velociraptor

verified

Velociraptor DFIR integration for LimaCharlie. List available VQL artifacts, view artifact definitions, launch forensic collections on endpoints. Find raw collection data in Artifacts (type:velociraptor, source:SID). Query processed JSON events from the 'velociraptor' sensor (tag:ext:ext-velociraptor). Build D&R rules for velociraptor_collection events. Use for: forensic triage, incident response, threat hunting, VQL artifact collection.

Marketplace: lc-marketplace (refractionPOINT/lc-ai)

Plugin: lc-essentials

Repository: refractionPOINT/lc-ai (5 stars)

Path: marketplace/plugins/lc-essentials/skills/velociraptor/SKILL.md

Last Verified: January 23, 2026

Install Skill (via the add-skill CLI):

npx add-skill https://github.com/refractionPOINT/lc-ai/blob/main/marketplace/plugins/lc-essentials/skills/velociraptor/SKILL.md -a claude-code --skill velociraptor

Installation path (Claude): .claude/skills/velociraptor/

Instructions

# Velociraptor DFIR Integration

Launch Velociraptor forensic collections and work with collection results in LimaCharlie.

---

## LimaCharlie Integration

> **Prerequisites**: Run `/init-lc` to initialize LimaCharlie context.

### API Access Pattern

All LimaCharlie API calls go through the `limacharlie-api-executor` sub-agent:

```
Task(
  subagent_type="lc-essentials:limacharlie-api-executor",
  model="sonnet",
  prompt="Execute LimaCharlie API call:
    - Function: <function-name>
    - Parameters: {<params>}
    - Return: RAW | <extraction instructions>
    - Script path: {skill_base_directory}/../../scripts/analyze-lc-result.sh"
)
```

### Critical Rules

| Rule | Wrong | Right |
|------|-------|-------|
| **MCP Access** | Call `mcp__*` directly | Use `limacharlie-api-executor` sub-agent |
| **LCQL Queries** | Write query syntax manually | Use `generate_lcql_query()` first |
| **Timestamps** | Calculate epoch values | Use `date +%s` or `date -d '7 days ago' +%s` |
| **OID** | Use org name | Use UUID (call `list_user_orgs` if needed) |

---

## Background

Velociraptor is an open-source endpoint visibility tool for digital forensics, incident response, and triage. LimaCharlie integrates with Velociraptor via the `ext-velociraptor` extension.

### How Velociraptor Data Flows in LimaCharlie

When a Velociraptor collection runs:

1. **Raw Artifacts**: The collected data is stored as a ZIP file in LimaCharlie's Artifact system
   - Filter by: `artifact_type: velociraptor`
   - The `source` field contains the Sensor ID (SID) where it was collected

2. **Processed Events**: For small collections, data is also processed to JSON and ingested as sensor events
   - Events appear on a sensor with hostname: `velociraptor`
   - Tagged with: `ext:ext-velociraptor`
   - Event types: `velociraptor_collection`, `artifact_event`

3. **D&R Automation**: You can trigger on these events for automated workflows
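As an added illustration of step 3 (this rule is not part of the skill page or of LimaCharlie's own documentation), the following D&R rule reports every `velociraptor_collection` event that arrives on the `ext:ext-velociraptor`-tagged sensor described above. It assumes the default LimaCharlie D&R rule YAML schema (`detect` / `respond`, the `is tagged` operator, and the `report` and `add tag` response actions); the detection name `velociraptor-collection-ingested`, the tag `vr-collection-seen` and its TTL are constructed for this example. Because the page does not document the fields inside the event payload, the rule matches on the event type and the sensor tag rather than on a field path.

```yaml
# Added example D&R rule (not from the skill page). Assumes the standard
# LimaCharlie detect/respond schema; event name and sensor tag are the ones
# the page states, the detection name and added tag are constructed.
detect:
  # Only evaluate processed Velociraptor collection events ...
  event: velociraptor_collection
  # ... and only when they come from the sensor tagged by the extension.
  op: is tagged
  value: ext:ext-velociraptor
respond:
  # Surface the ingested collection as a detection for triage.
  - action: report
    name: velociraptor-collection-ingested
  # Mark the sensor for one day so follow-up rules or hunts can key on it
  # (tag name and TTL are example values).
  - action: add tag
    tag: vr-collection-seen
    ttl: 86400
```

To narrow the rule to one artifact, replace the `is tagged` condition with an `and` of the tag check and a field match on the collection's artifact name once you have confirmed that field's path from a real `velociraptor_collection` event in your tenant; the raw ZIP for the same collection remains in Artifacts under `artifact_type: velociraptor` with the originating SID in `source`.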

## When to Use

Use this skill when the user wants to:
- List availabl

Validation Details: front matter, required fields, valid name format, valid description, has sections, allowed tools. Instruction length: 10594 chars.