written in the YARA language that classify and detect malware samples and files by byte, string, and behavior patterns.