Velociraptor Integration
If you’re an SIEM (InsightIDR) Ultimate customer, you have access to a version of Velociraptor, the open source Digital Forensics and Incident Response (DFIR) tool. For Rapid7 Ultimate customers, Velociraptor is integrated with the Command Platform (Insight Platform) as a component of the Rapid7 Agent (Insight Agent).
Velociraptor access for Managed Threat Complete
For Managed Threat Complete customers, only the Ultimate tier includes access to Velociraptor. Velociraptor is not included in the Managed Threat Complete Essential and Advanced tiers.
You can use Velociraptor alongside SIEM (InsightIDR) to add DFIR capabilities to your investigative toolset, allowing a greater level of monitoring and swifter responses to issues. With integrated Velociraptor, you can detect on events that Velociraptor monitors and pivot to Velociraptor when researching an investigation.
Requirements
To access Velociraptor in SIEM (InsightIDR), you’ll need:
- An SIEM (InsightIDR) Ultimate, Managed Threat Complete Ultimate, or Threat Complete Ultimate license
- A deployed Rapid7 Agent (Insight Agent)
Trying to deploy Velociraptor as an SIEM (InsightIDR) Essential or Advanced customer?
Read the Velociraptor documentation to get started with the open source version. Open source Velociraptor does not integrate with SIEM (InsightIDR) or the Command Platform (Insight Platform).
How Velociraptor works with the Rapid7 Agent (Insight Agent)
If you’re an SIEM (InsightIDR) Ultimate customer, Velociraptor is deployed after you install the Rapid7 Agent (Insight Agent). Unlike open source Velociraptor—which requires you to separately deploy an endpoint component and configure a dedicated server—Velociraptor integrated with the Command Platform (Insight Platform) is ready to use as soon as the Rapid7 Agent (Insight Agent) is installed.
The integrated version of Velociraptor is delivered by two components, which run as child processes of the Rapid7 Agent (Insight Agent):
Rapid7 Agent Core
This component handles communication between the Velociraptor client and the server. Its functions include:
- Identifying and connecting to the organization’s unique Velociraptor server instance within the Command Platform (Insight Platform)
- Translating the standard Velociraptor client ID to the Rapid7 Agent (Insight Agent)’s asset ID, which ensures that endpoints have the same ID in both Velociraptor and the Command Platform (Insight Platform)
- Sending and receiving data, such as incoming hunt collection jobs and outgoing results
Rapid7 Velociraptor
This component is a version of the open source Velociraptor client executable with a few differences:
- It contains additional modules to communicate with the Command Platform (Insight Platform) through the Rapid7 Agent Core component.
- It’s compiled without the server and web service components that are included in the open source binaries. Only client functions are available.
Both the Rapid7 Velociraptor and Agent Core components are compatible with the operating systems currently supported by the Rapid7 Agent (Insight Agent). Read the Rapid7 Agent (Insight Agent) documentation to learn more.
Do not remove the client.config.yaml file installed with the Rapid7 Velociraptor component
Although the Rapid7 Agent Core component manages server communications, the Velociraptor client requires the client.config.yaml file for start-up functions.
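The two facts above that matter operationally are that both components should be running as child processes of the Rapid7 Agent (Insight Agent), and that client.config.yaml must remain in place. The following health check, added here as an example and not Rapid7’s own tooling, verifies both against a process snapshot and a config directory. The process names (AGENT_PROCESS, CORE_PROCESS, VELO_PROCESS) and the config directory are placeholders that the page does not document; replace them with the values from your own deployment. The sample process snapshot is constructed for illustration.

```python
"""
Health check for the integrated Velociraptor components (example code, not
part of the Rapid7 documentation). It checks that the Agent Core and
Velociraptor client processes are descendants of the Rapid7 Agent process
and that client.config.yaml is present and non-empty.
"""
from __future__ import annotations

import os
from dataclasses import dataclass

# PLACEHOLDERS: the page does not document the real process names or the
# config location. Replace these with your deployment's values.
AGENT_PROCESS = "rapid7-agent-placeholder"
CORE_PROCESS = "rapid7-agent-core-placeholder"
VELO_PROCESS = "rapid7-velociraptor-placeholder"
CONFIG_DIR = "/path/to/velociraptor/config-placeholder"
CONFIG_FILE = "client.config.yaml"  # file name as given on the page


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str


def is_descendant_of(procs: list[Proc], pid: int, ancestor_name: str, max_depth: int = 32) -> bool:
    """Walk the parent chain from `pid`; True if an ancestor is named `ancestor_name`.

    Bounded by `max_depth` and a visited set so a malformed snapshot with a
    parent cycle cannot loop forever.
    """
    by_pid = {p.pid: p for p in procs}
    seen: set[int] = set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen and len(seen) < max_depth:
        seen.add(cur.pid)
        parent = by_pid.get(cur.ppid)
        if parent is None:
            return False
        if parent.name == ancestor_name:
            return True
        cur = parent
    return False


def check_components(procs: list[Proc]) -> dict[str, str]:
    """Map each expected component to 'ok', 'missing', or 'orphaned'.

    'orphaned' means the process exists but is not running under the agent,
    which contradicts the documented child-process relationship.
    """
    status: dict[str, str] = {}
    for comp in (CORE_PROCESS, VELO_PROCESS):
        matches = [p for p in procs if p.name == comp]
        if not matches:
            status[comp] = "missing"
        elif all(is_descendant_of(procs, p.pid, AGENT_PROCESS) for p in matches):
            status[comp] = "ok"
        else:
            status[comp] = "orphaned"
    return status


def check_config(config_dir: str) -> bool:
    """True if client.config.yaml exists in `config_dir` and is not empty."""
    path = os.path.join(config_dir, CONFIG_FILE)
    return os.path.isfile(path) and os.path.getsize(path) > 0


def read_linux_procs() -> list[Proc]:
    """Build a snapshot from /proc on Linux; returns [] on other platforms."""
    procs: list[Proc] = []
    if not os.path.isdir("/proc"):
        return procs
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/stat") as fh:
                stat = fh.read()
        except OSError:
            continue  # process exited between listdir and open
        # /proc/<pid>/stat is "pid (comm) state ppid ..."; comm may contain
        # spaces or parentheses, so split on the last ')'.
        lpar, rpar = stat.index("("), stat.rindex(")")
        name = stat[lpar + 1:rpar]
        fields = stat[rpar + 2:].split()
        procs.append(Proc(int(entry), int(fields[1]), name))
    return procs


# Constructed sample snapshot: a healthy layout with both components under the agent.
SAMPLE_PROCS = [
    Proc(1, 0, "init"),
    Proc(100, 1, AGENT_PROCESS),
    Proc(101, 100, CORE_PROCESS),
    Proc(102, 100, VELO_PROCESS),
]

if __name__ == "__main__":
    live = read_linux_procs() or SAMPLE_PROCS
    print("components:", check_components(live))
    print("client.config.yaml present:", check_config(CONFIG_DIR))
```

Run it on an endpoint after replacing the placeholders; a component reported as "orphaned" or "missing", or a False config result, is the condition the callout above warns about and is worth raising before relying on the endpoint in an investigation.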
Recommended configuration
Although Velociraptor is available when the Rapid7 Agent (Insight Agent) is installed, you might want to make additional configuration changes to take advantage of the Velociraptor and SIEM (InsightIDR) integration.
Read more about Velociraptor to understand the configuration settings that Rapid7 recommends.
User logins for Velociraptor
SIEM (InsightIDR) Ultimate users have access to the Velociraptor user interface through their Command Platform (Insight Platform) credentials.
When you navigate to Velociraptor through the Command Platform (Insight Platform), you’re logged in with your current Command Platform (Insight Platform) session. Logging out through either Velociraptor or the Command Platform (Insight Platform) ends your session in both places.
Read the Velociraptor topic and the open source Velociraptor documentation to learn more about how to access and use the Velociraptor user interface.
Data retention policy
The endpoint data collected by Velociraptor is retained for two weeks. This includes query results, client monitoring events, query logs, and acquired files.
User data and artifacts are not included in this policy and are retained indefinitely.