:py:mod:`dissect.target.plugins.apps.edr.velociraptor`
======================================================

.. py:module:: dissect.target.plugins.apps.edr.velociraptor


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.apps.edr.velociraptor.VelociraptorRecordBuilder
   dissect.target.plugins.apps.edr.velociraptor.VelociraptorPlugin


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.apps.edr.velociraptor.VELOCIRAPTOR_RESULTS
   dissect.target.plugins.apps.edr.velociraptor.ISO_8601_PATTERN


.. py:data:: VELOCIRAPTOR_RESULTS
   :value: '/$velociraptor_results$'

.. py:data:: ISO_8601_PATTERN
   :value: '\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?(Z|[+-]\\d{2}:\\d{2})?'

.. py:class:: VelociraptorRecordBuilder(artifact_name: str, extract_nested: bool)

   .. py:attribute:: record_name

   .. py:attribute:: extract_nested

   .. py:method:: build(object: dict, target: dissect.target.target.Target) -> dissect.target.helpers.record.TargetRecordDescriptor

      Builds a Velociraptor record.


.. py:class:: VelociraptorPlugin(target: dissect.target.target.Target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   Returns records from Velociraptor artifacts.

   .. py:attribute:: __namespace__
      :value: 'velociraptor'

      Defines the plugin namespace.

   .. py:attribute:: results_dir

   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target (``self.target``).
      For example, check if a certain file exists.
      Otherwise it should raise an :class:`UnsupportedPluginError`.

      :raises UnsupportedPluginError: If the plugin could not be loaded.

   .. py:method:: results(extract_nested: bool = False) -> collections.abc.Iterator[flow.record.Record]

      Return Rapid7 Velociraptor artifacts.

      By default JSON objects are not extracted from the artifacts, this can be done with the argument ``--extract-nested``.

      .. rubric:: References

      - https://docs.velociraptor.app/docs/vql/artifacts/